Chapter 8 Test 1 Flashcards

Question 1

Q

Which of the following is not a type of attack used against access controls?

Dictionary attack

Brute-force attack

Teardrop

Man-in-the-middle attack

Answer

A

C. Dictionary, brute-force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial-of-service attack.

Question 2

Q

George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?

Testimonial evidence rule

Parol evidence rule

Best evidence rule

Hearsay rule

Answer

A

D. The hearsay rule says that a witness cannot testify about what someone else told them, except under specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

Question 3

Q

Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?

Record the MAC address of each system.

Require users to fill out a form to register each system.

Scan each system using a port scanner.

Use device fingerprinting via a web-based registration syste

Answer

A

D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

Question 4

Q

Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation?

Blacklisting

Graylisting

Whitelisting

Bluelisting

Answer

A

C. The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.

Question 5

Q

Which pair of the following factors is key for user acceptance of biometric identification systems?

The FAR and FRR

The throughput rate and the time required to enroll

The CER and the ERR

How often users must reenroll and the reference profile requirements

Answer

A

B. Biometric systems can face major usability challenges if the time to enroll is long (more than a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

Question 6

Q

Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?

Cat 5 and Cat 6

Cat 5e and Cat 6

Cat 4e and Cat 5e

Cat 6 and Cat 7

Answer

A

B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is rated only to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

Question 7

Q

Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?

Antivirus

Heuristic

Whitelist

Blacklist

Answer

A

C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and allows only approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.

Question 8

Q

What type of motion detector senses changes in the electromagnetic fields in monitored areas?

Infrared

Wave pattern

Capacitance

Photoelectric

Answer

A

C. Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.

Question 9

Q

Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?

IaaS

PaaS

CaaS

SaaS

Answer

A

A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).

Question 10

Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

Weekly

Monthly

Semiannually

Annually

Answer

A

D. Individuals with specific business continuity roles should receive training on at least an annual basis.

Question 11

Q

Which one of the following technologies is not normally a capability of mobile device management (MDM) solutions?

Remotely wiping the contents of a mobile device

Assuming control of a nonregistered BYOD mobile device

Enforcing the use of device encryption

Managing device backups

Answer

A

B. MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.

Question 12

Q

Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?

Black box

Crystal box

Gray box

Zero box

Answer

A

B. Crystal-box penetration testing, which is also sometimes called white-box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black- and gray-box testing can and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.

Question 13

Q

What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?

RADIUS+

TACACS+

XTACACS

Kerberos

Answer

A

B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.

Question 14

Q

What type of fire extinguisher is useful against liquid-based fires?

Class A

Class B

Class C

Class D

Answer

A

B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.

Question 15

Q

Which one of the following components should be included in an organization’s emergency response guidelines?

Immediate response procedures

Long-term business continuity protocols

Activation procedures for the organization’s cold sites

Contact information for ordering equipment

Answer

A

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Question 16

Q

Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?

Simulation test

Tabletop exercise

Parallel test

Checklist review

Answer

A

C. During a parallel test, the team activates the disaster recovery site for testing, but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Question 17

Q

Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?

The facility code

The log priority

The security level

The severity level

Answer

A

D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog but is associated with which services are being logged. Security level and log priority are not typical syslog settings.

Question 18

Q

While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network bound for an internal host that uses an RFC 1918 reserved address. What technology should she expect is in use at the network border?

NAT

VLANs

S/NAT

BGP

Answer

A

A. Network address translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.

Question 19

Q

Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?

Mandatory passcodes and application management

Full device encryption and mandatory passcodes

Remote wipe and GPS tracking

Enabling GPS tracking and full device encryption

Answer

A

B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices but won’t keep the data secure if the device is lost. Remote wipe and GPS location is useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale

Question 20

Q

Dogs, guards, and fences are all common examples of what type of control?

Detective

Recovery

Administrative

Physical

Answer

A

D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus they are not recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

Question 21

Q

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?

Public cloud

Private cloud

Community cloud

Shared cloud

Answer

A

A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.

Question 22

Q

What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?

A static packet filtering firewall

An application-level gateway firewall

A circuit-level gateway firewall

A stateful inspection firewall

Answer

A

B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

Question 23

Q

James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?

SLA

RTO

MTD

RPO

Answer

A

D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.

Question 24

Q

Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Maintain competent records of all investigations and assessments

Answer

A

D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.

Question 25

Q

Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables?

Password expiration policies

Salting

User education

Password complexity policies

Answer

A

B. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.

Question 26

Q

What is the process that occurs when the Session layer removes the header from data sent by the Transport layer?

Encapsulation

Packet unwrapping

De-encapsulation

Payloading

Answer

A

C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up ter

Question 27

Q

Which one of the following types of firewalls does not have the ability to track connection status between different packets?

Stateful inspection

Application proxy

Packet filter

Next generation

Answer

A

C. Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.

Question 28

Q

Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve?

Confidentiality

Nonrepudiation

Authentication

Integrity

Answer

A

D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.

Question 29

Q

Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?

SSH

FTP

TLS

NTP

Answer

A

D. The Network Time Protocol (NTP) allows the synchronization of system clocks with a standardized time source. The Secure Shell (SSH) protocol provides encrypted administrative connections to servers. The File Transfer Protocol (FTP) is used for data exchange. Transport Layer Security (TLS) is an encryption process used to protect information in transit over a network.

Question 30

Q

Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?

Likelihood

RTO

RPO

Impact

Answer

A

D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

Question 31

Q

Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture?

Load balancing

Dual-power supplies

IPS

RAID

Answer

A

A. Load balancing helps to ensure that a failed server will not take a website or service offline. Dual power supplies only work to prevent failure of a power supply or power source. IPS can help to prevent attacks, and RAID can help prevent a disk failure from taking a system offline.

Question 32

Q

When an application or system allows a logged-in user to perform specific actions, it is an example of what?

Roles

Group management

Logins

Authorization

Answer

A

D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

Question 33

Q

What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?

1

2

3

4

Answer

A

B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

Question 34

Q

Gina recently took the SSCP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation?

Advance and protect the profession.

Act honorably, honestly, justly, responsibly, and legally.

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Provide diligent and competent service to principals

Answer

A

A. Gina’s actions harm the SSCP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics.

Question 35

Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

Role-based

Nondiscretionary

Rule-based

Discretionary

Answer

A

D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.

Question 36

Q

Which one of the following components is used to assign classifications to objects in a mandatory access control system?

Security label

Security token

Security descriptor

Security capability

Answer

A

A. Administrators and processes may attach security labels to objects that provide information on an object’s attributes. Labels are commonly used to apply classifications in a mandatory access control system.

Question 37

Q

Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy?

Clearance

Separation of duties

Need to know

Isolation

Answer

A

C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.

Question 38

Q

Which one of the following is not a mode of operation for the Data Encryption Standard?

CBC

CFB

OFB

AES

Answer

A

D. The DES modes of operation are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.

Question 39

Q

Voice pattern recognition is what type of authentication factor?

Something you know

Something you have

Something you are

Somewhere you are

Answer

A

C. Voice pattern recognition is “something you are,” a biometric authentication factor, because it measures a physical characteristic of the individual authenticating.

Question 40

Q

Which of the following is not a single sign-on implementation?

Kerberos

ADFS

CAS

RADIUS

Answer

A

D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

Question 41

Q

Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

ALE

SLE

ARO

AV

Answer

A

B. The single loss expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.

Question 42

Q

Susan has discovered that the smart card–based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?

Physical

Administrative

Compensation

Recovery

Answer

A

C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. These controls do not help to recover from an issue and are thus not recovery controls.

Question 43

Q

During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?

Identification

Preservation

Collection

Production

Answer

A

B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Question 44

Q

Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?

Separation of duties

Two-person control

Need to know

Least privilege

Answer

A

D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.

Question 45

Q

Which of the following tools is best suited to testing known exploits against a system?

Nikto

Ettercap

Metasploit

THC Hydra

Answer

A

C. Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool

Question 46

Q

Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?

Real evidence rule

Best evidence rule

Parol evidence rule

Testimonial evidence rule

Answer

A

C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

Question 47

Q

During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?

Detection

Recovery

Remediation

Reporting

Answer

A

D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.

Question 48

Q

Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified?

ALE

ARO

SLE

EF

Answer

A

A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.

Question 49

Q

Data is sent as bits at what layer of the OSI model?

Transport

Network

Data Link

Physical

Answer

A

D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.

Question 50

Q

Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?

Packets with a source address from Angie’s public IP address block

Packets with a destination address from Angie’s public IP address block

Packets with a source address outside Angie’s address block

Packets with a source address from Angie’s private address block

Answer

A

A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.

Question 51

Q

Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request?

Harry

Sally

File server

Document

Answer

A

D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.

Question 52

Q

Information about an individual like their name, Social Security number, date and place of birth, or their mother’s maiden name is an example of what type of protected information?

PHI

Proprietary data

PII

EDI

Answer

A

C. Personally identifiable information (PII) includes data that can be used to distinguish or trace that person’s identity and also includes information such as their medical, educational, financial, and employment information. PHI is personal health information, EDI is Electronic Data Interchange, and proprietary data is used to maintain an organization’s competitive advantage.

Question 53

Q

Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?

MTD

RTO

RPO

SLA

Answer

A

B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.

Question 54

Q

What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?

Preventive

Corrective

Detective

Directive

Answer

A

C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.

Question 55

Q

What business process typically requires sign-off from a manager before modifications are made to a system?

SDN

Release management

Change management

Versioning

Answer

A

C. Change management typically requires sign-off from a manager or supervisor before changes are made. This helps to ensure proper awareness and communication. SDN stands for software-defined networking, release management is the process that new software releases go through to be accepted, and versioning is used to differentiate versions of software, code, or other objects.

Question 56

Q

Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

Purchasing earthquake insurance

Relocating the data center to a safer area

Documenting the decision-making process

Reengineering the facility to withstand the shock of an earthquake

Answer

A

C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.

Question 57

Q

What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders?

Infrared

Heat-based

Wave pattern

Capacitance

Answer

A

C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects.

Question 58

Q

Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?

Maintaining the hypervisor

Managing operating system security settings

Maintaining the host firewall

Configuring server access control

Answer

A

A. In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.

Question 59

Q

Callback to a landline phone number is an example of what type of factor?

Something you know

Somewhere you are

Something you have

Something you are

Answer

A

B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

Question 60

Q

Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?

Likelihood

RTO

MTO

Impact

Answer

A

A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

Question 61

Q

Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with?

Virus

Worm

Trojan horse

Logic bomb

Answer

A

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

Question 62

Q

What two logical network topologies can be physically implemented as a star topology?

A bus and a mesh

A ring and a mesh

A bus and a ring

It is not possible to implement other topologies as a star.

Answer

A

C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star by placing a switch as the center of a star, but Ethernet still operates as a bus. Similarly, Token Ring deployments using a multistation access unit (MAU) were deployed as physical stars but operated as rings.

Question 63

Q

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?

Re-provisioning

Account review

Privilege creep

Account revocation

Answer

A

B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while reprovisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

Question 64

Q

What type of inbound packet is characteristic of a ping flood attack?

ICMP echo request

ICMP echo reply

ICMP destination unreachable

ICMP route changed

Answer

A

A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.

Answer 65

A

C. Social engineering is the best answer, as it can be useful to penetration testers who are asked to assess whether staff members are applying security training and have absorbed the awareness messages the organization uses. Port scanning and vulnerability scanning find technical issues that may be related to awareness or training issues but that are less likely to be directly related. Discovery can involve port scanning or other data-gathering efforts but is also less likely to be directly related to training and awareness.

Answer 66

A

A. Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.

Answer 67

A

C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.

Answer 68

A

C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.

Answer 69

A

D. A fingerprint scan is an example of a “something you are” factor, which would be appropriate for pairing with a “something you know” password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both “something you know,” which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

Answer 70

A

A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).

Answer 71

A

C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content distribution network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.

Answer 72

A

A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.

Answer 73

A

A. TKIP is used only as a means to encrypt transmissions and is not used for data at rest. RSA, AES, and 3DES are all used on data at rest as well as data in transit.

Answer 74

A

A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.

Answer 75

A

D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.

Answer 76

A

D. Nessus, OpenVAS, and SAINT are all vulnerability scanning tools. All provide port scanning capabilities as well but are more than simple port scanning tools.

Answer 77

A

B. Network access control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address-based security feature that can restrict only which systems or devices can connect to a given port.

Answer 78

A

C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.

Answer 79

A

B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.

Answer 80

A

B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

Answer 81

A

C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.

Answer 82

A

B. Password complexity is driven by length, and a longer password will be more effective against brute-force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute-force attacks.

Answer 83

A

C. Heuristic-based antimalware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.

Answer 84

A

B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities

Answer 85

A

B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

Answer 86

A

D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks are very different, a bridge can help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.

Answer 87

A

B. RAID level 5 is also known as disk striping with parity. It uses three or more disks, with one disk containing parity information used to restore data to another disk in the event of failure. When used with three disks, RAID 5 is able to withstand the loss of a single disk.

Answer 88

A

A. Access control lists (ACLs) are used for determining a user’s authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.

Answer 89

A

A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.

Answer 90

A

C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

Answer 91

A

A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.

Answer 92

A

D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event and could also include the locks that are present on the doors.

Answer 93

A

A. Identity as a service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems but can also create risk because of third-party control of identity services and reliance on an offsite identity infrastructure.

Answer 94

A

D. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys. The number of viable keys is usually smaller in most algorithms because of the presence of parity bits and other algorithmic overhead or security issues that restrict the use of some key values.

Answer 95

A

B. Social engineering exploits humans to allow attacks to succeed. Since help desk employees are specifically tasked with being helpful, they may be targeted by attackers posing as legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack via electronic communication methods intended to capture passwords or other sensitive data. Whaling is a type of phishing aimed at high-profile or important targets.

Answer 96

A

A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.

Answer 97

A

D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.

Answer 98

A

A. This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.

Answer 99

A

C. SYN floods rely on the TCP implementation on machines and network devices to cause denial-of-service conditions.

Answer 100

A

A. The Advanced Encryption Standard (AES) supports the use of encryption keys that are 128 bits, 192 bits, or 256 bits in length.

Brainscape's Knowledge GenomeTM

Chapter 8 Test 1 Flashcards

Brainscape's Knowledge Genome^TM