CISSP-FD review questions Flashcards

1
Q
1 General-purpose control types include all the following except
A ❍ Detective
B ❍ Mandatory
C ❍ Preventive
D ❍ Compensating
A

B

2
Q
2 Violation reports and audit trails are examples of what type of control?
A ❍ Detective technical
B ❍ Preventive technical
C ❍ Detective administrative
D ❍ Preventive administrative
A

A

3
Q
3 “A user cannot deny an action” describes the concept of
A ❍ Authentication
B ❍ Accountability
C ❍ Non-repudiation
D ❍ Plausible deniability
A

C

4
Q
4 Authentication can be based on any combination of the following factors
except
A ❍ Something you know
B ❍ Something you have
C ❍ Something you need
D ❍ Something you are
A

C

5
Q
5 Unauthorized users that are incorrectly granted access in biometric systems
are described as the
A ❍ False Reject Rate (Type II error)
B ❍ False Accept Rate (Type II error)
C ❍ False Reject Rate (Type I error)
D ❍ False Accept Rate (Type I error)
A

B

6
Q
6 All the following devices and protocols can be used to implement one-time
passwords except
A ❍ Tokens
B ❍ S/Key
C ❍ Diameter
D ❍ Kerberos
A

D

7
Q
7 Which of the following PPP authentication protocols transmits passwords in
clear text?
A ❍ PAP
B ❍ CHAP
C ❍ MS-CHAP
D ❍ FTP
A

A

8
Q
8 Which of the following is not considered a method of attack against access
control systems?
A ❍ Brute force
B ❍ Dictionary
C ❍ Denial of Service
D ❍ Buffer overflow
A

C

9
Q
9 Sensitivity labels are a fundamental component in which type of access control
systems?
A ❍ Mandatory access control
B ❍ Discretionary access control
C ❍ Access control lists
D ❍ Role-based access control
A

A

10
Q
10 Which of the following access control models addresses availability issues?
A ❍ Bell-LaPadula
B ❍ Biba
C ❍ Clark-Wilson
D ❍ None of the above
A

D

11
Q
1 A data network that operates across a relatively large geographic area defines
what type of network?
A ❍ LAN
B ❍ MAN
C ❍ CAN
D ❍ WAN
A

D

12
Q
2 The process of wrapping protocol information from one layer in the data section
of another layer describes
A ❍ Data encryption
B ❍ Data encapsulation
C ❍ Data hiding
D ❍ TCP wrappers
A

B

13
Q
3 The LLC and MAC are sub-layers of what OSI model layer?
A ❍ Data Link
B ❍ Network
C ❍ Transport
D ❍ Session
A

A

14
Q
4 The Ethernet protocol is defined at what layer of the OSI model and in which
IEEE standard?
A ❍ Data Link Layer, 802.3
B ❍ Network Layer, 802.3
C ❍ Data Link Layer, 802.5
D ❍ Network Layer, 802.5
A

A

15
Q
5 All the following are examples of packet-switched WAN protocols, except
A ❍ X.25
B ❍ Frame Relay
C ❍ ISDN
D ❍ SMDS
A

C

16
Q
6 Which of the following is an example of a Class C IP address?
A ❍ 17.5.5.1
B ❍ 127.0.0.1
C ❍ 192.167.4.1
D ❍ 224.0.0.1
A

C

17
Q

7 The TCP/IP Protocol Model consists of the following four layers:
A ❍ Application, Presentation, Session, Transport
B ❍ Application, Session, Network, Physical
C ❍ Application, Session, Transport, Internet
D ❍ Application, Transport, Internet, Link

A

D

18
Q
8 Which of the following firewall architectures employs external and internal
routers, as well as a bastion host?
A ❍ Screening router
B ❍ Screened-subnet
C ❍ Screened-host gateway
D ❍ Dual-homed gateway
A

B

19
Q
9 Which of the following is not a common VPN protocol standard?
A ❍ IPSec
B ❍ PPTP
C ❍ TFTP
D ❍ L2TP
A

C

20
Q
10 A type of network attack in which TCP packets are sent from a spoofed source
address with the SYN bit set describes
A ❍ Smurf
B ❍ Fraggle
C ❍ Teardrop
D ❍ SYN flood
A

D

21
Q

1 The three elements of the C-I-A triad include
A ❍ Confidentiality, integrity, authentication
B ❍ Confidentiality, integrity, availability
C ❍ Confidentiality, integrity, authorization
D ❍ Confidentiality, integrity, accountability

A

B

22
Q

2 Which of the following government data classification levels describes
information that, if compromised, could cause serious damage to national
security?
A ❍ Top Secret
B ❍ Secret
C ❍ Confidential
D ❍ Sensitive but Unclassified

A

B

23
Q

3 The practice of regularly transferring personnel into different positions or
departments within an organization is known as
A ❍ Separation of duties
B ❍ Reassignment
C ❍ Lateral transfers
D ❍ Job rotations

A

D

24
Q
4 The individual responsible for assigning information classification levels for
assigned information assets is
A ❍ Management
B ❍ Owner
C ❍ Custodian
D ❍ User
A

B

25
Q
5 Most security policies are categorized as
A ❍ Informative
B ❍ Regulatory
C ❍ Mandatory
D ❍ Advisory
A

D

26
Q
6 A baseline is a type of
A ❍ Policy
B ❍ Guideline
C ❍ Procedure
D ❍ Standard
A

D

27
Q
7 ALE is calculated by using the following formula:
A ❍ SLE × ARO × EF = ALE
B ❍ SLE × ARO = ALE
C ❍ SLE + ARO = ALE
D ❍ SLE – ARO = ALE
A

B

28
Q
8 Which of the following is not considered a general remedy for risk
management?
A ❍ Risk reduction
B ❍ Risk acceptance
C ❍ Risk assignment
D ❍ Risk avoidance
A

D

29
Q

9 Failure to implement a safeguard may result in legal liability if
A ❍ The cost to implement the safeguard is less than the cost of the associated
loss.
B ❍ The cost to implement the safeguard is more than the cost of the associated
loss.
C ❍ An alternate but equally effective and less expensive safeguard is
implemented.
D ❍ An alternate but equally effective and more expensive safeguard is
implemented.

A

A

30
Q
10 A cost-benefit analysis is useful in safeguard selection for determining
A ❍ Safeguard effectiveness
B ❍ Technical feasibility
C ❍ Cost-effectiveness
D ❍ Operational impact
A

C

31
Q
1 Masquerading as another person in order to obtain information illicitly is
known as
A ❍ Hacking
B ❍ Social engineering
C ❍ Extortion
D ❍ Exhumation
A

B

32
Q
2 Viruses, rootkits, and Trojan horses are known as
A ❍ Maniacal code
B ❍ Fractured code
C ❍ Infectious code
D ❍ Malicious code
A

D

33
Q
3 Antivirus software that detects viruses by watching for anomalous behavior
uses what technique?
A ❍ Signature matching
B ❍ Fleuristics
C ❍ Heroistics
D ❍ Heuristics
A

D

34
Q

4 A developer, suspecting that he may be fired soon, modifies an important
program that will corrupt payroll files long after he is gone. The developer has
created a(n)
A ❍ Delayed virus
B ❍ Logic bomb
C ❍ Applet bomb
D ❍ Trojan horse

A

B

35
Q
5 A SYN flood is an example of a
A ❍ Dictionary attack
B ❍ High Watermark attack
C ❍ Buffer Overflow attack
D ❍ Denial of Service attack
A

D

36
Q
6 The process of recording changes made to systems is known as
A ❍ Change Review Board
B ❍ System Maintenance
C ❍ Change Management
D ❍ Configuration Management
A

D

37
Q
7 A system that accumulates knowledge by observing events’ inputs and outcomes
is known as a(n)
A ❍ Expert system
B ❍ Neural network
C ❍ Synaptic network
D ❍ Neural array
A

B

38
Q
8 The logic present in an object is known as
A ❍ Encapsulation
B ❍ Personality
C ❍ Behavior
D ❍ Method
A

D

39
Q
9 The restricted environment that Java applets occupy is known as a
A ❍ Sandbox
B ❍ Workbox
C ❍ Trusted Zone
D ❍ Instantiation
A

A

40
Q

10 An attacker has placed a URL on a website that, if clicked, will cause malicious
javascript to execute on victims’ browsers. This is known as a
A ❍ Phishing attack
B ❍ Script injection attack
C ❍ Cross-site scripting attack
D ❍ Cross-site request forgery attack

A

C

41
Q
1 The four modes of DES include all the following except
A ❍ ECB
B ❍ ECC
C ❍ CFB
D ❍ CBC
A

B

42
Q

2 A type of cipher that replaces bits, characters, or character blocks with
alternate bits, characters, or character blocks to produce ciphertext is known
as a
A ❍ Permutation cipher
B ❍ Block cipher
C ❍ Transposition cipher
D ❍ Substitution cipher

A

D

43
Q
3 Which of the following is not an advantage of symmetric key systems?
A ❍ Scalability
B ❍ Speed
C ❍ Strength
D ❍ Availability
A

A

44
Q
4 The Advanced Encryption Standard (AES) is based on what symmetric key
algorithm?
A ❍ Twofish
B ❍ Knapsack
C ❍ Diffie-Hellman
D ❍ Rijndael
A

D

45
Q

5 A message that’s encrypted with only the sender’s private key, for the
purpose of authentication, is known as a(n)
A ❍ Secure message format
B ❍ Signed and secure message format
C ❍ Open message format
D ❍ Message digest

A

C

46
Q
6 All the following are examples of asymmetric key systems based on discrete
logarithms except
A ❍ Diffie-Hellman
B ❍ Elliptic Curve
C ❍ RSA
D ❍ El Gamal
A

C

47
Q
7 The four main components of a Public Key Infrastructure (PKI) include all the
following except
A ❍ Directory Service
B ❍ Certification Authority
C ❍ Repository
D ❍ Archive
A

A

48
Q

8 Which of the following Internet specifications provides secure e-commerce by
using symmetric key systems, asymmetric key systems, and dual signatures?
A ❍ Public Key Infrastructure (PKI)
B ❍ Secure Electronic Transaction (SET)
C ❍ Secure Sockets Layer (SSL)
D ❍ Secure Hypertext Transfer Protocol (S-HTTP)

A

B

49
Q

9 The minimum number of SAs required for a two-way IPSec session between
two communicating hosts using both AH and ESP is
A ❍ 1
B ❍ 2
C ❍ 4
D ❍ 8

A

C

50
Q
10 An IPSec SA consists of the following parameters, which uniquely identify it
in an IPSec session, except
A ❍ Source IP Address
B ❍ Destination IP Address
C ❍ Security Protocol ID
D ❍ Security Parameter Index (SPI)
A

A

51
Q
1 The four CPU operating states include all the following except
A ❍ Operating
B ❍ Problem
C ❍ Wait
D ❍ Virtual
A

D

52
Q

2 A computer system that alternates execution of multiple subprograms on a
single processor describes what type of system?
A ❍ Multiprogramming
B ❍ Multitasking
C ❍ Multiuser
D ❍ Multiprocessing

A

B

53
Q
3 An address used as the origin for calculating other addresses describes
A ❍ Base addressing
B ❍ Indexed addressing
C ❍ Indirect addressing
D ❍ Direct addressing
A

A

54
Q
4 The four main functions of the operating system include all the following
except
A ❍ Process management
B ❍ BIOS management
C ❍ I/O device management
D ❍ File management
A

B

55
Q

5 The total combination of protection mechanisms within a computer system,
including hardware, firmware, and software, which is responsible for enforcing
a security policy defines
A ❍ Reference monitor
B ❍ Security kernel
C ❍ Trusted Computing Base
D ❍ Protection domain

A

C

56
Q
6 A system that continues to operate following failure of a network component
describes which type of system?
A ❍ Fault-tolerant
B ❍ Fail-safe
C ❍ Fail-soft
D ❍ Failover
A

A

57
Q
7 Which of the following access control models addresses availability issues?
A ❍ Bell-LaPadula
B ❍ Biba
C ❍ Clark-Wilson
D ❍ None of the above
A

D

58
Q
8 The four basic control requirements identified in the Orange Book include all
the following except
A ❍ Role-based access control
B ❍ Discretionary access control
C ❍ Mandatory access control
D ❍ Object reuse
A

A

59
Q

9 The purpose of session management in a web application is
A ❍ To prevent Denial of Service attacks
B ❍ To collect session-based security metrics
C ❍ To control the number of concurrent sessions
D ❍ To protect sessions from unauthorized access

A

D

60
Q
10 Which of the following ITSEC classification levels is equivalent to TCSEC level
B3?
A ❍ E3
B ❍ E4
C ❍ E5
D ❍ E6
A

C

61
Q

1 The two types of intrusion detection are
A ❍ Attack-based systems and response-based systems
B ❍ Signature-based systems and anomaly-based systems
C ❍ Knowledge-based systems and scripture-based systems
D ❍ Passive monitoring systems and active monitoring systems

A

B

62
Q
2 Recording data traveling on a network is known as
A ❍ Promiscuous mode
B ❍ Packet sniffing
C ❍ Packet snoring
D ❍ Packing sneaking
A

B

63
Q
3 Which of the following is NOT an example of penetration testing?
A ❍ Radiation monitoring
B ❍ War driving
C ❍ Port scanning
D ❍ War diving
A

D

64
Q

4 Trusted recovery is concerned with
A ❍ The ability of a system to be rebuilt
B ❍ The vulnerability of a system while it’s being rebuilt
C ❍ The ability of a system to rebuild itself
D ❍ The willingness of a system to rebuild itself

A

B

65
Q
5 The third-party inspection of a system is known as a(n)
A ❍ Confidence check
B ❍ Integrity trail
C ❍ Audit trail
D ❍ Audit
A

D

66
Q

6 One of the primary concerns with long-term audit log retention is
A ❍ Whether anyone will be around who can find them
B ❍ Whether any violations of privacy laws have occurred
C ❍ Whether anyone will be around who understands them
D ❍ Whether any tape/disk drives will be available to read them

A

D

67
Q
7 The required operating state of a network interface on a system running a
sniffer is
A ❍ Open mode
B ❍ Promiscuous mode
C ❍ Licentious mode
D ❍ Pretentious mode
A

B

68
Q
8 Filling a system’s hard drive so that it can no longer record audit records is
known as a(n)
A ❍ Audit lock-out
B ❍ Audit exception
C ❍ Denial of Facilities attack
D ❍ Denial of Service attack
A

D

69
Q
9 An investigator who needs to have access to detailed employee event information
may need to use
A ❍ Keystroke monitoring
B ❍ Intrusion detection
C ❍ Keystroke analysis
D ❍ Trend analysis
A

A

70
Q

10 Which of the following is NOT true about a signature-based IDS?
A ❍ It reports a low number of false-positives.
B ❍ It requires periodic updating of its signature files.
C ❍ It reports a high number of false-positives.
D ❍ It can’t detect anomalies based on trends.

A

C

71
Q
1 The longest period of time that a business can survive without a critical function
is called
A ❍ Downtime Tolerability Period
B ❍ Greatest Tolerable Downtime
C ❍ Maximum Survivable Downtime
D ❍ Maximum Tolerable Downtime
A

D

72
Q
2 Which of the following is not a natural disaster?
A ❍ Avalanche
B ❍ Stock market crash
C ❍ Fire
D ❍ Water supply storage drought
A

B

73
Q
3 The impact of a disaster on business operations is contained in
A ❍ Local newspapers and online media
B ❍ The Business Impact Assessment
C ❍ The Operations Impact Assessment
D ❍ The Vulnerability Assessment
A

B

74
Q
4 The decision whether to purchase an emergency generator is based on
A ❍ Wholesale electric rates
B ❍ Retail electric rates
C ❍ The duration of a typical outage
D ❍ The income rate of affected systems
A

C

75
Q

5 The purpose of a UPS is
A ❍ To provide instantaneous power cutover when utility power fails
B ❍ A lower cost for overnight shipping following a disaster
C ❍ The need to steer an unresponsive vehicle after it’s moving again
D ❍ To restore electric power within 24 hours

A

A

76
Q

6 The Business Impact Assessment
A ❍ Describes the impact of disaster recovery planning on the budget
B ❍ Describes the impact of a disaster on business operations
C ❍ Is a prerequisite to the Vulnerability Assessment
D ❍ Is the first official statement produced after a disaster

A

B

77
Q

7 To maximize the safety of backup media, it should be stored
A ❍ At a specialized off-site media storage facility
B ❍ At the residences of various senior managers
C ❍ In the operations center in a locked cabinet
D ❍ Between 50°F and 60°F

A

A

78
Q

8 An alternate information-processing facility with all systems, patches, and
data mirrored from live production systems is known as a
A ❍ Warm site
B ❍ Hot site
C ❍ Recovery site
D ❍ Mutual Aid Center

A

B

79
Q
9 The greatest advantage of a cold site is
A ❍ It can be built nearly anywhere
B ❍ Its high responsiveness
C ❍ Its low cost
D ❍ Its close proximity to airports
A

C

80
Q
10 The most extensive test for a Disaster Recovery Plan
A ❍ Has dual failover
B ❍ Is a waste of paper
C ❍ Is known as a parallel test
D ❍ Is known as an interruption test
A

D

81
Q
1 Penalties for conviction in a civil case can include
A ❍ Imprisonment
B ❍ Probation
C ❍ Fines
D ❍ Community service
A

C

82
Q
2 Possible damages in a civil case are classified as all the following except
A ❍ Compensatory
B ❍ Punitive
C ❍ Statutory
D ❍ Financial
A

D

83
Q
3 Computer attacks motivated by curiosity or excitement describe
A ❍ “Fun” attacks
B ❍ Grudge attacks
C ❍ Business attacks
D ❍ Financial attacks
A

A

84
Q
4 Intellectual property includes all the following except
A ❍ Patents and trademarks
B ❍ Trade secrets
C ❍ Copyrights
D ❍ Computers
A

D

85
Q

5 Under the Computer Fraud and Abuse Act of 1986 (as amended), which of the
following is not considered a crime?
A ❍ Unauthorized access
B ❍ Altering, damaging, or destroying information
C ❍ Trafficking child pornography
D ❍ Trafficking computer passwords

A

C

86
Q
6 Which of the following is not considered one of the four major categories of
evidence?
A ❍ Circumstantial evidence
B ❍ Direct evidence
C ❍ Demonstrative evidence
D ❍ Real evidence
A

A

87
Q
7 In order to be admissible in a court of law, evidence must be
A ❍ Conclusive
B ❍ Relevant
C ❍ Incontrovertible
D ❍ Immaterial
A

B

88
Q

8 What term describes the evidence-gathering technique of luring an individual
toward certain evidence after that individual has already committed a crime;
is this considered legal or illegal?
A ❍ Enticement/Legal
B ❍ Coercion/Illegal
C ❍ Entrapment/Illegal
D ❍ Enticement/Illegal

A

A

89
Q

9 In a civil case, the court may issue an order allowing a law enforcement official
to seize specific evidence. This order is known as a(n)
A ❍ Subpoena
B ❍ Exigent circumstances doctrine
C ❍ Writ of Possession
D ❍ Search warrant

A

C

90
Q

10 When should management be notified of a computer crime?
A ❍ After the investigation has been completed
B ❍ After the preliminary investigation
C ❍ Prior to detection
D ❍ As soon as it has been detected

A

D

91
Q
1 The three elements of the fire triangle necessary for a fire to burn include all
the following except
A ❍ Fuel
B ❍ Oxygen
C ❍ Heat
D ❍ Nitrogen
A

D

92
Q
2 Electrical fires are classified as what type of fire and use what extinguishing
methods?
A ❍ Class B; CO2 or soda acid
B ❍ Class B; CO2 or FM-200
C ❍ Class C; CO2 or FM-200
D ❍ Class A; water or soda acid
A

C

93
Q
3 A prolonged drop in voltage describes what electrical anomaly?
A ❍ Brownout
B ❍ Blackout
C ❍ Sag
D ❍ Fault
A

A

94
Q
4 What type of cabling should be used below raised floors and above drop
ceilings?
A ❍ CAT-5
B ❍ Plenum
C ❍ PVC
D ❍ Water-resistant
A

B

95
Q
5 In order to deter casual trespassers, fencing should be a minimum height of
A ❍ 1 to 3 feet
B ❍ 3 to 4 feet
C ❍ 6 to 7 feet
D ❍ 8 feet or higher
A

B

96
Q

6 Three types of intrusion detection systems (IDSs) used for physical security
include photoelectric sensors, dry contact switches, and which of the
following?
A ❍ Motion detectors
B ❍ Anomaly-based
C ❍ Host-based
D ❍ Network-based

A

A

97
Q

7 A water sprinkler system in which no water is initially present in the pipes
and which, at activation, delivers a large volume of water describes what type
of system?
A ❍ Wet-pipe
B ❍ Dry-pipe
C ❍ Deluge
D ❍ Preaction

A

C

98
Q
8 Portable CO2 fire extinguishers are classified as what type of extinguishing
system?
A ❍ Gas-discharge systems
B ❍ Water sprinkler systems
C ❍ Deluge systems
D ❍ Preaction systems
A

A

99
Q

9 Which of the following extinguishing agents fights fires by separating the elements
of the fire triangle, rather than by simply removing one element?
A ❍ Water
B ❍ Soda acid
C ❍ CO2
D ❍ FM-200

A

D

100
Q

10 Production of Halon has been banned for what reason?
A ❍ It is toxic at temperatures above 900°F.
B ❍ It is an ozone-depleting substance.
C ❍ It is ineffective.
D ❍ It is harmful if inhaled.

A

B

101
Q

1 The number-one priority of disaster planning should always be:
A Preservation of capital
B Personnel evacuation and safety
C Resumption of core business functions
D Investor relations

A

1 B. See Chapter 11. People and their safety always come first!

102
Q

2 An access control system that grants access to information based on that
information’s classification and the clearance of the individual is known as:
A Identity-based access control
B Mandatory access control
C Role-based access control
D Clearance-based access control

A

2 B. See Chapter 4. Mandatory access control is based on the user’s clearance
level, the classification of the information, and the user’s need-to-know.

103
Q
3 A database that contains the data structures used by an application is
known as:
A   A data encyclopedia
B   A data dictionary
C   Metadata
D   A schema
A

3 B. See Chapter 7. A data dictionary contains information about an application’s
data structures, including table names, field names, indexes, and so on.

104
Q
4 The process of breaking the key and/or plaintext from an enciphered message
is known as:
A   Decryption
B   Steganography
C   Cryptanalysis
D   Extraction
A

4 C. See Chapter 8. Cryptanalysis is the process of getting the key and/or the
original message the hard way.

105
Q
5 The Internet Worm incident of 1988 was perpetrated by:
A   The 414 Gang
B   Robert Morris
C   Kevin Mitnick
D   Gene Spafford
A

5 B. See Chapter 7. Robert Tappan Morris wrote and released what’s now
known as the Internet Worm in 1988. Researcher Gene Spafford wrote several
papers on the topic.

106
Q
6 Access controls and card key systems are examples of:
A   Detective controls
B   Preventive controls
C   Corrective controls
D   Trust controls
A

6 B. See Chapter 10. Preventive controls are designed to prevent a security
incident.

107
Q

7 Why should a datacenter’s walls go all the way to the ceiling and not just
stop as high as the suspended ceiling?
A The walls will be stronger.
B The HVAC will run more efficiently.
C An intruder could enter the datacenter by climbing over the low wall.
D The high wall will block more noise.

A

7 C. See Chapter 13. The primary concern here is to keep intruders out, which
is why computer room walls should extend from the true floor to the true
ceiling.

108
Q
8 Memory that’s used to store computer instructions and data is known as:
A   UART
B   SIMM
C   Cache
D   ROM
A

8 C. See Chapter 9. Cache memory holds instructions and data that are likely to
be frequently accessed. Cache memory is faster than RAM, so it can contribute
to faster performance.

109
Q

9 Of what value is separation of authority in an organization?
A It limits the capabilities of any single individual.
B It provides multiple paths for fulfilling critical tasks.
C It accommodates the requirement for parallel audit trails.
D It ensures that only one person is authorized to perform each task.

A

9 A. See Chapter 6. Separation of authority makes it difficult for an individual
to steal an organization’s assets because it requires others to cooperate with
the would-be criminal.

110
Q

10 UDP is sometimes called the “unreliable data protocol” because:
A It works only on low-speed wireless LANs.
B UDP packets rarely get through because they have a lower priority.
C Few know how to program UDP.
D UDP does not guarantee delivery.

A

10 D. See Chapter 5. UDP has no guarantee of delivery, nor sequencing or
acknowledgement.

111
Q

11 Which of the following is NOT a goal of a Business Impact Assessment
(BIA)?
A To inventory mutual aid agreements
B To identify and prioritize business critical functions
C To determine how much downtime the business can tolerate
D To identify resources required by critical processes

A

11 A. See Chapter 11. Mutual aid agreements aren’t a significant concern of a
Business Impact Assessment (BIA). They’re instead a part of contingency
planning.

112
Q
12 An access control system that grants access to information based on the
identity of the user is known as:
A   Identity-based access control
B   Mandatory access control
C   Role-based access control
D   Clearance-based access control
A

12 A. See Chapter 4. Identity-based access control is used to grant access to
information based on the identity of the person requesting access.

113
Q

13 The purpose of a Service-Level Agreement is:
A To guarantee a minimum quality of service for an application or
function
B To guarantee the maximum quality of service for an application or
function
C To identify gaps in availability of an application
D To correct issues identified in a security audit

A

13 A. See Chapter 7. A Service-Level Agreement (SLA) defines minimum performance
metrics of an application or service.

114
Q
14 The method of encryption in which both sender and recipient possess a
common encryption key is known as:
A   Message digest
B   Hash function
C   Public key cryptography
D   Secret key cryptography
A

14 D. See Chapter 8. Secret key cryptography is used when all parties possess a
common key.

115
Q

15 Forensics is the term that describes:
A Due process
B Tracking hackers who operate in other countries
C Taking steps to preserve and record evidence
D Scrubbing a system in order to return it to service

A

15 C. See Chapter 12. Forensics is the activity of discovering, preserving, and
recording evidence.

116
Q
16 Audit trails and security cameras are examples of:
A   Detective controls
B   Preventive controls
C   Corrective controls
D   Trust controls
A

16 A. See Chapter 10. Detective controls are designed to record security events.

117
Q

17 How does water aid in fire suppression?
A It reduces the fire’s oxygen supply.
B It isolates the fire’s fuel supply.
C It lowers the temperature to a degree at which the fire can’t sustain
itself.
D It extinguishes the fire through a chemical reaction.

A

17 C. See Chapter 13. Water cools the fuel to the point where the fire can’t continue.
Also, to some extent, water is a physical barrier between the fuel and
oxygen.

118
Q
18 Firmware is generally stored on:
A   ROM or EPROM
B   Tape
C   RAM
D   Any removable media
A

18 A. See Chapter 9. Firmware is software that’s seldom changed. Firmware is
generally used to control low-level functions in computer hardware and
embedded systems.

119
Q

19 The term open view refers to what activity?
A Reclassifying a document so that anyone can view it
B Viewing the contents of one’s private encryption key
C Leaving classified information where unauthorized people can see it
D Using a decryption key to view the contents of a message

A

19 C. See Chapter 6. Open view is the act of leaving a classified document out in
the open so that it can be viewed by anyone.

120
Q

20 TCP is a poor choice for streaming video because:
A It is too bursty for large networks.
B Acknowledgment and sequencing add significantly to its overhead.
C Checksums in video packets are meaningless.
D TCP address space is nearly exhausted.

A

20 B. See Chapter 5. TCP adds unnecessary overhead. Streaming video can
afford to lose a packet now and then.

121
Q
21 The longest period of time that an organization can accept a critical outage
is known as:
A   Maximum Acceptable Downtime
B   Greatest Tolerated Downtime
C   Maximum Tolerable Downtime
D   Recovery Time Objective
A

21 C. See Chapter 11. Maximum Tolerable Downtime (MTD) is the length of time
that an organization can tolerate critical processes being inoperative.

122
Q
22 An access control system that gives the user some control over who has
access to information is known as:
A   Identity-based access control
B   User-directed access control
C   Role-based access control
D   Clearance-based access control
A

22 B. See Chapter 4. User-directed access control, a form of discretionary access
control, permits the user to grant access to information based on certain
limitations.

123
Q
23 CRCs, parity checks, and checksums are examples of:
A   Corrective application controls
B   Message digests
C   Preventive application controls
D   Detective application controls
A

23 D. See Chapter 4. Cyclical Redundancy Checks (CRCs), parity checks, and
checksums are examples of detective application controls because they’re
designed to help discover security breaches (as well as network malfunctions
and other undesired events) in a network.

124
Q

24 Why would a user’s public encryption key be widely distributed?
A So that cryptographers can attempt to break it
B Because it’s encrypted
C Because the user’s private key can’t be derived from his or her public key
D So that the user can decrypt messages from any location

A

24 C. See Chapter 8. In public key cryptography, the value of the public key
doesn’t in any way betray the value of the secret key.

125
Q

25 An expert witness:
A Offers an opinion based on the facts of a case and on personal expertise
B Is someone who was present at the scene of the crime
C Has direct personal knowledge about the event in question
D Can testify in criminal proceedings only

A

25 A. See Chapter 12. An expert witness offers his or her opinion based on the
facts of the case and on personal expertise.

126
Q
26 Reboot instructions and file restore procedures are examples of:
A   Detective controls
B   Preventive controls
C   Corrective controls
D   Trust controls
A

26 C. See Chapter 10. Corrective controls are used to resume business operations
after a security incident.

127
Q
27 Drain pipes that channel liquids away from a building are called:
A   Positive drains
B   Tight lines
C   Storm drains
D   Negative drains
A

27 A. See Chapter 13. Positive drains are those that carry liquids away from a
building.

128
Q

28 What’s the purpose of memory protection?
A It protects memory from malicious code.
B It prevents a program from being able to access memory used by another program.
C Memory protection is another term used to describe virtual memory backing store.
D It assures that hardware refresh happens frequently enough to maintain memory integrity.

A

28 B. See Chapter 9. Memory protection is a machine-level security feature that
prevents one program from being able to read or alter memory assigned to
another program.

129
Q
29 Which individual is responsible for classifying information?
A   Owner
B   Custodian
C   Creator
D   User
A

29 A. See Chapter 6. The information owner is ultimately responsible for the
information asset and for its initial classification.

130
Q
30 How many layers does the TCP/IP protocol model have?
A   4
B   5
C   6
D   7
A

30 A. See Chapter 5. There are four layers in the TCP/IP model: Network Access,
Internet, Transport, and Application.

131
Q

31 The primary difference between a hot site and a warm site is:
A The hot site is closer to the organization’s datacenters than the warm site.
B The warm site’s systems don’t have the organization’s software or data installed.
C The warm site doesn’t have computer systems in it.
D The warm site is powered down, but the hot site is powered up and ready to go.

A

31 B. See Chapter 11. Warm sites are mostly like hot sites, except that the organization’s
software and data aren’t on the warm site’s systems.

132
Q
32 Encryption, tokens, access control lists, and smart cards are known as:
A   Discretionary access controls
B   Physical controls
C   Technical controls
D   Administrative controls
A

32 C. See Chapter 4. Encryption, tokens, access control lists, and smart cards are
examples of technical, or logical, controls.

133
Q

33 Data mining:
A Can be performed by privileged users only
B Is generally performed after hours because it’s resource-intensive
C Refers to searches for correlations in a data warehouse
D Is the term used to describe the activities of a hacker who has broken into a database

A

33 C. See Chapter 7. Data mining is the term used to describe searches for correlations,
patterns, and trends in a data warehouse.

134
Q
34 Reading down the columns of a message that has been written across is
known as:
A   A columnar transposition cipher
B   Calculating the hash
C   Calculating the checksum
D   Calculating the modulo
A

34 A. See Chapter 8. In this cipher, the cryptographer writes across but reads
down.

135
Q

35 A witness:
A Offers an opinion based on the facts of a case and on personal expertise
B Is someone who was present at the scene of the crime
C Has direct personal knowledge about the event in question
D Can testify in criminal proceedings only

A

35 C. See Chapter 12. A witness testifies the facts as he or she understands
them.

136
Q
36 Covert channel analysis is used to:
A   Detect and understand unauthorized communication
B   Encipher unauthorized communications
C   Decipher unauthorized communications
D   Recover unauthorized communications
A

36 A. See Chapter 10. Covert channel analysis is used to detect, understand, and
help security personnel to prevent the creation and operation of covert
channels.

137
Q

37 Of what value is pre-employment screening?
A Undesirable medical or genetic conditions could diminish productivity.
B Only certain personality types can work effectively in some organizations.
C Employees need to have knowledge of security.
D Background checks could uncover undesirable qualities.

A

37 D. See Chapter 6. It’s infinitely better to find undesirable qualities, such as a
criminal history, prior to making an employment decision.

138
Q
38 The mapping of existing physical memory into a larger, imaginary memory
space is known as:
A   Virtual memory
B   Swapping
C   Thrashing
D   Spooling
A

38 A. See Chapter 9. The virtual memory model is used to create a memory
space that’s larger than the available physical memory.

139
Q
39 Which individual is responsible for protecting information?
A   Owner
B   Custodian
C   Creator
D   User
A

39 B. See Chapter 6. The custodian protects the information on behalf of its
owner.

140
Q
40 ARP is:
A   Access Routing Protocol
B   Address Resolution Protocol
C   Access Resolution Protocol
D   Address Recovery Protocol
A

40 B. See Chapter 5. ARP is the Address Resolution Protocol.

141
Q

41 Which of the following is NOT a concern for a hot site?
A Programs and data at the hot site must be protected.
B A widespread disaster will strain the hot site’s resources.
C A hot site is expensive because of the controls and patches required.
D Computer equipment must be shipped quickly to the hot site for it to be effective.

A

41 D. See Chapter 11. The hot site already has computer equipment.

142
Q
42 Supervision, audits, procedures, and assessments are known as:
A   Discretionary access controls
B   Safeguards
C   Physical controls
D   Administrative controls
A

42 D. See Chapter 4. Administrative access controls consist of all the policies
and procedures that are used to mitigate risk.

143
Q
43 Object-oriented, relational, and network are examples of:
A   Types of database tables
B   Types of database records
C   Types of database queries
D   Types of databases
A

43 D. See Chapter 7. Object-oriented, relational, and network are types of
databases.

144
Q
44 An asymmetric cryptosystem is also known as a:
A   Message digest
B   Hash function
C   Public key cryptosystem
D   Secret key cryptosystem
A

44 C. See Chapter 8. Asymmetric cryptosystems are also known as public key
cryptosystems.

145
Q

45 Entrapment is defined as:
A Leading someone to commit a crime that they wouldn’t otherwise have committed
B Monitoring with the intent of recording a crime
C Paying someone to commit a crime
D Being caught with criminal evidence in one’s possession

A

45 A. See Chapter 12. Entrapment refers to the activities that lure an individual
into committing a crime that he or she wouldn’t have otherwise committed.

146
Q

46 Least privilege means:
A Analysis that determines which privileges are required to complete a task.
B People who have high privileges delegate some of those privileges to others.
C The people who have the fewest access rights do all the work.
D Users should have the minimum privileges required to perform required tasks.

A

46 D. See Chapter 10. Least privilege is the principle that states users should
have access only to the data and functions required for their stated duties.

147
Q
47 Which of the following is NOT a part of a building’s automated access
audit log?
A   Time of the attempted entry
B   The reason for the attempted entry
C   Location of attempted entry
D   Entry success or failure
A

47 B. See Chapter 13. Building access systems don’t know why people are
coming and going.

148
Q
48 Systems that have published specifications and standards are known as:
A   Open source
B   Copyleft
C   Freeware
D   Open systems
A

48 D. See Chapter 9. Open systems are those in which specifications are published
and freely available, permitting any vendor to develop components
that can be used with it.

149
Q
49 Which of the following is NOT a criterion for classifying information?
A   Marking
B   Useful life
C   Value
D   Age
A

49 A. See Chapter 6. Useful life, value, and age are some of the criteria used to
classify information.

150
Q

50 What is the purpose of ARP?
A When given an IP address, ARP returns a MAC address.
B When given a MAC address, ARP returns an IP address.
C It calculates the shortest path between two nodes on a network.
D It acquires the next IP address on a circular route.

A

50 A. See Chapter 5. ARP is used to translate an IP address into a MAC address.

151
Q

51 The Disaster Recovery Plan (DRP) needs to be continuously maintained
because:
A The organization’s software versions are constantly changing.
B The organization’s business processes are constantly changing.
C The available software patches are constantly changing.
D The organization’s data is constantly changing.

A

51 B. See Chapter 11. The Disaster Recovery Plan (DRP) must contain an up-to-date
record of all critical business processes.

152
Q
52 Security guards, locked doors, and surveillance cameras are known as:
A   Site-access controls
B   Safeguards
C   Physical access controls
D   Administrative controls
A

52 C. See Chapter 4. Physical access controls include security guards, locked
doors, and surveillance cameras, as well as other controls such as backups,
protection of cabling, and card-key access.

153
Q

53 Neural networking gets its name from:
A The make and model of equipment in a network
B Patterns thought to exist in the brain
C Its inventor, Sigor Neura
D Observed patterns in neural telepathy

A

53 B. See Chapter 7. Neural networks are systems that can detect patterns after
a period of training.

154
Q
54 The process of hiding a message inside a larger dataset is known as:
A   Decryption
B   Steganography
C   Cryptanalysis
D   Extraction
A

54 B. See Chapter 8. Steganography is the science of inserting messages into
larger datasets so that the existence of the message is unknown.

155
Q

55 Enticement is defined as:
A Being caught with criminal evidence in one’s possession
B Leading someone to commit a crime that they wouldn’t otherwise have committed
C Monitoring with the intent of recording a crime
D Keeping the criminal at the scene of the crime long enough to gather evidence

A

55 D. See Chapter 12. Enticement is used to keep a criminal at the scene of the
crime. In the context of electronic crime, a honeypot is a great way to keep an
intruder sniffing around while his or her origin is traced.

156
Q

56 The practice of separation of duties:
A Is used to provide variety by rotating personnel among various tasks
B Helps to prevent any single individual from compromising an information system
C Is used to ensure that the most experienced persons get the best tasks
D Is used in large 24x7 operations shops

A

56 B. See Chapter 10. Separation of duties is used to ensure that no single individual
has too much privilege, which could lead to a security incident or fraud.

157
Q

57 Tailgating is a term describing what activity?
A Logging in to a server from two or more locations
B Causing a PBX to permit unauthorized long distance calls
C Following an employee through an uncontrolled access
D Following an employee through a controlled access

A

57 D. See Chapter 13. Tailgating is a common method used by someone who
wants to enter a controlled area but has no authorization to do so.

158
Q

58 Which of the following is NOT a security issue with distributed architectures?
A Lack of security awareness by some personnel.
B Difficulty in controlling the distribution and use of software.
C Protection of centrally stored information.
D Backups might not be performed on some systems, risking loss of data.

A

58 C. See Chapter 9. In a distributed architecture, information isn’t centrally
stored, but rather stored in a multitude of locations. The other answers are
security issues in distributed architectures.

159
Q

59 What’s the purpose of a senior management statement of security policy?
A It defines who’s responsible for carrying out a security policy.
B It states that senior management need not follow a security policy.
C It emphasizes the importance of security throughout an organization.
D It states that senior management must also follow a security policy.

A

59 C. See Chapter 6. A senior management statement of security policy underscores
the importance of and support for security.

160
Q

60 What is the purpose of RARP?
A When given an IP address, RARP returns a MAC address.
B When given a MAC address, RARP returns an IP address.
C It traces the source address of a spoofed packet.
D It determines the least cost route through a multipath network.

A

60 B. See Chapter 5. RARP is used to translate a MAC address into an IP address.

161
Q

61 How is the organization’s DRP best kept up-to-date?
A With regular audits to ensure that changes in business processes are known
B By maintaining lists of current software versions, patches, and configurations
C By maintaining personnel contact lists
D By regularly testing the DRP

A

61 A. See Chapter 11. Audits will uncover changes that are needed in the DRP.

162
Q
62 Role-based access control and task-based access control are examples of:
A   Mandatory access controls
B   Administrative controls
C   Discretionary access controls
D   Non-discretionary access controls
A

62 D. See Chapter 4. Role-based access control and task-based access control
are known as non-discretionary controls, which match information to roles or
tasks, not individual users.

163
Q
63 The verification activity associated with coding is called:
A   Unit testing
B   Design review
C   System testing
D   Architecture review
A

63 A. See Chapter 7. Unit testing is the testing of small modules of code, which
is used to verify that the coding was done correctly.

164
Q

64 Steganography isn’t easily noticed because:
A Monitor and picture quality are so good these days.
B Most PCs’ speakers are turned off or disabled.
C The human eye often can’t sense the noise that steganography introduces.
D Checksums can’t detect most steganographed images.

A

64 C. See Chapter 8. Steganography can be difficult to detect visually in an image.

165
Q

65 The purpose of a honeypot is to:
A Log an intruder’s actions.
B Act as a decoy to keep the intruder interested while his or her origin and identity are traced.
C Deflect Denial of Service attacks away from production servers.
D Provide direct evidence of a break-in.

A

65 B. See Chapter 12. A honeypot is designed to keep an intruder sniffing around
long enough for investigators to determine his or her origin and identity.

166
Q
66 Which of the following tasks would NOT be performed by a security
administrator?
A   Changing file permissions
B   Configuring user privileges
C   Installing system software
D   Reviewing audit data
A

66 C. See Chapter 10. Installing system software is a system administrator function;
the rest are security administrator functions.

167
Q

67 What does fail open mean in the context of controlled building entrances?
A Controlled entrances permit no one to pass.
B Controlled entrances permit people to pass without identification.
C A power outage won’t affect control of the entrance.
D A pass key is required to enter the building.

A

67 B. See Chapter 13. Fail open refers to any controlling mechanism that
remains in the unlocked position when it fails. In the case of controlled building
entrances, anyone can enter the building.

168
Q
68 TCB is an acronym for:
A   Trusted Computing Baseline
B   Trusted Computing Base
C   Tertiary Computing Base
D   Trusted Cache Base
A

68 B. See Chapter 9. TCB stands for Trusted Computing Base.

169
Q

69 What is the purpose of an “advisory policy”?
A This is an optional policy that can be followed.
B This is an informal offering of advice regarding security practices.
C This is a temporary policy good only for a certain period of time.
D This is a policy that must be followed but is not mandated by regulation.

A

69 D. See Chapter 6. An advisory policy is required by the organization but is
not mandated by a local or national government.

170
Q
70 132.116.72.5 is a:
A   MAC address
B   IPv4 address
C   Subnet mask
D   IPv6 address
A

70 B. See Chapter 5. This is an IPv4 address.

171
Q

71 An organization that’s developing its DRP has established a 20 minute
Recovery Time Objective (RTO). Which solution will best support this
objective?
A Cluster
B Cold site
C Hot site
D Virtualization

A

71 C. See Chapter 11. A short Recovery Time Objective (RTO) usually requires a
hot site because you have very little time available for setting up replacement
systems.

172
Q
72 Audits, background checks, video cameras, and listening devices are
known as:
A   Discretionary controls
B   Physical controls
C   Preventive controls
D   Detective controls
A

72 D. See Chapter 4. Detective controls are those controls that are designed to
detect security events, but can’t prevent them in the way that preventive
controls can.

173
Q
73 What’s the primary input of a high-level product design?
A   Feasibility study
B   Integration rules
C   Unit testing
D   Requirements
A

73 D. See Chapter 7. Requirements are the single largest input used in the high-level
product design phase.

174
Q
74 What historic event was the backdrop for breakthroughs in strategic
cryptography?
A   The Gulf War
B   World War I
C   World War II
D   The Six-Day War
A

74 C. See Chapter 8. World War II saw a significant advancement in the science
of cryptography. World War II became a war of cryptanalysis wherein each
participant was sometimes able to break the code of the others, resulting in
strategic advantages.

175
Q

75 Which of the following is NOT a precaution that needs to be taken before
monitoring e-mail?
A Establishing strict procedures that define under what circumstances e-mail may be searched
B Posting a visible notice that states e-mail is company information subject to search
C Issuing monitoring tools to all e-mail administrators
D Making sure that all employees know that e-mail is being monitored

A

75 C. See Chapter 12. Issuing monitoring tools to all e-mail administrators isn’t a
precaution at all — it’s not even a step that would be considered. The other
items do need to occur before any monitoring is performed.

176
Q

76 What’s the potential security benefit of rotation of duties?
A It reduces the risk that personnel will perform unauthorized activities.
B It ensures that all personnel are familiar with all security tasks.
C It’s used to detect covert activities.
D It ensures security because personnel aren’t very familiar with their duties.

A

76 A. See Chapter 10. Rotation of duties is used to keep mixing up the teams in
order to prevent situations in which individuals are tempted to perform unauthorized
acts.

177
Q

77 What does fail closed mean in the context of controlled building entrances?
A Controlled entrances permit no one to pass.
B Controlled entrances permit people to pass without identification.
C The access control computer is down.
D Everyone is permitted to enter the building.

A

77 A. See Chapter 13. Fail closed refers to any controlling mechanism that
remains in the locked position when it fails. In the case of controlled building
entrances, no one can enter the building by normal means.

178
Q
78 The sum total of all protection mechanisms in a system is known as a:
A   Trusted Computing Base
B   Protection domain
C   Trusted path
D   SPM (Summation Protection Mechanism)
A

78 A. See Chapter 9. A Trusted Computing Base is the complete picture of protection
used in a computer system.

179
Q

79 What is the definition of a “threat”?
A Any event that produces an undesirable outcome.
B A weakness present in a control or countermeasure.
C An act of aggression that causes harm.
D An individual likely to violate security policy.

A

79 A. See Chapter 6. A threat is a possible undesirable event that may cause
harm or damage.

180
Q
80 04:c6:d1:45:87:E8 is a:
A   MAC address
B   IPv4 address
C   Subnet mask
D   IPv6 address
A

80 A. See Chapter 5. This is a MAC address.

181
Q
81 Which of the following is NOT a natural disaster?
A   Tsunami
B   Pandemic
C   Flood
D   Communications outage
A

81 D. See Chapter 11. A communications outage is considered a man-made
disaster (although it can be caused by a naturally occurring event).

182
Q
82 Smart cards, fences, guard dogs, and card key access are known as:
A   Mandatory controls
B   Physical controls
C   Preventive controls
D   Detective controls
A

82 C. See Chapter 4. Preventive controls are controls that are used to prevent
security events.

183
Q

83 The main improvement of the Waterfall software life cycle model over earlier
process models is:
A System and software requirements are combined into one step.
B Developers can back up one step in the process for rework.
C Coding and testing is combined into one step.
D The need for rework was eliminated.

A

83 B. See Chapter 7. Going back one step for rework (of requirements, design,
coding, testing — whatever the step is that needs to be reworked) was the
main improvement of the Waterfall model. This is important because sometimes
any of the steps may fail to consider something that the next step
uncovers.

184
Q

84 Non-repudiation refers to:
A The technology that shoots down the “I didn’t send that message” excuse
B Re-verification of all Certificate Authority (CA) certificate servers
C The annual competency review of system authentication mechanisms
D The annual competency review of network authentication mechanisms

A

84 A. See Chapter 8. Non-repudiation helps to prove that a specific individual
did create or sign a document, or did transmit data to or receive data from
another individual.

185
Q
85 Intellectual property laws apply to:
A   Trade secrets, trademarks, copyrights, and patents
B   Trademarks, copyrights, and patents
C   Trademarks only
D   Patents only
A

85 A. See Chapter 12. Intellectual property laws apply to trade secrets, trademarks,
copyrights, and patents.

186
Q
86 The process of reviewing and approving changes in production systems is
known as:
A   Availability management
B   Configuration management
C   Change management
D   Resource control
A

86 C. See Chapter 10. Change management is the complete management function
that controls changes made to a production environment.

187
Q
87 A water sprinkler system that’s characterized as always having water in the
pipes is known as:
A   Dry-pipe
B   Wet-pipe
C   Preaction
D   Discharge
A

87 B. See Chapter 13. Wet-pipe is the sprinkler system type in which water is
always in the pipe.

188
Q
88 The mechanism that overlaps hardware instructions to increase performance
is known as:
A   RISC
B   Pipeline
C   Pipe dream
D   Multitasking
A

88 B. See Chapter 9. Pipelining is the mechanism used to overlap the steps in
machine instructions in order to complete them faster.

189
Q
89 A weakness in a security control is called a:
A   Risk
B   Vulnerability
C   Threat
D   Hole
A

89 B. See Chapter 6. A vulnerability is a weakness that can permit an undesirable
event.

190
Q
90 The “ping” command sends:
A   IGRP Echo Reply packets
B   IGRP Echo Request packets
C   ICMP Echo Request packets
D   UDP Echo Request packets
A

90 C. See Chapter 5. Ping uses ICMP Echo Requests.

191
Q

91 The term remote journaling refers to:
A A mechanism that transmits transactions to an alternative processing site
B A procedure for maintaining multiple copies of change control records
C A procedure for maintaining multiple copies of configuration management records
D A mechanism that ensures the survivability of written records

A

91 A. See Chapter 11. Remote journaling keeps data at an alternative site up-to-date
at all times.

192
Q

92 Is identification weaker than authentication?
A Yes: Identity is based only on the assertion of identity without providing proof.
B Yes: Identification uses ASCII data, whereas authentication uses binary data.
C No: Identification and authentication provide the same level of identity.
D No: They are used in different contexts and have nothing to do with each other.

A

92 A. See Chapter 4. Identification is only the assertion of identity, whereas
authentication is the proof of identity.

193
Q

93 A project team is at the beginning stages of a new software development
project. The team wants to ensure that security features are present in the
completed software application. In what stage should security be introduced?
A Requirements development
B Test plan development
C Application coding
D Implementation plan development

A

93 A. See Chapter 7. Security should be included in the earliest possible phases
of a software development project. The requirements phase is the earliest
among the choices offered.

194
Q
94 The amount of effort required to break a given ciphertext is known as:
A   The Work function
B   The Effort function
C   Cryptanalysis
D   Extraction
A

94 A. See Chapter 8. Work function is the term used to describe the amount of
time and/or money required to break a ciphertext.

195
Q

95 In order to be admissible, electronic evidence must:
A Be legally permissible
B Not be copied
C Have been in the custody of the investigator at all times
D Not contain viruses

A

95 A. See Chapter 12. Evidence gathered in violation of any laws can’t be admitted
in court.

196
Q
96 The process of maintaining and documenting software versions and settings
is known as:
A   Availability management
B   Configuration management
C   Change management
D   Resource control
A

96 B. See Chapter 10. Configuration management is the support function that’s
used to store version information about its systems.

197
Q

97 A water sprinkler system that charges the pipes when it receives a heat or
smoke alarm, and then discharges the water when a higher ambient temperature
is reached, is known as:
A Dry-pipe
B Wet-pipe
C Preaction
D Discharge

A

97 C. See Chapter 13. Preaction, a combination of dry-pipe and wet-pipe, is
increasingly popular in datacenters because it reduces the likelihood that a
water discharge will actually occur — and a discharge will be limited to a
small area in the datacenter.

198
Q
98 FORTRAN, BASIC, and C are known as:
A   Structured languages
B   Nested languages
C   Second-generation languages
D   Third-generation languages
A

98 D. See Chapter 9. FORTRAN, BASIC, and C are third-generation languages.

199
Q
99 A security control intended to reduce risk is called a:
A   Safeguard
B   Threat
C   Countermeasure
D   Partition
A

99 A. See Chapter 6. Safeguards exist to reduce risk in some way.

200
Q
100 SMTP is used to:
A   Manage multiple telnet sessions.
B   Tunnel private sessions through the Internet.
C   Simulate modems.
D   Transport e-mail.
A

100 D. See Chapter 5. SMTP, or Simple Mail Transport Protocol, is used to send
and receive e-mail messages.

201
Q
101 Backing up data by sending it through a communications line to a remote
location is known as:
A   Transaction journaling
B   Off-site storage
C   Electronic vaulting
D   Electronic journaling
A

101 C. See Chapter 11. Electronic vaulting is the term that describes backing up
data over a communications line to another location.

202
Q

102 Two-factor authentication is so called because:
A It requires two of the three authentication types.
B Tokens use two-factor encryption to hide their secret algorithms.
C Authentication difficulty is increased by a factor of two.
D It uses a factor of two prime numbers algorithm for added strength.

A

102 A. See Chapter 4. Two-factor authentication requires any two of Type 1
(something you know), Type 2 (something you have), and Type 3 (something
you are) authentication methods.

203
Q

103 Which of the following is NOT a value of change control in the software
development life cycle?
A Changes are documented and subject to approval.
B Scope creep is controlled.
C It gives the customer veto power over proposed changes.
D The cost of changes is considered.

A

103 C. See Chapter 7. Veto power is unlikely, but the other choices listed are
value-added features of change control.

204
Q

104 What’s one disadvantage of an organization signing its own certificates?
A The certificate-signing function is labor intensive.
B Anyone outside the organization will receive warning messages.
C The user-identification process is labor intensive.
D It’s much more expensive than having certificates signed by a
Certification Authority (CA).

A

104 B. See Chapter 8. A self-signed certificate doesn't chain to a root that browsers
and operating systems already trust, so any client outside the organization (where
the internal root hasn't been installed) displays a warning that the certificate's
issuer is unknown. Inside the organization this is manageable by distributing the
internal root CA certificate to managed devices.

205
Q

105 Which agency has jurisdiction over computer crimes in the United States?
A The Department of Justice
B The Electronic Crimes Task Force
C Federal, state, or local jurisdiction
D The FBI and the Secret Service

A

105 C. See Chapter 12. Federal, state, and local laws cover computer crime.
Depending on the crime, one or more levels of government may have
jurisdiction.

206
Q

106 Configuration Management is used to:
A Document the approval process for configuration changes.
B Control the approval process for configuration changes.
C Ensure that changes made to an information system don’t compromise
its security.
D Preserve a complete history of the changes to software or data in a
system.

A

106 D. See Chapter 10. Configuration management is used to preserve all prior
settings or versions of software or hardware, as well as to provide a check
out/check in capability to avoid collisions.

207
Q

107 Why would a dry-pipe sprinkler be preferred over a wet-pipe sprinkler?
A Dry-pipe systems put out a fire more quickly.
B Dry-pipe systems consume less water.
C Dry-pipe systems have a smaller likelihood of rust damage.
D Dry-pipe systems have a potentially useful time delay before water is
discharged.

A

107 D. See Chapter 13. Dry-pipe systems take a few moments (at least) before
water discharge begins.

208
Q
108 The purpose of an operating system is to:
A   Manage hardware resources.
B   Compile program code.
C   Decompile program code.
D   Present graphic display to users.
A

108 A. See Chapter 9. An operating system (OS) manages computer hardware
and presents a consistent interface to application programs and tools.

209
Q

109 The purpose of risk analysis is:
A To qualify the classification of a potential threat.
B To quantify the likelihood of a potential threat.
C To quantify the net present value of an asset.
D To quantify the impact of a potential threat.

A

109 D. See Chapter 6. The purpose of risk analysis is to quantify the impact of a
potential threat; in other words, to put a monetary value on the loss of information
or functionality.

210
Q

110 Which of the following is a disadvantage of SSL?
A It requires a certificate on every client system.
B It is CPU intensive.
C All clients must be retrofitted with HTTP v3 browsers.
D An eavesdropper can record and later play back an SSL session.

A

110 B. See Chapter 5. Because it encrypts and decrypts every packet it carries, SSL
consumes CPU time; on the hardware of the era this was a significant cost (hence
dedicated SSL accelerators). Note that D is false: session keys are derived from
fresh random values on each handshake, so a recorded session can't simply be replayed.

211
Q
111 Which of the following is NOT a method used to create an online redundant
data set?
A   Remote journaling
B   Off-site storage
C   Electronic vaulting
D   Database mirroring
A

111 B. See Chapter 11. Off-site storage is merely an alternate location for storing
back-up media.

212
Q
112 The phrase something you are refers to:
A   A user’s security clearance
B   A user’s role
C   Type 2 authentication
D   Type 3 authentication
A

112 D. See Chapter 4. Something you are refers to authentication that measures a
biometric, which means something physical, such as a fingerprint, retina
scan, or voiceprint.

213
Q

113 How does the Waterfall software development life cycle help to assure that
applications will be secure?
A Security requirements can be included early on and verified later in
testing.
B The testing phase includes penetration testing.
C The Risk Analysis phase will uncover flaws in the feasibility model.
D A list of valid users must be approved prior to production.

A

113 A. See Chapter 7. The greatest value in the development life cycle is getting
security requirements in at the beginning so that security will be “baked in.”

214
Q
114 The ability for a government agency to wiretap a data connection was
implemented in the:
A   Skipjack chip
B   Magic lantern
C   Cutty chip
D   Clipper chip
A

114 D. See Chapter 8. The Clipper chip implemented the Skipjack cipher with key
escrow: each chip's unit key was held by government escrow agents so that, with
legal authorization, traffic could be decrypted. Skipjack (answer A) is the
algorithm the chip used, not the chip itself.

215
Q

115 Under what circumstance may evidence be seized without a warrant?
A If it’s in the public domain
B If it’s believed that its destruction is imminent
C In international incidents
D If it’s on a computer

A

115 B. See Chapter 12. Evidence may be seized without a warrant when law enforcement
believes that it's about to be destroyed (what the law calls exigent circumstances).

216
Q
116 The traces of original data remaining after media erasure are known as:
A   Data remanence
B   Data traces
C   Leakage
D   Data particles
A

116 A. See Chapter 9. Erasure is seldom 100-percent effective. Despite complex
and time-consuming methods, the slightest traces of data on media that have
been erased may always remain.

217
Q

117 Why should a datacenter’s walls go all the way to the ceiling and not just
stop as high as the suspended ceiling?
A The walls will serve as an effective fire break.
B The HVAC will run more efficiently.
C The walls will be stronger.
D The high wall will block more noise.

A

117 A. See Chapter 13. Walls that go all the way up to the ceiling do a better job
of keeping fires from spreading into or out of the datacenter.

218
Q
118 Protection rings are used for:
A   Implementing memory protection
B   Creating nested protection domains
C   Modeling layers of protection around an information object
D   Shielding systems from EMF
A

118 B. See Chapter 9. Protection rings are layers of protection domains, with the
most protected domain in the center.

219
Q

119 Annualized Rate of Occurrence refers to:
A The exact frequency of a threat.
B The estimated frequency of a threat.
C The estimated monetary value of a threat.
D The exact monetary value of a threat.

A

119 B. See Chapter 6. Annualized Rate of Occurrence (ARO) is a risk management
term that describes the likelihood of the occurrence of a threat.

220
Q

120 An access control list is NOT used by:
A A firewall or screening router to determine which packets should pass
through.
B A router to determine which administrative nodes may access it.
C A bastion host to determine which network services should be
permitted.
D A client system to record and save passwords.

A

120 D. See Chapter 5. Access control lists are used on firewalls, routers, and bastion
hosts, but not on client systems (at least not for recording passwords!).

221
Q

121 A DRP that has a high RPO and a low RTO will result in:
A A system that takes more time to recover but has recent data
B A system that recovers quickly but has old data
C A system that recovers quickly and has recent data
D A system that has never been tested

A

121 B. See Chapter 11. A high Recovery Point Objective (RPO) means that data on
a recovered system will be older. A low Recovery Time Objective (RTO)
means that the system will be recovered quickly.

222
Q

122 Two-factor authentication is stronger than single-factor authentication
because:
A It uses a factor of two prime numbers algorithm for added strength.
B It relies on two factors, such as a password and a smart card.
C Authentication difficulty is increased by a factor of two.
D The user must be physically present to authenticate.

A

122 B. See Chapter 4. Two-factor authentication requires any two of Type 1
(something you know), Type 2 (something you have), and Type 3 (something
you are) authentication methods.

223
Q

123 The main purpose of configuration management is to:
A Require cost justification for any change in a software product.
B Require approval for any desired change in a software product.
C Maintain a detailed record of changes for the lifetime of a software
product.
D Provide the customer with a process for requesting configuration
changes.

A

123 C. See Chapter 7. Configuration management produces a highly detailed
record, including details of each and every copy of a software product that
was created.

224
Q
124 The cipher device used by Germany in World War II is known as:
A   M-922
B   M-902
C   Enigma
D   Turing
A

124 C. See Chapter 8. The famous device used by Germany to encrypt and
decrypt secret messages was the Enigma.

225
Q

125 Motive, means, and opportunity:
A Are required prior to the commission of a crime
B Are the required three pieces of evidence in any criminal trial
C Are the three factors that help determine whether someone may have
committed a crime
D Are the usual ingredients in a sting operation

A

125 C. See Chapter 12. Motive, means, and opportunity are the standard criteria
when considering a possible suspect in a crime.

226
Q

126 Software controls are used to:
A Perform input checking to ensure that no buffer overflows occur.
B Keep running programs from viewing or changing other programs’
memory.
C Perform configuration management-like functions on software.
D Ensure the confidentiality and integrity of software.

A

126 D. See Chapter 10. Software controls are used to protect software from unauthorized
disclosure or tampering.

227
Q
127 Which of the following are NOT fire detectors?
A   Dial-up alarms
B   Heat-sensing alarms
C   Flame-sensing alarms
D   Smoke-sensing alarms
A

127 A. See Chapter 13. Dial-up alarms don’t detect fire; they respond to a fire
detector and call the fire department by using a telephone line to play a prerecorded
message.

228
Q

128 The TCSEC document is known as the Orange Book because
A It’s orange in color.
B It covers the major classes of computing system security, D through A.
C Its coverage of security was likened to the defoliant Agent Orange.
D No adequate model of computing system security was available at the
time.

A

128 A. See Chapter 9. The Orange Book was one of several books in the Rainbow
Series, each describing various levels and contexts of computer security, and
each with its own unique color.

229
Q

129 Single Loss Expectancy refers to:
A The expectation of the occurrence of a single loss.
B The monetary loss realized from an individual threat.
C The likelihood that a single loss will occur.
D The annualized monetary loss from a single threat.

A

129 B. See Chapter 6. Single Loss Expectancy (SLE) is the monetary value associated
with an individual threat.

230
Q

130 What is the purpose of the DHCP protocol?
A It’s used to diagnose network problems.
B It assigns IP addresses to servers.
C It assigns IP addresses to stations that join the network.
D It’s used to dynamically build network routes.

A

130 C. See Chapter 5. DHCP (Dynamic Host Configuration Protocol) is used to assign
IP addresses to stations that join a network.

231
Q

131 The purpose of a BIA is:
A To determine the criticality of business processes
B To determine the impact of disasters on critical processes
C To determine the impact of software defects on critical business
processes
D To determine which software defects should be fixed first

A

131 B. See Chapter 11. A Business Impact Assessment (BIA) is used to determine
the impact that different types of disasters have on critical business processes.

232
Q

132 An organization has recently implemented a palm-scan biometric system to
control access to sensitive zones in a building. Some employees have objected
to the biometric system for sanitary reasons. The organization should:
A Switch to a fingerprint-scanning biometric system.
B Educate users about the inherent cleanliness of the system.
C Allow users who object to the system to be able to bypass it.
D Require employees to use a hand sanitizer prior to using the biometric
system.

A

132 D. See Chapter 4. It’s reasonable for some employees to voice concerns
regarding the cleanliness of a hand scanner that many employees will be
using. Making hand-sanitizing agents available and requiring all users to use
those hand sanitizers is a reasonable precaution to help prevent the spread
of illnesses.

233
Q

133 A security specialist has discovered that an application her company
produces has a JavaScript injection vulnerability. What advice should the
security specialist give to the application’s developers?
A Implement input filtering to block JavaScript and other script languages.
B Upgrade to the latest release of Java.
C Re-compile the application with safe input filtering turned on.
D Re-compile the application by using UTF-8 character set support.

A

133 A. See Chapter 7. An application with a script injection (cross-site scripting)
vulnerability must be modified so that user-supplied data can't be interpreted as
script. Of the choices, input filtering is the intended answer. In practice, filtering
alone is fragile: attackers nest or encode payloads to get past a blocklist of script
tags, and event-handler attributes carry script without any script tag at all. The
reliable fix is to validate input against an allowlist and to encode output for the
context in which it's rendered (HTML body, attribute, JavaScript, URL).
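As an added example (not code from the book or the flashcard deck), the following Python shows why the blocklist answer is weaker than output encoding. The sample inputs are constructed for this example; `naive_filter` stands in for a "strip script tags" input filter, and `active_content` uses the standard-library HTML parser to report whether the rendered fragment still contains an element or an on* handler a browser would execute.

```python
import re
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the original page): one benign value that
# happens to contain HTML metacharacters, and three injection attempts.
SAMPLES = {
    "benign": "O'Neil & Sons <b>",
    "plain_script": "<script>alert(1)</script>",
    "nested_bypass": "<scr<script>ipt>alert(1)</script>",
    "event_handler": '<img src=x onerror="alert(1)">',
}

_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Blocklist filtering: strip <script> tags in a single pass.

    This is what "block JavaScript on input" usually turns into. It is
    bypassable: removing the inner tag of "<scr<script>ipt>" reassembles a
    working "<script>", and it never looks at event-handler attributes.
    """
    return _SCRIPT_TAG.sub("", value)


def render_unsafe(value: str) -> str:
    """Template that interpolates the value into an HTML text node verbatim."""
    return f"<p>{value}</p>"


def render_safe(value: str) -> str:
    """Same template with context-aware output encoding for an HTML text node."""
    return f"<p>{html.escape(value, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records what a browser-style parse would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers.extend(
            name for name, _ in attrs if name.lower().startswith("on")
        )


def active_content(fragment: str) -> bool:
    """True if the parsed fragment contains any element other than the <p>
    wrapper, or any on* event-handler attribute."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return any(t != "p" for t in collector.tags) or bool(collector.event_handlers)


def evaluate() -> dict:
    """For each sample, report whether the naive-filter path and the
    output-encoding path leave active content in the rendered page."""
    return {
        name: {
            "naive_filter_then_render": active_content(render_unsafe(naive_filter(v))),
            "render_with_escaping": active_content(render_safe(v)),
        }
        for name, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15s} {result}")
```

Running it shows the plain payload is caught by the filter, the nested and event-handler payloads are not, and every sample is inert once the output is escaped. The escaping is correct only for an HTML text node; a value placed inside a JavaScript string, a URL, or an attribute needs the encoder for that context.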

234
Q
134 Cryptography can be used for all the following situations EXCEPT:
A   Performance
B   Confidentiality
C   Integrity
D   Authentication
A

134 A. See Chapter 8. Cryptography can be used for confidentiality (by encrypting
a message), integrity (through the use of digital signatures), and authentication
(through the use of digital signatures to prove the origin of a message).
Cryptography isn’t used for performance.

235
Q

135 The burden of proof in U.S. civil law is:
A The preponderance of the evidence
B Beyond a reasonable doubt
C Beyond all doubt
D Based on the opinion of the presiding judge

A

135 A. See Chapter 12. The burden of proof in U.S. civil law is based on the
preponderance of the evidence.

236
Q

136 An organization may choose to perform periodic background checks on its
employees for all the following reasons EXCEPT:
A To determine whether the employee has earned any additional
educational degrees
B To determine whether a detrimental change in an employee’s financial
situation might entice him or her to steal from the employer
C To determine whether a criminal offense has occurred since the person
was hired that would impact the risk of continued employment
D To uncover any criminal offenses that weren’t discovered in the initial
background check

A

136 A. See Chapter 10. Periodic background checks can be used to discover any
new events in an employee’s criminal or financial background, as well as
uncover any criminal records that weren’t found in the initial background
check.

237
Q
137 Which class of hand-held fire extinguisher should be used in a datacenter?
A   Class B
B   Class C
C   Class A
D   Class D
A

137 B. See Chapter 13. A Class C fire extinguisher should be used in a datacenter;
this type is most effective against electronics and electrical fires.

238
Q
138 All the following CPUs are CISC design EXCEPT:
A   PDP-11
B   Intel x86
C   SPARC
D   Motorola 68000
A

138 C. See Chapter 9. PDP-11, Intel x86, and Motorola 68000 are CISC design
CPUs. SPARC is a RISC design CPU.

239
Q

139 A system architect has designed a system that is protected with redundant
parallel firewalls. This follows which security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed

A

139 A. See Chapter 6. An architecture with parallel components generally is following
the avoidance of a single point of failure.

240
Q
140 The type of cable that is best suited for high RF and EMF environments is:
A   Fiber-optic
B   Shielded twisted-pair
C   Coaxial
D   Thinnet
A

140 A. See Chapter 5. Because it transmits light instead of electrical signals,
fiber-optic cabling is virtually immune to RF and EMF environments.

241
Q

141 A Disaster Recovery Planning team has been told by management that the
equipment required to meet RTO and RPO targets is too costly. What’s the
best course of action to take?
A Classify the system as being out of scope.
B Reduce the RTO and RPO targets.
C Look for less expensive methods for achieving targets and report to
management if no alternatives can be found.
D Ask for more budget for recovery systems.

A

141 C. See Chapter 11. When management has determined that a proposed
disaster recovery architecture is too expensive, the project team needs to
find less costly alternatives. If none can be found, the project team needs to
inform management, who may approve of longer RPO and RTO targets that
should be less costly.

242
Q

142 A security manager is planning a new video surveillance system. The manager
wants the video surveillance system to be both a detective control and
a deterrent control. What aspect of the system’s design will achieve this
objective?
A Include a video-recording capability in the system.
B Make video cameras conspicuously visible and post warning notices.
C Hide video cameras and don’t post warning notices.
D Make video monitors conspicuously visible.

A

142 B. See Chapter 4. A video surveillance system can be an effective deterrent
control if its cameras are visible. Warning notices provide even greater deterrent
ability.

243
Q

143 Privacy advocacy organizations are concerned about the practice of aggregation,
which involves:
A Selling highly sensitive data to the highest bidder
B Distributing highly sensitive data to third parties
C Combining low-sensitivity data elements that results in highly sensitive
data
D Disclosing highly sensitive data to government agencies

A

143 C. See Chapter 7. Aggregation is the process of combining data, which can
result in the creation of highly sensitive information.

244
Q

144 A cipher uses a table to replace plaintext characters with ciphertext
characters. This type of cipher is known as:
A Stream
B Block
C Substitution
D Transposition

A

144 C. See Chapter 8. A substitution cipher uses a lookup table for substituting
one character for another.
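As an added example (not code from the book or the flashcard deck), here is a table-driven substitution cipher in Python together with the first step of the attack that breaks it. The key and the sample sentence are constructed for this example; the point the card doesn't show is that a simple substitution preserves the plaintext's letter frequencies, which is why frequency analysis recovers the table.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed key and sample text (not from the original page). The key is a
# permutation of the alphabet; the table maps each plaintext letter to it.
KEY = "qwertyuiopasdfghjklzxcvbnm"
SAMPLE = ("The enemy fleet enters the eastern sea before the evening tide; "
          "send the seventh regiment to defend the beachhead.")


def make_table(key: str) -> dict:
    """Build the substitution table: plaintext letter -> ciphertext letter."""
    key = key.lower()
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return dict(zip(ALPHABET, key))


def substitute(text: str, table: dict) -> str:
    """Replace each letter via the table, preserving case; other characters
    (spaces, punctuation) pass through unchanged."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            rep = table[low]
            out.append(rep.upper() if ch.isupper() else rep)
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    return substitute(plaintext, make_table(key))


def decrypt(ciphertext: str, key: str) -> str:
    inverse = {c: p for p, c in make_table(key).items()}
    return substitute(ciphertext, inverse)


def letter_frequencies(text: str) -> Counter:
    return Counter(ch for ch in text.lower() if ch in ALPHABET)


def most_common_letter(text: str) -> str:
    return letter_frequencies(text).most_common(1)[0][0]


def frequency_attack_step(ciphertext: str, expected_plain: str = "e") -> dict:
    """First step of frequency analysis: every occurrence of a plaintext
    letter becomes the same ciphertext letter, so the frequency profile
    survives encryption. The most common ciphertext letter is the natural
    guess for the most common letter of the language (e in English)."""
    return {most_common_letter(ciphertext): expected_plain}


if __name__ == "__main__":
    ct = encrypt(SAMPLE, KEY)
    print(ct)
    print(decrypt(ct, KEY))
    print(frequency_attack_step(ct), "table maps e ->", make_table(KEY)["e"])
```

A transposition cipher (answer D) is the contrasting case: it keeps the letters and rearranges their positions, so single-letter frequencies match the language but the table approach above doesn't apply.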

245
Q
145 Under U.S. law, the amount of a fine and the length of imprisonment are
based on:
A   The opinion of the judge
B   The opinion of the jury
C   The evidence introduced in a trial
D   Federal sentencing guidelines
A

145 D. See Chapter 12. Federal sentencing guidelines provide the range of possible
monetary fines and length of imprisonment.

246
Q

146 An organization has identified a high-risk activity that’s performed by a
single individual. The organization will change the activity so that two or
more individuals are required to perform the task. This new setup is
known as:
A Single point of failure
B Shared custody
C Split custody
D Separation of duties

A

146 D. See Chapter 10. Separation of duties is the concept that supports a process
design in which two or more individuals are required to perform a critical task.
The classic example is the three activities carried out by three separate individuals
in an accounting system: creating a payee, making a payment
request, and making a payment.

247
Q

147 An organization wants to erect fencing around its property to keep out
determined intruders. What are the minimum specifications that the organization
should consider?
A Eight feet in height and three strands of barbed wire at the top
B Twelve feet in height and three strands of barbed wire at the top
C Eight feet in height
D Twelve feet in height

A

147 A. See Chapter 13. To keep out determined intruders, an organization should
consider fencing that’s at least eight feet in height and includes three strands
of barbed wire.

248
Q
148 Which type of technology is a computer designer most likely to use for main
memory?
A   EAROM
B   Dynamic RAM
C   Flash
D   Hard drive
A

148 B. See Chapter 9. Most computers’ main memory uses dynamic RAM
(DRAM) or static RAM (SRAM).

249
Q

149 A document that lists the equipment brands, programming languages, and
communications protocols to be used in an organization is a:
A Policy
B Guideline
C Requirement
D Standard

A

149 D. See Chapter 6. A standards document defines the equipment brands, programming
languages, communications protocols, and other components to
be used in an organization.

250
Q

150 Which of the following is true about Digital Subscriber Line:
A Digital Subscriber Line is synonymous with DOCSIS (Data Over Cable
Service Interface Specification).
B Digital Subscriber Line is a simplex protocol.
C Digital Subscriber Line has been superseded by ISDN.
D Digital Subscriber Line has superseded ISDN.

A

150 D. See Chapter 5. Digital Subscriber Line has superseded ISDN in most areas.
The other statements are false.

251
Q

151 A DRP has an RTO of 24 hours and an RPO of 56 hours. This indicates that:
A The system will be operational within 24 hours and the maximum data
loss is 56 hours.
B The system will be operational within at least 24 hours and the maximum
data loss is 56 hours.
C The system will be operational within 56 hours and the maximum data
loss is 24 hours.
D The system will be operational within 24 hours and the maximum data
loss will be 32 hours.

A

151 A. See Chapter 11. An RTO of 24 hours means a recovery system will be
operational within 24 hours of a disaster. An RPO of 56 hours means the
maximum data loss will be 56 hours.

252
Q
152 The ability to associate users with their actions is known as:
A   Non-repudiation
B   Accountability
C   Audit trails
D   Responsibility
A

152 B. See Chapter 4. When users are associated with their actions (which is usually
achieved through audit logs), they’re made to be accountable.

253
Q

153 A database administrator has tuned a transaction processing database for
optimum performance. Business users now want to use the same database
for business intelligence and decision support. What action should the database
administrator take?
A Implement a separate data warehouse that’s tuned for decision support.
B Tune the transaction processing database to optimize performance of
decision support queries.
C Implement a database server cluster and tune the passive server for
decision support.
D Establish separate user IDs for transaction use and decision-support
use, and tune each for their respective purposes.

A

153 A. See Chapter 7. It’s rarely possible to tune a database management system
to provide adequate performance for both transaction processing and decision
support. A separate data warehouse should be implemented, and that
database tuned for that purpose. The original database should be tuned for
optimum transaction processing performance.

254
Q
154 The Advanced Encryption Standard algorithm is based on:
A   The Rijndael block cipher
B   The Rijndael stream cipher
C   The Skipjack cipher
D   The triple-DES cipher
A

154 A. See Chapter 8. AES (Advanced Encryption Standard) is based on the
Rijndael block cipher.

255
Q

155 An organization has developed a new technique for compiling computer
code and wants to protect that technique by using applicable intellectual
property law. Which type of protection should the organization use?
A Patent
B Trademark
C Service mark
D Copyright

A

155 A. See Chapter 12. A patent is the type of legal protection used for the design
of a mechanism.

256
Q

156 An organization is reducing the size of its workforce and has targeted the
lead database administrator for termination of employment. How should the
organization handle this termination?
A Terminate the employee’s user accounts within 24 hours of notification.
B Terminate the employee’s user accounts immediately after notification.
C Terminate the employee’s user accounts within 48 hours of notification.
D Retain the employee’s user accounts until a replacement can be trained.

A

156 B. See Chapter 10. A position such as database administrator, network
administrator, or system administrator usually has high privileges. The safest
course of action when terminating employment for a person in such a position
is to revoke all access immediately after (or just prior to) notification.

257
Q

157 What’s one disadvantage of the use of key cards as a building access
control?
A Key card readers are expensive.
B The False Accept Rate (FAR) may exceed the False Reject Rate (FRR).
C Any party who finds a lost key card can use it to enter a building.
D A key card’s PIN code is easily decrypted.

A

157 C. See Chapter 13. Unless coupled with a PIN pad or biometric reader, any
person can use a key card to enter a building.

258
Q
158 All the following are components of an operating system EXCEPT:
A   Compiler
B   Kernel
C   Device driver
D   Tools
A

158 A. See Chapter 9. Operating systems consist of a kernel, device drivers,
and tools.

259
Q
159 A document that describes the steps to be followed to complete a task is
known as a:
A   Process
B   Procedure
C   Guideline
D   Standard
A

159 B. See Chapter 6. A procedure describes the steps used to complete a task.

260
Q
160 Which routing protocol transmits its passwords in plaintext?
A   RIPv2
B   RIPv1
C   BGP
D   EIGRP
A

160 A. See Chapter 5. RIPv2 supports a simple-password authentication type that
carries the password in plaintext in the first route entry of the packet, so anyone
who can capture the UDP/520 traffic on the segment can read it. RIPv2 also defines
keyed MD5 authentication (RFC 2082), which should be used instead. RIPv1 has no
authentication at all.
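As an added example (not code from the book or the flashcard deck), this Python parser reads a RIPv2 UDP payload laid out per RFC 2453 and RFC 2082 and extracts the simple-password credential when one is present. The packet it parses is constructed by `build_rip_response` for the example; a capture tool would hand the same bytes to `parse_rip` from a packet seen on UDP port 520.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Wire format per RFC 2453 (RIPv2) and RFC 2082 (keyed MD5 authentication).
RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, IP, mask, next hop, metric
AFI_AUTH = 0xFFFF                         # marks an authentication entry
AUTH_SIMPLE = 2                           # plaintext password
AUTH_MD5 = 3                              # keyed MD5 (the key itself is never sent)
RIP_UDP_PORT = 520


@dataclass
class RipPacket:
    command: int
    version: int
    auth_type: Optional[int] = None
    password: Optional[str] = None        # only populated for AUTH_SIMPLE
    routes: List[Tuple[str, str, int]] = field(default_factory=list)


def parse_rip(payload: bytes) -> RipPacket:
    """Parse a RIP UDP payload and pull out any simple-password credential."""
    command, version, zero = RIP_HEADER.unpack_from(payload, 0)
    if zero != 0:
        raise ValueError("RIP header must-be-zero field is set")
    pkt = RipPacket(command, version)
    off = RIP_HEADER.size
    first = True
    while off + RIP_ENTRY.size <= len(payload):
        afi, tag, ip, mask, _next_hop, metric = RIP_ENTRY.unpack_from(payload, off)
        if afi == AFI_AUTH:
            if first:
                # Authentication entry: the 'route tag' slot holds the auth type;
                # the remaining 16 bytes hold the null-padded password for
                # type 2, or trailer metadata (not the key) for type 3.
                pkt.auth_type = tag
                if tag == AUTH_SIMPLE:
                    raw = payload[off + 4:off + RIP_ENTRY.size]
                    pkt.password = raw.rstrip(b"\x00").decode("ascii", "replace")
            else:
                break   # MD5 trailer entry: no routes follow it
        else:
            pkt.routes.append((socket.inet_ntoa(ip), socket.inet_ntoa(mask), metric))
        first = False
        off += RIP_ENTRY.size
    return pkt


def build_rip_response(password: Optional[str], routes) -> bytes:
    """Construct a RIPv2 response the way a router would emit it
    (test data, constructed for this example)."""
    payload = RIP_HEADER.pack(2, 2, 0)            # command 2 = response, version 2
    if password is not None:
        payload += struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE)
        payload += password.encode("ascii").ljust(16, b"\x00")
    for net, mask, metric in routes:
        payload += RIP_ENTRY.pack(2, 0, socket.inet_aton(net), socket.inet_aton(mask),
                                  b"\x00" * 4, metric)
    return payload


if __name__ == "__main__":
    sample = build_rip_response("s3cret", [("10.0.0.0", "255.0.0.0", 1)])
    print(parse_rip(sample))
```

The password is recoverable by anyone on the broadcast domain because RIPv2 responses go to the 224.0.0.9 multicast group. When the first entry has authentication type 3, the parser reports the type but no secret: the MD5 key never appears on the wire, only a digest computed with it.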

261
Q
161 Damage assessment of a datacenter after an earthquake should be performed
by:
A   The chief security officer
B   The datacenter manager
C   An unlicensed structural engineer
D   A licensed structural engineer
A

161 D. See Chapter 11. Only a licensed structural engineer is qualified to examine
the structure of a building after an earthquake and determine whether that
building can be safely used. The other parties aren’t qualified to make this
assessment.

262
Q

162 The primary reason users are encouraged to use passphrases, rather than
passwords, is:
A They’ll choose longer passwords that are inherently stronger than
shorter ones.
B Their passwords will include spaces, which make passwords more
complex.
C Newer systems don’t support passwords.
D Passphrases can be coupled with biometric systems.

A

162 A. See Chapter 4. The term passphrase simply means a longer password.
The longer a password, the more difficult it can be to crack.

263
Q

163 An application that was previously written to support a single user has been
changed to support multiple concurrent users. The application encounters
errors when two users attempt to access the same record. What feature
should be added to the application to prevent these errors?
A Load balancing
B Replication
C Record locking
D Clustering

A

163 C. See Chapter 7. Record locking is a mechanism used to arbitrate access to
resources in multiuser applications.
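As an added example (not code from the book or the flashcard deck), the following Python reproduces the failure on this card and one common cure. `RecordStore` is a constructed in-memory table; it implements record locking in its optimistic form, where each record carries a version number and a write is rejected if the record changed since the writer read it. The same idea is what a database `WHERE version = ?` clause or a `SELECT ... FOR UPDATE` lock provides.

```python
import threading
from dataclasses import dataclass


class StaleWriteError(Exception):
    """Raised when a write is based on a version of the record that another
    user's write has already superseded."""


@dataclass
class Record:
    value: int
    version: int = 0


class RecordStore:
    """Tiny in-memory table with per-record version numbers (optimistic locking)."""

    def __init__(self):
        self._rows = {}
        self._lock = threading.Lock()   # protects the dictionary itself

    def insert(self, key, value):
        with self._lock:
            self._rows[key] = Record(value)

    def read(self, key):
        """Return (value, version); the version is the caller's lock token."""
        with self._lock:
            row = self._rows[key]
            return row.value, row.version

    def overwrite(self, key, value):
        """Blind write: what the former single-user application did."""
        with self._lock:
            self._rows[key].value = value

    def compare_and_write(self, key, value, expected_version):
        """Write only if nobody changed the record since it was read."""
        with self._lock:
            row = self._rows[key]
            if row.version != expected_version:
                raise StaleWriteError(f"{key}: version {row.version} != {expected_version}")
            row.value = value
            row.version += 1
            return row.version


def lost_update_demo():
    """Two users read the same record, then both write blindly: the first
    user's update is silently lost."""
    store = RecordStore()
    store.insert("acct-1", 100)
    a_value, _ = store.read("acct-1")          # user A reads 100
    b_value, _ = store.read("acct-1")          # user B reads 100
    store.overwrite("acct-1", a_value + 10)    # A writes 110
    store.overwrite("acct-1", b_value + 5)     # B writes 105; A's +10 is gone
    return store.read("acct-1")[0]


def apply_delta(store, key, delta):
    """Read-modify-write that retries when the record changed underneath it.
    Returns how many stale writes were rejected before it succeeded."""
    rejected = 0
    while True:
        value, version = store.read(key)
        try:
            store.compare_and_write(key, value + delta, version)
            return rejected
        except StaleWriteError:
            rejected += 1


def guarded_update_demo():
    """Same interleaving with version checks: B's stale write is rejected,
    B re-reads and reapplies its change, and both updates survive."""
    store = RecordStore()
    store.insert("acct-1", 100)
    a_value, a_version = store.read("acct-1")
    b_value, b_version = store.read("acct-1")
    store.compare_and_write("acct-1", a_value + 10, a_version)      # A succeeds
    rejected = 0
    try:
        store.compare_and_write("acct-1", b_value + 5, b_version)   # B is stale
    except StaleWriteError:
        rejected += 1
        rejected += apply_delta(store, "acct-1", 5)                 # B retries
    return store.read("acct-1")[0], rejected


def concurrent_demo(n_threads=50):
    """Many real threads each add 1 through apply_delta; no update is lost."""
    store = RecordStore()
    store.insert("counter", 100)
    threads = [threading.Thread(target=apply_delta, args=(store, "counter", 1))
               for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.read("counter")[0]
```

`lost_update_demo` ends at 105 (the +10 vanished); `guarded_update_demo` ends at 115 after rejecting one stale write. Pessimistic locking (holding the record lock from read to write) avoids the retry but blocks other users for the whole edit, which is the usual trade-off.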

264
Q

164 Two users, A and B, have exchanged public keys. How can user A send a
secret message to user B?
A User A encrypts a message with user B’s public key; user B decrypts the
message with user B’s private key
B User A encrypts the message with user A’s private key; user B decrypts
the message with user B’s private key
C User A encrypts the message with user A’s private key; user B decrypts
the message with user A’s public key
D User A encrypts the message with user B’s public key; user B decrypts
the message with user A’s public key

A

164 A. See Chapter 8. In public key cryptography, a sender encrypts a message
with the recipient’s public key; the recipient decrypts the message with the
recipient’s private key.

265
Q

165 An intruder has been apprehended for breaking into an organization’s
computer systems to steal national security secrets. Under what U.S. law
will the intruder likely be charged?
A Cybercrime Act of 2001
B Federal Information Security Management Act of 2002
C U.S. Computer Fraud and Abuse Act of 1986
D U.S. Computer Security Act of 1987

A

165 C. See Chapter 12. An intruder who steals national security secrets in the U.S.
is likely to be charged with a violation of the Computer Fraud and Abuse Act
of 1986.

266
Q
166 The process of including text such as Company Confidential: For Internal
Use Only on a document is known as:
A   Branding
B   Classification
C   Watermarking
D   Marking
A

166 D. See Chapter 10. Marking is the act of putting the label (such as Company
Confidential) on a document. Classification (answer B) is the decision about which
sensitivity level applies; marking is how that decision is made visible to the reader.

267
Q

167 An organization wants to install a motion detector in a portion of a building
that has variable ambient noise. Which type of motion detector should be
considered?
A Wave pattern or capacitance
B Wave pattern
C Capacitance
D Photo-electronic

A

167 A. See Chapter 13. A wave pattern or capacitance motion detector would be a
candidate for an area that experiences ambient noise.

268
Q

168 An organization uses a Windows-based server to act as a file server. The
owners of individual files and directories are able to grant read and write
permissions to other users in the organization. This capability most closely
resembles which security model?
A Discretionary access control (DAC)
B Mandatory access control (MAC)
C Access matrix
D Take-Grant

A

168 A. See Chapter 9. The capability for end users to grant permissions to others
corresponds to the discretionary access control (DAC) model.

269
Q
169 The relationship between threat, vulnerability, and risk is defined as:
A   Risk = vulnerability × threat
B   Threat = vulnerability × risk
C   Vulnerability = threat × risk
D   Risk = vulnerability + threat
A

169 A. See Chapter 6. The basic relationship between threat, vulnerability, and
risk is that the risk is equal to the threat times the vulnerability.

270
Q
170 Which of the following WiFi protocols has not been compromised:
A   WEP
B   WPA
C   WPA2
D   TKIP
A

170 C. See Chapter 5. Of the choices listed, WPA2 with AES (CCMP) is the one the book
considers uncompromised: WEP is broken, and TKIP (the cipher WPA used) has known
attacks. Since the book was written, the 2017 KRACK key-reinstallation attacks
showed that WPA2 implementations could be forced to reuse keys, and WPA3 has been
introduced; treat WPA2-AES as the minimum, not as unbreakable.

271
Q

171 The purpose of software escrow is:
A Secure storage of software source code in the event of a disaster or the
failure of the company that produced it
B Third-party confirmation of the integrity of a software application
C Secure storage of software object code in the event of a disaster or the
failure of the company that produced it
D Third-party delivery of a software application

A

171 A. See Chapter 11. The purpose of a software escrow agreement (also known
as a source code escrow agreement) is the secure off-site storage of software
source code in the event of a disaster or the complete failure of the organization.

272
Q

172 A system has been designed to include strong authentication and transaction
logging so that subjects can’t deny having performed actions. This
inability for a subject to deny having performed an action is known as:
A Irresponsibility
B Culpable deniability
C Non-repudiation
D Dissociation

A

172 C. See Chapter 4. Non-repudiation is a property of a system to be able to prevent
a subject from denying that he or she performed an action. This is
accomplished through strong authentication and audit (or transaction) logging.

273
Q

173 An organization is considering the purchase of a business application. What
should the organization develop before making a product decision?
A Application code
B Specifications
C Design
D Requirements

A

173 D. See Chapter 7. An organization should develop requirements that define
the desired characteristics of an application that it will consider purchasing.

274
Q

174 Two users want to establish a private communications link. The two users
have never communicated before. How should a symmetric encryption key
be communicated to both parties?
A The encryption key should be kept by one party only.
B The encryption key should be transmitted as part of initial
communications.
C The encryption key should be transmitted by using an in-band
communications channel.
D The encryption key should be transmitted by using an out-of-band
communications channel.

A

174 D. See Chapter 8. For two parties that have not communicated before, a symmetric
encryption key must be sent through an out-of-band channel, one separate from the
link being protected; for example, an encryption key for network communications
sent by fax or courier. In practice, systems avoid this manual step by negotiating
the key with a key-agreement protocol such as Diffie-Hellman, or by using
public-key cryptography to wrap the symmetric key.

275
Q

175 An organization has developed a new method for building a mechanical
device. The organization doesn’t want to reveal the method to any third
party. Which type of protection should be used?
A Copyright
B Patent
C Trade secret
D Trademark

A

175 C. See Chapter 12. An organization that doesn't want to disclose a method should not patent it, because a patent filing publishes the method; copyright and trademark do not protect a method at all. Instead, the organization must carefully guard the method and treat it as a trade secret, which is protected only for as long as it actually stays secret.

276
Q

176 An intruder has broken into an organization’s computer systems to steal
industrial designs. This action is known as:
A Robbery
B Cracking
C Hacking
D Espionage

A

176 D. See Chapter 10. Espionage is the process of spying on an organization in
order to discover its military or industrial secrets.

277
Q

177 For fire suppression in a commercial datacenter, all the following types of
fire-suppression systems may be considered EXCEPT:
A FM-200
B Inert gas
C Preaction
D Deluge

A

177 D. See Chapter 13. Fire suppression in a commercial datacenter may include an inert gas system, a clean-agent system such as FM-200 (a halocarbon agent, HFC-227ea, rather than an inert gas), or a preaction sprinkler system (if local fire codes require some type of water sprinkler). A deluge system, which floods the whole area with water from open sprinkler heads, would never be considered.

278
Q
178 TCSEC has been superseded by which standard?
A Common Criteria
B ITSEC
C ISO 27002
D DITSCAP

A

178 A. See Chapter 9. The Trusted Computer System Evaluation Criteria (TCSEC)
has been superseded by the Common Criteria.

279
Q

179 When is it prudent to perform a quantitative risk analysis?
A When the probability of occurrence is low.
B When the value of assets is high.
C When the value of assets is low.
D When the probability of occurrence is high.

A

179 B. See Chapter 6. A quantitative risk analysis is more difficult and time-consuming to perform, and is usually done only on high-value assets, where the cost of the analysis is justified.

280
Q

180 Two users wish to establish a private communications link. The two users
have never communicated before. What algorithm should be used to
establish a symmetric encryption key?
A Merkle
B Diffie-Hellman
C Babbage
D RSA

A

180 B. See Chapter 8. The Diffie-Hellman (DH) key exchange algorithm lets two parties establish a shared symmetric encryption key over an open communications channel; an eavesdropper who sees both public values cannot compute the key. On its own DH does not authenticate the parties, so it must be combined with signatures or certificates to stop a man-in-the-middle from running a separate exchange with each side.
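Added example, not from the book or the flashcard set, showing what question 180 describes and why the caveat matters: a toy Diffie-Hellman exchange in Python, followed by a second run in which a man-in-the-middle substitutes her own public value toward each side. The group parameters (p = 2**127 - 1, g = 5), the party names and the function names are assumptions of the example; real deployments use the standardized groups of RFC 3526 / RFC 7919 or X25519, and authenticate the public values.

```python
import hashlib
import secrets

# Toy group for illustration only (an assumption of this example): p = 2**127 - 1
# is prime, but real deployments use the standardized 2048-bit and larger groups
# of RFC 3526 / RFC 7919, or an elliptic-curve variant such as X25519.
P = 2**127 - 1
G = 5


def dh_keypair(p=P, g=G):
    """Private exponent from the OS CSPRNG, public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared(priv, peer_pub, p=P):
    """Shared value peer_pub^priv mod p; both sides compute the same number."""
    if not 1 < peer_pub < p - 1:                 # reject 0, 1, p-1: degenerate values
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_key(shared, length=16):
    """Hash the shared value so the symmetric key is uniformly distributed bytes."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:length]


def honest_exchange():
    """Only a_pub and b_pub cross the channel; an eavesdropper sees both, yet cannot derive the key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared(a_priv, b_pub))
    key_b = derive_key(dh_shared(b_priv, a_pub))
    return key_a, key_b


def mitm_exchange():
    """Unauthenticated DH: Mallory swaps in her own public value toward each side.

    Returns (alice_shares_key_with_mallory, bob_shares_key_with_mallory, alice_and_bob_agree).
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    key_alice = derive_key(dh_shared(a_priv, m_pub))      # Alice believes m_pub is Bob's
    key_bob = derive_key(dh_shared(b_priv, m_pub))        # Bob believes m_pub is Alice's
    key_m_alice = derive_key(dh_shared(m_priv, a_pub))    # Mallory's key toward Alice
    key_m_bob = derive_key(dh_shared(m_priv, b_pub))      # Mallory's key toward Bob
    return key_alice == key_m_alice, key_bob == key_m_bob, key_alice == key_bob


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange agrees:", ka == kb)
    print("MITM (alice<->mallory, bob<->mallory, alice<->bob):", mitm_exchange())
```

The honest run yields identical keys on both sides; the man-in-the-middle run shows Mallory holding a key with each party separately while Alice and Bob do not share one. DH alone cannot detect that, which is why an out-of-band channel (question 174) or signatures over the public values are still needed.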

281
Q

181 The purpose of Layer 1 in the OSI model is to:
A Transmit and receive bits.
B Sequence packets and calculate checksums.
C Perform application-to-application communications.
D Transmit and receive frames.

A

181 A. See Chapter 5. Layer 1 of the OSI model is concerned only with sending
and receiving bits.

282
Q
182 The main reason for incorporating a CAPTCHA is:
A To slow down brute-force attacks.
B To prevent non-human interaction.
C To improve application performance.
D To reduce false-positives.

A

182 B. See Chapter 4. The primary reason for using CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart) is to
ensure that a human is interacting with an application.

283
Q
183 A set of SQL statements that are stored in the database is known as a:
A Callout
B Subroutine
C Prepared statement
D Stored procedure

A

183 D. See Chapter 7. A stored procedure is a set of one or more SQL statements
that are stored in the database management system, usually in the data
dictionary.

284
Q

184 Two users have exchanged public keys. User A has encrypted a message
with User B’s public key. What must User B do to read the message?
A Decrypt the message with User A’s private key.
B Decrypt the message with User A’s public key.
C Decrypt the message with User B’s public key.
D Decrypt the message with User B’s private key.

A

184 D. See Chapter 8. In public key cryptography, a sender encrypts a message
with the recipient’s public key. The recipient decrypts the message with his
own private key.

285
Q

185 The USA PATRIOT Act:
A Makes it illegal to encrypt international e-mail messages.
B Makes it illegal to export strong encryption technology.
C Gives law enforcement greater power of surveillance, search, and
seizure.
D Means judges no longer need to approve search warrants.

A

185 C. See Chapter 12. The USA PATRIOT Act gives law enforcement organizations
greater search and seizure powers, primarily to combat terrorism.

286
Q

186 An organization has added bank account numbers to the data it backs up to
tape. The organization should:
A Back up only the hashes of bank account numbers and not the numbers
themselves.
B Split bank account numbers so they reside on two different backup tapes.
C Stop sending backup tapes off-site.
D Encrypt backup tapes that are sent off-site.

A

186 D. See Chapter 10. An organization that backs up sensitive data such as bank
account numbers should consider encrypting its backup media.

287
Q

187 The purpose of a motion sensing request-to-exit sensor on an exterior
doorway is:
A Count the number of persons exiting the door.
B Count the number of persons entering the door.
C Unlock an exterior door and permit a person to exit.
D Detect when a person is approaching an exterior exit from the inside.

A

187 D. See Chapter 13. The purpose of a request-to-exit (REX) sensor is to detect when a person is approaching a doorway, usually an exterior exit door, from the inside, so that the access control system knows the door opening that follows is a legitimate exit. If an exterior door is opened without a key-card read and without the REX sensor having detected anyone approaching from inside, then the door is assumed to have been opened with a key or forced open by an intruder.

288
Q
188 The risks associated with outsourcing computing to the Cloud are all of the
following EXCEPT:
A Data ownership.
B Data jurisdiction.
C Control effectiveness.
D Availability.

A

188 A. See Chapter 9. Data jurisdiction, control effectiveness, and availability are
risks associated with cloud computing. Data ownership is not usually an issue.

289
Q

189 A system architect has designed a system that is protected with two layers
of firewalls, where each firewall is a different make. This follows which
security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed

A

189 B. See Chapter 6. A network that uses two different makes of firewalls follows
the principle of defense in depth. A weakness in one firewall is not likely to
be present in the other.

290
Q
190 The range of all possible encryption keys is known as:
A Keyrange.
B Keyspace.
C Elliptic curve.
D Cryptospace.

A

190 B. See Chapter 8. The complete range of possible keys in a cryptosystem is
known as the keyspace.

291
Q
191 2001:0F56:45E3:BA98 is a:
A MAC address
B IPv4 address
C Subnet mask
D IPv6 address

A

191 D. See Chapter 5. 2001:0F56:45E3:BA98 is written in IPv6 notation: colon-separated groups of four hexadecimal digits. Note that a complete IPv6 address has eight such groups (or uses :: to compress a run of zero groups), so the four groups shown are only the leading part of an address or prefix.

292
Q

192 An authentication system does not limit the number of invalid login
attempts. This system is:
A Designed for machine interaction only.
B Integrated to a single sign-on (SSO) service.
C Vulnerable to brute force attacks.
D Not used to store sensitive data.

A

192 C. See Chapter 4. A system that does not limit the number of invalid login attempts is vulnerable to mechanized password guessing (brute-force and dictionary) attacks: the attacker can attempt to log in thousands of times until the correct password is discovered. Account lockout, progressive delays, and rate limiting per account and per source address are the usual countermeasures.
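Added example (not the book's code) of the missing control from question 192, in Python: a login guard that locks an account after a fixed number of consecutive failures and refuses further attempts, right or wrong, until the lockout expires. The user store, username, password, thresholds and the injectable clock are constructed for the example. The trade-off to keep in mind is that a bare per-account lockout lets anyone who knows a username lock its owner out, so real deployments combine it with rate limiting by source address and progressive delays.

```python
import hashlib
import hmac
import secrets
import time


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed credential store for this example: username -> (salt, PBKDF2 hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


class LoginGuard:
    """Locks an account after too many failures; the lock is checked before the password."""

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # username -> consecutive failure count
        self._locked_until = {}   # username -> monotonic time at which the lock expires

    def attempt(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable so the lockout can be tested."""
        now = time.monotonic() if now is None else now
        if self._locked_until.get(username, 0.0) > now:
            return "locked"                       # refuse without evaluating the password
        record = USERS.get(username)
        # Unknown users are hashed against a dummy record so timing does not reveal valid names.
        salt, stored = record if record else (_SALT, b"\x00" * 32)
        computed = _hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(computed, stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = count
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for guess in ["password", "letmein", "alice123", "qwerty", "hunter2"]:
        print(guess, "->", guard.attempt("alice", guess, now=0.0))
    print("right password while locked ->",
          guard.attempt("alice", "correct horse battery staple", now=10.0))
    print("after the lockout expires ->",
          guard.attempt("alice", "correct horse battery staple", now=1000.0))
```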

293
Q

193 An attacker has discovered a way to change his permissions from an
ordinary end user to an administrator. This type of attack is known as:
A Back door.
B Denial of Service.
C Privilege injection.
D Escalation of privilege.

A

193 D. See Chapter 7. An attack that results in increased permissions is known as
escalation of privilege.

294
Q

194 A user has lost the password to his private key. The user should:
A Create a new password for his private key
B Decrypt his private key
C Retrieve the password from his public key
D Generate a new keypair

A

194 D. See Chapter 8. If a user has lost the password (passphrase) that protects his private key, the key can no longer be used; the user must generate a new keypair and, if the old public key was published or certified, have it revoked so that others stop encrypting to it.

295
Q

195 The burden of proof in U.S. criminal law is:
A The preponderance of the evidence
B Beyond a reasonable doubt
C Beyond all doubt
D Based on the opinion of the presiding judge

A

195 B. See Chapter 12. The burden of proof in U.S. criminal law is “beyond a reasonable
doubt.”

296
Q

196 The best approach for patch management is:
A Install only those patches that scanning tools specify are missing.
B Install patches only after problems are experienced.
C Install all available patches.
D Perform risk analysis and install patches that are relevant.

A

196 D. See Chapter 10. The best approach for patch management is to perform risk analysis on each patch and install those that are relevant. Applying every available patch consumes more resources and can introduce changes that destabilize otherwise stable systems; waiting for problems to appear (option B) leaves known vulnerabilities exposed.

297
Q
197 In addition to video surveillance, how can a public reception area be best
protected?
A Duress alarm
B Pepper spray
C Hand signals
D Emergency telephone numbers

A

197 A. See Chapter 13. A duress alarm can be used to signal other personnel that
there is an emergency in a specific area of a building.

298
Q

198 The main weakness of a homogeneous environment is:
A A variety of systems is more difficult to manage effectively.
B Inconsistent management among systems in the environment.
C A vulnerability in one system is likely to be found in all systems in the
environment.
D Port scans will take longer to complete.

A

198 C. See Chapter 9. The main weakness of a homogeneous environment is that
all of the systems are the same. If one system has a vulnerability or weakness,
many or all of the other systems in the environment are likely to have
the same vulnerability or weakness.

299
Q

199 A security manager has designed a building entrance that will lock doors in
the event of a power failure. This follows which security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed

A

199 D. See Chapter 6. A system that blocks all access in the event of a power failure (or other type of failure) follows the principle of fail closed (also called fail secure). Life-safety codes still require that occupants can leave a building during a failure, so fail closed applies to entry, not to egress.

300
Q

200 An effective cryptosystem is all of the following EXCEPT:
A Efficient.
B Easy to crack.
C Easy to use.
D Strong, even if its algorithm is known.

A

200 B. See Chapter 8. An effective cryptosystem is easy to use, strong even if its algorithm is known (Kerckhoffs's principle: only the key is secret), and makes efficient use of resources. A cryptosystem that is easily broken is not effective.

301
Q
201 255.255.0.0 is a:
A MAC address
B IPv4 address
C Subnet mask
D IPv6 address

A

201 C. See Chapter 5. 255.255.0.0 is an IPv4 subnet mask.

302
Q

202 The main reason for preventing password re-use is:
A To increase password entropy.
B To prevent a user from reverting to their old, familiar password.
C To encourage users to use different passwords on different systems.
D To prevent users from using the same passwords on different systems.

A

202 B. See Chapter 4. Preventing password re-use stops users from reverting to old, familiar passwords. A previously used password may already have been exposed or guessed, so allowing it back increases, if only slightly, the risk of system compromise.

303
Q

203 A software developer has introduced a feature in an application that permits
him to access the application without the need to log in. This feature is
known as a:
A Bypass
B Front door
C Side door
D Back door

A

203 D. See Chapter 7. A back door is a feature that permits covert access to a
system, usually through bypassing access controls.

304
Q
204 A cryptosystem uses two-digit numerals to represent each character of a
message. This is a:
A Concealment cipher
B Vernam cipher
C Substitution cipher
D Transposition cipher

A

204 C. See Chapter 8. A cryptosystem where message characters are converted
to two-digit numerals is a substitution cipher, because ciphertext characters
are substituted for message characters.

305
Q

205 California state law SB-1386:
A Requires organizations to publish their privacy policies.
B Requires organizations to encrypt bank account numbers.
C Requires organizations to disclose security breaches to affected citizens.
D Requires organizations to encrypt private data.

A

205 C. See Chapter 12. The California Security Breach Information Act, SB-1386,
requires organizations to disclose security breaches of specific personal data
to all affected citizens, unless that data was encrypted. The law does not
require that any data be encrypted.

306
Q

206 The purpose of penetration testing is:
A Simulate an attack by insiders.
B Confirm the presence of application vulnerabilities.
C Confirm the effectiveness of patch management.
D Simulate a real attack and identify vulnerabilities.

A

206 D. See Chapter 10. The purpose of penetration testing is to simulate an attack
by malicious outsiders or insiders who may be attempting to compromise a
target system.

307
Q

207 An advantage of video surveillance motion sensing recording over continuous
recording is:
A Date and time stamping on video frames.
B Improved durability of storage media.
C Lower cost of storage media.
D Relevant content can be retained for a longer period of time.

A

207 D. See Chapter 13. In a motion-sensing surveillance system, only content with actual motion is recorded. This allows content to be retained for a longer period of time, because periods with no activity are never written to storage.

308
Q

208 The four basic requirements in the Orange Book are:
A Security policy, assurance, accountability, and documentation.
B Security policy, availability, accountability, and documentation.
C Security policy, assurance, confidentiality, and documentation.
D Security policy, assurance, accountability, and integrity.

A

208 A. See Chapter 9. The four basic requirements described in the Orange Book
are security policy, assurance, accountability, and documentation.

309
Q
209 A document that is unclassified:
A Is a threat to national security.
B Is not sensitive.
C Is secret and must be protected.
D Is not a threat to national security.

A

209 B. See Chapter 6. A document that is unclassified does not contain sensitive
information.

310
Q

210 In a symmetric cryptosystem, two users who wish to exchange encrypted
messages exchange cryptovariables. The next thing the users should do is:
A Re-issue encryption keys.
B Begin to exchange encrypted messages.
C Change encryption algorithms.
D Change to an asymmetric cryptosystem.

A

210 B. See Chapter 8. When two users have exchanged cryptovariables (also
known as encryption keys), they may begin exchanging encrypted messages.

311
Q
211 In the resource \\usdb01\symm\dev\src\, usdb01 is a:
A Server.
B Directory.
C File.
D Network.

A

211 A. See Chapter 5. In the Uniform Naming Convention (UNC) path \\usdb01\symm\dev\src\, usdb01 is the name of a server; symm is the share on that server, and dev\src\ is a directory path within the share.

312
Q
212 An attacker has obtained a file containing hashed passwords. The fastest
way to crack the hashed passwords is:
A Unsalt the hashes
B Brute-force attack
C Rainbow tables
D Cryptanalysis

A

212 C. See Chapter 4. An attacker who obtains a list of hashed passwords may be able to use a rainbow table, a precomputed mapping from hashes back to passwords, to look up the matching hashes and read off their corresponding passwords with no further computation. This works only against unsalted hashes: a random per-password salt makes every hash unique, so no precomputed table applies and the attacker must fall back to brute-force or dictionary guessing against each record separately. "Unsalting" a hash (option A) is not an operation that exists.
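Added example, not from the book, of the point in question 212 in Python: a precomputed hash-to-password table cracks unsalted hashes by lookup alone, while a random per-record salt plus a slow key-derivation function (PBKDF2 here) makes the table useless and forces fresh computation for every record. The wordlist, the leaked hashes and the iteration count are constructed for the example; the dictionary stands in for the hash chains of a real rainbow table.

```python
import hashlib
import hmac
import secrets

# Constructed data for this example: a tiny wordlist stands in for the millions of
# candidates behind a real table, and two "leaked" unsalted SHA-256 hashes.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "Summer2019"]
LEAKED_UNSALTED = [
    hashlib.sha256(b"hunter2").hexdigest(),
    hashlib.sha256(b"correct horse battery staple").hexdigest(),   # not in the wordlist
]
ITERATIONS = 50_000


def build_table(words):
    """Precompute hash -> password once. A real rainbow table compresses this with
    hash chains, but the attacker's per-record step is the same: a lookup."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def crack_with_table(table, leaked_hashes):
    """Every unsalted hash that appears in the table is cracked instantly."""
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_salted(password, salt=None):
    """Defender side: random per-password salt plus a slow KDF."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def guess_salted(words, salt, digest):
    """With a salt the table is useless: the attacker must rerun the KDF per record per guess."""
    for w in words:
        if verify_salted(w, salt, digest):
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("table cracks:", crack_with_table(table, LEAKED_UNSALTED))
    salt, digest = hash_salted("hunter2")
    print("salted hash found in table:", digest.hex() in table)
    print("per-record guessing recovers:", guess_salted(WORDLIST, salt, digest))
```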

313
Q

213 The best method for defending against cross-site request forgery (CSRF)
attacks is:
A Encrypt traffic with SSL/TLS.
B Block JavaScript execution.
C Filter input fields to reject injection strings.
D Include a transaction confirmation step with every critical application
function.

A

213 D. See Chapter 7. The best defense against cross-site request forgery (CSRF) attacks, among the options given, is to add subsequent steps such as a transaction confirmation that a forged request cannot complete on its own. In current practice the same goal is met with an unpredictable per-session anti-CSRF token that every state-changing request must carry, together with the SameSite cookie attribute. TLS (option A) and input filtering (option C) do not help, because a forged request is well-formed and carries the victim's genuine session cookie.
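Added example, not the book's code, of the anti-CSRF token defense mentioned above, in Python: the server derives a token from the session identifier with an HMAC, embeds it in its own forms, and rejects any state-changing request whose token does not match the session cookie. The request shape, the endpoint and the session identifiers are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret (constructed for this example; in deployment it comes
# from configuration, not from the code).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC(secret, session_id). The server embeds it in every
    form as a hidden field; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request):
    """State-changing endpoint. `request` is a hypothetical minimal shape:
    {'cookies': {...}, 'form': {...}}. Returns an HTTP status code."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401                                  # not logged in
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403                                  # cookie present, token absent or wrong: forged
    # ... perform the transfer here ...
    return 200


# Constructed requests: the browser attaches the session cookie to both, which is exactly
# why CSRF works; only the legitimate form carries the token.
LEGITIMATE = {
    "cookies": {"session": "s3ss10n-abc"},
    "form": {"csrf_token": issue_csrf_token("s3ss10n-abc"), "to": "bob", "amount": "10"},
}
FORGED = {
    "cookies": {"session": "s3ss10n-abc"},
    "form": {"to": "mallory", "amount": "1000"},
}
ANONYMOUS = {"cookies": {}, "form": {"to": "mallory", "amount": "1000"}}

if __name__ == "__main__":
    print("legitimate:", handle_transfer(LEGITIMATE))
    print("forged:", handle_transfer(FORGED))
    print("anonymous:", handle_transfer(ANONYMOUS))
```

Because the token is bound to the session, a token captured from one session is useless against another; SameSite=Lax or Strict on the cookie adds a second, browser-enforced layer.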

314
Q

214 A cryptosystem uses a key that is the same length as the message. The key
is used only for this message. This is a:
A Transformation cipher.
B Transposition cipher.
C Substitution cipher.
D Vernam cipher.

A

214 D. See Chapter 8. A Vernam cipher, or one-time pad, is a cryptosystem in which the encryption key is as long as the message, is truly random, and is used only one time, for that message alone. Under those conditions it is unbreakable; reusing a pad for a second message breaks it, because XORing the two ciphertexts cancels the key and exposes the XOR of the two plaintexts.
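Added example, not from the book, of the Vernam cipher from question 214 in Python: encryption and decryption are a single XOR with a pad as long as the message, and the last function shows why the pad may be used only once. The sample messages are constructed for the example.

```python
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_key(length):
    """A fresh pad from the OS CSPRNG; the pad must be as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, key):
    if len(key) != len(plaintext):
        raise ValueError("pad must be exactly as long as the message")
    return xor_bytes(plaintext, key)


otp_decrypt = otp_encrypt       # XOR is its own inverse


def two_time_pad_leak(c1, c2, known_p1):
    """If one pad encrypted both messages, c1 XOR c2 == p1 XOR p2: the key cancels out,
    and knowing (or guessing) p1 yields p2 without ever recovering the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1 = b"ATTACK AT DAWN  "
    p2 = b"RETREAT AT DUSK "
    key = otp_key(len(p1))
    c1 = otp_encrypt(p1, key)
    print("round trip:", otp_decrypt(c1, key) == p1)
    c2 = otp_encrypt(p2, key)               # the mistake: the pad is reused
    print("recovered from key reuse:", two_time_pad_leak(c1, c2, p1))
```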

315
Q

215 The purpose of the Sarbanes-Oxley Act of 2002 is to:
A Restore investors’ confidence in U.S. companies.
B Ensure privacy of all U.S. citizens.
C Increase penalties for security breaches.
D Reduce securities fraud.

A

215 A. See Chapter 12. The purpose of the Sarbanes-Oxley Act of 2002 is to
renew public trust in U.S. public companies by strengthening company controls
related to financial reporting.

316
Q

216 A disadvantage of a HIDS is all of the following EXCEPT:
A A server-based HIDS system cannot be a choke point like a NIDS/
NIPS can.
B A separate HIDS instance must be installed and maintained on every
server.
C HIDS can only perform signature-based detection, not anomaly-based
detection.
D It will not detect port scans on unused IP addresses.

A

216 C. See Chapter 10. Because it has to be installed on every host, an organization may have many HIDS instances to maintain, and because a HIDS runs on individual hosts it cannot act as a network choke point the way a network-based IDS can; it sees only traffic sent directly to the host it runs on, so it will not notice port scans of unused addresses. Option C is the false statement: a HIDS is not limited to signature matching and can also detect anomalies, such as unexpected changes to files, configuration, or process behavior.

317
Q

217 The primary advantage for remote monitoring of datacenter access controls is:
A Local monitoring cannot identify all intrusions.
B Remote monitoring is more effective than local monitoring.
C Reduction of costs.
D It compensates for the possibility that personnel in the datacenter are
unavailable or compromised.

A

217 D. See Chapter 13. One of the main reasons for employing remote monitoring
of physical access controls in a datacenter is the ability to observe physical
access controls even if local staff are unavailable or compromised.

318
Q

218 TCSEC evaluation criteria are:
A Certification, inspection, and accreditation.
B Confidentiality, integrity, and availability.
C Measurement, guidance, and acquisition.
D System architecture, system integrity, and covert channel analysis.

A

218 C. See Chapter 9. TCSEC (Orange Book) system evaluation criteria are measurement,
guidance, and acquisition.

319
Q
219 A document that lists approved protocols is known as a:
A Process
B Procedure
C Guideline
D Standard

A

219 D. See Chapter 6. A document that lists approved protocols, technologies, or
suppliers is known as a standard.

320
Q
220 An encryption algorithm that rearranges bits, characters, or blocks of data is
known as a:
A Substitution cipher.
B Transposition cipher.
C Vernam cipher.
D Concealment cipher.

A

220 B. See Chapter 8. An encryption algorithm that rearranges bits, characters, or
blocks of data is known as a transposition cipher, because it transposes data.

321
Q

221 Systems on an internal network have RFC 1918 network addresses. To
permit these systems to communicate with systems on the Internet, what
should be implemented on the firewall?
A NAT
B NAC
C NAP
D NAS

A

221 A. See Chapter 5. In order to facilitate communication to the Internet on systems
with RFC 1918 (private) addresses, implement NAT (network address
translation) on a firewall.

322
Q

222 The purpose of a user account access review is:
A All of these.
B To ensure that employee terminations were properly processed.
C To ensure that all role assignments were properly approved.
D To ensure that assigned roles are still needed.

A

222 A. See Chapter 4. A user account access review serves several purposes at once, including confirming that employee terminations resulted in timely removal of access, that all role assignments were properly approved, and that users still require the roles they hold.

323
Q
223 The most effective countermeasure for session hijacking is:
A Two-factor authentication.
B Strong passwords.
C Full disk encryption.
D Full session HTTPS encryption.

A

223 D. See Chapter 7. Session hijacking occurs when an attacker obtains a victim user's session cookie and presents it as his own. Encrypting the full session with HTTPS is an effective countermeasure, since an attacker on the network cannot read the cookie in transit; the cookie should also carry the Secure attribute, so the browser never sends it over plain HTTP, and HttpOnly, so script injected into the page cannot read it.

324
Q

224 A cryptologist has determined that a cryptosystem has a weak PRNG. This
can lead to:
A Compromise of the cryptosystem
B Increased performance of the cryptosystem
C Decreased performance of the cryptosystem
D Collisions

A

224 A. See Chapter 8. A weak pseudo-random number generator (PRNG) produces keys, initialization vectors, or nonces that an attacker can predict or enumerate, for example by trying every seed a poorly seeded generator could have started from; the cryptosystem is then broken no matter how strong its algorithm is. Key material must come from a cryptographically secure generator seeded from the operating system's entropy source.
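Added example, not the book's code, of the failure described in question 224, in Python: a key derived from a general-purpose generator seeded with a second-resolution timestamp has only a few thousand possible values within the attacker's window, so the attacker recovers the key by trying every seed against a known message header. The send time, the message and the one-hour window are constructed for the example, and the XOR "cipher" is a stand-in so that the weakness shown is the key, not the algorithm.

```python
import random
import secrets


def weak_key(seed):
    """Key from Python's Mersenne Twister seeded with a timestamp: the flaw being shown."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_key():
    """What the generator should have done: 128 bits from the OS CSPRNG."""
    return secrets.token_bytes(16)


def xor_encrypt(data, key):
    """Toy cipher so the demonstration is about the key, not the algorithm."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext, known_plaintext, t_start, t_end):
    """Attacker knows the key was seeded from a second-resolution timestamp and that the
    message starts with a known header; every seed in the window is tried."""
    for seed in range(t_start, t_end + 1):
        candidate = weak_key(seed)
        if xor_encrypt(ciphertext[: len(known_plaintext)], candidate) == known_plaintext:
            return seed
    return None


# Constructed scenario: the sender seeded with a fixed timestamp; the attacker knows only
# that the message was sent within half an hour of it and starts with an HTTP request line.
SEND_TIME = 1_700_000_000
HEADER = b"GET / HTTP/1.1\r\n"
MESSAGE = HEADER + b"Host: example.test\r\nAuthorization: Bearer s3cr3t\r\n"
CIPHERTEXT = xor_encrypt(MESSAGE, weak_key(SEND_TIME))


def attack():
    """Return the recovered plaintext, or None if no seed in the window fits."""
    seed = recover_seed(CIPHERTEXT, HEADER, SEND_TIME - 1800, SEND_TIME + 1800)
    return None if seed is None else xor_encrypt(CIPHERTEXT, weak_key(seed))


if __name__ == "__main__":
    print(attack())
```

The same search fails against a key from secrets.token_bytes, because there is no seed to enumerate; the work factor is then the full 2**128 keyspace rather than the size of the timestamp window.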

325
Q
225 Recordkeeping that is related to the acquisition and management of forensic
evidence is known as:
A Best evidence.
B Burden of proof.
C Chain of custody.
D Certification.

A

225 C. See Chapter 12. The Chain of Custody is the recordkeeping that describes
the handling of forensic evidence in support of an investigation.

326
Q
226 The purpose of audit trails includes all of the following EXCEPT:
A Event reconstruction.
B Investigation support.
C Enforcement of accountability.
D Data recovery.

A

226 D. See Chapter 10. Audit trails support event reconstruction, investigation
support, problem identification, and enforcement of accountability. Audit
trails are not used for recovery purposes.

327
Q

227 In a datacenter that provides dual power feeds to each equipment rack,
components with dual power supplies are connected to each power feed.
Why should power circuits not be loaded over 40% capacity?
A To permit systems to be power-cycled without overloading circuits.
B To permit systems to be rebooted without overloading circuits.
C To permit power supplies to be swapped out.
D If one power feed fails, power draw on alternate circuits will double.

A

227 D. See Chapter 13. When dual power supply components are connected to
different circuits, those circuits should not be loaded to a load greater than
40% of capacity. If one power circuit fails, the other circuit can expect its load
to increase to 80%.

328
Q

228 A web application that uses sequential session identifiers:
A Has high resilience.
B Has low resilience.
C Is vulnerable to session hijacking.
D Is not vulnerable to session hijacking.

A

228 C. See Chapter 9. A web application that uses sequential session identifiers is vulnerable to a state attack: an attacker who holds one valid identifier can easily guess the adjacent ones and attempt to take over other users' sessions. Session identifiers must be long random values from a cryptographically secure generator, so that holding one reveals nothing about any other.
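Added example (not from the book) contrasting the two designs in question 228 and adding the cookie attributes from question 223, in Python: a store that issues sequential identifiers, which an attacker holding one valid identifier can step through, beside one that issues 256-bit random identifiers and keeps only their hashes server-side. Usernames, the starting counter and the Set-Cookie line are assumptions of the example.

```python
import hashlib
import secrets


class RandomSessionStore:
    """Session ids are 256 random bits from the OS CSPRNG; only their hashes are kept
    server-side, so a leak of the store does not hand out usable identifiers."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[self._fingerprint(sid)] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(self._fingerprint(sid))

    @staticmethod
    def set_cookie_header(sid):
        # Secure: never sent over plain HTTP (question 223); HttpOnly: unreadable by script;
        # SameSite: not attached to most cross-site requests.
        return "Set-Cookie: session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % sid


class SequentialSessionStore:
    """The flawed design from the question: a counter."""

    def __init__(self, start=1000):
        self._next = start
        self._sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def probe(store, candidates):
    """Attacker: present each candidate id and keep those the server accepts."""
    hits = []
    for c in candidates:
        user = store.lookup(c)
        if user is not None:
            hits.append((c, user))
    return hits


def sequential_attack(store, own_sid, spread=5):
    """Holding one valid counter value, try its neighbours."""
    base = int(own_sid)
    return probe(store, [str(base + d) for d in range(-spread, spread + 1) if d != 0])


def random_attack(store, guesses=1000):
    """Against random ids the only strategy is blind guessing, which never lands."""
    return probe(store, [secrets.token_urlsafe(32) for _ in range(guesses)])


if __name__ == "__main__":
    seq = SequentialSessionStore()
    seq.create("alice")
    mine = seq.create("mallory")
    print("sequential ids, neighbours that are live sessions:", sequential_attack(seq, mine))
    rnd = RandomSessionStore()
    rnd.create("alice")
    mine = rnd.create("mallory")
    print("random ids, hits from 1000 guesses:", random_attack(rnd))
    print(RandomSessionStore.set_cookie_header(mine))
```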

329
Q

229 All of the following statements about policies are true EXCEPT:
A They specify what should be done.
B They specify how something should be done.
C They should be reviewed annually.
D They are formal statements of rules.

A

229 B. See Chapter 6. Policies are formal statements of business rules; they specify
what should be done, but not how they should be done. Policies should
be reviewed periodically.

330
Q

230 An encryption algorithm that replaces bits, characters, or blocks in plaintext
with alternate bits, characters, or blocks is known as a:
A Substitution cipher.
B Transposition cipher.
C Vernam cipher.
D Concealment cipher.

A

230 A. See Chapter 8. An encryption algorithm that replaces bits, characters, or
blocks of data is known as a substitution cipher.

331
Q

231 Two-factor authentication is preferred for VPN because:
A It is more resistant to a dictionary attack.
B It is more resistant to a replay attack.
C Encryption protects authentication credentials.
D Encryption protects encapsulated traffic.

A

231 A. See Chapter 5. Two-factor authentication is preferred for VPN because it is more resistant to a dictionary attack: a password guessed from a word list is useless without the second factor, which an attacker working through a dictionary does not possess.

332
Q

232 An audit of user access has revealed that user accounts are not being
locked when employees leave the organization. The best way to mitigate
this finding is:
A Reset all account passwords.
B Lock all user accounts and require users to re-apply for access.
C Improve the termination process and perform monthly access reviews.
D Discipline the culpable personnel.

A

232 C. See Chapter 4. When it has been discovered that many user accounts were
not locked for users who left the organization, the termination process
should be improved by whatever means necessary. Monthly access reviews
will help to ensure that process changes are effective.

333
Q

233 A blogging site allows users to embed JavaScript in the body of blog
entries. This will allow what type of attack?
A Cross-frame scripting
B Cross-site request forgery
C Non-persistent cross-site scripting
D Persistent cross-site scripting

A

233 D. See Chapter 7. Any site that permits users to embed JavaScript in content it stores is susceptible to persistent (stored) cross-site scripting (XSS): the script is saved with the blog entry and runs in the browser of every reader who views it, unlike a non-persistent (reflected) payload, which must be delivered to each victim in a crafted link.

334
Q
234 A system designer needs to choose a stream cipher to encrypt data. The
designer should choose:
A 3DES
B AES
C RC1
D RC4

A

234 D. See Chapter 8. A system designer in need of a stream cipher should choose RC4; the other real ciphers listed (3DES and AES) are block ciphers, and RC1 is a distractor. Note that RC4 has known keystream biases and is prohibited in TLS (RFC 7465); a current design would use a modern stream cipher such as ChaCha20, or a block cipher in a streaming mode such as AES-CTR or AES-GCM.

335
Q

235 Evidence that is obtained through illegal means:
A May be used in a legal proceeding.
B May be used as indirect evidence.
C Cannot be used in a legal proceeding.
D Must be returned to its owner.

A

235 C. See Chapter 12. Any evidence obtained through illegal means cannot be
used in any legal proceeding.

336
Q

236 A particular type of security incident occurs frequently in an organization.
What should be performed to reduce the frequency of these incidents?
A Audit log correlation
B Root cause analysis
C Incident forensics
D Six Sigma analysis

A

236 B. See Chapter 10. If a specific type of incident occurs over and over, root
cause analysis should be performed so that the factors responsible for incident
recurrence can be corrected.

337
Q

237 What procedure should be followed by personnel in case of fire in a
datacenter?
A All personnel should remain to fight the fire.
B One person should remain behind and fight the fire.
C Collect backup media and evacuate.
D Immediate evacuation.

A

237 D. See Chapter 13. In case of a fire in a datacenter, personnel should evacuate
immediately. Personnel safety is the highest priority in a datacenter.

338
Q

238 The following statements about the Common Criteria are true EXCEPT:
A It is the European version of ITSEC.
B It has been adopted as international standard ISO 15408.
C It contains seven levels of evaluation assurance.
D It supersedes TCSEC and ITSEC.

A

238 A. See Chapter 9. The Common Criteria has been adopted as international standard ISO/IEC 15408, it defines seven evaluation assurance levels (EAL1 through EAL7), and it supersedes TCSEC and ITSEC. It is not a European version of ITSEC; ITSEC was the European criteria, and the Common Criteria is the international successor to it, to TCSEC, and to the Canadian CTCPEC.

339
Q

239 An organization has employees in many countries, where laws vary on the
type of background checks that can be performed. The best approach for
background checks is:
A Perform background checks only in those countries that permit
reasonable checks.
B Perform the best background check in each country as permitted by law.
C Perform the same background check in all countries by performing only
what is allowed in all of them.
D Do not perform background checks.

A

239 B. See Chapter 6. An organization should perform the best background check
available and permitted by law in each country.

340
Q

240 A disadvantage of a symmetric cryptosystem is:
A It is far less efficient than an asymmetric cryptosystem.
B Users who do not know each other will have difficulty securely
exchanging keys.
C It is difficult to publish a public key.
D It is easy to publish a public key.

A

240 B. See Chapter 8. In a symmetric cryptosystem, both users must possess the
same encryption key. If these users do not know each other, it may be difficult
to securely exchange a key.

341
Q

241 Two organizations exchange data via FTP. The best choice to make this
more secure is:
A Change the FTP protocol to SFTP or FTPS.
B Encrypt transferred files with PGP.
C Change password more frequently.
D Change to longer, complex passwords.

A

241 A. See Chapter 5. The best choice for making an FTP connection more secure
is to change to FTPS or SFTP. Encrypting the payload does not protect
authentication credentials.

342
Q
242 An attacker is capturing a user's keystrokes during authentication. The
attacker may be preparing to launch a:
A Brute-force attack.
B Cryptanalysis attack.
C Replay attack.
D Denial of service attack.

A

242 C. See Chapter 4. An attacker who is able to record the keystrokes of a user
logging in to a system is preparing to launch a replay attack.

343
Q

243 Users in a company have received e-mail messages claiming to be from the
company’s IT department with instructions on installing a security patch.
The URL points to a page that resembles the company’s IT Helpdesk home
page. This may be a:
A Whaling attack.
B Pharming attack.
C Phishing attack.
D Spear phishing attack.

A

243 D. See Chapter 7. An e-mail-based attack that points users to a website that
resembles a company’s own website is a spear phishing attack, because it is
targeting users in a specific organization.

344
Q
244 A laptop containing several private encryption keys has been stolen. The
owner of the encryption keys should:
A Generate new key pairs
B Change the keys' passwords
C Change encryption algorithms
D No action is necessary

A

244 A. See Chapter 8. If a laptop containing private encryption keys has been
stolen, the attacker may be able to guess the passwords for private keys and
compromise the cryptosystem. The owner of the encryption keys should generate
new key pairs.

345
Q

245 A company outsources its credit card processing to a third-party organization.
The company should:
A Require the third-party organization to be PCI-compliant.
B Require the third-party organization to be GLBA-compliant.
C Sign a contract with the third-party organization.
D Perform penetration tests on the third party’s systems.

A

245 A. See Chapter 12. Any company that outsources credit card processing to another organization should require that organization to comply with the Payment Card Industry Data Security Standard (PCI DSS) and to provide evidence of its compliance. A contract (option C) is necessary but not sufficient on its own.

346
Q

246 Administration of a centralized audit log server should be performed by:
A Database administrators.
B IT auditors.
C The same administrators who manage servers being logged.
D Separate administrators from those who administer servers being logged.

A

246 D. See Chapter 10. Personnel who administer centralized audit log servers
should be separate personnel from those who administer systems being
logged. Otherwise administrators would be able to manipulate the contents
of audit log servers and cover up their activities.

347
Q
247 The ideal level of relative humidity for datacenter computing equipment is:
A Between 0% and 20%.
B Between 20% and 40%.
C 0%.
D Between 40% and 60%.

A

247 D. See Chapter 13. The ideal level for relative humidity in a datacenter is
between 40% and 60%. If humidity falls below 40%, there is risk of static discharge
that can damage computing equipment. If the humidity rises above
60%, condensation can damage computing equipment.

348
Q

248 A security manager wishes to establish a set of access control rules that
specify which organization job titles are permitted to have which roles in a
system. The model that the security manager should use as a model is:
A Access Matrix.
B Information Flow.
C Non-Interference.
D Biba.

A

248 A. See Chapter 9. The access model described here is the Access Matrix,
which specifies which persons (or job titles) are permitted to access which
system roles.

349
Q
249 A decision on how to resolve an identified risk is known as:
A Risk control.
B Risk treatment.
C Risk management.
D Risk mitigation.

A

249 B. See Chapter 6. A decision on how to resolve an identified risk is known as
risk treatment.

350
Q

250 The advantage of Cipher Block Chaining (CBC) is:
A Each block of ciphertext has a less random result.
B Each block of ciphertext has a more random result.
C Each block of ciphertext is encrypted separately.
D Each block of ciphertext is decrypted separately.

A

250 B. See Chapter 8. In Cipher Block Chaining (CBC), each plaintext block is XORed with the ciphertext of the preceding block before it is encrypted (the first block is XORed with a random initialization vector), so identical plaintext blocks produce different ciphertext blocks and patterns in the plaintext are hidden. In Electronic Codebook (ECB) mode, where each block is encrypted separately, identical plaintext blocks yield identical ciphertext blocks.
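Added example, not from the book, of the CBC property in question 250, in Python: ECB and CBC built over a toy 64-bit Feistel block cipher (an assumption of the example, standing in for AES), applied to a message made of four identical blocks. The ECB ciphertext repeats one block four times; the CBC ciphertext does not, because each block's input is XORed with the previous ciphertext block (the random IV for the first).

```python
import hashlib
import secrets

BLOCK = 8
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    """Toy 64-bit Feistel block cipher (an assumption of this example, standing in for AES)."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    """Inverse of block_encrypt: same rounds in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pad(data):                                      # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[: -data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key, plaintext, iv=None):
    """Each plaintext block is XORed with the previous ciphertext block before encryption;
    the random IV plays that role for the first block. Returns iv || ciphertext."""
    iv = iv if iv is not None else secrets.token_bytes(BLOCK)
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, data):
    iv, body = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for c in blocks(body):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def distinct_blocks(ciphertext):
    return len(set(blocks(ciphertext)))


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    msg = b"SAMEBLOK" * 4                         # constructed: four identical blocks
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, msg)
    print("ECB distinct blocks:", distinct_blocks(ecb), "of", len(blocks(ecb)))
    print("CBC distinct blocks:", distinct_blocks(cbc[BLOCK:]), "of", len(blocks(cbc[BLOCK:])))
    print("CBC round trip:", cbc_decrypt(key, cbc) == msg)
```

The toy cipher exists only so the mode logic is visible; in practice use AES through a vetted library. Note also that CBC on its own provides no integrity protection, so it should be paired with a MAC or replaced by an authenticated mode such as AES-GCM.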