CISSP-FD review questions Flashcards
1 General-purpose control types include all the following except A ❍ Detective B ❍ Mandatory C ❍ Preventive D ❍ Compensating
B
2 Violation reports and audit trails are examples of what type of control? A ❍ Detective technical B ❍ Preventive technical C ❍ Detective administrative D ❍ Preventive administrative
A
3 “A user cannot deny an action” describes the concept of A ❍ Authentication B ❍ Accountability C ❍ Non-repudiation D ❍ Plausible deniability
C
4 Authentication can be based on any combination of the following factors except A ❍ Something you know B ❍ Something you have C ❍ Something you need D ❍ Something you are
C
5 Unauthorized users that are incorrectly granted access in biometric systems are described as the A ❍ False Reject Rate (Type II error) B ❍ False Accept Rate (Type II error) C ❍ False Reject Rate (Type I error) D ❍ False Accept Rate (Type I error)
B
6 All the following devices and protocols can be used to implement one-time passwords except A ❍ Tokens B ❍ S/Key C ❍ Diameter D ❍ Kerberos
D
7 Which of the following PPP authentication protocols transmits passwords in clear text? A ❍ PAP B ❍ CHAP C ❍ MS-CHAP D ❍ FTP
A
8 Which of the following is not considered a method of attack against access control systems? A ❍ Brute force B ❍ Dictionary C ❍ Denial of Service D ❍ Buffer overflow
C
9 Sensitivity labels are a fundamental component in which type of access control systems? A ❍ Mandatory access control B ❍ Discretionary access control C ❍ Access control lists D ❍ Role-based access control
A
10 Which of the following access control models addresses availability issues? A ❍ Bell-La Padula B ❍ Biba C ❍ Clark-Wilson D ❍ None of the above
D
1 A data network that operates across a relatively large geographic area defines what type of network? A ❍ LAN B ❍ MAN C ❍ CAN D ❍ WAN
D
2 The process of wrapping protocol information from one layer in the data section of another layer describes A ❍ Data encryption B ❍ Data encapsulation C ❍ Data hiding D ❍ TCP wrappers
B
3 The LLC and MAC are sub-layers of what OSI model layer? A ❍ Data Link B ❍ Network C ❍ Transport D ❍ Session
A
4 The Ethernet protocol is defined at what layer of the OSI model and in which IEEE standard? A ❍ Data Link Layer, 802.3 B ❍ Network Layer, 802.3 C ❍ Data Link Layer, 802.5 D ❍ Network Layer, 802.5
A
5 All the following are examples of packet-switched WAN protocols, except A ❍ X.25 B ❍ Frame Relay C ❍ ISDN D ❍ SMDS
C
6 Which of the following is an example of a Class C IP address? A ❍ 17.5.5.1 B ❍ 127.0.0.1 C ❍ 192.167.4.1 D ❍ 224.0.0.1
C
7 The TCP/IP Protocol Model consists of the following four layers:
A ❍ Application, Presentation, Session, Transport
B ❍ Application, Session, Network, Physical
C ❍ Application, Session, Transport, Internet
D ❍ Application, Transport, Internet, Link
D
8 Which of the following firewall architectures employs external and internal routers, as well as a bastion host? A ❍ Screening router B ❍ Screened-subnet C ❍ Screened-host gateway D ❍ Dual-homed gateway
B
9 Which of the following is not a common VPN protocol standard? A ❍ IPSec B ❍ PPTP C ❍ TFTP D ❍ L2TP
C
10 A type of network attack in which TCP packets are sent from a spoofed source address with the SYN bit set describes A ❍ Smurf B ❍ Fraggle C ❍ Teardrop D ❍ SYN flood
D
1 The three elements of the C-I-A triad include
A ❍ Confidentiality, integrity, authentication
B ❍ Confidentiality, integrity, availability
C ❍ Confidentiality, integrity, authorization
D ❍ Confidentiality, integrity, accountability
B
2 Which of the following government data classification levels describes
information that, if compromised, could cause serious damage to national
security?
A ❍ Top Secret
B ❍ Secret
C ❍ Confidential
D ❍ Sensitive but Unclassified
B
3 The practice of regularly transferring personnel into different positions or
departments within an organization is known as
A ❍ Separation of duties
B ❍ Reassignment
C ❍ Lateral transfers
D ❍ Job rotations
D
4 The individual responsible for assigning information classification levels for assigned information assets is A ❍ Management B ❍ Owner C ❍ Custodian D ❍ User
B
5 Most security policies are categorized as A ❍ Informative B ❍ Regulatory C ❍ Mandatory D ❍ Advisory
D
6 A baseline is a type of A ❍ Policy B ❍ Guideline C ❍ Procedure D ❍ Standard
D
7 ALE is calculated by using the following formula: A ❍ SLE × ARO × EF = ALE B ❍ SLE × ARO = ALE C ❍ SLE + ARO = ALE D ❍ SLE – ARO = ALE
B
8 Which of the following is not considered a general remedy for risk management? A ❍ Risk reduction B ❍ Risk acceptance C ❍ Risk assignment D ❍ Risk avoidance
D
9 Failure to implement a safeguard may result in legal liability if
A ❍ The cost to implement the safeguard is less than the cost of the associated
loss.
B ❍ The cost to implement the safeguard is more than the cost of the associated
loss.
C ❍ An alternate but equally effective and less expensive safeguard is
implemented.
D ❍ An alternate but equally effective and more expensive safeguard is
implemented.
A
10 A cost-benefit analysis is useful in safeguard selection for determining A ❍ Safeguard effectiveness B ❍ Technical feasibility C ❍ Cost-effectiveness D ❍ Operational impact
C
1 Masquerading as another person in order to obtain information illicitly is known as A ❍ Hacking B ❍ Social engineering C ❍ Extortion D ❍ Exhumation
B
2 Viruses, rootkits, and Trojan horses are known as A ❍ Maniacal code B ❍ Fractured code C ❍ Infectious code D ❍ Malicious code
D
3 Antivirus software that detects viruses by watching for anomalous behavior uses what technique? A ❍ Signature matching B ❍ Fleuristics C ❍ Heroistics D ❍ Heuristics
D
4 A developer, suspecting that he may be fired soon, modifies an important
program that will corrupt payroll files long after he is gone. The developer has
created a(n)
A ❍ Delayed virus
B ❍ Logic bomb
C ❍ Applet bomb
D ❍ Trojan horse
B
5 A SYN flood is an example of a A ❍ Dictionary attack B ❍ High Watermark attack C ❍ Buffer Overflow attack D ❍ Denial of Service attack
D
6 The process of recording changes made to systems is known as A ❍ Change Review Board B ❍ System Maintenance C ❍ Change Management D ❍ Configuration Management
D
7 A system that accumulates knowledge by observing events’ inputs and outcomes is known as a(n) A ❍ Expert system B ❍ Neural network C ❍ Synaptic network D ❍ Neural array
B
8 The logic present in an object is known as A ❍ Encapsulation B ❍ Personality C ❍ Behavior D ❍ Method
D
9 The restricted environment that Java applets occupy is known as a A ❍ Sandbox B ❍ Workbox C ❍ Trusted Zone D ❍ Instantiation
A
10 An attacker has placed a URL on a website that, if clicked, will cause malicious
javascript to execute on victims’ browsers. This is known as a
A ❍ Phishing attack
B ❍ Script injection attack
C ❍ Cross-site scripting attack
D ❍ Cross-site request forgery attack
C
1 The four modes of DES include all the following except A ❍ ECB B ❍ ECC C ❍ CFB D ❍ CBC
B
2 A type of cipher that replaces bits, characters, or character blocks with
alternate bits, characters, or character blocks to produce ciphertext is known
as a
A ❍ Permutation cipher
B ❍ Block cipher
C ❍ Transposition cipher
D ❍ Substitution cipher
D
3 Which of the following is not an advantage of symmetric key systems? A ❍ Scalability B ❍ Speed C ❍ Strength D ❍ Availability
A
4 The Advanced Encryption Standard (AES) is based on what symmetric key algorithm? A ❍ Twofish B ❍ Knapsack C ❍ Diffie-Hellman D ❍ Rijndael
D
5 A message that’s encrypted with only the sender’s private key, for the
purpose of authentication, is known as a(n)
A ❍ Secure message format
B ❍ Signed and secure message format
C ❍ Open message format
D ❍ Message digest
C
6 All the following are examples of asymmetric key systems based on discrete logarithms except A ❍ Diffie-Hellman B ❍ Elliptic Curve C ❍ RSA D ❍ El Gamal
C
7 The four main components of a Public Key Infrastructure (PKI) include all the following except A ❍ Directory Service B ❍ Certification Authority C ❍ Repository D ❍ Archive
A
8 Which of the following Internet specifications provides secure e-commerce by
using symmetric key systems, asymmetric key systems, and dual signatures?
A ❍ Public Key Infrastructure (PKI)
B ❍ Secure Electronic Transaction (SET)
C ❍ Secure Sockets Layer (SSL)
D ❍ Secure Hypertext Transfer Protocol (S-HTTP)
B
9 The minimum number of SAs required for a two-way IPSec session between
two communicating hosts using both AH and ESP is
A ❍ 1
B ❍ 2
C ❍ 4
D ❍ 8
C
10 An IPSec SA consists of the following parameters, which uniquely identify it in an IPSec session, except A ❍ Source IP Address B ❍ Destination IP Address C ❍ Security Protocol ID D ❍ Security Parameter Index (SPI)
A
1 The four CPU operating states include all the following except A ❍ Operating B ❍ Problem C ❍ Wait D ❍ Virtual
D
2 A computer system that alternates execution of multiple subprograms on a
single processor describes what type of system?
A ❍ Multiprogramming
B ❍ Multitasking
C ❍ Multiuser
D ❍ Multiprocessing
B
3 An address used as the origin for calculating other addresses describes A ❍ Base addressing B ❍ Indexed addressing C ❍ Indirect addressing D ❍ Direct addressing
A
4 The four main functions of the operating system include all the following except A ❍ Process management B ❍ BIOS management C ❍ I/O device management D ❍ File management
B
5 The total combination of protection mechanisms within a computer system,
including hardware, firmware, and software, which is responsible for enforcing
a security policy defines
A ❍ Reference monitor
B ❍ Security kernel
C ❍ Trusted Computing Base
D ❍ Protection domain
C
6 A system that continues to operate following failure of a network component describes which type of system? A ❍ Fault-tolerant B ❍ Fail-safe C ❍ Fail-soft D ❍ Failover
A
7 Which of the following access control models addresses availability issues? A ❍ Bell-LaPadula B ❍ Biba C ❍ Clark-Wilson D ❍ None of the above
D
8 The four basic control requirements identified in the Orange Book include all the following except A ❍ Role-based access control B ❍ Discretionary access control C ❍ Mandatory access control D ❍ Object reuse
A
9 The purpose of session management in a web application is
A ❍ To prevent Denial of Service attacks
B ❍ To collect session-based security metrics
C ❍ To control the number of concurrent sessions
D ❍ To protect sessions from unauthorized access
D
10 Which of the following ITSEC classification levels is equivalent to TCSEC level B3? A ❍ E3 B ❍ E4 C ❍ E5 D ❍ E6
C
1 The two types of intrusion detection are
A ❍ Attack-based systems and response-based systems
B ❍ Signature-based systems and anomaly-based systems
C ❍ Knowledge-based systems and scripture-based systems
D ❍ Passive monitoring systems and active monitoring systems
B
2 Recording data traveling on a network is known as A ❍ Promiscuous mode B ❍ Packet sniffing C ❍ Packet snoring D ❍ Packing sneaking
B
3 Which of the following is NOT an example of penetration testing? A ❍ Radiation monitoring B ❍ War driving C ❍ Port scanning D ❍ War diving
D
4 Trusted recovery is concerned with
A ❍ The ability of a system to be rebuilt
B ❍ The vulnerability of a system while it’s being rebuilt
C ❍ The ability of a system to rebuild itself
D ❍ The willingness of a system to rebuild itself
B
5 The third-party inspection of a system is known as a(n) A ❍ Confidence check B ❍ Integrity trail C ❍ Audit trail D ❍ Audit
D
6 One of the primary concerns with long-term audit log retention is
A ❍ Whether anyone will be around who can find them
B ❍ Whether any violations of privacy laws have occurred
C ❍ Whether anyone will be around who understands them
D ❍ Whether any tape/disk drives will be available to read them
D
7 The required operating state of a network interface on a system running a sniffer is A ❍ Open mode B ❍ Promiscuous mode C ❍ Licentious mode D ❍ Pretentious mode
B
8 Filling a system’s hard drive so that it can no longer record audit records is known as a(n) A ❍ Audit lock-out B ❍ Audit exception C ❍ Denial of Facilities attack D ❍ Denial of Service attack
D
9 An investigator who needs to have access to detailed employee event information may need to use A ❍ Keystroke monitoring B ❍ Intrusion detection C ❍ Keystroke analysis D ❍ Trend analysis
A
10 Which of the following is NOT true about a signature-based IDS?
A ❍ It reports a low number of false-positives.
B ❍ It requires periodic updating of its signature files.
C ❍ It reports a high number of false-positives.
D ❍ It can’t detect anomalies based on trends.
C
1 The longest period of time that a business can survive without a critical function is called A ❍ Downtime Tolerability Period B ❍ Greatest Tolerable Downtime C ❍ Maximum Survivable Downtime D ❍ Maximum Tolerable Downtime
D
2 Which of the following is not a natural disaster? A ❍ Avalanche B ❍ Stock market crash C ❍ Fire D ❍ Water supply storage drought
B
3 The impact of a disaster on business operations is contained in A ❍ Local newspapers and online media B ❍ The Business Impact Assessment C ❍ The Operations Impact Assessment D ❍ The Vulnerability Assessment
B
4 The decision whether to purchase an emergency generator is based on A ❍ Wholesale electric rates B ❍ Retail electric rates C ❍ The duration of a typical outage D ❍ The income rate of affected systems
C
5 The purpose of a UPS is
A ❍ To provide instantaneous power cutover when utility power fails
B ❍ A lower cost for overnight shipping following a disaster
C ❍ The need to steer an unresponsive vehicle after it’s moving again
D ❍ To restore electric power within 24 hours
A
6 The Business Impact Assessment
A ❍ Describes the impact of disaster recovery planning on the budget
B ❍ Describes the impact of a disaster on business operations
C ❍ Is a prerequisite to the Vulnerability Assessment
D ❍ Is the first official statement produced after a disaster
B
7 To maximize the safety of backup media, it should be stored
A ❍ At a specialized off-site media storage facility
B ❍ At the residences of various senior managers
C ❍ In the operations center in a locked cabinet
D ❍ Between 50°F and 60°F
A
8 An alternate information-processing facility with all systems, patches, and
data mirrored from live production systems is known as a
A ❍ Warm site
B ❍ Hot site
C ❍ Recovery site
D ❍ Mutual Aid Center
B
9 The greatest advantage of a cold site is A ❍ It can be built nearly anywhere B ❍ Its high responsiveness C ❍ Its low cost D ❍ Its close proximity to airports
C
10 The most extensive test for a Disaster Recovery Plan A ❍ Has dual failover B ❍ Is a waste of paper C ❍ Is known as a parallel test D ❍ Is known as an interruption test
D
1 Penalties for conviction in a civil case can include A ❍ Imprisonment B ❍ Probation C ❍ Fines D ❍ Community service
C
2 Possible damages in a civil case are classified as all the following except A ❍ Compensatory B ❍ Punitive C ❍ Statutory D ❍ Financial
D
3 Computer attacks motivated by curiosity or excitement describe A ❍ “Fun” attacks B ❍ Grudge attacks C ❍ Business attacks D ❍ Financial attacks
A
4 Intellectual property includes all the following except A ❍ Patents and trademarks B ❍ Trade secrets C ❍ Copyrights D ❍ Computers
D
5 Under the Computer Fraud and Abuse Act of 1986 (as amended), which of the
following is not considered a crime?
A ❍ Unauthorized access
B ❍ Altering, damaging, or destroying information
C ❍ Trafficking child pornography
D ❍ Trafficking computer passwords
C
6 Which of the following is not considered one of the four major categories of evidence? A ❍ Circumstantial evidence B ❍ Direct evidence C ❍ Demonstrative evidence D ❍ Real evidence
A
7 In order to be admissible in a court of law, evidence must be A ❍ Conclusive B ❍ Relevant C ❍ Incontrovertible D ❍ Immaterial
B
8 What term describes the evidence-gathering technique of luring an individual
toward certain evidence after that individual has already committed a crime;
is this considered legal or illegal?
A ❍ Enticement/Legal
B ❍ Coercion/Illegal
C ❍ Entrapment/Illegal
D ❍ Enticement/Illegal
A
9 In a civil case, the court may issue an order allowing a law enforcement official
to seize specific evidence. This order is known as a(n)
A ❍ Subpoena
B ❍ Exigent circumstances doctrine
C ❍ Writ of Possession
D ❍ Search warrant
C
10 When should management be notified of a computer crime?
A ❍ After the investigation has been completed
B ❍ After the preliminary investigation
C ❍ Prior to detection
D ❍ As soon as it has been detected
D
1 The three elements of the fire triangle necessary for a fire to burn include all the following except A ❍ Fuel B ❍ Oxygen C ❍ Heat D ❍ Nitrogen
D
2 Electrical fires are classified as what type of fire and use what extinguishing methods? A ❍ Class B; CO2 or soda acid B ❍ Class B; CO2 or FM-200 C ❍ Class C; CO2 or FM-200 D ❍ Class A; water or soda acid
C
3 A prolonged drop in voltage describes what electrical anomaly? A ❍ Brownout B ❍ Blackout C ❍ Sag D ❍ Fault
A
4 What type of cabling should be used below raised floors and above drop ceilings? A ❍ CAT-5 B ❍ Plenum C ❍ PVC D ❍ Water-resistant
B
5 In order to deter casual trespassers, fencing should be a minimum height of A ❍ 1 to 3 feet B ❍ 3 to 4 feet C ❍ 6 to 7 feet D ❍ 8 feet or higher
B
6 Three types of intrusion detection systems (IDSs) used for physical security
include photoelectric sensors, dry contact switches, and which of the
following?
A ❍ Motion detectors
B ❍ Anomaly-based
C ❍ Host-based
D ❍ Network-based
A
7 A water sprinkler system in which no water is initially present in the pipes
and which, at activation, delivers a large volume of water describes what type
of system?
A ❍ Wet-pipe
B ❍ Dry-pipe
C ❍ Deluge
D ❍ Preaction
C
8 Portable CO2 fire extinguishers are classified as what type of extinguishing system? A ❍ Gas-discharge systems B ❍ Water sprinkler systems C ❍ Deluge systems D ❍ Preaction systems
A
9 Which of the following extinguishing agents fights fires by separating the elements
of the fire triangle, rather than by simply removing one element?
A ❍ Water
B ❍ Soda acid
C ❍ CO2
D ❍ FM-200
D
10 Production of Halon has been banned for what reason?
A ❍ It is toxic at temperatures above 900°F.
B ❍ It is an ozone-depleting substance.
C ❍ It is ineffective.
D ❍ It is harmful if inhaled.
B
1 The number-one priority of disaster planning should always be:
A Preservation of capital
B Personnel evacuation and safety
C Resumption of core business functions
D Investor relations
1 B. See Chapter 11. People and their safety always come first!
2 An access control system that grants access to information based on that
information’s classification and the clearance of the individual is known as:
A Identity-based access control
B Mandatory access control
C Role-based access control
D Clearance-based access control
2 B. See Chapter 4. Mandatory access control is based on the user’s clearance
level, the classification of the information, and the user’s need-to-know.
3 A database that contains the data structures used by an application is known as: A A data encyclopedia B A data dictionary C Metadata D A schema
3 B. See Chapter 7. A data dictionary contains information about an application’s
data structures, including table names, field names, indexes, and so on.
4 The process of breaking the key and/or plaintext from an enciphered message is known as: A Decryption B Steganography C Cryptanalysis D Extraction
4 C. See Chapter 8. Cryptanalysis is the process of getting the key and/or the
original message the hard way.
5 The Internet Worm incident of 1988 was perpetrated by: A The 414 Gang B Robert Morris C Kevin Mitnick D Gene Spafford
5 B. See Chapter 7. Robert Tappan Morris wrote and released what’s now
known as the Internet Worm in 1988. Researcher Gene Spafford wrote several
papers on the topic.
6 Access controls and card key systems are examples of: A Detective controls B Preventive controls C Corrective controls D Trust controls
6 B. See Chapter 10. Preventive controls are designed to prevent a security
incident.
7 Why should a datacenter’s walls go all the way to the ceiling and not just
stop as high as the suspended ceiling?
A The walls will be stronger.
B The HVAC will run more efficiently.
C An intruder could enter the datacenter by climbing over the low wall.
D The high wall will block more noise.
7 C. See Chapter 13. The primary concern here is to keep intruders out, which
is why computer room walls should extend from the true floor to the true
ceiling.
8 Memory that’s used to store computer instructions and data is known as: A UART B SIMM C Cache D ROM
8 C. See Chapter 9. Cache memory holds instructions and data that are likely to
be frequently accessed. Cache memory is faster than RAM, so it can contribute
to faster performance.
9 Of what value is separation of authority in an organization?
A It limits the capabilities of any single individual.
B It provides multiple paths for fulfilling critical tasks.
C It accommodates the requirement for parallel audit trails.
D It ensures that only one person is authorized to perform each task.
9 A. See Chapter 6. Separation of authority makes it difficult for an individual
to steal an organization’s assets because it requires others to cooperate with
the would-be criminal.
10 UDP is sometimes called the “unreliable data protocol” because:
A It works only on low-speed wireless LANs.
B UDP packets rarely get through because they have a lower priority.
C Few know how to program UDP.
D UDP does not guarantee delivery.
10 D. See Chapter 5. UDP has no guarantee of delivery, nor sequencing or
acknowledgement.
11 Which of the following is NOT a goal of a Business Impact Assessment
(BIA)?
A To inventory mutual aid agreements
B To identify and prioritize business critical functions
C To determine how much downtime the business can tolerate
D To identify resources required by critical processes
11 A. See Chapter 11. Mutual aid agreements aren’t a significant concern of a
Business Impact Assessment (BIA). They’re instead a part of contingency
planning.
12 An access control system that grants access to information based on the identity of the user is known as: A Identity-based access control B Mandatory access control C Role-based access control D Clearance-based access control
12 A. See Chapter 4. Identity-based access control is used to grant access to
information based on the identity of the person requesting access.
13 The purpose of a Service-Level Agreement is:
A To guarantee a minimum quality of service for an application or
function
B To guarantee the maximum quality of service for an application or
function
C To identify gaps in availability of an application
D To correct issues identified in a security audit
13 A. See Chapter 7. A Service-Level Agreement (SLA) defines minimum performance
metrics of an application or service.
14 The method of encryption in which both sender and recipient possess a common encryption key is known as: A Message digest B Hash function C Public key cryptography D Secret key cryptography
14 D. See Chapter 8. Secret key cryptography is used when all parties possess a
common key.
15 Forensics is the term that describes:
A Due process
B Tracking hackers who operate in other countries
C Taking steps to preserve and record evidence
D Scrubbing a system in order to return it to service
15 C. See Chapter 12. Forensics is the activity of discovering, preserving, and
recording evidence.
16 Audit trails and security cameras are examples of: A Detective controls B Preventive controls C Corrective controls D Trust controls
16 A. See Chapter 10. Detective controls are designed to record security events.
17 How does water aid in fire suppression?
A It reduces the fire’s oxygen supply.
B It isolates the fire’s fuel supply.
C It lowers the temperature to a degree at which the fire can’t sustain
itself.
D It extinguishes the fire through a chemical reaction.
17 C. See Chapter 13. Water cools the fuel to the point where the fire can’t continue.
Also, to some extent, water is a physical barrier between the fuel and
oxygen.
18 Firmware is generally stored on: A ROM or EPROM B Tape C RAM D Any removable media
18 A. See Chapter 9. Firmware is software that’s seldom changed. Firmware is
generally used to control low-level functions in computer hardware and
embedded systems.
19 The term open view refers to what activity?
A Reclassifying a document so that anyone can view it
B Viewing the contents of one’s private encryption key
C Leaving classified information where unauthorized people can see it
D Using a decryption key to view the contents of a message
19 C. See Chapter 6. Open view is the act of leaving a classified document out in
the open so that it can be viewed by anyone.
20 TCP is a poor choice for streaming video because:
A It is too bursty for large networks.
B Acknowledgment and sequencing add significantly to its overhead.
C Checksums in video packets are meaningless.
D TCP address space is nearly exhausted.
20 B. See Chapter 5. TCP adds unnecessary overhead. Streaming video can
afford to lose a packet now and then.
21 The longest period of time that an organization can accept a critical outage is known as: A Maximum Acceptable Downtime B Greatest Tolerated Downtime C Maximum Tolerable Downtime D Recovery Time Objective
21 C. See Chapter 11. Maximum Tolerable Downtime (MTD) is the length of time
that an organization can tolerate critical processes being inoperative.
22 An access control system that gives the user some control over who has access to information is known as: A Identity-based access control B User-directed access control C Role-based access control D Clearance-based access control
22 B. See Chapter 4. User-directed access control, a form of discretionary access
control, permits the user to grant access to information based on certain
limitations.
23 CRCs, parity checks, and checksums are examples of: A Corrective application controls B Message digests C Preventive application controls D Detective application controls
23 D. See Chapter 4. Cyclical Redundancy Checks (CRCs), parity checks, and
checksums are examples of detective application controls because they’re
designed to help discover security breaches (as well as network malfunctions
and other undesired events) in a network.
24 Why would a user’s public encryption key be widely distributed?
A So that cryptographers can attempt to break it
B Because it’s encrypted
C Because the user’s private key can’t be derived from his or her public key
D So that the user can decrypt messages from any location
24 C. See Chapter 8. In public key cryptography, the value of the public key
doesn’t in any way betray the value of the secret key.
25 An expert witness:
A Offers an opinion based on the facts of a case and on personal expertise
B Is someone who was present at the scene of the crime
C Has direct personal knowledge about the event in question
D Can testify in criminal proceedings only
25 A. See Chapter 12. An expert witness offers his or her opinion based on the
facts of the case and on personal expertise.
26 Reboot instructions and file restore procedures are examples of: A Detective controls B Preventive controls C Corrective controls D Trust controls
26 C. See Chapter 10. Corrective controls are used to resume business operations
after a security incident.
27 Drain pipes that channel liquids away from a building are called: A Positive drains B Tight lines C Storm drains D Negative drains
27 A. See Chapter 13. Positive drains are those that carry liquids away from a
building.
28 What’s the purpose of memory protection?
A It protects memory from malicious code.
B It prevents a program from being able to access memory used by
another program.
C Memory protection is another term used to describe virtual memory
backing store.
D It assures that hardware refresh happens frequently enough to maintain
memory integrity.
28 B. See Chapter 9. Memory protection is a machine-level security feature that
prevents one program from being able to read or alter memory assigned to
another program.
29 Which individual is responsible for classifying information? A Owner B Custodian C Creator D User
29 A. See Chapter 6. The information owner is ultimately responsible for the
information asset and for its initial classification.
30 How many layers does the TCP/IP protocol model have? A 4 B 5 C 6 D 7
30 A. See Chapter 5. There are four layers in the TCP/IP model: Network Access,
Internet, Transport, and Application.
31 The primary difference between a hot site and a warm site is:
A The hot site is closer to the organization’s datacenters than the warm site.
B The warm site’s systems don’t have the organization’s software or data
installed.
C The warm site doesn’t have computer systems in it.
D The warm site is powered down, but the hot site is powered up and
ready to go.
31 B. See Chapter 11. Warm sites are mostly like hot sites, except that the organization’s
software and data aren’t on the warm site’s systems.
32 Encryption, tokens, access control lists, and smart cards are known as: A Discretionary access controls B Physical controls C Technical controls D Administrative controls
32 C. See Chapter 4. Encryption, tokens, access control lists, and smart cards are
examples of technical, or logical, controls.
33 Data mining:
A Can be performed by privileged users only
B Is generally performed after hours because it’s resource-intensive
C Refers to searches for correlations in a data warehouse
D Is the term used to describe the activities of a hacker who has broken
into a database
33 C. See Chapter 7. Data mining is the term used to describe searches for correlations,
patterns, and trends in a data warehouse.
34 Reading down the columns of a message that has been written across is known as: A A columnar transposition cipher B Calculating the hash C Calculating the checksum D Calculating the modulo
34 A. See Chapter 8. In this cipher, the cryptographer writes across but reads
down.
35 A witness:
A Offers an opinion based on the facts of a case and on personal expertise
B Is someone who was present at the scene of the crime
C Has direct personal knowledge about the event in question
D Can testify in criminal proceedings only
35 C. See Chapter 12. A witness testifies the facts as he or she understands
them.
36 Covert channel analysis is used to: A Detect and understand unauthorized communication B Encipher unauthorized communications C Decipher unauthorized communications D Recover unauthorized communications
36 A. See Chapter 10. Covert channel analysis is used to detect, understand, and
help security personnel to prevent the creation and operation of covert
channels.
37 Of what value is pre-employment screening?
A Undesirable medical or genetic conditions could diminish productivity.
B Only certain personality types can work effectively in some
organizations.
C Employees need to have knowledge of security.
D Background checks could uncover undesirable qualities.
37 D. See Chapter 6. It’s infinitely better to find undesirable qualities, such as a
criminal history, prior to making an employment decision.
38 The mapping of existing physical memory into a larger, imaginary memory space is known as: A Virtual memory B Swapping C Thrashing D Spooling
38 A. See Chapter 9. The virtual memory model is used to create a memory
space that’s larger than the available physical memory.
39 Which individual is responsible for protecting information? A Owner B Custodian C Creator D User
39 B. See Chapter 6. The custodian protects the information on behalf of its
owner.
40 ARP is: A Access Routing Protocol B Address Resolution Protocol C Access Resolution Protocol D Address Recovery Protocol
40 B. See Chapter 5. ARP is the Address Resolution Protocol.
41 Which of the following is NOT a concern for a hot site?
A Programs and data at the hot site must be protected.
B A widespread disaster will strain the hot site’s resources.
C A hot site is expensive because of the controls and patches required.
D Computer equipment must be shipped quickly to the hot site for it to be
effective.
41 D. See Chapter 11. The hot site already has computer equipment.
42 Supervision, audits, procedures, and assessments are known as: A Discretionary access controls B Safeguards C Physical controls D Administrative controls
42 D. See Chapter 4. Administrative access controls consist of all the policies
and procedures that are used to mitigate risk.
43 Object-oriented, relational, and network are examples of: A Types of database tables B Types of database records C Types of database queries D Types of databases
43 D. See Chapter 7. Object-oriented, relational, and network are types of
databases.
44 An asymmetric cryptosystem is also known as a: A Message digest B Hash function C Public key cryptosystem D Secret key cryptosystem
44 C. See Chapter 8. Asymmetric cryptosystems are also known as public key
cryptosystems.
45 Entrapment is defined as:
A Leading someone to commit a crime that they wouldn’t otherwise have
committed
B Monitoring with the intent of recording a crime
C Paying someone to commit a crime
D Being caught with criminal evidence in one’s possession
45 A. See Chapter 12. Entrapment refers to the activities that lure an individual
into committing a crime that he or she wouldn’t have otherwise committed.
46 Least privilege means:
A Analysis that determines which privileges are required to complete a task.
B People who have high privileges delegate some of those privileges to
others.
C The people who have the fewest access rights do all the work.
D Users should have the minimum privileges required to perform
required tasks.
46 D. See Chapter 10. Least privilege is the principle that states users should
have access only to the data and functions required for their stated duties.
47 Which of the following is NOT a part of a building’s automated access audit log? A Time of the attempted entry B The reason for the attempted entry C Location of attempted entry D Entry success or failure
47 B. See Chapter 13. Building access systems don’t know why people are
coming and going.
48 Systems that have published specifications and standards are known as: A Open source B Copyleft C Freeware D Open systems
48 D. See Chapter 9. Open systems are those in which specifications are published
and freely available, permitting any vendor to develop components
that can be used with it.
49 Which of the following is NOT a criterion for classifying information? A Marking B Useful life C Value D Age
49 A. See Chapter 6. Useful life, value, and age are some of the criteria used to
classify information.
50 What is the purpose of ARP?
A When given an IP address, ARP returns a MAC address.
B When given a MAC address, ARP returns an IP address.
C It calculates the shortest path between two nodes on a network.
D It acquires the next IP address on a circular route.
50 A. See Chapter 5. ARP is used to translate an IP address into a MAC address.
51 The Disaster Recovery Plan (DRP) needs to be continuously maintained
because:
A The organization’s software versions are constantly changing.
B The organization’s business processes are constantly changing.
C The available software patches are constantly changing.
D The organization’s data is constantly changing.
51 B. See Chapter 11. The Disaster Recovery Plan (DRP) must contain an up-todate
record of all critical business processes.
52 Security guards, locked doors, and surveillance cameras are known as: A Site-access controls B Safeguards C Physical access controls D Administrative controls
52 C. See Chapter 4. Physical access controls include security guards, locked
doors, and surveillance cameras, as well as other controls such as backups,
protection of cabling, and card-key access.
53 Neural networking gets its name from:
A The make and model of equipment in a network
B Patterns thought to exist in the brain
C Its inventor, Sigor Neura
D Observed patterns in neural telepathy
53 B. See Chapter 7. Neural networks are systems that can detect patterns after
a period of training.
54 The process of hiding a message inside a larger dataset is known as: A Decryption B Steganography C Cryptanalysis D Extraction
54 B. See Chapter 8. Steganography is the science of inserting messages into
larger datasets so that the existence of the message is unknown.
55 Enticement is defined as:
A Being caught with criminal evidence in one’s possession
B Leading someone to commit a crime that they wouldn’t otherwise have
committed
C Monitoring with the intent of recording a crime
D Keeping the criminal at the scene of the crime long enough to gather
evidence
55 D. See Chapter 12. Enticement is used to keep a criminal at the scene of the
crime. In the context of electronic crime, a honeypot is a great way to keep an
intruder sniffing around while his or her origin is traced.
56 The practice of separation of duties:
A Is used to provide variety by rotating personnel among various tasks
B Helps to prevent any single individual from compromising an information
system
C Is used to ensure that the most experienced persons get the best tasks
D Is used in large 24x7 operations shops
56 B. See Chapter 10. Separation of duties is used to ensure that no single individual
has too much privilege, which could lead to a security incident or fraud.
57 Tailgating is a term describing what activity?
A Logging in to a server from two or more locations
B Causing a PBX to permit unauthorized long distance calls
C Following an employee through an uncontrolled access
D Following an employee through a controlled access
57 D. See Chapter 13. Tailgating is a common method used by someone who
wants to enter a controlled area but has no authorization to do so.
58 Which of the following is NOT a security issue with distributed architectures?
A Lack of security awareness by some personnel.
B Difficulty in controlling the distribution and use of software.
C Protection of centrally stored information.
D Backups might not be performed on some systems, risking loss of data.
58 C. See Chapter 9. In a distributed architecture, information isn’t centrally
stored, but rather stored in a multitude of locations. The other answers are
security issues in distributed architectures.
59 What’s the purpose of a senior management statement of security policy?
A It defines who’s responsible for carrying out a security policy.
B It states that senior management need not follow a security policy.
C It emphasizes the importance of security throughout an organization.
D It states that senior management must also follow a security policy.
59 C. See Chapter 6. A senior management statement of security policy underscores
the importance of and support for security.
60 What is the purpose of RARP?
A When given an IP address, RARP returns a MAC address.
B When given a MAC address, RARP returns an IP address.
C It traces the source address of a spoofed packet.
D It determines the least cost route through a multipath network.
60 B. See Chapter 5. RARP is used to translate a MAC address into an IP address.
61 How is the organization’s DRP best kept up-to-date?
A With regular audits to ensure that changes in business processes are
known
B By maintaining lists of current software versions, patches, and
configurations
C By maintaining personnel contact lists
D By regularly testing the DRP
61 A. See Chapter 11. Audits will uncover changes that are needed in the DRP.
62 Role-based access control and task-based access control are examples of: A Mandatory access controls B Administrative controls C Discretionary access controls D Non-discretionary access controls
62 D. See Chapter 4. Role-based access control and task-based access control
are known as non-discretionary controls, which match information to roles or
tasks, not individual users.
63 The verification activity associated with coding is called: A Unit testing B Design review C System testing D Architecture review
63 A. See Chapter 7. Unit testing is the testing of small modules of code, which
is used to verify that the coding was done correctly.
64 Steganography isn’t easily noticed because:
A Monitor and picture quality are so good these days.
B Most PCs’ speakers are turned off or disabled.
C The human eye often can’t sense the noise that steganography
introduces.
D Checksums can’t detect most steganographed images.
64 C. See Chapter 8. Steganography can be difficult to detect visually in an image.
65 The purpose of a honeypot is to:
A Log an intruder’s actions.
B Act as a decoy to keep the intruder interested while his or her origin and
identity are traced.
C Deflect Denial of Service attacks away from production servers.
D Provide direct evidence of a break-in.
65 B. See Chapter 12. A honeypot is designed to keep an intruder sniffing around
long enough for investigators to determine his or her origin and identity.
66 Which of the following tasks would NOT be performed by a security administrator? A Changing file permissions B Configuring user privileges C Installing system software D Reviewing audit data
66 C. See Chapter 10. Installing system software is a system administrator function;
the rest are security administrator functions.
67 What does fail open mean in the context of controlled building entrances?
A Controlled entrances permit no one to pass.
B Controlled entrances permit people to pass without identification.
C A power outage won’t affect control of the entrance.
D A pass key is required to enter the building.
67 B. See Chapter 13. Fail open refers to any controlling mechanism that
remains in the unlocked position when it fails. In the case of controlled building
entrances, anyone can enter the building.
68 TCB is an acronym for: A Trusted Computing Baseline B Trusted Computing Base C Tertiary Computing Base D Trusted Cache Base
68 B. See Chapter 9. TCB stands for Trusted Computing Base.
69 What is the purpose of an “advisory policy”?
A This is an optional policy that can be followed.
B This is an informal offering of advice regarding security practices.
C This is a temporary policy good only for a certain period of time.
D This is a policy that must be followed but is not mandated by regulation.
69 D. See Chapter 6. An advisory policy is required by the organization but is
not mandated by a local or national government.
70 132.116.72.5 is a: A MAC address B IPv4 address C Subnet mask D IPv6 address
70 B. See Chapter 5. This is an IPv4 address.
71 An organization that’s developing its DRP has established a 20 minute
Recovery Time Objective (RTO). Which solution will best support this
objective?
A Cluster
B Cold site
C Hot site
D Virtualization
71 C. See Chapter 11. A short Recovery Time Objective (RTO) usually requires a
hot site because you have very little time available for setting up replacement
systems.
72 Audits, background checks, video cameras, and listening devices are known as: A Discretionary controls B Physical controls C Preventive controls D Detective controls
72 D. See Chapter 4. Detective controls are those controls that are designed to
detect security events, but can’t prevent them in the way that preventive
controls can.
73 What’s the primary input of a high-level product design? A Feasibility study B Integration rules C Unit testing D Requirements
73 D. See Chapter 7. Requirements are the single largest input used in the highlevel
product design phase.
74 What historic event was the backdrop for breakthroughs in strategic cryptography? A The Gulf War B World War I C World War II D The Six-Day War
74 C. See Chapter 8. World War II saw a significant advancement in the science
of cryptography. World War II became a war of cryptanalysis wherein each
participant was sometimes able to break the code of the others, resulting in
strategic advantages.
75 Which of the following is NOT a precaution that needs to be taken before
monitoring e-mail?
A Establishing strict procedures that define under what circumstances
e-mail may be searched
B Posting a visible notice that states e-mail is company information
subject to search
C Issuing monitoring tools to all e-mail administrators
D Making sure that all employees know that e-mail is being monitored
75 C. See Chapter 12. Issuing monitoring tools to all e-mail administrators isn’t a
precaution at all — it’s not even a step that would be considered. The other
items do need to occur before any monitoring is performed.
76 What’s the potential security benefit of rotation of duties?
A It reduces the risk that personnel will perform unauthorized activities.
B It ensures that all personnel are familiar with all security tasks.
C It’s used to detect covert activities.
D It ensures security because personnel aren’t very familiar with their
duties.
76 A. See Chapter 10. Rotation of duties is used to keep mixing up the teams in
order to prevent situations in which individuals are tempted to perform unauthorized
acts.
77 What does fail closed mean in the context of controlled building entrances?
A Controlled entrances permit no one to pass.
B Controlled entrances permit people to pass without identification.
C The access control computer is down.
D Everyone is permitted to enter the building.
77 A. See Chapter 13. Fail closed refers to any controlling mechanism that
remains in the locked position when it fails. In the case of controlled building
entrances, no one can enter the building by normal means.
78 The sum total of all protection mechanisms in a system is known as a: A Trusted Computing Base B Protection domain C Trusted path D SPM (Summation Protection Mechanism)
78 A. See Chapter 9. A Trusted Computing Base is the complete picture of protection
used in a computer system.
79 What is the definition of a “threat”?
A Any event that produces an undesirable outcome.
B A weakness present in a control or countermeasure.
C An act of aggression that causes harm.
D An individual likely to violate security policy.
79 A. See Chapter 6. A threat is a possible undesirable event that may cause
harm or damage.
80 04:c6:d1:45:87:E8 is a: A MAC address B IPv4 address C Subnet mask D IPv6 address
80 A. See Chapter 5. This is a MAC address.
81 Which of the following is NOT a natural disaster? A Tsunami B Pandemic C Flood D Communications outage
81 D. See Chapter 11. A communications outage is considered a man-made
disaster (although it can be caused by a naturally occurring event).
82 Smart cards, fences, guard dogs, and card key access are known as: A Mandatory controls B Physical controls C Preventive controls D Detective controls
82 C. See Chapter 4. Preventive controls are controls that are used to prevent
security events.
83 The main improvement of the Waterfall software life cycle model over earlier
process models is:
A System and software requirements are combined into one step.
B Developers can back up one step in the process for rework.
C Coding and testing is combined into one step.
D The need for rework was eliminated.
83 B. See Chapter 7. Going back one step for rework (of requirements, design,
coding, testing — whatever the step is that needs to be reworked) was the
main improvement of the Waterfall model. This is important because sometimes
any of the steps may fail to consider something that the next step
uncovers.
84 Non-repudiation refers to:
A The technology that shoots down the “I didn’t send that message”
excuse
B Re-verification of all Certificate Authority (CA) certificate servers
C The annual competency review of system authentication mechanisms
D The annual competency review of network authentication mechanisms
84 A. See Chapter 8. Non-repudiation helps to prove that a specific individual
did create or sign a document, or did transmit data to or receive data from
another individual.
85 Intellectual property laws apply to: A Trade secrets, trademarks, copyrights, and patents B Trademarks, copyrights, and patents C Trademarks only D Patents only
85 A. See Chapter 12. Intellectual property laws apply to trade secrets, trademarks,
copyrights, and patents.
86 The process of reviewing and approving changes in production systems is known as: A Availability management B Configuration management C Change management D Resource control
86 C. See Chapter 10. Change management is the complete management function
that controls changes made to a production environment.
87 A water sprinkler system that’s characterized as always having water in the pipes is known as: A Dry-pipe B Wet-pipe C Preaction D Discharge
87 B. See Chapter 13. Wet-pipe is the sprinkler system type in which water is
always in the pipe.
88 The mechanism that overlaps hardware instructions to increase performance is known as: A RISC B Pipeline C Pipe dream D Multitasking
88 B. See Chapter 9. Pipelining is the mechanism used to overlap the steps in
machine instructions in order to complete them faster.
89 A weakness in a security control is called a: A Risk B Vulnerability C Threat D Hole
89 B. See Chapter 6. A vulnerability is a weakness that can permit an undesirable
event.
90 The “ping” command sends: A IGRP Echo Reply packets B IGRP Echo Request packets C ICMP Echo Request packets D UDP Echo Request packets
90 C. See Chapter 5. Ping uses ICMP Echo Requests.
91 The term remote journaling refers to:
A A mechanism that transmits transactions to an alternative processing site
B A procedure for maintaining multiple copies of change control records
C A procedure for maintaining multiple copies of configuration management
records
D A mechanism that ensures the survivability of written records
91 A. See Chapter 11. Remote journaling keeps data at an alternative site up-todate
at all times.
92 Is identification weaker than authentication?
A Yes: Identity is based only on the assertion of identity without providing
proof.
B Yes: Identification uses ASCII data, whereas authentication uses binary
data.
C No: Identification and authentication provide the same level of identity.
D No: They are used in different contexts and have nothing to do with
each other.
92 A. See Chapter 4. Identification is only the assertion of identity, whereas
authentication is the proof of identity.
93 A project team is at the beginning stages of a new software development
project. The team wants to ensure that security features are present in the
completed software application. In what stage should security be introduced?
A Requirements development
B Test plan development
C Application coding
D Implementation plan development
93 A. See Chapter 7. Security should be included in the earliest possible phases
of a software development project. The requirements phase is the earliest
among the choices offered.
94 The amount of effort required to break a given ciphertext is known as: A The Work function B The Effort function C Cryptanalysis D Extraction
94 A. See Chapter 8. Work function is the term used to describe the amount of
time and/or money required to break a ciphertext.
95 In order to be admissible, electronic evidence must:
A Be legally permissible
B Not be copied
C Have been in the custody of the investigator at all times
D Not contain viruses
95 A. See Chapter 12. Evidence gathered in violation of any laws can’t be admitted
in court.
96 The process of maintaining and documenting software versions and settings is known as: A Availability management B Configuration management C Change management D Resource control
96 B. See Chapter 10. Configuration management is the support function that’s
used to store version information about its systems.
97 A water sprinkler system that charges the pipes when it receives a heat or
smoke alarm, and then discharges the water when a higher ambient temperature
is reached, is known as:
A Dry-pipe
B Wet-pipe
C Preaction
D Discharge
97 C. See Chapter 13. Preaction, a combination of dry-pipe and wet-pipe, is
increasingly popular in datacenters because it reduces the likelihood that a
water discharge will actually occur — and a discharge will be limited to a
small area in the datacenter.
98 FORTRAN, BASIC, and C are known as: A Structured languages B Nested languages C Second-generation languages D Third-generation languages
98 D. See Chapter 9. FORTRAN, BASIC, and C are third-generation languages.
99 A security control intended to reduce risk is called a: A Safeguard B Threat C Countermeasure D Partition
99 A. See Chapter 6. Safeguards exist to reduce risk in some way.
100 SMTP is used to: A Manage multiple telnet sessions. B Tunnel private sessions through the Internet. C Simulate modems. D Transport e-mail.
100 D. See Chapter 5. SMTP, or Simple Mail Transport Protocol, is used to send
and receive e-mail messages.
101 Backing up data by sending it through a communications line to a remote location is known as: A Transaction journaling B Off-site storage C Electronic vaulting D Electronic journaling
101 C. See Chapter 11. Electronic vaulting is the term that describes backing up
data over a communications line to another location.
102 Two-factor authentication is so called because:
A It requires two of the three authentication types.
B Tokens use two-factor encryption to hide their secret algorithms.
C Authentication difficulty is increased by a factor of two.
D It uses a factor of two prime numbers algorithm for added strength.
102 A. See Chapter 4. Two-factor authentication requires any two of Type 1
(something you know), Type 2 (something you have), and Type 3 (something
you are) authentication methods.
103 Which of the following is NOT a value of change control in the software
development life cycle?
A Changes are documented and subject to approval.
B Scope creep is controlled.
C It gives the customer veto power over proposed changes.
D The cost of changes is considered.
103 C. See Chapter 7. Veto power is unlikely, but the other choices listed are
value-added features of change control.
104 What’s one disadvantage of an organization signing its own certificates?
A The certificate-signing function is labor intensive.
B Anyone outside the organization will receive warning messages.
C The user-identification process is labor intensive.
D It’s much more expensive than having certificates signed by a
Certification Authority (CA).
104 B. See Chapter 8. The lack of a top-level (root) signature on a certificate
results in warning messages stating that the certificate lacks a top-level
signature.
105 Which agency has jurisdiction over computer crimes in the United States?
A The Department of Justice
B The Electronic Crimes Task Force
C Federal, state, or local jurisdiction
D The FBI and the Secret Service
105 C. See Chapter 12. Federal, state, and local laws cover computer crime.
Depending on the crime, one or more levels of government may have
jurisdiction.
106 Configuration Management is used to:
A Document the approval process for configuration changes.
B Control the approval process for configuration changes.
C Ensure that changes made to an information system don’t compromise
its security.
D Preserve a complete history of the changes to software or data in a
system.
106 D. See Chapter 10. Configuration management is used to preserve all prior
settings or versions of software or hardware, as well as to provide a check
out/check in capability to avoid collisions.
107 Why would a dry-pipe sprinkler be preferred over a wet-pipe sprinkler?
A Dry-pipe systems put out a fire more quickly.
B Dry-pipe systems consume less water.
C Dry-pipe systems have a smaller likelihood of rust damage.
D Dry-pipe systems have a potentially useful time delay before water is
discharged.
107 D. See Chapter 13. Dry-pipe systems take a few moments (at least) before
water discharge begins.
108 The purpose of an operating system is to: A Manage hardware resources. B Compile program code. C Decompile program code. D Present graphic display to users.
108 A. See Chapter 9. An operating system (OS) manages computer hardware
and presents a consistent interface to application programs and tools.
109 The purpose of risk analysis is:
A To qualify the classification of a potential threat.
B To quantify the likelihood of a potential threat.
C To quantify the net present value of an asset.
D To quantify the impact of a potential threat.
109 D. See Chapter 6. The purpose of risk analysis is to quantify the impact of a
potential threat; in other words, to put a monetary value on the loss of information
or functionality.
110 Which of the following is a disadvantage of SSL?
A It requires a certificate on every client system.
B It is CPU intensive.
C All clients must be retrofitted with HTTP v3 browsers.
D An eavesdropper can record and later play back an SSL session.
110 B. See Chapter 5. Because it encrypts and decrypts packets over the network,
SSL consumes a lot of CPU time.
111 Which of the following is NOT a method used to create an online redundant data set? A Remote journaling B Off-site storage C Electronic vaulting D Database mirroring
111 B. See Chapter 11. Off-site storage is merely an alternate location for storing
back-up media.
112 The phrase something you are refers to: A A user’s security clearance B A user’s role C Type 2 authentication D Type 3 authentication
112 D. See Chapter 4. Something you are refers to authentication that measures a
biometric, which means something physical, such as a fingerprint, retina
scan, or voiceprint.
113 How does the Waterfall software development life cycle help to assure that
applications will be secure?
A Security requirements can be included early on and verified later in
testing.
B The testing phase includes penetration testing.
C The Risk Analysis phase will uncover flaws in the feasibility model.
D A list of valid users must be approved prior to production.
113 A. See Chapter 7. The greatest value in the development life cycle is getting
security requirements in at the beginning so that security will be “baked in.”
114 The ability for a government agency to wiretap a data connection was implemented in the: A Skipjack chip B Magic lantern C Cutty chip D Clipper chip
114 D. See Chapter 8. The Clipper Chip implemented a capability to provide
encryption for users and also provided a legal wiretap capability.
115 Under what circumstance may evidence be seized without a warrant?
A If it’s in the public domain
B If it’s believed that its destruction is imminent
C In international incidents
D If it’s on a computer
115 B. See Chapter 12. Evidence may be seized only if law enforcement believes
that it’s about to be destroyed (which the law calls exigent circumstances).
116 The traces of original data remaining after media erasure are known as: A Data remanence B Data traces C Leakage D Data particles
116 A. See Chapter 9. Erasure is seldom 100-percent effective. Despite complex
and time-consuming methods, the slightest traces of data on media that have
been erased may always remain.
117 Why should a datacenter’s walls go all the way to the ceiling and not just
stop as high as the suspended ceiling?
A The walls will serve as an effective fire break.
B The HVAC will run more efficiently.
C The walls will be stronger.
D The high wall will block more noise.
117 A. See Chapter 13. Walls that go all the way up to the ceiling do a better job
of keeping fires from spreading into or out of the datacenter.
118 Protection rings are used for: A Implementing memory protection B Creating nested protection domains C Modeling layers of protection around an information object D Shielding systems from EMF
118 B. See Chapter 9. Protection rings are layers of protection domains, with the
most protected domain in the center.
119 Annualized Rate of Occurrence refers to:
A The exact frequency of a threat.
B The estimated frequency of a threat.
C The estimated monetary value of a threat.
D The exact monetary value of a threat.
119 B. See Chapter 6. Annualized Rate of Occurrence (ARO) is a risk management
term that describes the likelihood of the occurrence of a threat.
120 An access control list is NOT used by:
A A firewall or screening router to determine which packets should pass
through.
B A router to determine which administrative nodes may access it.
C A bastion host to determine which network services should be
permitted.
D A client system to record and save passwords.
120 D. See Chapter 5. Access control lists are used on firewalls, routers, and bastion
hosts, but not on client systems (at least not for recording passwords!).
121 A DRP that has a high RPO and a low RTO will result in:
A A system that takes more time to recover but has recent data
B A system that recovers quickly but has old data
C A system that recovers quickly and has recent data
D A system that has never been tested
121 B. See Chapter 11. A high Recovery Point Objective (RPO) means that data on
a recovered system will be older. A low Recovery Time Objective (RTO)
means that the system will be recovered quickly.
122 Two-factor authentication is stronger than single-factor authentication
because:
A It uses a factor of two prime numbers algorithm for added strength.
B It relies on two factors, such as a password and a smart card.
C Authentication difficulty is increased by a factor of two.
D The user must be physically present to authenticate.
122 B. See Chapter 4. Two-factor authentication requires any two of Type 1
(something you know), Type 2 (something you have), and Type 3 (something
you are) authentication methods.
123 The main purpose of configuration management is to:
A Require cost justification for any change in a software product.
B Require approval for any desired change in a software product.
C Maintain a detailed record of changes for the lifetime of a software
product.
D Provide the customer with a process for requesting configuration
changes.
123 C. See Chapter 7. Configuration management produces a highly detailed
record, including details of each and every copy of a software product that
was created.
124 The cipher device used by Germany in World War II is known as: A M-922 B M-902 C Enigma D Turing
124 C. See Chapter 8. The famous device used by Germany to encrypt and
decrypt secret messages was the Enigma.
125 Motive, means, and opportunity:
A Are required prior to the commission of a crime
B Are the required three pieces of evidence in any criminal trial
C Are the three factors that help determine whether someone may have
committed a crime
D Are the usual ingredients in a sting operation
125 C. See Chapter 12. Motive, means, and opportunity are the standard criteria
when considering a possible suspect in a crime.
126 Software controls are used to:
A Perform input checking to ensure that no buffer overflows occur.
B Keep running programs from viewing or changing other programs’
memory.
C Perform configuration management-like functions on software.
D Ensure the confidentiality and integrity of software.
126 D. See Chapter 10. Software controls are used to protect software from unauthorized
disclosure or tampering.
127 Which of the following are NOT fire detectors? A Dial-up alarms B Heat-sensing alarms C Flame-sensing alarms D Smoke-sensing alarms
127 A. See Chapter 13. Dial-up alarms don’t detect fire; they respond to a fire
detector and call the fire department by using a telephone line to play a prerecorded
message.
128 The TCSEC document is known as the Orange Book because
A It’s orange in color.
B It covers the major classes of computing system security, D through A.
C Its coverage of security was likened to the defoliant Agent Orange.
D No adequate model of computing system security was available at the
time.
128 A. See Chapter 9. The Orange Book was one of several books in the Rainbow
Series, each describing various levels and contexts of computer security, and
each with its own unique color.
129 Single Loss Expectancy refers to:
A The expectation of the occurrence of a single loss.
B The monetary loss realized from an individual threat.
C The likelihood that a single loss will occur.
D The annualized monetary loss from a single threat.
129 B. See Chapter 6. Single Loss Expectancy (SLE) is the monetary value associated
with an individual threat.
130 What is the purpose of the DHCP protocol?
A It’s used to diagnose network problems.
B It assigns IP addresses to servers.
C It assigns IP addresses to stations that join the network.
D It’s used to dynamically build network routes.
130 C. See Chapter 5. The DHCP (dynamic host configuration protocol) is used to
assign IP addresses to stations that join a network.
131 The purpose of a BIA is:
A To determine the criticality of business processes
B To determine the impact of disasters on critical processes
C To determine the impact of software defects on critical business
processes
D To determine which software defects should be fixed first
131 B. See Chapter 11. A Business Impact Assessment (BIA) is used to determine
the impact that different types of disasters have on critical business processes.
132 An organization has recently implemented a palm-scan biometric system to
control access to sensitive zones in a building. Some employees have objected
to the biometric system for sanitary reasons. The organization should:
A Switch to a fingerprint-scanning biometric system.
B Educate users about the inherent cleanliness of the system.
C Allow users who object to the system to be able to bypass it.
D Require employees to use a hand sanitizer prior to using the biometric
system.
132 D. See Chapter 4. It’s reasonable for some employees to voice concerns
regarding the cleanliness of a hand scanner that many employees will be
using. Making hand-sanitizing agents available and requiring all users to use
those hand sanitizers is a reasonable precaution to help prevent the spread
of illnesses.
133 A security specialist has discovered that an application her company
produces has a JavaScript injection vulnerability. What advice should the
security specialist give to the application’s developers?
A Implement input filtering to block JavaScript and other script languages.
B Upgrade to the latest release of Java.
C Re-compile the application with safe input filtering turned on.
D Re-compile the application by using UTF-8 character set support.
133 A. See Chapter 7. An application that has a script injection vulnerability
needs to be modified so that data accepted in input fields is sanitized by
removing script tags and other scripting commands.
134 Cryptography can be used for all the following situations EXCEPT: A Performance B Confidentiality C Integrity D Authentication
134 A. See Chapter 8. Cryptography can be used for confidentiality (by encrypting
a message), integrity (through the use of digital signatures), and authentication
(through the use of digital signatures to prove the origin of a message).
Cryptography isn’t used for performance.
135 The burden of proof in U.S. civil law is:
A The preponderance of the evidence
B Beyond a reasonable doubt
C Beyond all doubt
D Based on the opinion of the presiding judge
135 A. See Chapter 12. The burden of proof in U.S. civil law is based on the
preponderance of the evidence.
136 An organization may choose to perform periodic background checks on its
employees for all the following reasons EXCEPT:
A To determine whether the employee has earned any additional
educational degrees
B To determine whether a detrimental change in an employee’s financial
situation might entice him or her to steal from the employer
C To determine whether a criminal offense has occurred since the person
was hired that would impact the risk of continued employment
D To uncover any criminal offenses that weren’t discovered in the initial
background check
136 A. See Chapter 10. Periodic background checks can be used to discover any
new events in an employee’s criminal or financial background, as well as
uncover any criminal records that weren’t found in the initial background
check.
137 Which class of hand-held fire extinguisher should be used in a datacenter? A Class B B Class C C Class A D Class D
137 B. See Chapter 13. A Class C fire extinguisher should be used in a datacenter;
this type is most effective against electronics and electrical fires.
138 All the following CPUs are CISC design EXCEPT: A PDP-11 B Intel x86 C SPARC D Motorola 68000
138 C. See Chapter 9. PDP-11, Intel x86, and Motorola 68000 are CISC design
CPUs. SPARC is a RISC design CPU.
139 A system architect has designed a system that is protected with redundant
parallel firewalls. This follows which security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed
139 A. See Chapter 6. An architecture with parallel components generally is following
the avoidance of a single point of failure.
140 The type of cable that is best suited for high RF and EMF environments is: A Fiber-optic B Shielded twisted-pair C Coaxial D Thinnet
140 A. See Chapter 5. Because it transmits light instead of electrical signals, fiberoptic
cabling is virtually immune to RF and EMF environments.
141 A Disaster Recovery Planning team has been told by management that the
equipment required to meet RTO and RPO targets is too costly. What’s the
best course of action to take?
A Classify the system as being out of scope.
B Reduce the RTO and RPO targets.
C Look for less expensive methods for achieving targets and report to
management if no alternatives can be found.
D Ask for more budget for recovery systems.
141 C. See Chapter 11. When management has determined that a proposed
disaster recovery architecture is too expensive, the project team needs to
find less costly alternatives. If none can be found, the project team needs to
inform management, who may approve of longer RPO and RTO targets that
should be less costly.
142 A security manager is planning a new video surveillance system. The manager
wants the video surveillance system to be both a detective control and
a deterrent control. What aspect of the system’s design will achieve this
objective?
A Include a video-recording capability in the system.
B Make video cameras conspicuously visible and post warning notices.
C Hide video cameras and don’t post warning notices.
D Make video monitors conspicuously visible.
142 B. See Chapter 4. A video surveillance system can be an effective deterrent
control if its cameras are visible. Warning notices provide even greater deterrent
ability.
143 Privacy advocacy organizations are concerned about the practice of aggregation,
which involves:
A Selling highly sensitive data to the highest bidder
B Distributing highly sensitive data to third parties
C Combining low-sensitivity data elements that results in highly sensitive
data
D Disclosing highly sensitive data to government agencies
143 C. See Chapter 7. Aggregation is the process of combining data, which can
result in the creation of highly sensitive information.
144 A cipher uses a table to replace plaintext characters with ciphertext
characters. This type of cipher is known as:
A Stream
B Block
C Substitution
D Transposition
144 C. See Chapter 8. A substitution cipher uses a lookup table for substituting
one character for another.
145 Under U.S. law, the amount of a fine and the length of imprisonment are based on: A The opinion of the judge B The opinion of the jury C The evidence introduced in a trial D Federal sentencing guidelines
145 D. See Chapter 12. Federal sentencing guidelines provide the range of possible
monetary fines and length of imprisonment.
146 An organization has identified a high-risk activity that’s performed by a
single individual. The organization will change the activity so that two or
more individuals are required to perform the task. This new setup is
known as:
A Single point of failure
B Shared custody
C Split custody
D Separation of duties
146 D. See Chapter 10. Separation of duties is the concept that supports a process
design in which two or more individuals are required to perform a critical task.
The classic example is the three activities carried out by three separate individuals
in an accounting system: creating a payee, making a payment
request, and making a payment.
147 An organization wants to erect fencing around its property to keep out
determined intruders. What are the minimum specifications that the organization
should consider?
A Eight feet in height and three strands of barbed wire at the top
B Twelve feet in height and three strands of barbed wire at the top
C Eight feet in height
D Twelve feet in height
147 A. See Chapter 13. To keep out determined intruders, an organization should
consider fencing that’s at least eight feet in height and includes three strands
of barbed wire.
148 Which type of technology is a computer designer most likely to use for main memory? A EAROM B Dynamic RAM C Flash D Hard drive
148 B. See Chapter 9. Most computers’ main memory uses dynamic RAM
(DRAM) or static RAM (SRAM).
149 A document that lists the equipment brands, programming languages, and
communications protocols to be used in an organization is a:
A Policy
B Guideline
C Requirement
D Standard
149 D. See Chapter 6. A standards document defines the equipment brands, programming
languages, communications protocols, and other components to
be used in an organization.
150 Which of the following is true about Digital Subscriber Line:
A Digital Subscriber Line is synonymous with DOCSIS (Digital Over Cable
Services Interface Specification).
B Digital Subscriber Line is a simplex protocol.
C Digital Subscriber Line has been superseded by ISDN.
D Digital Subscriber Line has superseded ISDN.
150 D. See Chapter 5. Digital Subscriber Line has superseded ISDN in most areas.
The other statements are false.
151 A DRP has an RTO of 24 hours and an RPO of 56 hours. This indicates that:
A The system will be operational within 24 hours and the maximum data
loss is 56 hours.
B The system will be operational within at least 24 hours and the maximum
data loss is 56 hours.
C The system will be operational within 56 hours and the maximum data
loss is 24 hours.
D The system will be operational within 24 hours and the maximum data
loss will be 32 hours.
151 A. See Chapter 11. An RTO of 24 hours means a recovery system will be
operational within 24 hours of a disaster. An RPO of 56 hours means the
maximum data loss will be 56 hours.
152 The ability to associate users with their actions is known as: A Non-repudiation B Accountability C Audit trails D Responsibility
152 B. See Chapter 4. When users are associated with their actions (which is usually
achieved through audit logs), they’re made to be accountable.
153 A database administrator has tuned a transaction processing database for
optimum performance. Business users now want to use the same database
for business intelligence and decision support. What action should the database
administrator take?
A Implement a separate data warehouse that’s tuned for decision support.
B Tune the transaction processing database to optimize performance of
decision support queries.
C Implement a database server cluster and tune the passive server for
decision support.
D Establish separate user IDs for transaction use and decision-support
use, and tune each for their respective purposes.
153 A. See Chapter 7. It’s rarely possible to tune a database management system
to provide adequate performance for both transaction processing and decision
support. A separate data warehouse should be implemented, and that
database tuned for that purpose. The original database should be tuned for
optimum transaction processing performance.
154 The Advanced Encryption Standard algorithm is based on: A The Rijndael block cipher B The Rijndael stream cipher C The Skipjack cipher D The triple-DES cipher
154 A. See Chapter 8. AES (Advanced Encryption Standard) is based on the
Rijndael block cipher.
155 An organization has developed a new technique for compiling computer
code and wants to protect that technique by using applicable intellectual
property law. Which type of protection should the organization use?
A Patent
B Trademark
C Service mark
D Copyright
155 A. See Chapter 12. A patent is the type of legal protection used for the design
of a mechanism.
156 An organization is reducing the size of its workforce and has targeted the
lead database administrator for termination of employment. How should the
organization handle this termination?
A Terminate the employee’s user accounts within 24 hours of notification.
B Terminate the employee’s user accounts immediately after notification.
C Terminate the employee’s user accounts within 48 hours of notification.
D Retain the employee’s user accounts until a replacement can be trained.
156 B. See Chapter 10. A position such as database administrator, network
administrator, or system administrator usually has high privileges. The safest
course of action when terminating employment for a person in such a position
is to immediately terminate all access immediately after (or just prior to)
notification.
157 What’s one disadvantage of the use of key cards as a building access
control?
A Key card readers are expensive.
B The False Accept Rate (FAR) may exceed the False Reject Rate (FRR).
C Any party who finds a lost key card can use it to enter a building.
D A key card’s PIN code is easily decrypted.
157 C. See Chapter 13. Unless coupled with a PIN pad or biometric reader, any
person can use a key card to enter a building.
158 All the following are components of an operating system EXCEPT: A Compiler B Kernel C Device driver D Tools
158 A. See Chapter 9. Operating systems consist of a kernel, device drivers,
and tools.
159 A document that describes the steps to be followed to complete a task is known as a: A Process B Procedure C Guideline D Standard
159 B. See Chapter 6. A procedure describes the steps used to complete a task.
160 Which routing protocol transmits its passwords in plaintext? A RIPv2 B RIPv1 C BGP D EIGRP
160 A. See Chapter 5. The RIP (Routing Information Protocol) version 2 transmits
passwords in plaintext. RIPv1 did not use passwords at all.
161 Damage assessment of a datacenter after an earthquake should be performed by: A The chief security officer B The datacenter manager C An unlicensed structural engineer D A licensed structural engineer
161 D. See Chapter 11. Only a licensed structural engineer is qualified to examine
the structure of a building after an earthquake and determine whether that
building can be safely used. The other parties aren’t qualified to make this
assessment.
162 The primary reason users are encouraged to use passphrases, rather than
passwords, is:
A They’ll choose longer passwords that are inherently stronger than
shorter ones.
B Their passwords will include spaces, which make passwords more
complex.
C Newer systems don’t support passwords.
D Passphrases can be coupled with biometric systems.
162 A. See Chapter 4. The term passphrase simply means a longer password.
The longer a password, the more difficult it can be to crack.
163 An application that was previously written to support a single user has been
changed to support multiple concurrent users. The application encounters
errors when two users attempt to access the same record. What feature
should be added to the application to prevent these errors?
A Load balancing
B Replication
C Record locking
D Clustering
163 C. See Chapter 7. Record locking is a mechanism used to arbitrate access to
resources in multiuser applications.
164 Two users, A and B, have exchanged public keys. How can user A send a
secret message to user B?
A User A encrypts a message with user B’s public key; user B decrypts the
message with user B’s private key
B User A encrypts the message with user A’s private key; user B decrypts
the message with user B’s private key
C User A encrypts the message with user A’s private key; user B decrypts
the message with user A’s public key
D User A encrypts the message with user B’s public key; user B decrypts
the message with user A’s public key
164 A. See Chapter 8. In public key cryptography, a sender encrypts a message
with the recipient’s public key; the recipient decrypts the message with the
recipient’s private key.
165 An intruder has been apprehended for breaking into an organization’s
computer systems to steal national security secrets. Under what U.S. law
will the intruder likely be charged?
A Cybercrime Act of 2001
B Federal Information Security Management Act of 2002
C U.S. Computer Fraud and Abuse Act of 1986
D U.S. Computer Security Act of 1987
165 C. See Chapter 12. An intruder who steals national security secrets in the U.S.
is likely to be charged with a violation of the Computer Fraud and Abuse Act
of 1986.
166 The process of including text such as Company Confidential: For Internal Use Only on a document is known as: A Branding B Classification C Watermarking D Marking
166 D. See Chapter 10. Classifying, or marking, is the term used to describe the
action of including text such as Company Confidential on a document.
167 An organization wants to install a motion detector in a portion of a building
that has variable ambient noise. Which type of motion detector should be
considered?
A Wave pattern or capacitance
B Wave pattern
C Capacitance
D Photo-electronic
167 A. See Chapter 13. A wave pattern or capacitance motion detector would be a
candidate for an area that experiences ambient noise.
168 An organization uses a Windows-based server to act as a file server. The
owners of individual files and directories are able to grant read and write
permissions to other users in the organization. This capability most closely
resembles which security model?
A Discretionary access control (DAC)
B Mandatory access control (MAC)
C Access matrix
D Take-Grant
168 A. See Chapter 9. The capability for end users to grant permissions to others
corresponds to the discretionary access control (DAC) model.
169 The relationship between threat, vulnerability, and risk is defined as: A Risk = vulnerability × threat B Threat = vulnerability × risk C Vulnerability = threat × risk D Risk = vulnerability + threat
169 A. See Chapter 6. The basic relationship between threat, vulnerability, and
risk is that the risk is equal to the threat times the vulnerability.
170 Which of the following WiFi protocols has not been compromised: A WEP B WPA C WPA2 D TKIP
170 C. See Chapter 5. WPA2 with AES has not been compromised.
171 The purpose of software escrow is:
A Secure storage of software source code in the event of a disaster or the
failure of the company that produced it
B Third-party confirmation of the integrity of a software application
C Secure storage of software object code in the event of a disaster or the
failure of the company that produced it
D Third-party delivery of a software application
171 A. See Chapter 11. The purpose of a software escrow agreement (also known
as a source code escrow agreement) is the secure off-site storage of software
source code in the event of a disaster or the complete failure of the organization.
172 A system has been designed to include strong authentication and transaction
logging so that subjects can’t deny having performed actions. This
inability for a subject to deny having performed an action is known as:
A Irresponsibility
B Culpable deniability
C Non-repudiation
D Dissociation
172 C. See Chapter 4. Non-repudiation is a property of a system to be able to prevent
a subject from denying that he or she performed an action. This is
accomplished through strong authentication and audit (or transaction) logging.
173 An organization is considering the purchase of a business application. What
should the organization develop before making a product decision?
A Application code
B Specifications
C Design
D Requirements
173 D. See Chapter 7. An organization should develop requirements that define
the desired characteristics of an application that it will consider purchasing.
174 Two users want to establish a private communications link. The two users
have never communicated before. How should a symmetric encryption key
be communicated to both parties?
A The encryption key should be kept by one party only.
B The encryption key should be transmitted as part of initial
communications.
C The encryption key should be transmitted by using an in-band
communications channel.
D The encryption key should be transmitted by using an out-of-band
communications channel.
174 D. See Chapter 8. For two parties that have not communicated before, a symmetric
encryption key must be sent from one party to another through an outof-
band channel. For example, an encryption key for network communications
should be sent via fax or courier.
175 An organization has developed a new method for building a mechanical
device. The organization doesn’t want to reveal the method to any third
party. Which type of protection should be used?
A Copyright
B Patent
C Trade secret
D Trademark
175 C. See Chapter 12. An organization that doesn’t want to disclose a method
can’t file a copyright, trademark, or patent because these filings would disclose
the method. Instead, the organization must carefully guard the method
and consider it a trade secret.
176 An intruder has broken into an organization’s computer systems to steal
industrial designs. This action is known as:
A Robbery
B Cracking
C Hacking
D Espionage
176 D. See Chapter 10. Espionage is the process of spying on an organization in
order to discover its military or industrial secrets.
177 For fire suppression in a commercial datacenter, all the following types of
fire-suppression systems may be considered EXCEPT:
A FM-200
B Inert gas
C Preaction
D Deluge
177 D. See Chapter 13. Fire suppression in a commercial datacenter may include
an inert gas system, FM-200 (which is one commercial brand of an inert gas
system), or preaction (if local fire codes require some type of a water sprinkler
system). A deluge system would never be considered.
178 TCSEC has been superseded by which standard? A Common Criteria B ITSEC C ISO 27002 D DITSCAP
178 A. See Chapter 9. The Trusted Computer System Evaluation Criteria (TCSEC)
has been superseded by the Common Criteria.
179 When is it prudent to perform a quantitative risk analysis?
A When the probability of occurrence is low.
B When the value of assets is high.
C When the value of assets is low.
D When the probability of occurrence is high.
179 B. See Chapter 6. A quantitative risk analysis is more difficult and timeconsuming
to perform, and is usually done only on high-value assets.
180 Two users wish to establish a private communications link. The two users
have never communicated before. What algorithm should be used to
establish a symmetric encryption key?
A Merkle
B Diffie-Hellman
C Babbage
D RSA
180 B. See Chapter 8. The Diffie-Hellman (DH) key exchange algorithm permits
the safe establishment of a symmetric encryption key over a communications
channel.
181 The purpose of Layer 1 in the OSI model is to:
A Transmit and receive bits.
B Sequence packets and calculate checksums.
C Perform application-to-application communications.
D Transmit and receive frames.
181 A. See Chapter 5. Layer 1 of the OSI model is concerned only with sending
and receiving bits.
182 The main reason for incorporating a CAPTCHA is: A To slow down brute-force attacks. B To prevent non-human interaction. C To improve application performance. D To reduce false-positives.
182 B. See Chapter 4. The primary reason for using CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart) is to
ensure that a human is interacting with an application.
183 A set of SQL statements that are stored in the database is known as a: A Callout B Subroutine C Prepared statement D Stored procedure
183 D. See Chapter 7. A stored procedure is a set of one or more SQL statements
that are stored in the database management system, usually in the data
dictionary.
184 Two users have exchanged public keys. User A has encrypted a message
with User B’s public key. What must User B do to read the message?
A Decrypt the message with User A’s private key.
B Decrypt the message with User A’s public key.
C Decrypt the message with User B’s public key.
D Decrypt the message with User B’s private key.
184 D. See Chapter 8. In public key cryptography, a sender encrypts a message
with the recipient’s public key. The recipient decrypts the message with his
own private key.
185 The USA PATRIOT Act:
A Makes it illegal to encrypt international e-mail messages.
B Makes it illegal to export strong encryption technology.
C Gives law enforcement greater power of surveillance, search, and
seizure.
D Means judges no longer need to approve search warrants.
185 C. See Chapter 12. The USA PATRIOT Act gives law enforcement organizations
greater search and seizure powers, primarily to combat terrorism.
186 An organization has added bank account numbers to the data it backs up to
tape. The organization should:
A Back up only the hashes of bank account numbers and not the numbers
themselves.
B Split bank account numbers so they reside on two different backup tapes.
C Stop sending backup tapes off-site.
D Encrypt backup tapes that are sent off-site.
186 D. See Chapter 10. An organization that backs up sensitive data such as bank
account numbers should consider encrypting its backup media.
187 The purpose of a motion sensing request-to-exit sensor on an exterior
doorway is:
A Count the number of persons exiting the door.
B Count the number of persons entering the door.
C Unlock an exterior door and permit a person to exit.
D Detect when a person is approaching an exterior exit from the inside.
187 D. See Chapter 13. The purpose of a request-to-exit (REX) sensor is to detect
when a person is approaching a doorway — usually an exterior exit door
from the inside. If an exterior door is opened from the outside without the
use of a key card and without a person inside the door, then the door is
assumed to have been opened with a key or forced open by an intruder.
188 The risks associated with outsourcing computing to the Cloud are all of the following EXCEPT: A Data ownership. B Data jurisdiction. C Control effectiveness. D Availability.
188 A. See Chapter 9. Data jurisdiction, control effectiveness, and availability are
risks associated with cloud computing. Data ownership is not usually an issue.
189 A system architect has designed a system that is protected with two layers
of firewalls, where each firewall is a different make. This follows which
security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed
189 B. See Chapter 6. A network that uses two different makes of firewalls follows
the principle of defense in depth. A weakness in one firewall is not likely to
be present in the other.
190 The range of all possible encryption keys is known as: A Keyrange. B Keyspace. C Elliptic curve. D Cryptospace.
190 B. See Chapter 8. The complete range of possible keys in a cryptosystem is
known as the keyspace.
191 2001:0F56:45E3:BA98 is a: A MAC address B IPv4 address C Subnet mask D IPv6 address
191 D. See Chapter 5. 2001:0F56:45E3:BA98 is an IPv6 address.
192 An authentication system does not limit the number of invalid login
attempts. This system is:
A Designed for machine interaction only.
B Integrated to a single sign-on (SSO) service.
C Vulnerable to brute force attacks.
D Not used to store sensitive data.
192 C. See Chapter 4. A system that does not limit the number of invalid login
attempts is vulnerable to mechanized password guessing attacks. The
attacker can attempt to log in thousands of times until the correct password
is discovered.
193 An attacker has discovered a way to change his permissions from an
ordinary end user to an administrator. This type of attack is known as:
A Back door.
B Denial of Service.
C Privilege injection.
D Escalation of privilege.
193 D. See Chapter 7. An attack that results in increased permissions is known as
escalation of privilege.
194 A user has lost the password to his private key. The user should:
A Create a new password for his private key
B Decrypt his private key
C Retrieve the password from his public key
D Generate a new keypair
194 D. See Chapter 8. If a user has lost the password to his private key, the key
can no longer be used; the user must generate a new keypair.
195 The burden of proof in U.S. criminal law is:
A The preponderance of the evidence
B Beyond a reasonable doubt
C Beyond all doubt
D Based on the opinion of the presiding judge
195 B. See Chapter 12. The burden of proof in U.S. criminal law is “beyond a reasonable
doubt.”
196 The best approach for patch management is:
A Install only those patches that scanning tools specify are missing.
B Install patches only after problems are experienced.
C Install all available patches.
D Perform risk analysis and install patches that are relevant.
196 D. See Chapter 10. The best approach for patch management is to perform
risk analysis on each patch, and install those that are relevant. Applying all
available patches consumes more resources and may reduce system integrity.
197 In addition to video surveillance, how can a public reception area be best protected? A Duress alarm B Pepper spray C Hand signals D Emergency telephone numbers
197 A. See Chapter 13. A duress alarm can be used to signal other personnel that
there is an emergency in a specific area of a building.
198 The main weakness of a homogeneous environment is:
A A variety of systems is more difficult to manage effectively.
B Inconsistent management among systems in the environment.
C A vulnerability in one system is likely to be found in all systems in the
environment.
D Port scans will take longer to complete.
198 C. See Chapter 9. The main weakness of a homogeneous environment is that
all of the systems are the same. If one system has a vulnerability or weakness,
many or all of the other systems in the environment are likely to have
the same vulnerability or weakness.
199 A security manager has designed a building entrance that will lock doors in
the event of a power failure. This follows which security design principle?
A Avoidance of a single point of failure
B Defense in depth
C Fail open
D Fail closed
199 D. See Chapter 6. A system that blocks all access in the event of a power failure
(or other type of failure) follows the principle of fail closed.
200 An effective cryptosystem is all of the following EXCEPT:
A Efficient.
B Easy to crack.
C Easy to use.
D Strong, even if its algorithm is known.
200 B. See Chapter 8. An effective cryptosystem is easy to use, strong even if its
algorithm is known, and makes efficient use of resources. A cryptosystem
that is easily broken is not effective.
201 255.255.0.0 is a: A MAC address B IPv4 address C Subnet mask D IPv6 address
201 C. See Chapter 5. 255.255.0.0 is an IPv4 subnet mask.
202 The main reason for preventing password re-use is:
A To increase password entropy.
B To prevent a user from reverting to their old, familiar password.
C To encourage users to use different passwords on different systems.
D To prevent users from using the same passwords on different systems.
202 B. See Chapter 4. Preventing password re-use discourages users from trying
to revert to familiar passwords, which can slightly increase the risk of system
compromise.
203 A software developer has introduced a feature in an application that permits
him to access the application without the need to log in. This feature is
known as a:
A Bypass
B Front door
C Side door
D Back door
203 D. See Chapter 7. A back door is a feature that permits covert access to a
system, usually through bypassing access controls.
204 A cryptosystem uses two-digit numerals to represent each character of a message. This is a: A Concealment cipher B Vernam cipher C Substitution cipher D Transposition cipher
204 C. See Chapter 8. A cryptosystem where message characters are converted
to two-digit numerals is a substitution cipher, because ciphertext characters
are substituted for message characters.
205 California state law SB-1386:
A Requires organizations to publish their privacy policies.
B Requires organizations to encrypt bank account numbers.
C Requires organizations to disclose security breaches to affected citizens.
D Requires organizations to encrypt private data.
205 C. See Chapter 12. The California Security Breach Information Act, SB-1386,
requires organizations to disclose security breaches of specific personal data
to all affected citizens, unless that data was encrypted. The law does not
require that any data be encrypted.
206 The purpose of penetration testing is:
A Simulate an attack by insiders.
B Confirm the presence of application vulnerabilities.
C Confirm the effectiveness of patch management.
D Simulate a real attack and identify vulnerabilities.
206 D. See Chapter 10. The purpose of penetration testing is to simulate an attack
by malicious outsiders or insiders who may be attempting to compromise a
target system.
207 An advantage of video surveillance motion sensing recording over continuous
recording is:
A Date and time stamping on video frames.
B Improved durability of storage media.
C Lower cost of storage media.
D Relevant content can be retained for a longer period of time.
207 D. See Chapter 13. In a motion-sensing surveillance system, only content
with actual motion is recorded. This enables content to be retained for a
greater period of time (because recording of no-activity is eliminated).
208 The four basic requirements in the Orange Book are:
A Security policy, assurance, accountability, and documentation.
B Security policy, availability, accountability, and documentation.
C Security policy, assurance, confidentiality, and documentation.
D Security policy, assurance, accountability, and integrity.
208 A. See Chapter 9. The four basic requirements described in the Orange Book
are security policy, assurance, accountability, and documentation.
209 A document that is unclassified: A Is a threat to national security. B Is not sensitive. C Is secret and must be protected. D Is not a threat to national security.
209 B. See Chapter 6. A document that is unclassified does not contain sensitive
information.
210 In a symmetric cryptosystem, two users who wish to exchange encrypted
messages exchange cryptovariables. The next thing the users should do is:
A Re-issue encryption keys.
B Begin to exchange encrypted messages.
C Change encryption algorithms.
D Change to an asymmetric cryptosystem.
210 B. See Chapter 8. When two users have exchanged cryptovariables (also
known as encryption keys), they may begin exchanging encrypted messages.
211 In the resource \\usdb01\symm\dev\src\, usdb01 is a: A Server. B Directory. C File. D Network.
211 A. See Chapter 5. In Uniform Naming Convention (UNC) for \usdb01\symm\
dev\src\, usdb01 is the name of a server.
212 An attacker has obtained a file containing hashed passwords. The fastest way to crack the hashed passwords is: A Unsalt the hashes B Brute-force attack C Rainbow tables D Cryptanalysis
212 C. See Chapter 4. An attacker who obtains a list of hashed passwords may be
able to use a rainbow table to simply find the matching hashes and learn
their corresponding passwords.
213 The best method for defending against cross-site request forgery (CSRF)
attacks is:
A Encrypt traffic with SSL/TLS.
B Block JavaScript execution.
C Filter input fields to reject injection strings.
D Include a transaction confirmation step with every critical application
function.
213 D. See Chapter 7. The best defense against cross-site request forgery (CSRF)
attacks is to include subsequent steps such as transaction confirmation.
214 A cryptosystem uses a key that is the same length of the message. The key
is used only for this message. This is a:
A Transformation cipher.
B Transposition cipher.
C Substitution cipher.
D Vernam cipher.
214 D. See Chapter 8. A Vernam cipher, or one-time pad, is a cryptosystem where
the encryption key is the same length of the message, and is used only one
time – for that message alone.
215 The purpose of the Sarbanes-Oxley Act of 2002 is to:
A Restore investors’ confidence in U.S. companies.
B Ensure privacy of all U.S. citizens.
C Increase penalties for security breaches.
D Reduce securities fraud.
215 A. See Chapter 12. The purpose of the Sarbanes-Oxley Act of 2002 is to
renew public trust in U.S. public companies by strengthening company controls
related to financial reporting.
216 A disadvantage of a HIDS is all of the following EXCEPT:
A A server-based HIDS system cannot be a choke point like a NIDS/
NIPS can.
B A separate HIDS instance must be installed and maintained on every
server.
C HIDS can only perform signature-based detection, not anomaly-based
detection.
D It will not detect port scans on unused IP addresses.
216 C. See Chapter 10. Because it has to be installed on every host, an organization
may have many HIDS systems to maintain. And, because HIDS runs on
individual hosts, a HIDS system cannot act as a network choke point in the
way a network-based IDS can. A HIDS system can only detect traffic sent
directly to any host it’s running on.
217 The primary advantage for remote monitoring of datacenter access controls is:
A Local monitoring cannot identify all intrusions.
B Remote monitoring is more effective than local monitoring.
C Reduction of costs.
D It compensates for the possibility that personnel in the datacenter are
unavailable or compromised.
217 D. See Chapter 13. One of the main reasons for employing remote monitoring
of physical access controls in a datacenter is the ability to observe physical
access controls even if local staff are unavailable or compromised.
218 TCSEC evaluation criteria are:
A Certification, inspection, and accreditation.
B Confidentiality, integrity, and availability.
C Measurement, guidance, and acquisition.
D System architecture, system integrity, and covert channel analysis.
218 C. See Chapter 9. TCSEC (Orange Book) system evaluation criteria are measurement,
guidance, and acquisition.
219 A document that lists approved protocols is known as a: A Process B Procedure C Guideline D Standard
219 D. See Chapter 6. A document that lists approved protocols, technologies, or
suppliers is known as a standard.
220 An encryption algorithm that rearranges bits, characters, or blocks of data is known as a: A Substitution cipher. B Transposition cipher. C Vernam cipher. D Concealment cipher.
220 B. See Chapter 8. An encryption algorithm that rearranges bits, characters, or
blocks of data is known as a transposition cipher, because it transposes data.
221 Systems on an internal network have RFC 1918 network addresses. To
permit these systems to communicate with systems on the Internet, what
should be implemented on the firewall?
A NAT
B NAC
C NAP
D NAS
221 A. See Chapter 5. In order to facilitate communication to the Internet on systems
with RFC 1918 (private) addresses, implement NAT (network address
translation) on a firewall.
222 The purpose of a user account access review is:
A All of these.
B To ensure that employee terminations were properly processed.
C To ensure that all role assignments were properly approved.
D To ensure that assigned roles are still needed.
222 A. See Chapter 4. The purpose of a user account access review can serve
many purposes, including making sure that employee terminations resulted
in timely access terminations, that all user roles were properly approved, and
that users still require their access roles.
223 The most effective countermeasure for session hijacking is: A Two-factor authentication. B Strong passwords. C Full disk encryption. D Full session HTTPS encryption.
223 D. See Chapter 7. Session hijacking occurs when an attacker obtains session
cookies from a victim user. Full session encryption with HTTPS is an effective
countermeasure, since attackers will not be able to obtain session cookies.
224 A cryptologist has determined that a cryptosystem has a weak PRNG. This
can lead to:
A Compromise of the cryptosystem
B Increased performance of the cryptosystem
C Decreased performance of the cryptosystem
D Collisions
224 A. See Chapter 8. A weak pseudo-random number generator (PRNG) may
result in a weak cryptosystem that can be broken through cryptanalysis.
225 Recordkeeping that is related to the acquisition and management of forensic evidence is known as: A Best evidence. B Burden of proof. C Chain of custody. D Certification.
225 C. See Chapter 12. The Chain of Custody is the recordkeeping that describes
the handling of forensic evidence in support of an investigation.
226 The purpose of audit trails includes all of the following EXCEPT: A Event reconstruction. B Investigation support. C Enforcement of accountability. D Data recovery.
226 D. See Chapter 10. Audit trails support event reconstruction, investigation
support, problem identification, and enforcement of accountability. Audit
trails are not used for recovery purposes.
227 In a datacenter that provides dual power feeds to each equipment rack,
components with dual power supplies are connected to each power feed.
Why should power circuits not be loaded over 40% capacity?
A To permit systems to be power-cycled without overloading circuits.
B To permit systems to be rebooted without overloading circuits.
C To permit power supplies to be swapped out.
D If one power feed fails, power draw on alternate circuits will double.
227 D. See Chapter 13. When dual power supply components are connected to
different circuits, those circuits should not be loaded to a load greater than
40% of capacity. If one power circuit fails, the other circuit can expect its load
to increase to 80%.
228 A web application that uses sequential session identifiers:
A Has high resilience.
B Has low resilience.
C Is vulnerable to session hijacking.
D Is not vulnerable to session hijacking.
228 C. See Chapter 9. A web application that uses sequential session identifiers is
vulnerable to a state attack, where an attacker can easily guess other session
identifiers and attempt to steal other users’ sessions.
229 All of the following statements about policies are true EXCEPT:
A They specify what should be done.
B They specify how something should be done.
C They should be reviewed annually.
D They are formal statements of rules.
229 B. See Chapter 6. Policies are formal statements of business rules; they specify
what should be done, but not how they should be done. Policies should
be reviewed periodically.
230 An encryption algorithm that replaces bits, characters, or blocks in plaintext
with alternate bits, characters, or blocks is known as a:
A Substitution cipher.
B Transposition cipher.
C Vernam cipher.
D Concealment cipher.
230 A. See Chapter 8. An encryption algorithm that replaces bits, characters, or
blocks of data is known as a substitution cipher.
231 Two-factor authentication is preferred for VPN because:
A It is more resistant to a dictionary attack.
B It is more resistant to a replay attack.
C Encryption protects authentication credentials.
D Encryption protects encapsulated traffic.
231 A. See Chapter 5. Two-factor authentication is preferred for VPN because it is
more resistant to a dictionary attack.
232 An audit of user access has revealed that user accounts are not being
locked when employees leave the organization. The best way to mitigate
this finding is:
A Reset all account passwords.
B Lock all user accounts and require users to re-apply for access.
C Improve the termination process and perform monthly access reviews.
D Discipline the culpable personnel.
232 C. See Chapter 4. When it has been discovered that many user accounts were
not locked for users who left the organization, the termination process
should be improved by whatever means necessary. Monthly access reviews
will help to ensure that process changes are effective.
233 A blogging site allows users to embed JavaScript in the body of blog
entries. This will allow what type of attack?
A Cross-frame scripting
B Cross-site request forgery
C Non-persistent cross-site scripting
D Persistent cross-site scripting
233 D. See Chapter 7. Any site that permits users to embed JavaScript is susceptible
to cross-site scripting (XSS) attacks.
234 A system designer needs to choose a stream cipher to encrypt data. The designer should choose: A 3DES B AES C RC1 D RC4
234 D. See Chapter 8. A system designer in need of a stream cipher should
choose RC4. The other ciphers are block ciphers.
235 Evidence that is obtained through illegal means:
A May be used in a legal proceeding.
B May be used as indirect evidence.
C Cannot be used in a legal proceeding.
D Must be returned to its owner.
235 C. See Chapter 12. Any evidence obtained through illegal means cannot be
used in any legal proceeding.
236 A particular type of security incident occurs frequently in an organization.
What should be performed to reduce the frequency of these incidents?
A Audit log correlation
B Root cause analysis
C Incident forensics
D Six Sigma analysis
236 B. See Chapter 10. If a specific type of incident occurs over and over, root
cause analysis should be performed so that the factors responsible for incident
recurrence can be corrected.
237 What procedure should be followed by personnel in case of fire in a
datacenter?
A All personnel should remain to fight the fire.
B One person should remain behind and fight the fire.
C Collect backup media and evacuate.
D Immediate evacuation.
237 D. See Chapter 13. In case of a fire in a datacenter, personnel should evacuate
immediately. Personnel safety is the highest priority in a datacenter.
238 The following statements about the Common Criteria are true EXCEPT:
A It is the European version of ITSEC.
B It has been adopted as international standard ISO 15408.
C It contains eight levels of evaluation assurance.
D It supersedes TCSEC and ITSEC.
238 A. See Chapter 9. The Common Criteria has been adopted as international
standard ISO 15408, it contains eight levels of evaluation assurance, and it
supersedes TCSEC and ITSEC.
239 An organization has employees in many countries, where laws vary on the
type of background checks that can be performed. The best approach for
background checks is:
A Perform background checks only in those countries that permit
reasonable checks.
B Perform the best background check in each country as permitted by law.
C Perform the same background check in all countries by performing only
what is allowed in all of them.
D Do not perform background checks.
239 B. See Chapter 6. An organization should perform the best background check
available and permitted by law in each country.
240 A disadvantage of a symmetric cryptosystem is:
A It is far less efficient than an asymmetric cryptosystem.
B Users who do not know each other will have difficulty securely
exchanging keys.
C It is difficult to publish a public key.
D It is easy to publish a public key.
240 B. See Chapter 8. In a symmetric cryptosystem, both users must possess the
same encryption key. If these users do not know each other, it may be difficult
to securely exchange a key.
241 Two organizations exchange data via FTP. The best choice to make this
more secure is:
A Change the FTP protocol to SFTP or FTPS.
B Encrypt transferred files with PGP.
C Change password more frequently.
D Change to longer, complex passwords.
241 A. See Chapter 5. The best choice for making an FTP connection more secure
is to change to FTPS or SFTP. Encrypting the payload does not protect
authentication credentials.
242 An attacker is capturing a user’s keystrokes during authentication. The attacker may be preparing to launch a: A Brute-force attack. B Cryptanalysis attack. C Replay attack. D Denial of service attack.
242 C. See Chapter 4. An attacker who is able to record the keystrokes of a user
logging in to a system is preparing to launch a replay attack.
243 Users in a company have received e-mail messages claiming to be from the
company’s IT department with instructions on installing a security patch.
The URL points to a page that resembles the company’s IT Helpdesk home
page. This may be a:
A Whaling attack.
B Pharming attack.
C Phishing attack.
D Spear phishing attack.
243 D. See Chapter 7. An e-mail-based attack that points users to a website that
resembles a company’s own website is a spear phishing attack, because it is
targeting users in a specific organization.
244 A laptop containing several private encryption keys has been stolen. The owner of the encryption keys should: A Generate new key pairs B Change the keys’ passwords C Change encryption algorithms D No action is necessary
244 A. See Chapter 8. If a laptop containing private encryption keys has been
stolen, the attacker may be able to guess the passwords for private keys and
compromise the cryptosystem. The owner of the encryption keys should generate
new key pairs.
245 A company outsources its credit card processing to a third-party organization.
The company should:
A Require the third-party organization to be PCI-compliant.
B Require the third-party organization to be GLBA-compliant.
C Sign a contract with the third-party organization.
D Perform penetration tests on the third party’s systems.
245 A. See Chapter 12. Any company that outsources credit card processing to
another organization should require the organization to be PCI-compliant.
246 Administration of a centralized audit log server should be performed by:
A Database administrators.
B IT auditors.
C The same administrators who manage servers being logged.
D Separate administrators from those who administer servers being logged.
246 D. See Chapter 10. Personnel who administer centralized audit log servers
should be separate personnel from those who administer systems being
logged. Otherwise administrators would be able to manipulate the contents
of audit log servers and cover up their activities.
247 The ideal level of relative humidity for datacenter computing equipment is: A Between 0% and 20%. B Between 20% and 40%. C 0%. D Between 40% and 60%.
247 D. See Chapter 13. The ideal level for relative humidity in a datacenter is
between 40% and 60%. If humidity falls below 40%, there is risk of static discharge
that can damage computing equipment. If the humidity rises above
60%, condensation can damage computing equipment.
248 A security manager wishes to establish a set of access control rules that
specify which organization job titles are permitted to have which roles in a
system. The model that the security manager should use as a model is:
A Access Matrix.
B Information Flow.
C Non-Interference.
D Biba.
248 A. See Chapter 9. The access model described here is the Access Matrix,
which specifies which persons (or job titles) are permitted to access which
system roles.
249 A decision on how to resolve an identified risk is known as: A Risk control. B Risk treatment. C Risk management. D Risk mitigation.
249 B. See Chapter 6. A decision on how to resolve an identified risk is known as
risk treatment.
250 The advantage of Cipher Block Chaining (CBC) is:
A Each block of ciphertext has a less random result.
B Each block of ciphertext has a more random result.
C Each block of ciphertext is encrypted separately.
D Each block of ciphertext is decrypted separately.
250 B. See Chapter 8. In Cipher Block Chaining (CBC), each plaintext block is
XORed with the ciphertext of the preceding block, making it more random.
