CISSP-P1 Flashcards

1
Q

The CIA triad stands for

A

Confidentiality Integrity Availability

2
Q

From a CIA perspective “Access Controls help ensure that only authorized subjects can access objects”

Confidentiality
Integrity
Availability

A

Confidentiality

3
Q

From a CIA perspective “Ensures that our data or system configurations are not modified without authorization”

Confidentiality
Integrity
Availability

A

Integrity

4
Q

From a CIA perspective “Authorized request for objects must be granted to subjects within a reasonable amount of time”

Confidentiality
Integrity
Availability

A

Availability

5
Q

The ISC2 code of ethics

P.A.P.A

A

Protect society, the commonwealth, the infrastructure
Act honorably, honestly, justly, responsibly and legally
Provide diligent and competent service to principals
Advance and protect the profession

6
Q

Out of these four levels of security policy development, which one “offers recommendations”?

Security procedures
Security guidelines
Security baselines
Acceptable use policy

A

Security guidelines

7
Q

Out of these four levels of security policy development, which one offers “detailed step-by-step” instructions?

Security procedures
Security guidelines
Security baselines
Acceptable use policy

A

Security procedures

8
Q

Out of these four levels of security policy development, which one “assigns roles and responsibilities”?

Security procedures
Security guidelines
Security baselines
Acceptable use policy

A

Acceptable use policy

9
Q

Out of these four levels of security policy development, which one “defines minimum levels”?

Security procedures
Security guidelines
Security baselines
Acceptable use policy

A

Security baselines

10
Q

In security planning, this plan is categorized as a “Midterm plan developed to provide more details on goals of the strategic plan (1 year)”

Strategic
Tactical
Operational

A

Tactical

11
Q

In security planning, this plan is categorized as a “Long-term, stable plan that should include a risk assessment (5 years with annual updates)”

Strategic
Tactical
Operational

A

Strategic

12
Q

In security planning, this plan is categorized as a “Short-term, highly detailed plan based on the strategic and tactical plans”

Strategic
Tactical
Operational

A

Operational

13
Q

In the Response to Risk category, which one of these is defined as “Do nothing, and you must accept the risk and potential loss if the threat occurs”?

Risk Rejection
Risk deterrence
Risk avoidance
Risk mitigation
Risk assignment
Risk acceptance

A

Risk acceptance

14
Q

In the Response to Risk category, which one of these is defined as “You do this by implementing a countermeasure and accepting the residual risk”?

Risk mitigation
Risk Rejection
Risk deterrence
Risk acceptance
Risk assignment

A

Risk mitigation

15
Q

In the Response to Risk category, which one of these is defined as “Transfer (assign) to a 3rd party, for example by purchasing insurance against damage”?

Risk acceptance
Risk avoidance
Risk Rejection
Risk deterrence
Risk mitigation
Risk assignment

A

Risk assignment

16
Q

In the Response to Risk category, which one of these is “when the cost of mitigating or accepting is higher than the benefits of the service”?

Risk acceptance
Risk mitigation
Risk avoidance
Risk Rejection
Risk assignment
Risk deterrence

A

Risk avoidance

17
Q

In the Response to Risk category, which one of these is “Implementing deterrents to would-be violators of security and policy”?

Risk acceptance
Risk mitigation
Risk avoidance
Risk deterrence
Risk Rejection
Risk assignment

A

Risk deterrence

18
Q

In the Response to Risk category, which one of these is “An unacceptable possible response to risk is to reject risk or ignore risk”?

Risk acceptance
Risk mitigation
Risk avoidance
Risk deterrence
Risk assignment
Risk Rejection

A

Risk Rejection

19
Q

The seven steps of the Risk Management Framework (NIST SP 800-37)

People - Prepare or Procure?
Can - Classify or Categorize?
See - Select or Sort?
I - Influence or Implement?
Am - Authorize or Assess?
Always - Authorize or Assess?
Monitoring - Monitor or Monitor?

A

Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor

20
Q

This type of risk is the risk that remains even with all conceivable safeguards in place.

Residual Risk
Inherent Risk
Total Risk

A

Residual Risk

21
Q

This type of risk is newly identified risk not yet addressed with risk management strategies; the amount of risk that exists in the absence of controls.

Residual Risk
Inherent Risk
Total Risk

A

Inherent Risk

22
Q

Types of risk

Residual = after controls implemented
Inherent = before controls implemented
Total = without controls

True
False

A

True

23
Q

This type of risk is the amount of risk an organization would face if no safeguards were implemented.

Residual Risk
Inherent Risk
Total Risk

A

Total Risk

24
Q

Residual = before controls implemented
Inherent = without controls
Total = after controls implemented

True
False

A

False

25
Q

Formula for total risk

A. Threats * Vulnerabilities * Asset value
B. Threats * Vulnerabilities * ALE

A

A

26
Q

Risk is defined as

A. risk = asset * vulnerability
B. risk = threat * vulnerability

A

B

27
Q

Which one of these risk analysis concepts “assigns a dollar value to evaluate the effectiveness of countermeasures”? It is an objective measure.

Qualitative
Quantitative

A

Quantitative

28
Q

Risk analysis steps in quantitative risk analysis?

I - Inventory
IDENTIFIED - Identify
PEOPLE - Perform
ENJOYING - Estimate
RAMBUNCTIOUS - Research
PARTY - Perform

A

Inventory assets (AV)
Identify Threats (calculate EF and SLE)
Perform a threat analysis (ARO)
Estimate the potential loss (ALE)
Research countermeasures for each threat
Perform a cost benefit analysis

29
Q

Which one of these risk analysis concepts “uses a scoring system to rank threats and the effectiveness of countermeasures”? It is a subjective measure, as it involves opinions, and is therefore less accurate.

Qualitative
Quantitative

A

Qualitative

30
Q

What is the Delphi technique?

A. Uses a scoring system to rank threats and the effectiveness of countermeasures
B. Assigns a dollar value to evaluate the effectiveness of countermeasures
C. Anonymous feedback and response process used to arrive at a consensus

A

C

31
Q

Threat agents are what cause threats by exploiting vulnerabilities

True
False

A

True

32
Q

In calculating risk, this is defined as the “Percentage of loss that an organization would experience if a specific asset were violated by a realized risk”

A

EF

33
Q

In calculating risk, this “Represents the cost associated with a single realized risk against a specific asset.”

A

SLE

34
Q

Formula for SLE

A

AV X EF

35
Q

In calculating risk, this is “the expected frequency with which a specific threat or risk will occur within a single year.”

A

ARO

36
Q

In calculating risk, this is “the possible yearly cost of all instances of a specific realized threat against a specific asset.”

A

ALE

37
Q

Formula for ALE

A

SLE X ARO

38
Q

ALE Example

Office bldg. = 200,000
Hurricane damage estimate 50%
Hurricane probability is one every ten years (10%)

(AV X EF = SLE) 200,000 X .50 = 100,000
(SLE X ARO = ALE) 100,000 X .10 = 10,000

A

True

39
Q

ALE Example

Office bldg. = 200,000
Hurricane damage estimate 50%
Hurricane probability is one every ten years (10%)

(AV X EF = SLE) 200,000 X 50 = 10,000,000
(SLE X ARO = ALE) 10,000,000 X 10 = 100,000,000

A

False

Watch that decimal!

40
Q

In calculating risk, a safeguard evaluation shows whether the security controls are cost effective.

ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of the safeguard

ALE1 - ALE2 - ACS

A

True. The control cannot cost more than the value of the safeguard; is the safeguard cost effective?

41
Q

Threat model - S.T.R.I.D.E

A

STRIDE - Microsoft threat modeling tool

Spoofing
Tampering
Repudiation - attacker can deny participation
Information disclosure
Denial of service
Elevation of privilege

42
Q

Threat model - At which stage of the PASTA model do we perform an “Attack Analysis”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Six: Attack Analysis

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

43
Q

Threat model - At which stage of the PASTA model do we “Decompose the Application”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Three: Decompose the Application

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

44
Q

Threat model - At which stage of the PASTA model do we “Define the Objectives”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage One: Define the Objectives

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

45
Q

Threat model - At which stage of the PASTA model do we “Define the Technical Scope”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Two: Define the Technical Scope

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

46
Q

Threat model - At which stage of the PASTA model do we “Analyze the Threats”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Four: Analyze the Threats

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

47
Q

Threat model - At which stage of the PASTA model do we perform a “Vulnerability Analysis”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Five: Vulnerability Analysis

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

48
Q

Threat model - At which stage of the PASTA model do we perform a “Risk and Impact Analysis”?

Stage One:
Stage Two:
Stage Three:
Stage Four:
Stage Five:
Stage Six:
Stage Seven:

A

Stage Seven: Risk and Impact Analysis

Stage One: Define the Objectives
Stage Two: Define the Technical Scope
Stage Three: Decompose the Application
Stage Four: Analyze the Threats
Stage Five: Vulnerability Analysis
Stage Six: Attack Analysis
Stage Seven: Risk and Impact Analysis

49
Q

Threat model - V.A.S.T

Visual
Agile
Simple
Threat

A

Memorize

50
Q

D.R.E.A.D

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

A

Memorize

51
Q

Trike

A

Memorize: a requirements model

52
Q

COBIT 5 is based on five principles that are essential for the effective management and governance of enterprise IT

Principle 1: Meeting stakeholder needs
Principle 2: Covering the enterprise end to end
Principle 3: Applying a single integrated framework
Principle 4: Enabling a holistic approach
Principle 5: Separating governance from management

A

memorize

53
Q

Access control types fall into one of three categories: administrative, technical, or physical. This control is implemented using software, hardware, or firmware that restricts logical access on an IT system. Examples include firewalls, routers, encryption, etc.

1. Administrative (also called directive)
2. Technical
3. Physical

A

Technical

54
Q

Access control types fall into one of three categories: administrative, technical, or physical. This control is implemented by creating and following organizational policy, procedure, or regulation. User training and awareness also fall into this category.

1. Administrative (also called directive)
2. Technical
3. Physical

A

Administrative (also called directive)

55
Q

Access control types fall into one of three categories: administrative, technical, or physical. This control is implemented with devices, such as locks, fences, gates, and security guards.

1. Administrative (also called directive)
2. Technical
3. Physical

A

Physical

56
Q

This type of access control prevents actions from occurring. It applies restrictions to what a potential user, either authorized or unauthorized, can do. An example of this control is a pre-employment drug screening. It is designed to prevent an organization from hiring an employee who is using illegal drugs.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Preventive

57
Q

This type of access control sends alerts during or after a successful attack. Examples of this control are intrusion detection systems that send alerts after a successful attack, closed-circuit television cameras that alert guards to an intruder, and a building alarm system that is triggered by an intruder.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Detective

58
Q

This type of access control works by “correcting” a damaged system or process. This access control typically works hand in hand with detective access controls. Antivirus software has both components. First, the antivirus software runs a scan and uses its definition file to detect whether there is any software that matches its virus list. If it detects a virus, this control takes over and either places the suspicious software in quarantine or deletes it from the system.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Corrective

59
Q

This type of access control means that after a security incident has occurred, we may need to restore the functionality of the system and organization. This control means that the system must be restored, which involves reinstallation from OS media or an image, data restored from backups, etc.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Recovery

60
Q

This type of access control deters users from performing certain actions on a system. One example is a “Beware of Dog” sign; a thief encountering two buildings, one with guard dogs and one without, is more likely to attack the building without guard dogs. Another example is large fines for drivers who speed. This control is a sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal websites.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Deterrent

61
Q

This type of access control is an additional security control put in place to compensate for weaknesses in other controls.

Corrective
Preventive
Compensating
Detective
Deterrent
Recovery

A

Compensating

62
Q

This law pertains to those laws where the victim can be seen as society itself. While it might seem odd to consider society the victim when an individual is murdered, the goal of criminal law is to promote and maintain an orderly and law-abiding citizenry. This law can include penalties that remove an individual from society by incarceration or, in some extreme cases in some regions, death. The goals of this law are to deter crime and to punish offenders. Due to the severity of depriving criminals of either freedom or their lives, the burden of proof in criminal cases is beyond any reasonable doubt.

Civil law
Liability
Criminal law
Administrative law

A

Criminal law

63
Q

In addition to this law being a major legal system in the world, it also serves as a type of law within the common law legal system. Another term associated with this law is tort law, which deals with injury (loosely defined) resulting from someone violating their responsibility to provide a duty of care. Tort law is the primary component of this law, and it is the most significant source of lawsuits that seek damages. In the United States, the burden of proof in a criminal court is beyond a reasonable doubt, while the burden of proof in civil proceedings is the preponderance of the evidence. “Preponderance” means more likely than not. Satisfying the burden of proof requirement regarding the preponderance of the evidence in a civil matter is much easier than meeting the burden of proof requirement in criminal proceedings.

Civil law
Liability
Criminal law
Administrative law

A

Civil law

64
Q

This law, also known as regulatory law, is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts this law in the United States. Government-mandated compliance measures are these laws. Some examples of this law are FCC regulations, Health Insurance Portability and Accountability Act (HIPAA) security mandates, FDA regulations, and FAA regulations.

Civil law
Liability
Criminal law
Administrative law

A

Administrative law

65
Q

Is another important legal concept for information security professionals and their employers. Society has grown quite litigious over the years, and the question of whether an organization is legally liable for specific actions or inactions can prove costly. Questions of liability often turn into questions regarding potential negligence. When attempting to determine whether certain actions or inactions constitute negligence, the Prudent Man Rule is often applied.

Civil law
Liability
Criminal law
Administrative law

A

Liability

66
Q

This law is the first major piece of US cybercrime-specific legislation

Copyright and the Digital Millennium Copyright Act
Federal Information Security Management Act (FISMA)
Federal Sentencing Guidelines
Computer Fraud and Abuse Act

A

Computer Fraud and Abuse Act

67
Q

This law provides punishment guidelines to help federal judges interpret computer crime laws

Copyright and the Digital Millennium Copyright Act
Federal Information Security Management Act (FISMA)
Federal Sentencing Guidelines
Computer Fraud and Abuse Act

A

Federal Sentencing Guidelines

68
Q

This law required formal information security operations for the federal government

Copyright and the Digital Millennium Copyright Act
Federal Information Security Management Act (FISMA)
Federal Sentencing Guidelines
Computer Fraud and Abuse Act

A

Federal Information Security Management Act (FISMA)

69
Q

This law covers literary, musical, and dramatic works

Copyright and the Digital Millennium Copyright Act
Federal Information Security Management Act (FISMA)
Federal Sentencing Guidelines
Computer Fraud and Abuse Act

A

Copyright and the Digital Millennium Copyright Act

70
Q

Are associated with marketing, and allow for the creation of a brand in order to distinguish the source of products or services. A name, logo, symbol, or image represents the most common items. In the United States, there are two different symbols that are used by an individual or organization in order to protect distinctive marks.

Trade Secrets
Trademark
Licenses
Copyright
Patent

A

Trademark

71
Q

Provide a monopoly to the holder regarding the right to use, make, or sell an invention for a period of time in exchange for the holder’s promise to make the invention public. During the life of this item the holder can, through the use of civil litigation, exclude others from leveraging the invention.

A

Patent

72
Q

Represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works and is typically denoted by the circled C symbol. Its purpose is to preclude unauthorized duplication, distribution, or modification of a creative work. Note that it is the form of expression that is protected, not the subject matter or ideas represented.

Trade Secrets
Trademark
Licenses
Copyright
Patent

A

Copyright

73
Q

Are a contract between a provider of software and the consumer. Though there are types of these that provide explicit permission for the consumer to do virtually anything with the software, including modifying it for use in another commercial product, most commercial ones of this type provide explicit limits on the use and distribution of the software. EULAs are an unusual form of contract because using the software typically constitutes contractual agreement, even though only a small minority of users read the lengthy EULA.

Trade Secrets
Trademark
Licenses
Copyright
Patent

A

Licenses

74
Q

Are business-proprietary information that is important to an organization’s ability to compete. The organization must exercise due care and due diligence in the protection of these artifacts. Noncompete and nondisclosure agreements are two of the most common protection methods used.

Trade Secrets
Trademark
Licenses
Copyright
Patent

A

Trade secrets

75
Q

4 types of licensing

Contractual
Shrink Wrap
Click Through
Cloud Services

A

Memorize

76
Q

HIPAA - Health Insurance Portability and Accountability Act
HITECH - Health Information Technology for Economic and Clinical Health Act
Gramm-Leach-Bliley Act
COPPA - Children’s Online Privacy Protection Act
ECPA - Electronic Communications Privacy Act
CALEA - Communications Assistance for Law Enforcement Act

A

Memorize

77
Q

Due care is doing what a reasonable person would do in a given situation. It is sometimes called the “prudent man” rule. The term is derived from “duty of care”; for example, parents have a duty to care for their children. Due diligence is the management of due care.

Due care and due diligence are often confused; they are related, but there is a difference between them. Due care is informal, while due diligence follows a process. Think of due diligence as a step beyond due care. For example, expecting your staff to keep their systems patched means that you expect them to exercise due care, while verifying that your staff has patched their systems is an example of due diligence.

A

Memorize

78
Q

Consists of tangible or physical objects. A knife or bloody glove might constitute real evidence in some traditional criminal proceedings.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Real Evidence

79
Q

Is testimony provided by witnesses regarding what they actually experienced through their five senses.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Direct evidence

80
Q

Circumstantial evidence serves to establish the circumstances related to particular points or other evidence.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Circumstantial evidence

81
Q

Corroborative evidence provides additional support for a fact that might have been called into question.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Corroborative evidence

82
Q

Constitutes second-hand evidence. As opposed to direct evidence, which is witnessed using any of the five senses, this type involves indirect information.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Hearsay evidence

83
Q

Consists of copies of original documents and oral descriptions. Computer-generated logs and documents might also constitute this type of evidence rather than best evidence.

Direct evidence
Hearsay evidence
Real Evidence
Corroborative evidence
Circumstantial evidence
Secondary evidence

A

Secondary evidence

84
Q

A digital rights management solution can be used for:

Protection of intellectual property
Protection of digital real estate
Protection from digital squatting
Protection of digital assets

A

Protection of intellectual property

85
Q

Which of the following statements is not correct concerning contingencies?

The recovery time objective must be less than the maximum allowable downtime
The recovery point objective is not a preference
The maximum allowable downtime cannot be exceeded
The recovery time objective is a preference

A

The recovery point objective is not a preference

The Maximum Allowable Downtime (MAD), also known as the Maximum Tolerable Downtime (MTD) or the Maximum Allowable Outage (MAO), is the amount of time that the business can be disrupted before the organization dies. The Recovery Time Objective (RTO) is the target time set for recovering from an interruption. The Recovery Point Objective (RPO) is how much data can be lost before the organization dies.

86
Q

If 12 yachts are worth $5 million each, pro-rated slippage fees are $1,000 per year, and damage that can be incurred is $20,000 per boat, what does the value of 0.4% represent?

The Exposure Factor of a single loss in relation to the total of all asset values
The Annualized Loss Expectancy from the exposure factor of one asset
The exposure factor of an annualized loss expectancy
The Annualized rate of occurrence from a single loss in relation to the total of all assets

A

The Exposure Factor of a single loss in relation to the total of all asset values

This question is looking to see if you know the difference between AV, EF, ALE, ARO, and SLE in a non-standard context. EF in the context of the available choices would be 20K divided by 5 million, not 240,000 divided by 60 million. Try to ignore the additional information that was intentionally thrown into the options (“in relation to…”).

87
Q

The realization of a risk results in:

The exploitation of a vulnerability
The weakening in layers of defense
Any potential threats becoming stronger
The possible accumulation of weaknesses

A

The exploitation of a vulnerability

Vulnerability is a weakness, or lack of a safeguard. A safeguard is a control; a threat is something that can take advantage of the vulnerability.

88
Q

If a company has limited funding and assigns a single employee to be responsible for creating the security policy, standards, and procedures, and to participate in source code writing, forensic investigations, and firewall requests, which of the following statements is most correct?

The company should consider separating some of the employee’s duties
The company is violating the principle of least privilege by giving the employee too many job duties
The employee should not have this many job duties unless they are clearly articulated in the job description.
The employee should verify with management whether there are too many responsibilities

A

The employee should not have this many job duties unless they are clearly articulated in the job description.

Least privilege has to do with access. While the other responses are good, the MOST correct statement is that he shouldn’t have such duties unless they are articulated in his job description.

89
Q

Which of the following could be an issue with the business impact analysis?

User error issues
The BIA has many vulnerabilities that could be exploited by an administrative process
The asset values contained therein might be nominal values to one particular area
The analysis is ongoing and never viewed as complete by the business owners

A

The asset values contained therein might be nominal values to one particular area

Ideally the BIA will contain mostly accurate asset values rather than nominal values that one particular area of the business presumes.

90
Q

The difference between training and awareness is:

Training seeks to educate, awareness seeks to remind
Training is informal, awareness is semi-formal
Training helps change employee behavior, awareness prevents it
One is more formal than the other

A

Training seeks to educate, awareness seeks to remind

As presented in Domain 1, education is more formal, is offered by an accredited organization, and results in a degree or certification. This can be through an accredited college or an official training program. Training is semi-formal and typically offered by employers; it can be documented and tracked, occurs during employment, and may be required by law or industry/regulator policy. Awareness is the effort to make employees aware of security requirements. It is informal, unscheduled, and not required, and consists of reminders and encouragement, typically in the form of email reminders, security posters, team meeting discussions, conference call presentations, in-person presentations, and guest speaker presentations.

91
Q

The Wassenaar Agreement is primarily known for its position on what?

The import/export of encrypted files
The import/export of cryptographic software and hardware
The import/export of block cipher technology
The import/export of non-approved cryptosystems

A

The import/export of cryptographic software and hardware

92
Q

Which of the following would be a violation of the ISC2 code of ethics?

Monitoring contents of a hard drive from an executive manager you don’t like and who has bullied you in the past. You conduct this activity only after receiving explicit e-mail instructions from the chief information officer.

Conducting dictionary attacks on competitor website accounts at work; this type of attack is documented as part of your job duties under the category of “ethical hacking activities” to conduct on your company’s website.

Using a rainbow table to steal credentials from employees as part of internal penetration testing activities. While this activity is not explicitly stated in your job description, you are part of the pentest team, and management has directed you to perform this activity while your co-worker is out sick.

Sniffing the internet activity conducted on your home router after you suspect that an unauthorized individual is connecting to it in order to stream movies online.

A

Conducting dictionary attacks on competitor website accounts at work; this type of attack is documented as part of your job duties under the category of “ethical hacking activities” to conduct on your company’s website.

According to the ISC2 code of conduct, the (ISC)2 member is expected to do the following: 
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

If your activities are not authorized, you would be violating the second and third tenets of the code of conduct (acting justly, responsibly, and legally; providing diligent and competent service). Conducting dictionary attacks on competitor websites would violate these tenets (because it is not authorized by your job description).

93
Q

Public domain software typically refers to which of the following?

Free to use including any modifications but support and extra features are not free
Download requires registration but the software can be used for any purpose
Modifications are free to use, but extra support and use are not featured
Free to download including any support, but features and modifications include installation

A

Free to use including any modifications but support and extra features are not free

94
Q

What can executive management do with an identified risk?

Accept, transfer, avoid, protect according to the risk value
Mitigate, accept, transfer, abandon the activity
Transfer, postpone, avoid, mitigate to an acceptable level
Accept, ignore, transfer, verify its accuracy

A

Mitigate, accept, transfer, abandon the activity

“Abandon the activity” is the same as avoiding the risk. If you struggled with this question.

95
Q

Which of the following is not a privacy law tenet?

Notification
Scope
Limitation
Accountability

A

Accountability

Accountability is not a tenet of privacy law; however, it does apply to data ownership responsibility.

96
Q

A hacker gains access to a device on the network and is able to intercept transmissions; however, the transmissions are encrypted. Which of the following is most likely a deterrent for the hacker?

The use of shielded twisted pair
Work factor in breaking the algorithm
The use of fiber optics
The difficulty of capturing packets

A

Work factor in breaking the algorithm

97
Q

Which of the following statements is most true?

Education about security is the best way to change employee behavior
Non-Disclosure Agreements prevent employees from divulging sensitive information
Policy sets the foundation for the organizational culture
Procedures ensure that tasks are performed according to standards

A

Procedures ensure that tasks are performed according to standards

Knowledge needed:

Candidates need to be aware of the difference between policies, standards, procedures, and guidelines.

Policy – should have the following components:

-High level overview of security strategy or goals
-Contains data classifications (confidential, sensitive, etc.)
-Type of access management (whether role-based, etc.)
-Expected user behavior with the entity’s IT systems and data
-High level personnel security practices, such as background checks

Standard – should have the following elements:

-Can come from statutory/administrative law, professional organizations, or industry groups
-Describes settings, expectations of performance, configurations, specific requirements

Guidelines – contain recommendations and suggestions, but they are not required.

Procedures – contain specific, repeatable steps; very task-oriented.

98
Q

Alex is a security practitioner at a cloud services provider whose customers have selected NIST 800-53 as the security framework. During an internal review, Alex discovers that none of the security controls have been applied to the baseline configuration. Alex has observed:

That non-compliance could be occurring, and that due practice has not been achieved.
That the company could be liable under the prudent person rule.
That this is a potentially reportable security incident, and should be investigated or researched further.
That the company has not practiced due diligence.

A

That the company could be liable under the prudent person rule.

Explanation:

This question may be especially challenging since it has multiple correct or incorrect answers, depending on how you interpret it. The best approach with questions like this is to rate each response according to which one would be better than the other. Whichever response has the better rating should be the answer you select.

Knowledge needed:

Due diligence involves the research and preparation, whereas due care (aka “prudent person”) applies to the actions afterward. This would not constitute a security incident (however it could lead to a security incident). Not applying the selected security framework could make the company liable under the prudent person rule. There is no such thing as due practice.

99
Q

Which of the following statements is correct concerning contingencies?

The recovery objectives overall must be stated in the policy
The recovery point objective must be more than the maximum allowable downtime
The recovery time objective must be less than the maximum allowable downtime
The recovery objectives overall must be decided by functional management

A

The recovery time objective must be less than the maximum allowable downtime

RTO is a preference; MAD cannot be exceeded, otherwise the business cannot continue.

100
Q

Executive management publishes an official email that describes what could happen to an employee who willingly violates the information security policy. This email can most likely be considered:

A standard derived from policy
Part of training & awareness
A guideline rather than a procedure
A reminder to all employees

A

Part of training & awareness

Knowledge needed:

Awareness is the effort to make employees aware of security requirements. It is informal, unscheduled, and not required, and consists of reminders and encouragement, typically in the form of email reminders, security posters, team meeting discussions, conference call presentations, in-person presentations, and guest speaker presentations.

Policy – should have the following components:

  1. High level overview of security strategy or goals
  2. Contains data classifications (confidential, sensitive, etc.)
  3. Type of access management (whether role-based, etc.)
  4. Expected user behavior with the entity’s IT systems and data
  5. High level personnel security practices, such as background checks

Procedures contain specific, repeatable steps; very task-oriented.

Standards should have the following elements:

  1. Can come from statutory/administrative law, professional organizations, or industry groups
  2. Describes settings, expectations of performance, configurations, specific requirements

Guidelines – contain recommendations and suggestions, but they are not required.

101
Q

Which of the following is most likely not something to use as input into a business impact analysis?

The results of a financial audit that are not current
A hybrid survey focused on varying employee and customer opinions
An external survey focused on overly-negative customer opinions
An internal survey focused on overly-positive employee opinions

A

The results of a financial audit that are not current

The type of opinions is irrelevant when conducting surveys in a BIA. An old financial audit does not capture variances in the asset values, and thus would not be used as input for a BIA.

102
Q

Which of the following would not be considered intellectual property?

Unreleased music
Unreleased movie script
Software source code
None of the above

A

None of the above

All of these are intellectual property.

103
Q

Contingency operations are concerned with:

Ensuring that profits rendered from current activities continue without disruption
Ensuring that existing operations do not fail without appropriate safeguards
Ensuring that recovery objectives are met and set appropriately
Ensuring that the critical path continues despite or without disruption

A

Ensuring that the critical path continues despite or without disruption

Critical path is synonymous with mission criticality. Profits may or may not be part of the critical path. The other two options are not optimal because they are concerned with management decisions and recovery rather than continuity.

104
Q

Which of the following is not a privacy law tenet?

The subject should be told at the time their data is collected or created
The data should be collected for a specific, legal, and ethical purpose
The data can be shared with others
The subject’s information should only be retained as long as it’s needed

A

The data can be shared with others

Explanation:

This question may be especially challenging since it asks the question in a roundabout way. These questions are presented with statements like “which of the following is NOT”, which is misleading for those of us who are quick readers. The best approach with questions like this is to rephrase the question in your mind, turning it into something like “all of these are good options EXCEPT”, and then find the choice that doesn’t fit.

Knowledge needed:

Dissemination refers to the tenet that data should not be shared with others. Here is a mnemonic that can help you memorize the general privacy tenets presented in the Common Body of Knowledge, but keep in mind that ISC2 has added the GDPR privacy tenets as well, which are slightly different. Here is the mnemonic for the general tenets: “PLS (please) Acquire or Reveal Some DoNuts”. These are intentionally out of order from your book(s) to make memorization easier:

  1. Participation – the data subject should have the option to opt in or opt out.
  2. Limitation – data can only be used for the purpose stated.
  3. Scope – there must be a specific purpose (and it must be legal/ethical), and the scope should be included in the notification.
  4. Accuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
  5. Retention – the data should be kept only as long as it’s needed.
  6. Security – the custodian must protect the data.
  7. Dissemination – the custodian must not share the data without notifying the data subject.
  8. Notification – must notify the user that you’re collecting and creating their data before it’s used, and should include the purpose of use.
105
Q

If twelve yachts are worth five million each with a slippage fee of $1,000 and can incur $20,000 of damage per disaster, what would $240,000 represent if disasters occur once every three years?

Exposure factor
Asset value
Cost of risk mitigation
Single loss expectancy

A

Single loss expectancy

Explanation:

This question may be especially challenging since it contains irrelevant information. The best approach with questions like this is to take your time in reading the question and available responses a few times to identify the irrelevant information. This will help you to understand what the question is really asking.

Knowledge needed:

Single loss expectancy is the correct answer since this is a dollar amount (20,000 x 12). The Risk Measurement Model from Domain 1 is outdated according to ISC2 and is based on a physical security model, but they are still holding tight to these concepts. Asset Value (AV) is of course the asset’s value, exposure factor (EF) is the percent of the asset that can be lost from a certain event, single loss expectancy (SLE) is the AV x the EF, measured in money; the annual rate of occurrence (ARO) is how many times in a year the event occurs, typically a decimal but it can be more; the Annual loss expectancy (ALE) is the SLE x ARO, which shows how much the business is currently losing without implementing safeguards. If the safeguards are cheaper than the ALE, it’s best to implement the safeguards.

106
Q

If social engineering is used to gain access to a restricted area, upon which an individual logs into a server but does not have sufficient permissions to access data, which statement is most true if the security settings log the user activity, send it to an appliance for analysis, and alert the information security officer of the activity?

The sensitive data has sufficient controls to protect it.
The alert is a compensating control in the absence of other controls.
The audit logs are administrative controls.
The audit logs are preventive controls.

A

The alert is a compensating control in the absence of other controls.

Incorrect
Compensating controls only exist in the absence of other, more efficient controls.

107
Q

Marco works for the University of Law whose CIO requests information on how frequently earthquakes have occurred within the area so that a risk assessment can be performed. What metric should Marco present to the CIO as input for the risk assessment?

Exposure factor of earthquakes in the area
Exposure factor of earthquakes worldwide
The annualized rate of earthquake occurrence for the area
The annualized loss expectancy from any given local earthquake

A

The annualized rate of earthquake occurrence for the area

This question may be especially challenging since it takes concepts from the Common Body of Knowledge and applies them to a realistic scenario. The best approach with questions like this is to try to identify which concept you are being quizzed on, which you can do by reading both the question and the available options slowly. It may take several readings before you fully understand what the question is asking. Try not to rush in the real exam, and be patient with yourself.

Knowledge needed:

The Risk Measurement Model from Domain 1 is outdated according to ISC2 and is based on a physical security model, but they are still holding tight to these concepts. Asset Value (AV) is of course the asset’s value, exposure factor (EF) is the percent of the asset that can be lost from a certain event, single loss expectancy (SLE) is the AV x the EF, measured in money; the annual rate of occurrence (ARO) is how many times in a year the event occurs, typically a decimal but it can be more; the Annual loss expectancy (ALE) is the SLE x ARO, which shows how much the business is currently losing without implementing safeguards. If the safeguards are cheaper than the ALE, it’s best to implement the safeguards.

108
Q

A possible difference between a contractual mandate and a regulatory mandate is:

Regulatory mandates may have stronger consequences
Contractual mandates have stronger incentives
Regulatory mandates do not have financial incentives
Contractual mandates are derived from regulatory mandates

A

Regulatory mandates do not have financial incentives

This is a convoluted way of saying that contractual mandates do have financial incentives.

109
Q

Which of the following would most likely not be considered intellectual property?

A work that is not registered with a copyright organization
A work that is published to the web and available for the public to see
A work that is in the public domain without the knowledge of the original author
A work that is given by the author into the public domain

A

A work that is given by the author into the public domain

Public domain works, as long as they are given as such by the creator, are not considered intellectual property and do not need to be protected.

110
Q

If twelve yachts are worth 60 million total and the damage per boat from a hurricane is $20,000, and hurricanes occur once every three years, what does the value 0.33 represent?

Rate of expected loss
Rate of loss expectancy
Rate of asset valuation
Rate of annualized occurrence

A

Rate of annualized occurrence

This question is looking to see if you know the difference between AF, EF, ALE, ARO, and SLE. While this is not worded exactly correctly, ARO is the correct answer even though the option rearranges the words to throw you off.

111
Q

Which of the following would not be a component of an acceptable use policy?

Password requirements for the company’s systems
Disclosure requirements for employees who handle sensitive data
Email and internet use guidelines for onsite vendors
The company’s system usage guidelines for applications that process public data

A

Password requirements for the company’s systems

Password requirements for systems are typically part of the requirements identified during the SDLC. All other options would be included in the policy, even though they are worded slightly differently than your book may have presented them.

112
Q

Which of the following could be an issue with the business impact analysis?

The asset values contained therein might be nominal values to one particular area
User error issues
The analysis is ongoing and never viewed as complete by the business owners
The BIA has many vulnerabilities that could be exploited by an administrative process

A

The asset values contained therein might be nominal values to one particular area

This question may be especially challenging since it does not have enough information to make a good choice with the available options (the question is vague or ambiguous). The best approach with questions like this is to either think through the process to what the eventual outcome or missing component might be, or to give the available options a rating to see which one is CLOSEST to being the right answer.

Knowledge needed:

Ideally the BIA will contain mostly accurate asset values rather than nominal values that one particular area of the business presumes.

113
Q

Privacy Law Tenets

  1. Participation – the data subject should have the option to opt in or opt out.
  2. Limitation – data can only be used for the purpose stated.
  3. Scope – there must be a specific purpose (and it must be legal/ethical), and the scope should be included in the notification.
  4. Accuracy – the data must be as accurate as possible, and the data subject should be able to make corrections.
  5. Retention – the data should be kept only as long as it’s needed.
  6. Security – the custodian must protect the data.
  7. Dissemination – the custodian must not share the data without notifying the data subject.
  8. Notification – must notify the user that you’re collecting and creating their data before it’s used, and should include the purpose of use.
A
114
Q

Non-Disclosure Agreements prevent employees from divulging sensitive information
Procedures ensure that tasks are performed according to standards
Education about security is the best way to change employee behavior
Policy sets the foundation for the organizational culture

A

Procedures ensure that tasks are performed according to standards

Knowledge needed:

Candidates need to be aware of the difference between policies, standards, procedures, and guidelines.

Policy – should have the following components:

-High level overview of security strategy or goals
-Contains data classifications (confidential, sensitive, etc.)
-Type of access management (whether role-based, etc.)
-Expected user behavior with the entity’s IT systems and data
-High level personnel security practices, such as background checks

Standard – should have the following elements:

-Can come from statutory/administrative law, professional organizations, or industry groups
-Describes settings, expectations of performance, configurations, specific requirements

Guidelines – contain recommendations and suggestions, but they are not required.

Procedures – contain specific, repeatable steps; very task-oriented.

115
Q

The disallowance of unfair trade practices might be an example of:

Code of ethics
Policy
Standard
Procedure

A

Code of ethics

While this is a specific directive, you have to think about where it would fit within the given options (don’t assume too much) – in this case an organizational code of ethics would be the best fit.

116
Q

Marco works for the University of Law whose CIO requests information on how much damage would be done to the campus if an earthquake occurred. What metric should Marco present to the CIO as input for the risk assessment?

Exposure factor from an earthquake
Annualized cost of mitigation of an earthquake
Single loss expectancy from an earthquake
Annual loss expectancy from earthquakes in the area

A

Exposure factor from an earthquake

ALE is the amount of loss the company currently experiences, single loss expectancy is the loss from a single instance, and annualized cost of mitigation is not a concept in the CBK.

117
Q

Who is ultimately responsible for security?

Policy as written by upper and executive management
Executives who are not directly interacting with staff carrying out the program
Employees who have delegated authority from executives
Everyone in the organization, at the direction of executives

A

Executives who are not directly interacting with staff carrying out the program

While many organizations state that all employees are responsible, such a directive can only come from executive management.

118
Q

If a mannequin is placed at the front desk to look like a security guard and the facility also has dim lighting, a fenced perimeter, and an alarm system, which of the following statements is most true?

The mannequin is a preventive control.
The fence is a compensating control.
The mannequin represents a mitigation.
The mannequin is a vulnerability.

A

The fence is a compensating control.

Since the lack of a guard is a vulnerability, the other controls are compensating.

119
Q

Barney is the front desk security guard and has called in sick for his night shift. He is the only guard willing to work the night shift since the other guards have small children and family duties. Due to separation of duties, your CIO won’t let you fill in for Barney, but instructs you to take one of the mannequins from storage and dress it up in security guard clothing and prop it at the guard desk for the night. Due to the dim lighting inside, a fenced perimeter, and an alarm system, the CIO felt okay with giving you this directive. Which of the following statements is most true?

The mannequin represents a mitigation
The fence is a compensating control
The mannequin is a deterrent control
The mannequin is a vulnerability

A

The mannequin is a deterrent control

This question tries to confuse you with too much information in the beginning. Since the lack of a guard is a vulnerability, the mannequin would deter an attacker from breaking in.

120
Q

What is the best description of governance?

The process of how an organization is managed
The security of an organization within a company
The management of various processes and procedures
The process of managing security policies to influence behavior

A

The process of how an organization is managed

121
Q

Your CIO instructs you to perform a risk analysis on an issue that the company’s failover site is currently experiencing. Employees at the site often disagree with information security principles and the CIO’s vision, due to a lack of education and training. There is limited-to-no information on asset values, because the failover site lost its accounting records in a fire last year and the company’s data mostly consists of intellectual property that hasn’t been released yet. What is the best approach to this situation?

Take a subjective approach to risk analysis
Take a hypothetical approach to risk analysis
Take a hybrid approach to risk analysis, combining quantitative and qualitative methods
Take an objective approach to risk analysis

A

Take a subjective approach to risk analysis

“Subjective” means that something is based on opinions or feelings, and is the description of “qualitative”. This is the best approach due to the lack of numeric values and un-quantifiable metrics.

122
Q

Astrotek Company has just experienced an unexpected outage of both the primary site and the mirror site. The duration of this outage has been declared to be at least three weeks. As you begin to examine the contingency plan, what is the first category of items you should look for?

Recovery steps to the hot site within the given recovery time objective
Reconstitution steps to the cold site within the recovery point objective
Reconstitution steps to the warm site that exceed the maximum allowable downtime
Recovery steps to the alternate site within the recovery time objective

A

Recovery steps to the alternate site within the recovery time objective

Alternate site (could be warm or cold) within the RTO is the best choice here, given that we don’t have more details. The other options mix terminology to confuse you. A hot site is the same as a mirror site.

123
Q

What is the best recommendation for a risk assessment wherein 12 yachts are valued at 5 million each, hurricanes cause $20,000 worth of damage per boat, and typically occur once every three years?

The annualized rate of occurrence drops to 0.32%
Purchase insurance if the annualized loss expectancy for each boat exceeds the cost of the annualized rate of insurance.
The total cost of insurance for each boat is $100,000.
Purchase insurance if the single loss expectancy for each boat exceeds the cost of the annualized rate of insurance.

A

Purchase insurance if the annualized loss expectancy for each boat exceeds the cost of the annualized rate of insurance.

Remember that the ALE is what’s currently being experienced, thus the cost to transfer the risk (insurance) must be less than the ALE.

124
Q

A site license means:

All staff at one location can use the software, regardless of the number
All staff for one business can use the software, regardless of the number
All staff at one location can use the software, regardless of the number of companies
All individuals can use the software at a specific location, as long as they agree to the terms

A

All staff at one location can use the software, regardless of the number

125
Q

Which of the following is a list of assets that also shows criticality?

Business impact analysis
Asset classification inventory
Privacy impact analysis
Software inventory

A

Business impact analysis

126
Q

Which of the following would be an efficient method of evaluating the effectiveness of a Security, Education, Training and Awareness (SETA) program?

A logging mechanism that shows which employee took the training with date and time stamp, and average outcomes.
Gamification that includes difficult quizzes for employees to complete within the training modules.
Games, quizzes, and prizes included with the module to make the SETA activities fun and engaging.
Embedded security games within the training that feed user scores into a separate data analytics system.

A

Embedded security games within the training that feed user scores into a separate data analytics system.

One of the key words in this question is “evaluating”. Hold on to that word as you read through the options to determine which of the options is the best option. While the question itself doesn’t ask you to find the “best option”, you should assume that’s the case with all questions. Gamification, while fun and engaging, is useless in evaluating the training’s effectiveness unless scores can be viewed and evaluated by management.

127
Q

Which of the following is not an example of governance?

Regulations dictating who can make decisions
A formalized decision making policy that involves board members
The business owner arbitrarily made the decision not to purchase and install a layer 3 switch
The security officer conducting in-person training to board members

A

The security officer conducting in-person training to board members

This is almost a giveaway question, but could be challenging since it presents real-world scenarios. If you understand what governance is, the key word “decision” should stand out in all the options here. Also, note how the question uses the phrase “is not”, in which case you should, by now, be able to flip the wording in your mind by saying “all of these are examples EXCEPT…” and hopefully arrive at the right answer.

128
Q

What could be a problem with the Traditional/Loss Expectancy risk assessment model taught in the Common Body of Knowledge?

It is more of a corrective approach rather than preventive
Unrealistic vulnerability identifications, standard compensating controls that prevent future loss expectancy capabilities, and more emphasis on application security
It is more of a qualitative approach rather than quantitative
Unrealistic single loss expectancies, standard quick remediations that prevent future occurrences, and it may be more suitable to physical security

A

Unrealistic vulnerability identifications, standard compensating controls that prevent future loss expectancy capabilities, and more emphasis on application security

This is part of the CBK that is hidden within the pages of the risk management module. Pay special attention to these sections as they often have important information for the exam.

129
Q

Before any penetration test activities are performed, what must be considered?

Management approval
Potential impact to organizational assets
Potential impact to asset values
Management oversight

A

Potential impact to organizational assets

Ambiguous questions can be difficult. Two key words are “performed” and “considered” – management decisions have already been made if you are “performing” pentest activities. Make sure you understand the question completely before choosing an answer.

130
Q

Security is most likely considered which of the following?

An operations function
A compliance function
A support function
A governance function

A

A support function

Remember that the purpose of security is to support the organizational mission/goals.

131
Q

What is the entirety of policies, roles, and processes that an organization uses to make security decisions?

Governance
Incident management
Organizational culture
Security governance

A

Security governance

“Security decisions”

132
Q

Which of the following is an aspect of governance?

The process of how a decision is made
The process of how employees behave
The incident response process
The divestiture process

A

The process of how a decision is made

133
Q

Which of the following might not apply to third-party assessors?

Employment agreements
Service level agreements
Organizational policies
Non-disclosure agreements

A

Employment agreements

Since the third-party is not an employee, an employment agreement would not apply to this situation.

134
Q

Your organization is evaluating whether to adopt a three-step photoelectric cell analysis process for more accurate smoke detection, or a one-step process for quicker detection. What risk perspective is being utilized?

Asset-based
Process-based
Vulnerability-based
Outcomes-based

A

Process-based

Knowledge needed:

Safety critical activities can frequently be the focus of process-based risk perspectives. As the title suggests, processes are the primary focus of process-based risk analysis.

135
Q

Which of the following is not a security control framework?

ISO 27002
COBIT
GDPR
NIST RMF

A

GDPR

136
Q

Who most likely makes the final decision on what a company’s potential asset values might be?

Functional management
Senior management
Accounting staff
Line supervisors


A

Senior management

Line supervisors are typically concerned with day-to-day supervision tasks, whereas functional management has a better perspective on what the asset values might be. Senior and Executive management would make the final decision while taking into consideration the input of functional management

137
Q

A control that imposes a mandate is also known as:

Detective
Dispensive
Deterrent
Directive

A

Directive

138
Q

Which of the following is not a physical vulnerability?

First floor data center with a planned floor raising project
Humidified areas in a data center
Flammable materials near a fire extinguisher
Automatically opening doors that never lock near a guard kiosk

A

Humidified areas in a data center

Again when questions contain “not”, be sure to re-write them in your mind to something like “These are all physical vulnerabilities EXCEPT”… at which point the question should become easier.

139
Q

Looking at the results of a recent vendor audit prior to purchasing products or services might be an example of:

Due diligence
Due care
Comprehensive staff work
Work factor

A

Due diligence

Remember that due diligence is doing the pre-decision work, or the research; whereas due care is the action, or the decision piece. In the context of this question, purchasing the services of the best and most compliant vendor would be practicing due care.

140
Q

Which of the following best represents the principle of data minimization?

An online tax portal that collects user name, address, social security number, and hair color.
An online trading platform that collects user bank account and bank transaction histories along with name, address, and social security number.
A tele-health mobile phone application that collects credit card, billing, name, and criminal history information.
An e-commerce web application that collects individuals' names, shipping/billing address, and credit card information.

A

An e-commerce web application that collects individuals' names, shipping/billing address, and credit card information.

The data minimization principle of GDPR stipulates that data collected must be limited to the minimum necessary for the specified purpose. Name, shipping/billing address and card details are all needed to fulfil and pay for an order; hair color, criminal history and full bank transaction histories are not needed for the stated purposes in the other options.

141
Q

In which of the following scenarios has the organization implemented "enough" of its security standards?

No encryption of data in transit; with a corrective action plan that is analyzed quarterly
Lack of data classification program; with perimeter firewalls and IPSec
Lack of encryption for data at rest; with an organizational viewpoint that more can always be done
Monthly security control reviews and quarterly vulnerability scans, but no official security program

A

Lack of encryption for data at rest; with an organizational viewpoint that more can always be done

This question combines the concepts of professional ethics and risk maturity from Domain 1 in a vague fashion. Continuous improvement is a philosophy in the ISO 27000 family of standards. It holds that "enough" implementation does not really exist, so the assumption is that no matter what you do you can always do more. Security management is a process, not a goal or task with a definable end date.

142
Q

If your company pulls copied flat-files from a credit reporting agency in order to conduct administrative investigations, what type of non-disclosure agreement (NDA) is in place?

Multilateral NDA
Bilateral NDA
Unilateral NDA
non-compete agreement (NCA)

A

Unilateral NDA

Unilateral refers to a one-way disclosure agreement.

143
Q

What is the tradeoff with implementing any given security control?

It requires time and resources
It may have a negative impact on operations
It requires change management
It may have a negative impact on asset value

A

It may have a negative impact on operations

144
Q

Which of the following would provide the best number of samples and data points for a risk assessment prior to building and deploying a mobile device management system?

Systems audit
Security assessment
Certification
Simulation

A

Simulation

Simulation provides numbers, samples, and data points as a basis of risk before systems are built. If you struggled with this question, be sure to read up on simulation in Domain 1.

145
Q

Elevation of privilege in the STRIDE model refers to which of the following?

Attaining a level of control with the capability to destroy target data and systems.
Obtaining authorized-user credentials on the target system to carry out attacks.
The destruction of users with elevated privileges within a target system.
Elevating permissions of authorized users in the system.

A

Attaining a level of control with the capability to destroy target data and systems.

Vague options can be confusing. Rule out the options that are too specific or that do not describe this threat: "destruction of users" is not a STRIDE category, and "obtaining authorized-user credentials" describes spoofing. "Elevating permissions of authorized users" may be tempting, but as written it describes a legitimate administrative action rather than an attack. In STRIDE, elevation of privilege means an attacker gaining capabilities they were never authorized to have, which is why the broad "level of control" option fits; the Common Body of Knowledge describes STRIDE at that higher level.

146
Q

Which of the following is most likely not a software vulnerability?

An aspect of the code that does not create an exploitable vulnerability
Unintentional defect in programming
Intentional defect in programming
An aspect of the code that creates an exploitable vulnerability

A

An aspect of the code that does not create an exploitable vulnerability

Double negatives can be tricky. Rephrase the question in your mind to “All of these are software vulnerabilities” and then find the one that isn’t. If there’s another negative in the answer/response, rephrase the response, in this case to read “An aspect of the code that prevented vulnerabilities”.

147
Q

What is the best way to prevent risk assessments from using poorly constructed averages that mix qualitative and quantitative measures erroneously?

Using risk simulations
Factor analysis of information risk (FAIR) method
Assigning probability of occurrence values to each risk
Using the NIST Risk Management Framework

A

Factor analysis of information risk (FAIR) method

The FAIR method uses straightforward, numeric, and simple ways to make most risk assessment tasks start out quantitative and stay that way.

148
Q

As the new information security analyst for an e-commerce company specializing in diaper sales, what risk perspective should you have if the company considers daily sales of diapers to be its primary asset?

Vulnerability-based
Asset-based
Threat-based
Outcomes-based

A

Outcomes-based

An outcomes-based risk approach identifies the goals or objectives the company wants to achieve and links them to the core business processes that make them happen.

149
Q

What is the best course of action if you discover that lack of sufficient humidity controls is causing a risk of condensation in the server room?

Request that senior management decide on whether to transfer, mitigate, accept, or avoid the risk due to its severity.
Alert senior management so that a priority can be set on the risk, and request that a decision be made to mitigate, transfer, accept, or avoid the risk.
Present the risk to senior management under the context of human safety and request that one of the four risk decisions be made.
Schedule a meeting with senior management to discuss the risk, and request that a decision be made to either mitigate or avoid the risk.

A

Alert senior management so that a priority can be set on the risk, and request that a decision be made to mitigate, transfer, accept, or avoid the risk.

Domain 1 of the revised Common Body of Knowledge (May 2021) brings a new update to the decision making process for risk. Each risk must have two decisions made before anything should be done to respond.

1) Prioritize
2) Choose one of the four decisions: mitigate, accept, transfer, avoid.

Since the condensation is a risk and not an imminent threat (i.e. it’s not happening right now), the two decisions must be made before acting on it.

150
Q

Which of the following is intended to manage and document security functions for an organization?

ITIL
COBIT
ISO 31000
ISO 27001

A

COBIT

151
Q

A control that is implemented through policy or procedure is:

Management
Directive
Deterrent
Administrative

A

Administrative

152
Q

Controls that recognize activities can be referred to as which of the following?

Detective controls
Corrective controls
Directive controls
Recovery controls

A

Detective controls

Detective controls identify or recognize malicious activity.

153
Q

Which of the following is most likely not considered a recovery control?

Restoring a desktop computer after a malware infection
The decision to conduct backups
Adherence to a backup standard
Adherence to the disaster recovery plan

A

The decision to conduct backups

A decision to conduct backups would most likely be considered part of the governance process and not a recovery control. The others are administrative, technical, preventative, and corrective controls (controls may fall into more than one category).

154
Q

Other threat models outside of STRIDE may include which of the following?

Strike, FIPS
Streak, OTTO-OCTAVIUS
TWEAK, OCTAVE-S
OCTAVE, Trike

A

OCTAVE, Trike

155
Q

The difference between regulatory standards and legal standards is:

Legal standards are based on court decisions; regulatory standards are mandates set by government agencies

Regulatory standards are enacted by the public; legal standards are based on jury outcomes

Regulatory standards are based on international laws; legal standards are based on local laws

Legal standards represent the views of government agencies; regulatory standards represent the views of court decisions

A

Legal standards are based on court decisions; regulatory standards are mandates set by government agencies

Comparison questions can be the trickiest. Be sure to focus on the question and what you know.

156
Q

The difference between an employee handbook and an employee contract is which of the following?

The handbook informs employees about expectations; the contract holds employees accountable for disclosure issues

The handbook informs contractors about expectations; the contract holds them accountable for behavior requirements

The contract informs employees about expectations; the handbook holds employees accountable

The handbook informs employees about expectations; the contract holds them accountable for behavior requirements

A

The handbook informs employees about expectations; the contract holds them accountable for behavior requirements

157
Q

Your CIO wants to protect media using a technical control. Which of the following would be the best recommendation?

Electronic use policy/procedure
Electronic locks
Encryption
Technical logging implementation procedures

A

Encryption

158
Q

Pretending to be an authorized user occurs in which element of the STRIDE model?

Elevation of privilege
Spamming
Spoofing
Masquerading

A

Spoofing

159
Q

Noncompliance with PCI-DSS could result in:

Issues with the supply chain
A reduction in revenue
Regulatory shutdown
Audit findings

A

A reduction in revenue

PCI DSS is an industry standard enforced contractually by the card brands and acquiring banks, not a government regulation, so "regulatory shutdown" is a distractor. Noncompliance can bring contractual penalties and loss of the ability to process card payments, which means lost sales and revenue.

161
Q

Which of the following might be considered a support function?

Cryptographic services applied to informational assets by the security office staff who were intentionally left out of the recovery plan documentation

The facilities group that ensures the stability of critical day-to-day activities

Network administration of a large IT services company who were mistakenly left out of the recovery plan documentation

Revenue generating operations, such as sales, and the employees designated as critical path

A

Cryptographic services applied to informational assets by the security office staff who were intentionally left out of the recovery plan documentation

Information security is a supporting function. One of the key words here is “critical”. Security staff may or may not be designated as critical path, however, such terminology can be thrown in just to confuse you.

162
Q

Indicating to someone that their data will be collected for a specific purpose, but not indicating how it will further be used might be an indication of:

The Participation tenet but not the Retention tenet

The Scope tenet but lacking the Limitation tenet

The Scope tenet but not the Privacy tenet

The Notification tenet but lacking the Scope tenet

A

The Scope tenet but lacking the Limitation tenet

163
Q

The difference between risk management and risk mitigation is most likely which of the following?

Managerial opinion versus staff opinion
Addressing many issues versus addressing a single issue
Policy versus procedure
Avoiding issues versus acceptable issues

A

Addressing many issues versus addressing a single issue

Take your time with questions like these. When there is vague wording, look at the overall spirit of the question and pick “the best of the worst” since all of these options are poorly worded.

164
Q

Notifying an individual that the data will only be used for the scope in which it was collected might refer to which of the following?

Participation tenet
Notification tenet
Scope tenet
Limitation tenet

A

Limitation tenet

165
Q

Your CIO asks you to review a risk report that details the former cost of a soon-to-be deprecated data center. The report indicates that despite the legacy system, the organization cannot decommission the data center or update its systems without incurring major cost. What type of report is this, and what should be done?

Quantitative risk analysis; consideration of mitigating controls presented in the risk report
Qualitative risk analysis; consideration of mitigating controls presented in the risk report
Qualitative risk analysis; consideration of compensating controls presented in the risk report
Quantitative risk analysis; consideration of compensating controls presented in the risk report

A

Quantitative risk analysis; consideration of compensating controls presented in the risk report

166
Q

Informing the data subject that their information is about to be collected and used for something might refer to which of the following?

Limitation tenet
Scope tenet
Participation tenet
Notification tenet

A

Notification tenet

167
Q

You receive an email that states the following: “We are required to protect any information transmitted between network segments, devices, and endpoints.” The requirement most likely refers to which of the following?

Security Policy
Security Framework
Security Standard
Security baseline

A

Security Policy

168
Q

You receive an email that states the following: “We are required to protect all attachments using Advanced Encryption Standard. The best way to achieve this is through the use of the ZiparChives software licensing that we already have via bulk purchase.” This email is most likely an example of:

Security Policy
Security Framework
Security Guideline

A

Security Guideline

169
Q

Notifying the data subject that they can disallow the data custodian from interacting with any data collected refers to which of the following?

Participation tenet
Limitation tenet
Scope tenet
Notification tenet

A

Participation tenet

171
Q

Restricting traffic disclosure in a star topology by utilizing smart port management might be an example of:

A guideline
A policy
A procedure
A Standard

A

A standard

172
Q

A security pamphlet that is normally given to the public outlining an organization’s security practices might be derived from which of the following?

Guidelines
Procedure
Standards
Policy

A

Standards

This is straight from the CBK. “Practices” typically represent what is currently being done, thus standards would be the best choice. Policy influences standards, which drive procedures, and guidelines are good ideas.

173
Q

Your organization is using a deprecated cryptographic protocol internally within the network, but has disabled the ability of anyone to use, install, or connect decryption technologies while preventing external connections. The deprecated protocol represents:

A safeguard
A threat
A vulnerability
A risk

A

A vulnerability

174
Q

If a server team is responsible for web applications and their data, why might the server team take into consideration contacting the security practitioner in the event of a mirrored disk failure?

Because policy might require it
Because regional regulations might require it
Because guidelines might suggest it
Because procedures might require it

A

Because guidelines might suggest it

This question requires you to pay attention to the wording (as do all questions). It tests your knowledge of the difference between policy, procedures, guidelines, and regulation. The phrase “Take into consideration” is the giveaway – guidelines are suggestions and not required. All other options would be some type of requirement.

175
Q

An internal process document that contains an overview of your organization’s incident response process has the following: triage, intake, declaration, investigation, operational-state, root-cause analysis, root-cause resolution, lessons-learned meeting. This document is most likely which of the following?

Standard
Guideline
Procedure
Policy

A

Standard

The document is a standard because it represents an overview of a process rather than specific steps.

176
Q

As an employer requiring a high degree of trust in your employees, what is the most effective method of achieving this level of trust?

Background check, employment check, and financial profile check

Implementing strict personnel security policies within the organization

Writing precise expectations within an employee handbook that must be adhered to

Codifying the performance expectations through an employment contract

A

Codifying the performance expectations through an employment contract

Since contracts are legally enforceable, this is the best option.

177
Q

Three documents have been delivered to you that contain the following: a document that describes the security strategy of your organization; a document that requires that background checks be conducted by the Department of Justice, and a document that states employees should use heat-proof gloves when removing food from the ovens. These documents represent which of the following?

Policy, standard, guideline
Requirement, guideline, standard
Strategy, standard, procedure
Policy, procedure, governance

A

Policy, standard, guideline

178
Q

What is the difference between risk acceptance and risk avoidance?

Both are documented within policies; one addresses management approach and the other addresses the decision making process
Both are policies; one addresses baseline configuration and the other addresses management approach
Both are decisions; one addresses attitudes on risk and the other addresses performing the assessment
Both are decisions; one addresses consequences and the other addresses preventing the consequences

A

Both are decisions; one addresses consequences and the other addresses preventing the consequences

179
Q

If a server team is responsible for web applications and their data, why might the security practitioner be contacted in the event of a mirrored disk failure?

Because it could impact integrity and could be related to a security incident
Because it might not impact confidentiality but might impact integrity
Because it could impact availability and could be related to a security incident
Because it is related to availability and might impact integrity

A

Because it could impact availability and could be related to a security incident

This question tests your knowledge of the difference between the CIA tenets of information security from Domain 1.

180
Q

Before beginning your new position, the Human Resource department paid for access to a database containing portions of your credit report and criminal history without your knowledge. What best describes this scenario?

A procedural action
A preventive control
A privacy issue
An administrative control

A

An administrative control

The key concept is that the organization did something before hiring you, which is an administrative control no matter how you might feel about it or what the laws might be in your area. It would not be considered a procedure because the question does not mention any referencing of a document.

181
Q

What is the difference between training/awareness review and training/awareness evaluation?

Review is formal, evaluation is informal

Review examines content, evaluation examines context

Review examines outputs, evaluation looks at inputs

Review looks at inputs, evaluation looks at outputs

A

Review looks at inputs, evaluation looks at outputs

This question tries to confuse you with vague wordings. Inputs for training/awareness might be a vague way of indicating the content and what’s driving the content, whereas output refers to the efficacy of the program. Evaluation is the formal process.

182
Q

Your organization manages a public-facing web application that uses two application servers, two database servers, and a transport layer security (TLS) accelerator that is required by the data classification for user sessions. What is the vulnerability and relative mitigation for this scenario?

If the TLS accelerator fails, then traffic may be unencrypted; consider implementing a redundant accelerator

If either of the web application servers fail, availability will be impacted; implement redundant web servers to handle failures

If the database servers fail, integrity will be impacted; implement a redundant array of independent disks (RAID)

If one web server and one database server fail but the TLS accelerator remains active, only availability will be impacted; implement a RAID solution for the database

A

If the TLS accelerator fails, then traffic may be unencrypted; consider implementing a redundant accelerator

This question tests your ability to filter out key terms that are used incorrectly, to identify the vulnerability, and to pay attention to wording. The "availability" option may have been the most tempting, but note the word "either": with two web application servers, losing one OR the other leaves the second running, so availability is not necessarily impacted (only if both failed would redundant web servers be the fix). The database option misuses terms as well, since RAID addresses disk availability, not integrity. The TLS accelerator is the one component with no redundancy, and if it fails, session traffic that the data classification requires to be encrypted may be sent in the clear.

183
Q

Recently one of your employees was tricked into downloading ransomware by visiting a compromised legitimate website. What would have been the best preventive measure in this scenario?

Netshare and local file backups
Security awareness training that covers social engineering
Patched systems, content filtering, and up-to-date intrusion prevention systems
Security awareness training that covers phishing

A

Security awareness training that covers social engineering

The key word here is “tricked,” which means that social engineering has occurred, and the best preventive measure would be appropriate security awareness training. Phishing is a type of social engineering, and since we don’t know the method of trickery, security awareness training that covers social engineering is the best response.

184
Q

A document that states fences must be at least ten feet tall and preferably twelve feet tall might be considered which of the following?

A policy or a guideline
A standard or a guideline
A hybrid standard/guideline
Physical security preferences

A

A hybrid standard/guideline

185
Q

The difference between continuity and contingency is most likely which of the following?

Continuity comes before contingency
Contingency recovers, continuity restores
Continuity comes after contingency
Contingency is critical, continuity is normal

A

Contingency is critical, continuity is normal

The key word is “critical”. Contingency is concerned with critical operations. While poorly worded, you may see questions like this in the exam that seek to confuse you (aka: test your knowledge).

186
Q

What is the best example of security governance?

A group of employees comprised of staff and management who meet regularly to discuss how to better respond to and manage security incidents from a governance perspective

Executive management that oversees various processes and procedures used within the organization to govern its business activities

Security managers and officers of an organization within a company who carry out the governance directives

A group of mid-to-high ranking employees who meet regularly to discuss security policies, roles, and processes used to make security decisions

A

A group of mid-to-high ranking employees who meet regularly to discuss security policies, roles, and processes used to make security decisions

The term “governance” is used in the available responses to tempt you into selecting the wrong answer. Notice that one group is focused on security incidents, another is concerned with overall processes/procedures, and another is concerned with carrying out the governance directives. These can all be ruled out.

187
Q

You have been asked to look at the policies mentioned in the Security, Education, Training & Awareness (SETA) module to see if anything needs updating. This might be an example of:

Audit of the training program
Program effectiveness evaluation
Evaluation of the awareness program
Assessment of the education program

A

Program effectiveness evaluation

This is the updated terminology used for a security education training & awareness program in Domain 1.

188
Q

Several legitimate company users have complained that logging into your web application takes five to ten minutes, while an analyst reports to you that pulsing zombies are occasionally flooding the application with packets from compromised systems. In elevating this event, how should it be classified for upper management?

Degradation of service attack
Distributed denial of service attack
Zombie botnet
Pulsing zombie attack

A

Degradation of service attack

This could be a type of beta question that uses terminology not necessarily covered in the CBK. The key word in this question (not that they all have key words) is “occasionally”, which indicates that the attack is not continuous – in combination with the fact that login is taking five to ten minutes (as opposed to never) indicates this is a degradation, not a denial.

189
Q

After being alerted that an employee has stolen sensitive equipment and data for personal use, you examine their personnel file and discover that a background check was conducted but reference checks were not. This could indicate which of the following?

Poor personnel screening practices
Policy violation
Poor judgment
Poor personnel hiring practices

A

Poor personnel screening practices

This question is vague but seeks to test your knowledge about what category background checks and reference checks fit into. When an option is as vague as “poor judgment”, you can instantly rule it out. Also, while high-level options (such as hiring practices) might seem good, the exam is testing you on specific concepts presented in the CBK.

190
Q

When a company manages its operations and policies using the Sigma model, this is indicative of which principle?

Governance
Policy
Configuration management
Change management

A

Governance

191
Q

Which of the following is not a technical control?

Staff using write-block technology to conduct forensics on suspicious devices
A log that is created to assist in the detection of inappropriate activity showing username, access time, data accessed
An alert that is sent when a user tries to access a data element without the proper permissions
A configuration setting that reports device locations to the central authentication server

A

Staff using write-block technology to conduct forensics on suspicious devices

Investigative processes are detective controls, which can sometimes be technical as well, but not in this case.

192
Q

A security manager is unable to conduct an investigation despite having the knowledge and expertise; no procedures exist. What is the most probable cause for the inability to conduct an investigation?

Investigative standards most likely do not exist to guide the security manager
An investigative policy most likely does not exist that provides guidance
Investigative guidelines have most likely not been developed or approved by upper management
A procedure does not exist to indicate the steps the security manager must take

A

Investigative standards most likely do not exist to guide the security manager

Since the procedures do not exist and the manager already has the appropriate knowledge, focus on what may be missing from this equation and look back to your lesson on the difference between policy, standard, guideline and procedure. In questions like this, not everything will be spelled out perfectly for you, and you may need to make some assumptions using the knowledge you gained from studying the CBK. As always, go with the best of the worst options.

193
Q

What should be considered in addition to dynamic policy control in order to help protect highly sensitive data?

Licensing and centralized access control
Centralized access control and interoperability
Licensing and continuous audit trails
Decentralized access control and persistency

A

Licensing and continuous audit trails

Ultimately this question tests your knowledge about digital rights management solutions. Since very little information is given, you have to look for key words and make assumptions (e.g. dynamic policy control).

194
Q

What is the most important component of the contingency plan?

Remediation steps to the alternate site
Response steps to the primary site
Recovery steps and objectives to the alternate site
Reconstitution steps and objectives to the primary site

A

Recovery steps and objectives to the alternate site

While short and vague, this question tests your knowledge between terminology from the Security Operations and Security Risk Management domains – the many “Rs” (remediation, response, recovery, etc.) can be confusing when not presented in the context of their respective domains. Be sure to study up on contingency planning and incident management if you missed this question.

195
Q

Your company’s management philosophy, including its risk appetite might be found where?

In its governance
In its personnel handbook
In its policy
In its standards

A

In its governance

Vague wording is used in this question. Governance is the best answer because it takes into consideration all the policies, standards, and handbooks from the company.

196
Q

You receive word from the governance committee that a weaker security framework must be adopted immediately to save costs, but you are approached by an analyst who tells you that adopting the weaker framework could bring the entity out of compliance with federal law. Shortly thereafter, the analyst is laid off. What should you do in this scenario?

Implement the weaker framework
Gather evidence in support of the new framework
Ask the laid off analyst for supporting documents
Notify the regulating federal agency

A

Implement the weaker framework

In difficult ethical questions like this, pay attention to wording. One key word is “could”, meaning it’s unknown whether the company would be out of compliance. Also, keep in mind that nothing in this question ties the two incidents together (weak framework and being laid off). In addition, remember that security is a supporting function that must align with organizational goals.

197
Q

If key data inputs and metrics are missing, what is the best approach to conducting a risk analysis?

Subjective
Objective
Hybrid approach that combines quantitative and qualitative
Quantifiable method

A

Subjective

“Subjective” is the same as qualitative. Since metrics are missing, this is the best option.

198
Q

Recently a court ruled that forensic investigations in your district can no longer use write-block technology. This is most likely which of the following?

Legal standard
Legal ruling
Regulatory standard
Industry standard

A

Legal standard

This question tests your knowledge of the difference between legal, regulatory, and industry standards. The key word here is “court ruling”.

199
Q

Management is concerned that infections in the workplace may rise if temperatures are not taken before employees enter the building. This concern can best be defined as which of the following?

Vulnerability
Exposure
Risk aversion
Likelihood

A

Likelihood

This is a vague question, but remember that likelihood is the measure of possibility. If the possibility is increasing, the likelihood is increasing.

200
Q

A protocol document approved by senior management that appears to be outdated conflicts with the runbook approved by your management team. What should be done in this situation?

The protocol document should be followed.
A guideline should be developed.
The runbook should be reviewed.
The runbook should be followed.

A

The protocol document should be followed.

Given that one of the options talks about “guidelines”, you might be able to decipher that this question is talking about the difference between policy, procedures, standards, etc. Also, given that none of these answers are perfect, you have to choose the best one, which is usually the higher level option since a protocol (policy/standard) would overrule a runbook (procedure). Thesaurus and non-CBK terms are commonly inserted into questions to test your ability to apply the knowledge and ability to wade through challenges.

201
Q

You are covertly ordered by two out of twelve board members to initiate an internal investigation on your manager. What is the best approach in this situation?

Explain the concept of separation of duties and ask for guidance.
Gently recuse yourself explaining your chain of command.
Conduct the investigation discreetly without anyone’s knowledge.
Educate the board members on how to submit a complaint to internal affairs.

A

Educate the board members on how to submit a complaint to internal affairs.

In ethical dilemma questions, pay attention to the wording and when in doubt, the best approach is to look for established processes/procedures that can be followed. Also try to ignore irrelevant information within the question, such as the number of board members, and their lack of knowledge. Since each of the available options has an inherent assumption (which will make you uncomfortable during the exam), you have to choose the BEST one.

202
Q

Which of the following is an adequate clause for a service-level agreement?

Service must comply with security regulations outlined in the contract. Any variances will result in financial penalties.

Interruptions to service must not exceed 3 seconds. Interruptions beyond this threshold must be logged by the system and provided monthly.

A splash screen must be presented to website users for a duration of 5 to 10 seconds, giving them the choice to opt-out of services.

Security incidents must be resolved within 24 hours.

A

Interruptions to service must not exceed 3 seconds. Interruptions beyond this threshold must be logged by the system and provided monthly.

SLAs need to have a measurable and financially/legally enforceable metric. While some of these options have numeric metrics, they are not objective or reasonable, and could easily be disputed.

203
Q

Which of the following is not an example of governance?

Organizational roles
Guidelines
Policy
Procedures

A

Guidelines

When all of the answers are theoretically “correct”, try to choose the option that is the least correct. In this case, since guidelines are recommendations, they would be the least correct out of the options presented here.

204
Q

How should proposed changes be handled when they comply with policy but do not comply with guidelines?

They should be avoided if any risks are discovered.
They should be considered for implementation through the regular change process.
They should be accepted for risks by management.
They should receive additional scrutiny from stakeholders prior to being considered.

A

They should be considered for implementation through the regular change process.

While the options available are vague and poorly worded, look for key words that can help you focus on the bottom line and rule out the bad options. Ultimately this question asks what the difference is between policy and guideline. If you remember that guidelines are simply suggestions, then this question becomes fairly easy. If a change complies with policy then it should be considered through the normal process.

205
Q

In which situation would an employee have the most repudiation?

Administrators have local admin access to change, read, update, and delete.
Administrator activities are logged and they have full read/write permissions.
Administrators have read only access.
Administrators have impersonator accounts where logging is written as the impersonated user.

A

Administrators have impersonator accounts where logging is written as the impersonated user.

This question is vague, and has multiple right answers, but the best choice is the one in which the employee would have the “most” repudiation. Remember that repudiation is the ability to deny, so in the case where an “impersonator” account exists, the admin remains completely anonymous and users can deny all actions performed under their accounts.

206
Q

A business that transports and stores your backup media also serves other customers and has concerns with allowing your audit staff on site. If they are subject to your company’s data regulations, what is the most acceptable solution to this dilemma?

Seek cooperation to conduct an onsite audit.
Elevate the issue to the storage facility upper management.
Ensure that the right-to-audit is in the contract.
Request copies of third-party audit results.

A

Request copies of third-party audit results.

When all of the options seem good, you have to use the process of elimination to weed out the worst options. When ruling out options, re-read the question multiple times, especially if the question is short. In this case since we don’t know what’s in the contract or what the regulations allow, conducting an audit is out of the question, and looking at the contract won’t do any good other than adding to your knowledge. Elevating the issue might be good, but the CBK specifically mentions reviewing audit results for organizations that are subject to the same regulations. Be sure to review risk management concepts in Domain 1 if you struggled with this question.

207
Q

Which of the following is the best example of a layered defense?

Use of digital signatures and private keys
Multifactor authentication and a separate passcode
Role-based access controls and user monitoring
Security guards at the main entrance and proximity access card locks on the remaining doors

A

Role-based access controls and user monitoring

This question requires you to think through each option, what they might do as a combination, and how they might complement each other as a layered defense architecture. In this case, the only two that would provide sufficient layered defense would be RBAC and monitoring, because it presents a technical control and administrative/management control combination. The remaining options are good but not the best (remember to always choose the “best” option).

208
Q

Access authorization rules are typically enforced by:

Access control systems
Organizational standards
Access control procedures
Role-based access control matrices

A

Access control systems

Standards, procedures, and policy dictate the rules, but systems or processes enforce them.

209
Q

Who has the primary responsibility of determining the classification level for information?

A. The functional manager
B. Senior management
C. The owner
D. The user

A

C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

210
Q

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.

A

C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

211
Q

What should management consider the most when classifying data?

A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data

A

B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

212
Q

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners
B. Users
C. Administrators
D. Management

A

D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.

213
Q

Which factor is the most important item when it comes to ensuring security is successful in an organization?

A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A

A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.

214
Q

When is it acceptable to not take action on an identified risk?

A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

A

D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.

215
Q

Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

A

B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.

216
Q

Which best describes the purpose of the ALE calculation?

A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year

A

D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

217
Q

The security functionality defines the expected activities of a security mechanism, and assurance defines which of the following?

A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. The cost/benefit relationship

A

C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.

218
Q

How do you calculate residual risk?

A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap

A

D. The equation is more conceptual than practical. It is hard to assign a number to an individual vulnerability or threat. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.

219
Q

Why should the team that will perform and review the risk analysis information be made up of people in different departments?

A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

A

C. An analysis is only as good as the data that go into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.

220
Q

Which best describes a quantitative risk analysis?

A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions

A

C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.

221
Q

Why is a truly quantitative risk analysis not possible to achieve?

A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.

A

D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.

222
Q

What is CobiT and where does it fit into the development of information security systems and security programs?

A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives

A

D. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

223
Q

What are the four domains that make up CobiT?

A. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
C. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
D. Acquire and Implement, Deliver and Support, and Monitor and Evaluate

A

A. CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories:

* Acquire and Maintain Application Software
* Acquire and Maintain Technology Infrastructure
* Develop and Maintain Procedures
* Install and Accredit Systems
* Manage Changes

224
Q

What is the ISO/IEC 27799 standard?

A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST 800-60

A

A. It is referred to as health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

225
Q

CobiT was developed from the COSO framework. What are COSO’s main objectives and purpose?

A. COSO is a risk management approach that pertains to control objectives and IT business processes.
B. Prevention of a corporate environment that allows for and promotes financial fraud
C. COSO addresses corporate culture and policy development.
D. COSO is a risk management system used for the protection of federal systems.

A

B. COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.

226
Q

OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?

A. NIST 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST 800-30 are assurance based.
D. NIST 800-30 and AS/NZS are corporate based, while OCTAVE is international.

A

B. NIST 800-30 Risk Management Guide for Information Technology Systems is a U.S. federal standard that is focused on IT risks. OCTAVE is a methodology to set up a risk management program within an organizational structure. AS/NZS 4360 takes a much broader approach to risk management. This methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.

227
Q

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server’s configuration and employed strict operating system access controls.

  1. The fact that the server has been in an unlocked room marked “Room 1” for the last few years means the company was practicing which of the following?
    A. Logical security
    B. Risk management
    C. Risk transference
    D. Security through obscurity
A
  1. D. Security through obscurity is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope
    that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker, which is a poor way of practicing security.
    Vulnerabilities should be identified and fixed, not hidden.
228
Q

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server’s configuration and employed strict operating system access controls.

  1. The new reinforced lock and cage serve as which of the following?
    A. Logical controls
    B. Physical controls
    C. Administrative controls
    D. Compensating controls
A
  1. B. Physical controls are security mechanisms in the physical world, as in locks,
    fences, doors, computer cages, etc. There are three main control types, which
    are administrative, technical, and physical.
229
Q

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server’s configuration and employed strict operating system access controls

  1. The operating system access controls comprise which of the following?
    A. Logical controls
    B. Physical controls
    C. Administrative controls
    D. Compensating controls
A
  1. A. Logical (or technical) controls are security mechanisms, as in firewalls, encryption, software permissions, and authentication devices. They are
    commonly used in tandem with physical and administrative controls to provide a defense-in-depth approach to security.
230
Q

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.
  22. How much does the firewall save the company in loss expenses?
    A. $62,000
    B. $3,000
    C. $65,000
    D. $30,000
A
  1. A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The
    formula for ALE is single loss expectancy × annualized rate of occurrence = ALE.

Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides.

231
Q

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

  1. What is the value of the firewall to the company?
    A. $62,000
    B. $3,000
    C. –$62,000
    D. –$3,000
A
  1. D. –$3,000 is the correct answer. The firewall saves $62,000, but costs $65,000 per year. 62,000 – 65,000 = –3,000. The firewall actually costs the
    company more than the original expected loss, and thus the value to the company is a negative number. The formula for this calculation is (ALE before
    the control is implemented) – (ALE after the control is implemented) – (annual cost of control) = value of control.
232
Q

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

  1. Which of the following describes the company’s approach to risk
    management?
    A. Risk transference
    B. Risk avoidance
    C. Risk acceptance
    D. Risk mitigation
A
  1. D. Risk mitigation involves employing controls in an attempt to reduce either the likelihood or the damage associated with an incident, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat.
233
Q

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

  1. What is the Single Loss Expectancy (SLE) for the facility suffering from a fire?
    A. $80,000
    B. $480,000
    C. $320,000
    D. 60%
A
  1. B. $480,000 is the correct answer. The formula for single loss expectancy (SLE) is asset value × exposure factor (EF) = SLE. In this situation the formula would work out as asset value ($800,000) × exposure factor (60%) = $480,000. This
    means that the company has a potential loss value of $480,000 pertaining to this one asset (facility) and this one threat type (fire).
234
Q

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

  1. What is the Annualized Rate of Occurrence (ARO)?
    A. 1
    B. 10
    C. .1
    D. .01
A
  1. C. The annualized rate of occurrence (ARO) is the frequency with which a threat is most likely to occur within a 12-month period. A fire expected once every ten years gives an ARO of 1/10 = 0.1. It is a value used in the ALE
    formula, which is SLE × ARO = ALE.
235
Q

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

  1. What is the Annualized Loss Expectancy (ALE)?
    A. $480,000
    B. $32,000
    C. $48,000
    D. .6
A
  1. C. $48,000 is the correct answer. The annualized loss expectancy formula (SLE × ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. Here, SLE ($480,000) × ARO (0.1) = $48,000. The resulting ALE value helps to determine
    the amount that can reasonably be spent in the protection of that asset. In this situation, the company should not spend over $48,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity
    level of the risks they face so they know which ones to deal with first and how
    much to spend on each.
236
Q
  1. The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from
    the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be
    certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
    i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
    ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
    iii. ISO/IEC 27006 outlines the program implementation guidelines, and
    ISO/IEC 27005 outlines risk management guidelines.
    iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.
    A. i, iii
    B. i, ii
    C. ii, iii, iv
    D. i, ii, iii, iv
A
  1. D. The proper mappings for the ISO/IEC standards are as follows:
    * ISO/IEC 27001 ISMS requirements
    * ISO/IEC 27002 Code of practice for information security management
    * ISO/IEC 27003 Guideline for ISMS implementation
    * ISO/IEC 27004 Guideline for information security management measurement and metrics framework
    * ISO/IEC 27005 Guideline for information security risk management
    * ISO/IEC 27006 Guidance for bodies providing audit and certification of
    information security management systems
237
Q
  1. The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture.

    Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
    i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
    ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
    iii. Capability Maturity Model should be integrated because it provides distinct maturity levels.
    iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
    A. i, iii
    B. ii, iii, iv
    C. ii, iii
    D. ii, iv
A
  1. C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the
    definitions for all items in this question:
    * TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group
    * ITIL Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce
    * Six Sigma Business management strategy that can be used to carry out process improvement
    * Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon
238
Q

Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank’s personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

  1. Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
    A. Separation of duties
    B. Rotation of duties
    C. Mandatory vacations
    D. Split knowledge
A
  1. C. Mandatory vacation is an administrative detective control that allows for an organization to investigate an employee’s daily business activities to uncover any potential fraud that may be taking place. The employee should be forced to be away from the organization for a two-week period and another person put into that role. The idea is that the person who was rotated into that position may be able to detect suspicious activities.
239
Q
  1. If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
    A. Separation of duties
    B. Rotation of duties
    C. Social engineering
    D. Split knowledge
A
  1. A. Separation of duties is an administrative control that is put into place to ensure that one person cannot carry out a critical task by himself. If a person were able to carry out a critical task alone, this could put the organization at risk. Collusion is when two or more people come together to carry out fraud. So if a task was split between two people, they would have to carry out collusion (working together) to complete that one task and carry out fraud.
240
Q
  1. Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
    A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that
    provides preventative protection for Todd’s organization.
    B. Rotation of duties by ensuring that one employee only stays in one position
    for up to three months at a time. This is an administrative control that provides detective capabilities.
    C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.
    D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
A
  1. D. Dual control is an administrative preventative control. It ensures that two people must carry out a task at the same time, as in two people having
    separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam
    you need to choose the best answer.
241
Q

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.

  33. Which of the following best describes what Sam should address first in this situation?
    A. Integrate data protection roles and responsibilities within the security awareness training and require everyone to attend it within the next 15 days.
    B. Review the current classification policies to ensure that they properly address the company’s risks.
    C. Meet with senior management and get permission to enforce data owner tasks for each business unit manager.
    D. Audit all of the current data protection controls in place to get a firm understanding of what vulnerabilities reside in the environment.
A
  1. B. While each answer is a good thing for Sam to carry out, the first thing that needs to be done is to ensure that the policies properly address data
    classification and protection requirements for the company. Policies provide direction, and all other documents (standards, procedures, guidelines) and
    security controls are derived from the policies and support them.
242
Q

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.

  1. Sam needs to get senior management to assign the responsibility of protecting specific data sets to the individual business unit managers, thus making them data owners. Which of the following would be the most important in the criteria the managers would follow in the process of actually classifying data once this responsibility has been assigned to them?
    A. Usefulness of the data
    B. Age of the data
    C. Value of the data
    D. Compliance requirements of the data
A
  1. C. Data is one of the most critical assets to any organization. The value of the asset must be understood so that the organization knows which assets require the most protection. There are many components that go into calculating the value of an asset: cost of replacement, revenue generated from asset, amount adversaries would pay for the asset, cost that went into the development of the asset, productivity costs if asset was absent or destroyed, and liability costs of not properly protecting the asset. So the data owners need to be able to
    determine the value of the data to the organization for proper classification
    purposes.
243
Q

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness
training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.

  1. From this scenario, what has the company accomplished so far?
    A. Implementation of administrative controls
    B. Implementation of operational controls
    C. Implementation of physical controls
    D. Implementation of logical controls
A
  1. A. The company has developed a data classification policy, which is an administrative control.
244
Q

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
  36. Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization?
    A. Dual control
    B. Redundancy
    C. Training
    D. Baselines
A
  1. D. The operations staff needs to know what minimum level of security is required per system within the network. This minimum level of security is
    referred to as a baseline. Once a baseline is set per system, then the staff has something to compare the system against to know if changes have not taken
    place properly, which could make the system vulnerable.
245
Q

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
  37. Which of the following is the best way to illustrate to her boss the dangers of the current configuration issues?
    A. Map the configurations to the compliancy requirements.
    B. Compromise a system to illustrate its vulnerability.
    C. Audit the systems.
    D. Carry out a risk assessment.
A
  1. D. Susan needs to illustrate these vulnerabilities (misconfigured systems) in the context of risk to her boss. This means she needs to identify the specific
    vulnerabilities, associate threats to those vulnerabilities, and calculate their risks. This will allow her boss to understand how critical these issues are and what type of action needs to take place.
246
Q

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
  38. Which of the following is one of the most likely solutions that Susan will come up with and present to her boss?
    A. Development of standards
    B. Development of training
    C. Development of monitoring
    D. Development of testing
A
  1. A. Standards need to be developed that outline proper configuration management processes and approved baseline configuration settings. Once
    these standards are developed and put into place, then employees can be trained on these issues and how to implement and maintain what is outlined
    in the standards. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. You will find that some CISSP
    questions seem subjective and their answers hard to pin down. Questions that ask what is “best” or “more likely” are common.
247
Q

Policy: “Protect the CIA of PII by hardening the operating system.” This is considered:
Mandatory
Discretionary

A

Mandatory

248
Q

Procedure:
Step 1: Install prehardened OS image.
Step 2: Download patches from update server.
Step 3: …
This is considered:

Mandatory
Discretionary

A

Mandatory

249
Q

Standard: “Use Nexus-6 laptop hardware.” This is considered:

Mandatory
Discretionary

A

Mandatory

250
Q

Guideline: “Patch installation may be automated via the use of an installer script.” This is considered:
Mandatory
Discretionary

A

Discretionary

251
Q

Baseline: “Use the CIS Security Benchmarks (Windows).” This is considered:
Mandatory
Discretionary

A

Discretionary

252
Q

Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.

  1. What is the ARO in the above scenario?
    (a) $20,000
    (b) 40%
    (c) 7
    (d) $10,000
A
  1. Correct answer and explanation: C. The ARO is the number of attacks in a year.
    Incorrect answers and explanations: Answers A, B, and D are incorrect. The AV is $20,000. The EF is 40%, and the monthly cost of the DoS service (used to calculate TCO) is $10,000.
253
Q

Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.

  1. What is the ALE of lost iPod sales due to the DoS attacks?
    (a) $20,000
    (b) $8000
    (c) $84,000
    (d) $56,000
A
  1. Correct answer and explanation: D. The ALE is derived by first calculating the SLE, which is the AV, $20,000, multiplied by the EF, 40%.
    The SLE is $8000, which is multiplied by the ARO of 7 for an ALE of $56,000.
    Incorrect answers and explanations: Answers A, B, and C are incorrect. $20,000 is the AV, while $8000 is the SLE.
254
Q

Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.

  1. Is the DoS mitigation service a good investment?
    (a) Yes, it will pay for itself.
    (b) Yes, $10,000 is less than the $56,000 ALE.
    (c) No, the annual TCO is higher than the ALE.
    (d) No, the annual TCO is lower than the ALE
A
  1. Correct answer and explanation: C. The TCO of the DoS mitigation service is higher than the ALE of lost sales due to DoS attacks. This means it is less expensive to accept the risk of DoS attacks or to find a less expensive mitigation strategy.
    Incorrect answers and explanations: Answers A, B, and D are incorrect. The annual TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate the yearly TCO ($10,000 × 12 = $120,000) to compare with the $56,000 ALE.
255
Q

4. Which canon of The (ISC)2® Code of Ethics should be considered the most important?
(a) Protect society, the commonwealth, and the infrastructure
(b) Advance and protect the profession
(c) Act honorably, honestly, justly, responsibly, and legally
(d) Provide diligent and competent service to principals

A
  1. Correct answer and explanation: A. The canons are applied in order and “To protect society, the commonwealth, and the infrastructure” is the first canon, and is thus the most important of the four canons of The (ISC)2 Code of Ethics.

Incorrect answers and explanations: Answers B, C, and D are incorrect. The canons of The (ISC)2 Code of Ethics are presented in order of importance. The second canon requires the security professional to act honorably, honestly, justly, responsibly, and legally. The third mandates that professionals provide diligent and competent service to principals. The final and therefore least important canon wants professionals to advance and protect the profession.

256
Q

Which of the following is NOT a component of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. Privacy

A

Answer: D. Privacy

Explanation: The CIA triad consists of confidentiality, integrity, and availability. Privacy is an important security concept but not part of the CIA triad.

257
Q

Which of the following is NOT a category of access control?
A. Physical
B. Administrative
C. Technical
D. Financial

A

Answer: D. Financial

Explanation: Access control has three categories: physical, administrative, and technical. Financial is not a category of access control.

258
Q

What is the primary goal of a security risk assessment?
A. To eliminate all risks
B. To reduce risks to an acceptable level
C. To identify all possible risks
D. To transfer all risks to a third party

A

Answer: B. To reduce risks to an acceptable level

Explanation: The primary goal of a security risk assessment is to identify and analyze risks and then develop strategies to reduce them to an acceptable level.

259
Q

Which of the following is an example of symmetric key cryptography?
A. RSA
B. AES
C. ElGamal
D. Diffie-Hellman

A

Answer: B. AES

Explanation: AES is a symmetric key algorithm, meaning the same key is used for encryption and decryption. RSA, Diffie-Hellman, and ElGamal are
examples of asymmetric key algorithms.

260
Q

Which of the following is NOT a common Software Development Life Cycle (SDLC) model?
A. Waterfall
B. Agile
C. Spiral
D. Sequential

A

Answer: D. Sequential

Explanation: There is no SDLC model called sequential. The most common SDLC models are Waterfall, Agile, and Spiral.

261
Q

What is the primary purpose of a firewall?
A. To prevent unauthorized access to a network
B. To detect and remove viruses from a network
C. To provide secure remote access to a network
D. To encrypt all network traffic

A

Answer: A. To prevent unauthorized access to a network

Explanation: The primary purpose of a firewall is to prevent unauthorized access to a network by blocking traffic that does not meet specific criteria.

262
Q

Which of the following is NOT an example of a physical security control?
A. Security cameras
B. Biometric scanners
C. Firewalls
D. Fences

A

Answer: C. Firewalls

Explanation: Firewalls are an example of technical security control, not physical security. Physical security controls include security cameras, biometric scanners, and fences.

263
Q

Which of the following is NOT a type of encryption key?
A. Public key
B. Private key
C. Session key
D. Public-private key

A

Answer: D. Public-private key

Explanation: There is no such thing as a public-private key. Public key encryption uses a public and a private key, while symmetric key encryption uses a session key.

264
Q

Which of the following is an example of security control that falls under the security operations domain?
A. Penetration testing
B. Security awareness training
C. Access control
D. Application security testing

A

Answer: B. Security awareness training

Explanation: Security awareness training is a security control that falls under the security operations domain. It aims to educate employees about their responsibilities in maintaining the organization’s security posture and helps them recognize and respond to potential threats. Penetration testing is not a correct answer because it falls under the Security Assessment and Testing domain, which involves evaluating an organization’s security posture by simulating real-world attacks. Access control is not a correct answer because it falls under the Identity and Access Management (IAM) domain, which deals with controlling who has access to resources and ensuring that only authorized individuals can access those resources. Application security testing is not a correct answer because it falls under the Software Development Security domain, which focuses on ensuring the security of applications throughout their development life cycle.

265
Q

Which of the following is NOT a security incident response plan component?
A. Preparation
B. Detection
C. Mitigation
D. Penetration

A

Answer: D. Penetration

Explanation: Penetration is not a component of a security incident response plan. The three primary components of a security incident response plan are preparation, detection, and mitigation. Preparation involves developing policies, procedures, and controls to prevent security incidents from occurring. Detection consists of identifying and analyzing security incidents when they occur. Mitigation consists of responding to and containing the impact of security incidents and preventing similar incidents from occurring.

266
Q

Which of the following is an example of technical security control?
A. Background checks
B. Security awareness training
C. Intrusion detection system
D. Facility access controls

A

Answer: C. Intrusion detection system

Explanation: Technical security controls use technology to prevent, detect, or respond to security threats. Examples include firewalls, antivirus software, and intrusion detection systems.

267
Q

Which of the following is NOT an example of a common authentication factor?
A. Something you know
B. Something you have
C. Something you are
D. Something you want

A

Answer: D. Something you want

Explanation: The three common authentication factors are something you know (e.g., password), something you have (e.g., token), and something you are (e.g., biometric). Something you want is not a recognized authentication factor.

268
Q

Which of the following is a security control that falls under the security assessment and testing domain?
A. Change management
B. Vulnerability scanning
C. Disaster recovery
D. Incident response

A

Answer: B. Vulnerability scanning

Explanation: Vulnerability scanning is a security control under the security assessment and testing domain. It involves scanning a system for known
vulnerabilities and weaknesses.

269
Q

Which of the following is NOT a common type of access control model?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Access control list (ACL)

A

Answer: D. Access control list (ACL)

Explanation: Access control lists (ACLs) are a common implementation of access control but are not themselves an access control model. The three common access control models are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

270
Q

Which of the following is a key consideration when designing a secure network architecture?
A. High availability
B. Low cost
C. Easy administration
D. High bandwidth

A

Answer: A. High availability

Explanation: A key consideration when designing a secure network architecture is ensuring the high availability of critical services and resources. While cost, administration, and bandwidth are also important, they are secondary to availability in the context of security.

271
Q

What is the purpose of a security baseline?
A. To establish the minimum-security requirements for a system or application
B. To identify and prioritize security risks based on their potential impact
C. To monitor and report on security events and incidents
D. To test the effectiveness of security controls in a simulated attack environment

A

Answer: A. To establish the minimum-security requirements for a system or application

Explanation: A security baseline is a set of minimum-security requirements that a system or application must meet to be considered secure. It serves as a starting point for security configuration and helps ensure security controls are implemented
consistently across the organization.

272
Q

Which of the following is NOT a common method of authentication?
A. Password
B. Certificate
C. Token
D. Proxy

A

Answer: D. Proxy

Explanation: Proxy is not a method of authentication. The three common methods of authentication are something you know (e.g., password), something you have (e.g., token), and something you are (e.g., biometric). The certificate is a type of token-based authentication.

273
Q

What is the primary goal of a security audit?
A. To identify and assess security risks
B. To monitor and report on security events and incidents
C. To test the effectiveness of security controls
D. To ensure compliance with security policies and standards

A

Answer: D. To ensure compliance with security policies and standards

Explanation: A security audit systematically evaluates an organization’s security policies, standards, and procedures to ensure compliance with established security requirements.

274
Q

Which of the following is a key principle of secure software development?
A. Agile development
B. Security by design
C. Minimum viable product
D. Continuous integration

A

Answer: B. Security by design

Explanation: Security by design is a key principle of secure software development that involves considering security requirements throughout the entire Software Development Life Cycle rather than as an afterthought.

275
Q

Which of the following is NOT a key component of an incident response plan?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Termination

A

Answer: D. Termination

Explanation: Termination is not a key component of an incident response plan. The three primary components are preparation, detection and analysis, and containment, eradication, and recovery.

276
Q

Which of the following are NOT examples of a non-repudiation control?
A. Digital signatures
B. Audit trails
C. Two-factor authentication
D. Passwords

A

Answer: C. Two-factor authentication and D. Passwords

Explanation: Non-repudiation controls prevent the denial of an action or transaction. Digital signatures and audit trails are examples of non-repudiation controls, as they prove a transaction’s origin and integrity. Two-factor authentication provides authentication and authorization but does not prevent repudiation. Passwords are not a non-repudiation control.

277
Q

Which of the following is NOT an example of technical security control?
A. Firewalls
B. Biometric authentication
C. Background checks
D. Intrusion detection systems

A

Answer: C. Background checks

Explanation: Background checks are a type of administrative security control, not a technical security control. Technical security controls involve using technology to prevent, detect, or respond to security threats.

278
Q

Which of the following is crucial when designing a secure network topology?
A. Network bandwidth
B. Network latency
C. Network availability
D. Network throughput

A

Answer: C. Network availability

Explanation: Network availability is crucial when designing a secure network topology. The network must be designed to ensure that critical services and resources are available when needed while minimizing downtime and disruption in an attack or failure.

279
Q

Which of the following is a crucial principle of secure software development?
A. Continuous delivery
B. Code obfuscation
C. Defense in depth
D. Secure coding

A

Answer: D. Secure coding

Explanation: Secure coding is a key principle of secure software development that involves writing code free from security vulnerabilities and exploits. This helps prevent the introduction of security weaknesses into the software and reduces the risk of
a successful attack.

280
Q

Which of the following is NOT a type of access control?
A. Identity verification
B. Authorization
C. Accountability
D. Authentication

A

Answer: C. Accountability

Explanation: Accountability is not a type of access control but rather a concept related to responsibility and liability for actions taken. The three common types of access control are authentication, authorization, and audit/monitoring.

281
Q

Which of the following is a crucial benefit of using cloud computing for security?
A. Increased control over data security
B. Improved physical security of data centers
C. Reduced risk of insider threats
D. Improved disaster recovery capabilities

A

Answer: D. Improved disaster recovery capabilities

Explanation: Cloud computing can improve disaster recovery by providing redundant infrastructure and data backups in multiple locations. While cloud providers may also offer enhanced physical security and other benefits, improved disaster recovery is a key benefit for protection.

282
Q

Which of the following is crucial when designing secure Mobile Device Management?
A. Protecting against insider threats
B. Providing high-bandwidth connectivity
C. Ensuring device compatibility with all apps
D. Enforcing data encryption and access control policies

A

Answer: D. Enforcing data encryption and access control policies

Explanation: Enforcing data encryption and access control policies is a key consideration for secure Mobile Device Management. Mobile devices are highly portable and often contain sensitive data, making encryption and access control critical for protecting against unauthorized access or data loss.

283
Q

Which of the following is a key principle of secure password management?
A. Requiring password changes every 90 days
B. Using long, complex passwords
C. Storing passwords in a centralized database
D. Sharing passwords with trusted colleagues

A

Answer: B. Using long, complex passwords

Explanation: Using long, complex passwords is a key principle of secure password management. Requiring password changes too frequently can lead to weaker passwords, while storing passwords in a centralized database or sharing passwords increases the risk of unauthorized access.

284
Q

Which of the following is NOT a common type of access control model?
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Discretionary access control (DAC)
D. Hierarchical access control (HAC)

A

Answer: D. Hierarchical access control (HAC)

Explanation: Hierarchical access control (HAC) is not a recognized access control model. The three common access control models are role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC).

285
Q

Which of the following is a key consideration when designing secure network segmentation?
A. Maximizing network throughput
B. Minimizing network latency
C. Isolating critical systems and resources
D. Providing open access to all users

A

Answer: C. Isolating critical systems and resources

Explanation: Isolating critical systems and resources is a key consideration when designing secure network segmentation. Segmenting the network can help limit the impact of a security breach or failure, but it is important to ensure that critical systems and resources are properly isolated and protected.

286
Q

Which of the following is a primary consideration when designing secure virtualization environments?
A. Providing unrestricted access to virtual resources
B. Ensuring compatibility with all virtualization platforms
C. Securing virtual machine images and snapshots
D. Maximizing virtual machine density

A

Answer: C. Securing virtual machine images and snapshots

Explanation: Securing virtual machine images and snapshots is a key consideration when designing secure virtualization environments. Virtual machines can be easily copied or cloned, potentially exposing sensitive data or allowing unauthorized access. Proper security measures must be taken to secure virtual machine images and snapshots.

287
Q

Which of the following is a critical principle of secure network design?
A. Maximizing network throughput
B. Minimizing network complexity
C. Providing unrestricted access to all network resources
D. Using open standards and protocols

A

Answer: B. Minimizing network complexity

Explanation: Minimizing network complexity is a key principle of secure network design. Complex networks are more difficult to manage and secure and can increase the risk of security breaches or failures. Simplifying the network and reducing complexity can help improve security.

288
Q

Which of the following is NOT a type of vulnerability?
A. Zero-day vulnerability
B. Privilege escalation vulnerability
C. Buffer overflow vulnerability
D. Social engineering vulnerability

A

Answer: D. Social engineering vulnerability

Explanation: Social engineering is a technique that manipulates people into divulging sensitive information or performing actions that compromise security. It is not a type of vulnerability. The three types of vulnerabilities listed are commonly found in
software or systems.

289
Q

Which of the following is a crucial consideration when designing secure cloud architecture?
A. Maximizing control over cloud infrastructure
B. Using proprietary cloud technologies
C. Ensuring compliance with applicable regulations and standards
D. Avoiding the use of third-party cloud providers

A

Answer: C. Ensuring compliance with applicable regulations and standards

Explanation: Ensuring compliance with applicable regulations and standards is a key consideration when designing secure cloud architecture. Cloud providers must comply with various regulations and standards, such as GDPR or HIPAA, depending on the industry and the data stored in the cloud.

290
Q

Which of the following is a key principle of secure application development?
A. Requiring all code to be written in-house
B. Using open source libraries and frameworks
C. Implementing secure coding practices
D. Focusing on functionality over security

A

Answer: C. Implementing secure coding practices

Explanation: Implementing secure coding practices is a key principle of secure application development. Secure coding involves writing code free from security vulnerabilities and exploits and incorporating security considerations throughout the Software Development Life Cycle.

291
Q

Which of the following is a primary consideration when implementing secure remote access?
A. Providing unrestricted access to all network resources
B. Using weak authentication mechanisms
C. Minimizing network segmentation and access controls
D. Enforcing strong encryption and access controls

A

Answer: D. Enforcing strong encryption and access controls

Explanation: Enforcing strong encryption and access controls is a key consideration when implementing secure remote access. Remote access can expose sensitive data and resources to unauthorized access, so it is important to use strong authentication mechanisms and enforce proper access controls.

292
Q

Which of the following is an essential principle of secure data classification?
A. Treating all data as sensitive and confidential
B. Using open data standards and formats
C. Applying consistent data classification criteria
D. Allowing data to be stored on any device or platform

A

Answer: C. Applying consistent data classification criteria

Explanation: Applying consistent data classification criteria is a key principle of secure data classification. Data classification involves categorizing data based on its sensitivity and value and applying appropriate security controls based on the classification. Consistency in classification criteria helps ensure that data is properly protected across the organization.

293
Q

Which of the following is NOT a common type of encryption algorithm?
A. AES
B. RSA
C. SHA-256
D. HMAC

A

Answer: D. HMAC

Explanation: HMAC (Hash-based Message Authentication Code) is a cryptographic hash function, not an encryption algorithm. The three common encryption algorithms listed are commonly used for encryption and decryption.

294
Q

Which of the following is a key principle of secure incident response?
A. Ignoring minor incidents to focus on major incidents
B. Minimizing response time to all incidents
C. Conducting thorough post-incident analysis and review
D. Assigning blame and punishing those responsible

A

Answer: C. Conducting thorough post-incident analysis and review

Explanation: Conducting thorough post-incident analysis and review is a key principle of secure incident response. Incident response involves detecting, analyzing, and responding to security incidents, and conducting a post-incident analysis and review helps identify areas for improvement and strengthen the organization’s security posture.

295
Q

Which of the following is essential when implementing secure data storage?
A. Maximizing data availability
B. Using open data formats and standards
C. Securing data at rest and in transit
D. Storing all data on a single device or platform

A

Answer: C. Securing data at rest and in transit

Explanation: Securing data at rest and in transit is a key consideration when implementing secure data storage. Data must be protected against unauthorized access or disclosure, whether stored on disk or transmitted across the network. Encryption and access controls are commonly used to secure data at rest and in transit.

296
Q

Which of the following is a key concept of risk management?
A. Avoid all risks
B. Accept all risks
C. Transfer all risks
D. Risk decisions should be based on the impact on the business

A

Answer: D. Risk decisions should be based on the impact on the business.

Explanation: Risk decisions should be made case by case, considering the unique context and potential impact on the business. A one-size-fits-all approach to risk management is not effective. Instead, an organization should evaluate each risk regarding its potential impact and decide the most appropriate risk response strategy: accept, avoid, transfer, or mitigate.

297
Q

What is the purpose of data classification?
A. To ensure data privacy
B. To ensure data integrity
C. To ensure data availability
D. To facilitate appropriate levels of protection based on value or sensitivity

A

Answer: D. To facilitate appropriate levels of protection based on value or sensitivity.

Explanation: Data classification is essential to an organization’s information security strategy. By classifying data, organizations can apply appropriate levels of protection to sensitive information and ensure that resources are allocated efficiently.

298
Q

What is the primary purpose of a firewall in network security?
A. To facilitate network routing
B. To control network traffic based on predetermined security rules
C. To encrypt network traffic
D. To store network data

A

Answer: B. To control network traffic based on predetermined security rules

Explanation: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. It is a critical piece of a network security infrastructure and can help prevent unauthorized access to or from a network.

299
Q

What is the primary aspect of security in the Software Development Life Cycle?
A. Using a single programming language
B. Testing the software only at the end of the development
C. Integrating security throughout the life cycle, including design, development, and testing
D. Ignoring security during development and adding it later

A

Answer: C. Integrating security throughout the life cycle, including design, development, and testing.

Explanation: Security should be a key consideration throughout the entire software development life cycle, not just at the end. This approach, often called “security by design,” helps ensure that security is integrated into the software from the ground up and can help identify and mitigate vulnerabilities early in the development process.

300
Q

Which type of access control model uses labels and levels of protection to determine access?
A. Role-based access control (RBAC)
B. Discretionary access control (DAC)
C. Mandatory access control (MAC)
D. None of the above

A

Answer: C. Mandatory access control (MAC)

Explanation: Mandatory access control (MAC) uses labels (often reflecting different sensitivity levels, such as confidential, secret, and top secret) to determine access. In a MAC model, users do not have the discretion to determine who has access to the
information they own or control.

301
Q

What is the primary goal of a business continuity plan (BCP)?
A. To provide a framework for building network infrastructure
B. To establish steps to take for immediate response to a security incident
C. To ensure the continuation of business processes during and after a disruption
D. To provide a framework for prosecuting hackers

A

Answer: C. To ensure the continuation of business processes

Explanation: The primary goal of a business continuity plan (BCP) is to ensure the continuation of business processes during and after a disruption. The BCP is a comprehensive plan to maintain or resume business during a disruption.

302
Q

In the context of cryptography, what does “integrity” ensure?
A. That the data is accessible when needed
B. That the data has not been altered during transmission
C. That the data is kept confidential
D. That the sender of the data can be authenticated

A

Answer: B. That the data has not been altered during transmission

Explanation: In cryptography, “integrity” ensures that the data has not been altered during transmission. Alteration can be accidental, such as data corruption during transmission, or intentional, such as a malicious attack.

303
Q

What is the primary purpose of penetration testing?
A. To gain unauthorized access to systems for malicious purposes
B. To evaluate the effectiveness of security controls
C. To troubleshoot network connectivity issues
D. To monitor network traffic in real time

A

Answer: B. Evaluate the effectiveness of security controls

Explanation: The primary purpose of penetration testing is to evaluate the effectiveness of security controls by simulating an attack. By identifying vulnerabilities and testing security measures, organizations can better understand their security posture and make informed decisions about risk management.

304
Q

What is a key concept of identity and access management?
A. Granting every user full access to all systems
B. Granting users the minimum access necessary to perform their job function
C. Not revoking access rights when a user changes roles
D. Allowing shared accounts for convenience

A

Answer: B. Granting users the minimum access necessary to perform their job function

Explanation: A key principle of Identity and Access Management is granting users the minimum access necessary to perform their job functions. This principle, known as the principle of least privilege, is critical for reducing the risk of unauthorized access or actions.

305
Q

Which one of the following is NOT a part of the CIA triad in information security?
A. Confidentiality
B. Integrity
C. Availability
D. Authenticity

A

Answer: D. Authenticity

Explanation: The CIA triad in information security stands for confidentiality, integrity, and availability. While authenticity is an important concept in information security, it is not a part of the CIA triad.

306
Q

What does the term “least privilege” mean in the context of information security?
A. Granting users only the permissions they need to perform their job functions
B. Giving all users the same level of access to information
C. Limiting access to information to the highest ranking individuals in an organization
D. Granting all users full access to information but tracking their activities

A

Answer: A. Granting users only the permissions they need to perform their job functions

Explanation: The principle of least privilege is a computer security concept in which users are given the minimum access necessary to complete their job functions. This helps to reduce the potential damage caused by errors or malicious actions.

307
Q

Which of the following best describes “phishing”?
A. A method of securing a network by blocking certain websites
B. An attack that involves sending deceptive emails to trick individuals into revealing sensitive information
C. A physical security measure used to protect sensitive information
D. A type of malware that replicates itself across a network

A

Answer: B. An attack that involves sending deceptive emails to trick individuals into revealing sensitive information

308
Q

What does “IDS” stand for in the context of information security?
A. Information Data System
B. Integrated Defense Strategy
C. Intrusion Detection System
D. Internal Domain Security

A

Answer: C. Intrusion detection system

Explanation: In the context of information security, IDS stands for intrusion detection system: a device or software application that monitors a network or systems for malicious activity or policy violations.

309
Q

What type of security control is a biometric scanner?
A. Physical
B. Technical
C. Administrative
D. Operational

A

Answer: B. Technical

Explanation: A biometric scanner is a technical security control. Technical controls are often hardware or software tools, such as firewalls, encryption, and authentication mechanisms like biometric scanners, designed to protect systems and data.

310
Q

What are the three primary components of risk?
A. Threat, consequence, vulnerability
B. Impact, threat, vulnerability
C. Asset, threat, impact
D. Asset, impact, consequence

A

Answer: B. Impact, threat, vulnerability

Explanation: Risk is typically composed of three components: threat (a potential cause of an incident that may result in harm), vulnerability (a weakness that can be exploited by a threat), and impact (the potential harm caused by a threat exploiting a vulnerability).

311
Q

Which risk treatment option involves an organization deciding to tolerate a risk without implementing additional controls?
A. Risk avoidance
B. Risk mitigation
C. Risk transfer
D. Risk acceptance

A

Answer: D. Risk acceptance

Explanation: Risk acceptance is when an organization decides to acknowledge a risk but does not implement additional controls or measures to address it. The other options (avoidance, mitigation, and transfer) all involve taking some action to address the risk.

312
Q

Which of the following is NOT a component of the ISC2 Code of Ethics?
A. Protect society and the infrastructure
B. Act honorably, honestly, and legally
C. Provide diligent and competent service
D. Prioritize personal gain over professional duties

A

Answer: D. Prioritize personal gain over professional duties

Explanation: The ISC2 Code of Ethics includes the principles of protecting society and the infrastructure; acting honorably, honestly, and legally; and providing diligent and competent service. Prioritizing personal gain over professional duties is contrary to the ethical principles outlined by ISC2.

313
Q

In the context of business continuity and disaster recovery planning, what does it mean to “identify critical business functions”?
A. Determining the most essential functions and processes of the organization
B. Identifying potential disruptions to business functions
C. Implementing recovery plans for all business functions
D. Regularly testing business functions for potential disruptions

A

Answer: A. Determining the most essential functions and processes of the organization

Explanation: Identifying critical business functions involves determining the most essential functions and processes of the organization, which should be prioritized for recovery during an incident. This is a crucial first step in business continuity and disaster recovery planning. The other options are also part of the planning process, but they do not define what it means to “identify critical business functions.”

314
Q

Which of the following best describes a qualitative risk assessment?
A. It uses numerical values to estimate risk.
B. It relies on subjective judgments to rank risk.
C. It calculates the financial value of a risk.
D. It identifies the vulnerabilities that might be exploited by threats.

A

Answer: B. It relies on subjective judgments to rank risk.

Explanation: A qualitative risk assessment uses subjective judgments and expert opinions to rank risks, often categorizing them as low, medium, or high. In contrast, a quantitative risk assessment uses numerical values and calculations to estimate risks.

315
Q

What does the asset valuation method of “business impact” involve?
A. Calculating the cost of maintaining or replacing an asset
B. Determining the asset’s worth based on market demand
C. Evaluating the potential impact on operations if the asset is compromised
D. Considering the asset’s contribution to the organization’s intellectual property

A

Answer: C. Evaluating the potential impact on operations if the asset is compromised

Explanation: The “business impact” asset valuation method involves evaluating the potential impact on the organization’s operations, reputation, or bottom line if the asset is compromised. The other options correspond to different asset valuation methods: “financial value,” “market value,” and “intangible value,” respectively.

316
Q

Which of the following is NOT a key element of effective risk communication and reporting?
A. Clarity
B. Timeliness
C. Consistency
D. Complexity

A

Answer: D. Complexity

Explanation: Effective risk communication and reporting should be clear, timely, and consistent. Complexity, particularly in the form of jargon and technical terms, can actually hinder effective communication and should be avoided when possible.

317
Q

Which of the following activities is NOT involved in regular risk monitoring and review?
A. Tracking risk treatment progress
B. Reviewing risk assessments
C. Analyzing incident reports
D. Implementing risk treatment plans

A

Answer: D. Implementing risk treatment plans

Explanation: Regular risk monitoring and review involves tracking risk treatment progress, reviewing risk assessments, and analyzing incident reports. Implementing risk treatment plans is part of risk treatment, not monitoring and review.

318
Q

In the context of compliance and regulatory considerations, what does it mean to “conduct compliance audits”?
A. Determine which laws and regulations apply to the organization
B. Establish policies and procedures that address legal and regulatory requirements
C. Perform regular assessments of the organization’s adherence to relevant laws and regulations
D. Develop and maintain incident response plans

A

Answer: C. Perform regular assessments of the organization’s adherence to relevant laws and regulations

Explanation: Conducting compliance audits involves performing regular assessments to check if the organization is adhering to relevant laws and regulations. This process helps to identify any deviations or noncompliance issues, which can then be addressed to avoid legal penalties, reputational damage, and other negative consequences. Options A, B, and D are all important components of a compliance program but do not accurately define the term “conduct compliance audits.”

319
Q

Which one of the following is not a risk treatment option?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk expansion

A

Answer: D. Risk expansion

Explanation: Risk expansion is not a recognized risk treatment option. The commonly accepted risk treatment options are risk acceptance, risk avoidance, risk mitigation, and risk transfer.

320
Q

What does FAIR in the risk management framework stand for?
A. Factual Analysis of Intrinsic Risk
B. Factor Analysis of Information Risk
C. Formal Assessment of Incident Response
D. Functional Analysis of Infrastructure Resilience

A

Answer: B. Factor Analysis of Information Risk

Explanation: FAIR stands for Factor Analysis of Information Risk. It offers a quantitative approach to risk management, enabling organizations to measure and prioritize risks using financial terms.

321
Q

What does the risk treatment option “risk transfer” involve?
A. Eliminating the risk by discontinuing the activity that causes it
B. Acknowledging the risk and deciding to tolerate it
C. Implementing controls to reduce the risk
D. Transferring the risk to a third party

A

Answer: D. Transferring the risk to a third party

Explanation: Risk transfer involves shifting the risk to a third party, such as an insurance company or a service provider.

322
Q

Which of the following is not a type of control used in risk mitigation strategies?
A. Technical controls
B. Administrative controls
C. Physical controls
D. Emotional controls

A

Answer: D. Emotional controls

Explanation: Risk mitigation strategies involve technical, administrative, and physical controls. Emotional controls are not a recognized type of control in risk mitigation.

323
Q

Which of the following is not a part of the risk assessment process?
A. Identify assets
B. Identify threats
C. Identify vulnerabilities
D. Assess operational efficiency

A

Answer: D. Assess operational efficiency

Explanation: The risk assessment process involves identifying assets, threats, and vulnerabilities, assessing the potential impact and likelihood of each threat-vulnerability pair, and prioritizing risks. Assessing operational efficiency is not part of this process.

324
Q

What is the primary purpose of business continuity and disaster recovery planning?
A. To prevent disasters from occurring
B. To prepare for, respond to, and recover from disruptions or disasters
C. To eliminate all risks associated with the organization
D. To ensure all staff are trained in emergency procedures

A

Answer: B. To prepare for, respond to, and recover from disruptions or disasters

Explanation: The primary purpose of business continuity and disaster recovery planning is to prepare for, respond to, and recover from disruptions or disasters. While prevention is ideal, it is not always possible, hence the need for preparation, response, and recovery plans.

325
Q

Which asset valuation methodology considers the asset’s contribution to the organization’s intellectual property, customer trust, or competitive advantage?
A. Financial value
B. Business impact
C. Market value
D. Intangible value

A

Answer: D. Intangible value

Explanation: Intangible value considers the asset’s contribution to the organization’s intellectual property, customer trust, or competitive advantage. These aspects may not have a direct monetary value but are critical to the organization’s success.

326
Q

What does the “canons” in the ISC2 Code of Ethics refer to?
A. A list of security technologies
B. A set of fundamental principles
C. A set of regulatory laws
D. A list of cybersecurity certifications

A

Answer: B. A set of fundamental principles

Explanation: The “canons” in the ISC2 Code of Ethics refer to a set of fundamental principles that guide the ethical and professional behavior of information security professionals.

327
Q

What is the primary difference between risk acceptance and risk avoidance?
A. Risk acceptance eliminates the risk, while risk avoidance tolerates the risk.
B. Risk acceptance tolerates the risk, while risk avoidance eliminates the risk.
C. Risk acceptance transfers the risk, while risk avoidance mitigates the risk
D. Risk acceptance mitigates the risk, while risk avoidance transfers the risk.

A

Answer: B. Risk acceptance tolerates the risk, while risk avoidance eliminates the risk.

Explanation: Risk acceptance involves acknowledging and deciding to tolerate the risk, whereas risk avoidance involves eliminating the risk by discontinuing the activity or process that causes it.

328
Q

Which of the following is not typically included in a comprehensive enterprise risk management program according to the COSO ERM framework?
A. Risk governance and culture
B. Risk strategy and objective setting
C. Risk in execution and performance
D. Risk in product design and marketing

A

Answer: B. Risk in product design and marketing

Explanation: The COSO ERM framework includes principles and guidance focusing on risk governance and culture, strategy and objective setting, and risk in execution and performance. Risk in product design and marketing, while important, is not specifically mentioned in the framework.

329
Q

In the context of risk management, what is the primary role of a quantitative risk assessment?
A. To make subjective judgments about risks
B. To rank risks based on expert opinion
C. To use numerical values to estimate risks
D. To categorize risks as low, medium, or high

A

Answer: C. To use numerical values to estimate risks

Explanation: Quantitative risk assessment uses numerical values and calculations to estimate potential risks, often in terms of potential financial impact.

330
Q

Which of the following is not a primary component of risk, as defined in risk management?
A. Threats
B. Vulnerabilities
C. Impacts
D. Controls

A

Answer: D. Controls

Explanation: Controls are not a component of risk but are measures taken to mitigate risk. The primary components of risk are threats, vulnerabilities, and potential impacts.

331
Q

What does the NIST SP 800-37 framework primarily provide guidelines for?
A. Implementing an information security risk management process
B. Implementing a risk management process for federal information systems
C. Providing a quantitative approach to risk management
D. Developing a comprehensive enterprise risk management program

A

Answer: B. Implementing a risk management process for federal information systems

Explanation: The NIST SP 800-37 framework primarily provides guidelines for implementing a risk management process for federal information systems.

332
Q

What is one key element of effective risk communication and reporting?
A. Using complex technical terms to explain risks
B. Communicating risks as infrequently as possible
C. Presenting information in a clear and understandable
D. Presenting information in a clear and understandable manner

A

Answer: D. Presenting information in a clear and understandable manner

Explanation: Effective risk communication and reporting involve presenting risk-related information clearly, timely, and concisely. This allows stakeholders at all levels, regardless of their technical expertise, to comprehend the risks and make informed decisions. Option A is incorrect as complex technical terms can make the information harder to understand, especially for nontechnical stakeholders. Option B is also incorrect as frequent communication of risk-related information is crucial to keep all stakeholders informed and aware of the current risk landscape.

333
Q

In the context of risk management, why is it important to integrate risk management into an organization’s business processes?
A. It helps to increase the number of risks the organization faces.
B. It allows risk considerations to be part of decision-making processes and overall business strategy.
C. It ensures that risks are only handled by the risk management department.
D. It reduces the need for regular risk monitoring and review.

A

Answer: B. It allows risk considerations to be part of decision-making processes and overall business strategy.

Explanation: Integrating risk management into an organization’s business processes ensures that risk considerations are incorporated into all aspects of the business, including decision-making processes, resource allocation, and strategic planning. This approach promotes a risk-aware culture and allows the organization to proactively manage risks rather than reactively responding to them.

334
Q

Which of the following best describes risk acceptance?
A. The organization reduces the risk by implementing controls.
B. The organization acknowledges the risk and decides to tolerate it.
C. The organization transfers the risk to a third party.
D. The organization eliminates the risk source.

A

Answer: B. The organization acknowledges the risk and decides to tolerate it.

Explanation: Risk acceptance involves acknowledging risk and deciding to tolerate it without implementing additional controls. This typically occurs when the cost of mitigating the risk exceeds the potential benefit or when the risk is deemed to have a low impact on the organization.

335
Q

What is the primary purpose of asset valuation in the context of risk management?
A. To estimate the direct monetary value of an asset
B. To identify potential threats to the asset
C. To assess the potential impact and likelihood of threats to the asset
D. To prioritize the asset for risk treatment

A

Answer: A. To estimate the direct monetary value of an asset

Explanation: Asset valuation involves assigning a value to an organization’s assets, such as hardware, software, data, or personnel. This value can be based on various factors, including the cost of purchasing, maintaining, or replacing the asset; its potential impact on the organization’s operations or reputation; its market value; or its intangible value.

336
Q

Which of the following is a key component of effective risk communication and reporting?
A. Using complex technical terms and jargon
B. Communicating risks and risk management activities irregularly
C. Tailoring the content and format of risk reports to the needs of the intended audience
D. Keeping risk communication and reporting inconsistent across the organization

A

Answer: C. Tailoring the content and format of risk reports to the needs of the intended audience

Explanation: Effective risk communication and reporting should be tailored to the needs and preferences of the intended audience. This includes presenting information in a clear, concise, and understandable manner; communicating risks and risk management activities regularly; and maintaining consistency in risk communication and reporting across the organization.

337
Q

What is the main goal of business continuity and disaster recovery planning?
A. To eliminate all risks faced by the organization
B. To ensure that the organization can continue operating during and after a disruption or disaster
C. To prioritize risks for treatment
D. To transfer the financial risk of a disruption or disaster to a third party

A

Answer: B. To ensure that the organization can continue operating during and after a disruption or disaster

Explanation: Business continuity and disaster recovery planning aim to ensure that an organization can continue its critical operations during and after a disruption or disaster. This involves identifying critical business functions, assessing potential disruptions, developing recovery strategies, implementing recovery plans, and regularly testing and maintaining these plans.

338
Q

According to the ISC2 Code of Ethics, which of the following is a primary ethical obligation of a security professional?
A. To advance one’s own professional interests
B. To provide diligent and competent service to principals
C. To avoid service to the community
D. To use their skills primarily for personal gain

A

Answer: B. To provide diligent and competent service to principals

Explanation: According to the ISC2 Code of Ethics, a primary ethical obligation of a security professional is to provide diligent and competent service to principals. This means that security professionals should strive to serve their employers, clients, and other stakeholders with the highest level of professionalism.

339
Q

Which of the following is not a type of control mentioned in the risk mitigation strategies?
A. Technical
B. Administrative
C. Physical
D. Spiritual

A

Answer: D. Spiritual

340
Q

Which of the following is a key component of the risk monitoring and review process?
A. Ignoring risk treatment progress
B. Avoiding reviewing risk assessments
C. Tracking risk treatment progress
D. Omitting incident report analysis

A

Answer: C. Tracking risk treatment progress

Explanation: Tracking risk treatment progress is a key component of the risk monitoring and review process. Other elements include reviewing risk assessments, analyzing incident reports, and evaluating the overall effectiveness of the risk management program.

341
Q

How does integrating risk management into an organization’s business processes benefit the organization?
A. It decreases the organization’s profitability.
B. It ensures that risk considerations are part of decision-making processes.
C. It eliminates all the risks faced by the organization.
D. It restricts stakeholder involvement.

A

Answer: B. It ensures that risk considerations are part of decision-making processes.

Explanation: Integrating risk management into an organization’s business processes helps ensure that risk considerations are part of decision-making processes, resource allocation, and overall business strategy. This can help the organization make better informed decisions and mitigate potential risks more effectively.

342
Q

Which of the following activities is not a part of compliance and regulatory considerations?
A. Identifying applicable laws and regulations
B. Developing policies and procedures
C. Ignoring compliance audits
D. Implementing incident response plans

A

Answer: C. Ignoring compliance audits

Explanation: Ignoring compliance audits is not a part of compliance and regulatory considerations. Regular audits are important for assessing the organization’s compliance with relevant laws and regulations and identifying potential gaps or areas for improvement.

343
Q

Which of the following risk treatment options involves transferring the risk to a third party?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transfer

A

Answer: D. Risk transfer

Explanation: Risk transfer is a risk treatment option that involves transferring the risk to a third party, such as an insurance company or a service provider.

344
Q

What does the intangible value of an asset refer to in the context of asset valuation methodologies?
A. The asset’s direct monetary value
B. The asset’s market demand
C. The asset’s contribution to the organization’s intellectual property or customer trust
D. The asset’s impact on the organization’s operations

A

Answer: C. The asset’s contribution to the organization’s intellectual property or customer trust

Explanation: The intangible value of an asset refers to nonmonetary aspects such as its contribution to the organization’s intellectual property, customer trust, or competitive advantage.

345
Q

What is the most effective method to ascertain the value of an intangible asset?
A. Calculate the physical storage costs and multiply by the company’s projected lifespan
B. Engage a financial or accounting expert to determine the asset’s profit returns
C. Examine the intangible asset’s depreciation over the previous three years
D. Refer to the historical cost of acquiring or developing the intangible asset

A

Answer: B. Engage a financial or accounting expert to determine the asset’s profit returns

Explanation: The value of an intangible asset is best determined by assessing its economic benefits, such as the profits it generates. A financial or accounting professional would be most equipped to calculate this.

346
Q

What is the key characteristic of qualitative risk assessment?
A. It can be executed easily and by individuals with basic knowledge of the risk assessment process.
B. It can be executed by individuals with basic knowledge of risk assessment and utilizes specific metrics for risk calculation.
C. It uses specific metrics for risk calculation and can be easily implemented.
D. It can be done by individuals with limited risk assessment knowledge and utilizes specific metrics for risk calculation.

A

Answer: A. It can be executed easily and by individuals with basic knowledge of the risk assessment process.

Explanation: Qualitative risk assessment is characterized by its simplicity and the ability to be performed by individuals with a basic understanding of the process. It does not rely heavily on specific metrics or calculations; rather, it uses descriptions or categories to assess and prioritize risks.

347
Q

How is Single Loss Expectancy (SLE) computed?
A. By multiplying the asset value and the Annualized Rate of Occurrence (ARO)
B. By using asset value, Local Annual Frequency Estimate (LAFE), and Standard Annual Frequency Estimate (SAFE)
C. By multiplying the asset value and exposure factor
D. By using the Local Annual Frequency Estimate and the Annualized Rate of Occurrence

A

Answer: C. By multiplying the asset value and exposure factor

Explanation: Single Loss Expectancy (SLE) is calculated by multiplying the asset value (how much the asset is worth) by the exposure factor (the proportion of the asset that is lost in the event of an incident).

348
Q

What are the factors to consider when deciding on the type of risk assessment to perform?
A. Organizational culture, probability of exposure, and budget
B. Budget, resource capabilities, and probability of exposure
C. Resource capabilities, probability of exposure, and budget
D. Organizational culture, budget, and resource capabilities

A

Answer: D. Organizational culture, budget, and resource capabilities

Explanation: The type of risk assessment to be performed in an organization is influenced by various factors. These include the organizational culture (which can determine the acceptance and understanding of the assessment process), the available budget (which can limit or extend the scope and depth of the assessment), and resource capabilities (which can impact the ability to perform certain types of assessments). While the probability of exposure is a factor in risk assessment, it is part of the assessment process itself rather than a determining factor in the type of risk assessment to be conducted.

349
Q

What does security awareness training encompass?
A. Legal security compliance objectives
B. Security roles and responsibilities of staff
C. High-level results of vulnerability assessments
D. Specialized curriculum tasks, coursework, and an accredited institution

A

Answer: B. Security roles and responsibilities of staff

Explanation: Security awareness training typically covers the roles and responsibilities of staff regarding security. It aims to equip them with the knowledge they need to recognize and respond appropriately to security threats.

350
Q

What is the purpose of a signed user acknowledgment of the corporate security policy?
A. To ensure that users have read the policy
B. To ensure that users understand the policy, as well as the consequences of not adhering to the policy
C. Can be waived if the organization is satisfied that users have a good understanding of the policy
D. To protect the organization if a user’s behavior violates the policy

A

Answer: D. To protect the organization if a user’s behavior violates the policy

Explanation: While all options may have some relevance, a signed user acknowledgment of the corporate security policy primarily helps protect the organization if a user’s behavior violates the policy. It serves as documented evidence that the user was aware of the policy and the associated consequences of noncompliance.

351
Q

What does effective security management accomplish?
A. Achieves security at the lowest cost
B. Reduces risk to an acceptable level
C. Prioritizes security for new products
D. Implements patches in a timely manner

A

Answer: B. Reduces risk to an acceptable level

Explanation: Effective security management focuses on mitigating risk to a level that is acceptable to the organization, balancing the cost of risk mitigation with the potential impact of security incidents. While cost control, prioritization for new products, and timely patching are important, they are part of a broader strategy aimed at risk reduction.

352
Q

What threats does the principle of availability protect information from?
A. Denial-of-service attacks, fires, floods, hurricanes, and unauthorized transactions
B. Fires, floods, hurricanes, unauthorized transactions, and unreadable backup tapes
C. Unauthorized transactions, fires, floods, hurricanes, and unreadable backup tapes
D. Denial-of-service attacks, fires, floods, hurricanes, and unreadable backup tapes

A

Answer: D. Denial-of-service attacks, fires, floods, hurricanes, and unreadable backup tapes

Explanation: The principle of availability in information security is concerned with ensuring that authorized users have access to data and resources when needed. This involves protection against a variety of threats including denial-of-service attacks; natural disasters like fires, floods, and hurricanes; and technical issues such as unreadable backup tapes.

353
Q

To maintain impartiality, the security officer could report to which of the following?
A. CEO, application development, or CFO
B. Chief Information Officer, CFO, or application development
C. CFO, CEO, or Chief Information Officer
D. Application development, CFO, or CEO

A

Answer: C. CFO, CEO, or Chief Information Officer

Explanation: To avoid bias and ensure independence, a security officer could report directly to top-level management such as the Chief Financial Officer (CFO), Chief Executive Officer (CEO), or the Chief Information Officer (CIO). This arrangement helps to ensure that security concerns are addressed at the highest level of decision-making.

354
Q

What is the best use of tactical security plans?
A. To establish high-level security policies
B. To enable enterprise-wide security management
C. To minimize downtime
D. To deploy new security technology

A

Answer: D. To deploy new security technology

Explanation: Tactical security plans are typically used to guide the implementation of specific security measures, such as the deployment of new security technologies. These plans have a shorter time horizon than strategic security plans and are more detailed, focusing on the practical aspects of implementing security measures.

355
Q

Who is responsible for the implementation of information security?
A. Everyone
B. Senior management
C. Security officer
D. Data owners

A

Answer: A. Everyone

Explanation: While specific roles like the security officer, senior management, and data owners have key responsibilities, implementing information security is a shared responsibility. Everyone in an organization has a part to play in maintaining security, from following established policies to reporting potential security incidents.

356
Q

In which phase is security likely to be the most costly?
A. Design
B. Rapid prototyping
C. Testing
D. Implementation

A

Answer: D. Implementation

Explanation: Implementing security measures often involves significant costs, including the purchase of security hardware or software, hiring or training staff, and potential disruptions to business operations. It’s generally more cost-effective to consider security early in the design phase, where potential issues can be addressed before they become expensive problems during implementation.

357
Q

What attributes should a security policy have to remain relevant and meaningful over time?
A. Directive words such as shall, must, or will, technical specifications, and should be short in length
B. A defined policy development process, should be short in length, and contain directive words such as shall, must, or will
C. Short in length, contain technical specifications, and directive words such as shall, must, or will
D. Directive words such as shall, must, or will, a defined policy development process, and is short in length

A

Answer: D. Directive words such as shall, must, or will, a defined policy development process, and is short in length

Explanation: A security policy that remains meaningful over time is one that is clear and concise, has a defined policy development and review process, and uses directive words to clearly communicate the requirements. It doesn’t necessarily need to contain detailed technical specifications, as these may change over time and could make the policy less adaptable and more difficult to maintain.

358
Q

Which among the following best describes an intangible asset’s valuation process?
A. Multiplying the physical storage costs by the company’s expected lifespan
B. Collaborating with finance or accounting professionals to ascertain the profit returned by the asset
C. Reviewing the intangible asset’s depreciation over the past three years
D. Using the historical acquisition or development cost of the intangible asset

A

Answer: B. Collaborating with finance or accounting professionals to ascertain the profit returned by the asset

Explanation: The value of an intangible asset is often best determined by its ability to generate profit. Therefore, working with finance or accounting
professionals to ascertain the profit returned by the asset is typically the most effective approach.

359
Q

Which principle is violated if one individual in the finance department has the ability to add vendors to the vendor database and subsequently make
payments to the vendor?
A. A well-formed transaction
B. Separation of duties
C. Least privilege
D. Data sensitivity level

A

Answer: B. Separation of duties

Explanation: The separation of duties principle is designed to prevent errors and fraud that might be possible when only one person is in control of all parts of a process. Here, allowing one person to both add vendors and make payments could lead to fraudulent transactions. Hence, this scenario is a violation of the separation of duties principle.

360
Q

What is the best way to mitigate collusion?
A. Job rotation
B. Data classification
C. Defining job sensitivity level
D. Least privilege

A

Answer: A. Job rotation

Explanation: Collusion is the act of collaborating fraudulently within an organization to deceive or defraud. Job rotation, which involves moving
employees between different roles, is a good way to prevent collusion because it reduces the opportunity for long-term manipulation in any single position.

361
Q

Who is best suited to make decisions about data access?
A. User managers
B. Data owners
C. Senior management
D. Application developers

A

Answer: B. Data owners

Explanation: Data owners, the individuals or entities responsible for the data’s security and use, are best suited to make decisions about data access. They understand the data’s sensitivity and the potential risks of unauthorized access. While other stakeholders may have input, the ultimate decision should lie with the data owner.

362
Q

What is the most significant source of cybercrime risk?
A. Outsiders
B. Nation-states
C. Insiders
D. Script kiddies

A

Answer: C. Insiders

Explanation: Although cybercrime can come from various sources, the greatest risk often comes from insiders. These are individuals who have legitimate access to the system and can misuse it for harmful activities. Insider threats are difficult to detect and can cause substantial damage.

363
Q

What is the primary obstacle in combating computer crime?
A. Computer criminals are generally smarter than computer investigators.
B. Adequate funding to stay ahead of the computer criminals.
C. Activity associated with computer crime is truly international.
D. There are so many more computer criminals than investigators that it is impossible to keep up.

A

Answer: C. Activity associated with computer crime is truly international.

Explanation: The international nature of computer crime is a major hindrance to fighting it. Jurisdictional issues, differences in laws across countries, and the sheer scope of the Internet make it challenging to
investigate and prosecute cybercrimes effectively.

364
Q

What discipline does computer forensics combine with computer science, information technology, and engineering?
A. Law
B. Information systems
C. Analytical thought
D. The scientific method

A

Answer: A. Law

Explanation: Computer forensics is a multidisciplinary field that combines computer science, information technology, and engineering with law. The goal is to gather and analyze data in a way that is legally admissible.

365
Q

Which principle allows an investigator to identify aspects of a person responsible for a crime, based on the residual traces left behind while stealing information?
A. Meyer’s principle of legal impunity
B. Criminalistic principles
C. IOCE/Group of 8 Nations principles for computer forensics
D. Locard’s principle of exchange

A

Answer: D. Locard’s principle of exchange

Explanation: Locard’s exchange principle states that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence. This principle is applicable to cybercrimes, where digital traces can be left behind.

366
Q

Which of the following is a part of the fundamental principles of evidence?
A. Authenticity, redundancy, and admissibility
B. Completeness, authenticity, and admissibility
C. Completeness, redundancy, and authenticity
D. Redundancy, admissibility, and completeness

A

Answer: B. Completeness, authenticity, and admissibility

Explanation: The five cardinal rules of evidence include completeness, authenticity, admissibility, accuracy, and reasonableness. Hence, option B is correct as it contains three of these principles.

367
Q

Which of the following is not listed as a stage in incident response?
A. Documentation
B. Prosecution
C. Containment
D. Investigation

A

Answer: B. Prosecution

Explanation: While prosecution may be a result of an incident response, it is not a phase in itself. The typical phases of incident response include
preparation, identification, containment, eradication, recovery, and lessons learned/documentation.

368
Q

Which type of law primarily focuses on the abstract concepts and is greatly influenced by the writings of legal scholars and academics?
A. Criminal law
B. Civil law
C. Religious law
D. Administrative law

A

Answer: B. Civil law

Explanation: Civil law, also known as Roman law, is primarily based on written codes, statutes, and legal principles developed by legal scholars and academics. It emphasizes abstract concepts of law.

369
Q

Which category of intellectual property protection covers the expression of ideas rather than the ideas themselves?
A. Trademark
B. Patent
C. Copyright
D. Trade secret

A

Answer: C. Copyright

Explanation: Copyright law protects the expression of an idea in a tangible medium, such as a book, song, or software program, rather than the idea itself.

370
Q

Which type of intellectual property safeguards the goodwill that a merchant or vendor invests in its products?
A. Trademark
B. Patent
C. Copyright
D. Trade secret

A

Answer: A. Trademark

Explanation: Trademarks protect brand names, logos, and other identifiers that signify the source of goods or services. The value of a trademark lies in the goodwill and brand recognition that a merchant or vendor builds in its products or services.

371
Q

Which of the following represent types of software licensing?
A. Freeware, open source, and commercial
B. Commercial, academic, and open source
C. Academic, freeware, and open source
D. Freeware, commercial, and academic

A

Answer: D. Freeware, commercial, and academic

Explanation: These are all types of software licensing. Freeware is software that is available free of charge. Commercial software is typically sold for profit. Academic licenses are special types of software licenses designed for educational institutions. These licenses are often offered at a discounted rate and may come with specific terms and conditions that restrict usage to educational purposes only.

372
Q

What is most directly concerned with the rights and duties of individuals and organizations in relation to the gathering, usage, storage, and sharing of personal data?
A. Privacy
B. Secrecy
C. Availability
D. Reliability

A

Answer: A. Privacy

Explanation: Privacy deals with the rights and obligations of individuals and organizations with respect to the collection, use, retention, and
disclosure of personal information.

373
Q

Which of the following subphases are included in the triage process of incident response?
A. Collection, transport, testimony
B. Traceback, feedback, loopback
C. Detection, identification, notification
D. Confidentiality, integrity, availability

A

Answer: C. Detection, identification, notification

Explanation: The initial steps of triage in incident response typically include detection (discovering the incident), identification (understanding the nature of the incident), and notification (informing relevant parties about the incident).

374
Q

The integrity of a forensic bit stream image is verified by
A. Comparing hash totals to the original source
B. Keeping good notes
C. Taking pictures
D. Encrypted keys

A

Answer: A. Comparing hash totals to the original source

Explanation: The integrity of a forensic bit stream image is typically verified by comparing the hash of the image to the hash of the original source. If the hashes match, it verifies that the image is an exact replica of the original.

375
Q

In the context of digital evidence, the crime scene should
A. Remain unaltered at all times
B. Be fully replicable in a legal setting
C. Be located in a single country
D. Have the minimum possible level of contamination

A

Answer: D. Have the minimum possible level of contamination

Explanation: The aim should always be to minimize contamination of the crime scene to maintain the integrity of the digital evidence. This aids in its
admissibility and reliability in a court of law.

376
Q

In the context of outsourcing IT systems
A. All regulatory and compliance requirements must be transferred to the provider.
B. The outsourcing organization is relieved from compliance obligations.
C. The outsourced IT systems are exempt from compliance obligations.
D. The provider is exempt from compliance obligations.

A

Answer: A. All regulatory and compliance requirements must be transferred to the provider.

Explanation: The responsibility for regulatory and compliance requirements lies with the organization, but when outsourcing IT systems, these requirements should be clearly communicated and agreed upon with the provider.

377
Q

How does the ISC2 Code of Ethics address conflicts between canons?
A. There can never be conflicts between canons.
B. Through a process of adjudication.
C. Based on the order of the canons.
D. By having all canon conflicts reviewed by the board of directors.

A

Answer: C. Based on the order of the canons

Explanation: If a conflict arises between the canons in the ISC2 Code of Ethics, they are resolved by giving precedence to the canon that appears
earlier in the list.

378
Q

Which law in the United States requires federal agencies to develop, document, and implement an agency-wide program to provide security for the information systems that support its operations and
assets?
A. Health Insurance Portability and Accountability Act (HIPAA)
B. Gramm-Leach-Bliley Act (GLBA)
C. Federal Information Security Management Act (FISMA)
D. Sarbanes-Oxley Act (SOX)

A

Answer: C. Federal Information Security Management Act (FISMA)

Explanation: The FISMA requires federal agencies to develop, document, and implement an agency-wide program to provide information security for the information systems that support its operations and
assets.

379
Q

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. Which of the following principles is NOT stated in GDPR?
A. Data minimization
B. Consent
C. Data localization
D. Accountability

A

Answer: C. Data localization

Explanation: Data localization is not a principle stated in GDPR. GDPR principles include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity
and confidentiality, and accountability.

380
Q

The _____________ provides guidance for the protection of electronically protected health information.
A. HIPAA Security Rule
B. Sarbanes-Oxley Act
C. Computer Fraud and Abuse Act
D. Federal Information Security Management Act

A

Answer: A. HIPAA Security Rule

Explanation: The HIPAA Security Rule specifically focuses on the protection of electronic protected health information (ePHI).

381
Q

Which of the following laws mandates that organizations must have adequate security measures in place to protect customer data?
A. Sarbanes-Oxley Act (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Data Protection Act (DPA)
D. Federal Information Security Management Act (FISMA)

A

Answer: B. Gramm-Leach-Bliley Act (GLBA)

Explanation: The GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard
sensitive data.

382
Q

The purpose of the _____________ is to ensure the accuracy, fairness, and privacy of the information in a consumer’s credit reports.
A. Fair Credit Reporting Act (FCRA)
B. General Data Protection Regulation (GDPR)
C. Gramm-Leach-Bliley Act (GLBA)
D. Federal Information Security Management Act (FISMA)

A

Answer: A. Fair Credit Reporting Act (FCRA)

Explanation: FCRA is designed to ensure the accuracy, fairness, and privacy of the information in a consumer’s credit reports.

383
Q

What is the primary purpose of the Children’s Online Privacy Protection Act (COPPA)?
A. To regulate how websites collect data about children under 13
B. To regulate how websites collect data about all users
C. To protect children from inappropriate content online
D. To protect the privacy of adults when they use websites

A

Answer: A. To regulate how websites collect data about children under 13

Explanation: COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual
knowledge that they are collecting personal information online from a child under 13 years of age.

384
Q

What is the primary purpose of the Payment Card Industry Data Security Standard (PCI DSS)?
A. To protect customer data during online transactions
B. To ensure the privacy of customer data
C. To ensure the secure disposal of customer data
D. To ensure the security of credit card transactions

A

Answer: D. To ensure the security of credit card transactions

Explanation: PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

385
Q

The _____________ outlines procedures to enhance the protection of critical infrastructure from cyber threats.
A. Executive Order 13636
B. HIPAA Security Rule
C. Federal Information Security Management Act (FISMA)
D. Computer Fraud and Abuse Act

A

Answer: A. Executive Order 13636

Explanation: This executive order establishes a policy to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation,
and economic prosperity.

386
Q

Which law is designed to combat identity theft by requiring businesses to destroy sensitive information derived from consumer reports?
A. Fair and Accurate Credit Transactions Act (FACTA)
B. General Data Protection Regulation (GDPR)
C. Sarbanes-Oxley Act (SOX)
D. Federal Information Security Management Act (FISMA)

A

Answer: A. Fair and Accurate Credit Transactions Act (FACTA)

Explanation: FACTA aims to help consumers protect their data from identity theft. It allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies.

387
Q

Which of the following laws makes it a crime to gain unauthorized access to protected computer systems?
A. Computer Fraud and Abuse Act (CFAA)
B. Fair Credit Reporting Act (FCRA)
C. Federal Information Security Management Act (FISMA)
D. Sarbanes-Oxley Act (SOX)

A

Answer: A. Computer Fraud and Abuse Act (CFAA)

Explanation: The CFAA makes it illegal to intentionally access a computer without authorization or to exceed authorized access and thereby obtain protected information from any protected computer.

388
Q

Imagine you are a cybersecurity analyst for a retail company. The company has assessed that the Single Loss Expectancy (SLE) for a data breach is $500,000. The exposure factor (EF) for such an event is estimated at 0.85, and the Annualized Rate of Occurrence (ARO) is 0.60. Additionally, the residual risk is calculated to be $200,000. Based on
these metrics, what would be the resulting Annualized Loss Expectancy (ALE) for a data breach?
A. $255,000
B. $510,000
C. $300,000
D. $425,000

A

Answer: D. $425,000.

Explanation: The Annualized Loss Expectancy (ALE) is calculated by first determining the Single Loss Expectancy (SLE), which is the product of the
asset value and the exposure factor (EF). In this case, the SLE would be $500,000 multiplied by 0.85, resulting in $425,000. The ALE is then calculated by multiplying the SLE by the Annualized Rate of Occurrence (ARO), which is 0.60. However, since the ALE is essentially an annualized version of the SLE in this specific scenario, the ALE would also be $425,000. The residual risk of $200,000 is a separate metric that indicates the remaining risk after security measures have been applied and does not directly factor into the ALE calculation for this question.

389
Q

The correct sequence for the following formulas should be
A. ALE, residual risk, SLE, ARO
B. ALE, ARO, SLE, residual risk
C. RO, SLE, ALE, residual risk
D. SLE, ARO, ALE, residual risk

A

Answer: D. SLE, ARO, ALE, residual risk

Explanation: The correct order of these formulas in the context of risk assessment is as follows:
SLE (Single Loss Expectancy): This is calculated first as it represents the monetary loss expected from a single event.
ARO (Annualized Rate of Occurrence): This is the frequency with which a threat is expected to occur within a year.
ALE (Annualized Loss Expectancy): This is calculated by multiplying the SLE by the ARO; hence, it comes after SLE and ARO.
Residual risk: This is the remaining risk after security controls have been applied and is typically assessed after understanding the potential losses
(ALE).
Thus, the proper order is Single Loss Expectancy (SLE),
Annualized Rate of Occurrence (ARO), Annualized Loss
Expectancy (ALE), and then residual risk.

390
Q

What is the duration of copyright protection in both the United States and the European Union?
A. The author’s life plus 20 years
B. The author’s life plus 30 years
C. The author’s life plus 70 years
D. The author’s life plus 100 years

A

Answer: C. The author’s life plus 70 years

Explanation: In both the United States and the European Union, copyright protection generally lasts for the duration of the author’s life plus 70 years.
This time frame provides creators with a substantial period of control over their works, incentivizing further creation and innovation. It’s important to
note that copyright laws can vary by country and type of work, so always refer to specific legislation for accurate information.

391
Q

Which term refers to a flaw, loophole, oversight, or error that leaves an organization open to potential attack or harm?
A. Risk
B. Vulnerability
C. Threat
D. Exploit

A

Answer: B. Vulnerability

Explanation: In the context of information security, a vulnerability refers to a flaw, loophole, oversight, or error in a system that could be exploited to cause harm. This could include software bugs, misconfigurations, weak passwords, etc. Vulnerabilities can be exploited by threats, such as
hackers or malware, to perform unauthorized actions or gain unauthorized access. The process of identifying and addressing these vulnerabilities is a crucial part of any organization’s risk management
and security strategy. The term “weakness” is quite often used when defining vulnerability.

392
Q

Which of the following security documents is the broadest in scope?
A. Procedures
B. Standards
C. Policies
D. Baselines

A

Answer: C. Policies

Explanation: Policies are the most general type of security document. They provide a high-level overview of an organization’s principles, rules, and
expectations regarding information security. Policies set the foundation for all other security documents and guide the development of standards,
procedures, and baselines, which are more specific and detail oriented. They are typically designed to guide decision-making and set the direction for an organization’s information security program.

393
Q

Which role within an organization is responsible for assigning sensitivity labels to information assets?
A. Management
B. The auditor
C. The user
D. The owner

A

Answer: D. The owner

Explanation: Within an organization, the owner of an information asset is typically responsible for assigning sensitivity labels. These labels represent
the asset’s classification level and help guide how the asset should be handled, stored, transmitted, and destroyed. The owner, having the best
understanding of the data’s value and sensitivity, is in the best position to assign these labels.

394
Q

If the cost of implementing a countermeasure exceeds the value of the asset it’s meant to protect, which approach should be preferred?
A. Do nothing
B. Transfer the risk
C. Mitigate the risk
D. Increase the cost of exposure

A

Answer: B. Transfer the risk

Explanation: When the cost of the countermeasure is more than the value of the asset, the most appropriate approach is typically to transfer the risk. This could be through insurance or by using third-party services. In this way, the organization can balance the cost of protection with the value of the asset. This doesn’t mean ignoring the risk (option A) or unnecessarily increasing costs (option D). Mitigating the risk (option C) might still be more expensive than the asset’s value.

395
Q

Which ISO document serves as a standard for information security management?
A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 2779

A

Answer: A. ISO 27001

Explanation: ISO 27001 is the international standard for information security management. It establishes the requirements and best practices for an Information Security Management System (ISMS). The other ISO standards listed here are also part of the ISO 27000 series, but they focus on different aspects of information security. For example, ISO 27002 provides a code of practice for information security controls, while ISO 27004 provides guidelines for the measurement of information security. ISO 27799 provides guidelines for health informatics – information security management in health using ISO/IEC 27002.

396
Q

Which of the following accurately describes the risk management techniques?
A. Risk acceptance, risk transference, risk avoidance, risk mitigation
B. Risk acceptance, risk containment, risk avoidance, risk migration
C. Risk acceptance, risk mitigation, risk containment, risk quantification
D. Risk avoidance, risk migration, risk containment, risk quantification

A

Answer: A. Risk acceptance, risk transference, risk avoidance, risk mitigation

Explanation: The four main risk management techniques are risk acceptance (accepting the potential loss and continuing operations), risk
transference (shifting the potential loss to another party), risk avoidance (eliminating the risk by not engaging in a certain activity), and risk mitigation (reducing the impact of the risk). The other terms mentioned in the options, such as risk containment, risk migration, and risk quantification, are not standard risk management techniques.

397
Q

Which of the following identifies a model that specifically targets security and not governance of an entire enterprise?
A. The Zachman framework
B. COBIT
C. COSO
D. SABSA

A

Answer: D. SABSA

Explanation: The Sherwood Applied Business Security Architecture (SABSA) is a framework and methodology for enterprise security architecture and
service management. It is specifically designed to focus on security, unlike other models like COBIT, COSO, or the Zachman framework, which are
designed for broader governance of an entire enterprise. COBIT (Control Objectives for Information and Related Technologies) and COSO
(Committee of Sponsoring Organizations of the Treadway Commission) are used for IT governance and enterprise risk management, respectively. The Zachman framework is an enterprise architecture framework, which is not specifically focused on security.

398
Q

Which term allows the management to demonstrate that they took necessary steps to prevent negligence in lawsuits, even if their actions weren’t flawless?
A. Due care
B. Prudency
C. Due diligence
D. Threat agent

A

Answer: A. Due care

Explanation: “Due care” refers to the effort made by an ordinarily prudent or reasonable party to prevent harm to another, taking the circumstances into account. It is the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances. In the context of lawsuits, demonstrating “due care” can help management show that they took all necessary precautions, even if the outcomes weren’t perfect. The other options – “prudency,” “due diligence,” and “threat agent” – are not specifically related to this context.

399
Q

Which term refers to the method of gathering information by interviewing individuals anonymously?
A. ISO/IEC 27001
B. Qualitative valuation
C. The Delphi method
D. Quantitative valuation

A

Answer: C. The Delphi method

Explanation: The Delphi method is a structured communication technique, originally developed as a systematic, interactive forecasting method which
relies on a panel of experts. The experts answer questionnaires in multiple rounds. After each round, a facilitator provides an anonymous summary of the experts’ forecasts from the previous round as well as the reasons they provided for their judgments. Thus, the Delphi method involves anonymous interviews or surveys, and it’s used to arrive at a group consensus. The other options – ISO/IEC 27001, qualitative valuation, and quantitative valuation – do not involve interviewing people anonymously.

400
Q

What is the suitable standard for governing third party providers?
A. A nondisclosure agreement (NDA)
B. An acceptable use policy
C. The same level as employee
D. The same level as defined by the ISC2 Code of Ethics

A

Answer: C. The same level as employees

Explanation: Third-party providers should be governed at the same level as employees. This is because they often have access to the same sensitive information and systems as employees and therefore pose a similar risk. They should be subject to the same policies, procedures, and controls as employees to ensure information security. The other options – an NDA, an acceptable use policy, and the ISC2 Code of Ethics – are components of a broader governance strategy, but they are not comprehensive standards for third-party governance.

401
Q

Which term refers to the expected cost associated with a single loss event?
A. Annualized loss expectancy (ALE)
B. Exposure factor (EF)
C. Asset value (AV)
D. Single loss expectancy (SLE)

A

Answer: D. Single loss expectancy (SLE)

Explanation: The Single Loss Expectancy (SLE) represents the monetary loss expected from the occurrence of a risk on an asset once. It is calculated by multiplying the asset’s value (AV) by the exposure
factor (EF), which represents the impact of the risk on the asset. The other terms – ALE, EF, and AV – are also important in risk assessment, but they do not directly represent the expected cost of a single loss event.

402
Q

What is the rationale behind an enterprise reassessing the classification of its data files and records at least once a year?
A. To adhere to the stipulations of the Internet Architecture Board
B. Because the worth of data varies as time progresses
C. Due to the necessity of mitigating new threats
D. To safeguard the data’s confidentiality

A

Answer: B. Because the worth of data varies as time progresses

Explanation: Data’s value can change over time based on its relevance, accuracy, and usefulness to the organization. Therefore, it’s essential to
periodically reevaluate the classification of data files and records. While the other options may influence data management practices, they don’t directly explain why data classification should be reevaluated annually.

403
Q

What should be the primary concern of management when establishing a governance framework?
A. Enhancing profits
B. Evading losses
C. Catering to the needs of the business
D. Ensuring safety

A

Answer: C. Catering to the needs of the business

Explanation: A governance framework should be designed primarily to support the needs of the business. It should guide the organization in
achieving its strategic objectives while managing risks and ensuring compliance. Although maximizing profits, avoiding losses, and ensuring safety are important, they are not the primary purpose of a governance framework.

404
Q

When it comes to forensically examining digital evidence, which is the most accurate description of the priorities?
A. Carry out an analysis of a bit-level duplicate of the disk.
B. Examine the log files on the duplicated disk.
C. Perform steganographic analysis on the duplicated disk.
D. Detect any harmful code present on the duplicated disk.

A

Answer: A. Carry out an analysis of a bit-level duplicate of the disk.

Explanation: When forensically analyzing digital evidence, the first priority is to create and analyze a bit-level clone of the disk. Working on the clone ensures that the original evidence remains unaltered and preserves its admissibility in court; hashing the original and the clone and comparing the digests is how the clone is shown to be a faithful copy. Only after the clone exists should further analysis such as reviewing log files, detecting malicious code, or performing steganographic analysis be done, and it is done on the copy.
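The acquisition step the card describes, as an added example that is not part of the original card: the source is opened read-only and copied block by block, an unreadable block is zero-filled so later offsets stay aligned (the behaviour of dd conv=noerror,sync), and the original is hashed before and after imaging so the examiner can show it was not touched. The sample "disk" is a constructed file of random bytes, and the `unreadable` parameter is this example's own way of simulating bad sectors on an ordinary file.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # read unit; dd bs=4096 would behave the same way


def sha256_file(path):
    """Streaming SHA-256 of a file; this is the digest recorded with the evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, block=BLOCK, unreadable=frozenset()):
    """Copy src to dst block by block, opening the source read-only.

    `unreadable` is a constructed set of block indexes that simulate bad
    sectors so the error path can be exercised on an ordinary file; a real
    device raises OSError on its own. As with dd conv=noerror,sync, a block
    that cannot be read is written as zeros so every later byte keeps the
    offset it has on the original. Returns (bytes_written, bad_block_indexes).
    """
    bad = []
    written = 0
    index = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            try:
                if index in unreadable:
                    raise OSError("simulated unreadable block")
                chunk = fin.read(block)
            except OSError:
                bad.append(index)
                fin.seek((index + 1) * block)  # skip past the bad block
                chunk = b"\x00" * block
            if not chunk:
                break
            fout.write(chunk)
            written += len(chunk)
            index += 1
    return written, bad


def acquire(src, dst, **imaging_options):
    """Hash the original before and after imaging to show it was not altered,
    hash the image, and report it verified only when all three digests match
    and no block had to be zero-filled. Analysis then happens on dst."""
    before = sha256_file(src)
    written, bad = image_device(src, dst, **imaging_options)
    after = sha256_file(src)
    image = sha256_file(dst)
    return {
        "source_before": before,
        "source_after": after,
        "image": image,
        "bytes": written,
        "bad_blocks": bad,
        "source_unaltered": before == after,
        "verified": before == after == image and not bad,
    }


def demo():
    """Acquire a constructed 'disk' of three full blocks plus a partial one,
    once cleanly and once with block 1 simulated as unreadable."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "evidence.raw")
        with open(disk, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 123))  # constructed sample data
        clean = acquire(disk, os.path.join(workdir, "clean.dd"))
        damaged = acquire(disk, os.path.join(workdir, "damaged.dd"), unreadable={1})
    return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, report["verified"], report["bad_blocks"], report["image"])
```

The damaged run is the case a practitioner has to document: the image is the same size as the original and the original's digest is unchanged, but the image digest cannot match, so the bad-block list goes into the acquisition notes rather than the image being called verified.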

405
Q

Which of the following illustrates an instance of self regulation?
A. Sarbanes-Oxley (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. Third-party governance

A

Answer: C. Payment Card Industry Data Security Standard (PCI DSS)

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is an example of self regulation. It is a standard created by the major credit card companies to protect cardholder data, and compliance is enforced by the industry itself rather than by a governmental or external regulatory body. In contrast, Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) are examples of governmental regulation, and third-party governance is a broader concept covering the various mechanisms of control over third-party relationships.

406
Q

What are the possible actions that can be taken with residual risk?
A. It can be either allocated or accepted.
B. It can be either pinpointed or appraised.
C. It can be either lessened or computed.
D. It can be either unveiled or evaluated

A

Answer: A. It can be either allocated or accepted.

Explanation: Residual risk is the remaining risk after controls and mitigation efforts have been applied. This risk can either be accepted (if it’s
within the organization’s risk tolerance) or it can be assigned/transferred to another entity, such as through insurance.

407
Q

Which element does not constitute part of risk analysis?
A. Assets
B. Threats
C. Vulnerabilities
D. Countermeasures

A

Answer: D. Countermeasures

Explanation: Risk analysis involves the identification and assessment of assets, threats, and vulnerabilities. Countermeasures, however, are a response to the identified risk, applied after risk analysis to mitigate the risk. They are not a part of the analysis itself.

408
Q

What is it that security safeguards and controls are incapable of doing?
A. Risk reduction
B. Risk avoidance
C. Risk transfer
D. Risk analysis

A

Answer: D. Risk analysis

Explanation: Security safeguards and controls are used to reduce, avoid, or transfer risk. However, they do not perform risk analysis. Risk analysis is a separate process that identifies and assesses risk, which then informs the appropriate safeguards and controls.

409
Q

The quantity of risk an organization can endure should be based on what?
A. Technological level
B. Acceptable level
C. Affordable level
D. Measurable level

A

Answer: B. Acceptable level

Explanation: The amount of risk an organization can handle or tolerate is based on its acceptable level of risk. This level is determined by factors such as the organization's strategic goals, resources, and risk appetite. While affordability and measurability might influence the decision, the acceptable level is the determining factor.

410
Q

Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.
D. CobiT provides a framework for achieving security goals, whereas ITIL defines a framework for achieving IT service level goals.

A

C. The Control Objectives for Information and related
Technology (CobiT) is a framework developed by the
Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI). It defines goals for
the controls that should be used to properly manage IT and
ensure IT maps to business needs, not specifically just
security needs. The Information Technology Infrastructure
Library (ITIL) is the de facto standard of best practices for IT
service management. A customizable framework, ITIL
provides the goals, the general activities necessary to
achieve these goals, and the input and output values for
each process required to meet these determined goals. In
essence, CobiT addresses “what is to be achieved,” while
ITIL addresses “how to achieve it.”
A is incorrect because, while CobiT can be used as a model
for IT governance, ITIL is not a model for corporate
governance. Actually, Committee of Sponsoring
Organizations of the Treadway Commission (COSO) is a
model for corporate governance. CobiT is derived from the
COSO framework. You can think of CobiT as a way to meet
many of the COSO objectives, but only from the IT
perspective. In order to achieve many of the objectives
addressed in CobiT, an organization can use ITIL, which
provides process-level steps for achieving IT service
management objectives.
B is incorrect because, as previously stated, CobiT can be
used as a model for IT governance, not corporate
governance. COSO is a model for corporate governance. The
second half of the answer is correct. ITIL is a customizable
framework that is available as a series of books or online, for
IT service management.
D is incorrect because CobiT defines goals for the controls
that should be used to properly manage IT and ensure IT
maps to business needs, not just IT security needs. ITIL
provides steps for achieving IT service management goals as
they relate to business needs. ITIL was created because of
the increased dependence on information technology to
meet business needs.

411
Q

Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

A

A. Discontinuing activities that introduce risk is a way of
responding to risk through avoidance. For example, there
are many risks surrounding the use of instant messaging
(IM) in the enterprise. If a company decides not to allow IM
activity because there is not enough business need for its
use, then prohibiting this service is an example of risk
avoidance. Risk assessment does not include the
implementation of countermeasures such as this.
B is incorrect because identifying assets is part of a risk
assessment, and the question asks to identify what is not
included in a risk assessment. In order to determine the
value of assets, those assets must first be identified. Asset
identification and valuation are also important tasks of risk
management.
C is incorrect because identifying threats is part of a risk
assessment, and the question asks to identify what is not
included in a risk assessment. Risk is present because of the
possibility of a threat exploiting a vulnerability. If there were
no threats, there would be no risk. Risk ties the vulnerability,
threat, and likelihood of exploitation to the resulting business
impact.
D is incorrect because analyzing risk in order of cost or
criticality is part of the risk assessment process, and the
question asks to identify what is not included in a risk
assessment. A risk assessment researches and quantifies the
risk a company faces. Dealing with risk must be done in a
cost-effective manner. Knowing the severity of the risk allows
the organization to determine how to address it effectively.

412
Q

Sue has been tasked with implementing a number of security
controls, including antivirus and antispam software, to protect
the company’s e-mail system. What type of approach is her
company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

A

A. Risk can be dealt with in four basic ways: transfer it, avoid
it, reduce it, or accept it. By implementing security controls
such as antivirus and antispam software, Sue is reducing the
risk posed by her company's e-mail system. This is also
referred to as risk mitigation, where the risk is decreased to
a level considered acceptable. In addition to the use of IT
security controls and countermeasures, risk can be mitigated
by improving procedures, altering the environment, erecting
barriers to the threat, and implementing early detection
methods to stop threats as they occur, thereby reducing their
possible damage.

B is incorrect because risk acceptance means the company
has decided to live with the risk as it stands, without
implementing controls, typically because the cost of reducing
it would exceed the potential loss. Sue is actively reducing
the risk, so the company has not accepted it.
C is incorrect because risk avoidance means discontinuing
the activity that introduces the risk, for example not
operating an e-mail system at all. The company is keeping
the system and adding protection to it.
D is incorrect because risk transference shifts the risk to
another party, for example by purchasing insurance. Installing
antivirus and antispam software leaves the risk with the
company and lowers it, which is mitigation, not transfer.

413
Q

The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

A

D. The extraction of data to share with unauthorized entities
is a confidentiality issue, not an integrity issue.
Confidentiality ensures that the necessary level of secrecy is
enforced at each junction of data processing and prevents
unauthorized disclosure. This level of confidentiality should
prevail while data resides on systems and devices within the
network, as it is transmitted, and once it reaches its
destination. Integrity, on the other hand, is the principle that
signifies the data has not been changed or manipulated in
an unauthorized manner.
A is incorrect because integrity is related to the unauthorized
manipulation or changes to data. Integrity is upheld when
any unauthorized modification is prevented. Hardware,
software, and communication mechanisms must work in
concert to maintain and process data correctly and move
data to intended destinations without unexpected alteration.
The systems and network should be protected from outside
interference and contamination.
B is incorrect because the modification of data without
authorization is related to integrity. Integrity is about
protecting data so that it cannot be changed either by users
or other systems that do not have the rights to do so.
C is incorrect because the intentional or accidental
substitution of data is related to integrity. Along with the
assurance that data is not modified by unauthorized entities,
integrity is upheld when the assurance of the accuracy and
reliability of the information and systems is provided. An
environment that enforces integrity prevents attackers, for
example, from inserting a virus, logic bomb, or backdoor into
a system that could corrupt or replace data. Users usually
affect a system or its data’s integrity by mistake (although
internal users may also commit malicious deeds). For
example, a user may insert incorrect values into a data
processing application that ends up charging a customer
$3,000 instead of $300.

414
Q

There are several methods an intruder can use to gain access
to company assets. Which of the following best describes
masquerading?
A. Changing an IP packet’s source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools

A

C. Masquerading is an attempt to gain unauthorized access
by impersonating an authorized user. Masquerading is
commonly used by attackers carrying out phishing attacks
and has been around for a long time. For example, in 1996
hackers posed as AOL staff members and sent messages to
victims asking for their passwords in order to verify correct
billing information or verify information about the AOL
accounts. Today, phishers often masquerade as large
banking companies and well-known Internet entities like
Amazon.com and eBay. Masquerading is a type of active
attack because the attacker is actually doing something
instead of sitting back and gathering data.
A is incorrect because changing an IP packet’s source
address is an example of masquerading and not a definition
of masquerading. IP spoofing is the act of presenting false
information within packets, to trick other systems and hide
the origin of the message. This is usually done by hackers so
that their identity cannot be successfully uncovered.
B is incorrect because elevating privileges is not part of
masquerading. Elevating privileges is often the next step
after being able to penetrate a system successfully, but it
does not have anything to do directly with fooling a user or
system about the attacker’s true identity.
D is incorrect because masquerading involves commonly
posing as an authorized user that already exists in the
system the attacker is attempting to access. It is common
for the attacker then to attempt to create a new authorized
user account on a compromised system, but successful
masquerading has to happen first.

415
Q

A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset’s value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and
supporting the asset
D. The asset’s value to the organization’s production operations

A

B. The level of insurance required to cover the asset is not a
consideration when assigning values to assets. It is actually
the other way around: By knowing the value of an asset, an
organization can more easily determine the level of
insurance coverage to purchase for that asset. In fact,
understanding the value of an asset is the first step to
understanding what security mechanisms should be put in
place and what funds should go toward protecting it. This
knowledge can also help companies perform effective
cost/benefit analyses, understand exactly what is at risk, and
comply with legal and regulatory requirements.
A is incorrect because the asset’s value in the external
marketplace is a factor that should be considered when
determining the value of an asset. It should also include the
value the asset might have to competitors or what others are
willing to pay for a given asset.
C is incorrect because the initial and outgoing costs of
purchasing, licensing, and supporting the asset are
considerations when determining the cost and value of an
asset. The asset must be cost-effective to the business
directly. If the supporting requirements of maintaining the
asset outweigh the business need for the asset, its value
will decrease.
D is incorrect because it is a factor to be considered when
determining an asset’s value. The asset’s value to the
organization’s production operations is the determination of
cost to an organization if the asset is not available for a
certain period of time. Along these same lines, the asset’s
usefulness and role in the organization should be considered
as well as the operational and production activities affected
if the asset is unavailable. If the asset helps operations it is
valuable; the trick is to figure out how valuable.

416
Q

Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database’s security controls and provide more
granularity.
B. Implement access controls that display each user’s
permissions each time they access the database.
C. Change the database’s classification label to a higher security
status.
D. Decrease the security so that all users can access the
information as needed.

A

A. The best approach to securing the database in this
situation would be to increase the controls and assign very
granular permissions. These measures would ensure that
users cannot abuse their privileges and the confidentiality of
the information would be maintained. Granularity of
permissions gives network administrators and security
professionals additional control over the resources they are
charged with protecting, and a fine level of detail enables
them to give individuals just the precise level of access they
need.
B is incorrect because implementing access controls that
display each user’s permissions each time they access the
database is an example of one control. It is not the overall
way of dealing with user access to a full database of
information. This may be an example of increasing database
security controls, but it is only one example and more would
need to be put into place.
C is incorrect because the classification level of the
information in the database was previously determined
based on its confidentiality, integrity, and availability levels.
These levels do not change simply because more users need
access to the data. Thus, you would never increase or
decrease the classification level of information when more
users or groups need to access that information. Increasing
the classification level would only mean a smaller subset of
users could access the database.
D is incorrect because it puts data at risk. If security is
decreased so that all users can access it as needed, then
users with lower privileges will be able to access data of
higher classification levels. Lower security also makes it
easier for intruders to break into the database. As stated in
answer C, a classification level is not changed just because
the number of users who need to access the data increases
or decreases.

417
Q

As his company’s CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × vulnerability × asset value) × control gap =
residual risk
D. (total risk – asset value) × countermeasures = residual risk

A

C. Countermeasures are implemented to reduce overall risk
to an acceptable level. However, no system or environment
is 100 percent secure, and with every countermeasure some
risk remains. The leftover risk after countermeasures are
implemented is called residual risk. Residual risk differs from
total risk, which is the risk companies face when they choose
not to implement any countermeasures. While the total risk
can be determined by calculating threats × vulnerability ×
asset value = total risk, residual risk can be determined by
calculating (threats × vulnerability × asset value) × control
gap = residual risk. Control gap is the amount of protection
the control cannot provide.
A is incorrect because threats × vulnerability × asset value
does not equal residual risk. It is the equation to calculate
total risk. Total risk is the risk a company faces in the
absence of any security safeguards or actions to reduce the
overall risk exposure. The total risk is reduced by
implementing safeguards and countermeasures, leaving the
company with residual risk—or the risk left over after
safeguards are implemented.
B is incorrect because SLE × frequency is the equation to
calculate the annualized loss expectancy (ALE) as a result of
a threat exploiting a vulnerability and the business impact.
The frequency is the threat’s annual rate of occurrence
(ARO). The ALE is not equal to residual risk. ALE indicates
how much money a specific type of threat is likely to cost
the company over the course of a year. Knowing the real
possibility of a threat and how much damage, in monetary
terms, the threat can cause is important in determining how
much should be spent to try and protect against that threat
in the first place.
D is incorrect and is a distracter answer. There is no such
formula used in risk assessments. The actual equations are
threats × vulnerability × asset value = total risk; and
(threats × vulnerability × asset value) × control gap =
residual risk.
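The three formulas on this card worked through in code, as an added example that is not part of the original card. It treats threat and vulnerability as likelihoods in [0, 1] and the control gap as the fraction of risk a control leaves behind (both are this example's assumptions, since the card does not fix units), rejects a control gap of zero because no countermeasure is 100 percent effective, and then picks, from constructed candidate controls, the cheapest one whose residual risk falls within an acceptable level; using cost as the tie-breaker is likewise this example's choice.

```python
def total_risk(threat, vulnerability, asset_value):
    """threats x vulnerability x asset value, with threat and vulnerability
    expressed as likelihoods in [0, 1] (an assumption: the card leaves the
    units open) and asset value in currency."""
    for name, value in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1]")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return threat * vulnerability * asset_value


def residual_risk(total, control_gap):
    """total risk x control gap. The gap is the fraction of the risk the
    control cannot remove: 1.0 means no control at all; 0.0 is rejected
    because no countermeasure is 100 percent effective."""
    if not 0.0 < control_gap <= 1.0:
        raise ValueError("control gap must lie in (0, 1]")
    return total * control_gap


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected yearly loss from one threat. It is a
    budgeting figure for how much to spend on protection, not residual risk."""
    return sle * aro


def choose_control(total, candidates, acceptable):
    """Return (name, residual) for the cheapest candidate whose residual risk
    is within the acceptable level, or None if no candidate gets there.
    candidates: iterable of (name, control_gap, annual_cost)."""
    fitting = []
    for name, gap, cost in candidates:
        residual = residual_risk(total, gap)
        if residual <= acceptable:
            fitting.append((cost, name, residual))
    if not fitting:
        return None
    _, name, residual = min(fitting)
    return name, residual


def demo():
    """Constructed figures for an e-mail system; returns the worked numbers."""
    total = total_risk(threat=0.5, vulnerability=0.25, asset_value=320_000)
    candidates = [  # (name, control gap, annual cost): constructed values
        ("do nothing", 1.0, 0),
        ("antispam only", 0.5, 5_000),
        ("antispam + antivirus", 0.25, 12_000),
        ("managed mail gateway", 0.125, 30_000),
    ]
    return {
        "total_risk": total,
        "residual_no_control": residual_risk(total, 1.0),
        "chosen": choose_control(total, candidates, acceptable=10_000),
        "ale": annualized_loss_expectancy(sle=50_000, aro=0.25),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With no control the residual risk equals the total risk (control gap 1.0), which is the distinction the card draws between total and residual risk; the ALE comes out as a separate figure and is never equal to either.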

418
Q

Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial
information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee
data

A

D. The Chief Privacy Officer (CPO) position is being created
by companies in response to the increasing demands on
organizations to protect myriad types of data. The CPO is
responsible for ensuring the security of customer, company,
and employee data, which keeps the company free from
legal prosecution and—hopefully—out of the headlines.
Thus, the CPO is directly involved with setting policies on
how data is collected, protected, and distributed to third
parties. The CPO is usually an attorney and reports to the
Chief Security Officer.
A is incorrect because protecting partner data is just a small
subset of all the data the CPO is responsible for protecting.
CPOs are responsible for ensuring the protection of
customer, company, and employee data. Partner data is
among the various types of data that the CPO is responsible
for protecting. In addition, the CPO is responsible for
knowing how its company’s suppliers, partners, and other
third parties are protecting its sensitive information. Many
times, companies will need to review these other parties
(which have copies of data needing protection).
B is incorrect because the accuracy of financial information is
the responsibility of its data owner—the Chief Financial
Officer (CFO). The CFO is responsible for the corporation’s
account and financial activities, and the overall financial
structure of the organization. The CPO is responsible for
helping to ensure the secrecy of this data, but not the
accuracy of the data. The financial information is also a small
subset of all the data types the CPO is responsible for
protecting.
C is incorrect because the definition and enforcement of
security policies is the responsibility of senior management,
commonly delegated to the CISO or CSO—not the CPO. A
security policy is an overall general statement that dictates
what role security plays within the organization. The CPO’s
responsibilities as they relate to policies are to contribute to
the setting of data protection policies, including how data is
collected, protected, and distributed to third parties.

419
Q

Jared plays a role in his company’s data classification system.
In this role, he must practice due care when accessing data and
ensure that the data is used only in accordance with allowed
policy while abiding by the rules set for the classification of the
data. He does not determine, maintain, or evaluate controls, so
what is Jared’s role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor

A

C. Any individual who routinely uses data for work-related
tasks is a data user. Users must have the necessary level of
access to the data to perform the duties within their position
and are responsible for following operational security
procedures to ensure the data’s confidentiality, integrity, and
availability to others. This means that users must practice
due care and act in accordance with both security policy and
data classification rules.
A is incorrect because the data owner has a greater level of
responsibility in the protection of the data. Data owners are
responsible for classifying the data, regularly reviewing
classification levels, and delegating the responsibility of the
data protection duties to the data custodian. The data owner
is typically a manager or executive in the organization and is
held responsible when it comes to protecting the company’s
information assets.
B is incorrect because the data custodian is responsible for
the implementation and maintenance of security controls as
dictated by the data owner. In other words, the data
custodian is the technical caretaker of the controls that
protect the data. Her duties include making backups,
restoring data, implementing and maintaining
countermeasures, and administering controls.
D is incorrect because an information systems auditor is
responsible for evaluating controls. After evaluating the
controls, the auditor provides reports to management,
illustrating the mapping between the set acceptable risk level
of the organization and her findings. This does not have to
do with using the data or practicing due care with the use of
data.

420
Q

Risk assessment has several different methodologies. Which of
the following official risk methodologies was not created for the
purpose of analyzing security risks?
A. FAP
B. OCTAVE
C. AS/NZS 4360
D. NIST SP 800-30

A

C. While AS/NZS 4360 can be used to analyze security risks, it
was not created for that purpose. It takes a much broader
approach to risk management than other risk assessment
methodologies, such as NIST SP 800-30 and OCTAVE, which focus on
IT threats and information security risks. AS/NZS 4360 can be
used to understand a company's financial, capital, human
safety, and business decision risks.
A is incorrect because there is no formal FAP risk analysis
approach. It is a distracter answer.
B is incorrect because OCTAVE focuses on IT threats and
information security risks. OCTAVE is meant to be used in
situations where people manage and direct the risk
evaluation for information security within their organization.
The organization’s employees are given the power to
determine the best approach for evaluating security.
D is incorrect because NIST SP 800-30 is specific to IT
threats and how they relate to information security risks. It
focuses mainly on systems. Data is collected from network
and security practice assessments, and from people within
the organization. The data is then used as input values for
the risk analysis steps outlined in the 800-30 document.

421
Q

Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the company’s
state of security.
B. All security activity takes place within the security
department.
C. Security products, services, and consultants are deployed in
an informed manner.
D. The organization has established metrics and goals for
improving security.

A

B. If all security activity takes place within the security
department, then security is working within a silo and is not
integrated throughout the organization. In a company with a
security governance program, security responsibilities
permeate the entire organization, from executive
management down the chain of command. A common
scenario would be executive management holding business
unit managers responsible for carrying out risk
management activities for their specific business units. In
addition, employees are held accountable for any security
breaches they participate in, either maliciously or
accidentally.
A is incorrect because security governance is a set of
responsibilities and practices exercised by the board and
executive management of an organization with the goal of
providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately,
and verifying that the organization’s resources are used
responsibly. An organization with a security governance
program in place has a board of directors that understands
the importance of security and is aware of the organization’s
security performance and breaches.
C is incorrect because security governance is a coherent
system of integrated security components that includes
products, personnel, training, processes, etc. Thus, an
organization with a security governance program in place is
likely to purchase and deploy security products, managed
services, and consultants in an informed manner. They are
also constantly reviewed to ensure they are cost-effective.
D is incorrect because security governance requires
performance measurement and oversight mechanisms. An
organization with a security governance program in place
continually reviews its processes, including security, with the
goal of continued improvement. On the other hand, an
organization that lacks a security governance program is
likely to march forward without analyzing its performance
and therefore repeatedly makes similar mistakes.

422
Q

Michael is charged with developing a classification program for
his company. Which of the following should he do first?
A. Understand the different levels of protection that must be
provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification
level.

A

A. Before Michael begins developing his company’s
classification program, he must understand the different
levels of protection that must be provided. Only then can he
develop the necessary classification levels and their criteria.
One company may choose to use only two layers of
classification, while another may choose to use more.
Regardless, when developing classification levels, he should
keep in mind that too many or too few classification levels
will render the classification ineffective; there should be no
overlap in the criteria definitions between classification
levels; and classification levels should be developed for both
data and software.
B is incorrect because data classification criteria cannot be
established until the classification levels themselves have
been defined. The classification criteria are used by data
owners to know what classification should be assigned to
specific data. Basically, the classifications are defined
buckets and the criteria help data owners determine what
bucket each data set should be put into.
C is incorrect because there is no need to identify the data
custodians until classification levels are defined, criteria are
determined for how data are classified, and the data owner
has indicated the classification of the data she is responsible
for. Remember, the data custodian is responsible for
implementing and maintaining the controls specified by the
data owner.
D is incorrect because protection mechanisms for each
classification level cannot be determined until the
classification levels themselves are defined based on the
different levels of protection that are required. The types of
controls implemented per classification will depend upon the
level of protection that management and the security team
have determined is needed.

423
Q

ISO/IEC 27000 is part of a growing family of ISO/IEC
information security management systems (ISMS) standards. It
comprises information security standards published jointly by
the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC). Which of the
following provides an incorrect mapping of the individual
standards that make up this family of standards?
A. ISO/IEC 27002 Code of practice for information security
management
B. ISO/IEC 27003 Guideline for ISMS implementation
C. ISO/IEC 27004 Guideline for information security
management measurement and metrics framework
D. ISO/IEC 27005 Guideline for bodies providing audit and
certification of information security management systems

A

D. The ISO/IEC 27005 standard is the guideline for
information security risk management. ISO/IEC 27005 is an
international standard for how risk management should be
carried out in the framework of an information security
management system (ISMS).
A is incorrect because ISO/IEC 27002 is the code of practice
for information security management; thus, it has a correct
mapping. ISO/IEC 27002 provides best practice
recommendations and guidelines as they pertain to initiating,
implementing, or maintaining information security
management systems (ISMS).
B is incorrect because ISO/IEC 27003 is the guideline for
ISMS implementation; thus, it has a correct mapping. It
focuses on the critical aspects needed for successful design
and implementation of an information security management
system (ISMS) in accordance with ISO/IEC 27001:2005. It
describes the process of ISMS specification and design from
inception to the production of implementation plans.
C is incorrect because ISO/IEC 27004 is the guideline for
information security management measurement and metrics
framework; thus, it has a correct mapping. It provides
guidance on the development and use of measures and
measurement in order to assess the effectiveness of an
implemented information security management system
(ISMS) and controls or groups of controls, as specified in
ISO/IEC 2700

424
Q

Barry has just been hired as the company security officer at an
international financial institution. He has reviewed the company’s
data protection policies and procedures. He sees that the company
stores its sensitive data within a secured database. The database is
located in a network segment all by itself, which is monitored by a
network-based intrusion detection system. The database is hosted
on a server kept within a server room, which can only be accessed
by personnel with the correct PIN value and smart card. Barry finds
that the sensitive data backups are not being properly secured and
requests that the company implement a secure courier service that
moves backup tapes to a secured location. His management states
that this option is too expensive, so Barry implements a local
hierarchy storage management system that properly protects the
sensitive data.

Which of the following best describes the control types the
company originally had in place?
A. Administrative preventive controls are the policies and
procedures. Technical preventive controls are securing the
system, network segmentation, and intrusion detection
system. Physical detective controls are the physical location
of the database and PIN and smart card access controls.
B. Administrative preventive controls are the policies. Technical
preventive controls are securing the system and intrusion
detection system. Physical preventive controls are the
physical location of the database and PIN and smart card
access controls.
C. Administrative corrective controls are the policies and
procedures. Technical preventive controls are securing the
system, network segmentation, and intrusion detection
system. Physical preventive controls are the physical location
of the database and PIN and smart card access controls.
D. Administrative preventive controls are the policies and
procedures. Technical preventive controls are securing the
system and network segmentation. The technical detective
control is the intrusion detection system. Physical preventive
controls are the physical location of the database and PIN
and smart card access controls

A

D. The intrusion detection system monitors the segment and alerts, so
it is a technical detective control, not a preventive one. The policies
and procedures are administrative preventive controls, system hardening
and network segmentation are technical preventive controls, and the
server room with PIN and smart card access is a physical preventive
control. Options A through C each misclassify at least one of these.

425
Q

Barry has just been hired as the company security officer at an
international financial institution. He has reviewed the company’s
data protection policies and procedures. He sees that the company
stores its sensitive data within a secured database. The database is
located in a network segment all by itself, which is monitored by a
network-based intrusion detection system. The database is hosted
on a server kept within a server room, which can only be accessed
by personnel with the correct PIN value and smart card. Barry finds
that the sensitive data backups are not being properly secured and
requests that the company implement a secure courier service that
moves backup tapes to a secured location. His management states
that this option is too expensive, so Barry implements a local
hierarchy storage management system that properly protects the
sensitive data.

The storage management system that Barry put into place is
referred to as which of the following?
A. Administrative control
B. Compensating control
C. Physical control
D. Confidentiality control

A

B. The preferred control (a secure courier service for the backup
tapes) was rejected as too expensive, so Barry substituted a local
hierarchical storage management system that achieves the same
protection goal. A control put in place as an alternative to a primary
control that is too costly or impractical is a compensating control.

426
Q

Barry has just been hired as the company security officer at an
international financial institution. He has reviewed the company’s
data protection policies and procedures. He sees that the company
stores its sensitive data within a secured database. The database is
located in a network segment all by itself, which is monitored by a
network-based intrusion detection system. The database is hosted
on a server kept within a server room, which can only be accessed
by personnel with the correct PIN value and smart card. Barry finds
that the sensitive data backups are not being properly secured and
requests that the company implement a secure courier service that
moves backup tapes to a secured location. His management states
that this option is too expensive, so Barry implements a local
hierarchy storage management system that properly protects the
sensitive data.

Which are the two most common situations that require the
type of control covered in the scenario to be implemented?
A. Defense-in-depth is required, and the current controls only
provide one protection layer.
B. Primary control costs too much or negatively affects business
operations.
C. Confidentiality is the highest concern in a situation where
defense-in-depth is required.
D. Availability is the highest concern in a situation where
defense-in-depth is required

A

B. Compensating controls are most commonly implemented when the primary
control costs too much or negatively affects business operations, which
is exactly why the courier service was replaced here. Defense-in-depth
and the relative priority of confidentiality or availability do not by
themselves call for a compensating control.

427
Q

For intrusion detection and prevention system capabilities,
stateful protocol analysis uses which of the following?
1. Blacklists
2. Whitelists
3. Threshold
4. Program code viewing
a. 1 and 2
b. 1, 2, and 3
c. 3 only
d. 1, 2, 3, and 4

A

d. Stateful protocol analysis (also known as deep packet inspection)
is the process of comparing predetermined profiles of generally
accepted definitions of benign protocol activity for each protocol state
against observed events to identify deviations. Stateful protocol
analysis uses blacklists, whitelists, thresholds, and program code
viewing to provide various security capabilities.
A blacklist is a list of discrete entities, such as hosts or applications,
that have been previously determined to be associated with malicious
activity. A whitelist is a list of discrete entities, such as hosts or
applications, known to be benign. Thresholds set the limits between
normal and abnormal behavior for the intrusion detection and
prevention system (IDPS). Program code viewing and editing features
let administrators see the detection-related programming code in the
IDPS.

428
Q

Electronic authentication begins with which of the following?
a. Token
b. Credential
c. Subscriber
d. Credential service provider

A

C. An applicant applies to a registration authority (RA) to become a
subscriber of a credential service provider (CSP) and, as a subscriber,
is issued or registers a secret, called a token, and a credential (for
example, a public key certificate) that binds the token to a name and
other attributes that the RA has verified. The token and credential may
be used in subsequent authentication events.

429
Q

In the electronic authentication process, who performs the
identity proofing?
a. Subscriber
b. Registration authority
c. Applicant
d. Credential service provider

A

B. The RA performs the identity proofing after registering the
applicant with the CSP. An applicant becomes a subscriber of the CSP.

430
Q

In electronic authentication, which of the following provides the
authenticated information to the relying party for making access
control decisions?
a. Claimant/subscriber
b. Applicant/subscriber
c. Verifier/claimant
d. Verifier/credential service provider

A

D. The relying party can use the authenticated information provided
by the verifier/CSP to make access control decisions or authorization
decisions. The verifier verifies that the claimant is the subscriber
through an authentication protocol, then passes an assertion about the
subscriber's identity to the relying party. The verifier and the CSP may
or may not belong to the same entity.

431
Q

In electronic authentication, an authenticated session is
established between which of the following?
a. Claimant and the relying party
b. Applicant and the registration authority
c. Subscriber and the credential service provider
d. Certifying authority and the registration authority

A

A. An authenticated session is established between the claimant and
the relying party; sometimes the verifier is also the relying party. The
other three choices pair parties that interact during registration and
credential issuance rather than in an authenticated session.

432
Q

Under which of the following electronic authentication circumstances does the verifier need to directly communicate with the CSP to complete the authentication activity?
a. Use of a digital certificate
b. A physical link between the verifier and the CSP
c. Distributed functions for the verifier, relying party, and the CSP
d. A logical link between the verifier and the CSP

A

B. The use of digital certificates represents a logical link between the
verifier and the CSP rather than a physical link. In some
implementations, the verifier, relying party, and CSP functions may be
distributed and separated. The verifier needs to directly communicate
with the CSP only when there is a physical link between them. In other
words, the verifier does not need to directly communicate with the CSP
in the other three choices.

433
Q

In electronic authentication, who maintains the registration records to allow recovery of registration records?
a. Credential service provider
b. Subscriber
c. Relying party
d. Registration authority

A

A. The CSP maintains registration records for each subscriber to
allow recovery of registration records. Other responsibilities of the
CSP include the following:
The CSP is responsible for establishing suitable policies for renewal
and reissuance of tokens and credentials. During renewal, the usage or
validity period of the token and credential is extended without
changing the subscriber’s identity or token. During reissuance, a new
credential is created for a subscriber with a new identity and/or a new
token.
The CSP is responsible for maintaining the revocation status of
credentials and destroying the credential at the end of its life. For
example, public key certificates are revoked using certificate
revocation lists (CRLs) after the certificates are distributed. The
verifier and the CSP may or may not belong to the same entity.
The CSP is responsible for mitigating threats to tokens and credentials
and managing their operations. Examples of threats include disclosure,
tampering, unavailability, unauthorized renewal or reissuance, delayed
revocation or destruction of credentials, and token use after
decommissioning.
The other three choices are incorrect because the (i) subscriber is a
party who has received a credential or token from a CSP, (ii) relying
party is an entity that relies upon the subscriber’s credentials or
verifier’s assertion of an identity, and (iii) registration authority (RA) is
a trusted entity that establishes and vouches for the identity of a
subscriber to a CSP. The RA may be an integral part of a CSP, or it
may be independent of a CSP, but it has a relationship to the CSP(s).

434
Q

Which of the following is used in the unique identification of employees and contractors?
a. Personal identity verification card token
b. Passwords
c. PKI certificates
d. Biometrics

A

A. It is suggested that a personal identity verification (PIV) card
token is used in the unique identification of employees and contractors.
The PIV is a physical artifact (e.g., identity card or smart card) issued
to an individual that contains stored identity credentials (e.g.,
photograph, cryptographic keys, or digitized fingerprint).
The other three choices are used in user authenticator management, not
in user identifier management. Examples of user authenticators include
passwords, tokens, cryptographic keys, personal identification
numbers (PINs), biometrics, public key infrastructure (PKI)
certificates, and key cards. Identifiers, by contrast, are the unique
names assigned to internal users, external users, contractors, and
guests; the PIV card is the artifact that carries an individual's
identifier and credentials.

435
Q

In electronic authentication, which of the following produces an authenticator used in the authentication process?
a. Encrypted key and password
b. Token and cryptographic key
c. Public key and verifier
d. Private key and claimant

A

B. The token may be a piece of hardware that contains a
cryptographic key that produces the authenticator used in the
authentication process to authenticate the claimant. The key is
protected by encrypting it with a password.
The other three choices cannot produce an authenticator. A public key
is the public part of an asymmetric key pair typically used to verify
signatures or encrypt data. A verifier is an entity that verifies a
claimant’s identity. A private key is the secret part of an asymmetric
key pair typically used to digitally sign or decrypt data. A claimant is a
party whose identity is to be verified using an authentication protocol.

436
Q

In electronic authentication, shared secrets are based on which
of the following?
1. Asymmetric keys
2. Symmetric keys
3. Passwords
4. Public key pairs
a. 1 only
b. 1 or 4
c. 2 or 3
d. 3 or 4

A

C. Shared secrets are based on either symmetric keys or passwords.
The asymmetric keys are used in public key pairs. In a protocol sense,
all shared secrets are similar and can be used in similar authentication
protocols.

437
Q

For electronic authentication, which of the following is not an
example of assertions?
a. Cookies
b. Security Assertion Markup Language (SAML)
c. X.509 certificates
d. Kerberos tickets

A

C. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber. Assertions may be
digitally signed objects, or they may be obtained from a trusted source
by a secure protocol. X.509 certificates are examples of electronic
credentials, not assertions. Cookies, Security Assertion Markup
Language (SAML) assertions, and Kerberos tickets are examples of
assertions.

438
Q

In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is untrusted?
a. Self-authenticating
b. Authentication to the relying party
c. Authentication to the verifier
d. Authentication to the credential service provider

A

A. When electronic credentials are stored in a directory or database
server, the directory or database may be an untrusted entity because the
data it supplies is self-authenticated. Alternatively, the directory or
database server may be a trusted entity that authenticates itself to the
relying party or verifier, but not to the CSP.

439
Q

The correct flows and proper interactions between parties
involved in electronic authentication include:
a. Applicant⇒Registration Authority⇒Subscriber⇒Claimant
b. Registration Authority⇒Applicant⇒Claimant⇒Subscriber
c. Subscriber⇒Applicant⇒Registration Authority⇒Claimant
d. Claimant⇒Subscriber⇒Registration Authority⇒Applicant

A

A. The correct flows and proper interactions between the various
parties involved in electronic authentication are the following:
An individual applicant applies to a registration authority (RA)
through a registration process to become a subscriber of a
credential service provider (CSP).
The RA identity proofs that applicant.
On successful identity proofing, the RA sends the CSP a
registration confirmation message.
A secret token and a corresponding credential are established between
the CSP and the new subscriber for use in subsequent authentication
events.
The party to be authenticated is called a claimant (subscriber), and the
party verifying that identity is called a verifier.
The other three choices are incorrect be

440
Q

In electronic authentication, which of the following represents
the correct order of passing information about assertions?
a. Subscriber⇒Credential Service Provider⇒Registration
Authority
b. Verifier⇒Claimant⇒Relying Party
c. Relying Party⇒Claimant⇒Registration Authority
d. Verifier⇒Credential Service Provider⇒Relying Party

A

B. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber (i.e., claimant). These
assertions are used to pass information about the claimant from the
verifier to a relying party. Assertions may be digitally signed objects or
they may be obtained from a trusted source by a secure protocol. When
the verifier and the relying parties are separate entities, the verifier
conveys the result of the authentication protocol to the relying party.
The object created by the verifier to convey the result of the
authentication protocol is called an assertion. The credential service
provider and the registration authority are not part of the assertion
process.

441
Q

From an access control viewpoint, which of the following are
restricted access control models?
1. Identity-based access control policy
2. Attribute-based access control policy
3. Bell-LaPadula access control model
4. Domain type enforcement access control model
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

C. Both the Bell-LaPadula model and the domain type enforcement
model are restricted access control models because they are employed
in safety-critical systems, such as military and airline systems. In a
restricted model, the access control policies are expressed only once by
a trusted principal and fixed for the life of the system. The identity-based
and attribute-based access control policies are not restricted access
control models; they are based on identities and attributes,
respectively.

442
Q

Regarding password guessing and cracking threats, which of
the following can help mitigate such threats?
a. Passwords with low entropy, larger salts, and smaller stretching
b. Passwords with high entropy, smaller salts, and smaller
stretching
c. Passwords with high entropy, larger salts, and larger stretching
d. Passwords with low entropy, smaller salts, and larger stretching

A

C. Entropy in an information system is the measure of the disorder
or randomness in the system. Passwords need high entropy because
low entropy is more likely to be recovered through brute force attacks.
Salting is the inclusion of a random value in the password hashing
process that greatly decreases the likelihood of identical passwords
returning the same hash. Larger salts effectively make the use of
Rainbow Tables (lookup tables) by attackers infeasible. Many
operating systems implement salted password hashing mechanisms to
reduce the effectiveness of password cracking.
Stretching, which is another technique to mitigate the use of rainbow
tables, involves hashing each password and its salt thousands of times.
Larger stretching makes the creation of rainbow tables more
time-consuming, which is bad for the attacker but good for the
attacked organization. Rainbow tables are lookup tables that contain
precomputed password hashes. Therefore, passwords with high
entropy, larger salts, and larger stretching can mitigate password
guessing and cracking attempts by attackers.
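As an added example (not part of the original flashcard), the following Python shows the three levers named above: a per-record random salt, stretching, and the password's own entropy. PBKDF2-HMAC-SHA256 as the stretched hash, the iteration count, and the sample passwords and wordlist are assumptions constructed for the demo. It also shows what the card only implies: salt and stretching raise the attacker's cost per guess, but a low-entropy password is still recovered from a short wordlist.

```python
"""Salting and stretching as defences against password cracking.

Added example, not part of the original flashcards. It uses PBKDF2-HMAC-SHA256
from the standard library as the stretched hash; the flashcard names no specific
algorithm, so that choice is an assumption, as is the iteration count.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # stretching factor: PBKDF2 rounds per guess (assumed value)
SALT_BYTES = 16       # 128-bit random salt, large enough to defeat precomputed tables


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: bytes | None = None) -> tuple[bytes, int, bytes]:
    """Return (salt, iterations, digest). A fresh random salt is drawn per call,
    so two users with the same password get unrelated digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def unsalted_digest(password: str) -> bytes:
    """The weak baseline: one fast, unsalted hash. Identical passwords collide,
    so a single precomputed table (rainbow table) covers every user."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def crack_with_wordlist(wordlist: list[str], salt: bytes, iterations: int,
                        digest: bytes) -> tuple[str | None, int]:
    """Offline dictionary attack against one stored record. Returns the recovered
    password (or None) and the number of stretched hashes the attacker computed.
    The salt forces the table to be rebuilt per record, stretching makes each
    entry cost `iterations` rounds; only entropy keeps the list long."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, iterations, digest):
            return guess, n
    return None, len(wordlist)


def demo(iterations: int = 1_000) -> dict:
    """Run the comparisons on constructed sample passwords (low iteration count
    so the demo is quick; production should use ITERATIONS or higher)."""
    # Constructed wordlist, standing in for a real cracking dictionary.
    wordlist = ["123456", "password", "letmein", "qwerty", "Summer2024!"]
    weak = "letmein"                    # low entropy: appears in the wordlist
    strong = "vexing-otter-quartz-91"   # high entropy: not in any short list

    salt_a, it, digest_a = hash_password(weak, iterations)
    salt_b, _, digest_b = hash_password(weak, iterations)   # same password, new salt

    cracked_weak, guesses_weak = crack_with_wordlist(wordlist, salt_a, it, digest_a)
    salt_s, _, digest_s = hash_password(strong, iterations)
    cracked_strong, guesses_strong = crack_with_wordlist(wordlist, salt_s, it, digest_s)

    return {
        # same password for two users: unsalted digests collide, salted ones do not
        "unsalted_collide": unsalted_digest(weak) == unsalted_digest(weak),
        "salted_collide": digest_a == digest_b,
        "verify_ok": verify_password(weak, salt_a, it, digest_a),
        "verify_wrong": verify_password("Letmein", salt_a, it, digest_a),
        # salt and stretching did not save the low-entropy password, only raised the cost
        "weak_cracked": cracked_weak,
        "weak_guess_cost": guesses_weak * it,   # stretched rounds spent by the attacker
        "strong_cracked": cracked_strong,
        "strong_guesses_exhausted": guesses_strong,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Call demo() to see the comparison; the demo passes a small iteration count so it finishes quickly, while the module constant reflects a production-scale round count. The point to take away is that salt and stretching only multiply the cost of each guess; the number of guesses an attacker needs is set by the password's entropy.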

443
Q

In electronic authentication using tokens, the authenticator in
the general case is a function of which of the following?
a. Token secret and salt or challenge
b. Token secret and seed or challenge
c. Token secret and nonce or challenge
d. Token secret and shim or challenge

A

C. The authenticator is generated through the use of a token. In the
trivial case, the authenticator may be the token secret itself where the
token is a password. In the general case, an authenticator is generated
by performing a mathematical function using the token secret and one
or more optional token input values such as a nonce or challenge.
A salt is a nonsecret value used in a cryptographic process, usually to
ensure that the results of computations for one instance cannot be
reused by an attacker.
A seed is a starting value used to generate initialization vectors. A
nonce is an identifier, a value, or a number used only once. Using a
nonce as a challenge is a different requirement from using a random
challenge, because a nonce only has to be unique and may be
predictable (a counter, for example).
A shim is a layer of host-based intrusion detection and prevention code
placed between existing layers of code on a host that intercepts data
and analyzes it.

444
Q

In electronic authentication, using one token to gain access to a
second token is called a:
a. Single-token, multifactor scheme
b. Single-token, single-factor scheme
c. Multitoken, multifactor scheme
d. Multistage authentication scheme

A

B. Using one token to gain access to a second token is considered a
single token and a single factor scheme because all that is needed to
gain access is the initial token. Therefore, when this scheme is used,
the compound solution is only as strong as the token with the lowest
assurance level. The other choices are incorrect because they are not
applicable to the situation here.

445
Q

As a part of centralized password management solutions, which of the following statements are true about password synchronization?
1. No centralized directory
2. No authentication server
3. Easier to implement than single sign-on technology
4. Less expensive than single sign-on technology
a. 1 and 3
b. 2 and 4
c. 3 and 4
d. 1, 2, 3, and 4

A

D. A password synchronization solution takes a password from a
user and changes the passwords on other resources to be the same as
that password. The user then authenticates directly to each resource
using that password. There is no centralized directory or no
authentication server performing authentication on behalf of the
resources. The primary benefit of password synchronization is that it
reduces the number of passwords that users need to remember; this
may permit users to select stronger passwords and remember them
more easily. Unlike single sign-on (SSO) technology, password
synchronization does not reduce the number of times that users need to
authenticate. Password synchronization solutions are typically easier
and less expensive to implement than SSO technologies, but also less
secure.

446
Q

As a part of centralized password management solutions,
password synchronization becomes a single point-of-failure due to
which of the following?
a. It uses the same password for many resources.
b. It can enable an attacker to compromise a low-security resource
to gain access to a high-security resource.
c. It uses the lowest common denominator approach to password
strength.
d. It can lead passwords to become unsynchronized.

A

A. All four choices are problems with password synchronization
solution. Because the same password is used for many resources, the
compromise of any one instance of the password compromises all the
instances, therefore becoming a single point-of-failure. Password
synchronization forces the use of the lowest common denominator
approach to password strength, resulting in weaker passwords due to
character and length constraints. Passwords can become
unsynchronized when a user changes a resource password directly with
that resource instead of going through the password synchronization
user interface. A password could also be changed due to a resource
failure that requires restoration of a backup.

447
Q

RuBAC is rule-based access control; RAdAC is risk adaptive
access control; UDAC is user-directed access control; MAC is
mandatory access control; ABAC is attribute-based access control;
RBAC is role-based access control; IBAC is identity-based access
control; and PBAC is policy-based access control. From an access
control viewpoint, separation of domains is achieved through
which of the following?
a. RuBAC or RAdAC
b. UDAC or MAC
c. ABAC or RBAC
d. IBAC or PBAC

A

C. Access control policy may benefit from separating Web services
into various domains or compartments. This separation can be
implemented in ABAC using resource attributes or through additional
roles defined in RBAC. The other three choices cannot handle
separation of domains.

448
Q

Regarding local administrator password selection, which of the
following can become a single point-of-failure?
a. Using the same local root account password across systems
b. Using built-in root accounts
c. Storing local passwords on the local system
d. Authenticating local passwords on the local system

A

A. Having a common password shared among all local
administrator or root accounts on all machines within a network
simplifies system maintenance, but it is a widespread security
weakness, becoming a single point-of-failure. If a single machine is
compromised, an attacker may recover the password and use it to gain
access to all other machines that use the shared password. Therefore, it
is good to avoid using the same local administrator or root account
passwords across many systems. The other three choices, although
risky in their own way, do not yield a single point-of-failure.

449
Q

In electronic authentication, which of the following statements is not true about a multistage token scheme?
a. An additional token is used for electronic transaction receipt.
b. Multistage scheme assurance is higher than the multitoken
scheme assurance using the same set of tokens.
c. An additional token is used as a confirmation mechanism.
d. Two tokens are used in two stages to raise the assurance level.

A

B. In a multistage token scheme, two tokens are used in two stages,
and additional tokens are used for transaction receipt and confirmation
mechanism to achieve the required assurance level. The level of
assurance of the combination of the two stages can be no higher than
that possible through a multitoken authentication scheme using the
same set of tokens.

450
Q

Online guessing is a threat to the tokens used for electronic
authentication. Which of the following is a countermeasure to
mitigate the online guessing threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

A. Entropy is the uncertainty of a random variable. Tokens that
generate high entropy authenticators prevent online guessing of secret
tokens registered to a legitimate claimant and offline cracking of
tokens. The other three choices cannot prevent online guessing of
tokens or passwords.

451
Q

Token duplication is a threat to the tokens used for electronic
authentication. Which of the following is a countermeasure to
mitigate the token duplication threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

B. In token duplication, the subscriber’s token has been copied with
or without the subscriber’s knowledge. A countermeasure is to use
hardware cryptographic tokens that are difficult to duplicate. Physical
security mechanisms can also be used to protect a stolen token from
duplication because they provide tamper evidence, detection, and
response capabilities. The other three choices do not address the
token duplication problem.

452
Q

Eavesdropping is a threat to the tokens used for electronic
authentication. Which of the following is a countermeasure to
mitigate the eavesdropping threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

C. A countermeasure to mitigate the eavesdropping threat is to use
tokens with dynamic authenticators where knowledge of one
authenticator does not assist in deriving a subsequent authenticator.
The other choices are incorrect because they cannot provide dynamic
authentication.

453
Q

Identifier management is applicable to which of the following accounts?
a. Group accounts
b. Local user accounts
c. Guest accounts
d. Anonymous accounts

A

B. All users accessing an organization’s information systems must
be uniquely identified and authenticated. Identifier management is
applicable to local user accounts where the account is valid only on a
local computer, and its identity can be traced to an individual.
Identifier management is not applicable to shared information system
accounts, such as group, guest, default, blank, anonymous, and
nonspecific user accounts.

454
Q

Phishing or pharming is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the phishing or pharming threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

C. A countermeasure to mitigate the phishing or pharming threat is
to use tokens with dynamic authenticators where knowledge of one
authenticator does not assist in deriving a subsequent authenticator.
The other choices are incorrect because they cannot provide dynamic
authentication.
Phishing is tricking individuals into disclosing sensitive personal
information through deceptive computer-based means. Phishing
attacks use social engineering and technical subterfuge to steal
consumers’ personal identity data and financial account credentials. It
involves Internet fraudsters who send spam or pop-up messages to lure
personal information (e.g., credit card numbers, bank account
information, social security numbers, passwords, or other sensitive
information) from unsuspecting victims. Pharming is misdirecting
users to fraudulent websites or proxy servers, typically through DNS
hijacking or poisoning.

455
Q

Theft is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the theft threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

D. A countermeasure to mitigate the threat of token theft is to use
multifactor tokens that need to be activated through a PIN or
biometric. The other choices are incorrect because they cannot provide
multifactor tokens.

456
Q

Social engineering is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the social engineering threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

C. A countermeasure to mitigate the social engineering threat is to
use tokens with dynamic authenticators where knowledge of one
authenticator does not assist in deriving a subsequent authenticator.
The other choices are incorrect because they cannot provide dynamic
authentication.

457
Q

In electronic authentication, which of the following is used to verify proof-of-possession of registered devices or identifiers?
a. Lookup secret token
b. Out-of-band token
c. Token lock-up feature
d. Physical security mechanism

A

B. Out-of-band tokens can be used to verify proof-of-possession of
registered devices (e.g., cell phones) or identifiers (e.g., e-mail IDs).
The other three choices cannot verify proof-of-possession. Lookup
secret tokens can be copied. Some tokens can lock up after a number
of repeated failed activation attempts. Physical security mechanisms
can be used to protect a stolen token from duplication because they
provide tamper evidence, detection, and response capabilities.

458
Q

In electronic authentication, which of the following are examples of weakly bound credentials?
1. Unencrypted password files
2. Signed password files
3. Unsigned public key certificates
4. Signed public key certificates
a. 1 only
b. 1 and 3
c. 1 and 4
d. 2 and 4

A

B. Unencrypted password files and unsigned public key certificates
are examples of weakly bound credentials. The association between
the identity and the token within a weakly bound credential can be
readily undone, and a new association can be readily created. For
example, a password file is a weakly-bound credential because anyone
who has “write” access to the password file can potentially update the
association contained within the file.

459
Q

In electronic authentication, which of the following are examples of strongly bound credentials?
1. Unencrypted password files
2. Signed password files
3. Unsigned public key certificates
4. Signed public key certificates
a. 1 only
b. 1 and 3
c. 1 and 4
d. 2 and 4

A

D. Signed password files and signed public key certificates are
examples of strongly bound credentials. The association between the
identity and the token within a strongly bound credential cannot be
easily undone. For example a digital signature binds the identity to the
public key in a public key certificate; tampering of this signature can
be easily detected through signature verification.

460
Q

Authorization controls are a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

A

B. Authorization controls such as access control matrices and
capability tests are a part of preventive controls because they block
unauthorized access. Preventive controls deter security incidents from
happening in the first place.
Directive controls are broad-based controls to handle security
incidents, and they include management’s policies, procedures, and
directives. Detective controls enhance security by monitoring the
effectiveness of preventive controls and by detecting security incidents
where preventive controls were circumvented. Corrective controls are
procedures to react to security incidents and to take remedial actions
on a timely basis. Corrective controls require proper planning and
preparation as they rely more on human judgment.

461
Q

In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage?
a. Verifier
b. Relying party
c. Credential service provider
d. Registration authority

A

C. The credential service provider (CSP) is the only one responsible
for maintaining the credential in storage. The verifier and the CSP may
or may not belong to the same entity. The other three choices are
incorrect because they are not applicable to the situation here.

462
Q

Which of the following is the correct definition of privilege management?
a. Privilege management = Entity attributes + Entity policies
b. Privilege management = Attribute management + Policy
management
c. Privilege management = Resource attributes + Resource policies
d. Privilege management = Environment attributes + Environment
policies

A

B. Privilege management is defined as a process that creates,
manages, and stores the attributes and policies needed to establish
criteria that can be used to decide whether an authenticated entity’s
request for access to some resource should be granted. Privilege
management is conceptually split into two parts: attribute management
and policy management. The attribute management is further defined
in terms of entity attributes, resource attributes, and environment
attributes. Similarly, the policy management is further defined in terms
of entity policies, resource policies, and environment policies.

463
Q

The extensible access control markup language (XACML) does
not define or support which of the following?
a. Trust management
b. Privilege management
c. Policy language
d. Query language

A

A. The extensible access control markup language (XACML) is a
standard for managing access control policy and supports the
enterprise-level privilege management. It includes a policy language
and a query language. However, XACML does not define authority
delegation and trust management.

464
Q

For intrusion detection and prevention system (IDPS) security capabilities, which of the following prevention actions should be performed first to reduce the risk of inadvertently blocking benign activity?
1. Alert enabling capability.
2. Alert disabling capability.
3. Sensor learning mode ability.
4. Sensor simulation mode ability.
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

D. Some intrusion detection and prevention system (IDPS) sensors
have a learning mode or simulation mode that suppresses all
prevention actions and instead indicates when a prevention action
should have been performed. This ability enables administrators to
monitor and fine-tune the configuration of the prevention capabilities
before enabling prevention actions, which reduces the risk of
inadvertently blocking benign activity. Alerts can be enabled or
disabled later.

465
Q

In the electronic authentication process, which of the following
is weakly resistant to man-in-the-middle (MitM) attacks?
a. Account lockout mechanism
b. Random data
c. Sending a password over server authenticated TLS
d. Nonce

A

C. A protocol is said to have weak resistance to MitM attacks if it
provides a mechanism for the claimant to determine whether he is
interacting with the real verifier, but still leaves the opportunity for the
nonvigilant claimant to reveal a token authenticator to an unauthorized
party that can be used to masquerade as the claimant to the real
verifier. For example, sending a password over server authenticated
transport layer security (TLS) is weakly resistant to MitM attacks. The
browser enables the claimant to verify the identity of the verifier;
however, if the claimant is not sufficiently vigilant, the password will
be revealed to an unauthorized party who can abuse the information.
The other three choices do not deal with MitM attacks, but they can
enhance the overall electronic authentication process.
An account lockout mechanism is implemented on the verifier to
prevent online guessing of passwords by an attacker who tries to
authenticate as a legitimate claimant. Random data and nonce can be
used to disguise the real data.

466
Q

In the electronic authentication process, which of the following is strongly resistant to man-in-the-middle (MitM) attacks?
a. Encrypted key exchange (EKE)
b. Simple password exponential key exchange (SPEKE)
c. Secure remote password protocol (SRP)
d. Client authenticated transport layer security (TLS)

A

D. A protocol is said to be highly resistant to man-in-the-middle
(MitM) attacks if it does not enable the claimant to reveal, to an
attacker masquerading as the verifier, information (e.g., token secrets
and authenticators) that can be used by the latter to masquerade as the
true claimant to the real verifier. For example, in client authenticated
transport layer security (TLS), the browser and the Web server
authenticate one another using public key infrastructure (PKI)
credentials, which makes it strongly resistant to MitM attacks. The
other three choices are incorrect because they are examples of being
weakly resistant to MitM attacks and are examples of zero-knowledge
password protocols, where the claimant is authenticated to a verifier
without disclosing the token secret.

467
Q

In electronic authentication, which of the following controls is
effective against cross site scripting (XSS) vulnerabilities?
a. Sanitize inputs to make them nonexecutable.
b. Insert random data into any linked uniform resource locator.
c. Insert random data into a hidden field.
d. Use a per-session shared secret.

A

D. In a cross site scripting (XSS) vulnerability, an attacker may use
an extensible markup language (XML) injection to perform the
equivalent of an XSS, in which requesters of a valid Web service have
their requests transparently rerouted to an attacker-controlled Web
service that performs malicious operations. To prevent XSS
vulnerabilities, the relying party should sanitize inputs from claimants
or subscribers to ensure they are not executable, or at the very least not
malicious, before displaying them as content to the subscriber’s
browser. The other three choices are incorrect because they are not
applicable to the situation here.

468
Q

In electronic authentication, which of the following controls is
not effective against a cross site request forgery (CSRF) attack?
a. Sanitize inputs to make them nonexecutable.
b. Insert random data into any linked uniform resource locator.
c. Insert random data into a hidden field.
d. Generate a per-session shared secret.

A

A. A cross site request forgery (CSRF) is a type of session
hijacking attack where a malicious website contains a link to the URL
of the legitimate relying party. Web applications, even those protected
by secure sockets layer/transport layer security (SSL/TLS), can still be
vulnerable to the CSRF attack. One control to protect against the
CSRF attack is inserting random data, supplied by the relying party,
into any linked uniform resource locator with side effects and into a
hidden field within any form on the relying party’s website.
Generating a per-session shared secret is effective against a session
hijacking problem.
Sanitizing inputs to make them nonexecutable is effective against cross
site scripting (XSS) attacks, not CSRF attacks.

469
Q

In electronic authentication, which of the following can mitigate the threat of assertion manufacture and/or modification?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS

A

A. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber. To mitigate the threat
of assertion manufacture and/or modification, the assertion may be
digitally signed by the verifier and the assertion sent over a protected
channel such as TLS/SSL. The other three choices are incorrect
because they are not applicable to the situation here.

470
Q

In electronic authentication, which of the following can mitigate the threat of assertion reuse?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS

A

B. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber. To mitigate the threat
of assertion reuse, the assertion should include a timestamp and a short
lifetime of validity. The other three choices are incorrect because they
are not applicable to the situation here.

471
Q

In electronic authentication, which of the following can mitigate the threat of assertion repudiation?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS

A

C. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber. To mitigate the threat
of assertion repudiation, the assertion may be digitally signed by the
verifier using a key that supports nonrepudiation. The other three
choices are incorrect because they are not applicable to the situation
here.

472
Q

In electronic authentication, which of the following can mitigate the threat of assertion substitution?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS

A

D. An assertion is a statement from a verifier to a relying party that
contains identity information about a subscriber. To mitigate the threat
of assertion substitution, the assertion may include a combination of
HTTP to handle message order and TLS to detect and disallow
malicious reordering of packets. The other three choices are incorrect
because they are not applicable to the situation here.

473
Q

In mobile device authentication, password and personal identification number (PIN) authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin

A

B. Proof-by-knowledge is where a claimant authenticates his
identity to a verifier by the use of a password or PIN (i.e., something
you know) that he has knowledge of.
Proof-by-possession and proof-by-property, along with
proof-by-knowledge, are used in mobile device authentication and robust
authentication. Proof-of-origin is the basis to prove an assertion. For
example, a private signature key is used to generate digital signatures
as a proof-of-origin.

473
Q

Serious vulnerabilities exist when:
a. An untrusted individual has been granted an unauthorized
access.
b. A trusted individual has been granted an authorized access.
c. An untrusted individual has been granted an authorized access.
d. A trusted individual has been granted an unauthorized access.

A

A. Vulnerabilities typically result when an untrusted individual is
granted unauthorized access to a system. Granting unauthorized access
is riskier than granting authorized access to an untrusted individual,
and trusted individuals are better than untrusted individuals. Both trust
and authorization are important to minimize vulnerabilities. The other
three choices are incorrect because serious vulnerabilities may not
exist with them.

474
Q

In mobile device authentication, fingerprint authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin

A

C. Proof-by-property is where a claimant authenticates his identity
to a verifier by the use of a biometric sample such as fingerprints (i.e.,
something you are).
Proof-by-possession and proof-by-knowledge, along with
proof-by-property, are used in mobile device authentication and robust
authentication. Proof-of-origin is the basis to prove an assertion. For
example, a private signature key is used to generate digital signatures
as a proof-of-origin.

475
Q

Which of the following actions is effective for reviewing guest/anonymous accounts, temporary accounts, inactive accounts,
and emergency accounts?
a. Disabling
b. Auditing
c. Notifying
d. Terminating

A

B. All the accounts mentioned in the question can be disabled,
notified, or terminated, but doing so is not effective. Auditing of account
creation, modification, notification, disabling, and termination (i.e., the
entire account cycle) is effective because it can identify anomalies in
the account cycle process.

476
Q

Regarding access enforcement, which of the following mechanisms should not be employed when an immediate response is necessary to ensure public and environmental safety?
a. Dual cable
b. Dual authorization
c. Dual use certificate
d. Dual backbone

A

B. Dual authorization mechanisms require two forms of approval to
execute. The organization should not employ a dual authorization
mechanism when an immediate response is necessary to ensure public
and environmental safety because it could slow down the needed
response. The other three choices are appropriate when an immediate
response is necessary.

477
Q

Which of the following is not an example of nondiscretionary access control?
a. Identity-based access control
b. Mandatory access control
c. Role-based access control
d. Temporal constraints

A

A. Nondiscretionary access control policies have rules that are not
established at the discretion of the user. These controls can be changed
only through administrative action and not by users. An identity-based
access control (IBAC) decision grants or denies a request based on the
presence of an entity on an access control list (ACL). IBAC and
discretionary access control are considered equivalent and are not
examples of nondiscretionary access controls.
The other three choices are examples of nondiscretionary access
controls. Mandatory access control deals with rules, role-based access
control deals with job titles and functions, and temporal constraints
deal with time-based restrictions and control time-sensitive activities.

478
Q

Encryption is used to reduce the probability of unauthorized disclosure and changes to information when a system is in which of the following secure, non-operable system states?
a. Troubleshooting
b. Offline for maintenance
c. Boot-up
d. Shutdown

A

B. Secure, non-operable system states are states in which the
information system is not performing business-related processing.
These states include offline for maintenance, troubleshooting, bootup,
and shutdown. Offline data should be stored with encryption in a
secure location. Removing information from online storage to offline
storage eliminates the possibility of individuals gaining unauthorized
access to that information via a network.

479
Q

Bitmap objects and textual objects are part of which of the following security policy filters?
a. File type checking filters
b. Metadata content filters
c. Unstructured data filters
d. Hidden content filters

A

C. Unstructured data consists of two basic categories: bitmap
objects (e.g., image, audio, and video files) and textual objects (e.g., emails and spreadsheets). Security policy filters include file type
checking filters, dirty word filters, structured and unstructured data
filters, metadata content filters, and hidden content filters.

480
Q

Information flow control enforcement employing rulesets to restrict information system services provides:
1. Structured data filters
2. Metadata content filters
3. Packet filters
4. Message filters
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

C. Packet filters are based on header information whereas message
filters are based on content using keyword searches. Both packet filters
and message filters use rulesets. Structured data filters and metadata
content filters do not use rulesets.

481
Q

For information flow enforcement, what are explicit security attributes used to control?
a. Release of sensitive data
b. Data content
c. Data structure
d. Source objects

A

A. Information flow enforcement using explicit security attributes
is used to control the release of certain types of information, such as
sensitive data. Data content, data structure, and source and destination
objects are examples of implicit security attributes.

482
Q

What do policy enforcement mechanisms, used to transfer information between different security domains prior to transfer,
include?
1. Embedding rules
2. Release rules
3. Filtering rules
4. Sanitization rules
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

C. Policy enforcement mechanisms include the filtering and/or
sanitization rules that are applied to information prior to transfer to a
different security domain. Embedding rules and release rules do not
handle information transfer.

483
Q

Which of the following is not an example of policy rules for cross domain transfers?
a. Prohibiting more than two-levels of embedding
b. Facilitating policy decisions on source and destination
c. Prohibiting the transfer of archived information
d. Limiting embedded components within other components

A

B. Parsing transfer files facilitates policy decisions on source,
destination, certificates, classification subject, or attachments. The
other three choices are examples of policy rules for cross domain
transfers.

484
Q
Which of the following are the ways to reduce the range of potential malicious content when transferring information between different security domains?
1. Constrain file lengths
2. Constrain character sets
3. Constrain schemas
4. Constrain data structures
a. 1 and 3
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

D. The information system, when transferring information between
different security domains, implements security policy filters that
constrain file lengths, character sets, schemas, data structures, and
allowed enumerations to reduce the range of potential malicious and/or
unsanctioned content.

485
Q

Which of the following cannot detect unsanctioned information and prohibit the transfer of such information between different security domains (i.e., domain-type enforcement)?
a. Implementing one-way flows
b. Checking information for malware
c. Implementing dirty word list searches
d. Applying security attributes to metadata

A

A. One-way flows are implemented using hardware mechanisms for
controlling the flow of information within a system and between
interconnected systems. As such they cannot detect unsanctioned
information.
The other three choices do detect unsanctioned information and
prohibit the transfer with actions such as checking all transferred
information for malware, implementing dirty word list searches on
transferred information, and applying security attributes to metadata
that are similar to information payloads.

486
Q

Which of the following binds security attributes to information to facilitate information flow policy enforcement?
a. Security labels
b. Resolution labels
c. Header labels
d. File labels

A

B. Means to bind and enforce the information flow include
resolution labels that distinguish between information systems and
their specific components, and between individuals involved in
preparing, sending, receiving, or disseminating information. The other
three types of labels cannot bind security attributes to information.

487
Q

Which of the following access enforcement mechanisms provides increased information security for an organization?
a. Access control lists
b. Business application system
c. Access control matrices
d. Cryptography

A

B. Normal access enforcement mechanisms include access control
lists, access control matrices, and cryptography. Increased information
security is provided at the application system level (i.e., accounting
and marketing systems) due to the use of passwords and PINs.

488
Q

What do policies about information on interconnected systems include?
1. Implementing access-only mechanisms
2. Implementing one-way transfer mechanisms
3. Employing hardware mechanisms to provide unitary flow
directions
4. Implementing regrading mechanisms to reassign security attributes
a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

A

D. Specific architectural security solutions can reduce the potential
for undiscovered vulnerabilities. These solutions include all four items
mentioned.

489
Q

From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of static separation of duties?
1. Role-based access control
2. Workflow policy
3. Rule-based access control
4. Chinese Wall policy
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

B. Separation of duty constraints require that two roles be mutually
exclusive because no user should have the privileges from both roles.
Both role-based and rule-based access controls are examples of static
separation of duty.
Dynamic separation of duty is enforced at access time, and the
decision to grant access refers to the past access history. Examples of
dynamic separation of duty include workflow policy and the Chinese
Wall policy.

490
Q

In biometrics-based identification and authentication techniques, which of the following statements are true about biometric errors?
1. High false rejection rate is preferred.
2. Low false acceptance rate is preferred.
3. High crossover error rate represents low accuracy.
4. Low crossover error rate represents low accuracy.
a. 1 and 3
b. 1 and 4
c. 2 and 3
d. 2 and 4

A

C. The goal of biometrics-based identification and authentication
techniques about biometric errors is to obtain low numbers for both
false rejection rate and false acceptance rate errors. Another goal is to
obtain a low crossover error rate because it represents high accuracy or
a high crossover error rate because it represents low accuracy.

491
Q

For password management, user-selected passwords generally contain which of the following?
1. Less entropy
2. Easier for users to remember
3. Weaker passwords
4. Easier for attackers to guess
a. 2 only
b. 2 and 3
c. 2, 3, and 4
d. 1, 2, 3, and 4

A

D. User-selected passwords generally contain less entropy, are easier for users to remember, use weaker passwords, and at the same time are easier for attackers to guess or crack.

492
Q

As a part of centralized password management solution, which of the following architectures for single sign-on technology becomes a single point-of-failure?
a. Kerberos authentication service
b. Lightweight directory access protocol
c. Domain passwords
d. Centralized authentication server

A

D. A common architecture for single sign-on (SSO) is to have an
authentication service, such as Kerberos, for authenticating SSO users,
and a database or directory service such as lightweight directory access
protocol (LDAP) that stores authentication information for the
resources the SSO handles authentication for. By definition, the SSO
technology uses a password, and an SSO solution usually includes one
or more centralized servers containing authentication credentials for
many users. Such a server becomes a single point-of-failure for
authentication to many resources, so the availability of the server
affects the availability of all the resources that rely on that server.

493
Q

If proper mutual authentication is not performed, what is the single sign-on technology vulnerable to?
a. Man-in-the-middle attack
b. Replay attack
c. Social engineering attack
d. Phishing attack

A

A. User authentication to the single sign-on (SSO) technology is
important. If proper mutual authentication is not performed, the SSO
technology using passwords is vulnerable to a man-in-the-middle
(MitM) attack. Social engineering and phishing attacks are based on
passwords, and replay attacks do not use passwords.

494
Q

From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of dynamic separation of duties?
1. Two-person rule
2. History-based separation of duty
3. Design-time
4. Run-time
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

A. The two-person rule states that the first user can be any
authorized user, but the second user must be an authorized user
different from the first. History-based separation of duty restricts
what a subject (role or user) may do to an object (program, record, or
device) based on what that subject has already done to it, so the same
subject cannot perform all of the conflicting steps on the same object.
Both decisions are made at run time from the access history, which is
what makes them dynamic. Design-time and run-time are terms used in
workflow policy, not types of separation of duty.

495
Q

From an access control point of view, the Chinese Wall policy focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Assurance

A

A. The Chinese Wall policy is used where company-sensitive
information (i.e., confidentiality) is divided into mutually disjoint
conflict-of-interest categories; once a subject has accessed data from
one company in a category, it is walled off from every other company in
that category. The Biba model focuses on integrity. Availability,
assurance, and integrity are other components of security principles
that are not relevant to the Chinese Wall policy.
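
The Chinese Wall (Brewer-Nash) decision described above, as an added example that is not part of the deck: the conflict-of-interest classes, company names, object names and the two rules (read permitted only if nothing from a competing company in the same class has been read; write permitted only if the subject cannot carry data across the wall) are this example's own assumptions, and the dataset is constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    """An object (file, record) belonging to one company dataset inside one conflict-of-interest class."""
    name: str
    company: str
    coi_class: str


@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)   # company datasets this subject has already read


class ChineseWall:
    """Brewer-Nash policy: a subject may read an object only if it has never read an object
    from a *different* company in the same conflict-of-interest class."""

    def __init__(self, objects):
        # Assumption for the example: each company dataset sits in exactly one COI class.
        self.coi_of = {o.company: o.coi_class for o in objects}

    def can_read(self, subj: Subject, obj: Obj) -> bool:
        if obj.company in subj.history:
            return True                                  # same company dataset: always fine
        # Deny if any company already read lies in the same COI class as obj's company.
        return all(self.coi_of[c] != obj.coi_class for c in subj.history)

    def read(self, subj: Subject, obj: Obj) -> bool:
        """Access decision plus history update: the wall is built by what the subject has seen."""
        if not self.can_read(subj, obj):
            return False
        subj.history.add(obj.company)
        return True

    def can_write(self, subj: Subject, obj: Obj) -> bool:
        """*-property: writing is allowed only if the subject can read obj and has read nothing
        from any other company, so that it cannot carry data across the wall."""
        return self.can_read(subj, obj) and subj.history <= {obj.company}


def demo() -> dict:
    """Constructed dataset: two banks in one COI class, one oil company in another."""
    objs = [Obj("bankA-ledger", "BankA", "banks"),
            Obj("bankB-ledger", "BankB", "banks"),
            Obj("oilX-plan", "OilX", "oil")]
    wall = ChineseWall(objs)
    alice = Subject("alice")
    bankA, bankB, oilX = objs
    return {
        "read_bankA": wall.read(alice, bankA),              # True: nothing read yet
        "read_bankB": wall.read(alice, bankB),              # False: BankA and BankB conflict
        "read_oilX": wall.read(alice, oilX),                # True: different COI class
        "read_bankA_again": wall.read(alice, bankA),        # True: same dataset
        "write_bankA": wall.can_write(alice, bankA),        # False: she has also read OilX data
        "write_fresh_analyst": wall.can_write(Subject("bob", {"BankA"}), bankA),  # True
    }
```

The point to notice is that the decision depends on the subject's history, not on a static label: the same object is readable by one analyst and forbidden to another purely because of what each has already seen.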

496
Q

From an access control point of view, which of the following maintains consistency between the internal data and users’ expectations of that data?
a. Security policy
b. Workflow policy
c. Access control policy
d. Chinese Wall policy

A

B. The goal of workflow policy is to maintain consistency between
the internal data and external (users’) expectations of that data. This is
because the workflow is a process, consisting of tasks, documents, and
data. The Chinese Wall policy deals with dividing sensitive data into
separate categories. The security policy and the access control policy
are too general to be of any importance here.

497
Q

From an access control point of view, separation of duty is not related to which of the following?
a. Safety
b. Reliability
c. Fraud
d. Security

A

B. Computer systems must be designed and developed with
security and safety in mind because unsecure and unsafe systems can
cause injury to people and damage to assets (e.g., military and airline
systems). With separation of duty (SOD), fraud can be minimized
when sensitive tasks are separated from each other (e.g., signing a
check from requesting a check). Reliability is more of an engineering
term in that a computer system is expected to perform with the
required precision on a consistent basis. On the other hand, SOD deals
with people and their work-related actions, which are not precise and
consistent.

498
Q

Which of the following statements are true about access controls, safety, trust, and separation of duty?
1. No leakage of access permissions is allowed to an unauthorized
principal.
2. No access privileges can be escalated to an unauthorized principal.
3. No principals’ trust means no safety.
4. No separation of duty means no safety.
a. 1 only
b. 2 only
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

D. If complete trust by a principal is not practical, there is a
possibility of a safety violation. The separation of duty concept is used
to enforce safety and security in some access control models. In an
event where there are many users (subjects), objects, and relations
between subjects and objects, safety needs to be carefully considered.

499
Q

From a safety configuration viewpoint, the separation of duty concept is not enforced in which of the following?
a. Mandatory access control policy
b. Bell-LaPadula access control model
c. Access control matrix model
d. Domain type enforcement access control model

A

C. The separation of duty concept is not enforced by the access
control matrix model because the general matrix model places no
constraints on how rights may be granted or propagated: whether a given
configuration is safe (whether a right can ever leak to an unauthorized
subject) has to be analysed case by case rather than being guaranteed
by the model. The other three choices are restricted access control
models with access constraints that describe the safety requirements
of any configuration.

500
Q

The purpose of static separation of duty is to address problems,
such as static exclusivity and the assurance principle. Which of the
following refers to the static exclusivity problem?
1. To reduce the likelihood of fraud.
2. To prevent the loss of user objectivity.
3. One user is less likely to commit fraud when this user is a part of
many users involved in a business transaction.
4. Few users are less likely to commit collusion when these users are
a part of many users involved in a business transaction.
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

A. A static exclusivity problem is the condition for which it is
considered dangerous for any user to gain authorization for a
conflicting set of access capabilities. The motivation for exclusivity
relations includes reducing the likelihood of fraud or preventing the
loss of user objectivity. The assurance principle deals with committing
fraud or collusion when many users are involved in handling a
business transaction.
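
Static and dynamic separation of duty side by side, as an added example covering the items in cards 494 and 500 (not code from the deck): static exclusivity is enforced when a role is assigned, while the two-person rule and history-based SoD are enforced when a step is performed, from the transaction's history. The cheque workflow, the step and role names and the users are constructed assumptions.

```python
from collections import defaultdict


class SodEnforcer:
    """Static SoD is checked when roles are assigned (design time); dynamic SoD is checked
    when a step is actually performed (run time), using the transaction's history."""

    def __init__(self, step_roles, exclusive_roles, conflicting_steps, two_person_steps):
        self.step_roles = {s: set(r) for s, r in step_roles.items()}      # step -> roles allowed to do it
        self.exclusive_roles = [frozenset(p) for p in exclusive_roles]     # static exclusivity pairs
        self.conflicting_steps = [frozenset(c) for c in conflicting_steps]  # history-based SoD sets
        self.two_person_steps = set(two_person_steps)                       # steps needing two distinct users
        self.roles = defaultdict(set)      # user -> roles held
        self.history = defaultdict(list)   # transaction -> [(user, step)] in order performed

    def assign_role(self, user, role):
        """Static SoD: refuse a role that is mutually exclusive with one the user already holds."""
        for pair in self.exclusive_roles:
            if role in pair and (pair - {role}) & self.roles[user]:
                return False
        self.roles[user].add(role)
        return True

    def perform(self, user, step, txn):
        """Dynamic SoD: decide at run time from who has already done what on this transaction."""
        if not self.roles[user] & self.step_roles.get(step, set()):
            return False                                   # no role permits this step
        done = self.history[txn]
        # History-based SoD: the same subject may not perform two conflicting steps on one object.
        for cset in self.conflicting_steps:
            if step in cset and any(u == user and s in cset and s != step for u, s in done):
                return False
        # Two-person rule: the second execution must come from a different authorized user.
        if step in self.two_person_steps and any(u == user and s == step for u, s in done):
            return False
        done.append((user, step))
        return True

    def completed(self, txn, step):
        """A two-person step counts as done only once two distinct users have performed it."""
        users = {u for u, s in self.history[txn] if s == step}
        return len(users) >= (2 if step in self.two_person_steps else 1)


def demo():
    """Constructed cheque workflow: request -> approve -> sign (two signers)."""
    sod = SodEnforcer(
        step_roles={"request": {"clerk", "manager"}, "approve": {"manager"}, "sign": {"signer"}},
        exclusive_roles=[("clerk", "signer")],       # static: nobody is both clerk and signer
        conflicting_steps=[{"request", "approve"}],  # dynamic: requester may not approve own request
        two_person_steps={"sign"},
    )
    r = {}
    r["alice_clerk"] = sod.assign_role("alice", "clerk")            # True
    r["alice_signer"] = sod.assign_role("alice", "signer")          # False: static exclusivity
    for user, role in [("bob", "clerk"), ("bob", "manager"), ("frank", "manager"),
                       ("carol", "signer"), ("dave", "signer")]:
        sod.assign_role(user, role)
    r["bob_request"] = sod.perform("bob", "request", "chk-1")        # True
    r["bob_approve"] = sod.perform("bob", "approve", "chk-1")        # False: history-based SoD
    r["frank_approve"] = sod.perform("frank", "approve", "chk-1")    # True
    r["carol_sign"] = sod.perform("carol", "sign", "chk-1")          # True
    r["carol_sign_again"] = sod.perform("carol", "sign", "chk-1")    # False: two-person rule
    r["signed_after_one"] = sod.completed("chk-1", "sign")           # False
    r["dave_sign"] = sod.perform("dave", "sign", "chk-1")            # True
    r["signed_after_two"] = sod.completed("chk-1", "sign")           # True
    return r
```

Bob holds both clerk and manager, which the static rule permits; it is the run-time history on chk-1 that stops him approving his own request. That is the distinction the two cards draw between static exclusivity and dynamic separation.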

501
Q

Role-based access control and the least privilege principle do not enable which of the following?
a. Read access to a specified file
b. Write access to a specified directory
c. Connect access to a given host computer
d. One administrator with super-user access permissions

A

D. The concept of limiting access or least privilege is simply to
provide no more authorization than necessary to perform required
functions. Best practice suggests it is better to have several
administrators with limited access to security resources rather than one
administrator with super-user access permissions. The principle of
least privilege is connected to the role-based access control in that each
role is assigned those access permissions needed to perform its
functions, as mentioned in the other three choices.

502
Q

From an access control viewpoint, which of the following requires an audit the most?
a. Public access accounts
b. Nonpublic accounts
c. Privileged accounts
d. Non-privileged accounts

A

C. The goal is to limit exposure due to operating from within a
privileged account or role. A change of role for a user or process
should provide the same degree of assurance in the change of access
authorizations for that user or process. The same degree of assurance is
also needed when a change between a privileged account and a
non-privileged account takes place. Auditing of privileged accounts is
required mostly to ensure that privileged account users use only the
privileged accounts and that non-privileged account users use only the
non-privileged accounts. An audit is not required for public access
accounts due to little or no risk involved. Privileged accounts are
riskier than nonpublic accounts.

503
Q

From an information flow policy enforcement viewpoint, which of the following allows forensic reconstruction of events?
1. Security attributes
2. Security policies
3. Source points
4. Destination points
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

C. The ability to identify source and destination points for
information flowing in an information system allows for forensic
reconstruction of events and increases compliance to security policies.
Security attributes are critical components of the operations security
concept.

504
Q

From an access control policy enforcement viewpoint, which of
the following should not be given a privileged user account to
access security functions during the course of normal operations?
1. Network administration department
2. Security administration department
3. End user department
4. Internal audit department
a. 1 and 2
b. 3 only
c. 4 only
d. 3 and 4

A

D. Privileged user accounts should be established and administered
in accordance with a role-based access scheme to access security
functions. Privileged roles include network administration, security
administration, system administration, database administration, and
Web administration, and should be given access to security functions.
End users and internal auditors should not be given a privileged
account to access security functions during the course of normal
operations.

505
Q

From an access control account management point of view, service-oriented architecture implementations rely on which of the
following?
a. Dynamic user privileges
b. Static user privileges
c. Predefined user privileges
d. Dynamic user identities

A

A. Service-oriented architecture (SOA) implementations rely on
run-time access control decisions facilitated by dynamic privilege
management. In contrast, conventional access control implementations
employ static information accounts and predefined sets of user
privileges. Although user identities remain relatively constant over
time, user privileges may change more frequently based on the
ongoing business requirements and operational needs of the
organization.

506
Q

For privilege management, which of the following is the correct
order?
a. Access control⇒Access management⇒Authentication
management⇒Privilege management
b. Access management⇒Access control⇒Privilege
management⇒Authentication management
c. Authentication management⇒Privilege management⇒Access
control⇒Access management
d. Privilege management⇒Access management⇒Access
control⇒Authentication management

A

C. Privilege management is defined as a process that creates,
manages, and stores the attributes and policies needed to establish
criteria that can be used to decide whether an authenticated entity’s
request for access to some resource should be granted. Authentication
management deals with identities, credentials, and any other
authentication data needed to establish an identity. Access
management, which includes privilege management and access
control, encompasses the science and technology of creating,
assigning, storing, and accessing attributes and policies. These
attributes and policies are used to decide whether an entity’s request
for access should be allowed or denied. In other words, a typical access
decision starts with authentication management and ends with access
management, whereas privilege management falls in between.

507
Q

From an access control viewpoint, which of the following are examples of super user accounts?
a. Root and guest accounts
b. Administrator and root accounts
c. Anonymous and root accounts
d. Temporary and end-user accounts

A

B. Super user accounts are typically described as administrator or
root accounts. Access to super user accounts should be limited to
designated security and system administration staff only, and not to the
end-user accounts, guest accounts, anonymous accounts, or temporary
accounts. Security and system administration staff use the super user
accounts to access key security/system parameters and commands.

508
Q

Responses to unsuccessful login attempts and session locks are implemented with which of the following?
a. Operating system and firmware
b. Application system and hardware
c. Operating system and application system
d. Hardware and firmware

A

C. Response to unsuccessful login attempts can be implemented at
both the operating system and the application system levels. The
session lock is implemented typically at the operating system level but
may be at the application system level. Hardware and firmware are not
used for unsuccessful login attempts and session lock.

509
Q

Which of the following statements is not true about a session lock in access control?
a. A session lock is a substitute for logging out of the system.
b. A session lock can be activated on a device with a display
screen.
c. A session lock places a publicly viewable pattern on to the
device display screen.
d. A session lock hides what was previously visible on the device
display screen.

A

A. A session lock prevents further access to an information system
after a defined time period of inactivity. A session lock is not a
substitute for logging out of the system as in logging out at the end of
the workday. The other three choices are true statements about a
session lock.

510
Q

Which of the following user actions are permitted without identification or authentication?
1. Access to public websites
2. Emergency situations
3. Unsuccessful login attempts
4. Reestablishing a session lock
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4

A

C. Access to public websites and emergency situations are
examples of user permitted actions that don’t require identification or
authentication. Both unsuccessful login attempts and reestablishing a
session lock require proper identification or authentication procedures.
A session lock is retained until proper identification or authentication
is submitted, accepted, and reestablished.

511
Q

Which of the following circumstances require additional security protections for mobile devices after unsuccessful login
attempts?
a. When a mobile device requires a login to itself, and not a user
account on the device
b. When a mobile device is accessing a removable media without a
login
c. When information on the mobile device is encrypted
d. When the login is made to any one account on the mobile device

A

A. Additional security protection is needed for a mobile device
(e.g., PDA) requiring a login where the login is made to the mobile
device itself, not to any one account on the device. Additional
protection is not needed when removable media is accessed without a
login and when the information on the mobile device is encrypted. A
successful login to any account on the mobile device resets the
unsuccessful login count to zero.

512
Q

An information system dynamically reconfigures with which of the following as information is created and combined?
a. Security attributes and data structures
b. Security attributes and security policies
c. Security attributes and information objects
d. Security attributes and security labels

A

B. An information system dynamically reconfigures security
attributes in accordance with an identified security policy as
information is created and combined. The system supports and
maintains the binding of security attributes to information in storage, in
process, and in transmission. The term security label is often used to
associate a set of security attributes with a specific information object
as part of the data structures (e.g., records, buffers, and files) for that
object.

513
Q

For identity management, international standards do not use which of the following access control policies for making access
control decisions?
1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Identity-based access control (IBAC)
4. Rule-based access control (RuBAC)
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4

A

A. International standards for access control decisions do not use
the U.S.-based discretionary or mandatory access control policies.
Instead, they use identity-based and rule-based access control policies.

514
Q

Which of the following is an example of less than secure networking protocols for remote access sessions?
a. Secure shell-2
b. Virtual private network with blocking mode enabled
c. Bulk encryption
d. Peer-to-peer networking protocols

A

D. An organization must ensure that remote access sessions for
accessing security functions employ security measures and that they
are audited. Bulk encryption, session layer encryption, secure shell-2
(SSH-2), and virtual private networking (VPN) with blocking enabled
are standard security measures. Bluetooth and peer-to-peer (P2P)
networking are examples of less than secure networking protocols.

515
Q

For wireless access, in which of the following ways does an organization confine wireless communications to organization controlled boundaries?
1. Reducing the power of the wireless transmission and controlling
wireless emanations
2. Configuring the wireless access path such that it is point-to-point
in nature
3. Using mutual authentication protocols
4. Scanning for unauthorized wireless access points and connections
a. 1 only
b. 3 only
c. 2 and 4
d. 1, 2, 3, and 4

A

D. Actions that may be taken to confine wireless communication to
organization-controlled boundaries include all the four items
mentioned. Mutual authentication protocols include EAP/TLS and
PEAP. Reducing the power of the wireless transmission means that the
transmission cannot go beyond the physical perimeter of the
organization. It also includes installing TEMPEST measures to control
emanations.

516
Q

For access control for mobile devices, which of the following assigns responsibility and accountability for addressing known vulnerabilities in the media?
a. Use of writable, removable media
b. Use of personally owned removable media
c. Use of project-owned removable media
d. Use of nonowner removable media

A

C. An identifiable owner (e.g., employee, organization, or project)
for removable media helps to reduce the risk of using such technology
by assigning responsibility and accountability for addressing known
vulnerabilities in the media (e.g., malicious code insertion). Use of
project-owned removable media is acceptable because the media is
assigned to a project, and the other three choices are not acceptable
because they have no accountability feature attached to them.
Restricting the use of writable, removable media is a good security
practice.

517
Q

For access control for mobile devices, which of the following actions can trigger an incident response handling process?
a. Use of external modems or wireless interfaces within the device
b. Connection of unclassified mobile devices to unclassified
systems
c. Use of internal modems or wireless interfaces within the device
d. Connection of unclassified mobile devices to classified systems

A

D. When unclassified mobile devices are connected to classified
systems containing classified information, it is a risky situation
because a security policy is violated. This action should trigger an
incident response handling process. Connection of an unclassified
mobile device to an unclassified system still requires an approval;
although, it is less risky. Use of internal or external modems or
wireless interfaces within the mobile device should be prohibited.

518
Q

For least functionality, organizations utilize which of the following to identify and prevent the use of prohibited functions, ports, protocols, and services?
1. Network scanning tools
2. Intrusion detection and prevention systems
3. Firewalls
4. Host-based intrusion detection systems
a. 1 and 3
b. 2 and 4
c. 3 and 4
d. 1, 2, 3, and 4

A

D. Organizations can utilize network scanning tools, intrusion
detection and prevention systems (IDPS), endpoint protections such as
firewalls, and host-based intrusion detection systems to identify and
prevent the use of prohibited functions, ports, protocols, and services.

519
Q

An information system uses multifactor authentication mechanisms to minimize potential risks for which of the following situations?
1. Network access to privileged accounts
2. Local access to privileged accounts
3. Network access to non-privileged accounts
4. Local access to non-privileged accounts
a. 1 and 2
b. 1 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

D. An information system must use multifactor authentication
mechanisms for both network access (privileged and non-privileged)
and local access (privileged and non-privileged) because both
situations are risky. System/network administrators have administrative
(privileged) accounts, and these individuals have access to a set of
“access rights” on a given system. Malicious non-privileged account
users are as risky as privileged account users because they can cause
damage to data and program files.

520
Q

Which of the following statements is not true about identification and authentication requirements?
a. Group authenticators should be used with an individual
authenticator
b. Group authenticators should be used with a unique authenticator
c. Unique authenticators in group accounts need greater
accountability
d. Individual authenticators should be used at the same time as the
group authenticators

A

D. You need to require that individuals are authenticated with an
individual authenticator prior to using a group authenticator. The other
three choices are true statements.

521
Q

Which of the following can prevent replay attacks in an authentication process for network access to privileged and non privileged accounts?
1. Nonces
2. Challenges
3. Time synchronous authenticators
4. Challenge-response one-time authenticators
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

D. An authentication process resists replay attacks if it is
impractical to achieve a successful authentication by recording and
replaying a previous authentication message. Techniques used to
address the replay attacks include protocols that use nonces or
challenges (e.g., TLS) and time synchronous or challenge-response
one-time authenticators.
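
Mutual challenge-response with nonces, as an added example that ties card 493 (what mutual authentication prevents) to card 521 (how nonces resist replay). This is not code from the deck and not a real protocol: the three-message exchange, the `Peer`, `tag` and `run_handshake` names, the peer identities and the pre-shared key are this example's own assumptions. Each side issues a fresh nonce, proves knowledge of the shared key bound to both nonces, and refuses any nonce it has already consumed.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so nonces and names cannot be re-split."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Peer:
    """One endpoint of a two-nonce mutual challenge-response handshake over a pre-shared key."""

    def __init__(self, me: str, other: str, key: bytes):
        self.me, self.other, self.key = me.encode(), other.encode(), key
        self.outstanding = set()   # challenges I issued that have not been answered yet
        self.answered = set()      # peer challenges I have already answered

    def challenge(self) -> bytes:
        """Message 1: a fresh 128-bit nonce; recorded so a later answer can be matched to it."""
        n = secrets.token_bytes(16)
        self.outstanding.add(n)
        return n

    def respond(self, n_init: bytes):
        """Message 2: prove the key bound to the initiator's nonce and add our own challenge."""
        if n_init in self.answered:
            return None                               # replayed challenge: refuse
        self.answered.add(n_init)
        n_resp = self.challenge()
        return n_resp, tag(self.key, self.me, n_init, n_resp)

    def finish(self, n_init: bytes, n_resp: bytes, t_resp: bytes):
        """Message 3: check the responder's proof first (mutual authentication), then answer
        its challenge. Returns None if the responder is an impostor or the message is stale."""
        if n_init not in self.outstanding:
            return None                               # not a challenge we issued, or already used
        self.outstanding.discard(n_init)
        expected = tag(self.key, self.other, n_init, n_resp)
        if not hmac.compare_digest(t_resp, expected):
            return None                               # responder does not know the key
        if n_resp in self.answered:
            return None
        self.answered.add(n_resp)
        return tag(self.key, self.me, n_resp, n_init)

    def verify(self, n_resp: bytes, n_init: bytes, t_init: bytes) -> bool:
        """Responder's check of message 3; a second delivery fails because the nonce is consumed."""
        if n_resp not in self.outstanding:
            return False
        self.outstanding.discard(n_resp)
        return hmac.compare_digest(t_init, tag(self.key, self.other, n_resp, n_init))


def run_handshake(client: Peer, server: Peer):
    """Drive one exchange. Returns (server_authenticated, client_authenticated, transcript)."""
    n_c = client.challenge()
    reply = server.respond(n_c)
    if reply is None:
        return False, False, None
    n_s, t_s = reply
    t_c = client.finish(n_c, n_s, t_s)
    if t_c is None:
        return False, False, None                     # client refuses to talk to an impostor
    return True, server.verify(n_s, n_c, t_c), (n_c, n_s, t_s, t_c)
```

Two failure modes are worth trying: a server that does not hold the key cannot produce message 2, so the client never sends its own proof (the man-in-the-middle case of card 493), and any captured message replayed later is rejected because its nonce has already been consumed (card 521).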

522
Q

For device identification and authentication, dynamic address allocation process for devices is standardized with which of the following?
a. Dynamic host configuration protocol
b. Dynamic authentication
c. Dynamic hypertext markup language
d. Dynamic binding

A

A. For dynamic address allocation for devices, dynamic host
configuration protocol (DHCP)-enabled clients obtain leases for
Internet Protocol (IP) addresses from DHCP servers. Therefore, the
dynamic address allocation process for devices is standardized with
DHCP. The other three choices do not have the capability to obtain
leases for IP addresses.

523
Q

For identifier management, service-oriented architecture implementations do not rely on which of the following?
a. Dynamic identities
b. Dynamic attributes and privileges
c. Preregistered users
d. Pre-established trust relationships

A

C. Conventional approaches to identification and authentication
employ static information system accounts for known preregistered
users. Service-oriented architecture (SOA) implementations do not rely
on static identities but do rely on establishing identities at run time
for entities (i.e., dynamic identities) that were previously unknown.
Dynamic identities are associated with dynamic attributes and
privileges, and they rely on pre-established trust relationships.

524
Q

For authenticator management, which of the following presents a significant security risk?
a. Stored authenticators
b. Default authenticators
c. Reused authenticators
d. Refreshed authenticators

A

B. Organizations should change the default authenticators upon
information system installation or require vendors and/or
manufacturers to provide unique authenticators prior to delivery. This
is because default authenticator credentials are often well known,
easily discoverable, and present a significant security risk, and
therefore, should be changed upon installation. A stored or embedded
authenticator can be risky depending on whether it is encrypted or
unencrypted. Both reused and refreshed authenticators are less risky
compared to default and stored authenticators because they are under
the control of the user organization.

525
Q

For authenticator management, use of which of the following is risky and leads to possible alternatives?
a. A single sign-on mechanism
b. Same user identifier and different user authenticators on all
systems
c. Same user identifier and same user authenticator on all systems
d. Different user identifiers and different user authenticators on
each system

A

C. Examples of user identifiers include the account names assigned to
internal users, contractors, external users, and guests. Examples of
user authenticators include passwords, PINs, tokens, biometrics,
PKI/digital certificates, and key cards. When an individual has
accounts on multiple information systems, there is the risk that if one
account is compromised and the individual uses the same user
identifier and authenticator, other accounts will be compromised as
well. Possible alternatives include (i) having the same user identifier
but different authenticators on all systems, (ii) having different user
identifiers and different user authenticators on each system, (iii)
employing a single sign-on mechanism, or (iv) having one-time
passwords on all systems.

526
Q

For authenticator management, which of the following is the least risky situation when compared to the others?
a. Authenticators embedded in an application system
b. Authenticators embedded in access scripts
c. Authenticators stored on function keys
d. Identifiers created at run-time

A

D. It is less risky to dynamically manage identifiers, attributes, and
access authorizations. Run-time identifiers are created on the fly for
previously unknown entities. Information security management should
ensure that unencrypted, static authenticators are not embedded in
application systems or access scripts, or stored on function keys,
because these approaches are risky. Here, the concern is to
determine whether an embedded or stored authenticator is in the
encrypted or unencrypted form.

527
Q

Which of the following access authorization policies applies to when an organization has a list of software not authorized to execute on an information system?
a. Deny-all, permit-by-exception
b. Allow-all, deny-by-exception
c. Allow-all, deny-by-default
d. Deny-all, accept-by-permission

A

A. An organization employs a deny-all, permit-by-exception
authorization policy to identify software not allowed to execute on the
system. The other three choices are incorrect because the correct
answer is based on specific access authorization policy.

528
Q

Encryption is a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

A

B. Encryption prevents unauthorized access and protects data and
programs when they are in storage (at rest) or in transit. Preventive
controls deter security incidents from happening in the first place.
Directive controls are broad-based controls to handle security
incidents, and they include management’s policies, procedures, and
directives. Detective controls enhance security by monitoring the
effectiveness of preventive controls and by detecting security incidents
where preventive controls were circumvented. Corrective controls are
procedures to react to security incidents and to take remedial actions
on a timely basis. Corrective controls require proper planning and
preparation as they rely more on human judgment.

529
Q

Which of the following access authorization policies applies to external networks through managed interfaces employing boundary protection devices such as gateways or firewalls?
a. Deny-all, permit-by-exception
b. Allow-all, deny-by-exception
c. Allow-all, deny-by-default
d. Deny-all, accept-by-permission

A

A. Examples of managed interfaces employing boundary
protection devices include proxies, gateways, routers, firewalls,
hardware/software guards, and encrypted tunnels on a demilitarized
zone (DMZ). This policy “deny-all, permit-by-exception” denies
network traffic by default and enables network traffic by exception
only.
The other three choices are incorrect because the correct answer is
based on specific access authorization policy. Access control lists
(ACL) can be applied to traffic entering the internal network from
external sources.

530
Q

Which of the following are needed when the enforcement of normal security policies, procedures, and rules are difficult to implement?
1. Compensating controls
2. Close supervision
3. Team review of work
4. Peer review of work
a. 1 only
b. 2 only
c. 1 and 2
d. 1, 2, 3, and 4

A

D. When the enforcement of normal security policies, procedures,
and rules is difficult, it takes on a different dimension from that of
requiring contracts, separation of duties, and system access controls.
Under these situations, compensating controls in the form of close
supervision, followed by peer and team review of the quality of work,
are needed.

101. a. An information system authenticates devices before
establishing remote and wireless network connections using
bidirectional, cryptographically based authentication between devices.
Examples of device identifiers include media access control (MAC)
addresses, IP addresses, e-mail IDs, and device-unique token
identifiers. Examples of device authenticators include digital/PKI
certificates and passwords. The other three choices are not correct
because they lack two-way authentication.

531
Q

Which of the following is critical to understanding an access control policy?
a. Reachable-state
b. Protection-state
c. User-state
d. System-state

A

B. The protection-state is the part of the system-state critical to
understanding an access control policy: it records which subjects hold
which rights over which objects. A reachable-state is any state the
system can enter from its initial state by applying its commands, and
safety analysis asks whether any reachable protection-state leaks a
right. User-state is not critical because it is the least privileged
mode.

532
Q

Which of the following should not be used in Kerberos authentication implementation?
a. Data encryption standard (DES)
b. Advanced encryption standard (AES)
c. Rivest, Shamir, and Adleman (RSA)
d. Diffie-Hellman (DH)

A

A. DES is weak and should not be used: its 56-bit key is within reach
of brute-force search, and its use in Kerberos has several documented
security weaknesses. The other three choices can be used.
AES can be used because it is strong. RSA is used in key transport
where the authentication server generates the user symmetric key and
sends the key to the client. DH is used in key agreement between the
authentication server and the client.

533
Q

From an access control decision viewpoint, failures due to flaws in permission-based systems tend to do which of the following?
a. Authorize permissible actions
b. Fail-safe with permission denied
c. Unauthorize prohibited actions
d. Grant unauthorized permissions

A

B. When failures occur due to flaws in permission-based systems,
they tend to fail-safe with permission denied. There are two types of
access control decisions: permission-based and exclusion-based.

534
Q

Host and application system hardening procedures are a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

A

B. Host and application system hardening procedures are a part of
preventive controls, as they include antivirus software, firewalls, and
user account management. Preventive controls deter security incidents
from happening in the first place.
Directive controls are broad-based controls to handle security
incidents, and they include management’s policies, procedures, and
directives. Detective controls enhance security by monitoring the
effectiveness of preventive controls and by detecting security incidents
where preventive controls were circumvented. Corrective controls are
procedures to react to security incidents and to take remedial actions
on a timely basis. Corrective controls require proper planning and
preparation as they rely more on human judgment.

535
Q

From an access control decision viewpoint, fail-safe defaults operate on which of the following?
1. Exclude and deny
2. Permit and allow
3. No access, yes default
4. Yes access, yes default
a. 1 only
b. 2 only
c. 2 and 3
d. 4 only

A

C. Fail-safe defaults mean that access control decisions should be
based on permission rather than exclusion: the policy explicitly lists
what is permitted (a permit-and-allow list) and anything not listed is
refused, so lack of access is the default condition (i.e., no access,
yes default). The opposite posture, allowing everything unless it is
explicitly denied, is a yes-access, yes-default situation and does not
satisfy fail-safe defaults.
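As an added illustration of the permission-based versus exclusion-based distinction in cards 533 and 535 (example code written for this page, not from the original deck), the following Python compares an allow-list policy with a deny-list policy, including what each does when the policy itself is broken. The subjects, actions and policy tables are constructed.

```python
"""Permission-based (allow-list) vs exclusion-based (deny-list) access decisions.

Added example for flashcards 533 and 535; not from the original deck. The
policy tables, subjects and actions below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class PermissionBasedPolicy:
    """Grants only what is explicitly listed; everything else is denied.

    If the policy is missing or malformed (simulated by `broken`), the
    decision collapses to 'deny': the fail-safe default.
    """
    grants: dict = field(default_factory=dict)   # subject -> set of allowed actions
    broken: bool = False

    def decide(self, subject: str, action: str) -> bool:
        if self.broken:
            return False                           # fails closed
        return action in self.grants.get(subject, set())


@dataclass
class ExclusionBasedPolicy:
    """Denies only what is explicitly listed; everything else is allowed.

    The same flaw (missing entry, malformed policy) silently becomes 'allow'.
    """
    denials: dict = field(default_factory=dict)  # subject -> set of denied actions
    broken: bool = False

    def decide(self, subject: str, action: str) -> bool:
        if self.broken:
            return True                            # fails open
        return action not in self.denials.get(subject, set())


# Constructed sample policies: alice may read and write reports; bob may only read.
PERMISSIONS = PermissionBasedPolicy(grants={
    "alice": {"read:report", "write:report"},
    "bob": {"read:report"},
})
EXCLUSIONS = ExclusionBasedPolicy(denials={
    "bob": {"write:report"},
})


def compare(subject: str, action: str) -> dict:
    """Return the decision each model makes, both healthy and under a flaw."""
    return {
        "permission_ok": PERMISSIONS.decide(subject, action),
        "permission_broken": PermissionBasedPolicy(broken=True).decide(subject, action),
        "exclusion_ok": EXCLUSIONS.decide(subject, action),
        "exclusion_broken": ExclusionBasedPolicy(broken=True).decide(subject, action),
    }


if __name__ == "__main__":
    # carol appears in neither policy: the allow-list denies her,
    # the deny-list lets her through.
    for subj, act in [("alice", "write:report"), ("bob", "write:report"),
                      ("carol", "delete:report")]:
        print(subj, act, compare(subj, act))
```

The unlisted subject (carol) is the interesting case: the permission-based model refuses her by default, the exclusion-based model admits her, and when either policy is broken only the permission-based model stays closed.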

536
Q

For password management, automatically generated random passwords usually provide which of the following?
1. Greater entropy
2. Passwords that are hard for attackers to guess
3. Stronger passwords
4. Passwords that are hard for users to remember
a. 2 only
b. 2 and 3
c. 2, 3, and 4
d. 1, 2, 3, and 4

A

D. Automatically generated random (or pseudo-random) passwords
usually provide greater entropy, are hard for attackers to guess or
crack, and are therefore stronger, but at the same time are hard for
users to remember.

537
Q

In biometrics-based identification and authentication techniques, which of the following indicates that security is unacceptably weak?
a. Low false acceptance rate
b. Low false rejection rate
c. High false acceptance rate
d. High false rejection rate

A

C. The trick is balancing the trade-off between the false
acceptance rate (FAR) and false rejection rate (FRR). A high FAR
means that security is unacceptably weak.
A FAR is the probability that a biometric system can incorrectly
identify an individual or fail to reject an imposter. The FAR given
normally assumes passive imposter attempts, and a low FAR is better.
The FAR is stated as the ratio of the number of false acceptances
divided by the number of identification attempts.
An FRR is the probability that a biometric system will fail to identify
an individual or verify the legitimate claimed identity of an individual.
A low FRR is better. The FRR is stated as the ratio of the number of
false rejections divided by the number of identification attempts.

538
Q

In biometrics-based identification and authentication techniques, which of the following indicates that technology used in a biometric system is not viable?
a. Low false acceptance rate
b. Low false rejection rate
c. High false acceptance rate
d. High false rejection rate

A

D. A high false rejection rate (FRR) means that the technology is
creating a nuisance for falsely rejected users, thereby undermining
user acceptance and calling into question the viability of the
technology used. This could also mean that the technology is obsolete,
inappropriate, and/or not meeting the users' changing needs.
A false acceptance rate (FAR) is the probability that a biometric
system will incorrectly identify an individual or fail to reject an
imposter. The FAR given normally assumes passive imposter attempts,
and a low FAR is better and a high FAR is an indication of a poorly
operating biometric system, not related to technology. The FAR is
stated as the ratio of the number of false acceptances divided by the
number of identification attempts.
A FRR is the probability that a biometric system will fail to identify an
individual or verify the legitimate claimed identity of an individual. A
low FRR is better. The FRR is stated as the ratio of the number of false
rejections divided by the number of identification attempts.
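To make the FAR/FRR trade-off in cards 537 and 538 concrete, here is an added Python example (not from the original deck) that computes both rates from matcher scores at a given threshold and finds the crossover point where the two rates are closest. The score lists are constructed, not real sensor output.

```python
"""Computing FAR and FRR for a biometric matcher at a chosen threshold.

Added example for flashcards 537 and 538; not from the original deck. The
match scores below are constructed, not measurements from a real sensor.
"""

# Constructed similarity scores (0..100) from a matcher. 'genuine' are attempts
# by the enrolled user; 'impostor' are attempts by other people.
GENUINE_SCORES = [92, 88, 81, 77, 95, 69, 84, 90, 73, 86]
IMPOSTOR_SCORES = [12, 35, 48, 22, 61, 30, 55, 18, 40, 66]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring at/above the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold where |FAR - FRR| is smallest: the crossover (equal error) point."""
    return min(thresholds,
               key=lambda t: abs(far(impostor_scores, t) - frr(genuine_scores, t)))


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 10)):
        print(f"threshold {t:3d}  FAR {a:.2f}  FRR {r:.2f}")
    print("crossover:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 10)))
```

Raising the threshold drives FAR down (better security) and FRR up (more nuisance for genuine users), which is exactly the balance the two cards describe; a high-security deployment sits to the right of the crossover, a convenience-oriented one to the left.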

539
Q

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of identity spoofing?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock

A

A. An adversary may present something other than his own
biometric to trick the system into verifying someone else’s identity,
known as spoofing. One type of mitigation for an identity spoofing
threat is liveness detection (e.g., pulse or lip reading). The other three
choices cannot perform liveness detection.

540
Q

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of impersonation?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock

A

B. Attackers can use residual data on the biometric reader or in
memory to impersonate someone who authenticated previously.
Cryptographic methods such as digital signatures can prevent attackers
from inserting or swapping biometric data without detection. The other
three choices do not provide cryptographic measures to prevent
impersonation attacks.

541
Q

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of replay attack?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock

A

C. A replay attack occurs when someone captures a valid user's
biometric data and presents it at a later time for unauthorized access. A
potential solution is to reject exact matches, since genuine live
captures of the same trait virtually never match bit-for-bit, thereby
requiring the user to provide another biometric sample. The other three
choices do not detect a repeated, identical sample.

542
Q

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of a security breach from unsuccessful authentication attempts?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock

A

D. It is good to limit the number of attempts any user can
unsuccessfully attempt to authenticate. A session lock should be placed
where the system locks the user out and logs a security event whenever
a user exceeds a certain amount of failed logon attempts within a
specified timeframe.
The other three choices cannot stop unsuccessful authentication
attempts. For example, if an adversary can repeatedly submit fake
biometric data hoping for an exact match, it creates a security breach
without a session lock. In addition, rejecting exact matches creates ill
will with the genuine user.

543
Q

In the single sign-on technology, timestamps thwart which of the following?
a. Man-in-the-middle attack
b. Replay attack
c. Social engineering attack
d. Phishing attack

A

B. Timestamps or other mechanisms to thwart replay attacks
should be included in the single sign-on (SSO) credential
transmissions, so that a captured credential cannot be presented again
later. A man-in-the-middle (MitM) attack exploits the lack of mutual
authentication between the parties, and social engineering and phishing
attacks trick the user into revealing passwords; timestamps do not
address any of these.
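An added example for card 543 (not code from the original deck): a timestamped SSO credential whose relying party checks the MAC, the freshness window and a nonce cache. The '|'-delimited token format, the shared key and the 60-second skew are assumptions for illustration. The timestamp alone only bounds how long a captured credential stays usable; within that window it can still be replayed, which is why the verifier also remembers the nonces it has accepted.

```python
"""Timestamped, signed SSO credential with replay rejection.

Added example for flashcard 543; it is not code from the original deck. The
token format (fields joined by '|' and authenticated with HMAC-SHA256), the
shared key and the skew window are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY = b"constructed-shared-key-for-example-only"   # assumption: issuer/verifier shared key
MAX_SKEW_SECONDS = 60                               # assumption: acceptable clock skew


def issue(user: str, now: float, key: bytes = KEY) -> str:
    """Issuer side: user|timestamp|nonce|mac."""
    ts = str(int(now))
    nonce = secrets.token_hex(8)
    body = f"{user}|{ts}|{nonce}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class Verifier:
    """Relying party: checks MAC, freshness, and that the nonce was not seen before.

    Seen nonces only need to be kept until their timestamp falls outside the
    skew window, because a token that old is rejected as stale anyway.
    """

    def __init__(self, key: bytes = KEY, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}          # nonce -> timestamp, pruned once expired

    def verify(self, token: str, now: float) -> Optional[str]:
        """Return the authenticated user name, or None if the token is rejected."""
        try:
            user, ts, nonce, mac = token.split("|")
            ts_int = int(ts)
        except ValueError:
            return None                                  # malformed
        body = f"{user}|{ts}|{nonce}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                                  # forged or tampered
        if abs(now - ts_int) > self.max_skew:
            return None                                  # stale, or clocks too far apart
        self._prune(now)
        if nonce in self.seen:
            return None                                  # replay inside the window
        self.seen[nonce] = ts_int
        return user

    def _prune(self, now: float) -> None:
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}


if __name__ == "__main__":
    v = Verifier()
    tok = issue("alice", 1_000_000)
    print(v.verify(tok, 1_000_010))    # alice
    print(v.verify(tok, 1_000_020))    # None: replay inside the window
    print(v.verify(tok, 1_000_500))    # None: stale
```

The MAC check must come before the freshness and nonce checks so that an attacker cannot probe the nonce cache with forged tokens; `hmac.compare_digest` keeps the comparison constant-time.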

544
Q

From an access control effectiveness viewpoint, which of the following represents biometric verification when a user submits a combination of a personal identification number (PIN) first and biometric sample next for authentication?
a. One-to-one matching
b. One-to-many matching
c. Many-to-one matching
d. Many-to-many matching

A

A. This combination of authentication represents something that
you know (PIN) and something that you are (biometric). At the
authentication system prompt, the user enters the PIN and then submits
a biometric live-captured sample. The system compares the biometric
sample to the biometric reference data associated with the PIN entered,
which is a one-to-one matching of biometric verification. The other
three choices are incorrect because the correct answer is based on its
definition.

545
Q

From an access control effectiveness viewpoint, which of the following represents biometric identification when a user submits a combination of a biometric sample first and a personal identification number (PIN) next for authentication?
a. One-to-one matching
b. One-to-many matching
c. Many-to-one matching
d. Many-to-many matching

A

B. This combination of authentication represents something that
you are (biometric) and something that you know (PIN). The user
presents a biometric sample first to the sensor, and the system conducts
a one-to-many search of the enrolled reference data, which is biometric
identification. The user is then prompted to supply the PIN associated
with the matched reference record as a second factor. The other three
choices are incorrect because the correct answer is based on its
definition.

546
Q

During biometric identification, which of the following can result in slow system response times and increased expense?
a. One-to-one matching
b. One-to-many matching
c. Many-to-one matching
d. Many-to-many matching

A

B. Biometric identification with one-to-many matching can
result in slow system response times and can be more expensive
depending on the size of the biometric database: the larger the
database, the slower the search. A personal identification number (PIN)
entered afterwards as a second authentication factor does not speed
this up, because the one-to-many search has already been performed.

547
Q

During biometric verification, which of the following can result in faster system response times and can be less expensive?
a. One-to-one matching
b. One-to-many matching
c. Many-to-one matching
d. Many-to-many matching

A

A. The biometric verification with one-to-one matching can result
in faster system response times and can be less expensive because the
personal identification number (PIN) is entered as a first authenticator
and the matching is quick.

548
Q

From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of hardware token and a personal identification number (PIN) for authentication?
1. A weak form of two-factor authentication
2. A strong form of two-factor authentication
3. Supports physical access
4. Supports logical access
a. 1 only
b. 2 only
c. 1 and 3
d. 2 and 4

A

C. This combination represents something that you have (i.e., a
hardware token) and something that you know (i.e., a PIN). Because the
hardware token can be lost or stolen, this source treats the
combination as a weak form of two-factor authentication, suitable for
unattended physical access controls such as a door reader. In practice,
hardware tokens (one-time-password devices, smart cards) are also
widely used for logical access such as logins and remote access, so
read this card as the exam's framing of the token-plus-PIN combination
rather than as a technical limitation of logical access controls.

549
Q

From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of public key infrastructure (PKI) keys and a personal identification number (PIN) for authentication?
1. A weak form of two-factor authentication
2. A strong form of two-factor authentication
3. Supports physical access
4. Supports logical access
a. 1 only
b. 2 only
c. 1 and 3
d. 2 and 4

A

D. This combination represents something that you have (i.e., PKI
keys) and something that you know (i.e., PIN). There is no hardware
token to lose or steal. Therefore, this is a strong form of two-factor
authentication that can be used to support logical access.

550
Q

RuBAC is rule-based access control, ACL is access control list, IBAC is identity-based access control, DAC is discretionary access control, and MAC is mandatory access control. For identity management, which of the following equates the access control policies and decisions between the U.S. terminology and the
international standards?
1. RuBAC = ACL
2. IBAC = ACL
3. IBAC = DAC
4. RuBAC = MAC
a. 1 only
b. 2 only
c. 3 only
d. 3 and 4

A

D. Identity-based access control (IBAC) and discretionary access
control (DAC) are considered equivalent. The rule-based access
control (RuBAC) and mandatory access control (MAC) are considered
equivalent. IBAC uses access control lists (ACLs) whereas RuBAC
does not.

551
Q

For identity management, most network operating systems are based on which of the following access control policy?
a. Rule-based access control (RuBAC)
b. Identity-based access control (IBAC)
c. Role-based access control (RBAC)
d. Attribute-based access control (ABAC)

A

B. Most network operating systems are implemented with an
identity-based access control (IBAC) policy. Entities are granted
access to resources based on any identity established during network
logon, which is compared with one or more access control lists
(ACLs). These lists may be individually administered, may be
centrally administered and distributed to individual locations, or may
reside on one or more central servers. Attribute-based access control
(ABAC) deals with subjects and objects, rule-based (RuBAC) deals
with rules, and role-based (RBAC) deals with roles or job functions.

552
Q

RBAC is role-based access control, MAC is mandatory access control, DAC is discretionary access control, ABAC is attribute based access control, PBAC is policy-based access control, IBAC is identity-based access control, RuBAC is rule-based access control, RAdAC is risk adaptive access control, and UDAC is user-directed access control. For identity management, RBAC policy is defined as which of the following?
a. RBAC = MAC + DAC
b. RBAC = ABAC + PBAC
c. RBAC = IBAC + RuBAC
d. RBAC = RAdAC + UDAC

A

C. Role-based access control policy (RBAC) is a composite access
control policy between identity-based access control (IBAC) policy
and rule-based access control (RuBAC) policy and should be
considered as a variant of both. In this case, an identity is assigned to a
group that has been granted authorizations. Identities can be members
of one or more groups.

553
Q

A combination of something you have (one time), something you have (second time), and something you know is used to represent which of the following personal authentication proofing scheme?
a. One-factor authentication
b. Two-factor authentication
c. Three-factor authentication
d. Four-factor authentication

A

B. This situation illustrates that multiple instances of the same
factor (i.e., something you have is used two times) results in one-factor
authentication. When this is combined with something you know, it
results in a two-factor authentication scheme.

554
Q

Remote access controls are a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

A

B. Remote access controls are a part of preventive controls, as
they include Internet Protocol (IP) packet filtering by border routers
and firewalls using access control lists. Preventive controls deter
security incidents from happening in the first place.
Directive controls are broad-based controls to handle security
incidents, and they include management’s policies, procedures, and
directives. Detective controls enhance security by monitoring the
effectiveness of preventive controls and by detecting security incidents
where preventive controls were circumvented. Corrective controls are
procedures to react to security incidents and to take remedial actions
on a timely basis. Corrective controls require proper planning and
preparation as they rely more on human judgment.

555
Q

What is using two different passwords for accessing two different systems in the same session called?
a. One-factor authentication
b. Two-factor authentication
c. Three-factor authentication
d. Four-factor authentication

A

B. Requiring two different passwords for accessing two different
systems in the same session is more secure than requiring one
password for both, and this deck counts it as two-factor
authentication because two separate proofs must be presented, giving
an intruder two barriers to pass. Using the same password for multiple
systems in the same session is one-factor authentication, because only
one proof is used. Be aware that by the factor definition used in card
553 (something you know, have, or are), two passwords are two proofs of
the same factor, so other sources would call this a stronger form of
single-factor authentication; read each exam question to see which
counting is intended.

556
Q

What is using a personal identity card with attended access (e.g., a security guard) and a PIN called?
a. One-factor authentication
b. Two-factor authentication
c. Three-factor authentication
d. Four-factor authentication

A

B. On the surface, this situation may seem to be three-factor
authentication, but in reality it is two-factor authentication, because
only a card (proof of one factor) and a PIN (proof of a second factor)
are used. Note that it is not the strongest two-factor authentication
because of the attended access. A security guard who checks the
validity of the card is an example of attended access and is counted
as part of the one factor. Other examples of attended access include
peers, colleagues, and supervisors who vouch for the identity of a
visitor who is accessing physical facilities.

557
Q

A truck driver, who is an employee of a defense contractor, transports highly sensitive parts and components from a defense contractor's manufacturing plant to a military installation at a highly secure location. The military's receiving department tracks the driver's physical location to ensure that there are no security problems on the way to the installation. Upon arrival at the installation, the truck driver shows his employee badge with photo ID issued by the defense contractor, enters his password and PIN, and takes a biometric sample of his fingerprint prior to entering the installation and unloading the truck's content. What does the described scenario represent?
a. One-factor authentication
b. Two-factor authentication
c. Three-factor authentication
d. Four-factor authentication

A

D. Tracking the driver's physical location (perhaps with GPS or a
wireless sensor network) is an example of somewhere you are (proof
of first factor). Showing the employee badge with photo ID is an
example of something you have (proof of second factor). Entering a
password and PIN is an example of something you know (proof of third
factor). Taking a biometric sample of a fingerprint is an example of
something you are (proof of fourth factor). Therefore, this scenario
represents four-factor authentication. The key point is that it does
not matter whether the proof presented is one item or more items in
the same category (e.g., somewhere you are, something you have,
something you know, and something you are); each category counts once.

558
Q

Which of the following is achieved when two authentication proofs of something that you have is implemented?
a. Least assurance
b. Increased assurance
c. Maximum assurance
d. Equivalent assurance

A

A. Least assurance is achieved when two authentication proofs of
something that you have (e.g., card, key, and mobile ID device) are
implemented because the card and the key can be lost or stolen.
Consequently, multiple uses of something that you have offer lesser
access control assurance than using a combination of multifactor
authentication techniques. Equivalent assurance is neutral and does not
require any further action.

559
Q

Which of the following is achieved when two authentication proofs of something that you know are implemented?
a. Least assurance
b. Increased assurance
c. Maximum assurance
d. Equivalent assurance

A

B. Increased assurance is achieved when two authentication proofs
of something that you know (e.g., two different passwords, with
or without PINs) are implemented. Multiple proofs of something that
you know offer greater assurance than do multiple proofs of
something that you have. However, multiple uses of something that
you know provide equivalent assurance to a combination of multifactor
authentication techniques.

560
Q

Which of the following is achieved when “two authentication proofs of something that you are” is implemented?
a. Least assurance
b. Increased assurance
c. Maximum assurance
d. Equivalent assurance

A

C. Maximum assurance is achieved when two authentication
proofs of something that you are (e.g., personal recognition by a
colleague, user, or guard, plus a biometric verification check) are
implemented. Multiple proofs of something that you are offer greater
assurance than do multiple proofs of something that you have or
something that you know, used either alone or combined.
Equivalent assurance is neutral and does not require any further action.

561
Q

For key functions of intrusion detection and prevention system (IDPS) technologies, which of the following is referred to when an IDPS configuration is altered?
a. Tuning
b. Evasion
c. Blocking
d. Normalization

A

A. Altering the configuration of an intrusion detection and
prevention system (IDPS) to improve its detection accuracy is known
as tuning; IDPS technologies cannot provide completely accurate
detection at all times, so tuning is an ongoing task. Blocking refers
to denying access to the targeted host from the offending user account
or IP address.
Evasion is modifying the format or timing of malicious activity so that
its appearance changes but its effect is the same. Attackers use evasion
techniques to try to prevent intrusion detection and prevention system
(IDPS) technologies from detecting their attacks. Most IDPS
technologies can overcome common evasion techniques by duplicating
special processing performed by the targeted host. If the IDPS
configuration is same as the targeted host, then evasion techniques will
be unsuccessful at hiding attacks.
Some intrusion prevention system (IPS) technologies can remove or
replace malicious portions of an attack to make it benign. A complex
example is an IPS that acts as a proxy and normalizes incoming
requests, which means that the proxy repackages the payloads of the
requests, discarding header information. This might cause certain
attacks to be discarded as part of the normalization process.

562
Q

A reuse of a user’s operating system password for preboot
authentication should not be practiced in the deployment of which
of the following storage encryption authentication products?
a. Full-disk encryption
b. Volume encryption
c. Virtual disk encryption
d. File/folder encryption

A

A. Reusing a user's operating system password for preboot
authentication in a full (whole) disk encryption deployment would
allow an attacker who learns a single password to gain full access to
the device's information. The password could be acquired through
technical methods, such as infecting the device with malware, or
through physical means, such as watching a user type in a password in
a public location. The correct choice is risky compared to the incorrect
choices because the latter do not involve booting the computer or
preboot authentication.

563
Q

All the following storage encryption authentication products may use the operating system’s authentication for single sign-on except:
a. Full-disk encryption
b. Volume encryption
c. Virtual disk encryption
d. File/folder encryption

A

A. Products such as volume encryption, virtual disk encryption, or
file/folder encryption may use the operating system’s authentication
for single sign-on (SSO). After a user authenticates to the operating
system at login time, the user can access the encrypted file without
further authentication, which is risky. You should not use the same
single-factor authenticator for multiple purposes. A full-disk
encryption provides better security than the other three choices because
the entire disk is encrypted, as opposed to part of it.

564
Q

Which of the following security mechanisms for high-risk storage encryption authentication products provides protection against authentication-guessing attempts and favors security over functionality?
a. Alert consecutive failed login attempts.
b. Lock the computer for a specified period of time.
c. Increase the delay between attempts.
d. Delete the protected data from the device.

A

D. For high-security situations, storage encryption authentication
products can be configured so that too many failed attempts cause the
product to delete all the protected data from the device. This approach
strongly favors security over functionality. The other three choices can
be used for low-security situations.

565
Q

Recovery mechanisms for storage encryption authentication solutions require which of the following?
a. A trade-off between confidentiality and security
b. A trade-off between integrity and security
c. A trade-off between availability and security
d. A trade-off between accountability and security

A

C. Recovery mechanisms increase the availability of the storage
encryption authentication solutions for individual users, but they can
also increase the likelihood that an attacker can gain unauthorized
access to encrypted storage by abusing the recovery mechanism.
Therefore, information security management should consider the
trade-off between availability and security when selecting and planning
recovery mechanisms. The other three choices do not describe the
trade-off that recovery mechanisms introduce.

566
Q
For password management, which of the following ensures password strength?
a. Passwords with maximum keyspace, shorter passphrases, low entropy, and simple passphrases
b. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases
c. Passwords with minimum keyspace, shorter passphrases, high entropy, and simple passphrases
d. Passwords with most likely keyspace, longer passphrases, low entropy, and complex passphrases

A

B. Password strength is determined by a password's length and its
complexity, which in turn depends on the unpredictability of its
characters. Passwords based on predictable patterns (e.g., keyboard
patterns) may meet complexity and length requirements, but they
significantly reduce the keyspace because attackers are aware of these
patterns. The ideal keyspace is a balanced one between the maximum,
most likely, and minimum scenarios. Simple and short passphrases have
low entropy because they consist of concatenated dictionary words,
which are easy to guess and attack. Therefore, passphrases should be
complex and longer to provide high entropy. Passwords with balanced
keyspace, longer passphrases, high entropy, and complex passphrases
ensure password strength.

A. When a user logs onto a host computer or workstation, the user
must be identified and authenticated before access to the host or
network is granted. This process requires a mechanism to authenticate
a real person to a machine. The best methods of doing this involve
multiple forms of authentication with multiple factors, such as
something you know (password), something you have (physical
token), and something you are (biometric verification). The other three
choices do not require multifactor authentication because they use
different authentication methods.
Peer-to-peer architecture, sometimes referred to as mutual
authentication protocol, involves the direct communication of
authentication information between the communicating entities (e.g.,
peer-to-peer or client host-to-server).
The architecture for trusted third-party (TTP) authentication uses a
third entity, trusted by all entities, to provide authentication
information. The amount of trust given the third entity must be
evaluated. Methods to establish and maintain a level of trust in a TTP
include certification practice statements (CPS) that establishes rules,
processes, and procedures that a certificate authority (CA) uses to
ensure the integrity of the authentication process and use of secure
protocols to interface with authentication servers. A TTP may provide
authentication information in each instance of authentication, in realtime, or as a precursor to an exchange with a CA.
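The entropy arguments in cards 536 and 566 are easier to see with numbers. The following Python is an added example, not code from the deck: it compares the keyspace an attacker actually has to search for a pattern-based password, for concatenated common words, and for generated passwords and passphrases. The dictionary size of 2000 common words, the 16 leet variants and the 10 single-digit suffixes used for the pattern estimate are constructed assumptions, and the diceware list size of 7776 is a stated assumption rather than a list shipped with the code.

```python
"""Entropy of generated passwords versus user-chosen patterns.

Added example for flashcards 536 and 566 (password strength); it is not code
from the original deck. The dictionary and variant sizes used for the
pattern-based estimate are constructed assumptions for illustration.
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALNUM = string.ascii_letters + string.digits                           # 62 symbols
DICEWARE_WORDS = 7776   # assumed size of a standard diceware list (list not included)
COMMON_WORDS = 2000     # constructed: size of the vocabulary a user picks words from


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy when `length` symbols are chosen uniformly from `symbol_count`."""
    return length * math.log2(symbol_count)


def pattern_bits(dictionary_size: int, leet_variants: int, suffix_choices: int) -> float:
    """Effective entropy of 'dictionary word + leet substitutions + suffix'.

    Attackers enumerate the pattern, not the 94^n character space, so the
    keyspace is the product of the choices the user actually made.
    """
    return math.log2(dictionary_size * leet_variants * suffix_choices)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random password from a CSPRNG (`secrets`, never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, wordlist) -> str:
    """Passphrase of `word_count` words chosen uniformly from `wordlist`."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def strength_table() -> dict:
    """Entropy in bits for several constructions of similar visible length."""
    return {
        # 9 characters that look 'complex', but are a word with substitutions + digit
        "P@ssw0rd1 (pattern)": pattern_bits(COMMON_WORDS, 16, 10),
        # 3 concatenated common words: ~18 characters but only 3 random choices
        "3 common words": entropy_bits(COMMON_WORDS, 3),
        "8 random printable": entropy_bits(len(PRINTABLE), 8),
        "12 random alnum": entropy_bits(len(ALNUM), 12),
        "6 diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }


if __name__ == "__main__":
    for name, bits in strength_table().items():
        print(f"{name:22s} {bits:6.1f} bits")
    print("generated:", random_password(16), "|",
          random_passphrase(4, ["alpha", "bravo", "charlie", "delta"]))
```

The table shows the card's point directly: a short pattern-based password that satisfies a complexity rule has well under 20 bits of effective entropy, a passphrase of a few common words is stronger but still far below a generated password of the same visible length, and a six-word diceware passphrase beats an 8-character random printable password while remaining memorable.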

567
Q

Regarding password management, which of the following
enforces password strength requirements effectively?
a. Educate users on password strength.
b. Run a password cracker program to identify weak passwords.
c. Perform a cracking operation offline.
d. Use a password filter utility program.

A

D. One way to ensure password strength is to add a password filter
utility program, which is specifically designed to verify that a
password created by a user complies with the password policy. Adding
a password filter is a more rigorous and proactive solution, whereas the
other three choices are less rigorous and reactive solutions.
The password filter utility program is also referred to as a password
complexity enforcement program.

568
Q

Which of the following controls over telecommuting use tokens and/or one-time passwords?
a. Firewalls
b. Robust authentication
c. Port protection devices
d. Encryption

A

B. Robust authentication increases security in two significant
ways. It can require the user to possess a token in addition to a
password or personal identification number (PIN). Tokens, when used
with PINs, provide significantly more security than passwords. For a
hacker or other would-be impersonator to pretend to be someone else,
the impersonator must have both a valid token and the corresponding
PIN. This is much more difficult than obtaining a valid password and
user ID combination. Robust authentication can also create one-time
passwords. Electronic monitoring (eavesdropping or sniffing) or
observing a user type in a password is not a threat with one-time
passwords because each time a user is authenticated to the computer, a
different “password” is used. (A hacker could learn the one-time
password through electronic monitoring, but it would be of no value.)
The firewall is incorrect because it uses a secure gateway or series of
gateways to block or filter access between two networks, often
between a private network and a larger, more public network such as
the Internet or public-switched network (e.g., the telephone system).
Firewall does not use tokens and passwords as much as robust
authentication.
A port protection device (PPD) is incorrect because it is fitted to a
communications port of a host computer and authorizes access to the
port itself, prior to and independent of the computer’s own access
control functions. A PPD can be a separate device in the
communications stream or may be incorporated into a communications
device (e.g. a modem). PPDs typically require a separate authenticator,
such as a password, to access the communications port. One of the
most common PPDs is the dial-back modem. PPD does not use tokens
and passwords as much as robust authentication.
Encryption is incorrect because it is more expensive than robust
authentication. It is most useful if highly confidential data needs to be
transmitted or if moderately confidential data is transmitted in a
high-threat area. Encryption is most widely used to protect the
confidentiality of data and its integrity (it detects changes to files).
Encryption does not use tokens and passwords as much as robust
authentication.

569
Q

Which of the following statements about an access control system is not true?
a. It is typically enforced by a specific application.
b. It indicates what a specific user could have done.
c. It records failed attempts to perform sensitive actions.
d. It records failed attempts to access restricted data.

A

A. Some applications use access control (typically enforced by the
operating system) to restrict access to certain types of information or
application functions. This can be helpful to determine what a
particular application user could have done. Some applications record
information related to access control, such as failed attempts to
perform sensitive actions or access restricted data.

570
Q

Which of the following is not a preventive measure against network intrusion attacks?
a. Firewalls
b. Auditing
c. System configuration
d. Intrusion detection system

A

B. Auditing is a detection activity, not a preventive measure.
Examples of preventive measures to mitigate the risks of network
intrusion attacks include firewalls, system configuration, and intrusion
detection system.

571
Q

Smart card authentication is an example of which of the following?
a. Proof-by-knowledge
b. Proof-by-property
c. Proof-by-possession
d. Proof-of-concept

A

C. Smart cards are credit card-size plastic cards that host an
embedded computer chip containing an operating system, programs,
and data. Smart card authentication is perhaps the best-known example
of proof-by-possession (e.g., key, card, or token). Passwords are an
example of proof-by-knowledge. Fingerprints are an example of
proof-by-property. Proof-of-concept deals with testing a product prior to
building the actual product.

572
Q

For token threats in electronic authentication, countermeasures used for which one of the following threats are different from the other three threats?
a. Online guessing
b. Eavesdropping
c. Phishing and pharming
d. Social engineering

A

A. In electronic authentication, a countermeasure against the token
threat of online guessing uses tokens that generate high entropy
authenticators. Common countermeasures against the threats listed in
the other three choices are the same and they do not use high entropy
authenticators. These common countermeasures include (i) use of
tokens with dynamic authenticators where knowledge of one
authenticator does not assist in deriving a subsequent authenticator and
(ii) use of tokens that generate authenticators based on a token input
value.

573
Q

Which of the following is a component that provides a security service for a smart card application used in a mobile device authentication?
a. Challenge-response protocol
b. Service provider
c. Resource manager
d. Driver for the smart card reader

A

A. The underlying mechanism used to authenticate users via smart
cards relies on a challenge-response protocol between the device and
the smart card. For example, a personal digital assistant (PDA)
challenges the smart card for an appropriate and correct response that
can be used to verify that the card is the one originally enrolled by the
PDA device owner. The challenge-response protocol provides a
security service. The three main software components that support a
smart card application include the service provider, a resource
manager, and a driver for the smart card reader.

574
Q

Which of the following is not a sophisticated technical attack against smart cards?
a. Reverse engineering
b. Fault injection
c. Signal leakage
d. Impersonating

A

D. For user authentication, the fundamental threat is an attacker
impersonating a user and gaining control of the device and its contents.
Of the four choices, impersonation is the only one that is not a
sophisticated technical attack on the card itself. Smart cards are
designed to resist tampering and monitoring of the card, including
sophisticated technical attacks that involve reverse engineering, fault
injection, and signal leakage.

575
Q

Which of the following is an example of non-polled authentication?
a. Smart card
b. Password
c. Memory token
d. Communications signal

A

B. Non-polled authentication is discrete; after the verdict is
determined, it is inviolate until the next authentication attempt.
Examples of non-polled authentication include password, fingerprint,
and voice verification. Polled authentication is continuous; the
presence or absence of some token or signal determines the
authentication status. Examples of polled authentication include smart
card, memory token, and communications signal, whereby the absence
of the device or signal triggers a non-authenticated condition.

576
Q

Which of the following does not complement intrusion detection systems (IDS)?
a. Honeypots
b. Inference cells
c. Padded cells
d. Vulnerability assessment tools

A

B. Honeypot systems, padded cell systems, and vulnerability
assessment tools complement IDS to enhance an organization’s ability
to detect intrusion. Inference cells do not complement IDS. A
honeypot system is a host computer that is designed to collect data on
suspicious activity and has no authorized users other than security
administrators and attackers. Inference cells lead to an inference attack
when a user or intruder is able to deduce privileged information from
known information. In padded cell systems, an attacker is seamlessly
transferred to a special padded cell host. Vulnerability assessment tools
determine when a network or host is vulnerable to known attacks.

577
Q

Sniffing precedes which of the following?
a. Phishing and pharming
b. Spoofing and hijacking
c. Snooping and scanning
d. Cracking and scamming

A

B. Sniffing is observing and monitoring packets passing by on the
network using packet sniffers. Sniffing precedes either spoofing
or hijacking, because the captured traffic supplies the addresses,
sequence numbers, or session identifiers the attacker then reuses.
Spoofing, in part, is using various techniques to subvert IP-based
access control by masquerading as another system using its IP
address. Spoofing is an attempt to gain access to a system by
posing as an authorized user. Other examples of spoofing include
spoofing packets to hide the origin of attack in a DoS, spoofing e-mail
headers to hide spam, and spoofing phone numbers to fool caller ID.
Spoofing is synonymous with impersonating, masquerading, or
mimicking, and is not synonymous with sniffing. Hijacking is taking
over an already authenticated session with a database or system.
Snooping, scanning, and sniffing are all actions searching for required
and valuable information. They involve looking around for
vulnerabilities and planning an attack. These are preparatory actions
prior to launching serious penetration attacks.
Phishing is tricking individuals into disclosing sensitive personal
information through deceptive computer-based means. Phishing
attacks use social engineering and technical subterfuge to steal
consumers’ personal identity data and financial account credentials. It
involves Internet fraudsters who send spam or pop-up messages to lure
personal information (e.g., credit card numbers, bank account
information, social security numbers, passwords, or other sensitive
information) from unsuspecting victims. Pharming is misdirecting
users to fraudulent websites or proxy servers, typically through DNS
hijacking or poisoning.
Cracking is breaking passwords and bypassing software controls in
an electronic authentication system such as user registration.
Scamming is impersonating a legitimate business using the Internet.
The buyer should check out the seller before buying goods or services.
The seller should give out a physical address with a working telephone
number.

578
Q

Passwords and personal identification numbers (PINs) are examples of which of the following?
a. Procedural access controls
b. Physical access controls
c. Logical access controls
d. Administrative access controls

A

C. Logical, physical, and administrative controls are examples of
access control mechanisms. Passwords, PINs, and encryption are
examples of logical access controls.

579
Q

Which of the following statements is not true about honeypots?
a. Honeypots are deceptive measures.
b. Honeypots collect data on indications.
c. Honeypots are hosts that have no authorized users.
d. Honeypots are a supplement to properly securing networks,
systems, and applications.

A

B. Honeypots are deceptive measures collecting better data on
precursors, not on indications. A precursor is a sign that an incident
may occur in the future. An indication is a sign that an incident may
have occurred or may be occurring now.
Honeypots are hosts that have no authorized users other than the
honeypot administrators because they serve no business function; all
activity directed at them is considered suspicious. Attackers scan and
attack honeypots, giving administrators data on new trends and
attack/attacker tools, particularly malicious code. However, honeypots
are a supplement to, not a replacement for, properly securing networks,
systems, and applications.

580
Q

Each user is granted the lowest clearance needed to perform authorized tasks. Which of the following principles is this?
a. The principle of least privilege
b. The principle of separation of duties
c. The principle of system clearance
d. The principle of system accreditation

A

A. The principle of least privilege requires that each subject (user)
in a system be granted the most restrictive set of privileges (or lowest
clearances) needed to perform authorized tasks. The application of this
principle limits the damage that can result from accident, error, and/or
unauthorized use. The principle of separation of duties states that no
single person can have complete control over a business transaction or
task.
The principle of system clearance states that users’ access rights
should be based on their job clearance status (i.e., sensitive or
non-sensitive). The principle of system accreditation states that all
systems should be approved by management prior to making them
operational.

581
Q

Which of the following intrusion detection and prevention system (IDPS) methodology is appropriate for analyzing both network-based and host-based activity?
a. Signature-based detection
b. Misuse detection
c. Anomaly-based detection
d. Stateful protocol analysis

A

D. IDPS technologies use many methodologies to detect incidents.
The primary classes of detection methodologies include signature-based,
anomaly-based, and stateful protocol analysis, where the latter
is the only one that analyzes both network-based and host-based
activity.
Signature-based detection is the process of comparing signatures
against observed events to identify possible incidents. A signature is a
pattern that corresponds to a known threat. It is sometimes incorrectly
referred to as misuse detection or stateful protocol analysis. Misuse
detection refers to attacks from within the organizations.
Anomaly-based detection is the process of comparing definitions of
what activity is considered normal against observed events to identify
significant deviations and abnormal behavior.
Stateful protocol analysis (also known as deep packet inspection) is the
process of comparing predetermined profiles of generally accepted
definitions of benign protocol activity for each protocol state against
observed events to identify deviations. Stateful protocol analysis is
appropriate for analyzing both network-based and host-based activity,
whereas deep packet inspection is appropriate for network-based
activity only. One network-based IDPS can listen on a network
segment or switch and can monitor the network traffic affecting
multiple hosts that are connected to the network segment. One
host-based IDPS operates on information collected from within an
individual computer system and determines which processes and user
accounts are involved in a particular attack.

582
Q

The Clark-Wilson security model focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability

A

B. The Clark-Wilson security model is an approach that provides
data integrity for common commercial activities. It is a specific model
addressing “integrity,” which is one of five security objectives. The
five objectives are: confidentiality, integrity, availability, accountability, and assurance.

583
Q

The Biba security model focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability

A

B. The Biba security model is an integrity model in which no subject may depend on a less trusted object, including another subject. It is a specific model addressing only one of the security objectives such as confidentiality, integrity, availability, and accountability.

584
Q

The Take-Grant security model focuses on which of the following?
a. Confidentiality
b. Accountability
c. Availability
d. Access rights

A

D. The Take-Grant security model uses a directed graph to specify
the rights that a subject can transfer to an object or that a subject can
take from another subject. It does not address the security objectives
such as confidentiality, integrity, availability, and accountability.
Access rights are a part of access control models.

585
Q

Which of the following is based on precomputed password
hashes?
a. Brute force attack
b. Dictionary attack
c. Rainbow attack
d. Hybrid attack

A

C. Rainbow attacks are a form of password cracking technique
that employs rainbow tables, which are lookup tables that contain
precomputed password hashes. These tables enable an attacker to attempt
to crack a password with minimal time on the victim system and
without constantly having to regenerate hashes if the attacker attempts
to crack multiple accounts. The other three choices are not based on
precomputed password hashes, although they are all related to
passwords.
A brute force attack is a form of guessing attack in which the attacker
uses all possible combinations of characters from a given character set
and for passwords up to a given length.
A dictionary attack is a form of guessing attack in which the attacker
attempts to guess a password using a list of possible passwords that is
not exhaustive.
A hybrid attack is a form of guessing attack in which the attacker
uses a dictionary that contains possible passwords and then uses
variations through brute force methods of the original passwords in the
dictionary to create new potential passwords.
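The four attacks above in working code, as an added example that is not part of the deck: a hybrid candidate generator feeds a precomputed hash-to-plaintext table (a full lookup table rather than a true rainbow table, which compresses the same precomputation into hash/reduce chains), and a per-user salt is shown defeating the table while leaving the weak password open to fresh guessing. The wordlist, the stolen hashes and the salt are constructed for the example.

```python
"""Precomputed-hash lookup versus salted hashing (added example, not from the deck)."""
import hashlib

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "summer", "admin", "welcome"]


def hybrid_candidates(word):
    """Hybrid attack: a dictionary word plus brute-forced variations of it."""
    for base in (word, word.capitalize()):
        yield base
        for n in range(100):                 # appended digits, e.g. Summer42
            yield f"{base}{n}"
        for suffix in ("!", "!!", "123"):    # common suffixes
            yield base + suffix


def unsalted_hash(password, algo="sha256"):
    """The weak scheme: identical passwords give identical hashes everywhere."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup(wordlist):
    """Precompute hash -> plaintext once and reuse it against every captured hash.
    The hashing work is done up front, away from the victim system."""
    table = {}
    for word in wordlist:
        for cand in hybrid_candidates(word):
            table[unsalted_hash(cand)] = cand
    return table


def crack_unsalted(target_hex, table):
    """One dictionary lookup per target hash; no hashing at attack time."""
    return table.get(target_hex)


def salted_hash(password, salt, algo="sha256"):
    """Per-user random salt: the same password no longer yields the same hash."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def crack_salted(target_hex, salt, wordlist):
    """With a salt the precomputed table is useless; each guess must be rehashed
    with that user's salt, so a weak password still falls, but only to fresh work
    that cannot be shared across accounts."""
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if salted_hash(cand, salt) == target_hex:
                return cand
    return None


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    stolen = unsalted_hash("Summer42")                 # constructed captured hash
    print("lookup vs unsalted:", crack_unsalted(stolen, table))
    salt = b"\x9f\x11\x02\x7a"                          # constructed per-user salt
    stolen_salted = salted_hash("Summer42", salt)
    print("lookup vs salted:", crack_unsalted(stolen_salted, table))
    print("guessing vs salted:", crack_salted(stolen_salted, salt, WORDLIST))
```

The salt only removes the precomputation advantage; a slow, memory-hard password hash (bcrypt, scrypt, Argon2) is what makes the per-guess work in crack_salted expensive enough to matter.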

586
Q

For intrusion detection and prevention system capabilities, anomaly-based detection uses which of the following?
1. Blacklists
2. Whitelists
3. Threshold
4. Program code viewing
a. 1 and 2
b. 1, 2, and 3
c. 3 only
d. 1, 2, 3, and 4

A

C. Anomaly-based detection is the process of comparing
definitions of what activity is considered normal against observed
events to identify significant deviations. Thresholds are most often
used for anomaly-based detection. A threshold is a value that sets the
limit between normal and abnormal behavior.
Anomaly-based detection does not use blacklists, whitelists, or
program code viewing. A blacklist is a list of discrete entities, such as
hosts or applications that have been previously determined to be
associated with malicious activity. A whitelist is a list of discrete
entities, such as hosts or applications known to be benign. Program
code viewing and editing features are established to see the
detection-related programming code in the intrusion detection and
prevention system (IDPS).

587
Q

Which of the following security models addresses “separation of duties” concept?
a. Biba model
b. Clark-Wilson model
c. Bell-LaPadula model
d. Sutherland model

A

B. The Clark-Wilson security model addresses the separation
of duties concept along with well-formed transactions. Separation of
duties attempts to ensure the external consistency of data objects. It
also addresses the specific integrity goal of preventing authorized users
from making improper modifications. The other three models do not
address the separation of duties concept.

588
Q

From a computer security viewpoint, the Chinese-Wall policy is related to which of the following?
a. Aggregation problem
b. Data classification problem
c. Access control problem
d. Inference problem

A

C. As presented by Brewer and Nash, the Chinese-Wall policy is a
mandatory access control policy for stock market analysts. According
to the policy, a market analyst may do business with any company.
However, every time the analyst receives sensitive “inside”
information from a new company, the policy prevents him from doing
business with any other company in the same industry because that
would involve him in a conflict of interest situation. In other words,
collaboration with one company places the Chinese-Wall between him
and all other companies in the same industry.
The Chinese-Wall policy does not meet the definition of an
aggregation problem; there is no notion of some information being
sensitive with the aggregate being more sensitive. The Chinese-Wall
policy is an access control policy in which the access control rule is not
based just on the sensitivity of the information, but is based on the
information already accessed. It is neither an inference nor a data
classification problem.
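The history-dependent rule is what distinguishes this policy from the lattice models, so here is the Brewer-Nash decision procedure in code, as an added example that is not part of the deck. The company names and conflict-of-interest classes are constructed; the simple security rule and the *-property follow the original Brewer-Nash paper, where a write is only allowed when the subject can read nothing from another company that could be carried across the wall.

```python
"""Brewer-Nash (Chinese Wall) access decisions (added example, not from the deck)."""
from collections import defaultdict

# Constructed conflict-of-interest classes: company dataset -> industry.
COI_CLASS = {
    "BankA": "banking", "BankB": "banking",
    "OilX": "oil", "OilY": "oil",
}


class ChineseWall:
    """Decisions depend on what the subject has already accessed, not only on
    the sensitivity of the object being requested."""

    def __init__(self, coi_class):
        self.coi_class = coi_class
        self.history = defaultdict(set)   # subject -> company datasets already accessed

    def can_read(self, subject, company):
        """Simple security rule: allowed if the subject has already worked with this
        company, or has touched no other company in the same conflict class."""
        accessed = self.history[subject]
        if company in accessed:
            return True
        cls = self.coi_class[company]
        return all(self.coi_class[c] != cls for c in accessed)

    def can_write(self, subject, company):
        """*-property: write only if reading is allowed and the subject can read no
        other company's data, which could otherwise be copied into this dataset and
        read by a second analyst on the far side of the wall."""
        return self.can_read(subject, company) and all(
            c == company for c in self.history[subject])

    def read(self, subject, company):
        """Read and record the access; the wall goes up for the rest of the class."""
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)
        return True

    def write(self, subject, company):
        if not self.can_write(subject, company):
            return False
        self.history[subject].add(company)
        return True


if __name__ == "__main__":
    wall = ChineseWall(COI_CLASS)
    wall.read("alice", "BankA")
    print("alice -> BankB:", wall.can_read("alice", "BankB"))   # same class: denied
    print("alice -> OilX:", wall.can_read("alice", "OilX"))     # other class: allowed
```

Because the decision state lives in history, two analysts with identical clearances can get opposite answers for the same request; any real implementation has to persist that history as carefully as it persists the policy itself.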

589
Q

Which of the following security models promotes security clearances and sensitivity classifications?
a. Biba model
b. Clark-Wilson model
c. Bell-LaPadula model
d. Sutherland model

A

C. In a Bell-LaPadula model, the clearance/classification scheme
is expressed in terms of a lattice. To determine whether a specific
access model is allowed, the clearance of a subject is compared to the
classification of the object, and a determination is made as to whether
the subject is authorized for the specific access mode. The other three
models do not deal with security clearances and sensitivity
classifications.

590
Q

Which of the following solutions to local account password management problem could an attacker exploit?
a. Use multifactor authentication to access the database.
b. Use a hash-based local password and a standard password.
c. Use randomly generated passwords.
d. Use a central password database.

A

B. A local (per-host) password could be based on a cryptographic hash
of the host's media access control (MAC) address and a standard
password shared across hosts. MAC addresses are not secret, so the
only secret in that scheme is the shared standard password: if an
attacker recovers one local password, the attacker can recover the
standard password offline and then derive every other host's local
password. An attacker could not exploit the other three choices
because they are secure. Other positive solutions include disabling
built-in accounts and storing the passwords in the database in an
encrypted form; deriving passwords from a machine name or MAC
address alone is no better, since both are public.

591
Q

Which of the following statements is true about intrusion detection systems (IDS) and firewalls?
a. Firewalls are a substitution for an IDS.
b. Firewalls are an alternative to an IDS.
c. Firewalls are a complement to an IDS.
d. Firewalls are a replacement for an IDS.

A

C. An IDS should be used as a complement to a firewall, not a
substitute for it. Together, they provide a synergistic effect.

592
Q

The Bell-LaPadula Model for a computer security policy deals with which of the following?
a. $ -property
b. @ -property
c. Star (*) -property
d. # -property

A

C. Star property (* -property) is a Bell-LaPadula security rule
enabling a subject write access to an object only if the security level of
the object dominates the security level of the subject.

593
Q

Which of the following cannot prevent shoulder surfing?
a. Promoting education and awareness
b. Preventing password guessing
c. Installing encryption techniques
d. Asking people not to watch while a password is typed

A

C. The key thing in shoulder surfing is to make sure that no one
watches the user while his password is typed. Encryption does not help
here because it is applied after a password is entered, not before.
Proper education and awareness and using difficult-to-guess passwords
reduce the problem, because a watcher who sees only part of a long,
unpredictable password cannot easily guess the rest.

594
Q

What does the Bell-LaPadula star-property (* -property) mean?
a. No write-up is allowed.
b. No write-down is allowed.
c. No read-up is allowed.
d. No read-down is allowed.

A

B. The star property means no write-down and yes to a write-up.
A subject can write objects only at a security level that dominates the
subject’s level. This means, a subject of one higher label cannot write
to any object of a lower security label. This is also known as the
confinement property. A subject is prevented from copying data from
one higher classification to a lower classification. In other words, a
subject cannot write anything below that subject’s level.

595
Q

Which of the following security models covers integrity?
a. Bell-LaPadula model
b. Biba model
c. Information flow model
d. Take-Grant model

A

B. The Biba model is an example of an integrity model. The
Bell-LaPadula model is a formal state transition model of a computer
security policy that describes a set of access control rules. Both the
Bell-LaPadula and the Take-Grant models are a part of access control
models.
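The Bell-LaPadula read and write rules above and their Biba duals, over the lattice of clearance plus compartments described in the Bell-LaPadula card, as an added example that is not part of the deck. The level names and compartments are constructed; the rules are the standard simple security property and *-property for Bell-LaPadula and the simple integrity and *-integrity properties for Biba.

```python
"""Bell-LaPadula and Biba rules over a lattice of labels (added example, not from the deck)."""

SECRECY = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
INTEGRITY = {"Untrusted": 0, "User": 1, "System": 2}   # constructed integrity scale


class Label:
    """A level from an ordered scale plus a set of compartments. Labels form a
    lattice ordered by dominance, so two labels can be incomparable."""

    def __init__(self, level, compartments=(), scale=SECRECY):
        self.rank = scale[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        return (self.rank >= other.rank
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality). Arguments: subject clearance, object classification.
def blp_read(subject, obj):
    """Simple security property: no read-up."""
    return subject.dominates(obj)


def blp_write(subject, obj):
    """*-property: no write-down; the object's level must dominate the subject's."""
    return obj.dominates(subject)


# Biba (integrity). Arguments: subject integrity, object integrity. The rules are the
# duals of Bell-LaPadula: never consume less-trusted data, never contaminate
# more-trusted data.
def biba_read(subject, obj):
    """Simple integrity property: no read-down."""
    return obj.dominates(subject)


def biba_write(subject, obj):
    """*-integrity property: no write-up."""
    return subject.dominates(obj)


if __name__ == "__main__":
    analyst = Label("Secret", {"NATO"})
    print(blp_read(analyst, Label("Confidential")))            # True
    print(blp_write(analyst, Label("Confidential")))           # False: write-down
    print(blp_read(analyst, Label("Secret", {"CRYPTO"})))      # False: incomparable
```

The incomparable case is the one worth remembering for the exam: Secret/NATO neither dominates nor is dominated by Secret/CRYPTO, so a Secret-cleared subject without the CRYPTO compartment can neither read nor write that object.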

596
Q

Which of the following security models covers confidentiality?
a. Bell-LaPadula model
b. Biba model
c. Information flow model
d. Take-grant model

A

A. The Bell-LaPadula model addresses confidentiality by
describing different security levels of security classifications for
documents. These classification levels, from least sensitive to most
sensitive, include Unclassified, Confidential, Secret, and Top Secret.

597
Q

Which one of the following is not an authentication mechanism?
a. What the user knows
b. What the user has
c. What the user can do
d. What the user is

A

C. “What the user can do” is defined in access rules or user
profiles, which come after a successful authentication. The other three
choices are part of an authentication process. The authenticator factor
“knows” means a password or PIN, “has” means key or card, and “is”
means a biometric identity.

598
Q

Which of the following models is used to protect the confidentiality of classified information?
a. Biba model and Bell-LaPadula model
b. Bell-LaPadula model and information flow model
c. Bell-LaPadula model and Clark-Wilson model
d. Clark-Wilson model and information flow model

A

B. The Bell-LaPadula model is used for protecting the
confidentiality of classified information, based on multilevel security
classifications. The information flow model, a basis for the
Bell-LaPadula model, ensures that information at a given security level
flows only to an equal or higher level. Each object has an associated
security level. An object’s level indicates the security level of the data
it contains. These two models ensure the confidentiality of classified
information.
The Biba model is similar to the Bell-LaPadula model but protects the
integrity of information instead of its confidentiality. The Clark-Wilson
model is a less formal model aimed at ensuring the integrity of
information, not confidentiality. This model implements traditional
accounting controls including segregation of duties, auditing, and
well-formed transactions such as double entry bookkeeping. Both the
Biba and Clark-Wilson models are examples of integrity models.

599
Q

Which of the following is the most important part of intrusion detection and containment?
a. Prevent
b. Detect
c. Respond
d. Report

A

C. It is essential to detect insecure situations to respond in a timely
manner. Also, it is of little use to detect a security breach if no effective
response can be initiated. No set of prevention measures is perfect.
Reporting is the last step in the intrusion detection and containment
process.

600
Q

Which of the following is the heart of intrusion detection systems?
a. Mutation engine
b. Processing engine
c. State machine
d. Virtual machine

A

B. The processing engine is the heart of the intrusion detection
system (IDS). It consists of the instructions (language) for sorting
information for relevance, identifying key intrusion evidence, mining
databases for attack signatures, and decision making about thresholds
for alerts and initiation of response activities.
The other choices are unrelated: a mutation engine is used to obfuscate
a virus, polymorphic or not, to aid the proliferation of that virus. A
state machine is the basis for all computer systems because it is a
model of computation involving inputs, outputs, states, and state
transition functions. A virtual machine is software that enables a single
host computer to run one or more guest operating systems.

601
Q

From an access control decision viewpoint, failures due to flaws in exclusion-based systems tend to do which of the following?
a. Authorize permissible actions
b. Fail-safe with permission denied
c. Unauthorize prohibited actions
d. Grant unauthorized permissions

A

D. When failures occur due to flaws in exclusion-based systems,
they tend to grant unauthorized permissions. The two types of access
control decisions are permission-based and exclusion-based.
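The two decision styles side by side, as an added example that is not part of the deck. It uses a constructed pair of policy lists for a hypothetical database API and shows the three ways an exclusion-based (deny-list) decision goes wrong: an action nobody thought to list, a spelling variant that slips past the list, and a policy that fails to load, where the deny-list fails open and the allow-list fails closed.

```python
"""Permission-based (allow-list) versus exclusion-based (deny-list) decisions and
how each fails (added example, not from the deck)."""

# Constructed policy lists for a hypothetical database API.
ALLOWED = {"read_row", "update_row"}
DENIED = {"drop_table", "delete_db"}


def normalize(action):
    return action.strip().lower()


def permission_based(action, allowed=ALLOWED):
    """Anything not explicitly allowed is denied."""
    return normalize(action) in allowed


def exclusion_based(action, denied=DENIED):
    """Anything not explicitly denied is allowed."""
    return normalize(action) not in denied


def exclusion_naive(action, denied=DENIED):
    """Deny list without normalization: a case variant of a listed action is granted."""
    return action not in denied


def decide(action, load_policy, mode):
    """Failure behaviour when the policy cannot be loaded. Treating an unreadable
    policy as an empty set is a plausible flaw: an empty allow list denies
    everything (fail-safe), an empty deny list blocks nothing (fail-open)."""
    try:
        policy = load_policy()
    except OSError:
        policy = set()
    if mode == "permission":
        return permission_based(action, policy)
    return exclusion_based(action, policy)


def broken_loader():
    """Constructed failure standing in for an unreadable policy file."""
    raise OSError("policy file unreadable")


if __name__ == "__main__":
    print("new action, allow-list:", permission_based("truncate_table"))   # False
    print("new action, deny-list:", exclusion_based("truncate_table"))     # True
    print("variant, naive deny-list:", exclusion_naive("DROP_TABLE"))      # True
    print("policy load failure, deny-list:", decide("delete_db", broken_loader, "exclusion"))
```

The allow-list is not magically safer in the abstract; it is safer because every mistake it makes (missing entry, load failure) lands on the side of denying a permissible action, which is a help-desk ticket rather than a breach.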

602
Q

Which of the following is a major issue with implementation of intrusion detection systems?
a. False-negative notification
b. False-positive notification
c. True-negative notification
d. True-positive notification

A

B. One of the biggest single issues with intrusion detection system
(IDS) implementation is the handling of false-positive notifications. An
anomaly-based IDS produces a large number of false alarms (false
positives) due to the unpredictable nature of users and networks.
Automated systems are prone to mistakes, and human differentiation of
possible attacks is resource-intensive.

603
Q

Which of the following provides strong authentication for centralized authentication servers when used with firewalls?
a. User IDs
b. Passwords
c. Tokens
d. Account numbers

A

C. For basic authentication, user IDs, passwords, and account
numbers are used for internal authentication. Centralized
authentication servers such as RADIUS and TACACS/TACACS+ can
be integrated with token-based authentication to enhance firewall
administration security.

604
Q

How is authorization different from authentication?
a. Authorization comes after authentication.
b. Authorization and authentication are the same.
c. Authorization is verifying the identity of a user.
d. Authorization comes before authentication.

A

A. Authorization comes after authentication because a user is
granted access to a program (authorization) after he is fully
authenticated. Authorization is permission to do something with
information in a computer. Authorization and authentication are not the
same, where the former is verifying the user’s permission and the latter
is verifying the identity of a user.

605
Q

Which of the following is required to thwart attacks against a Kerberos security server?
a. Initial authentication
b. Pre-authentication
c. Post-authentication
d. Re-authentication

A

B. The simplest form of initial authentication uses a user ID and
password, which is checked on the client. The server has no knowledge
of whether the authentication was successful. The problem with this
approach is that anyone can make a request to the server asserting any
identity, allowing an attacker to collect replies from the server and then
mount an offline attack on those replies.
In pre-authentication, the user sends some proof of his identity to the
server as part of the initial authentication process. The client must
authenticate prior to the server issuing a credential (ticket) to the client.
The proof of identity used in pre-authentication can be a smart card or
token, which can be integrated into the Kerberos initial authentication
process. Post-authentication and re-authentication do not apply here
because they happen too late to be of any use.

606
Q

Which of the following statements is not true about discretionary access control?
a. Access is based on the authorization granted to the user.
b. It uses access control lists.
c. It uses grant or revoke access to objects.
d. Users and owners are different.

A

D. Discretionary access control (DAC) permits the granting and
revoking of access control privileges to be left to the discretion of
individual users. A discretionary access control mechanism enables
users to grant or revoke access to any of the objects under their control.
As such, users are said to be the owners of the objects under their
control, so users and owners are not different. It uses access control
lists.

607
Q

Which of the following does not provide robust authentication?
a. Kerberos
b. Secure remote procedure calls
c. Reusable passwords
d. Digital certificates

A

C. Robust authentication means strong authentication that should
be required for accessing internal computer systems. Robust
authentication is provided by Kerberos, one-time passwords,
challenge-response exchanges, digital certificates, and secure remote
procedure calls (Secure RPC). Reusable passwords provide weak
authentication.

608
Q

Which of the following statements is not true about Kerberos
protocol?
a. Kerberos uses an asymmetric key cryptography.
b. Kerberos uses a trusted third party.
c. Kerberos is a credential based authentication system.
d. Kerberos uses a symmetric key cryptography.

A

A. Kerberos uses symmetric key cryptography and a trusted third
party (the Key Distribution Center). Kerberos users authenticate with
one another using Kerberos credentials (tickets) issued by that trusted
third party. Early Kerberos implementations used DES, whose effective
key size is 56 bits; current implementations use stronger symmetric
encryption types such as AES. The PKINIT extension adds public-key
pre-authentication, but the core ticket exchange remains symmetric.

609
Q

Which of the following authentication types is most effective?
a. Static authentication
b. Robust authentication
c. Intermittent authentication
d. Continuous authentication

A

D. Continuous authentication protects against impostors (active
attacks) by applying a digital signature algorithm to every bit of data
sent from the claimant to the verifier. Also, continuous authentication
prevents session hijacking and provides integrity.
Static authentication uses reusable passwords, which can be
compromised by replay attacks. Robust authentication includes
one-time passwords and digital signatures, which can be compromised
by session hijacking. Intermittent authentication is not useful because
of gaps in user verification.

610
Q

For major functions of intrusion detection and prevention
system technologies, which of the following statements are true?
1. It is not possible to eliminate all false positives and false negatives.
2. Reducing false positives increases false negatives and vice versa.
3. Decreasing false negatives is always preferred.
4. More analysis is needed to differentiate false positives from false
negatives.
a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

A

D. Intrusion detection and prevention system (IDPS) technologies
cannot provide completely accurate detection at all times. All four
items are true statements. When an IDPS incorrectly identifies benign
activity as being malicious, a false positive has occurred. When an
IDPS fails to identify malicious activity, a false negative has occurred.

611
Q

Which of the following authentication techniques is impossible to forge?
a. What the user knows
b. What the user has
c. What the user is
d. Where the user is

A

D. Passwords and PINs are often vulnerable to guessing,
interception, or brute force attack. Devices such as access tokens and
crypto-cards can be stolen. Biometrics can be vulnerable to
interception and replay attacks. The techniques used in the other three
choices are therefore not foolproof. “Where the user is,” based on a
geodetic location, is treated as foolproof because a location, unlike a
secret, a possession, or a biometric template, cannot be lent, copied,
or replayed.
Geodetic location, as calculated from a location signature, adds a
fourth and new dimension to user authentication and access control
mechanisms. The signature is derived from the user’s location. It can
be used to determine whether a user is attempting to log in from an
approved location. If unauthorized activity is detected from an
authorized location, it can facilitate finding the user responsible for
that activity.
In practice this holds only when the location signature comes from a
trusted, tamper-resistant sensor; an ordinary GPS receiver or an
IP-geolocation lookup can be spoofed, so location is best used as an
additional factor alongside the other three.

612
Q

How does a rule-based access control mechanism work?
a. It is based on filtering rules.
b. It is based on identity rules.
c. It is based on access rules.
d. It is based on business rules.

A

C. A rule-based access control mechanism is based on specific
rules relating to the nature of the subject and object. These specific
rules are embedded in access rules. Filtering rules are specified in
firewalls. Both identity and business rules are inapplicable here.

613
Q

Which of the following is an example of a system integrity tool used in the technical security control category?
a. Auditing
b. Restore to secure state
c. Proof-of-wholeness
d. Intrusion detection tool

A

C. The proof-of-wholeness control is a system integrity tool that
analyzes system integrity and irregularities and identifies exposures
and potential threats. The proof-of-wholeness principle detects
violations of security policies.
Auditing is a detective control, which enables monitoring and tracking
of system abnormalities. “Restore to secure state” is a recovery control
that enables a system to return to a state that is known to be secure,
after a security breach occurs. Intrusion detection tools detect security
breaches.

614
Q

Individual accountability does not include which of the
following?
a. Unique identifiers
b. Access rules
c. Audit trails
d. Policies and procedures

A

D. A basic tenet of IT security is that individuals must be
accountable for their actions. If this is not followed and enforced, it is
not possible to successfully prosecute those who intentionally damage
or disrupt systems or to train those whose actions have unintended
adverse effects.
The concept of individual accountability drives the need for many
security safeguards, such as unique (user) identifiers, audit trails, and
access authorization rules. Policies and procedures indicate what to
accomplish and how to accomplish objectives. By themselves, they do
not exact individual accountability.

615
Q

From an access control viewpoint, which of the following is computed from a passphrase?
a. Access password
b. Personal password
c. Valid password
d. Virtual password

A

D. A virtual password is a password computed from a passphrase
that meets the requirements of password storage (e.g., 56 bits for
DES). A passphrase is a sequence of characters, longer than the
acceptable length of a regular password, which is transformed by a
password system into a virtual password of acceptable length.
An access password is a password used to authorize access to data and
is distributed to all those who are authorized to have similar access to
that data. A personal password is a password known by only one
person and is used to authenticate that person’s identity. A valid
password is a personal password that authenticates the identity of an
individual when presented to a password system. It is also an access
password that enables the requested access when presented to a
password system.

616
Q

Which of the following is an incompatible function for a database administrator?
a. Data administration
b. Information systems administration
c. Systems security
d. Information systems planning

A

C. The database administrator (DBA) function is concerned with
short-term development and use of databases, and is responsible for the
data of one or several specific databases. The DBA function should be
separate from the systems’ security function due to possible conflict of
interest for manipulation of access privileges and rules for personal
gain. The DBA function can be mixed with data administration,
information systems administration, or information systems planning
because there is no harm to the organization.

617
Q

Kerberos uses which of the following to protect against replay
attacks?
a. Cards
b. Timestamps
c. Tokens
d. Keys

A

B. A replay attack refers to the recording and retransmission of
message packets in the network. Although a replay attack frequently
goes undetected, it can be prevented by using packet timestamping.
Kerberos uses timestamps, not cards, tokens, or keys.

618
Q

Which of the following user identification and authentication
techniques depend on reference profiles or templates?
a. Memory tokens
b. Smart cards
c. Cryptography
d. Biometric systems

A

D. Biometric systems require the creation and storage of profiles
or templates of individuals wanting system access. This includes
physiological attributes such as fingerprints, hand geometry, or retina
patterns, or behavioral attributes such as voice patterns and handwritten signatures.
Memory tokens and smart cards involve the creation and distribution
of a token device with a PIN, and data that tell the computer how to
recognize valid tokens or PINs. Cryptography requires the generation,
distribution, storage, entry, use, and archiving of cryptographic keys.

619
Q

When security products cannot provide sufficient protection
through encryption, system administrators should consider using
which of the following to protect intrusion detection and
prevention system management communications?
1. Physically separated network
2. Logically separated network
3. Virtual private network
4. Encrypted tunneling
a. 1 and 4
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

C. System administrators should ensure that all intrusion detection
and prevention system (IDPS) management communications are
protected either through physical separation (management network) or
logical separation (virtual network) or through encryption using
transport layer security (TLS). However, for security products that do
not provide sufficient protection through encryption, administrators
should consider using a virtual private network (VPN) or other
encrypted tunneling method to protect the network traffic.

620
Q

Which situation is Kerberos not used in?
a. Managing distributed access rights
b. Managing encryption keys
c. Managing centralized access rights
d. Managing access permissions

A

A. Kerberos is a private key authentication system that uses a
central database to keep a copy of all users’ private keys. The entire
system can be compromised due to the central database. Kerberos is
used to manage centralized access rights, encryption keys, and access
permissions.

621
Q

Which of the following security control mechanisms is simplest to administer?
a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control

A

B. Mandatory access controls are the simplest to use because they
can be used to grant broad access to large sets of files and to broad
categories of information.
Discretionary access controls are not simple to use due to their finer
level of granularity in the access control process. Both the access
control list and logical access control require a significant amount of
administrative work because they are based on the details of each
individual user.

622
Q

What implementation is an example of an access control policy for a bank teller?
a. Role-based policy
b. Identity-based policy
c. User-directed policy
d. Rule-based policy

A

A. With role-based access control, access decisions are based on
the roles that individual users have as part of an organization. Users
take on assigned roles (such as doctor, nurse, bank teller, and
manager). Access rights are grouped by role name, and the use of
resources is restricted to individuals authorized to assume the
associated role. The use of roles to control access can be an effective
means for developing and enforcing enterprise-specific security
policies and for streamlining the security management process.
Identity-based and user-directed policies are incorrect because they are
examples of discretionary access control. Identity-based access control
is based only on the identity of the subject and object. In user-directed
access controls, a subject can alter the access rights with certain
restrictions. Rule-based policy is incorrect because it is an example of
a mandatory type of access control and is based on specific rules
relating to the nature of the subject and object.

623
Q

Which of the following access mechanisms creates a potential security problem?
a. Location-based access mechanism
b. IP address-based access mechanism
c. Token-based access mechanism
d. Web-based access mechanism

A

B. IP address-based access mechanisms use Internet Protocol (IP)
source addresses, which are not secure and subject to IP address
spoofing attacks. The IP address deals with identification only, not
authentication.
Location-based access mechanism is incorrect because it deals with a
physical address, not IP address. Token-based access mechanism is
incorrect because it uses tokens as a means of identification and
authentication. Web-based access mechanism is incorrect because it
uses secure protocols to accomplish authentication. The other three
choices accomplish both identification and authentication and do not
create a security problem as does the IP address-based access
mechanism.

624
Q

Rank the following authentication mechanisms from most to least protection against replay attacks.
a. Password only, password and PIN, challenge-response, and one-time password
b. Password and PIN, challenge-response, one-time password, and
password only
c. Challenge-response, one-time password, password and PIN, and
password only
d. Challenge-response, password and PIN, one-time password, and
password only

A

C. A challenge-response protocol is based on cryptography and
works by having the computer generate a challenge, such as a random
string of numbers. The smart token then generates a response based on
the challenge. This is sent back to the computer, which authenticates
the user based on the response. Smart tokens that use either challenge-response protocols or dynamic password generation can create one-time passwords that change periodically (e.g., every minute).
If the correct value is provided, the log-in is permitted, and the user is
granted access to the computer system. Electronic monitoring is not a
problem with one-time passwords because each time the user is
authenticated to the computer, a different “password” is used. A hacker
could learn the one-time password through electronic monitoring, but
it would be of no value.
Passwords and personal identification numbers (PINs) have
weaknesses such as disclosing and guessing. Passwords combined with
PINs are better than passwords only. Both passwords and PINs are
subject to electronic monitoring. Simple encryption of a password that
will be used again does not solve the monitoring problem because
encrypting the same password creates the same ciphertext; the ciphertext becomes the password.

625
Q

Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for re-authentication?
a. Recurring passwords
b. Nonrecurring passwords
c. Memory tokens
d. Smart tokens

A

A. Recurring passwords are static passwords with reuse and are
considered to be a relatively weak security mechanism. Users tend to
use easily guessed passwords. Other weaknesses include spoofing
users, users stealing passwords through observing keystrokes, and
users sharing passwords. The unauthorized use of passwords by
outsiders (hackers) or insiders is a primary concern and is considered
the least efficient and least effective security mechanism for re-authentication.
Nonrecurring passwords are incorrect because they provide a strong
form of re-authentication. Examples include a challenge-response
protocol or a dynamic password generator where a unique value is
generated for each session. These values are not repeated and are good
for that session only.
Tokens can help in re-authenticating a user or transaction. Memory
tokens store but do not process information. Smart tokens expand the
functionality of a memory token by incorporating one or more
integrated circuits into the token itself. In other words, smart tokens
store and process information. Except for passwords, all the other
methods listed in the question are examples of advanced authentication
methods that can be applied to re-authentication.

626
Q

Which of the following lists a pair of compatible functions within the IT organization?
a. Computer operations and applications programming
b. Systems programming and data security administration
c. Quality assurance and data security administration
d. Production job scheduling and computer operations

A

C. Separation of duties is the first line of defense against the
prevention, detection, and correction of errors, omissions, and
irregularities. The objective is to ensure that no one person has
complete control over a transaction throughout its initiation,
authorization, recording, processing, and reporting. If the total risk is
acceptable, then two different jobs can be combined. If the risk is
unacceptable, the two jobs should not be combined. Both quality
assurance and data security are staff functions and would not handle
the day-to-day operations tasks.
The other three choices are incorrect because they are examples of
incompatible functions. The rationale is to minimize such functions
that are not conducive to good internal control structure. For example,
if a computer operator is also responsible for production job
scheduling, he could submit unauthorized production jobs.

627
Q

A security label, or access control mechanism, is supported by which of the following access control policies?
a. Role-based policy
b. Identity-based policy
c. User-directed policy
d. Mandatory access control policy

A

D. Mandatory access control is a type of access control that cannot
be made more permissive by subjects. It is based on information
sensitivity such as security labels for clearance and data classification.
Rule-based and administratively directed policies are examples of
mandatory access control policy.
Role-based policy is an example of nondiscretionary access controls.
Access control decisions are based on the roles individual users are
taking in an organization. This includes the specification of duties,
responsibilities, obligations, and qualifications (e.g., a teller or loan
officer associated with a banking system).
Both identity-based and user-directed policies are examples of
discretionary access control. It is a type of access control that permits
subjects to specify the access controls with certain limitations.
Identity-based access control is based only on the identity of the
subject and object. User-directed control is a type of access control in
which subjects can alter the access rights with certain restrictions.

628
Q

The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following actions is inconsistent with the principle of least privilege?
a. Authorization creep
b. Re-authorization when employees change positions
c. Users have little access to systems
d. Users have significant access to systems

A

A. Authorization creep occurs when employees continue to
maintain access rights for previously held positions within an
organization. This practice is inconsistent with the principle of least
privilege.
The other three choices are incorrect because they are consistent
with the principle of least privilege. Reauthorization can eliminate
authorization creep, and it does not matter how many users have access
to the system or how much access to the system as long as their access
is based on the need-to-know concept.
Permanent changes are necessary when employees change positions
within an organization. In this case, the process of granting account
authorizations occurs again. At this time, however, it is also important
that access authorizations of the prior position be removed. Many
instances of authorization-creep have occurred with employees
continuing to maintain access rights for previously held positions
within an organization. This practice is inconsistent with the principle
of least privilege, and it is a security vulnerability.

629
Q

Accountability is important to implementing security policies.
Which of the following is least effective in exacting accountability
from system users?
a. Auditing requirements
b. Password and user ID requirements
c. Identification controls
d. Authentication controls

A

B. Accountability means holding individual users responsible for
their actions. Due to several problems with passwords and user IDs,
they are considered to be the least effective in exacting accountability.
These problems include easy to guess passwords, easy to spoof users
for passwords, easy to steal passwords, and easy to share passwords.
The most effective controls for exacting accountability include a
policy, authorization scheme, identification and authentication
controls, access controls, audit trails, and auditing.

630
Q

Which of the following statements is not true in electronic
authentication?
a. The registration authority and the credential service provider
may be the same entity
b. The verifier and the relying party may be the same entity
c. The verifier, credential service provider, and the relying party
may be separate entities
d. The verifier and the relying party may be separate entities

A

A. The relationship between the registration authority (RA) and
the credential service provider (CSP) is a complex one with an ongoing
relationship. In the simplest and perhaps the most common case, the
RA and CSP are separate functions of the same entity. However, an
RA might be part of a company or organization that registers
subscribers with an independent CSP, or several different CSPs.
Therefore, a CSP may be an integral part of an RA, or it may have
relationships with multiple independent RAs, and an RA may have
relationships with different CSPs as well.
The statements in the other three choices are true. The party to be
authenticated is called a claimant (subscriber) and the party verifying
that identity is called a verifier. When a subscriber needs to
authenticate to perform a transaction, he becomes a claimant to a
verifier. A relying party relies on results of an online authentication to
establish the identity or attribute of a subscriber for the purpose of
some transaction. Relying parties use a subscriber’s authenticated
identity and other factors to make access control or authorization
decisions. The verifier and the relying party may be the same entity, or
they may be separate entities. In some cases the verifier does not need
to directly communicate with the CSP to complete the authentication
activity (e.g., the use of digital certificates), which represents a logical
link between the two entities rather than a physical link. In some
implementations, the verifier, the CSP functions, and the relying party
may be distributed and separated.

631
Q

Location-based authentication techniques for transportation firms can be effectively used to provide which of the following?
a. Static authentication
b. Intermittent authentication
c. Continuous authentication
d. Robust authentication

A

C. Transportation firms can use location-based authentication
techniques continuously, as there are no time and resource limits. It
does not require any secret information to protect at either the host or
user end. Continuous authentication is better than robust
authentication, where the latter can be intermittent.

632
Q

System administrators pose a threat to computer security due
to their access rights and privileges. Which of the following
statements is true for an organization with one administrator?
a. Masquerading by a system administrator can be prevented.
b. A system administrator’s access to the system can be limited.
c. Actions by the system administrator can be detected.
d. A system administrator cannot compromise system integrity.

A

C. Authentication data needs to be stored securely, and its value
lies in the data’s confidentiality, integrity, and availability. If
confidentiality is compromised, someone may use the information to
masquerade as a legitimate user. If system administrators can read the
authentication file, they can masquerade as another user. Many systems
use encryption to hide the authentication data from the system
administrators.
Masquerading by system administrators cannot be entirely prevented.
If integrity is compromised, authentication data can be added, or the
system can be disrupted. If availability is compromised, the system
cannot authenticate users, and the users may not be able to work.
Because audit controls would be out of the control of the administrator,
controls can be set up so that improper actions by the system
administrators can be detected in audit records. Due to their broader
responsibilities, the system administrators’ access to the system cannot
be limited. System administrators can compromise a system’s integrity;
again their actions can be detected in audit records.
It makes a big difference whether an organization has one or more than
one system administrator for separation of duties or for “least
privilege” principle to work. With several system administrators, a
system administrator account could be set up for one person to have
the capability to add accounts. Another administrator could have the
authority to delete them. When there is only one system administrator
employed, breaking up the duties is not possible.

633
Q

Logical access controls provide a technical means of controlling access to computer systems. Which of the following is not a benefit of logical access controls?
a. Integrity
b. Availability
c. Reliability
d. Confidentiality

A

C. Computer-based access controls are called logical access
controls. These controls can prescribe not only who or what is to have
access to a specific system resource but also the type of access
permitted, usually in software. Reliability is more of a hardware issue.
Logical access controls can help protect (i) operating systems and
other systems software from unauthorized modification or
manipulation (and thereby help ensure the system’s integrity and
availability); (ii) the integrity and availability of information by
restricting the number of users and processes with access; and (iii)
confidential information from being disclosed to unauthorized
individuals.

634
Q

Which of the following internal access control methods offers a strong form of access control and is a significant deterrent to its
a. Security labels
b. Passwords
c. Access control lists
d. Encryption

A

A. Security labels are a strong form of access control. Unlike
access control lists, labels cannot ordinarily be changed. Because
labels are permanently linked to specific information, data cannot be
disclosed by a user copying information and changing the access to
that file so that the information is more accessible than the original
owner intended. Security labels are well suited for consistently and
uniformly enforcing access restrictions, although their administration
and inflexibility can be a significant deterrent to their use.
Passwords are a weak form of access control, although they are easy to
use and administer. Although encryption is a strong form of access
control, it is not a deterrent to its use when compared to labels. In
reality, the complexity and difficulty of encryption can be a deterrent to
its use.

635
Q

It is vital that access controls protecting a computer system work together. Which of the following types of access controls should be most specific?
a. Physical
b. Application system
c. Operating system
d. Communication system

A

B. At a minimum, four basic types of access controls should be
considered: physical, operating system, communications, and
application. In general, access controls within an application are the
most specific. However, for application access controls to be fully
effective, they need to be supported by operating system and
communications system access controls. Otherwise, access can be
made to application resources without going through the application.
Operating system, communication, and application access controls
need to be supported by physical access controls such as physical
security and contingency planning.

636
Q

Which of the following types of logical access control mechanisms does not rely on physical access controls?
a. Encryption controls
b. Application system access controls
c. Operating system access controls
d. Utility programs

A

A. Most systems can be compromised if someone can physically
access the CPU machine or major components by, for example,
restarting the system with different software. Logical access controls
are, therefore, dependent on physical access controls (with the
exception of encryption, which can depend solely on the strength of
the algorithm and the secrecy of the key).
Application systems, operating systems, and utility programs are
heavily dependent on logical access controls to protect against
unauthorized use.

637
Q

A system mechanism and audit trails assist business managers to hold individual users accountable for their actions. To utilize these audit trails, which of the following controls is a prerequisite for the mechanism to be effective?
a. Physical
b. Environmental
c. Management
d. Logical access

A

D. By advising users that they are personally accountable for their
actions, which are tracked by an audit trail that logs user activities,
managers can help promote proper user behavior. Users are less likely
to attempt to circumvent security policy if they know that their actions
will be recorded in an audit log. Audit trails work in concert with
logical access controls, which restrict use of system resources. Because
logical access controls are enforced through software, audit trails are
used to maintain an individual’s accountability. The other three choices
collect some data in the form of an audit trail, and their use is limited
due to the limitation of useful data collected.

638
Q

Which of the following is the best place to put the Kerberos Protocol?
a. Application layer
b. Transport layer
c. Network layer
d. All layers of the network

A

D. Placing the Kerberos protocol below the application layer and at all layers of the network provides greatest security protection without the need to modify applications.

639
Q

An inherent risk is associated with logical access that is difficult to prevent or mitigate but can be identified via a review of audit trails. Which of the following types of access is this risk most associated with?
a. Properly used authorized access
b. Misused authorized access
c. Unsuccessful unauthorized access
d. Successful unauthorized access

A

B. Properly authorized access, as well as misused authorized
access, can use audit trail analysis, but more so for the latter due to its
high risk. Although users cannot be prevented from using resources to
which they have legitimate access authorization, audit trail analysis is
used to examine their actions. Similarly, unauthorized access attempts,
whether successful or not, can be detected through the analysis of audit
trails.

640
Q

Many computer systems provide maintenance accounts for diagnostic and support services. Which of the following security techniques is least preferred to ensure reduced vulnerability when using these accounts?
a. Call-back confirmation
b. Encryption of communications
c. Smart tokens
d. Password and user ID

A

D. Many computer systems provide maintenance accounts. These
special login accounts are normally preconfigured at the factory with
preset, widely known weak passwords. It is critical to change these
passwords or otherwise disable the accounts until they are needed. If
the account is to be used remotely, authentication of the maintenance
provider can be performed using callback confirmation. This helps
ensure that remote diagnostic activities actually originate from an
established phone number at the vendor’s site. Other techniques can
also help, including encryption and decryption of diagnostic
communications, strong identification and authentication techniques,
such as smart tokens, and remote disconnect verification.

641
Q

Below is a list of pairs, which are related to one another. Which pair of items represents the integral reliance on the first item to enforce the second?
a. The separation of duties principle, the least privilege principle
b. The parity check, the limit check
c. The single-key system, the Rivest-Shamir-Adelman (RSA)
algorithm
d. The two-key system, the Data Encryption Standard (DES)
algorithm

A

A. The separation of duties principle is related to the “least
privilege” principle; that is, users and processes in a system should
have the least number of privileges and for the minimal period of time
necessary to perform their assigned tasks. The authority and capacity
to perform certain functions should be separated and delegated to
different individuals. This principle is often applied to split the
authority to write and approve monetary transactions between two
people. It can also be applied to separate the authority to add users to a
system and other system administrator duties from the authority to
assign passwords, conduct audits, and perform other security
administrator duties.
There is no relation between the parity check, which is hardware-based, and the limit check, which is a software-based application control. The
parity check is a check that tests whether the number of ones (1s) or
zeros (0s) in an array of binary digits is odd or even. Odd parity is
standard for synchronous transmission and even parity for
asynchronous transmission. In the limit check, a program tests the
specified data fields against defined high or low value limits for
acceptability before further processing. The RSA algorithm is incorrect
because it uses two keys: private and public. The DES is incorrect
because it uses only one key for both encryption and decryption (secret or private key).

642
Q

Which of the following is the most effective method for password creation?
a. Using password generators
b. Using password advisors
c. Assigning passwords to users
d. Implementing user selected passwords

A

B. Password advisors are computer programs that examine user
choices for passwords and inform the users if the passwords are weak.
Passwords produced by password generators are difficult to remember,
whereas user-selected passwords are easy to guess. Users write the
password down on paper when it is assigned to them.

643
Q

Which one of the following items is a more reliable authentication device than the others?
a. Fixed callback system
b. Variable callback system
c. Fixed and variable callback system
d. Smart card system

A

D. Authentication is providing assurance about the identity of a
subject or object; for example, ensuring that a particular user is who he
claims to be. A smart card system uses cryptographic-based smart
tokens that offer great flexibility and can solve many authentication
problems such as forgery and masquerading. A smart token typically
requires a user to provide something the user knows (i.e., a PIN or
password), which provides a stronger control than the smart token
alone. Smart cards do not require a callback because the codes used in
the smart card change frequently, which cannot be repeated.
Callback systems are used to authenticate a person. A fixed callback
system calls back to a known telephone associated with a known place.
However, the called person may not be known, and it is a problem with
masquerading. It is not only insecure but also inflexible because it is
tied to a specific place. It is not applicable if the caller moves around.
A variable callback system is more flexible than the fixed one but
requires greater maintenance of the variable telephone numbers and
locations. These phone numbers can be recorded or decoded by a
hacker.

644
Q

Which of the following is an example of a drawback of smart cards?
a. A means of access control
b. A means of storing user data
c. A means of gaining unauthorized access
d. A means of access control and data storage

A

C. Because valuable data is stored on a smart card, the card is
useless if lost, damaged, or forgotten. An unauthorized person can gain
access to a computer system in the absence of other strong controls. A
smart card is a credit card-sized device containing one or more
integrated circuit chips, which performs the functions of a
microprocessor, memory, and an input/output interface.
Smart cards can be used (i) as a means of access control, (ii) as a
medium for storing and carrying the appropriate data, and (iii) as a
combination of (i) and (ii).

645
Q

Which of the following is the simplest and most basic login control?
a. Validating username and password
b. Monitoring unsuccessful logins
c. Sending alerts to the system operators
d. Disabling accounts when a break-in occurs

A

A. Login controls specify the conditions users must meet for
gaining access to a computer system. In most simple and basic cases,
access will be permitted only when both a username and password are
provided. More complex systems grant or deny access based on the
type of computer login; that is, local, dialup, remote, network, batch, or
subprocess. The security system can restrict access based on the type
of the terminal, or the remote computer’s access will be granted only
when the user or program is located at a designated terminal or remote
system. Also, access can be defined by the time of day and the day of
the week. As a further precaution, the more complex and sophisticated
systems monitor unsuccessful logins, send messages or alerts to the
system operator, and disable accounts when a break-in occurs.

646
Q

There are trade-offs among controls. A security policy would be most useful in which of the following areas?
1. System-generated passwords versus user-generated passwords
2. Access versus confidentiality
3. Technical controls versus procedural controls
4. Manual controls versus automated controls
a. 1 and 2
b. 3 and 4
c. 2 and 3
d. 2 and 4

A

C. A security policy is the framework within which an
organization establishes needed levels of information security to
achieve the desired confidentiality goals. A policy is a statement of
information values, protection responsibilities, and organizational
commitment for a computer system. It is a set of laws, rules, and
practices that regulate how an organization manages, protects, and
distributes sensitive information.
There are trade-offs among controls such as technical controls and
procedural controls. If technical controls are not available, procedural
controls might be used until a technical solution is found.
Nevertheless, technical controls are useless without procedural
controls and a robust security policy.
Similarly, there is a trade-off between access and confidentiality; that
is, a system meeting standards for access allows authorized users
access to information resources on an ongoing basis. The emphasis
given to confidentiality, integrity, and access depends on the nature of
the application. An individual system may sacrifice the level of one
requirement to obtain a greater degree of another. For example, to
allow for increased levels of availability of information, standards for
confidentiality may be lowered. Thus, the specific requirements and
controls for information security can vary.
Passwords and controls also involve trade-offs, but at a lower level.
Passwords require deciding between system-generated passwords,
which can offer more security than user-generated passwords because
system-generated passwords are randomly generated pseudo words not
found in the dictionary. However, system-generated passwords are
harder to remember, forcing users to write them down, thus defeating
the purpose. Controls require selecting between a manual and
automated control or selecting a combination of manual and automated
controls. One control can work as a compensating control for the other.

647
Q

Ensuring data and program integrity is important. Which of the following controls best applies the separation of duties principle in an automated computer operations environment?
a. File placement controls
b. Data file naming conventions
c. Program library controls
d. Program and job naming conventions

A

C. Program library controls enable only assigned programs to run
in production and eliminate the problem of test programs accidentally
entering the production environment. They also separate production
and testing data to ensure that no test data are used in normal
production. This practice is based on the “separation of duties”
principle.
File placement controls ensure that files reside on the proper direct
access storage device so that data sets do not go to a wrong device by
accident. Data file, program, and job naming conventions implement
the separation of duties principle by uniquely identifying each
production and test data file names, program names, job names, and
terminal usage.

648
Q

How does a role-based access control mechanism work?
a. Based on job enlargement concept
b. Based on job duties concept
c. Based on job enrichment concept
d. Based on job rotation concept

A

B. Users take on assigned roles such as doctor, nurse, teller, and
manager. With role-based access control mechanism, access decisions
are based on the roles that individual users have as part of an
organization, that is, job duties. Job enlargement means adding width
to a job; job enrichment means adding depth to a job; and job rotation
makes a person well rounded.

649
Q

What do the countermeasures against a rainbow attack resulting from a password cracking threat include?
a. One-time password and one-way hash
b. Keyspace and passphrase
c. Salting and stretching
d. Entropy and user account lockout

A

C. Salting is the inclusion of a random value in the password
hashing process that greatly decreases the likelihood of identical
passwords returning the same hash. If two users choose the same
password, salting can make it highly unlikely that their hashes are the
same. Larger salts effectively make the use of rainbow tables
infeasible. Stretching involves hashing each password and its salt
thousands of times. This makes the creation of the rainbow tables
correspondingly more time-consuming, while having little effect on the
amount of effort needed by the organization’s systems to verify
password authentication attempts.
Keyspace is the large number of possible key values (keys) created by
the encryption algorithm to use when transforming the message.
Passphrase is a sequence of characters transformed by a password
system into a virtual password. Entropy is a measure of the amount of
uncertainty that an attacker faces to determine the value of a secret.

650
Q

Passwords can be stored safely in which of the following places?
a. Initialization file
b. Script file
c. Password file
d. Batch file

A

C. Passwords should not be included in initialization files, script files, or batch files due to possible compromise. Instead, they should be stored in a password file, preferably encrypted.

651
Q

What are the Bell-LaPadula access control model and mandatory access control policy examples of?
a. Identity-based access controls (IBAC)
b. Attribute-based access controls (ABAC)
c. Role-based access controls (RBAC)
d. Rule-based access controls (RuBAC)

A

D. The rule-based access control (RuBAC) is based on specific
rules relating to the nature of the subject and object. A RuBAC
decision requires authorization information and restriction information
to compare before any access is granted. Both Bell-LaPadula access
control model and mandatory access control policy deal with rules.
The other three choices do not deal with rules.

652
Q

Which of the following security solutions for access control is simple to use and easy to administer?
a. Passwords
b. Cryptographic tokens
c. Hardware keys
d. Encrypted data files

A

C. Hardware keys are devices that do not require a complicated process of administering user rights and access privileges. They are simple keys, similar to door keys, that can be plugged into the personal computer before a person can successfully log on to access controlled data files and programs. Each user gets a set of keys for his personal use. Hardware keys are simple to use and easy to administer.
Passwords are an incorrect answer because they do require some amount of security administrative work, such as setting up the account and helping users when they forget passwords. Passwords are simple to use but hard to administer.
Cryptographic tokens are an incorrect answer because they do require some amount of security administrative work. Tokens need to be assigned, programmed, tracked, and disposed of.
Encrypted data files are an incorrect answer because they do require some amount of security administrative work. Encryption keys need to be assigned to the owners for encryption and decryption purposes.

653
Q

Cryptographic authentication systems must specify how the cryptographic algorithms will be used. Which of the following authentication systems would reduce the risk of impersonation in an environment of networked computer systems?
a. Kerberos-based authentication system
b. Password-based authentication system
c. Memory token-based authentication system
d. Smart token-based authentication system

A

A. The primary goal of Kerberos is to prevent system users from
claiming the identity of other users in a distributed computing
environment. The Kerberos authentication system is based on secret
key cryptography. The Kerberos protocol provides strong
authentication of users and host computer systems. Further, Kerberos
uses a trusted third party to manage the cryptographic keying
relationships, which are critical to the authentication process. System
users have a significant degree of control over the workstations used to
access network services, and these workstations must therefore be
considered untrusted.
Kerberos was developed to provide distributed network authentication
services involving client/server systems. A primary threat in this type
of client/server system is the possibility that one user claims the
identity of another user (impersonation), thereby gaining access to
system services without the proper authorization. To protect against
this threat, Kerberos provides a trusted third party accessible to
network entities, which supports the services required for
authentication between these entities. This trusted third party is known
as the Kerberos key distribution server, which shares secret
cryptographic keys with each client and server within a particular
realm. The Kerberos authentication model is based upon the
presentation of cryptographic tickets to prove the identity of clients
requesting services from a host system or server.
The other three choices are incorrect because they cannot reduce the
risk of impersonation. For example: (i) passwords can be shared,
guessed, or captured and (ii) memory tokens and smart tokens can be
lost or stolen. Also, these three choices do not use a trusted third party
to strengthen controls as Kerberos does.

654
Q

What do the weaknesses of Kerberos include?
1. Subject to dictionary attacks.
2. Works with existing security systems software.
3. Intercepting and analyzing network traffic is difficult.
4. Every network application must be modified.
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4

A

C. Kerberos is an authentication system with encryption
mechanisms that make network traffic secure. Weaknesses of Kerberos
include (i) it is subject to dictionary attacks where passwords can be
stolen by an attacker and (ii) it requires modification of all network
application source code, which is a problem with vendor-developed
applications with no source code provided to users. Kerberos strengths
include that it can be added to an existing security system and that it
makes intercepting and analyzing network traffic difficult. This is due
to the use of encryption in Kerberos.

655
Q

Less common ways to initiate impersonation attacks on the network include the use of which of the following?
a. Firewalls and account names
b. Passwords and account names
c. Biometric checks and physical keys
d. Passwords and digital certificates

A

C. Impersonation attacks involving the use of physical keys and
biometric checks are less likely due to the need for the network
attacker to be physically near the biometric equipment. Passwords and
account names are incorrect because they are the most common way to
initiate impersonation attacks on the network. A firewall is a
mechanism to protect IT computing sites against Internet-borne
attacks. Most digital certificates are password-protected and have an
encrypted file that contains identification information about its holder.

656
Q

Which of the following security services can Kerberos best provide?
a. Authentication
b. Confidentiality
c. Integrity
d. Availability

A

A. Kerberos is a de facto standard for an authentication protocol,
providing a robust authentication method. Kerberos was developed to
enable network applications to securely identify their peers and can be
used for local/remote logins, remote execution, file transfer,
transparent file access (i.e., access of remote files on the network as
though they were local) and for client/server requests. The Kerberos
system includes a Kerberos server, applications which use Kerberos
authentication, and libraries for use in developing applications which
use Kerberos authentication. In addition to secure remote procedure
call (Secure RPC), Kerberos prevents impersonation in a network
environment and only provides authentication services. Other services
such as confidentiality, integrity, and availability must be provided by
other means. With Kerberos and secure RPC, passwords are not
transmitted over the network in plaintext.
In Kerberos, two items are needed to prove authentication. The first is the
ticket and the second is the authenticator. The ticket consists of the
requested server name, the client name, the address of the client, the
time the ticket was issued, the lifetime of the ticket, the session key to
be used between the client and the server, and some other fields. The
ticket is encrypted using the server’s secret key and thus cannot be
correctly decrypted by the user. If the server can properly decrypt the
ticket when the client presents it and if the client presents the
authenticator encrypted using the session key contained in the ticket,
the server can have confidence in the user’s identity. The authenticator
contains the client name, address, current time, and some other fields.
The authenticator is encrypted by the client using the session key
shared with the server. The authenticator provides a time-validation for
the credential. If a user possesses both the proper credential and the
authenticator encrypted with the correct session key and presents these
items within the lifetime of the ticket, then the user’s identity can be
authenticated.
Confidentiality is incorrect because it ensures that data is disclosed to
only authorized subjects. Integrity is incorrect because it is the
property that an object is changed only in a specified and authorized
manner. Availability is incorrect because it is the property that a given
resource will be usable during a given time period.

657
Q

What is the major advantage of a single sign-on?
a. It reduces management work.
b. It is a convenience for the end user.
c. It authenticates a user once.
d. It provides a centralized administration.

A

B. Under a single sign-on (SSO), a user can authenticate once to gain access to multiple applications that have been previously defined
in the security system. The SSO system is convenient for the end user
in that it provides fewer areas to manage when compared to multiple
sign-on systems, but SSO is risky. Many points of failure exist in
multiple sign-on systems as they are inconvenient for the end user
because of many areas to manage.

658
Q

Kerberos can prevent which one of the following attacks?
a. Tunneling attack
b. Playback attack
c. Destructive attack
d. Process attack

A

B. In a playback (replay) attack, messages received from
something or from somewhere are replayed back to it. It is also called
a reflection attack. Kerberos puts the time of day in the request to
prevent an eavesdropper from intercepting the request for service and
retransmitting it from the same host at a later time.
A tunneling attack attempts to exploit a weakness in a system that
exists at a level of abstraction lower than that used by the developer to
design the system. For example, an attacker might discover a way to
modify the microcode of a processor used when encrypting some data,
rather than attempting to break the system’s encryption algorithm.
Destructive attacks damage information in a fashion that denies
service. These attacks can be prevented by restricting access to critical
data files and protecting them from unauthorized users.
In process attacks, one user makes a computer unusable for others that
use the computer at the same time. These attacks are applicable to
shared computers.

659
Q

From an access control point of view, which of the following are examples of history-based access control policies?
1. Role-based access control
2. Workflow policy
3. Rule-based access control
4. Chinese Wall policy
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

C. History-based access control policies are defined in terms of
subjects and events where the events of the system are specified as the
object access operations associated with activity at a particular security
level. This assumes that the security policy is defined in terms of the
sequence of events over time, and that the security policy decides
which events of the system are permitted to ensure that information
does not flow in an unauthorized manner. History-based access control
policies are not based on standard access control mechanisms but on
on practical applications. In the history-based access control policies,
previous access events are used as one of the decision factors for the
next access authorization. The workflow and the Chinese Wall policies
are examples of history-based access control policies.

660
Q

Which of the following is most commonly used in the implementation of an access control matrix?
a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control

A

C. The access control list (ACL) is the most useful and flexible
type of implementation of an access control matrix. The ACL permits
any given user to be allowed or disallowed access to any object. The
columns of an ACL show a list of users attached to protected objects.
One can associate access rights for individuals and resources directly
with each object. The other three choices require extensive
administrative work and are useful but not that flexible.

661
Q

What is Kerberos?
a. Access-oriented protection system
b. Ticket-oriented protection system
c. List-oriented protection system
d. Lock-and-key-oriented protection system

A

B. Kerberos was developed to enable network applications to
securely identify their peers. It uses a ticket, which identifies the client,
and an authenticator that serves to validate the use of that ticket and
prevent an intruder from replaying the same ticket to the server in a
future session. A ticket is valid only for a given time interval. When
the interval ends, the ticket expires, and any later authentication
exchanges require a new ticket.
An access-oriented protection system can be based on hardware or
software or a combination of both to prevent and detect unauthorized
access and to permit authorized access. In list-oriented protection
systems, each protected object has a list of all subjects authorized to
access it. A lock-and-key-oriented protection system involves
matching a key or password with a specific access requirement. The
other three choices do not provide the strong authentication protection
that Kerberos does.

662
Q

For intrusion detection and prevention system capabilities using anomaly-based detection, administrators should check which of the following to determine whether they need to be adjusted to compensate for changes in the system and changes in threats?
a. Whitelists
b. Thresholds
c. Program code viewing
d. Blacklists

A

B. Administrators should check the intrusion detection and
prevention system (IDPS) thresholds and alert settings to determine
whether they need to be adjusted periodically to compensate for
changes in the system environment and changes in threats. The other
three choices are incorrect because the anomaly-based detection does
not use whitelists, blacklists, and program code viewing.

663
Q

Intrusion detection systems cannot do which of the following?
a. Report alterations to data files
b. Trace user activity
c. Compensate for weak authentication
d. Interpret system logs

A

C. An intrusion detection system (IDS) cannot act as a “silver
bullet,” compensating for weak identification and authentication
mechanisms, weaknesses in network protocols, or lack of a security
policy. IDS can do the other three choices, such as recognizing and
reporting alterations to data files, tracing user activity from the point of
entry to the point of exit or impact, and interpreting the mass of
information contained in operating system logs and audit trail logs.

664
Q

Intrusion detection systems can do which of the following?
a. Analyze all the traffic on a busy network
b. Deal with problems involving packet-level attacks
c. Recognize a known type of attack
d. Deal with high-speed asynchronous transfer mode networks

A

C. Intrusion detection systems (IDS) can recognize when a known
type of attack is perpetrated on a system. However, IDS cannot do the
following: (i) analyze all the traffic on a busy network, (ii) compensate
for receiving faulty information from system sources, (iii) always deal
with problems involving packet-level attacks (e.g., an intruder using
fabricated packets that elude detection to launch an attack or multiple
packets to jam the IDS itself), and (iv) deal with high-speed
asynchronous transfer mode networks that use packet fragmentation to
optimize bandwidth.

665
Q

What is the most risky part of the primary nature of access control?
a. Configured or misconfigured
b. Enabled or disabled
c. Privileged or unprivileged
d. Encrypted or decrypted

A

B. Access control software can be enabled or disabled, meaning
security function can be turned on or off. When disabled, the logging
function does not work. The other three choices are somewhat risky
but not as much as enabled or disabled.

666
Q

Intrusion detection refers to the process of identifying attempts to penetrate a computer system and gain unauthorized access. Which of the following assists in intrusion detection?
a. Audit records
b. Access control lists
c. Security clearances
d. Host-based authentication

A

A. If audit records showing trails have been designed and
implemented to record appropriate information, they can assist in
intrusion detection. Usually, audit records contain pertinent data (e.g.,
date, time, status of an action, user IDs, and event ID), which can help
in intrusion detection.
Access control lists refer to a register of users who have been given
permission to use a particular system resource and the types of access
they have been permitted. Security clearances are associated with a
subject (e.g., person and program) to access an object (e.g., files,
libraries, directories, and devices). Host-based authentication grants
access based upon the identity of the host originating the request,
instead of the identity of the user making the request. The other three
choices have no facilities to record access activity and therefore cannot
assist in intrusion detection.

667
Q

Which of the following is the technique used in anomaly detection in intrusion detection systems where user and system behaviors are expressed in terms of counts?
a. Parametric statistics
b. Threshold detection measures
c. Rule-based measures
d. Nonparametric statistics

A

B. Anomaly detectors identify abnormal, unusual behavior
(anomalies) on a host or network. In threshold detection measures,
certain attributes of user and system behavior are expressed in terms of
counts, with some level established as permissible. Such behavior
attributes can include the number of files accessed by a user in a given
period of time.
Statistical measures include parametric and nonparametric. In
parametric measures the distribution of the profiled attributes is
assumed to fit a particular pattern. In the nonparametric measures the
distribution of the profiled attributes is “learned” from a set of
historical data values, observed over time.
Rule-based measures are similar to nonparametric statistical measures
in that observed data defines acceptable usage patterns but differs in
that those patterns are specified as rules, not numeric quantities.

668
Q

Which of the following is best to replace the use of personal identification numbers (PINs) in the world of automated teller machines (ATMs)?
a. Iris-detection technology
b. Voice technology
c. Hand technology
d. Fingerprint technology

A

A. An ATM customer can stand within three feet of a camera that
automatically locates and scans the iris in the eye. The scanned bar
code is then compared against previously stored code in the bank’s file.
Iris-detection technology is far superior for accuracy compared to the
accuracy of voice, face, hand, and fingerprint identification systems.
Iris technology does not require a PIN.

669
Q

Which of the following is true about biometrics?
a. Least expensive and least secure
b. Most expensive and least secure
c. Most expensive and most secure
d. Least expensive and most secure

A

C. Biometrics tends to be the most expensive and most secure. In
general, passwords are the least expensive authentication technique
and generally the least secure. Memory tokens are less expensive than
smart tokens but have less functionality. Smart tokens with a human
interface do not require reading equipment but are more convenient to
use.

670
Q

Which of the following is preferable for environments at high risk of identity spoofing?
a. Digital signature
b. One-time passwords
c. Digital certificate
d. Mutual authentication

A

D. If a one-way method is used to authenticate the initiator
(typically a road warrior) to the responder (typically an IPsec
gateway), a digital signature is used to authenticate the responder to
the initiator. One-way authentication, such as one-time passwords or
digital certificates on tokens is well suited for road warrior usage,
whereas mutual authentication is preferable for environments at high
risk of identity spoofing, such as wireless networks.

671
Q

Which of the following is not a substitute for logging out of the information system?
a. Previous logon notification
b. Concurrent session control
c. Session lock

A

C. Both users and the system can initiate session lock
mechanisms. However, a session lock is not a substitute for logging
out of the information system, because logging out is done at the end
of the workday. Previous logon notification occurs at the time of login.
Concurrent session control deals with either allowing or not allowing
multiple sessions at the same time. Session termination can occur when
there is a disconnection of the telecommunications link or other
network operational problems.

672
Q

Identity thieves can get personal information through which of the following means?
1. Dumpster diving
2. Skimming
3. Phishing
4. Pretexting
a. 1 only
b. 3 only
c. 1 and 3
d. 1, 2, 3, and 4

A

D. Identity thieves get personal information by stealing records or
information while they are on the job, bribing an employee who has
access to these records, hacking electronic records, and conning
information out of employees. Sources of personal information include
the following: Dumpster diving, which includes rummaging through
personal trash, a business’ trash, or public trash dumps.
Skimming includes stealing credit card or debit card numbers by
capturing the information in a data storage device. Phishing and
pretexting deal with stealing information through e-mail or phone by
posing as legitimate companies and claiming that you have a problem
with your account. This practice is known as phishing when done online
and as pretexting (social engineering) when done by phone.

673
Q

Which of the following application-related authentication types is risky?
a. External authentication
b. Proprietary authentication
c. Pass-through authentication
d. Host/user authentication

A

C. Pass-through authentication refers to passing operating system
credentials (e.g., username and password) unencrypted from the
operating system to the application system. This is risky due to
unencrypted credentials. Note that pass-through authentications can be
encrypted or unencrypted.
External authentication is incorrect because it uses a directory server,
which is not risky. Proprietary authentication is incorrect because
username and passwords are part of the application, not the operating
system. This is less risky. Host/user authentication is incorrect because
it is performed within a controlled environment (e.g., managed
workstations and servers within an organization). Some applications
may rely on previous authentication performed by the operating
system. This is less risky.

674
Q

Inference attacks are based on which of the following?
a. Hardware and software
b. Firmware and freeware
c. Data and information
d. Middleware and courseware

A

C. An inference attack is where a user or an intruder can deduce
information to which he has no privilege from information to which he
has privilege.

675
Q

Out-of-band attacks against electronic authentication protocols include which of the following?
1. Password guessing attack
2. Replay attack
3. Verifier impersonation attack
4. Man-in-the-middle attack
a. 1 only
b. 3 only
c. 1 and 2
d. 3 and 4

A

D. In an out-of-band attack, the attack is against an authentication
protocol run where the attacker assumes the role of a subscriber with a
genuine verifier or relying party. The attacker obtains secret and
sensitive information such as passwords and account numbers and
amounts when a subscriber manually enters them into a one-time
password device or confirmation code sent to the verifier or relying
party.
In an out-of-band attack, the attacker alters the authentication protocol
channel through session hijacking, verifier impersonation, or man-in-the-middle (MitM) attacks. In a verifier impersonation attack, the
attacker impersonates the verifier and induces the claimant to reveal
his secret token. The MitM attack is an attack on the authentication
protocol run in which the attacker positions himself in between the
claimant and verifier so that he can intercept and alter data traveling
between them.
In a password guessing attack, an impostor attempts to guess a
password in repeated logon trials and succeeds when he can log onto a
system. In a replay attack, an attacker records and replays some part of
a previous good protocol run to the verifier. Both password guessing
and replay attacks are examples of in-band attacks. In an in-band
attack, the attack is against an authentication protocol where the
attacker assumes the role of a claimant with a genuine verifier or
actively alters the authentication channel. The goal of the attack is to
gain authenticated access or learn authentication secrets.

676
Q

Which of the following information security control families requires a cross-cutting approach?
a. Access control
b. Audit and accountability
c. Awareness and training
d. Configuration management

A

A. Access control requires a cross-cutting approach because it is
related to access control, incident response, audit and accountability,
and configuration management control families (areas). Cross-cutting
means a control in one area affects the controls in other related areas.
The other three choices require a control-specific approach.

677
Q

Confidentiality controls include which of the following?
a. Cryptography
b. Passwords
c. Tokens
d. Biometrics

A

A. Cryptography, which is a part of technical control, ensures the
confidentiality goal. The other three choices are part of user
identification and authentication controls, which are also a part of
technical control.

678
Q

Which of the following is not an example of authorization and access controls?
a. Logical access controls
b. Role-based access controls
c. Reconstruction of transactions
d. System privileges

A

C. Reconstruction of transactions is a part of audit trail mechanisms. The other three choices are a part of authorization and access controls.

679
Q

Which of the following is not an example of access control policy?
a. Performance-based policy
b. Identity-based policy
c. Role-based policy
d. Rule-based policy

A

A. Performance-based policy is used to evaluate an employee’s
performance annually or other times. The other three choices are
examples of an access control policy where they control access
between users and objects in the information system.

680
Q

From security and safety viewpoints, which of the following does not support the static separation-of-duty constraints?
a. Mutually exclusive roles
b. Reduced chances of collusion
c. Conflict-of-interest in tasks
d. Implicit constraints

A

D. It is difficult to meet the security and safety requirements with
flexible access control policies expressed in implicit constraints such
as role-based access control (RBAC) and rule-based access control
(RuBAC). Static separation-of-duty constraints require that two roles
of an individual must be mutually exclusive, constraints must reduce
the chances of collusion, and constraints must minimize the conflict-of-interest in task assignments to employees.

681
Q

Which of the following pairs are compatible with each other in performing similar functions in information security?
a. SSO and RSO
b. DES and DNS
c. ARP and PPP
d. SLIP and SKIP

A

A. A single sign-on (SSO) technology allows a user to authenticate
once and then access all the resources the user is authorized to use. A
reduced sign-on (RSO) technology allows a user to authenticate once
and then access many, but not all, of the resources the user is
authorized to use. Hence, SSO and RSO perform similar functions.
The other three choices do not perform similar functions. Data
encryption standard (DES) is a symmetric cipher encryption algorithm.
Domain name system (DNS) provides an Internet translation service
that resolves domain names to Internet Protocol (IP) addresses and
vice versa. Address resolution protocol (ARP) is used to obtain a
node’s physical address. Point-to-point protocol (PPP) is a data-link
framing protocol used to frame data packets on point-to-point lines.
Serial line Internet protocol (SLIP) carries Internet Protocol (IP) over
an asynchronous serial communication line. PPP replaced SLIP.
Simple key management for Internet protocol (SKIP) is designed to
work with the IPsec and operates at the network layer of the TCP/IP
protocol, and works very well with sessionless datagram protocols.

682
Q

How is identification different from authentication?
a. Identification comes after authentication.
b. Identification requires a password, and authentication requires a
user ID.
c. Identification and authentication are the same.
d. Identification comes before authentication.

A

D. Identification is the process used to recognize an entity such as
a user, program, process, or device. It is performed first, and
authentication is done next. Identification and authentication are not
the same. Identification requires a user ID, and authentication requires
a password.

683
Q

Accountability is not related to which of the following information security objectives?
a. Identification
b. Availability
c. Authentication
d. Auditing

A

B. Accountability is typically accomplished by identifying and
authenticating system users and subsequently tracing their actions
through audit trails (i.e., auditing).

684
Q

Which of the following statements is true about mandatory access control?
a. It does not use sensitivity levels.
b. It uses tags.
c. It does not use security labels.
d. It reduces system performance.

A

D. Mandatory access control is expensive and causes system
overhead, resulting in reduced system performance of the database.
Mandatory access control uses sensitivity levels and security labels.
Discretionary access controls use tags.

685
Q

What control is referred to when an auditor reviews access controls and logs?
a. Directive control
b. Preventive control
c. Corrective control
d. Detective control

A

D. The purpose of auditors reviewing access controls and logs is
to find out whether employees follow security policies and access
rules, and to detect any violations and anomalies. The audit report
helps management to improve access controls.

686
Q

Logical access controls are a technical means of implementing security policy decisions. This requires balancing often-competing interests. Which of the following trade-offs should receive the highest interest?
a. User-friendliness
b. Security principles
c. Operational requirements
d. Technical constraints

A

A. A management official responsible for a particular application
system, subsystem, or group of systems develops the security policy.
The development of an access control policy may not be an easy
endeavor. User-friendliness should receive the highest interest because
the system is designed for users, and the system usage is determined by
whether the system is user-friendly. The other three choices have a
competing interest in a security policy, but they are not as important as
the user-friendliness issue. An example of a security principle is “least
privilege.”

687
Q

Which of the following types of passwords is counterproductive?
a. System-generated passwords
b. Encrypted passwords
c. Nonreusable passwords
d. Time-based passwords

A

A. A password-generating program can produce passwords in a
random fashion, rather than relying on user-selected ones. System-generated passwords are usually hard to remember, forcing users to
write them down. This defeats the whole purpose of stronger
passwords.
Encrypted passwords protect from unauthorized viewing or using. The
encrypted password file is kept secure with access permission given to
security administration for maintenance or to the passwords system
itself. This approach is productive in keeping the passwords secure and
secret.
Nonreusable passwords are used only once. A series of passwords are
generated by a cryptographic secure algorithm and given to the user for
use at the time of login. Each password expires after its initial use and
is not repeated or stored anywhere. This approach is productive in
keeping the passwords secure and secret.
In time-based passwords, the password changes every minute or so. A
smart card displays some numbers that are a function of the current
time and the user’s secret key. To get access, the user must enter a
number based on his own key and the current time. Each password is a
unique one and therefore need not be written down or guessed. This
approach is productive and effective in keeping the passwords secure
and secret.

688
Q

Which of the following issues is closely related to logical access controls?
a. Employee issues
b. Hardware issues
c. Operating systems software issues
d. Application software issues

A

A. The largest risk exposure remains with employees. Personnel
security measures are aimed at hiring honest, competent, and capable
employees. Job requirements need to be programmed into the logical
access control software. Policy is also closely linked to personnel
issues. A deterrent effect arises among employees when they are aware
that their misconduct (intentional or unintentional) may be detected.
Selecting the right type and access level for employees, informing
which employees need access accounts and what type and level of
access they require, and informing changes to access requirements are
also important. Accounts and accesses should not be granted or
maintained for employees who should not have them in the first place.
The other three choices are distantly related to logical access controls
when compared to employee issues.

689
Q

Which of the following password methods are based on fact or opinion?
a. Static passwords
b. Dynamic passwords
c. Cognitive passwords
d. Conventional passwords

A

C. Cognitive passwords use fact-based and opinion-based
cognitive data as a basis for user authentication. It uses interactive
software routines that can handle initial user enrollment and
subsequent cue response exchanges for system access. Cognitive
passwords are based on a person’s lifetime experiences and events
where only that person, or his family, knows about them. Examples
include the person’s favorite high school teachers’ names, colors,
flowers, foods, and places. Cognitive password procedures do not
depend on the “people memory” often associated with the conventional
password dilemma. However, implementation of a cognitive password
mechanism could cost money and take more time to authenticate a
user. Cognitive passwords are easier to recall and difficult for others to
guess.
Conventional (static) passwords are difficult to remember whether
user-created or system-generated and are easy to guess by others.
Dynamic passwords change each time a user signs on to the computer.
Even in the dynamic password environment, a user needs to remember
an initial code for the computer to recognize him. Conventional
passwords are reusable whereas dynamic ones are not. Conventional
passwords rely on memory.

690
Q

Which of the security codes is the longest, thereby making it difficult to guess?
a. Passphrases
b. Passwords
c. Lockwords
d. Passcodes

A

A. Passphrases have the virtue of length (e.g., up to 80 characters),
making them both difficult to guess and burdensome to discover by an
exhaustive trial-and-error attack on a system. The number of characters
used in the other three choices is smaller (e.g., four to eight characters)
than passphrases. All four security codes are user identification
mechanisms.
Passwords are uniquely associated with a single user. Lockwords are
system-generated terminal passwords shared among users. Passcodes
are a combination of password and ID card.

691
Q

Anomaly detection approaches used in intrusion detection systems (IDS) require which of the following?
a. Tool sets
b. Skill sets
c. Training sets
d. Data sets

A

C. Anomaly detection approaches often require extensive training
sets of system event records to characterize normal behavior patterns.
Skill sets are also important for the IT security analyst. Tool sets and
data sets are not relevant here because the tool sets may contain
software or hardware, and the data sets may contain data files and
databases.

692
Q

What is a marking assigned to a computing resource called?
a. Security tag
b. Security label
c. Security level
d. Security attribute

A

B. A security label is a marking bound to a resource (which may
be a data unit) that names or designates the security attributes of that
resource. A security tag is an information unit containing a
representation of certain security-related information (e.g., a restrictive
attribute bitmap).
A security level is a hierarchical indicator of the degree of sensitivity
to a certain threat. It implies, according to the security policy enforced,
a specific level of protection. A security attribute is a security-related
quality of an object. Security attributes may be represented as
hierarchical levels, bits in a bitmap, or numbers. Compartments,
caveats, and release markings are examples of security attributes.

693
Q

Which of the following is most risky?
a. Permanent access
b. Guest access
c. Temporary access
d. Contractor access

A

C. The greatest problem with temporary access is that once
temporary access is given to an employee, it is not reverted back to the
previous status after the project has been completed. This can be due to
forgetfulness on both sides of employee and employer or the lack of a
formal system for change notification. There can be a formal system of
change notification for permanent access, and guest or contractor
accesses are removed after the project has been completed.

694
Q

Which of the following deals with access control by group?
a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control

A

A. Discretionary access controls deal with the concept of control
objectives, or control over individual aspects of an enterprise’s
processes or resources. They are based on the identity of the users and
of the objects they want to access. Discretionary access controls are
implemented by one user or the network/system administrator to
specify what levels of access other users are allowed to have.
Mandatory access controls are implemented based on the user’s
security clearance or trust level and the particular sensitivity
designation of each file. The owner of a file or object has no discretion
as to who can access it.
An access control list is based on which user can access what objects.
Logical access controls are based on a user-supplied identification
number or code and password. Discretionary access control is by group
association whereas mandatory access control is by sensitivity level.

695
Q

Which of the following provides a finer level of granularity (i.e., more restrictive security) in the access control process?
a. Mandatory access control
b. Discretionary access control
c. Access control list
d. Logical access control

A

B. Discretionary access control offers a finer level of granularity
in the access control process. Mandatory access controls can provide
access to broad categories of information, whereas discretionary access
controls can be used to fine-tune those broad controls, override
mandatory restrictions as needed, and accommodate special
circumstances.

696
Q

For identity management, which of the following supports the determination of an authentic identity?
1. X.509 authentication framework
2. Internet Engineering Task Force’s PKI
3. Secure DNS initiatives
4. Simple public key infrastructure
a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

A

D. Several infrastructures are devoted to providing identities and
the means of authenticating those identities. Examples of these
infrastructures include the X.509 authentication framework, the
Internet Engineering Task Force’s PKI (IETF’s PKI), the secure
domain name system (DNS) initiatives, and the simple public key
infrastructure (SPKI).

697
Q

Which one of the following methodologies or techniques provides the most effective strategy for limiting access to individual sensitive files?
a. Access control list and both discretionary and mandatory access
control
b. Mandatory access control and access control list
c. Discretionary access control and access control list
d. Physical access control to hardware and access control list with
discretionary access control

A

A. The best control for protecting sensitive files is using
mandatory access controls supplemented by discretionary access
controls and implemented through the use of an access control list. A
complementary mandatory access control mechanism can prevent the
Trojan horse attack that can be allowed by the discretionary access
control. The mandatory access control prevents the system from giving
sensitive information to any user who is not explicitly authorized to
access a resource.

698
Q

Which of the following security control mechanisms is simplest to administer?
a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control

A

B. Mandatory access controls are the simplest to use because they
can be used to grant broad access to large sets of files and to broad
categories of information. Discretionary access controls are not simple
to use due to their finer level of granularity in the access control
process. Both the access control list and logical access control require
a significant amount of administrative work because they are based on
the details of each individual user.

699
Q

Which of the following use data by row to represent the access control matrix?
a. Capabilities and profiles
b. Protection bits and access control list
c. Profiles and protection bits
d. Capabilities and access control list

A

A. Capabilities and profiles are used to represent the access
control matrix data by row and connect accessible objects to the user.
On the other hand, a protection bit-based system and access control list
represents the data by column, connecting a list of users to an object.

700
Q

The process of identifying users and objects is important to which of the following?
a. Discretionary access control
b. Mandatory access control
c. Access control
d. Security control

A

A. Discretionary access control is a means of restricting access to
objects based on the identity of subjects and/or groups to which they
belong. In a mandatory access control mechanism, the owner of a file
or object has no discretion as to who can access it. Both security
control and access control are too broad and vague to be meaningful
here.

701
Q

Which of the following is a hidden file?
a. Password aging file
b. Password validation file
c. Password reuse file
d. Shadow password file

A

D. The shadow password file contains the passwords and is readable only by the root user. The password
validation file uses the shadow password file before allowing the user
to log in. The password-aging file contains an expiration date, and the
password reuse file prevents a user from reusing a previously used
password. The files mentioned in the other three choices are not
hidden.

702
Q

From an access control point of view, which of the following are examples of task transactions and separation of conflicts of interest?
1. Role-based access control
2. Workflow policy
3. Rule-based access control
4. Chinese Wall policy
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

C. Workflow policy is a process that operates on rules and
procedures. A workflow is specified as a set of tasks and a set of
dependencies among the tasks, and the sequencing of these tasks is
important (i.e., task transactions). The various tasks in a workflow are
usually carried out by several users in accordance with organizational
rules represented by the workflow policy. The Chinese Wall policy
addresses conflict-of-interest issues, with the objective of preventing
illicit flows of information that can result in conflicts of interest. The
Chinese Wall policy is simple and easy to describe but difficult to
implement. Both role- and rule-based access control can create
conflict-of-interest situations because of incompatibility between
employee roles and management rules.

703
Q

For identity management, which of the following qualifies as continuously authenticated?
a. Unique ID
b. Signed X.509 certificate
c. Password with access control list
d. Encryption

A

D. A commonly used method to ensure that access to a
communications session is controlled and authenticated continuously is
the use of encryption mechanisms to prevent loss of control of the
session through session stealing or hijacking. Other methods such as
signed X.509 certificates and password files associated with access
control lists (ACLs) can bind entities to unique IDs. Although these
other methods are good, they do not prevent the loss of control of the
session.

704
Q

What is a control to prevent an unauthorized user from starting an alternative operating system?
a. Shadow password
b. Encryption password
c. Power-on password
d. Network password

A

C. A computer system can be protected through a power-on
password, which prevents an unauthorized user from starting an
alternative operating system. The other three types of passwords
mentioned do not have the preventive nature, as does the power-on
password.

705
Q

The concept of least privilege is based on which of the following?
a. Risk assessment
b. Information flow enforcement
c. Access enforcement
d. Account management

A

A. An organization practices the concept of least privilege for
specific job duties and information systems, including specific
responsibilities, network ports, protocols, and services in accordance
with risk assessments. These practices are necessary to adequately
mitigate risk to organizations’ operations, assets, and individuals. The
other three choices are specific components of access controls.

706
Q
Which of the following is the primary technique used by commercially available intrusion detection and prevention systems (IDPS) to analyze events to detect attacks?
a. Signature-based IDPS
b. Anomaly-based IDPS
c. Behavior-based IDPS
d. Statistical-based IDPS

A

A. There are two primary approaches to analyzing events to detect
attacks: signature detection and anomaly detection. Signature detection
is the primary technique used by most commercial systems; however,
anomaly detection is the subject of much research and is used in a
limited form by a number of intrusion detection and prevention
systems (IDPS). Behavior-based and statistical-based IDPS are part of
anomaly-based IDPS.

707
Q

For electronic authentication, which of the following is an example of a passive attack?
a. Eavesdropping
b. Man-in-the-middle
c. Impersonation
d. Session hijacking

A

A. A passive attack is an attack against an authentication protocol
where the attacker intercepts data traveling along the network between
the claimant and verifier but does not alter the data. Eavesdropping is
an example of a passive attack.
A man-in-the-middle (MitM) attack is incorrect because it is an active
attack on the authentication protocol run in which the attacker
positions himself between the claimant and verifier so that he can
intercept and alter data traveling between them.
Impersonation is incorrect because it is an attempt to gain access to a
computer system by posing as an authorized user. It is the same as
masquerading, spoofing, and mimicking.
Session hijacking is incorrect because it is an attack that occurs during
an authentication session within a database or system. The attacker
disables a user’s desktop system, intercepts responses from the
application, and responds in ways that probe the session. Man-in-the-middle, impersonation, and session hijacking are examples of active
attacks. Note that MitM attacks can be passive or active depending on
the intent of the attacker because there are mild MitM or strong MitM
attacks.

708
Q

Which of the following complementary strategies to mitigate token threats raise the threshold for successful attacks?
a. Physical security mechanisms
b. Multiple security factors
c. Complex passwords
d. System and network security controls

A

B. Token threats include masquerading, off-line attacks, and
guessing passwords. Multiple factors raise the threshold for successful
attacks. If an attacker needs to steal the cryptographic token and guess
a password, the work factor may be too high.
Physical security mechanisms are incorrect because they may be
employed to protect a stolen token from duplication. Physical security
mechanisms can provide tamper evidence, detection, and response.
Complex passwords are incorrect because they may reduce the
likelihood of a successful guessing attack. By requiring the use of long
passwords that do not appear in common dictionaries, attackers may be
forced to try every possible password.
System and network security controls are incorrect because they may
be employed to prevent an attacker from gaining access to a system or
installing malicious software (malware).

709
Q

Which of the following is the correct description of roles between a registration authority (RA) and a credential service provider (CSP) involved in identity proofing?
a. The RA may be a part of the CSP.
b. The RA may be a separate entity.
c. The RA may be a trusted relationship.
d. The RA may be an independent entity.

A

C. The RA may be a part of the CSP, or it may be a separate and
independent entity; however a trusted relationship always exists
between the RA and CSP. Either the RA or CSP must maintain records
of the registration. The RA and CSP may provide services on behalf of
an organization or may provide services to the public.

710
Q

What is spoofing?
a. Active attack
b. Passive attack
c. Surveillance attack
d. Exhaustive attack

A

A. Spoofing is a tampering activity and is an active attack.
Sniffing is a surveillance activity and is a passive attack. An exhaustive
attack (i.e., brute force attack) consists of discovering secret data by
trying all possibilities and checking for correctness. For a four-digit
password, you might start with 0000 and move to 0001 and 0002 until
9999.

711
Q

Which of the following is an example of infrastructure threats related to the registration process required in identity proofing?
a. Separation of duties
b. Record keeping
c. Impersonation
d. Independent audits

A

C. There are two general categories of threats to the registration
process: impersonation and either compromise or malfeasance of the
infrastructure (RAs and CSPs). Infrastructure threats are addressed by
normal computer security controls such as separation of duties, record
keeping, and independent audits.

712
Q

In electronic authentication, which of the following is not trustworthy?
a. Claimants
b. Registration authorities
c. Credentials services providers
d. Verifiers

A

A. Registration authorities (RAs), credential service providers
(CSPs), verifiers, and relying parties are ordinarily trustworthy in the
sense of being correctly implemented and not deliberately malicious.
However, claimants or their systems may not be trustworthy or else
their identity claims could simply be trusted. Moreover, whereas RAs,
CSPs, and verifiers are normally trustworthy, they are not invulnerable
and could become corrupted. Therefore, protocols that expose long-term authentication secrets more than are absolutely required, even to
trusted entities, should be avoided.

713
Q

An organization is experiencing excessive turnover of employees. Which of the following is the best access control policy under these situations?
a. Rule-based access control (RuBAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Discretionary access control (DAC)

A

C. Employees can come and go, but their roles do not change,
such as a doctor or nurse in a hospital. With role-based access control,
access decisions are based on the roles that individual users have as
part of an organization. Employee names may change but the roles
do not. This access control is the best for organizations experiencing
excessive employee turnover.
Rule-based access control and mandatory access control are the same
because they are based on specific rules relating to the nature of the
subject and object. Discretionary access control is a means to restrict
access to objects based on the identity of subjects and/or groups to
which they belong.

714
Q

The principle of least privilege supports which of the following?
a. All or nothing privileges
b. Super-user privileges
c. Appropriate privileges
d. Creeping privileges

A

C. The principle of least privilege refers to granting users only
those accesses required to perform their duties. Only the concept of
“appropriate privilege” is supported by the principle of least privilege.

715
Q

What is password management an example of?
a. Directive control
b. Preventive control
c. Detective control
d. Corrective control

A

B. Password management is an example of preventive controls in
that passwords deter unauthorized users from accessing a system
unless they know the password through some other means.

716
Q

Which one of the following access control policies uses an access control matrix for its implementation?
a. Discretionary access control (DAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Access control lists (ACLs)

A

A. A discretionary access control (DAC) model uses access
control matrix where it places the name of users (subjects) in each row
and the names of objects (files or programs) in each column of a
matrix. The other three choices do not use an access control matrix.

717
Q

Access control mechanisms include which of the following?
a. Directive, preventive, and detective controls
b. Corrective, recovery, and preventive controls
c. Logical, physical, and administrative controls
d. Management, operational, and technical controls

A

C. Access control mechanisms include logical (passwords and
encryption), physical (keys and tokens), and administrative (forms and
procedures) controls. Directive, preventive, detective, corrective, and
recovery controls are controls by action. Management, operational, and
technical controls are controls by nature.

718
Q

Which one of the following access control policies uses security labels?
a. Discretionary access control (DAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Access control lists (ACLs)

A

B. Security labels and interfaces are used to determine access
based on the mandatory access control (MAC) policy. A security label
is the means used to associate a set of security attributes with a specific
information object as part of the data structure for that object. Labels
could be designated as proprietary data or public data. The other three
choices do not use security labels.

719
Q

Intrusion detection and prevention systems serve as which of the following?
a. Barrier mechanism
b. Monitoring mechanism
c. Accountability mechanism
d. Penetration mechanism

A

B. Intrusion detection and prevention systems (IDPS) serve as
monitoring mechanisms, watching activities, and making decisions
about whether the observed events are suspicious. IDPS can spot
attackers circumventing firewalls and report them to system
administrators, who can take steps to prevent damage. Firewalls serve
as barrier mechanisms, barring entry to some kinds of network traffic
and allowing others, based on a firewall policy.

720
Q

Which of the following can coexist in providing strong access control mechanisms?
a. Kerberos authentication and single sign-on system
b. Kerberos authentication and digital signature system
c. Kerberos authentication and asymmetric key system
d. Kerberos authentication and digital certificate system

A

A. When Kerberos authentication is combined with single sign-on
systems, it requires establishment of and operating the privilege
servers. Kerberos uses symmetric key cryptography, and the other
three choices are examples of asymmetric key cryptography.

721
Q

Uses of honeypots and padded cells have which of the following?
a. Social implications
b. Legal implications
c. Technical implications
d. Psychological implications

A

B. The legal implications of using honeypot and padded cell
systems are not well defined. It is important to seek guidance from
legal counsel before deciding to use either of these systems.

722
Q

From security and safety viewpoints, safety enforcement is tied to which of the following?
a. Job rotation
b. Job description
c. Job enlargement
d. Job enrichment

A

B. Safety is fundamental to ensuring that the most basic of access
control policies can be enforced. This enforcement is tied to the job
description of an individual employee through access authorizations
(e.g., permissions and privileges). Job description lists job tasks,
duties, roles, and responsibilities expected of an employee, including
safety and security requirements.
The other three choices do not provide safety enforcements. Job
rotation makes an employee well-rounded because it broadens an
employee’s work experience, job enlargement adds width to a job, and
job enrichment adds depth to a job.

723
Q

Which of the following is the correct sequence of actions in access control mechanisms?
a. Access profiles, authentication, authorization, and identification
b. Security rules, identification, authorization, and authentication
c. Identification, authentication, authorization, and accountability
d. Audit trails, authorization, accountability, and identification

A

C. Identification comes before authentication, and authorization
comes after authentication. Accountability is last where user actions
are recorded.

724
Q

The principle of least privilege is most closely linked to which of the following security objectives?
a. Confidentiality
b. Integrity
c. Availability
d. Nonrepudiation

A

B. The principle of least privilege deals with access control
authorization mechanisms, and as such the principle ensures integrity
of data and systems by limiting access to data/information and
information systems.

725
Q

Which of the following is a major vulnerability with Kerberos model?
a. User
b. Server
c. Client
d. Key-distribution-server

A

D. A major vulnerability with the Kerberos model is that if the key
distribution server is attacked, every secret key used on the network is
compromised. The principals involved in the Kerberos model include
the user, the client, the key-distribution-center, the ticket-granting service, and the server providing the requested services.

726
Q

For electronic authentication, identity proofing involves which of the following?
a. CSP
b. RA
c. CSP and RA
d. CA and CRL

A

C. Identity proofing is the process by which a credential service
provider (CSP) and a registration authority (RA) validate sufficient
information to uniquely identify a person. A certification authority
(CA) is not involved in identity proofing. A CA is a trusted entity that
issues and revokes public key certificates. A certificate revocation list
(CRL) is not involved in identity proofing. A CRL is a list of revoked
public key certificates created and digitally signed by a CA.

727
Q

A lattice security model is an example of which of the following access control policies?
a. Discretionary access control (DAC)
b. Non-DAC
c. Mandatory access control (MAC)
d. Non-MAC

A

B. A lattice security model is based on a nondiscretionary access
control (non-DAC) model. A lattice model is a partially ordered set for
which every pair of elements (subjects and objects) has a greatest
lower bound and a least upper bound. The subject has the greatest
lower bound, and the object has the least upper bound.

728
Q

Which of the following is not a common type of electronic credential?
a. SAML assertions
b. X.509 public-key identity certificates
c. X.509 attribute certificates
d. Kerberos tickets

A

A. Electronic credentials are digital documents used in
authentication that bind an identity or an attribute to a subscriber’s
token. Security assertion markup language (SAML) is a specification
for encoding security assertions in the extensible markup language
(XML). SAML assertions have nothing to do with electronic credentials
because they can be used by a verifier to make a statement to a relying
party about the identity of a claimant.
An X.509 public-key identity certificate is incorrect because binding
an identity to a public key is a common type of electronic credential.
An X.509 attribute certificate is incorrect because binding an identity or a
public key with some attribute is a common type of electronic
credential. Kerberos tickets are incorrect because encrypted messages
binding the holder with some attribute or privilege are a common type
of electronic credential.

729
Q

Registration fraud in electronic authentication can be deterred by making it more difficult to accomplish or by
increasing the likelihood of which of the following?
a. Direction
b. Prevention
c. Detection
d. Correction

A

C. Making it more difficult to accomplish or increasing the
likelihood of detection can deter registration fraud. The goal is to make
impersonation more difficult.

730
Q

Which one of the following access control policies treats users and owners as the same?
a. Discretionary access control (DAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Access control lists (ACLs)

A

A. A discretionary access control (DAC) mechanism enables users
to grant or revoke access to any of the objects under their control. As
such, users are said to be the owners of the objects under their control.
Users and owners are different in the other three choices.

731
Q

For electronic authentication protocol threats, which of the following are assumed to be physically able to intercept authentication protocol runs?
a. Eavesdroppers
b. Subscriber impostors
c. Impostor verifiers
d. Hijackers

A

A. Eavesdroppers are assumed to be physically able to intercept
authentication protocol runs; however, the protocol may be designed to
render the intercepted messages unintelligible, or to resist analysis that
would allow the eavesdropper to obtain information useful to
impersonate the claimant.
Subscriber impostors are incorrect because they need only normal
communications access to verifiers or relying parties. Impostor
verifiers are incorrect because they may have special network
capabilities to divert, insert, or delete packets. But, in many cases, such
attacks can be mounted simply by tricking subscribers with incorrect
links or e-mails or on Web pages, or by using domain names similar to
those of relying parties or verifiers. Therefore, the impostors do not
necessarily need to have any unusual network capabilities. Hijackers
are incorrect because they must divert communications sessions, but
this capability may be comparatively easy to achieve today when many
subscribers use wireless network access.

732
Q

Which of the following is not commonly detected and reported
by intrusion detection and prevention systems (IDPS)?
a. System scanning attacks
b. Denial-of-service attacks
c. System penetration attacks
d. IP address spoofing attacks

A

D. An attacker can send attack packets using a fake source IP
address but arrange to wiretap the victim’s reply to the fake address.
The attacker can do this without having access to the computer at the
fake address. This manipulation of IP addressing is called IP address
spoofing.
A system scanning attack occurs when an attacker probes a target
network or system by sending different kinds of packets. Denial-of-service attacks attempt to slow or shut down targeted network systems
or services. System penetration attacks involve the unauthorized
acquisition and/or alteration of system privileges, resources, or data.

733
Q

In-band attacks against electronic authentication protocols include which of the following?
a. Password guessing
b. Impersonation
c. Password guessing and replay
d. Impersonation and man-in-the-middle

A

C. In an in-band attack, the attacker assumes the role of a claimant
with a genuine verifier. These include a password guessing attack and
a replay attack. In a password guessing attack, an impostor attempts to
guess a password in repeated logon trials and succeeds when he can
log onto a system. In a replay attack, an attacker records and replays
some part of a previous good protocol run to the verifier. In the verifier
impersonation attack, the attacker impersonates the verifier and
induces the claimant to reveal his secret token. A man-in-the-middle
attack is an attack on the authentication protocol run in which the
attacker positions himself between the claimant and verifier so that he
can intercept and alter data traveling between them.

734
Q

Which of the following access control policies or models provides a straightforward way of granting or denying access for a specified user?
a. Role-based access control (RBAC)
b. Access control lists (ACLs)
c. Mandatory access control (MAC)
d. Discretionary access control (DAC)

A

B. An access control list (ACL) is an object associated with a file
and containing entries specifying the access that individual users or
groups of users have to the file. ACLs provide a straightforward way to
grant or deny access for a specified user or groups of users. Other
choices are not that straightforward in that they use labels, tags, and
roles.

735
Q

What is impersonating a user or system called?
a. Snooping attack
b. Spoofing attack
c. Sniffing attack
d. Spamming attack

A

B. Spoofing is an unauthorized use of legitimate identification and
authentication data such as user IDs and passwords. Intercepted user
names and passwords can be used to impersonate the user on the login
or file transfer server host that the user accesses.
Snooping and sniffing attacks are the same in that sniffing is observing
the packets passing by on the network. Spamming is posting identical
messages to multiple unrelated newsgroups on the Internet or sending
unsolicited e-mail indiscriminately to multiple users.

736
Q
Which one of the following access control policies or models requires security clearances for subjects?
a. Discretionary access control (DAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Access control lists (ACLs)

A

B. A mandatory access control (MAC) restricts access to objects
based on the sensitivity of the information contained in the objects and
the formal authorization (i.e., clearance) of subjects to access
information of such sensitivity.

737
Q

Which of the following is not an example of attacks on data and information?
a. Hidden code
b. Inference
c. Spoofing
d. Traffic analysis

A

C. Spoofing is using various techniques to subvert IP-based access
control by masquerading as another system by using its IP address.
Attacks such as hidden code, inference, and traffic analysis are based
on data and information.

738
Q

Honeypot systems do not contain which of the following?
a. Event triggers
b. Sensitive monitors
c. Sensitive data
d. Event loggers

A

C. The honeypot system is instrumented with sensitive monitors,
event triggers, and event loggers that detect unauthorized accesses and
collect information about the attacker’s activities. These systems are
filled with fabricated data designed to appear valuable.

739
Q

Intrusion detection and prevention systems look at security policy violations:
a. Statically
b. Dynamically
c. Linearly
d. Nonlinearly

A

B. Intrusion detection and prevention systems (IDPS) look for
specific symptoms of intrusions and security policy violations
dynamically. IDPS are analogous to security monitoring cameras.
Vulnerability analysis systems take a static view of symptoms.
Linearly and nonlinearly are not applicable here because they are
mathematical concepts.

740
Q

For biometric accuracy, which of the following defines the point at which the false rejection rates and the false acceptance rates are equal?
a. Type I error
b. Type II error
c. Crossover error rate
d. Type I and II error

A

C. In biometrics, crossover error rate is defined as the point at
which the false rejection rates and the false acceptance rates are equal.
Type I error, called false rejection rate, is incorrect because genuine
users are rejected as impostors. Type II error, called false acceptance
rate, is incorrect because impostors are accepted as genuine users.

741
Q

Which one of the following does not help in preventing fraud?
a. Separation of duties
b. Job enlargement
c. Job rotation
d. Mandatory vacations

A

B. Separation of duties, job rotation, and mandatory vacations are
management controls that can help in preventing fraud. Job
enlargement and job enrichment do not prevent fraud because they are
not controls; their purpose is to expand the scope of an employee’s
work for a better experience and promotion.

742
Q

Access triples used in the implementation of Clark-Wilson security model include which of the following?
a. Policy, procedure, and object
b. Class, domain, and subject
c. Subject, program, and data
d. Level, label, and tag

A

C. The Clark-Wilson model partitions objects into programs and data for each subject forming a subject/program/data access triple. The generic model for the access triples is <subject, rights, object>.

743
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.
Symbolic link (symlink) attacks do not exist on which of the following
operating systems?
a. UNIX
b. Windows
c. LINUX
d. MINIX

A

B. Symbolic links are links on UNIX, MINIX, and LINUX systems
that point from one file to another file. A symlink vulnerability is
exploited by making a symbolic link from a file to which an attacker
does have access to a file to which the attacker does not have access.
Symlinks do not exist on Windows systems, so symlink attacks cannot
be performed against programs or files on those systems. MINIX is a
variation of UNIX and is small in size. A major difference between
MINIX and UNIX is the editor, where the former is faster and the latter
is slower.

744
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Which one of the following is not an authentication mechanism?
a. What the user knows
b. What the user has
c. What the user can do
d. What the user is

A

C. “What the user can do” is defined in access rules or user profiles,
which come after a successful authentication. The other three choices
are part of an authentication process.

745
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Which of the following provides strong authentication for
centralized authentication servers when used with firewalls?
a. User IDs
b. Passwords
c. Tokens
d. Account numbers

A

C. For basic authentication, user IDs, passwords, and account
numbers are used for internal authentication. Centralized
authentication servers such as RADIUS and TACACS/TACACS+ can
be integrated with token-based authentication to enhance firewall
administration security.

746
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Which of the following does not provide robust authentication?
a. Kerberos
b. Secure RPC
c. Reusable passwords
d. Digital certificates

A

C. Robust authentication means strong authentication that should be
required for accessing internal computer systems. Robust
authentication is provided by Kerberos, one-time passwords,
challenge-response exchanges, digital certificates, and secure RPC.
Reusable passwords provide weak authentication.

747
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Which of the following authentication types is most effective?
a. Static authentication
b. Robust authentication
c. Intermittent authentication
d. Continuous authentication

A

D. Continuous authentication protects against impostors (active
attacks) by applying a digital signature algorithm to every bit of data
sent from the claimant to the verifier. Also, continuous authentication
prevents session hijacking. Static authentication uses reusable
passwords, which can be compromised by replay attacks. Robust
authentication includes one-time passwords and digital signatures,
which can be compromised by session hijacking. Intermittent
authentication is not useful because of gaps in user verification.

748
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

What is the basis for a two-factor authentication mechanism?
a. Something you know and a password
b. Something you are and a fingerprint
c. Something you have and a key
d. Something you have and something you know

A

D. A two-factor authentication uses two different kinds of evidence.
For example, a challenge-response token card typically requires both
physical possession of the card (something you have, one factor) and a
PIN (something you know, another factor). The other three choices
have only one factor to authenticate.

749
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Individual accountability does not include which of the
following?
a. Unique identifiers
b. Access rules
c. Audit trails
d. Policies and procedures

A

D. A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards, such as unique (user) identifiers, audit trails, and access authorization rules. Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves, they do not exact individual accountability.

750
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Which of the following user identification and authentication
techniques depend on reference profiles or templates?
a. Memory tokens
b. Smart tokens
c. Cryptography
d. Biometric systems

A

D. Biometric systems require the creation and storage of profiles or
templates of individuals wanting system access. This includes
physiological attributes such as fingerprints, hand geometry, or retina
patterns, or behavioral attributes such as voice patterns and handwritten signatures. Memory tokens and smart tokens involve the creation and distribution of tokens/PINs and data that tell the computer how to recognize valid tokens or PINs. Cryptography requires the generation, distribution, storage, entry, use, and archiving of cryptographic keys.

751
Q

The KPT Company is analyzing authentication alternatives. The
company has 10,000 users in 10 locations with five different databases
of users. The current authentication access controls are a mix of UNIX
and Microsoft related tools. KPT priorities include security, cost,
scalability, and transparency.

Some security authorities believe that re-authentication of every
transaction provides stronger security procedures. Which of the
following security mechanisms is least efficient and least effective
for re-authentication?
a. Recurring passwords
b. Nonrecurring passwords
c. Memory tokens
d. Smart tokens

A

A. Recurring passwords are static passwords with reuse and are
considered to be a relatively weak security mechanism. Users tend to
use easily guessed passwords. Other weaknesses include spoofing
users, users stealing passwords through observing keystrokes, and
users sharing passwords. The unauthorized use of passwords by
outsiders (hackers) or insiders is a primary concern and is considered
the least efficient and least effective security mechanism for re-authentication.
Nonrecurring passwords are incorrect because they provide a strong
form of re-authentication. Examples include a challenge-response
protocol or a dynamic password generator where a unique value is
generated for each session. These values are not repeated and are good
for that session only. Tokens can help in re-authenticating a user or
transaction. Memory tokens store but do not process information.
Smart tokens expand the functionality of a memory token by
incorporating one or more integrated circuits into the token itself. In
other words, smart tokens store and process information. Except for
passwords, all the other methods listed in the question are examples of
advanced authentication methods that can be applied to re-authentication.

752
Q

In electronic authentication, which of the following can be used
to derive, guess, or crack the value of the token secret or spoof the
possession of the token?
a. Private credentials
b. Public credentials
c. Paper credentials
d. Electronic credentials

A

A. A private credential object links a user’s identity to a
representation of the token in a way that the exposure of the credential
to unauthorized parties can lead to any exposure of the token secret. A
private credential can be used to derive, guess, or crack the value of the
token secret or spoof the possession of the token. Therefore, it is
important that the contents of the private credential be kept
confidential (e.g., hashed password values).
Public credentials are shared widely, do not lead to an exposure of the
token secret, and have little or no confidentiality requirements. Paper
credentials are documents that attest to the identity of an individual
(e.g., passports, birth certificates, and employee identity cards) and are
based on written signatures, seals, special papers, and special inks.
Electronic credentials bind an individual’s name to a token with the use
of X.509 certificates and Kerberos tickets.

753
Q

Which of the following pairs of high-level system services
provide controlled access to networks?
a. Access control lists and access privileges
b. Identification and authentication
c. Certification and accreditation
d. Accreditation and assurance

A

B. Controlling access to the network is provided by the network’s
identification and authentication services, which go together. This
service is pivotal in providing controlled access to the resources and
services offered by the network and in verifying that the mechanisms
provide proper protection. Identification is the process that enables
recognition of an entity by a computer system, generally by the use of
unique machine-readable usernames. Authentication is the verification
of the entity’s identification. That is when the host, to whom the entity
must prove his identity, trusts (through an authentication process) that
the entity is who he claims to be. The threat to the network that the
identification and authentication service must protect against is
impersonation.
Access control list (ACL) and access privileges do not provide
controlled access to networks because an ACL is a list of the subjects that
are permitted to access an object and the access rights (privileges) of
each subject. This service comes after initial identification and
authentication service.
Certification and accreditation services do not provide controlled
access to networks because certification is the administrative act of
approving a computer system for use in a particular application.
Accreditation is the management’s formal acceptance of the adequacy
of a computer system’s security. Certification and accreditation are
similar in concept. This service comes after initial identification and
authentication service.
Accreditation and assurance services do not provide controlled access
to networks because accreditation is the management’s formal
acceptance of the adequacy of a computer system’s security. Assurance
is confidence that a computer system design meets its requirements.
Again, this service comes after initial identification and authentication
service.

754
Q

Which of the following is not subjected to impersonation attacks?
a. Packet replay
b. Forgery
c. Relay
d. Interception

A

A. Packet replay is one of the most common security threats to
network systems, similar to impersonation and eavesdropping in terms
of damage, but dissimilar in terms of functions. Packet replay refers to
the recording and retransmission of message packets in the network. It
is a significant threat for programs that require authentication sequences because an intruder could replay legitimate authentication
sequence messages to gain access to a system. Packet replay is
frequently undetectable but can be prevented by using packet
timestamping and packet-sequence counting.
Forgery is incorrect because it is one of the ways an impersonation
attack is achieved. Forgery is attempting to guess or otherwise
fabricate the evidence that the impersonator knows or possesses.
Relay is incorrect because it is one of the ways an impersonation attack
is achieved. Relay is where one can eavesdrop upon another’s
authentication exchange and learn enough to impersonate a user.
Interception is incorrect because it is one of the ways an impersonation
attack is achieved. Interception is where one can slip in between the
communications and “hijack” the communications channel.

755
Q

Which of the following security features is not supported by the principle of least privilege?
a. All or nothing privileges
b. The granularity of privilege
c. The time bounding of privilege
d. Privilege inheritance

A

A. The purpose of a privilege mechanism is to provide a means of
granting specific users or processes the ability to perform security-relevant actions for a limited time and under a restrictive set of
conditions, while still permitting tasks properly authorized by the
system administrator. This is the underlying theme behind the security
principle of least privilege. It does not imply an “all or nothing”
privilege.
The granularity of privilege is incorrect because it is one of the
security features supported by the principle of least privilege. A
privilege mechanism that supports granularity of privilege can enable a
process to override only those security-relevant functions needed to
perform the task. For example, a backup program needs to override
only read restrictions, not the write or execute restriction on files.
The time bounding of privilege is incorrect because it is one of the
security features supported by the principle of least privilege. The time
bounding of privilege is related in that privileges required by an
application or a process can be enabled and disabled as the application
or process needs them.
Privilege inheritance is incorrect because it is one of the security
features supported by the principle of least privilege. Privilege
inheritance enables a process image to request that all, some, or none
of its privileges get passed on to the next process image. For example,
application programs that execute other utility programs need not pass
on any privileges if the utility program does not require them.

755
Q

Passwords are used as a basic mechanism to identify and authenticate a system user. Which of the following password-related factors cannot be tested with automated vulnerability
testing tools?
a. Password length
b. Password lifetime
c. Password secrecy
d. Password storage

A

C. No automated vulnerability-testing tool can ensure that system
users have not disclosed their passwords; thus secrecy cannot be
guaranteed.
Password length can be tested to ensure that short passwords are not
selected. Password lifetime can be tested to ensure that they have a
limited lifetime. Passwords should be changed regularly or whenever
they may have been compromised. Password storage can be tested to
ensure that they are protected to prevent disclosure or unauthorized
modification.

756
Q

Use of login IDs and passwords is the most commonly used mechanism for which of the following?
a. Providing dynamic verification of a user
b. Providing static verification of a user
c. Providing a strong user authentication
d. Batch and online computer systems alike

A

B. By definition, a static verification takes place only once at the
start of each login session. Passwords may or may not be reusable.
Dynamic verification of a user takes place when a person types on a
keyboard and leaves an electronic signature in the form of keystroke
latencies in the elapsed time between keystrokes. For well-known,
regular type strings, this signature can be quite consistent. Here is how
a dynamic verification mechanism works: When a person wants to
access a computer resource, he is required to identify himself by typing
his name. The latency vector of the keystrokes of this name is
compared with the reference signature stored in the computer. If this
claimant’s latency vector and the reference signature are statistically
similar, the user is granted access to the system. The user is asked to
type his name a number of times to provide a vector of mean latencies
to be used as a reference. This can be viewed as an electronic signature
of the user.
Passwords do not provide a strong user authentication. If they did,
there would not be a hacker problem today. Passwords provide the
weakest user authentication due to their sharing and guessable nature.
Only online systems require a user ID and password from a user due to
their interactive nature. Only batch jobs and files require a user ID and
password when submitting a job or modifying a file. Batch systems are
not interactive.

757
Q

Which of the following password selection procedures would be the most difficult to remember?
a. Reverse or rearrange the characters in the user’s birthday
b. Reverse or rearrange the characters in the user’s annual salary
c. Reverse or rearrange the characters in the user’s spouse’s name
d. Use randomly generated characters

A

D. Password selection is a difficult task to balance between
password effectiveness and its remembrance by the user. The selected
password should be simple to remember for oneself and difficult for
others to know. It is no advantage to have a scientifically generated
password if the user cannot remember it. Using randomly generated
characters as a password is not only difficult to remember but also easy
to publicize. Users will be tempted to write them down in a
conspicuous place if the password is difficult to remember.
The approaches in the other three choices would be relatively easy to
remember due to the user familiarity with the password origin. A
simple procedure is to use well-known personal information that is
rearranged.

758
Q

How many SOC reports are there?
1, 2 or 3

A

3

759
Q

Which SOC report is for financial reporting?
SOC1
SOC2
SOC3

A

SOC1

760
Q

Which SOC report is for operations compliance?

SOC1
SOC2
SOC3

A

SOC2

761
Q

This SOC report is a snapshot.

SOCT1
SOCT2
SOCT3

A

SOCT1

762
Q

This SOC report is a period of time.

SOCT1
SOCT2
SOCT3

A

SOCT2

763
Q

This SOC report is for a public audience.

SOCT1
SOCT2
SOCT3

A

SOCT3

764
Q

Spell out the OSI layers from bottom to top

A

Physical
Data link
Network
Transport
Session
Presentation
Application

765
Q

This OSI layer concerns itself with the physical and electrical connections the system uses. It includes:
Wireless frequency links, like Wi-Fi and wireless network connections
Network cabling
Light-speed transmission, such as fiber-optic cabling
The physical specifications for data transmission, including voltages and pin layouts

1
2
3
4
5
6
7

A

1 Physical

766
Q

This OSI layer concerns communication between two devices that are directly connected to each other in the same network. It’s responsible for establishing a link that allows data to be exchanged using an agreed protocol. Many network switches operate at this layer. This layer will eventually pass bits to the physical layer.
1
2
3
4
5
6
7

A

2 Data Link

767
Q

This OSI layer provides higher-level abstractions for coordinating data transfers between devices. Transport controllers determine where data will be sent and the rate it should be transferred at. In this layer is where TCP and UDP are implemented, providing the port numbers that allow devices to expose multiple communication channels. Load balancing is often situated at this layer as a result, allowing traffic to be routed between ports on a target device.
Transport mechanisms are expected to guarantee successful communication. Stringent error controls are applied to recover from packet loss and retry failed transfers. Flow control is enforced so the sender doesn’t overwhelm the remote device by sending data more quickly than the available bandwidth permits.

1
2
3
4
5
6
7

A

4 Transport

768
Q

This OSI layer creates ongoing communication sessions between two devices. Sessions are used to negotiate new connections, agree on their duration, and gracefully close down the connection once the data exchange is complete. This layer ensures that sessions remain open long enough to transfer all the data that’s being sent.

Checkpoint control is another responsibility held by this layer. Sessions can define checkpoints to facilitate progress updates and resumable transmissions. A new checkpoint could be set every few megabytes for a file upload, allowing the sender to continue from a particular point if the transfer gets interrupted.

1
2
3
4
5
6
7

A

5 Session

769
Q

This OSI layer handles preparation of data for the application layer that comes next in the model. After data has made it up from the hardware, through the data link, and across the transport, it’s almost ready to be consumed by high-level components. Decryption, decoding, and decompression are three common operations found at this level. This layer processes received data into formats that can eventually be utilized by a client application. Similarly, outward-bound data is reformatted into compressed and encrypted structures that are suitable for network transmission. TLS is one major technology that’s part of the presentation layer. Certificate verification and data decryption are handled before requests reach the network client, allowing information to be consumed with confidence that it’s authentic.

1
2
3
4
5
6
7

A

6 Presentation

770
Q

This OSI layer is the top of the stack. It represents the functionality that’s perceived by network end users. Applications in the OSI model provide a convenient end-to-end interface to facilitate complete data transfers, without making you think about hardware, data links, sessions, and compression. HTTP, FTP, DHCP, DNS, and SSH all exist at this layer. These are high-level mechanisms which permit direct transfers of user data between an origin device and a remote server. You only need minimal knowledge of the workings of the other layers.

1
2
3
4
5
6
7

A

7 Application

771
Q

For Forensics “I prefer counting euros as prime dollar”

A

(I prefer counting euros as prime dollar)
Forensic Investigation Process
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision

773
Q

Software Development Life Cycle “Re Do Damn Test Right”

A

(Re Do Damn Test Right)
Software Development Life Cycle

  1. Requirements gathering
  2. Design
  3. Develop
  4. Test
  5. Release

774
Q

Business Continuity Plan “I believe people retain concepts through memory”

A

Business Continuity Plan (BCP)
(I believe people retain concepts through memory)

  1. Initiation
  2. BIA (Impact)
  3. Preventative
  4. Recovery
  5. Continuity
  6. Test
  7. Manage/Maintain

775
Q

Some common frameworks are:

ISO 27001– information security management system, which focuses on governance.

ISO 27002– security controls, techniques, and methods.

ITIL – how IT can serve business functions – remember it by thinking “I TILt it this way, or that way” for the business.

NIST Special Publications (risk management frameworks), such as 800-53, which is a set of security controls, and 800-37, which is the risk management framework.

CSA STAR is from the Cloud Security Alliance, which publishes standards for cloud security. Of interest are:

Tier 1, in which participants self-assess by filling out a questionnaire,
Tier 2 is a third party assessment, and
Tier 3 (still in draft) is continuous monitoring by a certified independent organization.
HITRUST is a collection of frameworks compiled into a single resource with the objective to normalize the different sets of security requirements into a single trusted certification/assessment.

Privacy Management Framework (PMF) was created as a revision to the 2009 Generally Accepted Privacy Principles (GAPP) by the AICPA. It incorporates local information and data privacy laws and standards, including GDPR, and updates to the AICPA’s Trust Services Criteria (TSC).

SWIFT is a security control framework for financial and payment card system builders. PCI is for payment card processors only, whereas SWIFT has a much broader scope. https://www.swift.com/about-us

A
776
Q

Candidates must be aware of the difference between policies, standards, procedures, and guidelines.

Guidelines – can guide policy and any of the items below, and contain recommendations and suggestions, but they are not required. Within the hierarchy, they can be above, between, or beside the primary ladder presented here:

Policy – should have the following components:

High level overview of security strategy or goals
Contains data classifications (confidential, sensitive, etc.)
Type of access management (whether role-based, etc.)
Expected user behavior with the entity’s IT systems and data
High level personnel security practices, such as background checks
A common policy creation process is where it is written by subject matter experts (SMEs), shared with impacted parties for edits, and then approved by senior management
Guidelines – can guide standards as well, but they are not required.

Standard – should have the following elements:

Can come from statutory/administrative law, professional organizations, or industry groups
Describes settings, expectations of performance, configurations, specific requirements
Guidelines – can guide procedures as well.

Procedures – contain specific, repeatable steps; very task-oriented. It’s essential that staff can locate and execute procedures (and they must be detailed enough to carry out the tasks).

Candidates also need to be aware of the breadth vs. depth concept. This refers to a concept related to the scope of policy versus the detail of procedures, and the span of detail needed to go from one to the other. As you can see above, ISC2’s new framework on this indicates that guidelines can literally fall anywhere in this hierarchy, including formation of policy, but the general hierarchy is still that policy has the most breadth, and procedures have the least (but have more depth) since they are more specific.

A
777
Q

Risk analysis can be done in two ways, qualitative and quantitative:

Qualitative – is opinion based and more of a narrative discussion. A lot of organizations try to pretend they are using quantitative methods when in fact they are using qualitative methods. The solution is to use the factor analysis of information risk (FAIR) method, which is a simple way of keeping analyses quantitative.
Quantitative – is numeric and value based; this is the preferred method because it is more objective.
Simulations are a way to get numbers and samples in order to be quantitative. Some examples are penetration testing, desk checks, fuzz testing, and walkthroughs.

A
778
Q

Regulatory standards – these are requirements created by government bodies that are overseen by regulators (typically the government body that established the regulation), and are enforced with punitive measures, typically fines, court orders, or imprisonment. They usually have the word “Act” or “Law” in them. Examples include:

Privacy Act
Sarbanes Oxley Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Federal Information Systems Management Act

A
779
Q

Wassenaar Agreement

A

Trans border protection deal

780
Q

DRM is a concept that candidates need to be familiar with. Here are the elements of a DRM solution:

Persistency – Access controls follow the material wherever it goes. The best example of this is a DVD that carries its encryption wherever it goes.

Dynamic policy control – This refers to centralized permissions management typically for an organization that needs to allow the owner of the intellectual property to manage and update rights to access the data.

Automatic expiration – License can expire automatically on a specific date, whether for a specific installation or at a point in time where the software becomes public domain.

Continuous audit trail – Captures all activity on the material: views, access, modification, copying, etc.

Interoperability – This concept refers to the solution fitting into any environment: Windows, Linux, email, file structure, or access control methods.

A
781
Q

There are also several types of NDAs to be aware of for the exam. These are:

Unilateral NDA. This is basically a one-way disclosure, meaning that one company is disclosing something, for example a flat file that’s sent to another organization for its own contracted use.
Multilateral NDA is where you have three or more exchanges happening.
Non-compete agreement (NCA) is basically an agreement where the subject party says that they won’t use your stuff to become your competition.

A
782
Q

Once contingency procedures have brought the critical functions back, disaster recovery would be initiated, which represents the efforts needed to transition from contingency operations to normal operations. Here is a breakdown of the order:

Business continuity – mission critical
Contingency operations
Disaster Recovery
The acronym “BCDR” is frequently used for business continuity and disaster recovery; however, you can also use the acronym to visualize the order in which recovery procedures should be done at a high level.

BC and DR efforts are often performed concurrently by the same or related functions in the organization.

A plan should be developed either for BC and DR separately, or together as a BCDR plan.

Recovery Objectives

Recovery objectives need to be determined by senior management. Here are the terms to be familiar with:

Maximum allowable outage (MAO) – previously known as MTD and MAD, this is the maximum time operations can be down before business goes under.

Recovery point objective (RPO) – the maximum data that can be lost before a business goes under (measured in time).

Recovery Time Objective (RTO) – the preferred amount of time business operations can be down (the key word here is goal).

A
783
Q

What is an asset? An asset is anything that’s valuable, but usually this means:

Data (such as PII)
Software
IT components
Intellectual property
Brand
Reputation
Real estate/facilities
Resources are another term for asset. Assets and resources are valued in two ways:

Qualitative – characterized in a “classification” such as confidential, proprietary
Quantitative – value is shown monetarily

A
784
Q

The asset classification process consists of five steps:

Create an Asset Inventory
Assign Ownership
Classify (Based on Value)
Protect (Based on Classification)
Assess and Review
To memorize the asset classification process, think of CACPA that rhymes with “Cat Paw.”

There is an asset protection process that is similar but consists of three simpler steps:

Identify, locate, and Value
Classify (based on value)
Protect (based on classification)

A
786
Q

IT asset management lifecycle – the mnemonic is “PAADMR” (bear with me, I’ll explain). Try to think of this “lifecycle” as a process instead, because it’ll be easier to differentiate it from the other “lifecycles” presented here.

Planning is where you would identify the assets, put a value on them, and put them in the inventory.

Assigning the security needs, this is where you would classify and categorize the assets. This step likely includes assigning the protection levels or baselines if they exist.

Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.

Deployment refers to deploying the assets and conducting training for all levels of users and support functions

Managing refers to the ongoing and continuous security assessment of the assets. This step includes backup and recovery activities.

Retiring – obviously this step includes disposal.

A
787
Q

Now on to the Data Security Lifecycle. This concept was rebranded and moved from Domain 7, so you may recognize it:

Create – obviously refers to creation or collection of the data. This might also be where we classify and value the data, and again, try to read between the lines with some of this stuff, this could be the step where we assign security requirements but not implement them just yet.
Store – where to put the data as it is created/collected. This could be where we apply the protection levels (note: applying protections is different than “assigning” them). ISC2 says that the storage step is often done at the same time as the creation step.
Use – processing of the data; using internally. It is typically unencrypted while “in process”.
Share – sending the data outside to third parties; includes selling, publishing, data exchange agreements, etc. The common body of knowledge talks about having a digital rights management solution in place to control the flow of data, and a data loss prevention solution in place to detect information leakage.
Archive – long term storage. This is when it’s not regularly used, or basically when the data leaves active use. This is where things like the age of technology come into play, along with EOL, EOS, which need to be considered in terms of the data’s availability. As always, protection levels at this phase depend on classification.
Destruction – permanent destruction of the data. The method of disposal depends on the data’s classification.

A
788
Q

Remember that if something is encrypted with a private key, the corresponding public key (which is publicly available) is the only thing that can decrypt the data.

A
789
Q

When the model is “no read up” it always refers to Bell-LaPadula, thus the correct answer is the Simple Security property of the Bell-LaPadula model. Clark-Wilson and Biba are concerned with integrity because they have an “I” in the word (memorization trick).

A
790
Q

The difference between a one-time-passcode and a one-time-pad is:

The passcode is used to mask the contents, the pad is used to encrypt the contents
The key is used to encrypt the pad, the pad is used to mask the passcode
The pad is used to encrypt contents, the passcode is used to control access
The passcode is used to encrypt the key, and the pad is used to access the key

A

The pad is used to encrypt contents, the passcode is used to control access

791
Q

While designing a system, the development team tells you that due to the sensitive nature of the data that will be transmitted, encryption will be needed between the client and the host. What is the best advice for the development team?

Seek management advice on what encryption tools are available
Link encryption is a possibility
End-to-end encryption is a possibility
Ensure that key management takes priority

A

End-to-end encryption is a possibility

793
Q

Restricting traffic disclosure in a star topology by utilizing smart port management might be an example of:

A standard
A procedure
A guideline
A policy

A

A standard

794
Q

A development team is creating a mobile health application that will require a fingerprint followed by facial recognition for authentication into the user’s health records. If authorization is obtained by an identity provider with a token to access the application’s download page, what best describes the application’s authentication?

Multi-factor
Single factor
Level 3 Identity Assurance
Two-step verification

A

Single factor

If the application itself authenticates users using biometrics only (something you are), it’s considered single factor.

795
Q

An internal document that details your organization’s incident response process has the following: triage, intake, declaration, investigation, return-to-operational-state, root-cause analysis, root-cause resolution, and lessons-learned discussion. Intake most likely refers to which of the following phases in the ISO/IEC 27035, Information Security Incident Management standard?

Analysis
Response
Assessment and Decision
Detection and Reporting

A

Response

Detection and Reporting is the correct choice in this scenario because that is where the intake of complaints and suspicious events would occur.
Assessment and Decision would not be the right choice because this is where analysis and evaluation of evidence occurs (from an incident already reported).
Response would not be the right choice because this is where Containment, Eradication and Recovery occur.
Analysis would not be the right choice because this is a distractor.

796
Q

Your organization uses a reverse proxy transport layer security (TLS) accelerator to handle the TLS handshake for its clients. The TLS acceleration card operates across which layers?

Physical and Datalink
Network and Transport
Physical through Layer 6
Layers 2 and 3

A

Physical and Datalink

The key term is “card”. The card has both a physical “bit pushing” and a datalink component.

797
Q

Performing a delete operation against a file, files, or media.

Purging
Clearing
Erasing
Degaussing
Destruction

A

Erasing

798
Q

Preparing media for reuse and ensuring data cannot be recovered using traditional recovery tools

Purging
Clearing
Erasing
Degaussing
Destruction

A

Clearing

799
Q

A more intense form of clearing that prepares media for reuse in less secure environments

Purging
Clearing
Erasing
Degaussing
Destruction

A

Purging

800
Q

Creates a strong magnetic field that erases data on some media

Purging
Clearing
Erasing
Degaussing
Destruction

A

Degaussing

801
Q

The final stage in the lifecycle of media and is the most secure method of sanitizing media

Purging
Clearing
Erasing
Degaussing
Destruction

A

Destruction

802
Q

The four levels of data classification

Class 0 Public
Class 1 Confidential or Sensitive
Class 2 Secret and Private
Class 3 Top Secret or Confidential /Proprietary

A
803
Q

In the government data classification “Exceptionally Grave”

Top Secret
Secret
Confidential
Unclassified

A

Top Secret

804
Q

In the government data classification “Serious Damage”

Top Secret
Secret
Confidential
Unclassified

A

Secret

805
Q

In the government data classification “No Damage”

Top Secret
Secret
Confidential
Unclassified

A

Unclassified

807
Q

In non-government data classification “Exceptionally Grave”

Confidential/Proprietary
Private
Sensitive
Public

A

Confidential/Proprietary

808
Q

In non-government data classification “Serious Damage”

Confidential/Proprietary
Private
Sensitive
Public

A

Private

809
Q

In non-government data classification “Damage”

Confidential/Proprietary
Private
Sensitive
Public

A

Sensitive

810
Q

In non-government data classification “No Damage”

Confidential/Proprietary
Private
Sensitive
Public

A

Public

811
Q

Usually a member of senior management. Can delegate some day-to-day duties. Cannot delegate total responsibility.

Data Custodian
Data Owner

A

Data Owner

812
Q

Usually a member of senior management. Can delegate some day-to-day duties. Cannot delegate total responsibility.

Data Owner
Data Custodian

A

Data Owner

813
Q

Usually someone in the IT department. Does not decide what controls are needed but does implement controls for the data owner.

Data Owner
Data Custodian

A

Data Custodian

814
Q

Usually someone in the IT department. Does not decide what controls are needed but does implement controls for the data owner.

Data Custodian
Data Owner

A

Data Custodian

815
Q

Responsible for granting appropriate access to personnel often via RBAC

Data Admins
User
Business/Mission Owners
Asset Owners

A

Data Admins

816
Q

Any person who accesses data via a computing system to accomplish work tasks.

Data Admins
User
Business/Mission Owners
Asset Owners

A

User

817
Q

Can overlap with the responsibilities of the system owner or be the same role.

Data Admins
User
Business/Mission Owners
Asset Owners

A

Business/Mission Owners

819
Q

Owns asset or system that processes sensitive data and associated security plans

Data Admins
User
Business/Mission Owners
Asset Owners

A

Asset Owners

820
Q

A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller

Data Transfer
Data Controller
Data Processor

A

Data Processor

821
Q

The person or entity that controls processing of the data

Data Transfer
Data Controller
Data Processor

A

Data Controller

822
Q

GDPR restricts data transfers to countries outside the EU.

Data Transfer
Data Controller
Data Processor

A

Data Transfer

823
Q

GDPR language – The process of removing all relevant data so that it is impossible to identify the original subject or person; if done effectively, GDPR is no longer relevant for the __________ data

Anonymization
Pseudonymization

A

Anonymization

824
Q

GDPR language – The process of using aliases to represent data.

Anonymization
Pseudonymization

A

Pseudonymization

825
Q

Which of the following provides the best protection against the loss of confidentiality for sensitive data?

A. Data labels
B. Data classifications
C. Data handling
D. Data degaussing methods

A

Data classifications provide strong protection against the loss of confidentiality and are the best choice of the available answers. Data labels and proper data handling are based on first identifying data classifications. Data degaussing methods apply only to magnetic media.

826
Q

Administrators regularly back up data on all the servers within your organization. They annotate an archive copy with the server it came from and the date it was created, and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered some archive tapes are missing, and these tapes probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security?

A. Mark the media kept off site.
B. Don’t store data off site.
C. Destroy the backups off site.
D. Use a secure off-site storage facility.

A

D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won’t protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite or offsite backups are destroyed, security is sacrificed by risking availability.

827
Q

Administrators have been using tapes to back up servers in your organization. However, the organization is converting to a different backup system, storing backups on disk drives. What is the final stage in the lifecycle of tapes used as backup media?

A. Degaussing
B. Destruction
C. Declassification
D. Retention

A

B. Destruction is the final stage in the lifecycle of backup media. Because the backup method is no longer using tapes, they should be destroyed. Degaussing and declassifying the tape is done if you plan to reuse it. Retention implies you plan to keep the media, but retention is not needed at the end of its lifecycle.

828
Q

You are updating your organization’s data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data?

A. Controller
B. Custodian
C. Owner
D. User

A

C. The data owner is the person responsible for classifying data. A data controller decides what data to process and directs the data processor to process the data. A data custodian protects the integrity and security of the data by performing day-to-day maintenance. Users simply access the data.

829
Q

You are tasked with updating your organization’s data policy, and you need to identify the responsibilities of different roles. Which data role is responsible for implementing the protections defined by the security policy?

A. Data custodian
B. Data user
C. Data processor
D. Data controller

A

A. The data custodian is responsible for the tasks of implementing the protections defined by the security policy and senior management. A data controller decides what data to process and how. Data users are not responsible for implementing the security policy protections. A data processor controls the processing of data and only does what the data controller tells them to do with the data.

830
Q

A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You’re hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability?

A. Anonymization
B. Pseudonymization
C. Move the company location
D. Collection limitation

A

D. The company can implement a data collection policy of minimization to minimize the amount of data they collect and store. If they are selling digital products, they don’t need the physical address. If they are reselling products to the same customers, they can use tokenization to save tokens that match the credit card data, instead of saving and storing credit card data. Anonymization techniques remove all personal data and make the data unusable for reuse on the website. Pseudonymization replaces data with pseudonyms. Although the process can be reversed, it is not necessary.

831
Q

You are performing an annual review of your company’s data policy, and you come across some confusing statements related to security labeling. Which of the following could you insert to describe security labeling accurately?

A. Security labeling is only required on digital media.
B. Security labeling identifies the classification of data.
C. Security labeling is only required for hardware assets.
D. Security labeling is never used for non sensitive data.

A

B. Security labeling identifies the classification of data such as sensitive, secret, and so on. Media holding sensitive data should be labeled. Similarly, systems that hold or process sensitive data should also be marked. Many organizations require the labeling of all systems and media, including those that hold or process non sensitive data.

832
Q

A database file includes personally identifiable information (PII) on several individuals, including Karen C. Park. Which of the following is the best identifier for the record on Karen C. Park?

A. Data controller
B. Data subject
C. Data processor
D. Data subject

A

B. A data subject is a person who can be identified by an identifier such as a name, identification number, or other PII. All of these answers refer to the General Data Protection Regulation (GDPR). A data owner owns the data and has ultimate responsibility for protecting it. A data controller decides what data to process and how it should be processed. A data processor processes the data for the data controller.

833
Q

Administrators regularly back up all the email servers within your company, and they routinely purge on-site emails older than six months to comply with the organization’s security policy. They keep a copy of the backups on site and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following choices, what policy was ignored and allowed this data breach?

A. Media destruction
B. Record retention
C. Configuration management
D. Versioning

A

B. Personnel did not follow the record retention policy for the backups sent to the warehouse. The scenario states that administrators purge onsite emails older than six months to comply with the organization’s security policy, but the leak was from emails sent over three years ago. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning applies to applications, not backup tapes.

834
Q

An executive is reviewing governance and compliance issues and ensuring the security or data policy addresses them. Which of the following security controls is most likely driven by a legal requirement?

A. Data remanence
B. Record destruction
C. Data user role
D. Data retention

A

D. Record retention policies define the amount of time to keep data, and laws or regulations often drive these policies. Data remanence is data remnants on media, and proper data destruction procedures remove data remnants. Laws and regulations do outline requirements for some data roles, but they don’t specify requirements for the data user role.

835
Q

Your organization is donating several computers to a local school. Some of these computers include solid-state drives (SSDs). Which of the following choices is the most reliable method of destroying data on these SSDs?

A. Erasing
B. Degaussing
C. Deleting
D. Purging

A

D. Purging is the most reliable method among the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. It ensures there isn’t any data remanence. Erasing or deleting processes rarely remove the data from media but instead mark it for deletion. Solid-state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn’t destroy data.

836
Q

A technician is about to remove disk drives from several computers. His supervisor told him to ensure that the disk drives do not hold any sensitive data. Which of the following methods will meet the supervisor’s requirements?

A. Overwriting the disks multiple times
B. Formatting the disks
C. Degaussing the disks
D. Defragmenting the disks

A

A. Overwriting the disks multiple times will remove all existing data. This is called purging, and purged media can then be used again. Formatting the disks isn’t secure because it doesn’t typically remove the previously stored data. Degaussing the disks often damages the electronics but doesn’t reliably remove the data. Defragmenting a disk optimizes it, but it doesn’t remove data.

837
Q

The IT department is updating the budget for the following year, and they want to include enough money for a hardware refresh for some older systems. Unfortunately, there is a limited budget. Which of the following should be a top priority?

A. Systems with an end-of-life (EOL) date that occurs in the following year
B. Systems used for data loss prevention
C. Systems used to process sensitive data
D. Systems with an end-of-support (EOS) date that occurs in the following year

A

D. Systems with an EOS date that occurs in the following year should be a top priority for replacement. The EOS date is the date that the vendor will stop supporting a product. The EOL date is the date that a vendor stops offering a product for sale, but the vendor continues to support the product until the EOS date. Systems used for data loss prevention or to process sensitive data can remain in service.

838
Q

Developers created an application that routinely processes sensitive data. The data is encrypted and stored in a database. When the application processes the data, it retrieves it from the database, decrypts it for use, and stores it in memory. Which of the following methods can protect the data in memory after the application uses it?

A. Encrypt it with asymmetric encryption.
B. Encrypt it in the database.
C. Implement data loss prevention.
D. Purge memory buffers

A

D. Purging memory buffers removes all remnants of data after a program has used it. Asymmetric encryption (along with symmetric encryption) protects data in transit. The data is already encrypted and stored in the database. The scenario doesn’t indicate that the program modified the data, so there’s no need to overwrite the existing data in the database. Data loss prevention methods prevent unauthorized data loss but do not protect data in use.
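
Purging a memory buffer after use, as an added example (not code from the flashcards): the secret is held in a mutable bytearray so that it can be overwritten in place once the application is done with it, and the wipe runs in a finally block so it happens on every exit path. The key and record are constructed values.

```python
import ctypes
import hashlib
import hmac


def zeroize(buf: bytearray) -> None:
    """Overwrite a mutable buffer with zeros, in place.

    ctypes.memset writes through the bytearray's real address, so the secret
    is gone the moment this returns, not whenever the garbage collector
    happens to free the object.
    """
    n = len(buf)
    if n:
        ctypes.memset((ctypes.c_char * n).from_buffer(buf), 0, n)


def sign_record(key: bytearray, record: bytes) -> str:
    """Use the key, then purge it before control returns to the caller.

    The key is a bytearray on purpose: a bytes or str object is immutable, so
    it cannot be wiped and lingers in memory until it is freed and reused.
    hmac.new accepts a bytearray key directly, so no immutable copy is made
    here.
    """
    try:
        return hmac.new(key, record, hashlib.sha256).hexdigest()
    finally:
        zeroize(key)


def is_zeroed(buf: bytearray) -> bool:
    return not any(buf)


def demo() -> tuple:
    """Constructed sample: the key below is not a real secret."""
    key = bytearray(b"constructed-example-key-not-a-real-secret")
    tag = sign_record(key, b"patient=42;diagnosis=confidential")
    return tag, is_zeroed(key)
```

The caveat a practitioner should keep in mind: a managed runtime can still make copies you do not control (interpreter temporaries, the HMAC implementation's own key schedule), so this reduces data remanence in memory rather than guaranteeing none; the same idea in C is an explicit_bzero or memset_s call that the compiler is not allowed to optimize away.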

839
Q

Your organization’s security policy mandates the use of symmetric encryption for sensitive data stored on servers. Which one of the following guidelines are they implementing?

A. Protecting data at rest
B. Protecting data in transit
C. Protecting data in use
D. Protecting the data lifecycle

A

A. Symmetric encryption methods protect data at rest, and data at rest is any data stored on media, such as a server. Data in transit is data transferred between two systems. Data in use is data in memory that is used by an application. Steps are taken to protect data from the time it is created to the time it is destroyed, but this question isn't related to the data lifecycle.

840
Q

An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called?

A. Tokenization
B. Scoping
C. Standards selection
D. Imaging

A

B. Scoping is a part of the tailoring process and refers to reviewing a list of security controls and selecting the security controls that apply. Tokenization is the use of a token, such as a random string of characters, to replace other data and is unrelated to this question. Note that scoping focuses on the security of the system and tailoring ensures that the selected controls align with the organization's mission. If the database server needs to comply with external entities, it's appropriate to select a standard baseline provided by that entity. Imaging is done to deploy an identical configuration to multiple systems, but this is typically done after identifying security controls.

841
Q

An organization is planning to deploy an e-commerce site hosted on a web farm. IT administrators have identified a list of security controls they say will provide the best protection for this project. Management is now reviewing the list and removing any security controls that do not align with the organization’s mission. What is this called?

A. Tailoring
B. Sanitizing
C. Asset classification
D. Minimization

A

A. Tailoring refers to modifying a list of security controls to align with the organization’s mission. The IT administrators identified a list of security controls to protect the web farm during the scoping steps. Sanitization methods (such as clearing, purging, and destroying) help ensure that data cannot be recovered and is unrelated to this question. Asset classification identifies the classification of assets based on the classification of data the assets hold or process. Minimization refers to data collection. Organizations should collect and maintain only the data they need.

842
Q

An organization is planning to use a cloud provider to store some data. Management wants to ensure that all data-based security policies implemented in the organization’s internal network can also be implemented in the cloud. Which of the following will support this goal?

A. CASB
B. DLP
C. DRM
D. EOL

A

A. A cloud access security broker (CASB) is software placed logically between users and cloud-based resources, and it can enforce security policies used in an internal network. Data loss prevention (DLP) systems attempt to detect and block data exfiltration. CASB systems typically include DLP capabilities. Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. End-of-life (EOL) is generally a marketing term and indicates when a company stops selling a product.

843
Q

Management is concerned that users may be inadvertently transmitting sensitive data outside the organization. They want to implement a method to detect and prevent this from happening. Which of the following can detect outgoing, sensitive data based on specific data patterns and is the best choice to meet these requirements?

A. Antimalware software
B. Data loss prevention systems
C. Security information and event management systems
D. Intrusion prevention systems

A

B. Network-based data loss prevention (DLP) systems can scan outgoing data and look for specific keywords and/or data patterns. DLP systems can block these outgoing transmissions. Antimalware software detects malware. Security information and event management (SIEM) provides real-time analysis of events occurring on systems throughout an organization but doesn’t necessarily scan outgoing traffic. Intrusion prevention systems (IPSs) scan incoming traffic to prevent unauthorized intrusions.
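
The pattern-based detection that a network DLP system performs on outgoing traffic, as an added example (not code from the flashcards or from any DLP product): each outbound message is checked against a card-number pattern (validated with the Luhn checksum to cut false positives), an SSN pattern and a classification-keyword list, and anything with a finding is blocked. The messages, patterns and keyword list are constructed for the demo.

```python
import re

# Constructed outbound messages for the demo (no real data).
SAMPLE_OUTBOUND = [
    "Subject: lunch? Body: see you at noon",
    "Subject: invoice Body: card 4111 1111 1111 1111 exp 12/27",
    "Subject: onboarding Body: SSN 123-45-6789 for the new hire",
    "Subject: order Body: ref 4111 1111 1111 1112 is the tracking id",
    "Subject: report Body: CONFIDENTIAL - do not forward",
]

# Candidate patterns.  The card pattern is deliberately loose (13-19 digits
# with optional separators) and relies on the Luhn check to reject numbers
# that merely look like cards; the SSN pattern rejects area/group/serial
# values that are never issued.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
KEYWORD_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(message: str) -> list:
    """Return (rule, matched_text) findings for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(message):
        findings.append(("ssn", m.group()))
    for m in KEYWORD_RE.finditer(message):
        findings.append(("keyword", m.group()))
    return findings


def filter_outbound(messages: list) -> tuple:
    """Split messages into those allowed out and those blocked, with reasons."""
    allowed, blocked = [], []
    for i, msg in enumerate(messages):
        hits = scan(msg)
        if hits:
            blocked.append((i, hits))
        else:
            allowed.append(msg)
    return allowed, blocked
```

The fourth sample message is the interesting one: it matches the card regex but fails Luhn, so a pattern-only rule would have blocked a harmless tracking number. Real DLP engines add the same kind of validator per data type, plus context rules (proximity keywords such as "exp" or "SSN"), to keep the false-positive rate down.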

844
Q

A software developer created an application and wants to protect it with DRM technologies. Which of the following is she most likely to include?
(Choose three.)

A. Virtual licensing
B. Persistent online authentication
C. Automatic expiration
D. Continuous audit trail

A

B, C, D. Persistent online authentication, automatic expiration, and a continuous audit trail are all methods used with digital rights management (DRM) technologies. Virtual licensing isn't a valid term within DRM.

845
Q

A company outsources payroll services to a third-party company. Which of the following roles most likely applies to the third-party payroll company?

A. Data controller
B. Data handler
C. Data owner
D. Data processor

A

D. A third-party payroll company is a data processor: it processes personal data on behalf of the controller. Incorrect answers and explanations: Answers A, B, and C are incorrect. A data controller is someone who creates PII, such as an HR department. "Data handler" is not a formal term and is a distractor answer. A data owner is a management employee responsible for assuring that specific data is protected.

846
Q

Which managerial role is responsible for the actual computers that house data, including the security of hardware and software configurations?

A. Custodian
B. Data owner
C. Mission owner
D. System owner

A

D. A system owner is responsible for the actual computers that house data, including the security of hardware and software configurations.
Incorrect answers and explanations: Answers A, B, and C are incorrect.
A custodian is a nonmanager who provides hands-on protection of assets. A data owner is a manager responsible for assuring that specific data is protected. A mission owner is a member of senior management who creates the information security program and ensures that it is properly staffed and funded and has the appropriate organizational priority.

847
Q

What method destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field?

A. Bit-level overwrite
B. Degaussing
C. Destruction
D. Shredding

A

B. Degaussing destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field. Incorrect answers and explanations: Answers A, C, and D are incorrect. A bit-level overwrite removes data by overwriting every sector of a disk. Destruction physically destroys data; for example, via incineration. Shredding electronic data involves overwriting a file's contents before deleting the file.

848
Q

What type of relatively expensive and fast memory uses small latches called “flip-flops” to store bits?

A. DRAM
B. EPROM
C. SRAM
D. SSD

A

C. SRAM is relatively expensive and fast memory that uses small latches called "flip-flops" to store bits. Incorrect answers and explanations: Answers A, B, and D are incorrect. DRAM is relatively inexpensive memory that uses capacitors. EPROM may be erased with ultraviolet light. An SSD is a combination of DRAM and EEPROM.

849
Q

What type of memory stores bits in small capacitors (like small batteries)?

A. DRAM
B. EPROM
C. SRAM
D. SSD

A

A. DRAM stores bits in small capacitors (like small batteries).
Incorrect answers and explanations: Answers B, C, and D are incorrect.
EPROM may be erased with ultraviolet light. SRAM is relatively expensive and fast memory that uses small latches called "flip-flops" to store bits. An SSD is a combination of DRAM and EEPROM.

850
Q

The International Common Criteria is an internationally agreed-upon standard for describing and testing the security of information technology (IT) products. It presents a hierarchy of requirements for a range of classifications and systems.

The Common Criteria uses specific terms when defining specific portions of the testing process.
* Target of evaluation (ToE): The system or product that is being evaluated
* Security target: The documentation describing the ToE, including the security requirements and operational environment
* Protection profile: An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
* Evaluation assurance level (EAL): The evaluation score of the tested product or system

A
851
Q

In the Common Criteria, the system or product that is being evaluated

Target of evaluation
Security target
Protection profile
Evaluation assurance level (EAL)

A

Target of evaluation (ToE)

852
Q

In the Common Criteria, the documentation describing the ToE, including the security requirements and operational environment

Target of evaluation
Security target
Protection profile
Evaluation assurance level (EAL)

A

Security target

853
Q

In the Common Criteria, "An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems"

Target of evaluation
Security target
Protection profile
Evaluation assurance level (EAL)

A

Protection profile

854
Q

In the Common Criteria, "The evaluation score of the tested product or system"

Target of evaluation
Security target
Protection profile
Evaluation assurance level (EAL)

A

Evaluation assurance level (EAL)

855
Q

How many EALs are defined within the Common Criteria?
3
5
7

A

7

856
Q

In the Common Criteria, "Structurally tested"
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL2

857
Q

In the Common Criteria, "Methodically tested and checked"

EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL3

858
Q

In the Common Criteria, "Methodically designed, tested, and reviewed"
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL4

859
Q

In the Common Criteria, "Semiformally designed and tested"
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL5

860
Q

In the Common Criteria, "Semiformally verified design and tested"
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL6

861
Q

In the Common Criteria, "Formally verified design and tested"
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7

A

EAL7

862
Q

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).
How many IT processes exist in COBIT 4.1?

7
14
28
34

A

34

863
Q

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).
COBIT 4.1 has four domains. Which domain is number four?

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

A

Monitor and Evaluate

864
Q

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).
COBIT 4.1 has four domains. Which domain is number one?

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

A

Plan and Organize

865
Q

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).
COBIT 4.1 has four domains. Which domain is number two?

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

A

Acquire and Implement

866
Q

COBIT is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).
COBIT 4.1 has four domains. Which domain is number three?

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

A

Deliver and Support

867
Q

ITIL is a framework for providing best services in IT Service Management. ITIL contains five Service Management Practices. Which practice "helps IT provide services"?

Service Design
Service Transition
Service Operation
Continual Service Improvement
Service Strategy

A

Service Strategy

868
Q

ITIL is a framework for providing best services in IT Service Management. ITIL contains five Service Management Practices. Which practice "details the infrastructure and architecture required to deliver IT services"?

Service Design
Service Transition
Service Operation
Continual Service Improvement

A

Service Design

869
Q

ITIL is a framework for providing best services in IT Service Management. ITIL contains five Service Management Practices. Which practice "describes taking new projects and making them operational"?

Service Design
Service Transition
Service Operation
Continual Service Improvement

A

Service Transition

870
Q

ITIL is a framework for providing best services in IT Service Management. ITIL contains five Service Management Practices. Which practice "covers IT operations controls"?

Service Design
Service Transition
Service Operation
Continual Service Improvement

A

Service Operation

871
Q

ITIL is a framework for providing best services in IT Service Management. ITIL contains five Service Management Practices. Which practice "describes ways to improve existing IT services"?

Service Design
Service Transition
Service Operation
Continual Service Improvement

A

Continual Service Improvement

872
Q

In the context of IT management and governance, the Control Objectives for Information and Related Technology (COBIT) framework serves as a valuable tool. Who among the following roles would typically choose and utilize the COBIT framework to balance security controls and business requirements?

A. Data owners
B. Information stewards
C. Enterprise owners
D. Data custodians

A

Answer: C. Enterprise owners
Explanation: Enterprise or business owners are the most likely to select and apply the COBIT framework. COBIT allows them to govern and manage the IT environment to ensure that business needs, such as risk management, resource optimization, and value creation, are met effectively. While all roles may interact with COBIT in some way, the business owners are primarily responsible for aligning security controls with business requirements. Data owners, information stewards, and data custodians focus more on the operational aspects of data and are not usually involved in strategic decisions such as selecting a governance framework.

873
Q

An enterprise operates in a hybrid cloud environment, employing on-site and cloud-based systems. It has adequate on-site monitoring but needs to impose security policies on user activities and report exceptions in its increasing number of cloud services. What kind of tool would be most suitable for this requirement?

A. A Next-Generation Firewall (NGFW)
B. A Cloud Access Security Broker (CASB)
C. An Intrusion Detection System (IDS)
D. A Security Orchestration, Automation, and Response (SOAR) tool

A

Answer: B. A Cloud Access Security Broker (CASB)
Explanation: A Cloud Access Security Broker (CASB) is a tool that sits between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications. It can help monitor and secure the hybrid cloud environment.

874
Q

In data handling, when media is tagged based on the classification of the data it houses, what principle is generally enforced about labels?

A. The data is marked according to its integrity requisites.
B. The media is tagged based on the highest classification tier of the data it accommodates.
C. The media is tagged with all tiers of classification of the data it accommodates.
D. The media is tagged with the lowest tier of classification of the data it accommodates.

A

Answer: B. The media is tagged based on the highest classification tier of the data it accommodates.
Explanation: When labeling media based on the classification of the data it contains, the rule typically applied is to label it based on the highest classification level of the data. This ensures the most restrictive and appropriate controls are applied to protect the entire dataset.

875
Q

Among the following administrative processes, which one aids organizations in allocating suitable security control levels to sensitive data?

A. Data categorization
B. Remanence
C. Data transmission
D. Clearing

A

Answer: A. Data categorization
Explanation: Data classification, or categorization, is an administrative process that involves sorting data into categories based on its sensitivity level. This aids organizations in assigning appropriate levels of security controls to sensitive information, ensuring that each type of data is adequately protected according to its value and sensitivity.

876
Q

What term refers to the kind of information kept about an individual that can be utilized to distinguish or trace their identity?

A. Personally Identifiable Information (PII)
B. Personal Health Information (PHI)
C. Social Security Number (SSN)
D. Secure Identity Information (SII)

A

Answer: A. Personally Identifiable Information (PII)
Explanation: Personally Identifiable Information (PII) is any data that could identify a specific individual. It includes any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records.

877
Q

Among the following information security risks to data at rest, which one would inflict the most substantial reputational damage to an organization?

A. Incorrect classification
B. Data breach
C. Decryption
D. A deliberate insider threat

A

Answer: B. Data breach
Explanation: A data breach involving unauthorized access and retrieval of sensitive information often has the most significant reputational impact on an organization. It can lead to losing trust among customers and stakeholders, legal repercussions, and financial losses.

878
Q

Tools like Microsoft’s BitLocker, which employs full disk encryption, are utilized to protect data in what state?

A. Data in transit
B. Data at rest
C. Unlabeled data
D. Labeled data

A

Answer: B. Data at rest
Explanation: Full disk encryption tools like BitLocker are used to protect data at rest, that is, data that is stored on physical or virtual disk drives, storage devices, or other types of media.

879
Q

An employer issues mobile phones to its staff for work purposes and renews the devices every two years. How would you describe this practice if the phones are still operational and receiving system updates?

A. End of Life (EOL)
B. Planned obsolescence
C. End of Support (EOS)
D. Device risk management

A

Answer: B. Planned obsolescence
Explanation: Planned obsolescence is a policy of planning or designing a product with an artificially limited useful life or a purposely frail design, so it becomes outdated or nonfunctional after a certain period. In this case, even though the phones are still operational and receiving updates, they are replaced every two years. This is a form of planned obsolescence, where the company ensures that the old devices are phased out and replaced, even though they might still be usable. EOL is when the device is no longer suitable for use and is discarded. EOS means that the manufacturer has stopped providing updates or fixes for the product. Device risk management is a process to identify, assess, and prioritize the risks associated with using devices in an organization. None of these options describes the scenario as accurately as planned obsolescence.

880
Q

What is the primary objective of data classification?
A. It quantifies the cost of a data breach.
B. It prioritizes IT expenditures.
C. It enables compliance with breach notification laws.
D. It identifies the value of the data to the organization.

A

Answer: D. It identifies the value of the data to the organization.
Explanation: The primary purpose of data classification is to identify the value of the data to the organization. This process involves categorizing data based on its sensitivity level and importance to the organization, which helps implement appropriate security controls and handling procedures.

881
Q
What action is required to protect information and assets?

A. Risk assessment
B. Data categorization
C. Asset identification
D. Asset and information classification

A

Answer: D. Asset and information classification
Explanation: Identifying and classifying information and assets is a key step in managing security risks. This process helps prioritize resources, apply appropriate protections, and comply with legal and regulatory requirements.

882
Q

What term refers to organizing data based on its sensitivity and the impact on the business if compromised?

A. Data processing
B. Data classification
C. Data optimization
D. Data indexing

A

Answer: B. Data classification
Explanation: Data classification categorizes data into types, forms, or other distinct classes. This classification may be based on data sensitivity, such as private, confidential, or public, or on the data's importance to the organization.

883
Q

What term refers to the process of identifying and categorizing an organization’s resources?

A. Resource classification
B. Asset classification
C. Asset allocation
D. Resource allocation

A

Answer: B. Asset classification
Explanation: Asset classification defines an organization's assets based on their criticality, sensitivity, and other factors. This helps organizations apply appropriate security measures and prioritize their resources.

884
Q

What process involves setting the rules for how to deal with and manage information and assets within an organization?

A. Establishing data retrieval protocol
B. Setting information and asset handling guidelines
C. Creating data backup plan
D. Setting asset management policy

A

Answer: B. Setting information and asset handling guidelines
Explanation: Establishing information and asset handling requirements means setting up policies and procedures determining how data and assets should be managed, stored, transmitted, and disposed of. This is an essential part of an organization's information security strategy, helping to ensure that sensitive information and valuable assets are appropriately protected.

885
Q

What process involves the secure allocation of resources, assigning ownership, and managing inventory of tangible and intangible assets?

A. Asset management and secure provisioning
B. Information security audit
C. Network monitoring
D. Data backup and restoration

A

Answer: A. Asset management and secure provisioning
Explanation: Asset management and secure provisioning encompass the secure allocation of resources, identifying and assigning ownership of information and assets, and maintaining a comprehensive inventory of tangible and intangible assets. This helps provide an organized view of the company's resources and assists in maintaining proper security controls.

886
Q

What role in data management is responsible for the safe custody, transport, and storage of the data?

A. Data controller
B. Data processor
C. Data owner
D. Data custodian

A

Answer: D. Data custodian
Explanation: A data custodian is responsible for the data's safe custody, transport, and storage. They maintain the integrity, confidentiality, and availability of the data.

887
Q

Which term refers to the residual representation of data that remains even after attempts have been made to remove or erase the data?

A. Data retention
B. Data remanence
C. Data collection
D. Data location

A

Answer: B. Data remanence
Explanation: Data remanence is the residual representation of data nominally erased or removed.

888
Q

What is the process of acquiring data for initial use?

A. Data retention
B. Data location
C. Data collection
D. Data destruction

A

Answer: C. Data collection
Explanation: Data collection is the process of gathering and measuring information on targeted variables in an established system, enabling one to answer relevant questions and evaluate outcomes.

889
Q

Which term refers to the procedures that keep data for a predetermined period of time, after which it is discarded?

A. Data remanence
B. Data retention
C. Data collection
D. Data maintenance

A

Answer: B. Data retention
Explanation: Data retention involves policies and strategies to keep data for compliance or business reasons. After the predetermined period, the data is discarded.

890
Q

What process ensures data is accurate, consistent, and reliable throughout its life cycle?

A. Data collection
B. Data maintenance
C. Data retention
D. Data destruction

A

Answer: B. Data maintenance
Explanation: Data maintenance involves maintaining data assets by ensuring data accuracy, consistency, and reliability throughout its life cycle.

891
Q

Who decides who, what, when, where, and how data should be used or shared?
A. Data custodian
B. Data controller
C. Data processor
D. Data owner

A

Answer: D. Data owner
Explanation: The data owner is typically a senior executive with legal authority and responsibility for a dataset.

892
Q

Which term refers to the physical or virtual location where data is stored?

A. Data collection
B. Data location
C. Data maintenance
D. Data remanence

A

Answer: B. Data location
Explanation: Data location refers to the physical or virtual place where data is stored, such as in-house servers, data centers, or cloud storage.

893
Q

Who is responsible for processing personal data on behalf of the controller?

A. Data custodian
B. Data controller
C. Data processor
D. Data owner

A

Answer: C. Data processor
Explanation: A data processor is responsible for processing personal data on behalf of the controller.

894
Q

Which term refers to eliminating data stored on memory devices, ensuring that the data is completely unreadable?

A. Data collection
B. Data retention
C. Data destruction
D. Data location

A

Answer: C. Data destruction
Explanation: Data destruction is destroying data stored on tapes, hard disks, and other electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.

895
Q

Who is the person that determines the purposes for which and how personal data is processed?

A. Data owner
B. Data custodian
C. Data controller
D. Data processor

A

Answer: C. Data controller
Explanation: The data controller is the person (or business) who determines the purposes for which and how personal data is processed. They are responsible for establishing practices and policies in line with regulations to protect the data they are handling.

896
Q

What does the term “End-of-Life” (EOL) typically refer to in the context of asset retention?

A. The period when an asset is fully depreciated
B. The point at which the manufacturer no longer supports an asset
C. The time when an asset is no longer useful for the organization and is disposed of
D. The stage when an asset is upgraded or replaced with a newer model

A

Answer: C. The time when an asset is no longer useful for the organization and is disposed of
Explanation: EOL generally refers to a stage in the asset's life cycle when it is no longer beneficial or productive for the organization. This could be due to obsolescence, failure, or when it is more cost-effective to replace the asset than to continue maintaining it.

897
Q

What is the primary concern when a software asset reaches its End-of-Support (EOS) stage?

A. The software will no longer function.
B. The software may no longer receive security updates and patches.
C. The software will be incompatible with newer systems.
D. The software will automatically uninstall itself.

A

Answer: B. The software may no longer receive security updates and patches.
Explanation: When software reaches its EOS stage, the manufacturer or provider typically stops providing updates, patches, or fixes, including security-related ones. This can leave the software vulnerable to security threats and affect compliance with certain regulations.

898
Q

What is the primary purpose of establishing an asset retention policy in an organization?

A. To ensure data is never deleted
B. To prevent theft of organizational assets
C. To ensure compliance with legal and regulatory requirements for data retention
D. To ensure all assets are utilized to their fullest potential

A

Answer: C. To ensure compliance with legal and regulatory requirements for data retention
Explanation: Asset retention policies are primarily designed to ensure that organizations comply with applicable legal and regulatory requirements. These requirements often specify how long certain data types must be retained and how they should be securely disposed of when no longer needed.

899
Q

In the context of data management, what is the main reason for properly managing an asset’s End-of-Life (EOL) stage?

A. To maximize the asset’s value
B. To ensure data contained on the asset is properly backed up
C. To prevent unauthorized access or data breaches
D. To ensure the asset can be reused

A

Answer: C. To prevent unauthorized access or data breaches
Explanation: When an asset reaches its End-of-Life (EOL) stage, it's crucial to ensure that all data on the asset is either transferred or destroyed appropriately. If not managed correctly, it can lead to unauthorized access or data breaches, which can have significant consequences for the organization.

900
Q

Which of the following is a best practice for managing assets that have reached their End-of-Support (EOS) stage?

A. Continue using them as long as they still function
B. Replace them with the latest models available
C. Isolate them from the network and use them offline
D. Evaluate risks associated with continued use and plan for their replacement or upgrade

A

Answer: D. Evaluate risks associated with continued use and plan for their replacement or upgrade
Explanation: When assets reach their EOS stage, evaluating the risks associated with their continued use is essential. These might include security vulnerabilities due to a lack of updates or incompatibility issues with other systems. Based on this evaluation, a plan should be made for replacing or upgrading the assets.

901
Q

What are the three states of data that need to be secured?

A. Loaded, running, and unloaded
B. In use, in transit, and at rest
C. In motion, in storage, and processing
D. Active, passive, and idle

A

Answer: B. In use, in transit, and at rest
Explanation: The three states of data that need to
be considered when securing data are “in use” (data
being processed), “in transit” (data being moved
from one location to another), and “at rest” (data
that is stored).

902
Q

What is the purpose of scoping and tailoring in the context of data security controls?

A. To customize security controls to fit the specific needs of the organization
B. To reduce the number of security controls applied to data
C. To expand the range of security controls applied to data
D. To standardize security controls across different types of data

A

Answer: A. To customize security controls to fit the
specific needs of the organization
Explanation: Scoping and tailoring is adjusting a
set of standard security controls to fit an
organization’s specific needs better. This may
involve adding, modifying, or removing specific
controls based on the organization’s unique risk
environment and business requirements.

903
Q

What is the purpose of Digital Rights Management (DRM)?

A. To prevent unauthorized access to digital media
B. To facilitate the sharing of digital media
C. To track the usage of digital media
D. All of the above

A

Answer: D. All of the above
Explanation: DRM is a technology used to protect
digital media copyrights. It can prevent
unauthorized access, track digital media usage, and
control how digital media is shared.

904
Q

How does a Cloud Access Security Broker (CASB) contribute to data security?

A. By providing a security layer between users and cloud service providers
B. By encrypting data stored in the cloud
C. By monitoring user activity in the cloud
D. All of the above

A

Answer: D. All of the above
Explanation: A CASB is a software tool or service that
sits between an organization’s on-premises
infrastructure and a cloud provider’s infrastructure.
A CASB can provide various services, including
encrypting data, monitoring for malicious activity,
and enforcing security compliance policies.

905
Q

What is the primary goal of data loss prevention (DLP)?

A. To prevent data breaches by detecting potential data breach/data exfiltration transmissions
B. To recover data that has been lost due to hardware failure
C. To manage access rights to data
D. To provide an audit trail of data access

A

Answer: A. To prevent data breaches by detecting
potential data breach/data exfiltration
transmissions
Explanation: DLP ensures that end users do not
send sensitive or critical information outside the
corporate network. The term also describes software
products that help a network administrator control
what data end users can transfer.

906
Q

What process involves analyzing retained data, determining its importance and value, and categorizing it accordingly?

A. Implementing data security controls
B. Setting data standards
C. Acting as data custodians
D. Conducting data classification

A

Answer: D. Conducting data classification
Explanation: Data classification involves
analyzing an organization’s data, determining its
importance and value, and then categorizing it
accordingly. This process is crucial for effective data
management and protection.

907
Q

What term refers to the process of removing sensitive data from storage devices in a way that prevents its reconstruction through standard system functions or software file/data recovery utilities?

A. Clearing
B. Utilizing self-encrypting USB drives
C. Purging
D. Conducting data modeling

A

Answer: C. Purging
Explanation: Purging refers to securely removing
sensitive data from storage devices so that it cannot
be recovered using normal system functions or
software file/data recovery utilities.

908
Q

What provides more flexibility in applying encryption to specific files?

A. File encryption software
B. Categorization
C. Self-encrypting USB drives
D. Media encryption software

A

Answer: A. File encryption software
Explanation: File encryption software allows for
the encryption of specific files, providing flexibility
in securing particular data elements.

909
Q

What term describes the pivotal point where a material’s inherent magnetic alignment changes direction?

A. Data remanence
B. Clearing
C. Media encryption software
D. Curie temperature

A

Answer: D. Curie temperature
Explanation: The Curie temperature is the critical
point where a material’s intrinsic magnetic
alignment changes direction. This concept is
relevant in data storage technologies that use
magnetic storage media.

910
Q

What role ensures crucial datasets are developed, maintained, and accessible within their specified parameters?

A. Conducting data classification
B. Undertaking data modeling
C. Serving as data custodians
D. Implementing data security controls

A

Answer: C. Serving as data custodians
Explanation: Data custodians ensure that
important datasets are developed, maintained, and
accessible within their specifications. This role is
crucial in an organization’s overall data management
and protection strategy.

911
Q

In the context of US government document classifications, which signifies the least sensitive level?

A. Confidential
B. Top Secret
C. Top Secret
D. Secret

A

Answer: A. Confidential
Explanation: The US government ranks the
sensitivity of information into several levels: Top
Secret, Secret, and Confidential. Of these,
Confidential is considered the lowest level of
sensitivity.

912
Q

Which law in Europe is responsible for the protection of personal data privacy?

A. HIPAA
B. GLBA
C. GDPR
D. DPD

A

Answer: C. GDPR
Explanation: The General Data Protection
Regulation (GDPR) is the primary law in Europe
regulating how companies protect EU citizens’
personal data.

913
Q

The TLS protocol is most effective for safeguarding which type of data?

A. Data in motion
B. Data in use
C. Data at rest
D. Data in an archived status

A

Answer: A. Data in motion
Explanation: The Transport Layer Security (TLS)
protocol is primarily designed to provide privacy and
data integrity between two or more communicating
computer applications, making it suitable for
securing data in motion.

914
Q

Which protocol should you opt for if you want to replace an old Telnet server with a secure alternative?

A. SCP
B. HTTPS
C. SSH
D. SFTP

A

Answer: C. SSH
Explanation: SSH (Secure Shell) is a secure
protocol that can replace Telnet for secure server
management.

915
Q

Which of the following is considered the least secure method for removing data from magnetic media?

A. Destruction
B. Degaussing
C. Purging
D. Erasing

A

Answer: D. Erasing
Explanation: Of the methods listed, erasing is
generally the least secure method for data removal
from magnetic media. It simply removes pointers to
the data but doesn’t physically erase them.

916
Q

Which of the following locations exemplifies “data in use”?

A. RAM
B. Network transmission
C. SSD
D. Magnetic disk

A

Answer: A. RAM
Explanation: RAM (Random Access Memory) is a
type of computer memory used to read and write
data that is being actively used or processed by the
computer. Hence, it is an example of “data in use.”

917
Q

When viewed independently, which data elements can be considered PII?

A. Work ZIP code
B. Home address
C. Gender
D. Age

A

Answer: B. Home address
Explanation: A home address can identify an
individual even when seen in isolation. Hence, it is
considered PII.

918
Q

Who updates the system security plan when a significant change occurs?

A. Business owner
B. Data processor
C. Data owner
D. System owner

A

Answer: D. System owner
Explanation: The system owner, or information
system owner or information owner, is typically
responsible for the overall procurement,
development, integration, modification, or operation
and maintenance of the information system. When
there is a significant change in the system, they are
primarily responsible for updating the system
security plan (SSP). This includes documenting
changes in the system environment, updating the
system inventory, and reevaluating the security
controls. The business owner, data processor, and
data owner also have crucial roles in the
organization but are not primarily responsible for
the SSP. The business owner usually oversees the
business process that the system supports. The data
processor processes data on behalf of the data
owner, who is responsible for the data’s accuracy,
privacy, and security.

919
Q

What is the most important factor when determining a data classification level?

A. Format of the data
B. Value of the data
C. Identity of the data owner
D. Size of the data

A

Answer: B. Value of the data
Explanation: The value of the data, in terms of its
sensitivity and the impact if it were compromised, is
the most important factor when determining a data
classification level.

920
Q

Which encryption technology among the following is capable of protecting data within an email-attached file, ensuring it remains encrypted after being received?

A. AES
B. TLS
C. SSL
D. DES

A

Answer: A. AES
Explanation: Advanced Encryption Standard
(AES) is used for encrypting files, and it keeps the
file encrypted even after it is received and detached
from the email. While TLS and SSL secure
communication channels, they do not encrypt the
file, so it would not remain encrypted after receipt.
Though it can encrypt files, DES is considered
insecure due to its small key size.

921
Q

What access control policy is being implemented when you set up and integrate a nondiscretionary system?

A. Physical access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control

A

Answer: B. Mandatory access control
Explanation: Mandatory access control (MAC) is a
nondiscretionary access control policy regulated by
a central authority. It’s based on security labels
attached to each information object, and access is
granted or denied based on the security clearances
assigned to users.

922
Q

You decide to use a passphrase instead of a password that can be found in the dictionary, aiming for enhanced security. In this case, the new password transforms into what?

A. The strongest password
B. A virtual password
C. An unusual password
D. A username

A

Answer: A. The strongest password
Explanation: When you use a passphrase instead
of a standard dictionary word as your password, you
are essentially creating a stronger password.
Passphrases are typically longer than traditional
passwords, making it more difficult for attackers to
guess or crack using brute force. They can include
spaces and be more mnemonic, making them easier
for users to remember.

923
Q

You want the highest security protection for your company, regardless of cost. Which of the following should you choose?

A. Passwords
B. Smart cards
C. Palm vein scanner
D. Fingerprint reader

A

Answer: C. Palm vein scanner
Explanation: Biometric systems like palm vein
scanners offer the highest level of security. These
systems are unique to each individual and are more
difficult to replicate or forge than passwords or
smart cards.

924
Q

What is the term for a control category that responds after an incident?

A. Corrective control
B. Directive control
C. Preventative control
D. Deterrent control

A

Answer: A. Corrective control
Explanation: Corrective controls are implemented
in response to a security incident. They aim to limit
the extent of any damage caused, recover the
system’s normal functions, and correct any system
weaknesses identified during the incident.

925
Q

What is the correct sequence of the asset life cycle phases?

A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy

A

Answer: A. Create, use, share, store, archive, and
destroy
Explanation: The correct sequence of asset life
cycle phases is create, use, share, store, archive, and
destroy. This sequence reflects the typical
progression of an asset’s life.

926
Q

As a security manager, you are tasked with investigating a recent breach into the corporate network. Under what control category does this fall?

A. Retroactive control
B. Investigatory control
C. Preventative control
D. Detective control

A

Answer: D. Detective control
Explanation: Detective controls are designed to
discover and react to occurring incidents. In this
case, investigating a breach is an example of a
detective control, as you are identifying the cause
and impact of the incident that has already taken
place.

928
Q

Which of the following is the BEST definition of defensible destruction?

A. The destruction of assets using defense approved methods
B. The destruction of assets in a controlled, legally defensible, and compliant manner
C. The destruction of assets without the possibility of recovering those assets
D. The destruction of assets using a method that may not allow attackers to recover data

A

Answer: B. The destruction of assets in a controlled,
legally defensible, and compliant manner
Explanation: Defensible destruction refers to
destroying assets in a way that complies with legal
and regulatory requirements and can be defended if
questioned.

929
Q

How does an asset classification program enhance an organization’s ability to fulfill its objectives and goals?

A. By meeting the audit function’s requirements
B. By controlling changes to production environments
C. By reinforcing principles of ownership
D. By outlining controls to protect valuable assets

A

Answer: D. By outlining controls to protect valuable
assets
Explanation: Asset classification assists in
identifying the most critical and valuable assets,
enabling an organization to allocate resources and
controls effectively to protect these assets. This
leads to an improved ability to achieve its goals and
objectives.

930
Q

In a setting where asset classification has been implemented to meet privacy protection requirements, who is considered the owner and thus responsible for ensuring proper compliance and protection?

A. Data processor
B. Data subject
C. Data controller
D. Data steward

A

Answer: C. Data controller
Explanation: In the context of data privacy, the
data controller is the entity that determines the
purposes and means of processing personal data.
They are responsible for ensuring that the
processing complies with relevant laws and
regulations.

931
Q

Which of the following is NOT a principle of privacy protection from the Organization for Economic Cooperation and Development (OECD)?

A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle

A

Answer: B. Right to be Forgotten Principle
Explanation: The Right to be Forgotten is not an
OECD principle. It’s a provision from the General
Data Protection Regulation (GDPR) of the European
Union. The OECD principles include the Collection
Limitation, Use Limitation, and Accountability
principles, among others.

932
Q

All of the following are necessary for effective retention requirements in organizations EXCEPT

A. Policy
B. Awareness, education, training
C. Understanding of compliance-related requirements
D. Data steward

A

Answer: D. Data steward
Explanation: While a data steward can help
manage and enforce data policies, they’re not a
requirement for effective retention requirements.
Policies, education, training, and an understanding
of compliance requirements are all necessary.

933
Q

Which of the following is not an objective of baseline security controls used in protecting assets?

A. Specific steps that must be executed
B. Minimum level of security controls
C. It may be associated with specific architectures and systems
D. A consistent reference point

A

Answer: A. Specific steps that must be executed
Explanation: Baseline security controls do provide
a minimum level of security, can be associated with
specific architectures and systems, and serve as a
consistent reference point. However, they do not
dictate specific steps that must be executed. While
they set a base standard, the specific steps to
achieve this standard can vary based on the
organization’s unique needs and circumstances.

934
Q

Which of the following is the BEST definition of scoping?

A. Altering baselines to apply more specifically
B. Modifying assumptions based on previously learned behavior
C. Limiting general baseline recommendations by removing those that do not apply
D. Responsible protection of assets based on goals and objectives

A

Answer: C. Limiting general baseline
recommendations by removing those that do not
apply
Explanation: Scoping involves tailoring baseline
security recommendations to fit the specific
circumstances of an organization. This may involve
removing recommendations that are not applicable,
adding additional controls where necessary, or
modifying existing recommendations to better suit
the organization’s needs.

935
Q

How would you define “scoping” in the context of implementing new standards and frameworks in our organization?

A. Implementing the complete standard or framework but setting higher standards in certain areas
B. Selectively implementing parts of the standard or framework based on relevance
C. Assessing the cost implications of the implementation
D. Evaluating the suitability of the standard for the organization

A

Answer: B. Selectively implementing parts of the
standard or framework based on relevance
Explanation: Scoping involves adapting a
standard or framework to suit the specific
circumstances of an organization, which might
involve selecting only those parts that are relevant
or useful to the organization.

936
Q

What data destruction method would be most suitable for eliminating data remanence on devices like PROM, flash memory, and SSD drives?

A. Degaussing
B. Overwriting
C. Shredding
D. Formatting

A

Answer: B. Overwriting
Explanation: Overwriting is the process of
replacing existing data with new data, which can be
used to effectively eliminate data remanence on
rewritable memory like PROM, flash memory, and
SSD drives.

937
Q

In which of the three states of data is encryption protection unfeasible?

A. Data at rest
B. Data in motion
C. Data in use
D. Data on backup tapes

A

Answer: C. Data in use
Explanation: While data is in use, it is typically in
an unencrypted state as it is being processed or
accessed. Thus, it is difficult to apply encryption
protection to data in this state.

938
Q

What type of memory is utilized in flash drives?

A. SDRAM
B. PROM
C. EEPROM
D. DRAM

A

Answer: C. EEPROM
Explanation: Flash drives use Electrically
Erasable Programmable Read-Only Memory
(EEPROM), which allows data to be electrically
erased and reprogrammed.

939
Q

What method should be employed to erase EPROM memory for a firmware upgrade?

A. It’s not possible to erase EPROM once it’s written.
B. Software programs can be used to erase content.
C. Exposure to UV light.
D. Degaussing the chip after removing it from the motherboard.

A

Answer: C. Exposure to UV light
Explanation: Erasable Programmable Read-Only
Memory (EPROM) can be erased by exposing it to
strong UV light, allowing it to be rewritten.

940
Q

What are some methods for protecting data while an employee actively uses it?

A. Encryption, clean desk policies, and view angle screens
B. Clean desk policies, view angle screens, and automatic computer locking when not in use
C. A need-to-know policy
D. Clean desk policies, print policies, job rotation, mandatory vacations, and view angle screens

A

Answer: D. Clean desk policies, print policies, job
rotation, mandatory vacations, and view angle
screens
Explanation: All these measures can contribute to
protecting data in use. The need-to-know policy,
while valuable, does not directly address the
protection of data in use.

942
Q

What is one way to protect data at rest?

A. Clean desk policy
B. Privacy screens for monitors
C. Encryption
D. Discretionary access control (DAC)

A

Answer: C. Encryption
Explanation: Encryption is a primary method for
protecting data at rest. It renders the data
unreadable without the correct decryption key,
thereby protecting it even if physical security
measures fail.

943
Q

On what basis should the duration for keeping backups be decided?

A. Permanently
B. For a month, as long as we have a full backup of everything
C. As long as it is useful or required, whichever is longer
D. All data is required to be kept for one year

A

Answer: C. As long as it is useful or required,
whichever is longer
Explanation: The duration for keeping backups
should be based on both the utility of the data and
any legal or regulatory requirements. Some data
may need to be kept for a specific period due to
regulations, while other data may be useful for
business purposes for a certain length of time.

944
Q

Which type of memory is considered volatile?

A. DRAM
B. PROM
C. Flash Memory
D. EEPROM

A

Answer: A. DRAM
Explanation: Dynamic Random Access Memory
(DRAM) is a type of volatile memory. It retains data
as long as it’s powered on, but once the power is
turned off, the data is lost.

946
Q

Which type of Read-Only Memory (ROM) can only be programmed once?

A. EPROM
B. EEPROM
C. PROM
D. APROM

A

Answer: C. PROM
Explanation: Programmable Read-Only Memory
(PROM) can be programmed using a special device.
This process can only happen once. Once the PROM
has been programmed, the data written to it is
permanent and cannot be erased or rewritten.

947
Q

Why would we opt to use multiple forms of data destruction on our sensitive information?

A. Because it is easier than just a single type of data destruction
B. To ensure there is no data remanence
C. To ensure data is still accessible after the destruction
D. To make sure we have the old drives available

A

Answer: B. To ensure there is no data remanence
Explanation: Multiple forms of data destruction
are used to ensure there is no data remanence,
which means ensuring that no remnants of data
remain that could potentially be recovered.

948
Q

What is a typical attack on our data at rest?

A. Cryptanalysis
B. Shoulder surfing
C. Eavesdropping
D. All of these

A

Answer: A. Cryptanalysis
Explanation: Cryptanalysis, or attempting to
break encryption or cryptographic systems, is a
common attack method targeting data at rest.

949
Q

An attacker has stolen one of our backup tapes. What could prevent the data on the tape from being accessible?

A. Proper data handling
B. Proper data storage
C. Proper data retention
D. Proper data encryption

A

Answer: D. Proper data encryption
Explanation: Encryption is a process that
transforms readable data into unreadable data. An
attacker could not access the data without the
decryption key if the backup tapes were adequately
encrypted.

950
Q

Looking at the data classification classes of the US government: data that, if disclosed, won’t cause any harm to national security would be classified as?

A. Unclassified
B. Confidential
C. Secret
D. Top Secret

A

Answer: A. Unclassified
Explanation: In US government data
classification, data that wouldn’t harm national
security if disclosed is typically classified as
“Unclassified.”

951
Q

Which of these is a common attack against data at rest?

A. Stealing unencrypted laptops
B. MITM (man in the middle)
C. Screen scrapers
D. Keyloggers

A

Answer: A. Stealing unencrypted laptops
Explanation: Stealing unencrypted laptops is a
common attack against data at rest because the data
on these devices is easy to access if not encrypted.

952
Q

In designing our data retention policy, which should not be considered?

A. Which data do we keep?
B. How long do we keep the data?
C. Where do we keep the backup data?
D. How to safely destroy the data after the retention has expired?

A

Answer: C. Where do we keep the backup data?
Explanation: While the location of the backup
data is an important aspect of data management, it
is not directly related to the data retention policy,
which focuses on the duration and manner of data
retention.

953
Q

We have many policies we need to adhere to in our organization. Which of these would be part of our clean desk policy?

A. Minimal use of paper copies and only used while at the desk and in use
B. Cleaning your desk of all the clutter
C. Shred all paper copies of everything
D. Picking up anything you print as soon as you print it

A

Answer: A. Minimal use of paper copies and only
used while at the desk and in use
Explanation: A clean desk policy typically involves
minimizing the use of paper copies and ensuring
they are only in use while at the desk, to prevent
unauthorized access to sensitive information.

954
Q

What are we trying to eliminate with data disposal?

A. Data remanence
B. How long do we keep the data
C. The data content
D. The data in use

A

Answer: A. Data remanence
Explanation: The primary purpose of data
disposal is to eliminate data remanence, or residual
data that remains after data deletion or erasure,
which could be potentially recovered and exploited.

955
Q

When assigning sensitivity to our data, which of these should not be a factor?

A. Who will have access to the data
B. What the data is worth
C. How bad a data exposure would be
D. How the data will be used

A

Answer: D. How the data will be used
Explanation: Although how the data is used can
influence its sensitivity, the primary factors in
determining sensitivity are who has access, its value,
and the potential impact of its exposure.

956
Q

Which of these would be something we would consider for proper data disposal of SSD drives?

A. Degaussing
B. Formatting
C. Deleting all files
D. Shredding

A

Answer: D. Shredding
Explanation: Shredding, or physically destroying
the SSD, is one of the most secure data disposal
methods for solid-state drives.

957
Q

Which of these would be something we can implement to protect our data in use better? (Select all that apply.)

A. Clean desk policy
B. Encryption
C. View angle privacy screen for monitors
D. Print policy
E. Workstation locking

A

Answer: A, C, D, E. Clean desk policy, View angle
privacy screen for monitors, Print policy,
Workstation locking
Explanation: All of these, except encryption, are
strategies that can be used to protect data.
Encryption is typically used for data at rest or in
motion.

958
Q

Which of these should we encrypt if we are dealing with sensitive data?

A. Hard disks
B. Backup tapes
C. Data sent over the network
D. All of these

A

Answer: D. All of these
Explanation: When dealing with sensitive data, it
is important to encrypt all these forms of data
storage and transmission to ensure the security of
the data.

959
Q

What would be the role of the data custodian?

A. Make the policies, procedures, and standards that govern our data security
B. Perform the backups and restores
C. Be trained in the policies, procedures, and standards
D. Assign the sensitivity labels and backup frequency of the data

A

Answer: B. Perform the backups and restores
Explanation: A data custodian’s primary role is to
manage and handle the data, which includes
performing backups and restorations.

960
Q

Which of these could be a common attack on our data in motion?

A. Cryptanalysis
B. Shoulder surfing
C. Eavesdropping
D. All of these

A

Answer: C. Eavesdropping
Explanation: Eavesdropping, or interception of
information in transit, is a common type of attack on
data in motion.

961
Q

We’ve introduced logging on our backup servers to monitor employee data access. What does this demonstrate?

A. Proper data handling
B. Proper data storage
C. Proper data retention
D. Proper data encryption

A

Answer: A. Proper data handling
Explanation: Implementing logs to monitor who
accesses what data on your backup servers is an
example of proper data handling. This is a measure
to ensure accountability and traceability in the event
of any unauthorized or suspicious activities.

962
Q

We’re discarding many hard drives in line with our hardware disposal and no data remanence policy. What method would we use to guarantee zero data remanence on damaged SSD drives?

A. Degauss
B. Overwrite
C. Incinerate
D. Format

A

Answer: C. Incinerate
Explanation: While all options can erase data,
incineration is the most thorough method to ensure
there is no data remanence on SSD drives. It
physically destroys the drives, making data recovery
impossible.

963
Q

Who bears the responsibility for our organization’s day-to-day financial leadership?

A. The CEO
B. The CFO
C. The CIO
D. The CSO

A

Answer: B. The CFO
Explanation: The CFO, or Chief Financial Officer,
is typically responsible for the day-to-day financial
leadership of an organization.

964
Q

Which activity would we perform during the eDiscovery process?

A. Discover all the electronic files we have in our organization
B. Produce electronic information to internal or external attorneys or legal teams
C. Make sure we keep data long enough in our retention policies for us to fulfill the legal requirements for our state and sector
D. Delete data that has been requested if the retention period has expired

A

Answer: B. Produce electronic information to
internal or external attorneys or legal teams
Explanation: The e-discovery process typically
involves producing electronic information for
internal or external legal teams in preparation for
legal proceedings.

965
Q

How is data classified in the US government’s data classification scheme if its disclosure could cause serious damage to national security?

A. Unclassified
B. Confidential
C. Secret
D. Top Secret

A

Answer: C. Secret
Explanation: In the US government’s data
classification scheme, information is classified as
Secret when its unauthorized disclosure could
reasonably be expected to cause serious damage to
national security.

966
Q

For what type of data would we want to implement end-to-end encryption?

A. Data at rest
B. Data in use
C. Data in motion
D. All of these

A

Answer: C. Data in motion
Explanation: End-to-end encryption is most relevant for data in motion. It’s a secure communication method that prevents third parties from accessing data while it’s transferred from one end system to another.

967
Q

What is the primary goal of information classification within an organization?

A. To increase the workload of IT staff
B. To facilitate communication between departments
C. To protect the confidentiality, integrity, and availability of data
D. To make data more accessible

A

Answer: C. To protect the confidentiality, integrity, and availability of data
Explanation: The primary goal of information classification is to protect the confidentiality, integrity, and availability of data by identifying the sensitivity of data and implementing suitable controls to protect it.

968
Q

Which one of the following is NOT a typical level of data classification in a private sector organization?

A. Proprietary
B. Confidential
C. Top Secret
D. Public

A

Answer: C. Top Secret
Explanation: The Top Secret classification is typically used within government organizations, not the private sector.

969
Q

Who is typically responsible for data classification in an organization?

A. IT department
B. Data owner
C. Security team
D. All employees

A

Answer: B. Data owner
Explanation: The data owner, who is usually someone with appropriate authority within the organization, is typically responsible for data classification.

970
Q

What is the role of a data custodian in an organization?

A. Define data classification levels
B. Implement controls as defined by the data owner
C. Determine how long data should be retained
D. Create new datasets

A

Answer: B. Implement controls as defined by the data owner
Explanation: The data custodian is responsible for the implementation of the controls defined by the data owner, including storage, protection, and retrieval of datasets.

971
Q

Which of the following best describes data remanence?

A. Data that remains on a storage medium after it has been deleted
B. Data that is stored in the cloud
C. Data that is currently in use
D. Data that is being transmitted over a network

A

Answer: A. Data that remains on a storage medium after it has been deleted
Explanation: Data remanence refers to the residual representation of data that remains even after attempts have been made to remove or erase the data.

972
Q

What is the purpose of a data retention policy?

A. To define how long data should be kept before it is deleted
B. To ensure data is accessible to all employees
C. To classify data according to its sensitivity
D. To protect data from malware attacks

A

Answer: A. To define how long data should be kept before it is deleted
Explanation: A data retention policy outlines how long data should be stored based on regulatory requirements, business needs, and data value.

973
Q

Which one of the following is NOT a factor in determining data retention periods?

A. Regulatory requirements
B. Business needs
C. The size of the data
D. Legal considerations

A

Answer: C. The size of the data
Explanation: While the size of the data may affect storage requirements, it typically does not determine the length of data retention periods.

974
Q

What is the primary goal of privacy laws and regulations?

A. To make data more accessible
B. To protect the rights of individuals with respect to their personal data
C. To classify data according to its sensitivity
D. To ensure data is retained for the correct period of time

A

Answer: B. To protect the rights of individuals with respect to their personal data
Explanation: The primary goal of privacy laws and regulations is to protect individuals’ rights regarding their personal data, including how it is collected, stored, used, and shared.

975
Q

When considering the life cycle of information, what is typically the final stage?

A. Creation
B. Distribution
C. Storage
D. Destruction

A

Answer: D. Destruction
Explanation: The final stage of the information life cycle is typically destruction, during which data is destroyed in a way that ensures it cannot be reconstructed or recovered.

976
Q

What type of security control is data encryption?

A. Preventative
B. Detective
C. Corrective
D. Recovery

A

Answer: A. Preventative
Explanation: Encryption is a preventative control that protects data confidentiality and integrity by transforming plaintext into ciphertext that is unreadable without the decryption key.

977
Q

Cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don’t always provide confidentiality

Code
Cipher

A

Code

978
Q

In cryptography, “are always meant to hide the true meaning of a message” and are always secret

Code
Cipher

A

Cipher

980
Q

In Cryptography “A symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.”

Substitution
Stream Cipher
Block Cipher
Substitution
Transposition
initialization vector (IV)

A

Stream Cipher

981
Q

In cryptography, “a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to a block of data at once as a group rather than to one bit at a time.”

Substitution
Stream Cipher
Block Cipher
Substitution
Transposition
initialization vector (IV)

A

Block Cipher

982
Q

In cryptography, “a random bit string (a nonce) that is the same length as the block size and is XORed with the message. IVs are used to create a unique ciphertext every time the same message is encrypted with the same key.”

Substitution
Stream Cipher
Block Cipher
Substitution
Transposition
initialization vector (IV)

A

Substitution

983
Q

In cryptography, “uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message.”

A

Transposition

984
Q

In cryptography, an ___________ or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

A

initialization vector (IV)

985
Q

In cryptography, there are three similar stream ciphers. The only difference is key length. This cipher uses a key of one and is also known as the shift cipher.

Vigenere
One Time Pad
Caesar

A

Caesar

986
Q

In cryptography, there are three similar stream ciphers. The only difference is key length. This cipher uses a longer key, a word or a sentence.

Vigenere
One Time Pad
Caesar

A

Vigenere

987
Q

In cryptography, there are three similar stream ciphers. The only difference is key length. This cipher uses a key that is as long as the message itself.

Vigenere
One Time Pad
Caesar

A

One Time Pad

988
Q

In cryptography, for this cipher the key must be generated randomly without any known patterns, used once, and then discarded.

Vigenere
One Time Pad
Caesar

A

One Time Pad

989
Q

Is a communication concept. A specific type of information is exchanged, but no real data is transferred, as with digital signatures and digital certificates. More simply, it enables one to prove knowledge of a fact to another individual without revealing the fact itself.

Zero Knowledge proof
Split Knowledge
Work function - Work factor

A

Zero Knowledge proof

990
Q

This means that the information or privilege required to perform an operation is divided among multiple users, ensuring that no single person has sufficient privileges to compromise the security of the environment.

Zero Knowledge proof
Split Knowledge
Work function - Work factor

A

Split Knowledge

991
Q

Is a way to measure the strength of a cryptographic system by measuring the effort, in terms of cost and/or time, to decrypt messages. The time and effort required to break a protective measure.

Zero Knowledge proof
Split Knowledge
Work function - Work factor

A

Work function - Work factor

992
Q

Relies on the use of a shared key. Lacks support for scalability, easy key distribution, and non-repudiation.

Symmetric
Asymmetric

A

Symmetric

993
Q

Public-private key pairs for communication between parties. Supports scalability, easy key distribution, and non-repudiation.

Symmetric
Asymmetric

A

Asymmetric

994
Q

Which of these is faster?

Symmetric
Asymmetric

A

Symmetric

995
Q

Which is stronger?

Symmetric
Asymmetric

A

Asymmetric

996
Q

Is one of the major goals of cryptography. It protects the SECRECY of data while it is both at rest and in transit.

Confidentiality
Integrity
Non Repudiation

A

Confidentiality

997
Q

Provides the recipient of a message with the assurance that DATA WAS NOT ALTERED (intentionally or unintentionally) between the time it was created and the time it was accessed.

Confidentiality
Integrity
Non Repudiation

A

Integrity

998
Q

Provides UNDENIABLE PROOF that the sender of a message actually authored it. It prevents the sender from subsequently denying that they sent the original message.

Confidentiality
Integrity
Non Repudiation

A

Non Repudiation

999
Q

Cryptography operation modes - Simplest, least secure mode. Processes 64-bit blocks, encrypting each block with the chosen key. If the same plaintext block is encountered multiple times, the same encrypted block is produced, which makes it easy to break.

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Electronic Codebook Mode (ECB)

1000
Q

Cryptography operation modes - Each block of unencrypted text is XORed with the ciphertext block immediately preceding it. Decryption simply decrypts the ciphertext and reverses the XOR operation.

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Cipher Block (CBC)

1001
Q

Cryptography operation modes - Is the streaming version of CBC. Works on data in real time, using memory buffers of the same block size. When the buffer is full, the data is encrypted and transmitted. USES CHAINING, SO ERRORS PROPAGATE.

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Cipher Feedback (CFB)

1002
Q

Cryptography operation modes - Operates similarly to CFB, BUT XORs the plaintext with a seed value. No chaining function, so errors do not propagate.

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Output Feedback (OFB)

1003
Q

Cryptography operation modes - Uses an incrementing counter instead of a seed. Errors do not propagate.

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Counter (CTR)

1004
Q

Out of all of these cryptography operation modes, which do not propagate errors?

Electronic Codebook Mode (ECB)
Cipher Block (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

A

Output Feedback (OFB)
Counter (CTR)

1005
Q

XOR cipher - Binary values match = 0, otherwise the cipher value is 1

True
False

A

True

1006
Q

DES Electronic Code Book mode uses an initialization vector or chaining, and patterns can be clearly visible in the resulting ciphertext

A. True
B. False

A

B. False

1007
Q

In symmetric encryption, chaining (called feedback in stream modes) seeds the previous encrypted block into the next block ready for encryption. This destroys patterns in the resulting ciphertext.

A. True
B. False

A

A. True

1008
Q

XOR cipher - Binary values match = 1, otherwise the cipher value is 0

True
False

A

False

1009
Q

A weakness in cryptography where a plain-text message generates identical ciphertext messages using the same algorithm but using different keys.

Public keys
Key clustering

A

Key clustering

1010
Q

Are shared among communicating parties

Public Keys
Private Keys

A

Public Keys

1011
Q

Private keys are kept secret

Public Keys
Private Keys

A

Private Keys

1012
Q

To encrypt a message (data)

Use the recipient’s public key
Use the sender’s public key

A

Use the recipient’s public key

1013
Q

To decrypt a message (data)

Use the recipient’s private key
Use your own private key

A

Use your own private key

1014
Q

To sign a message (Digital Signature)

Use the recipient’s private key
Use your own private key

A

Use your own private key

1015
Q

To validate a Digital Signature

Use the sender’s public key
Use your own private key

A

Use the sender’s public key

1016
Q

Which of the following is a reactive countermeasure in defending against worms?

a. Packet filtering firewalls
b. Stackguarding
c. Virus scanning tool
d. Virtual machine

A

c. Virus scanners, being one of the reactive (detective) countermeasures, search for “signature strings” or use algorithmic detection methods to identify known viruses. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Packet-filtering firewalls block all incoming traffic except what is needed for the functioning of the network. Stack guarding prevents worms from gaining increased privileges on a system. A virtual machine prevents potentially malicious software from using the operating system for illicit actions.

1017
Q

Which of the following is not part of malware incident detection and analysis phase?

a. Understanding signs of malware incidents
b. Acquiring tools and resources
c. Identifying malware incident characteristics
d. Prioritizing incident response

A

b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.

1018
Q

Which of the following statements is true about application software testing?

a. Basic testing equals black-box testing.
b. Comprehensive testing equals black-box testing.
c. Basic testing equals gray-box testing.
d. Comprehensive testing equals focused testing.

A

a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing. Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white-box testing. Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Focused testing is also known as gray-box testing.

1018
Q

Which of the following cannot handle the complete workload of a malware incident and cannot ensure a defense-in-depth strategy?

a. Antivirus software
b. E-mail filtering
c. Network-based intrusion prevention system software
d. Host-based IPS software

A

a. In a widespread incident, if malware cannot be identified by updated antivirus software, or updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high-volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across multiple components. Antivirus software alone cannot ensure a defense-in-depth strategy. Automated detection methods other than antivirus software are needed to ensure a defense-in-depth strategy. These detection methods include e-mail filtering, network-based intrusion prevention system (IPS) software, and host-based IPS software.

1019
Q

Which of the following is true about a stealth virus?

a. It is easy to detect.
b. It is a resident virus.
c. It can reveal file size increases.
d. It doesn’t need to be active to show stealth qualities.

A

b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus can typically not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.

1019
Q

Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with identifying infected servers?

a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators

A

b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are good at identifying infected servers such as domain name system (DNS), email, and Web servers. The roles of the other three administrators are different from separation of duties, independence, and objectivity viewpoints.

1020
Q

Which of the following is not a common tool for eradication of malware from an infected host?

a. Antivirus software
b. Spam-filtering software
c. Spyware detection and removal utility software
d. Patch management software

A

b. Spam-filtering software, whether host-based or network-based, is effective at stopping known email-based malware that uses the organization’s e-mail services and is effective at stopping some unknown malware. The most common tools for eradication are antivirus software, spyware detection and removal utility software, patch management software, and dedicated malware removal tools.

1020
Q

Organizations should strongly consider rebuilding a system that has which of the following malware incident characteristics?

  1. Unauthorized administrator-level access.
  2. Changes to system files.
  3. The system is unstable.
  4. The extent of damage is unclear.

a. 1 only
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

d. If an incident has resulted in unauthorized administrator-level access, changes to system files, unstable system, and the extent of damage is unclear, organizations should be prepared to rebuild each affected system.

1021
Q

Which of the following ways should be used to rebuild a host infected in a malware incident?

  1. Reinstalling the operating system
  2. Reinstalling the application systems
  3. Securing the operating and application systems
  4. Restoring the data from known good backups

a. 1 and 2
b. 3 only
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

d. Rebuild each affected system by reinstalling and reconfiguring its operating system and applications, securing the operating system and applications, and restoring the data from known good backups.

1021
Q

Lessons learned from major malware incidents improve which of the following?

  1. Security policy
  2. Software configurations
  3. Malware prevention software deployments
  4. Malware detection software deployments

a. 1 only
b. 1 and 2
c. 3 and 4
d. 1, 2, 3, and 4

A

d. Capturing the lessons following the handling of a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and malware detection and prevention software deployments.

1022
Q

Which of the following is the correct tool and technology deployment sequence for containing malware incidents, especially when a worm attacks the network service?

  1. Internet border and internal routers
  2. Network-based firewalls
  3. Network- and host-based antivirus software
  4. Host-based firewalls

a. 1, 2, 4, and 3
b. 2, 3, 1, and 4
c. 3, 4, 2, and 1
d. 4, 2, 1, and 3

A

c. When organizations develop strategies for malware incident containment, they should consider developing tools to assist incident handlers in selecting and implementing containment strategies quickly when a serious incident occurs. Network- and host-based antivirus software does detect and stop the worm, and identify and clean the infected systems. Host-based firewalls do block worm activity from entering or exiting hosts, reconfigure the host-based firewall itself to prevent exploitation by the worm, and update the host-based firewall software so that it is no longer exploitable. Network-based firewalls do detect and stop the worm from entering or exiting networks and subnets. Internet border and internal routers do detect and stop the worm from entering or exiting networks and subnets if the volume of traffic is too high for network firewalls to handle or if certain subnets need greater protection. The incorrect sequences listed in the other three choices do not contain malware incidents because their combined effect is not as strong and effective as the correct sequence.

1023
Q

All the following are characteristics of a managed environment dealing with malware prevention and handling except:

a. Installing antivirus software
b. Requiring administrator-level privileges to end users
c. Using deny-by-default policies
d. Applying software patches

A

b. Requiring administrator-level privileges is a characteristic of a non-managed environment, where system owners and users have substantial control over their own systems. Owners and users can alter system configurations, making security weak. In a managed environment, one or more centralized groups have substantial control over the server and workstation operating system and application configurations across the enterprise. Recommended security practices include installing antivirus software on all hosts and keeping it up to date, using deny-by-default policies on firewalls, and applying patches to operating systems and applications. These practices enable a consistent security posture to be maintained across the enterprise.

1024
Q

Which of the following is required to control the actions of mobile code, stationary code, or downloaded code?

a. Technical controls
b. Administrative controls
c. Behavioral controls
d. Physical controls

A

c. Conceptually, behavioral controls can be viewed as a software cage or quarantine mechanism that dynamically intercepts and thwarts attempts by the subject code to take unacceptable actions that violate policy. As with firewalls and antivirus products, methods that dynamically restrain mobile code were born out of necessity to supplement existing mechanisms, and represent an emerging class of security product. Such products are intended to complement firewall and antivirus products that respectively block network transactions or mobile code based on predefined signatures (i.e., content inspection), and may refer to methods such as dynamic sandboxes, dynamic monitors, and behavior monitors, used for controlling the behavior of mobile code. In addition to mobile code, this class of product may also be applicable to stationary code or downloaded code whose trustworthiness is in doubt. Technical controls, administrative controls, and physical controls are incorrect because they are not as strong as behavioral controls in combating mobile code.

1025
Q

Which of the following is basic, low-privilege access to a computer?

a. Application access
b. Administrative access
c. Privileged access
d. Root access

A

A. Application access is basic, low-privilege access. It may include access to data entry, data update, data query, data output, or report programs. Administrative access, privileged access, and root access are advanced levels of access to a computer system that include the ability to perform significant configuration changes to the computer’s operating system.

1026
Q

Assume that a new computer worm is released that can spread rapidly and damage any computer in an organization unless it is stopped. The organization has 1,000 computers, the budget for in-house technical support is $500,000 per year, and the budget for outsourced technical support is $600,000. It takes an average of 4 hours for one technical support worker to rebuild a computer at a rate of $70 per hour for wages and benefits. What is the total cost for not mitigating the worm release?
a. $280,000
b. $500,000
c. $560,000
d. $600,000

A

C. The cost not to mitigate = W × T × R, where W is the number of computers or workstations, T is the time spent fixing systems plus lost user productivity, and R is the hourly rate of time spent or lost. During downtime, the computer owner or user is without a computer to do his work, which should be added to the time required to rebuild a computer. This is translated into $560,000 (i.e., 1,000 computers × 8 hours × $70 per hour). $280,000 is incorrect because it fails to take into account the lost user productivity time. This is translated into $280,000 (i.e., 1,000 computers × 4 hours × $70 per hour). $500,000 is incorrect because it assumes the budget for in-house technical support. $600,000 is incorrect because it assumes the budget for outsourced technical support.

1027
Q

What is the major principle of configuration management?

a. To reduce risks to data confidentiality
b. To reduce risks to data integrity
c. To reduce risks to data availability
d. To provide repeatable mechanism for effecting system changes

A

D. The major principle of configuration management is to provide a repeatable mechanism for effecting system modifications in a controlled environment. Achieving a repeatable mechanism can automatically achieve the other three choices.

1027
Q

Which of the following refers to the Reference Monitor concept?

a. It is a system access control concept.
b. It is a system penetration concept.
c. It is a system security concept.
d. It is a system-monitoring concept.

A

A. The Reference Monitor concept is an access control concept that refers to an abstract computer mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.

1028
Q

Which of the following is a malicious code that replicates using a host program?

a. Boot sector virus
b. Worm
c. Multi-partite virus
d. Common virus

A

D. A common virus is a code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable. The boot-sector virus works during computer booting, where the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both sector and file infector viruses.

1028
Q

Which of the following is not an example of built-in security features?

a. Authentication controls were designed during a system development process.
b. Fail-soft security features were installed.
c. Least-privilege principles were installed during the post-implementation period.
d. Fail-safe security features were implemented.

A

c. Built-in security means that security features are designed into the system during its development, not after. Any feature that is installed during post-implementation of a system is an example of built-on security, not built-in. Security and control features must be built in from a cost-benefit perspective.

1029
Q

Which of the following fully characterizes an information system’s security?

a. Confidentiality
b. Integrity
c. Assurance
d. Availability

A

c. System assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the data and information it processes. For example, software assurance achieves trustworthiness and predictable execution. The three well-accepted and basic-level security objectives are confidentiality, integrity, and availability, and assurance can be considered an advanced-level security objective because the former culminates in the latter. What good is an information system that cannot provide full assurance with regards to its security?

1030
Q

Which of the following is an example of both preventive and detective control?

a. Audit trails
b. Antivirus software
c. Policies and procedures
d. Contingency plans

A

b. Antivirus software is a preventive control in that it stops a known virus from getting into a computer system. It is also a detective control because it notifies upon detecting a known virus. Audit trails are detective controls; policies and procedures are directive controls, whereas contingency plans are an example of recovery controls.

1030
Q

An effective defense against new computer viruses does not include which of the following?

a. Program change controls
b. Virus scanning programs
c. Integrity checking
d. System isolation

A

b. Computer virus defenses are expensive to use, ineffective over time, and ineffective against serious attackers. Virus scanning programs are effective against viruses that have been reported and ineffective against new viruses or viruses written to attack a specific organization. Program change controls limit the introduction of unauthorized changes such as viruses. Redundancy can often be used to facilitate integrity. Integrity checking with cryptographic checksums in integrity shells is important to defend against viruses. System or equipment isolation to limit the spread of viruses is good, too.

1031
Q

Which of the following statements dealing with security principles is not true when securing an application environment?

a. Information security functions should be isolated from non-security functions.
b. Design for protection mechanisms should be simple and small in size.
c. Similar security controls should be placed in series and in sequence to achieve a defense-in-depth strategy.
d. Data-hiding techniques should be practiced during program testing and software maintenance.

A

c. Defending an information system requires safeguards to be applied throughout the system, as well as at points of entry. The selection and placement of security controls should be done in a way that progressively weakens or defeats all attacks. Having a series of similar controls in succession tends to only lengthen the duration of the attack, which is not good. Applying different types of controls that complement each other and are mutually supportive is a much more effective approach in achieving a defense-in-depth strategy. Although the capabilities of available safeguards may overlap to some extent, the combined effect should exceed the effects of each control used individually. The other three choices are true statements in achieving security in an application environment. The information system isolates security functions from non-security functions via partitions and domains that control access to and protect the integrity of the hardware, software, and firmware that perform those security functions. Safety functions should be kept separate from one another. The design of information systems and the design of protection mechanisms in those systems should be as simple as possible. Complexity is at the root of many security issues. The principle of data hiding should be useful during program testing and software maintenance.

1032
Q

Security controls and audit trails should be built into computer systems in which of the following system development life cycle (SDLC) phases?

a. System initiation phase
b. System development phase
c. System implementation phase
d. System operation phase

A

b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users and system/security administrators develop system controls and audit trails used during the operational phase.

1033
Q

Which of the following levels of the software capability maturity model deal with security requirements?

a. Initial level
b. Repeatable level
c. Defined level
d. Optimizing level

A

b. In the repeatable level of the software capability maturity model, system requirements are defined; these include security, performance, quality, and delivery dates. The purpose is to establish a
common understanding between the customer and the software development project team. The other three choices are not correct because each level deals with specific requirements.

1034
Q

Which of the following is not a direct method to conduct data leakage attacks?

a. Trojan horse
b. Asynchronous attacks
c. Logic bombs
d. Scavenging methods

A

b. Data leakage is the removal of data from a system by covert means, and it might be conducted directly through the use of a Trojan horse, logic bomb, or scavenging methods. Asynchronous attacks are indirect attacks on a computer program that act by altering legitimate data or code at a time when the program is idle and then causing the changes to be added to the target program at a later execution.

1035
Q

Which of the following infects both boot-sectors and file infectors?

a. Worm
b. Link virus
c. Multi-partite
d. Macro

A

c. Multi-partite viruses are a combination of both boot-sector and file-infector viruses, which can be spread by both methods. A worm is a self-replicating, self-contained program and does not require a host program. Link viruses manipulate the directory structure of the media on which they are stored, pointing the operating system to virus code instead of legitimate code. Macro viruses are stored in a spreadsheet or word processing document.

1036
Q

Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program codes at a later date. What are these entry points called?

a. Logic bombs
b. Worms
c. Backdoors
d. Trojan horses

A

c. Backdoors are also called hooks and trapdoors. Logic bomb is incorrect because it is a program that triggers an unauthorized, malicious act when some predefined condition occurs. Worms are
incorrect because they search the network for idle computing resources and use them to execute the program in small segments. Trojan horses are incorrect because a Trojan horse is a production program that has access to otherwise unavailable files and is changed by adding extra,
unauthorized instructions. It disguises computer viruses.

1037
Q

Software vendors and contractors can install a backdoor entry into their own products or client’s computer systems. Which of the following are major risks arising from such installation?

a. Software disconnection and hacker entry
b. Remote monitoring and remote maintenance
c. Software disconnection and remote monitoring
d. Remote maintenance and hacker entry

A

a. Some vendors can install a backdoor or a trapdoor entry for remote monitoring and maintenance purposes. The good news is that the backdoor is a convenient approach to solve operational problems. The bad news is that the backdoor is wide open for hackers. Also, the vendor can modify the software at will without the user’s knowledge or permission. An unhappy vendor can disconnect a user from
accessing the software as a penalty for nonpayment or disputes in payment. Access codes should be required for remote monitoring and maintenance.

1038
Q

Countermeasures against hidden code attacks include which of the following?
1. Use war dialing software.
2. Use firewalls.
3. Use layered protections.
4. Disable active-content code.

a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 4

A

c. Hidden code attacks are based on data and information. Using layered protections and disabling active-content code (for example, ActiveX and JavaScript) from the Web browser are effective controls
against such attacks. War dialing software is good at detecting trapdoors (backdoor modems) and not good against trapdoor attacks. Firewalls are effective against spoofing attacks.

1039
Q

The scope of a functional configuration audit does not include which of the following?

a. Evaluation of change control
b. Testing of software product
c. Tracing of system requirements
d. Evaluation of test approach and results

A

a. Evaluation of change control is a part of the physical configuration audit, whereas the other choices are part of the functional
configuration audit. The physical configuration audit provides an
independent evaluation of whether components in the as-built version
of the software map to the specifications of the software. Specifically, this audit is held to verify that the software and its documentation are internally consistent and ready for delivery. Activities typically
planned and executed as part of the physical configuration audit
include evaluation of product composition and structure, product functionality, and change control. The functional configuration audit provides an independent evaluation of configuration items to determine whether actual functionality and performance are consistent with the requirements specifications. Specifically, this audit is conducted prior to the software delivery to
verify that all requirements specified in the requirements document have been met. Activities typically planned and executed as part of a functional configuration audit include testing of software products,
tracing of system requirements from their initial specification through system testing, evaluation of the test approach and results attained, and evaluating the consistency between the baselined product elements

1040
Q

Which of the following statements is not true about applets?

a. Applets are large application programs.
b. Applets are written mostly in Java language.
c. Applets are automatically downloaded.
d. Applets are small application programs.

A

a. Applets are small application programs mostly written in Java
programming language that are automatically downloaded and
executed by applet-enabled Web browsers.

1041
Q

The contingency processes should be tested in which of the following phases of system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. The contingency processes should be tested and maintained during the implementation phase of the SDLC. The capability to recover and reconstitute data should be considered during the initiation
phase. Recovery strategies should be considered during the development phase. The contingency plan should be exercised and maintained during the
operation/maintenance phase.

1042
Q

A macro virus is most difficult to:

a. Prevent
b. Detect
c. Correct
d. Attach

A

b. A macro virus is associated with a word processing file, which can damage the computer system. Macro viruses pass through the firewall with ease because they are usually passed on as either an email message or simply downloaded as a text document. The macro virus represents a significant threat because it is difficult to detect. A macro virus consists of instructions in Word Basic, Visual Basic for
applications, or some other macro languages, and resides in documents. Any application that supports macros that automatically execute is a potential platform for macro viruses. Now, documents are more widely shared through networks and the Internet than via disks.

1043
Q

Which of the following is most vulnerable to Trojan horse attacks?

a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control

A

a. Because the discretionary access control system restricts access based on identity, it carries with it an inherent flaw that makes it vulnerable to Trojan horse attacks. Most programs that run on behalf of a user inherit the discretionary access control
rights of that user.

1044
Q

Which of the following is the best place to check for computer viruses?

a. Each computer
b. Each workstation
c. The e-mail server
d. Each network

A

c. Virus checkers monitor computers and look for malicious code. A problem is that virus-checking programs need to be installed at each computer, workstation, or network, thus duplicating the software at
extra cost. The best place to use the virus-checking programs is to scan e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.

1045
Q

What do you call attacks that can disclose the end users’ session token and attack the local machine?

a. Broken access control
b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws

A

d. In cross-site scripting (XSS) flaws, the Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

1046
Q

A polymorphic virus uses which of the following?

a. Inference engine
b. Heuristic engine
c. Mutation engine
d. Search engine

A

c. Virus writers use a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes and to evade detection. The other three choices do not deal with the transformation process.

1046
Q

All the following techniques can help in achieving process isolation security principle except:

a. Encapsulation
b. Naming distinctions
c. Virtual mapping
d. Security kernel

A

d. A security kernel is defined as hardware, firmware, and software elements of a Trusted Computing Base (TCB) that
implements the reference monitor concept. A security kernel cannot achieve process isolation. Techniques such as encapsulation, time multiplexing of shared
resources, naming distinctions, and virtual mapping are used to employ the process isolation or separation principle. These separation principles are supported by incorporating the principle of least
privilege.

1047
Q

Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with
changes in login scripts?

a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators

A

d. Organizations should identify which individuals or groups can assist in infection identification efforts. Desktop administrators are good at identifying changes in login scripts along with Windows Registry or file scans, and good at implementing changes in login scripts. The roles of the other three administrators are different from separation of duties, independence, and objectivity viewpoints.

1048
Q

Which of the following is a reactive
countermeasure in defending against worms?

a. Integrity checkers
b. Software patching
c. Host firewalls
d. Stateful firewalls

A

b. Software patching, being one of the reactive (detective) countermeasures, is mostly done after a vulnerability or programming/design error is discovered. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive)
countermeasures. Integrity checkers keep cryptographic hashes of known good instances of files so that integrity comparisons can be made at any time. Host firewalls enforce rules that define the manner in which specific applications may use the network. Stateful firewalls keep track of network connections and monitor their state.

1049
Q

Which of the following is an effective means of preventing and detecting computer viruses coming from outside into a network?

a. Install an antivirus program on the network.
b. Install an antivirus program on each personal computer.
c. Certify all removable media disks prior to their use.
d. Train all employees about potential risks.

A

c. It is a common practice for some organizations to certify all removable media disks coming into the organization from outside prior to their use. This is done by a centralized group for the entire location and requires testing the disk for possible inclusion of viruses. The other three choices are effective as internal protection mechanisms against viruses.

1050
Q

All the following are examples of measures to defend against computer viruses except:

a. Access controls
b. Audit trails
c. Passwords
d. Least privilege principle

A

c. Passwords are administrative controls, whereas access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions, so security events can be traced to the actions of a specific individual. To fully implement an audit trails program, audit reduction and analysis tools are also required. Least privilege is a concept that deals with limiting damage through the enforcement of separation of duties. It refers to the principle that users and processes should operate with no more
privileges than those needed to perform the duties of the role they are
currently assuming.

1051
Q

Which of the following security principles balances various variables such as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and opportunities involved in a successful
compromise of security features?

a. Compromise recording
b. Work factor
c. Psychological acceptability
d. Least common mechanism

A

b. The goal of the work factor principle is to increase an attacker’s work factor in breaking an information system or a network’s security features. The amount of work required for an attacker to break the
system or network (work factor) should exceed the value that the attacker would gain from a successful compromise. Various variables such as cost and benefit; effort; value (negative and positive); time;
tools and techniques; gains and losses; knowledge, skills, and abilities (KSAs); and risks and opportunities involved in a successful compromise of security features must be balanced. The principle of compromise recording means computer or manual records and logs should be maintained so that if a compromise does
occur, evidence of the attack is available. The recorded information can be used to better secure the host or network in the future and can assist in identifying and prosecuting attackers. The principle of psychological acceptability encourages the routine and correct use of protection mechanisms by making them easy to use,
thus giving users no reason to attempt to circumvent them. The security mechanisms must match the user’s own image of protection goals. The principle of least common mechanism requires the minimal
sharing of mechanisms either common to multiple users or depended upon by all users. Sharing represents possible communications paths between subjects used to circumvent security policy.

1052
Q

Certification and accreditation needs must be considered in all the following phases of system development life cycle except:

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. The major outputs from the implementation (testing) phase
include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security features are tested to see if they work and are then certified.

1053
Q

A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Operation/maintenance
d. Implementation

A

d. Certifications performed on applications under development are interleaved with the system development process. Certification and accreditation needs must be considered in the validation, verification,
and testing phases employed throughout the system development process (i.e., development and implementation). It does not address the operation/maintenance phase.

1053
Q

The activity that would be different between a prototype development approach and the traditional system development approach is:

a. How are activities to be accomplished?
b. What do users need from the system?
c. What should a project plan contain?
d. How are individual responsibilities defined?

A

a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and approaches used in the prototype development project and
traditional system development project are different.

1054
Q

Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper
development of a prototype?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. System testing, which is a part of implementation, is important to determine whether internal controls and security controls are operating as designed and are in accordance with established policies
and procedures. In the prototyping environment, there is a tendency to compress system initiation, definition, design, programming, and training phases.
However, the testing phase should not be compressed so much for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping
development methodology without loss of the main features, functions, and quality.

1055
Q

A general testing strategy for conducting an application software regression testing includes which of the following sequence of tasks?

a. Read, insert, and delete
b. Precompile, link, and compile
c. Prepare, execute, and delete
d. Test, debug, and log

A

c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log. This approach is recommended for debugging and validating purposes. Read, insert, and delete describe the transfer of all rows from Table A to Table B, in that a table is read,
inserted into, and deleted. A source program is precompiled, linked, and compiled to become an object or executable program. A source program is tested (errors discovered), debugged (errors removed), and logged for review and further action.

1055
Q

Which of the following tests would be conducted when an application system in an organization exchanges data with external application systems?

a. Unit test
b. Integration test
c. End-to-end test
d. System acceptance test

A

c. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an
operational environment. These interrelated systems include not only
those owned and managed by the organization, but also the external
systems with which they interface.
Unit test is incorrect because its purpose is to verify that the smallest defined module of software (i.e., individual subprograms, subroutines, or procedures) works as intended. These modules are internal to an
organization. Integration test is incorrect because its purpose is to verify that units of software, when combined, work together as intended. Typically, a number of software units are integrated or linked
together to form an application. Again, this test is performed internally in an organization. System acceptance test is incorrect because its purpose is to verify that the complete system satisfies specified
requirements and is acceptable to end users.

1056
Q

Which of the following can give a false sense of security?

a. A test tool that requires planning.
b. A test tool that produces error-free software.
c. A test tool that requires time and effort.
d. A test tool that requires experience to use

A

b. A test tool cannot guarantee error-free software; it is neither a cure-all nor a silver bullet. For some, it may give a false sense of security. The test tool still requires careful planning, time, effort, and experience on the part of those who use it before it yields any benefit.

1057
Q

Which of the following software configuration-management capabilities available for client/server systems can help to detect and correct errors?

a. Install check-in/check-out modules.
b. Archive source code.
c. Allow backtracking.
d. Assemble new builds.

A

c. Errors are made in several places and times: (i) when source code is developed, (ii) when modules are initially written, (iii) when an enhancement is being added to a module, (iv) when another error is
fixed, and (v) when code is being moved from one module to another. Software configuration management products have a backtracking feature to correct these types of errors. The product should list the
exact source code changes that make up each build. Then, these changes are examined to identify which one can create the new error. The concept of check-in/check-out software enables multiple
developers to work on a project without overwriting one another’s work. It is a fundamental method of preventing errors from being included or reintroduced into software modules.

1057
Q

Which of the following requires a higher level of security protection in terms of security controls?

a. Test procedures
b. Test cases
c. Test repository
d. Test plans

A

c. The test repository consists of test plans, test cases, test procedures, test requirements, and test objectives maintained by the software test manager. Because of the concentrated work products, the test repository needs a higher level of security protection from
unauthorized changes. Test procedures, test cases, and test plans are part of the test repository.

1058
Q

From a security viewpoint, which of the following poses a severe security problem?

a. Unattended computer operations
b. Unattended computer terminal
c. Unattended software testing
d. Unattended facsimile machine

A

b. An unattended computer terminal represents a severe security violation. An unauthorized user could seize the opportunity to access sensitive data. The data could be copied, deleted, added to, or
modified. An intruder can also use this occasion to modify executable files. A virus, Trojan horse, or a password-sniffing program could easily be slipped onto the system in no time. Security logic that detects an idle terminal is needed.
Unattended computer operations are incorrect because they represent a
situation where most computer operational tasks are performed by
machines (robots) and fewer by people.
Unattended software testing is incorrect because testing is conducted by automated test tools without a person watching the testing process. The test tool continues running the test sessions by replaying one or more test scripts. It handles unforeseen circumstances gracefully. Unattended facsimile machine is incorrect because it can lead to social engineering attacks. The unattended computer operations, software
testing, and facsimile machine pose less risk than the unattended computer terminal.

1059
Q

Which of the following application software libraries can raise questions about data ownership rights?

a. Test library
b. Quality assurance library
c. Reusable library
d. Production library

A

c. A reusable library can improve software productivity and quality by increasing the efficient reuse of error-free code for both new and modified application software. “Who owns the reusable code?” is a legal question that requires a careful answer due to difficulty in tracing to the original author of the software. A test library is incorrect because it is where the new software is
developed or the existing software is modified. A quality assurance library is incorrect because it is a staging area where final quality reviews and production setup procedures take place. A production
library is incorrect because it is the official place where operational programs reside and execute to process data. Data ownership rights in these three libraries (test, quality assurance, and production) are clear and traceable to the author(s).

1059
Q

What do the most commonly used application program design structure metrics include?

a. Check-in and check-out indicators
b. Fan-in and check-out indicators
c. Fan-in and fan-out metrics
d. Fan-out metrics and check-in indicators

A

c. Fan-in and fan-out are based on program coupling. Fan-in is a count of the number of modules that call a given module, and fan-out is a count of the number of modules that are called by a given module. Both fan-in and fan-out measure program complexity. Check-in and check-out are program change controls where documents or data/program files will have a check-in or check-out indicator in system libraries to prevent their concurrent use by programmers and computer programs.

1060
Q

Which of the following application software testing approaches does not require stubs or drivers?

a. Top-down approach
b. Bottom-up approach
c. Sandwich approach
d. Big-bang approach

A

d. The big-bang approach puts all the units or modules together at once, with no stubs or drivers. In it, all the program units are compiled and tested at once.
Top-down approach is incorrect because it uses stubs. The actual code for lower level units is replaced by a stub, which is a throwaway code that takes the place of the actual code. Bottom-up approach is incorrect because it uses drivers. Units at higher levels are replaced by drivers
that emulate the procedure calls. Drivers are also a form of throwaway code. Sandwich approach is incorrect because it uses a combination of top-down (stubs) and bottom-up (drivers) approaches.

1061
Q

Which of the following is a less-formal review technique?

a. Inspections
b. Traceability analysis
c. Reviews
d. Walkthroughs

A

d. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, whereas the other members ask questions and make comments about technique, style, and identify possible errors, violations of development standards, and other
problems. Walkthroughs are similar to reviews but are less formal. Inspections are incorrect because they are an evaluation technique in which application software requirements, design, code, or other
products are examined by a person or group other than the author to detect faults, violations of development standards, and other problems. Inspections are more formal than walkthroughs. Traceability analysis is incorrect because it is the process of verifying that each specified requirement has been implemented in the
design/code, that all aspects of the
design/code have their basis in the
specified requirements, and that testing produces results compatible with the specified requirements. Traceability analysis is more formal than walkthroughs.
Reviews are incorrect because a review is a meeting at which the
requirements, design, code, or other products of software development
project are presented to the user, sponsor, or other interested parties for
comment and approval, often as a prerequisite for concluding a given
phase of the software development process. Reviews are more formal
than walkthroughs.

1062
Q

Inspections cannot detect which of the following errors in application software?

a. Incomplete requirements errors
b. Infeasible requirements errors
c. Conflicting requirements errors
d. Input/output description errors

A

d. An inspection is an evaluation technique in which software requirements, design, code, or other products are examined by a person or group, other than the author, to detect faults, violations of development standards, and other problems. Input/output description errors are detected in the interface testing phase. The types of errors detected in inspections include incomplete requirements errors,
infeasible requirements errors, and conflicting requirements errors.

1063
Q

Decision tables are used in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

a. The purpose of decision tables is to provide a clear and coherent analysis of complex logical combinations and relationships. This method uses two-dimensional tables to concisely describe logical relationships between Boolean program variables (for example, AND and OR). Advantages of decision tables include (i) their conciseness
and tabular nature enables the analysis of complex logical combinations expressed in code and (ii) they are potentially executable if used as specifications. Disadvantages include that they require tedious effort. The requirements analysis, which is a part of initiation phase, is the best place to use the decision table.

1063
Q

Which of the following is an example of a dynamic analysis to detect application software errors?

a. Inspections
b. Code reading
c. Testing
d. Tracing

A

c. Dynamic analysis techniques involve the execution of a product and analysis of its response to sets of input data to determine its validity and to detect errors. The behavioral properties of the program are also observed. The most common type of dynamic analysis technique is testing. Testing of software is usually conducted on
individual components (for example, subroutines and modules) as they are developed, on software subsystems when they are integrated with one another or with other system components, and on the complete system. Another type of testing is acceptance testing performed before the user accepts the product. Inspections, code reading, and tracing are examples of static analysis. Static analysis is the analysis of requirements, design, code, or other items either manually or automatically, without executing the subject of the analysis to determine its lexical and syntactic properties as opposed to its behavioral properties.

1064
Q

Data-flow diagrams are used in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

a. Data-flow diagrams are used to describe the data flow through a program in diagrammatic form. They show how data input is transformed to output, with each stage representing a distinct transformation. The diagrams use three types of components:
1. Annotated bubbles represent transformation centers, and the annotation specifies the transformation.
2. Annotated arrows represent the data flow in and out of the transformation centers; annotations specify what the data is.
3. Operators (AND and OR) link the annotated arrows.
Data-flow diagrams describe only data and should not include control or sequencing information. Each bubble can be considered a black box that, as soon as its inputs are available, transforms them to outputs. Each bubble should represent a distinct transformation, whose output is somehow different from its input.

1064
Q

Finite state machines (FSMs) are used in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

a. The purpose of a finite state machine (FSM) is to define or implement the control structure of a system. Many systems can be defined in terms of their states, inputs, and actions. By defining a system's actions for each input in every state, you can completely define a system. The resulting model of the system is an FSM, which can detect incomplete or inconsistent requirements specifications.

1065
Q

Desk-checking is practiced in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. In desk-checking, programming code is read by an expert, other than the author of the code, who performs any of the following: (i) looking over the code for obvious defects, (ii) checking for correct procedure interfaces, (iii) reading the comments to develop a sense of what the code does and then comparing it to its external specifications, (iv) comparing comments to design documentation, (v) stepping through with input conditions contrived to exercise all paths, including those not directly related to the external specifications, (vi) checking for compliance with programming standards and conventions, or (vii) any combination of these. As can be seen, desk-checking is a technical exercise performed by programmers.

1066
Q

Mutation analysis is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. The purpose of mutation analysis is to determine the thoroughness with which a program has been tested and, in the process, detect errors. This procedure involves producing a large set of versions (mutants) of the original program, each derived by altering a single element of the program (for example, changing an operator, variable, or constant). Each mutant is then run against a given collection of test data sets. Because each mutant is a different program from the original, adequate testing should demonstrate that difference: if every mutant produces output that differs from the output of the original program, the test set is considered adequate and the program correct. A mutant whose output matches the original on every test case (a surviving mutant) points to behavior the test set does not exercise. Mutation analysis requires good automated tools to be effective.
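The procedure above, as an added example that is not part of the original flashcard: a small mutation-analysis tool in Python that parses a constructed access-check function, derives mutants by changing one comparison operator or one boolean constant at a time, runs every mutant against two constructed test sets, and reports which mutants survive. The function allowed(), the test data, and the mutation operators are all assumptions made for the example.

```python
import ast
import copy
from typing import Callable, Dict, Iterator, List, Tuple

# Program under test (constructed for the example): grant access only if the caller's
# level reaches the object's required level and the account is not locked.
SOURCE = '''
def allowed(level, required, locked):
    if locked:
        return False
    return level >= required
'''

# Test data sets (constructed): (arguments, output of the ORIGINAL program).
STRONG_TESTS: List[Tuple[tuple, bool]] = [
    ((3, 2, False), True),
    ((2, 2, False), True),    # boundary case: level equal to the required level
    ((1, 2, False), False),
    ((3, 2, True), False),
]
# The same set without the boundary case.
WEAK_TESTS = [t for t in STRONG_TESTS if t[0] != (2, 2, False)]

# Each mutant changes exactly one element: a comparison operator or a boolean constant.
COMPARE_SWAPS = {ast.GtE: ast.Gt, ast.Gt: ast.GtE, ast.LtE: ast.Lt, ast.Lt: ast.LtE,
                 ast.Eq: ast.NotEq, ast.NotEq: ast.Eq}


def _load(tree: ast.Module, name: str) -> Callable:
    """Compile a module AST and return the function called `name` defined in it."""
    namespace: Dict[str, object] = {}
    exec(compile(tree, "<mutant>", "exec"), namespace)
    return namespace[name]


def generate_mutants(tree: ast.Module) -> Iterator[Tuple[str, ast.Module]]:
    """Yield (description, mutated copy) for every single-operator or single-constant change."""
    for idx, node in enumerate(ast.walk(tree)):
        if isinstance(node, ast.Compare):
            for pos, op in enumerate(node.ops):
                repl = COMPARE_SWAPS.get(type(op))
                if repl is None:
                    continue
                mutant = copy.deepcopy(tree)
                # ast.walk visits the copy in the same order, so index idx is the same node.
                list(ast.walk(mutant))[idx].ops[pos] = repl()
                yield f"line {node.lineno}: {type(op).__name__} -> {repl.__name__}", mutant
        elif isinstance(node, ast.Constant) and isinstance(node.value, bool):
            mutant = copy.deepcopy(tree)
            list(ast.walk(mutant))[idx].value = not node.value
            yield f"line {node.lineno}: {node.value} -> {not node.value}", mutant


def mutation_score(source: str, func_name: str, tests) -> Tuple[int, int, List[str]]:
    """Run every mutant against the test data; return (killed, total, surviving mutants)."""
    tree = ast.parse(source)
    original = _load(tree, func_name)
    for args, expected in tests:
        if original(*args) != expected:
            raise AssertionError(f"test data does not pass on the original program: {args}")
    survivors: List[str] = []
    total = 0
    for description, mutant in generate_mutants(tree):
        total += 1
        mutated = _load(mutant, func_name)
        # A mutant is "killed" when some test case makes its output differ from the original's.
        killed = any(mutated(*args) != expected for args, expected in tests)
        if not killed:
            survivors.append(description)
    return total - len(survivors), total, survivors


if __name__ == "__main__":
    for label, tests in (("strong", STRONG_TESTS), ("weak", WEAK_TESTS)):
        killed, total, survivors = mutation_score(SOURCE, "allowed", tests)
        print(f"{label} test set: killed {killed}/{total}; survivors: {survivors}")
```

With the boundary case present both mutants are killed; without it the `>=` to `>` mutant survives, which is exactly the off-by-one in an access check that a test set without boundary values would let through.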

1067
Q

Error-seeding is planted in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. The purpose of error-seeding is to determine whether a set of test cases is adequate. Some known error types are inserted into the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. The proportion of seeded errors found is taken as the proportion of real errors found, which gives an estimate of the total number of real errors; subtracting the number of real errors actually found from that estimate gives the number of errors remaining, and the remaining test effort can then be estimated. If all the seeded errors are found, this indicates either that the test case set is adequate or that the seeded errors were too easy to find.

1067
Q

Sensitivity analysis is conducted in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. Sensitivity analysis is a new method of quantifying ultra-reliable software during the implementation phase. It is based on a fault-failure model of software and on the premise that software testability can predict the probability that a failure occurs when a fault exists, given a particular input distribution. A sensitive location is one in which faults cannot hide during testing. The internal states are disturbed to determine sensitivity. This technique requires instrumentation of the code and produces a count of the total executions through an operation, an infection rate estimate, and a propagation analysis.

1068
Q

Boundary-value analysis is conducted in which of the following phases of a system development life cycle (SDLC)?

a. Requirements
b. Design
c. Implementation
d. Maintenance

A

c. The purpose of boundary-value analysis is to detect and remove errors occurring at parameter limits or boundaries. The input domain of the program is divided into a number of input classes. The tests should cover the boundaries and extremes of the classes. The tests check that the boundaries of the input domain of the specification coincide with those in the program. Test cases should also be designed to force the output to its extreme values. If possible, a test case that causes output to exceed the specification boundary values should be specified. If output is a sequence of data, special attention should be given to the first and last elements and to lists containing zero, one, and two elements.
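An added example, not from the original flashcard, of the boundary-value tests the answer describes: the input-class boundaries (lengths just below, on, and just above each limit of a constructed 4-to-8-digit PIN field) and the output-sequence boundaries (lists of zero, one, and two elements) are generated and run against implementations that carry constructed off-by-one defects, with the specification serving as the oracle. spec_pin_ok, impl_pin_ok, spec_batches and impl_batches are assumptions made for the example.

```python
from typing import Callable, List, Tuple


def boundary_values(lo: int, hi: int) -> List[int]:
    """Values just below, on, and just above each edge of the closed input class [lo, hi]."""
    return sorted({lo - 1, lo, lo + 1, hi - 1, hi, hi + 1})


# --- Input boundaries: a PIN field specified as 4 to 8 decimal digits inclusive ---

def spec_pin_ok(pin: str) -> bool:
    """Oracle taken straight from the (constructed) specification."""
    return pin.isdigit() and 4 <= len(pin) <= 8


def impl_pin_ok(pin: str) -> bool:
    """Implementation under test, with a constructed off-by-one at the lower boundary."""
    return pin.isdigit() and 4 < len(pin) <= 8


def run_input_boundary_tests(impl: Callable[[str], bool], spec: Callable[[str], bool],
                             lo: int, hi: int) -> List[Tuple[int, bool, bool]]:
    """Return (length, impl result, spec result) for every boundary length where they disagree."""
    failures = []
    for n in boundary_values(lo, hi):
        if n < 0:
            continue
        pin = "7" * n                      # a PIN of exactly the boundary length
        if impl(pin) != spec(pin):
            failures.append((n, impl(pin), spec(pin)))
    return failures


# --- Output boundaries: splitting a list into batches; lists of 0, 1 and 2 elements matter ---

def spec_batches(items: list, size: int) -> List[list]:
    """Oracle: every element appears, in order, in batches of at most `size`."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def impl_batches(items: list, size: int) -> List[list]:
    """Constructed defect: the loop stops one batch early and drops a trailing partial batch."""
    return [items[i:i + size] for i in range(0, len(items) - size + 1, size)]


def run_sequence_boundary_tests(impl, spec, size: int = 2) -> List[int]:
    """Try lengths 0, 1, 2 and the lengths around one full batch; return those where impl and spec differ."""
    failures = set()
    for n in (0, 1, 2, size - 1, size, size + 1):
        items = list(range(n))
        if impl(items, size) != spec(items, size):
            failures.add(n)
    return sorted(failures)


if __name__ == "__main__":
    print("PIN boundary failures:", run_input_boundary_tests(impl_pin_ok, spec_pin_ok, 4, 8))
    print("batch boundary failures (list lengths):", run_sequence_boundary_tests(impl_batches, spec_batches))
```

The PIN defect is invisible to any test of length 5 through 8 and is caught only by the value sitting exactly on the lower limit; the batching defect is invisible for an empty list and for a list that fills one batch exactly, and shows up for one-element and three-element inputs, which is why the answer singles out the zero, one and two element cases.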

1069
Q

Formal methods or verification of application software is performed in which of the following phases of system development life cycle (SDLC)?

a. Initiation and development
b. Development and implementation
c. Implementation and operation
d. Operation and disposal

A

a. The purpose of formal methods is to check whether software fulfills its intended function. It involves the use of theoretical and mathematical models to prove the correctness of a program without executing it. The requirements should be written in a formal specification language (for example, VDM and Z) so that these requirements can then be verified using a proof of correctness. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. A number of assertions are stated at various locations in the program and are used as pre- and post-conditions for the various paths in the program. The proof consists of showing that the program transforms the pre-conditions into the post-conditions according to a set of logical rules, and that the program terminates.
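As an added worked example (not from the source), here is the proof-of-correctness style the answer describes, applied to a small constructed loop that sums the first $n$ elements of an array $a$. Assertions are placed at program points as pre- and post-conditions, and the proof shows that each path transforms its pre-condition into its post-condition and that the loop terminates:

$$\{\, n \ge 0 \,\}\quad i := 0;\ s := 0;\quad \{\, I \,\}\quad \mathbf{while}\ i < n\ \mathbf{do}\ \{\, I \wedge i < n \,\}\ s := s + a[i];\ i := i + 1\ \{\, I \,\}\ \mathbf{od}\quad \{\, I \wedge i \ge n \,\}$$

with the loop invariant

$$I \;\equiv\; 0 \le i \le n \;\wedge\; s = \sum_{k=0}^{i-1} a[k].$$

1. Initialisation: after $i := 0;\ s := 0$ we have $0 \le 0 \le n$ (from the pre-condition $n \ge 0$) and $s = 0 = \sum_{k=0}^{-1} a[k]$ (the empty sum), so $I$ holds on entry to the loop.
2. Preservation: assume $I \wedge i < n$. The body yields $s' = s + a[i] = \sum_{k=0}^{i} a[k]$ and $i' = i + 1 \le n$, so $0 \le i' \le n \wedge s' = \sum_{k=0}^{i'-1} a[k]$, which is $I$ again.
3. Exit: $I \wedge \neg(i < n)$ gives $i = n$, hence the post-condition $s = \sum_{k=0}^{n-1} a[k]$.
4. Termination: the variant $n - i$ is a non-negative integer under $I$ and strictly decreases on every iteration, so the loop terminates.

Steps 1 to 3 establish partial correctness (the post-condition holds whenever the loop exits); step 4 turns it into total correctness, which is what the answer's last clause requires.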

1070
Q

Which of the following techniques cannot be used in all phases of a system development life cycle (SDLC)?

a. Prototyping
b. Reviews
c. Simulation
d. Walkthroughs

A

a. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier's interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer's criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements of the system.
A review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. A review is usually held at the end of a phase, but it may be called when problems arise.
Simulation is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software.
A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, while the other members ask questions and make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal.

1071
Q

Techniques such as prototyping and simulation cannot be used in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier's interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer's criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define the user requirements and the design of the system. Simulation or modeling is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A model of the system to be controlled by the actual system under test is created. This model mimics the behavior of the controlled system and is for testing purposes only. Although prototyping and simulation can be used in the system maintenance phase, the payback would be less than in the development phase. The scope of system maintenance work is usually small and minor, which makes the use of prototyping and simulation techniques cost-prohibitive.

1071
Q

Which of the following require an extensive testing effort in an application system integration project?

a. Regression testing
b. Interoperability testing
c. Load testing
d. Security testing

A

b. Adherence to a common standard ensures the interoperability of software components. Extensive testing is required to ensure that software components can communicate effectively in both single-processor and distributed processing environments. In a networked environment, it must be remembered that, when any component is added or replaced/upgraded, a large number of tests have to be run to ensure that the integrity and performance of the network have been retained. Therefore, tests must be repeatable and well documented. Hence, regression tests are necessary. In load testing, many combinations and permutations of workload patterns can be imposed on the components of a networked configuration. Although it would be difficult, if not impossible, to test them all, a thorough analysis of the expected workload is required to identify the most likely traffic patterns for this testing procedure. By their nature, networked systems provide a great number of opportunities for violating system security. This is especially true when security levels are not uniformly imposed throughout a configuration made of multiple, interconnected local-area networks. Systemwide security testing is required to identify any security fault that may have been overlooked in the integrated system design.

1072
Q

The capability of an application system to survive misuse by naive users is examined in which of the following testing approaches?

a. Functional testing
b. Performance testing
c. Resiliency testing
d. Recovery testing

A

c. Resiliency testing measures the durability of the system. In functional testing, correctness of system operation under normal operating conditions is demonstrated. In performance testing, system throughput and response times under varying load conditions are demonstrated. In recovery testing, the ability of the system to resume operating after partial or total system failure is determined. Both the system and individual components are tested to determine the ability to operate within the fallback and recovery structure established for the system.

1072
Q

From a testing viewpoint, when does a formal change control mechanism start?

a. After completion of integration testing
b. After completion of unit testing
c. After completion of systems testing
d. After completion of acceptance testing

A

a. Integration testing is the cutoff point for the development project, and, after integration, it is labeled the back end. Integration is the development phase in which various parts and components are integrated to form the entire software product, and, usually after integration, the product is under formal change control. Specifically, after integration testing, every change to the software must have a specific reason and must be documented and tracked. It is too early to have a formal change control mechanism during unit testing because of constant changes to program code. It is too late to have a formal change control mechanism after completing system and acceptance testing.

1073
Q

What is the correct sequence of application software testing?

a. Integration test, unit test, systems test, acceptance test
b. Unit test, systems test, integration test, acceptance test
c. Acceptance test, unit test, integration test, systems test
d. Unit test, integration test, systems test, acceptance test

A

d. A system development life cycle moves through the unit test, integration test, system test, and acceptance test in that sequence. Programmers perform both the unit test and integration tests, whereas
system testing is conducted jointly between users and programmers. End users and production operations staff, from their own viewpoint, perform acceptance testing. The quality of a computer system is enhanced if this sequence is followed during software testing.

1074
Q

Effective controls during the application software-testing phase include which of the following?

a. Test cases and test documentation
b. Test summaries and test execution reports
c. Activity logs, incident reports, and software versioning
d. Test cases rejected and test cases accepted

A

c. Activity logs contain a record of all the test cases executed. Incident reports show a priority assigned to test problems during test execution. All incidents logged should be resolved within a reasonable time. Software versioning controls the program source versions to ensure that there is no duplication or confusion between multiple versions. Test cases and test documentation are incorrect because test cases contain a listing of all possible tests to be executed with their associated data, and test documentation includes test plans, test objectives, and approaches.
Test summaries and test execution reports are incorrect because a test summary is a brief description of what is changing. Key words are used so that project personnel reading the log can scan for items that may affect their work. Test execution reports show the status of software testing execution to management with summary information. Test cases rejected and test cases accepted are incorrect because they simply list what test cases were rejected or accepted. Documents such as test cases, test documentation, test summaries, test execution reports, and test cases rejected and accepted do not have the same monitoring and controlling effect as documents such as activity logs, incident reports, and software versioning.

1074
Q

Which of the following software testing levels is least understood by software developers and end users?

a. Integration testing
b. Unit testing
c. System testing
d. Module testing

A

a. Integration testing is conducted when software units are integrated with other software units or with system components. Its objective is to test the interfaces among separately tested program units. Software integration tests check how the units interact with other software (for example, libraries) and hardware. Integration testing is in the middle; it is neither unit testing nor system testing. The approach to integration testing varies: top-down, bottom-up, a combination of top-down and bottom-up (sandwich), or all-at-once (big-bang). Because integration testing can be conducted in so many ways, and because there is no base document such as a specification to rely upon when deriving the tests, its objectives are difficult to understand clearly.
Unit testing and module testing are incorrect because they are the best understood of all. Unit testing is the same as module testing. Unit/module test cases are derived from the detailed design documentation of the unit. Each unit or module has a defined beginning and ending and deals with specific inputs and outputs. Boundaries are also well defined.
System testing is incorrect because it is better understood than integration testing. End users know what they expect from the system because it is based on functional instead of structural knowledge. System test cases are derived from the requirements specification document.

1075
Q

Which of the following system development approaches is best when system requirements are fully understood by either the end user or the software developer?

a. Waterfall model
b. Incremental development model
c. Evolutionary development model
d. Rapid prototyping model

A

a. Functional decomposition works best when the system requirements are completely understood by the software developer or the end user. The waterfall model works on the functional decomposition principle. It assumes that system requirements can be defined thoroughly, and that end users know exactly what they want from the system.
Incremental and evolutionary development models are incorrect because in them successive versions of the system are developed, reflecting constrained technology or resources. Requirements are added in a layered manner. The rapid prototyping model is incorrect because it is quite the opposite of the waterfall model. That is, it is good when requirements are not fully understood by both parties. Due to the iterative process, the specification-to-customer feedback cycle time is reduced, thus producing early versions of the system.

1075
Q

Which of the following is the least beneficial of an application software test log?

a. Recording actions for problem resolution
b. Tracing events on post-test basis
c. Reporting problems for compliance to a policy
d. Promoting tester accountability

A

c. An application software test log has several benefits. Reporting problems for the sake of reporting, or for compliance with a policy or a procedure, is the least beneficial. What is done with the report is more important than just reporting. The other three choices are incorrect because they are the most important benefits. The log shows a record of all problems encountered during testing so that events can be traced for verification. The log can also be used as a training tool for new testers because it shows what happened in the past. Most of all, the log indicates what the tester did or did not do during testing. It forces testers to document the actions taken or decisions made during testing.

1076
Q

The application software test objective of verifying boundary conditions of a program is achieved in which of the following types of software testing approaches?

a. Stress testing
b. Conversion testing
c. Performance testing
d. Regression testing

A

a. Stress testing involves the response of the system to extreme conditions (for example, an exceptionally high workload over a short span of time) to identify vulnerable points within the software and to show that the system can withstand normal workloads. Examples of testing conditions that can be applied during stress testing include the following: (i) if the size of the database plays an important role, increase it beyond normal conditions, (ii) increase the input changes or demands per time unit beyond normal conditions, (iii) tune influential factors to their maximum or minimum speed, and (iv) for the most extreme cases, put all influential factors at their boundary conditions at the same time. Stress testing can detect design errors related to the full-service requirements of the system and errors in planning defaults for when the system is overstressed. Conversion testing is incorrect because it determines whether old data files and record balances are carried forward accurately, completely, and properly to the new system. Performance testing is incorrect because it measures the resources required, such as memory and disk, and determines system response time. Regression testing is incorrect because it verifies that changes do not introduce new errors.

1076
Q

Security categorization is performed in which of the following phases of an application system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.

1076
Q

Configuration management and control is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task performed in the operation/maintenance phase.

1077
Q

In which of the following system development life cycle (SDLC) models has the concept of application software reuse been incorporated?

a. Waterfall model
b. Object-oriented model
c. Prototype model
d. Spiral model

A

b. The notion of software component reuse was developed with the invention of the object-oriented development approach. After the design model has been created, the software developer browses a library, or repository, that contains existing program components to determine if any of the components can be used in the design at hand. If reusable components are found, they are used as building blocks to construct a prototype of the software.
The waterfall model is incorrect because it takes a linear, sequential view of the software engineering process. The waterfall method is another name for the classic software development life cycle. The prototype model is incorrect because it is a process that enables the developer to create a model of the software, built in an evolutionary manner. The spiral model is incorrect because it is another type of evolutionary model. It was developed to provide the best features of both the classic life cycle approach and prototyping. None of these three choices provides for software reuse.

1078
Q

Continuous monitoring is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.

1079
Q

Which of the following are examples of local threats in Windows XP systems?

a. Unauthorized local access and malicious payloads
b. Boot process and privilege escalation
c. Network services and data disclosure
d. Boot process and data disclosure

A

b. Local threats in Windows XP systems include the boot process, unauthorized local access, and privilege escalation. A boot process threat results when an unauthorized individual boots a computer from third-party media (for example, removable drives and universal serial bus [USB] token storage devices), which permits the attacker to circumvent operating system security measures. An unauthorized local-access threat results when an individual who is not permitted to access a computer system gains local access. A privilege escalation threat results when an authorized user with normal user-level rights escalates the account's privileges to gain administrator-level access. Remote threats in Windows XP systems include network services, data disclosure, and malicious payloads. A network service threat results when remote attackers exploit vulnerable network services on a computer system. This includes gaining unauthorized access to services and data, and causing a denial-of-service (DoS) condition. A data disclosure threat results when a third party intercepts confidential data sent over a network. A malicious payload threat results when malicious payloads (for example, viruses, worms, Trojan horses, and active content) attack computer systems through many vectors. System end users may accidentally trigger malicious payloads.

1080
Q

Attackers can use which of the following flaws to attack back end components through a Web application?
a. Broken access control
b. Unvalidated input
c. Broken authentication
d. Cross-site scripting flaws

A

b. According to the Open Web Application Security Project (OWASP), unvalidated input is the flaw in which information from Web requests is not validated before being used by a Web application; attackers can use it to attack back-end components through the Web application.
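An added example (not part of the original flashcard) of the flaw the answer describes, using an in-memory SQLite database as the back-end component: a lookup that pastes request data into the SQL text, beside a parameterized version and a version that also validates the username against an allow-list pattern before it reaches the back end. The table, rows, pattern, and attack string are all constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed back-end data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),
        ("bob", "bob@example.com", "user"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Request data is pasted into the SQL text, so the back end executes whatever the client sent."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The value travels as a bound parameter; it can never change the statement's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Positive (allow-list) validation: what a username may look like, not what it may not.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Validate at the application boundary, then still use a parameterized query at the back end."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_parameterized(conn, username)


# Constructed attack input: closes the quoted literal and appends an always-true clause.
INJECTED = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "bob"))
    print("vulnerable, attack input:", lookup_vulnerable(conn, INJECTED))
    print("parameterized, attack input:", lookup_parameterized(conn, INJECTED))
    try:
        lookup_hardened(conn, INJECTED)
    except ValueError as exc:
        print("hardened, attack input rejected:", exc)
```

The two defenses are layered on purpose: parameterization alone already stops the injection (the attack string simply matches no user), and validation alone would be fragile if the pattern were ever loosened; rejecting malformed input at the boundary also keeps junk out of logs and other back-end components that the same request may reach.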

1081
Q

The information systems security analyst's participation in which of the following system development life cycle (SDLC) phases provides maximum benefit to the organization?

a. System requirements definition
b. System design
c. Program development
d. Program testing

A

a. It is during the system requirements definition phase that the project team identifies the controls required for the system. The identified controls are then incorporated into the system during the design phase. Given a choice between the system requirements definition phase and the design phase, the organization benefits most from the analyst participating in the former. The analyst does not need to participate in the program development or testing phase.

1082
Q

What is a malicious unauthorized act that is triggered upon initiation of a predefined event or condition and resides within a computer program known as?

a. Logic bomb
b. Computer virus
c. Worm
d. NAK attack

A

a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time, whereas a logic bomb is set to trigger on a particular condition, event, or command. The logic bomb could be a computer program or a code fragment. Computer virus is incorrect because a virus "reproduces" by making copies of itself and inserting them into other programs. Worm is incorrect because it searches the network for idle computing resources and uses them to execute the program in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique capitalizing on a potential weakness in an operating system that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. The NAK is a transmission control character from binary synchronous communications, sent as a negative response to data received, meaning that the data was not received correctly or that a command was incorrect or unacceptable.

1083
Q

What is the name of the malicious act of a computer program looking normal but containing harmful code?

a. Trapdoor
b. Trojan horse
c. Worm
d. Time bomb

A

b. A Trojan horse fits the description. It is a program that appears to perform a useful function but also performs an unexpected, harmful action. Trapdoor is incorrect because it is an entry point built into a program, created by programmers for debugging purposes. Worm is incorrect because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a part of a logic bomb, where a damaging act triggers some period of time after the bomb is set.

1083
Q

In the software capability maturity model, continuous process improvement takes place in which of the following levels?

a. Managed level
b. Optimizing level
c. Defined level
d. Repeatable level

A

b. Continuous process improvements are expected at the optimizing level of the software capability maturity model. They are enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

1084
Q

Which of the following tests identify vulnerabilities in application systems?

a. Functional test
b. Performance test
c. Stress test
d. Security test

A

d. The purpose of security testing is to assess the robustness of the system's security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests, where the purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users. Functional test is incorrect because the purpose of functional or black box testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean time to repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates) and severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.

1085
Q

When does a major risk in application software prototyping occur?

a. The prototype becomes the finished system.
b. User’s expectations are inflated.
c. Too much attention is paid to cosmetic details.
d. The model is iterated too many times.

A

a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping, where the prototype is deliberately refined until it becomes the production system (as opposed to throwaway prototyping, where a pilot system is built, discarded, and the real system is then built from what was learned). Inflated user expectations is a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad, except that it wastes valuable time. The prototype model is supposed to be iterated many times, because that is the best way to define and redefine user requirements and security features until the users are satisfied.

1085
Q

Security planning is performed in which of the following phases of a system development life cycle (SDLC)?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.

1086
Q

Which of the following actions is performed in the detailed design phase of a system development life cycle (SDLC) project?

a. Defining control, security, and audit requirements
b. Developing screen flows with specifications
c. Identifying major purpose(s) of the system
d. Developing system justification

A

b. A detailed design occurs after the general design is completed where known tasks are described and identified in a much more detailed fashion and are ready for program design and coding. This
includes developing screen/program flows with specifications, input and output file specifications, and report specifications.
The other three choices are incorrect because, by definition, they are examples of activities taking place in the general design phase. System requirements are the input to the general design, where the system is viewed top-down and higher-level design issues are addressed. This includes (i) identifying the purpose and major functions of the system and its subsystems, (ii) defining control, security, and audit requirements, and (iii) developing the system justification and the analysis of alternative design choices for approval.

1087
Q

When attackers compromise passwords, keys, and session cookies, it can lead to which of the following flaws?

a. Broken access control
b. Unvalidated input
c. Broken authentication
d. Cross-site scripting flaws

A

c. Broken authentication means account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.

1087
Q

Attackers use which of the following to corrupt a Web application execution stack?

a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling

A

a. Buffer overflows occur when web application components (for example, common gateway interface, libraries, drivers, and Web application servers) that do not properly validate input can be crashed and, in some cases, used to take control of a process.

1088
Q

When Web applications use cryptographic functions that have proven difficult to code properly, it can lead to which of the following?

a. Insecure storage
b. Improper error handling
c. Injection flaws
d. Insecure configuration management

A

a. Web applications frequently use cryptographic functions to protect information and credentials in storage. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
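The "weak protection" the answer describes is usually a fast, unsalted hash of the credential. The following is an added example, not code from the flashcard source, contrasting that pattern with a salted, slow key-derivation verifier. The record format (`pbkdf2_sha256$iterations$salt$digest`), the iteration count and the function names are assumptions for illustration; the constructed passwords are sample input.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example (not taken from the flashcard text).
PBKDF2_ITERATIONS = 600_000   # the order of magnitude currently recommended for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The 'insecure storage' pattern: one unsalted, fast hash per password.
    Identical passwords give identical digests, so a leaked table can be attacked
    with precomputed tables, and MD5 is cheap enough to brute-force directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Derive a slow, per-user-salted verifier and encode it as a self-describing record,
    so the parameters can be raised later without breaking existing accounts."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the verifier from the stored parameters and compare in constant time.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample credentials.
    print("weak:", weak_hash("hunter2"), "==", weak_hash("hunter2"))
    rec = store_password("hunter2")
    print("record:", rec)
    print("verify right:", verify_password("hunter2", rec), "wrong:", verify_password("hunter3", rec))
```

Note that two calls to `store_password` with the same password produce different records because of the random salt, which is exactly the property the MD5 version lacks. Where a memory-hard function (scrypt, Argon2) is available it is preferable to PBKDF2; the structure of the record and the constant-time comparison stay the same.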

1088
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology.
RGO cannot afford to fail.

Security planning is performed in which of the following phases of an SDLC?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task
performed in the development/acquisition phase.

1089
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology.
RGO cannot afford to fail.

Security categorization is performed in which of the following phases of an SDLC methodology?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.

1090
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Configuration management and control is performed in which of the following phases of an SDLC?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task
performed in the operation/maintenance phase.

1091
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Continuous monitoring is performed in which of the following phases of an SDLC?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.

1091
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Security certification and accreditation is performed in which of the following phases of an SDLC?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operations/maintenance

A

c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate
safeguards and countermeasures are in place to protect the organization’s information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security certification and accreditation tasks are performed in the
implementation phase.

1092
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Media sanitization is performed in which of the following phases of an SDLC?

a. Development/acquisition
b. Implementation
c. Operations/maintenance
d. Disposition

A

d. Media sanitization ensures that data is deleted, erased, and written over as necessary. It is a task performed in the disposition phase.

1092
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and create a smooth transition to the new business process, the company is going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Security controls and audit trails should be built into computer systems in which of the following SDLC phases?

a. System initiation phase
b. System development phase
c. System implementation phase
d. System operation phase

A

b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users with system/security administrators develop system controls and audit trails used during the operational
phase.

1093
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and create a smooth transition to the new business process, the company is going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper
development of a prototype?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. System testing, which is a part of implementation, is important to
determine whether internal controls and security controls are operating as designed and are in accordance with established policies and procedures. In the prototyping environment, there is a tendency to compress system initiation, definition, design, programming, and training phases.
However, the testing phase should not be compressed so much for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping
development methodology without loss of the main features, functions, and quality.

1094
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

The activity that would be different between a prototype development approach and the traditional system development approach is:

a. How activities are to be accomplished
b. What users need from the system
c. What a project plan should contain
d. How individual responsibilities are defined

A

a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and approaches used in the prototype development project and
traditional system development project are different.

1094
Q

Fred has been told he needs to test a component of the new content management application under development to validate its data structure, logic, and boundary conditions. What type of testing should he carry out?

A. Acceptance testing
B. Regression testing
C. Integration testing
D. Unit testing

A

D. Unit testing involves testing an individual component in a controlled environment to validate data structure, logic, and boundary conditions. After a programmer develops a
component, it is tested with several different input values and in many different situations. Unit testing can start early
in development and usually continues throughout the development phase. One of the benefits of unit testing is finding problems early in the development cycle, when it is easier and less expensive to make changes to individual units.
A is incorrect because acceptance testing is carried out to ensure that the code meets customer requirements. This testing is for part or all of the application, but not commonly one individual component.
B is incorrect because regression testing refers to the retesting of a system after a change has taken place to ensure its functionality, performance, and protection.
Essentially, regression testing is done to identify bugs that have caused functionality to stop working as intended as a result of program changes. It is not unusual for developers to fix one problem, only to inadvertently create a new problem, or for the new fix to break a fix to an old problem.
Regression testing may include checking previously fixed bugs to make sure they have not re-emerged and rerunning
previous tests.
C is incorrect because integration testing involves verifying that components work together as outlined in design specifications. After unit testing, the individual components or units are combined and tested together to verify that they meet functional, performance, and reliability requirements.
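To make "data structure, logic, and boundary conditions" concrete, here is an added example that is not part of the flashcard set: a hypothetical component (a username validator with an assumed contract of 3 to 32 ASCII letters, digits or underscores, starting with a letter) and the unit tests a developer would write for it, probing each boundary from both sides. All names and rules are assumptions for illustration.

```python
import io
import unittest

# Hypothetical component under test (not from the flashcards).
MIN_LEN, MAX_LEN = 3, 32


def validate_username(name) -> bool:
    """Return True only for a well-formed username under the assumed contract."""
    if not isinstance(name, str):
        return False
    if not (MIN_LEN <= len(name) <= MAX_LEN):
        return False
    if not (name[0].isascii() and name[0].isalpha()):
        return False
    return all(c.isascii() and (c.isalnum() or c == "_") for c in name)


class UsernameBoundaryTests(unittest.TestCase):
    """Unit tests: inputs at and just beyond each boundary of the component's contract."""

    def test_length_boundaries(self):
        self.assertFalse(validate_username("a" * (MIN_LEN - 1)))   # one short of minimum
        self.assertTrue(validate_username("a" * MIN_LEN))          # exactly minimum
        self.assertTrue(validate_username("a" * MAX_LEN))          # exactly maximum
        self.assertFalse(validate_username("a" * (MAX_LEN + 1)))   # one over maximum

    def test_character_set(self):
        self.assertTrue(validate_username("bob_42"))
        self.assertFalse(validate_username("42bob"))      # must start with a letter
        self.assertFalse(validate_username("bob-42"))     # hyphen not in the allowed set
        self.assertFalse(validate_username("bób_42"))     # non-ASCII rejected
        self.assertFalse(validate_username("bob\x0042"))  # embedded NUL rejected

    def test_wrong_types_and_empty(self):
        self.assertFalse(validate_username(""))
        self.assertFalse(validate_username(None))


def run_tests() -> unittest.TestResult:
    """Run the suite quietly and return the result object so callers can inspect it."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(UsernameBoundaryTests)
    return unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)


if __name__ == "__main__":
    result = run_tests()
    print("unit tests passed" if result.wasSuccessful() else "unit tests FAILED")
```

The boundary cases (length 2 and 3, 32 and 33, a leading digit, an embedded NUL) are where off-by-one and encoding bugs hide; they are cheap to test at the unit level and expensive to find once the component is integrated.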

1095
Q

Lisa has learned that most databases implement concurrency controls. What is concurrency and why must it be controlled?

A. Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled.
B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take
place.
C. Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled.
D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if
not properly controlled.

A

C. Databases are commonly used by many different applications simultaneously and many users interacting with them at one time. Concurrency means that different
processes (applications and users) are accessing the database at the same time. If this is not controlled properly,
the processes can overwrite each other’s data or cause deadlock situations. The negative result of concurrency
problems is the reduction of the integrity of the data held within the database. Database integrity is provided by
concurrency protection mechanisms. One concurrency control is locking, which prevents users from accessing and
modifying data being used by someone else. A is incorrect because concurrency refers to processes running simultaneously, not at different levels. Concurrency
issues come up when the database can be accessed at the same time by different users and/or applications. If controls
are not in place, two users can access and modify the same data at the same time, which can be detrimental to a
dynamic environment.
B is incorrect because the ability to deduce new information from reviewing accessible data occurs when a subject at a lower security level indirectly guesses or infers data at a higher level. This can lead to an inference attack. It is not related to concurrency. Concurrency has to do with integrity, while inference is related to confidentiality.
D is incorrect because storing data in more than one place is not a problem with concurrency. Concurrency becomes a problem when two subjects or applications are trying to modify the same data at the same time.

1096
Q

Which of the following best describes an object-oriented database?

A. When an application queries for data, it receives both the data and the procedure.
B. It is structured similarly to a mesh network for redundancy and fast data retrieval.
C. Subject must have knowledge of the well-defined access path in order to access data.
D. The relationships between data entities provide the framework for organizing data.

A

A. In an object-oriented database, objects are instantiated when needed, and the data and procedure (called method) go with the object when it is requested. This differs from a relational database, in which the application uses its own procedures to obtain and process data when retrieved from the database.
B is incorrect because a mesh network is a physical topology and has nothing to do with databases. A mesh topology is a
network of interconnected routers and switches that provides multiple paths to all the nodes on the network. In a full mesh topology, every node is directly connected to every other node, which provides a great degree of redundancy. In a partial mesh topology, every node is not directly
connected. The Internet is an example of a partial mesh topology.
C is incorrect because subjects accessing a hierarchical database—not an object-oriented database—must have
knowledge of the access path in order to access data. In the hierarchical database model, records and fields are related in
a logical tree structure. Parents can have one child, many children, or no children. The tree structure contains branches, and each branch has a number of data fields. To access data, the application must know which branch to start with and which route to take through each layer until the
data is reached.
D is incorrect because the relationships between data entities provide the framework for organizing data in a relational database. A relational database is composed of two-dimensional tables, and each table contains unique rows, columns, and cells. Each cell contains one data value that represents a specific attribute within a given row. These data entities are linked by relationships, which provide the framework for organizing the data.

1097
Q

Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures
data to minimize duplication and inconsistencies. What procedure is this?

A. Polymorphism
B. Normalization
C. Implementation of database views
D. Constructing schema

A

B. Normalization is a process that eliminates redundancy, organizes data efficiently, reduces the potential for
anomalies during data operations, and improves data consistency within databases. It is a systematic way of
ensuring that a database structure is designed properly to be free of certain undesirable characteristics—insertion, update, and deletion anomalies—that could lead to a loss of data integrity.
A is incorrect because polymorphism is when different objects are given the same input and react differently. As a simplistic example of polymorphism, suppose three different objects receive the input “Bob.” Object A would process this input and produce the output “43-year-old white male.”
Object B would receive the input “Bob” and produce the output “Husband of Sally.” Object C would produce the output “Member of User group.” Each object received the same input but responded with a different output.
C is incorrect because database views are logical access controls and are implemented to permit one group, or a
specific user, to see certain information while restricting another group from viewing it altogether. For example,
database views can be implemented to allow middle management to see their departments’ profits and expenses
without viewing the whole company’s profits. Database views do not minimize duplicate data; rather, they manipulate how data is viewed by specific users/groups.
D is incorrect because schema of a database system is its structure described in a formal language. In a relational
database, the schema defines the tables, the fields, relationships, views, indexes, procedures, queues, database links, directories, and so on. The schema describes the database and its structure, but not the data that will live within that database itself. This is similar to a blueprint of a house. The blueprint can state that there will be four rooms, six doors, 12 windows, and so on without describing the
people who will live in the house.

1097
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

A general testing strategy for conducting an application software regression testing includes which of the following sequence of tasks?

a. Read, insert, and delete
b. Precompile, link, and compile
c. Prepare, execute, and delete
d. Test, debug, and log

A

c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log, and the approach is recommended for debugging and validation purposes. Read, insert, and delete describes the transfer of all rows from Table A to Table B, in which a table is read, its rows inserted, and the source rows deleted. A source program is precompiled, linked, and compiled to become an object or executable program; these are build steps, not a testing strategy.

1098
Q

Database software should meet the requirements of what is
known as the ACID test. Why should database software carry
out atomic transactions, which is one requirement of the ACID
test, when OLTP is used?

A. So that the rules for database integrity can be established
B. So that the database performs transactions as a single unit
without interruption
C. To ensure that rollbacks cannot take place
D. To prevent concurrent processes from interacting with each
other

A

B. Online transaction processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. It provides mechanisms to watch for and deal with problems when they occur. For example, if a process stops functioning, the monitor mechanisms within OLTP can detect this and attempt to restart the process. If the process cannot be restarted, then the transaction taking place is rolled back to ensure that no data is corrupted and that a transaction does not partially complete. OLTP records transactions as they occur (in real time), which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what’s known as the ACID test:
* Atomicity Divides transactions into units of work and ensures that all modifications take effect or none takes effect. Either the changes are committed or the database is rolled back.
* Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
* Isolation Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
* Durability Once the transaction is verified as accurate on all systems, it is committed, and the databases cannot be rolled back.
The term “atomic” means that the units of a transaction will occur together or not at all, thereby ensuring that if one operation fails, the others will not be carried out and corrupt the data in the database.
A is incorrect because OLTP and ACID enforce, but do not establish, the integrity rules that are outlined in the database security policy. Representing the letter C in ACID, consistency relates to the enforcement and enforceability of integrity rules. Database software that demonstrates consistency conducts transactions that follow a specific integrity policy and ensures all data are the same in the different databases.
C is incorrect because atomicity divides transactions into units of work and ensures that all modifications take effect or none takes effect. Either the changes are committed or the database is rolled back. This means if something does not happen correctly, the database is reverted (rolled back) to its original state. After the transaction has completed properly, a rollback cannot take place, which is the durability component of the ACID test. This question is specifically asking about the atomic transaction approach, not durability.
D is incorrect because atomic transactions do not address the isolation of processes that are carrying out database transactions; this is the “isolation” component of the ACID test. It is important that a process that is carrying out a transaction cannot be interrupted or modified by another process. This is to ensure the integrity, accuracy, and confidentiality of the data that is being processed during the transaction.
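The atomicity and isolation properties above, and the locking that the earlier concurrency card (card 1095) names as a concurrency control, can be watched directly with SQLite. This is an added example, not code from the flashcard source: a constructed `accounts` table with a CHECK constraint standing in for the database's integrity policy, a non-atomic transfer beside its transactional version, and a second connection that is refused the write lock while a first one holds an open transaction. The table layout, function names and sample balances are assumptions for illustration.

```python
import os
import sqlite3
import tempfile


def make_db() -> str:
    """Create a throwaway SQLite file with a constructed accounts table.
    The CHECK constraint is the integrity rule the ACID 'C' must enforce."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path, isolation_level=None)   # autocommit; BEGIN is issued explicitly
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.close()
    return path


def balances(path: str) -> dict:
    """Committed balances as seen by a fresh connection."""
    conn = sqlite3.connect(path)
    try:
        return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))
    finally:
        conn.close()


def transfer_unsafe(path: str, src: str, dst: str, amount: int) -> bool:
    """Two statements in autocommit mode: NOT atomic. If the debit fails, the
    credit has already been committed and money has been created from nothing."""
    conn = sqlite3.connect(path, isolation_level=None)
    try:
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:      # CHECK (balance >= 0) violated on the debit
        return False
    finally:
        conn.close()


def transfer(path: str, src: str, dst: str, amount: int) -> bool:
    """Atomic version: both updates in one transaction, committed together or rolled back together."""
    conn = sqlite3.connect(path, isolation_level=None)
    try:
        conn.execute("BEGIN IMMEDIATE")   # take the write lock up front
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")          # undoes the already-applied credit as well
        return False
    finally:
        conn.close()


def lock_demo(path: str) -> dict:
    """Locking as a concurrency control: while one connection holds an open write
    transaction, a second writer is refused, and a reader sees only committed data."""
    writer = sqlite3.connect(path, isolation_level=None)
    other = sqlite3.connect(path, isolation_level=None, timeout=0)  # fail fast instead of waiting
    writer.execute("BEGIN IMMEDIATE")
    writer.execute("UPDATE accounts SET balance = balance + 1 WHERE name = 'alice'")
    # Isolation: the uncommitted +1 is invisible to the other connection.
    read_during = other.execute("SELECT balance FROM accounts WHERE name = 'alice'").fetchone()[0]
    try:
        other.execute("UPDATE accounts SET balance = balance + 1 WHERE name = 'alice'")
        blocked = False
    except sqlite3.OperationalError as exc:   # "database is locked"
        blocked = "locked" in str(exc)
    writer.execute("ROLLBACK")                 # release the lock; the writer's +1 never happened
    other.execute("UPDATE accounts SET balance = balance + 1 WHERE name = 'alice'")  # now succeeds
    after = other.execute("SELECT balance FROM accounts WHERE name = 'alice'").fetchone()[0]
    writer.close()
    other.close()
    return {"blocked": blocked, "read_during": read_during, "after": after}


if __name__ == "__main__":
    db = make_db()
    print("start      ", balances(db))
    print("atomic ok  ", transfer(db, "alice", "bob", 30), balances(db))
    print("atomic fail", transfer(db, "alice", "bob", 500), balances(db))
    print("unsafe fail", transfer_unsafe(db, "alice", "bob", 500), balances(db))
    print("locking    ", lock_demo(db))
    os.remove(db)
```

In the failed atomic transfer, the credit to `bob` is applied and then undone by the ROLLBACK, so the committed balances are unchanged; in the autocommit version the same failure leaves the credit in place, which is precisely the partial-transaction corruption the answer warns about. The `timeout=0` on the second connection turns what would normally be a wait into an immediate "database is locked" error, so the lock is visible rather than silently waited out.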

1099
Q

Which of the following is the best description of a component based system development method?

A. Components periodically revisit previous stages to update
and verify design requirements
B. Minimizes the use of arbitrary transfer control statements
between components
C. Uses independent and standardized modules that are
assembled into serviceable programs
D. Implemented in module-based scenarios requiring rapid
adaptations to changing client requirements

A

C. Component-based development involves the use of independent and standardized modules. Each standard module consists of a functional algorithm or instruction set and is provided with interfaces to communicate with other modules. Component-based development adds reusability and pluggable functionality to programs, and is widely used in modern programming to improve program coherence and substantially reduce software maintenance costs. A common example of these modules is the “objects” frequently used in object-oriented programming.
A is incorrect because the spiral method of system development periodically revisits previous stages to update and verify design requirements. The spiral method builds upon the waterfall method. It uses discrete phases of development with an emphasis on risk analysis, prototypes, and simulations. The spiral method does not specify the development and testing of components.
B is incorrect because structured programming development involves the use of logical blocks to achieve system design using procedural programming. A structured program layout minimizes the use of arbitrary transfer control statements like GOTO and emphasizes single points of entry and exit. This hierarchical approach makes it easier for the program to be understood and modified later on.
D is incorrect because extreme programming is a methodology that is generally implemented in scenarios requiring rapid adaptations to changing client requirements. Extreme programming emphasizes client feedback to evaluate project outcomes and to analyze project domains that may require further attention. The coding principle of extreme programming throws out the traditional long-term planning carried out for code reuse and instead focuses on creating simple code optimized for the current assignment.

1100
Q

There are many types of viruses that hackers can use to damage systems. Which of the following is not a correct
description of a polymorphic virus?

A. Intercepts antivirus’s call to the operating system for file and system information
B. Varies the sequence of its instructions using noise, a mutation engine, or random-number generator
C. Can use different encryption schemes requiring different decryption routines
D. Produces multiple, varied copies of itself

A

A. A tunneling virus—not a polymorphic virus—attempts to install itself under an antivirus program. When the antivirus
conducts its health check on critical files, file sizes, modification dates, etc., it makes a request to the operating system to gather this information. If the virus can put itself
between the antivirus and the operating system, then when the antivirus sends out a system call for this type of information, the tunneling virus can intercept the call and respond with information that indicates the system is free of virus infections. The polymorphic virus also attempts to fool antivirus scanners, but it does so by producing varied but operational copies of itself. Even if antivirus software finds and disables one or two copies, other copies may still remain
active within the system.
B is incorrect because a polymorphic virus can vary the sequence of its instructions by including noise, or bogus instructions, with other useful instructions. It can also use a
mutation engine and a random-number generator to change the sequence of its instructions in the hopes of not being
detected. The original functionality stays the same, but the code changes, making it close to impossible to identify all versions of the virus using a fixed signature.
C is incorrect because a polymorphic virus can use different encryption schemes requiring different decryption routines.
This requires an antivirus scan for several scan strings, one for each possible decryption method, in order to identify all
copies of this type of virus. Polymorphic virus writers most commonly hide a virus’s payload with encryption and add a
decryption method to the code. Once it is encrypted, the code is meaningless. However, a virus that is encrypted is
not necessarily a polymorphic virus. To be polymorphic, the virus’s encryption and decryption algorithms must mutate
with each new version of itself.
D is incorrect because a polymorphic virus produces multiple, varied copies of itself in an effort to avoid detection by antivirus software. A polymorphic virus has the capability to change its own code, enabling the virus to have hundreds or thousands of variants. These activities can cause the virus scanner to not properly recognize the virus and to leave it to do its damage.

1101
Q

Which of the following best describes the role of the Java Virtual Machine in the execution of Java applets?

A. Converts the source code into bytecode and blocks the sandbox
B. Converts the bytecode into machine-level code
C. Operates only on specific processors within specific operating
systems
D. Develops the applets, which run in a user’s browser

A

B. Java is an object-oriented, platform-independent programming language. It is employed as a full-fledged programming language and is used to write complete
programs and short programs, called applets, which run in a user’s browser. Java is platform independent because it
creates intermediate code, bytecode, which is not processor-specific. The Java Virtual Machine (JVM) then converts the
bytecode into machine-level code that the processor on the particular system can understand.
A is incorrect because the Java Virtual Machine converts the bytecode into machine-level code. It does not convert the
source code into bytecode—a Java compiler does that. The JVM also creates a virtual machine within an environment
called a sandbox. This virtual machine is an enclosed environment in which the applet carries out its activities. Applets are commonly sent over HTTP within a requested web page, which means the applet executes as soon as it arrives. It can carry out malicious activity on purpose or
accidentally if the developer of the applet did not do his part correctly. So the sandbox strictly limits the applet’s access to any system resources. The JVM mediates access to system resources to ensure the applet code behaves and stays
within its own sandbox.
C is incorrect because Java is an object-oriented, platform independent programming language. Other languages are compiled to object code for a specific operating system and processor. This is why a particular application may run on
Windows but not on Macintosh. An Intel processor does not necessarily understand machine code compiled for an Alpha
processor, and vice versa. Java is platform-independent because it creates intermediate code—bytecode—which is
not processor-specific.
D is incorrect because the Java Virtual Machine does not write applets. Java is employed as a full-fledged programming language and is used to write complete
programs and short programs, called applets, which run in a user’s browser. A programmer creates a Java applet and runs
it through a compiler. The Java compiler converts the source code into bytecode. The user then downloads the Java
applet. The bytecode is converted into machine-level code by the JVM. Finally, the applet runs when called upon.

1101
Q

An application is downloaded from the Internet to perform disk cleanup
and to delete unnecessary temporary files. The application is also recording
network login data and sending them to another party. This application is
best described as which of the following?

A. A virus
B. A Trojan horse
C. A worm
D. A logic bomb

A

B. A Trojan horse looks like an innocent and helpful program, but in the
background it is carrying out some type of malicious activity unknown to the
user. The Trojan horse could be corrupting files, sending the user’s password
to an attacker, or attacking another computer.

1102
Q

When should security first be addressed in a project?

A. During requirements development
B. During integration testing
C. During design specifications
D. During implementation

A

A. The trick to this question, and any one like it, is that security should be implemented at the first possible phase of a project. Requirements are gathered
and developed at the beginning of a project, which is project initiation.
The other answers are steps that follow this phase, and security should be integrated right from the beginning instead of in the middle or at the end.

1102
Q

What is the importance of inference in an expert system?

A. The knowledge base contains facts, but must also be able to combine facts
to derive new information and solutions.
B. The inference machine is important to fight against multipart viruses.
C. The knowledge base must work in units to mimic neurons in the brain.
D. The access must be controlled to prevent unauthorized access.

A

A. The whole purpose of an expert system is to look at the data it has to work with and what the user presents to it and to come up with new or different solutions. It basically performs data-mining activities, identifies patterns and relationships the user can’t see, and provides solutions. This is the same reason you would go to a human expert. You would give her your information, and she would combine it with the information she knows and give you a solution or advice, which is not necessarily the same data you gave her.

1103
Q

Which of the following are rows and columns within relational databases?

A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes

A

D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.

1103
Q

Online application systems that detect an invalid transaction should do which
of the following?

A. Roll back and rewrite over original data.
B. Terminate all transactions until properly addressed.
C. Write a report to be reviewed.
D. Checkpoint each data entry.

A

C. This can seem like a tricky question. It is asking what the system should do when it detects an invalid transaction, which is most likely a user error. This error should be logged so it can be reviewed. After the review, the supervisor, or whoever makes this type of decision, will decide whether or not it was a mistake and investigate it as needed. If the system had a glitch, power fluctuation, hang-up, or any other software- or hardware-related error, that would not be an invalid transaction; in that case the system would carry out a rollback function so that no partially applied update survives.
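The distinction the explanation draws, log-and-review for a transaction that fails business rules versus rollback for a fault in the middle of processing, is easy to see in code. The following Python example is added here and is not part of the original question bank; it uses an in-memory SQLite ledger with constructed account balances, and the "fault" is a deliberately raised exception standing in for a crash or power loss between the debit and the credit.

```python
import sqlite3
from typing import Dict, Optional


def open_ledger() -> sqlite3.Connection:
    """Constructed in-memory ledger: two accounts plus a review log table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            id TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0));
        CREATE TABLE review_log (src TEXT, dst TEXT, amount INTEGER, reason TEXT);
        INSERT INTO accounts VALUES ('A', 100), ('B', 50);
    """)
    return conn


def validate(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> Optional[str]:
    """Business-rule checks.  Returns a reason string when the transaction is invalid."""
    if amount <= 0:
        return "non-positive amount"
    if src == dst:
        return "source equals destination"
    rows = {r[0]: r[1] for r in conn.execute(
        "SELECT id, balance FROM accounts WHERE id IN (?, ?)", (src, dst))}
    if src not in rows or dst not in rows:
        return "unknown account"
    if rows[src] < amount:
        return "insufficient funds"
    return None


def post_transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int,
                  simulate_fault: bool = False) -> str:
    """Invalid transaction: write a review record and leave the ledger untouched.
    Valid transaction: run debit and credit inside one transaction; a fault
    midway (simulated here by raising) rolls back so no partial update survives."""
    reason = validate(conn, src, dst, amount)
    if reason is not None:
        with conn:  # the review record itself is committed
            conn.execute("INSERT INTO review_log VALUES (?, ?, ?, ?)",
                         (src, dst, amount, reason))
        return "logged for review: " + reason
    try:
        with conn:  # sqlite3: commit on normal exit, rollback on exception
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, src))
            if simulate_fault:
                raise RuntimeError("simulated power loss between debit and credit")
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
    except RuntimeError:
        return "rolled back"
    return "committed"


def balances(conn: sqlite3.Connection) -> Dict[str, int]:
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def review_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM review_log").fetchone()[0]


if __name__ == "__main__":
    ledger = open_ledger()
    print(post_transfer(ledger, "A", "B", -5), balances(ledger))
    print(post_transfer(ledger, "A", "B", 30), balances(ledger))
    print(post_transfer(ledger, "A", "B", 20, simulate_fault=True), balances(ledger))
```

The negative-amount transfer never touches the accounts; it only produces a row for a reviewer. The faulted transfer leaves the balances exactly as they were before it started, which is the rollback behaviour the explanation reserves for system errors.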

1104
Q

The software development life cycle has several phases. Which of the following lists these phases in the correct order?

A. Project initiation, system design specifications, functional design analysis
and planning, software development, installation/implementation,
operational/maintenance, disposal
B. Project initiation, functional design analysis and planning, system design
specifications, software development, installation/implementation,
operational/maintenance, disposal
C. Project initiation, functional design analysis and planning, software
development, system design specifications, installation/implementation,
operational/maintenance, disposal
D. Project initiation, system design specifications, functional design analysis
and planning, software development, operational/maintenance

A

B. The following outlines the common phases of the software development
life cycle:
1. Project initiation
2. Functional design analysis and planning
3. System design specifications
4. Software development
5. Testing
6. Installation/implementation
7. Operational/maintenance
8. Disposal

1104
Q

Tim is a software developer for a financial institution. He develops middleware software code that carries out his company’s business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it
runs over a period of time. Which of the following best describes what Tim
should implement to rid this software of this type of problem?

A. Bounds checking
B. Garbage collector
C. Parameter checking
D. Compiling

A

B. Garbage collection is an automated way for software to carry out part of its
memory management tasks. A garbage collector identifies blocks of memory
that were once allocated but are no longer in use, deallocates them,
and marks them as free. It also gathers scattered blocks of free memory and
combines them into larger blocks. It helps provide a more stable environment
and does not waste precious memory. Some programming languages, such
as Java, perform automatic garbage collection; C has no built-in garbage
collector, so the developer must release memory explicitly, and every
allocation that is never released accumulates as the kind of leak Tim is seeing.

1104
Q

Marge has to choose a software development model that her team should
follow. The application that her team is responsible for developing is a critical
application that can have little to no errors. Which of the following best
describes the type of model her team should follow?

A. Cleanroom
B. Joint Analysis Development (JAD)
C. Rapid Application Development (RAD)
D. Reuse Model

A

A. The software development models and their definitions are as follows:
* Joint Analysis Development (JAD) A method that uses a team approach
in application development in a workshop-oriented environment.
* Rapid Application Development (RAD) A method of determining user requirements and developing systems quickly to satisfy immediate needs.
* Reuse Model A model that approaches software development by using
progressively developed models. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the Reuse model does not require programs to be built from scratch, it drastically reduces both development cost and time.
* Cleanroom An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.

1105
Q

__________ is a software testing technique that provides invalid, unexpected,
or random data to the input interfaces of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR

A

C. Fuzz testing or fuzzing is a software testing technique that provides invalid,
unexpected, or random data to the input interfaces of a program. If the program
fails (for example, by crashing or failing built-in code assertions), the defects
can be noted.
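To make the definition concrete, here is a minimal mutation fuzzer written for this card; it is an added example, not code from the question bank. The target is a constructed parser for `key=value;key=value` records with a latent defect (a field without `=` raises `IndexError` instead of the documented `ValueError`), and a hardened version of the same parser is fuzzed alongside it to show that the defect is gone. The seed input and the record format are assumptions made for the example.

```python
import random

SEED_INPUT = b"name=alice;role=admin"   # constructed, well-formed sample record


def parse_kv(data: bytes) -> dict:
    """Constructed fuzz target: parses 'key=value;key=value' records.
    Bad keys are rejected with ValueError, the documented failure mode.
    Latent defect: a field with no '=' makes parts[1] raise IndexError."""
    result = {}
    for field in data.split(b";"):
        if not field:
            continue
        parts = field.split(b"=", 1)
        key, value = parts[0], parts[1]          # BUG: IndexError when '=' is missing
        if not key.isalpha():                    # bytes.isalpha(): ASCII letters only
            raise ValueError("malformed key")
        result[key.decode("ascii")] = value
    return result


def parse_kv_fixed(data: bytes) -> dict:
    """Hardened parser: every malformed field becomes the documented ValueError."""
    result = {}
    for field in data.split(b";"):
        if not field:
            continue
        parts = field.split(b"=", 1)
        if len(parts) != 2 or not parts[0].isalpha():
            raise ValueError("malformed field")
        result[parts[0].decode("ascii")] = parts[1]
    return result


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to the seed: overwrite, insert, delete or truncate."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:
        del data[rng.randrange(len(data))]
    else:
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Feed mutated and purely random inputs to target.  Inputs that raise
    anything other than the documented ValueError are recorded as crashes,
    keyed by exception type, keeping the first triggering input for triage."""
    rng = random.Random(rng_seed)                 # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        if rng.random() < 0.8:
            data = mutate(seed, rng)
        else:
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(32)))
        try:
            target(data)
        except ValueError:
            continue                              # expected rejection, not a defect
        except Exception as exc:                  # unexpected: note the defect
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    for name, sample in fuzz(parse_kv, SEED_INPUT, 3000).items():
        print(f"{name} triggered by {sample!r}")
    print("fixed parser crashes:", fuzz(parse_kv_fixed, SEED_INPUT, 3000))
```

Distinguishing the documented rejection (`ValueError`) from everything else is what turns random input into a finding: the harness only reports exceptions the program's contract does not allow, and it keeps the triggering input so the crash can be reproduced.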

1105
Q

Which of the following is the second level of the Capability Maturity Model
Integration?

A. Repeatable
B. Defined
C. Managed
D. Optimizing

A

A. The five levels of the Capability Maturity Model Integration (CMMI) are:
* Initial Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable.
* Repeatable A formal management structure, change control, and quality
assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
* Defined Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.
* Managed The company has formal processes in place to collect and
analyze quantitative data, and metrics are defined and fed into the
process improvement program.
* Optimizing The company has budgeted and integrated plans for continuous process improvement.

1106
Q

One of the characteristics of object-oriented programming is deferred
commitment. Which of the following is the best description for this characteristic?

A. Autonomous objects, cooperation through exchanges of messages.
B. The internal components of an object can be redefined without changing other parts of the system.
C. Refining classes through inheritance.
D. Object-oriented analysis, design, and modeling map to business needs and
solutions.

A

B. The characteristics and their associated definitions are listed as follows:
* Modularity Autonomous objects, cooperation through exchanges of
messages.
* Deferred commitment The internal components of an object can be
redefined without changing other parts of the system.
* Reusability Other programs using the same objects.
* Naturalness Object-oriented analysis, design, and modeling map to
business needs and solutions.

1106
Q

John is reviewing database products. He needs a product that can manipulate
a standard set of data for his company’s business logic needs. Which of the
following should the necessary product implement?

A. Relational database
B. Object-relational database
C. Network database
D. Dynamic-static

A

B. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language.
Different companies will have different business logic that needs to be carried
out on the stored data. Allowing programmers to develop this front-end
software piece allows the business logic procedures to be used by requesting
applications and the data within the database.

1107
Q

Which of the following is a field of study that focuses on ways of understanding and analyzing data in databases, with concentration on automation advancements?

A. Artificial intelligence
B. Knowledge discovery in databases
C. Expert system development
D. Artificial neural networking

A

B. Knowledge discovery in databases (KDD) is a field of study that works with metadata and attempts to put standards and conventions in place on the way that data are analyzed and interpreted. KDD is used to identify patterns and relationships between data. It is also called data mining.

1108
Q

Sandy has just started as the manager of software development at a new company. There are a few things that Sandy is
finding out as she interviews her new team members that may need to be approached
differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She
has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which of the following is the best technology for Sandy’s team to implement
as it pertains to the previous scenario?

A. Computer-aided software engineering tools
B. Software configuration management
C. Software development life-cycle management
D. Software engineering best practices

A

B. Software Configuration Management (SCM) identifies the attributes of
software at various points in time, and performs a methodical control of
changes for the purpose of maintaining software integrity and traceability
throughout the software development life cycle. It defines the need to track
changes and provides the ability to verify that the final delivered software has
all of the approved changes that are supposed to be included in the release.

1109
Q

Sandy has just started as the manager of software development at a new company. There are a few things that Sandy is
finding out as she interviews her new team members that may need to be approached
differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She
has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which is the best software architecture that Sandy should introduce her team
to for effective business application use?

A. Distributed component object architecture
B. Simple Object Access Protocol architecture
C. Enterprise JavaBeans architecture
D. Service-oriented architecture

A

D. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. This approach allows for different business applications to access the current web services available within the environment.

1110
Q

Sandy has just started as the manager of software development at a new company. There are a few things that Sandy is
finding out as she interviews her new team members that may need to be approached
differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She
has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which best describes the approach Sandy’s team member took when creating the business-oriented software package mentioned within the scenario?

A. Software as a Service
B. Cloud computing
C. Web services
D. Mashup

A

D. A mashup is the combination of functionality, data, and presentation
capabilities of two or more sources to provide some type of new service or
functionality. Open APIs and data sources are commonly aggregated and
combined to provide a more useful and powerful resource.

1111
Q

Karen wants her team to develop software that allows her company to take
advantage of and use many of the web services currently available by other
companies. Which of the following best describes the components that need
to be in place and what their roles are?

A. Web service provides the application functionality. Universal Description,
Discovery, and Integration describes the web service’s specifications. The
Web Services Description Language provides the mechanisms for web
services to be posted and discovered. The Simple Object Access Protocol
allows for the exchange of messages between a requester and provider of
a web service.

B. Web service provides the application functionality. The Web Services
Description Language describes the web service’s specifications.
Universal Description, Discovery, and Integration provides the
mechanisms for web services to be posted and discovered. The Simple
Object Access Protocol allows for the exchange of messages between a
requester and provider of a web service.

C. Web service provides the application functionality. The Web Services
Description Language describes the web service’s specifications. Simple
Object Access Protocol provides the mechanisms for web services to be
posted and discovered. Universal Description, Discovery, and Integration
allows for the exchange of messages between a requester and provider of
a web service.

D. Web service provides the application functionality. The Simple Object
Access Protocol describes the web service’s specifications. Universal
Description, Discovery, and Integration provides the mechanisms for
web services to be posted and discovered. The Web Services Description
Language allows for the exchange of messages between a requester and
provider of a web service.

A

B. Web service provides the application functionality. The Web Services
Description Language describes the web service’s specifications. Universal
Description, Discovery, and Integration provides the mechanisms for web
services to be posted and discovered. The Simple Object Access Protocol
allows for the exchange of messages between a requester and provider of a
web service.

1112
Q

Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?

A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis

A

C. The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task. The principle of least privilege ensures that personnel are granted only the permissions they need to perform their job and no more. Separation of duties ensures that no single person has total control over a critical function or system. There isn’t a standard principle called “as-needed basis.”

1113
Q

An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?

A. Principle of least permission
B. Separation of duties (SoD)
C. Need to know
D. Job rotation

A

C. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties (SoD) ensures that no single person controls all the elements of a process or has total control over a critical function. A job rotation policy requires employees to rotate to different jobs periodically.

1114
Q

What concept is used to grants users only the rights and permissions they need to complete their job responsibilities?

A. Need to know
B. Mandatory vacations
C. Least privilege principle
D. Service-level agreement (SLA)

A

C. An organization applies the least privilege principle to ensure employees receive only the access they need to complete their job responsibilities. Need to know refers to permissions only, whereas privileges include both rights and permissions. A mandatory vacation policy requires employees to take a vacation in one- or two-week increments. An SLA identifies performance expectations and can include monetary penalties.

1115
Q

A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal?

A. Principle of least permission
B. Separation of duties
C. Need to know
D. Privileged account management

A

D. Microsoft domains include a privileged account management solution that grants administrators elevated privileges when they need them but restricts the access using a time-limited ticket, so the elevation lapses automatically instead of standing indefinitely. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn’t control all the elements of a process or a critical function. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more.

1116
Q

An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?

A. Read
B. Modify
C. Full access
D. No access

A

D. The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn’t indicate that new users need any access to the database. Read access, modify access, and full access grants users some level of access, which violates the principle of least privilege.
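The two ideas from this card and the privileged account management card above, default no access and privileges that expire on their own, fit in one small authorization table. The Python below is an added example written for these cards; it is not Microsoft's implementation or any product's code, and the subject, object and right names are made up for the illustration. Time is passed in as a Unix timestamp so the expiry behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    rights: FrozenSet[str]
    expires_at: Optional[float]   # Unix time; None means a standing grant


class AccessPolicy:
    """Default-deny authorization table.  Nothing is permitted unless an
    explicit, unexpired grant exists for the (subject, object) pair.
    Time-limited grants model just-in-time elevation of privileged accounts."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []   # who got what on which object, and when it lapsed

    def grant(self, subject: str, obj: str, rights: Iterable[str],
              ttl_seconds: Optional[float] = None, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        expires = None if ttl_seconds is None else now + ttl_seconds
        self._grants[(subject, obj)] = Grant(frozenset(rights), expires)
        self.audit.append(f"grant {subject} {sorted(rights)} on {obj} expires={expires}")

    def elevate(self, subject: str, obj: str, rights: Iterable[str],
                ttl_seconds: float, now: Optional[float] = None) -> None:
        """Privileged elevation is always time-limited: a TTL is mandatory here."""
        self.grant(subject, obj, rights, ttl_seconds, now)

    def revoke(self, subject: str, obj: str) -> None:
        if self._grants.pop((subject, obj), None) is not None:
            self.audit.append(f"revoke {subject} on {obj}")

    def check(self, subject: str, obj: str, right: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        grant = self._grants.get((subject, obj))
        if grant is None:
            return False                                    # default: no access
        if grant.expires_at is not None and now >= grant.expires_at:
            del self._grants[(subject, obj)]                # elevation lapsed: drop it
            self.audit.append(f"expired {subject} on {obj} at {now}")
            return False
        return right in grant.rights                        # only what was explicitly granted

    def active_grants(self, now: Optional[float] = None) -> int:
        now = time.time() if now is None else now
        return sum(1 for g in self._grants.values()
                   if g.expires_at is None or now < g.expires_at)


if __name__ == "__main__":
    t0 = 1_700_000_000.0                                    # constructed reference time
    policy = AccessPolicy()
    print("new user reads payroll_db:", policy.check("newuser", "payroll_db", "read", now=t0))
    policy.grant("newuser", "payroll_db", {"read"}, now=t0)
    policy.elevate("admin", "payroll_db", {"read", "modify", "full"}, ttl_seconds=3600, now=t0)
    print("admin full at +30 min:", policy.check("admin", "payroll_db", "full", now=t0 + 1800))
    print("admin full at +60 min:", policy.check("admin", "payroll_db", "full", now=t0 + 3600))
    print("\n".join(policy.audit))
```

A brand-new subject gets `False` for every right because there is no row for it, which is the "no access" default from this card; the elevated administrator loses the whole grant the moment the TTL passes, and the audit list records the lapse so the elevation can be reviewed later.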

1117
Q

You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do?

A. Create each account with only the rights and permissions needed by the employee to perform their job.
B. Give each account full rights and permissions to the servers in the software development department.
C. Create each account with no rights and permissions.
D. Add the accounts to the local Administrators group on the new employee’s computer.

A

A. Each account should have only the rights and permissions needed to perform their job when following the least privilege policy. New employees would not need full rights and permissions to a server. Employees will need some rights and permissions in order to do their jobs. Regular user accounts should not be added to the Administrators group.

1118
Q

Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe?

A. Job rotation
B. Mandatory vacation
C. Separation of duties
D. Least privilege

A

C. Separation of duties ensures that no single entity can perform all the tasks for a job or function. A job rotation policy moves employees to different jobs periodically. A mandatory vacation policy requires employees to take vacations. A least privilege policy ensures users have only the privileges they need, and no more.

1119
Q

A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing?

A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Least privilege

A

A. A job rotation policy has employees rotate jobs or job responsibilities and can help detect collusion and fraud. A separation of duties policy ensures that a single person doesn’t control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their jobs and no more.

1120
Q

Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy?

A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels

A

B. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. It does not rotate job responsibilities. Although mandatory vacations might help employees reduce their overall stress levels and increase productivity, these are not the primary reasons for mandatory vacation policies.

1121
Q

Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn’t meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement?

A. MOU
B. ISA
C. SLA
D. SED

A

C. A service-level agreement (SLA) can provide monetary penalties if a third-party provider doesn’t meet its contractual requirements. Neither a memorandum of understanding (MOU) nor an interconnection security agreement (ISA) includes monetary penalties. Separation of duties is sometimes shortened to SED, but this is unrelated to third-party relationships.

1121
Q

Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public

A

A. The IaaS service model provides an organization with the most control compared to the other models, and this model requires the organization to perform all maintenance on operating systems and applications. The SaaS model gives the organization the least control, and the cloud service provider (CSP) is responsible for all maintenance. The PaaS model splits control and maintenance responsibilities between the CSP and the organization.

1122
Q

Which one of the following is a cloud-based service model that allows users to access email via a web browser?

A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public

A

C. The SaaS service model provides services such as email available via a web browser. IaaS provides the infrastructure (such as servers), and PaaS provides a platform (such as an operating system and application installed on a server). Public is a deployment method, not a service model.

1123
Q

The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images?

A. Provides a baseline for configuration management
B. Improves patch management response times
C. Reduces vulnerabilities from unpatched systems
D. Provides documentation for changes

A

A. When images are used to deploy systems, the systems start with a common baseline, which is important for configuration management. Images don’t necessarily improve the evaluation, approval, deployment, and audits of patches to systems within the network. Although images can include current patches to reduce their vulnerabilities, this is because the image provides a baseline. Change management provides documentation for changes.

1123
Q

A server administrator recently modified the configuration for a server to improve
performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn’t with the script but instead with the modification. What could have prevented this?

A. Vulnerability management
B. Patch management
C. Change management
D. Blocking all scripts

A

C. An effective change management program helps prevent outages from unauthorized changes. Vulnerability management helps detect weaknesses but wouldn’t block the problems from this modification. Patch management ensures systems are kept up to date. Blocking scripts removes automation, which would increase the overall workload.

1124
Q

Which of the following steps would be included in a change management process? (Choose three.)

A. Immediately implement the change if it will improve performance.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.

A

B, C, D. Change management processes include requesting a change, creating a rollback plan for the change, and documenting the change. Changes should not be implemented immediately without evaluating the change.

1125
Q

A new CIO learned that an organization doesn’t have a change management program. The CIO insists one be implemented immediately. Of the following choices, what is a primary goal of a change management program?

A. Personnel safety
B. Allowing rollback of changes
C. Ensuring that changes do not reduce security
D. Auditing privilege access

A

C. Change management aims to ensure that any change does not result in unintended outages or reduce security. Change management doesn’t affect personnel safety. A change management plan will commonly include a rollback plan, but that isn’t a specific goal of the program. Change management doesn’t perform any type of auditing.

1125
Q

Systems within an organization are configured to receive and apply patches automatically. After receiving a patch, 55 of the systems automatically restarted and booted into a stop error. What could have prevented this problem without sacrificing security?

A. Disable the setting to apply the patches automatically.
B. Implement a patch management program to approve all patches.
C. Ensure systems are routinely audited for patches.
D. Implement a patch management program that tests patches before deploying them.

A

D. An effective patch management program evaluates and tests patches before deploying them and would have prevented this problem. Approving all patches would not prevent this problem because the same patch would be deployed. Systems should be audited after deploying patches, not to test for the impact of new patches.

1126
Q

A security administrator wants to verify the existing systems are up to date with current patches. Of the following choices, what is the best method to ensure systems have the required patches?

A. Patch management system
B. Patch scanner
C. Penetration tester
D. Fuzz tester

A

A. A patch management system ensures that systems have required patches. In addition to deploying patches, it would also check the systems to verify they accepted the patches. There is no such thing as a patch scanner. A penetration test will attempt to exploit a vulnerability, but it can be intrusive and cause an outage, so it isn’t appropriate in this scenario. A fuzz tester sends random data to a system to check for vulnerabilities but doesn’t test for patches.

1127
Q

A recent attack on servers within your organization caused an excessive outage. You need to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

A

B. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn’t directly check systems for vulnerabilities.

1127
Q

Which one of the following processes is most likely to list all security risks within a system?

A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan

A

D. A vulnerability scan will list or enumerate all security risks within a system. None of the other answers will list security risks within a system. Configuration management systems check and modify configuration settings. Patch management systems can deploy patches and verify patches are deployed, but they don’t check for all security risks. Hardware inventories only verify the hardware is still present.

1128
Q

What describes a more agile development and support model, where developers
directly support operations?

A. DevOps
B. Sashimi
C. Spiral
D. Waterfall

A

Correct answer and explanation: A. DevOps is a more agile development and
support model, where developers directly support operations.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Sashimi, spiral, and waterfall are software development methodologies that do
not describe a model for developers directly supporting operations.

1129
Q

Two objects with the same name have different data. What OOP concept does
this illustrate?

A. Delegation
B. Inheritance
C. Polyinstantiation
D. Polymorphism

A

Correct answer and explanation: C. Polyinstantiation means “many instances,”
such as two objects with the same names that have different data.
Incorrect answers and explanations: Answers A, B, and D are incorrect.
Delegation allows objects to delegate messages to other objects. Inheritance
means an object inherits capabilities from its parent class. Polymorphism allows
the ability to overload operators, performing different methods depending on the
context of the input message.

1130
Q

A database contains an entry with an empty primary key. What database concept
has been violated?

A. Entity integrity
B. Normalization
C. Referential integrity
D. Semantic integrity

A

Correct answer and explanation: A. Entity integrity means each tuple has a
unique primary key that is not null.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Normalization seeks to make the data in a database table logically concise,
organized, and consistent. Referential integrity means that every foreign key in
a secondary table matches a primary key in the parent table; if this is not true,
referential integrity has been broken. Semantic integrity means each attribute
(column) value is consistent with the attribute data type.
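
The three integrity rules in this explanation are easiest to see when a database engine actually rejects the offending rows. The following is an added example, not part of the flashcard deck, using Python's standard sqlite3 module with a constructed two-table schema (table and column names are invented). It goes slightly beyond the card by also exercising a semantic-integrity check (a CHECK on the column's stored type) and by showing two SQLite-specific traps a practitioner runs into: a non-INTEGER PRIMARY KEY accepts NULL unless NOT NULL is also declared, and foreign keys are only enforced once PRAGMA foreign_keys is switched on for the connection.

```python
import sqlite3

# Constructed schema for the example (names are invented).
SCHEMA = """
CREATE TABLE department (
    dept_code TEXT PRIMARY KEY NOT NULL,      -- entity integrity: unique, never NULL
    name      TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    dept_code TEXT NOT NULL REFERENCES department(dept_code),   -- referential integrity
    salary    INTEGER CHECK (typeof(salary) = 'integer')        -- semantic integrity
);
"""


def new_db() -> sqlite3.Connection:
    """In-memory database with constraint enforcement switched on."""
    con = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless asked; this is a per-connection setting.
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO department VALUES ('SEC', 'Security')")
    return con


def try_insert(con: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Run one INSERT; return 'ok' or the engine's constraint-violation message."""
    try:
        con.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def demo() -> dict:
    """Exercise each integrity rule with a good row and a violating row."""
    con = new_db()
    dept = "INSERT INTO department (dept_code, name) VALUES (?, ?)"
    emp = "INSERT INTO employee (name, dept_code, salary) VALUES (?, ?, ?)"
    return {
        "valid_dept": try_insert(con, dept, ("OPS", "Operations")),
        # entity integrity: an empty (NULL) primary key
        "null_pk": try_insert(con, dept, (None, "Ghost")),
        # entity integrity: a duplicate primary key
        "dup_pk": try_insert(con, dept, ("SEC", "Security again")),
        "valid_emp": try_insert(con, emp, ("Nicole", "SEC", 90000)),
        # referential integrity: foreign key to a department that does not exist
        "orphan_fk": try_insert(con, emp, ("Bob", "XYZ", 50000)),
        # semantic integrity: a non-integer value in an INTEGER column
        "bad_type": try_insert(con, emp, ("Eve", "SEC", "lots")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} {outcome}")
```

Each violating insert raises sqlite3.IntegrityError with a message naming the constraint (NOT NULL, UNIQUE, FOREIGN KEY, CHECK); dropping the NOT NULL on dept_code or the PRAGMA line lets the null primary key and the orphan employee through silently, which is the point of checking what your engine enforces by default.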

1130
Q

What type of testing determines whether software meets various end-state
requirements from a user or customer, contract, or compliance perspective?

A. Acceptance testing
B. Integration testing
C. Regression testing
D. Unit testing

A

Correct answer and explanation: Answer A is correct; acceptance testing
determines whether software meets various end-state requirements from a user
or customer, contract, or compliance perspective.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Integration testing tests multiple software components as they are combined into
a working system. Regression testing tests software after updates, modifications,
or patches. Unit testing consists of low-level tests of software components, such
as functions, procedures, or objects.

1130
Q

Which vulnerability allows a third party to redirect static content within the
security context of a trusted site?

A. Cross-site request forgery (CSRF)
B. Cross-site scripting (XSS)
C. PHP remote file inclusion (RFI)
D. SQL injection

A

Correct answer and explanation: A. Cross-site request forgery (CSRF) allows a
third party to redirect static content within the security context of a trusted site.
Incorrect answers and explanations: Answers B, C, and D are incorrect. XSS is
a third-party execution of web scripting languages, such as JavaScript, within
the security context of a trusted site. XSS is similar to CSRF; the difference is
XSS uses active code. PHP RFI alters normal PHP variables to reference remote
content, which can lead to execution of malicious PHP code. SQL injection
manipulates a back-end SQL server via a front-end web server.
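
What makes a CSRF request succeed, and what stops it, as an added example that is not from the deck: the browser attaches the victim's session cookie to any request aimed at the trusted site, including one that an attacker's page auto-submits, so a state-changing handler that authorizes on the cookie alone is forgeable without any script running in the trusted site's context. The hardened handler additionally demands a per-session token that only pages served by the trusted site can embed. The web framework is simulated with plain Python functions and dictionaries (constructed, not a real server), and the function and field names are invented.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Optional, Tuple


class Session:
    """Server-side session created at login; the token only appears in the site's own pages."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)   # synchronizer token bound to this session


def transfer_vulnerable(session: Optional[Session], form: dict) -> Tuple[int, str]:
    """State-changing handler that trusts the session cookie alone: forgeable."""
    if session is None:
        return 401, "login required"
    return 200, f"{session.user} sent {form['amount']} to {form['to']}"


def transfer_hardened(session: Optional[Session], form: dict) -> Tuple[int, str]:
    """Same handler, but the request body must also carry the session's CSRF token."""
    if session is None:
        return 401, "login required"
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the check does not leak the token byte by byte
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session.user} sent {form['amount']} to {form['to']}"


def legitimate_form(session: Session) -> dict:
    """A form rendered by the trusted site itself, so it can embed the token."""
    return {"to": "savings", "amount": "100", "csrf_token": session.csrf_token}


def forged_form() -> dict:
    """A hidden, auto-submitting form on an attacker's page. The victim's browser
    attaches the victim's cookie to it, but the same-origin policy keeps the attacker
    from reading the victim's token, so the forged body cannot include it."""
    return {"to": "attacker", "amount": "1000"}


def demo() -> dict:
    victim = Session("alice")                       # victim is logged in (cookie present)
    return {
        "vulnerable_forged": transfer_vulnerable(victim, forged_form())[0],
        "hardened_forged": transfer_hardened(victim, forged_form())[0],
        "hardened_legit": transfer_hardened(victim, legitimate_form(victim))[0],
        "hardened_no_session": transfer_hardened(None, forged_form())[0],
        # a guessed token must also fail
        "hardened_guess": transfer_hardened(victim, {**forged_form(), "csrf_token": "x" * 43})[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} HTTP {status}")
```

The token check is the synchronizer-token pattern; in a real deployment it is paired with SameSite cookie attributes and Origin/Referer checks as defence in depth, and it protects nothing if an XSS flaw lets attacker script read the token out of the page.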

1131
Q
Which of the following best describes the primary focus of the chain of custody in evidence handling?

A. Documenting the location of evidence
B. Taking photographs of the crime scene
C. Control of evidence to maintain its integrity for court presentation
D. Sealing off access to the area where a crime may have occurred

A

Answer: C. Control of evidence to maintain its integrity for court presentation
Explanation: The primary focus of the chain of custody is to ensure the control and integrity of evidence so that it can be presented in court without any doubts about its authenticity.

1132
Q
Which of the following is NOT a type of evidence that might be considered during a computer security investigation?

A. Corroborative evidence
B. Hearsay evidence
C. Secondary evidence
D. Predictive evidence

A

Answer: D. Predictive evidence
Explanation: While corroborative, hearsay, and secondary are types of evidence mentioned, predictive evidence is not listed as a type of evidence in the context of a computer security investigation.

1133
Q
What is the primary difference between a virus and a worm in terms of malware?

A. A virus requires human interaction to trigger, while a worm can self-propagate.
B. A virus can self-propagate, while a worm requires human interaction to trigger.
C. Both virus and worm require human interaction to trigger.
D. Both virus and worm can self-propagate without human interaction.

A

Answer: A. A virus requires human interaction to trigger, while a worm can self-propagate.
Explanation: A virus is a type of malware that requires some form of human interaction to be activated, such as opening a file. In contrast, a worm can spread on its own by exploiting vulnerabilities in systems.

1134
Q
Which of the following is a key characteristic of a Trojan horse in the context of malware?

A. It can self-propagate and spread through a network.
B. It looks harmless or desirable but contains malicious code.
C. It changes aspects of itself, like file name or code structure, to evade detection.
D. It is a piece of malware that makes minimal changes over a long period to evade detection.

A

Answer: B. It looks harmless or desirable but contains malicious code.
Explanation: A Trojan horse is a type of malware that appears to be something legitimate or desirable but contains hidden malicious code. It tricks users into downloading or running it, thinking it’s safe or beneficial.

1135
Q
In the context of backup strategies, what does the term “mirror backup” refer to?

A. A backup that is an exact copy of a dataset without any compression
B. A backup that includes only the changes since the last full backup
C. A backup that includes changes since the last incremental backup
D. A backup that changes its structure to evade detection

A

Answer: A. A backup that is an exact copy of a dataset without any compression
Explanation: A mirror backup creates an exact replica of a dataset. It does not use compression, making it the fastest backup type in terms of both backup and restore, but it requires a significant amount of storage.

1136
Q
Which of the following best describes the concept of “live evidence” in digital forensics?

A. Evidence that is stored on a hard drive
B. Evidence that is stored in places like RAM, cache, and buffers of a running system
C. Evidence that is taken from surveillance footage from security cameras
D. Evidence that is stored on backup tapes

A

Answer: B. Evidence that is stored in places like RAM, cache, and buffers of a running system
Explanation: Live evidence refers to data stored in a running system’s volatile memory, such as RAM, cache, and buffers. This type of evidence can change or disappear if the system’s state is altered.

1136
Q
Which of the following is NOT a step in the incident response process?

A. Detection
B. Encryption
C. Mitigation
D. Remediation

A

Answer: B. Encryption
Explanation: While detection, mitigation, and remediation are steps in the incident response process, encryption is not a step in this process. Encryption is a method to secure data.

1137
Q
In the context of security operations, what does the term “Service-Level Agreements (SLAs)” primarily refer to?

A. Agreements that specify the minimum security standards to be maintained
B. Agreements that denote time frames against the performance of specific operations
C. Agreements that define the roles and responsibilities of security personnel
D. Agreements that outline the backup and recovery strategies

A

Answer: B. Agreements that denote time frames against the performance of specific operations
Explanation: SLAs contain terms that specify related time frames against the performance of certain operations agreed upon within the overall contract.

1138
Q
What is the primary purpose of user and entity behavior analytics (UEBA)?

A. To monitor network traffic and block malicious IPs
B. To analyze and correlate log data from multiple sources
C. To monitor the behavior and patterns of users and entities
D. To provide threat intelligence and analysis of emerging threat trends

A

Answer: C. To monitor the behavior and patterns of users and entities
Explanation: UEBA focuses on analyzing the behavior and patterns of users and entities, logging and correlating the underlying data, analyzing the data, and triggering alerts when necessary.

1138
Q
Which of the following malware types is designed to make minimal changes over a long period to avoid detection?

A. Ransomware
B. Rootkit
C. Data diddler
D. Logic bomb

A

Answer: C. Data diddler
Explanation: A data diddler is a type of malware that makes minimal changes over a prolonged period to evade detection. Its primary goal is to subtly alter data without being noticed.

1139
Q
In the context of malware, which type changes aspects of itself, like file name, file size, and code structure, to evade detection every time it replicates across a network?

A. Trojan
B. Rootkit
C. Polymorphic malware
D. Logic bomb

A

Answer: C. Polymorphic malware
Explanation: Polymorphic malware can change aspects of itself to evade detection every time it replicates across a network.

1140
Q
Which of the following is NOT a type of evidence considered in computer security investigations?

A. Oral/written statements
B. Visual/audio evidence
C. Digital footprints
D. Hearsay evidence

A

Answer: C. Digital footprints
Explanation: While oral/written statements, visual/audio evidence, and hearsay evidence are considered types of evidence in computer security investigations, “digital footprints” is not specifically mentioned as a type of evidence.

1141
Q
What is the primary goal of the incident response process?

A. To detect and prevent future attacks
B. To provide an effective and efficient response to reduce impact to the organization
C. To identify the attackers and prosecute them
D. To restore all compromised systems to their original state

A

Answer: B. To provide an effective and efficient response to reduce impact to the organization
Explanation: The main goals of incident response are to provide an effective and efficient response to reduce the impact on the organization, maintain or restore business continuity, and defend against future attacks.

1142
Q
Which option is least likely to be employed to mitigate single points of failure?

A. RAID 0
B. RAID 1
C. Utilizing an alternative Internet connection through a distinct ISP
D. Employing a load-balanced server cluster

A

Answer: A. RAID 0
Explanation: Single points of failure refer to components or parts of a system that, if they fail, will cause the entire system to fail. To mitigate these vulnerabilities, redundancy is often introduced. Among the options, RAID 0 does not provide redundancy. Instead, it stripes data across multiple disks, which can improve performance but does not eliminate a single point of failure. If one disk in a RAID 0 array fails, all data is lost. On the other hand, RAID 1, having a secondary Internet connection, and using a load-balanced server cluster all introduce redundancy and help in eliminating single points of failure.

1142
Q
In a black box penetration test, what level of knowledge is typically granted to the red team regarding the target infrastructure?

A. The specific targets and the duration of the test
B. Comprehensive details
C. No information
D. The enterprise’s IP subnet layout

A

Answer: C. No information
Explanation: Black box penetration testing simulates an external attack where the attacker has no prior knowledge of the target system. The red team, in this context, is given no specific details about the infrastructure they are testing. This approach is designed to mimic the perspective of a real-world attacker and identify vulnerabilities that may be exploited by someone with no inside knowledge.

1142
Q
Which terminology pertains to the statistical evaluation of a system or device’s operational lifespan?

A. Maximum tolerable downtime (MTD)
B. Statistical deviation
C. Mean time to repair (MTTR)
D. Mean time between failures (MTBF)

A

Answer: D. Mean time between failures (MTBF)
Explanation: MTBF (mean time between failures) is a measure used to estimate the time between inherent failures of a system during its operational phase. It provides an average time span between failures and is commonly used in reliability engineering to assess the reliability of a product or system. MTTR, on the other hand, refers to the average time taken to repair a failed component. MTD is the maximum time a service or system can be down without causing significant harm to the business. Statistical deviation is a general term and does not specifically relate to the functional lifetime of a system or device.

1143
Q
How is Hierarchical Storage Management (HSM) best characterized?

A. The organization of files and directories on a hard drive
B. The method of transporting tapes to off-site locations using armored vehicles and armed personnel
C. The process of transitioning files from high-cost, high-speed storage to more affordable, slower storage solutions
D. The technique of powering down disk drives to conserve energy, reduce heat, and extend disk lifespan when the stored files are not in use

A

Answer: C. The process of transitioning files from high-cost, high-speed storage to more affordable, slower storage solutions
Explanation: Hierarchical Storage Management (HSM) is a data storage technique that automatically moves data between high-cost and low-cost storage media. As data ages and is accessed less frequently, it is moved to slower, more cost-effective storage media. This ensures that critical and frequently accessed data remains on faster storage, while older, less accessed data is moved to cheaper storage.

1144
Q
During which stage of a targeted assault would a sniffer tool most likely be initially employed?

A. Active reconnaissance
B. Passive reconnaissance
C. Pillaging
D. Fingerprinting

A

Answer: B. Passive reconnaissance
Explanation: Passive reconnaissance involves collecting information without directly interacting with the target system. A sniffer, which captures network traffic, is a tool that can be used during this phase to gather valuable information without alerting the target. Active reconnaissance, on the other hand, involves direct interaction with the target, which can raise alarms.

1144
Q
What best defines the reason for collusion and the most effective countermeasure against it?

A. A comprehensive penetration testing contract
B. Implementing separation of duties and rotating job responsibilities
C. Addressing software vulnerabilities through consistent OS and application updates
D. Employing data redundancy and fault-tolerant technologies

A

Answer: B. Implementing separation of duties and rotating job responsibilities
Explanation: Collusion refers to the act of two or more individuals working together to commit fraud or other malicious activities. The best defense against collusion is the separation of duties, ensuring that no single individual has control over all aspects of any critical transaction. Job rotation further reduces the risk by regularly changing individuals’ responsibilities, making it harder for them to collaborate maliciously over an extended period.

1144
Q
Upon Nicole’s transfer to a different department and role, why is it essential for an administrator to revoke her previous access rights?

A. To mitigate single points of failure
B. To prevent sequential access procedures
C. To reset the archive attribute
D. To counteract privilege accumulation

A

Answer: D. To counteract privilege accumulation
Explanation: Privilege accumulation, often referred to as “authorization creep,” occurs when individuals retain old privileges even after changing roles within an organization. Over time, this can lead to users having more access rights than necessary for their current position, increasing the risk of accidental or intentional data misuse. By revoking Nicole’s previous privileges upon her transfer, the organization ensures she only has access to what’s relevant to her new role, maintaining a principle of least privilege.

1144
Q
Which statement best captures the essence of Hierarchical Storage Management (HSM)?

A. The structure in which files and directories are saved on a hard drive
B. The procedure of securely transporting tapes to off-site locations using armored vehicles and security personnel
C. The strategy of transitioning files from high-speed, high-cost storage to more economical, slower storage media
D. The practice of deactivating disk drives to conserve energy, diminish heat, and extend their lifespan when the stored files are not being accessed

A

Answer: C. The strategy of transitioning files from high-speed, high-cost storage to more economical, slower storage media
Explanation: Hierarchical Storage Management (HSM) is a data storage technique that moves data between high-cost and low-cost storage media based on its age and access frequency. As data becomes older and is accessed less frequently, it is transferred to slower, more economical storage solutions.

1145
Q
When analyzing a suspicious attachment by running it within a controlled virtual setting, how is this environment best described?

A. Honeypot
B. Hyperjacking
C. Sandbox
D. Decompiler

A

Answer: C. Sandbox
Explanation: A sandbox is a controlled environment where potentially malicious code can be executed safely, without posing a risk to the host system or network. It is isolated from the main system, ensuring that any malicious actions are contained within the sandbox and do not affect the broader environment.

1145
Q
Which of the following does not provide a security or operational justification for enforcing mandatory vacations?

A. The chance for the organization to review an employee’s work
B. Ensuring the employee is rejuvenated
C. Preventing a single individual from easily conducting clandestine activities
D. Making employees aware that unauthorized actions might be detected

A

Answer: B. Ensuring the employee is rejuvenated
Explanation: While ensuring an employee is well rested is a good general practice for employee well-being, it is not specifically a security or operational reason related to mandatory vacations. The other options relate directly to security and operational benefits.

1145
Q
What kind of security measure is represented by an audit trail?

A. Application
B. Administrative
C. Preventative
D. Detective

A

Answer: D. Detective
Explanation: An audit trail is a record of activities, typically in the context of a computer system, which can be used to detect and investigate unauthorized or anomalous activities. It is a detective control because it helps in identifying issues after they have occurred.

1146
Q
Which option does not represent an advantage of RAID (Redundant Array of Independent Disks)?

A. Enhanced storage capacity
B. Prolonged recovery time
C. Performance enhancements
D. Fault resilience

A

Answer: B. Prolonged recovery time
Explanation: RAID is designed to provide redundancy, improve performance, and increase storage capacity. One of its primary benefits is fault tolerance, which means that if one disk fails, data is not lost. However, prolonged recovery time is not a benefit; in fact, certain RAID configurations aim to reduce recovery time.

1146
Q
Which resource is primarily targeted by phreakers?

A. Mainframes
B. Networks
C. PBX systems
D. Wireless networks

A

Answer: C. PBX systems
Explanation: Phreakers are individuals who manipulate or hack telephone systems, primarily targeting Private Branch Exchange (PBX) systems. Their activities often involve making free long-distance calls or gaining unauthorized access to telecommunication systems.

1147
Q
Which concept is closely associated with the principle of separation of duties?

A. Dual controls
B. Principle of least privilege
C. Job rotation
D. Principle of privilege

A

Answer: A. Dual controls
Explanation: Separation of duties and dual controls are both strategies to ensure that no single individual has complete control over all aspects of any critical financial transaction. By requiring two or more individuals to complete a task or transaction, the risk of fraud or error is reduced.

1148
Q
After sending an email to an old colleague, it was rejected and you were prompted to resend it. What likely occurred with the message transfer agent?

A. Allowlist
B. Graylist
C. Blocklist
D. Black hole

A

Answer: B. Graylist
Explanation: Graylisting is an anti-spam technique where the mail server temporarily rejects emails from unknown senders and asks the sending server to resend the message after a certain period. If the email is legitimate, the sending server will attempt to resend it, and it will be accepted on the subsequent attempt.
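
The retry dance described above, modelled in Python as an added example (not from the deck and not any particular MTA's code): the decision is keyed on the (client IP, sender, recipient) triplet, an unknown triplet receives an SMTP 4xx temporary failure, and the triplet is admitted only when the sending server comes back after the configured delay, which a fire-and-forget spam tool usually never does. The clock is injected so the run is deterministic; the reply strings, class name, and addresses are invented.

```python
import time
from typing import Callable, Dict, Set, Tuple

# 4xx = temporary failure: a standards-conforming MTA queues the message and retries later
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]


class Greylist:
    def __init__(self, retry_after: int = 300, clock: Callable[[], float] = time.time) -> None:
        self.retry_after = retry_after          # seconds an unknown triplet must wait before retrying
        self.clock = clock
        self.first_seen: Dict[Triplet, float] = {}
        self.allowed: Set[Triplet] = set()      # triplets that have proven they retry properly

    def decide(self, client_ip: str, sender: str, recipient: str) -> str:
        """Return the SMTP reply for one delivery attempt (evaluated at RCPT TO time)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.allowed:
            return ACCEPT                       # known-good triplet: no clock needed
        now = self.clock()
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now
            return TEMPFAIL                     # never seen: defer and see whether they come back
        if now - first < self.retry_after:
            return TEMPFAIL                     # came back too early: keep deferring
        self.allowed.add(triplet)               # patient retry: admit this triplet from now on
        return ACCEPT


def demo() -> Dict[str, str]:
    # Constructed timestamps handed out by the fake clock, one per decision that consults it.
    timeline = iter([0, 10, 600, 700])
    gl = Greylist(retry_after=300, clock=lambda: next(timeline))
    legit = ("198.51.100.7", "colleague@example.org", "you@example.com")
    return {
        "legit_first": gl.decide(*legit),        # t=0   -> deferred
        "legit_retry_early": gl.decide(*legit),  # t=10  -> still deferred
        "legit_retry_ok": gl.decide(*legit),     # t=600 -> accepted
        "legit_next_mail": gl.decide(*legit),    # allowed triplet, accepted without delay
        # t=700: a bulk sender that never retries stays stuck at the temporary failure
        "spam_once": gl.decide("203.0.113.9", "bulk@spam.invalid", "you@example.com"),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case:18s} {reply}")
```

Production implementations also expire stale triplets and usually match the client on a network prefix rather than an exact address, because large senders retry from a different host in the same farm; without that, legitimate mail from such senders is deferred repeatedly.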

1149
Q
Which backup method is the quickest to perform but requires the most time to restore?

A. Incremental
B. Differential
C. Full
D. Grandfathered

A

Answer: A. Incremental
Explanation: Incremental backups only save the changes made since the last backup, making them faster to perform. However, during a restore, you would need the last full backup and all subsequent incremental backups, making the restoration process longer compared to other backup methods.

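
To see the trade-off in numbers, here is an added Python model that is not part of the deck: a full backup on day 0, then either incremental or differential sets on the following days, the restore chain each strategy needs, and what happens when one incremental set in the chain is lost. Files are represented as a name-to-version map and the dataset and daily changes are constructed.

```python
from typing import Dict, List, Tuple

Backup = Tuple[str, Dict[str, int]]   # (label, {file name: version captured})


def take_backups(base: Dict[str, int], daily_changes: List[Dict[str, int]],
                 strategy: str) -> Tuple[List[Backup], Dict[str, int]]:
    """Simulate a full backup followed by one incremental or differential set per day.
    Returns the backup sets and the live data at the end, for comparison after restore."""
    live = dict(base)
    sets: List[Backup] = [("full", dict(live))]
    since_full: Dict[str, int] = {}               # accumulates changes for differential
    for day, changes in enumerate(daily_changes, start=1):
        live.update(changes)
        if strategy == "incremental":
            sets.append((f"inc{day}", dict(changes)))        # only what changed since the last backup of any kind
        elif strategy == "differential":
            since_full.update(changes)
            sets.append((f"diff{day}", dict(since_full)))    # everything changed since the last full
        else:
            raise ValueError(strategy)
    return sets, live


def restore_chain(sets: List[Backup], strategy: str) -> List[Backup]:
    """Which sets the operator must have on hand to rebuild the latest state."""
    if strategy == "incremental":
        return sets                         # full plus every incremental, in order
    return [sets[0], sets[-1]]              # full plus the newest differential only


def restore(chain: List[Backup]) -> Dict[str, int]:
    """Apply the sets in order; later sets overwrite earlier versions of the same file."""
    data: Dict[str, int] = {}
    for _, payload in chain:
        data.update(payload)
    return data


BASE = {f"file{i}": 1 for i in range(10)}                      # constructed starting dataset
CHANGES = [{"file1": 2}, {"file2": 2, "file10": 1}, {"file1": 3}, {"file3": 2}]


def demo(strategy: str) -> dict:
    sets, live = take_backups(BASE, CHANGES, strategy)
    chain = restore_chain(sets, strategy)
    damaged = [s for s in chain if s[0] != "inc2"]            # pretend the day-2 incremental is unreadable
    return {
        "set_sizes": [len(payload) for _, payload in sets],   # files written per backup run
        "chain_length": len(chain),                           # sets needed at restore time
        "restore_ok": restore(chain) == live,
        "restore_with_missing_inc2_ok": restore(damaged) == live,
    }


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, demo(strategy))
```

Incremental runs write the least data each day but the restore needs every set in order, and losing one of them (inc2 here) silently leaves file2 stale and file10 absent; the differential strategy writes more per run, yet only the full set and the newest differential are needed and a lost intermediate set does not matter.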
1150
Q
In the event of a significant disruption, which of the following is designed to assume operational responsibilities when the primary site is inoperative?

A. BCP (business continuity plan)
B. Audit
C. Incident response
D. COOP (continuity of operations plan)

A

Answer: D. COOP (continuity of operations plan)
Explanation: A continuity of operations plan (COOP) is designed to ensure that essential functions continue during and after a disaster. It focuses on restoring an organization’s mission-essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations.

1150
Q
Which RAID configuration offers data striping without any redundancy?

A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 4

A

Answer: A. RAID 0
Explanation: RAID 0 uses data striping, where data is split into blocks and each block is written to a separate disk drive. It improves performance but offers no redundancy. If one drive fails, all data in the RAID 0 array is lost.

1151
Q
Which type of intrusion detection system primarily differentiates between typical and atypical activities?

A. Pattern based
B. Statistical based
C. Traffic based
D. Protocol based

A

Answer: B. Statistical based
Explanation: A statistical-based intrusion detection system (IDS) monitors network traffic and compares it against an established baseline. The baseline will identify what is considered “normal” behavior. When the IDS detects activity that deviates significantly from the baseline, it will trigger an alert.

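
A minimal statistical (anomaly-based) detector, added here as an example that is not from the deck: it learns a baseline of normal per-minute inbound connection counts and raises an alert when a new observation lies more than a chosen number of standard deviations from the mean. The traffic counts are constructed, and the threshold is a tuning knob rather than a standard value.

```python
import statistics
from typing import List, Tuple


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Learn 'normal' from a training window: mean and population standard deviation."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate spread")
    return statistics.fmean(samples), statistics.pstdev(samples)


def z_score(value: float, baseline: Tuple[float, float]) -> float:
    """How many standard deviations the value sits from the learned mean."""
    mean, stdev = baseline
    if stdev == 0:                                  # flat baseline: any change at all is unusual
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def evaluate(observations: List[int], baseline: Tuple[float, float],
             threshold: float = 3.0) -> List[dict]:
    """Score each new observation; flag those that deviate beyond the threshold in either direction."""
    rows = []
    for minute, count in enumerate(observations):
        z = z_score(count, baseline)
        rows.append({"minute": minute, "count": count, "z": round(z, 2), "alert": abs(z) > threshold})
    return rows


# Constructed training window: an hour of per-minute inbound connection counts on a quiet host.
TRAINING = [95, 105, 100, 98, 102, 110, 90, 97, 103, 101] * 6
# Constructed observations: normal noise, a scan burst, normal, a smaller spike, then a near-silent minute.
OBSERVED = [104, 97, 420, 99, 130, 2]


def demo(threshold: float = 3.0) -> List[int]:
    """Return the minutes that would raise an alert at the given threshold."""
    baseline = build_baseline(TRAINING)
    return [row["minute"] for row in evaluate(OBSERVED, baseline, threshold) if row["alert"]]


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    print(f"baseline mean={baseline[0]:.1f} stdev={baseline[1]:.2f}")
    for row in evaluate(OBSERVED, baseline):
        print(row)
```

Both the burst and the silent minute are flagged although neither matches any signature, which is what distinguishes this approach from pattern-based detection; the price is that the threshold decides the false-positive rate, and an attacker who stays within the baseline's spread while the baseline is being learned shifts what the detector later treats as normal, so training windows should be taken from traffic known to be clean.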
1152
Q
Which process involves replacing data with zeros?

A. Formatting
B. Drive wiping
C. Zeroization
D. Degaussing

A

Answer: C. Zeroization
Explanation: Zeroization is the process of erasing sensitive data by overwriting it with zeros. This ensures that the original data is unrecoverable, provided the overwrite actually reaches the storage cells; on flash media with wear leveling an overwrite issued through the file system may not, which is why cryptographic erase or physical destruction is preferred for such media.

1153
Q
Which RAID configuration is characterized by a combination of striping and mirroring?

A. RAID 1
B. RAID 5
C. RAID 10
D. RAID 15

A

Answer: C. RAID 10
Explanation: RAID 10, also known as RAID 1+0, combines the features of RAID 1 (mirroring) and RAID 0 (striping). It stripes data across mirrored pairs. As a result, it offers both performance improvements (from striping) and redundancy (from mirroring).

1154
Q
Which multi-disk technique allows for the utilization of hard drives of varying sizes, provides no speed benefits, does not mirror, and can be implemented on two or more drives?

A. RAID 0
B. RAID 1
C. RAID 5
D. JBOD (Just a Bunch of Disks)

A

Answer: D. JBOD (Just a Bunch of Disks)
Explanation: JBOD stands for “Just a Bunch of Disks” or “Just a Bunch of Drives.” It is a method of combining multiple hard drives into one logical unit, but without any RAID features like redundancy or performance improvement. Each drive operates independently, and the total storage is the sum of all drives.

1154
Q
If you are working on a confidential project that demands an immense amount of computational power, which technique would be most appropriate?

A. Redundant servers
B. Clustering
C. Distributed computing
D. Cloud computing

A

Answer: C. Distributed computing
Explanation: Distributed computing involves using multiple computers, often spread across vast distances, to work together on a single task. This approach can harness a massive amount of processing power by breaking down a problem into smaller parts and processing them concurrently across multiple machines. It’s particularly useful for tasks that require extensive computational resources.

1154
Q
How would you best describe a business continuity/disaster recovery plan?

A. A strategy for preventing disasters
B. A sanctioned set of preparations and adequate procedures to react to disasters
C. A set of actions and methods to respond to disasters without needing managerial consent
D. The necessary preparations and methods to ensure the ongoing operation of all organizational functions

A

Answer: B. A sanctioned set of preparations and adequate procedures to react to disasters
Explanation: A business continuity/disaster recovery plan is a comprehensive approach that outlines how an organization will continue its operations and recover from unforeseen disasters. It’s not just about preventing disasters but having a structured and approved response when they occur.

1155
Q
Which legal and regulatory requirement is universally applicable across all industries?

A. Sarbanes-Oxley
B. HIPAA
C. Due diligence
D. BS25999

A

Answer: C. Due diligence
Explanation: Due diligence refers to the care that a reasonable person or organization exercises to avoid harm to others or their property. It’s a general principle that applies across industries, ensuring that organizations act responsibly and with caution.

1155
Q
Which statement most accurately captures the scope and focus of business continuity or disaster recovery planning within an organization?

A. Continuity planning is a paramount organizational concern encompassing all organizational areas or functions.
B. Continuity planning primarily focuses on technology, emphasizing the recovery of technological assets.
C. Continuity planning is essential only where there’s intricate voice and data communication.
D. Continuity planning is a crucial managerial concern, focusing on the main functions as determined by management.

A

Answer: A. Continuity planning is a paramount organizational concern encompassing all organizational areas or functions.
Explanation: Business continuity planning should be holistic, addressing all parts of an organization. While technology recovery is essential, other functions like human resources, operations, and supply chain management are equally crucial.

1155
Q
The primary objective of a business impact analysis is to

A. Determine the effects of a threat on organizational operations
B. Identify potential loss exposures for the organization
C. Assess the repercussions of a risk on the organization
D. Find the most cost-effective method to eliminate threats

A

Answer: A. Determine the effects of a threat on organizational operations
Explanation: Business impact analysis (BIA) is conducted to understand the potential effects of disruptions on an organization’s operations. It helps in identifying critical functions and the impact if these functions were to be interrupted.

1155
Q
During the risk analysis phase of planning, which action is most effective in managing threats or reducing the consequences of an event?

A. Altering the exercise scenario
B. Crafting recovery procedures
C. Increasing dependence on key personnel
D. Instituting procedural controls

A

Answer: D. Instituting procedural controls
Explanation: Implementing procedural controls is a proactive approach to manage threats and mitigate the effects of potential events. These controls provide structured guidelines and processes to ensure that risks are minimized and managed effectively.

1156
Q
What is the primary reason for introducing additional controls or safeguards?

A. To discourage or eliminate the risk
B. To detect and remove the threat
C. To minimize the threat’s impact
D. To recognize the risk and the threat

A

Answer: A. To discourage or eliminate the risk
Explanation: The main purpose of implementing controls or safeguards is to deter potential threats or to mitigate the associated risks, ensuring that the organization’s assets and operations remain secure.

1157
Q
Which statement most accurately defines a business impact analysis?

A. Risk analysis and organizational impact analysis are synonymous terms describing the same project effort.
B. A business impact analysis measures the likelihood of disruptions within the organization.
C. A business impact analysis is vital for the creation of a business continuity plan.
D. A business impact analysis determines the consequences of disruptions on the organization.

A

Answer: D. A business impact analysis determines the consequences of disruptions on the organization.
Explanation: Business impact analysis (BIA) is primarily concerned with understanding the potential effects of disruptions on an organization’s operations. It helps in identifying critical functions and the impact if these functions were to be interrupted.

1157
Q
  1. The term “disaster recovery” pertains to the restoration of

A. Organizational operations
B. The technological environment
C. The manufacturing environment
D. Personnel environments

A
  1. Answer: B. The technological environment
    Explanation: Disaster recovery primarily focuses
    on the recovery of IT systems and data after a
    disaster. It’s a subset of business continuity planning
    and emphasizes the restoration of IT infrastructure,
    systems, and data.
1158
Q
  1. Which term most accurately describes the effort to understand the potential repercussions of disruptions resulting from a disaster?

A. Business impact analysis
B. Risk analysis
C. Risk assessment
D. Project problem definition

A

45. Answer: A. Business impact analysis
Explanation: Business impact analysis (BIA) is the
process of determining the potential effects of
interruptions to an organization’s operations. It helps
organizations understand the potential consequences
of various disruptions and prioritize recovery
strategies.

1159
Q
  1. What is the primary benefit of utilizing a cold site as a recovery strategy?

A. It’s a more cost-effective recovery option.
B. It can be set up and made operational for any organizational function.
C. It’s preconfigured for communications and can be tailored for organizational functions.
D. It’s the most readily available option for testing server and communication restorations.

A
  1. Answer: A. It’s a more cost-effective recovery option.
    Explanation: A cold site is a backup facility that is
    not immediately ready for use but can be equipped
    and made operational relatively quickly. Its primary
    advantage is that it’s typically less expensive than
    other recovery options, such as hot sites, which are
    fully equipped and ready for immediate use.
1160
Q
  1. Which of the following best describes the components of risk?

A. Natural and man-made disasters
B. Threats, assets, and controls to mitigate them
C. Risk assessment and business impact analysis
D. Business impact analysis and controls to mitigate risks

A
  1. Answer: B. Threats, assets, and controls to mitigate
    them
    Explanation: Risk is typically understood in terms
    of potential threats to assets and the controls in place
    to mitigate those threats. It’s a combination of the
    likelihood of an event occurring and the potential
    impact if it does.
1161
Q
  1. What does the term “recovery time objective” (RTO) refer to?

A. The maximum duration a service or system can be down
B. The duration a disaster recovery process should take
C. The time needed to transition from a primary to a backup site
D. The waiting period before initiating a crisis communication plan

A
  1. Answer: A. The maximum duration a service or system
    can be down
    Explanation: RTO, or recovery time objective,
    refers to the target time within which a business
    process or IT system must be restored after a
    disruption to avoid unacceptable consequences.
1161
Q
  1. Which method is not recommended for testing the business continuity plan?

A. Tabletop exercise
B. Call exercise
C. Simulated exercise
D. Interrupting a live production application or function

A
  1. Answer: D. Interrupting a live production application
    or function
    Explanation: Halting a live production application or function can have real-world consequences and is not a recommended method for testing a business
    continuity plan. The other options are controlled exercises designed to test various aspects of the plan without causing disruptions.
1162
Q
  1. Which backup type allows for the most efficient restoration from tape backup?

A. Full backup
B. Incremental backup
C. Partial backup
D. Differential backup

A
  1. Answer: A. Full backup
    Explanation: A full backup captures all the data in an entire system or subsystem. When restoring from a full backup, all the data can be retrieved in one
    operation, making it the most efficient restore method.
1162
Q
  1. What is the main objective of a well-structured business continuity exercise?

A. To pinpoint the strengths and weaknesses of the plan
B. To meet managerial requirements
C. To adhere to an auditor’s stipulations
D. To sustain shareholder trust

A
  1. Answer: A. To pinpoint the strengths and weaknesses
    of the plan
    Explanation: The primary goal of a business continuity exercise is to test the plan in a controlled environment, allowing the organization to identify areas where the plan excels and areas that need improvement.
1162
Q
  1. What is a primary advantage of a hot site recovery solution?

A. It’s more cost-effective.
B. It’s highly available.
C. It ensures zero downtime
D. It requires no maintenance.

A
  1. Answer: B. It’s highly available.
    Explanation: A hot site is a fully equipped data center that can take over operations almost immediately after a disaster. Its primary advantage is its high availability, ensuring minimal disruption to operations.
1163
Q
  1. If a service’s recovery point objective is zero, which strategy is best to ensure this requirement is met?

A. RAID 6 with a hot site alternative
B. RAID 0 with a warm site alternative
C. RAID 0 with a cold site alternative
D. RAID 6 with a reciprocal agreement

A
  1. Answer: A. RAID 6 with a hot site alternative
    Explanation: A recovery point objective (RPO) of
    zero means no data loss is acceptable. RAID 6
    provides fault tolerance and can handle two
    simultaneous drive failures. Paired with a hot site,
    which is a fully equipped data center ready for
    immediate use, this combination ensures both data
    integrity and rapid recovery. RAID 0, on the other
    hand, offers no redundancy and is not suitable for
    scenarios where data loss is unacceptable.
1163
Q
  1. When is the optimal time to update and maintain a business continuity plan?

A. Yearly or upon an auditor’s request
B. Only when new software versions are rolled out
C. Exclusively when new hardware is introduced
D. As part of the configuration and change management procedure

A
  1. Answer: D. As part of the configuration and change
    management procedure
    Explanation: Business continuity plans should be
    updated regularly to reflect changes in the
    organization’s environment, operations, or risk
    profile. Integrating updates into the configuration and
    change management process ensures that the plan
    remains current and relevant.
1163
Q
  1. Which factor is paramount for the success of business continuity?

A. Support from senior leadership
B. A competent technical support team
C. A comprehensive Wide Area Network infrastructure
D. A cohesive incident response team

A
  1. Answer: A. Support from senior leadership
    Explanation: While all the options are important,
    the support and commitment of senior leadership are
    crucial for the success of business continuity. Their
    support ensures that the necessary resources are
    allocated, and it emphasizes the importance of
    continuity planning throughout the organization.
1163
Q
  1. If the recovery time objective for a service is two months, which alternate site strategy is most suitable?

A. Cold site
B. Reciprocal agreement
C. Warm site
D. Hot site

A
  1. Answer: A. Cold site
    Explanation: A cold site is a backup facility that is
    not immediately ready for use but can be equipped
    and made operational within a certain time frame.
    Given a recovery time objective of two months, a cold
    site would be the most cost-effective and suitable
    option.
1164
Q
  1. What is the main role of a physical protection system?

A. Ascertain, guide, and dispatch
B. Detect, delay, and respond
C. Display, develop, initiate, and capture
D. Evaluate, dispatch, and detain

A
  1. Answer: B. Detect, delay, and respond
    Explanation: The primary function of a physical
    protection system is to detect any unauthorized
    activities or intrusions, delay the intruder’s progress,
    and respond to the situation, either by alerting
    security personnel or initiating other security
    measures.
1165
Q
  1. For a successful vulnerability assessment, understanding protection systems is crucial through which of the following?

A. Threat definition, target identification, and facility characterization
B. Threat definition, conflict control, and facility characterization
C. Risk assessment, threat identification, and incident review
D. Threat identification, vulnerability evaluation, and access review

A
  1. Answer: A. Threat definition, target identification, and
    facility characterization
    Explanation: A comprehensive vulnerability
    assessment requires understanding the potential
    threats, identifying potential targets, and
    characterizing the facility’s features and
    vulnerabilities.
1165
Q
  1. What is the strategy called that involves creating multiple layers of protection around a resource or facility?

A. Secured boundary
B. Defense in depth
C. Strengthened barrier deterrent
D. Reasonable asset defense

A
  1. Answer: B. Defense in depth
    Explanation: Defense in depth is a security
    strategy that employs multiple layers of defense to
    protect assets. This approach ensures that if one layer
    is breached, additional layers remain to provide
    protection.
1165
Q
  1. In which scenarios is laminated glass recommended?

A. All external glass windows
B. Interior boundary breaches and vital infrastructure facilities
C. Windows at street level, entrances, and other access points
D. Capacitance proximity, intrusion detection locations, and boundary breaches

A

59. Answer: C. Windows at street level, entrances, and
other access points
Explanation: Laminated glass is designed to
remain intact even when shattered, making it ideal for
areas vulnerable to break-ins or accidental damage,
such as street-level windows and doorways.

1166
Q
  1. Which technique is most effective in shaping a physical environment to positively impact human behavior and reduce crime?

A. Asset protection and vulnerability evaluations
B. Minimizing vulnerability by safeguarding, compensating, or transferring the risk
C. Crime prevention through environmental design
D. Implementing employee screening and programs against workplace violence

A
  1. Answer: C. Crime prevention through environmental
    design
    Explanation: Crime prevention through
    environmental design (CPTED) is a multidisciplinary
    approach to deterring criminal behavior through
    environmental design. It focuses on designing a
    physical environment that positively influences human
    behavior, making spaces less conducive to crime and
    more conducive to positive social interaction.
1167
Q
  1. What is the recommended lighting level for safety in perimeter zones like parking areas or garages?

A. 3 fc
B. 5 fc
C. 7 fc
D. 10 fc

A
  1. Answer: B. 5 fc
    Explanation: Adequate lighting is essential for
    safety in perimeter areas. A level of 5 foot-candles (fc)
    is commonly recommended for such zones to ensure
    visibility and deter potential threats.
1167
Q
  1. What is the cornerstone of an effective physical protection system?

A. Integration of individuals, processes, and equipment
B. Combination of technology, risk evaluation, and human engagement
C. Safeguarding, compensating, and risk transfer
D. Detection, prevention, and reaction

A

62. Answer: A. Integration of individuals, processes, and
equipment
Explanation: An effective physical protection
system relies on the harmonious integration of people
(who operate and respond to the system), procedures
(the guidelines and protocols in place), and
equipment (the physical and technological tools
used).

1168
Q
  1. What is the main goal of regulating access to a facility or zone?

A. Manage time controls for all staff members
B. Ensure only authorized individuals gain entry
C. Prevent potential threats or unauthorized materials that could be used for sabotage
D. For identification purposes

A
  1. Answer: B. Ensure only authorized individuals gain
    entry
    Explanation: The primary purpose of access control
    is to ensure that only those with the appropriate
    permissions or credentials can enter a specific area or
    facility, thereby maintaining security.
1169
Q
  1. Which interior sensor is most suitable for a structure with ground-floor windows?

A. Infrared glass-break sensor
B. Ultrasonic glass-break sensors
C. Acoustic/shock glass-break sensors
D. Volumetric sensors

A
  1. Answer: C. Acoustic/shock glass-break sensors
    Explanation: Acoustic or shock glass-break sensors
    detect the specific frequencies or vibrations
    associated with breaking glass, making them ideal for
    buildings with accessible windows.
1170
Q
  1. Which options accurately represent three distinct functions of CCTV?

A. Monitoring, deterrence, and evidence collection
B. Intrusion detection, containment, and response
C. Optical scanning, infrared projection, and illumination
D. Observation, white balancing, and inspection

A
  1. Answer: A. Monitoring, deterrence, and evidence
    collection
    Explanation: CCTV systems primarily serve to
    monitor areas, act as a deterrent to potential
    intruders or malicious actors, and provide evidence in
    case of incidents.
1171
Q
  1. While security technologies aren’t a panacea for all organizational security challenges, what benefit do they offer when applied correctly?

A. Reduction in electricity expenses
B. Enhancement of the security framework, often leading to cost savings for the organization
C. Government tax breaks for improved physical security systems
D. Increased property value due to advanced integrated technologies

A

67. Answer: B. Enhancement of the security framework,
often leading to cost savings for the organization
Explanation: When security technologies are
appropriately implemented, they can bolster the
organization’s security measures. This not only
enhances protection but can also lead to operational
efficiencies and cost savings in the long run.

1172
Q
  1. For what primary reason should a comprehensive evaluation of a facility or structure be conducted?

A. To identify the locations of all fire exits
B. In relation to the specified threats and the worth of the organization’s assets
C. To tally the number of staff members inside the facility
D. To assess the robustness of the boundary walls

A
  1. Answer: B. In relation to the specified threats and the
    worth of the organization’s assets
    Explanation: A meaningful assessment of a facility
    should be conducted to understand the potential
    threats against it and to evaluate the security
    measures in place relative to the value of the assets it
    houses.
1173
Q
  1. Which of the following is the optimal example of designing a new facility with security in mind?

A. Minimizing the number of entrances that need monitoring, staffing, and protection
B. Cutting down costs related to energy consumption for the physical security system
C. Providing employees with easy access without them being aware of the security measures monitoring them
D. Applying blast-resistant film to all external windows

A
  1. Answer: A. Minimizing the number of entrances that
    need monitoring, staffing, and protection
    Explanation: When designing a facility with
    security as a priority, it’s crucial to limit potential
    vulnerabilities. By reducing the number of entrances,
    the facility can more effectively monitor, staff, and
    secure those points of entry.
1174
Q
  1. Why is it an established protocol for all visitors to sign in and out using a visitor’s log when entering a facility?

A. For detection, responsibility, and the potential need for action
B. For access control and observation
C. To record the duration of the visit, the person visited, and to account for everyone in emergencies
D. For planning evaluation and proper designation requirements

A

70. Answer: C. To record the duration of the visit, the
person visited, and to account for everyone in
emergencies
Explanation: A visitor’s log serves multiple
purposes, but its primary function is to maintain a
record of individuals entering and exiting the facility.
This ensures that in case of emergencies, there’s an
accurate account of everyone present, enhancing
safety and accountability.

1174
Q
  1. What is the most effective method to safeguard the physical components linked to the alarm system?

A. Tamper protection
B. Target fortification
C. Security design
D. UL 2050 standard

A
  1. Answer: A. Tamper protection
    Explanation: Tamper protection mechanisms are
    designed to prevent unauthorized access or
    interference with the physical components of an
    alarm system. If someone tries to tamper with the
    system, an alert is typically triggered, ensuring the
    system’s integrity and reliability.
1175
Q
  1. When utilizing portable computing devices or media, either within a facility or outside for legitimate business reasons, which protective measures are BEST to ensure their security?

A. Cable locks, encryption, password safeguards, and heightened awareness
B. Mitigating vulnerability through protection, risk offset, or risk transfer
C. Operational readiness, physical security systems, and standard operating procedures
D. Enhancing awareness, environmental design, and physical security measures

A
  1. Answer: A. Cable locks, encryption, password
    safeguards, and heightened awareness
    Explanation: Portable devices are vulnerable to
    theft or unauthorized access. Employing physical
    measures like cable locks, combined with digital
    security measures like encryption and password
    protection, and fostering a heightened awareness
    among users are the best practices to ensure their
    security.
1175
Q
  1. Which systems authenticate individuals based on unique physical characteristics like fingerprints, eye patterns, or voice?

A. Biometric devices
B. Technological systems
C. Physiometric devices
D. Physical analysis devices

A
  1. Answer: A. Biometric devices
    Explanation: Biometric devices authenticate
    individuals based on their unique physical or
    behavioral characteristics. These can include
    fingerprints, retina or iris patterns, voice recognition,
    and facial recognition, among others.
1175
Q
  1. Physical security is implemented using what kind of approach with protective measures to deter unauthorized access or property damage?

A. Layers
B. Methods
C. Varieties
D. Types

A
  1. Answer: A. Layers
    Explanation: The layered approach to physical
    security ensures that multiple levels of protection are
    in place. If one layer is breached, additional layers
    remain to provide protection, making it more
    challenging for unauthorized individuals to gain
    access or cause damage.
1176
Q
  1. What term describes a thorough review of a facility, encompassing physical security controls, policies, procedures, and employee safety?

A. Availability assessment
B. Security survey
C. Budgetary and financial review
D. Defense in depth

A
  1. Answer: B. Security survey
    Explanation: A security survey provides a
    comprehensive overview of a facility’s security
    posture. It evaluates physical security controls,
    policies, procedures, and ensures the safety of
    employees, identifying potential vulnerabilities and
    areas for improvement.
1177
Q
  1. Which security measure is most effective in preventing unauthorized access methods like “piggybacking” or “tailgating”?

A. Cameras
B. Turnstiles
C. Keys
D. Identification badges

A
  1. Answer: B. Turnstiles
    Explanation: Turnstiles are physical barriers that
    allow only one person to pass at a time, making it
    difficult for someone to “piggyback” or “tailgate”
    behind an authorized individual. They are especially
    effective in high-security areas or entrances where
    strict access control is required.
1178
Q
  1. From which source does the most significant threat of cybercrime originate?

A. External actors
B. State-sponsored actors
C. Internal actors or employees
D. Novice hackers or enthusiasts

A
  1. Answer: C. Internal actors or employees
    Explanation: While all the listed entities pose
    threats, insiders often have direct access to an
    organization’s systems and data, making them a
    significant risk. They might exploit their access for
    malicious purposes, either intentionally or
    inadvertently.
1179
Q
  1. What is the primary obstacle in combating computer-related crimes?

A. Cybercriminals tend to be more intelligent than cyber investigators.
B. Insufficient funds to stay ahead of cybercriminals.
C. The global nature of computer crime activities.
D. The overwhelming number of cybercriminals compared to investigators.

A
  1. Answer: C. The global nature of computer crime
    activities
    Explanation: Computer crime often transcends
    borders, making jurisdiction and international
    cooperation challenging. While all the options present
    challenges, the international nature of cybercrime
    complicates investigations, prosecution, and
    prevention.
1179
Q
79. Computer forensics combines computer science, IT, and engineering with which of the following?

A. Legal principles
B. Information systems
C. Analytical reasoning
D. Scientific methodology

A
  1. Answer: A. Legal principles
    Explanation: Computer forensics involves the
    collection, analysis, and preservation of digital
    evidence in a manner that is legally admissible in a
    court of law. Thus, it marries technical expertise with
    legal principles.
1179
Q
  1. Which principle suggests that a criminal always leaves behind evidence while also taking something from the crime scene?

A. Meyer’s principle of legal non-liability
B. Principles of criminalistics
C. IOCE/Group of 8 Nations principles for computer forensics
D. Locard’s exchange principle

A
  1. Answer: D. Locard’s exchange principle
    Explanation: Dr. Edmond Locard posited that every
    contact leaves a trace. This means that criminals will
    always leave some evidence behind at a crime scene
    and simultaneously take something with them.
1180
Q
  1. Which legal system primarily focuses on theoretical legal concepts and is influenced by academic writings and scholars?

A. Criminal law
B. Civil law
C. Theocratic law
D. Regulatory law

A
  1. Answer: B. Civil law
    Explanation: Civil law, also known as code-based
    or codified law, is based on comprehensive statutes
    and codes that emphasize abstract legal principles. It
    is influenced by legal scholars and is distinct from
    common law systems.
1181
Q
  1. Which combination correctly represents the essential rules of evidence?

A. Be genuine, be duplicated, and be permissible in court.
B. Be exhaustive, be genuine, and be permissible in court.
C. Be exhaustive, be duplicated, and be genuine.
D. Be duplicated, be permissible in court, and be exhaustive.

A
  1. Answer: B. Be exhaustive, be genuine, and be
    permissible in court.
    Explanation: For evidence to be effective in a legal
    setting, it must be complete (covering all aspects of
    the matter), authentic (verifiable and genuine), and
    admissible (acceptable in a court of law).
1182
Q
  1. Which of the following is not typically considered a stage in the incident response process?

A. Recordkeeping
B. Legal action
C. Isolation
D. Examination

A
  1. Answer: B. Legal action
    Explanation: While prosecution might be an
    outcome or follow-up to an incident response, it is not
    typically considered a phase of the incident response
    process itself. The primary stages often include
    preparation, identification, containment, eradication,
    recovery, and lessons learned/documentation.
1183
Q
  1. Which intellectual property right safeguards the reputation and brand recognition a business establishes for its products?

A. Brand mark
B. Invention protection
C. Literary and artistic works protection
D. Business confidential information

A
  1. Answer: A. Brand mark (trademark)
    Explanation: Trademarks protect symbols, names,
    and slogans used to identify goods or services. They
    safeguard the goodwill and brand recognition a
    company has built.
1183
Q
  1. Which form of intellectual property protection covers the representation of ideas, rather than the ideas themselves?

A. Brand mark
B. Invention protection
C. Literary and artistic works protection
D. Business confidential information

A
  1. Answer: C. Literary and artistic works protection
    (copyright)
    Explanation: Copyrights protect the expression of
    ideas, such as writings, music, and art. They do not
    protect the underlying ideas themselves.
1184
Q
  1. Which combinations represent recognized guidelines in the field of computer forensics?

A. IOCE, Method of Operation (MOM), and SWGDE
B. Method of Operation (MOM), SWGDE, and IOCE
C. IOCE, SWGDE, and ACPO
D. ACPO, Method of Operation (MOM), and IOCE

A
  1. Answer: C. IOCE, SWGDE, and ACPO
    Explanation: IOCE (International Organization on
    Computer Evidence), SWGDE (Scientific Working
    Group on Digital Evidence), and ACPO (Association of
    Chief Police Officers) are all recognized entities that
    provide guidelines and best practices in the field of
    computer forensics.
1185
Q
  1. Which of the following options lists types of software licenses?

A. No-cost software, open source, and paid software
B. Paid software, educational, and open source
C. Educational, no-cost software, and open source
D. No-cost software, paid software, and educational

A

87. Answer: A. No-cost software, open source, and paid
software (freeware, open source, and commercial)
Explanation: Freeware is software that is available
at no cost. Open source software is software for which
the original source code is made freely available and
may be redistributed and modified. Commercial
software is sold for profit.

1186
Q
  1. Which term best describes the rights and responsibilities related to the handling of personal data?

A. Personal rights
B. Confidentiality
C. Data accessibility
D. Data trustworthiness

A

88. Answer: A. Personal rights (privacy)
Explanation: Privacy pertains to the rights and
obligations of individuals and organizations
concerning the collection, use, retention, and
disclosure of personal information.

1186
Q
  1. Which of the following best describes the initial stages of responding to an incident?

A. Gathering, moving, testifying
B. Tracing, replying, returning
C. Spotting, recognizing, alerting
D. Securing, ensuring, providing

A

89. Answer: C. Spotting, recognizing, alerting (detection,
identification, notification)
Explanation: Triage in incident response typically
involves detecting the incident, identifying its nature,
and notifying relevant stakeholders.

1186
Q
  1. How can the authenticity of a forensic digital copy be verified?

A. By comparing digital signatures with the original
B. Through meticulous recordkeeping
C. By photographing the process
D. Using cryptographic keys

A
  1. Answer: A. By comparing digital signatures with the
    original (comparing hash totals to the original source)
    Explanation: Hash values (like MD5 or SHA-256)
    are used to verify the integrity of data. If the hash
    value of the original matches the hash value of the
    copy, it indicates that the copy is an exact replica of
    the original.
1186
Q
  1. Regarding digital evidence, the crime scene should

A. Remain untouched
B. Be able to be duplicated in court
C. Be located in a single jurisdiction
D. Have minimal interference

A
  1. Answer: D. Have minimal interference (must have the
    least amount of contamination that is possible)
    Explanation: While it’s crucial to preserve the
    integrity of a digital crime scene, it’s also understood
    that some interaction might be necessary for
    investigation. The goal is to minimize any changes or
    contamination.
1187
Q
  1. When IT systems are outsourced

A. All legal and compliance responsibilities are transferred to the service provider.
B. The outsourcing organization no longer has compliance responsibilities.
C. The outsourced IT systems are exempt from compliance responsibilities.
D. The service provider is exempt from compliance responsibilities.

A
  1. Answer: A. All legal and compliance responsibilities
    are transferred to the service provider.
    Explanation: While the service provider has its own
    set of responsibilities, the primary organization
    remains ultimately responsible for ensuring
    compliance. It’s essential to ensure that any
    outsourced services meet the required compliance
    standards.
1188
Q
  1. How does the ISC2 Code of Ethics address conflicts between its principles?

A. It states that conflicts between principles are impossible.
B. It resolves them through a formal adjudication process.
C. It uses the order in which the principles are listed.
D. It refers all conflicts to its board of directors for resolution.

A
  1. Answer: C. It uses the order in which the principles
    are listed (the order of the canons).
    Explanation: The ISC2 Code of Ethics uses the
    order of its canons (principles) to prioritize and
    resolve conflicts.
1188
Q
  1. To ensure proper forensic procedures are followed when needed, an incident response program should

A. Ensure the organization’s legal team is not involved
B. Regularly create digital copies of all computers
C. Only escalate closed incidents to law enforcement
D. Approach every incident as if it might lead to legal action

A
  1. Answer: D. Approach every incident as if it might lead
    to legal action (treat every incident as though it may
    be a crime)
    Explanation: By treating every incident as a
    potential crime, organizations ensure that evidence is
    preserved and handled correctly from the outset.
1189
Q
  1. If a hard drive is recovered from a submerged vehicle and is needed for a court case, what is the best method to retrieve data from the drive?

A. Let the drive dry, install it in a computer, and use standard commands to access the data.
B. Dry the drive in a forensic oven, use a degausser to remove humidity, then access the data using a laptop.
C. Make a forensic copy of the drive while it’s still wet.
D. Contact a professional data recovery service, explain the situation, and ask them to create a forensic image.

A
  1. Answer: D. Contact a professional data recovery
    service, explain the situation, and ask them to create
    a forensic image.
    Explanation: Professional data recovery services
    have the expertise and equipment to handle such
    situations. They can ensure that the data is retrieved
    without further damaging the drive or compromising
    the integrity of the evidence.
1190
Q
  1. Among the listed cloud service models, which one grants an organization the highest degree of administrative control while also necessitating that the organization undertake comprehensive maintenance responsibilities for both the operating systems and applications?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Public Cloud Service

A

96. Answer: A. Infrastructure as a Service (IaaS)
Explanation: Infrastructure as a Service (IaaS)
provides an organization with the most control over
its cloud resources, including virtual machines,
storage, and networking. However, this level of
control comes with the responsibility of managing and
maintaining the operating systems and applications.
Unlike PaaS and SaaS, where the cloud provider takes
on more of the management burden, IaaS requires the
organization to handle all aspects of maintenance and
administration.

1191
Q
  1. Which of the following IDS types is best suited for detecting zero-day attacks?

A. Signature-based IDS
B. Anomaly-based IDS
C. Stateful protocol analysis IDS
D. Heuristic-based IDS

A

98. Answer: B. Anomaly-based IDS
Explanation: Anomaly-based IDS systems are
effective in detecting zero-day attacks because they
identify deviations from established baselines, rather
than relying on known signatures.

1191
Q
  1. Which of the following is the most secure method for storing log files?

A. On the same server as the application
B. On a dedicated logging server
C. On removable media
D. In a public cloud storage service

A
  1. Answer: B. On a dedicated logging server
    Explanation: Storing log files on a dedicated
    logging server is generally the most secure method as
    it isolates the logs from potential compromise of the
    application or system being monitored.
1192
Q
A