CISSP-P2 Flashcards

1
Q

Asymmetry

Public key request
Public key received
Encrypt using public key
Receiver uses private key to decrypt

True or false

A

True

2
Q

Asymmetry

Public key request
Public key received
Encrypt using private key
Receiver uses private key to decrypt

True or false

A

False

3
Q

Asymmetry

Private key request
Private key received
Encrypt using private key
Receiver uses public key to decrypt

True or false

A

False

4
Q

To Memory - Hash functions have 5 requirements

They must allow input of any length
Provide fixed-length output
Make it relatively easy to compute the hash function for any input
Provide one-way functionality
Must be collision free

A

5
Q

To Memory - A collision in hashes is when two different inputs put through a hash function generate the same output.

A

6
Q

Cryptographic Salts - A salt is used as an additional input to a one-way function that hashes data, a password or a phrase.
Adding this _______ to the passwords before hashing them reduces the effectiveness of rainbow table attacks.

Salts
DES
3DES

A

Salts

7
Q

The Digital Signature Standard uses SHA-1, SHA-2 and SHA-3. Which of the following is also used in DSS?

Salt function
Message Digest function

A

Message Digest function used in DSS

8
Q

In PKI, what do certificate recipients use to validate the certificate?

User public key
CA Public key

A

CA Public key

9
Q

Where would you use S/MIME and Pretty Good Privacy (PGP)?

Email
Web
Network

A

Email

10
Q

Where would you use TLS?

Email
Web
Network

A

Web

11
Q

Where would you use IPSEC?

Email
Web
Network

A

Network

12
Q

IPSEC has 2 modes

Transport Tunnel-Tunnel Mode
Transport Timeout-Tunnel Pair

A

Transport Tunnel-Tunnel Mode

13
Q

IPSEC uses 2 protocols

Authentication Header- Encapsulating payload
Authorization Header- Encapsulating payload

A

Authentication Header- Encapsulating payload

14
Q

To Memory-
If you want to encrypt a confidential message, use the recipient’s public key.

If you want to decrypt a confidential message sent to you, use your private key.

If you want to digitally sign a message you are sending to someone else, use your private key.

If you want to verify the signature on a message sent by someone else, use the sender’s public key.

A

15
Q

Brian computes the digest of a single sentence of text using a SHA-2 hash function. He then changes a single character of the sentence and computes the hash value again. Which one of the following statements is true about the new hash value?

A. The new hash value will be one character different from the old hash value.
B. The new hash value will share at least 50 percent of the characters of the old hash value.
C. The new hash value will be unchanged.
D. The new hash value will be completely different from the old hash value.

A

D. Any change, no matter how minor, to a message will result in a completely different hash
value. There is no relationship between the significance of the change in the message and the
significance of the change in the hash value.

16
Q

Alan believes that an attacker is collecting information about the electricity consumption of a sensitive cryptographic device and using that information to compromise encrypted data.
What type of attack does he suspect is taking place?

A. Brute force
B. Side channel
C. Known plaintext
D. Frequency analysis

A

B. Side-channel attacks use information gathered about a system’s use of resources, timing, or other characteristics to contribute to breaking the security of encryption. Brute-force attacks seek to exhaust all possible encryption keys. Known plaintext attacks require access to both plaintext and its corresponding ciphertext. Frequency analysis attacks require access to ciphertext.

17
Q

If Richard wants to send a confidential encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message?

A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key

A

C. Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard’s private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard’s freely available public key. Richard could not encrypt the message using Sue’s private key because he does not have access to it. If he did, any user could decrypt it using Sue’s freely available public key.

18
Q

If a 2,048-bit plaintext message were encrypted with the ElGamal public key cryptosystem, how long would the resulting ciphertext message be?

A. 1,024 bits
B. 2,048 bits
C. 4,096 bits
D. 8,192 bits

A

C. The major disadvantage of the ElGamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plaintext message would yield a 4,096-bit ciphertext message when ElGamal is used for the encryption process.

19
Q

Acme Widgets currently uses a 3,072-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If the company wants to maintain the same cryptographic strength, what ECC key length should it use?

A. 256 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

A

A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 3,072-bit RSA key is cryptographically equivalent to a 256-bit elliptic curve cryptosystem key.

20
Q

John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-2 hashing algorithm, what is a possible size for the message digest generated?

A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

A

B. The SHA-2 hashing algorithm comes in four variants. SHA-224 produces 224-bit digests. SHA-256 produces 256-bit digests. SHA-384 produces 384-bit digests, and SHA-512 produces 512-bit digests. Of the options presented here, only 512 bits is a valid SHA-2 hash length.

21
Q

After conducting a survey of encryption technologies used in her organization, Melissa suspects that some may be out of date and pose security risks. Which one of the following technologies is considered flawed and should no longer be used?

A. SHA-3
B. TLS 1.2
C. IPsec
D. SSL 3.0

A

D. The Secure Sockets Layer (SSL) protocol is deprecated and no longer considered secure. It should never be used. The Secure Hash Algorithm 3 (SHA-3), Transport Layer Security (TLS) 1.2, and IPsec are all modern, secure protocols and standards.

22
Q

You are developing an application that compares passwords to those stored in a Unix password file. The hash values you compute are not correctly matching those in the file. What might have been added to the stored password hashes?

A. Salt
B. Double hash
C. Added encryption
D. One-time pad

A

A. Cryptographic salt values are added to the passwords in password files before hashing to defeat rainbow table and dictionary attacks. Double hashing does not provide any added security. Adding encryption to the passwords is challenging, because then the operating system must possess the decryption key. A one-time pad is only appropriate for use in human-to-human communications and would not be practical here.

23
Q

Richard received an encrypted message sent to him from Sue. Sue encrypted the message using the RSA encryption algorithm. Which key should Richard use to decrypt the message?

A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key

A

B. Sue would have encrypted the message using Richard’s public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.

24
Q

Richard wants to digitally sign a message he’s sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest?

A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key

A

B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard’s public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.

25
Q

Which one of the following algorithms is not supported by the Digital Signature Standard under FIPS 186-4?

A. Digital Signature Algorithm
B. RSA
C. ElGamal DSA
D. Elliptic Curve DSA

A

C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

26
Q

Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication?

A. X.500
B. X.509
C. X.900
D. X.905

A

B. X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.

27
Q

Ron believes that an attacker accessed a highly secure system in his data center and applied high-voltage electricity to it in an effort to compromise the cryptographic keys that it uses. What type of attack does he suspect?

A. Implementation attack
B. Fault injection
C. Timing
D. Chosen ciphertext

A

B. Fault injection attacks compromise the integrity of a cryptographic device by causing some type of external fault, such as the application of high-voltage electricity. Implementation attacks rely on flaws in the cryptographic algorithm. Timing attacks measure the length of time consumed by encryption operations. Chosen ciphertext attacks require access to the algorithm and work by having the attacker perform encryption that results in an expected ciphertext.

28
Q

Brandon is analyzing network traffic and is searching for user attempts to access websites over secure TLS connections. What TCP port should Brandon add to his search filter because it would normally be used by this traffic?

A. 22
B. 80
C. 443
D. 1443

A

C. HTTPS uses TCP port 443 for encrypted client/server communications over TLS. Port 22 is used by the secure shell (SSH) protocol. Port 80 is used by the unencrypted HTTP protocol. Port 1433 is used for Microsoft SQL Server database connections.

29
Q

Beth is assessing the vulnerability of a cryptographic system to attack. She believes that the cryptographic keys are properly secured and that the system is using a modern, secure algorithm. Which one of the following attacks would most likely still be possible against the system by an external attacker who did not participate in the system and did not have physical access to the facility?

A. Ciphertext only
B. Known plaintext
C. Chosen plaintext
D. Fault injection

A

A. An attacker without any special access to the system would only be able to perform ciphertext-only attacks. Known plaintext and chosen plaintext attacks require the ability to encrypt data. Fault injection attacks require physical access to the facility.

30
Q

Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack?

A. Rainbow tables
B. Hierarchical screening
C. TKIP
D. Random enhancement

A

A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password-cracking attacks.

31
Q

Chris is searching a Windows system for binary key files and wishes to narrow his search using file extensions. Which one of the following certificate formats is closely associated with Windows binary certificate files?

A. CCM
B. PEM
C. PFX
D. P7B

A

C. The PFX format is most closely associated with Windows systems that store certificates in binary format, whereas the P7B format is used for Windows systems storing files in text format. The PEM format is another text format, and the CCM format does not exist.

32
Q

What is the major disadvantage of using certificate revocation lists?

A. Key management
B. Latency
C. Record keeping
D. Vulnerability to brute-force attacks

A

B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

33
Q

Which one of the following encryption algorithms is now considered insecure?

A. ElGamal
B. RSA
C. Elliptic Curve Cryptography
D. Merkle–Hellman Knapsack

A

D. The Merkle–Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.

34
Q

Brian is upgrading a system to support SSH2 rather than SSH1. Which one of the following advantages will he achieve?

A. Support for multifactor authentication
B. Support for simultaneous sessions
C. Support for 3DES encryption
D. Support for IDEA encryption

A

B. SSH2 adds support for simultaneous shell sessions over a single SSH connection. Both SSH1 and SSH2 are capable of supporting multifactor authentication. SSH2 actually drops support for the IDEA algorithm, whereas both SSH1 and SSH2 support 3DES.

35
Q
Ryan is responsible for managing the cryptographic keys used by his organization. Which of the following statements are correct about how he should select and manage those keys? (Choose all that apply.)

A. Keys should be sufficiently long to protect against future attacks if the data is expected to remain sensitive.
B. Keys should be chosen using an approach that generates them from a predictable pattern.
C. Keys should be maintained indefinitely.
D. Longer keys provide greater levels of security.

A

A, D. Keys must be long enough to withstand attack for as long as the data is expected to remain sensitive. They should not be generated in a predictable way but, rather, should be randomly generated. Keys should be securely destroyed when they are no longer needed and not indefinitely retained. Longer keys do indeed provide greater security against brute force attacks.

36
Q
John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message?

A. Nonrepudiation
B. Confidentiality
C. Availability
D. Integrity

A

A. Nonrepudiation prevents the sender of a message from later denying that they sent it. Confidentiality protects the contents of encrypted data from unauthorized disclosure. Integrity protects data from unauthorized modification. Availability is not a goal of cryptography.

37
Q

You are implementing AES encryption for files that your organization plans to store in a cloud storage service and wish to have the strongest encryption possible. What key length should you choose?

A. 192 bits
B. 256 bits
C. 512 bits
D. 1,024 bits

A

B. The strongest keys supported by the Advanced Encryption Standard are 256 bits. The valid AES key lengths are 128, 192, and 256 bits.

38
Q
You are creating a security product that must facilitate the exchange of symmetric encryption keys between two parties that have no way to securely exchange keys in person. What algorithm might you use to facilitate the exchange?

A. Rijndael
B. Blowfish
C. Vernam
D. Diffie–Hellman

A

D. The Diffie–Hellman algorithm allows the exchange of symmetric encryption keys between two parties over an insecure channel.

39
Q

What occurs when the relationship between the plaintext and the key is complicated enough that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key? (Choose all that apply.)

A. Confusion
B. Transposition
C. Polymorphism
D. Diffusion

A

A, D. Confusion and diffusion are two principles underlying most cryptosystems. Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key. Diffusion occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

40
Q

Randy is implementing an AES-based cryptosystem for use within his organization. He would like to better understand how he might use this cryptosystem to achieve his goals.
Which of the following goals are achievable with AES? (Choose all that apply.)

A. Nonrepudiation
B. Confidentiality
C. Authentication
D. Integrity

A

B, C, D. AES provides confidentiality, integrity, and authentication when implemented properly. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message and cannot be achieved with a symmetric cryptosystem, such as AES.

41
Q

Brian encountered encrypted data left on one of his systems by attackers who were communicating with one another. He has tried many cryptanalytic techniques and was unable to decrypt the data. He believes that the data may be protected with an unbreakable system. When correctly implemented, what is the only cryptosystem known to be unbreakable?

A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad

A

D. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks. All other cryptosystems, including transposition ciphers, substitution ciphers, and even AES, are vulnerable to attack, even if no attack has yet been discovered.

42
Q

Helen is planning to use a one-time pad to meet a unique cryptographic requirement in her organization. She is trying to identify the requirements for using this cryptosystem. Which of the following are requirements for the use of a one-time pad? (Choose all that apply.)

A. The encryption key must be at least one-half the length of the message to be encrypted.
B. The encryption key must be randomly generated.
C. Each one-time pad must be used only once.
D. The one-time pad must be physically protected against disclosure.

A

B, C, D. The encryption key must be at least as long as the message to be encrypted. This is because each key element is used to encode only one character of the message. The three other facts listed are all characteristics of one-time pad systems.

43
Q

Brian administers a symmetric cryptosystem used by 20 users, each of whom has the ability to communicate privately with any other user. One of those users lost control of their account and Brian believes that user’s keys were compromised. How many keys must he change?

A. 1
B. 2
C. 19
D. 190

A

C. In a symmetric cryptosystem, a unique key exists for each pair of users. In this case, every key involving the compromised user must be changed, meaning that the key that the user shared with each of the other 19 users must be changed.

44
Q

Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher

A

C. Block ciphers operate on message “chunks” rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.

45
Q

James is the administrator for his organization’s symmetric key cryptographic system. He issues keys to users when the need arises. Mary and Beth recently approached him and presented a need to be able to exchange encrypted files securely. How many keys must James generate?

A. One
B. Two
C. Three
D. Four

A

A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction. Therefore, James only needs to create a single symmetric key to facilitate this communication.

46
Q

Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using?

A. Split knowledge
B. M of N Control
C. Work function
D. Zero-knowledge proof

A

B. M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. M of N Control is an example of a split knowledge technique, but not all split knowledge techniques are used for key escrow.

47
Q

What is used to increase the strength of cryptography by creating a unique ciphertext every time the same message is encrypted with the same key?

A. Initialization vector
B. Vigenère cipher
C. Steganography
D. Stream cipher

A

A. An initialization vector (IV) is a random bit string (a nonce) that is the same length as the block size that is XORed with the message. IVs are used to create a unique ciphertext every time the same message is encrypted with the same key. Vigenère ciphers are an example of a substitution cipher technique. Steganography is a technique used to embed hidden messages within a binary file. Stream ciphers are used to encrypt continuous streams of data.

48
Q

Tammy is choosing a mode of operation for a symmetric cryptosystem that she will be using in her organization. She wants to choose a mode that is capable of providing both confidentiality and data authenticity. What mode would best meet her needs?

A. ECB
B. GCM
C. OFB
D. CTR

A

B. Galois/Counter Mode (GCM) and Counter with Cipher Block Chaining Message Authentication Code mode (CCM) are the only two modes that provide both confidentiality and data authenticity. Other modes, including Electronic Code Book (ECB), Output Feedback (OFB), and Counter (CTR) modes, only provide confidentiality.

49
Q

Julie is designing a highly secure system and is concerned about the storage of unencrypted data in RAM. What use case is she considering?

A. Data in motion
B. Data at rest
C. Data in destruction
D. Data in use

A

D. Data that is stored in memory is being actively used by a system and is considered data in use. Data at rest is data that is stored on nonvolatile media, such as a disk. Data in motion is being actively transferred over a network.

50
Q

Renee conducted an inventory of encryption algorithms used in her organization and found that they are using all of the algorithms below. Which of these algorithms should be discontinued? (Choose all that apply.)

A. AES
B. DES
C. 3DES
D. RC5

A

B, C. The Advanced Encryption Standard (AES) and Rivest Cipher 6 (RC6) are modern, secure algorithms. The Data Encryption Standard (DES) and Triple DES (3DES) are outdated and no longer considered secure.

51
Q

Which one of the following encryption algorithm modes suffers from the undesirable characteristic of errors propagating between blocks?

A. Electronic Code Book
B. Cipher Block Chaining
C. Output Feedback
D. Counter

A

B. One important consideration when using CBC mode is that errors propagate—if one block is corrupted during transmission, it becomes impossible to decrypt that block and the next block as well. The other modes listed here do not suffer from this flaw.

52
Q

Which one of the following key distribution methods is most cumbersome when users are located in different geographic locations?

A. Diffie–Hellman
B. Public key encryption
C. Offline
D. Escrow

A

C. Offline key distribution requires a side channel of trusted communication, such as in-person contact. This can be difficult to arrange when users are geographically separated. Alternatively, the individuals could use the Diffie–Hellman algorithm or other asymmetric/public key encryption technique to exchange a secret key. Key escrow is a method for managing the recovery of lost keys and is not used for key distribution.

53
Q

Victoria is choosing an encryption algorithm for use within her organization and would like to choose the most secure symmetric algorithm from a list of those supported by the software package she intends to use. If the package supports the following algorithms, which would be the best option?

A. AES-256
B. 3DES
C. RC4
D. Skipjack

A

A. The AES-256 algorithm is a modern, secure cryptographic algorithm. 3DES, RC4, and Skipjack are all outdated algorithms that suffer from significant security issues.

54
Q

The Jones Institute has six employees and uses a symmetric key encryption system to ensure confidentiality of communications. If each employee needs to communicate privately with every other employee, how many keys are necessary?

A. 1
B. 6
C. 15
D. 30

A

C. A separate key is required for each pair of users who want to communicate privately. In a group of six users, this would require a total of 15 secret keys. You can calculate this value by using the formula (n * (n – 1) / 2). In this case, n = 6, resulting in (6 * 5) / 2 = 15 keys.

55
Q

There are several components involved with steganography. Which of the following refers to a file that has hidden information in it?

A. Stego-medium
B. Concealment cipher
C. Carrier
D. Payload

A

C

56
Q

Which of the following correctly describes the relationship between SSL and TLS?

A. TLS is the open-community version of SSL.
B. SSL can be modified by developers to expand the protocol’s capabilities.
C. TLS is a proprietary protocol, while SSL is an open community protocol.
D. SSL is more extensible and backward compatible with TLS.

A

A

57
Q

Which of the following incorrectly describes steganography?

A. It is a type of security through obscurity.
B. Modifying the most significant bit is the most common method used.
C. Steganography does not draw attention to itself like encryption does.
D. Media files are ideal for steganographic transmission because of their large size.

A

B

58
Q

Which of the following correctly describes a drawback of symmetric key systems?

A. Computationally less intensive than asymmetric systems
B. Work much more slowly than asymmetric systems
C. Carry out mathematically intensive tasks
D. Key must be delivered via secure courier

A

D

59
Q

Which of the following occurs in a PKI environment?

A. The RA creates the certificate, and the CA signs it.
B. The CA signs the certificate.
C. The RA signs the certificate.
D. The user signs the certificate.

A

B

60
Q

Encryption can happen at different layers of an operating system and network stack. Where does PPTP encryption take place?

A. Data link layer
B. Within applications
C. Transport layer
D. Data link and physical layers

A

A

61
Q

Which of the following correctly describes the difference between public key cryptography and public key infrastructure?

A. Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm.
B. Public key cryptography is used to create public/private key pairs, and public key infrastructure is used to perform key exchange and agreement.
C. Public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity.
D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

A

D

62
Q

Which of the following best describes key derivation functions (KDFs)?

A. Keys are generated from a master key.
B. Session keys are generated from each other.
C. Asymmetric cryptography is used to encrypt symmetric keys.
D. A master key is generated from a session key.

A

A

63
Q

An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms?

A. It provides digital signatures, secure key distribution, and encryption.
B. It computes discrete logarithms in a finite field.
C. It uses a larger percentage of resources to carry out encryption.
D. It is more efficient.

A

D

64
Q

If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation?

A. The pad must be securely distributed and protected at its destination.
B. The pad must be made up of truly random values.
C. The pad must always be the same length.
D. The pad must be used only one time.

A

C

65
Q

Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management?

A. Keys should be backed up or escrowed in case of emergencies.
B. The more a key is used, the shorter its lifetime should be.
C. Less secure data allows for a shorter key lifetime.
D. Keys should be stored and transmitted by secure means.

A

C

66
Q

Mandy needs to calculate how many keys must be generated for the 260 employees using the company’s PKI asymmetric algorithm. How many keys are required?

A. 33,670
B. 520
C. 67,340
D. 260

A

B

67
Q

Which of the following works similarly to stream ciphers?

A. One-time pad
B. AES
C. Block
D. RSA

A

A

68
Q

There are two main types of symmetric ciphers: stream and
block. Which of the following is not an attribute of a good
stream cipher?

A. Statistically unbiased keystream
B. Statistically predictable
C. Long periods of no repeating patterns
D. Keystream not linearly related to key

A

B

69
Q

Which of the following best describes how a digital signature is created?

A. The sender encrypts a message digest with his private key.
B. The sender encrypts a message digest with his public key.
C. The receiver encrypts a message digest with his private key.
D. The receiver encrypts a message digest with his public key.

A

A

70
Q

In cryptography, different steps and algorithms provide
different types of security services. Which of the following
provides only authentication, non-repudiation, and integrity?

A. Encryption algorithm
B. Hash algorithm
C. Digital signature
D. Encryption paired with a digital signature

A

C

71
Q

Advanced Encryption Standard is an algorithm used for which of the following?

A. Data integrity
B. Bulk data encryption
C. Key recovery
D. Distribution of symmetric keys

A

B

72
Q

SSL is a de facto protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process?

A. The server creates a session key and encrypts it with a
public key.
B. The server creates a session key and encrypts it with a
private key.
C. The client creates a session key and encrypts it with a
private key.
D. The client creates a session key and encrypts it with a public key.

A

D

73
Q

The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP?

A. The CRL was developed as a more streamlined approach to OCSP.
B. OCSP is a protocol that submits revoked certificates to the CRL.
C. OCSP is a protocol developed specifically to check the CRL
during a certificate validation process.
D. CRL carries out real-time validation of a certificate and
reports to the OCSP.

A

C

74
Q

End-to-end encryption is used by users, and link encryption is used by service providers. Which of the following correctly
describes these technologies?

A. Link encryption does not encrypt headers and trailers.
B. Link encryption encrypts everything but data link messaging.
C. End-to-end encryption requires headers to be decrypted at each hop.
D. End-to-end encryption encrypts all headers and trailers.

A

B

75
Q

If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of?

A. Key clustering
B. Avoiding a birthday attack
C. Providing data confidentiality
D. Zero-knowledge proof

A

D

76
Q

There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions?

A. Sealing a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Binding is when data pertaining to the system’s state are hashed and stored on the TPM.
B. Binding a hard disk drive is when whole-disk encryption is
enabled through the use of the TPM. Sealing is when a
digital certificate is sealed within a TPM and the system
cannot boot up without this certificate being validated.
C. Sealing a hard disk drive is when whole-disk encryption is
enabled through the use of the TPM. Binding is when a
digital certificate is sealed within a TPM and the system
cannot boot up without this certificate being validated.
D. Binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system’s state are hashed and stored on the TPM.

A

D

77
Q

Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness
explained in the scenario?

A. Asymmetric algorithm
B. Out-of-band communication compromise
C. Number generator
D. Symmetric algorithm

A

C

78
Q

Which of the following best describes the role of the values that are allowing for patterns as described in the scenario?

A. Initialization vector
B. One-time password
C. Master symmetric key
D. Subkey

A

A

79
Q

Sometimes when studying for an industry certification exam such as the CISSP, people do not fully appreciate that the concepts and technologies they need to learn to pass the test directly relate to real-world security issues. To reinforce how exam-oriented theoretical concepts directly relate to the practical world of security, choose the answer that best describes the Heartbleed SSL/TLS vulnerability, which is considered to be one of the most critical attack vectors in the history of the Internet.

A. Digital certificates were stolen through a tunneled attack
within the SSL and TLS protocols.
B. Certificate authorities were compromised when their SSL and TLS connections were hijacked through the use of TCP
hijacking sessions.
C. Bounds checking was not implemented and allowed for
sensitive data to be obtained by attackers from memory
segments on web servers.
D. Cross-site scripting was allowed to take place on web servers that ran a vulnerable version of Java.

A

C

80
Q

What is the goal of cryptanalysis?

A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used

A

A. Cryptanalysis is the process of trying to reverse-engineer a cryptosystem,
with the possible goal of uncovering the key used. Once this key is uncovered,
all other messages encrypted with this key can be accessed. Cryptanalysis is
carried out by the white hats to test the strength of the algorithm.

81
Q

The frequency of successful brute force attacks has increased because

A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more
susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.

A

C. A brute force attack is resource-intensive. It tries all values until the correct
one is obtained. As computers have more powerful processors added to them,
attackers can carry out more powerful brute force attacks.

82
Q

Which of the following is not a property or characteristic of a one-way hash
function?

A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the
corresponding message.
C. It should be impossible or rare to derive the same digest from two
different messages.
D. It converts a message of fixed length to an arbitrary length value.

A

D. A hashing algorithm takes a string of variable length (the message can be
any size) and computes a fixed-length value. The fixed-length value is the
message digest. The MD family creates the fixed-length value of 128 bits, and
SHA creates one of 160 bits.

83
Q

What would indicate that a message had been modified?

A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.

A

C. Hashing algorithms generate message digests to detect whether modification
has taken place. The sender and receiver independently generate their own
digests, and the receiver compares these values. If they differ, the receiver knows
the message has been altered.

84
Q

Which of the following is a U.S. federal government algorithm developed for
creating secure message digests?

A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm

A

C. SHA was created to generate secure message digests. Digital Signature
Standard (DSS) is the standard to create digital signatures, which dictates that
SHA must be used. DSS also outlines the digital signature algorithms that can
be used with SHA: RSA, DSA, and ECDSA.

85
Q

Which of the following best describes the difference between HMAC and
CBC-MAC?

A. HMAC creates a message digest and is used for integrity; CBC-MAC is used
to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the
first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a
block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result
through a hashing algorithm; CBC-MAC encrypts the whole message.

A

C. In an HMAC operation, a message is concatenated with a symmetric key
and the result is put through a hashing algorithm. This provides integrity and
system or data authentication. CBC-MAC uses a block cipher to create a MAC,
which is the last block of ciphertext.

86
Q

What is an advantage of RSA over DSA?

A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.

A

A. RSA can be used for data encryption, key exchange, and digital signatures.
DSA can be used only for digital signatures.

87
Q

Many countries restrict the use or exportation of cryptographic systems. What
is the reason given when these types of restrictions are put into place?

A. Without standards, there would be many interoperability issues when
trying to employ different algorithms in different programs.
B. The systems can be used by some countries against their local people.
C. Criminals could use encryption to avoid detection and prosecution.
D. Laws are way behind, so adding different types of encryption would
confuse the laws more.

A

C. The U.S. government has greatly reduced its restrictions on cryptography
exportation, but there are still some restrictions in place. Products that use
encryption cannot be sold to any country the United States has declared is
supporting terrorism. The fear is that the enemies of the country would use
encryption to hide their communication, and the government would be
unable to break this encryption and spy on their data transfers.

88
Q

What is used to create a digital signature?

A. The receiver’s private key
B. The sender’s public key
C. The sender’s private key
D. The receiver’s public key

A

C. A digital signature is a message digest that has been encrypted with the
sender’s private key. A sender, or anyone else, should never have access to the
receiver’s private key.

89
Q

Which of the following best describes a digital signature?

A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity
of a message

A

D. A digital signature provides authentication (knowing who really sent
the message), integrity (because a hashing algorithm is involved), and
nonrepudiation (the sender cannot deny sending the message).

90
Q

How many bits make up the effective length of the DES key?

A. 56
B. 64
C. 32
D. 16

A

A. DES has a key size of 64 bits, but 8 bits are used for parity, so the true
key size is 56 bits. Remember that DEA is the algorithm used for the DES
standard, so DEA also has a true key size of 56 bits, because we are actually
talking about the same algorithm here. DES is really the standard, and DEA
is the algorithm. We just call it DES in the industry because it is easier.

91
Q

Why would a certificate authority revoke a certificate?

A. If the user’s public key has become compromised
B. If the user changed over to using the PEM model that uses a web
of trust
C. If the user’s private key has become compromised
D. If the user moved to a new location

A

C. The reason a certificate is revoked is to warn others who use that person’s
public key that they should no longer trust the public key because, for some
reason, that public key is no longer bound to that particular individual’s
identity. This could be because an employee left the company, or changed his
name and needed a new certificate, but most likely it is because the person’s
private key was compromised.

92
Q

What does DES stand for?

A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature

A

B. Data Encryption Standard was developed by NIST and the NSA to encrypt
sensitive but unclassified government data.

93
Q

Which of the following best describes a certificate authority?

A. An organization that issues private keys and the corresponding
algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates

A

D. A registration authority (RA) accepts a person’s request for a certificate and
verifies that person’s identity. Then the RA sends this request to a certificate
authority (CA), which generates and maintains the certificate.

94
Q

What does DEA stand for?

A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm

A

C. DEA is the algorithm that fulfilled the DES standard. So DEA has all of the
attributes of DES: a symmetric block cipher that uses 64-bit blocks, 16 rounds,
and a 56-bit key.

95
Q

Who was involved in developing the first public key algorithm?

A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman

A

D. The first released public key cryptography algorithm was developed by
Whitfield Diffie and Martin Hellman.

96
Q

What process usually takes place after creating a DES session key?

A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange

A

D. After a session key has been created, it must be exchanged securely. In most
cryptosystems, an asymmetric key (the receiver’s public key) is used to encrypt
this session key, and it is sent to the receiver.

97
Q

DES performs how many rounds of permutation and substitution?

A. 16
B. 32
C. 64
D. 56

A

A. DES carries out 16 rounds of mathematical computation on each 64-bit
block of data it is responsible for encrypting. A round is a set of mathematical
formulas used for encryption and decryption processes.

98
Q

Which of the following is a true statement pertaining to data encryption when
it is used to protect data?

A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.

A

B. Data encryption always requires careful key management. Most algorithms
are so strong today that it is much easier to go after key management than
to launch a brute force attack. Hashing algorithms are used for data integrity,
encryption does require a good amount of resources, and keys do not have to
be escrowed for encryption.

99
Q

If different keys generate the same ciphertext for the same message, what is
this called?

A. Collision
B. Secure hashing
C. MAC
D. Key clustering

A

D. Message A was encrypted with key A and the result is ciphertext Y. If that
same message A were encrypted with key B, the result should not be ciphertext
Y. The ciphertext should be different since a different key was used. But if the
ciphertext is the same, this occurrence is referred to as key clustering.

100
Q

What is the definition of an algorithm’s work factor?

A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions

A

B. The work factor of a cryptosystem is the amount of time and resources
necessary to break the cryptosystem or its encryption process. The goal is
to make the work factor so high that an attacker could not be successful in
breaking the algorithm or cryptosystem.

101
Q

What is the primary purpose of using one-way hashing on user passwords?

A. It minimizes the amount of primary and secondary storage needed to
store passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.

A

B. Passwords are usually run through a one-way hashing algorithm so the
actual password is not transmitted across the network or stored on a system
in plaintext. This greatly reduces the risk of an attacker being able to obtain
the actual password.

102
Q

Which of the following is based on the fact that it is hard to factor large
numbers into two original prime numbers?

A. ECC
B. RSA
C. DES
D. Diffie-Hellman

A

B. The RSA algorithm’s security is based on the difficulty of factoring large
numbers into their original prime numbers. This is a one-way function. It is
easier to calculate the product than it is to identify the prime numbers used to
generate that product.

103
Q

Which of the following describes the difference between the Data Encryption
Standard and the Rivest-Shamir-Adleman algorithm?

A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages.

A

A. DES is a symmetric algorithm. RSA is an asymmetric algorithm. DES is used
to encrypt data, and RSA is used to create public/private key pairs.

104
Q

Which of the following uses a symmetric key and a hashing algorithm?

A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA

A

A. When an HMAC function is used, a symmetric key is combined with the
message, and then that result is put though a hashing algorithm. The result is
an HMAC value. HMAC provides data origin authentication and data integrity.

105
Q

The generation of keys that are made up of random values is referred to as Key
Derivation Functions (KDFs). What values are not commonly used in this key
generation process?

A. Hashing values
B. Asymmetric values
C. Salts
D. Password

A

B. Different values can be used independently or together to play the role of
random key material. The algorithm is created to use specific hash, password,
and/or salt values, which go through a certain number of rounds of
mathematical functions dictated by the algorithm.

106
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection. Which of the following symmetric block encryption mode(s) should be enabled in this company’s software? (Choose two.)

A. Electronic Code Book (ECB)
B. Cipher Block Chaining (CBC)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)

A

A and B. The Electronic Code Book (ECB) mode should be used to encrypt
credit card PIN values, and the Cipher Block Chaining (CBC) mode should be
used to encrypt documents.

107
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection.
Which of the following would be best to implement for this company’s
connections?

A. End-to-end encryption
B. Link encryption
C. Trusted Platform Modules
D. Advanced Encryption Standard

A

B. Since data is transmitting over dedicated WAN links, link encryptors can be
implemented to encrypt the sensitive data as it moves from branch to branch.

108
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection. Which of the following is the best way for users to authenticate to this
company’s proprietary software?

A. Kerberos
B. RADIUS
C. Public Key Infrastructure
D. IPSec

A

C. The users can be authenticated by providing digital certificates to the
software within a PKI environment. This is the best authentication approach,
since SSL requires a PKI environment.

109
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual. Which of the following best describes the software settings that need to be implemented for internal and external traffic?

A. IPSec with ESP enabled for internal traffic and IPSec with AH enabled for
external traffic
B. IPSec with AH enabled for internal traffic and IPSec with ESP enabled for
external traffic
C. IPSec with AH enabled for internal traffic and IPSec with AH and ESP
enabled for external traffic
D. IPSec with AH and ESP enabled for internal traffic and IPSec with ESP
enabled for external traffic

A

B. IPSec can be configured using the AH protocol, which enables system
authentication but does not provide encryption capabilities. IPSec can
be configured with the ESP protocol, which provides authentication and
encryption capabilities.

110
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual. When Sean purchases laptops for his company, what does he need to ensure is provided by the laptop vendor?

A. Public key cryptography
B. Cryptography, hashing, and message authentication
C. BIOS password protection
D. Trusted Platform Module

A

D. Trusted Platform Module (TPM) is a microchip that is part of the
motherboard of newer systems. It provides cryptographic functionality that
allows for full disk encryption. The decryption key is wrapped and stored
within the TPM chip.

111
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual. What type of e-mail functionality is required for this type of scenario?

A. Digital signature
B. Hashing
C. Cryptography
D. Message authentication code

A

A. A digital signature is a hash value that has been encrypted with the sender’s
private key. A message can be digitally signed, which provides authentication,
nonrepudiation, and integrity. When e-mail clients have this type of
functionality, each sender is authenticated through digital certificates.

112
Q

For security protection mechanisms for cryptographic data in
storage, backup, and archives, the storage of keying material is a
part of which of the following cryptographic services?

a. Confidentiality
b. Availability
c. Integrity
d. Labels

A

b. The availability service for data in storage deals with backup and
archive storages. During a key’s crypto-period, keying material (i.e.,
keys and initialization vectors) should be stored in both normal
operational storage and in backup storage. After the end of a key’s
crypto-period, keying material should be placed in archive storage. The
other three choices do not deal with backup and archive storages.

113
Q

Which of the following is referred to when two cryptographic
key component holders manage the process of handling the two
components of a cryptographic key?

a. Key list
b. Key escrow
c. Key loader
d. Key exchange

A

b. In general, escrow is something (for example, a document or an
encryption key) that is delivered to a third party to be given to the
grantee only upon the fulfillment of a predefined condition (i.e., a
grantor and grantee relationship with a third party in the middle). Key
escrow is the process of managing (for example, generating, storing,
transferring, and auditing) the two components of a cryptographic key
by two component holders. A key component is one of the two values from
which a key can be derived. A key escrow system entrusts the two
components comprising a cryptographic key (for example, a device
unique key) to two key component holders (also called escrow agents).
The other three choices are incorrect. Key list is a printed series of key
settings for a specific cryptonet. Key lists may be produced in list, pad,
or printed tape format. Key loader is a self-contained unit that is
capable of storing at least one plaintext or encrypted cryptographic key
or key component that can be transferred, upon request, into a
cryptographic module. Key exchange is the process of exchanging
public keys and other information in order to establish secure
communications.

114
Q

Transaction privacy controls do not include which of the following?

a. Secure sockets layer (SSL)
b. Mandatory access controls (MAC)
c. Transport layer security (TLS)
d. Secure shell (SSH)

A

b. Transaction privacy controls include secure sockets layer (SSL),
transport layer security (TLS), and secure shell (SSH) to protect
against loss of privacy for transactions performed by an individual.
Mandatory access controls (MAC) define access control security
policy.

115
Q

A cryptographic key has been compromised due to usage and age. The next step is to use which of the following?

a. DNSSEC-aware resolver
b. Key rollover
c. Zone signing key
d. Key signing key

A

b. Key rollover is the process of generating and using a new key
(symmetric or asymmetric key pair) to replace one already in use.
Rollover is done because a key has been compromised as a result of
usage and age. The DNSSEC-aware resolver is incorrect because it is an entity that
sends DNS queries, receives DNS responses, and understands the
DNSSEC specification, even if it is incapable of performing validation.
A zone-signing key is incorrect because it is an authentication key that
corresponds to a private key used to sign a zone. A key signing key is
incorrect because it is an authentication key that corresponds to a
private key used to sign one or more other authentication keys for a
given zone.

116
Q

Which of the following protocols is used to encrypt individual
messages?

a. Secure sockets layer (SSL)
b. Transport layer security (TLS)
c. Secure hypertext transfer protocol (S-HTTP)
d. Hypertext transfer protocol (HTTP)

A

c. Secure hypertext transfer protocol (S-HTTP) is used for
encrypting data flowing over the Internet, but it is limited to individual
messages. Secure sockets layer (SSL) and transport layer security
(TLS) are designed to establish a secure connection between two
computers. Hypertext transfer protocol (HTTP) cannot do encryption
and is not as secure as S-HTTP.

117
Q

For cryptography, which of the following refers to the worst case measure of uncertainty for a random variable with the greatest lower bound?

a. Max-entropy
b. Min-entropy
c. Guessing entropy
d. Min-Max entropy

A

B. Entropy is the uncertainty of a random variable, stated in bits.
Min-entropy is the worst-case measure of that uncertainty, i.e., its
greatest lower bound; for passwords, it measures the difficulty an
attacker has in guessing the single most commonly chosen password
used in a system. Guessing entropy is a measure of the difficulty an
attacker has in guessing the value of a secret (e.g., a password) on
average, assuming the attacker knows the actual password frequency
distribution. Max-entropy and min-max entropy are not standard terms
in this context.
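The difference between the average-case and worst-case measures is easiest to see on numbers. The following Python script is a worked example added to this card (it is not part of the flashcard deck): it computes Shannon entropy, min-entropy, and the expected number of guesses for an attacker who knows the distribution, over a constructed password sample. The sample counts are made up, and using the expected guess count as the concrete form of "guessing entropy" is an assumption of the example.

```python
import math
from collections import Counter

# Constructed sample: the passwords chosen by 100 users of a hypothetical
# system. The counts are invented for illustration, not taken from real data.
SAMPLE = (["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15
          + ["letmein"] * 10 + ["hunter2"] * 5 + ["Tr0ub4dor&3"] * 5)


def distribution(sample):
    """Empirical probability of each distinct password in the sample."""
    counts = Counter(sample)
    total = len(sample)
    return {pw: n / total for pw, n in counts.items()}


def shannon_entropy(dist):
    """Average-case uncertainty in bits: H = -sum(p * log2 p)."""
    return -sum(p * math.log2(p) for p in dist.values())


def min_entropy(dist):
    """Worst-case uncertainty in bits: H_min = -log2(max p).

    Only the single most likely value matters, which is why min-entropy is
    the greatest lower bound on the entropy of the variable and bounds the
    attacker's success with one guess."""
    return -math.log2(max(dist.values()))


def expected_guesses(dist):
    """Expected number of guesses for an attacker who knows the distribution
    and tries candidates in descending order of probability (assumed concrete
    form of guessing entropy)."""
    ordered = sorted(dist.values(), reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(ordered))


def summary(sample=SAMPLE):
    d = distribution(sample)
    return {
        "shannon_bits": round(shannon_entropy(d), 3),
        "min_entropy_bits": round(min_entropy(d), 3),
        "expected_guesses": round(expected_guesses(d), 3),
    }


if __name__ == "__main__":
    print(summary())
```

For this sample the Shannon entropy is about 2.20 bits while the min-entropy is only about 1.32 bits: 40 percent of users share one password, so the worst case is far weaker than the average suggests. Min-entropy is never larger than Shannon entropy, and it is the figure that matters when sizing a lockout or rate limit against an online guessing attack.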

118
Q

Countermeasures against brute force attacks on cryptographic keys include which of the following?

  1. Change keys
  2. Increase key length
  3. Change protocol
  4. Change algorithm
    a. 1 and 2
    b. 2 and 3
    c. 3 and 4
    d. 1 and 3
A

A. Changing cryptographic keys frequently and increasing the key
length can fight against the brute force attacks on keys. Changing
protocols and algorithms cannot fight against the brute force attacks
because the changed protocols and algorithms could be subjected to
the same attacks or different attacks.

119
Q

For cryptography, what is nonce?

a. Timestamp plus sequence number
b. Checksum plus check digit
c. Payload plus protocol
d. Public key plus private key

A

A. A nonce is a time-varying, nonrepeating value used in a cryptographic
protocol; it may be built from a timestamp, a sequence number, a freshly
generated random value, or a combination of these. Checksums and check
digits are used to ensure data accuracy during data entry and data
transmission. The payload is the part of a data stream representing the
user information in a communication. A protocol is a set of rules used by
two or more entities that describes the message order and data structures
for information exchange between the entities. A public key is a
cryptographic key, used with a public key cryptographic algorithm,
that is uniquely associated with an entity and that may be made public.
A private key is a cryptographic key, used with a public key
cryptographic algorithm, that is uniquely associated with an entity and
that is not made public.

120
Q

For cryptography, which of the following protects the integrity of the data but does not guarantee authenticity of the information?
a. X.509 public key certificate
b. Public key certificate
c. Private key certificate
d. Self-signed certificate

A

D. A self-signed certificate is a public key certificate whose digital
signature may be verified by the public key contained within the
certificate. The signature on a self-signed certificate protects the
integrity of the data but does not guarantee authenticity of the
information. The trust of a self-signed certificate is based on the secure
procedures used to distribute it.
The X.509 certificate comes in two types: X.509 public key certificate
(most common) and the X.509 attribute certificate (less common). A
public key certificate is a set of data that uniquely identifies an entity
and binds the public key to the entity. The private key is
mathematically linked with a corresponding public key.

121
Q

Which of the following is an example of optional-to-implement cryptographic algorithms that provide greater security?
a. DES
b. RSA-512 bit key
c. AES-128 bit key
d. RC2

A

C. AES with a 128-bit key is an example of an optional-to-implement
encryption algorithm that provides greater security. Other variants of
AES use 192-bit and 256-bit keys. DES, RC2, and RSA with a 512-bit
key do not provide adequate security. DES and RC2 are examples of
mandatory-to-implement encryption algorithms that do not provide
adequate security. Mandatory-to-implement algorithms will be in any
product that meets the public standards, enabling interoperability
between products. Optional-to-implement algorithms are next-generation
algorithms with improved security that could increase the longevity of a
system.

122
Q

Which of the following enables one to locate organizations, individuals, files, and devices in a network whether on the Internet or on a corporate intranet?
a. Online certificate status protocol (OCSP)
b. Certificate management protocol (CMP)
c. Lightweight directory access protocol (LDAP)
d. Over-the-air rekeying protocol (OTAR)

A

C. A lightweight directory access protocol (LDAP) is a centralized
directory that becomes a major focal point as a tool for access control.
It uses names, addresses, groups, roles, devices, files, and profiles to
enable a modular, expandable access control and single sign-on
solution to be deployed rapidly for all application systems.
The other three choices do not have such capabilities as the LDAP
does. An online certificate status protocol (OCSP) responder is a
trusted system and provides signed status information, on a per
certificate basis, in response to a request from a relying party. Both
certification authority (CA) and registration authority (RA) software
support the use of a certificate management protocol (CMP). An
over-the-air rekeying (OTAR) protocol is used in digital radios to handle
cryptographic security. LDAP, CRLs, and OCSP are used to provide
path validation in a public-key certificate.

123
Q

Most commonly, what are certificate revocation lists (CRLs) distributed through?
1. Certificate management protocol
2. LDAP directories protocol
3. Web servers
4. HTTP URLs
a. 1 or 2
b. 2 or 3
c. 1 or 3
d. 3 or 4

A

B. Most commonly, certificate revocation lists (CRLs) are
distributed via lightweight directory access protocol (LDAP)
directories or Web servers. The certificate management protocol
(CMP) is not a CRL distribution mechanism. An LDAP URL or an HTTP
URL is what a certificate's CRL distribution point extension uses to
specify the location of the CRL; the CRL itself is then served by the
LDAP directory or the Web server named in that URL. Both certification
authority (CA) and registration authority (RA) software support the use
of CMP. An LDAP directory is a centralized directory that becomes a
major focal point as a tool for access control.

124
Q

Which of the following is generally the most difficult method of attacking a computer system?
a. Password cracking
b. Packet sniffing
c. Encryption key breaking
d. Send mail

A

C. Encryption key breaking is not a common attack method because it is
difficult and may take years. It requires extensive knowledge of
algorithms, hardware, and software that few people possess. Password
cracking involves guessing a password, which can then be used to gain
access to a system. Packet sniffing involves placing a rogue program
on a host computer or a network switch; the program then monitors all
packets as they pass through the network. Malicious code can be sent
along with Internet-based e-mail, and when the message is opened the
attacker's code is executed.

125
Q

Which of the following does not need to be destroyed after the corresponding certificate expires?
a. Old key pairs
b. Private key establishment key
c. Private signature keys
d. Public keys

A

B. The user should not destroy the private key establishment key
until all symmetric keys established using this key have been
recovered or protected by encryption under a different key. Premature
destruction of private key establishment keys may prevent recovery of
the subscriber’s plaintext data. The keys in the other three choices can
be destroyed safely.

126
Q

Which of the following provides end-to-end security to protect information on the Internet?
a. DES and RC2
b. TLS and SSL
c. HTTP and HTTPS
d. TDEA and AES

A

B. The transport layer security (TLS) and secure socket layer (SSL)
protocols are the primary end-to-end security protocols used to protect
information on the Internet. TLS is an enhanced version of SSL; these
protocols are similar but not identical. TLS is a robust protocol that is
used to protect various links, such as authentication server to a wireless
access point, the electronic mail link between client and server, or
dedicated network infrastructure applications primarily involving
machines with no human user involvement.

127
Q
Which of the following are examples of mandatory-to-implement cryptographic algorithms that do not provide adequate security over computer networks?
a. AES or 3-TDEA
b. RSA or ECDSA
c. DES or RC2
d. DH or ECDH
A

C. Mandatory-to-implement cryptographic algorithms will be in
any cryptographic product that meets the public standards (for
example, IETF RFCs and ANSI standards), enabling interoperability
between products. AES is an optional-to-implement algorithm now that
could become mandatory-to-implement in the future. DES and RC2 are
mandatory-to-implement and do not provide adequate security. DH is
the Diffie-Hellman algorithm, which is used to provide key agreement.
ECDH is the elliptic curve Diffie-Hellman algorithm, which is used to
support key establishment; 3-TDEA is three-key TDEA; RSA is a
public-key algorithm, whereas ECDSA is a digital signature algorithm.

128
Q

Which of the following should not be used during a transport layer security (TLS) session between a client and a server?
a. DH key agreement
b. RSA key transport
c. Ephemeral DH key
d. Static-to-static DH key agreement

A

D. A transport layer security (TLS) session requires server
authentication, and the server may also request a certificate from the
client. The RSA key transport method implicitly authenticates the server
to the client. In a Diffie-Hellman (DH) key agreement, the server
authenticates itself either by supplying a signed static DH key in a
certificate or by signing an ephemeral DH key and sending a certificate
with its public signing key. Thus, the server always sends a certificate,
with either a signing key or a key-establishment key. In a static-to-static
DH key agreement, the client's certificate contains only a DH key and no
signing key, so the client has nothing to sign with if the server requests
client authentication; that is why static-to-static DH is not recommended
for a TLS session.

129
Q

What is encrypting a symmetric key using another symmetric key called?
a. Key transport
b. Key update
c. Key wrapping
d. Key bundle

A

C. A key used for key wrapping is known as a key encrypting key,
which is used to encrypt a symmetric key using another symmetric
key. Key wrapping provides both confidentiality and integrity
protection using a symmetric key.
The other three choices are not used in key wrapping. Key transport is
a key establishment procedure whereby one party (sender) selects and
encrypts the keying material and then distributes the material to
another party (the receiver). Key update is a function performed on a
cryptographic key to compute a new but related key. Key bundle is a
set of keys used during one operation, typically a TDEA operation.

130
Q

Which of the following represents the correct order of nodes (from highest to lowest) in a cryptographic key management infrastructure?
1. Client node
2. User entities
3. Key processing facility
4. Service agent
a. 4, 2, 3, and 1
b. 3, 4, 1, and 2
c. 3, 4, 2, and 1
d. 2, 4, 1, and 3

A

B. A key management infrastructure provides a unified and
seamless structure for the generation, distribution, and management of
cryptographic keys. It starts at the central oversight authority (the
highest node, which is not used in the question) and moves down to
key processing facility (the next highest node), service agent, client
node, and user entities (the lowest node).

131
Q

In a cryptographic key management infrastructure, which of
the following supports single point-of-access for other nodes?
a. Key processing facility
b. User entities
c. Client nodes
d. Service agents

A

D. Service agents support an organization’s key management
infrastructure as single point-of-access for other nodes, including key
processing facility, client nodes, and user entities.

132
Q

A digital signature is implemented using which of the following
cryptographic techniques?
a. Public key cryptography
b. Key escrow cryptography
c. Secret key cryptography
d. Hybrid cryptographic systems

A

A. Recent advances in cryptographic technology have led to the
development of public key cryptographic algorithms. These algorithms
are referred to as “asymmetric” because they rely on two different keys
to perform cryptographic processing of data. These keys are generated
and used in pairs consisting of private and public key components.
Public key crypto-systems make possible authentication schemes in
which a secret can be verified without the need to share that secret. In
public key cryptography, each user independently generates two
mathematically related keys. One is typically made public, so it is
referred to as the public key. The other is kept private, so it is referred
to as the user’s private key. The public key becomes in effect part of
the user’s identity and should be made well known as necessary, like a
phone number. Conversely, the private key should be known only to
the user because it can be used to prove ownership of the public key
and thus the user’s identity. It is computationally infeasible to derive a
user’s private key from the corresponding public key, so free
distribution of the public key poses no threat to the secrecy of the
private key.
The private key component of the public key cryptography is used to
create the digital signatures. Similar to a written signature, a digital
signature is unique to the signer except that it can be verified
electronically. This is made possible by the fact that in public key
crypto-systems, digital signatures are generated with the private key
component of the public/private key pair. The corresponding public
key is used to verify the signature. Because a given user’s private key
does not need to be shared with other parties, there is a strong
association between the user’s identity and possession of the private
key.
Key escrow cryptographic techniques are used in electronic
surveillance of telecommunications by law enforcement officials. A
definition of a key escrow system is that an encryption key or a
document is delivered to a third person to be given to the grantee only
upon the fulfillment of a condition. A key escrow system is one that
entrusts the two components comprising a cryptographic key (for
example, a device unique key) to two key component holders (also
called “escrow agents”).
The key component holders provide the components of a key to a
“grantee” (for example, a law enforcement official) only upon
fulfillment of the condition that the grantee has properly demonstrated
legal authorization to conduct electronic surveillance of
telecommunications encrypted using the specific device whose device
unique key is being requested. The key components obtained through
this process are then used by the grantee to reconstruct the device
unique key and obtain the session key that is then used to decrypt the
telecommunications that are encrypted with that session key. The
digital signature does not use the key escrow cryptography.
The primary feature distinguishing secret key algorithms is the use of a
single secret key for cryptographic processing. The advanced
encryption standard (AES) is an example of secret key cryptography.
The AES algorithm can be implemented with reasonable efficiency in
the firmware of a smart token. Electronic signatures can use either
secret key or public key cryptography, but a digital signature cannot be
based on secret key cryptography: because the secret key is shared by
both parties, either party could have produced the value, so it proves
nothing to a third party. Hybrid approaches are possible, where public
key cryptography is used to distribute keys for use by secret key
algorithms, but a digital signature does not use the hybrid approach.

133
Q

Procedural security controls for recognizing trusted certificate
authority (CA) and registration authority (RA) roles should include:
1. Least privilege concept must be practiced.
2. Separation of duties concept must be practiced.
3. A single person should not generate a new CA key pair.
4. A person authorizing certificates to a subject should not be
verifying the subject’s identity.
a. 1 and 2
b. 1 and 4
c. 3 and 4
d. 1, 2, 3, and 4

A

D. All four items are examples of procedural security controls for
recognizing trusted CA and RA roles. The CA is a trusted third party
that generates, issues, signs, and revokes public key certificates. The
CA can delegate responsibility for the verification of the subject’s
identity to an RA. The RA is a trusted entity that establishes and
vouches for the identity of a subscriber to a credentials service
provider (CSP).

134
Q
Effective controls to detect attempts to replay an earlier
successful authentication exchange do not include:
a. A timestamp
b. A sequence number
c. An unpredictable value
d. A statistical random value
A

D. The emphasis should be on using nonrepeating values in message
authentication so that an attempt to replay an earlier successful
authentication exchange is detected. Timestamps, sequence
numbers, and unpredictable values can all detect replay attempts.
Timestamps assume there is a common time reference that logically
links a claimant and a verifier. On receipt of an authentication message,
the verifier calculates the difference between the timestamp in the
message and the time of receipt; if this difference is within the expected
time window, the message is accepted.
A message with a particular sequence number is accepted only once, as
agreed by the claimant and verifier in advance. Messages received by a
verifier are checked for acceptability within the range of agreed-upon
values. An unpredictable value, or challenge, is sent by the verifier,
which ensures that the same challenge is not reused within the time
frame of concern. The values used do not require true statistical
randomness; the only requirement is that they be unpredictable with a
high probability of not repeating.
The problem with a statistical random value is that it deals with
probabilities of occurrence and sampling methods, which do not by
themselves meet the nonrepetition requirement that the other three
choices satisfy.
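The three controls above are usually combined, and each one catches a different replay. The Python below is a worked example added to this card (not code from the flashcard deck): a claimant binds a sequence number, a timestamp and a verifier-issued challenge to the payload under an HMAC, and the verifier rejects a message whose MAC is wrong, whose timestamp is outside the window, whose sequence number was already accepted, or whose challenge is not outstanding. The shared key, the 30-second window and the message layout are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in practice this is the session key the claimant and
# verifier established beforehand.
KEY = b"demo-shared-secret-not-for-production"


def _body(seq, ts, challenge, payload):
    """Canonical byte string covered by the MAC (fixed field order)."""
    return f"{seq}|{ts}|{challenge}|{payload}".encode()


def claimant_build(key, seq, ts, challenge, payload):
    """Claimant side: tie sequence number, timestamp and challenge to the
    payload so none of them can be altered or recombined by an attacker."""
    tag = hmac.new(key, _body(seq, ts, challenge, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "challenge": challenge, "payload": payload, "tag": tag}


class Verifier:
    """Verifier that uses all three nonrepeating values to detect replays."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen_seq = set()      # sequence numbers already accepted
        self.outstanding = set()   # challenges issued but not yet answered

    def issue_challenge(self):
        c = secrets.token_hex(16)  # unpredictable and never reissued
        self.outstanding.add(c)
        return c

    def verify(self, msg, now):
        body = _body(msg["seq"], msg["ts"], msg["challenge"], msg["payload"])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad MAC"
        if abs(now - msg["ts"]) > self.window:
            return "rejected: timestamp outside window"
        if msg["seq"] in self.seen_seq:
            return "rejected: sequence number replayed"
        if msg["challenge"] not in self.outstanding:
            return "rejected: challenge unknown or already used"
        # All checks passed: consume the sequence number and the challenge.
        self.seen_seq.add(msg["seq"])
        self.outstanding.discard(msg["challenge"])
        return "accepted"
```

The MAC check comes first so that an attacker cannot probe the replay state with forged messages; the challenge is consumed on acceptance, so even a message carrying a fresh sequence number and a valid timestamp is refused if it reuses an old challenge.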

135
Q

Which of the following need not be subject to maintenance of special accounting records for cryptographic keying materials?
a. Ephemeral keys
b. Encrypted keys
c. Decrypted keys
d. Key encrypting keys

A

A. Ephemeral keys are cryptographic keys that are generated for
each execution of a key establishment process and that meet other
requirements of the key (for example, unique to each message or
session and short-lived). It may not be practical or necessary to
maintain accounting records for relatively short-lived keys such as
ephemeral keys. This is because user devices (for example, user
entities at client nodes) generate ephemeral keys, and they are intended
for use within the client node.
The other three choices need accounting records. Encrypted keys are
encrypted with a key encrypting key to disguise the value of the
underlying plaintext key. The key encrypting key is used for the
encryption or decryption of other keys.

136
Q

For the willful or negligent mishandling of cryptographic
keying materials, the consequences of policy violation should be
commensurate with which of the following?
a. Actual harm
b. Known harm
c. Potential harm
d. Guaranteed harm

A

C. The consequences of willful or negligent mishandling of
cryptographic keying materials (for example, keys and initialization
vectors) should be commensurate with the potential harm that the
policy violation can result in for the organization and other affected
parties. The actual harm cannot be known in advance, and there is no
guarantee that harm will occur for certain.

137
Q

A cryptographic keying material is compromised during the course of regular or normal work. Which of the following actions may not be necessary during the compromise recovery process?
a. Key destruction
b. Notification of users of compromised keys
c. Emergency key revocation
d. Replacement of the compromised keys

A

A. Notification of users of compromised keys, emergency key
revocation, and secure replacement of the compromised keys are a part
of normal recovery procedures. Key destruction must take place only
when an external attacker is involved, not when user errors and system
problems are involved during the course of regular work. The other
three choices are normally used during the compromise recovery
process.

138
Q

For the encapsulating security payload (ESP) header of the Internet Protocol security (IPsec), which of the following cryptographic algorithms or modes provides both encryption and integrity services to the ESP-protected traffic?
a. AES-128 bit in cipher block chaining (CBC) mode
b. AES-128 bit in counter mode
c. HMAC SHA1-96 bit
d. AES-128 bit in counter mode with CBC-MAC

A

D. AES-128 in counter mode with CBC-MAC (AES-CCM) provides
both encryption and integrity protection. AES-128 in CBC mode and
AES-128 in counter mode provide only encryption, whereas HMAC
SHA1-96 provides only integrity protection. Encrypted ESP should not
be used without integrity protection, because the ESP-protected traffic
needs both confidentiality and integrity.

139
Q

Within the Internet Protocol security (IPsec) protocol suite, which of the following should not be used because it introduces unnecessary complexity in processing?
a. Authentication header (AH)
b. Encapsulating security payload (ESP)
c. Security association (SA)
d. Internet key exchange (IKE)

A

A. The authentication header (AH) provides integrity protection for
the Internet Protocol (IP) header and the data following it, but AH
processing introduces unnecessary complexity. Because the
encapsulating security payload (ESP) with integrity protection provides
equivalent functionality, the use of AH is not recommended. ESP does
not cover the outer IP header, but in tunnel mode the original (inner) IP
header, including its source and destination addresses, is encrypted and
integrity-protected along with the payload; in transport mode only the
payload is protected. Hence ESP is preferred over AH.

140
Q

The security of which of the following cryptographic algorithm’s confidentiality mechanism is not compromised?
a. AES-GCM (Galois counter mode)
b. AES-GMAC (Galois message authentication code)
c. The Internet key exchange (IKE)
d. Data encryption standard-cipher block chaining (DES-CBC)
mode

A

C. If the counter (nonce) value in AES-GCM or AES-GMAC is used for
more than one packet under the same key, the confidentiality mechanism
of AES-GCM and the integrity mechanism of AES-GMAC are compromised.
That is why AES-GCM and AES-GMAC should not be used with manually
distributed keys, where the counter can repeat (for example, after a
device reboots). DES-CBC mode is susceptible to compromise because of
its 56-bit key. Automated keying using the Internet key exchange (IKE)
establishes fresh secret keys for the two peers within each security
association (SA) with a low probability of duplicate keys, so IKE's
confidentiality mechanism is not compromised in this way.
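Why a repeated nonce under the same key is fatal for a counter-mode cipher is worth seeing concretely. The Python below is a worked example added to this card (not from the flashcard deck). The Python standard library has no AES, so HMAC-SHA256 over (nonce || counter) stands in for the AES block function; the property demonstrated, that two ciphertexts produced under the same key and nonce XOR to the XOR of their plaintexts, holds identically for AES-CTR and therefore for the encryption layer of AES-GCM. The key, nonce and packet contents are constructed for the demo.

```python
import hashlib
import hmac


def keystream(key, nonce, length):
    """Counter-mode keystream: PRF(key, nonce || counter) for counter = 0, 1, ...
    HMAC-SHA256 is a stand-in for the AES block function (assumption of this
    example); the nonce-reuse weakness is the same for any CTR construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key, nonce, data):
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def recover_second_plaintext(c1, c2, known_p1):
    """Attacker's view: if c1 and c2 were produced under the same (key, nonce),
    then c1 XOR c2 == p1 XOR p2, so a known p1 reveals p2 without the key."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))


# Constructed demo values.
KEY = bytes(range(32))
NONCE = b"\x00" * 12
P1 = b"GET /index.html HTTP/1.1"    # known or easily guessed packet
P2 = b"POST /login pw=hunter2.."    # secret packet of the same length


def attack_with_reused_nonce():
    c1 = ctr_xor(KEY, NONCE, P1)
    c2 = ctr_xor(KEY, NONCE, P2)     # same key AND same nonce: the mistake
    return recover_second_plaintext(c1, c2, P1)


def attack_with_fresh_nonce():
    c1 = ctr_xor(KEY, NONCE, P1)
    c2 = ctr_xor(KEY, b"\x00" * 11 + b"\x01", P2)   # distinct nonce per packet
    return recover_second_plaintext(c1, c2, P1)
```

With the nonce reused, `attack_with_reused_nonce()` returns the secret packet byte for byte; with a fresh nonce the same computation yields noise. This is exactly the failure a manually keyed IPsec SA risks when a peer reboots and restarts its counter, and it is why the card's guidance is automated keying with IKE.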

141
Q

The transport layer security (TLS) protocol does not provide which of the following cryptographic services?
a. Authentication
b. Integrity
c. Nonrepudiation
d. Encryption

A

C. After completion of the handshake sequence, the transport layer
security (TLS) protocol provides a secure communication channel
between the server and client for the duration of a communication
session. All cipher suites provide authentication and integrity
protection for transferred data, and most TLS cipher suites also provide
encryption. If encryption is provided, data is encrypted when sent and
decrypted when received. TLS does not, however, provide a
cryptographic nonrepudiation service: once the session has ended, a
third party cannot validate the session data or the authentication that
took place, because the record-layer integrity keys are known to both
endpoints and either could have produced the records.

142
Q

In secure/multipurpose Internet mail extension (S/MIME), TDEA in CBC mode or AES-128 bit in CBC mode is used to provide which of the following?
a. Digital signatures
b. Hash values
c. Key transport
d. Encryption

A

D. The secure/multipurpose Internet mail extension (S/MIME)
provides a consistent way to send and receive secure Internet mail.
However, S/MIME is not restricted to e-mail; it can be used with any
transport mechanism that employs MIME protocols, such as HTTP.
The TDEA in CBC mode or AES-128-bit key in CBC mode is used to
provide encryption only.

143
Q

Using the security features within a secure/multipurpose Internet mail extension (S/MIME) implementation, end users should not do which of the following?
a. Operate their systems according to instructions.
b. Use unique digital certificates for each security function.
c. Protect their private key from unauthorized disclosure.
d. Send the same message both encrypted and in plaintext.

A

D. An end user is the individual using a client to access the system.
Even within a centrally managed environment, end users may find that
they have a significant amount of control over some of the security
features within an S/MIME implementation. End users should not send
the same message both encrypted and in plaintext. The end users can
do the other three choices.

144
Q

The RSA-1024-bit key or the DSA-1024 bit key is used to provide which of the following?
a. Digital signatures
b. Hash values
c. Key agreement
d. Encryption

A

A. Either the Rivest, Shamir, and Adleman (RSA) algorithm or the digital
signature algorithm (DSA) with key sizes of at least 1024 bits is used to
provide digital signatures. Neither is used for hash values or key
agreement. RSA can additionally be used for encryption (key transport),
whereas DSA is a signature-only algorithm. Note that 1024-bit keys have
since been deprecated by NIST in favor of 2048 bits or more.

145
Q

The Diffie-Hellman (DH) algorithm is used to provide which of the following?
a. Digital signatures
b. Hash values
c. Key agreement
d. Encryption

A

C. The Diffie-Hellman (DH) algorithm is used to provide key
agreement. The DH algorithm by itself cannot provide digital signatures,
hash values, or encryption.

146
Q

The owner of a cryptographic key pair demonstrates proof-of possession by using:
a. Private key
b. Public key
c. Ephemeral key
d. Encrypted key

A

A. The proof-of-possession is a verification process whereby it is
proven that the owner of a key pair actually has the private key
associated with the public key. The owner demonstrates the possession
by using the private key in its intended manner. Without the assurance
of possession, it would be possible for the certificate authority to bind
the public key to the wrong entity. The other three choices do not
demonstrate proof-of-possession.

147
Q

Which of the following can be specified in bits?
1. Security strength of a cryptographic algorithm
2. Entropy
3. Hash function
4. Internet Protocol (IP) address identifier
a. 1 and 4
b. 2 and 3
c. 1, 3, and 4
d. 1, 2, 3, and 4

A

D. The security strength of a cryptographic algorithm as well as
entropy, hash function, and the Internet Protocol (IP) address identifier
are specified in bits.

148
Q

Which of the following is often distributed as a self-signed certificate?
a. Trust anchors
b. Root certificate store
c. Trust list
d. Trust keys

A

A. Certification authorities (CAs) generally issue a self-signed
certificate (called the root certificate), which is also called a trust
anchor. CAs that a relying party trusts directly are called trust anchors.
When multiple trust anchors are recognized, the set of trust anchors is
referred to as the trust list. CA certificates play a key role in many
protocols and applications and are generally kept in what is often
called a root certificate store. The trust anchor's public key (a trust
key) is the starting point for validating a certification path, and the
root certificate store is where those trust anchors are held.

149
Q

Which of the following does not require cryptographic keys?
a. Symmetric key algorithms
b. Asymmetric key algorithms
c. Cryptographic hash algorithms
d. Secret key algorithms

A

C. Cryptographic hash algorithms (hash functions) do not require
keys. A hash function generates a relatively small digest (hash value)
from a large input, and the digest is difficult to reverse. However, in
some instances, such as the generation of hashed message authentication
codes (HMAC), a hash function is combined with a key.
Symmetric key algorithms (also called secret key algorithms) transform
data in a way that is difficult to undo without knowledge of the secret
key. Asymmetric key algorithms (public key algorithms) use two related
keys to perform their functions (i.e., a public key and a private key
forming a key pair).

150
Q

Which of the following is a noncryptographic technique that provides message integrity and creates insecurity?
a. Message authentication code
b. Error detection codes
c. Cryptographic checksum
d. Block cipher algorithms

A

B. Although message integrity is often provided using
noncryptographic techniques known as error detection codes (for
example, parity bits or CRCs), these codes involve no secret, so an
attacker who alters a message can simply recompute the code, and
hence they create insecurity. A message authentication code (MAC)
alleviates this problem because it is computed with a secret key, using
either a block cipher algorithm (for example, CMAC) or a keyed hash
(HMAC). A cryptographic checksum likewise uses a secret key together
with the bits in the transmission to create the checksum value, so an
attacker cannot recompute it, and it is secure. A noncryptographic
technique does not use a cryptographic key.

151
Q

Key wrapping provides which of the following services to the wrapped material?
a. Confidentiality and integrity
b. Authentication and integrity
c. Accountability and availability
d. Assurance and reliability

A

A. Key wrapping is the encryption of a key by a key encrypting key
using a symmetric algorithm. Key wrapping provides both
confidentiality and integrity services to the wrapped material and does
not provide the services listed in the other three choices.

152
Q

Countermeasures against man-in-the-middle attacks include which of the following?
1. Implement digital signatures
2. Use split knowledge procedures
3. Use faster hardware
4. Use packet filters
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 4

A

A. The man-in-the-middle (MitM) attack takes advantage of the
store-and-forward mechanism used by insecure networks such as the
Internet. Digital signatures and split knowledge procedures are
effective against such attacks. Faster hardware and packet filters are
effective against denial-of-service (DoS) attacks.

153
Q

Digital signatures cannot provide which of the following security services?
a. Confidentiality
b. Authentication
c. Integrity
d. Nonrepudiation

A

A. Digital signatures cannot by themselves provide a confidentiality
service; instead, they provide authentication, integrity, and
nonrepudiation services. Specific algorithms used for digital signatures
include DSA, RSA, PKCS, and ECDSA.

154
Q

The transport layer security (TLS) protocol does not provide which of the following?
a. Integrity
b. Error recovery
c. Authentication
d. Encrypted payload

A

B. The transport layer security (TLS) protocol is protected by
strong cryptographic integrity, an authentication mechanism, and
encrypted payload. The TLS can detect any attack or noise event but
cannot recover from errors. If an error is detected, the protocol run is
simply terminated. Hence, the TLS needs to work with the TCP
(transport control protocol) to recover from errors.

155
Q

Which of the following statements is true about digital signatures using the digital signature algorithm?
a. The length of the digital signature is one-time the length of the
key size.
b. The length of the digital signature is two-times the length of the
key size.
c. The length of the digital signature is three-times the length of the
key size.
d. The length of the digital signature is four-times the length of the
key size.

A

B. The digital signature algorithm (DSA) produces digital
signatures of 320, 448, or 512 bits using key sizes of 160, 224, or
256 bits respectively. Hence, the length of the digital signature is two
times the length of the key size.

156
Q

Cryptographic key establishment schemes use which of the following?
a. Key transport and key agreement
b. Key wrapping and key confirmation
c. Key usage and key distribution
d. Key splits and key bundles

A

A. Cryptographic key establishment schemes are used to set up
keys to be used between communicating entities. The scheme uses key
transport and key agreement. The key transport is the distribution of a
key from one entity to another entity. The key agreement is the
participation by both entities in the creation of shared keying material
(for example, keys and initialization vectors). The key establishment
scheme does not deal with the other three choices.

157
Q

Network communication channels contain unintentional errors
due to transmission media and create network congestion, leading
to lost packets. Which of the following statements is incorrect
about forward error-correcting codes?
a. Forward error-correcting codes are a subset of noncryptographic checksums.
b. Forward error-correction mechanism should be applied before
encryption.
c. Forward error-correcting codes can correct a limited number of
errors without retransmission.
d. Forward error-correction mechanism should be applied after
encryption.

A

B. Forward error-correcting codes are a subset of noncryptographic
checksums (i.e., they use an algorithm without secret information in
terms of a cryptographic key) that can be used to correct a limited
number of errors without retransmission. If forward error-correction is
applied before encryption and errors are inserted in the ciphertext
during transmission, it is difficult to decrypt, thus making the errors
uncorrectable. Therefore, it is preferable to apply the forward
error-correction mechanism after the encryption process. This allows
error correction by the receiving entity's system before the ciphertext
is decrypted, resulting in correct plaintext.

158
Q

Which of the following should not exist outside the cryptographic boundary of the crypto-module?
a. Shared secrets and intermediate results
b. Domain parameters and initialization vectors
c. Random number generator seeds and nonce
d. Nonce and salt

A

A. Shared secrets are generated during a key establishment process.
Intermediate results of cryptographic operations are generated using
secret information. Therefore, both shared secrets and intermediate
results should not exist outside the cryptographic boundary of the
crypto-module due to their sensitivity and criticality. The other three
choices either do not exist outside the cryptographic boundary or they
are less sensitive and critical.

159
Q

What describes the crypto-period of a symmetric key?
a. Originator usage period plus retention period
b. Retention period minus recipient usage period
c. Originator usage period plus recipient usage period
d. Recipient usage period minus originator usage period

A

C. The crypto-period of a symmetric key is the period of time from
the beginning of the originator usage period to the end of the recipient
usage period.

160
Q

Which of the following should be destroyed immediately after
use?
a. Random number generator seeds and intermediate results
b. Nonce and shared secrets
c. Domain parameters and initialization vectors
d. Shared secrets and intermediate results

A

A. Both random number generator (RNG) seeds and intermediate
results should be destroyed after use due to their sensitivity. Domain
parameters remain in effect until changed. Shared secrets and
initialization vectors should be destroyed as soon as they are no longer
needed. A nonce should not be retained longer than needed for
cryptographic processing.

161
Q

Which of the following provides the weakest cryptographic
algorithms?
1. A 160-bit ECDSA key is used to establish a 128-bit AES key.
2. A 256-bit ECDSA key is used to establish a 128-bit AES key.
3. A 256-bit SHA key is used with a 1024-bit RSA key.
4. A 256-bit SHA key is used with a 2048-bit RSA key.
a. 1 only
b. 1 and 3
c. 2 and 3
d. 2 and 4

A

B. The strength of cryptographic protection is determined by the
weakest algorithm and the key size used. This is explained as follows:
A 160-bit ECDSA and 128-bit AES provide 80 bits of security.
A 256-bit ECDSA and 128-bit AES provide 128 bits of security.
A 256-bit SHA and 1024-bit RSA provide 80 bits of security.
A 256-bit SHA and 2048-bit RSA provide 112 bits of security.
Therefore, 80 bits of security is weaker than 112 bits and 128 bits of
security.

162
Q

How is a cryptographic algorithm’s security life defined?
a. Security life of data plus retention data life
b. Originator usage period plus the security life of the data
c. Recipient usage period plus the retention period
d. Crypto-period plus security life of the data

A

B. A cryptographic algorithm’s originator usage period is the period
of time that a cryptographic algorithm and the key size are used to
apply cryptographic protection. When the security life of the data is
taken into account, cryptographic protection should not be applied to
data using a given algorithm and key size if the security life of the data
extends beyond the end of the algorithm security lifetime. Hence, the
algorithm security life is the algorithm originator usage period plus the
security life of the data.

163
Q

Which of the following should not be distributed?
a. Shared secrets
b. Domain parameters
c. Initialization vectors
d. Random number generator seeds

A

A. A shared secret is a secret value that has been computed using a
key agreement scheme and is used as input to a key derivation
function. Hence, shared secrets should not be distributed while the
other three choices can be safely distributed most of the time. Because
the initialization vectors are often stored with the data that they protect,
a determined attacker (not a normal attacker) could take advantage of
them for hacking.

164
Q

Which of the following need not be backed up?
a. Private key transport key
b. Public key transport key
c. Public authentication
d. Private signature key

A

D. The private signature key need not be backed up because
nonrepudiation would be in question. This is because proof-of-origin
and proof-of-delivery are needed for a successful nonrepudiation using
private signature key by the originator (i.e., the signatory). Therefore,
the private signature key should be protected in a safe and secure
location. The other three choices can be backed up without any
question.

165
Q

What is the major advantage of a checksum program?
a. Adds more bytes to programs
b. Verifies integrity of files
c. Increases boot-up time
d. Misleads a program recompilation

A

B. A checksum is a program that forms a cryptographic checksum
of files in a computer system to allow their integrity to be checked at
will. However, the checksum program adds overhead to the system in
terms of adding more bytes to each program and increases boot-up
time by several minutes. Any attempt to recompile a program will be
flagged as a “virus type” activity (when it is not) and will be stopped.
It misleads a program recompilation process.

166
Q

Which of the following need not be archived?
a. Private signature key
b. Symmetric authentication key
c. Public authentication key
d. Symmetric master key

A

A. An archive for keying material (i.e., keys and initialization
vectors) should provide both integrity and access control. When
archived, keying material should be archived prior to the end of the
crypto-period of the key. When no longer required, the keying material
should be destroyed. The private signature key need not be archived
because it is private, but it should be protected in a safe and secure
location. Both symmetric and public authentication keys should be archived
until no longer required to authenticate the data. A symmetric master
key should be archived until no longer needed to derive other keys.

167
Q

What is a simpler alternative to a digital signature?
a. Hash function
b. Digital certificate
c. Handwritten signature
d. Certificate authority

A

A. A digital signature provides for nonrepudiation of origin. A
simpler alternative to a digital signature is a hash function, where the
message is indexed to a digest for integrity checking. It requires that
both parties trust one another. However, it is of limited use because it
does not provide for nonrepudiation of origin.
A digital certificate contains identification information about its holder.
It includes a public key and a unique private key. Exchanging keys and
certificates allows two parties to verify each other’s identities before
communicating. A handwritten signature is similar to a digital
signature in that it places a unique mark on a document that verifies the
identity of the sender. A major problem with the handwritten signature
is that it can be forged. A certificate authority is a third party that
distributes public and private key pairs.

168
Q

Which of the following need to be archived?
a. Domain parameters
b. Shared secrets
c. Random number generator seeds
d. Intermediate results

A

A. Domain parameters should be archived until all keying material,
signatures, and signed data using the domain parameters are removed
from the archive. The other three choices should not be archived due to
their secrecy and because they are temporary in nature. One exception
is that a shared secret is sometimes permanent as in a preshared key
(PSK) for a site-to-site IPsec VPN.

169
Q

If cryptographic key materials are compromised, the compromise recovery process can be relatively simple and inexpensive for which of the following?
a. Symmetric keys used by a single user
b. A certification authority’s private key
c. A key used to protect a large number of stored keys
d. Keys used by many users of large distributed databases

A

A. Where symmetric keys or private asymmetric keys are used to
protect only a single user’s local information in communications
between a single pair of users, the compromise recovery process can
be relatively simple and inexpensive. The damage assessment and
mitigation measures are often local matters. On the other hand, damage
assessment can be complex and expensive where (i) a key is shared by
or affects a large number of users, (ii) certification authority’s (CA’s)
private key is replaced, (iii) transport keys are widely used, (iv) keys
are used by many users of large distributed databases, and (v) a key is
used to protect a large number of stored keys.

170
Q

The strength of all cryptographically based mechanisms lies in large part in which of the following?
a. The strength of the cryptographic algorithm
b. The protection provided to secret key material
c. The strength of the key size
d. The security of communication protocol

A

B. For all cryptographically based mechanisms, the strength of the
mechanism lies partly in the strength of the cryptographic algorithm
(including key size), partly in the security of any communication
protocol, and in large part, in the protection provided to secret key
material (i.e., keys and initialization vectors). A secret key is a
symmetric key that is not made public and requires protection from
disclosure.

171
Q

Which of the following is not the recommended combination of
authentication type key, digital signature key, and key
establishment key respectively?
a. RSA 1024, RSA 2048, and DH 2048
b. ECDSA P-256, ECDSA P-256, and RSA 2048
c. RSA 1024, RSA 2048, and RSA 2048
d. ECDSA P-384, ECDSA P-384, and ECDH P-384

A

B. In general, protocols and applications are designed to use
cryptographic algorithms from one mathematical family. For most
uses, digital signature keys and key establishment keys should provide
consistent cryptographic strength. For example, applications that
encounter certificates with elliptic curve digital signature algorithm
(ECDSA) digital signatures would expect to use elliptic curve
Diffie-Hellman (ECDH) for the key establishment key. Rivest, Shamir, and
Adleman (RSA) is not compatible with ECDSA, whereas it is
compatible with DH. It is advisable that users obtain an authentication
type key, a digital signature key, and a key establishment key that are
complementary in nature to ensure that the keys can be used together
in protocols and applications. Complementary algorithms for public
keys enhance interoperability.

172
Q

Which of the following is the major reason for the transport layer security (TLS) protocol to provide end-to-end reliable delivery of data and messages?
a. Cyclical redundancy checks
b. Message reassembly
c. Forward error correction technique
d. Message fragmentation

A

B. Reliable delivery of data implies that all messages presented to
the sending TCP/IP stack are delivered in proper sequence by the
receiving TCP/IP stack. These messages may be broken up into
packets and fragmented or segmented as they are sent and routed
through any arrangement of local-area, wide-area, or metropolitan-area
networks. During routing through networks, data are augmented with
cyclical redundancy checks or forward error correction techniques to
help ensure that the delivered messages are identical to the transmitted
messages. Reliable delivery means that the messages are properly
reassembled and presented in proper sequence to the peer protocol
TLS entity. Here, the TLS relies on the communications functionality
of the OSI/ISO lower layer protocols.

173
Q

The transport layer security (TLS) protocol version 1.1 mandates the use of which of the following cipher suites?
a. TLS and DES with RC4-40, RC2-CBC-40, and DES-40
b. TLS and DHE-DSA with 3DES-EDE-CBC and SHA-1
c. TLS and DHE-DSS with 3DES-EDE-CBC and SHA-1
d. TLS and RSA with 3DES-EDE-CBC and SHA-1

A

D. The TLS version 1.1 mandates the use of the TLS and RSA with
3DES-EDE-CBC and SHA-1 cipher suite, which is more commonly
used. The DES with RC4-40, RC2-CBC-40, and DES-40 cannot be
combined with TLS because the algorithm is deprecated. The TLS and
DHE-DSA with 3DES-EDE-CBC and SHA-1 is not often used. The
TLS version 1.0 uses the TLS and DHE-DSS with 3DES-EDE-CBC
and SHA-1.

174
Q

The transport layer security (TLS) protocol’s security specification for ensuring confidentiality goal is:
a. Rivest, Shamir, and Adleman (RSA)
b. Digital signature algorithm (DSA)
c. Triple-data encryption standard (3DES) using encryption decryption-encryption (EDE) and cipher block chaining (CBC)
d. Message digest 5 (MD5)

A

C. The transport layer security (TLS) protocol’s security
specification for ensuring the confidentiality goal is 3DES-EDE-CBC.
RSA is used for key establishment, a DSA is used for digital
signatures, and MD5 is used for hash function purposes.

175
Q

What is a digital certificate?
a. A password-protected file
b. An encrypted file
c. A password-protected and encrypted file
d. A password-protected and modem-protected file

A

C. A digital certificate is a password-protected and encrypted file
that contains identification information about its holder. It is not a
modem-protected file.

176
Q

Most commonly used X.509 certificates do not refer to which of
the following?
a. Tamper-evident envelope
b. Attribute certificate
c. Public key certificate
d. Basic certificate content

A

B. The ISO/ITU-T X.509 standard defines two types of certificates:
the X.509 public key certificate and the X.509 attribute certificate.
Most commonly, an X.509 certificate refers to the X.509 public key
certificate. The public key certificate contains three nested elements:
(i) the tamper-evident envelope (digitally signed by the source), (ii) the
basic certificate content (for example, identifying information and
public key), and (iii) extensions that contain optional certificate
information. The X.509 attribute certificate is less commonly used.

177
Q

Which of the following features of Secure Hypertext Transfer
Protocol (S-HTTP) achieves higher levels of protection?
a. Freshness feature
b. Algorithm independence feature
c. Syntax compatibility feature
d. Recursive feature

A

D. In the recursive feature, the message is parsed one protection at a
time until it yields a standard HTTP content type. Here, protections are
applied in layers, one layer after another to achieve higher levels of
protection. S-HTTP uses a simple challenge-response to ensure that
data being returned to the server is “fresh.” Algorithm independence
means new cryptographic methods can be easily implemented. Syntax
compatibility means that the standard HTTP messages are syntactically
the same as secure HTTP messages.

178
Q

The Secure Sockets Layer (SSL) transport protocol provides all the following services except:
a. Mutual authentication
b. Message privacy
c. Message integrity
d. Mutual handshake

A

D. The Secure Sockets Layer (SSL) is an open and nonproprietary
protocol that provides services such as mutual authentication, message
privacy, and message integrity. Mutual handshake is not done by SSL.

179
Q

Which of the following can be used with traffic padding security mechanisms?
a. Passwords
b. Smart tokens
c. Encryption
d. Memory tokens

A

C. Traffic padding is a function that generates a continuous stream
of random data or ciphertext. True data is mixed with extraneous data
thus making it difficult to deduce the amount of traffic, that is, traffic
analysis. Encryption is good with traffic padding because it can
disguise the true data very well and requires a key to decipher the
encrypted data.
Passwords are incorrect because they are most often associated with
user authentication, not with traffic padding. Smart tokens and memory
tokens are incorrect because they are also used to authenticate users.
Memory tokens store, but do not process, information, whereas smart
tokens both store and process information.

180
Q

Effective controls to ensure data integrity of messages do not
include:
a. Encryption algorithms
b. Hashing algorithms
c. File seals
d. File labels

A

D. File labels are used in computer job runs to process application
systems data to ensure that the right file is used. Encryption
algorithms, due to their encryption and decryption mechanisms and by
keeping the encryption keys secure, provide integrity to the message
transmitted or stored. Hashing algorithms are a form of authentication
that provides data integrity. File seal is adding a separate signature to
software and partly works with virus checking software. When the file
seal and virus checking software signatures do not match, it is an
indication that data integrity has been compromised.

181
Q

During the design of data communication networks, a functional capability of providing link encryption and end-to-end encryption is addressed by which of the following?
a. Administrative control
b. Access control
c. Cost control
d. Technical control

A

B. Functional capabilities can be placed inside network components
to control access and protect information from misuse. Automated
access control systems can require users and systems to log on to a
network by identifying themselves and providing an automated
password or similar control. Link and end-to-end encryption devices
can protect information from misuse during transmission over a circuit
or through a network. Link encryption is the application of online
crypto-operation to a link of a communications system so that all
information passing over the link is encrypted in its entirety. End-to-end
encryption is the encryption of information at its origin and
decryption at its intended destination without any intermediate
decryption.
Administrative control is incorrect because it deals with handling the
paperwork associated with operating a network. The scope includes
receiving requests for service from prospective users, notifying
operations personnel of dates that devices should be connected and
disconnected, maintaining a directory of network users and services,
authorizing users to access the network and, issuing passwords.
Cost control is incorrect because it deals with cost recovery and
avoidance. It includes price setting for network services and billing the
users. The price of network services is often a function of the volume
of information exchanged, the duration of usage, the distance between
parties, and the time of day of usage.
Technical control is incorrect because it includes activities such as
failure detection, problem diagnosis, and service restoration of network
components. The scope includes alarms, status indicators, test
equipment interfaces, remote controls, and automatic monitoring.

182
Q

Which of the following is an example of passive wiretapping?
a. Traffic analysis
b. Message modification
c. Message delay
d. Message deletion

A

A. Passive wiretapping includes not only information release but
also traffic analysis (using addresses, other header data, message
length, and message frequency). Security measures such as traffic
padding can be used to prevent traffic analysis attacks. Active
wiretapping includes message stream modifications, including delay,
duplication, deletion, or counterfeiting.

183
Q

What is a hash-based message authentication code (HMAC) based on?
a. Asymmetric key
b. Public key
c. Symmetric key
d. Private key

A

C. A hash-based message authentication code (HMAC) is based on
a symmetric key authentication method using hash functions. A
symmetric key is a cryptographic key that is used to perform both the
cryptographic operation and its inverse, for example to encrypt and
decrypt, or create a message authentication code (MAC), and to verify
the code.
Asymmetric key is incorrect because there are two related keys in
asymmetric keys; a public key and a private key that are used to
perform complementary operations, such as encryption and decryption,
or signature generation and signature verification. Public key is
incorrect because it is the public part of an asymmetric key pair that is
typically used to verify signatures or encrypt data. Private key is
incorrect because it is the secret part of an asymmetric key pair that is
typically used to digitally sign or decrypt data.

184
Q

What is the main purpose of a message authentication code
(MAC)?
a. Recovery
b. Prevention
c. Detection
d. Correction

A

C. A message authentication code (MAC) is a cryptographic
checksum on data that uses a symmetric key to detect both accidental
and intentional modifications of data.

185
Q

The major functions of a public key used in cryptography include which of the following?
1. Encrypt data
2. Decrypt data
3. Generate signatures
4. Verify signatures
a. 1 only
b. 2 only
c. 1 or 4
d. 2 or 3

A

C. The public key is the public part of an asymmetric key pair that
is typically used to encrypt data or verify signatures. The private key is
the secret part of an asymmetric key pair that is typically used to
decrypt data and to digitally sign (i.e., generate signatures).
186
Q

Approved hash functions must satisfy which of the following properties?
1. One-way
2. Collision resistant
3. Resistant to offline attacks
4. Resistant to online attacks
a. 1 only
b. 3 only
c. 4 only
d. 1 and 2

A

D. A hash function maps a bit string of arbitrary length to a
fixed-length bit string. Approved hash functions must satisfy the
following two properties: one-way and collision resistant. It is
computationally infeasible to find any input that maps to any
prespecified output, or two distinct inputs that map to the same output.
Offline attack is an attack where the attacker obtains some data
through eavesdropping that he can analyze in a system of his own
choosing. Online attack is an attack against an authentication protocol
where the attacker either assumes the role of a claimant with a genuine
verifier or actively alters the authentication channel. The goal of the
attack may be to gain authenticated access or learn authentication
secrets.

187
Q

Which of the following is a measure of the amount of uncertainty that an attacker faces to determine the value of a secret?
a. Entropy
b. Random number
c. Nonce
d. Pseudonym

A

A. Entropy is a measure of the amount of uncertainty that an
attacker faces to determine the value of a secret. Entropy is usually
stated in bits as it relates to information theory. It is a statistical
parameter.
Random number is incorrect because it can be used to generate
passwords or keys. Nonce is incorrect because it is a value used in
security protocols that is never repeated with the same key. Pseudonym
is incorrect because it is a subscriber name that has been chosen by the
subscriber that is not verified as meaningful by identity proofing.

188
Q

Which of the following is a nonsecret value that is used in a cryptographic process?
a. Salt
b. Shared secret
c. Min-entropy
d. Guessing entropy

A

A. Salt is a nonsecret value that is used in a cryptographic process,
usually to ensure that an attacker cannot reuse the results of
computations for one instance.
Shared secret is incorrect because it is a secret used in authentication
that is known to the claimant and the verifier. Min-entropy is incorrect
because it is a measure of the difficulty that an attacker has to guess the
most commonly chosen password used in a system. Guessing entropy
is incorrect because it is a measure of the difficulty that an attacker has
to guess the average password used in a system.

189
Q

A technique to protect software from potential forgeries is to use:
a. Digital libraries
b. Digital signals
c. Digital watermarks
d. Digital signatures

A

C. Digital watermarks are used to prove proprietary rights.
Watermarking is the process of irreversibly embedding information into
a digital signal. An example is embedding copyright information about
the copyright owner.
Digital libraries are storage places for data and programs. Digital
signals are electronic switches in computers and are represented as
binary digits called bits. Digital signatures are a security authorization
method to prove that a message was not modified.

190
Q

Which of the following specifically deals with hiding messages and obscuring senders and receivers?
a. Quantum cryptography
b. Steganography
c. Cryptology
d. Cryptography

A

B. Steganography is a part of cryptology that deals with hiding
messages and obscuring who is sending or receiving them. Message
traffic is padded to reduce the signals that otherwise would come from
the sudden beginning of messages. Quantum cryptography is based on
quantum-mechanics principles where eavesdroppers alter the quantum
state of the system.
Cryptology is the science and study of writing, sending, receiving, and
deciphering secret messages. It includes authentication, digital
signatures, steganography, and cryptanalysis. Cryptology includes both
cryptography and cryptanalysis. Cryptology is the science that deals
with hidden communications. Cryptography involves the principles,
means, and methods used to render information unintelligible and for
restoring encrypted information to intelligible form.

191
Q
What is an encryption algorithm that encrypts and decrypts arbitrarily sized messages called?
a. Link encryption
b. Bulk encryption
c. End-to-end encryption
d. Stream encryption

A

D. The cipher block chaining method is used to convert a block
encryption scheme with a variable length key into a stream encryption
of arbitrarily sized messages.
In link encryption, all information passing over the link is encrypted in
its entirety. Link encryption is also called an online encryption.
Simultaneous encryption of all channels of a multichannel
telecommunications trunk is called a bulk encryption.
In end-to-end encryption, the information is encrypted at its origin and
decrypted at its intended destination without any intermediate
decryption. End-to-end encryption is also called an offline encryption.
In link encryption, bulk encryption, and end-to-end encryption, the
algorithm takes a fixed-length block of message (for example, 64 bits
in the case of both DES and IDEA).

192
Q

What is a message authentication code?
a. Data checksum
b. Cryptographic checksum
c. Digital signature
d. Cyclic redundancy check

A

B. A checksum is digits or bits summed according to arbitrary rules
and used to verify the integrity of data. All forms of checksums have
the same objective, that is, to ensure that the conveyed information has
not been changed in transit from sender to recipient. The difference
between these checksums is how strong the protective mechanism is
for changing the information, that is, how hard it will be to attack for a
knowledgeable attacker, not for a natural source. A message
authentication code is a cryptographic checksum with the highest form
of security against attacks. The public key is used to encrypt the
message prior to transmission, and knowledge of a private (secret) key
is needed to decode or decrypt the received message.
A data checksum is incorrect because it catches errors that are the
result of noise or other more natural or nonintentional sources. For
example, most of these errors are due to human errors.
A digital signature is incorrect because it is a form of authenticator. It
is decrypted using the secret decryption key and sent to the receiver.
The receiver may encrypt, using the public key, and may verify the
signature, but the signature cannot be forged because only the sender
knows the secret decryption key. Nonpublic key algorithms can also be
used for digital signatures. The basic difference between the message
authentication code and the digital signature is that although message
authentication codes require a secret (private) key to verify, digital
signatures are verifiable with a public key, that is, a published value.
Message authentication codes are used to exchange information
between two parties, where both have knowledge of the secret key. A
digital signature does not require any secret key to be verified.
A cyclic redundancy check (CRC) is incorrect because it uses an
algorithm for generating error detection bits, and the receiving station
performs the same calculation as the transmitting station. If the results
differ, then one or more bits are in error. Both message authentication
codes and digital signatures operate with keys (whether public or
private), are based on cryptography, and are hard to attack by intruders.
On the other hand, data checksums and cyclic redundancy checks
operate on algorithms, are not based on cryptography, and are easily
attacked by intruders.

193
Q

For security protection mechanisms for cryptographic data in storage, the requirement that the encryption mechanism must not make it easier to recover the key-encrypting key than to recover the key being encrypted is part of which of the following cryptographic services?
a. Confidentiality
b. Availability
c. Integrity
d. Labels

A

A. For confidentiality service, encryption with an approved
algorithm is needed for the cryptographic module. Moreover, the
encryption mechanism should not be an easier way to recover the key
encrypting key than it is to recover the key being encrypted. In other
words, recovering the key being encrypted should be relatively easier
and recovering the key encrypting key should be difficult.

194
Q

Which of the following is least effective in verifying against malicious tampering?
a. Message authentication code
b. Digital signatures
c. Message digests
d. Cyclic redundancy code

A

D. Checksums are of two types: a cryptographic checksum and a
noncryptographic checksum. A cyclic redundancy code is a
noncryptographic checksum, which is designed to detect random bit
changes, not purposeful alterations or malicious tampering. These
checksums are good at finding a few bits changed at random.
The other three incorrect choices are based on cryptographic checksum
techniques. Message authentication code is a message digest with a
password attached to it. The intent is that someone cannot re-create the
code with the same input unless that person also knows the secret key
(password). A digital signature is a message digest encrypted with
someone’s private key to certify the contents. Digital signatures
perform three important functions: integrity, authentication, and
nonrepudiation. A message digest is a hash code produced by a
mathematical function. It takes variable length input and reduces it to a
small value, and a small change in the input results in a significant
change in the output.
Secure hash algorithms create a short message digest. The message
digest is then used, with the sender’s private key and the algorithm
specified in digital signature standard, to produce a message-specific
signature. Verifying the digital signature standard involves a
mathematical operation on the signature and message digest, using the
sender’s public key and the hash standard.

195
Q

What is password hashing?
a. Storing a hash of the password
b. Storing the password in a clear text and encrypting it as needed
c. Guessing a password
d. Cracking a password

A

A. Password hashing requires storing a password in its hash form,
which is better than storing an unencrypted password. When a
password is supplied, it computes the password’s hash and compares it
with the stored value. If they match, the password is correct. An
attacker cannot derive the password from the hashes. It is good to hide
the hashed password list.
The other three incorrect choices are weak forms of handling a
password. Encrypting passwords leads to judgmental errors. A
password can be easily guessed if the user selects the password from a
word dictionary. An exhaustive search may then “crack” the password.

196
Q

Which of the following statements is true about message padding?
a. It is the same as traffic padding.
b. It is similar to a data checksum.
c. It is adding additional bits to a message.
d. It is the same as one-time pad.

A

C. Message padding adds bits to a message to make it a desired
length—for instance, an integral number of bytes. Traffic padding
involves adding bogus traffic into the channel to prevent traffic
analysis, which is a passive attack. Data checksums are digits or bits
summed according to arbitrary rules and used to verify the integrity of
data. The one-time pad contains a random number for each character in
the original message. The pad is destroyed after its initial use.

197
Q

What is a public key cryptographic algorithm that does both
encryption and digital signature?
a. Rivest, Shamir, and Adelman (RSA)
b. Data encryption standard (DES)
c. International data encryption algorithm (IDEA)
d. Digital signature standard (DSS)

A

A. RSA’s technique can be used for document encryption as well as
creating digital signatures. DSS is a public key cryptographic system
for computing digital signatures only, but not for encryption. Both
RSA and DSS appear to be similar. DES is a secret key cryptographic
scheme. IDEA is also a secret key cryptographic scheme gaining
popularity. Both DES and IDEA use secret (private) key algorithms,
whereas DSS and RSA use public key algorithms.

198
Q

What is a digital signature?
a. A form of authenticator
b. An actual signature written on the computer
c. The same as the checksum
d. Different from analog signature

A

A. A digital signature authorizes and legitimizes the transaction by
using a secret decryption key to send it to the receiver. An actual
signature written on the computer is incorrect because it is not an
actual signature. Instead, a digital signature is decrypted using the
secret decryption key and sent to the receiver. Checksum is incorrect
because it is a technique to ensure the accuracy of transmission, and it
ensures the integrity of files. There is no such thing as an analog
signature because a digital signature is needed.

199
Q

What is a major drawback of digital certificates?
a. Certificate authority
b. Internet addresses
c. Message digest
d. Digital signature

A

B. A major drawback of digital certificates is that they do not
identify individuals, only Internet addresses. A different person could
use the same computer with bad intent and be seen as the legitimate
owner of the digital certificate. The certificate authority, the message
digest, and the digital signatures are the strengths of digital certificates.

200
Q

Which of the following methods can prevent eavesdropping?
a. Authentication
b. Access controls
c. Encryption
d. Intrusion detection

A

C. Encryption can be used to prevent eavesdroppers from obtaining
data traveling over unsecured networks. The items mentioned in the
other three choices do not have the same features as encryption.
Authentication is the act of verifying the identity of a user and the
user’s eligibility to access computerized information. Access controls
determine what users can do in a computer system. Intrusion detection
systems are software or hardware systems that detect unauthorized use
of, or attack upon, a computer or network.

201
Q

Which of the following is more secure?
a. Private key system
b. Public key system
c. Authentication key system
d. Encryption key system

A

B. The public key system is more secure because transmission
involves the public key only; the private key is never transmitted and is
kept secret by its holder. On the other hand, in a private key system,
both the sender and the recipient know the secret key and thus it can be
less secure. Authentication and encryption key systems are incorrect
because they can be either public (more secure) or private (less secure)
key systems.

202
Q

For security protection mechanisms for cryptographic data in transit, side channel attacks are possible in which of the following cryptographic services?
a. Confidentiality
b. Availability
c. Integrity
d. Labels

A

C. Improper error handling during a transmission between a sender
and a receiver can result in side channel attacks, which can result in
integrity failures. A security policy should define the response to such
a failure. Remedies for integrity failures can include retransmission
limited to a predetermined number of times and storing the error data
in an audit log for later identification of the source of the error.
The other three choices do not allow side channel attacks because they
do not deal with transmission errors. Confidentiality deals with privacy
and nondisclosure of information, and more. Availability deals with
making data and systems within the reach of users. Labels are used to
identify attributes, parameters, or the intended use of a key.

203
Q

Public key authentication systems:
a. Are faster than private key systems
b. Do not use digital signatures
c. Are slower than private key systems
d. Do not use alpha characters in the key

A

C. Public key methods are much slower than private key methods and
cause overhead, which are their main disadvantages. The public key
contains alphanumeric characters. The public key systems use digital
signatures for authentication.

204
Q

Which of the following is not a common route to data interception?
a. Direct observation
b. Data encryption
c. Interception of data transmission
d. Electromagnetic interception

A

B. There are three routes of data interception: direct observation,
interception of data transmission, and electromagnetic interception.
Data encryption can be a solution to data interception.

205
Q

The combination of XEX tweakable block cipher with ciphertext stealing and advanced encryption standard (XTS-AES) algorithm was designed to provide which of the following?
1. Encryption of data on storage devices
2. Encryption of data in transit
3. Confidentiality for the protected data
4. Authentication of data
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

C. The XTS-AES mode was designed for the cryptographic
protection of data on storage devices that use fixed length data units,
and it was not designed for encryption of data in transit. This mode
also provides confidentiality for the protected data but not
authentication of data or access control.

206
Q

Which of the following is not used for public key infrastructure-based (PKI-based) authentication of system users?
a. Validates certificates by constructing a certification path to an
accepted trust anchor
b. Establishes user control of the corresponding private key
c. Maps the authenticated identity to the user account
d. Uses a radius server with extensible authentication protocol and
transport layer security authentication

A

D. A radius server with extensible authentication protocol (EAP)
and transport layer security (TLS) authentication is used to identify
and authenticate devices on LANs and/or WANs. It is not used for
authenticating system users. The other three choices are used for
PKI-based authentication of system users.

207
Q

Message authentication code (MAC) provides which of the following security services?
a. Confidentiality and integrity
b. Authentication and integrity
c. Accountability and availability
d. Assurance and reliability

A

B. The message authentication code (MAC) provides data
authentication and integrity. A MAC is a cryptographic checksum on
the data that is used to provide assurance that the data has not changed
and that the MAC was computed by the expected entity. It cannot
provide other security services.

208
Q

Which of the following are countermeasures against traffic analysis attacks?
1. Traffic flow signal control
2. Traffic encryption key
3. Traffic flow security
4. Traffic padding
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

D. Traffic flow security is a technique to counter traffic analysis
attacks, which is the protection resulting from encrypting the source
and destination addresses of valid messages transmitted over a
communications circuit. Security is assured due to use of link
encryption and because no part of the data is known to an attacker.
Traffic padding, which generates mock communications or data units
to disguise the amount of real data units being sent, also protects traffic
analysis attacks.
The other two items cannot control traffic analysis attacks. Traffic flow
signal control is used to conduct traffic flow analysis. Traffic
encryption key is used to encrypt plaintext or to super-encrypt
previously encrypted text and/or to decrypt ciphertext.

209
Q

Which of the following refers to a communications network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer?
a. RED
b. BLACK
c. Black core
d. Striped core

A

C. Black core refers to a communications network architecture in
which user data traversing a core (global) Internet Protocol (IP)
network is end-to-end encrypted at the IP layer.
RED refers to data/information or messages that contain sensitive or
classified information that is not encrypted whereas BLACK refers to
information that is encrypted. Striped core is a communications
network architecture in which user data traversing a core (global) IP
network is decrypted, filtered, and re-encrypted one or more times. The
process of decryption, filtering, and re-encryption is performed within a
“red gateway”; consequently, the core is “striped” because the data
path is alternatively black, red, and black.

210
Q

Digital signature generation should provide security strength of which of the following?
a. Less than 80 bits
b. Equal to or greater than 80 bits
c. Equal to or greater than 112 bits
d. Between 80 and 112 bits

A

C. Digital signature generation should provide security strength of
112 bits or more. Digital signature verification should provide security
strength of 80 bits or more. Less than 80 bits or a range between 80
and 112 bits are not acceptable for the digital signature generation.

211
Q

Which of the following is not true about a digital signature?
a. It is an encrypted digest of the text that is sent along with a
message.
b. It authenticates the identity of the sender of a message.
c. It guarantees that no one has altered the sent document.
d. Electronic signatures and digital signatures are the same.

A

D. A digital signature is an electronic analogue of a handwritten
signature in that it can be used to prove to the recipient, or a third
party, that the originator in fact signed the message. It is an encrypted
digest of the text that is sent along with a message, usually a text
message, but possibly one that contains other types of information,
such as pictures. A digital signature authenticates the identity of the
sender of the message and also guarantees that no one has altered the
document.
On the other hand, an electronic signature is a cryptographic
mechanism that performs a similar function to a handwritten signature.
It is used to verify the origin and contents of a message (for example,
an e-mail message). It is a method of signing an electronic message
that (i) identifies and authenticates a particular person as the source of
the electronic message and (ii) indicates such person’s approval of the
information contained in the electronic message. Electronic signatures
can use either secret key or public key cryptography. Hence, electronic
signatures and digital signatures are not the same.

212
Q

Traffic flow confidentiality uses which of the following security controls?
a. Traffic padding and address hiding
b. Test words and traffic padding
c. Traffic padding and seals/signatures
d. Address hiding and seals/signatures

A

A. Traffic flow confidentiality protects against sensitive
information being disclosed by observing network traffic flows. It uses
traffic (message) padding and address hiding controls. In traffic
padding, “dummy” traffic is generated to confuse the intruder. Address
hiding requires that protocol header information be protected from
unauthorized attack via cryptographic means.
Testword is incorrect because a string of characters is appended to a
transaction by the sending party and verified by the receiving party. A
testword is an early technology realization of a seal or signature used
in financial transactions. A seal or signature involves cryptographically
generating a value that is appended to a plain text data item. Both
testwords and seals are used to increase the data integrity of financial
transactions.

213
Q

Cryptographic methods work effectively as a security measure for information and communication systems. To achieve that goal, cryptographic methods must meet all the following except:
a. Interoperable
b. Scalable
c. Mobile
d. Portable

A

B. Scalability means the system can be made to have more or less
computational power by configuring it with a larger or smaller number
of processors, amount of memory, interconnection bandwidth, number
of total connections, input/output bandwidth, and amount of mass
storage. Scalability is a technology or organizational issue, not a
cryptography issue.
Interoperability is incorrect because it is needed in cryptography where
two or more systems can interact with one another and exchange data
according to a prescribed method to achieve predictable results.
Mobility is incorrect because it is needed in cryptography to
authenticate between local and remote systems. Portability is incorrect
because it is needed in cryptography between operating systems and
application systems. The other three choices are cryptography issues to
deal with.

214
Q

Which of the following provides less security?
a. SHA-1
b. SHA-224
c. SHA-256
d. SHA-384

A

A. Secure hash algorithm 1 (SHA-1), which produces a 160-bit digest,
provides less security than SHA-224, SHA-256, and SHA-384. Cryptographic
hash functions that compute a fixed size message digest (MD) from
arbitrary size messages are widely used for many purposes in
cryptography, including digital signatures. A hash function produces a
short representation of a longer message. A good hash function is a
one-way function: It is easy to compute the hash value from a
particular input; however, backing up the process from the hash value
back to the input is extremely difficult. With a good hash function, it is
also extremely difficult to find two specific inputs that produce the
same hash value. Because of these characteristics, hash functions are
often used to determine whether data has changed.
Researchers discovered a way to “break” a number of hash algorithms,
including MD4, MD5, HAVAL-128, RIPEMD, and SHA-0. New
attacks on SHA-1 have indicated that SHA-1 provides less security
than originally thought. Therefore, the use of SHA-1 is not
recommended for generating digital signatures in new systems. New
systems should use one of the larger and better hash functions, such as
SHA-224, SHA-256, SHA-384, and SHA-512.

215
Q

In symmetric cryptography, if there are four entities using
encryption, how many keys are required for each relationship?
a. 4
b. 6
c. 8
d. 12

A

B. In symmetric cryptography, the same key is used for both
encryption and decryption. If there are four entities such as A, B, C,
and D, there are six possible relationships: A-B, A-C, A-D, B-C, B-D,
and C-D. Therefore, six keys are required. This follows the formula
(n)(n–1)/2, where “n” equals the number of entities.

216
Q

Which of the following key combinations is highly
recommended to use in the triple data encryption algorithm (TDEA)?
a. Independent key 1, Independent key 2, Independent key 3
b. Independent key 1, Independent key 2, Independent key 1
c. Independent key 1, Independent key 2, Independent key 2
d. Independent key 2, Independent key 3, Independent key 3

A

A. Triple data encryption algorithm (TDEA) encrypts data in
blocks of 64 bits, using three keys that define a key bundle. The use of
three distinctly different (i.e., mathematically independent) keys is
highly recommended because this provides the most security from
TDEA; this is commonly known as three-key TDEA (3TDEA or
3TDES). The use of two-key TDEA (2TDEA or 2TDES), in which the
first and third keys are identical and the second key is distinctly
different, is highly discouraged. Other configurations of keys in the
key bundle shall not be used.

217
Q

For a cryptographic module, which of the following presents
the correct relationships for sensitive security parameters?
a. Port security parameters plus private security parameters
b. Critical security parameters plus public security parameters
c. Data security parameters plus critical security parameters
d. Public security parameters plus program security parameters

A

B. Critical security parameters (CSP) contain security-related
information (for example, secret and private cryptographic keys, and
authentication data such as passwords and PINs) whose disclosure or
modification can compromise the security of a cryptographic module
or the security of the information protected by the module. Public
security parameters (PSP) deal with security-related public information
(for example, public keys) whose modification can compromise the
security of a cryptographic module. Sensitive security parameters
(SSP) contain both CSP and PSP. In other words, SSP = CSP + PSP. A
trusted channel is generally established to transport the SSPs, data, and
other critical information shared by the cryptographic module and the
module’s operator.
The other three choices are incorrect. A port is a physical entry or exit
point of a cryptographic module that provides access to the module for
physical signals represented by logical information flows. The port
security parameters along with data/program security parameters are
not that important to the cryptographic module. The private security
parameters do not exist.

218
Q

The U.S. government imposes export controls on strong cryptography. Which of the following is the acceptable encryption key for use behind the firewall for use in foreign countries or in networks that include nodes in a foreign country?
a. 40 bits
b. 56 bits
c. 75 bits
d. 90 bits

A

A. Encryption using keys of 40 or fewer bits is only acceptable for
use behind the firewall. Leading cryptographers recommend
businesses use key lengths of at least 75 bits, with 90 bits being
preferable. The Data Encryption Standard (DES) uses 56-bit keys, which
is still acceptable for near-term use.

219
Q

Which of the following should be considered during configuration of cryptographic controls in the implementation phase of a system development life cycle (SDLC) as it applies to selecting cryptographic mechanisms?
1. Mathematical soundness of the algorithm
2. Length of the cryptographic keys
3. Key management
4. Mode of operation
a. 2 only
b. 3 only
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

D. In the implementation phase, the focus is on configuring the
system for use in the operational environment. This includes
configuring the cryptographic controls. After the system has been
configured, certification testing is performed to ensure that the system
functions as specified and that the security controls are operating
effectively. The security provided by a cryptographic control depends
on the mathematical soundness of the algorithm, the length of the
cryptographic keys, key management, and mode of operation. A
weakness in any one of these components may result in a weakness or
compromise to the security of the cryptographic control. A weakness
may be introduced at any phase of the system life cycle.

220
Q

Audit trails should be considered as part of which of the following security controls during the security design, implementation, and use of a cryptographic module?
a. Physical access controls
b. Logical access controls
c. Integrity controls
d. User authentication

A

C. Cryptography may provide methods that protect security-relevant
software, including audit trails, from undetected modification.
This is addressed as part of the integrity controls. Physical access
controls are incorrect because they deal with prevention, detection,
physical replacement or modification of the cryptographic system, and
the keys within the system. Logical access controls are incorrect
because they may provide a means of isolating the cryptographic
software from attacks and modifications. The cryptographic module
boundary may consist of the hardware, operating system, and
cryptographic software. User authentication is incorrect because it
includes use of cryptographic authentication to provide stronger
authentication of users.

221
Q

Which of the following is not a rule that guides the cryptography implementation in a system development life cycle (SDLC) as it applies to selecting cryptographic mechanisms?
a. Determine what information must be provided using a
cryptographic function.
b. Change the cryptographic keys when employees leave the
organization.
c. Protect data prior to signature generation/verification or
encryption/decryption.
d. Provide the capability for local users to view all data that is
being signed or encrypted.

A

B. It is a rule to follow in the operation and maintenance phase,
not in the implementation phase. For example, cryptographic keys that
are never changed, even when disgruntled employees leave the
organization, are not secure. The other three choices are incorrect
because they are the rules that guide the implementation of
cryptography.

222
Q

During the operation and maintenance phase of a system
development life cycle (SDLC) as it relates to cryptography, which
of the following requires configuration management most?
1. Hardware and firmware
2. System software maintenance and update
3. Application software maintenance
4. Cryptographic key maintenance
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

A. Configuration management (CM) is needed most for high-risk
areas such as hardware and firmware and system software maintenance
and update. CM ensures the integrity of managing system and security
features through controlling changes made to a system’s hardware,
firmware, software, and documentation. The documentation may
include user guidance, test scripts, test data, and test results. The
hardware and firmware maintenance scope covers adding new
capabilities, expanding the system to accommodate more users,
replacing nonfunctional equipment, changing platforms, and upgrading
hardware components. The system software maintenance and update
scope includes adding new capabilities, fixing errors, improving
performance, and replacing keys.
The application software maintenance scope covers updating
passwords, deleting users from access lists, updating remote access,
and changing roles and responsibilities of users and maintenance
personnel, which are mostly routine in nature. The cryptographic key
maintenance scope includes key archiving, key destruction, and key
change, as it is mostly done in the disposal phase.

223
Q

During the operational phase of cryptography, key recovery means which of the following?
1. Acquiring keying material from backup
2. Acquiring keying material by reconstruction
3. Binding keying material to information
4. Binding keying material to attributes
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

A. Acquiring the keying material from backup or by
reconstruction is commonly known as key recovery. The other items
deal with key registration, which results in the binding of keying
material to information or attributes associated with a particular entity.
A trusted third party (for example, Kerberos realm server or a PKI
certification authority) performs the binding.

224
Q

During the operational phase of cryptography, which of the following keying material does not require backup storage?
a. Domain parameters
b. Passwords
c. Audit information
d. Random number generator seed

A

D. The keying material backup on an independent, secure storage
medium provides a source for key recovery. Keying material
maintained in backup should remain in storage for at least as long as
the same keying material is maintained in storage for normal
operational use. Not all keys need be backed up. For example, random
number generator (RNG) seed need not be backed up because it is a
secret value that is used to initialize a deterministic random bit
generator. In addition, storing the RNG seed would actually decrease
the security of the keys by increasing the risk of the material being
used to reverse-engineer the keys.
Domain parameters are incorrect because they can be backed up; they
are the values used with some public key algorithms to generate key
pairs, to create digital signatures, or to establish keying material. Passwords
are incorrect because they can be backed up. A password is a string of
characters (for example, letters, numbers, and other symbols) that are
used to authenticate an identity or to verify access authorization. Audit
information is incorrect because it can be backed up and can be used to
trace events and actions.

225
Q

During the post-operational phase of cryptography, which of the following keying material does not require archive storage?
a. Initialization vector
b. Audit information
c. Passwords
d. Domain parameters

A

C. During the post-operational phase, keying material is no longer
in operational use, but access to the keying material may still be
possible. A key management archive is a repository containing keying
material and other related information of historical interest. Not all
keying material needs to be archived. For example, passwords, which
change often, need not be archived; keeping old passwords only
increases the risk of disclosure.
Initialization vector is incorrect because it can be archived. It can be
retained until it’s no longer needed to process the protected data. An
initialization vector is a vector used in defining the starting point of a
cryptographic process. Audit information can be archived and can be
retained until no longer needed. Domain parameters are incorrect
because they can be archived. These parameters can be retained until
all keying material, signatures, and signed data using the domain
parameters are removed from the archive.

226
Q

Regarding cryptographic key management systems, which of
the following require frequent audits?
a. Security plans
b. Security procedures
c. Human actions
d. Protective mechanisms

A

C. On a more frequent basis, the actions of the humans who use,
operate, and maintain the system should be reviewed to verify that they
continue to follow established security procedures. Strong
cryptographic systems can be compromised by lax and inappropriate
human actions. Highly unusual events should be noted and reviewed as
possible indicators of attempted attacks on the system.
Security plans, security procedures, and protective mechanisms are
incorrect because they change slowly and are reviewed less frequently;
they are the standing controls against which the human actions are
audited, and they continue to support the cryptographic key management
policy.

227
Q

Regarding cryptographic key management system survivability, which of the following keys need to be backed up to decrypt stored enciphered information?
1. Master keys
2. Key encrypting key
3. Public signature verification keys
4. Authorization keys
a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4

A

D. Without access to the cryptographic keys that are needed to
decrypt information, organizations risk losing their access to that
information. Consequently, it is prudent to retain backup copies of the
keys necessary to process stored enciphered or signed information,
including master keys, key encrypting keys, public signature
verification keys, and authorization keys. Note that a public signature
verification key decrypts nothing; it is retained so that signatures on
stored data can still be verified after the signer’s key is retired.
These items should be stored until there is no longer any requirement
for access to the underlying plaintext information.

228
Q

Which of the following is not a critical component of cryptographic key management system?
a. Point-to-point environment
b. Key distribution center environment
c. Key translation center environment
d. Key disclosure center environment

A

D. A cryptographic key management system must have three
components to operate: a point-to-point environment, a key
distribution center environment, and a key translation center
environment. A key disclosure center environment is not relevant here.

229
Q

Which of the following is not used to obtain nonrepudiation
service?
a. Digital signatures
b. Digital message receipts
c. Integrity checks
d. Timestamps

A

C. Nonrepudiation services are obtained by employing mechanisms
such as digital signatures, digital message receipts, and timestamps,
not integrity checks. An integrity check (a hash, checksum, or CRC)
can show that data was not altered, but because anyone can compute it,
it does not bind the data to a particular originator and so cannot stop
the originator from denying it.

230
Q

In cryptographic key management, key zeroization means which of the following?
a. Key recovery
b. Key regeneration
c. Key destruction
d. Key correction

A

C. Key zeroization means key destruction. It is a method of
erasing electronically stored keys by altering the contents of key
storage so as to prevent the recovery of keys. The other three choices
are different key management functions. Key recovery is a function in
the life cycle of keying material in that it allows authorized entities
to retrieve keying material from the key backup or archive. Key
regeneration and key correction are needed when a key is compromised;
the compromised key itself is then zeroized.

231
Q

Which of the following binds the identity of a user to his
public key?
a. Private key technology and digital certificates
b. Symmetric key technology and digital signatures
c. Public key technology and digital certificates
d. Cryptographic key technology and electronic signatures

A

C. A digital certificate issued by a certification authority (CA)
binds an individual’s identity to that individual’s public key; the
CA’s signature over the certificate is what makes the binding
trustworthy. The binding is only as good as the protection afforded to
the individual’s corresponding private signature key, which is why
subscribers must keep that key under their sole control.

232
Q

Public key technology and digital certificates do not provide which of the following security services?
a. Authentication
b. Nonrepudiation
c. Availability
d. Data integrity

A

C. Public key technology and digital certificates can be used to
support authentication, encryption, nonrepudiation, and data integrity,
but not availability.

233
Q

Quantum cryptography could be a possible replacement for public key algorithms used in which of the following computing environments?
a. Utility computing
b. On-demand computing
c. Quantum computing
d. Virtual computing

A

C. Quantum cryptography is related to quantum computing
technology, but viewed from a different perspective. Quantum
cryptography (for example, quantum key distribution) is a possible
replacement for public key algorithms that would not be susceptible to
the attacks enabled by quantum computing.
Quantum computing deals with large word size quantum computers in
which the security of integer factorization and discrete log-based
public-key cryptographic algorithms (RSA, Diffie-Hellman, and elliptic
curve cryptography) would be threatened. This would be a major negative
result for many cryptographic key management systems that rely on
these algorithms for the establishment of cryptographic keys.
Lattice-based public-key cryptography, a classical (non-quantum)
family of algorithms now referred to as post-quantum cryptography, is
believed to be resistant to quantum computing threats.
Utility computing means allowing users to access technology-based
services without much technical knowledge. On-demand computing
deals with providing network access for self-services. Virtual
computing uses virtual machines with software that allows a single host
to run one or more guest operating systems. Utility computing,
on-demand computing, and virtual computing are part of cloud
computing.

234
Q

Which of the following is good practice for organizations issuing digital certificates?
a. Develop a consulting agreement.
b. Develop an employment agreement.
c. Develop a subscriber agreement.
d. Develop a security agreement.

A

C. Prior to issuance of digital certificates, organizations should
require a “subscriber agreement” in place that the subscriber signs.
This agreement describes the subscriber’s obligations to protect the
private signature key, and to notify appropriate authorities if it is
stolen, lost, compromised, unaccounted for, or destroyed. Often the
provisions of a subscriber agreement can be placed into other documents
such as an employment contract or security agreement.

235
Q

Which of the following is required to accept digital certificates from multiple vendor certification authorities?
a. The application must be PKI-enabled.
b. The application must be PKI-aware.
c. The application must use X.509 Version 3.
d. The application must use PKI-vendor plug-ins.

A

C. Using the X.509 Version 3 standard helps application programs
accept digital certificates from multiple vendor CAs, assuming that the
certificates conform to consistent certificate profiles. Application
programs still have to be PKI-enabled, PKI-aware, or use PKI vendor
plug-ins in order to process certificates at all; what the common
standard buys is interoperability, so that one application program can
accept digital certificates from multiple vendor certification
authorities. Version 3 adds extensions, such as the key usage and
extended key usage fields, whose bits restrict a certificate to
specific services such as digital signature, authentication, and
encryption.

236
Q

Which of the following is primarily required for continued functioning of a public key infrastructure (PKI)?
a. Disaster recovery plans
b. Service level plans
c. Fraud prevention plans
d. Legal liability plans

A

A. At a minimum, organizations should consider establishing
backup and recovery sites for their key PKI components (RA, CA, and
Directories) that supply the services necessary for application
programs to use certificates. A PKI is an infrastructure, like a highway.
By itself, it does little. It is useful when application programs employ
the certificates and services that it supports. The PKI is a combination
of products, services, software, hardware, facilities, policies,
procedures, agreements, and people that provide for and sustain secure
interactions on open networks such as the Internet. The other three
choices also need to be developed, but they address the consequences
of operating a PKI rather than its continued functioning.

237
Q

Which of the following can mitigate threats to integrity when public key cryptography is used?
a. Data checksums and secure hashes
b. Public key signatures and secure hashes
c. Cyclic redundancy checks and secure hashes
d. Simple checksums and secure hashes

A

B. Public key cryptography verifies integrity by using public key
signatures and secure hashes. A secure hash algorithm (SHA) is used
to create a message digest (hash); any change to the message changes
the hash. The hash is then signed with the originator’s private key,
and the signature may be stored or transmitted with the data. When the
integrity of the data is to be verified, the hash is recalculated and
the signature is checked against it with the corresponding public key;
a mismatch means the data or the signature was altered. Checksums and
CRCs alone do not help here, because anyone who can modify the data
can recompute them.

238
Q

Which of the following mitigate threats to nonrepudiation?
a. Secure hashes
b. Message digest 4
c. Message digest 5
d. Digital signatures and certificates

A

D. Data is electronically signed by applying the originator’s
private key to the data. The resulting digital signature can be stored or
transmitted with the data. Any party using the public key of the signer
can verify the signature. If the signature is verified, then the verifier
has confidence that the data was not modified after being signed and
that the owner of the public key was the signer. A digital certificate
binds the public key to the identity of the signer.

239
Q

Regarding data sanitization practices in a cloud computing environment, which of the following is affected most when data from one subscriber is physically commingled with the data of other subscribers?
a. Data at rest
b. Data in transit
c. Data in use
d. Data to recover

A

D. The data sanitization practices have serious implications for
security and data recovery in the cloud computing environment and are
most affected. Sanitization is the removal of sensitive data from a
storage device such as (i) when a storage device is removed from
service or moved elsewhere to be stored, (ii) when residual data
remains upon termination of service, and (iii) when backup copies are
made for recovery and restoration of service. Data sanitization matters
can get complicated when data from one subscriber is physically
commingled with the data of other subscribers. It is also possible to
recover data from failed drives (for example, hard drives and flash
drives) that are not disposed of properly by cloud providers.
Procedures for protecting data at rest are not as well standardized in a
cloud computing environment. Cryptography can be used to protect
data in transit. Data in use is the hardest to protect cryptographically,
because it must be in plaintext while it is processed (techniques for
computing on encrypted data are still emerging), so trust mechanisms
such as service contracts and risk assessments are relied on instead.

240
Q

Which of the following provides a unique user ID for a digital certificate?
a. User name
b. User organization
c. User e-mail
d. User message digest

A

D. The digital certificate contains information about the user’s
identity (for example, name, organization, and e-mail), but this
information may not necessarily be unique. A one-way (hash) function
applied to the certificate, which contains the user’s public key,
produces a fingerprint (message digest) unique to that certificate.

241
Q

Which of the following is not included in the digital signature
standard (DSS)?
a. Digital signature algorithm (DSA)
b. Data encryption standard (DES)
c. Rivest, Shamir, and Adleman algorithm (RSA)
d. Elliptic curve digital signature algorithm (ECDSA)

A

B. DSA, RSA, and ECDSA are included in the DSS (FIPS 186), which
specifies the algorithms used in computing and verifying digital
signatures; the current revision, FIPS 186-5, adds EdDSA and no longer
approves DSA for generating new signatures. DES is a symmetric
algorithm and is not included in the DSS. DES is a block cipher and
uses a 56-bit key.
DES has been replaced by the advanced encryption standard (AES), which
is preferred as the encryption algorithm for new products. AES is a
symmetric key encryption algorithm used to protect electronic data; it
is fast and strong due to its key-block-round combination. The
strength of DES is no longer sufficient.

242
Q

What keys are used to create digital signatures?
a. Public-key cryptography
b. Private-key cryptography
c. Hybrid-key cryptography
d. Primary-key cryptography

A

A. Public-key cryptography has been recommended for distribution
of secret keys and in support of digital signatures; a signature is
created with the signer’s private key and verified with the matching
public key. Private-key (symmetric) cryptography has been recommended
for encryption of messages and can be used for message integrity check
computations. Hybrid systems combine the two, using public keys to
establish a symmetric key that then encrypts the bulk data. Primary
keys are used in database design and are not relevant here.

243
Q

Elliptic curve systems are which of the following?
1. Asymmetric algorithms
2. Symmetric algorithms
3. Public-key systems
4. Private-key systems
a. 2 and 3
b. 1 and 3
c. 2 and 4
d. 1 and 4

A

B. Elliptic curve systems are public-key (asymmetric)
cryptographic algorithms. DES, by contrast, is a private-key
(symmetric) cryptographic algorithm.

244
Q

Data encryption standard (DES) cannot provide which of the following security services?
a. Encryption
b. Access control
c. Integrity
d. Authentication

A

D. Data encryption standard (DES) provides encryption, access
control, integrity, and key management standards. It cannot provide
authentication services. The DES is a cryptographic algorithm
designed for access to and protection of unclassified data. Because the
original “single” DES is insecure, Triple DES was used in its place;
Triple DES has itself since been deprecated by NIST, and AES should be
used for new systems.

245
Q

The elliptic curve system uses which of the following to create digital signatures?
a. Hash algorithm
b. Prime algorithm
c. Inversion algorithm
d. Linear algorithm

A

A. Elliptic curve systems create digital signatures over a message
digest produced by a hash algorithm such as SHA-256 (the original
ECDSA specification used SHA-1, which produces a 160-bit digest but is
no longer approved for signing because collisions are practical). The
hash algorithm generates a condensed representation of the message
called a message digest, and it is the digest, not the message, that
is signed. SHA-1 is a technical revision of the original SHA. Secure
hash algorithms are also used by PGP and GnuPG to generate digital
signatures.

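Cards 237, 238, 242 and 245 all describe the same operation: hash the message, sign the digest with the private key, verify with the matching public key. The Go program below is an added example written for this page (it is not from the flashcard deck or from any vendor); it uses only the Go standard library, ECDSA over P-256 with SHA-256, and the message text and the key names alice and mallory are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signMessage hashes msg with SHA-256 and signs only the digest with the
// signer's private key (ASN.1 DER-encoded r and s). Signing the digest is
// why the cost does not grow with the size of the message.
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyMessage recomputes the digest and checks the signature against the
// claimed signer's public key. Any change to msg, sig or key yields false.
func verifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo signs a constructed message as alice and reports whether the genuine
// message, a tampered copy, and verification under mallory's key succeed.
func demo() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	mallory, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := signMessage(alice, msg)
	if err != nil {
		return
	}
	genuineOK = verifyMessage(&alice.PublicKey, msg, sig)
	// Integrity: one changed byte gives a different digest, so the signature no longer matches.
	tampered := []byte("transfer 900 to account 42")
	tamperedOK = verifyMessage(&alice.PublicKey, tampered, sig)
	// Origin: the signature is bound to alice's key pair, not to mallory's.
	wrongKeyOK = verifyMessage(&mallory.PublicKey, msg, sig)
	return
}

func main() {
	g, t, w, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  tampered: %v  wrong key: %v\n", g, t, w)
}
```

The verifier never sees alice's private key, which is what makes the result usable for nonrepudiation: only the holder of that key could have produced a signature that checks under alice's public key. A certificate (card 238) is what ties that public key to alice's identity in the first place.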
246
Q

Which of the following clearly defines end-to-end encryption?
1. Encryption at origin
2. Decryption at destination
3. Visible routing information
4. No intermediate decryption
a. 1 and 2
b. 3 and 4
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

D. End-to-end encryption refers to communications encryption in
which data is encrypted at its origin and decrypted only at its
destination, with no intermediate decryption at any hop along the way.
Routing information (the addresses in the packet headers) remains
visible so that intermediate nodes can forward the traffic without
holding the key. End-to-end encryption thus provides end-to-end
security, in that the information is safeguarded from the point of
origin to the point of destination; compare link encryption, which
decrypts and re-encrypts at each hop.

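As an added illustration of card 246 (not part of the original deck), the Go program below models the three properties: encryption at the origin, decryption only at the destination, and a routing header that stays readable at every hop. The Packet type, the relay's routing table and the shared key are hypothetical; AES-GCM from the standard library does the encryption, and the header is bound as associated data so that a hop which rewrites the destination cannot have the payload accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Packet is a hypothetical wire format: a cleartext routing header that every
// hop may read, and a payload that only the destination can open.
type Packet struct {
	Src, Dst   string
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// header is the associated data: authenticated but not encrypted, so the
// routing information stays visible while remaining tamper-evident.
func header(src, dst string) []byte { return []byte(src + "->" + dst) }

// sealPacket encrypts at the origin.
func sealPacket(key []byte, src, dst string, plaintext []byte) (*Packet, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Packet{Src: src, Dst: dst, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, header(src, dst))}, nil
}

// relay is an intermediate hop. It has no key, so it never decrypts; it only
// consults the visible destination and returns the next hop.
func relay(p *Packet, routes map[string]string) (string, error) {
	next, ok := routes[p.Dst]
	if !ok {
		return "", errors.New("no route to " + p.Dst)
	}
	return next, nil
}

// openPacket decrypts at the destination. GCM rejects any change to the
// ciphertext or to the header bound as associated data.
func openPacket(key []byte, p *Packet) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, header(p.Src, p.Dst))
}

// demo sends one packet alice -> bob through a relay, then shows that a hop
// rewriting the destination header causes the payload to be rejected.
func demo() (delivered, nextHop string, redirectRejected bool, err error) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key known only to the endpoints
	p, err := sealPacket(key, "alice", "bob", []byte("meet at 10:00"))
	if err != nil {
		return
	}
	nextHop, err = relay(p, map[string]string{"bob": "router-2"})
	if err != nil {
		return
	}
	pt, err := openPacket(key, p)
	if err != nil {
		return
	}
	delivered = string(pt)
	p.Dst = "mallory" // a hop tampers with the visible routing information
	_, tamperErr := openPacket(key, p)
	redirectRejected = tamperErr != nil
	return
}

func main() {
	d, n, r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("next hop: %s  delivered: %q  redirect rejected: %v\n", n, d, r)
}
```

Binding the visible header as associated data is the design choice worth copying: a relay still reads the header in the clear, but it cannot redirect or relabel the packet without the destination noticing.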
247
Q

Which one of the following provides data integrity?
a. Cyclic redundancy checks
b. Digitized signatures
c. Passwords and PINs
d. Biometrics

A

A. A cyclic redundancy check (CRC) can be used to verify the
integrity of data transmitted over a communications line. Passwords,
PINs, and biometrics can be used to authenticate user identity.
Digitized signatures do not provide data integrity because they are
simply created by scanning a handwritten signature.

248
Q

Symmetric key algorithms are ideally suited for which of the following?
a. Authentication
b. Integrity
c. Confidentiality
d. Nonrepudiation

A

C. Symmetric key cryptography is a class of algorithms where
parties share a secret key. These algorithms are primarily used to
achieve confidentiality but may also be used for authentication,
integrity, and limited nonrepudiation services.

249
Q

Which of the following is the most efficient way of handling the redundancy built into the encrypted messages in detecting transmission errors?
a. Using cyclic redundancy check (CRC) polynomial code
b. Using CRC code
c. Using Hamming code
d. Using parity bit code

A

C. As part of controls, all encrypted messages should contain some
redundancy that has no meaning to the message itself, such as a
cryptographic hash or a Hamming code, so that the receiver can detect
(or correct) errors and so that random modifications of the ciphertext
cannot pass as valid messages. The redundancy should not be in the form
of “n” zeros at the start or end of a message because they yield
predictable results to the attacker.
A Hamming code is based on the Hamming distance, which is the number of
bit positions in which two codewords differ. The codeword contains
both data and check bits. The larger the minimum Hamming distance of
the code, the more errors it can detect and correct; a Hamming code
corrects any single-bit error and, with an extra parity bit, also
detects double-bit errors. It is the only choice here that corrects
errors rather than merely detecting them, which is why it is the most
efficient way of handling the redundancy.
The cyclic redundancy check (CRC) is also known as the polynomial
code, which is based on treating bit strings as representations of
polynomials with coefficients of 0 and 1 only. The CRC uses an
algorithm for generating error detection bits in a data link protocol.
The receiving station performs the same calculation as done by the
transmitting station. If the results differ, then one or more bits are
in error. A CRC detects random transmission errors well, including
burst errors up to the width of the checksum, but it only detects; it
cannot correct. More importantly, a CRC is not a cryptographically
secure mechanism, unlike a cryptographic hash or message authentication
code (MAC): it is linear, so an attacker who flips bits in the message
can compute the matching change to the checksum. Hence, a CRC is least
effective in verifying against malicious tampering of data.
The parity bit code is not as effective as the Hamming code because
the former only detects an odd number of bit errors and corrects none,
whereas the latter detects and corrects. Hence, the Hamming code is the
most efficient way of detecting and correcting transmission errors.

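The linearity that makes a CRC useless against deliberate tampering can be shown in a few lines. This Go program is an added example for this page, not from the deck: it predicts the CRC-32 of an altered message from the original checksum alone, then shows that the same alteration under HMAC-SHA-256 (the keyed construction card 251 refers to) is caught. The messages and the key are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// forgeCRC predicts the CRC-32 of a modified message from the original's
// checksum alone. A CRC is linear over GF(2): for equal-length inputs,
// crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros). The attacker therefore
// needs only the transmitted checksum and the bit flips being applied, not
// the plaintext and certainly not a key.
func forgeCRC(origCRC uint32, delta []byte) uint32 {
	zeros := make([]byte, len(delta))
	return origCRC ^ crc32.ChecksumIEEE(delta) ^ crc32.ChecksumIEEE(zeros)
}

// hmacTag computes HMAC-SHA-256 over msg with the shared secret key.
func hmacTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// constructed sample message and the attacker's edit (same length)
var (
	original = []byte("amount=100;to=acct-42")
	modified = []byte("amount=900;to=acct-42")
)

// demoCRC returns the attacker's predicted checksum for the modified message
// and the checksum the receiver actually computes; they are identical, so the
// forgery is accepted.
func demoCRC() (forged, actual uint32) {
	delta := xorBytes(original, modified)
	return forgeCRC(crc32.ChecksumIEEE(original), delta), crc32.ChecksumIEEE(modified)
}

// demoHMAC replays the attack against a keyed tag: the receiver compares the
// tag it received (computed over the original) with the tag of the modified
// message using hmac.Equal (constant-time) and rejects the message. Without
// the key the attacker cannot produce the tag the modified message would need.
func demoHMAC() (tamperDetected bool) {
	key := []byte("constructed-shared-secret") // known to sender and receiver only
	received := hmacTag(key, original)
	return !hmac.Equal(received, hmacTag(key, modified))
}

func main() {
	f, a := demoCRC()
	fmt.Printf("CRC forged %08x actual %08x match=%v\n", f, a, f == a)
	fmt.Printf("HMAC tamper detected: %v\n", demoHMAC())
}
```

The CRC half works for any equal-length edit and needs no knowledge of the original plaintext; that is exactly the property a transmission-error code is allowed to have and an integrity mechanism is not.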
250
Q

For large volumes of data, asymmetric-key cryptography is not efficient to support which of the following?
a. Authentication
b. Confidentiality
c. Integrity
d. Nonrepudiation

A

B. Asymmetric key algorithms are used to achieve authentication,
integrity, and nonrepudiation, and not to support confidentiality for
large volumes of data; they are far slower than symmetric ciphers.
These algorithms are used to perform three operations: digital
signatures, key transport, and key agreement. Although an asymmetric
key is not efficient for handling large volumes of data, it can be
used to encrypt short messages, thus providing confidentiality for
short messages, most usefully a symmetric key that then encrypts the
bulk data (the hybrid approach). Asymmetric key (public key)
cryptography is an encryption system that uses a public-private key
pair for encrypting/decrypting data and for generating/verifying
digital signatures.

251
Q

The secure hash algorithm (SHA) and hash-based message authentication code (HMAC) provide the basis for which of the following?
a. Data integrity
b. Confidentiality
c. Authentication
d. Nonrepudiation

A

A. The secure hash algorithm (SHA) and hash-based message
authentication code (HMAC) provide the basis for data integrity in
electronic communications. They do not provide confidentiality. An
HMAC also authenticates the message to the parties that share its key,
but because either party could have produced the tag it cannot provide
nonrepudiation; a plain hash provides neither.

252
Q

Which of the following is not part of public key infrastructure (PKI) data structures?
a. Public key certificate
b. Certificate revocation lists
c. Attribute certificate
d. Subject certificate

A

D. Two basic data structures are used in PKIs. These are the public
key certificates and the certificate revocation lists (CRLs). A third data
structure, the attribute certificate, may be used as an addendum. The
certificate authority (CA) issues a public key certificate for each
identity confirming that the identity has the appropriate credentials.
CAs must also issue and process CRLs, which are lists of certificates
that have been revoked. The X.509 attribute certificate binds attributes
to an attribute certificate holder. This definition is being profiled for
use in Internet applications. Subject certificate is meaningless here.

253
Q

Which of the following is an example of asymmetric encryption algorithm?
a. DH
b. DES
c. 3DES
d. IDEA

A

A. The concept of public-key cryptography (asymmetric algorithms)
was introduced by Diffie and Hellman to solve the key management
problem with symmetric algorithms, and Diffie-Hellman (DH) key
agreement is the asymmetric algorithm named after them. Strictly, DH
establishes a shared secret rather than encrypting data directly; the
shared secret is then used with a symmetric cipher. The other three
choices are incorrect because they are examples of symmetric
encryption algorithms.

254
Q

Which of the following are examples of cryptographic hash functions?
a. SHA and 3DES
b. DES and CBC
c. MD5 and SHA-1
d. DAC and MAC

A

C. MD5 and SHA-1 are both cryptographic hash functions, as are
their predecessors MD4 and SHA. Cryptographic hash functions execute
much faster and use fewer system resources than typical encryption
algorithms. Note that practical collision attacks exist against MD4,
MD5, and SHA-1, so they should not be used where collision resistance
matters; the SHA-2 and SHA-3 families are the current choices. The
other three choices are not hash functions: 3DES and DES are symmetric
ciphers, CBC is a block cipher mode, and DAC and MAC are access control
models (discretionary and mandatory).

255
Q

Which of the following statement is true about hash functions?
a. They produce a larger message digest than the original message.
b. They produce a much smaller message digest than the original
message.
c. They produce the same size message digest as the original
message.
d. They produce a much larger message digest than the original
message.

A

B. Hash functions produce a much smaller, fixed-length message
digest than the original message. Signing (or encrypting) the digest
rather than the whole message saves time and effort and improves
performance.

256
Q

Which of the following is the best technique to detect duplicate transactions?
a. ECDSA and SHA
b. ECDSA and SHA-1
c. ECDSA and MID
d. ECDSA and MD5

A

C. When the elliptic curve digital signature algorithm (ECDSA) is
used with a message identifier (MID), it provides the capability of
detecting duplicate transactions. The MID operates on checking the
sequence number of transactions.

257
Q

Countermeasures against replay attacks do not include which of the following?
a. Time-stamps
b. Protocols
c. Nonces
d. Kerberos

A

B. The term “protocols” is too generic to be of any use. A replay
attack refers to the recording and retransmission of message packets in
the network. Nonces are random numbers that are unique and fresh
each time of use, so a replayed message carries a nonce the receiver
has already seen. Timestamps let the receiver reject messages outside
a freshness window, and Kerberos relies on timestamps in its
authenticators for exactly that purpose.

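Cards 256 and 257 together describe the receiver-side checks that defeat duplicates and replays: a message identifier (sequence number), a nonce and a timestamp, all covered by the signature. The Go program below is an added example for this page, not code from the deck or from any product; the Msg wire format, the five-minute freshness window and the fixed clock are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Msg is a hypothetical transaction format: Seq is the message identifier,
// Unix the sender's timestamp, Nonce a fresh random value; the signature covers all of them.
type Msg struct {
	Seq     uint64
	Unix    int64
	Nonce   [16]byte
	Payload []byte
	Sig     []byte
}

// canonical serialises the signed fields in a fixed order so sender and receiver hash the same bytes.
func canonical(m *Msg) []byte {
	return []byte(fmt.Sprintf("%d|%d|%x|%s", m.Seq, m.Unix, m.Nonce, m.Payload))
}

// sign draws a fresh nonce and signs the message with ECDSA P-256 over SHA-256.
func sign(priv *ecdsa.PrivateKey, m *Msg) (err error) {
	if _, err = rand.Read(m.Nonce[:]); err != nil {
		return err
	}
	digest := sha256.Sum256(canonical(m))
	m.Sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return err
}

var (
	ErrSig    = errors.New("bad signature")
	ErrStale  = errors.New("timestamp outside freshness window")
	ErrReplay = errors.New("nonce already seen (replay)")
	ErrSeq    = errors.New("sequence number not increasing (duplicate)")
)

// Receiver holds the state needed to reject replays and duplicates.
type Receiver struct {
	pub     *ecdsa.PublicKey
	window  time.Duration
	now     func() time.Time
	lastSeq uint64
	seen    map[[16]byte]bool
}

// Accept checks the signature first, so unsigned junk cannot pollute the replay
// state, then freshness, then the nonce, then the sequence number.
func (r *Receiver) Accept(m *Msg) error {
	digest := sha256.Sum256(canonical(m))
	if !ecdsa.VerifyASN1(r.pub, digest[:], m.Sig) {
		return ErrSig
	}
	if age := r.now().Sub(time.Unix(m.Unix, 0)); age > r.window || age < -r.window {
		return ErrStale
	}
	if r.seen[m.Nonce] {
		return ErrReplay
	}
	if m.Seq <= r.lastSeq {
		return ErrSeq
	}
	r.seen[m.Nonce] = true
	r.lastSeq = m.Seq
	return nil
}

// demo delivers a genuine message, an exact replay, a re-signed message reusing the
// sequence number, and an hour-old message, and returns the receiver's verdict on each.
func demo() (map[string]error, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock for a deterministic run
	rx := &Receiver{pub: &priv.PublicKey, window: 5 * time.Minute,
		now: func() time.Time { return clock }, seen: map[[16]byte]bool{}}
	send := func(seq uint64, at time.Time) *Msg { // a signing failure is reported through err
		m := &Msg{Seq: seq, Unix: at.Unix(), Payload: []byte("pay 100 to acct-42")}
		if e := sign(priv, m); e != nil {
			err = e
		}
		return m
	}
	verdict := map[string]error{}
	m1 := send(1, clock)
	verdict["genuine"] = rx.Accept(m1)
	verdict["replay"] = rx.Accept(m1)                            // exact copy captured off the wire
	verdict["duplicate-seq"] = rx.Accept(send(1, clock))         // new nonce, reused sequence number
	verdict["stale"] = rx.Accept(send(2, clock.Add(-time.Hour))) // correctly signed but an hour old
	return verdict, err
}

func main() {
	verdict, err := demo()
	fmt.Println(verdict, err)
}
```

The signature alone would accept all four deliveries; it is the sequence number that catches the re-signed duplicate, the nonce that catches the exact replay, and the timestamp that bounds how long the nonce set has to be remembered.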
258
Q

A cryptographic module is undergoing testing. Which of the following provides the highest level of testing?
a. Algorithm level
b. Module level
c. Application level
d. Product level

A

C. The highest level of testing occurs at the application or system
level. This level is also called certification testing. Algorithm level and
module level are incorrect because they provide low-level testing.
Product level is incorrect because it is the next higher level above
algorithm and module level testing.

259
Q

For message digests to be effectively used in digital certificates, what must they be?
a. Access-resistant
b. Authorization-resistant
c. Collision-resistant
d. Attack-resistant

A

C. Message digests are used in cryptography to verify digital
signatures and to ensure data integrity. A unique user ID is determined
by constructing the hash of the client’s certificate using a trusted
algorithm. For the user ID to be unique, you must have reasonable
certainty that another client’s certificate will not hash to the same
value. This requirement is satisfied as long as the hash function is
sufficiently collision-resistant.

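Cards 240 and 259 describe the certificate fingerprint: a digest of the whole certificate that is unique as long as the hash is collision-resistant. This Go program is an added example for this page (not from the deck): it issues two self-signed X.509 v3 certificates with identical name, organisation and e-mail and shows that their SHA-256 fingerprints still differ. The subject values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a self-signed X.509 v3 certificate for subject/email with
// a freshly generated P-256 key and returns the DER encoding.
func selfSigned(serial int64, subject pkix.Name, email string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        subject,
		EmailAddresses: []string{email},
		NotBefore:      time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:       time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// fingerprint is the SHA-256 digest of the DER-encoded certificate, the value
// TLS stacks, directories and pinning configurations use as its unique ID.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// demo issues two certificates whose name, organisation and e-mail are
// identical and reports whether the parsed subjects match and whether the
// fingerprints nonetheless differ (they do: the keys and serials differ).
func demo() (sameSubject, distinctFingerprint bool, err error) {
	subject := pkix.Name{CommonName: "Alice Example", Organization: []string{"Example Corp"}} // constructed
	der1, err := selfSigned(1, subject, "alice@example.com")
	if err != nil {
		return
	}
	der2, err := selfSigned(2, subject, "alice@example.com")
	if err != nil {
		return
	}
	c1, err := x509.ParseCertificate(der1)
	if err != nil {
		return
	}
	c2, err := x509.ParseCertificate(der2)
	if err != nil {
		return
	}
	sameSubject = c1.Subject.String() == c2.Subject.String() &&
		c1.EmailAddresses[0] == c2.EmailAddresses[0]
	distinctFingerprint = fingerprint(der1) != fingerprint(der2)
	return
}

func main() {
	same, distinct, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same subject: %v  distinct fingerprint: %v\n", same, distinct)
}
```

The uniqueness comes entirely from the hash: two different certificates map to the same fingerprint only if SHA-256 collides. MD5 and SHA-1 fingerprints, which some tools still print, should not be relied on for identity, because collisions have been demonstrated for both.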
260
Q

A hash function is which of the following?
a. One-to-one function
b. One-to-many function
c. Many-to-one function
d. Many-to-many function

A

C. A hash function is a many-to-one function that takes an
arbitrary-length-input message and constructs a fixed-length output
digest.

261
Q

Which of the following is implemented in the Version 3 of X.509 protocol?
a. SSL
b. Regular MIME
c. SHA
d. S/MIME

A

D. Secure Multipurpose Internet Mail Extensions (S/MIME) is an
open standard under which e-mail messages can be digitally signed and
encrypted using X.509 Version 3 certificates. Validating the signature
on the e-mail lets the recipient know with confidence who sent it and
that it was not altered during transmission (i.e., nonrepudiation).
Regular MIME defines only the message format and provides no security
services. SSL and SHA are not relevant here.

262
Q

Which of the following is used to encrypt the Internet Protocol (IP) Packets?
a. PPTP
b. HTTP
c. IPsec
d. PPP

A

C. Internet Protocol security (IPsec) is a protocol suite that
operates within the Internet protocol (IP) and encrypts and
authenticates IP packets. The IP transmits and routes messages, breaks
large messages into smaller sizes on one end, and reassembles them into
the original message on the other end. IP accomplishes these tasks
using the IP header, which is inserted at the beginning of each packet.
Point-to-point tunneling protocol (PPTP) tunnels PPP frames inside IP
packets; its optional encryption is weak and it is no longer considered
secure. Hypertext transfer protocol (HTTP) is a connection-oriented
protocol that uses transmission control protocol (TCP) to carry Web
traffic between a computer’s Web browser and the Web server being
accessed. Point-to-point protocol (PPP) is used in router-to-router
traffic and home user-to-ISP traffic.

263
Q

Which one of the following encryption keys is slow?
a. Symmetric
b. Asymmetric
c. Semi-symmetric
d. Semi-asymmetric

A

B. Asymmetric (public key) algorithms are slow by nature and are
suitable for encrypting and distributing keys and for providing
authentication. Symmetric (private key) algorithms are much faster and
are suitable for encrypting files and communication channels.

264
Q

Most cryptographic attacks focus on which of the following?
a. Cryptographic keys
b. Cryptographic passwords
c. Cryptographic parameters
d. Cryptographic PINs

A

C. A cryptographic module’s critical security parameters (CSPs)
contain keys, passwords, personal identification numbers (PINs), and
other information. CSPs are vulnerable to attacks.

265
Q

Which of the following symmetric key block cipher algorithms provide authentication services?
a. ECB
b. CBC
c. CBC-MAC
d. CFB

A

C. In the Advanced Encryption Standard (AES), there are five
modes that provide data confidentiality and one mode that provides
data authentication. The confidentiality modes are the Electronic
Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB),
Output Feedback (OFB), and Counter (CTR) modes. The authentication
mode is the Cipher Block Chaining-Message Authentication Code
(CBC-MAC) mode. Note that the raw CBC-MAC is secure only for messages
of one fixed length; for variable-length messages NIST specifies CMAC
(SP 800-38B), and the CCM and GCM modes provide confidentiality and
authentication together.

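To make the fixed-length caveat on CBC-MAC concrete, here is an added Go example (not from the deck): it computes the raw AES-CBC-MAC and then forges a valid tag for a two-block message from the tags of two one-block messages, without the key. The key and message blocks are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cbcMAC computes the raw CBC-MAC: AES in CBC mode with an all-zero IV, and
// the tag is the final ciphertext block. msg must be block-aligned; no
// padding or length encoding is applied, which is exactly the weakness shown below.
func cbcMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("message length %d is not a positive multiple of %d", len(msg), aes.BlockSize)
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, msg)
	return out[len(out)-aes.BlockSize:], nil
}

// forge shows the variable-length weakness. Knowing two valid pairs (m1,t1)
// and (m2,t2) with single-block m2, an attacker builds m1 || (m2 XOR t1): in
// CBC the second block is encrypted as E(m2 XOR t1 XOR t1) = E(m2) = t2, so
// t2 is a valid tag for the glued message and no key is needed.
func forge(key []byte) (forgedMsg, forgedTag, realTag []byte, err error) {
	m1 := []byte("TRANSFER 100 USD") // 16 bytes, constructed
	m2 := []byte("TO ACCOUNT 0042!") // 16 bytes, constructed
	t1, err := cbcMAC(key, m1)
	if err != nil {
		return
	}
	t2, err := cbcMAC(key, m2)
	if err != nil {
		return
	}
	glued := make([]byte, aes.BlockSize)
	for i := range glued {
		glued[i] = m2[i] ^ t1[i]
	}
	forgedMsg = append(append([]byte{}, m1...), glued...)
	forgedTag = t2
	realTag, err = cbcMAC(key, forgedMsg) // what an honest verifier computes
	return
}

func main() {
	key := []byte("0123456789abcdef") // constructed AES-128 key
	msg, forged, real, err := forge(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged message %q\nforged tag accepted: %v\n", msg, bytes.Equal(forged, real))
}
```

The verifier accepts the forged tag because nothing in raw CBC-MAC ties the tag to the message length. CMAC fixes this by masking the last block with a key-derived subkey; prefixing the length to the message is the classic alternative. The Go standard library has no CMAC, so in practice use GCM (which provides GMAC) or HMAC instead.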
266
Q

Hash-based message authentication code (HMAC) is heavily used in which of the following?
a. PPP operations
b. SET operations
c. IPsec operations
d. PPTP operations

A

C. Hash-based message authentication code (HMAC) provides
message integrity and origin authentication, is fast, and adds little
overhead, so it is heavily used in IPsec operations (for example,
HMAC-SHA-1-96 and HMAC-SHA-256-128, where the tag is truncated to its
leftmost 96 or 128 bits). HMAC combines a secret key with a hash
function to produce a message digest that only holders of the key can
compute. The other three choices are not relevant here.

267
Q

Which of the following statements is true about truncation of a message digest in cryptographic applications?
a. Smaller message digest length is applied to the data to be
hashed, and the resulting digest is truncated at the rightmost bits.
b. Larger message digest length is applied to the data to be hashed,
and the resulting digest is truncated at the leftmost bits.
c. Smaller message digest length is applied to the data to be
hashed, and the resulting digest is truncated at the leftmost bits.
d. Larger message digest length is applied to the data to be hashed,
and the resulting digest is truncated at the rightmost bits.

A

B. Some cryptographic applications may require a hash function
with a message digest length different than those allowed in standards.
In such cases, a truncated message digest may be used, whereby a hash
function with a larger message digest length is applied to the data to be
hashed, and the resulting message digest is truncated by selecting an
appropriate number of the leftmost bits. The least significant bit is the
rightmost bit of a bit string. The leftmost bit is the most significant bit.

268
Q

Secure hash algorithms enable the determination of which of the following?
a. Message confidentiality
b. Message integrity
c. Message availability
d. Message identity

A

B. Secure hash algorithms (for example, SHA-224, SHA-256, SHA-384, and
SHA-512) are used to hash a message. They enable the determination of a
message's integrity: any change to the message results in a different
message digest. The original SHA (SHA-0) and SHA-1 should no longer be used
because practical collisions have been found for them. A hash by itself does
not give confidentiality (the message is not hidden), and an unkeyed digest
can be recomputed by anyone who modifies the message, so integrity against an
active attacker needs a MAC or a signature over the digest. Message identity
is a field (for example, a sequence number) that may be used to identify a
message.

269
Q

Which of the following is not usually seen on a digital certificate?
a. Owner name
b. Public key
c. Effective dates for keys
d. Insurance company name

A

D. A digital certificate contains the owner (subject) name, the subject's
public key, and the validity period (start and end dates), together with the
issuer name, a serial number, and the issuing CA's signature. It should not
carry owner attributes that change frequently (for example, an insurance
company name), because every change would force the certificate to be
reissued.

270
Q

What is the major requirement for a public key certification authority?
a. It must be independent.
b. It must have a proper contract.
c. It must be trusted.
d. It must have a good reputation.

A

C. A public key certificate is a credential that binds a public key to the
identity of its owner (a person, organization, or device). Relying parties
accept that binding only because they trust the certification authority that
signed it. The trust may come from several sources, such as the role and
independence of the certification authority, its reputation, its contracts,
management integrity, and other legal obligations, but trust itself is the
requirement; the other choices are means of earning it.

271
Q

Which of the following statements is true about elliptic curve cryptography?
a. It uses an asymmetric-key algorithm.
b. It competes with the Diffie-Hellman algorithm.
c. It competes with the digital signature algorithm.
d. It uses a symmetric-key algorithm.

A

A. Elliptic curve cryptography (ECC) is a family of asymmetric-key
algorithms well suited to bandwidth- and power-constrained systems. Compared
with Rivest, Shamir, and Adleman (RSA), ECC gives equivalent strength with
much shorter keys (a 256-bit curve is comparable to a 3072-bit RSA modulus)
and is less computationally intensive. The Diffie-Hellman algorithm
(Whitfield Diffie and Martin Hellman) is used for key exchange, and the
digital signature algorithm (DSA) is used only for signatures; elliptic-curve
versions of both exist (ECDH and ECDSA), so ECC complements rather than
competes with them.

272
Q

What is the best way to encrypt data?
a. Bulk encryption
b. Link encryption
c. Transaction encryption
d. End-to-end encryption

A

B. There are two modes of implementing encryption in a network: link
(online) encryption and end-to-end encryption. Link encryption encrypts all
the data along a communications path (for example, a satellite link,
telephone circuit, or T1 line), including packet headers and trailers, which
is why this question treats it as the most complete way to encrypt data. It
provides good protection against external threats such as traffic analysis
because everything flowing on the link is encrypted, including addresses and
routing information. Its major advantage is that it is easy to incorporate
into network protocols at the lower levels of the OSI model; its major
disadvantage is that the data is decrypted and re-encrypted at every node
along the path and is in the clear inside each node, so a compromised node
exposes the traffic.
Bulk encryption is the simultaneous encryption of all channels of a
multichannel telecommunications trunk. Transaction encryption is used in the
payment card industry, for example with the secure electronic transaction
(SET) protocol for transactions over the Internet.
In end-to-end encryption, a message is encrypted and decrypted only at the
endpoints; it does not encrypt headers and trailers and operates at the
higher levels of the OSI model, so it is not exposed by compromised
intermediate nodes. Its routing information remains visible, which is a
potential risk. In practice the two are complementary and are often layered
(for example, TLS inside an IPsec tunnel).

273
Q

What is the correct sequence of keys in a triple data encryption standard (3DES) algorithm operating with three keys?
a. Encrypt-decrypt-encrypt
b. Decrypt-encrypt-decrypt
c. Encrypt-encrypt-encrypt
d. Decrypt-decrypt-decrypt

A

A. Triple DES (TDEA, FIPS 46-3 and NIST SP 800-67) always applies DES three
times in encrypt-decrypt-encrypt (EDE) order: C = E(K3, D(K2, E(K1, P))).
With three independent keys this is keying option 1 (168-bit key, about 112
bits of effective strength because of the meet-in-the-middle attack); with
K1 = K3 it is two-key 3DES (keying option 2). EDE was chosen rather than
encrypt-encrypt-encrypt so that setting K1 = K2 = K3 reduces to a single DES
encryption, which gave backward compatibility with single-DES equipment. The
other two choices are not defined modes of 3DES.

274
Q

Which of the following is best qualified to evaluate the security of Public Key Infrastructure (PKI) systems and
procedures?
a. Certification authorities
b. Registration authorities
c. Trusted third parties
d. Subscribers

A

C. Trusted third parties who are independent of the certification authority,
the registration authority, and the subscribers, and who work for independent
audit or consulting organizations, are the right candidates to conduct
security evaluations (for example, reviews and audits) of PKI systems and
procedures; a written report is published after the evaluation. A
certification authority (CA) is the trusted entity that vouches for the
binding between an identity and a public key by issuing signed certificates
and publishing revocation information; it may be a private organization or a
government agency. A registration authority (RA) verifies subscribers'
identities and handles certificate requests on the CA's behalf but does not
sign certificates. Subscribers are the individuals and organizations that
hold certificates and use them in their business. None of these parties can
independently audit a system they operate or depend on.

275
Q

Which of the following statements is not true about Secure
Sockets Layer (SSL)?
a. It uses both symmetric and asymmetric key cryptography.
b. It is used to perform authentication.
c. It is a point-to-point protocol.
d. It is a session-oriented protocol.

A

C. Secure sockets layer (SSL), and its successor transport layer security
(TLS), uses a combination of asymmetric key cryptography (to authenticate the
server, optionally the client, and to establish a session key) and symmetric
key cryptography (to encrypt and authenticate the session data). It is a
session-oriented protocol that sets up a secure connection between a client
and a server for a particular session, above the transport layer. SSL is not
a point-to-point (link-layer) protocol: it secures the end-to-end connection,
not an individual physical link. All versions of SSL, and TLS 1.0 and 1.1,
are deprecated; TLS 1.2 or 1.3 should be used.

276
Q

The two protocol algorithms used in cryptographic applications for compressing data are which of the following?
a. SHA1 and MD5
b. 3DES and IDEA
c. DSA and DSS
d. RSA and SKIPJACK

A

A. In this question "compressing" means condensing a message of any length
to a fixed-length digest, not reversible data compression. The secure hash
algorithm (SHA-1) produces a 160-bit digest of the message contents, and
message digest 5 (MD5) produces a 128-bit digest. Many cryptographic
applications generate and process both SHA-1 and MD5 digests; signing or
storing a digest is faster and takes less space than handling the whole
message. The algorithms in the other three choices do not condense data: 3DES
and IDEA are block ciphers (3DES uses a 168-bit key), DSA/DSS are a signature
algorithm and standard, and RSA and SKIPJACK are an asymmetric and a
symmetric cipher respectively. Both SHA-1 and MD5 are now considered broken
for collision resistance and should be replaced by SHA-2 or SHA-3 in new
designs.

277
Q

Which of the following statements is not true about asymmetric-key cryptography?
a. It is used to provide an authentication service.
b. It is used to provide a digital signature service.
c. It can be used to encrypt large amounts of data.
d. It can be used to provide nonrepudiation service.

A

C. A disadvantage of asymmetric-key cryptography is that it is much slower than symmetric-key cryptography and is therefore impractical and inefficient for encrypting large amounts of data; in practice a symmetric session key encrypts the bulk data and the asymmetric algorithm protects only that key (hybrid encryption). The other three choices are advantages of asymmetric-key cryptography.

278
Q

What is the major purpose of a digital certificate?
a. To achieve the availability goal
b. To maintain more information on the certificate
c. To verify the certificate authority
d. To establish user and device authentication

A

D. Digital certificates are used as a means of user and device
authentication. Entities can prove their possession of the private key by digitally signing known data or by demonstrating knowledge of a secret exchanged using public-key cryptographic methods.

279
Q

For integrity protection, most Internet Protocol security
(IPsec) implementations use which of the following algorithms?
1. SHA-1
2. MD5
3. HMAC-SHA-1
4. HMAC-MD5
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4

A

D. Most IPsec implementations use HMAC-SHA-1 and HMAC-MD5 (truncated to 96 bits as HMAC-SHA-1-96 and HMAC-MD5-96, RFC 2404 and RFC 2403) for the integrity check value in AH and ESP. A plain SHA-1 or MD5 digest, alone or together, is not integrity protection against an attacker on the path, because anyone who alters the packet can simply recompute the digest; the HMAC construction binds the digest to a secret key that only the peers hold. Newer deployments use HMAC-SHA-256 (RFC 4868) or an AEAD cipher such as AES-GCM.
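An added example (not from the deck) of what the answer to this card, and the answers to cards 266 and 267, describe: HMAC-SHA-1 and HMAC-MD5 truncated to their leftmost 96 bits, as IPsec AH/ESP carry them, and why a bare digest is not an integrity check. The packet contents and key are constructed for the example; the RFC 2202 test vectors are used to check the HMAC values.

```python
import hashlib
import hmac


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1 with the leftmost 96 bits (12 bytes) kept, the authenticator
    format RFC 2404 specifies for IPsec AH and ESP."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 2403): same truncation rule, MD5 underneath."""
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def bare_sha1(data: bytes) -> bytes:
    """An unkeyed digest: anyone can recompute it, so it detects only accidents."""
    return hashlib.sha1(data).digest()


# Constructed sample: the part of a packet that an integrity check covers,
# and a constructed 20-byte shared key (the size RFC 2404 expects).
PACKET = b"src=10.0.0.7 dst=10.0.0.5 seq=17 payload=TRANSFER 100"
KEY = bytes.fromhex("0b" * 20)


def receiver_accepts_bare(packet: bytes, icv: bytes) -> bool:
    """Receiver that trusts a plain SHA-1 over the packet."""
    return hmac.compare_digest(bare_sha1(packet), icv)


def receiver_accepts_hmac(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Receiver that checks HMAC-SHA-1-96 under the shared key. compare_digest
    keeps the comparison constant-time so the check itself leaks nothing."""
    return hmac.compare_digest(hmac_sha1_96(key, packet), icv)


def forge_bare(packet: bytes):
    """On-path attacker against a bare digest: rewrite the destination and
    recompute the digest, which needs no secret."""
    new_packet = packet.replace(b"dst=10.0.0.5", b"dst=10.0.0.99")
    return new_packet, bare_sha1(new_packet)


def forge_against_hmac(packet: bytes, old_icv: bytes):
    """Same attacker against HMAC: without the key, the best available move is
    to reuse the old tag, which no longer matches the modified packet."""
    new_packet = packet.replace(b"dst=10.0.0.5", b"dst=10.0.0.99")
    return new_packet, old_icv
```

Truncating to 96 bits keeps the leftmost bytes, as the answer to card 267 states, and saves header space; 96 bits is still far beyond what an online forgery attempt can search. The point of the two `forge_*` functions is that the bare-digest receiver accepts the rewritten packet while the HMAC receiver rejects it, even though the hash function underneath is the same.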

280
Q

Which of the following methods provide the highest level of
security to protect data access from unauthorized people?
a. Encryption
b. Callback or dial-back systems
c. Magnetic cards with personal identification number
d. User ID and password

A

A. Of the four, encryption provides the highest level of security for protecting data from access by unauthorized people. It transforms data into an unintelligible form such that the original either cannot be recovered at all (a one-way transformation, i.e., hashing) or cannot be recovered without the key and the inverse decryption process (two-way encryption); its protection rests on the strength of the algorithm and the secrecy of the keys. Callback (dial-back) systems and magnetic cards with personal identification numbers provide medium protection, whereas user IDs and passwords provide minimum protection. Callback systems can be defeated by call-forwarding features in a telephone system. Magnetic cards can be lost, stolen, or counterfeited. User IDs and passwords can be shared with others or guessed, a control weakness.

281
Q

To achieve effective security over transmission, what is the
best area where stronger encryption can be applied the most?
a. Packet level
b. Record level
c. File level
d. Field level

A

D. Encryption can be applied to anything from a single message field up to an entire packet in transmission over network lines, and it can be layered at each of these levels. The field is the lowest-level element and the one that carries the sensitive content (a card number, a password), so applying the strongest encryption there focuses protection where it matters most: the field stays protected wherever the record, file, or packet is later copied or stored, independent of the transport. Field-level encryption is therefore regarded here as stronger than file-, record-, and packet-level encryption, although in practice it is combined with transport encryption rather than replacing it.

282
Q

What is the least powerful method of protecting confidential
data or program files?
a. Scrambling the data
b. Encoding the data before transmission
c. Decoding the data after transmission
d. Using passwords and other identification codes

A

D. Passwords and other identification codes are the least powerful method because they can be shared and guessed. Scrambling, encoding, and decoding are cryptographic methods used in data transmission: encryption scrambles or encodes the data, and decryption decodes it. Encryption is the process of transforming data to an unintelligible form in such a way that the original data either cannot be obtained (one-way) or cannot be obtained without using the inverse decryption process (two-way). Authorized users of encrypted data must have the key that was used to encrypt it in order to decrypt it. The key chosen for a particular application makes the result of encrypting data with the algorithm unique; a different key gives a different result. The cryptographic security of the data therefore depends on the security provided for the keys used to encrypt and decrypt it.

283
Q

What is the best technique to thwart network masquerading?
a. Dial-back technique
b. Dial-forward technique
c. File encryption only
d. Dial-back combined with data encryption

A

D. Personal computers are increasingly used as terminal devices connected to larger host systems, and as nodes on networks. Information transmitted over unprotected telecommunications lines can be intercepted by someone masquerading as an authorized user, who then actively receives sensitive information. Encryption can be adapted as a means of remote user authentication: a user key, entered at the keyboard, authenticates the user, and a second encryption key, stored in encrypted form in the calling system's firmware, authenticates the calling system as an approved communications endpoint. When dial-back is used with this two-key encryption, data access is restricted to authorized users (those with the user key), on authorized systems (those whose modems hold the correct second key), at authorized locations (those with phone numbers listed in the answering system's directory). Dial-back alone cannot guarantee protection against masquerading because an attacker can use call forwarding (the dial-forward technique) to reroute the callback and spoof the connection. File encryption alone may not be adequate because an intruder may intercept the key while it is in transit; managing the encryption key is critical.

284
Q

Which of the following describes message authentication
correctly?
a. A process of guaranteeing that the message was sent as received
by the party identified in the header of the message.
b. A process of guaranteeing that the message was sent as received
by the party identified in the footer of the message.
c. A process of guaranteeing that the message sent was received at
the same time regardless of the location.
d. A process of guaranteeing that all delivered and undelivered
messages are reconciled immediately.

A

A. Message authentication is a process for detecting unauthorized changes to data transmitted between users or machines, or to data retrieved from storage, and for confirming that the message came from the party identified in its header. Message authentication keys should receive greater protection than the data they protect. It is the message header, not the footer, that identifies the sending and receiving parties. There is always some delay between sending and receiving a message, especially to remote or foreign destinations, so simultaneous receipt is not part of the definition. Undelivered-message reports are produced at specific time intervals, not immediately, and are a reconciliation control rather than authentication.

285
Q

What is the control technique that best achieves confidentiality of data in transfer?
a. Line encryption
b. One-time password
c. File encryption
d. End-to-end encryption

A

A. Here, the communication line from a user site to the host computer is encrypted to provide confidentiality: line (link) encryption protects data while it is in transfer over that line. A one-time password is incorrect because it only ensures that a particular password is used once, for a specific session or transaction; like a one-time key, it protects the authentication step, not the data on the line. File encryption is incorrect because it protects the file in storage, not the communication line over which the transfer takes place. End-to-end encryption also protects data in transfer, but it is applied by the endpoints to the message payload and leaves the line's headers and routing information exposed, whereas line encryption is the control aimed at the transfer medium itself. In practice the two are complementary.

286
Q
Which of the following provides both integrity and
confidentiality services for data and messages?
a. Digital signatures
b. Encryption
c. Cryptographic checksums
d. Granular access control
A

B. An encryption security mechanism can provide integrity, confidentiality, and authentication (when an authenticated mode or an encrypt-then-MAC construction is used; a bare confidentiality mode does not detect tampering by itself). The data and message integrity service helps to protect data and software on workstations, file servers, and other local-area network (LAN) components from unauthorized modification, whether intentional or accidental, and ensures that a message is not altered, deleted, or added to during transmission. Cryptographic checksums and granular access control and privilege mechanisms provide integrity but not confidentiality; the more granular the access control or privilege mechanism, the less likely an unauthorized or accidental modification. A message authentication code, a type of cryptographic checksum, protects against both accidental and intentional unauthorized modification. Digital signatures also detect modification of data or messages; they use public key cryptography and provide two distinct services, nonrepudiation and message integrity. A message authentication code cannot provide nonrepudiation, because either holder of the shared key could have produced it. Nonrepudiation ensures that the parties to a communication cannot deny having participated in all or part of it.

287
Q

Which of the following independent statements is not true
about security?
a. The security of the cryptography can never be greater than the
security of the people using it.
b. The security of any electronic-mail program cannot be greater
than the security of the machine where the encryption is performed.
c. The security of an encryption algorithm is no more or less than
the security of the key.
d. The security of each electronic-mail message is encrypted with a
standard, nonrandom key.

A

D. Each electronic-mail message is encrypted with its own unique key: the security program generates a random session key and uses it to encrypt the message. The other three statements are true. (i) The security of cryptography can never be greater than the security of the people using it, because people make the security succeed or fail; (ii) the security of any electronic-mail program cannot be greater than the security of the machine where the encryption is performed, because the program's security is an extension of the machine's; and (iii) the security of an encryption algorithm is no more and no less than the security of its key, on the assumption that the algorithm itself is a good one (Kerckhoffs's principle).

288
Q

Which of the following statements about encryption is not
true?
a. Software encryption degrades system performance.
b. Hardware encryption is faster.
c. Encryption is a desirable option in a local-area network.
d. Key management is an administrative burden.

A

C. In this (older) view, encryption is a desirable option on a mainframe but not in a local-area network (LAN) environment because of its performance cost and administrative burden. Software-based encryption consumes CPU time and degrades system performance; hardware-based encryption is faster but adds cost and still needs key distribution, storage, and disposal, all of which require management's attention. As CPU capacity has grown and hardware AES instructions have become standard, encrypting LAN traffic has become routine and a useful mitigation of insider risk, but within the terms of this question statement c is the one that is not true.

289
Q

Which of the following encryption schemes is more secure?
a. Encrypting once with the same key
b. Encrypting twice with the same key
c. Encrypting twice with two keys
d. Multiple encryptions with different keys

A

D. Any encryption scheme can be made harder to break by applying it several times with independent keys, and triple encryption is stronger than double or single encryption. Costs, overhead, and performance degradation increase with each additional encryption. Note that doubling does not double the key strength: 2DES with two 56-bit keys is barely more secure than single DES (about 2^57 work instead of 2^56) because of the meet-in-the-middle attack, which trades memory for time by encrypting a known plaintext under every possible first key, decrypting the matching ciphertext under every possible second key, and looking for a middle value that collides. That is why 3DES (triple DES) was used instead, giving about 112 bits of effective strength with three keys.
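An added worked example (not part of the original deck) of the meet-in-the-middle attack mentioned above, run against a toy 32-bit block cipher with 16-bit keys. The cipher, its key schedule, and the key size are assumptions chosen so that the attack runs in well under a second in pure Python; the attack itself is the one that caps two-key double encryption at about 2^(k+1) cipher operations instead of 2^(2k).

```python
MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                 # odd, so multiplication mod 2**32 is invertible
MUL_INV = pow(MUL, -1, 1 << 32)  # its modular inverse, used for decryption
ROUNDS = 4
KEY_BITS = 16                    # tiny on purpose: 2**32 key pairs, 2**17 MITM work


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK


def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (32 - r))) & MASK


def round_key(key: int, i: int) -> int:
    # Spread the 16-bit key over 32 bits and vary it per round (assumption: an
    # ad hoc schedule, chosen only so that every key yields a distinct cipher).
    return ((key * 0x10001) ^ (i * 0x01010101)) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Toy 32-bit block cipher: xor the round key, multiply by an odd constant,
    rotate. Every step is a bijection, so the cipher is invertible."""
    x = block & MASK
    for i in range(ROUNDS):
        x ^= round_key(key, i)
        x = (x * MUL) & MASK
        x = rotl(x, 7)
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block & MASK
    for i in reversed(range(ROUNDS)):
        x = rotr(x, 7)
        x = (x * MUL_INV) & MASK
        x ^= round_key(key, i)
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Double encryption with two independent keys, the 2DES pattern."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.
    Phase 1 encrypts p0 under every k1 and stores the middle values; phase 2
    decrypts c0 under every k2 and looks each result up. A hit is a candidate
    key pair, and the remaining pairs weed out false positives. Cost is
    2 * 2**KEY_BITS cipher calls and 2**KEY_BITS table entries, not
    2**(2*KEY_BITS) as a naive search over both keys would need."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << KEY_BITS):
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2
    return None
```

With real DES the table would hold 2^56 entries, which is why the attack is a memory-for-time trade rather than a free win; the effective strength of two-key double encryption still drops from 2^112 to roughly 2^57, which is the point of the answer above. Supplying two or three known pairs is what removes the false matches that a single 32-bit middle value would leave.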

290
Q

Which of the following technologies are required to ensure
reliable and secure telecommunications networks?
a. Cryptography and trusted encryption keys
b. Advanced identification and authentication techniques and cryptography
c. Firewalls, cryptography, and trusted encryption keys
d. Cryptography, advanced identification and authentication
techniques, firewalls, and trusted encryption keys

A

D. Secure and reliable telecommunications networks must have effective ways of authenticating information and assuring its confidentiality. No single technology or technique produces the needed security and reliability. A range of technologies is required: cryptography, improved identification and authentication techniques, and firewalls, together with trusted encryption keys and the security management infrastructure needed to manage them.

291
Q

Which of the following should not be subject to review during
a periodic review of a cryptographic system?
a. Parameters
b. Operations
c. Keys
d. Controls

A

C. A cryptographic system should be monitored and periodically reviewed to ensure that it is satisfying its security objectives. All parameters associated with correct operation of the system should be reviewed, and operation of the system itself, including its controls, should be periodically tested and the results evaluated. Secret keys, and private keys in public key systems, should not be subject to review: exposing them to reviewers would itself compromise the system. Nonsecret keys, or keys generated solely for the purpose, can be used in a simulated review procedure instead. Physical protection of the cryptographic module is also required to prevent physical replacement or modification of the system.

292
Q

Which of the following threats is not addressed by digital
signatures and random number challenges?
a. Masquerade
b. Replay attacks
c. Password compromise
d. Denial-of-service

A

D. Denial-of-service (DoS) is any action or series of actions that prevents any part of a system from functioning as intended, including the unauthorized destruction, modification, or delay of service; cryptographic authentication does not stop it. Using a private key to generate digital signatures for authentication makes it computationally infeasible for an attacker to masquerade as another entity. Using random number challenges (nonces) together with digital signatures eliminates the need to transmit passwords for authentication, which removes the threat of their compromise in transit. A fresh random challenge also prevents an intruder from copying an authentication token signed by another user and replaying it later, because the replayed token answers an old challenge. A new random number challenge must therefore be generated for each authentication exchange and used only once.
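An added example (not from the deck) of the challenge-response pattern this answer describes: the verifier issues a fresh random nonce for every exchange, accepts a valid response once, and rejects both a replayed response and a response to a stale challenge. A digital signature over the nonce would let the verifier hold only the prover's public key; because the Python standard library has no signature algorithm, the response here is an HMAC under a shared secret (an assumption for this example), which gives the same replay behaviour but not nonrepudiation. Client names and keys are constructed.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, client_id: bytes, nonce: bytes) -> bytes:
    """Prover side: authenticate the verifier's challenge under the shared key.
    Binding the client id and a purpose tag into the MAC input stops a
    response for one client or protocol from being reused for another."""
    return hmac.new(key, b"challenge-response|" + client_id + b"|" + nonce,
                    hashlib.sha256).digest()


class Verifier:
    def __init__(self, shared_keys: dict):
        self.keys = dict(shared_keys)   # client_id -> shared key (constructed)
        self.pending = {}               # client_id -> outstanding nonce

    def challenge(self, client_id: bytes) -> bytes:
        """Issue a fresh 128-bit random nonce; any earlier one is superseded."""
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = nonce
        return nonce

    def verify(self, client_id: bytes, nonce: bytes, response: bytes) -> bool:
        """Accept a response at most once. The nonce is removed from the
        pending set before anything else, so a replay, or a second attempt
        after a failure, always finds no outstanding challenge."""
        expected = self.pending.pop(client_id, None)
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False
        key = self.keys.get(client_id)
        if key is None:
            return False
        return hmac.compare_digest(respond(key, client_id, nonce), response)
```

Because the challenge is consumed on the first verification attempt, an attacker who captured a valid response gains nothing by resending it, and a response computed for an earlier challenge fails against the current one. The password itself never crosses the wire; only a one-time response does.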

293
Q

Electronic signatures and handwritten signatures are useful in their own ways. Which of the following statements is not true about these two types of signatures?
a. Both signatures have the same legal status.
b. Both signatures are subject to forgery with equal difficulty.
c. Both signatures link a document with a particular person.
d. Both signatures are subject to trickery or coercion.

A

B. An electronic (digital) signature is a cryptographic mechanism that performs a function similar to a handwritten signature: it verifies the origin and contents of a message. For example, a recipient of data (such as an e-mail message) can verify who signed it and that it was not modified after signing, which also means the originator (the sender) cannot falsely deny having signed it. Electronic signatures are computationally infeasible to forge without the private key, whereas written signatures are easily forged, so the two are not subject to forgery with equal difficulty. Electronic signatures can use either secret-key or public-key cryptography, but public-key methods are generally easier to use. The other three choices are true statements. In general, electronic signatures have received the same legal status as written signatures. Cryptography provides a means of linking a document with a particular person, as a written signature does. Electronic signatures rely on the secrecy of the keys and on the binding between each key and its owner; if a key is compromised through theft, coercion, or trickery, the electronic originator of a message may not be the owner of the key. Although binding cryptographic keys to actual people is a significant problem, it does not necessarily make electronic signatures less secure than written signatures, and trickery and coercion are problems for written signatures as well.

294
Q

Which of the following security services or statements is not
true about the U.S. digital signature standard (DSS)?
a. It generates a digital signature.
b. It does not require a third-party certificate.
c. It assures nonrepudiation of a message.
d. It verifies a digital signature.

A

B. A digital signature provides two distinct services: nonrepudiation and message integrity. The digital signature standard (DSS, FIPS 186) specifies the digital signature algorithm (DSA) for use when message and data integrity are required. A DSA signature is a pair of large numbers (r, s), represented in a computer as strings of binary digits, computed using a set of rules (the DSA) and a set of public parameters such that the identity of the signatory and the integrity of the data can be verified.
The DSA provides the capability to generate and verify digital signatures. Each user holds a private and public key pair; public keys are assumed to be known to everyone, and private keys are never shared. Only the holder of the private key can generate a signature, and anyone can verify it using the signer's public key. This is how nonrepudiation of a message is achieved: the parties to an electronic communication cannot dispute having participated in it, and a recipient can prove to a third party that the data was actually signed by the holder of the private key.
The DSS can be implemented in hardware, software, and/or firmware and was subject to U.S. Commerce Department export controls. It is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and origin authentication.
A digital signature system also needs a means of associating public keys with their owners. A mutually trusted third party such as a certification authority binds a user's identity to the public key by signing credentials containing both, i.e., by issuing a certificate. Hence a third-party certificate is needed in practice, and statement b is the one that is not true.

295
Q

Pretty good privacy (PGP) and privacy enhanced mail (PEM) are electronic-mail security programs. Which of the following statements is not true about PGP and PEM?
a. They both encrypt messages.
b. They both sign messages.
c. They both have the same uses.
d. They are both based on public-key cryptography.

A

C. Both pretty good privacy (PGP) and privacy enhanced mail (PEM) encrypt and sign messages using public-key cryptography, but they rest on different trust models and so have different uses. PGP is built on a distributed web of trust among individuals, whereas PEM assumes a hierarchical certification structure; PGP suits individuals communicating over the Internet, whereas PEM was aimed at application systems inside organizations. At the time of this question PGP was a product rather than a standard and did not interoperate with PEM or other security products, although it was portable to a wide variety of hardware platforms; its message format was later standardized as OpenPGP (RFC 4880).

296
Q

It is particularly important to protect audit trail data against
modification during communication between parties. Which of the following security control techniques would protect against such modifications?
a. Strong access controls, such as passwords
b. Digital signatures
c. Logging before and after image records of modifications
d. Review of audit trail data

A

B. A digital signature is a cryptographic checksum computed as a function of a message and the signer's private key; it varies with the data, so any modification of a signed audit record invalidates the signature. The signature does not prevent deletion or modification of the audit trail, but it lets the recipient detect that the trail has been altered. Access to online audit logs should also be strictly controlled. Passwords are not strong access controls because of weaknesses such as sharing or writing them down. Logging before-and-after image records of modifications is a passive activity that records changes but does not protect against them. Reviewing audit trail data is used to reconstruct what occurred after an event, for periodic reviews, and for real-time analysis; it does not protect the data in transit.

297
Q

Cryptography is a branch of mathematics based on the
transformation of data. Which of the following is not a true
statement about cryptography used in computer security?
a. Cryptography ensures data confidentiality.
b. Cryptography ensures data integrity.
c. Cryptography ensures data availability.
d. Cryptography ensures electronic signatures.

A

C. Cryptography ("hidden writing") is an important tool for protecting information and is used in many aspects of computer security. It can provide data confidentiality, data integrity, electronic signatures, and advanced user authentication. It does not provide data availability, which is the property that a resource is accessible and usable when an authorized user needs it; if anything, a lost key makes encrypted data unavailable.

298
Q

In cryptography, the Rivest, Shamir, and Adelman (RSA)
scheme has which of the following pairs of characteristics?
1. Secret key encryption algorithm system
2. Asymmetric cipher system
3. Public key encryption algorithm system
4. Symmetric cipher system
a. 1 and 4
b. 2 and 3
c. 1 and 2
d. 3 and 4

A

B. The Rivest, Shamir, and Adleman (RSA) scheme uses a public key encryption algorithm and is an asymmetric cipher system. The data encryption standard (DES) uses a secret key encryption algorithm and is a symmetric cipher system. RSA uses two keys (a private key and a public key), whereas DES uses one shared secret key.

299
Q

What is the most common attack against cryptographic algorithms?
a. Ciphertext-only attack
b. Birthday attack
c. Chosen plain text attack
d. Adaptive chosen plain text attack

A

A. Exploiting a weakness is called an attack. In a ciphertext-only attack, an attacker has some ciphertext encrypted with an algorithm. He does not know the plain text or the key, but he knows the algorithm. His goal is to find the corresponding plain text. This is the most common attack. A birthday attack is an attack against message digest 5 (MD5), a hash function. The attack is based on probabilities where it finds two messages that hash to the same value (collision) and then exploits it to attack. The attacker is looking for “birthday” pairs of two messages with the same hash values. This attack is not feasible given today’s computer technology.
In a chosen plain text attack, the attacker knows the plain text and the corresponding ciphertext and algorithm but does not know the key. This type of attack is harder but still possible. The adaptive chosen plain text attack is a variation of the chosen plain text attack where the selection of the plain text is changed based on the previous attack results.

300
Q

A message authentication code can protect against which of the following combinations of actions?
1. Authorized, accidental data modification
2. Authorized, intentional data modification
3. Unauthorized, accidental data modification
4. Unauthorized, intentional data modification
a. 2 and 4
b. 2 and 3
c. 3 and 4
d. 1 and 4

A

C. A message authentication code, a type of cryptographic checksum, can protect against both accidental and intentional, but unauthorized, data modification. Ordinary error detecting codes such as cyclic redundancy codes are not adequate because they cannot detect intentional modification. A message authentication code is initially calculated by applying a cryptographic algorithm and a secret value, called the key, to the data. The initial code is retained. The data is later verified by applying the cryptographic algorithm and the same secret key to the data to produce another, second code; this second code is then compared to the initial code. If the two codes are equal, then the data is considered authentic. Otherwise, an unauthorized modification is assumed. Any party trying to modify the data without knowing the key would not know how to calculate the appropriate code corresponding to the altered data.

301
Q

Which of the following encryption algorithms or schemes is absolutely unbreakable?
a. Data encryption standard
b. One-time pad
c. International data encryption algorithm
d. Rivest cipher 2 and 4

A

B. One-time pad is unbreakable given infinite resources. Each random key in the one-time pad is used exactly once, for only one message, and for only a limited time period. The algorithm for a one-time pad requires the generation of many sets of matching encryption keypads. Each pad consists of a number of random key characters, not generated by a cryptographic key generator. Each key character in the pad is used to encrypt one and only one plain text character; then the key character is never used again. The number of random keypads that need to be generated must be at least equal to the volume of plain text messages to be encrypted. Due to the number of random keypads to be generated, this approach is not practical for high-speed communication systems. This is the reason the one-time pad is absolutely unbreakable. Brute force attack is possible with the data encryption standard (DES) and international data encryption algorithm (IDEA). The key length in Rivest cipher 2 and 4 (RC2 and RC4) is variable, and details of their algorithms are unknown because they are new proprietary algorithms. IDEA is a new algorithm and works as a double-DES (2DES). DES is in the public domain so that anyone can use it. IDEA is patented and requires a license for commercial use. RC2 and RC4 are unpatented but are trade secrets.

302
Q

Which of the following statements is true about one-way hash function and encryption algorithm?
a. They both convert a plain text into an unintelligible text.
b. They both can reverse from output to input.
c. They both do not destroy information.
d. They both operate on a key.

A

A. A hash function can detect modification of a message, independent of any connection with signatures. That is, it can serve as a cryptographic checksum. It is a solution to the problem of signing long messages. A one-way hash function converts an arbitrary-length message into a fixed-length hash. Like an encryption algorithm, a one-way hash function converts a plain text message into an unintelligible text. This is where the similarity stops. However, unlike an encryption algorithm, there is no way to go backward with a one-way hash function. It is impossible to reverse a one-way hash function to get the original input from the output value. An encryption algorithm does not destroy any information. A one-way hash function destroys information and does not have a key. No secrecy is involved in the one-way hash function; the security is in the lack of ability to reverse itself. This property makes it a useful way to identify a message.

303
Q

What do controls to protect against malicious changes to a message include?
a. Data checksums and cyclic redundancy code
b. Message integrity code and message authentication code
c. Message integrity code and cyclic redundancy code
d. Data checksums and message authentication code

A

B. A message integrity code uses a secret key to produce a fixed-length hash code that is sent with the message. Integrity codes are used to protect the integrity of large interbank electronic funds transfers. A message authentication code is a hashed representation of a message and is computed by the message originator as a function of the message being transmitted and the secret key. If the message authentication code computed by the recipient matches the authentication code appended to the message, the recipient is assured that the message was not modified. Both integrity codes and authentication codes are cryptographic checksums, which are stronger than non-cryptographic checksums. Cryptography can effectively detect both intentional and unintentional modification; however, cryptography does not protect files from being modified. Both secret key and public key cryptography can be used to ensure integrity. When secret key cryptography is used, a message authentication code is calculated and appended to the data. To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the authentication code. The new authentication code is compared with the original authentication code. If they are identical, the verifier has confidence that an unauthorized party has not modified the data. Data checksums are digits or bits summed according to arbitrary rules and used to verify the integrity of data. A cyclic redundancy code (CRC) uses an algorithm for generating error detection bits in a data link protocol. The receiving station performs the same calculation as done by the transmitting station. If the results differ, then one or more bits are in error. Both data checksums and CRC are not based on cryptographic checksums. Instead, they are based on algorithms.

304
Q

Which of the following statements about secret key and message digest algorithms are not true?
1. The drive for message digest algorithms starts with public key cryptography.
2. Message digest algorithms make the RSA much more useful.
3. Secret key algorithm is designed to be irreversible.
4. Message digest algorithm is designed to be reversible.
a. 1 and 2
b. 3 and 4
c. 1 and 3
d. 2 and 4

A

B. The significant difference between a secret key algorithm and a message digest algorithm is that a secret key algorithm is designed to be reversible and a message digest algorithm is designed to be impossible to reverse. It is true that the drive for a message digest algorithm started with public key cryptography. Rivest, Shamir, and Adleman (RSA) is used to perform digital signatures on messages. A cryptographically secure message digest function with high performance would make RSA much more useful. This is because a long message is compressed into a small size by first performing a message digest and then computing an RSA signature on the digest.

305
Q

When compared to the Rivest, Shamir, and Adleman (RSA) algorithm, the Digital Signature Standard (DSS) does not provide:
a. Digital signature
b. Authentication
c. Encryption
d. Data integrity

A

C. Both RSA and DSS provide digital signature, authentication, and data integrity capabilities. RSA provides encryption; DSS does not. The digital signature algorithm (DSA) is specified in the DSS. The DSS contains the DSA to create signatures as well as the secure hash algorithm (SHA) to provide data integrity. SHA is used in electronic mail and electronic funds transfer applications.

306
Q

Which of the following attacks are made on block ciphers?
a. Meet-in-the-middle attacks
b. Codebook attacks
c. Man-in-the-middle attacks
d. Bucket brigade attacks

A

A. Meet-in-the-middle (MIM) attacks occur when one end is encrypted and the other end is decrypted, and the results are matched in the middle. MIM attacks are made on block ciphers. A block cipher algorithm is (i) a symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key and (ii) a family of functions and their inverse functions that is parameterized by a cryptographic key; the functions map bit strings of a fixed length to bit strings of the same length. This means that the length of the input block is the same as the length of the output block. The other three choices are incorrect because they do not use block ciphers. Codebook attacks are a type of attack where the intruder attempts to create a codebook of all possible transformations between plaintext and ciphertext under a single key. Man-in-the-middle (MitM) attacks are a type of attack that takes advantage of the store-and-forward mechanism used by insecure networks, such as the Internet. MitM attacks are also called bucket brigade attacks.

307
Q

Which of the following statements about digital signatures is not true?
a. It enhances authentication.
b. It makes repudiation by the sender possible.
c. It prevents nonrepudiation by the receiver.
d. It makes repudiation by the sender impossible.

A

B. Digital signatures use Rivest, Shamir, and Adleman (RSA), a public-key (two-key) cryptographic algorithm. RSA enhances authentication and confidentiality due to the use of a two-key system; one key is public and the other one is private. The use of RSA in digital signatures prevents repudiation by the sender as well as by the receiver. Nonrepudiation means the sender cannot say that he never sent the message, and the receiver cannot say that he never received the message. Nonrepudiation is possible due to the use of a two-key system where the private key of the sender and the receiver is kept secret while their public key is known only to each party. Both the sender and the receiver cannot deny having participated in the message transmission.

308
Q

Which of the following statements is true? Rivest, Shamir, and Adleman (RSA) algorithm has a:
a. Slower signature generation and slower verification than DSA
b. Slower signature generation and faster verification than DSA
c. Faster signature generation and faster verification than DSA
d. Faster signature generation and slower verification than DSA

A

B. It has been tested and proven that the RSA algorithm has a slower signature generation capability and faster verification than the digital signature algorithm (DSA). On the other hand, the DSA has faster signature generation and slower verification than the RSA. RSA is much slower to compute than popular secret key algorithms like data encryption standard (DES) and international data encryption algorithm (IDEA). RSA algorithm uses a variable-length public key: a long key for enhanced security or a short key for efficiency. RSA encryption algorithm requires greater computing power (i.e., memory or disk storage space) to generate keys. The keys for RSA algorithm are large numbers generated mathematically by combining prime numbers. The algorithm is powerful and has resisted all attempts to break it to date, except for 40-bit RSA.

309
Q

Cryptography provides all the following services except:
a. Authentication
b. Confidentiality
c. Integrity
d. Availability

A

D. Availability is the property of a given resource that is usable during a given time period; it is not provided by cryptography. Data communications channels are often insecure, subjecting messages transmitted over the channels to various passive and active attacks (threats). Cryptography is the solution to counteract such threats.
Cryptography is the science of mapping readable text, called plain text, into an unreadable format, called ciphertext, and vice versa. The mapping process is a sequence of mathematical computations. The computations affect the appearance of the data, without changing its meaning.
To protect a message, an originator transforms a plain text message into ciphertext. This process is called encryption or encipherment. The ciphertext is transmitted over the data communications channel. If the message is intercepted, the intruder has access to only the unintelligible ciphertext. Upon receipt, the message recipient transforms the ciphertext into its original plain text format. This process is called decryption or decipherment. The mathematical operations used to map between plain text and ciphertext are identified by cryptographic algorithms. Cryptographic
algorithms require the text to be mapped and, at a minimum, require some value that controls the mapping process. This value is called a key. Given the same text and the same algorithm, different keys produce different mappings. Cryptographic algorithms need not be kept secret. The success of cryptography is attributed to the difficulty of inverting an algorithm. In other words, the number of mappings from which plaintext can be transformed into ciphertext is so great that it is impractical to find the correct mapping without the key. For example, the Data Encryption Standard (DES) uses a 56-bit key. A user with the correct key can easily decrypt a message, whereas a user without the key needs to attempt random keys from a set of more than 72 quadrillion possible values.
Authentication is incorrect because it is one of the services provided by cryptography. Authentication allows the recipient of a message to validate its origin. It prevents an imposter from masquerading as the sender of the message. Confidentiality is incorrect because it is one of the services provided by cryptography. Confidentiality prevents disclosure of the message to unauthorized users. Integrity is incorrect because it is one of the services provided by cryptography. Integrity assures the recipient that the message was not modified en route. Note that the integrity service allows the recipient to detect message modification but not prevent it.

310
Q

Which one of the following items is unrelated to the other three items?
a. S-box
b. P-box
c. Product ciphers
d. Sandbox

A

D. Sandbox is not related to S-box, P-box, and product ciphers. Sandbox is a system that allows an untrusted application to run in a highly controlled environment where the application’s permissions are restricted to an essential set of computer permissions. In particular, an application in a sandbox (for example, a Java applet) is usually restricted from accessing the file system or the network. The other three choices are related to each other. S-box is a nonlinear substitution table box used in several byte substitution transformations and in the key expansion routine to perform a one-for-one substitution of a byte value. This substitution, which is implemented with simple electrical circuits, is done so fast that it does not require any computation, just signal propagation. P-box is a permutation box used to effect a transposition on an 8-bit input in a product cipher. This transposition, which is implemented with simple electrical circuits, is done so fast that it does not require any computation, just signal propagation.
Product ciphers are a whole series of combinations of S-boxes and P-boxes cascaded. In each iteration or round, first there is an S-box followed by a P-box. In addition, there is one P-box at the beginning and one P-box at the end of each round. Common product ciphers operate on k-bit inputs to produce k-bit outputs.

311
Q

Which of the following key algorithms decrypt data with the same key used for encryption?
a. Symmetric key algorithm
b. Asymmetric key algorithm
c. Symmetric and public key algorithms
d. Asymmetric and secret key algorithms

A

A. Cryptography is the process of scrambling information in such a manner that it becomes unintelligible and can be unscrambled only by the intended recipient(s). In cryptographic terms, this process involves the encryption of plain text data to produce ciphertext, and the subsequent decryption of ciphertext to recover the original plain text. Encryption and decryption are therefore inverse processes.
Cryptographic processing depends on the use of keys, which are of primary importance in the security of a cryptographic system. Cryptographic keys are conceptually similar to the keys used with padlocks, in the sense that data can be locked, or encrypted, through the use of a key with a cryptographic algorithm. Symmetric key algorithms decrypt data with the same key used for encryption. Asymmetric key algorithms use a pair of keys, consisting of a public key component and a private key component, both having a specific mathematical relationship. Symmetric and asymmetric key algorithms are commonly referred to as secret key and public key algorithms, respectively. Cryptography plays a major role in information security and is a critical component of authentication technology.

312
Q

Common encryption algorithms that implement symmetric cryptography do not include which of the following?
a. Digital encryption standard (DES)
b. Triple DES (3DES)
c. Rivest, Shamir, and Adelman (RSA)
d. Advanced encryption standard (AES)

A

C. Symmetric cryptography uses the same key for both encryption and decryption, whereas asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. RSA is an example of asymmetric cryptography. DES, 3DES, and AES are examples of symmetric cryptography.

313
Q

Which of the following are examples of block cipher algorithms for encryption and decryption?
a. AES and RAS
b. TDEA and DES
c. AES and TDEA
d. MAC and HMAC

A

C. Encryption is used to provide data confidentiality. The data to be protected is called plaintext. Encryption transforms the plaintext data into ciphertext data. Ciphertext can be transformed back into plaintext using decryption. The approved algorithms for encryption and decryption include the advanced encryption standard (AES) and the triple data encryption algorithm (TDEA). Each of these algorithms operates on blocks (chunks) of data during an encryption or decryption operation. For this reason, these algorithms are commonly referred to as block cipher algorithms. RAS is remote access server, which is not a block cipher, and DES is data encryption standard, which is a block cipher. Message authentication code (MAC) is incorrect because it is not a block cipher; it provides an assurance of authenticity and integrity. HMAC is a MAC that uses a cryptographic hash function in combination with a secret key. Both MAC and HMAC are based on hash functions, which are used by (i) keyed-hash message authentication code algorithms, (ii) digital signature algorithms, (iii) key derivation functions for key agreement, and (iv) random number generators. Typically, MACs are used to detect data modifications that occur between the initial generation of the MAC and the verification of the received MAC. They do not detect errors that occur before the MAC is originally generated.

314
Q

Cross-certification is not allowed in which of the following public key infrastructure (PKI) architectures?
a. Hierarchical PKI model
b. Mesh PKI model
c. Bridge PKI model
d. Complex PKI model

A

A. There are four architectures used to link certificate authorities (CAs), including hierarchical, mesh, bridge, and complex. In a hierarchical PKI model, authorities are arranged hierarchically under a “root CA” that issues certificates to subordinate CAs. A CA delegates when it certifies a subordinate CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. Therefore, cross-certification is not allowed in the hierarchical PKI model. Mesh (network) PKI model is incorrect because trust is established between any two CAs in peer relationships (cross-certification), thus allowing the possibility of multiple trust paths between any two CAs. Independent CAs cross-certify each other, resulting in a general mesh of trust relationships between peer CAs. The bridge PKI model was designed to connect enterprise PKIs regardless of the architecture; enterprises can link their own PKIs to those of their business partners. The complex PKI model is a combination of hierarchical PKI model and mesh PKI model because they are not mutually exclusive.

315
Q

Which of the following should not be archived during the disposition phase of a system development life cycle (SDLC) because it applies to selecting cryptographic mechanisms?
a. Long-term symmetric key
b. Signing keys used by traditional certification authorities (CAs)
c. An individual’s signing keys
d. Signing keys used by non-traditional CAs

A

C. When a system is shut down or transitioned to a new system, one of the primary responsibilities is ensuring that cryptographic keys are properly destroyed or archived. Long-term symmetric keys may need to be archived to ensure that they are available in the future to decrypt data. Signing keys used by traditional and non-traditional CAs may also need to be maintained for signature verification. An individual’s signing keys should not be archived due to constant changes and employee turnover.

316
Q

Which of the following provides the level of “trust” required for the digital certificates to reliably complete a transaction?
a. Certificate policy
b. Certification practices statement
c. Identity proofing
d. Outsourcing

A

C. A level of “trust” is required for an organization to complete the digital certificate transaction reliably. This includes determining the level of identity proofing required for a subscriber to get a certificate, the strength of the key lengths and algorithms employed, and how the corresponding private key is protected. The Certificate Authority (CA) operates under a Certificate Policy (CP) and Certification Practices Statement (CPS) that collectively describe the CA’s responsibilities and duties to its customers and trading partners. Organizations can operate their own certification authority duties or outsource that function.

317
Q
A birthday attack is targeted at which of the following?
a. MD5
b. SSL
c. SLIP
d. SET

A

A. A birthday attack is against message digest 5 (MD5), a hash algorithm. The attack is based on probabilities where it finds two messages that hash to the same value and then exploits it to attack. MD5 is a message authentication method based on producing a 128-bit hash code (signature fingerprint) from a message. The other three choices are not subject to birthday attacks. SSL is secure sockets layer, SLIP is serial line interface protocol, and SET is secure electronic transaction.

318
Q

A fundamental principle for protecting cryptographic keys includes which of the following?
a. Zeroization and total knowledge
b. Split knowledge and dual control
c. Single control and formal proof
d. Zero-knowledge proof and triple control

A

B. One of the fundamental principles for protecting keys is the practice of split knowledge and dual control. These are used to protect the centrally stored secret keys and root private keys and to secure the distribution of user tokens. Zeroization is a method of erasing electronically stored data by altering the contents of the data storage so as to prevent the recovery of data. Zero-knowledge proof is where one party proves something to another without revealing any additional information. Total knowledge, single control, triple control, and formal proof are not relevant here.

319
Q

The primary goal of a public key infrastructure (PKI) is to create which of the following?
a. Closed environment
b. Trusted environment
c. Open environment
d. Bounded environment

A

B. Use of electronic processes provides benefits such as time savings, enhanced services, cost savings, and improved data quality and integrity. Public key technology can create a trusted environment that promotes the use and growth of all electronic processes, not just digital signatures.

320
Q

In a public key infrastructure (PKI), which one of the following certificate authorities (CA) is subordinate to another CA and has a CA subordinate to it?
a. Root CA
b. Superior CA
c. Intermediate CA
d. Subordinate CA

A

C. This is the definition of an intermediate CA, in that it has a superior CA and a subordinate CA. In a hierarchical PKI, the root CA’s public key serves as the most trusted datum (i.e., the beginning of trusted paths) for a security domain. A superior CA is one that has certified the certificate signature key of another CA and constrains the activities of that CA. A subordinate CA is one whose certificate signature key has been certified by another CA.

321
Q

Digital signatures are not used for which of the following?
a. Authentication
b. Availability
c. Nonrepudiation
d. Integrity

A

B. Digital signatures provide authentication, nonrepudiation, and integrity services. Availability is a system requirement intended to ensure that systems work promptly and that service is not denied to authorized users.

322
Q

What are public-key cryptographic systems known as?
a. Two-keys or asymmetric systems
b. Two-keys or symmetric systems
c. One-key or symmetric systems
d. One-key or asymmetric systems

A

A. Public-key cryptographic systems are known as two-key or asymmetric systems. Private-key cryptographic systems are known as one-key or symmetric systems.

323
Q

Cryptographic key management is a difficult problem for which of the following?
a. Symmetric-key algorithms
b. Asymmetric-key algorithms
c. Hybrid-key algorithms
d. Hash-key algorithms

A

A. In symmetric key algorithms, parties share a single, secret key. Establishing that shared key is called key management, and it is a difficult problem. In asymmetric key algorithms, there are two keys (public and private) for each party. The public and private keys are generated at the same time, and data encrypted with one key can be decrypted with the other key. Hybrid key algorithms combine the best features of public and private key systems. Hash key algorithm is a meaningless term here.

324
Q

Which of the following should be used to prevent an eavesdropping attack from remote access to firewalls?
a. File encryption
b. Bulk encryption
c. Session encryption
d. Stream encryption

A

C. Session encryption is used to encrypt data between application and end users. This provides strong authentication. File encryption protects data in storage. Bulk encryption is simultaneous encryption of all channels of a multichannel telecommunications trunk. Stream encryption encrypts and decrypts arbitrarily sized messages; it is not a strong form of authentication.

325
Q

Common encryption algorithms that implement symmetric cryptography do not include which of the following?
a. Elliptic curve DSA (ECDSA)
b. Hash message authentication code (HMAC)
c. Message digest 5 (MD5)
d. Secure hash algorithm (SHA-1)

A

A. Symmetric cryptography uses the same key for both encryption and decryption, whereas asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. ECDSA is an example of asymmetric cryptography. HMAC, MD5, and SHA-1 are examples of symmetric cryptography.

326
Q

During the operational phase of cryptography, a new key is needed to replace the old key. Which of the following is not a method to accomplish this goal?
a. Rekeying
b. Key update
c. Entity deregistration
d. Key derivation

A

C. The entity deregistration function removes the authorization of an entity to participate in a security domain. Deregistration is intended to prevent other entities from relying on or using the deregistered entity’s keying material. At the end of a key’s crypto-period, a new key needs to be available to replace the old key if operations are to be continued. This can be accomplished by rekeying, key update, or key derivation.

327
Q

Asymmetric authentication is susceptible to known attacks due to which of the following?
a. Client authenticates the gateway and then uses that channel to authenticate the client.
b. Authenticating the server to the client.
c. Authenticating the client to the server.
d. Authenticating each endpoint to the other.

A

A. Asymmetric authentication is susceptible to attacks because of the way the authentication is performed. The client authenticates the gateway and then uses that channel to authenticate the client. It is a weak form of authentication. The other three choices provide strong forms of authentication because they are a function of either transport layer security (TLS) or Internet Protocol security (IPsec).

328
Q

Zero-knowledge proof is used in which of the following applications?
a. Public-key encryption process
b. Zeroization process
c. Degaussing operation
d. Data remanence operation

A

A. Zero-knowledge proof requires that one party proves something to another without revealing any additional information. This proof has applications in public-key encryption process. Zeroization process is a method of erasing electronically stored data by altering the contents of the data storage so as to prevent the recovery of data. Degaussing operation is a process whereby the magnetic media is erased, that is, returned to its original state. Data remanence operation is the residual physical representation of data that has been in some way erased.

329
Q

Which of the following is not part of the cryptographic key management process?
a. Key layering
b. Key distribution
c. Key storage
d. Key generation

A

A. Key management provides the foundation for the secure generation, storage, distribution, and translation of cryptographic keys. Key layering is a meaningless term here.

330
Q

An original cryptographic key is split into “n” multiple key components using a split knowledge procedure. If knowledge of “k” components is required to construct the original key, knowledge of which of the following provides no information about the original key?
a. n – 1 key components
b. k – 1 key components
c. k – n key components
d. n – k key components

A

B. This is an application of the split knowledge procedure. An original cryptographic key is split into “n” multiple key components, individually providing no knowledge of the original key, which can be subsequently combined to recreate the original cryptographic key. If knowledge of “k” components is required to construct the original key, then knowledge of any k–1 key components provides no information about the original key. However, it may provide information about the length of the original key. Here, “k” is less than or equal to “n.”

331
Q

Which of the following can mitigate threats to integrity when private key cryptography is used?
a. Message authentication code
b. Message identifier
c. Message header
d. Message trailer

A

A. When private (secret) key cryptography is used, a data (message) authentication code is generated. Typically, a code is stored or transmitted with data. When data integrity is to be verified, the code is generated on the current data and compared with the previously generated code. If the two values are equal, the integrity (i.e., authenticity) of the data is verified. Message identifier is a field that may be used to identify a message, usually a sequence number. Message header and trailer contain information about the message. The other three choices do not have the code generation and verification capabilities.

332
Q

In a public key infrastructure (PKI) environment, finding which of the following is a major challenge in the public-key certificate’s path discovery?
a. Root certificate
b. Trust anchor
c. Cross certificate
d. Intermediate certificate

A

D. All certification paths begin with a trust anchor, include zero or more intermediate certificates, and end with the certificate that contains the user’s public key. This can be an iterative process, and finding the appropriate intermediate certificates is one of PKI’s challenges in path discovery, especially when there is more than one intermediary involved. A certificate authority (CA) generally issues a self-signed certificate called a root certificate or trust anchor; this is used by applications and protocols to validate the certificates issued by a CA. Note that CAs issue cross certificates that bind another issuer’s name to that issuer’s public key.

333
Q

Public-key cryptographic systems are not suitable for which of the following?
a. Link encryption
b. End-to-end encryption
c. Bulk encryption
d. Session encryption

A

C. Public-key cryptographic systems have low bandwidth and hence are not suitable for bulk encryption, where the latter requires a lot of bandwidth. The other three choices are applicable for specific needs.

334
Q

Which of the following is an example of public-key cryptographic systems?
a. MAC and DAC
b. DES and 3DES
c. RSA and IDEA
d. RSA and DSS

A

D. Public-key cryptography is particularly useful when the parties wanting to communicate cannot rely upon each other or do not share a common key (for example, Rivest-Shamir-Adleman [RSA] and digital signature standard [DSS]). Mandatory access control (MAC) and discretionary access control (DAC) are examples of access control mechanisms. Data encryption standard, DES, (56-bit key), three-key triple data encryption standard, 3DES, (168-bit key), and international data encryption algorithm, IDEA, (128-bit key) are examples of private-key cryptographic systems. IDEA is another block cipher, similar to DES, and is a replacement for or an improvement over DES. IDEA is used in pretty good privacy (PGP) for data encryption.

335
Q

Which one of the following is unlike the others?
a. Social engineering attack
b. Side-channel attack
c. Phishing attack
d. Shoulder surfing attack

A

B. Side-channel attacks result from the physical implementation of a cryptosystem through the leakage of information, for example by monitoring sound from computations to reveal cryptographic key-related information. Side-channel attacks are based on stealing valuable information, whereas the other three choices deal with deceiving people. Social engineering attacks focus on coercing people to divulge passwords and other valuable information. A phishing attack involves tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing is a digital form of social engineering that uses authentic-looking but bogus e-mails to request information from users or direct them to a fake website that requests valuable personal information. A shoulder surfing attack is similar to social engineering: the attacker uses direct observation techniques such as looking over someone’s shoulder to obtain passwords, PINs, and other valuable codes.

336
Q

A cryptographic key may pass through several states between its generation and its distribution. A cryptographic key may not enter the compromised state from which of the following states?
a. Pre-activation state
b. Destroyed state
c. Active state
d. Deactivated state

A

B. A cryptographic key may pass through several states between its generation and its destruction. Six key-states include pre-activation state, active state, deactivated state, destroyed state, compromised state, and destroyed compromised state. In general, keys are compromised when they are released to or determined by an unauthorized entity. If the integrity or secrecy of the key is suspect, the compromised key is revoked. A cryptographic key may enter the compromised state from all states except the destroyed state and destroyed compromised states. A compromised key is not used to apply cryptographic protection to information. Even though the key no longer exists in the destroyed state, certain key attributes such as key name, key type, and crypto-period may be retained, which is risky. The other three choices are not risky. In the pre-activation state, the key has been generated but is not yet authorized for use. In this state the key may be used only to perform proof-of-possession or key confirmation. In the active state, a key may be used to cryptographically protect information or to cryptographically process previously protected information (for example, decrypt ciphertext or verify a digital signature) or both. When a key is active, it may be designated to protect only, process only, or both protect and process. In the deactivated state, a key’s crypto-period has expired, but it is still needed to perform cryptographic processing until it is destroyed.

337
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. Which of the following is required to accept digital certificates from multiple vendor certification authorities?
a. The application must be PKI-enabled.
b. The application must be PKI-aware.
c. The application must use X.509 Version 3.
d. The application must use PKI-vendor plug-ins.

A

C. Using the X.509 Version 3 standard helps application programs in accepting digital certificates from multiple vendor CAs, assuming that the certificates conform to a consistent certificate profile. Application programs either have to be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of the X.509 Version 3 standard. Version 3 is more interoperable, so that an application program can accept digital certificates from multiple vendor certification authorities. The Version 3 standard for digital certificates provides specific bits that can be set in a certificate to ensure that the certificate is used only for specific services such as digital signature, authentication, and encryption.

338
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. Which of the following provides a unique user ID for a digital certificate?
a. Username
b. User organization
c. User e-mail
d. User message digest

A

D. The digital certificate contains information about the user’s identity (for example, name, organization, and e-mail), but this information may not necessarily be unique. A one-way (hash) function can be used to construct a fingerprint (message digest) unique to a given certificate using the user’s public key.

339
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. Which of the following is not included in the digital signature standard (DSS)?
a. Digital signature algorithm (DSA)
b. Data encryption standard (DES)
c. Rivest, Shamir, Adleman algorithm (RSA)
d. Elliptic curve digital signature algorithm (ECDSA)

A

B. DSA, RSA, and ECDSA are included in the DSS that specifies a digital signature used in computing and verifying digital signatures. DES is a symmetric algorithm and is not relevant here. DES is a block cipher and uses a 56-bit key.

340
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. Digital signatures are not used for which of the following?
a. Authentication
b. Availability
c. Nonrepudiation
d. Integrity

A

B. Digital signatures provide authentication, nonrepudiation, and integrity services. Availability is a system requirement intended to ensure that systems work promptly and that service is not denied to authorized users.

341
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. What keys are used to create digital signatures?
a. Public-key cryptography
b. Private-key cryptography
c. Hybrid-key cryptography
d. Primary-key cryptography

A

A. Public-key cryptography has been recommended for distribution of secret keys and in support of digital signatures. Private-key cryptography has been recommended for encryption of messages and can be used for message integrity check computations. Hybrid keys combine the best of both public and private keys. Primary keys are used in database design and are not relevant here.

342
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. Which of the following is not usually seen on a digital certificate?
a. Owner name
b. Public key
c. Effective dates for keys
d. Insurance company name

A

D. The information on the digital certificate includes the owner name, the public key, and start and end dates of its validity. The certificate should not contain any owner information that changes frequently (for example, the insurance company name).

343
Q

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools. What is the major purpose of a digital certificate?
a. To achieve availability goal
b. To maintain more information on the certificate
c. To verify the certificate authority
d. To establish user authentication

A

D. Digital certificates are used as a means of user authentication. Entities can prove their possession of the private key by digitally signing known data or by demonstrating knowledge of a secret exchanged using public-key cryptographic methods.

344
Q

Encryption using keys of 40 or fewer bits is only acceptable for use

Behind the firewall
Outside the Firewall

A

Behind the firewall

345
Q

Leading cryptographers recommend businesses use key lengths of at least
40 bits
75 bits
90 bits

A

75 bits - 90 is preferable

346
Q

The Data Encryption Standard (DES) uses
28 keys
56 keys
78 keys

A

56 keys

347
Q

The AES-128 bit key is an example of

Optional-to-implement that provides a greater security

Mandatory-to-implement encryption algorithms that do not provide adequate security.

A

Optional-to-implement that provides a greater security

348
Q

The DES algorithm, RC2, and the RSA-512 bit key are examples of

Optional-to-implement that provides a greater security

Mandatory-to-implement encryption algorithms that do not provide adequate security.

A

Mandatory-to-implement encryption algorithms that do not provide adequate security.

349
Q

This algorithm’s security is based on the difficulty of factoring large numbers into their original prime numbers.
A. ECC
B. RSA
C. DES
D. Diffie-Hellman

A

B. RSA

350
Q

This algorithm is a one-way function. It is easier to calculate the product than it is to identify the prime numbers used to generate that product.

A. ECC
B. RSA
C. DES
D. Diffie-Hellman

A

B. RSA

351
Q

Occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.

A

Confusion

352
Q

Occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

A

Diffusion

353
Q

Digital signatures cannot by themselves provide Confidentiality.

True
False

A

True

354
Q

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. This encryption uses a single key to encrypt and decrypt.
A. Symmetric
B. Asymmetric
C. Hashing

A

A. Symmetric

355
Q

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. This encryption uses two keys, one to encrypt and the other to decrypt.
A. Symmetric
B. Asymmetric
C. Hashing

A

B. Asymmetric

356
Q

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. This encryption uses a one-way cryptographic transformation using an algorithm, but no key.
A. Symmetric
B. Asymmetric
C. Hashing

A

C. Hashing

357
Q

This encryption is also called “secret key” encryption because the key must be kept secret from third parties. Strengths of this method include speed and cryptographic strength per bit of key; however, the major weakness is that the key must be securely shared before two parties may communicate securely.
A. Symmetric
B. Asymmetric
C. Hashing

A

A. Symmetric

358
Q

This mode of symmetric encryption encrypts blocks of data each round; for example, 64 bits for the Data Encryption Standard (DES) and 128 bits for AES.
A. Stream
B. Block

A

B. Block

359
Q

Some block ciphers in Symmetric encryption can emulate stream ciphers by setting the block size to 1 bit; they are still considered block ciphers.
A. True
B. False

A

A. True

360
Q

This mode in Symmetric encryption means each bit is independently encrypted in a “stream.”
A. Stream
B. Block

A

A. Stream

361
Q

Some symmetric ciphers use an initialization vector to ensure that the first encrypted block of data is random.
A. True
B. False

A

A. True

This ensures that identical plaintexts encrypt to different ciphertexts

362
Q

Restricting Bluetooth device discovery relies on the secrecy of what?
A. MAC address
B. Symmetric key
C. Private key
D. Public key

A

A. Restricting Bluetooth device discovery relies on the secrecy of the 48-bit Bluetooth MAC address. Incorrect answers and explanations: Answers B, C, and D are incorrect. While E0 is a symmetric cipher, it is not used to restrict discovery, though it is used for data encryption. Public or private keys are also not used for Bluetooth discovery.

363
Q

What are the names of the OSI model layers in order from bottom to top?
A. Physical, Data Link, Transport, Network, Session, Presentation, Application
B. Physical, Network, Data Link, Transport, Session, Presentation, Application
C. Physical, Data Link, Network, Transport, Session, Presentation, Application
D. Physical, Data Link, Network, Transport, Presentation, Session, Application

A

C. The OSI model layers from bottom to top are: Physical, Data Link, Network, Transport, Session, Presentation, and Application. Remember “Please Do Not Throw Sausage Pizza Away” as a useful mnemonic to remember this.

364
Q

What is the most secure type of EAP?
A. EAP-TLS
B. EAP-TTLS
C. LEAP
D. PEAP

A

A. EAP-TLS is the most secure (and costly) form of EAP because it requires both server and client-side certificates. Incorrect answers and explanations: Answers B, C, and D are incorrect. EAP TTLS and PEAP are similar and don’t require client-side certificates. LEAP is a Cisco-proprietary protocol that does not require client-side certificates; it also has fundamental security weaknesses.

365
Q

What is the most secure type of firewall?
A. Packet filter
B. Stateful firewall
C. Circuit-level proxy firewall
D. Application-layer proxy firewall

A

D. Application-layer firewalls are the most secure, as they have the ability to filter based on OSI Layers 3–7. Incorrect answers and explanations: Answers A, B, and C are incorrect. All are firewalls. A packet filter is the least secure of the four, due to the lack of state. A stateful firewall is more secure than a packet filter, but its decisions are limited to Layers 3 and 4. Circuit-level proxy firewalls operate at Layer 5 and cannot filter based on application-layer data.

366
Q

Accessing an IPv6 network via an IPv4 network is called what?
A. CIDR
B. NAT
C. Translation
D. Tunneling

A

D. Accessing an IPv6 network via an IPv4 network is called tunneling. Incorrect answers and explanations: Answers A, B, and C are incorrect. CIDR is Classless Inter-Domain Routing, a way to create flexible subnets. NAT is network address translation, which translates one IP address for another. Translation is a distractor answer.

367
Q

Dorothy is using a network sniffer to evaluate network connections. She focuses on the initialization of a TCP session. What is the first phase of the TCP three-way handshake sequence?
A. SYN flagged packet
B. ACK flagged packet
C. FIN flagged packet
D. SYN/ACK flagged packet

A

A. The SYN flagged packet is first sent from the initiating host to the destination host; thus it is the first step or phase in the TCP three-way handshake sequence used to establish a TCP session. The destination host then responds with a SYN/ACK flagged packet; this is the second step or phase of the TCP three-way handshake sequence. The initiating host sends an ACK flagged packet, and the connection is then established (the final or third step or phase). The FIN flag is used to gracefully shut down an established session.

368
Q

UDP is a connectionless protocol that operates at the Transport layer of the OSI model and uses ports to manage simultaneous connections. Which of the following terms is also related to UDP?
A. Bits
B. Logical addressing
C. Data reformatting
D. Simplex

A

D. UDP is a simplex protocol at the Transport layer (layer 4 of the OSI model). Bits is associated with the Physical layer (layer 1). Logical addressing is associated with the Network layer (layer 3). Data reformatting is associated with the Presentation layer (layer 6).

369
Q

Which of the following is a means for IPv6 and IPv4 to be able to coexist on the same network? (Choose all that apply.)
A. Dual stack
B. Tunneling
C. IPsec
D. NAT-PT
E. IP sideloading

A

A, B, D. The means by which IPv6 and IPv4 can coexist on the same network is to use one or more of three primary options: dual stack, tunneling, or NAT-PT. Dual stack is to have most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC 2766) can be used to convert between IPv4 and IPv6 network segments similar to how NAT converts between internal and external addresses. IPsec is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6, but it does not enable the use of both IPv4 and IPv6 on the same system (although it doesn’t prevent it either). IP sideloading is not a real concept.

370
Q

Security configuration guidelines issued by your CISO require that all HTTP communications be secure when communicating with internal web services. Which of the following is true in regard to using TLS? (Choose all that apply.)
A. Allows for use of TCP port 443
B. Prevents tampering, spoofing, and eavesdropping
C. Requires two-way authentication
D. Is backward compatible with SSL sessions
E. Can be used as a VPN solution

A

A, B, E. TLS allows for use of TCP port 443; prevents tampering, spoofing, and eavesdropping; and can be used as a VPN solution. The other answers are incorrect. TLS supports both one-way and two-way authentication. TLS and SSL are not interoperable or backward compatible.

371
Q

Your network supports TCP/IP. TCP/IP is a multilayer protocol. It is primarily based on IPv4, but the organization is planning on deploying IPv6 within the next year. What is both a benefit and a potentially harmful implication of multilayer protocols?
A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing

A

B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. Encapsulation allows for encryption, flexibility, and resiliency, while also enabling covert channels, filter bypass, and overstepping network segmentation boundaries. Throughput is the capability of moving data across or through a network; this is not an implication of multilayer protocols. Hash integrity checking is a common benefit of multilayer protocols because most layers include a hash function in their header or footer. Logical addressing is a benefit of multilayer protocols; this avoids the restriction of using only physical addressing.

372
Q

A new VoIP system is being deployed at a government contractor organization. They require high availability of five nines of uptime for the voice communication system. They are also concerned about introducing new vulnerabilities into their existing data network structure.
The IT infrastructure is based on fiber optics and supports over 1 Gbps to each device; the network often reaches near full saturation on a regular basis. What option will provide the best outcome of performance, availability, and security for the VoIP service?
A. Create a new VLAN on the existing IT network for the VoIP service.
B. Replace the current switches with routers and increase the interface speed to 1,000 Mbps.
C. Implement a new, separate network for the VoIP system.
D. Deploy flood guard protections on the IT network.

A

C. In this scenario, the only viable option to provide performance, availability, and security for the VoIP service is to implement a new, separate network for the VoIP system that is independent of the existing data network. The current data network is already at capacity, so creating a new VLAN will not provide sufficient insurance that the VoIP service will be highly available. Replacing switches with routers is usually not a valid strategy for increasing network capacity, and 1,000 Mbps is the same as 1 Gbps. Flood guards are useful against DoS and some transmission errors (such as Ethernet floods or broadcast storms), but they do not add more capacity to a network or provide reliable uptime for a VoIP service.

373
Q

Micro segmentation is dividing up an internal network into numerous subzones, potentially as small as a single device, such as a high-value server or even a client or endpoint device. Which of the following is true in regard to micro segmentation? (Choose all that apply.)
A. It is the assignment of the cores of a CPU to perform different tasks.
B. It can be implemented using ISFWs.
C. Transactions between zones are filtered.
D. It supports edge and fog computing management.
E. It can be implemented with virtual systems and virtual networks.

A

B, C, E. Micro segmentation can be implemented using internal segmentation firewalls (ISFWs), transactions between zones are filtered, and it can be implemented with virtual systems and virtual networks. Affinity or preference is the assignment of the cores of a CPU to perform different tasks. Micro segmentation is not related to edge and fog computing management.

374
Q

A new startup company is designing a sensor that needs to connect wirelessly to a PC or IoT hub in order to transmit its gathered data to a local application or cloud service for data analysis. The company wants to ensure that all transferred data from the device cannot be disclosed to unauthorized entities. The device is also intended to be located within 1 meter of the PC or IoT hub it communicates with. Which of the following concepts is the best choice for this device?
A. Zigbee
B. Bluetooth
C. FCoE
D. 5G

A

A. The device in this scenario would benefit from the use of Zigbee. Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption and a low throughput rate, and it requires close proximity of devices. Zigbee communications are encrypted using a 128-bit symmetric algorithm. Bluetooth is not a good option since it is usually plaintext. Bluetooth Low Energy (BLE) might be a viable option if custom encryption was added. Fiber Channel over Ethernet (FCoE) is not a wireless technology or an IoT technology—it is a high-speed fiber optic–based storage technology. 5G is the latest mobile service technology that is available for use on mobile phones, tablets, and other equipment. Though many IoT devices may support and use 5G, it is mostly used to provide direct access to the internet rather than as a link to a local short-distance device, such as a PC or IoT hub.

375
Q

James has been hired to be a traveling repair technician. He will be visiting customers all over the country in order to provide support services. He has been issued a portable workstation with 4G and 5G data service. What are some concerns when using this capability? (Choose all that apply.)
A. Eavesdropping
B. Rogue towers
C. Data speed limitations
D. Reliability of establishing a connection
E. Compatibility with cloud services
F. Unable to perform duplex communications

A

A, B, D. Cellular services, such as 4G and 5G, raise numerous security and operational concerns. Although cellular service is encrypted from device to tower, there is a risk of being fooled by a false or rogue tower. A rogue tower could offer only plaintext connections, but even if it supported encrypted transactions, the encryption only applies to the radio transmissions between the device and the tower. Once the communication is on the tower, it will be decrypted, allowing for eavesdropping and content manipulation. Even without a rogue tower, eavesdropping can occur across the cellular carrier’s interior network as well as across the internet, unless a VPN link is established between the remote mobile device and the network of the organization James works for. Being able to establish a connection can be unreliable depending on exactly where James’s travel takes him. 3G, 4G, and 5G coverage is not 100 percent available everywhere. 5G coverage is the most limited since it is the latest technology and still not universally deployed, and each 5G tower covers less area than a 4G tower. If James is able to establish a connection, 4G and 5G speeds should be sufficient for most remote technician activities, since 4G supports 100 Mbps for mobile devices and 5G supports up to 10 Gbps. If connectivity is established, there should be no issues with cloud interaction or duplex conversations.

376
Q

A new startup company needs to optimize delivery of high-definition media content to its customers. They are planning the deployment of resource service hosts in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. What technology is likely being implemented?
A. VPN
B. CDN
C. SDN
D. CCMP

A

B. A content distribution network (CDN), or content delivery network, is a collection of resource service hosts deployed in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. VPNs are used to transport communications over an intermediary medium through the means of encapsulation (i.e., tunneling), authentication, and encryption. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Counter-Mode/CBC-MAC Protocol) is the combination of two block cipher modes to enable streaming by a block algorithm.

377
Q

Which of the following is a true statement about ARP poisoning or MAC spoofing?
A. MAC spoofing is used to overload the memory of a switch.
B. ARP poisoning is used to falsify the physical address of a system to impersonate that of another authorized device.
C. MAC spoofing relies on ICMP communications to traverse routers.
D. ARP poisoning can use unsolicited or gratuitous replies.

A

D. The true statement is: ARP poisoning can use unsolicited or gratuitous replies—specifically, ARP replies for which the local device did not transmit an ARP broadcast request. Many systems accept all ARP replies regardless of who requested them. The other statements are false. The correct versions of those statements would be: (A) MAC flooding is used to overload the memory of a switch, specifically the CAM table stored in switch memory; once bogus entries fill the table, the switch functions only in flooding mode. (B) MAC spoofing is used to falsify the physical address of a system to impersonate that of another authorized device. ARP poisoning associates an IP address with the wrong MAC address. (C) MAC spoofing relies on plaintext Ethernet headers to initially gather valid MAC addresses of legitimate network devices. ICMP crosses routers because it is carried as the payload of an IP packet.

378
Q

An organization stores group project data files on a central SAN. Many projects have numerous files in common but are organized into separate project containers. A member of the incident response team is attempting to recover files from the SAN after a malware infection. However, many files are unable to be recovered. What is the most likely cause of this issue?
A. Using Fibre Channel
B. Performing real-time backups
C. Using file encryption
D. Deduplication

A

D. The most likely cause of the inability to recover files from the SAN in this scenario is deduplication. Deduplication replaces multiple copies of a file with a pointer to one copy. If the one remaining file is damaged, then all of the linked copies are damaged or inaccessible as well. File encryption could be an issue, but the scenario mentions that groups of people work on projects and typically file encryption is employed by individuals, not by groups. Whole drive encryption would be more appropriate for group-accessed files as well as for a SAN in general. This issue is not related to what SAN technology is used, such as Fibre Channel. This problem might be solvable by restoring files from a backup, whether real-time or not, but the loss of files is not caused by performing backups.

379
Q

Jim was tricked into clicking on a malicious link contained in a spam email message. This caused malware to be installed on his system. The malware initiated a MAC flooding attack. Soon, Jim’s system and everyone else’s in the same local network began to receive all transmissions from all other members of the network as well as communications from other parts of the next-to-local members. The malware took advantage of what condition in the network?
A. Social engineering
B. Network segmentation
C. ARP queries
D. Weak switch configuration

A

D. In this scenario, the malware is performing a MAC flooding attack, which causes the switch to get stuck in flooding mode. This has taken advantage of the condition that the switch had weak configuration settings. The switch should have MAC limiting enabled in order to prevent MAC flooding attacks from being successful. Although Jim was initially fooled by a social engineering email, the question asked about the malware’s activity. A MAC flooding attack is limited by network segmentation to the local switch, but the malware took advantage of weak or poor configuration on the switch and was still successful. MAC flooding is blocked by routers from crossing between switched network segments. The malware did not use ARP queries in its attack. ARP queries can be abused in an ARP poisoning attack, but that was not described in this scenario.

380
Q

A ______________ is an intelligent hub because it knows the hardware addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist.
A. Repeater
B. Switch
C. Bridge
D. Router

A

B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port. Repeaters are used to strengthen the communication signal over a cable segment as well as connect network segments that use the same protocol. A bridge is used to connect two networks together—even networks of different topologies, cabling types, and speeds—in order to connect network segments that use the same protocol. Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. Routers manage traffic based on logical IP addressing.

381
Q

What type of security zone can be positioned so that it operates as a buffer between the secured private network and the internet and can host publicly accessible services?
A. Honeypot
B. Screened subnet
C. Extranet
D. Intranet

A

B. A screened subnet is a type of security zone that can be positioned so that it operates as a buffer network between the secured private network and the internet and can host publicly accessible services. A honeypot is a false network used to trap intruders; it isn’t used to host public services. An extranet is for limited outside partner access, not public. An intranet is the private secured network.

382
Q

An organization wants to use a wireless network internally, but they do not want any possibility of external access or detection. What security tool should be used?
A. Air gap
B. Faraday cage
C. Biometric authentication
D. Screen filters

A

B. A Faraday cage is an enclosure that blocks or absorbs electromagnetic fields or signals. Faraday cage containers, computer cases, rack-mount systems, rooms, or even building materials are used to create a blockage against the transmission of data, information, metadata, or other emanations from computers and other electronics. Devices inside a Faraday cage can use EM fields for communications, such as wireless or Bluetooth, but devices outside of the cage will not be able to eavesdrop on the signals of the systems within the cage. Air gaps do not contain or restrict wireless communications—in fact, for an air gap to be effective, wireless cannot even be available. Biometric authentication has nothing to do with controlling radio signals. Screen filters reduce shoulder surfing but do not address radio signals.

383
Q

Neo is the security manager for the southern division of the company. He thinks that deploying a NAC will assist in improving network security. However, he needs to convince the CISO of this at a presentation next week. Which of the following are goals of NAC that Neo should highlight? (Choose all that apply.)
A. Reduce social engineering threats
B. Detect rogue devices
C. Map internal private addresses to external public addresses
D. Distribute IP address configurations
E. Reduce zero-day attacks
F. Confirm compliance with updates and security settings

A

B, E, F. Network access control (NAC) involves controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to detect/block rogue devices, prevent or reduce zero-day attacks, confirm compliance with updates and security settings, enforce security policy throughout the network, and use identities to perform access control. NAC does not address social engineering, mapping IP addresses, or distributing IP addresses—those are handled by training, NAT, and DHCP, respectively.

384
Q

The CISO wants to improve the organization’s ability to manage and prevent malware infections. Some of her goals are to (1) detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users, (2) collect event information and report it to a central ML analysis engine, and (3) detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs. The solution needs to be able to reduce response and remediation time, reduce false positives, and manage multiple threats simultaneously. What solution is the CISO wanting to implement?
A. EDR
B. NGFW
C. WAF
D. XSR

A

A. Endpoint detection and response (EDR) is a security mechanism that is an evolution of traditional antimalware products. EDR seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users. It is a natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface. Some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution. The goal of EDR is to detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors. A next-generation firewall (NGFW) is a unified threat management (UTM) device that is based on a traditional firewall with numerous other integrated network and security services and is thus not the security solution needed in this scenario. A web application firewall (WAF) is an appliance, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and is not the security solution needed in this scenario. Cross-site request forgery (XSRF) is an attack against web-based services, not a malware defense.

385
Q

A(n) _________________ firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software.
A. Application-level
B. Stateful inspection
C. Circuit-level
D. Static packet filtering

A

A. An application-level firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software. Stateful inspection firewalls make access control decisions based on the content and context of communications, but are not typically limited to a single application-layer protocol. Circuit-level firewalls are able to make permit and deny decisions in regard to circuit establishment either based on simple rules for IP and port, using captive portals, requiring port authentication via 802.1X, or more complex elements such as context- or attribute-based access control. Static packet-filtering firewalls filter traffic by examining data from a message header. Usually, the rules are concerned with source and destination IP address (layer 3) and port numbers (layer 4).

386
Q

Which of the following is true regarding appliance firewalls? (Choose all that apply.)
A. They are able to log traffic information.
B. They are able to block new phishing scams.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks.

A

A, C, D. Most appliance (i.e., hardware) firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms/alerts and even basic IDS functions. It is also true that firewalls are unable to prevent internal attacks that do not cross the firewall. Firewalls are unable to block new phishing scams. Firewalls could block a phishing scam’s URL if it was already on a block list, but a new scam likely uses a new URL that is not yet known to be malicious.

387
Q

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
A. LCL and MAC; IEEE 802.2 and 802.3
B. LCL and MAC; IEEE 802.1 and 802.3
C. Network and MAC; IEEE 802.1 and 802.3
D. LLC and MAC; IEEE 802.2 and 802.3

A

D. LLC and MAC; IEEE 802.2 and 802.3

388
Q

Which of the following is not an effective countermeasure against spam?
A. Open mail relay servers
B. Properly configured mail relay servers
C. Filtering on an e-mail gateway
D. Filtering on the client

A

A. Open mail relay servers

389
Q

Robert is responsible for implementing a common architecture used when customers need to access confidential information through Internet connections. Which of the following best describes this type of architecture?
A. Two-tiered model
B. Screened subnet
C. Three-tiered model
D. Public and private DNS zones

A

C. Three-tiered model

390
Q

Which of the following indicates to a packet where to go and how to communicate with the right service or protocol on the destination computer?
A. Socket
B. IP address
C. Port
D. Frame

A

A. Socket

391
Q

Several different tunneling protocols can be used in dial-up situations. Which of the following would be best to use as a VPN tunneling solution?
A. L2P
B. PPTP
C. IPSec
D. L2TP

A

B. PPTP

392
Q

Which of the following correctly describes Bluejacking?
A. Bluejacking is a harmful, malicious attack.
B. It is the process of taking over another portable device via a Bluetooth-enabled device.
C. It is commonly used to send contact information.
D. The term was coined by the use of a Bluetooth device and the act of hijacking another device.

A

C. It is commonly used to send contact information.

393
Q

DNS is a popular target for attackers due to its strategic role on the Internet. What type of attack uses recursive queries to poison the cache of a DNS server?
A. DNS spoofing
B. Manipulation of the hosts file
C. Social engineering
D. Domain litigation

A

A. DNS spoofing

394
Q

IP telephony networks require the same security measures as those implemented on an IP data network. Which of the following is unique to IP telephony?
A. Limiting IP sessions going through media gateways
B. Identification of rogue devices
C. Implementation of authentication
D. Encryption of packets containing sensitive information

A

A. Limiting IP sessions going through media gateways

395
Q

Cross-site scripting (XSS) is an application security vulnerability usually found in web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information?
A. Persistent XSS vulnerability
B. Non persistent XSS vulnerability
C. Second-order vulnerability
D. DOM-based vulnerability

A

B. Non persistent XSS vulnerability

396
Q

Angela wants to group together computers by department to make it easier for them to share network resources. Which of the following will allow her to group computers logically?
A. VLAN
B. Open network architecture
C. Intranet
D. VAN

A

A. VLAN

397
Q

Which of the following incorrectly describes how routing commonly takes place on the Internet?
A. EGP is used in the areas “between” each AS.
B. Regions of nodes that share characteristics and behaviors are called ASs.
C. CAs are specific nodes that are responsible for routing to nodes outside of their region.
D. Each AS uses IGP to perform routing functionality.

A

C. CAs are specific nodes that are responsible for routing to nodes outside of their region.

398
Q

Both de facto and proprietary interior protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination?
A. IGRP
B. RIP
C. BGP
D. OSPF

A

A. IGRP

399
Q

Which of the following does not describe IP telephony security?
A. VoIP networks should be protected with the same security controls used on a data network.
B. Softphones are more secure than IP phones.
C. As endpoints, IP phones can become the target of attacks.
D. The current Internet architecture over which voice is transmitted is less secure than physical phone lines.

A

B. Softphones are more secure than IP phones.

400
Q

When an organization splits naming zones, the names of its hosts that are only accessible from an intranet are hidden from the Internet. Which of the following best describes why this is done?
A. To prevent attackers from accessing servers
B. To prevent the manipulation of the hosts file
C. To avoid providing attackers with valuable information that can be used to prepare an attack
D. To avoid providing attackers with information needed for cybersquatting

A

C. To avoid providing attackers with valuable information that can be used to prepare an attack

401
Q

Which of the following best describes why e-mail spoofing is easily executed?
A. SMTP lacks an adequate authentication mechanism.
B. Administrators often forget to configure an SMTP server to prevent inbound SMTP connections for domains it doesn’t serve.
C. Keyword filtering is technically obsolete.
D. Blacklists are undependable.

A

A. SMTP lacks an adequate authentication mechanism.

402
Q

Which of the following is not a benefit of VoIP?
A. Cost
B. Convergence
C. Flexibility
D. Security

A

D. Security

404
Q

Today, satellites are used to provide wireless connectivity between different locations. What two prerequisites are needed for two different locations to communicate via satellite links?
A. They must be connected via a phone line and have access to a modem.
B. They must be within the satellite’s line of sight and footprint.
C. They must have broadband and a satellite in low Earth orbit.
D. They must have a transponder and be within the satellite’s footprint.

A

B. They must be within the satellite’s line of sight and footprint.

405
Q

Brad is a security manager at Thingamabobs Inc. He is preparing a presentation for his company’s executives on the risks of using instant messaging (IM) and his reasons for wanting to prohibit its use on the company network. Which of the following should not be included in his presentation?
A. Sensitive data and files can be transferred from system to system over IM.
B. Users can receive information—including malware—from an attacker posing as a legitimate sender.
C. IM use can be stopped by simply blocking specific ports on the network firewalls.
D. A security policy is needed specifying IM usage restrictions.

A

C. IM use can be stopped by simply blocking specific ports on the network firewalls.

406
Q

Hanna is a new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network, which were used to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed access to the company network. Which of the following IEEE standards was developed for this type of protection?
A. IEEE 802.1AR
B. IEEE 802.1AE
C. IEEE 802.1AF
D. IEEE 802.1XR

A

A. IEEE 802.1AR

407
Q

There are common cloud computing service models. _______________ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. _________________ is the software environment that runs on top of the infrastructure. In the __________ model the provider commonly gives the customers network-based access to a single copy of an application.
A. Platform as a Service, Infrastructure as a Service, Software as a Service
B. Platform as a Service, Platform as Software, Application as a Service
C. Infrastructure as a Service, Application as a Service, Software as a Service
D. Infrastructure as a Service, Platform as Software, Software as a Service

A

D. Infrastructure as a Service, Platform as Software, Software as a Service

408
Q

____________ is a set of extensions to DNS that provides to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.
A. Resource records
B. Zone transfer
C. DNSSEC
D. Resource transfer

A

C. DNSSEC

409
Q

Which of the following best describes the difference between a virtual firewall that works in bridge mode versus one that is embedded into a hypervisor?
A. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system.
B. Bridge-mode virtual firewall allows the firewall to monitor individual network links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.
C. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.
D. Bridge-mode virtual firewall allows the firewall to monitor individual guest systems, and hypervisor integration allows the firewall to monitor all activities taking place within a network system.

A

A. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system.

410
Q

Who creates and publishes the OSI model from the following organizations?
A. IEEE
B. ISO
C. IANA
D. IETF

A

Answer: B. ISO
Explanation: The OSI model was developed by the International Organization for Standardization (ISO). The IEEE, IANA, and IETF are also involved in networking standards, but the OSI model is attributed explicitly to ISO.

411
Q

Which device listed as follows does not function at the Data Link or Layer 2?
A. Hub
B. Switch
C. Wireless access point
D. Bridge

A

Answer: A. Hub
Explanation: A hub operates at the OSI model’s Physical Layer (Layer 1), simply forwarding incoming signals to all other ports without any filtering or decision-making process. In contrast, a switch, wireless access point (WAP), and bridge all have functionalities at the Data Link Layer (Layer 2). A switch uses MAC addresses to determine the destination port for each incoming frame, a WAP allows Wi-Fi devices to connect to a wired network and can use MAC addresses for some decision-making processes, and a bridge is used to divide a network into segments, filtering traffic between them using MAC addresses. Therefore, the correct answer is A. Hub, as it is the only device not operating at the Data Link Layer.

412
Q

Which protocols work at the Transport Layer, or Layer 4, and offer a best-effort, connectionless method for delivering segments?
A. ARP
B. IGMP
C. TCP
D. UDP

A

Answer: D. UDP
Explanation: The User Datagram Protocol (UDP) operates at the Transport Layer and is known for its best-effort, connectionless delivery. Unlike TCP, it does not provide error checking or guaranteed delivery, making it faster but less reliable. ARP and IGMP do not operate at this layer.

413
Q

What is the term for the data and header information processed at the Network Layer, or Layer 3, of the OSI model?
A. Packet
B. Data stream
C. Frame
D. Segment

A

Answer: A. Packet
Explanation: At Layer 3 of the OSI model, information is processed into units known as packets. This layer is responsible for logical addressing, routing, and path determination. The terms frame and segment refer to Layer 2 and 4 units, respectively, while “data stream” doesn’t specifically refer to a Layer 3 structure.

414
Q

Which of the following sequences accurately represents the order of the OSI model layers when processing incoming data from the network media?
A. Application, Presentation, Session, Transport, Network, Data Link, Physical
B. Physical, Transport, Network, Data Link, Presentation, Session, Application
C. Application, Session, Presentation, Transport, Network, Data Link, Physical
D. Physical, Data Link, Network, Transport, Session, Presentation, Application

A

Answer: D. Physical, Data Link, Network, Transport, Session, Presentation, Application
Explanation: When processing inbound data from the network, the OSI model layers are traversed from the Physical Layer (Layer 1) to the Application Layer (Layer 7). Option D correctly lists the layers in this order.

415
Q

Which of the following media types offers the highest protection against the detection of emanations?
A. Coax
B. Shielded twisted pair
C. Unshielded twisted pair
D. Fiber optic

A

Answer: D. Fiber optic
Explanation: Fiber-optic cables use light signals to transmit data, making them less susceptible to electromagnetic interference (emanation detection). Therefore, fiber-optic cables provide the best protection against this type of detection compared to other listed media types.

416
Q

Which of the following media access control methods is based on contention?
A. Token-passing bus
B. Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
C. Token-passing ring
D. Polling

A

Answer: B. Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
Explanation: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is based on contention among the media access control methods listed. In this method, devices listen to the network and transmit when they believe the channel is free. If a collision is detected, they stop and wait for a random time before trying again. This contrasts with other methods, such as the token-passing bus and token-passing ring, where devices must wait for a token to transmit data, ensuring orderly access, and polling, where a master device controls access without contention.

417
Q

What filter is used in firewalls to block packets leaving a private network using a public source IP address?
A. Ingress filter
B. Content filter
C. Egress filter
D. Stateful filter

A

Answer: C. Egress filter
Explanation: An egress filter controls traffic flow as it leaves a network, blocking traffic that should not be exiting the network, such as packets with a public source IP address from a private network.

418
Q

How is a bastion host best described?
A. A system that has been hardened against attack
B. A system that uses a default deny rule
C. A system that performs FQDN-to-IP-address resolution
D. A system that replaces private IP addresses with public IP addresses as the packet exits the private network

A

Answer: A. A system that has been hardened against attack
Explanation: A bastion host is best described as a system hardened against attack (option A). It is a special-purpose computer on a network specifically designed and configured to withstand attacks, serving as a critical part of a network’s security system. While other options may describe various network functions, such as a default deny rule (option B), FQDN-to-IP-address resolution (option C, typically a DNS server), or replacing private IP addresses with public ones as the packet exits the private network (option D, describing Network Address Translation), they do not define the primary function of a bastion host.

419
Q

Which protocol places a tag in front of the Layer 2 header of a frame to help its transmission through the protocol-compliant cloud?
A. Multiprotocol Label Switching (MPLS)
B. Network Address Translation (NAT)
C. Open Shortest Path First (OSPF)
D. Dynamic Host Configuration Protocol (DHCP)

A

Answer: A. Multiprotocol Label Switching (MPLS)
Explanation: Multiprotocol Label Switching (MPLS) is a protocol that uses labels to route packets quickly through a network. These labels are inserted before the Layer 2 header, allowing routers to forward the packets based on the labels without looking at the packet’s actual content.

420
Q

Which of the following options enables systems to utilize various existing and future mechanisms for authenticating user identities?
A. Zero-knowledge proof
B. Extensible Authentication Protocol (EAP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Synchronous Optical Network (SONET)

A

Answer: B. Extensible Authentication Protocol (EAP)
Explanation: Extensible Authentication Protocol (EAP) is a framework frequently used in network security and authentication. It supports multiple authentication methods, including token cards, smart cards, and public key authentication. It can also be extended to support new authentication mechanisms as they are developed, making it a fitting choice for the question.

421
Q

Which IEEE specification refers to a wireless access
point employing multiple transmitters, receivers, and antenna?
A. 802.11h
B. 802.11j
C. 802.11b
D. 802.11n

A

Answer: D. 802.11n
Explanation: The IEEE 802.11n specification is
designed to support multiple-input and multiple-output
(MIMO) technology, which uses several
transmitters and receivers to send and receive more
data simultaneously. This technology increases the
performance and range of wireless connections.

422
Q

Which attack from the following options utilizes a
collection of compromised computers, known as
zombies?
A. Ping of death
B. DDoS attack
C. LAND attack
D. SYN flood

A

Answer: B. DDoS attack
Explanation: A distributed denial-of-service
(DDoS) attack involves an “army” of compromised
computers, often called zombies or bots, which an
attacker controls. These computers flood a target
system with traffic, rendering it inaccessible. Other
options listed do not typically involve using multiple
compromised computers in the same way as a DDoS
attack.

423
Q

On which layer of the OSI reference model is
Ethernet (IEEE 802.3) positioned?
A. Layer 1 – Physical Layer
B. Layer 2 – Data Link Layer
C. Layer 3 – Network Layer
D. Layer 4 – Transport Layer

A

Answer: B. Layer 2 – Data Link Layer
Explanation: Ethernet (IEEE 802.3) operates at
the OSI model’s Data Link Layer (Layer 2). It is
responsible for the framing, addressing, and error
detection of data packets.

424
Q

What would be considered the BEST proactive
network defense strategy?

A. Redundant firewalls
B. Business continuity planning
C. Disallowing P2P traffic
D. Perimeter surveillance and intelligence gathering

A

Answer: D. Perimeter surveillance and intelligence
gathering
Explanation: Among the options provided, the
BEST proactive network defense strategy would be
D. Perimeter surveillance and intelligence gathering.
While redundant firewalls (option A) increase
resilience, business continuity planning (option B) is
more reactive, and disallowing P2P traffic (option C)
is a specific measure not applicable to all
organizations, perimeter surveillance and
intelligence gathering (option D) represents a
comprehensive and proactive approach. By
monitoring the perimeter and gathering intelligence
on potential threats, an organization can identify and
mitigate risks before they materialize, making this
strategy the most holistic and effective choice for
proactive defense.

425
Q

In which scenario is the network not the direct target of the attack?
A. A denial-of-service attack on servers on a network
B. Hacking into a router
C. A virus outbreak saturating network capacity
D. A man-in-the-middle attack

A

Answer: D. A man-in-the-middle attack
Explanation: A man-in-the-middle (MITM) attack
primarily targets the communication between two
parties rather than the network itself. The attacker
intercepts, alters, or relays messages between two
parties without them knowing that they are being
manipulated.

426
Q

What is the MOST effective countermeasure against a distributed denial-of-service (DDoS) attack?

A. Secret fully qualified domain names (FQDNs)
B. Redundant network layout
C. Traffic filtering
D. Network Address Translation (NAT)

A

Answer: C. Traffic filtering

Explanation: Among the options provided, the MOST effective countermeasure against a distributed denial-of-service (DDoS) attack is C. Traffic filtering. While keeping fully qualified domain names (FQDNs) secret (option A) may obscure targets, and a redundant network layout (option B) can increase resilience, neither approach directly addresses the nature of DDoS
attacks. Traffic filtering (option C), on the other hand, involves analyzing incoming traffic and filtering out malicious or unwanted requests. By identifying
and blocking the traffic associated with a DDoS attack, this method can prevent the attack from reaching its target, thereby maintaining the availability of the service and making it the most effective choice for mitigating such attacks.

427
Q

Where is the optimal location for network-based intrusion detection systems (NIDS)?

A. On the network perimeter, to alert the network
administrator of all suspicious traffic
B. On network segments with business-critical systems
C. At the network operations center (NOC)
D. At an external service provider

A

Answer: A. On the network perimeter, to alert the network administrator of all suspicious traffic

Explanation: Placing NIDS on the network
perimeter allows for early detection of suspicious
activity and attacks, providing a critical line of
defense.

428
Q

Which combination of endpoint devices would MOST likely be included in a converged IP network?

A. File server, IP phone, security camera
B. IP phone, thermostat, cypher lock
C. Security camera, cypher lock, IP phone
D. Thermostat, file server, cypher lock

A

Answer: A. File server, IP phone, security camera

Explanation: A converged IP network integrates
various services such as voice, video, and data.
Devices like IP phones, security cameras, and file
servers are common in these environments.

429
Q

What security advantage does fiber optic cable offer over copper cables?

A. Fiber optics provides higher bandwidth.
B. Fiber optics are more difficult to wiretap.
C. Fiber optics are immune to wiretap.
D. None – the two are equivalent; network security is independent of the Physical Layer.

A

Answer: B. Fiber optics are more difficult to wiretap.
Explanation: Fiber-optic cables transmit data using light signals, making them more difficult to intercept or wiretap than copper cables that use electrical signals.

430
Q

What devices are best to be included in a robust network perimeter defense strategy?
A. A boundary router, a firewall, a proxy server
B. A firewall, a proxy server, a host-based intrusion detection system (HIDS)
C. A proxy server, a host-based intrusion detection system (HIDS), a firewall
D. A host-based intrusion detection system (HIDS), a firewall, a boundary router

A

Answer: A. A boundary router, a firewall, a proxy server

Explanation: A robust network perimeter defense typically includes boundary routers (to route data), firewalls (to filter traffic), and proxy servers (to act as intermediaries between internal and external networks).

431
Q

What is the principal security risk associated with wireless LANs?

A. Lack of physical access control
B. Demonstrably insecure standards
C. Implementation weaknesses
D. War driving

A

Answer: A. Lack of physical access control

Explanation: Wireless LANs are susceptible to risks from the lack of physical access control. Since the signals are transmitted through the air, unauthorized individuals can access the network without physical access to a network jack or cable.

432
Q

Which configuration related to a WLAN’s SSID
provides adequate security protection?
A. Using an obscure SSID to confuse and distract
an attacker
B. Not using any SSID at all to prevent an attacker
from connecting to the network
C. Not broadcasting an SSID to make it harder to
detect the WLAN
D. An SSID does not provide protection

A

Answer: D. An SSID does not provide protection
Explanation: An SSID (Service Set Identifier) is
simply a network name and does not provide any
inherent security protection. While hiding or
obscuring an SSID might make it slightly more
difficult for casual users to find the network, it does
not deter determined attackers. Tools that can
discover hidden SSIDs are readily available, so
relying on an SSID for security is not an effective
strategy. Therefore, the correct answer is that an
SSID does not provide protection, and other security
measures, such as robust encryption and
authentication methods, should be implemented to
secure a WLAN.

433
Q

What is true about IPSec?
A. It provides mechanisms for authentication and
encryption.
B. It provides mechanisms for non-repudiation.
C. It will only be deployed with IPv6.
D. It only authenticates clients against a server.

A

Answer: A. It provides mechanisms for
authentication and encryption.
Explanation: IPSec (Internet Protocol Security) is
a suite of protocols that secure Internet Protocol (IP)
communications by authenticating and encrypting
each IP packet in a data stream. The other options
are not accurate descriptions of IPSec’s primary
function.

434
Q

What is the principal weakness of the Domain Name
System (DNS)?
A. Lack of authentication of servers and thereby authenticity of records
B. Its latency, which enables insertion of records between the time when a record has expired and when it is refreshed
C. The fact that it is a simple, distributed, hierarchical database instead of a singular, relational one, thereby giving rise to the possibility of inconsistencies going undetected
for a certain amount of time
D. The fact that addresses in email can be spoofed
without checking their validity in DNS, caused
by the fact that DNS addresses are not digitally
signed

A

Answer: A. Lack of authentication of servers and
thereby authenticity of records
Explanation: The principal weakness of DNS lies
in its lack of authentication, which can allow
malicious actors to perform attacks like DNS
spoofing. This can lead to false DNS responses,
redirecting users to fraudulent websites.

435
Q

What is the function of a security event management
(SEM) service?
A. Gathers firewall logs for archiving
B. Aggregates logs from security devices and application servers looking for suspicious activity
C. Reviews access control logs on servers and physical entry points to match user system authorization with physical access permissions
D. Coordination software for security conferences
and seminars

A

Answer: B. Aggregates logs from security devices and application servers looking for suspicious activity
Explanation: Security event management (SEM)
focuses on real-time monitoring, correlating events,
notifications, and console views. It aggregates log
data generated throughout the organization’s
technology infrastructure, looking for signs of
malicious or otherwise suspicious activity.

436
Q

Which statement about open email relays is incorrect?

A. An open email relay is a server that forwards email from domains other than the ones it serves.
B. Open email relays are a principal tool for distribution of spam.
C. Using a deny list of open email relays provides a secure way for an email administrator to identify open mail relays and filter spam.
D. An open email relay is widely considered a sign of bad system administration.

A

Answer: C. Using a deny list of open email relays provides a secure way for an email administrator to identify open mail relays and filter spam

Explanation: Relying solely on a denylist of open
email relays is not a secure way to filter spam. Open
relays constantly change, and denylists may become
outdated quickly, leading to false positives or
negatives.

437
Q

How can a botnet be characterized?
A. A network used solely for internal communications
B. An automatic security alerting tool for corporate networks
C. A group of dispersed, compromised machines controlled remotely for illicit reasons
D. A type of virus

A

Answer: C. A group of dispersed, compromised
machines controlled remotely for illicit reasons
Explanation: A botnet is a network of
compromised computers, known as “bots” or
“zombies,” controlled remotely by an attacker. These
machines can be commanded to perform malicious
activities such as DDoS attacks, spam distribution,
or other illicit actions.

438
Q

Why is a mesh network topology rarely implemented
in modern networks?
A. Cost
B. Poor redundancy
C. Throughput
D. Optical fiber limits

A

Answer: A. Cost
Explanation: Mesh networks provide high
redundancy and resilience by creating multiple
connections between devices, but the complexity and
the need for more cabling or connections make them
more expensive to implement and maintain.

439
Q

What offers the strongest wireless encryption when
installing an 802.11n wireless access point?
A. WPA
B. WEP
C. PKI
D. WPA2

A

Answer: D. WPA2
Explanation: WPA2 (Wi-Fi Protected Access 2)
provides stronger data protection by using the
Advanced Encryption Standard (AES) protocol. It is
considered more secure than the other options
listed.

440
Q

What media is best suited in a heavy manufacturing
area with substantial electromagnetic radiation and power fluctuations if little traffic degradation is tolerated?
A. Coax cable
B. Wireless
C. Shielded twisted pair
D. Fiber

A

Answer: D. Fiber
Explanation: Fiber-optic cables use light to
transmit data, making them immune to
electromagnetic interference (EMI) and power
fluctuations. They are the most suitable option in
environments where such interference is prevalent.

441
Q

What is true about multilayer protocols like Modbus
used in industrial control systems?
A. Often have their own encryption and security like IPv6
B. Are used in modern routers as a routing interface control
C. Are often insecure by their very nature as they were not designed to natively operate over today’s IP networks
D. Have largely been retired and replaced with newer protocols such as IPv6 and NetBIOS

A

Answer: C. Are often insecure by their very nature
as they were not designed to natively operate over
today’s IP networks
Explanation: Modbus and similar multilayer
protocols used in industrial control systems were
designed for closed, trusted environments. As they
were not created with modern security challenges in
mind, they often lack the necessary security features
to protect against current threats, particularly when
adapted to operate over the public Internet.

442
Q

For a security professional needing to administer a server remotely, assuming they can access the
server from their location, what is the BEST approach for access?
A. TELNET
B. SSHv2
C. FTP
D. TFTP

A

Answer: B. SSHv2
Explanation: SSHv2 (Secure Shell version 2) is a
network protocol providing secure remote server
access. Unlike TELNET, FTP, and TFTP, which send
information, including passwords, in clear text,
SSHv2 encrypts the session, making it a far more
secure option for remote administration.

443
Q

As a security consultant for a company that requires
a secure connection for online financial transactions,
what Extensible Authentication Protocol would you
recommend that’s the most secure but also the most
costly?
A. EAP-LEAP
B. EAP-MD5
C. EAP-TLS
D. EAP-SIM

A

Answer: C. EAP-TLS
Explanation: EAP-TLS (Extensible Authentication
Protocol–Transport Layer Security) provides strong
security by using client and server authentication
certificates. It’s considered highly secure but costly
and complex to implement due to the need for a
public key infrastructure (PKI) to manage the
certificates.

444
Q

If two people are discussing stealing electronic serial
numbers (ESNs), what type of attack is being planned?
A. Bank card hacking
B. Modem hacking
C. PBX hacking
D. Cell phone hacking

A

Answer: D. Cell phone hacking
Explanation: Stealing electronic serial numbers
(ESNs) is associated with cell phone hacking. ESNs
are unique identifiers for mobile devices, and
unauthorized access can be used for fraudulent
activities.

445
Q

What is the BEST protocol if a company needs link-to-link communications supporting encryption and authentication compatible with IPv6 and using L2TP at Layer 3 of the OSI model?
A. IPSec Transport mode
B. IPSec Tunnel mode
C. PPTP
D. L2F

A

Answer: B. IPSec Tunnel mode
Explanation: IPSec Tunnel mode is suitable for
encrypting traffic between different networks, and it
supports both IPv4 and IPv6. It best fits this
scenario, providing the required encryption and
authentication for link-to-link communications.

446
Q

Which mechanism converts internal IP addresses found in IP headers into public addresses for transmission over the Internet?

A. ARP
B. DNS
C. DHCP
D. NAT

A

Answer: D. NAT

Explanation: NAT (Network Address Translation) is the process of translating private IP addresses into public IP addresses for communication over the
Internet. This enables multiple devices within a local network to share a single public IP address.

447
Q

If you need to implement IPv6 on an existing IPv4 network without a native connection to an IPv6 network, what technology should you use?

A. VRRP
B. Teredo
C. 802.1AE
D. 6to4

A

Answer: D. 6to4

Explanation: 6to4 is a transition mechanism for migrating from IPv4 to IPv6, allowing IPv6 packets to be transmitted over an IPv4 network. It’s suitable for a scenario with no native connection to an IPv6 network.

448
Q

What is the term for a situation where a path is no longer available and shows an infinite hop count?
A. Loopback
B. Split horizon
C. Classless Inter-Domain Routing
D. Poison reverse

A

Answer: D. Poison reverse
Explanation: Poison reverse is the term for a
situation where a path is no longer available and
shows an infinite hop count. Among the given
options, loopback refers to a special IP address used
for testing, split horizon is a method to prevent
routing loops by restricting route advertisement, and
Classless Inter-Domain Routing (CIDR) is a method
for allocating IP addresses. In contrast, poison
reverse is used in distance-vector routing protocols
to prevent routing loops. When a router learns that a
route is no longer available, it advertises the route
with an infinite metric, effectively “poisoning” the
route and informing other routers that it is no longer
reachable, making it the correct answer for the
described situation.

449
Q

What is a current updated standard to the WEP protocol?

A. WPA2
B. SMLI
C. PGP
D. POP

A

Answer: A. WPA2
Explanation: WPA2 (Wi-Fi Protected Access 2) improves on WEP (Wired Equivalent Privacy) and WPA, providing more robust security. It has become the standard for securing wireless networks.

450
Q

What closely resembles a packet filtering device, making decisions based on addresses, ports, and protocols?

A. Stateless firewall
B. Circuit-level proxy
C. Application proxy
D. Stateful firewall

A

Answer: A. Stateless firewall

Explanation: A stateless firewall filters packets based solely on predefined rules concerning the source and destination IP addresses, ports, and protocols without keeping track of the state of active
connections. It is the simplest type of firewall and closely resembles a packet filtering device.

451
Q

What protocol is a forerunner to Frame Relay and works over POTS lines?

A. SMDS
B. ATM
C. X.25
D. T-carriers

A

Answer: C. X.25

Explanation: X.25 is a protocol suite widely used in the 1980s for packet-switched network services over public data networks (including over POTS lines). It’s considered a forerunner to newer protocols like Frame Relay.

452
Q

What does RADIUS provide?

A. Authentication and accountability
B. Authorization and accountability
C. Authentication and authorization
D. Authentication, authorization, and accountability

A

Answer: D. Authentication, authorization, and accountability

Explanation: RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides centralized authentication, authorization, and
accounting (often called AAA) for network users. It is commonly used in ISP and corporate environments to manage access to network
resources.

453
Q

Which cell-switched WAN technology is the most suitable to use in rural areas considering that you don’t want to use circuit-switched tech?

A. DSL
B. T1
C. ISDN
D. ATM

A

Answer: D. ATM

Explanation: ATM (Asynchronous Transfer Mode) is a cell-switched technology that uses small, fixed-size cells to transmit data. It can be used in various applications, including WAN connections, making it
suitable for the given scenario.

454
Q

What is considered a third-generation firewall?

A. Packet filter
B. Circuit proxy
C. Application proxy
D. Stateful firewall

A

Answer: D. Stateful firewall

Explanation: Third-generation firewalls are
referred to as stateful firewalls. They monitor the state of active connections and make decisions based on the context of the traffic, such as TCP handshake completion and more.

455
Q

Identify the protocols corresponding to OSI Layers 2, 6, 3, 4, and 7, respectively.
A. ARP, SQL, ICMP, SMB, and SNMP
B. L2TP, SMB, IP, SQL, and HTTP
C. WEP, ASCII, IPX, TCP, and BootP
D. PPP, ZIP, SPX, UDP, and TFTP

A

Answer: D. PPP, ZIP, SPX, UDP, and TFTP
Explanation: The question requires identifying
protocols corresponding to OSI Layers 2, 6, 3, 4, and
7. The correct match for these layers would be
protocols responsible for node-to-node
communication (Layer 2), data translation including
encryption and formatting (Layer 6), routing and
forwarding (Layer 3), ensuring reliable data transfer
(Layer 4), and interfacing with applications and
end-user services (Layer 7). Analyzing the given options,
the correct answer is D. PPP, ZIP, SPX, UDP, and
TFTP, as these protocols correspond respectively to
the functions of the specified OSI layers. Other
options include protocols that do not typically align
with the required OSI layers for this question.

456
Q

Which wireless standard operates in the frequency
range of 5.15–5.35 GHz to 5.725–5.825 GHz and has a range of approximately 60 feet?
A. 802.11a
B. 802.11b
C. 802.11g
D. 802.11n

A

Answer: A. 802.11a
Explanation: The 802.11a standard operates in
the 5 GHz bands, specifically in the 5.15–5.35 GHz
and 5.725–5.825 GHz ranges, and typically has a
shorter range, around 60 feet, depending on the
environment and obstacles.

457
Q

What is the BEST description of ISAKMP (Internet
Security Association and Key Management Protocol)?
A. Defines procedures for managing Security Associations, utilizes IKE, etc.
B. Enables authentication of parties in a secure transition and contains certificate details
C. Manages private keys and certificates and follows X.509 standard
D. Defines protection of keys, establishes key lifetimes, and includes elements of business continuity

A

Answer: A. Defines procedures for managing
Security Associations, utilizes IKE, etc.
Explanation: ISAKMP is a protocol that defines
procedures and packet formats for the
establishment, negotiation, modification, and
deletion of Security Associations. It typically uses
IKE (Internet Key Exchange) for key exchange but
can implement other methods, making option A the
correct description.

458
Q

What is the OSI model in the context of network communication?

A. A seven-layer architecture for open systems interconnection
B. A five-layer architecture for closed systems interconnection
C. A protocol for data encryption
D. A type of firewall technology

A

Answer: A. A seven-layer architecture for open systems interconnection

Explanation: The OSI (open systems
interconnection) model is a structured, layered architecture comprising seven layers. It allows open systems to interconnect and communicate with each
other using protocols.

459
Q

Which of the following is NOT a method to handle collisions in network topologies?
A. Token-based collision avoidance
B. Polling
C. Carrier Sense Multiple Access (CSMA)
D. Data fragmentation

A

Answer: D. Data fragmentation
Explanation: Data fragmentation is not a method
to handle collisions. The methods mentioned in the
content for handling collisions are token-based
collision avoidance, polling, and Carrier Sense
Multiple Access (CSMA).

460
Q

What is the primary function of the Address Resolution Protocol (ARP)?
A. Mapping IP addresses to MAC addresses
B. Encrypting data packets
C. Managing wireless signals
D. Detecting network intrusions

A

Answer: A. Mapping IP addresses to MAC addresses
Explanation: ARP (Address Resolution Protocol)
allows IP addresses to be mapped to physical MAC
addresses. It facilitates communication between
devices on a network.

461
Q

Which of the following is a security feature of the Open Shortest Path First (OSPF) routing protocol?

A. Data fragmentation
B. IP mapping
C. Encryption
D. Voice over IP

A

Answer: C. Encryption

Explanation: OSPF (Open Shortest Path First) is a routing protocol routers use to manage and direct network traffic. It includes security features such as
encryption, making it a more secure routing
protocol.

462
Q

What is the purpose of a Virtual Local Area Network (VLAN)?

A. To increase the speed of data transmission
B. To create virtual tunnels through physical networks to connect devices
C. To detect and prevent network attacks
D. To encrypt wireless communication

A

Answer: B. To create virtual tunnels through physical networks to connect devices

Explanation: VLAN (Virtual Local Area Network) can be created using devices, technologies, and software. It reduces the need for physical rewiring by creating virtual tunnels through physical networks to connect devices, thereby enhancing
network management and security.

463
Q

Which of the following is a type of cable that utilizes
light pulses to represent 0s and 1s?
A. Twisted pair
B. Coaxial
C. Fiber optic
D. Radio frequency

A

Answer: C. Fiber optic
Explanation: Fiber-optic cable utilizes light pulses
to represent 0s and 1s. It offers great advantages in
speed and security compared to other types of
cables like twisted pair and coaxial.

464
Q

What is the primary purpose of the Internet Control
Message Protocol (ICMP)?
A. Encrypting data
B. Providing feedback about problems in the
network communication environment
C. Managing wireless signals
D. Handling collisions

A

Answer: B. Providing feedback about problems in the
network communication environment
Explanation: ICMP (Internet Control Message
Protocol) is used for messaging and specifically
provides feedback about problems in the network
communication environment. Commands like Ping
and traceroute utilize ICMP.

465
Q

Which of the following security solutions for the
802.11 wireless protocol family is the most updated?
A. WEP
B. WPA
C. WPA2
D. WPA3

A

Answer: D. WPA3
Explanation: WPA3 (Wi-Fi Protected Access 3) is
a security solution for the 802.11 wireless protocol
family, released in 2018. It includes access control,
authentication, encryption, and integrity protection.

466
Q

What is the main difference between a denial-of-service (DoS) attack and a distributed denial-of-service (DDoS) attack?
A. DoS involves multiple machines, while DDoS involves a single machine.
B. DoS involves a single machine, while DDoS involves multiple machines.
C. DoS encrypts data, while DDoS decrypts data.
D. DoS and DDoS are the same and have no differences.

A

Answer: B. DoS involves a single machine, while
DDoS involves multiple machines.
Explanation: A denial-of-service (DoS) attack
involves a single machine attempting to impede or
deny functionality, while a distributed denial-of-service
(DDoS) attack involves multiple devices
acting in unison to achieve the same goal.

467
Q

Which of the following is NOT a layer in the OSI
model?
A. Application
B. Session
C. Transport
D. Fragmentation

A

Answer: D. Fragmentation
Explanation: The OSI model consists of seven
layers: Application, Presentation, Session, Transport,
Network, Data Link, and Physical. Fragmentation is
not one of the layers in the OSI model.

468
Q

Which of the following protocols is responsible for
securely transmitting data over the Internet?
A. HTTPS
B. ICMP
C. ARP
D. OSPF

A

Answer: A. HTTPS
Explanation: HTTPS (Hypertext Transfer Protocol
Secure) securely transmits data over the Internet. It
encrypts the client and server data, ensuring
confidentiality and integrity.

469
Q

What is the primary function of the Data Link Layer
in the OSI model?
A. Routing data between networks
B. Encrypting data
C. Providing error detection and correction at the
physical level
D. Managing sessions between applications

A

Answer: C. Providing error detection and correction
at the physical level
Explanation: The Data Link Layer in the OSI
model provides error detection and correction at the
physical level. It ensures that data frames are
transmitted without errors.

470
Q

Which of the following is a common method used to prevent unauthorized access to a wireless network?

A. Data fragmentation
B. MAC address filtering
C. ICMP feedback
D. OSPF routing

A

Answer: B. MAC address filtering

Explanation: MAC address filtering is a security measure that controls access to a wireless network. Allowing or denying specific MAC addresses prevents unauthorized devices from connecting to
the network.

471
Q

What type of attack involves intercepting and altering communications between two parties without their knowledge?
A. Denial-of-service attack
B. Man-in-the-middle attack
C. Distributed denial-of-service attack
D. Brute-force attack

A

Answer: B. Man-in-the-middle attack
Explanation: A man-in-the-middle (MITM) attack involves an attacker intercepting and possibly altering communications between two parties without their knowledge. It can lead to eavesdropping or data manipulation.

472
Q

Which of the following is NOT a characteristic of a Virtual Private Network (VPN)?
A. Encrypts data transmission
B. Creates a virtual tunnel through the public Internet
C. Allows remote access to a private network
D. Increases data transmission speed

A

Answer: D. Increases data transmission speed

Explanation: A Virtual Private Network (VPN) encrypts data transmission, creates a virtual tunnel through the public Internet, and allows remote access to a private network. It does not inherently increase data transmission speed.

473
Q

What is the main purpose of the Simple Network Management Protocol (SNMP)?

A. Encrypting data transmission
B. Managing network devices
C. Detecting network intrusions
D. Routing data between networks

A

Answer: B. Managing network devices

Explanation: SNMP (Simple Network Management Protocol) manages network devices. It allows administrators to monitor, configure, and control network devices such as routers and switches.

474
Q

Which of the following is a characteristic of a stateful firewall?
A. It monitors only the source and destination addresses.
B. It monitors the state of active connections.
C. It operates only at the Application Layer of the OSI model.
D. It does not require any configuration.

A

Answer: B. It monitors the state of active connections.
Explanation: A stateful firewall monitors the state of active connections and makes decisions based on the context of the traffic, such as TCP handshake completion. It provides more advanced filtering compared to stateless firewalls.

475
Q

What type of encryption is used by the Wired Equivalent Privacy (WEP) protocol?

A. RSA
B. AES
C. RC4
D. SHA-256

A

Answer: C. RC4

Explanation: WEP (Wired Equivalent Privacy) uses the RC4 encryption algorithm. It was an early security protocol for wireless networks but has been largely replaced due to its vulnerabilities.

476
Q

Which of the following best describes the function of a proxy server?

A. It provides a direct connection between a client and a server.
B. It acts as an intermediary between a client and a server.
C. It manages network collisions.
D. It encrypts all data on a local network.

A

Answer: B. It acts as an intermediary between a client and a server.

Explanation: A proxy server is an intermediary between a client and a server. It can provide content filtering, privacy enhancement, and caching functions.

477
Q

What is the primary purpose of the Transport Layer in the OSI model?
A. It provides physical connectivity between devices.
B. It ensures reliable data transmission between devices.
C. It translates data into a user-friendly format.
D. It defines the network topology.

A

Answer: B. It ensures reliable data transmission between devices.
Explanation: The Transport Layer in the OSI model is responsible for ensuring reliable data transmission between devices. It manages error recovery and data flow control and ensures that data packets are delivered in the correct sequence.

478
Q

Which of the following protocols provides secure file transfer capabilities?

A. FTP
B. HTTP
C. SFTP
D. SNMP

A

Answer: C. SFTP

Explanation: SFTP (Secure File Transfer Protocol) provides secure file transfer capabilities by encrypting the data during transmission. It ensures the confidentiality and integrity of the files being transferred.

479
Q

What is the primary function of the Network Layer in the OSI model?

A. It manages the physical connection between devices.
B. It ensures reliable data transmission.
C. It routes data between different networks.
D. It translates data into a user-friendly format.

A

Answer: C. It routes data between different networks.

Explanation: The Network Layer in the OSI model is responsible for routing data between different networks. It determines the best path for data to travel from the source to the destination.

480
Q

Which of the following is a common method used to authenticate users on a network?

A. Data fragmentation
B. MAC address filtering
C. Two-factor authentication
D. ICMP feedback

A

Answer: C. Two-factor authentication
Explanation: Two-factor authentication (2FA) is a common method used to authenticate users on a network. It requires two separate forms of identification, enhancing security by adding a layer of authentication.

481
Q

What type of attack involves overwhelming a system with traffic to make it unavailable to users?

A. Man-in-the-middle attack
B. Brute-force attack
C. Denial-of-service attack
D. Password cracking

A

Answer: C. Denial-of-service attack

Explanation: A denial-of-service (DoS) attack involves overwhelming a system with traffic to make it unavailable to users. It can be executed by sending excessive requests to a target, consuming its resources.

482
Q

Which of the following is NOT a characteristic of the Transmission Control Protocol (TCP)?

A. Connection oriented
B. Ensures reliable data transmission
C. Stateless
D. Provides error checking

A

Answer: C. Stateless
Explanation: TCP (Transmission Control Protocol) is connection oriented and ensures reliable data transmission by providing error checking and acknowledgment of received packets. It is not stateless; rather, it maintains the state of the connection throughout the communication process.

483
Q

What is the main function of the Presentation Layer in the OSI model?
A. It translates, encrypts, and compresses data.
B. It manages physical connections between devices.
C. It ensures reliable data transmission.
D. It routes data between different networks.

A

Answer: A. It translates, encrypts, and compresses data.
Explanation: The Presentation Layer in the OSI model is responsible for translating, encrypting, and compressing data. It ensures that the data is in a format that both the sending and receiving devices can understand.

484
Q

Which of the following is a security protocol designed to provide secure communication over an insecure network?
A. SNMP
B. ICMP
C. SSL/TLS
D. ARP

A

Answer: C. SSL/TLS
Explanation: SSL/TLS (Secure Sockets Layer/Transport Layer Security) is a protocol designed to communicate securely over an insecure network. It encrypts the client and server data, ensuring confidentiality and integrity.

485
Q

What type of network topology is characterized by devices connected in a closed loop?
A. Star
B. Mesh
C. Ring
D. Bus

A

Answer: C. Ring
Explanation: In a Ring topology, devices are connected in a closed loop. Each device is connected to exactly two other devices, forming a circular structure.

486
Q

Which of the following best describes the function of a demilitarized zone (DMZ) in network security?
A. It encrypts all data on a local network.
B. It acts as a buffer zone between the internal network and untrusted external networks.
C. It manages network collisions.
D. It provides a direct connection between a client and a server.

A

Answer: B. It acts as a buffer zone between the internal network and untrusted external networks.
Explanation: A demilitarized zone (DMZ) acts as a buffer zone between internal and untrusted external networks, such as the Internet. It adds a layer of security by isolating public-facing servers from the internal network.

487
Q

What is the primary purpose of a public key infrastructure (PKI)?
A. To manage public and private keys for data encryption
B. To increase data transmission speed
C. To detect and prevent network attacks
D. To route data between different networks

A

Answer: A. To manage public and private keys for data encryption
Explanation: Public key infrastructure (PKI) manages public and private keys for data encryption. It ensures secure communication by providing key management, certificate issuance, and authentication.

488
Q

Which of the following best describes the function of a network intrusion detection system (NIDS)?
A. It encrypts data transmission.
B. It routes data between different networks.
C. It monitors network traffic for suspicious activities.
D. It manages physical connections between devices.

A

Answer: C. It monitors network traffic for suspicious activities.
Explanation: A network intrusion detection system (NIDS) monitors network traffic for suspicious activities and potential breaches. It can alert administrators to possible intrusions, allowing for a timely response.

489
Q

What is the main advantage of using a Virtual Private Network (VPN) for remote access?
A. It increases data transmission speed.
B. It provides a secure connection over the public Internet.
C. It manages network devices.
D. It routes data between different networks.

A

Answer: B. It provides a secure connection over the public Internet.
Explanation: A Virtual Private Network (VPN) provides a secure connection over the public Internet by encrypting the data transmission. It allows remote access to a private network while maintaining confidentiality and integrity.

490
Q

Which of the following is NOT a function of a firewall?
A. Filtering incoming and outgoing traffic
B. Encrypting data stored on a local network
C. Blocking unauthorized access
D. Monitoring connections

A

Answer: B. Encrypting data stored on a local network
Explanation: A firewall’s primary functions include filtering incoming and outgoing traffic, blocking unauthorized access, and monitoring connections. It does not typically encrypt data stored on a local network.

491
Q

What type of network topology is characterized by each device being connected to every other device?
A. Star
B. Mesh
C. Ring
D. Bus

A

Answer: B. Mesh
Explanation: In a Mesh topology, each device is connected to every other device. This provides multiple paths for data transmission and enhances redundancy and reliability.

492
Q

Which of the following protocols is used to send email securely?
A. HTTP
B. FTP
C. SNMP
D. SMTPS

A

Answer: D. SMTPS
Explanation: SMTPS (Secure Mail Transfer Protocol Secure) is used to send email securely. It encrypts the connection between the mail client and server, ensuring the email content is confidential.

493
Q

Which of the following best describes the function of a honeypot in network security?
A. It acts as a decoy to attract attackers.
B. It encrypts data stored on a local network.
C. It increases data transmission speed.
D. It routes data between different networks.

A

Answer: A. It acts as a decoy to attract attackers.
Explanation: A honeypot in network security acts as a decoy to attract attackers. It is designed to be vulnerable to lure potential attackers, allowing security professionals to study their behaviors and techniques.

494
Q

What is the primary purpose of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol?
A. To manage network devices
B. To encrypt email content
C. To detect and prevent network attacks
D. To increase data transmission speed

A

Answer: B. To encrypt email content
Explanation: S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol to encrypt email content. It ensures the confidentiality and integrity of email messages by encrypting the data.

495
Q

Which of the following is a characteristic of a stateless firewall?
A. It monitors the state of active connections.
B. It filters traffic based solely on source and destination addresses.
C. It requires extensive configuration.
D. It operates only at the Application Layer of the OSI model.

A

Answer: B. It filters traffic based solely on source and destination addresses.
Explanation: A stateless firewall filters traffic based solely on source and destination addresses without keeping track of the state of active connections. It provides basic filtering compared to stateful firewalls.

496
Q

What type of network topology is characterized by a central hub or switch connecting all devices?
A. Star
B. Mesh
C. Ring
D. Bus

A

Answer: A. Star
Explanation: All devices are connected to a central hub or switch in a Star topology. This central connection point allows for easy addition and removal of devices but can create a single point of failure.

497
Q

Which of the following is NOT a function of the Physical Layer in the OSI model?
A. It manages the physical connection between devices.
B. It translates data into a user-friendly format.
C. It defines the electrical and physical specifications.
D. It transmits raw bitstream over the physical medium.

A

Answer: B. It translates data into a user-friendly format.
Explanation: The Physical Layer in the OSI model manages the physical connection between devices, defines the electrical and physical specifications, and transmits raw bitstream over the physical medium. It does not translate data into a user-friendly format.

498
Q

Which of the following best describes the function of a security information and event management (SIEM) system?
A. It acts as a decoy to attract attackers.
B. It provides real-time analysis of security alerts.
C. It manages physical connections between devices.
D. It encrypts data stored on a local network.

A

Answer: B. It provides real-time analysis of security alerts.
Explanation: A security information and event management (SIEM) system provides real-time analysis of security alerts generated by various hardware and software entities in an organization. It helps in early detection and response to security incidents.

499
Q

What is the primary purpose of the Secure Hypertext Transfer Protocol (S-HTTP)?
A. To manage network devices
B. To encrypt web communication
C. To detect and prevent network attacks
D. To increase data transmission speed

A

Answer: B. To encrypt web communication
Explanation: S-HTTP (Secure Hypertext Transfer Protocol) encrypts web communication. It ensures the confidentiality and integrity of data transmitted between the web browser and server.

500
Q

Which of the following is NOT a characteristic of a Virtual LAN (VLAN)?
A. It creates virtual tunnels through physical networks.
B. It encrypts data transmission.
C. It allows devices to be grouped logically.
D. It enhances network management and security.

A

Answer: B. It encrypts data transmission.
Explanation: A Virtual LAN (VLAN) creates virtual tunnels through physical networks, allows devices to be grouped logically, and enhances network management and security. It does not inherently encrypt data transmission.

501
Q

What type of network topology is characterized by a single central cable connecting all devices?
A. Star
B. Mesh
C. Ring
D. Bus

A

Answer: D. Bus
Explanation: All devices are connected to a central cable in a bus topology. This central cable is a backbone for the network, and data is transmitted along this single pathway.

502
Q

Which of the following is a common method used to secure data at rest?
A. Firewall filtering
B. Data encryption
C. Network monitoring
D. Traffic routing

A

Answer: B. Data encryption
Explanation: Data encryption is commonly used to secure data at rest. Encrypting the data stored on a device or within a network prevents unauthorized access and potential breaches.

503
Q

Which of the following best describes the function of a security operations center (SOC)?
A. It acts as a central hub for network devices.
B. It provides real-time monitoring and analysis of security events.
C. It encrypts web communication.
D. It manages virtual tunnels through physical networks.

A

Answer: B. It provides real-time monitoring and analysis of security events.
Explanation: A security operations center (SOC) monitors and analyses security events within an organization. It coordinates security measures and responds to security incidents to protect against threats.

504
Q

What is the primary purpose of the File Transfer Protocol (FTP)?
A. To encrypt email content
B. To transfer files over a network
C. To detect and prevent network attacks
D. To manage network devices

A

Answer: B. To transfer files over a network
Explanation: FTP (File Transfer Protocol) transfers files over a network. It allows users to upload and download files from servers, facilitating file sharing and management.

505
Q

Which of the following is NOT a characteristic of the Secure Shell (SSH) protocol?
A. It provides secure remote access.
B. It encrypts data transmission.
C. It increases data transmission speed.
D. It uses public key cryptography.

A

Answer: C. It increases data transmission speed.
Explanation: Secure Shell (SSH) provides secure remote access, encrypts data transmission, and uses public key cryptography to authenticate users. It does not inherently increase data transmission speed.

506
Q

What network topology is characterized by multiple connections between devices, providing redundancy?
A. Star
B. Mesh
C. Ring
D. Bus

A

Answer: B. Mesh
Explanation: In a Mesh topology, devices are connected to multiple other devices, providing redundancy. This ensures that data can still be transmitted through alternative paths if one connection fails.

507
Q

Which of the following is a common method used to authenticate users based on something they have?
A. Password
B. Biometric scan
C. Security token
D. Security question

A

Answer: C. Security token
Explanation: Authenticating users based on something they have often involves using a security token. This can be a physical device or a digital token that generates a code, providing an additional layer of authentication.

508
Q

Which of the following best describes the function of a network access control (NAC) system?
A. It encrypts data transmission.
B. It manages network devices.
C. It controls access to a network based on policies.
D. It acts as a decoy to attract attackers.

A

Answer: C. It controls access to a network based on policies.
Explanation: A network access control (NAC) system controls access to a network based on policies. It evaluates the security posture of devices attempting to connect and enforces compliance with security policies.

509
Q

What is the primary purpose of the Lightweight Directory Access Protocol (LDAP)?
A. To encrypt web communication
B. To provide a directory service for managing user information
C. To increase data transmission speed
D. To monitor and analyze security events

A

Answer: B. To provide a directory service for managing user information
Explanation: LDAP (Lightweight Directory Access Protocol) provides a directory service for collecting user information. It allows organizations to store and retrieve user credentials, profiles, and other information in a structured manner.

510
Q

Which of the following is NOT a characteristic of the Internet Protocol Security (IPSec) protocol?
A. It provides secure communication over IP networks.
B. It encrypts data at the Transport Layer.
C. It manages physical connections between devices.
D. It uses authentication headers for integrity.

A

Answer: C. It manages physical connections between devices.
Explanation: Internet Protocol Security (IPSec) provides secure communication over IP networks, encrypts data at the Transport Layer, and uses authentication headers for integrity. It does not manage physical connections between devices.

511
Q

An organization is considering creating a cloud-based federation using a third-party service to share federated identities. After it’s completed, what will people use as their login ID?
A. Their normal account
B. An account given to them from the cloud-based federation
C. Hybrid identity management
D. Single-sign on

A

A. An on-premises identity management system will provide the organization with the most control and is the best choice. A cloud-based solution is controlled by a third party. Either an on-premises or a cloud-based solution is needed. There’s no need to have both in a hybrid solution. Identity management solutions provide single sign-on (SSO), but SSO is a benefit of identity management, not a type of identity management.

512
Q

Which of the following best expresses the primary goal when controlling access to assets?
A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

A

A. A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as the first step in access control, but much more is needed to protect assets.

513
Q

Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object.

A

C. The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.

514
Q

Based on advice from the National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?
A. Every 30 days
B. Every 60 days
C. Every 90 days
D. Only if the current password is compromised

A

D. NIST SP 800-63B recommends users only be required to change their password if their current password is compromised. They do not recommend that users be required to change their password regularly at any interval.

515
Q

Security administrators have learned that users are switching between two passwords. When the system prompts them to change their password, they use the second password. When the system prompts them to change their password again, they use the first password. What can prevent users from rotating between two passwords?
A. Password complexity
B. Password history
C. Password length
D. Password age

A

B. Password history can prevent users from rotating between two passwords. It remembers previously used passwords. Password complexity and password length help ensure that users create strong passwords. Password age ensures that users change their password regularly.

516
Q

Which of the following best identifies the benefit of a passphrase?
A. It is short.
B. It is easy to remember
C. It includes a single set of characters.
D. It is easy to crack.

A

B. A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes at least three sets of character types. It is strong and complex, making it difficult to crack.

517
Q

Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card

A

A. A synchronous token generates and displays onetime passwords that are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the onetime password. Smartcards do not generate onetime passwords, and common access cards are a version of a smartcard that includes a picture of the user.

518
Q

What does the CER for a biometric device indicate?
A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.

A

C. The point at which the biometric false rejection rate and the false acceptance rate are equal is the crossover error rate (CER). It does not indicate that sensitivity is too high or too low. A lower CER indicates a higher-quality biometric device, and a higher CER indicates a less accurate device.

519
Q

Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn’t recognize her, so she wasn’t able to log on. What does this describe?
A. False rejection
B. False acceptance
C. Crossover error
D. Equal error

A

A. A false rejection, sometimes called a false negative authentication or a Type I error, occurs when an authentication doesn’t recognize a valid subject (Sally in this example). A false acceptance, sometimes called a false positive authentication or a Type II error, occurs when an authentication system incorrectly recognizes an invalid subject. Crossover errors and equal errors aren’t valid terms related to biometrics. However, the crossover error rate (also called equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system.

520
Q

Users log on with a username when accessing the company network from home. Management wants to implement a second factor of authentication for these users. They want a secure solution, but they also want to limit costs. Which of the following best meets these requirements?
A. Short Message Service (SMS)
B. Fingerprint scans
C. Authenticator app
D. Personal identification number (PIN)

A

C. An authenticator app on a smartphone or tablet device is the best solution. SMS has vulnerabilities, and NIST has deprecated its use for two-factor authentication. Biometric authentication methods, such as fingerprint scans, provide strong authentication. However, purchasing biometric readers for each employee’s home would be expensive. A PIN is in the something you know factor of authentication, so it doesn’t provide two-factor authentication when used with a password.

521
Q

Which of the following provides authentication based on a physical characteristic of a subject?
A. Account ID
B. Biometrics
C. Token
D. PIN

A

B. Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have, and it creates onetime passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.

522
Q

Fingerprint readers match minutiae from a fingerprint with data in a database. Which of the following accurately identify fingerprint minutiae? (Choose three.)
A. Vein pattern
B. Ridges
C. Bifurcations
D. Whorls

A

B, C, D. Ridges, bifurcations, and whorls are fingerprint minutiae. Ridges are the lines in a fingerprint. Some ridges abruptly end, and some ridges bifurcate or fork into branch ridges. Whorls are a series of circles. Palm scans measure vein patterns in a palm.

523
Q

An organization wants to implement biometrics for authentication, but management doesn’t want to use fingerprints. Which of the following is the most likely reason why management doesn’t want to use fingerprints?
A. Fingerprints can be counterfeited.
B. Fingerprints can be changed.
C. Fingerprints aren’t always available.
D. Registration takes too long.

A

A. Fingerprints can be counterfeited or duplicated. It is not possible to change fingerprints. Users will always have a finger available (except for major medical events), so they will always have a fingerprint available. It usually takes less than a minute for registration of a fingerprint.

524
Q

Which of the following items are required to ensure logs accurately support accountability? (Choose two.)
A. Identification
B. Authorization
C. Auditing
D. Authentication

A

A, D. Accurate identification and authentication are required to support accountability. Logs record events, including who took an action, but without accurate identification and authentication, the logs can’t be relied on. Authorization grants access to resources after proper authentication. Auditing occurs after logs are created, but identification and authentication must occur first.

526
Q

Management wants to ensure that an IT network supports accountability. Which of the following is necessary to meet this requirement?
A. Identification
B. Integrity
C. Authentication
D. Confidentiality

A

C. Authentication is necessary to ensure a network supports accountability. Note that authentication indicates that a user claimed an identity such as with a username and proved the identity such as with a password. In other words, valid authentication includes identification. However, identification doesn’t include authentication. If users could just claim an identity without proving it’s their identity, the system doesn’t support accountability. Audit trails (not available as a possible answer) help provide accountability as long as users have authenticated. Integrity provides assurances that unauthorized entities have not modified data or system settings. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.

527
Q

A company’s security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?
A. To remove the account
B. To remove privileges assigned to the account
C. To prevent sabotage
D. To encrypt user data

A

C. The most likely reason (of the provided options) is to prevent sabotage. If the user’s account remains enabled, the user may log on later and cause damage. Disabling the account doesn’t remove the account or remove assigned privileges. Disabling an account doesn’t encrypt any data, but it does retain encryption keys that supervisors can use to decrypt any data encrypted by the user.

528
Q

When employees leave an organization, personnel either delete or disable accounts. In which of the following situations would they most likely delete an account?
A. An administrator who has used their account to run services left the organization.
B. A disgruntled employee who encrypted files with their account left the organization
C. An employee has left the organization and will start a new job tomorrow.
D. A temporary employee using a shared account will not return to the organization.

A

C. The most likely reason to delete the account (of the provided options) is if an employee left the organization and will start a new job tomorrow. It would not be appropriate to delete the account for any other answer options. If an administrator used their account to run services, deleting their account would prevent the services from running. It would be appropriate to disable the account of a disgruntled employee. If this employee encrypted data with their account, deleting the account would prevent access to the encrypted data. It would be appropriate to change the password of a shared account used by temporary employees.

529
Q

Karen is taking maternity leave and will be away from the job for at least 12 weeks. Which of the following actions should be taken while she is taking this leave of absence?
A. Delete the account.
B. Reset the account’s password.
C. Do nothing.
D. Disable the account.

A

D. It’s appropriate to disable an account when an employee takes a leave of absence of 30 days or more. The account should not be deleted because the employee will return after the leave of absence. If the password is reset, someone could still log on. If nothing is done to the account, someone else may access it and impersonate the employee.

530
Q

Security investigators discovered that after attackers exploited a database server, they identified the password for the sa account. They then used this to access other servers in the network. What can be implemented to prevent this from happening in the future?
A. Account deprovisioning
B. Disabling an account
C. Account access review
D. Account revocation

A

C. Account access reviews can detect security issues for service accounts such as the sa (short for system administrator) account in Microsoft SQL Server systems. Reviews can ensure that service account passwords are strong and changed often. The other options suggest removing, disabling, or deleting the sa account, but doing so is likely to affect the database server's performance. Account deprovisioning ensures accounts are removed when they are no longer needed. Disabling an account ensures it isn't used, and account revocation deletes the account.

531
Q

Fred, an administrator, has been working within an organization for over 10 years. He previously maintained database servers while working in a different division. He now works in the programming department but still retains privileges on the database servers. He recently modified a setting on a database server so that a script he wrote will run. Unfortunately, his change disabled the server for several hours before database administrators discovered the change and reversed it. Which of the following could have prevented this outage?
A. A policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account access review

A

D. A periodic account access review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication methods) would not have prevented the problems in this scenario. Logging records what happened, but it doesn't prevent events.

532
Q

Which of the following best describes an implicit deny principle?
A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above.

A

B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.

533
Q

A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

A

B. An access control matrix includes multiple objects and subjects. It identifies access granted to subjects (such as users) to objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refers to excessive privileges a subject gathers over time.

534
Q

You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement?
A. Mandatory Access Control (MAC) model
B. Discretionary Access Control (DAC) model
C. Role-Based Access Control (RBAC) model
D. Rule-based access control model

A

B. A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.

535
Q

Which of the following access control models allows the owner of data to modify permissions?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-based access control
D. Risk-based access control

A

A. The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user's need to know and organization policies. A rule-based access control model uses rules to grant or block access. A risk-based access control model examines the environment, the situation, and policies coded in software to determine access.

536
Q

A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this?
A. DAC model
B. An access control list (ACL)
C. Rule-based access control model
D. RBAC model

A

D. A role-based access control (RBAC) model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

537
Q

Which of the following statements is true related to the RBAC model?
A. An RBAC model allows users membership in multiple groups.
B. An RBAC model allows users membership in a single group.
C. An RBAC model is nonhierarchical.
D. An RBAC model uses labels.

A

A. The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.

539
Q

You are reviewing different access control models. Which of the following best describes a rule-based access control model?
A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

A

D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.

540
Q

Your organization is considering deploying a software-defined network (SDN) in the data center. Which of the following access control models is commonly used in a SDN?
A. Mandatory Access Control (MAC) model
B. Attribute-Based Access Control (ABAC) model
C. Role-Based Access Control (RBAC) model
D. Discretionary Access Control (DAC) model

A

B. The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.

541
Q

The MAC model supports different environment types. Which of the following grants users access using predefined labels for specific objects?
A. Compartmentalized environment
B. Hierarchical environment
C. Centralized environment
D. Hybrid environment

A

B. In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn't use a centralized environment.

542
Q

Which of the following access control models identifies the upper and lower bounds of access for subjects with labels?
A. Nondiscretionary access control
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)

A

B. The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels. DAC and ABAC models do not use labels.

543
Q

Which of the following access control models uses labels and is commonly referred to as a lattice-based model?
A. DAC
B. Nondiscretionary
C. MAC
D. RBAC

A

C. Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.

544
Q

Management wants users to use multifactor authentication any time they access cloud-based resources. Which of the following access control models can meet this requirement?
A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Discretionary Access Control (DAC)

A

A. A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.

545
Q

Which of the following access control models determines access based on the environment and the situation?
A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control (ABAC)

A

A. A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).

546
Q

A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology?
A. OIDC
B. OAuth
C. SAML
D. OpenID

A

A. OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn’t include profile information.

547
Q

Some users in your network are having problems authenticating with a Kerberos server. While troubleshooting the problem, you verified you can log on to your regular work computer. However, you are unable to log on to the user's computer with your credentials. Which of the following is most likely to solve this problem?
A. Advanced Encryption Standard (AES)
B. Network Access Control (NAC)
C. Security Assertion Markup Language (SAML)
D. Network Time Protocol (NTP)

A

D. Configuring a central computer to synchronize its time with an external NTP server, and all other systems to synchronize their time with that central computer, will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within 5 minutes of each other, and the scenario, along with the available answers, suggests the user's computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because a user successfully logs on to one computer, it indicates Kerberos is working and AES is installed. NAC checks a system's health after the user authenticates. NAC doesn't prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn't require SAML.

548
Q

Your organization has a large network supporting thousands of employees, and it utilizes Kerberos. Of the following choices, what is the primary purpose of Kerberos?
A. Confidentiality
B. Integrity
C. Authentication
D. Accountability

A

C. The primary purpose of Kerberos is authentication, since it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

549
Q

What is the function of the network access server within a RADIUS architecture?
A. Authentication server
B. Client
C. AAA server
D. Firewall

A

B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.

550
Q

Larry manages a Linux server. Occasionally, he needs to run commands that require root level privileges. Management wants to ensure that an attacker cannot run these commands if the attacker compromises Larry’s account. Which of the following is the best choice?
A. Grant Larry sudo access.
B. Give Larry the root password.
C. Add Larry’s account to the administrator’s group.
D. Add Larry’s account to the LocalSystem account.

A

B. The best choice is to give the administrator the root password. The administrator would enter it manually when running commands that need elevated privileges by running the su command. If the user is granted sudo access, it would allow the user to run commands requiring root-level privileges, under the context of the user account. If an attacker compromised the user account, the attacker could run the elevated commands with sudo. Linux systems don’t have an administrator group or a LocalSystem account.

551
Q

An attacker used a tool to exploit a weakness in NTLM. They identified an administrator’s user account. Although the attacker didn’t discover the administrator’s password, they did access remote systems by impersonating the administrator. Which of the following best identifies this attack?
A. Pass the ticket
B. Golden ticket
C. Rainbow table
D. Pass the hash

A

D. NTLM is known to be susceptible to pass-the-hash attacks, and this scenario describes a pass-the-hash attack. Kerberos attacks attempt to manipulate tickets, such as in pass-the-ticket and golden ticket attacks, but these are not NTLM attacks. A rainbow table attack uses a rainbow table in an offline brute-force attack.

552
Q

Your organization recently suffered a major data breach. After an investigation, security analysts discovered that attackers were using golden tickets to access network resources. Which of the following did the attackers exploit?
A. RADIUS
B. SAML
C. Kerberos
D. OIDC

A

C. Attackers can create golden tickets after successfully exploiting Kerberos and obtaining the Kerberos service account (KRBTGT). Golden tickets are not associated with Remote Authentication Dial-in User Service (RADIUS), Security Assertion Markup Language (SAML), or OpenID Connect (OIDC).

553
Q

What access control method weighs additional factors, such as time of attempted access, before granting access?
(a) Content-dependent access control
(b) Context-dependent access control
(c) Role-based access control
(d) Task-based access control

A

B. Context-dependent access control adds additional factors beyond username and password, such as the time of attempted access. Incorrect answers and explanations: Answers A, C, and D are incorrect. Content-dependent access control uses the content, such as file contents, as an additional factor. Role-based access control is based on the subject's role, while task-based access control is based on the tasks the subject needs to perform.

554
Q

What service is known as cloud identity, which allows organizations to leverage cloud service for identity management?
(a) IaaS
(b) IDaaS
(c) PaaS
(d) SaaS

A

B. Identity as a service, also called cloud identity, allows organizations to leverage cloud service for identity management. Incorrect answers and explanations: Answers A, C, and D are incorrect. IaaS (infrastructure as a service) provides an entire virtualized operating system, which the customer configures from the OS on up. PaaS (platform as a service) provides a preconfigured operating system, and the customer configures the applications. SaaS (software as a service) is completely configured, from the operating system to applications, and the customer simply uses the application.

555
Q

What is an XML-based framework for exchanging security information, including authentication data?
(a) Kerberos
(b) OpenID
(c) SAML
(d) SESAME

A

C. SAML is an XML-based framework for exchanging security information, including authentication data. Incorrect answers and explanations: Answers A, B, and D are incorrect. Kerberos is a third-party authentication service that may be used to support single sign-on. OpenID is a framework for exchanging authentication data, but it is not XML-based. SESAME stands for Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environments.

556
Q

What protocol is a common open protocol for interfacing and querying directory service information provided by network operating systems using port 389 via TCP or UDP?

(a) CHAP
(b) LDAP
(c) PAP
(d) RADIUS

A

B. Lightweight directory access protocol is an open protocol for interfacing and querying directory service information from network operating systems using port 389 TCP or UDP.
Incorrect answers and explanations: Answers A, C, and D are incorrect. CHAP, PAP, and RADIUS do not provide directory service information provided by network operating systems using port 389 TCP or UDP.

557
Q

What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?
(a) Decrease the amount of minutiae that is verified
(b) Increase the amount of minutiae that is verified
(c) Lengthen the enrollment time
(d) Lower the throughput time

A

Correct answer and explanation: A. Decreasing the amount of minutiae will make the accuracy of the system lower, which lowers false rejects but raises false accepts. Incorrect answers and explanations: Answers B, C, and D are incorrect. Increasing the amount of minutiae will make the system more accurate, increasing the FRR and lowering the FAR. Enrollment and throughput time are not directly connected to FAR and FRR.

558
Q

What does the term "privilege escalation" refer to in the context of access control systems?
A. The process of a user claiming or professing an identity
B. The act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources.
Explanation: Privilege escalation in the context of access control systems refers to the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources. This is a common technique used in cyberattacks to gain unauthorized access to systems.

559
Q

What is the purpose of "discretionary access control" in access control?
A. To ensure that users have access to all the information they might need
B. To allow the owners of information to control who can access their information
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them

A

B. To allow the owners of information to control who can access their information.
Explanation: Discretionary access control is a type of access control that allows the owners of information to control who can access their information. It is commonly used in environments where information sharing is encouraged, but control is still required.

560
Q

What is the main disadvantage of using discretionary access control systems?
A. It increases the number of passwords a user has to remember.
B. It can lead to “privilege creep” if access rights are not regularly reviewed and updated.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. It can lead to "privilege creep" if access rights are not regularly reviewed and updated.
Explanation: The main disadvantage of using discretionary access control systems is that it can lead to "privilege creep" if access rights are not regularly reviewed and updated. Privilege creep occurs when users accumulate more privileges than they need to perform their job functions, which can increase the risk of unauthorized access and data breaches.

561
Q

What is the primary purpose of the OAuth protocol in the context of authentication systems?
A. To provide a secure communication channel
B. To provide a standard for authorizing third party applications to access user data without sharing passwords
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide encryption for data in transit

A

B. To provide a standard for authorizing third-party applications to access user data without sharing passwords.
Explanation: OAuth (Open Authorization) is a standard for authorizing third-party applications to access user data without sharing passwords. It is commonly used in scenarios where you want to give an application access to your data without giving it your password.

562
Q

What does the term "deprovisioning" refer to in the context of Identity and Access Management (IAM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of removing an existing user account and its associated access rights
C. The process of allowing different organizations to share and manage identity information
D. The process of setting up a new user account with appropriate access rights

A

B. The process of removing an existing user account and its associated access rights.
Explanation: Deprovisioning in the context of IAM refers to the process of removing an existing user account and its associated access rights. This is typically done when an employee leaves an organization or changes roles.

563
Q

What does the term "attribute-based access control (ABAC)" refer to in the context of access control systems?
A. The process of a user claiming or professing an identity
B. A flexible access control method where access rights are granted to users through the use of policies which combine attributes together
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. A flexible access control method where access rights are granted to users through the use of policies which combine attributes together.
Explanation: Attribute-based access control (ABAC) in the context of access control systems refers to a flexible access control method where access rights are granted to users through the use of policies which combine attributes together. These attributes can be associated with the user, the object to be accessed, or the environment.

564
Q

What is the purpose of the “mandatory access control” in access control?
A. To ensure that users have access to all the information they might need
B. To enforce access control policies based on the classification of information and the security clearance of users
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them

A

B. To enforce access control policies based on the classification of information and the security clearance of users.
Explanation: Mandatory access control is a type of access control that enforces access control policies based on the classification of information and the security clearance of users. It is commonly used in government and military environments where information must be classified and access must be strictly controlled.

565
Q

What is the main disadvantage of using role-based access control systems?
A. It increases the number of passwords a user has to remember.
B. It can be difficult to manage if roles are not clearly defined or if users have multiple roles.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. It can be difficult to manage if roles are not clearly defined or if users have multiple roles.
Explanation: The main disadvantage of using role-based access control systems is that it can be difficult to manage if roles are not clearly defined or if users have multiple roles. This can lead to users having more access rights than they need, which can increase the risk of unauthorized access and data breaches.

566
Q

What is the primary purpose of the SAML protocol in the context of authentication systems?
A. To provide a secure communication channel
B. To provide a standard for exchanging authentication and authorization data between parties
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide encryption for data in transit

A

B. To provide a standard for exchanging authentication and authorization data between parties.
Explanation: SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between parties. It is commonly used in Single Sign-On (SSO) and Federated Identity Management (FIM) systems.

567
Q

What does the term "provisioning" refer to in the context of Identity and Access Management (IAM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of setting up a new user account with appropriate access rights
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The process of setting up a new user account with appropriate access rights.
Explanation: Provisioning in the context of IAM refers to the process of setting up a new user account with appropriate access rights. This includes activities such as creating the user's account, assigning roles, and granting access to resources.

568
Q

What does the term "Single Sign-On (SSO)" refer to in the context of authentication systems?
A. The process of a user claiming or professing an identity
B. The use of a single set of credentials to access multiple applications or services
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The use of a single set of credentials to access multiple applications or services.
Explanation: Single Sign-On (SSO) in the context of authentication systems refers to the use of a single set of credentials to access multiple applications or services. This simplifies the user experience and reduces the risk of password-related security issues.

569
Q

What is the purpose of the “principle of least privilege” in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have the minimum levels of access necessary to perform their job functions
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them

A

B. To ensure that users only have the minimum levels of access necessary to perform their job functions.
Explanation: The "principle of least privilege" in access control is designed to ensure that users only have the minimum levels of access necessary to perform their job functions. This minimizes the risk of unauthorized access and data breaches.

570
Q

What is the main disadvantage of using password-based authentication systems?
A. It increases the number of passwords a user has to remember.
B. Passwords can be easily forgotten, shared, or stolen.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. Passwords can be easily forgotten, shared, or stolen.
Explanation: The main disadvantage of using password-based authentication systems is that passwords can be easily forgotten, shared, or stolen. This can lead to unauthorized access and other security issues.

571
Q

What is the primary purpose of the TACACS+ protocol in the context of authentication systems?
A. To provide a secure communication channel
B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide encryption for data in transit

A

B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
Explanation: TACACS+ (Terminal Access Controller Access Control System Plus) is a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

572
Q

What does the term "identity life cycle" refer to in the context of Identity and Access Management (IAM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The stages a digital identity goes through from creation to deletion
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The stages a digital identity goes through from creation to deletion.
Explanation: The identity life cycle in the context of IAM refers to the stages a digital identity goes through from creation to deletion. This includes processes such as provisioning, managing, and deprovisioning identities.

573
Q

What does the term “multifactor authentication
(MFA)” refer to in the context of authentication
systems?
A. The process of a user claiming or professing an identity
B. The use of two or more independent credentials for verifying a user’s identity
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The use of two or more independent
credentials for verifying a user’s identity
Explanation: Multifactor authentication (MFA) in
the context of authentication systems refers to the
use of two or more independent credentials, drawn from
different factor categories, for verifying a user’s
identity. This typically involves a combination of
something the user knows (like a password), something
the user has (like a smart card), and something the
user is (like a biometric trait). Two credentials from
the same category (two passwords) do not count as MFA.

574
Q

What is the purpose of the “non-repudiation”
principle in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have the minimum levels of access necessary to perform their job
functions
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them

A

D. To ensure that actions can be definitively
traced back to the individual who performed them,
and they cannot deny performing them
Explanation: The “non-repudiation” principle in
access control is designed to ensure that actions can
be definitively traced back to the individual who
performed them, and they cannot deny performing
them. This is typically important in legal contexts
where proof of action is required.

575
Q

What is the main disadvantage of using biometric
authentication systems?
A. It increases the number of passwords a user has to remember.
B. If the biometric data is compromised, it cannot be changed like a password.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. If the biometric data is compromised, it
cannot be changed like a password.
Explanation: The main disadvantage of using
biometric authentication systems is that if the
biometric data is compromised, it cannot be changed
like a password. This can lead to serious security
issues.

576
Q

What is the primary purpose of the RADIUS protocol
in the context of authentication systems?
A. To provide a secure communication channel
B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide encryption for data in transit

A

B. To provide a networking protocol that
offers centralized authentication, authorization, and
accounting (AAA) management for users who
connect and use a network service
Explanation: RADIUS (Remote Authentication
Dial-In User Service) is a networking protocol that
offers centralized authentication, authorization, and
accounting (AAA) management for users who
connect and use a network service.

577
Q

What does the term “Identity Federation” refer to in
the context of Identity and Access Management (IAM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

C. The process of allowing different
organizations to share and manage identity
information
Explanation: Identity Federation in the context of
IAM refers to the process of allowing different
organizations to share and manage identity
information. This allows users to use the same
credentials to access services across multiple
organizations.

578
Q

What does the term “identity proofing” refer to in
the context of Identity and Access Management
(IAM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of verifying a user’s claimed identity by comparing it against one or more reliable sources
D. The process of terminating access when an employee leaves the organization

A

C. The process of verifying a user’s claimed
identity by comparing it against one or more reliable
sources
Explanation: Identity proofing in the context of
IAM refers to the process of verifying a user’s
claimed identity by comparing it against one or more
reliable sources (for example government-issued
documents or trusted records). This is typically done
as part of the onboarding process, before a new
account is created.

579
Q

What does the term “biometrics” refer to in the
context of authentication systems?
A. The process of a user claiming or professing an
identity
B. The use of physical or behavioral characteristics
to verify a user’s identity
C. The process of allowing different organizations
to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The use of physical or behavioral
characteristics to verify a user’s identity
Explanation: Biometrics in the context of
authentication systems refers to the use of physical
or behavioral characteristics to verify a user’s
identity. This can include fingerprints, facial
recognition, voice recognition, and other unique
characteristics.

580
Q

What is the purpose of the “accountability” principle
in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have the minimum levels of access necessary to perform their job functions
C. To prevent any single individual from being able
to complete a significant process or transaction on their own
D. To ensure that actions can be traced back to the individual who performed them

A

D. To ensure that actions can be traced
back to the individual who performed them
Explanation: The “accountability” principle in
access control is designed to ensure that actions can
be traced back to the individual who performed
them. This is typically done through the use of audit
logs and other tracking mechanisms.

581
Q

What is the main disadvantage of using a Federated
Identity Management (FIM) system?
A. It increases the number of passwords a user has to remember.
B. If the FIM system is compromised, all services that use it are potentially at risk.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. If the FIM system is compromised, all
services that use it are potentially at risk.
Explanation: The main disadvantage of using a
Federated Identity Management (FIM) system is
that if the FIM system is compromised, all services
that use it are potentially at risk. This is because the
attacker would have access to all the systems the
user can access through the FIM system.

582
Q

What is the primary purpose of the Kerberos protocol in the context of authentication systems?
A. To provide a secure communication channel
B. To provide encryption for data in transit
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide a secure method for transmitting information and authenticating both the user and the server

A

D. To provide a secure method for
transmitting information and authenticating both the
user and the server
Explanation: Kerberos is a network authentication
protocol that provides a secure method for
transmitting information and authenticating both the
user and the server. It uses secret-key cryptography
to prevent eavesdropping and replay attacks.

583
Q

What does the term “Identity as a Service (IDaaS)”
refer to?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. A cloud-based service that provides Identity and Access Management functions to an organization’s systems that reside on-premises and/or in the cloud

A

D. A cloud-based service that provides
Identity and Access Management functions to an
organization’s systems that reside on-premises
and/or in the cloud
Explanation: Identity as a Service (IDaaS) refers
to a cloud-based service that provides Identity and
Access Management functions to an organization’s
systems that reside on-premises and/or in the cloud.
It is typically used by organizations that want to
outsource their identity services to a third-party
provider.

584
Q

What does the term “identification” refer to in the
context of Access Control Services?
A. The process of a user claiming or professing an identity
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

A. The process of a user claiming or
professing an identity
Explanation: Identification in the context of
Access Control Services refers to the process of a
user claiming or professing an identity. This is
typically the first step in the authentication process.

585
Q

What is the purpose of the “least privilege” principle
in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have the minimum levels of access necessary to perform their job functions
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that users know the consequences of misusing their access rights

A

B. To ensure that users only have the
minimum levels of access necessary to perform their
job functions
Explanation: The “least privilege” principle in
access control is designed to ensure that users only
have the minimum levels of access necessary to
perform their job functions. This minimizes the risk
of unauthorized access and data breaches.

586
Q

What is the main advantage of using a Federated
Identity Management (FIM) system?
A. It increases the number of passwords a user has to remember.
B. It allows users to use the same credentials to access services across multiple organizations.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. It allows users to use the same
credentials to access services across multiple
organizations.
Explanation: The main advantage of using a
Federated Identity Management (FIM) system is
that it allows users to use the same credentials to
access services across multiple organizations. This
not only improves user convenience but also reduces
the risk of password-related security issues.

587
Q

What does the term “authorization” refer to in the
context of Access Control Services?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of determining what actions a user is allowed to perform
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The process of determining what actions
a user is allowed to perform
Explanation: Authorization in the context of
Access Control Services refers to the process of
determining what actions a user is allowed to
perform. This is typically based on the user’s role,
responsibilities, and the principle of least privilege.

588
Q

What does the term “accountability” refer to in the
context of Access Control Services?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. The ability to link actions to a specific user and hold them responsible for their actions

A

D. The ability to link actions to a specific
user and hold them responsible for their actions
Explanation: Accountability in the context of
Access Control Services refers to the ability to link
actions to a specific user and hold them responsible
for their actions. This is typically done through the
use of audit logs and other tracking mechanisms.

589
Q

What does the term “authentication” refer to in the
context of Access Control Services?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

A. The process of confirming or establishing
that somebody is who they claim to be
Explanation: Authentication in the context of
Access Control Services refers to the process of
confirming or establishing that somebody is who
they claim to be. This is typically done through the
use of passwords, biometrics, or other forms of
identification.

590
Q

What is the purpose of the “separation of duties” principle in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have access to the information they need to perform their job functions
C. To prevent any single individual from being able to complete a significant process or transaction on their own
D. To ensure that users know the consequences of misusing their access rights

A

C. To prevent any single individual from
being able to complete a significant process or
transaction on their own
Explanation: The “separation of duties” principle
in access control is designed to prevent any single
individual from being able to complete a significant
process or transaction on their own. This reduces
the risk of fraud and error.

591
Q

What is the main disadvantage of using a Single Sign-On (SSO) system?
A. It increases the number of passwords a user has to remember.
B. If the SSO system is compromised, all services that use it are potentially at risk.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

B. If the SSO system is compromised, all
services that use it are potentially at risk.
Explanation: The main disadvantage of using a
Single Sign-On (SSO) system is that if the SSO
system is compromised, all services that use it are
potentially at risk. This is because the attacker
would have access to all the systems the user can
access through the SSO system.

592
Q

What is the primary purpose of the OpenID Connect
protocol in Federated Identity Management (FIM)?
A. To provide a secure communication channel
B. To provide encryption for data in transit
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide a simple identity layer on top of the OAuth 2.0 protocol

A

D. To provide a simple identity layer on top
of the OAuth 2.0 protocol
Explanation: OpenID Connect is a protocol used
in Federated Identity Management (FIM) that
provides a simple identity layer on top of the OAuth
2.0 protocol. It lets a client verify the identity of
the end user based on the authentication performed
by an authorization server, delivered as a signed ID
token (a JWT) whose signature, issuer, audience,
expiry and nonce the client must check before
trusting any claim in it.
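
As an added example (not part of the flashcards), the following Python shows what an OpenID Connect client does with the ID token it receives. The token is minted inline and signed with HS256 using a client secret, the symmetric option the OIDC spec allows, so the example runs offline; real providers usually sign with RS256/ES256 keys published at a JWKS endpoint, but the claim checks are the same. The issuer URL, client ID, subject, nonce and secret are invented for the illustration.

```python
# Added example, not from the flashcards: ID token validation in an
# OpenID Connect client. Issuer, client_id, nonce and secret are assumed.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    """JWTs use unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a JWT the way the provider would. alg='none' exists here only
    to build a hostile test token; a genuine provider never emits it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now=None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Order matters: reject unexpected algorithms (including 'none') and
    verify the signature BEFORE reading any claim, then check iss, aud,
    exp and the nonce that ties the token to this client's login request.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):   # constant-time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo() -> dict:
    secret = b"client-secret-shared-with-the-provider"      # assumed
    issuer, client_id, nonce = "https://idp.example", "app-123", "n-8f3a"   # assumed
    now = 1_700_000_000                                      # fixed clock for repeatability
    base = {"iss": issuer, "aud": client_id, "sub": "user-42",
            "iat": now, "exp": now + 300, "nonce": nonce}
    good = make_id_token(base, secret)
    results = {"good_sub": validate_id_token(good, secret, issuer, client_id, nonce, now)["sub"]}
    hostile = {
        "other_client": make_id_token({**base, "aud": "other-app"}, secret),
        "expired": make_id_token({**base, "exp": now - 1}, secret),
        "forged": make_id_token({**base, "sub": "admin"}, b"attacker-guess"),
        "alg_none": make_id_token({**base, "sub": "admin"}, secret, alg="none"),
    }
    for name, token in hostile.items():
        try:
            validate_id_token(token, secret, issuer, client_id, nonce, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "alg none" case is the one to remember: a validator that trusts the header's algorithm field lets an attacker strip the signature entirely, so the client pins the algorithm it expects rather than reading it from the token.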

593
Q

What does the term “federation” refer to in the
context of Federated Identity Management (FIM)?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of granting access to systems and data to a new employee
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

C. The process of allowing different
organizations to share and manage identity
information
Explanation: Federation in the context of
Federated Identity Management (FIM) refers to the
process of allowing different organizations to share
and manage identity information. This allows users
to use the same credentials to access services across
multiple organizations.

594
Q

What is the purpose of the “need-to-know” principle
in access control?
A. To ensure that users have access to all the information they might need
B. To ensure that users only have access to the information they need to perform their job functions
C. To ensure that users know how to use the systems and data they have access to
D. To ensure that users know the consequences of misusing their access rights

A

B. To ensure that users only have access to
the information they need to perform their job
functions
Explanation: The “need-to-know” principle in
access control is designed to ensure that users only
have access to the information they need to perform
their job functions. This minimizes the risk of
unauthorized access and data breaches.

595
Q

What is the main advantage of using a Single Sign-On (SSO) system?
A. It reduces the number of passwords a user has to remember.
B. It increases the complexity of the authentication process.
C. It reduces the need for encryption.
D. It increases the need for firewalls.

A

A. It reduces the number of passwords a
user has to remember.
Explanation: The main advantage of using a
Single Sign-On (SSO) system is that it reduces the
number of passwords a user has to remember. This
not only improves user convenience but also reduces
the risk of password-related security issues.

596
Q

What is the primary purpose of the OAuth protocol
in Federated Identity Management (FIM)?
A. To provide a secure communication channel
B. To provide encryption for data in transit
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide a firewall for network security

A

C. To allow third-party services to access
user data without needing to know the user’s
credentials
Explanation: OAuth is a protocol used in
Federated Identity Management (FIM) that allows
third-party services to access user data without
needing to know the user’s credentials.

597
Q

What does the term “deprovisioning” refer to in the
context of the identity life cycle?
A. The process of granting access to systems and data to a new employee
B. The process of confirming or establishing that somebody is who they claim to be
C. The process of terminating access when an employee leaves the organization
D. The process of reviewing a user’s access to assets and systems

A

C. The process of terminating access when
an employee leaves the organization
Explanation: Deprovisioning in the identity life
cycle refers to the process of terminating access
when an employee leaves the organization. This
includes activities such as revoking access rights,
returning equipment, and archiving user data.

598
Q

What does the term “Just-in-Time Access” refer to in
the context of access control?
A. The process of granting access to systems and data to a new employee
B. The elevation of user privileges for a short period to complete necessary but infrequent tasks
C. The process of terminating access when an employee leaves the organization
D. The process of reviewing a user’s access to assets and systems

A

B. The elevation of user privileges for a
short period to complete necessary but infrequent
tasks
Explanation: Just-in-Time Access refers to the
elevation of user privileges to an authorized user for
a short period, so a user may complete necessary
but infrequent tasks. It mitigates the need for long-term elevation of privileges, which minimizes
potential security risks.

599
Q

What is the purpose of the CAPTCHA security measure?
A. To prevent automated account creation, spam, and brute-force password guessing attacks
B. To encrypt data in transit
C. To provide a firewall for network security
D. To authenticate users

A

A. To prevent automated account creation,
spam, and brute-force password guessing attacks
Explanation: CAPTCHA is a security measure that
works by asking a user to complete a simple test to
prove they’re human and not a robot or automated
program. It is used to slow down or prevent automated
account creation, spam, and brute-force password
guessing attacks (passwords are guessed, not decrypted,
in such attacks). It does not itself authenticate anyone.

600
Q

Which of the following is a potential risk relating to
Identity as a Service (IDaaS)?
A. Availability of the service
B. Protection of critical identity data
C. Entrusting a third party with sensitive or proprietary data
D. All of the above

A

D. All of the above
Explanation: All the options listed are potential
risks relating to IDaaS. These include the availability
of the service, protection of critical identity data,
and entrusting a third party with sensitive or
proprietary data.

601
Q

What is the primary function of the Security Assertion Markup Language (SAML) in Federated Identity Management (FIM)?
A. To provide encryption for data in transit
B. To provide authentication and authorization
C. To provide a secure communication channel
D. To provide a firewall for network security

A

B. To provide authentication and
authorization
Explanation: SAML is the XML-based standard used
in Federated Identity Management (FIM) solutions:
an identity provider issues digitally signed assertions
about a user, which a service provider consumes to make
both authentication and authorization decisions. SAML
assertions can carry authentication statements, attribute
statements, and authorization decision statements.

602
Q

What does the term “provisioning” refer to in the
context of the identity life cycle?
A. The process of confirming or establishing that
somebody is who they claim to be
B. The process of granting access to systems and
data to a new employee or when an employee changes roles
C. The process of terminating access when an employee leaves the organization
D. The process of reviewing a user’s access to assets and systems

A

B. The process of granting access to
systems and data to a new employee or when an
employee changes roles
Explanation: Provisioning in the identity life cycle
refers to the process of granting access to systems
and data to a new employee or when an employee
changes roles. This includes activities such as
background checks, confirming skills, and identity
proofing.

603
Q

Which of the following is NOT a component of Access Control Services?

A. Identification
B. Authentication
C. Authorization
D. Encryption

A

D. Encryption
Explanation: Access Control Services consist of identification, authentication, authorization, and accountability. Encryption, while a crucial aspect of
security, is not a component of Access Control Services as defined in this context.

604
Q

What is the primary preventive measure for session hijacking?

A. Frequent password changes
B. Use of firewalls
C. Frequent reauthentication
D. Use of antivirus software

A

C. Frequent reauthentication
Explanation: The primary way to prevent
session hijacking is frequent reauthentication,
performed by the system in a manner that is
transparent to the user, so that a stolen session
remains useful to an attacker only briefly. In
practice this is paired with sending session
identifiers only over TLS, keeping session lifetimes
short, and regenerating the session identifier after
login or any change of privilege.

605
Q

What does the acronym SAML stand for in the context of Federated Identity Management (FIM)?
A. Security Assertion Markup Language
B. Secure Access Management Language
C. System Authentication Markup Language
D. Secure Authorization Markup Language

A

A. Security Assertion Markup Language
Explanation: SAML stands for Security Assertion
Markup Language, the XML-based standard through which
an identity provider passes signed assertions about a
user to a service provider in Federated Identity
Management (FIM) solutions, supporting both
authentication and authorization.

606
Q

Which of the following is NOT a fundamental access control principle?

A. Need to know
B. Least privilege
C. Separation of duties
D. Maximum privilege

A

D. Maximum privilege
Explanation: The fundamental principles of access
control are “need to know,” “least privilege,” and
“separation of duties.” The principle of “maximum
privilege” does not exist in access control; it
contradicts the principle of “least privilege,” which
states that a user should have the minimum levels of
access necessary to perform their job functions.

607
Q

What is the primary purpose of Identity and Access Management (IAM)?

A. To ensure data integrity
B. To control the way assets are accessed
C. To ensure data availability
D. To ensure data confidentiality

A

B. To control the way assets are accessed
Explanation: IAM is primarily concerned with controlling how assets are accessed within an organization. It involves managing digital identities and implementing the necessary technology to
improve user experience, cost control, and risk mitigation.

608
Q

In an Ethernet environment using CSMA/CD (Carrier Sense Multiple Access with Collision Detection), what does CSMA/CD imply?
A. Ethernet environments avoid collisions by detecting their likelihood before transmitting.
B. Ethernet environments only allow an individual host to access the cable at any given time and are capable of detecting collisions as they happen.
C. Even though Ethernet traffic is prone to collisions, a hub can all but eliminate them.
D. Though multiple systems can access the media
simultaneously, the result will be a collision, which should be immediately detected.

A

D. Though multiple systems can access the
media simultaneously, the result will be a collision,
which should be immediately detected.
Explanation: CSMA/CD is the media access method
of classic shared-media Ethernet. Each host senses the
carrier and transmits only when the medium is idle,
but two hosts can still start at the same moment; the
resulting collision is detected, both stop, send a jam
signal, and retry after a random backoff so the
corrupted frames are not accepted as data.

609
Q

What is the primary difference between discretionary access control (DAC) and mandatory access control (MAC)?
A. DAC is determined by the owner of the asset, while MAC is determined by the system based on labels.
B. DAC is determined by the system based on labels, while MAC is determined by the owner of the asset.
C. DAC is a protocol for enabling Single Sign-On, while MAC is an improved version of DAC.
D. DAC is an improved version of MAC, while MAC is a protocol for enabling Single Sign-On.

A

A. DAC is determined by the owner of the
asset, while MAC is determined by the system based
on labels.
Explanation: Discretionary access control (DAC)
means an asset owner determines who can access
the asset; access is given at the discretion of the
owner. Mandatory access control (MAC) determines
access based upon the clearance level of the subject
and classification, or sensitivity, of the object.
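
As an added example (not part of the flashcards), the Python below decides comparable requests under DAC and under MAC. The four label names, the owner-kept ACL for DAC, and the Bell-LaPadula "no read up / no write down" rules used as the MAC policy are assumptions made for the illustration; real systems (Windows ACLs, SELinux) are richer.

```python
# Added example, not from the flashcards: DAC versus MAC decisions.
# Labels, ACL shape and the Bell-LaPadula rules are assumed for the demo.
from dataclasses import dataclass, field

# Ordered sensitivity labels, lowest first (assumed for the example).
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def rank(label: str) -> int:
    """Position of a label in the ordered lattice; raises on unknown labels."""
    return LEVELS.index(label)


@dataclass
class DacObject:
    """DAC: the owner decides who may do what, through an ACL only they edit."""
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Discretion lies with the owner alone; anyone else is refused.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        # The owner implicitly holds all rights; others need an ACL entry.
        return user == self.owner or perm in self.acl.get(user, set())


def mac_allows(clearance: str, classification: str, perm: str) -> bool:
    """MAC: the system decides from labels; no owner can override it.

    read  -> subject clearance must dominate object classification (no read up)
    write -> object classification must dominate subject clearance (no write down)
    """
    if perm == "read":
        return rank(clearance) >= rank(classification)
    if perm == "write":
        return rank(clearance) <= rank(classification)
    raise ValueError(f"unknown permission {perm!r}")


def demo() -> dict:
    """Run both models on comparable requests and return the decisions."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")          # alice shares at her discretion
    try:
        report.grant("bob", "mallory", "read")    # bob cannot re-share: not the owner
        bob_can_delegate = True
    except PermissionError:
        bob_can_delegate = False
    return {
        "dac_bob_read": report.allows("bob", "read"),           # True
        "dac_bob_write": report.allows("bob", "write"),         # False, never granted
        "dac_bob_can_delegate": bob_can_delegate,                # False
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),    # True
        "mac_confidential_reads_secret": mac_allows("confidential", "secret", "read"),    # False
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),  # False
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The contrast to notice is where the decision lives: in DAC the owner's ACL is consulted and the owner can change it at will, while in MAC the subject's clearance and the object's classification are compared by the system and nothing the owner does can widen access.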

610
Q

What is the primary purpose of the Authenticator
Assurance Levels (AAL)?
A. To provide a secure communication channel
B. To rank the strength of authentication processes and systems
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To provide encryption for data in transit

A

B. To rank the strength of authentication
processes and systems
Explanation: Authenticator Assurance Levels
(AAL), defined in NIST SP 800-63B, rank the strength
of authentication processes and systems from AAL1
(least robust, a single factor is sufficient) to AAL3
(most robust, requiring a hardware-based authenticator
as part of multifactor authentication).

611
Q

What is the primary function of the SESAME protocol in the context of Single Sign-On authentication?
A. To provide a secure communication channel
B. To provide accounting, authentication, and auditing services
C. To allow third-party services to access user data without needing to know the user’s credentials
D. To support both symmetric and asymmetric cryptography

A

D. To support both symmetric and
asymmetric cryptography
Explanation: The Secure European System for
Applications in a Multivendor Environment, better
known as SESAME, is an improved version of
Kerberos. One of the big advantages of SESAME
over Kerberos is that it supports both symmetric and
asymmetric cryptography.

613
Q

If a network communication issue is caused by a Layer 1 problem, what is the most likely cause?

A. Cable
B. Router
C. Switch
D. Network Interface Card (NIC)

A

A. Cable

Explanation: Layer 1 of the OSI model, the
Physical Layer, deals with the physical
characteristics of the network, such as the network cable. Therefore, if there’s a Layer 1 issue, it’s most likely related to the physical connection, such as the cable.

614
Q

What is a birthday attack?
A. An attack on passwords based on users choosing weak passwords such as birthdays
B. A logic bomb that triggers on the attacker’s birthday
C. An attack that attempts to find collisions in separate messages
D. An attack that focuses on personnel databases to compromise personal information

A

C. An attack that attempts to find collisions
in separate messages
Explanation: A birthday attack is a type of
cryptographic attack that exploits the mathematics
behind the birthday problem in probability theory.
The attack depends on finding collisions, which are
two inputs producing the same hash output.
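
As an added example (not part of the flashcards), the Python below runs a birthday attack against SHA-256 truncated to a small number of bits, showing that a collision turns up after roughly the square root of 2^bits hashes rather than 2^bits. The truncation length and the counter-numbered messages are assumptions made for the demonstration.

```python
# Added example, not from the flashcards: birthday attack on a truncated
# hash. Truncation width and the message format are assumed for the demo.
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(message) as an integer."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> tuple:
    """Hash distinct messages until two share a truncated digest.

    Returns (message_a, message_b, attempts). Messages come from a counter,
    so the search is deterministic and repeatable.
    """
    seen = {}                               # truncated digest -> first message seen
    attempts = 0
    while True:
        msg = prefix + str(attempts).encode()
        attempts += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def expected_attempts(bits: int) -> float:
    """Expected hashes until the first collision among 2^bits outputs,
    about sqrt(pi/2 * 2^bits); finding a second preimage for one fixed
    digest would instead take about 2^bits hashes."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 28
    a, b, n = find_collision(bits)
    print(f"collision after {n} hashes (expected about {expected_attempts(bits):.0f}, "
          f"versus about {2 ** bits} for a second-preimage search)")
    print(a, b, hex(truncated_hash(a, bits)))
```

This is why collision resistance is rated at half the digest length: a 128-bit digest resists collisions only at the 64-bit work level, which is the reasoning behind retiring MD5 and SHA-1 for signatures.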

615
Q

What provides the secrecy in a hashing algorithm?
A. A public key
B. A private key
C. One-way math
D. A digital signature

A

C. One-way math
Explanation: Hashing algorithms use one-way
functions: the output (the hash) cannot be
mathematically reversed to reveal the original input,
and that one-way property is what the question calls
secrecy. It only holds when the input is hard to guess;
a hash of a low-entropy input such as a short password
can be recovered by hashing candidate inputs and
comparing, which is why password storage adds salts
and deliberately slow hash functions.

616
Q

How is non-repudiation achieved when using a combination of hashing and an asymmetric
algorithm?
A. Encrypt the document with the sender’s private key, then hash the document
B. Encrypt the document with the sender’s public key, then hash the document
C. Hash the document and then encrypt the hash
with the sender’s private key
D. Hash the document, then encrypt the hash with
the receiver’s public key

A

C. Hash the document and then encrypt the
hash with the sender’s private key
Explanation: Non-repudiation is achieved by
creating a hash of the message and then encrypting
that hash with the sender’s private key. This creates
a digital signature that can be verified by anyone
with the sender’s public key, proving that the
message came from the sender and has not been
altered.
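
As an added example (not part of the flashcards), the Python below carries out the hash-then-sign flow with a toy RSA key, since RSA signing really is "encrypt the hash with the private key": s = h^d mod n, checked by anyone with the public key as s^e mod n == h. Assumptions: the key pairs are built from fixed Mersenne primes so the code runs offline without a crypto library, and the raw digest is signed. That is textbook (unpadded) RSA, fine for showing the mechanics and not for real use; production code signs with a vetted library using RSA-PSS or ECDSA.

```python
# Added example, not from the flashcards: hash-then-sign for non-repudiation
# with textbook RSA over fixed Mersenne primes (assumed; never do this for real).
import hashlib


def make_toy_keypair(p: int = (1 << 127) - 1, q: int = (1 << 521) - 1):
    """Return ((n, e), (n, d)). Defaults are two Mersenne primes large enough
    that n exceeds a 256-bit digest; real keys come from a proper generator."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """Step 1: hash the document; treat the SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 2: 'encrypt' the hash with the sender's private key."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verifier: 'decrypt' the signature with the sender's public key and
    compare with a fresh hash of the document actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def demo() -> dict:
    alice_pub, alice_priv = make_toy_keypair()
    mallory_pub, _ = make_toy_keypair((1 << 107) - 1, (1 << 607) - 1)   # a different key
    contract = b"Alice agrees to pay Bob 100 EUR on 2024-06-01."        # constructed sample
    sig = sign(contract, alice_priv)
    return {
        # Only Alice's private key could have produced sig: she cannot deny it.
        "valid": verify(contract, sig, alice_pub),                                # True
        # Any change to the document changes the hash, so the signature fails.
        "tampered": verify(contract.replace(b"100", b"900"), sig, alice_pub),     # False
        # A signature checked against someone else's public key fails.
        "wrong_signer": verify(contract, sig, mallory_pub),                       # False
    }


if __name__ == "__main__":
    print(demo())
```

Signing the hash rather than the document keeps the signature a fixed size and means the verifier needs nothing but the document, the signature and the sender's public key.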

617
Q

If a user receives a spoofed email, which security
service would have indicated the spoofing?
A. Privacy
B. Authorization
C. Integrity
D. Non-repudiation

A

D. Non-repudiation
Explanation: Non-repudiation provides proof of
the origin or delivery of data to protect against
denial by the parties involved. In the context of
email, it would provide evidence that the email was
indeed sent by the claimed sender.

618
Q

The Germans added a fourth rotor to the Enigma machine during World War II to increase the complexity of breaking the code. What modern relationship reflects this concept?
A. AES and Kerberos
B. DES/3DES
C. RSA and DSA
D. RSA and DES

A

B. DES/3DES
Explanation: The relationship between DES and
3DES mirrors the concept of adding complexity to
encryption. 3DES, which applies the DES algorithm
three times to each data block, was developed to
provide a simple method of increasing the key size of
DES to protect against brute-force attacks.

619
Q

Which modern encryption technology is based on the
ideas implemented in the Vernam Cipher, created in 1918?
A. Asymmetric cryptography
B. Digital signatures
C. Handshake process used by IPSec
D. Session keys

A

D. Session keys
Explanation: The Vernam Cipher is a symmetric
key cipher using a one-time pad. Modern session
keys, which are used for a single session and then
discarded, are based on this concept of using a key
only once.

620
Q

While evaluating a system, trust and assurance are included in the scope. What best describes these two
elements?
A. Trust describes security; assurance describes performance.
B. Assurance describes security; trust describes
performance.
C. Trust describes product function; assurance describes process reliability.
D. Assurance describes product function; trust describes process reliability.

A

C. Trust describes product function;
assurance describes process reliability.
Explanation: Trust refers to the functionality and
security features of a product, while assurance
relates to the confidence in the development
process, ensuring that the product functions as
intended.

621
Q

When evaluating a system’s security categorization
based on the potential impact of unauthorized
disclosure (high), integrity breach (medium), and
temporary unavailability (low), what is the overall
categorization?
A. High
B. Medium
C. Low
D. Medium-high

A

A. High
Explanation: The overall categorization of a
system is typically determined by the highest level of
potential impact among the evaluated criteria. In
this case, the high potential impact of unauthorized
disclosure would define the overall categorization.

622
Q

Why is the alignment of security controls with business objectives important?
A. There is always a trade-off for security, so an organization has to weigh the cost vs. benefits.
B. Security is cheap and easily implemented compared to potential loss.
C. Security must be implemented as much as possible.
D. Security is too costly for small organizations.

A

B. There is always a trade-off for security,
so an organization has to weigh the cost vs. benefits.
Explanation: Aligning security controls with
business objectives ensures that security measures
are balanced with the organization’s goals,
resources, and risk tolerance. It helps in making
informed decisions about where to invest in security.

623
Q

During access authorization, the conceptual ruleset is known as the __________, and the enforcement mechanism is referred to as the _________.
A. Access control list, reference monitor
B. Security enforcer, access control list
C. Reference monitor, security kernel
D. Security kernel, reference monitor

A

A. Access control list, reference monitor
Explanation: During access authorization, the
conceptual ruleset defining the access rights and
permissions for users and objects within a system is
commonly called the access control list (ACL). The
enforcement mechanism that ensures that these
access controls are properly implemented and
adhered to is known as the reference monitor.
Therefore, the correct answer to fill in the blanks is
A. Access control list, reference monitor. The other
options do not accurately represent the standard
terminology used in access control and authorization
within information security. The security kernel is a
core component of a computer’s operating system
that deals with security-related functions, and the
term “security enforcer” is not a standard term used
in this context.

624
Q

The trust in a system reflects the trust in specific components. What are these components collectively called?
A. Ring 1 elements
B. Trusted computing base
C. Operating system kernel
D. Firmware

A

B. Trusted computing base
Explanation: The trusted computing base (TCB)
includes all the components of a system that are
critical to its security, including hardware, firmware,
and software. Trust in the TCB is essential for
overall system security.

625
Q

While training can reduce social engineering attacks, it doesn’t eliminate the risk. What administrative policy is most likely to help mitigate this risk?
A. Formal onboarding policies
B. Job rotation
C. Formal off-boarding policies
D. Segregation of duties

A

D. Segregation of duties
Explanation: Segregation of duties (SoD) ensures
that no single individual has control over all aspects
of any critical transaction. By dividing tasks and
privileges, SoD reduces the risk of a single point of
failure, which can be exploited through social
engineering.

626
Q

During which phase of business continuity planning
(BCP) development must senior management commit to support, fund, and assist in creating the BCP?
A. Project initiation
B. Planning
C. Implementation
D. Development

A

A. Project initiation
Explanation: The commitment from senior
management is essential at the project initiation
phase of BCP. This ensures that the project has the
necessary support and resources to proceed.

627
Q

A key recovery agent may be used to mitigate the risk of losing a private key. However, this increases non-repudiation risk. What principle can be implemented to reduce this risk?
A. Segregation of duties
B. Principle of least privilege
C. Dual control
D. Need to know

A

C. Dual control
Explanation: Dual control requires two or more
individuals to perform a task, ensuring that no single
person has complete control over critical functions.
This can mitigate the risk associated with a single
individual having access to users’ private keys.

628
Q

The Heartbleed virus exposed vulnerabilities in OpenSSL. Many believe that open design provides
greater security than closed design. What consideration is typically required for open design to enhance security?
A. Peer review
B. Security through obscurity
C. Complexity of design
D. Trusted hierarchy

A

A. Peer review
Explanation: Open design allows for transparency
and collaboration, enabling peer review of the code.
This collective examination can identify and fix
vulnerabilities, making the system more secure.

629
Q

The “state machine model” requires a system to be
protected in all states, including startup, function, and shutdown. What security concept exemplifies this method of response?
A. Open design
B. Closed design
C. Trusted recovery
D. Least privilege

A

C. Trusted recovery
Explanation: Trusted recovery refers to the ability
of a system to respond to failures or security
breaches in a manner that prevents further
compromises. It ensures that the system can recover
to a secure state, even after a failure or attack.

630
Q

Which security principle is at play in an access
control system that grants users only the rights
necessary to perform their work?
A. Discretionary access
B. Least privilege
C. Mandatory access
D. Separation of duties

A

B. Least privilege
Explanation: The principle of least privilege
dictates that individuals should have only the
permissions necessary to perform their job
functions. This minimizes the potential damage from
accidental mishaps or intentional malicious activities
by limiting access rights to the bare minimum
required to complete the task.

631
Q

In a mandatory access control (MAC) system, what
guides the assignment of data classifications?
A. Analysis of the users in conjunction with the
audit department
B. Assessment by the information security department
C. User’s evaluation of a particular information element
D. Organization’s published security policy for data classification

A

D. Organization’s published security policy
for data classification
Explanation: In a MAC system, data
classifications are determined by the organization’s
formal security policy. This policy defines the rules
for classifying, handling, and protecting information,
ensuring that data is accessed only by authorized
individuals.

632
Q

What action should be taken when an employee
moves to a different position within an organization?
A. They must undergo a new security review.
B. Their old system IDs must be disabled.
C. All access permissions should be reviewed.
D. They must surrender all access devices.

A

C. All access permissions should be
reviewed.
Explanation: When an employee transfers within
an organization, it's essential to review all access
permissions to ensure that they align with the new
role. This helps prevent privilege creep and ensures
that the employee has the appropriate access for
their new position.

633
Q

The acronym IAAA represents the four stages of
access control. Which option correctly defines and
orders the IAAA terms?
A. Integrity, authorization, auditing, and accounting
B. Identity, authentication, authorization, and auditing
C. Integrity, authorization, authentication, and auditing
D. Identity, accounting, authorization, and auditing

A

B. Identity, authentication, authorization,
and auditing
Explanation: The IAAA model describes the four
key components of access control.
Identity: Establishing who the user is
Authentication: Verifying the user's identity
Authorization: Determining what the user is
allowed to do
Auditing: Monitoring and recording user activities

634
Q

What is the correct definition of authentication?
A. The declaration of a unique identity for an individual or system
B. The procedure for confirming a user's identity
C. The process of outlining the specific resources a user requires and determining their access level
D. The management’s assertion that the user should have access to a system

A

B. The procedure for confirming a user's
identity
Explanation: Authentication is the process of
verifying the identity of a user, system, or device. It
ensures that the entity requesting access is who or
what it claims to be.

635
Q

Which combination of controls exemplifies multifactor authentication?
A. Token and access card
B. Access card and PIN
C. Eye scan and fingerprint reader
D. Password and PIN

A

B. Access card and PIN
Explanation: Multifactor authentication (MFA)
requires the utilization of at least two distinct factors
from different categories of authentication, such as
something you know (knowledge), something you
have (possession), and something you are
(inherence). Analyzing the given options, the
combination of an access card (something you have)
and a PIN (something you know) represents two
different categories of authentication factors.
Therefore, option B, which combines an access card
and a PIN, exemplifies multifactor authentication.
The other options do not meet the criteria for MFA
as they either combine two factors from the same
category of something you have (option A),
something you are (option C), or something you
know (option D).

636
Q

In a public key infrastructure (PKI) system, what
does a user send to someone else to securely provide
the encryption key needed for encrypted communication?
A. Private key
B. Digital certificate
C. Public key
D. Digital signature

A

C. Public key
Explanation: In PKI, the public key is used to
encrypt messages, and only the corresponding
private key can decrypt them. By sharing the public
key, a user enables others to send them encrypted
messages that only they can read.

637
Q

Which metric for an access control system is least
likely to be manipulated by an administrator?
A. Crossover error rate
B. False rejection rate
C. False positive rate
D. False acceptance rate

A

A. Crossover error rate
Explanation: The crossover error rate (CER) is a
measure of the point where the false acceptance rate
equals the false rejection rate. It’s a fundamental
characteristic of the system and is not something
that can be easily adjusted by an administrator,
unlike the other rates that might be influenced by
system configuration.

638
Q

What access control flaw is most likely to occur in an
organization where employees are frequently reassigned to new roles?
A. False negative
B. Man in the middle
C. Privilege creep
D. False positive

A

C. Privilege creep
Explanation: Privilege creep occurs when
individuals retain access rights after moving to a
new position that does not require those rights. In an
organization where reassignments are common, this
can lead to employees accumulating unnecessary
and potentially risky privileges.

639
Q

Bouke and his supervisor must confirm a request to
delete user data at their Internet service provider. What access control mechanism is being utilized?
A. Separation of duties
B. Least privilege
C. Two-person control
D. Security through obscurity

A

C. Two-person control
Explanation: Two-person control requires two
individuals to approve an action before it can be
carried out. In this scenario, both Bouke and his
supervisor must confirm the request, ensuring a
higher level of scrutiny and reducing the risk of
unauthorized or accidental deletions.

640
Q

What access control method is employed by the
Windows NTFS file system in its standard configuration?
A. Rule-based AC
B. Role-based AC
C. MAC (mandatory access control)
D. DAC (discretionary access control)

A

D. DAC (discretionary access control)
Explanation: Windows NTFS uses discretionary
access control (DAC) by default. DAC allows the
owner of the resource to determine who can access
it and what permissions they have.

641
Q

In the Kerberos authentication protocol, which component is tasked with issuing the Ticket Granting Ticket?
A. Client
B. Authentication Server
C. Ticket Granting Server
D. Service Server

A

B. Authentication Server
Explanation: In Kerberos, the Authentication
Server is responsible for authenticating the client
and issuing a Ticket Granting Ticket (TGT), which is
later used to obtain service tickets from the Ticket
Granting Server.

642
Q

Which control offers the best defense against a rainbow table attack?

A. Strong encryption
B. Shadow file
C. Hashing
D. Salting

A

D. Salting

Explanation: Salting involves adding random data (a “salt”) to a password before hashing it. This ensures that even if two users have the same password, their hashes will be different due to the
unique salts. Salting effectively defends against rainbow table attacks, which exploit precomputed tables to reverse cryptographic hash functions.

643
Q

Aly fails to access a system using biometric authentication, along with his username and password. What kind of authentication event has taken place?
A. True negative
B. False positive
C. False negative
D. True positive

A

C. False negative
Explanation: A false negative occurs when a
legitimate user is incorrectly denied access. In this
scenario, Aly is a valid user, but the system
incorrectly rejects his authentication attempt.

644
Q

What term most accurately characterizes the
utilization of a password for authentication?
A. Something you know
B. Somewhere you are
C. Something you are
D. Something you have

A

A. Something you know
Explanation: A password is something that a user
knows and can recall. It’s a knowledge-based form of
authentication, as opposed to something physical
(something you have), a location (somewhere you
are), or a biometric characteristic (something you
are).

645
Q

Bouke, a security engineer, wants to enhance authentication by adding a smartphone authenticator that utilizes a time-based one-time password (TOTP) to the existing password system. What authentication method is he introducing?
A. Two-factor authentication (2FA)
B. Something you know
C. Three-factor authentication (3FA)
D. Multifactor authentication (MFA)

A

A. Two-factor authentication (2FA)
Explanation: Two-factor authentication (2FA)
requires two separate forms of identification for
access. In this case, Bouke is implementing a system
that requires something the user knows (a
password) and something the user has (a
smartphone authenticator using TOTP). This
combination of two factors enhances security by
requiring both something known and something
possessed, making unauthorized access more
difficult. Option D, MFA, is a broader term that
includes 2FA but is not as specific to this scenario.

646
Q

Which method is the most robust form of authentication among the given options?

A. Fingerprint scan
B. Retinal scan
C. Iris scan
D. Password

A

C. Iris scan

Explanation: Iris scans are considered one of the strongest forms of biometric authentication. They capture the unique patterns in the colored part of the eye, which are highly distinctive and stable over
time. Retinal scans are also strong but are more intrusive, while fingerprint scans can be more easily spoofed. Passwords are generally considered the weakest option among these, as they can be guessed, hacked, or stolen.

647
Q

What are two other types of access control mechanisms, besides technical controls, used to manage access within organizations?

A. Physical
B. Turnstile
C. Firewall
D. Administrative

A

A. Physical, D. Administrative

Explanation: Access controls can be broadly
categorized into three types. Technical controls: These include firewalls, encryption, and other technology-based solutions to control access to systems and data. Physical controls: These are measures like locks, gates, and turnstiles that control physical access to facilities. Administrative controls: These include policies, procedures, and guidelines that define how access is granted, reviewed, and revoked.

648
Q

If you have doubts about the authenticity of a new
employee’s college diploma, what would be the most
appropriate action for you to take to confirm their
educational background?
A. Examine the diploma’s paper quality.
B. Conduct a credit investigation.
C. Reach out to the college’s verification department.
D. Get in touch with the employee’s provided references.

A

C. Reach out to the college’s verification
department.
Explanation: The most reliable way to verify the
authenticity of a diploma is to contact the institution
that supposedly issued it. In this case, reaching out
to the college verification department would provide
an official confirmation or denial of the diploma’s
authenticity. Other options are either irrelevant
(such as running a credit check) or less reliable
(such as inspecting the paper type or contacting
references).

649
Q

Which access control model necessitates the use of
unique identifiers for individual users?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Rule-based access control

A

A. Discretionary access control (DAC)
Explanation: Discretionary access control (DAC)
is an access control model where the owner of an
object has complete control over who is allowed to
access it. In DAC, access is typically controlled
based on the identity of the user or a group the user
belongs to, so unique user identities are an essential
part of this model.

650
Q

Which authentication method uses only symmetric keys and tickets to provide its services?
A. Biometrics
B. Kerberos
C. SESAME
D. The Extensible Authentication Protocol (EAP)

A

B. Kerberos
Explanation: Kerberos is a network authentication
protocol that uses symmetric encryption and a
ticketing system to authenticate users in a network.
It relies on a trusted third party, known as the Key
Distribution Center (KDC), to facilitate secure
communication between entities.

651
Q

When there is a worry that separation of duties may
become less effective over time due to coworker
familiarity, what should be implemented to manage fraud?
A. Dual control
B. The principle of least privilege
C. Dynamic separation of duties
D. Job rotation

A

D. Job rotation
Explanation: Job rotation is the practice of
periodically moving employees between different
roles or responsibilities. It is used to prevent fraud
or collusion by ensuring that no single individual has
control over all aspects of any critical transaction.
By rotating roles, it makes it more difficult for
employees to engage in fraudulent activities,
especially when they have worked together for an
extended period.

652
Q

Which control relies on an attacker being unaware of
the asset being protected or the existing vulnerability?
A. Provisioning
B. Subject deterrent
C. Security through obscurity
D. Separation of duties

A

C. Security through obscurity
Explanation: Security through obscurity refers to
a principle in security engineering where the details
of a security mechanism, vulnerabilities, or the asset
itself are kept secret and hidden. The belief is that if
the attacker does not know the details, they will be
less likely to find vulnerabilities or successfully
attack the asset.

653
Q

What must be used to connect a network intrusion prevention system (IPS) sensor to a segment?
A. TACACS
B. A hybrid card
C. A supplicant
D. A span port

A

D. A span port
Explanation: A span port, or Switched Port
Analyzer port, is a designated port on a network
switch used to monitor and analyze network traffic.
It can be connected to an intrusion prevention
system (IPS) sensor to provide the sensor with
access to network data, allowing it to detect and
prevent malicious activities.

654
Q

What term describes a method where an individual
convinces an authentication service that they know
the password without actually revealing it?
A. Type I error
B. SESAME
C. A privilege attribute certificate (PAC)
D. The zero-knowledge proof

A

D. The zero-knowledge proof
Explanation: A zero-knowledge proof is a method
by which one party can prove to another party that
they know a value (such as a password) without
conveying any information about that value. In the
context of authentication, it enables a party to prove
they know the password without revealing it.

655
Q

Which of the following is a function included in the
authentication aspect of AAA (authentication,
authorization, accounting) services?
A. One-time password
B. Identification
C. Integrity verification
D. A transponder

A

B. Identification
Explanation: Authentication is the process of
verifying the identity of a user, device, or other
entities in a computer system, often using
usernames and passwords. The identification step is
crucial in this process, where the user claims an
identity, typically using a username. Therefore,
“identification” is the correct answer.

656
Q

What does the term “Just-in-Time Access” refer to in
the context of access control?
A. The process of confirming or establishing that somebody is who they claim to be
B. The process of elevating user privileges for a short period to complete necessary but infrequent tasks
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The process of elevating user privileges
for a short period to complete necessary but
infrequent tasks
Explanation: Just-in-Time Access refers to the
elevation of user privileges to an authorized user for
a short period, so a user may complete necessary
but infrequent tasks. It mitigates the need for long-
term elevation of privileges, which minimizes
potential security risks.

657
Q

What does the term “Identity as a Service (IDaaS)”
refer to?
A. The process of confirming or establishing that somebody is who they claim to be
B. The implementation or integration of identity services in a cloud-based environment
C. The process of allowing different organizations to share and manage identity information
D. The process of terminating access when an employee leaves the organization

A

B. The implementation or integration of
identity services in a cloud-based environment
Explanation: Identity as a Service (IDaaS) refers
to the implementation or integration of identity
services in a cloud-based environment. It has a
variety of capabilities, including provisioning,
administration, Single Sign-On (SSO), multifactor
authentication (MFA), and directory services.

658
Q

Which of the following is a function included in the
authentication aspect of AAA (authentication,
authorization, accounting) services?
A. One-time password
B. Identification
C. Integrity verification
D. A transponder

A

B. Identification
Explanation: Authentication is the process of verifying the identity of a user, device, or other entities in a computer system, often using usernames and passwords. The identification step is crucial in this process, where the user claims an identity, typically using a username. Therefore, "identification" is the correct answer.

659
Q

If an attacker sees guard dogs and decides against
attempting an attack, what kind of control does this
illustrate?
A. Physical deterrent
B. Subject preventive
C. Technical detective
D. Physical corrective

A

A. Physical deterrent
Explanation: A physical deterrent is a type of
control used to discourage an attacker from
proceeding with an attack. In this case, the presence
of guard dogs serves as a visible obstacle, deterring
the attacker from attempting to breach the
premises.

660
Q

Which of the following is a function included in the
authentication aspect of AAA (authentication,
authorization, accounting) services?
A. One-time password
B. Identification
C. Integrity verification
D. A transponder

A

B. Identification
Explanation: Authentication is the process of
verifying the identity of a user, device, or other
entities in a computer system, often using
usernames and passwords. The identification step is
crucial in this process, where the user claims an
identity, typically using a username. Therefore,
“identification” is the correct answer.

661
Q

What term describes a method where an individual
convinces an authentication service that they know
the password without actually revealing it?
A. Type I error
B. SESAME
C. A privilege attribute certificate (PAC)
D. The zero-knowledge proof

A

D. The zero-knowledge proof
Explanation: A zero-knowledge proof is a method
by which one party can prove to another party that
they know a value (such as a password) without
conveying any information about that value. In the
context of authentication, it enables a party to prove
they know the password without revealing it.

662
Q

What must be used to connect a network intrusion
prevention system (IPS) sensor to a segment?
A. TACACS
B. A hybrid card
C. A supplicant
D. A span port

A

D. A span port
Explanation: A span port, or Switched Port
Analyzer port, is a designated port on a network
switch used to monitor and analyze network traffic.
It can be connected to an intrusion prevention
system (IPS) sensor to provide the sensor with
access to network data, allowing it to detect and
prevent malicious activities.

663
Q

Which control relies on an attacker being unaware of the asset being protected or the existing vulnerability?

A. Provisioning
B. Subject deterrent
C. Security through obscurity
D. Separation of duties

A

C. Security through obscurity
Explanation: Security through obscurity refers to
a principle in security engineering where the details
of a security mechanism, vulnerabilities, or the asset
itself are kept secret and hidden. The belief is that if
the attacker does not know the details, they will be
less likely to find vulnerabilities or successfully
attack the asset.

664
Q

When there is a worry that separation of duties may
become less effective over time due to coworker
familiarity, what should be implemented to manage fraud?
A. Dual control
B. The principle of least privilege
C. Dynamic separation of duties
D. Job rotation

A

D. Job rotation
Explanation: Job rotation is the practice of
periodically moving employees between different roles or responsibilities. It is used to prevent fraud or collusion by ensuring that no single individual has control over all aspects of any critical transaction.
By rotating roles, it makes it more difficult for employees to engage in fraudulent activities, especially when they have worked together for an extended period.

665
Q

Which authentication method uses only symmetric keys and tickets to provide its services?
A. Biometrics
B. Kerberos
C. SESAME
D. The Extensible Authentication Protocol (EAP)

A

B. Kerberos
Explanation: Kerberos is a network authentication protocol that uses symmetric encryption and a
ticketing system to authenticate users in a network. It relies on a trusted third party, known as the Key Distribution Center (KDC), to facilitate secure communication between entities.

666
Q

Which access control model necessitates the use of unique identifiers for individual users?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Rule-based access control

A

A. Discretionary access control (DAC)
Explanation: Discretionary access control (DAC) is an access control model where the owner of an object has complete control over who is allowed to access it. In DAC, access is typically controlled based on the identity of the user or a group the user
belongs to, so unique user identities are an essential part of this model.

667
Q

If you have doubts about the authenticity of a new
employee's college diploma, what would be the most
appropriate action for you to take to confirm their
educational background?
A. Examine the diploma's paper quality.
B. Conduct a credit investigation.
C. Reach out to the college's verification department.
D. Get in touch with the employee's provided references.

A

C. Reach out to the college's verification
department.
Explanation: The most reliable way to verify the
authenticity of a diploma is to contact the institution
that supposedly issued it. In this case, reaching out
to the college verification department would provide
an official confirmation or denial of the diploma's
authenticity. Other options are either irrelevant
(such as running a credit check) or less reliable
(such as inspecting the paper type or contacting
references).

668
Q

What are two other types of access control mechanisms, besides technical controls, used to manage access within organizations?
A. Physical
B. Turnstile
C. Firewall
D. Administrative

A

A. Physical, D. Administrative
Explanation: Access controls can be broadly
categorized into three types.
Technical controls: These include firewalls,
encryption, and other technology-based solutions to control access to systems and data. Physical controls: These are measures like locks, gates, and turnstiles that control physical access to facilities.
Administrative controls: These include policies, procedures, and guidelines that define how access is granted, reviewed, and revoked.

669
Q

Which method is the most robust form of authentication among the given options?
A. Fingerprint scan
B. Retinal scan
C. Iris scan
D. Password

A

C. Iris scan
Explanation: Iris scans are considered one of the strongest forms of biometric authentication. They capture the unique patterns in the colored part of the eye, which are highly distinctive and stable over
time. Retinal scans are also strong but are more intrusive, while fingerprint scans can be more easily spoofed. Passwords are generally considered the weakest option among these, as they can be guessed, hacked, or stolen.

670
Q
  1. Bouke, a security engineer, wants to enhance authentication by adding a smartphone authenticator that utilizes a time-based one-time password (TOTP) to the existing password system. What authentication method is he introducing?
    A. Two-factor authentication (2FA)
    B. Something you know
    C. Three-factor authentication (3FA)
    D. Multifactor authentication (MFA)
A
  1. Answer: A. Two-factor authentication (2FA)
    Explanation: Two-factor authentication (2FA)
    requires two separate forms of identification for
    access. In this case, Bouke is implementing a system
    that requires something the user knows (a
    password) and something the user has (a
    smartphone authenticator using TOTP). This
    combination of two factors enhances security by
    requiring both something known and something
    possessed, making unauthorized access more
    difficult. Option D, MFA, is a broader term that
    includes 2FA but is not as specific to this scenario.
671
Q
  1. What term most accurately characterizes the
    utilization of a password for authentication?
    A. Something you know
    B. Somewhere you are
    C. Something you are
    D. Something you have
A

13. Answer: A. Something you know
Explanation: A password is something that a user
knows and can recall. It’s a knowledge-based form of
authentication, as opposed to something physical
(something you have), a location (somewhere you
are), or a biometric characteristic (something you
are).

671
Q
  1. Aly fails to access a system using biometric authentication, along with his username and password. What kind of authentication event has taken place?
    A. True negative
    B. False positive
    C. False negative
    D. True positive
A

14.
Answer: C. False negative
Explanation: A false negative occurs when a
legitimate user is incorrectly denied access. In this
scenario, Aly is a valid user, but the system
incorrectly rejects his authentication attempt.

672
Q
  1. Which control offers the best defense against a
    rainbow table attack?
    A. Strong encryption
    B. Shadow file
    C. Hashing
    D. Salting
A

15.
Answer: D. Salting
Explanation: Salting involves adding random data
(a “salt”) to a password before hashing it. This
ensures that even if two users have the same
password, their hashes will be different due to the
unique salts. Salting effectively defends against
rainbow table attacks, which exploit precomputed
tables to reverse cryptographic hash functions.

673
Q
  1. In the Kerberos authentication protocol, which component is tasked with issuing the Ticket Granting Ticket?
    A. Client
    B. Authentication Server
    C. Ticket Granting Server
    D. Service Server
A

16.
Answer: B. Authentication Server
Explanation: In Kerberos, the Authentication
Server is responsible for authenticating the client
and issuing a Ticket Granting Ticket (TGT), which is
later used to obtain service tickets from the Ticket
Granting Server.

673
Q
  1. What access control method is employed by the
    Windows NTFS file system in its standard configuration?
    A. Rule-based AC
    B. Role-based AC
    C. MAC (mandatory access control)
    D. DAC (discretionary access control)
A
  1. Answer: D. DAC (discretionary access control)
    Explanation: Windows NTFS uses discretionary
    access control (DAC) by default. DAC allows the
    owner of the resource to determine who can access
    it and what permissions they have.
673
Q
  1. Bouke and his supervisor must confirm a request to
    delete user data at their Internet service provider. What access control mechanism is being utilized?
    A. Separation of duties
    B. Least privilege
    C. Two-person control
    D. Security through obscurity
A

18.
Answer: C. Two-person control
Explanation: Two-person control requires two
individuals to approve an action before it can be
carried out. In this scenario, both Bouke and his
supervisor must confirm the request, ensuring a
higher level of scrutiny and reducing the risk of
unauthorized or accidental deletions.

674
Q
  1. What access control flaw is most likely to occur in an
    organization where employees are frequently reassigned to new roles?
    A. False negative
    B. Man in the middle
    C. Privilege creep
    D. False positive
A

19.
Answer: C. Privilege creep
Explanation: Privilege creep occurs when
individuals retain access rights after moving to a
new position that does not require those rights. In an
organization where reassignments are common, this
can lead to employees accumulating unnecessary
and potentially risky privileges.

675
Q
  1. Which metric for an access control system is least likely to be manipulated by an administrator?
    A. Crossover error rate
    B. False rejection rate
    C. False positive rate
    D. False acceptance rate
A
  1. Answer: A. Crossover error rate
    Explanation: The crossover error rate (CER) is a measure of the point where the false acceptance rate equals the false rejection rate. It’s a fundamental characteristic of the system and is not something that can be easily adjusted by an administrator,
    unlike the other rates that might be influenced by system configuration.
676
Q
  1. In a public key infrastructure (PKI) system, what does a user send to someone else to securely provide
    the encryption key needed for encrypted communication?
    A. Private key
    B. Digital certificate
    C. Public key
    D. Digital signature
A
  1. Answer: C. Public key
    Explanation: In PKI, the public key is used to
    encrypt messages, and only the corresponding private key can decrypt them. By sharing the public key, a user enables others to send them encrypted
    messages that only they can read.
676
Q
  1. Which combination of controls exemplifies multifactor authentication?
    A. Token and access card
    B. Access card and PIN
    C. Eye scan and fingerprint reader
    D. Password and PIN
A
  1. Answer: B. Access card and PIN
    Explanation: Multifactor authentication (MFA) requires the utilization of at least two distinct factors from different categories of authentication, such as something you know (knowledge), something you
    have (possession), and something you are
    (inherence). Analyzing the given options, the combination of an access card (something you have) and a PIN (something you know) represents two different categories of authentication factors.
    Therefore, option B, which combines an access card and a PIN, exemplifies multifactor authentication. The other options do not meet the criteria for MFA
    as they either combine two factors from the same category of something you have (option A), something you are (option C), or something you know (option D).
677
Q
  1. What is the correct definition of authentication?
    A. The declaration of a unique identity for an individual or system
    B. The procedure for confirming a user’s identity
    C. The process of outlining the specific resources a user requires and determining their access level
    D. The management’s assertion that the user should have access to a system
A
  1. Answer: B. The procedure for confirming a user’s identity
    Explanation: Authentication is the process of verifying the identity of a user, system, or device. It ensures that the entity requesting access is who or
    what it claims to be.
678
Q
  1. The acronym IAAA represents the four stages of access control. Which option correctly defines and orders the IAAA terms?
    A. Integrity, authorization, auditing, and accounting
    B. Identity, authentication, authorization, and auditing
    C. Integrity, authorization, authentication, and auditing
    D. Identity, accounting, authorization, and auditing
A
  1. Answer: B. Identity, authentication, authorization, and auditing
    Explanation: The IAAA model describes the four key components of access control.
    Identity: Establishing who the user is
    Authentication: Verifying the user’s identity
    Authorization: Determining what the user is allowed to do
    Auditing: Monitoring and recording user activities
678
Q
  1. What action should be taken when an employee
    moves to a different position within an organization?
    A. They must undergo a new security review.
    B. Their old system IDs must be disabled.
    C. All access permissions should be reviewed.
    D. They must surrender all access devices.
A
  1. Answer: C. All access permissions should be reviewed.
    Explanation: When an employee transfers within an organization, it’s essential to review all access permissions to ensure that they align with the new role. This helps prevent privilege creep and ensures that the employee has the appropriate access for their new position.
679
Q
  1. In a mandatory access control (MAC) system, what guides the assignment of data classifications?
    A. Analysis of the users in conjunction with the audit department
    B. Assessment by the information security department
    C. User’s evaluation of a particular information element
    D. Organization’s published security policy for data classification
A
  1. Answer: D. Organization’s published security policy for data classification
    Explanation: In a MAC system, data
    classifications are determined by the organization’s formal security policy. This policy defines the rules for classifying, handling, and protecting information,
    ensuring that data is accessed only by authorized individuals.
680
Q
  1. Which security principle is at play in an access control system that grants users only the rights necessary to perform their work?
    A. Discretionary access
    B. Least privilege
    C. Mandatory access
    D. Separation of duties
A
  1. Answer: B. Least privilege
    Explanation: The principle of least privilege
    dictates that individuals should have only the permissions necessary to perform their job functions. This minimizes the potential damage from accidental mishaps or intentional malicious activities by limiting access rights to the bare minimum
    required to complete the task.
681
Q
  1. The “state machine model” requires a system to be protected in all states, including startup, function, and shutdown. What security concept exemplifies this method of response?
    A. Open design
    B. Closed design
    C. Trusted recovery
    D. Least privilege
A
  1. Answer: C. Trusted recovery
    Explanation: Trusted recovery refers to the ability of a system to respond to failures or security breaches in a manner that prevents further compromises. It ensures that the system can recover to a secure state, even after a failure or attack.
682
Q
  1. The Heartbleed virus exposed vulnerabilities in OpenSSL. Many believe that open design provides greater security than closed design. What consideration is typically required for open design to enhance security?
    A. Peer review
    B. Security through obscurity
    C. Complexity of design
    D. Trusted hierarchy
A
  1. Answer: A. Peer review
    Explanation: Open design allows for transparency and collaboration, enabling peer review of the code.
    This collective examination can identify and fix vulnerabilities, making the system more secure.
683
Q
  1. A key recovery agent may be used to mitigate the risk of losing a private key. However, this increases non-repudiation risk. What principle can be implemented to reduce this risk?
    A. Segregation of duties
    B. Principle of least privilege
    C. Dual control
    D. Need to know
A
  1. Answer: C. Dual control
    Explanation: Dual control requires two or more individuals to perform a task, ensuring that no single person has complete control over critical functions.
    This can mitigate the risk associated with a single individual having access to users’ private keys.
684
Q
  1. During which phase of business continuity planning
    (BCP) development must senior management commit to support, fund, and assist in creating the BCP?
    A. Project initiation
    B. Planning
    C. Implementation
    D. Development
A
  1. Answer: A. Project initiation
    Explanation: The commitment from senior
    management is essential at the project initiation phase of BCP. This ensures that the project has the necessary support and resources to proceed.
685
Q
  1. While training can reduce social engineering attacks, it doesn’t eliminate the risk. What administrative policy is most likely to help mitigate this risk?
    A. Formal onboarding policies
    B. Job rotation
    C. Formal off-boarding policies
    D. Segregation of duties
A
  1. Answer: D. Segregation of duties
    Explanation: Segregation of duties (SoD) ensures that no single individual has control over all aspects of any critical transaction. By dividing tasks and
    privileges, SoD reduces the risk of a single point of failure, which can be exploited through social engineering.
686
Q
  1. The trust in a system reflects the trust in specific components. What are these components collectively called?
    A. Ring 1 elements
    B. Trusted computing base
    C. Operating system kernel
    D. Firmware
A
  1. Answer: B. Trusted computing base
    Explanation: The trusted computing base (TCB) includes all the components of a system that are critical to its security, including hardware, firmware,
    and software. Trust in the TCB is essential for overall system security.
687
Q

34. During access authorization, the conceptual ruleset is known as the __________, and the enforcement mechanism is referred to as the _________.
A. Access control list, reference monitor
B. Security enforcer, access control list
C. Reference monitor, security kernel
D. Security kernel, reference monitor

A
  1. Answer: A. Access control list, reference monitor
    Explanation: During access authorization, the conceptual ruleset defining the access rights and permissions for users and objects within a system is commonly called the access control list (ACL). The
    enforcement mechanism that ensures that these access controls are properly implemented and adhered to is known as the reference monitor. Therefore, the correct answer to fill in the blanks is
    A. Access control list, reference monitor. The other options do not accurately represent the standard terminology used in access control and authorization
    within information security. The security kernel is a core component of a computer’s operating system that deals with security-related functions, and the term “security enforcer” is not a standard term used
    in this context.
688
Q
  1. Why is the alignment of security controls with business objectives important?
    A. There is always a trade-off for security, so an organization has to weigh the cost vs. benefits.
    B. Security is cheap and easily implemented compared to potential loss.
    C. Security must be implemented as much as possible.
    D. Security is too costly for small organizations.
A
  1. Answer: B. There is always a trade-off for security, so an organization has to weigh the cost vs. benefits.
    Explanation: Aligning security controls with
    business objectives ensures that security measures are balanced with the organization’s goals, resources, and risk tolerance. It helps in making informed decisions about where to invest in security.
689
Q
  1. When evaluating a system’s security categorization based on the potential impact of unauthorized disclosure (high), integrity breach (medium), and temporary unavailability (low), what is the overall
    categorization?
    A. High
    B. Medium
    C. Low
    D. Medium-high
A
  1. Answer: A. High
    Explanation: The overall categorization of a
    system is typically determined by the highest level of potential impact among the evaluated criteria. In this case, the high potential impact of unauthorized
    disclosure would define the overall categorization.
690
Q
  1. While evaluating a system, trust and assurance are included in the scope. What best describes these two
    elements?
    A. Trust describes security; assurance describes performance.
    B. Assurance describes security; trust describes performance.
    C. Trust describes product function; assurance describes process reliability.
    D. Assurance describes product function; trust describes process reliability.
A
  1. Answer: C. Trust describes product function; assurance describes process reliability.
    Explanation: Trust refers to the functionality and security features of a product, while assurance relates to the confidence in the development
    process, ensuring that the product functions as intended.
691
Q
  1. Which modern encryption technology is based on the ideas implemented in the Vernam Cipher, created in 1918?
    A. Asymmetric cryptography
    B. Digital signatures
    C. Handshake process used by IPSec
    D. Session keys
A
  1. Answer: D. Session keys
    Explanation: The Vernam Cipher is a symmetric key cipher using a one-time pad. Modern session keys, which are used for a single session and then discarded, are based on this concept of using a key
    only once.
692
Q
  1. The Germans added a fourth rotor to the Enigma machine during World War II to increase the complexity of breaking the code. What modern relationship reflects this concept?
    A. AES and Kerberos
    B. DES/3DES
    C. RSA and DSA
    D. RSA and DES
A
  1. Answer: B. DES/3DES
    Explanation: The relationship between DES and 3DES mirrors the concept of adding complexity to encryption. 3DES, which applies the DES algorithm three times to each data block, was developed to
    provide a simple method of increasing the key size of DES to protect against brute-force attacks.
693
Q
  1. Which security service would have indicated the spoofing if a user receives a spoofed email?
    A. Privacy
    B. Authorization
    C. Integrity
    D. Non-repudiation
A

40. Answer: D. Non-repudiation
Explanation: Non-repudiation provides proof of the origin or delivery of data to protect against denial by the parties involved. In the context of email, it would provide evidence that the email was
indeed sent by the claimed sender.

694
Q
  1. How is non-repudiation achieved when using a combination of hashing and an asymmetric algorithm?
    A. Encrypt the document with the sender’s private key, then hash the document
    B. Encrypt the document with the sender’s public key, then hash the document
    C. Hash the document and then encrypt the hash with the sender’s private key
    D. Hash the document, then encrypt the hash with the receiver’s public key
A
  1. Answer: C. Hash the document and then encrypt the hash with the sender’s private key
    Explanation: Non-repudiation is achieved by creating a hash of the message and then encrypting that hash with the sender’s private key. This creates a digital signature that can be verified by anyone with the sender’s public key, proving that the
    message came from the sender and has not been altered.
695
Q
  1. What provides the secrecy in a hashing algorithm?
    A. A public key
    B. A private key
    C. One-way math
    D. A digital signature
A

42. Answer: C. One-way math
Explanation: Hashing algorithms use one-way functions, meaning the output (the hash) cannot be reversed to reveal the original input. This provides the secrecy in a hashing algorithm.

696
Q
  1. What is a birthday attack?
    A. An attack on passwords based on users choosing weak passwords such as birthdays
    B. A logic bomb that triggers on the attacker’s birthday
    C. An attack that attempts to find collisions in separate messages
    D. An attack that focuses on personnel databases to compromise personal information
A
  1. Answer: C. An attack that attempts to find collisions in separate messages
    Explanation: A birthday attack is a type of
    cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. The attack depends on finding collisions, which are two inputs producing the same hash output.
697
Q
  1. If a network communication issue is caused by a Layer 1 problem, what is the most likely cause?
    A. Cable
    B. Router
    C. Switch
    D. Network Interface Card (NIC)
A
  1. Answer: A. Cable
    Explanation: Layer 1 of the OSI model, the
    Physical Layer, deals with the physical
    characteristics of the network, such as the network cable. Therefore, if there’s a Layer 1 issue, it’s most likely related to the physical connection, such as the
    cable.
698
Q
  1. In an Ethernet environment using CSMA/CD (Carrier Sense Multiple Access with Collision Detection), what does CSMA/CD imply?
    A. Ethernet environments avoid collisions by detecting their likelihood before transmitting.
    B. Ethernet environments only allow an individual host to access the cable at any given time and are capable of detecting collisions as they happen.
    C. Even though Ethernet traffic is prone to collisions, a hub can all but eliminate them.
    D. Though multiple systems can access the media
    simultaneously, the result will be a collision, which should be immediately detected.
A
  1. Answer: D. Though multiple systems can access the media simultaneously, the result will be a collision, which should be immediately detected.
    Explanation: CSMA/CD is a network protocol for carrier transmission in Ethernet networks. It allows
    multiple hosts to access the media simultaneously, but if a collision occurs (two devices transmit at the same time), it is detected and the transmissions are
    stopped to avoid corrupting data.
699
Q
  1. Which technique would be most appropriate if an enterprise wants to ensure that the cloud service
    provider can automatically provision and deprovision resources to match current demand?
    A. Scalability
    B. Elasticity
    C. Availability
    D. Reliability
A
  1. Answer: B. Elasticity
    Explanation: Elasticity in cloud computing is the ability to quickly expand or decrease computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak loads. It allows resources to be provisioned and deprovisioned automatically as the demand changes.
700
Q

47. What is the primary purpose of Identity and Access Management (IAM)?
A. To ensure data integrity
B. To control the way assets are accessed
C. To ensure data availability
D. To ensure data confidentiality

A
  1. Answer: B. To control the way assets are accessed
    Explanation: IAM is primarily concerned with controlling how assets are accessed within an organization. It involves managing digital identities and implementing the necessary technology to
    improve user experience, cost control, and risk mitigation.
701
Q
  1. Which of the following is NOT a fundamental access control principle?
    A. Need to know
    B. Least privilege
    C. Separation of duties
    D. Maximum privilege
A
  1. Answer: D. Maximum privilege
    Explanation: The fundamental principles of access control are “need to know,” “least privilege,” and “separation of duties.” The principle of “maximum privilege” does not exist in access control; it contradicts the principle of “least privilege,” which states that a user should have the minimum levels of access necessary to perform their job functions.
702
Q
  1. What does the acronym SAML stand for in the context of Federated Identity Management (FIM)?
    A. Security Assertion Markup Language
    B. Secure Access Management Language
    C. System Authentication Markup Language
    D. Secure Authorization Markup Language
A
  1. Answer: A. Security Assertion Markup Language
    Explanation: SAML stands for Security Assertion Markup Language. It is a key protocol used in Federated Identity Management (FIM) solutions,
    providing both authentication and authorization.
703
Q
  1. What is the primary preventive measure for session hijacking?
    A. Frequent password changes
    B. Use of firewalls
    C. Frequent reauthentication
    D. Use of antivirus software
A
  1. Answer: C. Frequent reauthentication
    Explanation: The primary and best way to prevent session hijacking is through frequent reauthentication. This means that a user is continually reauthenticated by the system in a manner that is transparent to the user, making it much more difficult for an attacker to compromise a user’s active session.
704
Q
  1. Which of the following is NOT a component of Access Control Services?
    A. Identification
    B. Authentication
    C. Authorization
    D. Encryption
A

51. Answer: D. Encryption
Explanation: Access Control Services consist of identification, authentication, authorization, and accountability. Encryption, while a crucial aspect of
security, is not a component of Access Control Services as defined in this context.

705
Q
  1. What does the term “provisioning” refer to in the context of the identity life cycle?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee or when an employee changes roles
    C. The process of terminating access when an employee leaves the organization
    D. The process of reviewing a user’s access to assets and systems
A
  1. Answer: B. The process of granting access to systems and data to a new employee or when an employee changes roles
    Explanation: Provisioning in the identity life cycle refers to the process of granting access to systems and data to a new employee or when an employee
    changes roles. This includes activities such as background checks, confirming skills, and identity proofing.
706
Q
  1. What is the primary function of the Security Assertion Markup Language (SAML) in Federated Identity Management (FIM)?
    A. To provide encryption for data in transit
    B. To provide authentication and authorization
    C. To provide a secure communication channel
    D. To provide a firewall for network security
A

53. Answer: B. To provide authentication and authorization
Explanation: SAML is a key protocol used in
Federated Identity Management (FIM) solutions, providing both authentication and authorization.

707
Q
  1. Which of the following is a potential risk relating to Identity as a Service (IDaaS)?
    A. Availability of the service
    B. Protection of critical identity data
    C. Entrusting a third party with sensitive or proprietary data
    D. All of the above
A
  1. Answer: D. All of the above
    Explanation: All the options listed are potential risks relating to IDaaS. These include the availability of the service, protection of critical identity data,
    and entrusting a third party with sensitive or proprietary data.
708
Q
  1. What is the purpose of the CAPTCHA security measure?
    A. To prevent automated account creation, spam, and brute-force password decryption attacks
    B. To encrypt data in transit
    C. To provide a firewall for network security
    D. To authenticate users
A
  1. Answer: A. To prevent automated account creation, spam, and brute-force password decryption attacks
    Explanation: CAPTCHA is a security measure that works by asking a user to complete a simple test to prove they’re human and not a robot or automated
    program. It is used to prevent automated account creation, spam, and brute-force password decryption attacks.
709
Q
  1. What does the term “Just-in-Time Access” refer to in the context of access control?
    A. The process of granting access to systems and data to a new employee
    B. The elevation of user privileges for a short period to complete necessary but infrequent tasks
    C. The process of terminating access when an employee leaves the organization
    D. The process of reviewing a user’s access to assets and systems
A
  1. Answer: B. The elevation of user privileges for a short period to complete necessary but infrequent tasks
    Explanation: Just-in-Time Access refers to the elevation of user privileges to an authorized user for a short period, so a user may complete necessary but infrequent tasks. It mitigates the need for long-term elevation of privileges, which minimizes potential security risks.
710
Q
  1. What does the term “deprovisioning” refer to in the context of the identity life cycle?
    A. The process of granting access to systems and data to a new employee
    B. The process of confirming or establishing that somebody is who they claim to be
    C. The process of terminating access when an employee leaves the organization
    D. The process of reviewing a user’s access to assets and systems
A
  1. Answer: C. The process of terminating access when an employee leaves the organization
    Explanation: Deprovisioning in the identity life cycle refers to the process of terminating access when an employee leaves the organization. This includes activities such as revoking access rights,
    returning equipment, and archiving user data.
711
Q
  1. What is the primary purpose of the OAuth protocol in Federated Identity Management (FIM)?
    A. To provide a secure communication channel
    B. To provide encryption for data in transit
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide a firewall for network security
A

58. Answer: C. To allow third-party services to access user data without needing to know the user’s credentials
Explanation: OAuth is a protocol used in
Federated Identity Management (FIM) that allows third-party services to access user data without needing to know the user’s credentials.

712
Q
  1. What is the main advantage of using a Single Sign-On (SSO) system?
    A. It reduces the number of passwords a user has to remember.
    B. It increases the complexity of the authentication process.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A

59. Answer: A. It reduces the number of passwords a user has to remember.
Explanation: The main advantage of using a
Single Sign-On (SSO) system is that it reduces the number of passwords a user has to remember. This not only improves user convenience but also reduces
the risk of password-related security issues.

713
Q
  1. What is the purpose of the “need-to-know” principle in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have access to the information they need to perform their job functions
    C. To ensure that users know how to use the systems and data they have access to
    D. To ensure that users know the consequences of misusing their access rights
A
  1. Answer: B. To ensure that users only have access to the information they need to perform their job functions
    Explanation: The “need-to-know” principle in access control is designed to ensure that users only have access to the information they need to perform their job functions. This minimizes the risk of unauthorized access and data breaches.
714
Q
  1. What does the term “federation” refer to in the context of Federated Identity Management (FIM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: C. The process of allowing different organizations to share and manage identity information
    Explanation: Federation in the context of Federated Identity Management (FIM) refers to the process of allowing different organizations to share and manage identity information. This allows users to use the same credentials to access services across multiple organizations.
715
Q
  1. What is the primary purpose of the OpenID Connect protocol in Federated Identity Management (FIM)?
    A. To provide a secure communication channel
    B. To provide encryption for data in transit
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide a simple identity layer on top of the OAuth 2.0 protocol
A
  1. Answer: D. To provide a simple identity layer on top of the OAuth 2.0 protocol
    Explanation: OpenID Connect is a protocol used in Federated Identity Management (FIM) that provides a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end user based on the authentication performed by an authorization server.
716
Q
  1. What is the main disadvantage of using a Single Sign-On (SSO) system?
    A. It increases the number of passwords a user has to remember.
    B. If the SSO system is compromised, all services that use it are potentially at risk.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. If the SSO system is compromised, all services that use it are potentially at risk.
    Explanation: The main disadvantage of using a Single Sign-On (SSO) system is that if the SSO system is compromised, all services that use it are potentially at risk. This is because the attacker would have access to all the systems the user can access through the SSO system.
717
Q
  1. What is the purpose of the “separation of duties” principle in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have access to the information they need to perform their job functions
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that users know the consequences of misusing their access rights
A
  1. Answer: C. To prevent any single individual from being able to complete a significant process or transaction on their own
    Explanation: The “separation of duties” principle in access control is designed to prevent any single individual from being able to complete a significant process or transaction on their own. This reduces the risk of fraud and error.
718
Q
  1. What does the term “authentication” refer to in the context of Access Control Services?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: A. The process of confirming or establishing that somebody is who they claim to be
    Explanation: Authentication in the context of Access Control Services refers to the process of confirming or establishing that somebody is who they claim to be. This is typically done through the use of passwords, biometrics, or other forms of identification.
719
Q
  1. What does the term “accountability” refer to in the context of Access Control Services?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. The ability to link actions to a specific user and hold them responsible for their actions
A
  1. Answer: D. The ability to link actions to a specific user and hold them responsible for their actions
    Explanation: Accountability in the context of Access Control Services refers to the ability to link actions to a specific user and hold them responsible for their actions. This is typically done through the use of audit logs and other tracking mechanisms.
720
Q
  1. What does the term “authorization” refer to in the context of Access Control Services?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of determining what actions a user is allowed to perform
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The process of determining what actions a user is allowed to perform
    Explanation: Authorization in the context of Access Control Services refers to the process of determining what actions a user is allowed to perform. This is typically based on the user’s role, responsibilities, and the principle of least privilege.
721
Q
  1. What is the main advantage of using a Federated Identity Management (FIM) system?
    A. It increases the number of passwords a user has to remember.
    B. It allows users to use the same credentials to access services across multiple organizations.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. It allows users to use the same credentials to access services across multiple organizations.
    Explanation: The main advantage of using a Federated Identity Management (FIM) system is that it allows users to use the same credentials to access services across multiple organizations. This not only improves user convenience but also reduces the risk of password-related security issues.
722
Q
  1. What is the purpose of the “least privilege” principle in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that users know the consequences of misusing their access rights
A
  1. Answer: B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    Explanation: The “least privilege” principle in access control is designed to ensure that users only have the minimum levels of access necessary to perform their job functions. This minimizes the risk of unauthorized access and data breaches.
723
Q
  1. What does the term “identification” refer to in the context of Access Control Services?
    A. The process of a user claiming or professing an identity
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: A. The process of a user claiming or professing an identity
    Explanation: Identification in the context of Access Control Services refers to the process of a user claiming or professing an identity. This is typically the first step in the authentication process.
724
Q
  1. What does the term “Identity as a Service (IDaaS)” refer to?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. A cloud-based service that provides Identity and Access Management functions to an organization’s systems that reside on-premises and/or in the cloud
A
  1. Answer: D. A cloud-based service that provides Identity and Access Management functions to an organization’s systems that reside on-premises and/or in the cloud
    Explanation: Identity as a Service (IDaaS) refers to a cloud-based service that provides Identity and Access Management functions to an organization’s systems that reside on-premises and/or in the cloud. It is typically used by organizations that want to outsource their identity services to a third-party provider.
725
Q
  1. What is the primary purpose of the Kerberos protocol in the context of authentication systems?
    A. To provide a secure communication channel
    B. To provide encryption for data in transit
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide a secure method for transmitting information and authenticating both the user and the server
A
  1. Answer: D. To provide a secure method for transmitting information and authenticating both the user and the server
    Explanation: Kerberos is a network authentication protocol that provides a secure method for transmitting information and authenticating both the user and the server. It uses secret-key cryptography to prevent eavesdropping and replay attacks.
726
Q
  1. What is the main disadvantage of using a Federated Identity Management (FIM) system?
    A. It increases the number of passwords a user has to remember.
    B. If the FIM system is compromised, all services that use it are potentially at risk.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. If the FIM system is compromised, all services that use it are potentially at risk.
    Explanation: The main disadvantage of using a Federated Identity Management (FIM) system is that if the FIM system is compromised, all services that use it are potentially at risk. This is because the attacker would have access to all the systems the user can access through the FIM system.
727
Q
  1. What is the purpose of the “accountability” principle in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that actions can be traced back to the individual who performed them
A
  1. Answer: D. To ensure that actions can be traced back to the individual who performed them
    Explanation: The “accountability” principle in access control is designed to ensure that actions can be traced back to the individual who performed them. This is typically done through the use of audit logs and other tracking mechanisms.
728
Q
  1. What does the term “biometrics” refer to in the context of authentication systems?
    A. The process of a user claiming or professing an identity
    B. The use of physical or behavioral characteristics to verify a user’s identity
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The use of physical or behavioral characteristics to verify a user’s identity
    Explanation: Biometrics in the context of authentication systems refers to the use of physical or behavioral characteristics to verify a user’s identity. This can include fingerprints, facial recognition, voice recognition, and other unique characteristics.
729
Q
  1. What does the term “identity proofing” refer to in the context of Identity and Access Management (IAM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of verifying a user’s claimed identity by comparing it against one or more reliable sources
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: C. The process of verifying a user’s claimed identity by comparing it against one or more reliable sources
    Explanation: Identity proofing in the context of IAM refers to the process of verifying a user’s claimed identity by comparing it against one or more reliable sources. This is typically done as part of the onboarding process when a new account is created.
730
Q
  1. What does the term “Identity Federation” refer to in the context of Identity and Access Management (IAM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of granting access to systems and data to a new employee
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: C. The process of allowing different organizations to share and manage identity information
    Explanation: Identity Federation in the context of IAM refers to the process of allowing different organizations to share and manage identity information. This allows users to use the same credentials to access services across multiple organizations.
731
Q
  1. What is the primary purpose of the RADIUS protocol in the context of authentication systems?
    A. To provide a secure communication channel
    B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide encryption for data in transit
A
  1. Answer: B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
    Explanation: RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
732
Q
  1. What is the main disadvantage of using biometric authentication systems?
    A. It increases the number of passwords a user has to remember.
    B. If the biometric data is compromised, it cannot be changed like a password.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. If the biometric data is compromised, it cannot be changed like a password.
    Explanation: The main disadvantage of using biometric authentication systems is that if the biometric data is compromised, it cannot be changed like a password. This can lead to serious security issues.
733
Q
  1. What is the purpose of the “non-repudiation” principle in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them
A
  1. Answer: D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them
    Explanation: The “non-repudiation” principle in access control is designed to ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them. This is typically important in legal contexts where proof of action is required.
734
Q
  1. What does the term “multifactor authentication (MFA)” refer to in the context of authentication systems?
    A. The process of a user claiming or professing an identity
    B. The use of two or more independent credentials for verifying a user’s identity
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The use of two or more independent credentials for verifying a user’s identity
    Explanation: Multifactor authentication (MFA) in the context of authentication systems refers to the use of two or more independent credentials for verifying a user’s identity. This typically involves a combination of something the user knows (like a password), something the user has (like a smart card), and something the user is (like a biometric trait).
735
Q
  1. What does the term “identity life cycle” refer to in the context of Identity and Access Management (IAM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The stages a digital identity goes through from creation to deletion
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The stages a digital identity goes through from creation to deletion
    Explanation: The identity life cycle in the context of IAM refers to the stages a digital identity goes through from creation to deletion. This includes processes such as provisioning, managing, and deprovisioning identities.
736
Q
  1. What is the primary purpose of the TACACS+ protocol in the context of authentication systems?
    A. To provide a secure communication channel
    B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide encryption for data in transit
A
  1. Answer: B. To provide a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service
    Explanation: TACACS+ (Terminal Access Controller Access Control System Plus) is a networking protocol that offers centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
737
Q
  1. What is the main disadvantage of using password-based authentication systems?
    A. It increases the number of passwords a user has to remember.
    B. Passwords can be easily forgotten, shared, or stolen.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. Passwords can be easily forgotten, shared, or stolen.
    Explanation: The main disadvantage of using password-based authentication systems is that passwords can be easily forgotten, shared, or stolen. This can lead to unauthorized access and other security issues.
738
Q
  1. What is the purpose of the “principle of least privilege” in access control?
    A. To ensure that users have access to all the information they might need
    B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them
A
  1. Answer: B. To ensure that users only have the minimum levels of access necessary to perform their job functions
    Explanation: The “principle of least privilege” in access control is designed to ensure that users only have the minimum levels of access necessary to perform their job functions. This minimizes the risk of unauthorized access and data breaches.
739
Q
  1. What does the term “provisioning” refer to in the context of Identity and Access Management (IAM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of setting up a new user account with appropriate access rights
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The process of setting up a new user account with appropriate access rights
    Explanation: Provisioning in the context of IAM refers to the process of setting up a new user account with appropriate access rights. This includes activities such as creating the user’s account, assigning roles, and granting access to resources.
740
Q
  1. What is the primary purpose of the SAML protocol in the context of authentication systems?
    A. To provide a secure communication channel
    B. To provide a standard for exchanging authentication and authorization data between parties
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide encryption for data in transit
A
  1. Answer: B. To provide a standard for exchanging authentication and authorization data between parties
    Explanation: SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between parties. It is commonly used in Single Sign-On (SSO) and Federated Identity Management (FIM) systems.
741
Q
  1. What is the main disadvantage of using role-based access control systems?
    A. It increases the number of passwords a user has to remember.
    B. It can be difficult to manage if roles are not clearly defined or if users have multiple roles.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. It can be difficult to manage if roles are not clearly defined or if users have multiple roles.
    Explanation: The main disadvantage of using role-based access control systems is that it can be difficult to manage if roles are not clearly defined or if users have multiple roles. This can lead to users having more access rights than they need, which can increase the risk of unauthorized access and data breaches.
742
Q
  1. What does the term “attribute-based access control (ABAC)” refer to in the context of access control systems?
    A. The process of a user claiming or professing an identity
    B. A flexible access control method where access rights are granted to users through the use of policies which combine attributes together
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. A flexible access control method where access rights are granted to users through the use of policies which combine attributes together
    Explanation: Attribute-based access control (ABAC) in the context of access control systems refers to a flexible access control method where access rights are granted to users through the use of policies which combine attributes together. These attributes can be associated with the user, the object to be accessed, or the environment.
743
Q
  1. What does the term “deprovisioning” refer to in the context of Identity and Access Management (IAM)?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of removing an existing user account and its associated access rights
    C. The process of allowing different organizations to share and manage identity information
    D. The process of setting up a new user account with appropriate access rights
A
  1. Answer: B. The process of removing an existing user account and its associated access rights
    Explanation: Deprovisioning in the context of IAM refers to the process of removing an existing user account and its associated access rights. This is typically done when an employee leaves an organization or changes roles.
744
Q
  1. What is the primary purpose of the OAuth protocol in the context of authentication systems?
    A. To provide a secure communication channel
    B. To provide a standard for authorizing third-party applications to access user data without sharing passwords
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide encryption for data in transit
A
  1. Answer: B. To provide a standard for authorizing third-party applications to access user data without sharing passwords
    Explanation: OAuth (Open Authorization) is a standard for authorizing third-party applications to access user data without sharing passwords. It is commonly used in scenarios where you want to give an application access to your data without giving it your password.
745
Q
  1. What is the main disadvantage of using discretionary access control systems?
    A. It increases the number of passwords a user has to remember.
    B. It can lead to “privilege creep” if access rights are not regularly reviewed and updated.
    C. It reduces the need for encryption.
    D. It increases the need for firewalls.
A
  1. Answer: B. It can lead to “privilege creep” if access rights are not regularly reviewed and updated.
    Explanation: The main disadvantage of using discretionary access control systems is that it can lead to “privilege creep” if access rights are not regularly reviewed and updated. Privilege creep occurs when users accumulate more privileges than they need to perform their job functions, which can increase the risk of unauthorized access and data breaches.
746
Q
  1. What is the purpose of “discretionary access control”?
    A. To ensure that users have access to all the information they might need
    B. To allow the owners of information to control who can access their information
    C. To prevent any single individual from being able to complete a significant process or transaction on their own
    D. To ensure that actions can be definitively traced back to the individual who performed them, and they cannot deny performing them
A
  1. Answer: B. To allow the owners of information to control who can access their information
    Explanation: Discretionary access control is a type of access control that allows the owners of information to control who can access their information. It is commonly used in environments where information sharing is encouraged, but control is still required.
747
Q
  1. What does the term “privilege escalation” refer to in the context of access control systems?
    A. The process of a user claiming or professing an identity
    B. The act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources
    Explanation: Privilege escalation in the context of access control systems refers to the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources. This is a common technique used in cyberattacks to gain unauthorized access to systems.
748
Q
  1. What is the primary function of the SESAME protocol in the context of Single Sign-On authentication?
    A. To provide a secure communication channel
    B. To provide accounting, authentication, and auditing services
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To support both symmetric and asymmetric cryptography
A
  1. Answer: D. To support both symmetric and asymmetric cryptography
    Explanation: The Secure European System for Applications in a Multivendor Environment, better known as SESAME, is an improved version of Kerberos. One of the big advantages of SESAME over Kerberos is that it supports both symmetric and asymmetric cryptography.
749
Q
  1. What is the primary purpose of the Authenticator Assurance Levels (AAL)?
    A. To provide a secure communication channel
    B. To rank the strength of authentication processes and systems
    C. To allow third-party services to access user data without needing to know the user’s credentials
    D. To provide encryption for data in transit
A
  1. Answer: B. To rank the strength of authentication processes and systems
    Explanation: Authenticator Assurance Levels (AAL) refer to the strength of authentication processes and systems. AAL levels rank from AAL1 (least robust) to AAL3 (most robust).
750
Q
  1. What is the primary difference between discretionary access control (DAC) and mandatory
    A. DAC is determined by the owner of the asset, while MAC is determined by the system based on labels.
    B. DAC is determined by the system based on labels, while MAC is determined by the owner of the asset.
    C. DAC is a protocol for enabling Single Sign-On, while MAC is an improved version of DAC.
    D. DAC is an improved version of MAC, while MAC is a protocol for enabling Single Sign-On.
A
  1. Answer: A. DAC is determined by the owner of the asset, while MAC is determined by the system based on labels.
    Explanation: Discretionary access control (DAC) means an asset owner determines who can access the asset; access is given at the discretion of the owner. Mandatory access control (MAC) determines access based upon the clearance level of the subject and the classification, or sensitivity, of the object.
751
Q
  1. What does the term “Identity as a Service (IDaaS)” refer to?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The implementation or integration of identity services in a cloud-based environment
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The implementation or integration of identity services in a cloud-based environment
    Explanation: Identity as a Service (IDaaS) refers to the implementation or integration of identity services in a cloud-based environment. It has a variety of capabilities, including provisioning, administration, Single Sign-On (SSO), multifactor authentication (MFA), and directory services.
752
Q
  1. What does the term “Just-in-Time Access” refer to in the context of access control?
    A. The process of confirming or establishing that somebody is who they claim to be
    B. The process of elevating user privileges for a short period to complete necessary but infrequent tasks
    C. The process of allowing different organizations to share and manage identity information
    D. The process of terminating access when an employee leaves the organization
A
  1. Answer: B. The process of elevating user privileges for a short period to complete necessary but infrequent tasks
    Explanation: Just-in-Time Access refers to the elevation of user privileges to an authorized user for a short period, so a user may complete necessary but infrequent tasks. It mitigates the need for long-term elevation of privileges, which minimizes potential security risks.
753
Q

What can be used to ensure that software meets the customer’s operational requirements?

a. Integration testing
b. Installation testing
c. Acceptance testing
d. Unit testing

A

C. Acceptance testing is designed to ensure the software meets the customer’s operational requirements.
Incorrect answers and explanations: Answers A, B, and D are incorrect. Integration testing examines multiple software components as they are combined into a working system. Installation testing examines software as it is installed and first operated. Unit testing is a low-level test of software components, such as functions, procedures, or objects.

754
Q

What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?

a. Combinatorial software testing
b. Dynamic testing
c. Misuse case testing
d. Static testing

A

A. Combinatorial software testing is a black box testing method that seeks to identify and test all unique combinations of software inputs. Incorrect answers and explanations: Answers B, C, and D are incorrect. Dynamic testing examines code while executing it. Misuse case testing formally models how security would be impacted by an adversary abusing the application. Static testing examines the code passively; the code is not running.
This form of testing includes walkthroughs, syntax checking, and code reviews.

755
Q

You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall
information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks
by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a
smartphone app for both Apple iOS and Android devices.
The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test,
including potential accidental disruption of services.

Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?

a. Instruct the penetration testing team to conduct a thorough vulnerability
assessment of the server containing financial data.
b. Instruct the penetration testing team to download financial data, redact it, and report accordingly.
c. Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.
d. Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.

A

D. A flag is a dummy file containing no regulated or sensitive data. It is placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.
Incorrect answers and explanations: Answers A, B, and C are incorrect. Answer A is a vulnerability assessment, not a penetration test. Answers B and C are dangerous and could involve unauthorized access of regulated data, such as health care records.

763
Q

You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall
information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks
by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a
smartphone app for both Apple iOS and Android devices.
The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test,
including potential accidental disruption of services.

You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?

a. Secure compiler warnings
b. Fuzzing
c. Static testing
d. White-box testing

A

B. Fuzzing is a black-box testing method that does not require access to source code.
Incorrect answers and explanations: Answers A, C, and D are incorrect. All are static methods that require access to source code.

764
Q

You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall
information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks
by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a
smartphone app for both Apple iOS and Android devices.
The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test,
including potential accidental disruption of services.

During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?

a. Attempt to contain and eradicate the malicious activity.
b. Continue the test.
c. Quietly end the test, immediately call the operational IT contact, and escalate the issue.
d. Shut the server down

A

C. Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. Incorrect answers and explanations: Answers A, B, and D are incorrect. The client must be notified immediately, as incident handling is not the penetration tester’s responsibility.

765
Q

Which of the following is the primary purpose of a
vulnerability assessment?

A. To exploit vulnerabilities in a system
B. To determine the effectiveness of security controls
C. To identify weaknesses in a system without exploiting them
D. To test the organization’s incident response capability

A

Answer: C. To identify weaknesses in a system without exploiting them
Explanation: A vulnerability assessment aims to identify vulnerabilities in a system, application, or network without actually exploiting them. This is different from a penetration test, which attempts to exploit the vulnerabilities.

766
Q

What is the primary difference between a white box and a black box test?

A. The tools used for testing
B. Knowledge of the system’s architecture and design
C. The time taken to complete the test
D. The outcome of the test

A

Answer: B. Knowledge of the system’s architecture and design
Explanation: In a white box test, the tester has knowledge of the system’s architecture and design, whereas in a black box test, the tester has no such knowledge and tests the system from an outsider’s perspective.

767
Q

Which phase of the penetration testing process
involves gathering as much information as possible
about the target system before launching an attack?

A. Exploitation
B. Post-exploitation
C. Reconnaissance
D. Scanning

A

Answer: C. Reconnaissance
Explanation: The reconnaissance phase of
penetration testing involves collecting information about the target system, often without directly interacting with it. This phase helps the tester understand the system and identify potential vulnerabilities.

768
Q

During a security assessment, a tester identifies a
vulnerability but does not have a tool or an exploit to
take advantage of it. What should the tester do next?

A. Ignore the vulnerability.
B. Manually attempt to exploit the vulnerability.
C. Report the vulnerability to the organization.
D. Wait for a tool to become available.

A

Answer: C. Report the vulnerability to the
organization.
Explanation: Even if the tester cannot exploit a vulnerability, it’s essential to report it to the organization. This allows the organization to take corrective measures and ensure that potential attackers cannot exploit the vulnerability in the future.

769
Q

Which of the following best describes a false positive
in the context of security testing?

A. A vulnerability that is correctly identified but cannot be exploited
B. A vulnerability that is misclassified by the testing tool
C. An identified vulnerability that does not actually exist
D. A vulnerability that is missed by the testing tool

A

Answer: C. An identified vulnerability that does not actually exist
Explanation: A false positive refers to a situation where a security testing tool or process identifies a vulnerability that, upon further investigation, does not actually exist. It’s an erroneous alert that can lead to
wasted resources if not correctly identified.

770
Q

For which attack type is IP spoofing most frequently utilized?

A. Salami
B. Keystroke logging
C. Denial of service (DoS)
D. Data diddling

A

Answer: C. Denial of service (DoS)
Explanation: IP spoofing is a technique where an attacker sends IP packets from a false source address. This is often used in denial-of-service (DoS) attacks to mask the true origin of the attack and to amplify the
attack by involving innocent third-party systems.

771
Q

Which statement accurately characterizes session hijacking?

A. Session hijacking initially undermines the DNS process, allowing an attacker to exploit an existing TCP connection.
B. Session hijacking manipulates the UDP protocol, enabling an attacker to leverage an ongoing connection.
C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.
D. Session hijacking begins by compromising the DNS process, subsequently allowing an attacker to exploit an established UDP connection.

A

Answer: C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.
Explanation: Session hijacking, also known as session takeover, involves an attacker taking over a user’s session. The primary target is the TCP connection. By predicting or intercepting the session token, an attacker can impersonate the victim and
hijack their session.

772
Q

Following a series of email scams targeting your company’s employees, which solution would most
effectively address these attacks?

A. Enforce a stringent password policy mandating complex passwords.
B. Initiate an employee training and awareness campaign.
C. Enhance the company’s email filtering capabilities.
D. Implement a policy limiting email to strictly official purposes.

A

Answer: B. Initiate an employee training and awareness campaign.
Explanation: While all the options have their merits, the most effective way to combat email scams, such as phishing, is through user education. Training
employees to recognize and avoid suspicious emails can significantly reduce the risk of successful attacks.

773
Q

Which statement is part of the ISC2 Code of Ethics?

A. One must not use a computer to harm others.
B. Violating user privacy is deemed unethical.
C. All information should be universally accessible.
D. Conduct oneself with honor, honesty, justice,
responsibility, and within the bounds of the law.

A

Answer: D. Conduct oneself with honor, honesty, justice, responsibility, and within the bounds of the law.
Explanation: The ISC2 Code of Ethics emphasizes professional and ethical behavior. The mentioned statement aligns with the principles set forth by ISC2
for its members.

774
Q

Which group poses the most significant threat to your
organization?

A. Internal employees
B. Corporate espionage agents
C. State-sponsored agents
D. Novice hackers

A

Answer: A. Internal employees
Explanation: Insiders, or internal employees, often have access to sensitive information and systems. Their familiarity with the organization’s infrastructure
and potential grievances can make them a significant threat.

775
Q

What does Locard’s exchange principle assert?

A. The continuity of evidence must remain unbroken.
B. Trace evidence always exists.
C. A crime necessitates means, motive, and opportunity.
D. Authenticating evidence requires checksums.

A

Answer: B. Trace evidence always exists.
Explanation: Locard’s exchange principle posits that every contact leaves a trace. This means that whenever two objects come into contact, there will always be an exchange of material.

776
Q

Which global entity was founded to standardize the treatment of forensic evidence?

A. The Global Forensic Analysis Organization
B. The European Union’s Criminal Evidence Policy Council
C. The United Nations Computer Evidence Committee
D. The International Organization on Computer Evidence

A

Answer: D. The International Organization on Computer Evidence
Explanation: The International Organization on Computer Evidence (IOCE) was
established to provide international standards for digital evidence handling and processing.

777
Q

For evidence to be admissible in court, it must not be?

A. Pertinent
B. Preserved correctly
C. Recognizable
D. Justified

A

Answer: D. Justified
Explanation: Evidence must be relevant, properly preserved, and identifiable to be admissible in court. “Justified” is not a criterion for evidence admissibility.

778
Q

How is hearsay evidence best defined?

A. Admissible in civil proceedings
B. Inadmissible in court
C. Regarded as third-tier information
D. Used to corroborate evidence presented as the best evidence

A

Answer: B. Inadmissible in court
Explanation: Hearsay evidence refers to
statements made outside of court that are presented as evidence for the truth of the matter asserted in the statement. Generally, hearsay is not admissible in
court unless it falls under specific exceptions.

779
Q

In what fundamental way do ethical hackers differ
from malicious hackers?
A. They are authorized to dismantle networks.
B. Their primary objective is to avoid causing harm.
C. They are immune to legal repercussions for damages.
D. They are exempt from legal prosecution.

A

Answer: B. Their primary objective is to avoid causing harm.
Explanation: Ethical hackers, also known as “white hat” hackers, are professionals who test systems for vulnerabilities with the intent of identifying and fixing them, not exploiting them. They operate with permission and aim to improve security without causing harm.

780
Q

In the realm of computer forensics, which component
should be prioritized for examination?

A. Hard disk drives
B. DVD media
C. Random Access Memory (RAM) content
D. Printed outputs from the computer

A

Answer: C. Random Access Memory (RAM) content
Explanation: The contents of RAM are volatile, meaning they are lost when the power is turned off. RAM can contain valuable information such as
encryption keys, running processes, and other transient data. Therefore, it’s crucial to capture this information first before it’s lost.

781
Q

How is the tool SATAN best characterized?

A. A utility for password decryption
B. A tool for analyzing audit logs
C. A software for system exploitation
D. A scanner for system vulnerabilities

A

Answer: D. A scanner for system vulnerabilities
Explanation: SATAN (Security Administrator Tool for Analyzing Networks) is a tool designed to detect vulnerabilities in computer networks. It helps administrators identify potential security risks in their
systems.

782
Q

What should an investigator ensure during the duplication in computer forensics?

A. Create an exact duplicate.
B. Generate a bit-by-bit copy.
C. Produce a logical copy.
D. Format the destination drive to erase any existing data before duplication.

A

Answer: B. Generate a bit-by-bit copy.
Explanation: In computer forensics, it’s essential to make a bit-level copy (or bit-by-bit copy) of the original evidence to ensure that all data, including deleted files and slack space, is captured. This ensures the integrity of the evidence and allows for a
thorough investigation.

783
Q

Which type of penetration testing evaluates the access capabilities of internal users?

A. White box testing
B. Gray box testing
C. Black box testing
D. Blue box testing

A

Answer: A. White box testing
Explanation: White box testing, also known as clear box testing, is a method where the tester has complete knowledge of the system’s internals. In the context of penetration testing, it simulates what
insiders with knowledge of the system can access and potentially exploit.

784
Q

Which group of individuals is notorious for targeting PBX and telecommunication infrastructures?

A. Novice hackers
B. Phreakers
C. System breakers
D. Ethical hackers

A

Answer: B. Phreakers
Explanation: Phreakers are individuals who
manipulate telecommunication systems, especially to make free calls. They have historically been associated with exploring and exploiting the vulnerabilities of PBX (Private Branch Exchange) systems and other telecommunication platforms.

785
Q

What is the difference between validation and verification in the context of security assessment and testing?

A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.
B. Validation checks if the product is being built correctly, while verification checks if the right product is being built.
C. Validation and verification both check if the right product is being built.
D. Validation and verification both check if the product is being built correctly.

A

Answer: A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.
Explanation: Validation is concerned with answering the question: Is the right product being built? Verification follows validation and is the process that confirms an application or product is being built correctly.

786
Q

What is the purpose of fuzz testing?

A. To check if the application responds correctly to normal inputs
B. To check if the application responds correctly to erroneous inputs
C. To throw randomness at an application to see how it responds and where it might “break”
D. To check if the application responds correctly to both normal and erroneous inputs

A

Answer: C. To throw randomness at an application to see how it responds and where it might “break”
Explanation: Fuzz testing involves throwing
randomness at an application to see how it responds and where it might “break.” It is a form of dynamic testing.

787
Q

What is the difference between a vulnerability assessment and a penetration test?

A. A vulnerability assessment identifies potential
vulnerabilities and attempts to exploit them, while a penetration test only identifies potential vulnerabilities.
B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.
C. Both vulnerability assessment and penetration test identify potential vulnerabilities and attempt to exploit them.
D. Both vulnerability assessment and penetration test only identify potential vulnerabilities.

A

Answer: B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.
Explanation: Both processes start the same way as they seek to identify potential vulnerabilities. However, with a vulnerability assessment, once
vulnerabilities are noted, no further action is taken apart from producing a report of findings. A penetration test goes an essential step further: after identifying vulnerabilities, an attempt is made to
exploit each vulnerability.

788
Q

What are the two primary types of vulnerability
scans?

A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans
B. Internal scans and external scans
C. Manual scans and automated scans
D. Static scans and dynamic scans

A

Answer: A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans
Explanation: There are two primary types of
vulnerability scans:
credentialed/authenticated scans
and uncredentialed/unauthenticated scans.

789
Q

What is the purpose of security assessment and testing in the context of an organization’s security strategy?

A. To ensure that security requirements/controls are defined, tested, and operating effectively
B. To ensure that the organization’s security strategy is aligned with its business goals
C. To ensure that the organization’s security strategy is compliant with regulatory requirements
D. To ensure that the organization’s security
strategy is cost-effective

A

Answer: A. To ensure that security
requirements/controls are defined, tested, and operating effectively
Explanation: Security assessment and testing ensure that security
requirements/controls are defined, tested, and operating effectively. It applies to
the development of new applications and systems as well as the ongoing operations, including end of life, related to assets.

790
Q

What is the difference between a SOC 1 report and a
SOC 2 report?

A. SOC 1 reports focus on financial reporting risks,
while SOC 2 reports focus on the controls related
to the five trust principles: security, availability,
confidentiality, processing integrity, and privacy.
B. SOC 1 reports focus on the controls related to the
five trust principles – security, availability,
confidentiality, processing integrity, and privacy
– while SOC 2 reports focus on financial reporting risks.
C. Both SOC 1 and SOC 2 reports focus on financial
reporting risks.
D. Both SOC 1 and SOC 2 reports focus on the
controls related to the five trust principles:
security, availability, confidentiality, processing
integrity, and privacy.

A

Answer: A. SOC 1 reports focus on financial reporting risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and
privacy.

Explanation: SOC 1 reports are quite basic and focus on financial reporting risks. SOC 2 reports are much more involved and focus on the controls related
to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

791
Q

What is the difference between positive testing,
negative testing, and misuse testing?

A. Positive testing checks if the system is working as
expected and designed, negative testing checks
the system’s response to normal errors, and
misuse testing applies the perspective of
someone trying to break or attack the system.
B. Positive testing checks the system’s response to
normal errors, negative testing checks if the
system is working as expected and designed, and
misuse testing applies the perspective of
someone trying to break or attack the system.
C. Positive testing applies the perspective of
someone trying to break or attack the system,
negative testing checks if the system is working
as expected and designed, and misuse testing
checks the system’s response to normal errors.
D. All three types of testing check if the system is
working as expected and designed.

A

Answer: A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and
misuse testing applies the perspective of someone trying to break or attack the system.

Explanation: Positive testing focuses on the
response of a system based on normal usage and expectations, checking if the system is working as expected and designed. Negative testing focuses on
the response of a system when normal errors are introduced. Misuse testing applies the perspective of someone trying to break or attack the system.

792
Q

What is the purpose of regression testing?
A. To verify that previously tested and functional software still works after updates have been made
B. To verify that the software works as expected under heavy load
C. To verify that the software works as expected in different operating systems
D. To verify that the software works as expected with different types of inputs

A

Answer: A. To verify that previously tested and functional software still works after updates have been made

Explanation: Regression testing is the process of verifying that previously tested and functional software still works after updates have been made. It should be performed after enhancements have been
made or after patches to address
vulnerabilities or problems have been issued.

793
Q

What does the term “test coverage” refer to in the
context of security assessment and testing?

A. The number of test cases executed divided by the total number of test cases
B. The number of test cases passed divided by the total number of test cases
C. The amount of code covered divided by the total amount of code in the application
D. The amount of code tested divided by the total amount of code in the application

A

Answer: C. The amount of code covered divided by the total amount of code in the application

Explanation: Test coverage refers to the relationship between the amount of source code in a given application and the percentage of code that has been covered by the completed tests. It is a simple mathematical formula: amount of code covered/total amount of code in application = test coverage percent.

794
Q

What are the two well-known and often-used threat
modeling methodologies mentioned in the content?

A. STRIDE and PASTA
B. DREAD and PASTA
C. STRIDE and DREAD
D. DREAD and OCTAVE

A

Answer: A. STRIDE and PASTA

Explanation: Two well-known and often-used threat modeling methodologies are STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege) and PASTA
(Process for Attack Simulation and Threat Analysis).

795
Q

What is the difference between Static Application
Security Testing (SAST) and Dynamic Application
Security Testing (DAST)?

A. SAST tests an application while it’s running, while DAST tests the underlying source code of an application.
B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.
C. Both SAST and DAST test an application while it’s running.
D. Both SAST and DAST test the underlying source code of an application.

A

Answer: B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.

Explanation: With Static Application Security Testing (SAST), an application is not running, and it’s the underlying source code that is being examined. With Dynamic Application Security Testing (DAST),
an application is running, and the focus is on the application and system as the underlying code executes.

796
Q

What are the two types of alerts that often show up in
any type of monitoring system?

A. False positives and false negatives
B. True positives and true negatives
C. False positives and true negatives
D. True positives and false negatives

A

Answer: A. False positives and false negatives

Explanation: With any type of monitoring system, two types of alerts often show up: false positives, where the system claims a vulnerability exists, but there is none, and false negatives, where the system says everything is fine, but a vulnerability exists.

797
Q

What is the purpose of log review and analysis in an
organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To identify potential threats to the system
C. To identify errors and anomalies that point to
problems, modifications, or breaches
D. To identify the effectiveness of the system’s
security controls

A

Answer: C. To identify errors and anomalies that point to problems, modifications, or breaches

Explanation: Log review and analysis is a best practice that should be used in every organization. Logs should include what is relevant, be proactively reviewed, and be especially scrutinized for errors and
anomalies that point to problems, modifications, or breaches.

798
Q

What is the difference between a Type 1 and a Type 2
SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 2 report examines the design of a control and its operating effectiveness over a period of time.
B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 2 report focuses on the design of controls at a point in time.
C. Both Type 1 and Type 2 reports focus on the design of controls at a point in time.
D. Both Type 1 and Type 2 reports examine the design of a control and its operating effectiveness over a period of time.

A

Answer: A. A Type 1 report focuses on the design of controls at a point in time, while a Type 2 report examines the design of a control and its operating effectiveness over a period of time.

Explanation: A Type 1 report focuses on the design of controls at a point in time. A Type 2 report examines not only the design of a control but, more importantly, the operating effectiveness over a period of time, typically a year.

799
Q

What is the purpose of a security audit in the context
of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security audit is a systematic, measurable technical assessment of how the organization’s security policy is employed. It is used
to ensure that security controls are operating effectively and as designed.

800
Q

What is the difference between a white box test and a
black box test?

A. In a white box test, the tester has full knowledge
of the system being tested, while in a black box
test, the tester has no knowledge of the system.
B. In a white box test, the tester has no knowledge
of the system being tested, while in a black box
test, the tester has full knowledge of the system.
C. Both white box and black box tests require the
tester to have full knowledge of the system being
tested.
D. Both white box and black box tests require the
tester to have no knowledge of the system being
tested.

A

Answer: A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.

Explanation: In a white box test, the tester has full knowledge of the system being tested, including source code, architecture, and both the software and hardware involved. In a black box test, the tester has
no knowledge of the system being tested.

801
Q

What is the purpose of a code review in the context of
security assessment and testing?

A. To identify potential vulnerabilities in the code
B. To identify potential threats to the system
C. To identify errors and anomalies that point to
problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

A

Answer: A. To identify potential vulnerabilities in the code

Explanation: A code review is a systematic
examination of computer source code intended to find and fix mistakes overlooked in the initial development
phase, improving both the overall quality of software and the developers’ skills. In the context of security, it is used to identify potential vulnerabilities in the code.

802
Q

What is the difference between a credentialed scan
and an uncredentialed scan?

A. A credentialed scan is performed with system-level access, while an uncredentialed scan is
performed without system-level access.
B. A credentialed scan is performed without system-level access, while an uncredentialed scan is
performed with system-level access.
C. Both credentialed and uncredentialed scans are
performed with system-level access.
D. Both credentialed and uncredentialed scans are
performed without system-level access.

A

Answer: A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.

Explanation: A credentialed scan is performed with system-level access, and it can see everything that is happening on a given host. An uncredentialed scan is
performed without system-level access, and it can only see what is visible on the network.

803
Q

What is the purpose of a security control self-assessment?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security control self-assessment is a process where an organization evaluates its own security controls to ensure they are operating
effectively and as designed. It is a proactive measure to identify any potential issues before they become problems.

804
Q

What is the purpose of a risk-based approach to security testing?

A. To focus testing efforts on areas of greatest risk
B. To identify potential vulnerabilities in the system
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: A. To focus testing efforts on areas of greatest risk

Explanation: A risk-based approach to security testing allows an organization to focus its testing efforts on the areas of greatest risk. This approach ensures that resources are used effectively and that
high-risk areas receive the attention they require.

805
Q

What is the purpose of a security control in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To protect the system against potential threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To protect the system against potential threats

Explanation: A security control is a safeguard or countermeasure designed to avoid, counteract, or minimize security risks. In the context of an organization’s security strategy, the purpose of a
security control is to protect the system against potential threats.

806
Q

What is the difference between a false positive and a false negative in the context of security monitoring?

A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.
B. A false positive is when the system says everything is fine, but a vulnerability exists, while a false negative is when the system claims a vulnerability exists, but there is none.
C. Both false positives and false negatives are when the system claims a vulnerability exists, but there is none.
D. Both false positives and false negatives are when the system says everything is fine, but a vulnerability exists.

A

Answer: A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine,
but a vulnerability exists.

Explanation: A false positive is when the system claims a vulnerability exists, but there is none. This can lead to wasted resources as teams investigate
nonexistent issues. A false negative is when the system says everything is fine, but a vulnerability exists. This can lead to undetected breaches and significant damage.

806
Q

What is the purpose of a security control baseline in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To provide a starting point for the implementation of security controls
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To provide a starting point for the implementation of security controls

Explanation: A security control baseline provides a set of basic controls that an organization can use as a starting point for their security strategy. It provides a
foundation upon which additional, more specific controls can be built based on the organization’s unique risks and requirements.

807
Q

What is the purpose of the “Process for Attack Simulation and Threat Analysis” (PASTA) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To simulate potential attack scenarios and analyze threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To simulate potential attack scenarios and analyze threats

Explanation: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling methodology that aims to provide a dynamic threat identification, enumeration, and scoring process. It
simulates potential attack scenarios and analyzes threats in a structured and methodical way.

808
Q

What is the difference between a Type 1 SOC report and a Type 3 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
C. Both Type 1 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 1 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A

Answer: A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.

Explanation: A Type 1 SOC report focuses on the design of controls at a point in time. A Type 3 SOC report, on the other hand, examines not only the design of a control but also its operating effectiveness over a period of time.

809
Q

What is the purpose of the “Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege” (STRIDE) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To categorize potential threats to the system
C. To simulate potential attack scenarios
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To categorize potential threats to the system

Explanation: The STRIDE methodology is a threat modeling technique used to categorize potential threats to a system. It stands for Spoofing, Tampering, Repudiation, Information disclosure,
Denial-of-Service, and Elevation of privilege.

810
Q

What is the difference between a Type 2 SOC report and a Type 3 SOC report?

A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
B. A Type 2 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
C. Both Type 2 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 2 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A

Answer: A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of
controls at a point in time.

Explanation: A Type 2 SOC report examines not only the design of a control but also its operating effectiveness over a period of time. A Type 3 SOC report, on the other hand, focuses on the design of controls at a point in time.

811
Q

What is the purpose of Real User monitoring (RUM) in operational testing?

A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. RUM is an active monitoring technique that monitors user interactions and activity with a website or application.
C. RUM is a passive monitoring technique that monitors the performance of a website or application under load.
D. RUM is an active monitoring technique that monitors the performance of a website or application under load.

A

Answer: A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.

Explanation: Real User Monitoring (RUM) is a passive monitoring technique that monitors user interactions and activity with a website or application. It provides insights in

812
Q

What is the purpose of Synthetic Performance Monitoring in operational testing?

A. Synthetic Performance Monitoring is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.
C. Synthetic Performance Monitoring is a passive monitoring technique that monitors the performance of a website or application under load.
D. Synthetic Performance Monitoring is an active monitoring technique that monitors the performance of a website or application under load.

A

Answer: B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.

Explanation: Synthetic Performance Monitoring examines functionality as well as functionality and performance under load. Test scripts for each type of functionality can be created and then run at any time.

813
Q

What is the purpose of the Common Vulnerabilities and Exposures (CVE) dictionary in the context of
interpreting and understanding results from activities like vulnerability scanning, banner grabbing, and fingerprinting?

A. CVE is a list of records for publicly known cybersecurity vulnerabilities.
B. CVE reflects a method to characterize a vulnerability through a scoring system considering various characteristics.
C. CVE is a method to identify the unique characteristics of a system through an examination of how packets and other system level information are formed.
D. CVE is a method to identify a system’s operating
system, applications, and versions.

A

Answer: A. CVE is a list of records for publicly known cybersecurity vulnerabilities.

Explanation: CVE, also known as Common
Vulnerabilities and Exposures dictionary, is “a list of records – each containing an identification number, a description, and at least one public reference – for publicly known cybersecurity vulnerabilities.”

814
Q

What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in the context of runtime
testing?

A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.
B. SAST involves focusing on the application and system as the underlying code executes when an application is running, while DAST involves examining the underlying source code when an application is not running.
C. Both SAST and DAST involve examining the underlying source code when an application is not running.
D. Both SAST and DAST involve focusing on the application and system as the underlying code executes when an application is running.

A

Answer: A. SAST involves examining the underlying source code when an application is not running, while
DAST involves focusing on the application and system as the underlying code executes when an application is running.

Explanation: Static Application Security Testing (SAST) involves examining the underlying source code when an application is not running. This is a
form of white box testing. Dynamic Application Security Testing (DAST), on the other hand, involves focusing on the application and system as the
underlying code executes when an application is running. This is a form of black box testing.

815
Q

What is the difference between blind testing and double-blind testing in the context of vulnerability
assessment and penetration testing?

A. Blind testing involves the assessor being given little to no information about the target being tested, while double-blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.
B. Blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests, while double-blind testing involves the assessor being
given little to no information about the target being tested.
C. Both blind testing and double-blind testing involve the assessor being given little to no information about the target being tested.
D. Both blind testing and double-blind testing involve the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.

A

Answer: A. Blind testing involves the assessor being given little to no information about the target being tested, while double-blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the
upcoming tests.

Explanation: In blind testing, the assessor is given little to no information about the target being tested. In double-blind testing, not only is the assessor given little to no information about the target, but the IT
and Security Operations teams are also not informed about the upcoming tests.

816
Q

What is the difference between circular overwrite and clipping levels in the context of log file management?

A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log a given event based upon threshold settings.
B. Circular overwrite focuses on when to log a given event based upon threshold settings, while clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
C. Both circular overwrite and clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
D. Both circular overwrite and clipping levels focus on when to log a given event based upon threshold settings.

A

Answer: A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log
a given event based upon threshold settings.

Explanation: Circular overwrite is a method of log file management that limits the maximum size of a log file by overwriting entries, starting from the earliest.
Clipping levels, on the other hand, focus on when to log a given event based upon threshold settings, which can also help limit log file sizes.

817
Q

What are the three types of audit strategies mentioned in the context of organizational audit strategies?

A. Internal, external, and fourth party
B. Internal, external, and third party
C. First party, second party, and third party
D. Internal, external, and inter-party

A

Answer: B. Internal, external, and third party

Explanation: The three types of audit strategies mentioned are internal, external, and third party. Each of these strategies has a different focus and is used in different contexts within an organization’s
overall audit strategy.

818
Q

What are the different types of coverage testing you need to explain for the CISSP exam?

A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative
B. Black box, white box, dynamic, static, manual, automated, structural, positive, negative
C. Black box, white box, dynamic, static, manual, automated, structural, functional, positive
D. Black box, white box, dynamic, static, manual, automated, structural, functional, neutral

A

Answer: A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative

Explanation: The types of coverage testing that you need to explain for the CISSP exam are black box, white box, dynamic, static, manual, automated, structural, functional, and negative.

819
Q

What is the difference between awareness, training, and education in the context of security process data collection?

A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”
B. Awareness refers to the “how” of an organization’s policy or procedure, training refers to the “why,” and education refers to the “what.”
C. Awareness refers to the “why” of an organization’s policy or procedure, training refers to the “what,” and education refers to the “how.”
D. Awareness, training, and education all refer to the “what” of an organization’s policy or procedure.

A

Answer: A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”

Explanation: Awareness refers to the “what” of an organization’s policy or procedure, aiming at knowledge retention. Training focuses on the “how,” enabling the ability to complete a task and apply problem-solving at the application level. Education focuses on the “why,” providing an understanding of
the big picture and enabling design-level problem solving with architectural exercises.

820
Q

What is the purpose of breach attack simulations in the context of security controls?

A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.
B. Breach attack simulations are where you simulate real-world attacks in a controlled environment, typically both manual and occasionally running.
C. Breach attack simulations are where you simulate hypothetical attacks across your whole environment, typically both automatic and always running.
D. Breach attack simulations are where you simulate
hypothetical attacks in a controlled environment,
typically both manual and occasionally running.

A

Answer: A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.

Explanation: Breach attack simulations simulate real-world attacks across the entire environment. They are typically automatic and always running, using tools that are constantly updated and provide
remediation steps and documentation.

821
Q

What is the role of security control compliance checks?

A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.
B. Security control compliance checks are
occasionally performed to assess whether the organization is currently following their controls.
C. Security control compliance checks are regularly performed to assess whether the organization is currently violating their controls.
D. Security control compliance checks are
occasionally performed to assess whether the organization is currently violating their controls.

A

Answer: A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. These checks can be automated and may use either
in-house or third-party tools. Failed compliance checks typically result in the organization investigating and remediating the issues found.

822
Q

What is the main difference between internal, external, and third-party audit strategies?

A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.
B. Internal audits ensure procedures/compliance are being followed with regular checks, external audits are closely aligned to the organization, and third-party audits provide a more in-depth, neutral audit.
C. Internal audits provide a more in-depth, neutral audit, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits are closely aligned to the organization.
D. All three types of audits are closely aligned to the organization.

A

Answer: A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.

Explanation: Internal audits should be closely aligned to the organization. The external strategy needs to ensure procedures/compliance are being
followed with regular checks and complement the internal strategy. The third-party strategy is an objective, neutral approach that reviews the overall
strategy for auditing the organization’s environment, methods of testing, and can also ensure that both internal and external audits are following defined policies and procedures.

823
Q

What is the main objective of breach attack simulations?

A. To simulate real-world attacks across the whole environment, typically both automatic and always running
B. To simulate hypothetical attacks across the whole environment, typically both automatic and always running
C. To simulate real-world attacks in a controlled environment, typically both automatic and always running
D. To simulate hypothetical attacks in a controlled
environment, typically both automatic and always running

A

Answer: A. To simulate real-world attacks across the whole environment, typically both automatic and always running

Explanation: Breach attack simulations are where you simulate real-world attacks. They are simulated across your whole environment and are typically both automatic and always running. Red and blue teams
use tools that are constantly updated and provide remediation steps and documentation.

824
Q

What is the main purpose of security control compliance checks?

A. To assess whether the organization is currently following their controls
B. To assess whether the organization is currently violating their controls
C. To assess whether the organization is currently updating their controls
D. To assess whether the organization is currently implementing their controls

A

Answer: A. To assess whether the organization is currently following their controls

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. This may be automated and use either in-house or third-party tools. Failed compliance checks normally end up in the organization investigating and remediating the
issues it found.

825
Q

What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts
B. To handle test results and report any results of concern to the IT department immediately so they can be aware of potential risks and alerts
C. To handle test results and report any results of concern to the security team immediately so they can be aware of potential risks and alerts
D. To handle test results and report any results of concern to the stakeholders immediately so they can be aware of potential risks and alerts.

A

Answer: A. To handle test results and report any results of concern to management immediately so
they can be aware of potential risks and alerts

Explanation: Those that analyze the security of an organization’s apps and services need to know how to handle test results. Any results of concern need to be
reported to management immediately so they can be aware of potential risks and alerts. The detail in reporting to management may be on a “need-to-know”
basis.

826
Q

What are the two primary categories of assessments
that you need to be aware of for the CISSP exam?

A. Formal assessments and informal assessments
B. Formal assessments and no-notice assessments
C. Informal assessments and no-notice assessments
D. Internal assessments and external assessments

A

Answer: A. Formal assessments and informal assessments

Explanation: The two primary categories of
assessments are formal assessments and informal assessments. Formal assessments are evaluations against a compliance standard, which includes
regulatory and other legal requirements.

827
Q

What are the key elements of an audit report?

A. Purpose, scope, results of the audit, audit events
B. Purpose, scope, results of the audit, audit strategies
C. Purpose, scope, results of the audit, audit techniques
D. Purpose, scope, results of the audit, audit procedures

A

Answer: A. Purpose, scope, results of the audit, audit events

Explanation: The key elements of an audit report are the purpose, scope, results of the audit, and audit events. The purpose outlines the reason for the audit,
the scope defines the boundaries of the audit, the results of the audit provide the findings, and the audit events detail the specific instances or activities
audited.

828
Q

What are the four types of SOC reports?

A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3
B. SOC 1, SOC 2 Type 1, SOC 2 Type 2, SOC 3
C. SOC 1, SOC 2, SOC 3 Type 1, SOC 3 Type 2
D. SOC 1 Type 1, SOC 2 Type 1, SOC 3 Type 1, SOC 4

A

Answer: A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3

Explanation: The four types of SOC reports are SOC 1 Type 1, SOC 1 Type 2, SOC 2, and SOC 3. Each type of report has a different focus and is used for different purposes within an organization’s overall
audit strategy.

829
Q

What are the two phases in preparing for the SOC audit?

A. Preparations phase and Audit phase
B. Preparations phase and Reporting phase
C. Audit phase and Reporting phase
D. Preparations phase and Review phase

A

Answer: A. Preparations phase and Audit phase

Explanation: There are two phases in preparing for the SOC audit: the Preparations phase and the Audit
phase. The Preparations phase involves scheduling, defining the scope, inventorying controls, conducting
a readiness review, and resolving discrepancies. The Audit phase involves creating a detailed project plan,
gathering artifacts, providing physical access and workspace, conducting meetings, testing, off-site analysis, issue resolution, providing audit reports, and
conducting a lessons learned review.

831
Q

What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To present the data in a meaningful way for most people who need the data
B. To present the data in a raw format for most people who need the data
C. To present the data in a meaningful way for a few gifted people who can draw salient conclusions
D. To present the data in a raw format for a few gifted people who can draw salient conclusions

A

Answer: A. To present the data in a meaningful way for most people who need the data

Explanation: Security controls, vulnerability scans, penetration tests, and audits – all these activities generate a significant amount of data. Perhaps a few gifted people can review the raw data and draw
salient conclusions, but most people need the data presented to them in a meaningful way.

832
Q

What is the main purpose of “no-notice” assessments?

A. To evaluate the situation without any forewarning of the evaluation
B. To evaluate the situation with prior notice of the evaluation
C. To evaluate the situation with occasional notice of the evaluation
D. To evaluate the situation with frequent notice of the evaluation

A

Answer: A. To evaluate the situation without any forewarning of the evaluation

Explanation: “No-notice” assessments are assessments where the situation being evaluated has no forewarning of the evaluation (e.g., spot check, desk audit). A no-notice assessment isn’t really a
“type” of assessment; it’s basically a surprise audit or an informal assessment where notice isn’t given. It can likely fit into a subcategory or type of informal
assessment.

833
Q

What is the main purpose of internal assessments?

A. To see if controls meet risk expectations or to see
if there are ways to improve efficiency of operations
B. To see if controls exceed risk expectations or to see if there are ways to improve efficiency of operations
C. To see if controls meet risk expectations or to see if there are ways to reduce efficiency of operations
D. To see if controls exceed risk expectations or to see if there are ways to reduce the efficiency of
operations

A

Answer: A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations

Explanation: Internal assessments are done for the purpose of seeing if controls meet risk expectations or to see if there are ways to improve efficiency of operations and how well an organization is prepared
for an external or formal audit. An internal
assessment might follow a formal process, but is most likely considered informal by nature.

834
Q

Among the following tools, which is predominantly designed to conduct network discovery scans to identify active hosts and open ports?

A. Nmap
B. OpenVAS
C. Metasploit Framework
D. lsof

A

Answer: A. Nmap

Explanation: Nmap (Network Mapper) is primarily used for network discovery and port scanning. It is a versatile tool that allows for the identification of active hosts and open ports within a network.

835
Q

After executing a network port scan from an external
network on an internal web server to simulate an
attacker’s viewpoint, which scan results should be of
utmost concern and warrant immediate attention?

A. Port 80 is open.
B. Port 22 is filtered.
C. Port 443 is open.
D. Port 1433 is open.

A

Answer: D. Port 1433 is open.

Explanation: Port 1433 is commonly associated with Microsoft SQL Server. An open SQL Server port exposed to an external network is a significant
security risk and should be addressed immediately.

836
Q

When devising a schedule for security testing of a specific system, which of the following factors should be excluded from your considerations?

A. The sensitivity level of the data stored on the system
B. The complexity involved in executing the test
C. The inclination to experiment with novel testing tools
D. The system’s attractiveness as a target for attackers

A

Answer: C. The inclination to experiment with novel testing tools

Explanation: The desire to experiment with new testing tools should not be a factor when planning a security testing schedule. The focus should be on the system’s security posture and potential risks.

837
Q

For whom is a security assessment report primarily intended?

A. Organizational management
B. The individual conducting the security audit
C. Security professionals within the organization
D. The organization’s customer base

A

Answer: A. Organizational management

Explanation: A security assessment report is primarily intended for organizational management. It provides them with an overview of the security posture of the system or network, allowing them to make informed decisions regarding security policies and resource allocation.

838
Q

Which port number is customarily designated for establishing administrative connections via the Secure Shell (SSH) protocol?

A. 20
B. 22
C. 25
D. 80

A

Answer: B. 22
Explanation: Port 22 is the standard port used for SSH connections, commonly employed for secure server access.

839
Q

Among the listed testing methodologies, which one furnishes the most comprehensive and precise insights into a server’s security posture?

A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan

A

Answer: D. Authenticated scan

Explanation: An authenticated scan provides the most detailed information about the security state of a server. It allows for a deeper system inspection by using valid credentials to access it.

840
Q

Which variant of network discovery scan employs only the initial two steps of the TCP three-way handshake and does not complete the connection?

A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan

A

Answer: C. TCP SYN scan
Explanation: A TCP SYN scan, also known as a “half-open” scan, utilizes only the first two steps of the TCP three-way handshake. It sends a SYN packet and waits for a SYN-ACK response but does not send the final ACK packet to complete the handshake. A SYN-ACK marks the port as open, a RST as closed, and no reply at all as filtered.
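The handshake-based port states above, shown in working code. This is an added example, not part of the flashcard deck. A true SYN scan needs raw sockets (root), so the example uses a full connect() scan instead and classifies each port by how the connection attempt ends: a completed handshake means open, a RST (ConnectionRefusedError) means closed, and a timeout means filtered. The listener it scans is constructed on 127.0.0.1 inside the example; the function names are this example’s own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port with a full connect(), i.e. all three handshake steps.

    A SYN scan stops after the SYN-ACK and needs raw sockets (root); a connect
    scan finishes the handshake and closes, so it runs unprivileged but leaves
    a completed connection in the target application's logs.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"        # SYN-ACK came back and the handshake completed
        except ConnectionRefusedError:
            return "closed"      # RST came back: host is up, nothing listening
        except OSError:
            return "filtered"    # timeout or unreachable: a firewall dropped the probe


def connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Scan many ports concurrently and return {port: 'open'|'closed'|'filtered'}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_local_listener() -> tuple:
    """Constructed target: a throwaway service on 127.0.0.1 for the scan to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 lets the kernel pick a free port
    srv.listen(8)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Find a port nothing is listening on, so the scan has a 'closed' case too."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> dict:
    """Scan the constructed listener plus one closed port; return ports and states."""
    srv, open_port = start_local_listener()
    closed_port = free_port()
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["scan"].items()):
        print(f"127.0.0.1:{port}  {state}")
```

Against a real host the same function is pointed at a port range; note that the "filtered" verdict relies on the timeout, so a slow network can misreport closed ports as filtered unless the timeout is raised.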

841
Q

Which tool from the following options is most suitable for SQL injection vulnerability detection?

A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner

A

Answer: D. Web vulnerability scanner

Explanation: A web vulnerability scanner is specifically designed to identify vulnerabilities in web applications, including SQL injection flaws.
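What a web vulnerability scanner actually does to a request parameter when it looks for SQL injection, as an added example that is not part of the deck. It puts a string-concatenated query beside its parameterized fix and runs the same two scanner probes against each: a stray quote (error-based detection) and an OR clause that widens the WHERE condition (boolean-based detection). The in-memory SQLite table, user names and function names are all constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample backend standing in for a web application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                   [("alice", 1), ("bob", 0), ("carol", 0)])
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """Injectable: the request parameter is spliced into the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db: sqlite3.Connection, username: str) -> list:
    """Fixed: a bound parameter is passed as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


# Two classic probes: one breaks the quoting, one changes the WHERE logic.
PROBES = ("'", "' OR '1'='1")


def sqli_check(handler, db: sqlite3.Connection, value: str = "nobody") -> dict:
    """The per-parameter logic a web vulnerability scanner applies.

    It records a baseline response for a harmless value, then appends each
    probe and looks for the two tell-tale differences: a database error
    (error-based detection) or more rows than the baseline (boolean-based).
    Returns {probe: finding}; an empty dict means nothing suspicious was seen.
    """
    baseline = handler(db, value)
    findings = {}
    for probe in PROBES:
        try:
            rows = handler(db, value + probe)
        except sqlite3.DatabaseError as exc:
            findings[probe] = f"error-based: {exc}"
            continue
        if len(rows) > len(baseline):
            findings[probe] = f"boolean-based: {len(rows)} rows, baseline {len(baseline)}"
    return findings


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", sqli_check(lookup_vulnerable, db))
    print("hardened:  ", sqli_check(lookup_hardened, db))
```

A real scanner sends the probes over HTTP and compares response bodies and status codes rather than row lists, but the decision logic is the same: a probe that changes the result in a way the baseline did not is the finding.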

842
Q

On a system operating an HTTP server without encryption, which port is generally left open to facilitate communication?

A. 22
B. 80
C. 143
D. 443

A

Answer: B. 80

Explanation: Port 80 is the standard port for unencrypted HTTP traffic. Servers running unencrypted HTTP services typically listen on this port.

843
Q

Following a recent cyberattack that led to an extended service outage within your organization, you are tasked with inspecting systems for known vulnerabilities that could be exploited in future attacks. Which of the following options would be the most effective for identifying such vulnerabilities?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

A

Answer: B. Vulnerability scanner
Explanation: A vulnerability scanner is specifically designed to automatically identify known vulnerabilities in systems and networks, making it the most effective choice for this scenario.

844
Q

Among the listed processes, which one is most likely to provide a comprehensive inventory of all security risks present within a system?

A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan

A

Answer: D. Vulnerability scan
Explanation: A vulnerability scan is designed to identify known security risks in a system by probing for its configuration, software, and hardware weaknesses.

845
Q

A newly appointed Chief Information Officer (CIO) discovers that the organization lacks a formal change management program and mandates its immediate implementation. What would be a primary objective of instituting such a program?

A. Ensuring the safety of personnel
B. Facilitating the rollback of changes
C. Ensuring that implemented changes do not compromise security
D. Auditing privileged access

A

Answer: C. Ensuring that implemented changes do not compromise security

Explanation: One of the primary goals of a change management program is to ensure that any changes made to systems or processes do not adversely affect the organization’s security posture.

846
Q

Among the following cloud service models, which affords an organization the highest degree of administrative control while also necessitating that the organization assume full responsibility for maintaining operating systems and applications?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Public Cloud Service

A

Answer: A. Infrastructure as a Service (IaaS)

Explanation: Infrastructure as a Service (IaaS) provides an organization with the most control over its cloud resources, including virtual machines, storage, and networking. However, this level of control comes with the responsibility of managing and maintaining the operating systems and applications.

847
Q

Among the following elements, which one is typically not a component of a comprehensive security assessment?

A. Conducting a vulnerability scan
B. Performing a risk assessment
C. Implementing vulnerability mitigation measures
D. Carrying out a threat assessment

A

Answer: C. Implementing vulnerability mitigation measures

Explanation: A security assessment focuses on identifying vulnerabilities, assessing risks, and evaluating threats. The actual mitigation of vulnerabilities is usually a separate process that follows the assessment.

849
Q

Which of the following steps is executed first?

A. Response
B. Mitigation
C. Remediation
D. Lessons learned

A

Answer: A. Response
Explanation: In the (ISC)² incident management sequence (detection, response, mitigation, reporting, recovery, remediation, lessons learned), response is the first of the listed options. It follows detection and precedes mitigation, the step in which the incident is contained.

850
Q

Security administrators are in the process of reviewing the entire set of data collected through event logging. What is the most accurate term to describe this collection of data?

A. Identification
B. Audit trails
C. Authorization
D. Confidentiality

A

Answer: B. Audit trails
Explanation: The term “audit trails” best describes the body of data collected through event logging. Audit trails are records that provide documentary evidence of sequences of activities that have affected at any time a specific operation, procedure, or event.

851
Q

Which network device is most likely to be connected to this mirrored port?

A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A honeypot
D. A sandbox

A

Answer: B. An intrusion detection system (IDS)

Explanation: A mirrored port is often used to connect an intrusion detection system (IDS) for monitoring network traffic. The mirror port only receives copies of frames, which suits a passive sensor such as an IDS; an IPS must sit inline to block traffic.

852
Q

A network is equipped with a network-based intrusion detection system (NIDS). Security administrators later discover that an attack penetrated the network without triggering an alarm from the NIDS. What is this scenario best described as?

A. A false positive
B. A false negative
C. A Fraggle attack
D. A Smurf attack

A

Answer: B. A false negative
Explanation: A false negative occurs when an intrusion detection system fails to detect an actual attack, allowing it to penetrate the network without raising an alarm.

853
Q

Among the following actions, which one is most likely to be indicative of a terrorist attack, as opposed to other forms of cyberattacks?

A. Tampering with sensitive trade secret documents
B. Disrupting communication capabilities in preparation for a physical attack
C. Exfiltrating unclassified information
D. Illicitly transferring funds to foreign countries

A

Answer: B. Disrupting communication capabilities in preparation for a physical attack

Explanation: Disrupting an organization’s ability to communicate and respond to a physical attack is most indicative of a terrorist attack, as it aims to cause widespread harm and panic.

854
Q

Which of the following actions would not align with the primary objectives typically associated with a grudge attack?

A. Publicly disclosing embarrassing personal information
B. Deploying a virus on the target organization’s systems
C. Sending emails with inappropriate content from a spoofed address of the victim organization
D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems

A

Answer: D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems
Explanation: Grudge attacks are usually motivated by personal vendettas and aim to cause embarrassment or harm to the target. Scanning for vulnerable ports is more indicative of a broader cyberattack rather than a grudge attack.

855
Q

What is the paramount rule to adhere to during the process of evidence collection in a cyber investigation?

A. Refrain from shutting down the computer until the screen is photographed
B. Document the names of all individuals present during the collection
C. Avoid altering the evidence during the collection process
D. Transport all collected equipment to a secure storage facility

A

Answer: C. Avoid altering the evidence during the collection process

Explanation: The integrity of evidence is crucial in any investigation. Therefore, avoiding any modification to the evidence during its collection is paramount.

856
Q

What category of evidence encompasses written documents presented in court to substantiate a particular fact?

A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence

A

Answer: C. Documentary evidence

Explanation: Documentary evidence refers to written documents that are used in court to prove a fact.

865
Q

Among the following types of investigations, which one necessitates the highest standard of evidence for prosecution?

A. Administrative
B. Civil
C. Criminal
D. Regulatory

A

Answer: C. Criminal
Explanation: Criminal investigations require the highest standard of evidence, often “beyond a reasonable doubt,” due to the severe consequences involved, such as imprisonment.

866
Q

What is the expected conduct for CISSP holders?

A. Act honestly, diligently, responsibly, and legally
B. Act honorably, honestly, justly, responsibly, and legally
C. Uphold the security policy and protect the organization
D. Act in a trustworthy, loyal, friendly, and courteous manner

A

Answer: B. Act honorably, honestly, justly,
responsibly, and legally

Explanation: The (ISC)² Code of Ethics outlines that CISSPs are expected to act honorably, honestly, justly, responsibly, and legally.

867
Q

Which kind of identity platform would be most suitable for ensuring the continuous availability of authentication services?

A. On-site
B. Cloud based
C. Hybrid
D. Outsourced

A

Answer: B. Cloud based

Explanation: A cloud-based identity platform typically offers high availability and redundancy, making it a suitable choice when availability is the organization’s biggest priority.

868
Q

Which technology should you consider implementing
to facilitate sharing identity information with a business partner?

A. Single Sign-On
B. Multifactor authentication
C. Federation
D. Identity as a Service (IDaaS)

A

Answer: C. Federation

Explanation: Federation allows for sharing identity information across different organizations and systems, making it the most appropriate choice for sharing identity information with a business partner.

869
Q

Which guiding principle mandates that an individual exerts every effort to fulfill their responsibilities accurately and within a reasonable time frame?

A. Least privilege
B. Separation of duties
C. Due care
D. Due diligence

A

Answer: C. Due care

Explanation: The principle of “due care” requires that an individual should act responsibly and take the necessary steps to complete their responsibilities accurately and in a timely manner.

870
Q

Which metric would provide crucial information regarding the maximum duration the organization can afford without a particular service before incurring irreparable damage?

A. Maximum tolerable downtime (MTD)
B. Annualized loss expectancy (ALE)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)

A

Answer: A. Maximum tolerable downtime (MTD)

Explanation: Maximum tolerable downtime (MTD) is the metric that indicates the longest period of time a business process can be inoperative before causing irreparable harm to the organization.

871
Q

Which of the following is the primary purpose of a vulnerability assessment?

A. To exploit vulnerabilities in a system
B. To determine the effectiveness of security controls
C. To identify weaknesses in a system without exploiting them
D. To test the organization’s incident response capability

A

Answer: C. To identify weaknesses in a system without exploiting them

Explanation: A vulnerability assessment aims to identify vulnerabilities in a system, application, or network without actually exploiting them. This is different from a penetration test, which attempts to exploit the vulnerabilities.

872
Q

What is the primary difference between a white box and a black box test?

A. The tools used for testing
B. Knowledge of the system’s architecture and design
C. The time taken to complete the test
D. The outcome of the test

A

Answer: B. Knowledge of the system’s architecture and design

Explanation: In a white box test, the tester has knowledge of the system’s architecture and design, whereas in a black box test, the tester has no such knowledge and tests the system from an outsider’s perspective.

873
Q

Which phase of the penetration testing process involves gathering as much information as possible about the target system before launching an attack?

A. Exploitation
B. Post-exploitation
C. Reconnaissance
D. Scanning

A

Answer: C. Reconnaissance

Explanation: The reconnaissance phase of penetration testing involves collecting information about the target system, often without directly interacting with it. This phase helps the tester understand the system and identify potential vulnerabilities.

874
Q

During a security assessment, a tester identifies a vulnerability but does not have a tool or an exploit to take advantage of it. What should the tester do next?

A. Ignore the vulnerability.
B. Manually attempt to exploit the vulnerability.
C. Report the vulnerability to the organization.
D. Wait for a tool to become available.

A

Answer: C. Report the vulnerability to the organization.

Explanation: Even if the tester cannot exploit a vulnerability, it’s essential to report it to the organization. This allows the organization to take corrective measures and ensure that potential attackers cannot exploit the vulnerability in the future.

875
Q

Which of the following best describes a false positive in the context of security testing?

A. A vulnerability that is correctly identified but cannot be exploited
B. A vulnerability that is misclassified by the testing tool
C. An identified vulnerability that does not actually exist
D. A vulnerability that is missed by the testing tool

A

Answer: C. An identified vulnerability that does not actually exist

Explanation: A false positive refers to a situation where a security testing tool or process identifies a vulnerability that, upon further investigation, does not actually exist. It’s an erroneous alert that can lead to wasted resources if not correctly identified.

876
Q

For which attack type is IP spoofing most frequently utilized?

A. Salami
B. Keystroke logging
C. Denial of service (DoS)
D. Data diddling

A

Answer: C. Denial of service (DoS)

Explanation: IP spoofing is a technique where an attacker sends IP packets from a false source address. This is often used in denial-of-service (DoS) attacks to mask the true origin of the attack and to amplify the attack by involving innocent third-party systems.

877
Q

Which statement accurately characterizes session hijacking?

A. Session hijacking initially undermines the DNS process, allowing an attacker to exploit an existing TCP connection.

B. Session hijacking manipulates the UDP protocol, enabling an attacker to leverage an ongoing connection.

C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.

D. Session hijacking begins by compromising the DNS process, subsequently allowing an attacker to exploit an established UDP connection.

A

Answer: C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.

Explanation: Session hijacking, also known as session takeover, involves an attacker taking over an established session between a client and a server. At the transport layer the target is the TCP connection: an attacker who can predict or observe the sequence numbers can inject packets and take over the connection. The same idea applies at the application layer, where stealing or predicting a session token lets the attacker impersonate the victim.

878
Q

Following a series of email scams targeting your company’s employees, which solution would most effectively address these attacks?

A. Enforce a stringent password policy mandating complex passwords.
B. Initiate an employee training and awareness campaign.
C. Enhance the company’s email filtering capabilities.
D. Implement a policy limiting email to strictly official purposes.

A

Answer: B. Initiate an employee training and awareness campaign.

Explanation: While all the options have their merits, the most effective way to combat email scams, such as phishing, is through user education. Training employees to recognize and avoid suspicious emails can significantly reduce the risk of successful attacks.

879
Q

Which statement is part of the ISC2 Code of Ethics?

A. One must not use a computer to harm others.
B. Violating user privacy is deemed unethical.
C. All information should be universally accessible.
D. Conduct oneself with honor, honesty, justice, responsibility, and within the bounds of the law.

A

Answer: D. Conduct oneself with honor, honesty, justice, responsibility, and within the bounds of the law.

Explanation: The ISC2 Code of Ethics emphasizes professional and ethical behavior. The mentioned statement aligns with the principles set forth by ISC2 for its members.

880
Q

Which group poses the most significant threat to your organization?

A. Internal employees
B. Corporate espionage agents
C. State-sponsored agents
D. Novice hackers

A

Answer: A. Internal employees
Explanation: Insiders, or internal employees, often have access to sensitive information and systems. Their familiarity with the organization’s infrastructure and potential grievances can make them a significant threat.

881
Q

What does Locard’s exchange principle assert?

A. The continuity of evidence must remain unbroken.
B. Trace evidence always exists.
C. A crime necessitates means, motive, and opportunity.
D. Authenticating evidence requires checksums.

A

Answer: B. Trace evidence always exists.

Explanation: Locard’s exchange principle posits that every contact leaves a trace. This means that whenever two objects come into contact, there will always be an exchange of material.

882
Q

Which global entity was founded to standardize the treatment of forensic evidence?

A. The Global Forensic Analysis Organization
B. The European Union’s Criminal Evidence Policy Council
C. The United Nations Computer Evidence Committee
D. The International Organization on Computer Evidence

A

Answer: D. The International Organization on Computer Evidence

Explanation: The International Organization on Computer Evidence (IOCE) was established to provide international standards for digital evidence handling and processing.

883
Q

For evidence to be admissible in court, it must not be?

A. Pertinent
B. Preserved correctly
C. Recognizable
D. Justified

A

Answer: D. Justified

Explanation: Evidence must be relevant, properly preserved, and identifiable to be admissible in court. “Justified” is not a criterion for evidence admissibility.

884
Q

How is hearsay evidence best defined?

A. Admissible in civil proceedings
B. Inadmissible in court
C. Regarded as third-tier information
D. Used to corroborate evidence presented as the best evidence

A

Answer: B. Inadmissible in court

Explanation: Hearsay evidence refers to statements made outside of court that are presented as evidence for the truth of the matter asserted in the statement. Generally, hearsay is not admissible in court unless it falls under specific exceptions.

885
Q

In what fundamental way do ethical hackers differ from malicious hackers?

A. They are authorized to dismantle networks.
B. Their primary objective is to avoid causing harm.
C. They are immune to legal repercussions for damages.
D. They are exempt from legal prosecution.

A

Answer: B. Their primary objective is to avoid causing harm.

Explanation: Ethical hackers, also known as “white hat” hackers, are professionals who test systems for vulnerabilities with the intent of identifying and fixing them, not exploiting them. They operate with permission and aim to improve security without causing harm.

886
Q

In the realm of computer forensics, which component should be prioritized for examination?

A. Hard disk drives
B. DVD media
C. Random Access Memory (RAM) content
D. Printed outputs from the computer

A

Answer: C. Random Access Memory (RAM) content

Explanation: The contents of RAM are volatile, meaning they are lost when the power is turned off. RAM can contain valuable information such as encryption keys, running processes, and other transient data. Therefore, it’s crucial to capture this information first before it’s lost.

887
Q

How is the tool SATAN best characterized?

A. A utility for password decryption
B. A tool for analyzing audit logs
C. A software for system exploitation
D. A scanner for system vulnerabilities

A

Answer: D. A scanner for system vulnerabilities

Explanation: SATAN (Security Administrator Tool for Analyzing Networks) is a tool designed to detect vulnerabilities in computer networks. It helps administrators identify potential security risks in their systems.

888
Q

What should an investigator ensure during the duplication in computer forensics?

A. Create an exact duplicate.
B. Generate a bit-by-bit copy.
C. Produce a logical copy.
D. Format the destination drive to erase any existing data before duplication.

A

Answer: B. Generate a bit-by-bit copy.

Explanation: In computer forensics, it’s essential to make a bit-level copy (or bit-by-bit copy) of the original evidence to ensure that all data, including deleted files and slack space, is captured. This ensures the integrity of the evidence and allows for a thorough investigation.
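The difference between a bit-level image and a logical copy, and the hash check that ties the image to the original, in working code. This is an added example and not part of the deck. The "device" is a constructed 4 KiB file with an invented two-field allocation header, one live file and a remnant of a deleted file sitting in unallocated space; the function names are this example’s own. The bit-level imager reads straight through to end-of-device in sector-sized blocks and hashes both the source and the written image, which is the pair of values an examiner records for chain of custody.

```python
import hashlib
from pathlib import Path
import tempfile

BLOCK = 512  # sector-sized reads, as a disk imager would use


def build_sample_disk(path: Path) -> None:
    """Constructed evidence: a 4 KiB 'device' holding one live file and a remnant.

    Layout (invented for this example): 6-byte magic, then big-endian offset and
    length of the single allocated file. Everything else is unallocated space,
    and part of it still holds data from a file the user deleted.
    """
    live = b"quarterly-report: nothing to see here"
    remnant = b"DELETED: wire 40000 to account 7788"
    disk = bytearray(4096)
    header = b"FAKEFS" + (64).to_bytes(4, "big") + len(live).to_bytes(4, "big")
    disk[: len(header)] = header
    disk[64 : 64 + len(live)] = live
    disk[2048 : 2048 + len(remnant)] = remnant   # not referenced by the header
    path.write_bytes(bytes(disk))


def logical_copy(src: Path, dst: Path) -> int:
    """File-level copy: follows the allocation header and copies only the live file."""
    data = src.read_bytes()
    offset = int.from_bytes(data[6:10], "big")
    length = int.from_bytes(data[10:14], "big")
    dst.write_bytes(data[offset : offset + length])
    return length


def image_device(src: Path, dst: Path, block_size: int = BLOCK) -> dict:
    """Bit-for-bit copy of src into dst, hashing both sides for the custody log.

    Reading straight through to end-of-device copies slack and unallocated
    sectors along with allocated files, which a logical copy leaves behind.
    """
    src_hash = hashlib.sha256()
    total = 0
    with src.open("rb") as fin, dst.open("wb") as fout:
        for block in iter(lambda: fin.read(block_size), b""):
            src_hash.update(block)
            fout.write(block)
            total += len(block)
    # Hash the image by re-reading it from disk, so the check covers what was written.
    img_hash = hashlib.sha256()
    with dst.open("rb") as fin:
        for block in iter(lambda: fin.read(block_size), b""):
            img_hash.update(block)
    return {
        "bytes": total,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.digest() == img_hash.digest(),
    }


def demo() -> dict:
    """Image the constructed disk both ways and report what each copy preserves."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "evidence.img"
        bit_image = Path(tmp) / "evidence.dd"
        file_copy = Path(tmp) / "evidence.logical"
        build_sample_disk(device)
        report = image_device(device, bit_image)
        logical_copy(device, file_copy)
        report["remnant_in_bit_image"] = b"DELETED:" in bit_image.read_bytes()
        report["remnant_in_logical_copy"] = b"DELETED:" in file_copy.read_bytes()
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real drive the source would be a block device opened read-only behind a write blocker, and the hashes would be recorded before and after the examination to show the evidence was not altered.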

889
Q

Which type of penetration testing evaluates the access capabilities of internal users?

A. White box testing
B. Gray box testing
C. Black box testing
D. Blue box testing

A

Answer: A. White box testing

Explanation: White box testing, also known as clear box testing, is a method where the tester has complete knowledge of the system’s internals. In the context of penetration testing, it simulates what insiders with knowledge of the system can access and potentially exploit.

890
Q

Which group of individuals is notorious for targeting PBX and telecommunication infrastructures?

A. Novice hackers
B. Phreakers
C. System breakers
D. Ethical hackers

A

Answer: B. Phreakers

Explanation: Phreakers are individuals who manipulate telecommunication systems, especially to make free calls. They have historically been associated with exploring and exploiting the vulnerabilities of PBX (Private Branch Exchange) systems and other telecommunication platforms.

891
Q

What is the difference between validation and verification in the context of security assessment and testing?

A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.

B. Validation checks if the product is being built correctly, while verification checks if the right product is being built.

C. Validation and verification both check if the right product is being built.

D. Validation and verification both check if the product is being built correctly.

A

Answer: A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.

Explanation: Validation is concerned with answering the question: Is the right product being built? It checks the product against the user’s actual needs. Verification confirms that the application or product is being built correctly, by checking it against its specification and design.

892
Q

What is the purpose of fuzz testing?

A. To check if the application responds correctly to normal inputs
B. To check if the application responds correctly to erroneous inputs
C. To throw randomness at an application to see how it responds and where it might “break”
D. To check if the application responds correctly to both normal and erroneous inputs

A

Answer: C. To throw randomness at an application to see how it responds and where it might “break”

Explanation: Fuzz testing involves throwing randomness at an application to see how it responds and where it might “break.” It is a form of dynamic testing.
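A working mutation fuzzer, as an added example that is not part of the deck. The target is a constructed tag-length-value record parser with three planted bugs; the parser rejects malformed input with its own ParseError, and the fuzzer treats that as expected while counting any other exception as a place where the parser “breaks”. The seeds, the record layout and the function names are all assumptions of this example. The random generator is seeded so every crash it finds can be replayed.

```python
import random


class ParseError(ValueError):
    """The parser's documented rejection of malformed input: expected, not a bug."""


LEVELS = {0: "low", 1: "medium", 2: "high"}


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target: a tiny tag-length-value record parser with bugs.

    Layout: 1-byte tag, 1-byte length, then `length` payload bytes.
    Tag 1 = "key=value" text, tag 2 = a ratio of two bytes, tag 3 = a level code.
    """
    if len(data) < 2:
        raise ParseError("truncated header")
    tag, length = data[0], data[1]
    payload = data[2 : 2 + length]
    if len(payload) != length:
        raise ParseError("truncated payload")
    if tag == 1:
        parts = payload.split(b"=")
        return {"kind": "pair", "key": parts[0], "value": parts[1]}   # bug: no '=' -> IndexError
    if tag == 2:
        return {"kind": "ratio", "value": payload[0] / payload[1]}    # bugs: short payload, zero divisor
    if tag == 3:
        return {"kind": "level", "value": LEVELS[payload[0]]}         # bug: unknown code -> KeyError
    raise ParseError(f"unknown tag {tag}")


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a valid seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "replace"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        else:  # replace with a boundary value fuzzers favour
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF))
    return bytes(data)


# Valid records to mutate from (constructed): one of each tag.
SEEDS = [b"\x01\x03a=b", b"\x02\x02\x06\x03", b"\x03\x01\x02"]


def fuzz(target, seeds, iterations: int = 8000, seed: int = 7) -> dict:
    """Mutation fuzzer: returns {exception class name: first input that caused it}.

    ParseError is the parser saying "no" politely and is ignored; any other
    exception is a place where the parser breaks on input it never expected.
    """
    rng = random.Random(seed)   # fixed seed so every crash is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ParseError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, case in fuzz(parse_record, SEEDS).items():
        print(f"{name}: {case!r}")
```

Each crash input the fuzzer returns reproduces the same exception when fed back to the parser, which is what makes the finding actionable; in native code the equivalent signal is a crash or a sanitizer report rather than a Python exception.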

893
Q

What is the difference between a vulnerability assessment and a penetration testing?

A. A vulnerability assessment identifies potential vulnerabilities and attempts to exploit them, while a penetration test only identifies potential vulnerabilities.

B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.

C. Both vulnerability assessment and penetration test identify potential vulnerabilities and attempt to exploit them.

D. Both vulnerability assessment and penetration test only identify potential vulnerabilities.

A

Answer: B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.

Explanation: Both processes start the same way as they seek to identify potential vulnerabilities. However, with a vulnerability assessment, once vulnerabilities are noted, no further action is taken apart from producing a report of findings. A penetration test goes an essential step further: after identifying vulnerabilities, an attempt is made to exploit each vulnerability.

894
Q

What are the two primary types of vulnerability scans?

A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans
B. Internal scans and external scans
C. Manual scans and automated scans
D. Static scans and dynamic scans

A

Answer: A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans

Explanation: There are two primary types of vulnerability scans: credentialed/authenticated scans and uncredentialed/unauthenticated scans.

895
Q

What is the purpose of security assessment and testing in the context of an organization’s security strategy?

A. To ensure that security requirements/controls are defined, tested, and operating effectively

B. To ensure that the organization’s security strategy is aligned with its business goals

C. To ensure that the organization’s security strategy is compliant with regulatory requirements

D. To ensure that the organization’s security strategy is cost-effective

A

Answer: A. To ensure that security requirements/controls are defined, tested, and operating effectively

Explanation: Security assessment and testing ensure that security requirements/controls are defined, tested, and operating effectively. It applies to the development of new applications and systems as well as the ongoing operations, including end of life, related to assets.

896
Q

What is the difference between a SOC 1 report and a SOC 2 report?

A. SOC 1 reports focus on financial reporting risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

B. SOC 1 reports focus on the controls related to the five trust principles – security, availability, confidentiality, processing integrity, and privacy – while SOC 2 reports focus on financial reporting risks.

C. Both SOC 1 and SOC 2 reports focus on financial reporting risks.

D. Both SOC 1 and SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

A

Answer: A. SOC 1 reports focus on financial reporting risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

Explanation: SOC 1 reports are quite basic and focus on financial reporting risks. SOC 2 reports are much more involved and focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

897
Q

What is the difference between positive testing, negative testing, and misuse testing?

A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and misuse testing applies the perspective of someone trying to break or attack the system.

B. Positive testing checks the system’s response to normal errors, negative testing checks if the system is working as expected and designed, and misuse testing applies the perspective of someone trying to break or attack the system.

C. Positive testing applies the perspective of someone trying to break or attack the system, negative testing checks if the system is working as expected and designed, and misuse testing checks the system’s response to normal errors.

D. All three types of testing check if the system is working as expected and designed.

A

Answer: A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and misuse testing applies the perspective of someone trying to break or attack the system.

Explanation: Positive testing focuses on the response of a system based on normal usage and expectations, checking if the system is working as expected and designed. Negative testing focuses on the response of a system when normal errors are introduced. Misuse testing applies the perspective of someone trying to break or attack the system.

898
Q

What is the purpose of regression testing?

A. To verify that previously tested and functional software still works after updates have been made

B. To verify that the software works as expected under heavy load

C. To verify that the software works as expected in different operating systems

D. To verify that the software works as expected with different types of inputs

A

Answer: A. To verify that previously tested and functional software still works after updates have been made

Explanation: Regression testing is the process of verifying that previously tested and functional software still works after updates have been made. It should be performed after enhancements have been made or after patches to address vulnerabilities or problems have been issued.

899
Q

What does the term “test coverage” refer to in the context of security assessment and testing?

A. The number of test cases executed divided by the total number of test cases

B. The number of test cases passed divided by the total number of test cases

C. The amount of code covered divided by the total amount of code in the application

D. The amount of code tested divided by the total amount of code in the application

A

Answer: C. The amount of code covered divided by the total amount of code in the application

Explanation: Test coverage refers to the relationship between the amount of source code in a given application and the percentage of code that has been covered by the completed tests. It is a simple mathematical formula: amount of code covered/total amount of code in application = test coverage percent.

900
Q

What are the two well-known and often-used threat modeling methodologies mentioned in the content?

A. STRIDE and PASTA
B. DREAD and PASTA
C. STRIDE and DREAD
D. DREAD and OCTAVE

A

Answer: A. STRIDE and PASTA

Explanation: Two well-known and often-used threat modeling methodologies are STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege) and PASTA (Process for Attack Simulation and Threat Analysis).

901
Q

What is the primary difference between a white box and a black box test?

A. The tools used for testing
B. Knowledge of the system’s architecture and design
C. The time taken to complete the test
D. The outcome of the test

A

Answer: B. Knowledge of the system’s architecture and design

Explanation: In a white box test, the tester has knowledge of the system’s architecture and design, whereas in a black box test, the tester has no such knowledge and tests the system from an outsider’s perspective.

902
Q

Which phase of the penetration testing process involves gathering as much information as possible about the target system before launching an attack?

A. Exploitation
B. Post-exploitation
C. Reconnaissance
D. Scanning

A

Answer: C. Reconnaissance

Explanation: The reconnaissance phase of penetration testing involves collecting information about the target system, often without directly interacting with it. This phase helps the tester understand the system and identify potential vulnerabilities.

903
Q

During a security assessment, a tester identifies a vulnerability but does not have a tool or an exploit to take advantage of it. What should the tester do next?

A. Ignore the vulnerability.
B. Manually attempt to exploit the vulnerability.
C. Report the vulnerability to the organization.
D. Wait for a tool to become available.

A

Answer: C. Report the vulnerability to the organization.

Explanation: Even if the tester cannot exploit a vulnerability, it’s essential to report it to the organization. This allows the organization to take corrective measures and ensure that potential attackers cannot exploit the vulnerability in the future.

904
Q

Which of the following best describes a false positive in the context of security testing?

A. A vulnerability that is correctly identified but cannot be exploited
B. A vulnerability that is misclassified by the testing tool
C. An identified vulnerability that does not actually exist
D. A vulnerability that is missed by the testing tool

A

Answer: C. An identified vulnerability that does not actually exist

Explanation: A false positive refers to a situation where a security testing tool or process identifies a vulnerability that, upon further investigation, does not actually exist. It’s an erroneous alert that can lead to wasted resources if not correctly identified.

905
Q

For which attack type is IP spoofing most frequently utilized?

A. Salami
B. Keystroke logging
C. Denial of service (DoS)
D. Data diddling

A

Answer: C. Denial of service (DoS)

Explanation: IP spoofing is a technique where an attacker sends IP packets from a false source address. This is often used in denial-of-service (DoS) attacks to mask the true origin of the attack and to amplify the attack by involving innocent third-party systems.

906
Q

Which statement accurately characterizes session hijacking?

A. Session hijacking initially undermines the DNS process, allowing an attacker to exploit an existing TCP connection.

B. Session hijacking manipulates the UDP protocol, enabling an attacker to leverage an ongoing connection.

C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.

D. Session hijacking begins by compromising the DNS process, subsequently allowing an attacker to exploit an established UDP connection.

A

Answer: C. Session hijacking focuses on the TCP connection between the client and the server. If an attacker discerns the initial sequence, they can potentially take over the connection.

Explanation: Session hijacking, also known as session takeover, involves an attacker taking over a user’s session. The primary target is the TCP connection. By predicting or intercepting the session token, an attacker can impersonate the victim and hijack their session.

907
Q

Following a series of email scams targeting your company’s employees, which solution would most effectively address these attacks?

A. Enforce a stringent password policy mandating complex passwords.
B. Initiate an employee training and awareness campaign.
C. Enhance the company’s email filtering capabilities.
D. Implement a policy limiting email to strictly official purposes.

A

Answer: B. Initiate an employee training and awareness campaign.

Explanation: While all the options have their merits, the most effective way to combat email scams, such as phishing, is through user education. Training employees to recognize and avoid suspicious emails can significantly reduce the risk of successful attacks.

908
Q

Which statement is part of the ISC2 Code of Ethics?

A. One must not use a computer to harm others.
B. Violating user privacy is deemed unethical.
C. All information should be universally accessible.
D. Conduct oneself with honor, honesty, justice, responsibility, and within the bounds of the law.

A

Answer: D. Conduct oneself with honor, honesty, justice, responsibility, and within the bounds of the law.

Explanation: The ISC2 Code of Ethics emphasizes professional and ethical behavior. The mentioned statement aligns with the principles set forth by ISC2 for its members.

909
Q

Which group poses the most significant threat to your organization?

A. Internal employees
B. Corporate espionage agents
C. State-sponsored agents
D. Novice hackers

A

Answer: A. Internal employees

Explanation: Insiders, or internal employees, often have access to sensitive information and systems. Their familiarity with the organization’s infrastructure and potential grievances can make them a significant threat.

910
Q

What does Locard’s exchange principle assert?

A. The continuity of evidence must remain unbroken.
B. Trace evidence always exists.
C. A crime necessitates means, motive, and opportunity.
D. Authenticating evidence requires checksums.

A

Answer: B. Trace evidence always exists.

Explanation: Locard’s exchange principle posits that every contact leaves a trace. This means that whenever two objects come into contact, there will always be an exchange of material.

911
Q
What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)?

A. SAST tests an application while it’s running, while DAST tests the underlying source code of an application.

B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.

C. Both SAST and DAST test an application while it’s running.

D. Both SAST and DAST test the underlying source code of an application.

A
Answer: B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.

Explanation: With Static Application Security Testing (SAST), an application is not running, and it’s the underlying source code that is being examined. With Dynamic Application Security Testing (DAST), an application is running, and the focus is on the application and system as the underlying code executes.

912
Q
What are the two types of alerts that often show up in any type of monitoring system?

A. False positives and false negatives
B. True positives and true negatives
C. False positives and true negatives
D. True positives and false negatives

A

Answer: A. False positives and false negatives

Explanation: With any type of monitoring system, two types of alerts often show up: false positives, where the system claims a vulnerability exists, but there is none, and false negatives, where the system says everything is fine, but a vulnerability exists.

913
Q
What is the purpose of log review and analysis in an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

A
Answer: C. To identify errors and anomalies that point to problems, modifications, or breaches

Explanation: Log review and analysis is a best practice that should be used in every organization. Logs should include what is relevant, be proactively reviewed, and be especially scrutinized for errors and anomalies that point to problems, modifications, or breaches.

914
Q
What is the difference between a Type 1 and a Type 2 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 2 report examines the design of a control and its operating effectiveness over a period of time.

B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 2 report focuses on the design of controls at a point in time.

C. Both Type 1 and Type 2 reports focus on the design of controls at a point in time.

D. Both Type 1 and Type 2 reports examine the design of a control and its operating effectiveness over a period of time.

A
Answer: A. A Type 1 report focuses on the design of controls at a point in time, while a Type 2 report examines the design of a control and its operating effectiveness over a period of time.

Explanation: A Type 1 report focuses on the design of controls at a point in time. A Type 2 report examines not only the design of a control but, more importantly, the operating effectiveness over a period of time, typically a year.

915
Q
What is the purpose of a security audit in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security audit is a systematic, measurable technical assessment of how the organization’s security policy is employed. It is used to ensure that security controls are operating effectively and as designed.

916
Q
What is the difference between a white box test and a black box test?

A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.

B. In a white box test, the tester has no knowledge of the system being tested, while in a black box test, the tester has full knowledge of the system.

C. Both white box and black box tests require the tester to have full knowledge of the system being tested.

D. Both white box and black box tests require the tester to have no knowledge of the system being tested.

A
Answer: A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.

Explanation: In a white box test, the tester has full knowledge of the system being tested, including source code, architecture, and both the software and hardware involved. In a black box test, the tester has no knowledge of the system being tested.

917
Q
What is the purpose of a code review in the context of security assessment and testing?

A. To identify potential vulnerabilities in the code
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

A
Answer: A. To identify potential vulnerabilities in the code

Explanation: A code review is a systematic examination of computer source code intended to find and fix mistakes overlooked in the initial development phase, improving both the overall quality of software and the developers’ skills. In the context of security, it is used to identify potential vulnerabilities in the code.

918
Q
What is the difference between a credentialed scan and an uncredentialed scan?

A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.

B. A credentialed scan is performed without system-level access, while an uncredentialed scan is performed with system-level access.

C. Both credentialed and uncredentialed scans are performed with system-level access.

D. Both credentialed and uncredentialed scans are performed without system-level access.

A

Answer: A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.

Explanation: A credentialed scan is performed with system-level access, and it can see everything that is happening on a given host. An uncredentialed scan is performed without system-level access, and it can only see what is visible on the network.

919
Q
What is the purpose of a security control self-assessment?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security control self-assessment is a process where an organization evaluates its own security controls to ensure they are operating effectively and as designed. It is a proactive measure to identify any potential issues before they become problems.

920
Q
What is the purpose of a risk-based approach to security testing?

A. To focus testing efforts on areas of greatest risk
B. To identify potential vulnerabilities in the system
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: A. To focus testing efforts on areas of greatest risk

Explanation: A risk-based approach to security testing allows an organization to focus its testing efforts on the areas of greatest risk. This approach ensures that resources are used effectively and that high-risk areas receive the attention they require.

921
Q
What is the purpose of a security control in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To protect the system against potential threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To protect the system against potential threats

Explanation: A security control is a safeguard or countermeasure designed to avoid, counteract, or minimize security risks. In the context of an organization’s security strategy, the purpose of a security control is to protect the system against potential threats.

922
Q
What is the difference between a false positive and a false negative in the context of security monitoring?

A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.

B. A false positive is when the system says everything is fine, but a vulnerability exists, while a false negative is when the system claims a vulnerability exists, but there is none.

C. Both false positives and false negatives are when the system claims a vulnerability exists, but there is none.

D. Both false positives and false negatives are when the system says everything is fine, but a vulnerability exists.

A
Answer: A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.

Explanation: A false positive is when the system claims a vulnerability exists, but there is none. This can lead to wasted resources as teams investigate nonexistent issues. A false negative is when the system says everything is fine, but a vulnerability exists. This can lead to undetected breaches and significant damage.

923
Q
What is the purpose of a security control baseline in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To provide a starting point for the implementation of security controls
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To provide a starting point for the implementation of security controls

Explanation: A security control baseline provides a set of basic controls that an organization can use as a starting point for their security strategy. It provides a foundation upon which additional, more specific controls can be built based on the organization’s unique risks and requirements.

924
Q
What is the purpose of the “Process for Attack Simulation and Threat Analysis” (PASTA) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To simulate potential attack scenarios and analyze threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To simulate potential attack scenarios and analyze threats

Explanation: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling methodology that aims to provide a dynamic threat identification, enumeration, and scoring process. It simulates potential attack scenarios and analyzes threats in a structured and methodical way.

925
Q
What is the difference between a Type 1 SOC report and a Type 3 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.

B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.

C. Both Type 1 and Type 3 reports focus on the design of controls at a point in time.

D. Both Type 1 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A
Answer: A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.

Explanation: A Type 1 SOC report focuses on the design of controls at a point in time. A Type 3 SOC report, on the other hand, examines not only the design of a control but also its operating effectiveness over a period of time.

926
Q
What is the purpose of the “Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege” (STRIDE) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To categorize potential threats to the system
C. To simulate potential attack scenarios
D. To identify the effectiveness of the system’s security controls

A
Answer: B. To categorize potential threats to the system

Explanation: The STRIDE methodology is a threat modeling technique used to categorize potential threats to a system. It stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, and Elevation of privilege.

927
Q
What is the difference between a Type 2 SOC report and a Type 3 SOC report?

A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.

B. A Type 2 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.

C. Both Type 2 and Type 3 reports focus on the design of controls at a point in time.

D. Both Type 2 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A
Answer: A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.

Explanation: A Type 2 SOC report examines not only the design of a control but also its operating effectiveness over a period of time. A Type 3 SOC report, on the other hand, focuses on the design of controls at a point in time.

928
Q
What is the purpose of Real User Monitoring (RUM) in operational testing?

A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.

B. RUM is an active monitoring technique that monitors user interactions and activity with a website or application.

C. RUM is a passive monitoring technique that monitors the performance of a website or application under load.

D. RUM is an active monitoring technique that monitors the performance of a website or application under load.

A
Answer: A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.

Explanation: Real User Monitoring (RUM) is a passive monitoring technique that monitors user interactions and activity with a website or application. It provides insights into how users are interacting with the system in real time.

929
Q
What is the purpose of the Common Vulnerability Scoring System (CVSS)?

A. CVSS reflects a method to characterize a vulnerability through a scoring system considering various characteristics.

B. CVSS is a list of records for publicly known cybersecurity vulnerabilities.

C. CVSS is a method to identify the unique characteristics of a system through an examination of how packets and other system level information are formed.

D. CVSS is a method to identify a system’s operating system, applications, and versions.

A
Answer: A. CVSS reflects a method to characterize a vulnerability through a scoring system considering various characteristics.

Explanation: The Common Vulnerability Scoring System (CVSS) reflects a method to characterize a vulnerability through a scoring system considering various characteristics. It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

930
Q
What is the purpose of Synthetic Performance Monitoring in operational testing?

A. Synthetic Performance Monitoring is a passive monitoring technique that monitors user interactions and activity with a website or application.

B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.

C. Synthetic Performance Monitoring is a passive monitoring technique that monitors the performance of a website or application under load.

D. Synthetic Performance Monitoring is an active monitoring technique that monitors the performance of a website or application under load.

A
Answer: B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.

Explanation: Synthetic Performance Monitoring examines functionality as well as functionality and performance under load. Test scripts for each type of functionality can be created and then run at any time.

931
Q
What is the purpose of the Common Vulnerabilities and Exposures (CVE) dictionary in the context of interpreting and understanding results from activities like vulnerability scanning, banner grabbing, and fingerprinting?

A. CVE is a list of records for publicly known cybersecurity vulnerabilities.

B. CVE reflects a method to characterize a vulnerability through a scoring system considering various characteristics.

C. CVE is a method to identify the unique characteristics of a system through an examination of how packets and other system level information are formed.

D. CVE is a method to identify a system’s operating system, applications, and versions.

A
Answer: A. CVE is a list of records for publicly known cybersecurity vulnerabilities.

Explanation: CVE, also known as Common Vulnerabilities and Exposures dictionary, is “a list of records – each containing an identification number, a description, and at least one public reference – for publicly known cybersecurity vulnerabilities.”

932
Q
What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in the context of runtime testing?

A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.

B. SAST involves focusing on the application and system as the underlying code executes when an application is running, while DAST involves examining the underlying source code when an application is not running.

C. Both SAST and DAST involve examining the underlying source code when an application is not running.

D. Both SAST and DAST involve focusing on the application and system as the underlying code executes when an application is running.

A
Answer: A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.

Explanation: Static Application Security Testing (SAST) involves examining the underlying source code when an application is not running. This is a form of white box testing. Dynamic Application Security Testing (DAST), on the other hand, involves focusing on the application and system as the underlying code executes when an application is running. This is a form of black box testing.

933
Q
What is the difference between blind testing and double-blind testing in the context of vulnerability assessment and penetration testing?

A. Blind testing involves the assessor being given little to no information about the target being tested, while double-blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.

B. Blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests, while double-blind testing involves the assessor being given little to no information about the target being tested.

C. Both blind testing and double-blind testing involve the assessor being given little to no information about the target being tested.

D. Both blind testing and double-blind testing involve the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.

A
Answer: A. Blind testing involves the assessor being given little to no information about the target being tested, while double-blind testing involves the assessor and the IT and Security Operations teams being given little to no information about the upcoming tests.

Explanation: In blind testing, the assessor is given little to no information about the target being tested. In double-blind testing, not only is the assessor given little to no information about the target, but the IT and Security Operations teams are also not informed about the upcoming tests.

934
Q
What is the difference between circular overwrite and clipping levels in the context of log file management?

A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log a given event based upon threshold settings.

B. Circular overwrite focuses on when to log a given event based upon threshold settings, while clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.

C. Both circular overwrite and clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.

D. Both circular overwrite and clipping levels focus on when to log a given event based upon threshold settings.

A

Answer: A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log a given event based upon threshold settings.

Explanation: Circular overwrite is a method of log file management that limits the maximum size of a log file by overwriting entries, starting from the earliest. Clipping levels, on the other hand, focus on when to log a given event based upon threshold settings, which can also help limit log file sizes.

935
Q
What are the three types of audit strategies mentioned in the context of organizational audit strategies?

A. Internal, external, and fourth party
B. Internal, external, and third party
C. First party, second party, and third party
D. Internal, external, and inter-party

A

Answer: B. Internal, external, and third party

Explanation: The three types of audit strategies mentioned are internal, external, and third party. Each of these strategies has a different focus and is used in different contexts within an organization’s overall audit strategy.

936
Q
What are the different types of coverage testing you need to explain for the CISSP exam?

A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative

B. Black box, white box, dynamic, static, manual, automated, structural, positive, negative

C. Black box, white box, dynamic, static, manual, automated, structural, functional, positive

D. Black box, white box, dynamic, static, manual, automated, structural, functional, neutral

A

Answer: A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative

Explanation: The types of coverage testing that you need to explain for the CISSP exam are black box, white box, dynamic, static, manual, automated, structural, functional, and negative.

937
Q
What is the difference between awareness, training, and education in the context of security process data collection?

A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”

B. Awareness refers to the “how” of an organization’s policy or procedure, training refers to the “why,” and education refers to the “what.”

C. Awareness refers to the “why” of an organization’s policy or procedure, training refers to the “what,” and education refers to the “how.”

D. Awareness, training, and education all refer to the “what” of an organization’s policy or procedure.

A
Answer: A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”

Explanation: Awareness refers to the “what” of an organization’s policy or procedure, aiming at knowledge retention. Training focuses on the “how,” enabling the ability to complete a task and apply problem-solving at the application level. Education focuses on the “why,” providing an understanding of the big picture and enabling design-level problem solving with architectural exercises.

938
Q
  1. What is the purpose of breach attack simulations in the context of security controls?

A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.

B. Breach attack simulations are where you simulate real-world attacks in a controlled environment, typically both manual and occasionally running.

C. Breach attack simulations are where you simulate hypothetical attacks across your whole environment, typically both automatic and always running.

D. Breach attack simulations are where you simulate hypothetical attacks in a controlled environment, typically both manual and occasionally running.

A
  1. Answer: A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.

Explanation: Breach attack simulations simulate real-world attacks across the entire environment. They are typically automatic and always running, using tools that are constantly updated and provide remediation steps and documentation.

939
Q
  1. What is the role of security control compliance checks?

A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.

B. Security control compliance checks are occasionally performed to assess whether the organization is currently following their controls.

C. Security control compliance checks are regularly performed to assess whether the organization is currently violating their controls.

D. Security control compliance checks are occasionally performed to assess whether the organization is currently violating their controls.

A
  1. Answer: A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. These checks can be automated and may use either in-house or third-party tools. Failed compliance checks typically result in the organization investigating and remediating the issues found.

940
Q
  1. What is the main difference between internal, external, and third-party audit strategies?

A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.

B. Internal audits ensure procedures/compliance are being followed with regular checks, external audits are closely aligned to the organization, and third-party audits provide a more in-depth, neutral audit.

C. Internal audits provide a more in-depth, neutral audit, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits are closely aligned to the organization.

D. All three types of audits are closely aligned to the organization.

A
  1. Answer: A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.

Explanation: Internal audits should be closely aligned to the organization. The external strategy needs to ensure procedures/compliance are being followed with regular checks and complement the internal strategy. The third-party strategy is an objective, neutral approach that reviews the overall strategy for auditing the organization’s environment, methods of testing, and can also ensure that both internal and external audits are following defined policies and procedures.

941
Q
  1. What is the main objective of breach attack simulations?

A. To simulate real-world attacks across the whole environment, typically both automatic and always running

B. To simulate hypothetical attacks across the whole environment, typically both automatic and always running

C. To simulate real-world attacks in a controlled environment, typically both automatic and always running

D. To simulate hypothetical attacks in a controlled environment, typically both automatic and always running

A
  1. Answer: A. To simulate real-world attacks across the whole environment, typically both automatic and always running

Explanation: Breach attack simulations are where you simulate real-world attacks. They are simulated across your whole environment and are typically both automatic and always running. Red and blue teams use tools that are constantly updated and provide remediation steps and documentation.

942
Q
  1. What is the main purpose of security control compliance checks?

A. To assess whether the organization is currently following their controls
B. To assess whether the organization is currently violating their controls
C. To assess whether the organization is currently updating their controls
D. To assess whether the organization is currently implementing their controls

A
  1. Answer: A. To assess whether the organization is currently following their controls

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. This may be automated and use either in-house or third-party tools. Failed compliance checks normally end up in the organization investigating and remediating the issues it found.

943
Q
  1. What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts

B. To handle test results and report any results of concern to the IT department immediately so they can be aware of potential risks and alerts
C. To handle test results and report any results of concern to the security team immediately so they can be aware of potential risks and alerts

D. To handle test results and report any results of concern to the stakeholders immediately so they can be aware of potential risks and alerts.

A
  1. Answer: A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts

Explanation: Those who analyze the security of an organization’s apps and services need to know how to handle test results. Any results of concern need to be reported to management immediately so they can be aware of potential risks and alerts. The detail in reporting to management may be on a “need-to-know” basis.

944
Q
  1. What are the two primary categories of assessments that you need to be aware of for the CISSP exam?

A. Formal assessments and informal assessments
B. Formal assessments and no-notice assessments
C. Informal assessments and no-notice assessments
D. Internal assessments and external assessments

A
  1. Answer: A. Formal assessments and informal assessments

Explanation: The two primary categories of assessments are formal assessments and informal assessments. Formal assessments are evaluations against a compliance standard, which includes regulatory and other legal requirements.

945
Q
  1. What are the key elements of an audit report?

A. Purpose, scope, results of the audit, audit events
B. Purpose, scope, results of the audit, audit strategies
C. Purpose, scope, results of the audit, audit techniques
D. Purpose, scope, results of the audit, audit procedures

A
  1. Answer: A. Purpose, scope, results of the audit, audit events

Explanation: The key elements of an audit report are the purpose, scope, results of the audit, and audit events. The purpose outlines the reason for the audit, the scope defines the boundaries of the audit, the results of the audit provide the findings, and the audit events detail the specific instances or activities audited.

946
Q
  1. What are the four types of SOC reports?
    A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3
    B. SOC 1, SOC 2 Type 1, SOC 2 Type 2, SOC 3
    C. SOC 1, SOC 2, SOC 3 Type 1, SOC 3 Type 2
    D. SOC 1 Type 1, SOC 2 Type 1, SOC 3 Type 1, SOC 4
A
  1. Answer: A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3

Explanation: The four types of SOC reports are SOC 1 Type 1, SOC 1 Type 2, SOC 2, and SOC 3. Each type of report has a different focus and is used for different purposes within an organization’s overall audit strategy.

947
Q
  1. What are the two phases in preparing for the SOC audit?

A. Preparations phase and Audit phase
B. Preparations phase and Reporting phase
C. Audit phase and Reporting phase
D. Preparations phase and Review phase

A
  1. Answer: A. Preparations phase and Audit phase

Explanation: There are two phases in preparing for the SOC audit: the Preparations phase and the Audit phase. The Preparations phase involves scheduling, defining the scope, inventorying controls, conducting a readiness review, and resolving discrepancies. The Audit phase involves creating a detailed project plan, gathering artifacts, providing physical access and workspace, conducting meetings, testing, off-site analysis, issue resolution, providing audit reports, and conducting a lessons learned review.

948
Q
  1. What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To present the data in a meaningful way for most people who need the data

B. To present the data in a raw format for most people who need the data

C. To present the data in a meaningful way for a few gifted people who can draw salient conclusions

D. To present the data in a raw format for a few gifted people who can draw salient conclusions

A
  1. Answer: A. To present the data in a meaningful way for most people who need the data

Explanation: Security controls, vulnerability scans, penetration tests, and audits – all these activities generate a significant amount of data. Perhaps a few gifted people can review the raw data and draw salient conclusions, but most people need the data presented to them in a meaningful way.

949
Q
  1. What is the main purpose of “no-notice” assessments?

A. To evaluate the situation without any forewarning of the evaluation
B. To evaluate the situation with prior notice of the evaluation
C. To evaluate the situation with occasional notice of the evaluation
D. To evaluate the situation with frequent notice of the evaluation

A
  1. Answer: A. To evaluate the situation without any forewarning of the evaluation

Explanation: “No-notice” assessments simply mean that the situation being evaluated has no forewarning of the evaluation (e.g., spot check, desk audit). A no-notice assessment isn’t really a “type” of assessment; it’s basically a surprise audit or an informal assessment where notice isn’t given. It can likely fit into a subcategory or type of informal assessment.

950
Q
  1. What is the main purpose of internal assessments?

A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations

B. To see if controls exceed risk expectations or to see if there are ways to improve efficiency of operations

C. To see if controls meet risk expectations or to see if there are ways to reduce efficiency of operations

D. To see if controls exceed risk expectations or to see if there are ways to reduce the efficiency of operations

A
  1. Answer: A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations

Explanation: Internal assessments are done for the purpose of seeing if controls meet risk expectations or to see if there are ways to improve efficiency of operations and how well an organization is prepared for an external or formal audit. An internal assessment might follow a formal process, but is most likely considered informal by nature.

951
Q
  1. Among the following tools, which is predominantly designed to conduct network discovery scans to identify active hosts and open ports?

A. Nmap
B. OpenVAS
C. Metasploit Framework
D. lsof

A
  1. Answer: A. Nmap

Explanation: Nmap (Network Mapper) is primarily used for network discovery and port scanning. It is a versatile tool that allows for the identification of active hosts and open ports within a network.

952
Q
  1. After executing a network port scan from an external network on an internal web server to simulate an attacker’s viewpoint, which scan results should be of utmost concern and warrant immediate attention?

A. Port 80 is open.
B. Port 22 is filtered.
C. Port 443 is open.
D. Port 1433 is open.

A
  1. Answer: D. Port 1433 is open.

Explanation: Port 1433 is commonly associated with Microsoft SQL Server. An open SQL Server port exposed to an external network is a significant security risk and should be addressed immediately.

953
Q
  1. When devising a schedule for security testing of a specific system, which of the following factors should be excluded from your considerations?

A. The sensitivity level of the data stored on the system
B. The complexity involved in executing the test
C. The inclination to experiment with novel testing tools
D. The system’s attractiveness as a target for attackers

A

Answer: C. The inclination to experiment with novel testing tools

Explanation: The desire to experiment with new testing tools should not be a factor when planning a security testing schedule. The focus should be on the system’s security posture and potential risks.

954
Q
  1. For whom is a security assessment report primarily intended?

A. Organizational management
B. The individual conducting the security audit
C. Security professionals within the organization
D. The organization’s customer base

A

Answer: A. Organizational management

Explanation: A security assessment report is primarily intended for organizational management. It provides them with an overview of the security posture of the system or network, allowing them to make informed decisions regarding security policies and resource allocation.

955
Q
  1. Which port number is customarily designated for establishing administrative connections via the Secure Shell (SSH) protocol?

A. 20
B. 22
C. 25
D. 80

A

Answer: B. 22

Explanation: Port 22 is the standard port used for SSH connections, commonly employed for secure server access.

956
Q
  1. Among the listed testing methodologies, which one furnishes the most comprehensive and precise insights into a server’s security posture?

A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan

A
  1. Answer: D. Authenticated scan

Explanation: An authenticated scan provides the most detailed information about the security state of a server. It allows for a deeper system inspection by using valid credentials to access it.

957
Q
  1. Which variant of network discovery scan employs only the initial two steps of the TCP three-way handshake and does not complete the connection?

A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan

A

Answer: C. TCP SYN scan

Explanation: A TCP SYN scan, also known as a “half-open” scan, utilizes only the first two steps of the TCP three-way handshake. It sends a SYN packet and waits for a SYN-ACK response but does not send the final ACK packet to complete the handshake.

958
Q
  1. Which tool from the following options is most suitable for SQL injection vulnerability detection?

A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner

A
  1. Answer: D. Web vulnerability scanner

Explanation: A web vulnerability scanner is specifically designed to identify vulnerabilities in web applications, including SQL injection flaws.

959
Q
  1. On a system operating an HTTP server without encryption, which port is generally left open to facilitate communication?

A. 22
B. 80
C. 143
D. 443

A

Answer: B. 80

Explanation: Port 80 is the standard port for unencrypted HTTP traffic. Servers running unencrypted HTTP services typically listen on this port.

960
Q
  1. Following a recent cyberattack that led to an extended service outage within your organization, you are tasked with inspecting systems for known vulnerabilities that could be exploited in future attacks. Which of the following options would be the most effective for identifying such vulnerabilities?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

A
  1. Answer: B. Vulnerability scanner

Explanation: A vulnerability scanner is specifically designed to automatically identify known vulnerabilities in systems and networks, making it the most effective choice for this scenario.

961
Q

  1. Among the listed processes, which one is most likely to provide a comprehensive inventory of all security risks present within a system?

A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan

A
  1. Answer: D. Vulnerability scan

Explanation: A vulnerability scan is designed to identify known security risks in a system by probing for its configuration, software, and hardware weaknesses.

962
Q
  1. A newly appointed Chief Information Officer (CIO) discovers that the organization lacks a formal change management program and mandates its immediate implementation. What would be a primary objective of instituting such a program?

A. Ensuring the safety of personnel
B. Facilitating the rollback of changes
C. Ensuring that implemented changes do not compromise security
D. Auditing privileged access

A
  1. Answer: C. Ensuring that implemented changes do not compromise security

Explanation: One of the primary goals of a change management program is to ensure that any changes made to systems or processes do not adversely affect the organization’s security posture.

963
Q
  1. Among the following cloud service models, which affords an organization the highest degree of administrative control while also necessitating that the organization assume full responsibility for maintaining operating systems and applications?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Public Cloud Service

A
  1. Answer: A. Infrastructure as a Service (IaaS)

Explanation: Infrastructure as a Service (IaaS) provides an organization with the most control over its cloud resources, including virtual machines, storage, and networking. However, this level of control comes with the responsibility of managing and maintaining the operating systems and applications.

964
Q
  1. Among the following elements, which one is typically not a component of a comprehensive security assessment?

A. Conducting a vulnerability scan
B. Performing a risk assessment
C. Implementing vulnerability mitigation measures
D. Carrying out a threat assessment

A
  1. Answer: C. Implementing vulnerability mitigation measures

Explanation: A security assessment focuses on identifying vulnerabilities, assessing risks, and evaluating threats. The actual mitigation of vulnerabilities is usually a separate process that follows the assessment.

965
Q
  1. For whom is a security assessment report primarily intended?

A. Organizational management
B. The individual conducting the security audit
C. Security professionals within the organization
D. The organization’s customer base

A
  1. Answer: A. Organizational management

Explanation: A security assessment report is primarily intended for organizational management. It provides them with an overview of the security posture of the system or network, allowing them to make informed decisions regarding security policies and resource allocation.

966
Q
  1. Which of the following steps is executed first?

A. Response
B. Mitigation
C. Remediation
D. Lessons learned

A
  1. Answer: A. Response

Explanation: In the (ISC)² framework for incident management, the first step is usually the “Response” phase, where the incident is initially addressed and contained.

967
Q
  1. Security administrators are in the process of reviewing the entire set of data collected through
    event logging. What is the most accurate term to describe this collection of data?

A. Identification
B. Audit trails
C. Authorization
D. Confidentiality

A
  1. Answer: B. Audit trails

Explanation: The term “audit trails” best describes the body of data collected through event logging. Audit trails are records that provide documentary evidence of the sequences of activities that have affected a specific operation, procedure, or event at any time.

968
Q
  1. Which network device is most likely to be connected to a mirrored port?

A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A honeypot
D. A sandbox

A
  1. Answer: B. An intrusion detection system (IDS)

Explanation: A mirrored port is often used to connect an intrusion detection system (IDS) for monitoring network traffic.

969
Q
  1. A network is equipped with a network-based intrusion detection system (NIDS). Security administrators later discover that an attack penetrated the network without triggering an alarm from the NIDS. What is this scenario best described as?

A. A false positive
B. A false negative
C. A Fraggle attack
D. A Smurf attack

A
  1. Answer: B. A false negative

Explanation: A false negative occurs when an intrusion detection system fails to detect an actual attack, allowing it to penetrate the network without raising an alarm.

970
Q
  1. Among the following actions, which one is most likely to be indicative of a terrorist attack, as opposed to other forms of cyberattacks?

A. Tampering with sensitive trade secret documents
B. Disrupting communication capabilities in preparation for a physical attack
C. Exfiltrating unclassified information
D. Illicitly transferring funds to foreign countries

A
  1. Answer: B. Disrupting communication capabilities in preparation for a physical attack

Explanation: Disrupting an organization’s ability to communicate and respond to a physical attack is most indicative of a terrorist attack, as it aims to cause widespread harm and panic.

971
Q
  1. Which of the following actions would not align with the primary objectives typically associated with a grudge attack?

A. Publicly disclosing embarrassing personal information
B. Deploying a virus on the target organization’s systems
C. Sending emails with inappropriate content from a spoofed address of the victim organization
D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems

A
  1. Answer: D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems

Explanation: Grudge attacks are usually motivated by personal vendettas and aim to cause embarrassment or harm to the target. Scanning for vulnerable ports is more indicative of a broader cyberattack rather than a grudge attack.

972
Q
  1. What is the paramount rule to adhere to during the process of evidence collection in a cyber investigation?

A. Refrain from shutting down the computer until the screen is photographed
B. Document the names of all individuals present during the collection
C. Avoid altering the evidence during the collection process
D. Transport all collected equipment to a secure storage facility

A
  1. Answer: C. Avoid altering the evidence during the collection process

Explanation: The integrity of evidence is crucial in any investigation. Therefore, avoiding any modification to the evidence during its collection is paramount.

973
Q
  1. What category of evidence encompasses written documents presented in court to substantiate a particular fact?

A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence

A
  1. Answer: C. Documentary evidence

Explanation: Documentary evidence refers to written documents that are used in court to prove a fact.

974
Q
  1. Among the following types of investigations, which one necessitates the highest standard of evidence for prosecution?

A. Administrative
B. Civil
C. Criminal
D. Regulatory

A
  1. Answer: C. Criminal

Explanation: Criminal investigations require the highest standard of evidence, often “beyond a reasonable doubt,” due to the severe consequences involved, such as imprisonment.

975
Q
  1. What is the expected conduct for CISSP holders?

A. Act honestly, diligently, responsibly, and legally
B. Act honorably, honestly, justly, responsibly, and legally
C. Uphold the security policy and protect the organization
D. Act in a trustworthy, loyal, friendly, and courteous manner

A
  1. Answer: B. Act honorably, honestly, justly, responsibly, and legally

Explanation: The (ISC)² Code of Ethics outlines that CISSPs are expected to act honorably, honestly, justly, responsibly, and legally.

976
Q
  1. Which kind of identity platform would be most suitable for ensuring the continuous availability of authentication services?

A. On-site
B. Cloud based
C. Hybrid
D. Outsourced

A
  1. Answer: B. Cloud based

Explanation: A cloud-based identity platform typically offers high availability and redundancy, making it a suitable choice when availability is the organization’s biggest priority.

977
Q
  1. Which technology should you consider implementing to facilitate sharing identity information with a business partner?

A. Single Sign-On
B. Multifactor authentication
C. Federation
D. Identity as a Service (IDaaS)

A
  1. Answer: C. Federation

Explanation: Federation allows for sharing identity information across different organizations and systems, making it the most appropriate choice for sharing identity information with a business partner.

978
Q
  1. Which guiding principle mandates that an individual exerts every effort to fulfill their responsibilities accurately and within a reasonable time frame?

A. Least privilege
B. Separation of duties
C. Due care
D. Due diligence

A
  1. Answer: C. Due care

Explanation: The principle of “due care” requires that an individual should act responsibly and take the necessary steps to complete their responsibilities accurately and in a timely manner.

979
Q
  1. Which metric would provide crucial information regarding the maximum duration the organization can afford without a particular service before incurring irreparable damage?

A. Maximum tolerable downtime (MTD)
B. Annualized loss expectancy (ALE)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)

A
  1. Answer: A. Maximum tolerable downtime (MTD)

Explanation: Maximum tolerable downtime (MTD) is the metric that indicates the longest period of time a business process can be inoperative before causing irreparable harm to the organization.

980
Q

Which of the following are essential activities of a comprehensive information security program for an organization on an ongoing basis?

  1. Information preservation
  2. Security test and evaluation
  3. Security control monitoring
  4. Security status reporting

a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4

A

d. Security-control monitoring and reporting the status of the information system to appropriate management authorities are essential activities of a comprehensive information security program. Information preservation is a part of the disposal phase, whereas security test and evaluation is a part of the implementation phase of a system development life cycle (SDLC). Security-control monitoring and security status reporting are a part of the operation and maintenance phase of an SDLC, which facilitate ongoing work.

980
Q

The Reference Monitor concept is which of the following?

a. It is dependent on mandatory access control policy.
b. It is independent of any access control policy.
c. It is independent of role-based access control policy.
d. It is dependent on discretionary access control policy.

A

b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.

981
Q

Security certification is made in support of which of the following?

a. Security accreditation
b. Management controls
c. Operational controls
d. Technical controls

A

a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.

982
Q

The security accreditation phase does not contain which of the following?

a. System security plan
b. System security assessment report
c. Plan of actions and milestones
d. Security impact analyses

A

d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.

982
Q

Which of the following is not one of the primary goals of certification and accreditation of information systems?

a. To enable consistent assessment of security controls
b. To promote a better understanding of organization-wide risks
c. To deliver reliable information to management
d. To conduct reaccreditation reviews periodically

A

d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.

983
Q

Which of the following is not a usual common error or vulnerability in information systems?

a. Encryption failures
b. Buffer overflows
c. Format string errors
d. Failing to check input for validity

A

a. Usually, encryption algorithms do not fail, because of their extensive testing, and encryption keys are getting longer, making them more difficult to break. Many errors reoccur, including buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.

984
Q

Which of the following tasks are performed during the continuous monitoring step of the configuration management (CM) process?

  1. Configuration verification tests
  2. System audits
  3. Patch management
  4. Risk management

a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

d. The configuration management (CM) process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system. Configuration verification tests, system audits, patch management, and risk management activities are performed to achieve the CM goal.

985
Q

Which of the following is not the responsibility of the configuration manager?

a. Documenting the configuration management plan
b. Approving, denying, or deferring changes
c. Evaluating configuration management metric information
d. Ensuring that an audit trail of changes is documented

A

c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.

986
Q

Which global entity was founded to standardize the treatment of forensic evidence?
A. The Global Forensic Analysis organization
B. The European Union’s Criminal Evidence Policy Council
C. The United Nations Computer Evidence Committee
D. The International Organization on Computer Evidence

A

Answer: D. The International Organization on Computer Evidence

Explanation: The International Organization on Computer Evidence (IOCE) was established to provide international standards for digital evidence handling
and processing.

987
Q

Which of the following is not a requirement for evidence to be admissible in court?
A. Pertinent
B. Preserved correctly
C. Recognizable
D. Justified

A

Answer: D. Justified

Explanation: Evidence must be relevant, properly preserved, and identifiable to be admissible in court. “Justified” is not a criterion for evidence admissibility.

988
Q

How is hearsay evidence best defined?
A. Admissible in civil proceedings
B. Inadmissible in court
C. Regarded as third-tier information
D. Used to corroborate evidence presented as the best evidence

A

Answer: B. Inadmissible in court

Explanation: Hearsay evidence refers to statements made outside of court that are presented as evidence for the truth of the matter asserted in the statement. Generally, hearsay is not admissible in court unless it falls under specific exceptions.

989
Q

In what fundamental way do ethical hackers differ from malicious hackers?
A. They are authorized to dismantle networks.
B. Their primary objective is to avoid causing harm.
C. They are immune to legal repercussions for damages.
D. They are exempt from legal prosecution.

A

Answer: B. Their primary objective is to avoid causing harm.

Explanation: Ethical hackers, also known as “white hat” hackers, are professionals who test systems for vulnerabilities with the intent of identifying and fixing them, not exploiting them. They operate with permission and aim to improve security without causing harm.

990
Q

In the realm of computer forensics, which component should be prioritized for examination?

A. Hard disk drives
B. DVD media
C. Random Access Memory (RAM) content
D. Printed outputs from the computer

A

Answer: C. Random Access Memory (RAM) content

Explanation: The contents of RAM are volatile, meaning they are lost when the power is turned off. RAM can contain valuable information such as encryption keys, running processes, and other transient data. Therefore, it’s crucial to capture this information first, before it’s lost.

991
Q

How is the tool SATAN best characterized?

A. A utility for password decryption
B. A tool for analyzing audit logs
C. A software for system exploitation
D. A scanner for system vulnerabilities

A

Answer: D. A scanner for system vulnerabilities

Explanation: SATAN (Security Administrator Tool for Analyzing Networks) is a tool designed to detect vulnerabilities in computer networks. It helps administrators identify potential security risks in their systems.

992
Q

What should an investigator ensure during the duplication in computer forensics?

A. Create an exact duplicate.
B. Generate a bit-by-bit copy.
C. Produce a logical copy.
D. Format the destination drive to erase any existing data before duplication.

A

Answer: B. Generate a bit-by-bit copy.

Explanation: In computer forensics, it’s essential to make a bit-level copy (or bit-by-bit copy) of the original evidence to ensure that all data, including deleted files and slack space, is captured. This ensures the integrity of the evidence and allows for a thorough investigation.

993
Q

Which type of penetration testing evaluates the access capabilities of internal users?

A. White box testing
B. Gray box testing
C. Black box testing
D. Blue box testing

A

Answer: A. White box testing

Explanation: White box testing, also known as clear box testing, is a method where the tester has complete knowledge of the system’s internals. In the context of penetration testing, it simulates what insiders with knowledge of the system can access and potentially exploit.

994
Q

Which group of individuals is notorious for targeting PBX and telecommunication infrastructures?

A. Novice hackers
B. Phreakers
C. System breakers
D. Ethical hackers

A

Answer: B. Phreakers

Explanation: Phreakers are individuals who manipulate telecommunication systems, especially to make free calls. They have historically been associated with exploring and exploiting the vulnerabilities of PBX (Private Branch Exchange) systems and other telecommunication platforms.

995
Q

What is the difference between validation and verification in the context of security assessment and testing?

A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.
B. Validation checks if the product is being built correctly, while verification checks if the right product is being built.
C. Validation and verification both check if the right product is being built.
D. Validation and verification both check if the product is being built correctly.

A

Answer: A. Validation checks if the right product is being built, while verification checks if the product is being built correctly.

Explanation: Validation is concerned with answering the question: Is the right product being built? Verification follows validation and is the process that confirms an application or product is being built correctly.

996
Q

What is the purpose of fuzz testing?

A. To check if the application responds correctly to normal inputs
B. To check if the application responds correctly to erroneous inputs
C. To throw randomness at an application to see how it responds and where it might “break”
D. To check if the application responds correctly to both normal and erroneous inputs

A

Answer: C. To throw randomness at an application to see how it responds and where it might “break”

Explanation: Fuzz testing involves throwing randomness at an application to see how it responds and where it might “break.” It is a form of dynamic testing.

997
Q

What is the difference between a vulnerability assessment and a penetration test?

A. A vulnerability assessment identifies potential vulnerabilities and attempts to exploit them, while a penetration test only identifies potential vulnerabilities.

B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.

C. Both vulnerability assessment and penetration test identify potential vulnerabilities and attempt to exploit them.

D. Both vulnerability assessment and penetration test only identify potential vulnerabilities.

A

Answer: B. A vulnerability assessment only identifies potential vulnerabilities, while a penetration test identifies potential vulnerabilities and attempts to exploit them.

Explanation: Both processes start the same way, as they seek to identify potential vulnerabilities. However, with a vulnerability assessment, once vulnerabilities are noted, no further action is taken apart from producing a report of findings. A penetration test goes an essential step further: after identifying vulnerabilities, an attempt is made to exploit each vulnerability.

998
Q

What are the two primary types of vulnerability scans?

A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans

B. Internal scans and external scans

C. Manual scans and automated scans

D. Static scans and dynamic scans

A

Answer: A. Credentialed/authenticated scans and uncredentialed/unauthenticated scans

Explanation: There are two primary types of vulnerability scans: credentialed/authenticated scans

999
Q

What is the purpose of security assessment and testing in the context of an organization’s security strategy?

A. To ensure that security requirements/controls are defined, tested, and operating effectively
B. To ensure that the organization’s security strategy is aligned with its business goals
C. To ensure that the organization’s security strategy is compliant with regulatory requirements
D. To ensure that the organization’s security strategy is cost-effective

A

Answer: A. To ensure that security requirements/controls are defined, tested, and operating effectively

Explanation: Security assessment and testing ensure that security requirements/controls are defined, tested, and operating effectively. It applies to the development of new applications and systems as well as the ongoing operations, including end of life, related to assets.

1000
Q

What is the difference between a SOC 1 report and a SOC 2 report?

A. SOC 1 reports focus on financial reporting risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

B. SOC 1 reports focus on the controls related to the five trust principles – security, availability, confidentiality, processing integrity, and privacy – while SOC 2 reports focus on financial reporting risks.

C. Both SOC 1 and SOC 2 reports focus on financial reporting risks.

D. Both SOC 1 and SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

A

Answer: A. SOC 1 reports focus on financial risks, while SOC 2 reports focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

Explanation: SOC 1 reports are quite basic and focus on financial reporting risks. SOC 2 reports are much more involved and focus on the controls related to the five trust principles: security, availability, confidentiality, processing integrity, and privacy.

1001
Q

What is the difference between positive testing, negative testing, and misuse testing?

A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and misuse testing applies the perspective of someone trying to break or attack the system.

B. Positive testing checks the system’s response to normal errors, negative testing checks if the system is working as expected and designed, and misuse testing applies the perspective of someone trying to break or attack the system.

C. Positive testing applies the perspective of someone trying to break or attack the system, negative testing checks if the system is working as expected and designed, and misuse testing checks the system’s response to normal errors.

D. All three types of testing check if the system is working as expected and
designed.

A

Answer: A. Positive testing checks if the system is working as expected and designed, negative testing checks the system’s response to normal errors, and misuse testing applies the perspective of someone trying to break or attack the system.

Explanation: Positive testing focuses on the response of a system based on normal usage and expectations, checking if the system is working as expected and designed. Negative testing focuses on the response of a system when normal errors are introduced. Misuse testing applies the perspective of someone trying to break or attack the system.

1002
Q

What is the purpose of regression testing?

A. To verify that previously tested and functional software still works after updates have been made
B. To verify that the software works as expected under heavy load
C. To verify that the software works as expected in different operating systems
D. To verify that the software works as expected with different types of inputs

A

Answer: A. To verify that previously tested and functional software still works after updates have been made

Explanation: Regression testing is the process of verifying that previously tested and functional software still works after updates have been made. It should be performed after enhancements have been made or after patches to address vulnerabilities or problems have been issued.

1003
Q

What does the term “test coverage” refer to in the context of security assessment and testing?

A. The number of test cases executed divided by the total number of test cases
B. The number of test cases passed divided by the total number of test cases
C. The amount of code covered divided by the total amount of code in the application
D. The amount of code tested divided by the total amount of code in the application

A

Answer: C. The amount of code covered divided by the total amount of code in the application

Explanation: Test coverage refers to the relationship between the amount of source code in a given application and the percentage of code that has been covered by the completed tests. It is a simple mathematical formula: amount of code covered / total amount of code in application = test coverage percent.

1004
Q

What are the two well-known and often-used threat modeling methodologies mentioned in the content?

A. STRIDE and PASTA
B. DREAD and PASTA
C. STRIDE and DREAD
D. DREAD and OCTAVE

A

Answer: A. STRIDE and PASTA

Explanation: Two well-known and often-used threat modeling methodologies are STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege) and PASTA (Process for Attack Simulation and Threat Analysis).

1005
Q

What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)?

A. SAST tests an application while it’s running, while DAST tests the underlying source code of an application.
B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.
C. Both SAST and DAST test an application while it’s running.
D. Both SAST and DAST test the underlying source code of an application.

A

Answer: B. SAST tests the underlying source code of an application, while DAST tests an application while it’s running.

Explanation: With Static Application Security Testing (SAST), an application is not running, and it’s the underlying source code that is being examined. With Dynamic Application Security Testing (DAST), an application is running, and the focus is on the application and system as the underlying code executes.

1006
Q

What are the two types of alerts that often show up in any type of monitoring system?

A. False positives and false negatives
B. True positives and true negatives
C. False positives and true negatives
D. True positives and false negatives

A

Answer: A. False positives and false negatives

Explanation: With any type of monitoring system, two types of alerts often show up: false positives, where the system claims a vulnerability exists, but there is none, and false negatives, where the system says everything is fine, but a vulnerability exists.

1007
Q

What is the purpose of log review and analysis in an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

A

Answer: C. To identify errors and anomalies that point to problems, modifications, or breaches

Explanation: Log review and analysis is a best practice that should be used in every organization. Logs should include what is relevant, be proactively reviewed, and be especially scrutinized for errors and anomalies that point to problems, modifications, or breaches.

1008
Q

What is the purpose of a security audit in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security audit is a systematic, measurable technical assessment of how the organization’s security policy is employed. It is used to ensure that security controls are operating effectively and as designed.

1009
Q

What is the difference between a white box test and a black box test?

A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.
B. In a white box test, the tester has no knowledge of the system being tested, while in a black box test, the tester has full knowledge of the system.
C. Both white box and black box tests require the tester to have full knowledge of the system being tested.
D. Both white box and black box tests require the tester to have no knowledge of the system being tested.

A

Answer: A. In a white box test, the tester has full knowledge of the system being tested, while in a black box test, the tester has no knowledge of the system.

Explanation: In a white box test, the tester has full knowledge of the system being tested, including source code, architecture, and both the software and hardware involved. In a black box test, the tester has no knowledge of the system being tested.

1010
Q

What is the purpose of a code review in the context of security assessment and testing?

A. To identify potential vulnerabilities in the code
B. To identify potential threats to the system
C. To identify errors and anomalies that point to problems, modifications, or breaches
D. To identify the effectiveness of the system’s security controls

A

Answer: A. To identify potential vulnerabilities in the code

Explanation: A code review is a systematic examination of computer source code intended to find and fix mistakes overlooked in the initial development phase, improving both the overall quality of software and the developers’ skills. In the context of security, it is used to identify potential vulnerabilities in the code.

1011
Q

What is the difference between a credentialed scan and an uncredentialed scan?

A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.
B. A credentialed scan is performed without system-level access, while an uncredentialed scan is performed with system-level access.
C. Both credentialed and uncredentialed scans are performed with system-level access.
D. Both credentialed and uncredentialed scans are performed without system-level access.

A

Answer: A. A credentialed scan is performed with system-level access, while an uncredentialed scan is performed without system-level access.

Explanation: A credentialed scan is performed with system-level access, and it can see everything that is happening on a given host. An uncredentialed scan is performed without system-level access, and it can only see what is visible on the network.

1012
Q

What is the purpose of a security control self-assessment?

A. To identify potential vulnerabilities in the system
B. To ensure that security controls are operating effectively and as designed
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To ensure that security controls are operating effectively and as designed

Explanation: A security control self-assessment is a process where an organization evaluates its own security controls to ensure they are operating effectively and as designed. It is a proactive measure to identify any potential issues before they become problems.

1013
Q

What is the purpose of a risk-based approach to security testing?

A. To focus testing efforts on areas of greatest risk
B. To identify potential vulnerabilities in the system
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: A. To focus testing efforts on areas of greatest risk

Explanation: A risk-based approach to security testing allows an organization to focus its testing efforts on the areas of greatest risk. This approach ensures that resources are used effectively and that high-risk areas receive the attention they require.

1014
Q

What is the purpose of a security control in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To protect the system against potential threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To protect the system against potential threats

Explanation: A security control is a safeguard or countermeasure designed to avoid, counteract, or minimize security risks. In the context of an organization’s security strategy, the purpose of a security control is to protect the system against potential threats.

1015
Q

What is the difference between a false positive and a false negative in the context of security monitoring?

A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.
B. A false positive is when the system says everything is fine, but a vulnerability exists, while a false negative is when the system claims a vulnerability exists, but there is none.
C. Both false positives and false negatives are when the system claims a vulnerability exists, but there is none.
D. Both false positives and false negatives are when the system says everything is fine, but a vulnerability exists.

A

Answer: A. A false positive is when the system claims a vulnerability exists, but there is none, while a false negative is when the system says everything is fine, but a vulnerability exists.

Explanation: A false positive is when the system claims a vulnerability exists, but there is none. This can lead to wasted resources as teams investigate nonexistent issues. A false negative is when the system says everything is fine, but a vulnerability exists. This can lead to undetected breaches and significant damage.

1016
Q

What is the purpose of a security control baseline in the context of an organization’s security strategy?

A. To identify potential vulnerabilities in the system
B. To provide a starting point for the implementation of security controls
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To provide a starting point for the implementation of security controls

Explanation: A security control baseline provides a set of basic controls that an organization can use as a starting point for their security strategy. It provides a foundation upon which additional, more specific controls can be built based on the organization’s unique risks and requirements.

1017
Q

What is the purpose of the “Process for Attack Simulation and Threat Analysis” (PASTA) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To simulate potential attack scenarios and analyze threats
C. To identify potential threats to the system
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To simulate potential attack scenarios and analyze threats

Explanation: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling methodology that aims to provide a dynamic threat identification, enumeration, and scoring process. It simulates potential attack scenarios and analyzes threats in a structured and methodical way.

1018
Q

What is the difference between a Type 1 SOC report and a Type 3 SOC report?

A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
B. A Type 1 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
C. Both Type 1 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 1 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A

Answer: A. A Type 1 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.

Explanation: A Type 1 SOC report focuses on the design of controls at a point in time. A Type 3 SOC report, on the other hand, examines not only the design of a control but also its operating effectiveness over a period of time.

1019
Q

What is the purpose of the “Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, Elevation of privilege” (STRIDE) methodology in threat modeling?

A. To identify potential vulnerabilities in the system
B. To categorize potential threats to the system
C. To simulate potential attack scenarios
D. To identify the effectiveness of the system’s security controls

A

Answer: B. To categorize potential threats to the system

Explanation: The STRIDE methodology is a threat modeling technique used to categorize potential threats to a system. It stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-Service, and Elevation of privilege.

1020
Q

What is the difference between a Type 2 SOC report and a Type 3 SOC report?

A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.
B. A Type 2 report focuses on the design of controls at a point in time, while a Type 3 report examines the design of a control and its operating effectiveness over a period of time.
C. Both Type 2 and Type 3 reports focus on the design of controls at a point in time.
D. Both Type 2 and Type 3 reports examine the design of a control and its operating effectiveness over a period of time.

A

Answer: A. A Type 2 report examines the design of a control and its operating effectiveness over a period of time, while a Type 3 report focuses on the design of controls at a point in time.

Explanation: A Type 2 SOC report examines not only the design of a control but also its operating effectiveness over a period of time. A Type 3 SOC report, on the other hand, focuses on the design of controls at a point in time.

1021
Q

What is the purpose of Real User Monitoring (RUM) in operational testing?

A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. RUM is an active monitoring technique that monitors user interactions and activity with a website or application.
C. RUM is a passive monitoring technique that monitors the performance of a website or application under load.
D. RUM is an active monitoring technique that monitors the performance of a website or application under load.

A

Answer: A. RUM is a passive monitoring technique that monitors user interactions and activity with a website or application.

Explanation: Real User Monitoring (RUM) is a passive monitoring technique that monitors user interactions and activity with a website or application. It provides insights into how users are interacting with the system in real time.

1022
Q

What is the purpose of the Common Vulnerability Scoring System (CVSS)?

A. CVSS reflects a method to characterize a vulnerability through a scoring system considering various characteristics.
B. CVSS is a list of records for publicly known cybersecurity vulnerabilities.
C. CVSS is a method to identify the unique characteristics of a system through an examination of how packets and other system level information are formed.
D. CVSS is a method to identify a system’s operating system, applications, and versions.

A

Answer: A. CVSS reflects a method to characterize a vulnerability through a scoring system considering various characteristics.

Explanation: The Common Vulnerability Scoring System (CVSS) reflects a method to characterize a vulnerability through a scoring system considering various characteristics. It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

1023
Q

What is the purpose of Synthetic Performance Monitoring in operational testing?

A. Synthetic Performance Monitoring is a passive monitoring technique that monitors user interactions and activity with a website or application.
B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.
C. Synthetic Performance Monitoring is a passive monitoring technique that monitors the performance of a website or application under load.
D. Synthetic Performance Monitoring is an active monitoring technique that monitors the performance of a website or application under load.

A

Answer: B. Synthetic Performance Monitoring examines functionality as well as functionality and performance under load.

Explanation: Synthetic Performance Monitoring examines functionality as well as functionality and performance under load. Test scripts for each type of functionality can be created and then run at any time.

1024
Q

What is the purpose of the Common Vulnerabilities and Exposures (CVE) dictionary in the context of interpreting and understanding results from activities like vulnerability scanning, banner grabbing, and fingerprinting?

A. CVE is a list of records for publicly known cybersecurity vulnerabilities.
B. CVE reflects a method to characterize a vulnerability through a scoring system considering various characteristics.
C. CVE is a method to identify the unique characteristics of a system through an examination of how packets and other system level information are formed.
D. CVE is a method to identify a system’s operating system, applications, and versions

A

Answer: A. CVE is a list of records for publicly known cybersecurity vulnerabilities.

Explanation: CVE, also known as the Common Vulnerabilities and Exposures dictionary, is “a list of records – each containing an identification number, a description, and at least one public reference – for publicly known cybersecurity vulnerabilities.”

1025
Q

What is the difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in the context of runtime testing?

A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.
B. SAST involves focusing on the application and system as the underlying code executes when an application is running, while DAST involves examining the underlying source code when an application is not running.
C. Both SAST and DAST involve examining the underlying source code when an application is not running.
D. Both SAST and DAST involve focusing on the application and system as the underlying code executes when an application is running.

A

Answer: A. SAST involves examining the underlying source code when an application is not running, while DAST involves focusing on the application and system as the underlying code executes when an application is running.

Explanation: Static Application Security Testing (SAST) involves examining the underlying source code when an application is not running. This is a form of white box testing. Dynamic Application Security Testing (DAST), on the other hand, involves focusing on the application and system as the underlying code executes when an application is running. This is a form of black box testing.

1026
Q

What is the difference between circular overwrite and clipping levels in the context of log file management?

A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log a given event based upon threshold settings.
B. Circular overwrite focuses on when to log a given event based upon threshold settings, while clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
C. Both circular overwrite and clipping levels limit the maximum size of a log file by overwriting entries, starting from the earliest.
D. Both circular overwrite and clipping levels focus on when to log a given event based upon threshold settings.

A

Answer: A. Circular overwrite limits the maximum size of a log file by overwriting entries, starting from the earliest, while clipping levels focus on when to log
a given event based upon threshold settings.

Explanation: Circular overwrite is a method of log file management that limits the maximum size of a log file by overwriting entries, starting from the earliest.
Clipping levels, on the other hand, focus on when to log a given event based upon threshold settings, which can also help limit log file sizes.

1027
Q

What are the three types of audit strategies mentioned in the context of organizational audit strategies?

A. Internal, external, and fourth party
B. Internal, external, and third party
C. First party, second party, and third party
D. Internal, external, and inter-party

A

Answer: B. Internal, external, and third party

Explanation: The three types of audit strategies mentioned are internal, external, and third party. Each of these strategies has a different focus and is used in different contexts within an organization’s
overall audit strategy.

1028
Q

What are the different types of coverage testing you need to explain for the CISSP exam?

A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative
B. Black box, white box, dynamic, static, manual, automated, structural, positive, negative
C. Black box, white box, dynamic, static, manual, automated, structural, functional, positive
D. Black box, white box, dynamic, static, manual, automated, structural, functional, neutral

A

Answer: A. Black box, white box, dynamic, static, manual, automated, structural, functional, negative

Explanation: The types of coverage testing that you need to explain for the CISSP exam are black box, white box, dynamic, static, manual, automated,
structural, functional, and negative.

1029
Q

What is the difference between awareness, training, and education in the context of security process data collection?

A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”
B. Awareness refers to the “how” of an organization’s policy or procedure, training refers to the “why,” and education refers to the “what.”
C. Awareness refers to the “why” of an organization’s policy or procedure, training refers to the “what,” and education refers to the “how.”
D. Awareness, training, and education all refer to the “what” of an organization’s policy or procedure.

A

Answer: A. Awareness refers to the “what” of an organization’s policy or procedure, training refers to the “how,” and education refers to the “why.”

Explanation: Awareness refers to the “what” of an organization’s policy or procedure, aiming at knowledge retention. Training focuses on the “how,” enabling the ability to complete a task and apply problem-solving at the application level. Education focuses on the “why,” providing an understanding of the big picture and enabling design-level problem solving with architectural exercises.

1030
Q

What is the purpose of breach attack simulations in the context of security controls?

A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.
B. Breach attack simulations are where you simulate real-world attacks in a controlled environment, typically both manual and occasionally running.
C. Breach attack simulations are where you simulate hypothetical attacks across your whole environment, typically both automatic and always running.
D. Breach attack simulations are where you simulate hypothetical attacks in a controlled environment, typically both manual and occasionally running.

A

Answer: A. Breach attack simulations are where you simulate real-world attacks across your whole environment, typically both automatic and always running.

Explanation: Breach attack simulations simulate real-world attacks across the entire environment. They are typically automatic and always running,
using tools that are constantly updated and provide remediation steps and documentation.

1031
Q

What is the role of security control compliance checks?

A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.
B. Security control compliance checks are occasionally performed to assess whether the organization is currently following their controls.
C. Security control compliance checks are regularly performed to assess whether the organization is currently violating their controls.
D. Security control compliance checks are occasionally performed to assess whether the organization is currently violating their controls.

A

Answer: A. Security control compliance checks are regularly performed to assess whether the organization is currently following their controls.

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. These checks can be automated and may use either
in-house or third-party tools. Failed compliance checks typically result in the organization investigating and remediating the issues found.

1032
Q

What is the main difference between internal, external, and third-party audit strategies?

A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.
B. Internal audits ensure procedures/compliance are being followed with regular checks, external audits are closely aligned to the organization, and third-party audits provide a more in-depth, neutral audit.
C. Internal audits provide a more in-depth, neutral audit, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits are closely aligned to the organization.
D. All three types of audits are closely aligned to the organization.

A

Answer: A. Internal audits are closely aligned to the organization, external audits ensure procedures/compliance are being followed with regular checks, and third-party audits provide a more in-depth, neutral audit.

Explanation: Internal audits should be closely aligned to the organization. The external strategy needs to ensure procedures/compliance are being
followed with regular checks and complement the internal strategy. The third-party strategy is an objective, neutral approach that reviews the overall
strategy for auditing the organization’s environment, methods of testing, and can also ensure that both internal and external audits are following defined policies and procedures.

1033
Q

What is the main objective of breach attack simulations?

A. To simulate real-world attacks across the whole environment, typically both automatic and always running
B. To simulate hypothetical attacks across the whole environment, typically both automatic and always running
C. To simulate real-world attacks in a controlled environment, typically both automatic and always running
D. To simulate hypothetical attacks in a controlled environment, typically both automatic and always running

A

Answer: A. To simulate real-world attacks across the whole environment, typically both automatic and always running

Explanation: Breach attack simulations are where you simulate real-world attacks. They are simulated across your whole environment and are typically both automatic and always running. Red and blue teams use tools that are constantly updated and provide remediation steps and documentation.

1034
Q

What is the main purpose of security control compliance checks?

A. To assess whether the organization is currently following their controls
B. To assess whether the organization is currently violating their controls
C. To assess whether the organization is currently updating their controls
D. To assess whether the organization is currently implementing their controls

A

Answer: A. To assess whether the organization is currently following their controls

Explanation: Security control compliance checks are regularly performed to assess whether the organization is currently following their controls. This may be automated and use either in-house or third party tools. Failed compliance checks normally end up in the organization investigating and remediating the
issues it found.

1035
Q

What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts
B. To handle test results and report any results of concern to the IT department immediately so they can be aware of potential risks and alerts
C. To handle test results and report any results of concern to the security team immediately so they can be aware of potential risks and alerts
D. To handle test results and report any results of concern to the stakeholders immediately so they can be aware of potential risks and alerts.

A

Answer: A. To handle test results and report any results of concern to management immediately so they can be aware of potential risks and alerts

Explanation: Those who analyze the security of an organization’s apps and services need to know how to handle test results. Any results of concern need to be reported to management immediately so they can be aware of potential risks and alerts. The detail in reporting to management may be on a “need-to-know” basis.

1036
Q

What are the two primary categories of assessments that you need to be aware of for the CISSP exam?

A. Formal assessments and informal assessments
B. Formal assessments and no-notice assessments
C. Informal assessments and no-notice assessments
D. Internal assessments and external assessments

A

Answer: A. Formal assessments and informal assessments

Explanation: The two primary categories of assessments are formal assessments and informal assessments. Formal assessments are evaluations against a compliance standard, which includes regulatory and other legal requirements.

1037
Q

What are the key elements of an audit report?
A. Purpose, scope, results of the audit, audit events
B. Purpose, scope, results of the audit, audit strategies
C. Purpose, scope, results of the audit, audit techniques
D. Purpose, scope, results of the audit, audit procedures

A

Answer: A. Purpose, scope, results of the audit, audit events

Explanation: The key elements of an audit report are the purpose, scope, results of the audit, and audit events. The purpose outlines the reason for the audit, the scope defines the boundaries of the audit, the
results of the audit provide the findings, and the audit events detail the specific instances or activities audited.

1038
Q

What are the four types of SOC reports?
A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3
B. SOC 1, SOC 2 Type 1, SOC 2 Type 2, SOC 3
C. SOC 1, SOC 2, SOC 3 Type 1, SOC 3 Type 2
D. SOC 1 Type 1, SOC 2 Type 1, SOC 3 Type 1, SOC 4

A

Answer: A. SOC 1 Type 1, SOC 1 Type 2, SOC 2, SOC 3

Explanation: The four types of SOC reports are SOC 1 Type 1, SOC 1 Type 2, SOC 2, and SOC 3. Each type of report has a different focus and is used for different purposes within an organization’s overall audit strategy.

1039
Q

What are the two phases in preparing for the SOC audit?

A. Preparations phase and Audit phase
B. Preparations phase and Reporting phase
C. Audit phase and Reporting phase
D. Preparations phase and Review phase

A

Answer: A. Preparations phase and Audit phase

Explanation: There are two phases in preparing for the SOC audit: the Preparations phase and the Audit
phase. The Preparations phase involves scheduling, defining the scope, inventorying controls, conducting
a readiness review, and resolving discrepancies. The Audit phase involves creating a detailed project plan,
gathering artifacts, providing physical access and workspace, conducting meetings, testing, off-site analysis, issue resolution, providing audit reports, and
conducting a lessons learned review.

1040
Q

What is the main purpose of analyzing test output and generating reports in the context of security audits?

A. To present the data in a meaningful way for most people who need the data
B. To present the data in a raw format for most people who need the data
C. To present the data in a meaningful way for a few gifted people who can draw salient conclusions
D. To present the data in a raw format for a few gifted people who can draw salient conclusions

A

Answer: A. To present the data in a meaningful way for most people who need the data

Explanation: Security controls, vulnerability scans, penetration tests, and audits – all these activities generate a significant amount of data. Perhaps a few gifted people can review the raw data and draw
salient conclusions, but most people need the data presented to them in a meaningful way.

1041
Q

What is the main purpose of “no-notice” assessments?

A. To evaluate the situation without any forewarning of the evaluation
B. To evaluate the situation with prior notice of the evaluation
C. To evaluate the situation with occasional notice of the evaluation
D. To evaluate the situation with frequent notice of the evaluation

A

Answer: A. To evaluate the situation without any forewarning of the evaluation

Explanation: “No-notice” assessments simply means that the situation being evaluated has no forewarning of the evaluation (e.g., spot check, desk audit). A no-notice assessment isn’t really a “type” of assessment; it’s basically a surprise audit or an informal assessment where notice isn’t given. It can likely fit into a subcategory or type of informal assessment.

1042
Q

What is the main purpose of internal assessments?

A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations
B. To see if controls exceed risk expectations or to see if there are ways to improve efficiency of operations
C. To see if controls meet risk expectations or to see if there are ways to reduce efficiency of operations
D. To see if controls exceed risk expectations or to see if there are ways to reduce the efficiency of operations

A

Answer: A. To see if controls meet risk expectations or to see if there are ways to improve efficiency of operations

Explanation: Internal assessments are done for the purpose of seeing if controls meet risk expectations or to see if there are ways to improve efficiency of operations and how well an organization is prepared
for an external or formal audit. An internal
assessment might follow a formal process, but is most likely considered informal by nature.

1043
Q

Among the following tools, which is predominantly designed to conduct network discovery scans to identify active hosts and open ports?

A. Nmap
B. OpenVAS
C. Metasploit Framework
D. lsof

A

Answer: A. Nmap

Explanation: Nmap (Network Mapper) is primarily used for network discovery and port scanning. It is a versatile tool that allows for the identification of active hosts and open ports within a network.

1044
Q

After executing a network port scan from an external network on an internal web server to simulate an attacker’s viewpoint, which scan results should be of utmost concern and warrant immediate attention?

A. Port 80 is open.
B. Port 22 is filtered.
C. Port 443 is open.
D. Port 1433 is open.

A

Answer: D. Port 1433 is open.

Explanation: Port 1433 is commonly associated with Microsoft SQL Server. An open SQL Server port exposed to an external network is a significant security risk and should be addressed immediately.

1045
Q

When devising a schedule for security testing of a specific system, which of the following factors should be excluded from your considerations?

A. The sensitivity level of the data stored on the system
B. The complexity involved in executing the test
C. The inclination to experiment with novel testing tools
D. The system’s attractiveness as a target for attackers

A

Answer: C. The inclination to experiment with novel testing tools

Explanation: The desire to experiment with new testing tools should not be a factor when planning a security testing schedule. The focus should be on the system’s security posture and potential risks.

1046
Q

For whom is a security assessment report primarily intended?

A. Organizational management
B. The individual conducting the security audit
C. Security professionals within the organization
D. The organization’s customer base

A

Answer: A. Organizational management

Explanation: A security assessment report is primarily intended for organizational management. It provides them with an overview of the security posture of the system or network, allowing them to
make informed decisions regarding security policies and resource allocation.

1047
Q

Which port number is customarily designated for establishing administrative connections via the Secure Shell (SSH) protocol?

A. 20
B. 22
C. 25
D. 80

A

Answer: B. 22

Explanation: Port 22 is the standard port used for SSH connections, commonly employed for secure server access.

1048
Q

Among the listed testing methodologies, which one furnishes the most comprehensive and precise insights into a server’s security posture?

A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan

A

Answer: D. Authenticated scan

Explanation: An authenticated scan provides the most detailed information about the security state of a server. It allows for a deeper system inspection by
using valid credentials to access it.

1049
Q

Which variant of network discovery scan employs only the initial two steps of the TCP three-way handshake and does not complete the connection?

A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan

A

Answer: C. TCP SYN scan

Explanation: A TCP SYN scan, also known as a “half-open” scan, utilizes only the first two steps of the TCP three-way handshake. It sends a SYN packet and waits for a SYN-ACK response but does not send the final ACK packet to complete the handshake.

1050
Q

Which tool from the following options is most suitable for SQL injection vulnerability detection?

A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner

A

Answer: D. Web vulnerability scanner

Explanation: A web vulnerability scanner is specifically designed to identify vulnerabilities in web applications, including SQL injection flaws.

1051
Q

On a system operating an HTTP server without encryption, which port is generally left open to facilitate communication?
A. 22
B. 80
C. 143
D. 443

A

Answer: B. 80

Explanation: Port 80 is the standard port for unencrypted HTTP traffic. Servers running unencrypted HTTP services typically listen on this port.

1052
Q

Following a recent cyberattack that led to an extended service outage within your organization, you are tasked with inspecting systems for known vulnerabilities that could be exploited in future attacks. Which of the following options would be the most effective for identifying such vulnerabilities?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

A

Answer: B. Vulnerability scanner

Explanation: A vulnerability scanner is specifically designed to automatically identify known vulnerabilities in systems and networks, making it the most effective choice for this scenario.

1053
Q

Among the listed processes, which one is most likely to provide a comprehensive inventory of all security risks present within a system?

A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan

A

Answer: D. Vulnerability scan

Explanation: A vulnerability scan is designed to identify known security risks in a system by probing for its configuration, software, and hardware
weaknesses.

1054
Q

A newly appointed Chief Information Officer (CIO) discovers that the organization lacks a formal change management program and mandates its immediate implementation. What would be a primary objective of instituting such a program?

A. Ensuring the safety of personnel
B. Facilitating the rollback of changes
C. Ensuring that implemented changes do not compromise security
D. Auditing privileged access

A

Answer: C. Ensuring that implemented changes do not compromise security

Explanation: One of the primary goals of a change management program is to ensure that any changes made to systems or processes do not adversely affect
the organization’s security posture.

1055
Q

Among the following cloud service models, which affords an organization the highest degree of administrative control while also necessitating that the organization assume full responsibility for maintaining operating systems and applications?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Public Cloud Service

A

Answer: A. Infrastructure as a Service (IaaS)

Explanation: Infrastructure as a Service (IaaS) provides an organization with the most control over its cloud resources, including virtual machines, storage, and networking. However, this level of
control comes with the responsibility of managing and maintaining the operating systems and applications.

1056
Q

Among the following elements, which one is typically not a component of a comprehensive security assessment?

A. Conducting a vulnerability scan
B. Performing a risk assessment
C. Implementing vulnerability mitigation measures
D. Carrying out a threat assessment

A

Answer: C. Implementing vulnerability mitigation measures

Explanation: A security assessment focuses on identifying vulnerabilities, assessing risks, and evaluating threats. The actual mitigation of vulnerabilities is usually a separate process that follows the assessment.

1057
Q

For whom is a security assessment report primarily intended?

A. Organizational management
B. The individual conducting the security audit
C. Security professionals within the organization
D. The organization’s customer base

A

Answer: A. Organizational management

Explanation: A security assessment report is primarily intended for organizational management. It provides them with an overview of the security posture of the system or network, allowing them to
make informed decisions regarding security policies and resource allocation.

1058
Q

Which of the following steps is executed first?

A. Response
B. Mitigation
C. Remediation
D. Lessons learned

A

Answer: A. Response

Explanation: In the (ISC)² framework for incident management, the first step is usually the “Response” phase, where the incident is initially addressed and contained.

1059
Q

Security administrators are in the process of reviewing the entire set of data collected through event logging. What is the most accurate term to describe this collection of data?

A. Identification
B. Audit trails
C. Authorization
D. Confidentiality

A

Answer: B. Audit trails

Explanation: The term “audit trails” best describes the body of data collected through event logging. Audit trails are records that provide documentary evidence of the sequences of activities that have, at any time, affected a specific operation, procedure, or event.

1060
Q

Which network device is most likely to be connected to this mirrored port?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A honeypot
D. A sandbox

A

Answer: B. An intrusion detection system (IDS)

Explanation: A mirrored port is often used to connect an intrusion detection system (IDS) for monitoring network traffic.

1061
Q

A network is equipped with a network-based intrusion detection system (NIDS). Security administrators later discover that an attack penetrated the network without triggering an alarm from the NIDS. What is this scenario best described as?

A. A false positive
B. A false negative
C. A Fraggle attack
D. A Smurf attack

A

Answer: B. A false negative

Explanation: A false negative occurs when an intrusion detection system fails to detect an actual attack, allowing it to penetrate the network without raising an alarm.

1062
Q

Among the following actions, which one is most likely to be indicative of a terrorist attack, as opposed to other forms of cyberattacks?

A. Tampering with sensitive trade secret documents
B. Disrupting communication capabilities in preparation for a physical attack
C. Exfiltrating unclassified information
D. Illicitly transferring funds to foreign countries

A

Answer: B. Disrupting communication capabilities in preparation for a physical attack

Explanation: Disrupting an organization’s ability to communicate and respond to a physical attack is most
indicative of a terrorist attack, as it aims to cause widespread harm and panic.

1063
Q

Which of the following actions would not align with the primary objectives typically associated with a grudge attack?

A. Publicly disclosing embarrassing personal information
B. Deploying a virus on the target organization’s systems
C. Sending emails with inappropriate content from a spoofed address of the victim organization
D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems

A

Answer: D. Utilizing automated tools to scan for vulnerable ports on the organization’s systems

Explanation: Grudge attacks are usually motivated by personal vendettas and aim to cause embarrassment or harm to the target. Scanning for vulnerable ports is more indicative of a broader cyberattack rather than a grudge attack.

1064
Q

What is the paramount rule to adhere to during the process of evidence collection in a cyber investigation?

A. Refrain from shutting down the computer until the screen is photographed
B. Document the names of all individuals present during the collection
C. Avoid altering the evidence during the collection process
D. Transport all collected equipment to a secure storage facility

A

Answer: C. Avoid altering the evidence during the collection process

Explanation: The integrity of evidence is crucial in any investigation. Therefore, avoiding any modification to the evidence during its collection is paramount.

1065
Q

What category of evidence encompasses written documents presented in court to substantiate a particular fact?

A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence

A

Answer: C. Documentary evidence

Explanation: Documentary evidence refers to written documents that are used in court to prove a fact.

1066
Q

Among the following types of investigations, which one necessitates the highest standard of evidence for prosecution?

A. Administrative
B. Civil
C. Criminal
D. Regulatory

A

Answer: C. Criminal

Explanation: Criminal investigations require the highest standard of evidence, often “beyond a reasonable doubt,” due to the severe consequences involved, such as imprisonment.

1067
Q

What is the expected conduct for CISSP holders?

A. Act honestly, diligently, responsibly, and legally
B. Act honorably, honestly, justly, responsibly, and legally
C. Uphold the security policy and protect the organization
D. Act in a trustworthy, loyal, friendly, and courteous manner

A

Answer: B. Act honorably, honestly, justly, responsibly, and legally

Explanation: The (ISC)² Code of Ethics outlines that CISSPs are expected to act honorably, honestly, justly, responsibly, and legally.

1068
Q

Which kind of identity platform would be most suitable for ensuring the continuous availability of authentication services?

A. On-site
B. Cloud based
C. Hybrid
D. Outsourced

A

Answer: B. Cloud based

Explanation: A cloud-based identity platform typically offers high availability and redundancy, making it a suitable choice when availability is the organization’s biggest priority.

1069
Q

Which technology should you consider implementing to facilitate sharing identity information with a business partner?

A. Single Sign-On
B. Multifactor authentication
C. Federation
D. Identity as a Service (IDaaS)

A

Answer: C. Federation

Explanation: Federation allows for sharing identity information across different organizations and systems, making it the most appropriate choice for sharing identity information with a business partner.

1070
Q

Which guiding principle mandates that an individual exerts every effort to fulfill their responsibilities accurately and within a reasonable time frame?

A. Least privilege
B. Separation of duties
C. Due care
D. Due diligence

A

Answer: C. Due care

Explanation: The principle of “due care” requires that an individual should act responsibly and take the necessary steps to complete their responsibilities accurately and in a timely manner.

1071
Q

Which metric would provide crucial information regarding the maximum duration the organization can afford without a particular service before incurring irreparable damage?

A. Maximum tolerable downtime (MTD)
B. Annualized loss expectancy (ALE)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)

A

Answer: A. Maximum tolerable downtime (MTD)

Explanation: Maximum tolerable downtime (MTD) is the metric that indicates the longest period of time a business process can be inoperative before causing irreparable harm to the organization.

1072
Q

To overcome resistance to a change, which of the following approaches provides the best solution?

a. The change is well planned.
b. The change is fully communicated.
c. The change is implemented in a timely way.
d. The change is fully institutionalized.

A

D. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing
the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as leverage to change the entire company.

1072
Q

Which of the following is the correct sequence of steps to be followed in an application-software change control process?

  1. Test the changes.
  2. Plan for changes.
  3. Initiate change request.
  4. Release software changes.

a. 1, 2, 3, and 4
b. 2, 1, 3, and 4
c. 3, 2, 1, and 4
d. 4, 3, 1, and 2

A

C. Any application software change must start with a change request from a functional user. An information technology (IT) person can plan, test, and release the change after it is approved by the functional user.

1073
Q

During the system design of data input control procedures, the least consideration should be given to which of the following items?

a. Authorization
b. Validation
c. Configuration
d. Error notification

A

C. Configuration management is a procedure for applying technical and administrative direction and monitoring to (i) identify and document the functional and physical characteristics of an item or
system, (ii) control any changes made to such characteristics, and (iii) record and report the change, process, and implementation status. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for
processing. Validation ensures that the data entered meets predefined criteria in terms of its attributes. Error notification is as important as error correction.

1074
Q

Software configuration management (SCM) should primarily address which of the following questions?

a. How does software evolve during system development?
b. How does software evolve during system maintenance?
c. What constitutes a software product at any point in time?
d. How is a software product planned?

A

C. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product
is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers
questions such as (i) what constitutes the software product at any point in time? and (ii) what changes have been made to the software product? The other choices ask how a software product is planned, developed, or maintained; those are questions for the development and maintenance processes themselves, whereas SCM records the history of the product's evolution and its exact state at each point in time.

1075
Q

What is the main feature of software configuration management (SCM)?

a. Tracing of all software changes
b. Identifying individual components
c. Using computer-assisted software engineering tools
d. Using compilers and assemblers

A

A. Software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes. Identifying individual components is incorrect because it is only part of the configuration identification function. The goals of configuration identification are to create the ability to identify the components of the system throughout its life cycle and to provide traceability between the software and related configuration identification items.
Computer-assisted software engineering (CASE) tools, compilers, and assemblers are incorrect because they are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.

1076
Q

Which of the following areas of software configuration management (SCM) is executed last?

a. Identification
b. Change control
c. Status accounting
d. Audit

A

d. There are four elements of configuration management. The first element is configuration identification, consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control, consisting of
evaluation, coordination, approval or disapproval, and implementation
of changes to configuration items after formal establishment of their
configuration identification. The third element is configuration status accounting, consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit, consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly
working.

1077
Q

Which of the following is an example of input validation error?

a. Access validation error
b. Configuration error
c. Buffer overflow error
d. Race condition error

A

c. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input
received by a system is longer than the expected input length, but the system does not check for this condition. In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when
user-controllable settings in a system are set so that the system is vulnerable. A race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation (a time-of-check to time-of-use gap).
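Added example (not part of the deck): the unchecked-length pattern from the answer above, written in Python. The wire format (a 2-byte length field followed by the payload), the MAX_PAYLOAD limit, and the function names are assumptions for illustration. parse_unchecked trusts the declared length the way a C memcpy into a fixed-size buffer would; parse_checked adds the length checks the vulnerable version skips.

```python
import struct

# Constructed wire format for this example (not from the deck): a 2-byte
# big-endian length field followed by that many payload bytes.
HEADER = struct.Struct("!H")
MAX_PAYLOAD = 64  # the longest payload the receiver is designed for (assumed)


def build(payload: bytes) -> bytes:
    """Encode a well-formed message."""
    return HEADER.pack(len(payload)) + payload


def parse_unchecked(msg: bytes) -> bytes:
    """Input validation error: trusts the declared length.

    In C this is where memcpy(buf, msg + 2, declared) would read or write
    past the end of a 64-byte buffer. Python cannot corrupt memory, so the
    symptom here is silent acceptance of a malformed message: a declared
    length larger than the data received, or larger than the expected
    maximum, is never noticed.
    """
    (declared,) = HEADER.unpack_from(msg, 0)
    return msg[HEADER.size:HEADER.size + declared]


def parse_checked(msg: bytes) -> bytes:
    """Same parser with the three checks the vulnerable version skipped."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    (declared,) = HEADER.unpack_from(msg, 0)
    if declared > MAX_PAYLOAD:
        raise ValueError(
            f"declared length {declared} exceeds expected maximum {MAX_PAYLOAD}")
    actual = len(msg) - HEADER.size
    if actual != declared:
        raise ValueError(
            f"declared length {declared} does not match {actual} bytes received")
    return msg[HEADER.size:]


if __name__ == "__main__":
    # A message whose header claims 1000 bytes but carries only two.
    forged = HEADER.pack(1000) + b"hi"
    print("unchecked accepted:", parse_unchecked(forged))
    try:
        parse_checked(forged)
    except ValueError as exc:
        print("checked rejected:", exc)
```

The three checks map onto the deck's definition: the header must actually be present, the declared length must not exceed what the receiver was built to expect, and the declared length must agree with what arrived. A parser that skips the last check is the shape of an over-read; one that skips the middle check is the shape of a buffer overflow.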

1078
Q

From a risk management viewpoint, new system interfaces are addressed in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. In the operation/maintenance phase of the SDLC, risk management activities are performed whenever major changes are
made to an IT system in its operational (production) environment (for
example, new system interfaces).

1079
Q

The initiation phase of the security certification and accreditation process does not contain which of the following?

a. Preparation
b. Resource identification
c. Action plan and milestones
d. Security plan acceptance

A

c. The action plan and milestones document belongs to the later phases of security certification and accreditation. It describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to
reduce or eliminate known system vulnerabilities. The other three choices are part of the initiation phase, which is the
first phase, where it is too early to develop the action plan and milestones.

1080
Q

In the continuous monitoring phase of the security certification and accreditation process, ongoing assessment of security controls is based on which of the following?

a. Configuration management documents
b. Action plan and milestone documents
c. Configuration control documents
d. Security impact analyses documents

A

b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on “action plan and milestones” items that become closed. These newly implemented controls should be validated first. The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.

1081
Q

What is the purpose of polyinstantiation?

A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from
their class

A

B. Instantiation is what happens when an object is created from a class.
Polyinstantiation is when more than one object is made and the other copy is
modified to have different attributes. This can be done for several reasons. The
example given in the chapter was a way to use polyinstantiation for security
purposes to ensure that a lower-level subject could not access an object at a
higher level.
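Added example (not part of the deck): polyinstantiation in a multilevel table, in Python. The level names, the "vessel-7" cargo scenario and both table classes are constructed for illustration. The first table has an ordinary unique primary key, so a low-level insert that collides with a hidden high-level row is rejected, and the rejection itself tells the low subject that the hidden row exists. The second table adds the classification level to the key, so the low insert creates a second instance of the object and each subject reads the highest instance it is cleared for.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class SingleInstanceTable:
    """Ordinary table with a unique primary key: existence of a key leaks."""

    def __init__(self):
        self.rows = {}  # key -> (level, attrs)

    def insert(self, level, key, attrs):
        if key in self.rows:
            # Even the rejection tells a low subject that a higher row exists.
            raise KeyError(f"duplicate key {key!r}")
        self.rows[key] = (level, dict(attrs))


class PolyinstantiatedTable:
    """Primary key extended with the classification level, so the same key can
    hold one instance per level and a low insert never collides with a high row."""

    def __init__(self):
        self.rows = {}  # (key, level) -> attrs

    def insert(self, level, key, attrs):
        self.rows[(key, level)] = dict(attrs)

    def select(self, subject_level, key):
        """Return the highest-classified instance the subject may read (no read up)."""
        ceiling = LEVELS[subject_level]
        candidates = [(LEVELS[lvl], lvl) for (k, lvl) in self.rows
                      if k == key and LEVELS[lvl] <= ceiling]
        if not candidates:
            return None
        _, lvl = max(candidates)
        return dict(self.rows[(key, lvl)])


def demo():
    """Constructed scenario: a cargo vessel's real destination is secret."""
    plain = SingleInstanceTable()
    plain.insert("secret", "vessel-7", {"destination": "classified port"})
    try:
        plain.insert("unclassified", "vessel-7", {"destination": "Lisbon"})
        leaked = False
    except KeyError:
        leaked = True  # the low user now knows vessel-7 has a hidden row

    poly = PolyinstantiatedTable()
    poly.insert("secret", "vessel-7", {"destination": "classified port"})
    poly.insert("unclassified", "vessel-7", {"destination": "Lisbon"})  # cover story
    return {
        "single_instance_leaks": leaked,
        "low_view": poly.select("unclassified", "vessel-7"),
        "high_view": poly.select("secret", "vessel-7"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second copy is not the data it holds but what it prevents: without it the database would have to either refuse the low insert (a signalling channel) or overwrite the secret row (an integrity failure).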

1082
Q

Database views provide what type of security control?

A. Detective
B. Corrective
C. Preventive
D. Administrative

A

C. A database view is put into place to prevent certain users from viewing
specific data. This is a preventive measure, because the administrator is preventing the users from seeing data not meant for them. This is one control to prevent inference attacks.

1083
Q

Which of the following is used to deter database inference attacks?

A. Partitioning, cell suppression, and noise and perturbation
B. Controlling access to the data dictionary
C. Partitioning, cell suppression, and small query sets
D. Partitioning, noise and perturbation, and small query sets

A

A. Partitioning means to logically split the database into parts. Views then dictate which users can see which parts. Cell suppression means that specific cells are not viewable by certain users. Noise and perturbation is when bogus information is inserted into the database to try to give potential attackers incorrect information.
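Added example (not part of the deck): the three countermeasures from the answer above applied to a statistical query over a small salary table, in Python. The employee records, the department names and the MIN_CELL threshold are constructed for illustration. Partitioning splits the relation by department; cell suppression withholds any aggregate cell with too few contributors (otherwise the "legal" total is one person's salary); perturbation here is applied to the query result rather than to the stored rows, which is the other common form of the noise technique.

```python
import random
from collections import defaultdict

# Constructed sample data (not from the deck): (employee, department, salary).
SALARIES = [
    ("ann", "engineering", 120_000),
    ("bo", "engineering", 110_000),
    ("cy", "engineering", 130_000),
    ("di", "engineering", 115_000),
    ("ed", "legal", 175_000),  # the only lawyer: a one-row cell
    ("fay", "sales", 90_000),
    ("gus", "sales", 95_000),
]

MIN_CELL = 3  # cells with fewer contributors are suppressed (assumed threshold)


def partition_by_department(records):
    """Partitioning: split the relation so each query touches one department."""
    parts = defaultdict(list)
    for name, dept, salary in records:
        parts[dept].append((name, salary))
    return dict(parts)


def salary_totals(records, min_cell=MIN_CELL):
    """Cell suppression: publish (count, total) only for cells with >= min_cell rows.

    A suppressed cell is returned as None. With min_cell=1 the 'legal' cell is
    published and reveals ed's exact salary, which is the inference the
    threshold exists to prevent.
    """
    out = {}
    for dept, rows in partition_by_department(records).items():
        if len(rows) < min_cell:
            out[dept] = None
        else:
            out[dept] = (len(rows), sum(s for _, s in rows))
    return out


def perturbed_total(records, dept, noise, seed=None):
    """Noise and perturbation: the true total plus bounded random noise, so that
    repeated or differenced queries cannot isolate one contributor exactly."""
    rng = random.Random(seed)
    true_total = sum(s for _, d, s in records if d == dept)
    return true_total + rng.randint(-noise, noise)


if __name__ == "__main__":
    print("suppressed:", salary_totals(SALARIES))
    print("unsuppressed:", salary_totals(SALARIES, min_cell=1))
    print("perturbed sales total:", perturbed_total(SALARIES, "sales", 5_000, seed=7))
```

Suppression alone is not sufficient against a patient attacker: the total for all departments minus the total for all departments except legal still yields the suppressed cell, which is why the threshold is normally combined with perturbation or with limits on overlapping queries.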

1084
Q

A system has been patched many times and has recently become infected with
a dangerous virus. If antivirus software indicates that disinfecting a file may
damage it, what is the correct action?

A. Disinfect the file and contact the vendor.
B. Back up the data and disinfect the file.
C. Replace the file with the file saved the day before.
D. Restore an uninfected version of the patched file from backup media.

A

D. Some files cannot be properly sanitized by the antivirus software without
destroying them or affecting their functionality. So, the administrator must
replace such a file with a known uninfected file. Plus, the administrator needs to make sure he has the patched version of the file, or else he could be introducing other problems. Answer C is not the best answer because the administrator may not know the file was clean yesterday, so just restoring yesterday’s file may put him right back in the same boat.

1085
Q

A new software development company has been launched to
create mobile device apps for different customers. The
company has talented software programmers employed, but
has not been able to implement standardized development
processes that can be improved upon over time. Which of the
following would be the best approach for this company to take
in order to improve its software development processes?

A. Capability Maturity Model Integration
B. System development life cycle
C. ISO/IEC 27002
D. Certification and accreditation processes

A

A. The Capability Maturity Model Integration (CMMI) for development is a comprehensive integrated set of guidelines
for developing products and software. It addresses the different phases of a software development life cycle,
including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance and what should happen in each phase. The model describes procedures, principles, and practices that underlie software development process maturity. This model was developed to help software vendors improve their development processes by providing an evolutionary path from an ad hoc “fly by the seat of your pants” approach to a more disciplined and repeatable method that improves software quality, reduces the life cycle of
development, provides better project management capabilities, allows for
milestones to be created and met in a timely manner, and takes a more proactive approach than the less effective reactive approach.
B is incorrect because the system development life cycle (SDLC) addresses how a system should be developed and
maintained throughout its life cycle and does not entail process improvement. Each system has its own life cycle, which is made up of the following phases: initiation,
acquisition/development, implementation,
operation/maintenance, and disposal. A system development life cycle is different from a software development life cycle,
even though they are commonly confused. The industry as a whole is starting to differentiate between system and
software life-cycle processes because at a certain point of granularity, the manner in which a computer system is dealt with is different from how a piece of software is dealt with. A computer system should be installed properly, tested, patched, scanned continuously for vulnerabilities, monitored,
and replaced when needed. A piece of software should be designed, coded, tested, documented, released, and
maintained. In either case, the question is asking for a type of process improvement model for software development, which is the focus of Capability Maturity Model Integration and not a system development life cycle.
C is incorrect because ISO/IEC 27002 is an international standard created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that outlines how to create and maintain an organizational information security management system (ISMS). While ISO/IEC 27002 has a section that deals with information systems acquisition,
development, and maintenance, it does not provide a process improvement model for software development. It provides guidance on how to build security into applications, but it does not provide guidance on how to create standardized development procedures for a team of
programmers. The focus of ISO/IEC 27002 is how to build a security program within an organization.
D is incorrect because a certification and accreditation (C&A) process deals with testing and evaluating systems against
predefined criteria. This does not have anything to do with software development process improvement. The
certification process is the technical testing of a system.
Established verification procedures are followed to ensure
the effectiveness of the system and its security controls.
Accreditation is the formal authorization given by
management to allow a system to operate in a specific
environment. The accreditation decision is based upon the
results of the certification process. C&A procedures are
commonly carried out within government and military
environments to ensure that systems and software are
providing the necessary functionality and security to support
critical missions.

1086
Q

The RGO Company is undertaking a new business process that represents a 15 percent increase in volume and a 10 percent increase in the number of employees. The business is dependent on software to run remote processing. The new process needs to be tested fully before implementation. To maintain the stability of the current business and
create a smooth transition to the new business process, the company is
going to employ a system development life cycle (SDLC) methodology. RGO cannot afford to fail.

A security evaluation report and an accreditation statement are produced in which of the following phases of the SDLC?

a. Requirements definition phase
b. Design phase
c. Development phase
d. Testing phase

A

d. Major outputs from the testing phase include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security is tested to see if it works and is then certified.

1087
Q

Which of the following application system development approaches best brings the operational viewpoint to the requirements specification phase?

a. Waterfall model
b. Incremental development model
c. Evolutionary development model
d. Rapid prototyping model

A

D. Due to its iterative process and end-user involvement, the rapid prototyping model brings the operational viewpoint to the requirements specification phase. Requirements are defined, refined, tested, and changed until the end user can no longer find anything to change. Later, these requirements become input to the design work. The waterfall model is incorrect because it does not bring the operational
viewpoint to the requirements phase until the system is completely implemented. Although the incremental development model and the evolutionary development model are better than the waterfall model, they are not as good as rapid prototyping in terms of bringing the operational viewpoint to the requirements specification.

1088
Q

Which of the following best defines adequate information security?

  1. Security commensurate with risk and harm.
  2. Operating systems and applications operate effectively.
  3. Operating systems and applications meet security objectives.
  4. Operating systems and applications use cost-effective security
    controls.

a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

d. Adequate information security means (i) security commensurate with the risk and the magnitude of harm resulting from
the loss, misuse, or unauthorized access to or modification of information, (ii) operating systems and applications operate effectively, (iii) operating systems and applications provide appropriate confidentiality (C), integrity (I), and availability (A), known as CIA security objectives, and (iv) security objectives use cost-effective management, operational, and technical controls (security controls).

1089
Q

Computer viruses continue to pose a threat to the following computer services except:

a. Integrity
b. Availability
c. Confidentiality
d. Usability

A

C. Confidentiality is not affected by the presence of computer viruses in computer systems because confidentiality is ensuring that data is disclosed only to authorized subjects. However, computer viruses affect integrity, availability, and usability. Computer programs can be deleted or modified, thus losing their integrity, the computer system may not be available due to disruption or denial of computer services, and end users may not use the system due to loss of files or disruption of services.

1090
Q

Which of the following should have extremely limited access in a client/server environment?

a. Source code
b. Object code
c. Executable code
d. Machine code

A

A. Access to source code can provide tremendous assistance to any criminal wishing to penetrate a system’s security. Without the source code, an intruder has to probe through a system to find its flaws.
Access to the source code helps the intruder to identify gaps or flaws in
security. It is important to ensure that adequate security is provided for
the system’s source code. It is not good to allow source code to reside on client machines or on the server. It should be located only on a workstation belonging to the configuration management group. The
workstation should have extremely limited access. If the workstation can be disconnected from the network most of the time, that would provide additional security for the source code. Moreover, the source
code is in human-readable format while the other three types of code listed are not.

1091
Q

In the context of a reference monitor concept, a reference validation mechanism doesn’t need to meet which one of the
following design requirements?

a. The reference validation mechanism must be tamperproof.
b. The reference validation mechanism must be large.
c. The reference validation mechanism must not be bypassed.
d. The reference validation mechanism must always be invoked.

A

B. A reference monitor concept is an access control concept that refers to an abstract machine (computer) that mediates all accesses to objects by subjects. The five design requirements that must be met by a reference validation mechanism include (i) it must be tamperproof, (ii) it must not be bypassed, (iii) it must always be invoked, (iv) it must be small enough to be subject to analysis and tests, and (v) it must provide
confidence that the other four items are assured. The reference monitor concept is useful to any system providing multilevel secure computing facilities and controls.

1092
Q

Protection mechanisms defined in security design architecture include which of the following?

a. Layering, abstraction, and data hiding
b. Isolation, segmentation, and separation
c. Security kernel, reference monitor, and system high
d. Accountability, integrity, and confidentiality

A

A. Layering, abstraction, and data hiding are part of security design architecture. The other three choices deal with security control architecture. Layering uses multiple, overlapping protection
mechanisms to address the people, technology, and operational aspects
of IT. Abstraction is related to stepwise refinement and modularity of computer programs. Data hiding is closely related to modularity and abstraction and, subsequently, to program maintainability.

1093
Q

What do you call it when attacks consume Web application resources to a point where other legitimate users can no longer
access or use the application?

a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling

A

C. In denial-of-service attacks, attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

1094
Q

What do you call it when an attack can cause errors to occur, which the Web application does not handle?

a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling

A

D. Improper error handling means error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

1095
Q

Which of the following should occur prior to a significant change in the processing of an information system?

a. System recertification
b. System reaccreditation
c. System reauthorization
d. System reassessment

A

C. Reauthorization should occur prior to a significant change in processing of an information system. A periodic review of controls should also contribute to future authorizations.

1096
Q

Effective control is achieved when configuration management control is established prior to the start of which of the following?

a. Requirements analysis
b. Design
c. Coding
d. Testing

A

B. The design phase translates requirements into a representation of
the software. The design is placed under configuration management control before coding begins. Requirements analysis is incorrect because it focuses on gathering
requirements to understand the nature of the programs to be built. The design must be translated into machine-readable form; the coding step performs this task. Code is verified, for example, through the inspection process, and put under configuration management control prior to the start of formal testing. After code is generated, program testing begins. The testing focuses on the logical internals of the software, ensuring that all statements have been tested, and on the functional externals; that is, conducting tests to uncover errors and to ensure that the defined input produces actual results that agree with the required results.

1097
Q

The security-planning document developed in the development/acquisition phase of a system development life cycle
(SDLC) does not contain which of the following?

a. System interconnection agreements
b. Security tests and evaluation results
c. Request for proposal
d. Plan of actions and milestones

A

C. The request for proposal development, evaluation, and acceptance are a part of other planning components in the
development/acquisition phase of an SDLC. It is a part of project management activities. The other three choices are part of the security planning document.

1098
Q

A worm has infected a system. What should be the first step in handling the worm incident?

a. Analyze the host computer.
b. Disconnect the infected system.
c. Analyze the server.
d. Identify the worm’s behavior.

A

b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an
analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server’s operating system, such as looking for administrative-level user accounts and groups that may
have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm’s behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.

1099
Q

A worm has infected a system. From a network traffic perspective, which of the following contains more detailed
information?

a. Network-based IDS and firewalls
b. Routers
c. Host-based IDS and firewalls
d. Remote access servers

A

c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed
information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information
is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because
many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software was configured to forward copies of its logs
to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs’ integrity is not in doubt). Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which indicates which network
service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that
the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access se

1100
Q

Media sanitization activity is usually most intense during which of the following phases of the system development life cycle (SDLC)?

a. Development/acquisition
b. Implementation
c. Operation/maintenance
d. Disposal

A

d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of
the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.

1101
Q

The security certification assessor is involved with which of the following activities?

a. System development
b. System controls
c. System implementation
d. System operations

A

b. The security certification assessor is involved in assessing
security controls in an information system to provide an unbiased
opinion. The assessor’s independence implies that he is not involved in
the information system development, implementation, or operation.

1102
Q

Which of the following threats rely entirely on social engineering techniques?

  1. Trojan horse
  2. Mobile code
  3. Phishing
  4. Virus hoaxes

a. 1 and 2
b. 2 and 3
c. 1 and 3
d. 3 and 4

A

d. Both phishing and virus hoaxes rely entirely on social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such
as downloading and executing files that appear to be benign but are actually malicious. Phishing refers to using deceptive computer-based means to trick individuals into disclosing sensitive personal information. Virus hoaxes are false virus warnings. The majority of
virus alerts that are sent via e-mail among users are actually hoaxes. Trojan horse is incorrect because it is a nonreplicating program that appears to be benign but actually has a hidden malicious purpose.
Mobile code is incorrect because it is software that is transmitted from
a remote system to be executed on a local system, typically without the user’s explicit instruction. Trojan horse and mobile code do not rely on social engineering.

1103
Q

Defining roles and responsibilities before malware incidents occur is important for identifying infected hosts. Which of the following groups can primarily assist in analyzing routers?

a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators

A

c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are best placed to analyze routers, to analyze network traffic using packet sniffers, and to spot network misconfigurations. The roles of the
administrators in the other three choices are different, reflecting separation of
duties, independence, and objectivity.

1104
Q

Which of the following is not a part of software and information integrity for commercial off-the-shelf application
security?

a. Parity checks
b. Cyclical redundancy checks
c. Failed security tests
d. Cryptographic hashes

A

C. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions.
The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
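Added example (not part of the deck): the three integrity mechanisms named in the answer, parity, CRC and a cryptographic hash, run side by side over a constructed firmware image, in Python. The FIRMWARE bytes and the helper names are assumptions for illustration. The example shows what each mechanism catches: a single flipped bit is caught by all three, a pair of flipped bits slips past parity, and only the hash stands up to a deliberate edit.

```python
import hashlib
import zlib

# Constructed sample "file" for the example (not from the deck).
FIRMWARE = b"ACME-ROUTER-FW-1.4.2: boot=normal admin_port=8443 telemetry=off\n"


def parity_bit(data: bytes) -> int:
    """Even parity over every bit of the data: 1 if the number of set bits is odd."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def crc32(data: bytes) -> int:
    """CRC-32 as used by zip/gzip; zlib.crc32 is masked to an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_bits(data: bytes, *bit_positions: int) -> bytes:
    """Simulate transmission or storage errors by flipping the given bit positions
    (bit 0 is the most significant bit of byte 0)."""
    out = bytearray(data)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(out)


def detected_by(original: bytes, received: bytes) -> dict:
    """Which of the three mechanisms notices that received differs from original."""
    return {
        "parity": parity_bit(original) != parity_bit(received),
        "crc32": crc32(original) != crc32(received),
        "sha256": sha256_hex(original) != sha256_hex(received),
    }


if __name__ == "__main__":
    print("one bit flipped:", detected_by(FIRMWARE, flip_bits(FIRMWARE, 5)))
    print("two bits flipped:", detected_by(FIRMWARE, flip_bits(FIRMWARE, 5, 77)))
```

Parity misses any even number of flipped bits, which is why it is only used for single-bit error detection in memory and serial links. CRC-32 detects every two-bit error in data shorter than about 91,607 bits, but it is a linear function with no secret: an attacker who can edit the file can also append or adjust four bytes to restore the original CRC, so a CRC is an accident detector, not a tamper detector. The cryptographic hash resists that, provided the stored reference value is itself protected, which in practice means a signed manifest or a keyed MAC rather than a bare hash sitting next to the file.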

1105
Q

Attackers can exploit which of the following flaws to access user accounts, view sensitive files, or use unauthorized functions?

a. Broken access control
b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws

A

A. When restrictions on what authenticated users are allowed to do are not properly enforced, it leads to broken access control vulnerability in Web applications. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.
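Added example (not part of the deck): the two shapes of broken access control named in the question, reaching another user's record and calling a function reserved for a higher role, in Python. The users, documents, role names and handler names are constructed for illustration. The broken handlers only confirm that the caller is logged in; the fixed handlers also check ownership and role, and return the same error for "does not exist" and "not yours" so the response does not reveal which identifiers are valid.

```python
# Constructed in-memory store for the example (not from the deck).
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}


class Forbidden(Exception):
    pass


def _require_login(session_user: str) -> None:
    if session_user not in USERS:
        raise Forbidden("not authenticated")


def get_document_broken(session_user: str, doc_id: int) -> str:
    """Authenticated, but never checks that session_user owns doc_id: any
    logged-in user can walk the id space (insecure direct object reference)."""
    _require_login(session_user)
    return DOCUMENTS[doc_id]["body"]


def delete_document_broken(docs: dict, session_user: str, doc_id: int) -> None:
    """Meant for administrators, but the caller's role is never checked."""
    _require_login(session_user)
    docs.pop(doc_id, None)


def get_document(session_user: str, doc_id: int) -> str:
    """Enforces the restriction: a user reads only documents they own."""
    _require_login(session_user)
    doc = DOCUMENTS.get(doc_id)
    # One error for "missing" and "not yours", so probing ids learns nothing.
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("no such document")
    return doc["body"]


def delete_document(docs: dict, session_user: str, doc_id: int) -> None:
    """Enforces the restriction: only the admin role may delete."""
    _require_login(session_user)
    if USERS[session_user]["role"] != "admin":
        raise Forbidden("admin only")
    docs.pop(doc_id, None)


if __name__ == "__main__":
    print("broken:", get_document_broken("alice", 102))  # alice reads bob's record
    try:
        get_document("alice", 102)
    except Forbidden as exc:
        print("fixed:", exc)
```

The authorization checks sit inside the handlers rather than in the menu or the client, because the attacker does not use the menu; a hidden link or a disabled button is not an access control.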

1106
Q

Both black-box and white-box testing are performed during which of the following?

a. Unit testing
b. Integration testing
c. System testing
d. Acceptance testing

A

a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is
satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software
requirements for test coverage, i.e., how much of the program has been executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, that is, black box and white box. Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other with the assumption that the units
and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware. System testing is incorrect because it comes after completion of the
integration tests. It tests the completely integrated system and validates
that the software meets its requirements.
Acceptance testing is incorrect because it comes after completion of
system tests. It is testing of user requirements in an operational
mode conducted by end users and computer operations staff.

1107
Q

If manual controls over program changes were weak, which of the following would be effective?

a. Automated controls
b. Written policies
c. Written procedures
d. Written standards

A

a. In general, automated controls compensate for the weaknesses in
or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in strengthening controls by moving programs from production to test
libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and
automated environments.

1108
Q

Which of the following defines a management’s formal acceptance of the adequacy of an application system’s security?

a. System certification
b. Security certification
c. System accreditation
d. Security accreditation

A

c. System accreditation is management’s formal acceptance of the adequacy of an application system’s security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement. System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements. Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications. Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls. A system certification is conducted first and system accreditation is next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.

1109
Q

Which of the following is a nonresident virus?

a. Master boot sector virus
b. File infector virus
c. Macro virus
d. Boot-sector infector

A

c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not on disks.

1110
Q

Backdoors are which of the following?

a. They are entry points into a computer program.
b. They are choke points into a computer program.
c. They are halt points into a computer program.
d. They are exit points into a computer program.

A

a. Programmers frequently create entry points (backdoors) into a program for debugging purposes and/or insertion of new program codes at a later date. The other three choices do not apply here because they do not deal with entry points.

1111
Q

From a risk analysis viewpoint, what does the major vulnerable area in a computer application system include?

a. Internal computer processing
b. System inputs and outputs
c. Telecommunications and networks
d. External computer processing

A

b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.

1112
Q

Which of the following is most likely to be tampered with or manipulated?

a. Configuration file
b. Password file
c. Log file
d. System file

A

c. A log file is most likely to be tampered with (manipulated), either by insiders or outsiders, because it contains records of unsuccessful login attempts or system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.

1113
Q

Which of the following software assurance processes is responsible for ensuring that any changes to software outputs during the system development process are made in a controlled and complete manner?

a. Software configuration management processes
b. Software project management processes
c. Software quality assurance processes
d. Software verification and validation processes

A

a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner. The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high-level policy for quality, and it cites policies and regulations. The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes. The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with the processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other system components.

1114
Q

What is the major purpose of configuration management?

a. To reduce risks from system insertions
b. To reduce risks from system installations
c. To reduce risks from modifications
d. To minimize the effects of negative changes

A

d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a negative effect and the former leads to a positive effect.

1115
Q

The primary implementation of the configuration management process is performed in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Acquisition/development
c. Implementation
d. Operation/maintenance

A

d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC. The other phases are too early for this process to take place.

1116
Q

Which of the following phases of the security certification and accreditation process primarily deals with configuration management?

a. Initiation
b. Security certification
c. Security accreditation
d. Continuous monitoring

A

d. The fourth phase of the security certification and accreditation process, continuous monitoring, primarily deals with configuration management. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and of maintaining the security accreditation.

1117
Q

Constant monitoring of an information system is performed with which of the following?

  1. Risk management
  2. Security certification
  3. Security accreditation
  4. Configuration management processes

a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

d. Constant monitoring of a system is performed to identify possible risks to the system so that these can be addressed through the risk management, security certification and accreditation, and configuration management processes.

1118
Q

Which of the following are not the responsibilities of the configuration control review board?

  1. Discussing change requests
  2. Conducting impact analysis of changes
  3. Requesting funding to implement changes
  4. Notifying users of system changes

a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

c. Conducting impact analysis of changes and notifying users of system changes are the responsibilities of the configuration manager, whereas discussing change requests and requesting funding to implement changes are the responsibilities of the configuration control review board.

1119
Q

An impact analysis of changes is conducted in which of the following configuration management process steps?

a. Identify changes.
b. Evaluate change request.
c. Implement decisions.
d. Implement approved change requests.

A

b. After initiating a change request, the effects that the change may have on a specific system or other interrelated systems must be evaluated. An impact analysis of the change is conducted in the “evaluate change request” step. Evaluation is the end result of identifying changes, deciding what changes to approve and how to implement them, and actually implementing the approved changes.

1120
Q

Additional testing or analysis may be needed in which of the following operational decision choices of the configuration management process?

a. Approve
b. Implement
c. Deny
d. Defer

A

d. In the “defer” choice, an immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later. On the other hand, the approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.

1121
Q

During the initiation phase of a system development life cycle (SDLC) process, which of the following tasks is not typically performed?

a. Preliminary risk assessment
b. Preliminary system security plans
c. High-level security test plans
d. High-level security system architecture

A

c. A security test plan, whether high level or low level, is developed in the development/acquisition phase. The other three choices are performed in the initiation phase.

1122
Q

Security controls are designed and implemented in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Disposal

A

b. Security controls are developed, designed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.

1123
Q

Product acquisition and integration costs are determined in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Disposal

A

b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.

1124
Q

System users must perform which of the following when new security controls are added to an existing application system?

a. Unit testing
b. Subsystem testing
c. Full system testing
d. Acceptance testing

A

d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.

1125
Q

A formal authorization to operate an information system is obtained in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Disposal

A

c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.

1126
Q

Which of the following gives assurance as part of a system’s security and functional requirements defined for an information system?

a. Access controls
b. Background checks for system developers
c. Awareness
d. Training

A

b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).

1127
Q

Periodic reaccreditation of a system is done in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in the operation phase.

1128
Q

Which of the following tests is driven by system requirements?

a. Black-box testing
b. White-box testing
c. Gray-box testing
d. Integration testing

A

a. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Gray-box testing can be looked at as anything that is not tested in white-box or black-box testing. Integration testing is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.

1129
Q

System integration is performed in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.

1130
Q

Formal risk assessment is conducted in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

b. Formal risk assessment is conducted in the development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.

1131
Q

Which of the following system development life cycle (SDLC) phases establishes an initial baseline of hardware, software, and firmware components for the information system?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.

1132
Q

Controlling and maintaining an accurate inventory of any changes to an information system is possible due to which of the following?

a. Configuration management and controls
b. Continuous monitoring
c. Security certification
d. Security accreditation

A

a. Configuration management and controls, which are part of the system operation and maintenance phase, deal with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of the system implementation phase, whereas continuous monitoring is part of the operation and maintenance phase.

1133
Q

Which of the following does not facilitate self-assessments or independent security audits of an information system?

a. Internal control reviews
b. Penetration testing
c. Developing security controls
d. Security checklists

A

c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.

1134
Q

In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following optimizes the organization’s system needs within budget constraints?

a. Fit-gap analysis
b. Risk analysis
c. Investment analysis
d. Sensitivity analysis

A

c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization’s system needs within budget constraints. Fit-gap analysis identifies the differences between what is required and what is available, or how two things fit or how much gap there is between them. Risk analysis determines the amount of risk, and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.

1135
Q

In the preliminary risk assessment task of the system development life cycle (SDLC) initiation phase, integrity needs from a user’s or owner’s perspective are defined in terms of which of the following?

a. Place of data
b. Timeliness of data
c. Form of data
d. Quality of data

A

d. Integrity can be examined from several perspectives. From a user’s or application owner’s perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.

1136
Q

An in-depth study of the needs-determination for a new system under development is conducted in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

b. The requirements analysis task of the development phase of the SDLC is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high level of functionality in the initiation phase.

1137
Q

Which of the following should be conducted before the approval of system design specifications of a new system under development?

a. Enterprise security architecture
b. Interconnected systems
c. Formal risk assessment
d. System security specifications

A

c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.

1138
Q

Which of the following is often overlooked when determining the cost of a new system’s acquisition or development?

a. Hardware
b. Software
c. Training
d. Security

A

d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.

1139
Q

Which of the following is required when an organization uncovers deficiencies in the security controls employed to protect an information system?

a. Develop preventive security controls.
b. Develop a plan of action and milestones.
c. Develop detective security controls.
d. Modify ineffective security controls.

A

b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.

1140
Q

The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. Statement of work development
b. Configuration management plan
c. Contingency plan
d. Incident response plan

A

a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.

1141
Q

In establishing a secure network, which of the following reflects the greatest need for restricting access via secure location?

a. Transaction files
b. Configuration files
c. Work files
d. Temporary files

A

b. Configuration files, system files, or files with sensitive information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don’t need to be retained after their use is completed.

1142
Q

Which of the following occurs after delivery and installation of a new information system under acquisition?

a. Unit testing
b. Subsystem testing
c. Full system testing
d. Integration and acceptance testing

A

d. Integration and acceptance testing occurs after delivery and installation of the new information system. Unit, subsystem, and full system testing are not conducted for an acquired system but for an in-house developed system. Integration and acceptance testing is conducted for an acquired system.

1142
Q

Which of the following should be done prior to final system deployment for operation?

a. Conduct a security certification process.
b. Describe the known vulnerabilities in the system.
c. Establish control verification techniques to provide confidence.
d. Document the safeguards that are in place to protect the system.

A

a. Prior to final system deployment, a security certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security certification process.

1143
Q

The security accreditation decision reflects which of the following?

a. Test-based decision
b. Risk-based decision
c. Evaluation-based decision
d. Results-based decision

A

b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.

1144
Q

Which of the following are the two key information security steps of the operation phase within the system development life cycle (SDLC)?

  1. Information preservation
  2. Security accreditation
  3. Configuration management and control
  4. Continuous monitoring

a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4

A

d. Managing and controlling the configuration of the system and providing for a process of continuous monitoring are the two key information security steps of the operation/maintenance phase of an SDLC. Information preservation is an activity of the disposal phase, whereas security accreditation is an activity of the implementation phase of an SDLC.

1145
Q

Which of the following are ways to accomplish ongoing monitoring of security control effectiveness?

  1. Security reviews
  2. Self-assessments
  3. Security test and evaluation
  4. Independent security audits

a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 1, 2, 3, and 4

A

d. The ongoing monitoring of security control effectiveness can be accomplished in a variety of ways, including security reviews, self-assessments, security test and evaluation, and independent security audits.

1146
Q

Which of the following is a good definition of security control monitoring?

a. Verifying the continued effectiveness of security controls over time
b. Verifying the continued efficiency of security controls over time
c. Verifying the development effectiveness of security controls over time
d. Verifying the planning effectiveness of security controls over time

A

a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security control monitoring means verifying the continued effectiveness of those controls over time.

1147
Q

Which of the following statements is not true about a system development life cycle (SDLC) process?

a. Systems undergo improvements in technology.
b. Security plans evolve with the follow-on system.
c. There is a definitive end to an SDLC.
d. Many of the previous operational controls are relevant to the follow-on system.

A

c. Usually, there is no definitive end to an SDLC process because the system can become a legacy system for a long time or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system. Many of the management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.

1148
Q

If there is a doubt as to whether sensitive information remains on a system, which of the following should be consulted before disposing of the system?

a. Information system owner
b. Information system security officer
c. Information owner
d. Certification and accreditation officer

A

b. Some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The other parties mentioned do not have a technical focus but instead have a business focus.

1149
Q

Which of the following is similar to security certification and accreditation?

a. Quality assurance
b. Quality control
c. Operational control
d. Management control

A

b. Quality control is similar to security certification and accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to-day procedures.

1150
Q

Which of the following are essential components of the security certification and accreditation process?

  1. Risk assessment
  2. Security requirements
  3. Security plans
  4. Security controls

a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4

A

b. Both risk assessment and security plans are essential components of the security certification and accreditation process. These two components accurately reflect the security requirements and security controls through the system development life cycle (SDLC) methodology. Security requirements and security controls (planned or designed) drive the risk assessment process and security plans.

1151
Q

By accrediting an information system, an organization’s management official does which of the following?

a. Avoids the risks
b. Limits the risks
c. Accepts the risks
d. Transfers the risks

A

c. By accrediting an information system, an organization’s management official accepts the risks associated with operating the system and the associated security implications to the organization’s operations, assets, or individuals.

1152
Q

Information system assurance is achieved through which of the following?

  1. Understanding of the threat environment
  2. Evaluation of system requirements sets
  3. Knowledge of hardware and software engineering principles
  4. Availability of product and system evaluation results

a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

d. System assurance is the grounds for confidence that a system meets its security expectations. Good understanding of the threat environment, evaluation of system requirements sets, knowledge of hardware and software engineering principles, and the availability of product and system evaluation results are required for system assurance.

1153
Q

What should be in place prior to the security certification and accreditation process?

a. The security plan is analyzed.
b. The security plan is updated.
c. The security plan is accepted.
d. The security plan is developed.

A

d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must have been developed and in place.

1154
Q

Which of the following levels of the software capability maturity model (CMM) is the most basic in establishing discipline and control in the software development process?

a. Initial level
b. Defined level
c. Repeatable level
d. Managed level

A

c. The Software Engineering Institute (SEI) is a nationally recognized, federally funded research and development center established in the United States to address software development issues. It developed a process maturity framework that would help organizations improve their software development process. In general, the CMM serves as an indicator of the likely range of cost, schedule, and quality results to be achieved by system development projects within an organization. In the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. The other three choices are not applicable because the correct answer is based on the definition of CMM levels.

1155
Q

An unauthorized user has successfully accessed a computer-based application system. Which of the following preventive controls has failed to work?

a. Compatibility tests
b. Validity checks
c. Security label checks
d. Confidentiality tests

A

a. As a part of preventive controls, compatibility tests are used to determine whether an acceptable user is allowed to proceed in the system. This test focuses on passwords, access rules, and system privileges. A validity check is incorrect because it tests for the accuracy of codes such as state, tax rates, and vendor number. A security label check is incorrect because it tests for the specific designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. A confidentiality test is incorrect because it ensures that data is disclosed only to authorized individuals.

1156
Q

In a distributed computing environment, replicated servers could have a negative impact on which of the following?

a. Fault-tolerant mechanisms
b. Availability
c. Scalability
d. Recoverability

A

c. Just as replication complicates concurrency control, it can affect scalability. The major concern in scalability is determining the effect of increased scale on client performance. Additional storage sites increase the amount of work servers must do to maintain a consistent state of the file system. Similarly, clients in a replicated file system may have more work to do when they make file updates. For this reason, both clients and servers share portions of system management work. Fault-tolerant mechanisms, availability, and recoverability are incorrect. Replicated servers have a positive impact on system availability and recoverability. If the primary server fails, the replicated server takes over, thus making the system available to system users. Recovery protocols help both servers and clients recover from system failures. Fault-tolerant mechanisms such as disk mirroring and disk duplexing help in recovering from a system failure. They all have a positive effect.

1157
Q

Which of the following statements about expert systems is not true?

a. Expert systems are aimed at solving problems using an algorithmic approach.
b. Expert systems are aimed at solving problems that are characterized by irregular structure.
c. Expert systems are aimed at solving problems characterized by incomplete information.
d. Expert systems are aimed at solving problems characterized by considerable complexity.

A

a. Expert systems are aimed at problems that cannot always be solved using a purely algorithmic approach. These problems are often characterized by irregular structure, incomplete or uncertain information, and considerable complexity.

1158
Q

In the context of expert systems, a heuristic is not a:

a. Rule of thumb
b. Known fact
c. Known procedure
d. Guaranteed procedure

A

d. A heuristic is a rule of thumb, a known fact, or even a known procedure that can be used to solve some problems, but it is not guaranteed to do so. It may fail. Heuristics can be conveniently regarded as simplifications of comprehensive formal descriptions of real-world systems. These heuristics are acquired through learning and experience.

1159
Q

The architecture of an expert system does not include which one of the following?

a. Knowledge base
b. Computing environment
c. Inference engine
d. End user interface

A

b. The computing environment consists of hardware, programming languages, editors and compilers, file management facilities, browsing program code, debugging and tracing program execution, and graphic programming. This computing environment is outside the expert systems architecture because it can change from one organization to another. On the other hand, knowledge base, inference engine, and end user interface are integral parts of expert systems architecture. Knowledge is stored in the knowledge base using symbols and data structures to stand for important concepts. The symbols and data structures are said to represent knowledge. A software module called the inference engine executes inference procedures. If the user of the expert system is a person, communications with the end user are handled via an end user interface.

1160
Q

Expert systems differ from conventional systems in all the following except:

a. Expert system knowledge is represented declaratively.
b. Expert system computations are performed through symbolic reasoning.
c. Expert system knowledge is combined into program control.
d. Expert systems can explain their own actions.

A

c. Expert system programs differ from conventional systems in four important ways. First, knowledge is separated from program control; the knowledge base and inference engine are separate. Second, knowledge is represented declaratively. Third, expert systems perform computation through symbolic reasoning. And finally, expert systems can explain their own actions.

1161
Q

Which of the following categories of problem-solving activity is best suited to expert systems?

a. Tasks based on a limited domain
b. Tasks based on common sense knowledge
c. Tasks requiring perceptual knowledge
d. Tasks based on creativity

A

a. The size of completed expert systems is often large, consisting of hundreds or thousands of rules. If the task is too broad, the development effort may take an inordinate amount of time, or even be impossible. Two important guidelines for evaluating the scope and size of the problem are that the task must be narrowly focused and that the task should be decomposable. In other words, expert system tasks should be based on a limited domain. The other three choices are areas to avoid for expert system methods. These include (i) tasks based on common sense, (ii) tasks requiring perceptual (seeing or touching) knowledge, and (iii) tasks requiring creativity. People, not expert systems, are creative.

1162
Q

Which of the following statements is not true about artificial neural networks (ANNs)?

a. The intention of ANNs is to replicate the workings of the human brain.
b. The goal of ANNs is to develop computers that can learn from experience.
c. ANNs have a capacity to generalize.
d. ANNs complement the existing design of computers.

A

a. The intention is not to replicate the workings of the human brain but to use a simple model to see if some of the strengths of the human brain can be shown by computers based on that model. An important goal is to develop computers that can learn from experience. In the process of learning from experience, ANNs show a capacity to generalize; that is, they recognize a new problem as being “close” to one they know and offer the same solution. ANNs are not meant to replace or supersede the existing design of computers. They are meant to complement them.

1163
Q

Which of the following tasks must be performed before placing an information system into production operation?

  1. Analyze functional requirements.
  2. Analyze assurance requirements.
  3. Conduct system design reviews.
  4. Perform system tests.

a. 1 and 2
b. 2 and 3
c. 2 and 4
d. 3 and 4

A

d. System design reviews and system tests should be performed in the implementation phase before placing the system into production operation to ensure that it meets all required security specifications. The results of the design reviews or system tests should be fully documented, updating as new reviews or tests are performed. Analysis of functional requirements and assurance requirements is done in the development/acquisition phase, which is prior to the implementation phase.

1163
Q

Defining roles and responsibilities is important in identifying infected hosts with malware incidents. Which of the following groups can assist with host scans?

a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators

A

a. Organizations should identify which individuals or groups can assist in infection identification efforts. Security administrators are good at analyzing host scans along with antivirus software, intrusion prevention system (IPS) software, firewalls, and vulnerability assessment results.

1163
Q

System performance is monitored in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance

A

d. During the operation/maintenance phase, the organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements and that all needed system modifications are incorporated into the system. Monitoring is done in the operation/maintenance phase of the SDLC because all the development work is completed, and the system should start delivering results. During the implementation phase, the system is tested and employees are trained, but the system is not yet in production; monitoring of system performance belongs to the operation/maintenance phase.

1164
Q

In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following is a significant cost driver?

a. Performance requirements
b. Assurance requirements
c. Supportability requirements
d. Functional requirements

A

b. System assurance is the grounds for confidence that the set of intended security controls in an information system is effective in its application. Information security needs should address the appropriate level of assurance because this is a significant cost driver. The higher the assurance level required, the higher the cost, and vice versa. Usually, investment analysis is structured to translate system needs and mission into high-level performance, assurance, functional, and supportability requirements. However, the assurance requirements are the significant cost driver because they integrate all the other requirements at the highest level.

1165
Q

The security-planning document created in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. Security awareness and training plan
b. Contracting plans and processes
c. Rules of behavior
d. Risk assessment

A

b. The development and execution of necessary contracting plans and processes are a part of other planning components in the development/acquisition phase of an SDLC. The other three choices are part of the security-planning document.

1166
Q

The security accreditation decision does not exclusively depend on which of the following?

a. Verified effectiveness of security controls
b. Completed security plan
c. Security test and evaluation results
d. Plan of actions and milestones

A

c. The authorizing official in charge of the security accreditation process relies primarily on the other three choices, but not exclusively on the security test and evaluation results produced during the security control verification process. The authorizing official pays more attention to the other three choices because of their significance.

1167
Q

Which of the following must be done when there is a significant change addressed in the configuration management process?

  1. System certification
  2. System accreditation
  3. System recertification
  4. System reaccreditation

a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

c. If there is a significant change addressed in the configuration management process, then the system must be recertified and reaccredited. System certification and system accreditation are done when a new system is installed and implemented, prior to any changes.

1168
Q

Configuration management change control and auditing takes place in which of the following system development life cycle (SDLC) phases?

a. Initiation
b. Acquisition/development
c. Implementation
d. Operation/maintenance

A

d. Configuration management change control and auditing takes place in the operation/maintenance phase of the SDLC. The phases in the other three choices are too early for this activity to take place.

1169
Q

Security impact analyses are performed in which of the following configuration management processes?

a. Baseline configuration
b. Configuration change control
c. Monitoring configuration changes
d. Configuration settings

A

c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.

1170
Q

Application partitioning is achieved through which of the following?

  1. User functionality is separated from information storage services.
  2. User functionality is separated from information management services.
  3. Both physical and logical separation techniques are employed.
  4. Different computers and operating systems are used to accomplish separation.

a. 1 and 2
b. 3 only
c. 1, 2, and 3
d. 1, 2, 3, and 4

A

d. The information system physically or logically separates the user functionality (including user interface services) from information storage and management services (for example, database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or a combination of these methods.

1171
Q

Reconciliation routines in application systems are a part of which of the following?

a. Authorization controls
b. Integrity or validation controls
c. Access controls
d. Audit trail mechanisms

A

b. Integrity or validation controls, which are a part of technical control, include reconciliation routines in application systems. Authorization and access controls, which are a part of technical control, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.

1172
Q

Which of the following is the most effective approach in identifying infected hosts with malware incidents and in striking a balance between speed, accuracy, and timeliness?

a. Forensic identification
b. Active identification
c. Manual identification
d. Multiple identifications

A

d. Malware is malicious software and malicious code. In many cases, it is most effective to use multiple identification approaches simultaneously or in sequence to provide the best results for striking a balance between speed, accuracy, and timeliness. Multiple identifications include cases where a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts (for example, DoS and DDoS attacks). Forensic identification is effective when data is recent, although the data might not be comprehensive. Active identification produces the most accurate results, although it is often not the fastest way of identifying infections because it scans every host in an organization. Manual identification is not feasible for comprehensive enterprise-wide identification, but it is a necessary part of identification when other methods are not available, and it can fill in gaps when other methods are insufficient.

1173
Q

Traditionally, which of the following malware attacker tools is the hardest to detect?

a. Backdoors
b. Rootkits
c. Keystroke loggers
d. Tracking cookies

A

b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.

1174
Q

Which of the following virus obfuscation techniques is difficult for antivirus software to overcome?

a. Self-encryption
b. Polymorphism
c. Metamorphism
d. Stealth

A

c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption in which the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth is incorrect because a stealth virus uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.

1175
Q

The goal of which of the following virus obfuscation techniques is to prevent analyzing the virus’s functions through disassembly?

a. Armoring
b. Tunneling
c. Self-decryption
d. Metamorphism

A

a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus’s functions through disassembly (i.e., reverse engineering technique), traces, and other means. Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software. Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.

1176
Q

Worms do which of the following?

  1. Waste system resources
  2. Waste network resources
  3. Install backdoors
  4. Perform distributed denial-of-service attacks

a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 1, 2, 3, and 4

A

d. Although some worms are intended mainly to waste system and network resources, many worms damage systems by installing backdoors, performing distributed denial-of-service (DDoS) attacks against other hosts, or performing other malicious acts.

1176
Q

Blended attacks use which of the following?

  1. Multiple infection methods
  2. Multiple transmission methods
  3. Multiple transmission methods simultaneously
  4. Multiple infection methods in sequence

a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

A

d. A blended attack is an instance of malware that uses multiple infection or transmission methods. Blended attacks can spread through such services as instant messaging and peer-to-peer (P2P) file sharing. Blended attacks do not have to use multiple methods simultaneously to spread; they can also perform multiple infections in sequence.

1177
Q

Which of the following statements are true about malicious mobile code?

  1. It does not infect files.
  2. It does not attempt to propagate itself.
  3. It takes advantage of the default privileges.
  4. It uses languages such as Java and ActiveX.

a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A

d. Malicious mobile code differs significantly from viruses and worms in that it does not infect files or attempt to propagate itself. Instead of exploiting particular vulnerabilities, it often affects systems by taking advantage of the default privileges granted to mobile code. It uses popular languages such as Java, ActiveX, JavaScript, and VBScript. Although mobile code is typically benign, attackers have learned that malicious code can be an effective way of attacking systems, as well as a good mechanism for transmitting viruses, worms, and Trojan horses to users’ workstations.

1178
Q

Backdoors listen for commands on which of the following?

  1. Source port
  2. Destination port
  3. TCP port
  4. UDP port

a. 1 only
b. 2 only
c. 1 or 2
d. 3 or 4

A

d. Backdoor is a general term for a malicious program that listens for commands on a certain TCP or UDP port. Most backdoors consist of a client component and a server component. The client resides on the intruder’s remote computer, and the server resides on the infected system. When a connection between client and server is established, the remote intruder has some degree of control over the infected computer. Both source port and destination port are incorrect because they are too generic to be of any use here.

1179
Q

A proactive role to protect an organization from computer-related failures, malfunctions, or disasters is to:

a. Train every employee in the emergency procedures.
b. Conduct fire drills regularly every month.
c. Train all IT staff in file rotation procedures.
d. Incorporate recovery requirements into system design.

A

d. Incorporation of recovery requirements into system design can provide automatic backup and recovery procedures. This helps to prepare for disasters in a timely manner. Training every employee in emergency procedures is incorrect because it does not guarantee that they can respond to a disaster in an optimal manner when needed. Conducting fire drills regularly every month is incorrect because the scope of a fire drill may not address all possible scenarios. Disaster recovery goes beyond fire drills, although the fire drill is a good practice. Training all IT staff in file rotation procedures is incorrect because only key people need to be trained.

1180
Q

Rootkits are often used to install which of the following attacker tools?

  1. Web browser plug-ins
  2. E-mail generators
  3. Backdoors
  4. Keystroke loggers

a. 1 only
b. 2 only
c. 3 only
d. 3 and 4

A

d. A rootkit is a collection of files installed on a system to alter the standard functionality of the system in a malicious and stealthy way. Rootkits are often used to install attacker tools such as backdoors and keystroke loggers on a system. A Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser. Attackers sometimes create malicious plug-ins that act as spyware. An example is the spyware dialer, which uses modem lines to dial phone numbers without the user’s permission or knowledge. Some dialers are in forms other than Web browser plug-ins, such as Trojan horses. Malware can deliver an e-mail-generating program to a system, which can be used to create and send large quantities of e-mail to other systems without the user’s permission or knowledge. Attackers often configure e-mail generators to send malware, spyware, spam, or other unwanted content to e-mail addresses on a predetermined list.

1181
Q

Which of the following are non-malware threats?

  1. Viruses
  2. Worms
  3. Phishing
  4. Virus hoaxes

a. 1 and 2
b. 2 and 3
c. 1 and 3
d. 3 and 4

A

d. There are two forms of non-malware threats that are often associated with malware. The first is phishing attacks, which frequently place malware or other attacker tools onto systems. The second is virus hoaxes, which are false warnings of new malware threats. Viruses and worms are true forms of malware threats.

1182
Q

Which of the following application settings used to prevent malware incidents will not stop phishing and spyware delivery?

a. Filtering spam
b. Filtering website content
c. Restricting macro use
d. Blocking Web browser pop-up windows

A

c. Applications such as word processors and spreadsheets often contain macro languages; macro viruses take advantage of this. Most common applications with macro capabilities offer macro security features that permit macros only from trusted locations or prompt the user to approve or reject each attempt to run a macro. Restricting macro use cannot stop phishing and spyware delivery. Filtering spam is incorrect because spam is often used for phishing and spyware delivery (for example, Web bugs often are contained within spam), and it sometimes contains other types of malware. Using spam filtering software on e-mail servers or clients or on network-based appliances can significantly reduce the amount of spam that reaches users, leading to a corresponding decline in spam-triggered malware incidents. Filtering website content is incorrect because website content-filtering software contains lists of phishing websites and other sites that are known to be hostile (i.e., attempting to distribute malware to visitors). The software can also block undesired file types, such as by file extension. Blocking Web browser pop-up windows is incorrect because some pop-up windows are crafted to look like legitimate system message boxes or websites and can trick users into going to phony websites, including sites used for phishing, or authorizing changes to their systems, among other malicious actions. Most Web browsers can block pop-up windows; others can do so by adding a third-party pop-up blocker to the Web browser.

1182
Q

Which of the following is not an example of a vulnerability mitigation technique for malware?

a. Patch management
b. Antivirus software
c. Least privilege
d. Host hardening measures

A

b. Antivirus software is an example of a threat mitigation technique for malware. Antivirus software, spyware detection and removal utility software, intrusion prevention systems, firewalls and routers, and application settings are security tools that can mitigate malware threats. Malware often attacks systems by exploiting vulnerabilities in operating systems, services, and applications. Vulnerabilities can usually be mitigated by patch management, least privilege, and host hardening measures.

1183
Q

Which of the following is not a secondary source for malware incident detection?

a. Antivirus software
b. Firewall log files
c. Network-based IPS sensors
d. Capture files from packet sniffers

A

a. Antivirus software is the primary source of data for malware incident detection. Examples of secondary sources include (i) firewall and router log files, which might show blocked connection attempts, (ii) log files from e-mail servers and network-based IPS sensors, which might record e-mail headers or attachment names, and (iii) packet capture files from packet sniffers, network-based IPS sensors, and network forensic analysis tools, which might contain a recording of malware-related network traffic. Host-based IPS is also a secondary source.

1184
Q

In the application security environment, system or network transparency is achieved through which of the following security principles?

a. Process isolation and hardware segmentation
b. Abstraction and accountability
c. Security kernel and reference monitor
d. Complete mediation and open design

A

a. Transparency is the ability to simplify the task of developing management applications by hiding distribution details. There are different aspects of transparency, such as access, failure, location, migration, replication, and transaction. Transparency means the network components or segments cannot be seen by insiders and outsiders, and that actions of one user group cannot be observed by other user groups. Transparency is achieved through process isolation and hardware segmentation principles.

The principle of process isolation or separation is employed to preserve the object’s wholeness and the subject’s adherence to a code of behavior. It is necessary to prevent objects from colliding or interfering with one another and to prevent actions of active agents (subjects) from interfering or colluding with one another. The principle of hardware segmentation provides hardware transparency when hardware is designed in a modular fashion and yet interconnected. A failure in one module should not affect the operation of other modules. Similarly, a module attacked by an intruder should not compromise the entire system. System architecture should be arranged so that vulnerable networks or network segments can be quickly isolated or taken offline in the event of an attack. Examples of hardware that need to be segmented include network switches, physical circuits, and power supply equipment.

The abstraction principle is related to stepwise refinement and modularity of programs. As the software design evolves, each level of module in a program structure represents a refinement in the level of software abstraction. Abstraction is presented in levels, where a problem is defined and a solution is stated in broad terms at the highest level of abstraction (during requirements and analysis phases) and where source code is generated at the lowest levels of abstraction (during the programming phase). The accountability principle holds an individual responsible for his actions. From this principle, requirements are derived to uniquely identify and authenticate the individual, to authorize his actions within the system, to establish a historical track record or account of these actions and their effects, and to monitor or audit this historical account for deviations from the specified code of action.

The security kernel principle is the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The principle of a reference monitor is the primary abstraction enabling an orderly evaluation of a standalone computer system with respect to its abilities to enforce both mandatory and discretionary access controls.

The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control during all functional phases (for example, normal operation and maintenance). Also stressed are reliable identification of access request sources and reliable maintenance of changes in authority. The principle of open design stresses that design secrecy or reliance on user ignorance is not a sound basis for secure systems. Open design enables open debate and inspection of the strengths, or origins of a lack of strength, of that particular design. Secrecy can be implemented through the use of passwords and cryptographic keys, instead of secrecy in design.

1185
Q

Which of the following is better for training IT staff in malware incident handling?

a. Use an isolated test system.
b. Use an infected production system.
c. Keep the test system and the production system physically separate.
d. Keep the test system and the production system logically separate.

A

a. Malware test systems and environments are helpful not only for analyzing current malware threats without the risk of inadvertently causing additional damage to the organization, but also for training staff in malware incident handling. An infected production system or a disk image of an infected production system could also be placed into an isolated test environment. Physical separation may not be possible at all times, although logical separation might be possible. Both physical and logical separation are important but not as important as using an isolated test system.