CISSP-P3 Flashcards

1
Q
  Regarding media sanitization, which of the following is the
    correct order for fully and physically destroying hand-held
    devices, such as cell phones?
  1. Incinerate
  2. Disintegrate
  3. Pulverize
  4. Shred

a. 3, 2, 1, and 4
b. 4, 2, 3, and 1
c. 1, 4, 3, and 2
d. 1, 2, 4, and 3

A
  b. The correct order for fully and physically destroying hand-held
    devices such as cell phones is shred, disintegrate, pulverize, and
    incinerate. This is the recommended practice for both public and
    private sector organizations.
    Shredding is a method of sanitizing media and is the act of cutting or
    tearing into small particles. Shredding comes first because it makes
    the cell phone inoperable quickly. Disintegration is a method of
    sanitizing media and is the act of separating the equipment into
    component parts. Disintegration cannot be the first step because a
    determined attacker could reassemble the parts and make the cell
    phone work again. Pulverization is a method of sanitizing media and is
    the act of grinding to a powder or dust. Incineration is a method of
    sanitizing media and is the act of burning completely to ashes in a
    licensed incinerator. Note that one does not need to complete all these
    methods: the process can stop after whichever method reaches the
    required level of destruction, based on the sensitivity and
    criticality of the data on the device.
2
Q
  Which of the following detects unauthorized changes to software
    and information for commercial off-the-shelf integrity
    mechanisms?
  1. Tamper-evident system components
  2. Parity checks
  3. Cyclical redundancy checks
  4. Cryptographic hashes

a. 2 only
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

A
  d. Organizations employ integrity verification mechanisms to look
    for evidence of tampering, errors, and omissions. Software engineering
    techniques such as parity checks, cyclical redundancy checks, and
    cryptographic hashes are applied to the information system. In
    addition, tamper-evident system components are required when
    components ship from software vendors to operational sites, and during
    their operation. Note the difference in strength: parity checks and
    cyclical redundancy checks detect accidental corruption, but an attacker
    who can modify the data can simply recompute them, so detecting
    deliberate tampering requires a cryptographic hash whose reference
    value is itself protected (for example, signed or stored out of band).
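To make the difference between the four mechanisms concrete, here is an added example (not from the original flashcards) that runs each check against a constructed sample payload under three conditions: an accidental one-bit error, an accidental two-bit error, and a deliberate edit where the attacker recomputes the shipped check value. The payload, the key and the function names are assumptions for illustration; only the Python standard library is used.

```python
"""Integrity mechanisms compared: parity, CRC-32, SHA-256 and a keyed HMAC.

Added example (not from the original flashcards). SAMPLE_IMAGE is a
constructed stand-in for a COTS software package; the key is an assumed
value. Python standard library only.
"""
import hashlib
import hmac
import zlib

SAMPLE_IMAGE = b"COTS-component v1.2.3: config=prod; feature_flags=0x1f"


def parity_bit(data: bytes) -> int:
    """Even parity over the whole byte string: one bit of redundancy."""
    return sum(bin(b).count("1") for b in data) & 1


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE 802.3 polynomial) as used by zip and PNG."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_bits(data: bytes, bit_positions) -> bytes:
    """Copy of data with the given absolute bit positions inverted."""
    buf = bytearray(data)
    for pos in bit_positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def verify_unkeyed(check_fn, data: bytes, shipped_value) -> bool:
    """What a verifier does with an unkeyed check: recompute and compare."""
    return check_fn(data) == shipped_value


def run_comparison(key: bytes = b"assumed-secret-key") -> dict:
    """For each mechanism, True means the modification was detected."""
    one_flip = flip_bits(SAMPLE_IMAGE, [5])           # accidental 1-bit error
    two_flips = flip_bits(SAMPLE_IMAGE, [5, 13])      # accidental 2-bit error
    tampered = SAMPLE_IMAGE.replace(b"config=prod", b"config=evil")

    results = {}
    for name, fn in (("parity", parity_bit), ("crc32", crc32), ("sha256", sha256_hex)):
        reference = fn(SAMPLE_IMAGE)                  # value shipped with the original
        results[name] = {
            "one_bit": not verify_unkeyed(fn, one_flip, reference),
            "two_bits": not verify_unkeyed(fn, two_flips, reference),
            # Deliberate tampering: the attacker edits the payload and ships a
            # freshly computed check value with it, so the verifier's
            # recomputation matches and nothing is detected.
            "tamper_recomputed": not verify_unkeyed(fn, tampered, fn(tampered)),
        }

    # Keyed check: without the key the attacker cannot produce a valid tag
    # for the edited payload, so the only option is to replay the genuine one.
    genuine_tag = hmac_sha256_hex(key, SAMPLE_IMAGE)
    results["hmac_sha256"] = {
        label: not hmac.compare_digest(hmac_sha256_hex(key, data), genuine_tag)
        for label, data in (("one_bit", one_flip), ("two_bits", two_flips),
                            ("tamper_recomputed", tampered))
    }
    return results


if __name__ == "__main__":
    for mechanism, outcome in run_comparison().items():
        print(f"{mechanism:12s} {outcome}")
```

Parity misses the two-bit error (an even number of flips leaves the parity unchanged), CRC-32 and SHA-256 catch both accidental errors, and all three unkeyed checks are silently defeated when the attacker ships a recomputed value. Only the keyed tag survives that case, which is why an unkeyed hash is only useful when its reference value lives somewhere the attacker cannot write, such as a signed manifest or a separate system.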
3
Q
  Effective configuration change controls for hardware, software,
    and firmware include:
  1. Auditing the enforcement actions
  2. Preventing the installation of software without a signed certificate
  3. Enforcing the two-person rule for changes to systems
  4. Limiting the system developer/integrator privileges

a. 1 only
b. 3 only
c. 2 and 4
d. 1, 2, 3, and 4

A
  d. All four items are effective in managing configuration changes to
    hardware, software, and firmware components of a system.
4
Q
  An information system can be protected against denial-of-service (DoS) attacks through:
  1. Network perimeter devices
  2. Increased capacity
  3. Increased bandwidth
  4. Service redundancy

a. 2 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4

A
  d. Network perimeter devices can filter certain types of packets to
    protect devices on an organization’s internal network from being
    directly affected by denial-of-service (DoS) attacks. Employing
    increased capacity and increased bandwidth combined with service
    redundancy may reduce the susceptibility to some types of DoS attacks.
    A side benefit of these measures is improved availability of data.
5
Q
  What is the major purpose of conducting a post-incident analysis
    for a computer security incident?

a. To determine how security threats and vulnerabilities were
addressed
b. To learn how the attack was done
c. To re-create the original attack
d. To execute the response to an attack

A
  a. The major reason for conducting a post-incident analysis is to
    determine whether security weaknesses were properly and effectively
    addressed. Security holes must be plugged to prevent recurrence. The
    other three choices are minor reasons.
6
Q
  Which of the following is an example of a reactive approach to
    software security?

a. Patch-and-patch
b. Penetrate-and-patch
c. Patch-and-penetrate
d. Penetrate-and-penetrate

A
  b. Crackers and hackers attempt to break into computer systems by
    finding flaws in software, and then system administrators apply
    patches sent by vendors to fix the flaws. In this penetrate-and-patch
    scenario, patches are applied after penetration has occurred, which is
    an example of a reactive approach. The patch-and-patch scenario is
    good because one is always patching, which is a proactive approach.
    The patch-and-penetrate scenario is a proactive approach in which
    organizations apply vendor patches in a timely manner. Not much damage
    is done when crackers and hackers penetrate (break into) the computer
    system because all known flaws are fixed; in this scenario, patches are
    applied before penetration occurs. The penetrate-and-penetrate scenario
    is bad because patches are not applied at all or are not effective.
7
Q
  Regarding a patch management program, which of the following
    is an example of a vulnerability?

a. Misconfigurations
b. Rootkits
c. Trojan horses
d. Exploits

A
  a. Misconfiguration vulnerabilities cause a weakness in the security
    of a system. Vulnerabilities can be exploited by a malicious entity to
    violate policies such as gaining greater access or permission than is
    authorized on a computer. Threats are capabilities or methods of attack
    developed by malicious entities to exploit vulnerabilities and
    potentially cause harm to a computer system or network. Threats
    usually take the form of exploit scripts, worms, viruses, rootkits,
    Trojan horses, and other exploits.
8
Q
  An information system initiates session auditing work at system:

a. Restart
b. Shutdown
c. Startup
d. Abort

A
9
Q
  The major reason for retaining older versions of a baseline
    configuration is to support:

a. Roll forward
b. Rollback
c. Restart
d. Restore

A
  b. A rollback is restoring a database from one point in time to an
    earlier point; for configuration management the same idea applies,
    since a retained earlier baseline lets a system be returned to a
    known-good configuration when a change fails or introduces a problem.
    A roll forward is restoring the database from a point in time when it
    is known to be correct to a later time. A restart is the resumption of
    the execution of a computer system using the data recorded at a
    checkpoint. A restore is the process of retrieving a dataset migrated
    to offline storage and restoring it to online storage.
10
Q
  Which of the following updates the applications software and
    the systems software with patches and new versions?

a. Preventive maintenance
b. Component maintenance
c. Hardware maintenance
d. Periodic maintenance

A
  a. The scope of preventive maintenance includes updating
    applications software and systems software with patches and new
    versions, replacing failed hardware components, and more.
    The other three choices are incorrect because they can be a part of
    corrective maintenance (fixing errors) or remedial maintenance (fixing
    faults).
11
Q
  Regarding incident handling, dynamic reconfiguration does not
    include changes to which of the following?

a. Router rules
b. Access control lists
c. Filter rules
d. Software libraries

A
  d. Software libraries are subject to access restrictions for change so
    that changes to them go through the controlled change process rather
    than being made on the fly. Dynamic reconfiguration (i.e., changes
    made on the fly) can include changes to router rules, access control
    lists, intrusion detection and prevention system (IDPS) parameters, and
    filter rules for firewalls and gateways.
12
Q
  Prior to initiating maintenance work by maintenance vendor
    personnel who do not have the needed security clearances and
    access authorization to classified information, adequate controls
    include:
  1. Sanitize all volatile information storage components
  2. Remove all nonvolatile storage media
  3. Physically disconnect the storage media from the system
  4. Properly secure the storage media with physical or logical access
    controls

a. 1 only
b. 2 only
c. 2, 3, and 4
d. 1, 2, 3, and 4

A
  d. All four items are adequate controls to reduce the risk resulting
    from maintenance vendor personnel’s access to classified information.
    For handling classified information, maintenance personnel should
    possess security clearance levels equal to the highest level of security
    required for an information system.
13
Q
  A security configuration checklist is referred to as which of the
    following?
  1. Lockdown guide
  2. Hardening guide
  3. Security guide
  4. Benchmark guide

a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 1, 2, 3, and 4

A
  d. A security configuration checklist is referred to by several
    names, such as a lockdown guide, hardening guide, security technical
    implementation guide (for example, a DISA STIG), or benchmark guide
    (for example, a CIS Benchmark). These guides provide a series of
    instructions or procedures for configuring an information system’s
    components to meet operational needs and regulatory requirements.
14
Q
  Regarding the verification of correct operation of security
    functions, which of the following is the correct order of alternative
    actions when anomalies are discovered?
  1. Report the results.
  2. Notify the system administrator.
  3. Shut down the system.
  4. Restart the system.

a. 1, 2, 3, and 4
b. 3, 4, 2, and 1
c. 2, 1, 3, and 4
d. 2, 3, 4, and 1

A
  d. The correct order of alternative actions is notify the system
    administrator, shut down the system, restart the system, and report the
    results of security function verification.
15
Q
  The audit log does not include which of the following?

a. Timestamp
b. User’s identity
c. Object’s identity
d. The results of action taken

A
  d. The audit log includes a timestamp, user’s identity, object’s
    identity, and type of action taken, but not the results from the action
    taken. The person reviewing the audit log needs to verify that the
    results of the action taken were appropriate. (An audit record does
    capture the outcome of an event, i.e., success or failure; what it
    cannot capture is whether the effect of the action was appropriate,
    which is the reviewer’s judgment.)
16
Q
  Which of the following fault tolerance metrics are most
    applicable to the proper functioning of redundant array of disks
    (RAID) systems?
  1. Mean time between failures (MTBF)
  2. Mean time to data loss (MTTDL)
  3. Mean time to recovery (MTTR)
  4. Mean time between outages (MTBO)

a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4

A
  c. Rapid replacement of RAID’s failed drives or disks and
    rebuilding them quickly is important, which is facilitated specifically
    and mostly through applying MTTDL and MTTR metrics. The
    MTTDL metric measures the average time before a loss of data
    occurs in a given disk array. The MTTR metric measures the amount
    of time it takes to resume normal operation, and includes the time to
    replace a failed disk and the time to rebuild the disk array. The two
    are linked: the longer the repair and rebuild window (MTTR), the
    greater the chance that a second disk fails before redundancy is
    restored, so shortening MTTR directly lengthens MTTDL.
    MTBF and MTBO metrics are incorrect because they are broad
    measures of system reliability and availability respectively,
    and are not specifically applicable to RAID systems. The MTBF
    metric measures the average time interval between system failures and
    the MTBO metric measures the mean time between equipment
    failures that result in a loss of service (outages).
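The answer above says MTTDL and MTTR are the RAID-relevant metrics; the added example below (not part of the original flashcards) shows the quantitative link using the standard single-parity MTTDL approximation. The disk MTTF, group size and repair windows are constructed values and the model is the textbook one, so treat the numbers as illustrating the 1/MTTR relationship rather than as predictions for any real array.

```python
"""Why MTTR drives RAID data-loss risk: a worked MTTDL estimate.

Added example, not part of the original flashcards. It applies the classic
single-parity (RAID 5) approximation from Patterson, Gibson and Katz:

    MTTDL ~= MTTF_disk**2 / (N * (N - 1) * MTTR)

This assumes independent, exponentially distributed disk failures, and
that data is lost only when a second disk in an N-disk group fails before
the first failure has been repaired and the array rebuilt (the MTTR
window). The disk figures used below are constructed, not vendor data.
"""
import math

HOURS_PER_YEAR = 24 * 365


def mttdl_single_parity(mttf_disk_hours: float, n_disks: int, mttr_hours: float) -> float:
    """Mean time to data loss, in hours, for one N-disk single-parity group."""
    if n_disks < 2 or mttf_disk_hours <= 0 or mttr_hours <= 0:
        raise ValueError("need at least 2 disks and positive MTTF/MTTR")
    return mttf_disk_hours ** 2 / (n_disks * (n_disks - 1) * mttr_hours)


def annual_loss_probability(mttdl_hours: float) -> float:
    """P(at least one data-loss event within a year) under the same model."""
    return 1.0 - math.exp(-HOURS_PER_YEAR / mttdl_hours)


def compare_mttr(mttf_disk_hours: float = 1_000_000, n_disks: int = 8,
                 mttr_values=(8, 48, 336)) -> dict:
    """MTTDL in years for several repair windows (hours): one shift, two
    days, and two weeks of waiting for a replacement disk plus rebuild."""
    return {
        mttr: mttdl_single_parity(mttf_disk_hours, n_disks, mttr) / HOURS_PER_YEAR
        for mttr in mttr_values
    }


if __name__ == "__main__":
    for mttr, years in compare_mttr().items():
        hours = years * HOURS_PER_YEAR
        print(f"MTTR {mttr:4d} h -> MTTDL {years:12,.0f} years, "
              f"P(loss in 1 year) = {annual_loss_probability(hours):.2e}")
```

Because MTTR appears in the denominator, stretching the repair window from one shift to two weeks cuts MTTDL by the same factor of 42. The model ignores correlated failures (shared batches, power events) and unrecoverable read errors during the rebuild, both of which make real MTTDL worse, so the practical lesson is the one the card states: keep spares on hand and rebuild fast.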
17
Q
  All the following have redundancy built in except:

a. Fast Ethernet
b. Fiber distributed data interface
c. Normal Ethernet
d. Synchronous optical network

A
  c. Normal Ethernet does not have built-in redundancy. Fast
    Ethernet has built-in redundancy with redundant cabling for file
    servers and network switches. Fiber distributed data interface (FDDI)
    offers an optional bypass switch at each node for addressing failures.
    Synchronous optical network (SONET) is inherently redundant and
    fault tolerant by design.
18
Q
  Which of the following go hand-in-hand?

a. Zero-day warez and content delivery networks
b. Zero-day warez and ad-hoc networks
c. Zero-day warez and wireless sensor networks
d. Zero-day warez and converged networks

A
  a. Zero-day warez (negative day or zero-day) refers to software,
    games, music, or movies (media) unlawfully released or obtained on
    the day of public release. An internal employee of a content delivery
    company or an external hacker obtains illegal copies on the day of the
    official release. Content delivery networks distribute such media from
    the content owner. The other three networks do not distribute such
    media.
    Bluetooth mobile devices use ad-hoc networks, wireless sensor
    networks monitor security of a building perimeter and environmental
    status in a building (temperature and humidity), and converged
    networks combine two different networks such as voice and data.
19
Q
  Which of the following provides total independence?

a. Single-person control
b. Dual-person control
c. Two physical keys
d. Two hardware tokens

A
  a. Single-person control means total independence because there is
    only one person performing a task or activity. In the other three
    choices, two individuals or two devices (for example, keys and tokens)
    must work together, an arrangement that is difficult to bypass unless
    the two parties collude.
20
Q
  The use of a no-trespassing warning banner at a computer
    system’s initial logon screen is an example of which of the
    following?

a. Correction tactic
b. Detection tactic
c. Compensating tactic
d. Deterrence tactic

A
  d. The use of no-trespassing warning banners on initial logon
    screens is a deterrence tactic: it is meant to discourage system
    intruders and to support legal action by establishing that any access
    beyond that point was knowingly unauthorized. The other three choices
    come into play after the deterrence tactic.
21
Q
  Countermeasures applied when inappropriate and/or
    unauthorized modifications have occurred to security functions
    include:
  1. Reversing the change
  2. Halting the system
  3. Triggering an audit alert
  4. Reviewing the records of change

a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

A
  d. Safeguards and countermeasures (controls) applied when
    inappropriate and/or unauthorized modifications have occurred to
    security functions and mechanisms include reversing the change,
    halting the system, triggering an audit alert, and reviewing the records
    of change. These countermeasures would reduce the risk to an
    information system.
22
Q
  Which of the following situations provides no security
    protection?

a. Controls that are designed and implemented
b. Controls that are developed and implemented
c. Controls that are planned and implemented
d. Controls that are available, but not implemented

A
  d. Controls that are available in a computer system, but not
    implemented, provide no protection.
23
Q
  A computer system is clogged in which of the following
    attacks?

a. Brute force attack
b. Denial-of-service attack
c. IP spoofing attack
d. Web spoofing attack

A
  b. The denial-of-service (DoS) type of attack denies services to
    users by either clogging the system with a series of irrelevant messages
    or sending disruptive commands to the system. It does not damage the
    data. A brute force attack tries every possible key or password
    combination to break into a computer system. In an Internet Protocol
    (IP) spoofing attack, intruders create packets with forged source IP
    addresses and then take over open terminal and login connections. In a
    Web spoofing attack, the intruder sits between the victim user and the
    Web, making it a man-in-the-middle attack. The user is duped into
    supplying the intruder with passwords, credit card information, and
    other sensitive and useful data.
24
Q
  Which of the following is not an effective, active, and
    preventive technique to protect the integrity of audit information
    and audit tools?

a. Backing up the audit records
b. Using a cryptographically signed hash
c. Protecting the key used to generate the hash
d. Using the public key to verify the hash

A
  a. Backing up the audit records is a passive and detective action,
    and hence not effective in protecting integrity. In general, backups
    provide availability of data, not integrity of data: a backup taken
    after records have been altered simply preserves the alteration. The
    other three choices, which are active and preventive, use cryptographic
    mechanisms (for example, keys and hashes), and therefore are effective
    in protecting the integrity of audit-related information. Note that the
    protection is only as good as the key: if the signing key is exposed,
    an attacker can re-sign altered records, which is why protecting that
    key is itself one of the controls.
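As an added example (not from the original flashcards, and not the only way to do it), the block below implements choices b, c and d as a keyed, chained integrity tag over constructed audit records that carry the timestamp, user, object and action fields from question 15. Because the Python standard library has no public-key signatures, an HMAC with a protected symmetric key stands in for the signed hash; the key value, record fields and function names are assumptions. It also shows the failure mode a plain chain has: deletion of the newest records is only caught if the verifier knows the last published tag.

```python
"""Tamper-evident audit log: HMAC-SHA-256 chained records with verification.

Added example, not from the original flashcards. The card describes a
cryptographically signed hash verified with a public key; this example
substitutes a keyed HMAC chain (standard library only, no asymmetric keys)
so that it runs offline. The audit records are constructed sample data, and
SIGNING_KEY and the record field names are assumptions.
"""
import copy
import hashlib
import hmac
import json

# Assumed: the key is held by the logging service (ideally an HSM) and
# handed to the verifier out of band. Protecting it is what makes the
# tags meaningful; with the key, an attacker could re-tag altered records.
SIGNING_KEY = b"assumed-audit-log-key-keep-in-hsm"
GENESIS_TAG = "0" * 64


def canonical(record: dict) -> bytes:
    """Stable serialization so an identical record always tags identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(key: bytes, prev_tag: str, record: dict) -> str:
    """tag = HMAC(key, prev_tag || record): chaining binds order and presence."""
    return hmac.new(key, prev_tag.encode() + canonical(record), hashlib.sha256).hexdigest()


def append(log: list, key: bytes, record: dict) -> list:
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    log.append({"record": record, "tag": tag_record(key, prev_tag, record)})
    return log


def verify(log: list, key: bytes, expected_head=None) -> tuple:
    """Return (ok, index): index is the first bad entry, len(log) when the
    tail is missing, or -1 when the log is intact."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        if not hmac.compare_digest(tag_record(key, prev_tag, entry["record"]), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    # A chain alone cannot notice truncation: dropping the newest entries
    # leaves every remaining tag valid. The verifier must also know the
    # last tag that was published (e.g. copied to a separate system).
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(log)
    return True, -1


def build_sample_log(key: bytes = SIGNING_KEY) -> list:
    """Constructed events: timestamp, user, object, action and outcome."""
    events = [
        {"ts": "2024-05-01T08:00:00Z", "user": "alice", "object": "/etc/shadow",
         "action": "read", "outcome": "failure"},
        {"ts": "2024-05-01T08:00:07Z", "user": "alice", "object": "/etc/shadow",
         "action": "read", "outcome": "success"},
        {"ts": "2024-05-01T08:01:15Z", "user": "bob", "object": "/etc/audit/auditd.conf",
         "action": "modify", "outcome": "success"},
    ]
    log = []
    for event in events:
        append(log, key, event)
    return log


def demo_tampering(key: bytes = SIGNING_KEY) -> dict:
    """Attacks by someone who can edit the log file but holds no key."""
    intact = build_sample_log(key)
    head = intact[-1]["tag"]                     # published out of band

    edited = copy.deepcopy(intact)
    edited[1]["record"]["outcome"] = "failure"   # rewrite an event

    deleted_middle = copy.deepcopy(intact)
    del deleted_middle[1]                        # remove an event

    truncated = copy.deepcopy(intact)
    truncated.pop()                              # drop the newest event

    return {
        "intact": verify(intact, key, head),
        "edited": verify(edited, key, head),
        "deleted_middle": verify(deleted_middle, key, head),
        "truncated_no_head": verify(truncated, key),
        "truncated_with_head": verify(truncated, key, head),
        "wrong_key": verify(intact, b"attacker-guess", head),
    }


if __name__ == "__main__":
    for case, (ok, index) in demo_tampering().items():
        print(f"{case:20s} ok={ok} first_bad_index={index}")
```

Editing or removing a record breaks every tag from that point on, and a verifier with the wrong key fails at entry 0. The "truncated_no_head" case passes, which is the caveat: the chain proves nothing about records that were never presented, so the last tag must be published somewhere the attacker cannot reach. Swapping the HMAC for a real signature keeps the structure the same and lets the verifier hold only the public key, which is what choice d describes.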
25
Q
  Regarding a patch management program, which of the following
    should not be done to a compromised system?

a. Reformatting
b. Reinstalling
c. Restoring
d. Remigrating

A
  d. In most cases a compromised system should be reformatted and
    reinstalled, or restored from a known safe and trusted backup.
    Remigrating means switching between automated and manual patching
    tools and methods; it should not be performed on a compromised
    system.
26
Q
  Which of the following is the most malicious Internet-based attack?

a. Spoofing attack
b. Denial-of-service attack
c. Spamming attack
d. Locking attack

A
  b. A denial-of-service (DoS) attack is the most malicious Internet-based
    attack because it floods the target computer with hundreds of
    incomplete Internet connections per second, effectively preventing any
    other network connections from being made to the victim network
    server. The result is a denial of service to users, consumption of
    system resources, or a crash of the target computer. Spoofing attacks
    use various techniques to subvert IP-based access control by
    masquerading as another system by using its IP address. Spamming
    attacks post identical messages to multiple unrelated newsgroups. They
    are often used in cheap advertising to promote pyramid schemes or
    simply to annoy people. A locking attack prevents users from accessing
    and running shared programs such as those found in the Microsoft
    Office product.
27
Q
  Denial-of-service attacks can be prevented by which of the following?

a. Redundancy
b. Isolation
c. Policies
d. Procedures

A
  a. Redundancy in data and/or equipment can be designed so that service
    cannot be removed or denied. Isolation is just the opposite of
    redundancy. Policies and procedures are not effective against
    denial-of-service (DoS) attacks because they are examples of management
    controls. DoS requires technical controls such as redundancy.
28
Q
  Which of the following denial-of-service attacks in networks is least
    common in occurrence?

a. Service overloading
b. Message flooding
c. Connection clogging
d. Signal grounding

A
  d. In denial-of-service (DoS) attacks, some users prevent other
    legitimate users from using the network. Signal grounding, which is
    located in wiring closets, can be used to disable a network. This can
    prevent users from transmitting or receiving messages until the
    problem is fixed. Signal grounding is the least common in occurrence
    as compared to the other choices because it requires physical access.
    Service overloading occurs when floods of network requests are made to
    a server daemon on a single computer; it cannot process regular tasks
    in a timely manner. Message flooding occurs when a user slows down the
    processing of a system on the network, to prevent the system from
    processing its normal workload, by “flooding” the machine with network
    messages addressed to it. The system spends most of its time
    responding to these messages. Connection clogging occurs when users
    make connection requests with forged source addresses that specify
    nonexistent or unreachable hosts that cannot be contacted. Thus, there
    is no way to trace the connection back; the half-open connections
    remain until they time out or are reset. The goal is to use up the
    limit of partially open connections (this is the mechanism of a SYN
    flood).
29
Q
  Smurf is an example of which of the following?

a. IP address spoofing attack
b. Denial-of-service attack
c. Redirect attack
d. TCP sequence number attack

A
  b. Smurf attacks use a network that accepts broadcast ping packets to
    flood the target computer with ping reply packets. The goal of a smurf
    attack is to deny service. (A smurf attack does spoof the victim’s
    address as the source of the broadcast ping, but the attack is
    classified by its goal, which is denial of service.) Internet Protocol
    (IP) address spoofing attacks and transmission control protocol (TCP)
    sequence number attacks are examples of session hijacking attacks. IP
    address spoofing is falsifying the identity of a computer system. In a
    redirect attack, a hacker redirects the TCP stream through the
    hacker’s computer. The TCP sequence number attack is a prediction of
    the sequence number needed to carry out an unauthorized handshake.
30
Q
  The demand for reliable computing is increasing. Reliable computing
    has which of the following desired elements in computer systems?

a. Data integrity and availability
b. Data security and privacy
c. Confidentiality and modularity
d. Portability and feasibility

A
  a. Data integrity and availability are two important elements of
    reliable computing. Data integrity is the concept of ensuring that data
    can be maintained in an unimpaired condition and is not subject to
    unauthorized modification, whether intentional or inadvertent. Products
    such as backup software, antivirus software, and disk repair utility
    programs help protect data integrity in personal computers (PCs) and
    workstations. Availability is the property that a given resource will
    be usable during a given time period. PCs and servers are becoming an
    integral part of complex networks with thousands of hardware and
    software components (for example, hubs, routers, bridges, databases,
    and directory services), and the complex nature of client/server
    networks drives the demand for availability. System availability is
    increased when system downtime or outages are decreased and when fault
    tolerant hardware and software are used.
    Data security, privacy, and confidentiality are incorrect because they
    deal with ensuring that data is disclosed only to authorized
    individuals and have nothing to do with reliable computing. Modularity
    deals with the breaking down of a large system into small modules.
    Portability deals with the ability of application software source code
    and data to be transported without significant modification to more
    than one type of computer platform or more than one type of operating
    system. Portability has nothing to do with reliable computing.
    Feasibility deals with the degree to which the requirements can be
    implemented under existing constraints.
31
Q
  Which of the following is not a part of implementation of incident
    response support resources in an organization?

a. Help desk
b. Assistance group
c. Forensics services
d. Simulated events

A
  d. An organization incorporates simulated events into incident
    response training to facilitate effective response by individuals in
    crisis situations. The other three choices are possible
    implementations of incident response support resources in an
    organization.
32
Q
  Software flaw remediation is best when it is incorporated into which
    of the following?

a. Configuration management process
b. Security assessments
c. Continuous monitoring
d. Incident response activities

A
  a. Software flaws result in potential vulnerabilities. The
    configuration management process can track and verify the required or
    anticipated flaw remediation actions. Flaws discovered during security
    assessments, continuous monitoring, incident-response activities, or
    system error handling activities become inputs to the configuration
    management process. Automated patch management tools should facilitate
    flaw remediation by promptly installing security-relevant software
    updates (for example, patches, service packs, and hot fixes).
33
Q
  Audit trails establish which of the following information security
    objectives?

a. Confidentiality
b. Integrity
c. Accountability
d. Availability

A
  c. Accountability is the existence of a record that permits the
    identification of an individual who performed some specific activity
    so that responsibility for that activity can be established through
    audit trails. Audit trails do not establish the other three choices.
34
Q
  Audit trails are least useful to which of the following?

a. Training
b. Deterrence
c. Detection
d. Prosecution

A
  a. Audit trails are useful in detecting unauthorized and illegal
    activities. They also act as a deterrent and aid in prosecution of
    transgressors. They are least useful in training because audit trails
    are recorded after the fact. They show what was done, when, and by
    whom.
35
Q
  In terms of audit records, which of the following information is most
    useful?
  1. Timestamps
  2. Source and destination address
  3. Privileged commands
  4. Group account users

a. 1 only
b. 1 and 2
c. 3 and 4
d. 1, 2, 3, and 4

A
  c. Audit records contain minimum information such as timestamps,
    source and destination addresses, and outcome of the event (i.e.,
    success or failure). But the most useful information is the recording
    of privileged commands and the individual identities of group account
    users.
36
Q
  Which of the following is an example of improper separation of
    duties?

a. Computer security is embedded into computer operations.
b. Security administrators are separate from security auditors.
c. Mission-critical functions and support functions are separate from
   each other.
d. Quality assurance is separate from network security.

A
  a. A natural tension often exists between computer security and
    computer operations functions. Some organizations embed a computer
    security program in computer operations to resolve this tension. The
    typical result of this organizational strategy is a computer security
    program that lacks independence, has minimal authority, receives little
    management attention, and has few resources to work with. The other
    three choices are examples of proper separation of duties.
37
Q
  What are labels used on internal data structures called?

a. Automated marking
b. Automated labeling
c. Hard-copy labeling
d. Output labeling

A
  b. Automated labeling refers to labels used on internal data
    structures such as records and files within the information system.
    Automated marking refers to labels used on external media such as
    hard-copy documents and output from the information system (for
    example, reports).
38
Q
  Which of the following is not allowed when an information system
    cannot be sanitized due to a system failure?

a. Periodic maintenance
b. Remote maintenance
c. Preventive maintenance
d. Detective maintenance

A
  b. Media sanitization (scrubbing) means removing information from
    media such that information recovery is not possible. Specifically, it
    removes all labels, markings, and activity logs. An organization
    approves, controls, and monitors remotely executed maintenance and
    diagnostic activities. If the information system cannot be sanitized
    due to a system failure, remote maintenance is not allowed because it
    is a high-risk situation. The other three types of maintenance are
    low-risk situations.
39
Q
  Regarding configuration change management, organizations should
    analyze new software in which of the following libraries before
    installation?

a. Development library
b. Test library
c. Quarantine library
d. Operational library

A
  b. Organizations should analyze new software in a separate test
    library before installation in an operational environment. They should
    look for security impacts due to software flaws, security weaknesses,
    data incompatibility, or intentional malice in the test library. The
    development library is used solely for new development work or
    maintenance work. Some organizations use a quarantine library, as an
    intermediate library, before moving the software into the operational
    library. The operational library is where the new software resides for
    day-to-day use.
40
Q
  Current operating systems are far more resistant to which of the
    following types of denial-of-service attacks, which has therefore
    become less of a threat?

a. Reflector attack
b. Amplified attack
c. Distributed attack
d. SYN flood attack

A
  d. SYN (synchronize) flood attacks often target an application and its
    daemon, like a Web server, and not the operating system (OS) itself,
    although the OS may be impacted by the resources the attack consumes.
    Current operating systems are far more resistant to SYN flood attacks
    (for example, through SYN cookies), and many firewalls now offer
    protections against such attacks, so they have become less of a
    threat. Still, SYN floods can occur if attackers initiate many
    thousands of transmission control protocol (TCP) connections in a
    short time. The other three types of attacks are more of a threat. In
    a reflector attack, a host sends many requests with a spoofed source
    address to a service on an intermediate host. Like a reflector attack,
    an amplified attack involves sending requests with a spoofed source
    address to an intermediate host. However, an amplified attack does not
    use a single intermediate host; instead, its goal is to use a whole
    network of intermediate hosts. Distributed attacks coordinate attacks
    among many computers (i.e., zombies).
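Questions 28 (connection clogging), 29 (smurf) and 40 (SYN flood) describe the two traffic patterns a defender would look for in flow or firewall logs. The added example below (not from the original flashcards) runs simple detection logic over constructed flow-log lines: half-open TCP connections from many sources that never complete the handshake, and unsolicited ICMP echo replies from many hosts converging on one victim. The line format, thresholds and function names are assumptions; real exporters use their own formats.

```python
"""Detecting SYN-flood (connection clogging) and smurf traffic in flow logs.

Added example, not from the original flashcards. The log format below is a
constructed, simplified flow-record line ("<ts> <proto> <src> -> <dst>
<tcp-flags | icmp-type>"); real firewalls and flow exporters use their own
formats, so the parser is an assumption. The thresholds are illustrative.
IPv4 only.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (TCP|ICMP) (\S+) -> (\S+) (\S+)$")


def parse(line: str):
    """One flow record -> dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, info = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "info": info}


def detect_syn_flood(records, min_half_open: int = 50) -> dict:
    """Per TCP service, count sources that sent a bare SYN and never followed
    with an ACK: half-open connections from spoofed or unreachable hosts."""
    syn_sources = defaultdict(set)   # dst ip:port -> sources that sent SYN
    ack_sources = defaultdict(set)   # dst ip:port -> sources that sent ACK
    for r in records:
        if r["proto"] != "TCP":
            continue
        if r["info"] == "S":
            syn_sources[r["dst"]].add(r["src"])
        elif r["info"] == "A":
            ack_sources[r["dst"]].add(r["src"])
    alerts = {}
    for service, sources in syn_sources.items():
        half_open = sources - ack_sources[service]
        if len(half_open) >= min_half_open:
            alerts[service] = len(half_open)
    return alerts


def detect_smurf(records, min_reflectors: int = 20) -> dict:
    """Per host, count distinct senders of ICMP echo replies that the host
    never sent an echo request to (replies provoked by a spoofed broadcast)."""
    requests_sent = defaultdict(set)     # src ip -> hosts it pinged
    replies_received = defaultdict(set)  # dst ip -> hosts that replied to it
    for r in records:
        if r["proto"] != "ICMP":
            continue
        if r["info"] == "echo-request":
            requests_sent[r["src"]].add(r["dst"])
        elif r["info"] == "echo-reply":
            replies_received[r["dst"]].add(r["src"])
    alerts = {}
    for victim, reflectors in replies_received.items():
        unsolicited = reflectors - requests_sent[victim]
        if len(unsolicited) >= min_reflectors:
            alerts[victim] = len(unsolicited)
    return alerts


def analyze(lines) -> dict:
    records = [r for r in (parse(line) for line in lines) if r is not None]
    return {"syn_flood": detect_syn_flood(records), "smurf": detect_smurf(records)}


def build_sample_lines() -> list:
    """Constructed traffic: one legitimate handshake and ping exchange, then a
    SYN flood from 80 spoofed sources and a smurf reflection from 40 hosts."""
    lines = [
        "2024-05-01T10:00:00Z TCP 198.51.100.7:40001 -> 203.0.113.10:443 S",
        "2024-05-01T10:00:00Z TCP 203.0.113.10:443 -> 198.51.100.7:40001 SA",
        "2024-05-01T10:00:00Z TCP 198.51.100.7:40001 -> 203.0.113.10:443 A",
        "2024-05-01T10:00:01Z ICMP 203.0.113.10 -> 198.51.100.7 echo-request",
        "2024-05-01T10:00:01Z ICMP 198.51.100.7 -> 203.0.113.10 echo-reply",
        "this line is garbage and is skipped by the parser",
    ]
    for i in range(80):   # forged source addresses, SYN only, no ACK ever
        lines.append(f"2024-05-01T10:00:02Z TCP 192.0.2.{i + 1}:{50000 + i} -> 203.0.113.10:443 S")
    for i in range(40):   # reflector network answers a ping the victim never sent
        lines.append(f"2024-05-01T10:00:03Z ICMP 198.18.0.{i + 1} -> 203.0.113.10 echo-reply")
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_lines()))
```

The legitimate client completes its handshake and the legitimate ping is answered, so neither trips a threshold; the 80 forged sources and 40 reflectors do. On a real network the window and thresholds need tuning, and a host behind SYN cookies will still show the SYNs in its logs even though it is no longer losing its connection table to them.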
41
Q
  Which of the following is the correct sequence of solutions for
    containing a denial-of-service incident?
  1. Relocate the target computer.
  2. Have the Internet service provider implement filtering.
  3. Implement filtering based on the characteristics of the attack.
  4. Correct the vulnerability that is being exploited.

a. 2, 3, 1, and 4
b. 2, 4, 3, and 1
c. 3, 4, 2, and 1
d. 4, 3, 1, and 2

A
  c. The decision-making process for containing a denial-of-service
    (DoS) incident should be easier if recommended actions are
    predetermined. The containment strategy should include several
    solutions in sequence as shown in the correct answer.
42
Q
  Computer security incident handling can be considered that portion of
    contingency planning that responds to malicious technical threats
    (for example, a virus). Which of the following best describes a
    secondary benefit of an incident handling capability?

a. Containing and repairing damage from incidents
b. Preventing future damage
c. Using the incident data in enhancing the risk assessment process
d. Enhancing the training and awareness program

A
  c. An incident capability may be viewed as a component of contingency
    planning because it provides the ability to react quickly and
    efficiently to disruptions in normal processing. Incidents can be
    logged and analyzed to determine whether there is a recurring problem,
    which would not be noticed if each incident were viewed only in
    isolation. Statistics on the numbers and types of incidents in the
    organization can be used in the risk assessment process as an
    indication of vulnerabilities and threats.
    Containing and repairing damage from incidents and preventing future
    damage are incorrect because they are examples of primary benefits of
    an incident handling capability. An incident handling capability can
    provide enormous benefits by responding quickly to suspicious activity
    and coordinating incident handling with responsible offices and
    individuals as necessary. Incidents can be studied internally to gain
    a better understanding of the organization’s threats and
    vulnerabilities.
    Enhancing the training and awareness program is also an example of a
    secondary benefit. Based on incidents reported, training personnel
    will have a better understanding of users’ knowledge of security
    issues. Training that is based on current threats and controls
    recommended by incident handling staff provides users with information
    more specifically directed to their current needs. Using the incident
    data in enhancing the risk assessment process is the best answer when
    compared to enhancing the training and awareness program.
43
43. Automatic file restoration requires which of the following? a. Log file and checkpoint information b. Access file and check digit information c. Transaction file and parity bit information d. Backup file and checkpoint information
43. a. Automatic file restoration requires log file and checkpoint information to recover from a system crash: the checkpoint supplies a known-good state, and the log supplies the updates made after that state was captured. A backup file is different from a log file in that it can be a simple copy of the original file, whereas a log file contains specific and limited information about each change. The other three choices lack the log file; a check digit or parity bit only detects errors in individual values and cannot reconstruct lost updates.
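The mechanism behind this answer, shown as an added example (written for this page, not code from the original or from any product): a toy key-value store with a write-ahead log and periodic checkpoints. After a simulated crash, recovery loads the last checkpoint and replays only the log records after the checkpoint's log sequence number; the keys, values and the crash scenario are constructed.

```python
"""Crash recovery from a checkpoint plus a log file.

Added example written for this page, not code from any real product: a toy
key-value store that keeps a write-ahead log (WAL) and periodic checkpoints,
then rebuilds its state after a simulated crash. All data below is constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional


def apply_record(state: dict, rec: dict) -> None:
    """Apply one log record to an in-memory state dictionary."""
    if rec["op"] == "put":
        state[rec["key"]] = rec["value"]
    elif rec["op"] == "del":
        state.pop(rec["key"], None)
    else:
        raise ValueError(f"unknown op {rec['op']!r}")


@dataclass
class Store:
    """Durable parts: wal and checkpoint. Volatile part: state (lost on crash)."""
    wal: list = field(default_factory=list)       # one JSON record per line
    checkpoint: Optional[dict] = None              # {"lsn": n, "state": {...}}
    state: dict = field(default_factory=dict)
    next_lsn: int = 1                              # log sequence number to assign next

    def _log_and_apply(self, rec: dict) -> None:
        rec["lsn"] = self.next_lsn
        self.next_lsn += 1
        self.wal.append(json.dumps(rec))           # write-ahead: log before applying
        apply_record(self.state, rec)

    def put(self, key: str, value: str) -> None:
        self._log_and_apply({"op": "put", "key": key, "value": value})

    def delete(self, key: str) -> None:
        self._log_and_apply({"op": "del", "key": key})

    def take_checkpoint(self) -> None:
        """Snapshot the whole state together with the highest LSN it reflects."""
        self.checkpoint = {"lsn": self.next_lsn - 1, "state": dict(self.state)}


def recover(wal: list, checkpoint: Optional[dict]):
    """Rebuild state from the checkpoint and replay only later log records.

    Returns (state, records_replayed). With no checkpoint the whole log is
    replayed; with one, records at or below the checkpoint LSN are skipped.
    """
    state = dict(checkpoint["state"]) if checkpoint else {}
    start_lsn = checkpoint["lsn"] if checkpoint else 0
    replayed = 0
    for line in wal:
        rec = json.loads(line)
        if rec["lsn"] <= start_lsn:
            continue                               # already captured in checkpoint
        apply_record(state, rec)
        replayed += 1
    return state, replayed


def demo():
    """Constructed scenario: updates, checkpoint, more updates, then a crash."""
    s = Store()
    s.put("balance:alice", "100")                  # LSN 1
    s.put("balance:bob", "50")                     # LSN 2
    s.take_checkpoint()                            # checkpoint covers LSN 1-2
    s.put("balance:alice", "70")                   # LSN 3
    s.delete("balance:bob")                        # LSN 4
    before_crash = dict(s.state)
    s.state.clear()                                # crash: volatile state is gone
    recovered, replayed = recover(s.wal, s.checkpoint)
    assert recovered == before_crash
    return recovered, replayed


if __name__ == "__main__":
    print(demo())                                  # ({'balance:alice': '70'}, 2)
```

Without the checkpoint the same log still recovers the state, but every record must be replayed; without the log, the checkpoint alone loses every update made after it was taken. That is why the answer names both.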
44
44. Which of the following is the most common type of redundancy? a. Cable backup b. Server backup c. Router backup d. Data backup
44. d. In general, redundancy means having extra, duplicate elements to compensate for any malfunctions or emergencies that could occur during normal, day-to-day operations. The most common type of redundancy is the data backup, although the concept is often applied to cabling, server hardware, and network connectivity devices such as routers and switches.
45
45. Increasing which one of the following items increases the other three items? a. Reliability b. Availability c. Redundancy d. Serviceability
45. c. Reliability minimizes the possibility of failure and availability is a measurement of uptime while serviceability is a measure of the amount of time it takes to repair a problem or to restore a system following a failure. Increasing redundancy increases reliability, availability, and serviceability.
46
46. Which of the following is often overlooked in building redundancy? a. Disks b. Processors c. Electrical power d. Controllers
46. c. Redundant electric power and cooling is an important but often overlooked part of a contingency plan. Network administrators usually plan for backup disks, processors, controllers, and system boards.
47
47. Network availability is increased with which of the following? a. Data redundancy b. Link redundancy c. Software redundancy d. Power redundancy
47. b. Link redundancy, provided by redundant cabling, increases network availability because it supplies a parallel path that runs alongside the main data path, together with a routing methodology that can switch to the alternative path if the main path fails. In other words, there are two paths: a main path and an alternative path. The other three redundancies are valuable in their own right, but none of them provides an alternative network path.
48
48. What does an effective backup method for handling large volumes of data in a local-area-network environment include? a. Backing up at the workstation b. Backing up at the file server c. Using faster network connection d. Using RAID technology
48. b. Backing up at the file server is effective for a local-area network because of the server's greater storage capacity and because the data is already centralized there. Backing up at individual workstations lacks storage capacity and is hard to manage consistently. Redundant array of independent disks (RAID) technology improves disk fault tolerance but is not a backup: a corrupted or deleted file is faithfully replicated across the array. Using a faster network connection increases transfer speed but is not itself a backup method.
49
49. Network reliability is increased most with which of the following? a. Alternative cable b. Alternative network carrier c. Alternative supplies d. Alternative controllers
49. b. An alternative network carrier as a backup provides the highest reliability. If the primary carrier goes down, the backup can still work. The other three choices do provide some reliability, but not the ultimate reliability as with the alternative network carrier.
50
50. In a local-area network environment, which of the following requires the least redundancy planning? a. Cables b. Servers c. Power supplies d. Hubs
50. d. Many physical problems in local-area networks (LANs) are related to cables because they can be broken or twisted. Servers can be physically damaged by a disk head crash or by power irregularities such as over- or under-voltage conditions. An uninterruptible power supply provides power redundancy and protection to servers and workstations. Servers can be disk duplexed for redundancy. Redundant topologies such as star, mesh, or ring can provide a duplicate path should a main cable link fail. Hubs require physical controls such as lock and key because they are kept in wiring closets; they can also benefit from redundancy, but that can be expensive. Given the choices, it is preferable to have redundant facilities for cables, servers, and power supplies.
51
51. System reliability controls for hardware include which of the following? a. Mechanisms to decrease mean time to repair and to increase mean time between failures b. Redundant computer hardware c. Backup computer facilities d. Contingency plans
51. a. Mean time to repair (MTTR) is the amount of time it takes to resume normal operation. It is expressed in minutes or hours taken to repair computer equipment. The smaller the MTTR for hardware, the more reliable it is. Mean time between failures (MTBF) is the average length of time the hardware is functional. MTBF is expressed as the average number of hours or days between failures. The larger the MTBF for hardware, the more reliable it is. Redundant computer hardware and backup computer facilities are incorrect because they are examples of system availability controls. They also address contingencies in case of a computer disaster.
52
52. Fail-soft control is an example of which of the following? a. Continuity controls b. Accuracy controls c. Completeness controls d. Consistency controls
52. a. As a part of the preventive control category, fail-soft is a continuity control. It is the selective termination of affected nonessential processing when a hardware or software failure is detected in a computer system. A computer system continues to function because of its resilience. Accuracy controls are incorrect because they include data editing and validation routines. Completeness controls are incorrect because they look for the presence of all the required values or elements. Consistency controls are incorrect because they ensure repeatability of certain transactions with the same attributes.
53
53. Information availability controls do not include which of the following? a. Backup and recovery b. Storage media c. Physical and logical security d. Alternative computer equipment and facilities
53. b. Storage media is not itself an information availability control. Data will be stored somewhere on some media; the choice of media is not a decision criterion for availability. Management's goal is to gather useful information and to make it available to authorized users. System backup and recovery procedures and alternative computer equipment and facilities help ensure that recovery is as timely as possible, and both physical and logical access controls are important because system failures and other interruptions are common.
54
54. From an operations viewpoint, the first step in contingency planning is to perform a(n): a. Operating systems software backup b. Applications software backup c. Documentation backup d. Hardware backup
54. d. Hardware backup is the first step in contingency planning. All computer installations must include formal arrangements for alternative processing capability in the event their data center or any portion of the work environment becomes disabled. These plans can take several forms and involve the use of another data center. In addition, hardware manufacturers and software vendors can be helpful in locating an alternative processing site and in some cases provide backup equipment under emergency conditions. The more common plans are service bureaus, reciprocal arrangements, and hot sites. After hardware is backed up, operating systems software is backed up next, followed by applications software backup and documentation.
55
55. The primary contingency strategy for application systems and data is regular backup and secure offsite storage. From an operations viewpoint, which of the following decisions is least important to address? a. How often is the backup performed? b. How often is the backup stored offsite? c. How often is the backup used? d. How often is the backup transported?
55. c. Normally, the primary contingency strategy for applications and data is regular backup and secure offsite storage. Important decisions to be addressed include how often the backup is performed, how often it is stored offsite, and how it is transported to storage, to an alternative processing site, or to support the resumption of normal operations. How often the backup is used is not relevant because it is hoped that it may never have to be used.
56
56. Which of the following is not totally possible from a security control viewpoint? a. Detection b. Prevention c. Correction d. Recovery
56. b. Total prevention is impossible because of its high cost and technical limitations. Under these conditions detection becomes more important, and it can be cheaper than prevention, although not all attacks can be detected in time. Both correction and recovery come after prevention or detection.
57
57. The return on investment on quality is highest in which of the following software defect prevention activities? a. Code inspection b. Reviews with users c. Design reviews d. Unit test
57. b. It is possible to quantify the return on investment (ROI) for various quality improvement activities. Studies have shown that quality ROI is highest when software products are reviewed with user customers. This is followed by code inspection by programmers, design reviews with the project team, and unit testing by programmers.
58
58. The IT operations management of KPT Corporation is concerned about the reliability and availability data for its four major, mission-critical information systems that are used by business end-users. The KPT corporate management's goal is to improve the reliability and availability of these four systems in order to increase customer satisfaction both internally and externally. The IT operations management collected the following data on percent reliability. Assume 365 operating days per year and 24 hours per day for all these systems. The IT operations management thinks that system reliability is important in providing quality of service to end-users.

System   Reliability %   Downtime (hours)   Availability %
1        99.50           44                 99.50
2        97.50           219                97.50
3        98.25           153                98.25
4        95.25           416                95.25

Which of the following systems has the highest downtime in a year, expressed in hours and rounded to the nearest hour? a. System 1 b. System 2 c. System 3 d. System 4
58. d. System 4 has the highest downtime in hours. The higher the reliability of a system, the lower its downtime (including scheduled maintenance) and the higher its availability, and vice versa. No calculation is actually needed to answer the question: the system with the lowest reliability percentage has the highest downtime. The calculations for System 1 are shown below; the other systems follow the same pattern.

Downtime = (Total hours) × [(100 − Reliability %)/100] = 8,760 × 0.005 = 43.8, rounded to 44 hours
Availability for System 1 = [(Total time − Downtime)/Total time] × 100 = [(8,760 − 44)/8,760] × 100 = 99.50%
Check: Availability for System 1 = [Uptime/(Uptime + Downtime)] × 100 = (8,716/8,760) × 100 = 99.50%
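The same arithmetic as an added example (written for this page, not part of the original): it generalizes the System 1 calculation to any set of systems, ranks them by downtime, adds the inverse question (what reliability keeps downtime within a budget), and includes the MTBF/MTTR relation from question 51. The KPT figures are re-entered as constructed input; `HOURS_PER_YEAR` follows the question's 365 × 24 assumption.

```python
"""Downtime, availability and MTBF/MTTR arithmetic.

Added example for this page (not from the original); it generalises the
System 1 calculation to any set of systems and also covers the MTBF/MTTR
relation from question 51. KPT_SYSTEMS is the constructed data from the card.
"""
HOURS_PER_YEAR = 365 * 24          # 8,760, as the question assumes


def downtime_hours(reliability_pct: float, total_hours: float = HOURS_PER_YEAR) -> float:
    """Downtime = total hours x (100 - reliability %)/100."""
    return total_hours * (100.0 - reliability_pct) / 100.0


def availability_pct(uptime_hours: float, down_hours: float) -> float:
    """Availability = uptime / (uptime + downtime) x 100."""
    return uptime_hours / (uptime_hours + down_hours) * 100.0


def availability_from_mtbf(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability from the question-51 measures:
    MTBF / (MTBF + MTTR). A larger MTBF or a smaller MTTR raises it."""
    return mtbf_hours / (mtbf_hours + mttr_hours) * 100.0


def rank_by_downtime(systems: dict, total_hours: float = HOURS_PER_YEAR) -> list:
    """Rows of (name, reliability %, downtime hours, availability %), worst first.
    Downtime is rounded to the nearest hour, which reproduces the card's figures."""
    rows = []
    for name, rel in systems.items():
        down = downtime_hours(rel, total_hours)
        avail = availability_pct(total_hours - down, down)
        rows.append((name, rel, round(down), round(avail, 2)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def reliability_for_downtime_budget(max_down_hours: float,
                                    total_hours: float = HOURS_PER_YEAR) -> float:
    """Inverse question: what reliability % keeps yearly downtime within a budget?"""
    return (1.0 - max_down_hours / total_hours) * 100.0


# Constructed input: the four KPT systems from the card.
KPT_SYSTEMS = {"System 1": 99.50, "System 2": 97.50, "System 3": 98.25, "System 4": 95.25}


if __name__ == "__main__":
    for row in rank_by_downtime(KPT_SYSTEMS):
        print(row)
    print(f"99.9% target needs at most {downtime_hours(99.9):.2f} h/year of downtime")
    print(f"MTBF 2000 h, MTTR 4 h -> {availability_from_mtbf(2000, 4):.4f}% available")
```

Note that reliability as a percentage and availability as a percentage coincide in the card only because downtime is defined as everything that is not uptime; once scheduled maintenance is excluded from one figure and not the other, the two diverge.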
59
59. Which of the following is the most important requirement for a software quality program to work effectively? a. Quality metrics b. Process improvement c. Software reengineering d. Commitment from all parties
59. d. A software quality program should reduce defects, cut service costs, increase customer satisfaction, and increase productivity and revenues. To achieve these goals, commitment by all parties involved is the most important factor. The other three factors such as quality metrics, process improvement, and software reengineering have some merit, but none is sufficient on its own.
60
60. As the information system changes over time, which of the following is required to maintain the baseline configuration? a. Enterprise architecture b. New baselines c. Operating system d. Network topology
60. b. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The other three choices are items of information that the baseline configuration records as part of standard operating procedure, not mechanisms for maintaining it.
61
61. Software quality is not measured by: a. Defect levels b. Customer satisfaction c. Time-to-design d. Continuous process improvement
61. c. Quality is more than just defect levels. It should include customer satisfaction, time-to-market, and a culture committed to continuous process improvement. Time-to-design is not a complete answer because it is a part of time-to-market, where the latter is defined as the total time required for planning, designing, developing, and delivering a product. It is the total time from concept to delivery. These software quality values lead to quality education, process assessments, and customer satisfaction.
62
62. Which of the following responds to security incidents on an emergency basis? a. Tiger team b. White team c. Red team d. Blue team
62. b. A white team is an internal team that initiates actions to respond to security incidents on an emergency basis. Both the red team and blue team perform penetration testing of a system, and the tiger team is an old name for the red team.
63
63. Which of the following is the most important function of software inventory tools in maintaining a consistent baseline configuration? a. Track operating system version numbers. b. Track installed application systems. c. Scan for unauthorized software. d. Maintain current patch levels.
63. c. Software inventory tools scan information systems for unauthorized software, validating what is installed against the official lists of authorized and unauthorized software programs. The other three choices are standard functions of software inventory tools, but they do not by themselves reveal software that should not be present.
64
64. A user’s session auditing activities are performed in consultation with which of the following? a. Internal legal counsel and internal audit b. Consultants and contractors c. Public affairs or media relations d. External law enforcement authorities and previous court cases
64. a. An information system should provide the capability to capture/record, log, and view all the content related to a user’s session in real time. Session auditing activities are developed, integrated, and used with internal legal counsel and internal audit departments. This is because these auditing activities can have legal and audit implications. Consultants and contractors should not be contacted at all. It is too early to talk to the public affairs or media relations within the organization. External law enforcement authorities should be contacted only after the session auditing work is completed and only after there is a discovery of high-risk incidents.
65
65. Regarding access restrictions associated with changes to information systems, which of the following makes it easy to discover unauthorized changes? a. Physical access controls b. Logical access controls c. Change windows d. Software libraries
65. c. Change windows mean that changes may occur only during specified times, so unauthorized changes made outside the window are easy to discover. The other three choices are also examples of access restrictions, but they do not by themselves make unauthorized changes easy to discover.
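The three configuration-management controls from questions 60, 63 and 65 in one added example (written for this page, not code from the original): a drift report against the recorded baseline, an unauthorized-software check against the authorized list, and a change-window check over change-log lines, followed by re-baselining only the approved changes. The baseline, authorized list, inventory and change-log lines are constructed, and the window (Saturday 22:00 to Sunday 02:00 UTC) is an assumed policy.

```python
"""Baseline drift, unauthorized software and change-window checks.

Added example for this page (not from the original). Baseline, authorized
list, inventory and change-log lines are constructed; the change window is
an assumed policy.
"""
from datetime import datetime

# Baseline configuration (name -> version) recorded when the baseline was last set.
BASELINE = {"openssh-server": "9.6p1", "nginx": "1.24.0", "python3": "3.11.2"}

# Authorized-software list for this system class.
AUTHORIZED = {"openssh-server", "nginx", "python3", "curl"}

# Result of a constructed inventory scan taken later.
INVENTORY = {
    "openssh-server": "9.6p1",
    "nginx": "1.25.3",          # version drifted from baseline
    "python3": "3.11.2",
    "curl": "8.5.0",            # authorized but not in baseline
    "nc-traditional": "1.10",   # not authorized at all
}

# Constructed change-log lines: ISO-8601 UTC timestamp, then a description.
CHANGE_LOG = [
    "2024-03-09T22:15:00Z nginx upgraded 1.24.0->1.25.3 ticket=CHG-101",
    "2024-03-12T14:03:00Z nc-traditional installed 1.10 ticket=none",
    "2024-03-10T01:40:00Z curl installed 8.5.0 ticket=CHG-102",
]


def compare_to_baseline(baseline: dict, inventory: dict) -> dict:
    """Drift report: packages added, removed, or at a different version."""
    return {
        "added": sorted(set(inventory) - set(baseline)),
        "removed": sorted(set(baseline) - set(inventory)),
        "changed": sorted(n for n in baseline
                          if n in inventory and inventory[n] != baseline[n]),
    }


def unauthorized_software(inventory: dict, authorized: set) -> list:
    """Anything installed that the authorized list does not permit."""
    return sorted(set(inventory) - authorized)


def in_change_window(ts: datetime) -> bool:
    """Assumed window: Saturday 22:00 through Sunday 02:00 (UTC).
    datetime.weekday(): Monday=0 ... Saturday=5, Sunday=6."""
    sat_night = ts.weekday() == 5 and ts.hour >= 22
    sun_early = ts.weekday() == 6 and ts.hour < 2
    return sat_night or sun_early


def changes_outside_window(log_lines: list) -> list:
    """Return the log lines whose timestamp falls outside the change window."""
    flagged = []
    for line in log_lines:
        stamp, _, _ = line.partition(" ")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        if not in_change_window(ts):
            flagged.append(line)
    return flagged


def new_baseline(baseline: dict, inventory: dict, drift: dict, approved: set) -> dict:
    """Re-baseline (question 60): accept the current inventory only for packages
    whose addition, change or removal was approved; everything else keeps the
    old baseline value until its ticket is resolved."""
    result = dict(baseline)
    for name in drift["added"] + drift["changed"]:
        if name in approved:
            result[name] = inventory[name]
    for name in drift["removed"]:
        if name in approved:
            result.pop(name, None)
    return result


if __name__ == "__main__":
    drift = compare_to_baseline(BASELINE, INVENTORY)
    print("drift:", drift)
    print("unauthorized:", unauthorized_software(INVENTORY, AUTHORIZED))
    print("outside window:", changes_outside_window(CHANGE_LOG))
    print("new baseline:", new_baseline(BASELINE, INVENTORY, drift, {"nginx", "curl"}))
```

In the constructed data, the `nc-traditional` install is caught twice: it is not on the authorized list, and it was logged on a Tuesday afternoon, outside the window. The `nginx` and `curl` changes fall inside the window and carry tickets, so they are the only ones folded into the new baseline.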
66
66. Which of the following is an example of software reliability metrics? a. Number of defects per million lines of source code with comments b. Number of defects per function point c. Number of defects per million lines of source code without comments d. The probability of failure-free operation in a specified time
66. d. Software quality can be expressed in two ways: defect rate and reliability. Software quality means conformance to requirements. If the software contains too many functional defects, the basic requirement of providing the desired function is not met. Defect rate is the number of defects per million lines of source code or per function point. Reliability is expressed as number of failures per “n” hours of operation, mean-time-to failure, or the probability of failure-free operation in a specified time. Reliability metrics deal with probabilities and timeframes.
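The distinction the answer draws, as an added example (written for this page, not from the original): defect rate is a count over a size, so options a and c differ only in the denominator, whereas reliability is a function of operating time. The defect counts, code sizes and failure times are constructed, and the probability of failure-free operation uses the exponential (constant failure rate) model, an assumption the card does not state.

```python
"""Defect-rate versus reliability metrics (question 66).

Added example for this page, not from the original. Defect counts, code sizes
and failure times are constructed. The probability of failure-free operation
assumes a constant failure rate (exponential model).
"""
import math


def defects_per_kloc(defects: int, lines_of_code: int) -> float:
    """Defect density per thousand lines of source code; the caller decides
    whether comment lines are counted, and must say so when reporting."""
    return defects / (lines_of_code / 1000.0)


def defects_per_function_point(defects: int, function_points: float) -> float:
    """Defect density normalised to functional size instead of code size."""
    return defects / function_points


def mttf_hours(failure_times: list, start: float = 0.0) -> float:
    """Mean time to failure from operating-clock times at which failures
    occurred: mean of the intervals since the previous failure (or start)."""
    intervals, previous = [], start
    for t in sorted(failure_times):
        intervals.append(t - previous)
        previous = t
    return sum(intervals) / len(intervals)


def failures_per_n_hours(failure_count: int, observed_hours: float, n: float = 1000.0) -> float:
    """Failure intensity normalised to n operating hours."""
    return failure_count / observed_hours * n


def prob_failure_free(hours: float, mttf: float) -> float:
    """R(t) = exp(-t / MTTF) under the constant-failure-rate assumption."""
    return math.exp(-hours / mttf)


# Constructed measurements for one release.
DEFECTS = 50
LOC_WITH_COMMENTS = 25_000
LOC_WITHOUT_COMMENTS = 20_000
FUNCTION_POINTS = 400
FAILURE_TIMES = [120.0, 410.0, 700.0, 1000.0]   # operating hours at each failure
OBSERVED_HOURS = 1200.0


def report() -> dict:
    mttf = mttf_hours(FAILURE_TIMES)
    return {
        "defects_per_kloc_with_comments": defects_per_kloc(DEFECTS, LOC_WITH_COMMENTS),
        "defects_per_kloc_without_comments": defects_per_kloc(DEFECTS, LOC_WITHOUT_COMMENTS),
        "defects_per_fp": defects_per_function_point(DEFECTS, FUNCTION_POINTS),
        "mttf_hours": mttf,
        "failures_per_1000h": failures_per_n_hours(len(FAILURE_TIMES), OBSERVED_HOURS),
        "p_failure_free_100h": prob_failure_free(100.0, mttf),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value:.4f}")
```

The same 50 defects give 2.0 defects per KLOC when comment lines are counted and 2.5 when they are not, which is why a defect-rate metric is meaningless unless its denominator is stated; the reliability figures change only when the operating time or the failure history changes.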
67
67. From a Clean Room software engineering viewpoint, software quality is certified in terms of: a. Mean-time between failures (MTBF) b. Mean-time-to-failure (MTTF) c. Mean-time-to-repair (MTTR) d. Mean-time between outages (MTBO)
67. b. CleanRoom operations are carried out by small independent development and certification (test) teams. In CleanRoom, all testing is based on anticipated customer usage. Test cases are designed to practice the more frequently used functions. Therefore, errors that are likely to cause frequent failures to the users are found first. For measurement, software quality is certified in terms of mean-time-to failure (MTTF). MTTF is most often used with safety-critical systems such as airline traffic control systems because it measures the time taken for a system to fail for the first time. Mean-time between failures (MTBF) is incorrect because it is the average length of time a system is functional. Mean-time-to-repair (MTTR) is incorrect because it is the total corrective maintenance time divided by the total number of corrective maintenance actions during a given period of time. Mean-time-between outages (MTBO) is incorrect because it is the mean time between equipment failures that result in loss of system continuity or unacceptable degradation.
68
68. In redundant array of independent disks (RAID) technology, which of the following RAID level does not require a hot spare drive or disk? a. RAID3 b. RAID4 c. RAID5 d. RAID6
68. d. A hot spare drive is a physical drive resident on the disk array that is powered and connected but inactive until an active drive fails. The system then automatically replaces the failed drive with the spare and rebuilds the disk array. A hot spare is a hot standby providing a failover mechanism. RAID levels 3 to 5 have only one disk of redundancy, so a second failure before the rebuild completes causes complete failure of the disk array. The RAID6 level has two disks of redundancy, providing greater protection against simultaneous failures. Hence RAID6 does not need a hot spare drive, whereas RAID levels 3 to 5 need a hot spare drive. A RAID6 set without a spare uses the same number of drives (i.e., 4 + 0 spare) as a RAID 3 to 5 set with a hot spare (i.e., 3 + 1 spare) while protecting data against simultaneous failures. Note that a hot spare can be shared by multiple RAID sets. By contrast, a cold spare drive is not resident on the disk array and not connected to the system. Using a cold spare requires a hot swap, which is a physical (manual) replacement of the failed disk with a new disk by the computer operator.
69
69. An example of ill-defined software metrics is which of the following? a. Number of defects per thousand lines of code b. Number of defects over the life of a software product c. Number of customer problems reported to the size of the product d. Number of customer problems reported per user month
69. c. Software defects relate to source code instructions, and problems encountered by users relate to usage of the product. If the numerator and denominator are mixed up, poor metrics result. An example of an ill-defined metric is the metric relating total customer problems to the size of the product, where size is measured in millions of shipped source instructions. This metric has no meaningful relation. On the other hand, the other three choices are examples of meaningful metrics. To improve customer satisfaction, you need to reduce defects and overall problems.
70
70. Which of the following information system component inventory is difficult to monitor? a. Hardware specifications b. Software license information c. Virtual machines d. Network devices
70. c. Virtual machines can be difficult to monitor because they are not visible to the network when not in use. The other three choices are easy to monitor.
71
71. Regarding incident handling, which of the following deceptive measures is used during incidents to represent a honeypot? a. False data flows b. False status measures c. False state indicators d. False production systems
71. d. Honeypot is a fake (false) production system and acts as a decoy to study how attackers do their work. The other three choices are also acceptable deceptive measures, but they do not use honeypots. False data flows include made up (fake) data, not real data. System-status measures include active or inactive parameters. System-state indicators include startup, restart, shutdown, and abort.
72
72. For large software development projects, which of the following models provides greater satisfactory results on software reliability? a. Fault count model b. Mean-time-between-failures model c. Simple ratio model d. Simple regression model
72. a. A fault (defect) is an incorrect step, process, or data definition in a computer program, and the fault count is an indicator of reliability. Fault count models give more satisfactory results than the mean-time-between-failures (MTBF) model because the latter is used for hardware reliability. Simple ratio and simple regression models handle few variables and are used for small projects.
73
73. The objective “To provide management with appropriate visibility into the process being used by the software development project and of the products being built” is addressed by which of the following? a. Software quality assurance management b. Software configuration management c. Software requirements management d. Software project management
73. a. The goals of software quality assurance management include (i) software quality assurance activities are planned, (ii) adherence of software products and activities to the applicable standards, procedures, and requirements is verified objectively, and (iii) noncompliance issues that cannot be resolved are addressed by higher levels of management. The objectives of software configuration management are to establish and maintain the integrity of products of the software project throughout the project’s software life cycle. The objectives of software requirements management are to establish a common understanding between the customer and the software project requirements that will be addressed by the software project. The objectives of software project management are to establish reasonable plans for performing the software engineering activities and for managing the software development project.
74
74. Which of the following identifies required functionality to protect against or mitigate failure of the application software? a. Software safety analysis b. Software hazard analysis c. Software fault tree analysis d. Software sneak circuit analysis
74. a. Software needs to be developed using specific software development and software assurance processes to protect against or mitigate failure of the software. A complete software safety standard references other standards that address these mechanisms and includes a software safety policy identifying required functionality to protect against or mitigate failure. Software hazard analysis is incorrect because it is a part of software safety. Hazard analysis is the process of identifying and evaluating the hazards of a system, and then making change recommendations that either eliminate the hazard or reduce its risk to an acceptable level. Software hazard analysis makes recommendations to eliminate or control software hazards and hazards related to interfaces between the software and the system (including hardware and human components). It includes analyzing the requirements, design, code, user interfaces, and changes. Software hazards may occur if the software is improperly developed (designed), the software dispatches incorrect information, or the software fails to transmit information when it should. Software fault tree analysis is incorrect because its purpose is to demonstrate that the software will not cause a system to reach an unsafe state, and to discover what environmental conditions will allow the system to reach an unsafe state. Software fault tree analysis is often conducted on the program code but can also be applied at other stages of the life cycle (for example, requirements and design). This analysis is not always applied to all the program code, only to the portion that is safety critical. Software sneak analysis is incorrect because it is based on sneak circuit analysis, which is used to evaluate electrical circuitry, hence the name software sneak circuit analysis. Sneaks are latent design conditions or design flaws that have inadvertently been incorporated into electrical, software, and integrated system designs. They are not caused by component failure.
75
75. Which of the following provides an assessment of software design quality? a. Trace system requirements specifications to system requirements in requirements definition documentation. b. Trace design specifications to system requirements and system requirements specifications to design. c. Trace source code to design specifications and design specifications to source code. d. Trace system test cases and test data designs to system requirements.
75. b. The goal is to identify requirements with no design elements (under-design) and design elements with no requirements (over design). It is too early to assess software design quality during system requirements definition. It is too late to assess software design quality during coding. The goal is to identify design elements with no source code and source codes with no design elements. It is too late to assess software design quality during testing.
76
76. When executed incorrectly, which of the following nonlocal maintenance and diagnostic activities can expose an organization to potential risks? a. Using strong authenticators b. Separating the maintenance sessions from other network sessions c. Performing remote disconnect verification feature d. Using physically separated communications paths
76. c. An organization should employ a remote disconnect verification feature at the termination of nonlocal maintenance and diagnostic sessions, confirming that the session and its network connection are actually closed. If this verification is skipped or performed incorrectly, a session believed to be over may still be open, increasing the potential risk of malicious software or intrusions through the ports and protocols left open. The other three choices reduce rather than increase risk exposure. Nonlocal maintenance work is conducted through either an external network (mostly through the Internet) or an internal network.
77
77. Which of the following factors is an important consideration during application system design and development project? a. Software safety b. Completing the project on schedule c. Spending less than budgeted d. Documenting all critical work
77. a. Software safety is important compared to the other three choices because lack of safety considerations in a computer-based application system can cause danger or injury to people and damage to equipment and property.
78
78. A software product has the least impact on: a. Loss of life b. Loss of property c. Loss of physical attributes d. Loss of quality
78. c. Software is an intangible item with no physical attributes such as color and size. Although software is not a physical product, software products have a major impact on life, health, property, safety, and quality of life. Failure of software can have a serious economic impact such as loss of sales, revenues, and profits.
79
79. A dangerous misconception about software quality is that: a. It can be inspected after the system is developed. b. It can be improved by establishing a formal quality assurance function. c. It can be improved by establishing a quality assurance library in the system. d. It is tantamount to testing the software.
79. a. Quality should be designed at the beginning of the software development and maintenance process. Quality cannot be inspected or tested after the system is developed. Most seem to view final testing as quality testing. At best, this is quality control instead of quality assurance, hopefully preventing shipment of a defective product. Quality in the process needs to be improved, and quality assurance is a positive function. A software product displays quality to the extent that all aspects of the customer’s requirements are satisfied. This means that quality is built into the product during its development process rather than inspected at the end. It is too late to inspect the quality when the product is already built. Most assurance is provided when the needs are fully understood, captured, and transformed (designed) into a software product.
80
80. From a security risk viewpoint, the job duties of which one of the following should be fully separated from the others? a. System administrator b. Security administrator c. Computer operator d. System programmer
80. c. Separation of duties is a security principle that divides critical functions among different employees so that no one employee has enough information or access privileges to perpetrate damaging fraud or commit other irregularities such as damaging data and/or programs. The computer operator's job duties should be fully and clearly separated from the others. Risk is concentrated in that one job: if the computer operator's duties are not fully separated from conflicting duties (for example, system administrator, security administrator, or system programmer), the operator could issue privileged commands from the console to the operating system and damage the integrity of the system and its data. In other words, the operator has full access to the computer in terms of running the operating system, application systems, special programs, and utility programs, whereas the others do not have such full access. It is good practice to limit the computer operator's access to systems and their documentation, which would otherwise help the operator understand the inner workings of the systems running on the computer. At the same time, the others' access to the computer systems should be limited to just what their job duties require.
81
81. In maintenance, which of the following is most risky? a. Local maintenance b. Scheduled maintenance c. Nonlocal maintenance d. Unscheduled maintenance
81. c. Nonlocal maintenance work is conducted through either an external network (mostly through the Internet) or an internal network. Because of communicating across a network connection, nonlocal maintenance work is most risky. Local maintenance work is performed without communicating across a network connection. For local maintenance, the vendor brings the hardware and software into the IT facility for diagnostic and repair work, which is less risky. Local or nonlocal maintenance work can be either scheduled or unscheduled.
82
82. The IT operations management of RDS Corporation is concerned about how to increase its data storage capacity to meet its increased growth in business systems. Based on a storage management consultant’s report, the RDS management is planning to install redundant array of independent disks 6 (RAID6), which is a block-level striping with double distributed parity system to meet this growth. If four disks are arranged in RAID6 where each disk has a storage capacity of 250GB, and if space efficiency is computed as [1-(2/n)] where “n” is the number of disks, how much of this capacity is available for data storage purposes? a. 125GB b. 250GB c. 375GB d. 500GB
82. d. The RAID6 storage system can provide a total of 500GB of usable space for data storage purposes. Space efficiency represents the fraction of the sum of the disks' capacities that is available for use.

Space efficiency = [1 − (2/n)] = [1 − (2/4)] = 1 − 0.5 = 0.5
Total available space for data storage = 0.5 × 4 × 250GB = 500GB
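An added example (written for this page, not from the original) serving questions 68 and 82: the capacity function generalizes the card's formula to any number of parity disks (one for RAID 3 to 5, two for RAID6), and a small XOR-parity stripe shows why a single parity disk can rebuild exactly one lost member and not two. The stripe contents are constructed; RAID6's second parity uses a different code (Reed-Solomon) that is not reproduced here.

```python
"""RAID usable capacity and single-parity rebuild (questions 68 and 82).

Added example for this page, not from the original. Space efficiency is
generalised to 1 - p/n with p parity disks (p = 1 for RAID 3-5, p = 2 for
RAID6). The XOR demo uses constructed 8-byte blocks.
"""
from functools import reduce


def usable_capacity_gb(n_disks: int, disk_gb: float, parity_disks: int) -> float:
    """Space efficiency [1 - parity/n] times the total raw capacity."""
    if parity_disks < 0 or n_disks <= parity_disks:
        raise ValueError("need more disks than parity members")
    efficiency = 1.0 - parity_disks / n_disks
    return efficiency * n_disks * disk_gb


def xor_blocks(blocks: list) -> bytes:
    """Bitwise XOR of equal-length byte blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe(data_blocks: list) -> list:
    """Data blocks followed by their XOR parity block (RAID 3/4/5 style)."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe: list) -> list:
    """Reconstruct one missing member (marked None).

    With single parity any one missing block, data or parity, is the XOR of
    all the others. Two missing members are unrecoverable; that is the gap a
    second parity disk (RAID6) or a prompt rebuild onto a hot spare closes.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) > 1:
        raise RuntimeError(f"{len(missing)} members lost; single parity cannot rebuild")
    if not missing:
        return list(stripe)
    present = [b for b in stripe if b is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(present)
    return repaired


def demo() -> dict:
    """Constructed stripe: three data blocks plus parity; lose one, then two."""
    data = [b"sector-0", b"sector-1", b"sector-2"]
    stripe = build_stripe(data)
    lost_one = list(stripe)
    lost_one[1] = None                      # one data member lost
    lost_two = list(stripe)
    lost_two[0] = None
    lost_two[2] = None                      # two members lost at once
    result = {"rebuilt_ok": rebuild(lost_one) == stripe}
    try:
        rebuild(lost_two)
        result["double_failure_recovered"] = True
    except RuntimeError:
        result["double_failure_recovered"] = False
    result["raid6_4x250_gb"] = usable_capacity_gb(4, 250, 2)
    result["raid5_4x250_gb"] = usable_capacity_gb(4, 250, 1)
    return result


if __name__ == "__main__":
    print(demo())
```

For four 250GB disks the function returns 500GB with two parity members (the card's RAID6 answer) and 750GB with one, which is the capacity cost of tolerating a second simultaneous failure without a hot spare.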
83. In redundant array of independent disks (RAID) technology, when two drives or disks have a logical joining, it is called: a. Disk concatenation b. Disk striping c. Disk mirroring d. Disk replication
83. a. Disk concatenation is the logical joining of two series of data or disks. In data concatenation, two or more data elements or data files are joined to provide a unique name or reference. In disk concatenation, several disk address spaces are concatenated to present a single larger address space. The other three choices are incorrect. Disk striping spreads data across more than one disk and more than one partition, and is the same as a disk array. Disk mirroring occurs when a file server contains two physical disks on one channel, and all information is written to both disks simultaneously. Disk replication occurs when data is written to two different disks to ensure that two valid copies of the data are always available.
84. All the following are needed for a timely and emergency maintenance work to reduce the risk to an organization except: a. Maintenance vendor service-level agreement b. Spare parts inventory c. Help-desk staff d. Commercial courier delivery service agreement
84. c. Information system components, when not operational, can result in increased risk to organizations because the security functionality intended by that component is not being provided. Examples of security-critical components include firewalls, hardware/software guards, gateways, intrusion detection and prevention systems, audit repositories, and authentication servers. Organizations need to have a maintenance vendor service-level agreement, a stocked spare parts inventory, and a delivery service agreement with a commercial transportation courier to deliver the required parts on time, which reduces the risk of running out of components and parts. Help-desk staff, whether internal or external, are not needed for all types of maintenance work, whether scheduled or unscheduled, normal or emergency. Their job is to help system users on routine matters (problems and issues) and escalate them to the right party when they cannot resolve these matters.
85. Which of the following is the basis for ensuring software reliability? a. Testing b. Debugging c. Design d. Programming
85. c. The basis for software reliability is design, not testing, debugging, or programming. For example, using the top-down design and development techniques and employing modular design principles, software can be made more reliable than otherwise. Reliability is the degree of confidence that a system will successfully function in a certain environment during a specified time period. Testing is incorrect because its purpose is to validate that the software meets its stated requirements. Debugging is incorrect because its purpose is to detect, locate, and correct faults in a computer program. Programming is incorrect because its purpose is to convert the design specifications into program instructions that the computer can understand.
86. In software configuration management, changes to software should be subjected to which of the following types of testing prior to software release and distribution? a. Black-box testing b. Regression testing c. White-box testing d. Gray-box testing
86. b. Regression testing is a method to ensure that changes to one part of the software system do not adversely impact other parts. The other three choices do not have such capabilities. Black-box testing is a functional analysis of a system, and is known as generalized testing. White-box testing is a structural analysis of a system, and is known as detailed testing or logic testing. Gray-box testing assumes some knowledge of the internal structures and implementation details of the assessment object, and is known as focused testing.
87. Which of the following software quality characteristics is difficult to define and test? a. Functionality b. Reliability c. Usability d. Efficiency
87. c. Usability is a set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or implied set of users. In a way, usability means understandability and ease of use. Because of its subjective nature, varying from person to person, it is hard to define and test. Functionality is incorrect because it can easily be defined and tested. It is a set of attributes that bear on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Reliability is incorrect because it can easily be defined and tested. It is the ability of a component to perform its required functions under stated conditions for a specified period of time. Efficiency is incorrect because it can easily be defined and tested. It is the degree to which a component performs its designated functions with minimum consumption of resources.
88. Portable and removable storage devices should be sanitized to prevent the entry of malicious code to launch: a. Man-in-the-middle attack b. Meet-in-the-middle attack c. Zero-day attack d. Spoofing attack
88. c. Malicious code carried on unsanitized portable and removable storage devices can launch a zero-day attack when the device is connected. The other three attacks are not launched from a storage device. A man-in-the-middle (MitM) attack takes advantage of the store-and-forward mechanism used by insecure networks such as the Internet. A meet-in-the-middle attack is a cryptanalytic attack against double encryption: the attacker encrypts a known plaintext under every candidate first key, decrypts the matching ciphertext under every candidate second key, and looks for a match in the middle, which cuts the work from the product of the two key spaces to roughly their sum. A spoofing attack is an attempt to gain access to a computer system by posing as an authorized user.
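The meet-in-the-middle attack the answer describes, as an added example (not part of the flashcard deck). The block cipher, its 12-bit key size, the sample plaintexts and the secret keys K1 and K2 are all constructed for illustration; the attack itself is the general technique, which applies to any double encryption with independent keys.

```python
"""Meet-in-the-middle attack on a toy double-encryption scheme.

Added example, not from the flashcard deck. The block cipher, key size and
sample keys below are constructed for illustration: a 16-bit block, a 12-bit
key and four rounds of xor / add / rotate, which is invertible but otherwise
meaningless. Encrypting twice with independent keys K1, K2 gives a 24-bit key
space; the attack recovers both keys with about 2 * 2**12 cipher operations
instead of the 2**24 a brute-force search would need.
"""
from collections import defaultdict

MASK = 0xFFFF
KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def enc(key, block):
    """Toy cipher: 4 rounds of xor with a key-derived constant, add, rotate."""
    x = block & MASK
    for i in range(4):
        x ^= (key * (i + 1)) & MASK
        x = (x + 0x1234) & MASK
        x = _rotl(x, 5)
    return x


def dec(key, block):
    """Inverse of enc: undo the rounds in reverse order."""
    x = block & MASK
    for i in reversed(range(4)):
        x = _rotr(x, 5)
        x = (x - 0x1234) & MASK
        x ^= (key * (i + 1)) & MASK
    return x


def double_enc(k1, k2, block):
    return enc(k2, enc(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Forward table: every k1 -> enc(k1, p0). Then decrypt c0 under every k2 and
    look the intermediate value up. Survivors are confirmed on the remaining
    pairs, which weeds out chance matches on the 16-bit middle value.
    """
    p0, c0 = pairs[0]
    middle = defaultdict(list)        # intermediate value -> all k1 producing it
    for k1 in range(KEY_SPACE):
        middle[enc(k1, p0)].append(k1)
    candidates = []
    for k2 in range(KEY_SPACE):
        for k1 in middle.get(dec(k2, c0), ()):
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


# Constructed sample: two known plaintext blocks under secret keys K1, K2.
K1, K2 = 0x3A7, 0xC1E
PLAINTEXTS = [0x4142, 0x4344]
KNOWN_PAIRS = [(p, double_enc(K1, K2, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    found = meet_in_the_middle(KNOWN_PAIRS)
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in found])
```

The table lookup is what turns the problem from a search over key pairs into two searches over single keys; the memory cost (one entry per first-stage key) is the price paid for that time saving, which is why triple encryption with three keys is used in practice rather than double encryption.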
89. Verification is an essential activity in ensuring quality software, and it includes tracing. Which of the following tracing techniques is not often used? a. Forward tracing b. Backward tracing c. Cross tracing d. Ad hoc tracing
89. c. Traceability is the ease of retracing the complete history of a software component from its current status back to its requirements specification. Cross tracing should be used more often because it cuts through functional boundaries, but it is often not performed because it is difficult to execute. The other three choices are often used because of their ease of use. Forward tracing is incorrect because it focuses on matching inputs to outputs to demonstrate their completeness. Similarly, backward tracing is incorrect because it focuses on matching outputs to inputs to demonstrate their completeness. Ad hoc tracing is incorrect because it involves spot-checking of reconcilement procedures to ensure output totals agree with input totals, less any rejects, or spot-checking the accuracy of computer calculations such as interest on deposits, late charges, service charges, and past-due loans. During system development, it is important to verify the backward and forward traceability of the following: (i) user requirements to software requirements, (ii) software requirements to design specifications, (iii) system tests to software requirements, and (iv) acceptance tests to user requirements. Requirements or constraints can also be traced downward and upward because of master-subordinate and predecessor-successor relationships to one another.
90. Which of the following redundant array of independent disks (RAID) data storage systems is used for high-availability systems? a. RAID3 b. RAID4 c. RAID5 d. RAID6
90. d. RAID6 is used for high-availability systems because of its high tolerance for failure. Each RAID level (i.e., RAID0 to RAID6) provides a different balance between increased data reliability through redundancy and increased input/output performance. For example, in levels RAID3 to RAID5, a minimum of three disks is required and one disk's worth of parity provides the fault tolerance mechanism. In RAID6, a minimum of four disks is required and two disks' worth of parity provide fault tolerance. With single-disk fault tolerance, the failure of one disk results in reduced performance of the entire system until the failed disk has been replaced and rebuilt, and a second failure during that rebuild loses data. The double parity (two disks) fault tolerance mechanism gives time to rebuild the array without the data being at risk if a single disk fails before the rebuild is complete. Hence, RAID6 is suitable for high-availability systems because of its stronger fault tolerance mechanism.
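The capacity formula of question 82 and the fault-tolerance comparison of question 90, carried through in code as an added example (not from the flashcard deck). It generalizes the deck's [1 − (2/n)] formula to the other levels the answers name, and encodes the rebuild-window argument as a check; equal-size disks and the textbook parity counts are assumed.

```python
"""RAID usable capacity and fault tolerance by level.

Added example, not from the flashcard deck. It assumes equal-size disks and
the definitions the answers to questions 82 and 90 use: RAID 3, 4 and 5 spend
one disk's worth of space on parity and survive one failure; RAID 6 spends two
and survives two; RAID 1 mirrors every write to all disks; RAID 10 stripes
across mirrored pairs; RAID 0 has no redundancy.
"""

# level -> (minimum disks, disk-equivalents consumed by parity, failures tolerated)
PARITY_LEVELS = {
    0: (2, 0, 0),
    3: (3, 1, 1),
    4: (3, 1, 1),
    5: (3, 1, 1),
    6: (4, 2, 2),
}


def space_efficiency(level, n_disks):
    """Fraction of raw capacity available for data, e.g. RAID 6 -> 1 - 2/n."""
    if level == 1:
        if n_disks < 2:
            raise ValueError("RAID 1 needs at least 2 disks")
        return 1.0 / n_disks          # every disk holds the same data
    if level == 10:
        if n_disks < 4 or n_disks % 2:
            raise ValueError("RAID 10 needs an even number of disks, at least 4")
        return 0.5                    # half the disks are mirrors
    if level not in PARITY_LEVELS:
        raise ValueError(f"unsupported RAID level {level}")
    minimum, parity_disks, _ = PARITY_LEVELS[level]
    if n_disks < minimum:
        raise ValueError(f"RAID {level} needs at least {minimum} disks")
    return 1.0 - parity_disks / n_disks


def usable_capacity_gb(level, n_disks, disk_gb):
    """Total space available for data, in the same unit as disk_gb."""
    return space_efficiency(level, n_disks) * n_disks * disk_gb


def failures_tolerated(level, n_disks):
    """Number of simultaneous disk failures the array is guaranteed to survive."""
    space_efficiency(level, n_disks)  # validates level and disk count
    if level == 1:
        return n_disks - 1
    if level == 10:
        return 1   # more only if the failures land in different mirror pairs
    return PARITY_LEVELS[level][2]


def survives_failure_during_rebuild(level, n_disks):
    """True when a second disk can fail while the first is rebuilding (the
    high-availability property the answer to question 90 attributes to RAID 6)."""
    return failures_tolerated(level, n_disks) >= 2


if __name__ == "__main__":
    for lvl, n in ((5, 4), (6, 4), (10, 4)):
        print(f"RAID {lvl}, {n} x 250 GB: {usable_capacity_gb(lvl, n, 250):.0f} GB usable, "
              f"tolerates {failures_tolerated(lvl, n)} failure(s), "
              f"safe during rebuild: {survives_failure_during_rebuild(lvl, n)}")
```

Running it for the RDS scenario gives 500 GB for RAID6 on four 250 GB disks, against 750 GB for RAID5 on the same disks: the 250 GB difference is the price of surviving a failure during the rebuild window.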
91. Which of the following makes a computer system more reliable? a. N-version programming b. Structured programming c. Defensive programming d. GOTO-less programming
91. c. Defensive or robust programming has several attributes that make a computer system more reliable. The major attribute is that the program anticipates its exception domain (i.e., the errors and failures it can encounter) and handles those conditions when they occur, rather than crashing or corrupting data. N-version programming is based on design or version diversity, meaning different versions of the software are developed independently on the assumption that these versions are independent in their failure behavior. Structured programming and GOTO-less programming are part of robust programming techniques that make programs more readable and maintainable.
92. Which of the following is an example of a static quality attribute of a software product? a. Mean-time-between-failure b. Simplicity in functions c. Mean-time-to-repair d. Resource utilization statistics
92. b. Software quality attributes can be classified as either dynamic or static. Dynamic quality attributes are validated by examining the dynamic behavior of software during its execution. Examples include mean time between failures (MTBF), mean-time-to-repair (MTTR), failure recovery time, and percent of available resources used (i.e., resource utilization statistics). Static quality attributes are validated by inspecting nonexecuting software products and include modularity, simplicity, and completeness. Simplicity looks for straightforward implementation of functions. It is the characteristic of software that ensures definition and implementation of functions in the most direct and understandable manner. Reliability models can be used to predict software reliability (for example, MTBF and MTTR) based on the rate of occurrence of defects and errors. There is a trade-off between complexity and security, meaning that complex systems are difficult to secure whereas simple systems are easy to secure.
93. Auditing an information system is not reliable under which of the following situations? a. When audit records are stored on hardware-enforced, write-once media b. When the user being audited has privileged access c. When the audit activity is performed on a separate system d. When the audit-related privileges are separated from nonaudit privileges
93. b. Auditing an information system is not reliable when performed by the system to which the user being audited has privileged access. This is because the privileged user can inhibit the auditing activity or modify the audit records. The other three choices are control enhancements that reduce the risk of audit compromises by the privileged user.
94. Software quality is based on user needs. Which of the following software quality factors address the user’s need for performance? a. Integrity and survivability b. Verifiability and manageability c. Correctness and interoperability d. Expandability and flexibility
94. c. Correctness asks, “Does it comply with requirements?” whereas interoperability asks, “Does it interface easily?” Quality factors such as efficiency, correctness, safety, and interoperability are part of the performance need. Integrity and survivability are incorrect because they are a part of functional need. Integrity asks, “How secure is it?” whereas survivability asks, “Can it survive during a failure?” Quality factors such as integrity, reliability, survivability, and usability are part of the functional need. Verifiability and manageability are incorrect because they are a part of the management need. Verifiability asks, “Is performance verification easy?” whereas manageability asks, “Is the software easily managed?” Expandability and flexibility are incorrect because they are a part of the changes needed. Expandability asks, “How easy is it to expand?” whereas flexibility asks, “How easy is it to change?”
95. Developing safe software is crucial to prevent loss of life, property damage, or liability. Which of the following practices is least useful to ensuring a safe software product? a. Use high coupling between critical functions and data from noncritical ones. b. Use low data coupling between critical units. c. Implement a fail-safe recovery system. d. Specify and test for unsafe conditions.
95. a. "Critical" may be defined as pertaining to safety, efficiency, and reliability. Each application system needs a clear definition of what "critical" means to it. Software hazard analysis and fault tree analysis can be performed to trace system-level hazards (for example, unsafe conditions) through design or coding structures back to the software requirements that could cause the hazards. Functions and features of software that participate in avoiding unsafe conditions are termed critical. Critical functions and data should be separated from noncritical ones with low coupling, not with high coupling. Avoiding unsafe conditions, or ensuring safe conditions, is achieved by separating the critical units from noncritical units, by low data coupling between critical units, by fail-safe recovery from unsafe conditions when they occur, and by testing for unsafe conditions. Data coupling is the sharing or passing of simple data between system modules via parameter lists. Low data coupling is preferred at interfaces because it is less error prone, which helps ensure a safe product.
96. Developing a superior quality or safe software product requires special attention. Which of the following techniques to achieve superior quality are based on mathematical theory? a. Multiversion software b. Proof-of-correctness c. Software fault tree analysis d. Software reliability models
96. b. Proof-of-correctness (formal verification) involves the use of theoretical and mathematical models to prove the correctness of a program without executing it. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. The other three choices do not use mathematical theory. Multiversion software is incorrect because its goal is to provide high reliability, which is especially useful in applications where failure can cause loss of life or property damage. The approach is to develop more than one version of the same program to minimize the detrimental effect of latent defects on reliability. Software fault tree analysis is incorrect because it identifies and analyzes software safety requirements. It is used to determine possible causes of known hazards. This is done by creating a fault tree whose root is the hazard. The fault tree is expanded until it contains at its lowest level basic events that cannot be further analyzed. Software reliability models are incorrect because they predict the future behavior of a software product, based on its past behavior, usually in terms of failure rates.
97. Predictable failure prevention means protecting an information system from harm by considering which of the following? a. Mean-time-to-repair (MTTR) b. Mean-time-to-failure (MTTF) c. Mean-time between failures (MTBF) d. Mean-time between outages (MTBO)
97. b. MTTF focuses on the potential failure of specific components of the information system that provide security capability. MTTF is the mean time until the next failure. MTTR is the mean time it takes to repair a failed component and resume normal operation. MTBF is the average length of time the system is functional between failures; for a repairable component, MTBF = MTTF + MTTR. MTBO is the mean time between equipment failures that result in a loss of system continuity or unacceptable degradation.
98. Regarding software installation, “All software is checked against a list approved by the organization” refers to which of the following? a. Blacklisting b. Black-box testing c. White-box testing d. Whitelisting
98. d. Whitelisting is a method to control the installation of software by ensuring that all software is checked against a list approved by the organization; anything not on the list is refused. It is a quality control check and is part of software configuration activity. An example of blacklisting is creating a list of electronic-mail senders who have previously sent spam to a user; a blacklist only catches what has already been listed. Black-box testing is a functional analysis of a system, whereas white-box testing is a structural analysis of a system.
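A hash-based implementation of the whitelisting check in the answer, placed beside a blacklist so the difference in behaviour is visible. This is an added example, not part of the flashcard deck; the "binaries" are constructed byte strings and both lists are assumptions.

```python
"""Hash-based application allowlist versus blocklist.

Added example, not from the flashcard deck. The "binaries" are constructed byte
strings and the list contents are assumptions; a real deployment would hash
the installer or executable file and keep the approved list under change
control. The point it demonstrates: an allowlist denies anything unknown,
including a tampered copy of an approved program, while a blocklist only
catches what has already been listed.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Hash a file on disk in chunks (same digest as sha256_hex of its bytes)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed sample binaries (not real executables).
APPROVED_TOOL = b"MZ\x90\x00 constructed approved installer v1.0"
KNOWN_MALWARE = b"MZ\x90\x00 constructed known-bad dropper"
TAMPERED_TOOL = APPROVED_TOOL[:-1] + b"1"   # one byte changed after approval

ALLOWLIST = {sha256_hex(APPROVED_TOOL): "approved-tool 1.0"}   # assumed contents
BLOCKLIST = {sha256_hex(KNOWN_MALWARE): "known dropper"}       # assumed contents


def installation_decision(data, mode, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Return (allowed, reason) for installing `data` under the given policy mode."""
    digest = sha256_hex(data)
    if mode == "allowlist":
        if digest in allowlist:
            return True, f"matches approved entry: {allowlist[digest]}"
        return False, "digest not on the approved list"
    if mode == "blocklist":
        if digest in blocklist:
            return False, f"matches blocked entry: {blocklist[digest]}"
        return True, "digest not on the blocked list"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for name, data in (("approved", APPROVED_TOOL), ("tampered", TAMPERED_TOOL),
                       ("malware", KNOWN_MALWARE)):
        for mode in ("allowlist", "blocklist"):
            print(name, mode, installation_decision(data, mode))
```

The tampered copy is the case worth noticing: a single changed byte gives a different digest, so the allowlist refuses it while the blocklist, which has never seen it, lets it through.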
99. Which of the following is not an example of the defect prevention method in software development and maintenance processes? a. Documented standards b. Cleanroom processes c. Formal technical reviews d. Documentation standards
99. c. Formal technical reviews (for example, inspections and walkthroughs) are used for defect detection, not prevention. If properly conducted, formal technical reviews are the most effective way to uncover and correct errors, especially early in the life cycle, where they are relatively easy and inexpensive to correct. Documented standards are incorrect because they are one example of defect prevention methods. Documented standards should be succinct and possibly placed into a checklist format as a ready application reference. A documented standard also permits audits for adherence and compliance with the approved method. Cleanroom processes are incorrect because they are one example of defect prevention methods. The Cleanroom process consists of (i) defining a set of software increments that combine to form the required system, (ii) using rigorous methods for specification, development, and certification of each increment, (iii) applying strict statistical quality control during the testing process, and (iv) enforcing a strict separation of the specification and design tasks from testing activities. Documentation standards are incorrect because they are one example of defect prevention methods. Standard methods can be applied to the development of requirements and design documents.
100. The scope of formal technical reviews conducted for software defect removal would not include: a. Configuration management specification b. Requirements specification c. Design specification d. Test specification
100. a. The formal technical review is a software quality assurance activity performed by software developers. The objectives of these reviews are to (i) uncover errors in function and logic, (ii) verify that the software under review meets its requirements, and (iii) ensure that the software conforms to the predefined standards. Configuration management specifications are part of the project planning documents, not the technical documents. Their purpose is to establish the processes the project uses to manage the configuration items and changes to them. Program development, quality, and configuration management plans are subject to review but are not directly germane to the subject of defect removal. The other three choices are incorrect because they are technical documents. The subject matter for formal technical reviews includes requirements specifications, detailed design, code, and test specifications. The objectives of reviewing the technical documents are to verify that (i) the work reviewed is traceable to the requirements set forth by the predecessor tasks, (ii) the work is complete, (iii) the work has been completed to standards, and (iv) the work is correct.
101. Patch management is a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls
101. d. Patch management is a part of corrective controls, as it fixes software problems and errors. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment. Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.
102. Locking-based attacks result in which of the following? 1. Denial-of-service 2. Degradation-of-service 3. Destruction-of-service 4. Distribution-of-service a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4
102. a. A locking-based attack holds a critical system resource locked most of the time, releasing it only briefly and occasionally. The result is a slow-running browser that is not actually stopped: degradation of service. Degradation of service is a mild form of denial of service. Destruction of service and distribution of service are not relevant here.
103. Which of the following protects the information confidentiality against a robust keyboard attack? a. Disposal b. Clearing c. Purging d. Destroying
103. b. A keyboard attack is a data scavenging method using resources available to normal system users with the help of advanced software diagnostic tools. Clearing information is the level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Clearing must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction. Purging is removing obsolete data by erasure, by overwriting of storage, or by resetting registers. Destroying is ensuring that media cannot be reused as originally intended.
104. Which of the following is the correct sequence of activities involved in media sanitization? 1. Assess the risk to confidentiality. 2. Determine the future plans for the media. 3. Categorize the information to be disposed of. 4. Assess the nature of the medium on which it is recorded. a. 1, 2, 3, and 4 b. 2, 3, 4, and 1 c. 3, 4, 1, and 2 d. 4, 3, 2, and 1
104. c. An information system user must first categorize the information to be disposed of, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media.
105. All the following are examples of normal backup strategies except: a. Ad hoc backup b. Full backup c. Incremental backup d. Differential backup
105. a. Ad hoc means when needed and irregular. Ad hoc backup is not a well-thought-out strategy because there is no systematic way of backing up required data and programs. A full (normal) backup archives all selected files and marks each as having been backed up (it clears the file's archive attribute). An incremental backup archives only those files created or changed since the last full or incremental backup and marks each file as backed up. A differential backup archives only those files that have been created or changed since the last full backup; it does not mark the files as backed up, so each differential grows until the next full backup. The backups mentioned in the other three choices follow a systematic procedure.
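The three systematic strategies in the answer, simulated with an archive flag so the difference in what each backup set captures, and in what a restore needs, can be checked rather than read. This is an added example, not from the flashcard deck; the file names, versions and change sequence are constructed.

```python
"""Full, incremental and differential backups, simulated with an archive flag.

Added example, not from the flashcard deck. File names, versions and the
modification sequence are constructed. The archive flag models the OS
attribute the answer refers to: set whenever a file is written, cleared by a
full or incremental backup, left alone by a differential backup.
"""


class Catalog:
    """A tiny file system view: name -> {version, archive flag}."""

    def __init__(self, names):
        self.files = {name: {"version": 1, "archive": True} for name in names}

    def modify(self, name):
        self.files[name]["version"] += 1
        self.files[name]["archive"] = True     # the OS sets the flag on write

    def backup(self, kind):
        """Return {name: version} captured by this backup set."""
        if kind == "full":
            chosen = list(self.files)
            clear_flag = True
        elif kind == "incremental":
            chosen = [n for n, f in self.files.items() if f["archive"]]
            clear_flag = True
        elif kind == "differential":
            chosen = [n for n, f in self.files.items() if f["archive"]]
            clear_flag = False                 # flag left set: next differential grows
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        backup_set = {n: self.files[n]["version"] for n in chosen}
        if clear_flag:
            for n in chosen:
                self.files[n]["archive"] = False
        return backup_set


def run_scenario(strategy):
    """Full backup, then two changes each followed by a backup of the given kind."""
    cat = Catalog(["report.doc", "budget.xls", "notes.txt"])
    sets = [cat.backup("full")]
    cat.modify("report.doc")
    sets.append(cat.backup(strategy))
    cat.modify("budget.xls")
    sets.append(cat.backup(strategy))
    return sets


def restore(strategy, sets):
    """Rebuild the latest state: incremental needs the whole chain,
    differential needs only the full backup plus the last differential."""
    chain = sets if strategy == "incremental" else [sets[0], sets[-1]]
    state = {}
    for s in chain:            # later sets overwrite earlier versions
        state.update(s)
    return state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = run_scenario(strategy)
        print(strategy, "sets:", sets)
        print(strategy, "restore:", restore(strategy, sets))
```

The trade-off the answer implies shows up directly: incremental sets stay small but every one of them is needed at restore time (drop one and the restore is silently stale), while differential sets grow but a restore needs only two of them.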
106. Regarding a patch management program, which of the following is not a method of patch remediation? a. Developing a remediation plan b. Installing software patches c. Adjusting configuration settings d. Removing affected software
106. a. Remediation is the act of correcting a vulnerability or eliminating a threat. A remediation plan covers the remediation of one or more threats or vulnerabilities facing an organization's systems, typically listing the options for removing them and the priorities for performing the work. The three types of remediation methods are installing a software patch, adjusting a configuration setting, and removing affected software (which requires uninstalling the software application). Developing a remediation plan does not itself provide remediation: the actions in the plan do, not the plan on paper.
107. For media sanitization, overwriting cannot be used for which of the following? 1. Damaged media 2. Nondamaged media 3. Rewriteable media 4. Non rewriteable media a. 1 only b. 4 only c. 1 or 4 d. 2 or 3
107. c. Overwriting cannot be used for media that are damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable sanitization method.
108. Regarding media sanitization, which of the following is the correct sequence of fully and physically destroying magnetic disks, such as hard drives? 1. Incinerate 2. Disintegrate 3. Pulverize 4. Shred a. 4, 1, 2, and 3 b. 3, 4, 2, and 1 c. 1, 4, 3, and 2 d. 2, 4, 3, and 1
108. d. The correct sequence of fully and physically destroying magnetic disks such as hard drives (for example, advanced technology attachment (ATA) and serial ATA (SATA) hard drives), is disintegrate, shred, pulverize, and incinerate. This is the best recommended practice for both public and private sector organizations. Disintegration is a method of sanitizing media and is the act of separating the equipment into component parts. Here, the disintegration step comes first to make the hard drive inoperable quickly. Shredding is a method of sanitizing media and is the act of cutting or tearing into small particles. Shredding cannot be the first step because it is not practical to do for many companies. Pulverization is a method of sanitizing media and is the act of grinding to a powder or dust. Incineration is a method of sanitizing media and is the act of burning completely to ashes done in a licensed incinerator. Note that one does not need to complete all these methods, but can stop after any specific method and after reaching the final goal based on the sensitivity and criticality of data on the disk.
109. Who initiates audit trails in computer systems? a. Functional users b. System auditors c. System administrators d. Security administrators
109. a. Functional users have the utmost responsibility for initiating audit trails in their computer systems for tracing and accountability purposes. Systems and security administrators help in designing and developing these audit trails. System auditors review the adequacy and completeness of audit trails and issue an opinion on whether they are working effectively. Auditors do not initiate, design, or develop audit trails, because their professional standards require independence in attitude and appearance.
110. The automatic termination and protection of programs when a failure is detected in a computer system are called a: a. Fail-safe b. Fail-soft c. Fail-over d. Fail-open
110. a. The automatic termination and protection of programs when a failure is detected in a computer system is called fail-safe. The selective termination of affected nonessential processing when a failure is detected in a computer system is called fail-soft. Fail-over means switching to a backup mechanism. Fail-open means that when a control fails it defaults to permitting access or traffic (for example, a failed firewall that passes everything through), the opposite of fail-closed or fail-secure, where a failure defaults to denial.
111. An inexpensive security measure is which of the following? a. Firewalls b. Intrusion detection c. Audit trails d. Access controls
111. c. Audit trails provide one of the best and most inexpensive means for tracking possible hacker attacks, not only after attack, but also during the attack. You can learn what the attacker did to enter a computer system, and what he did after entering the system. Audit trails also detect unauthorized but abusive user activity. Firewalls, intrusion detection systems, and access controls are expensive when compared to audit trails.
112. What is the residual physical representation of data that has been in some way erased called? a. Clearing b. Purging c. Data remanence d. Destruction
112. c. Data remanence is the residual physical representation of data that has been in some way erased. After storage media is erased, there may be some physical characteristics that allow the data to be reconstructed, which represents a security threat. Clearing, purging, and destruction are the sanitization methods that address this risk. In clearing and purging, data is removed but the media can be reused. The need for destruction arises when the media reaches the end of its useful life.
113. Which of the following methods used to safeguard against disclosure of sensitive information is effective? a. Degaussing b. Overwriting c. Encryption d. Destruction
113. c. Encryption makes the data unreadable without the proper decryption key. Degaussing is a process whereby the magnetic media is erased, i.e., returned to its initial virgin state. Overwriting is a process whereby unclassified data are written to storage locations that previously held sensitive data. The need for destruction arises when the media reaches the end of its useful life.
114. Magnetic storage media sanitization is important to protect sensitive information. Which of the following is not a general method of purging magnetic storage media? a. Overwriting b. Clearing c. Degaussing d. Destruction
114. b. The removal of information from a storage medium such as a hard disk or tape is called sanitization. Different kinds of sanitization provide different levels of protection. Clearing information means rendering it unrecoverable by keyboard attack, with the data remaining on the storage media. There are three general methods of purging magnetic storage media: overwriting, degaussing, and destruction. Overwriting means obliterating recorded data by writing different data on the same storage surface. Degaussing means applying a varying alternating-current magnetic field to demagnetize magnetic recording media, usually tapes. Destruction means damaging the contents of magnetic media through shredding, burning, or applying chemicals.
115. Which of the following redundant array of independent disks (RAID) technology classifications increases disk overhead? a. RAID-1 b. RAID-2 c. RAID-3 d. RAID-4
115. a. Disk array technology uses several disks in a single logical subsystem. To reduce or eliminate downtime from disk failure, database servers may employ disk shadowing or data mirroring. A disk shadowing, or RAID-1, subsystem includes two physical disks. User data is written to both disks at once. If one disk fails, all the data is immediately available from the other disk. Disk shadowing incurs some performance overhead (during write operations) and increases the cost of the disk subsystem because two disks are required. RAID levels 2 through 4 are more complicated than RAID-1. Each involves storage of data and error correction code information, rather than a shadow copy. Because the error correction data requires less space than the data, the subsystems have lower disk overhead.
116. Indicate the correct sequence of degaussing procedures for magnetic disk files. 1. Write zeros 2. Write a special character 3. Write ones 4. Write nines a. 1, 3, and 2 b. 3, 1, 4, and 2 c. 2, 1, 4, and 3 d. 1, 2, 3, and 4
116. a. Disk files can be sanitized by overwriting three times, with zeros, ones, and a special character, in that order, so that sensitive information is completely deleted. Strictly, this is an overwriting (clearing) procedure rather than degaussing: degaussing, as described in question 114, erases the media magnetically without writing data to it, and overwriting is only effective on media that are undamaged and rewriteable.
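The three-pass overwrite in the answer, carried out on a file with a read-back check after each pass. This is an added example, not from the flashcard deck; the choice of 0xAA as the "special character" and the sample file contents are assumptions. It also records the caveat a practitioner needs: the passes reach the logical file, which on SSDs and on journaling or copy-on-write file systems is not the same as the physical cells that held the data.

```python
"""Three-pass overwrite (zeros, ones, a special character) with read-back
verification.

Added example, not from the flashcard deck. The special character 0xAA and the
sample file contents are assumptions. It overwrites a regular file in place;
it does not degauss anything, and on SSDs, journaling or copy-on-write file
systems the logical overwrite may never reach the physical cells that held the
data, so a device-level secure erase or cryptographic erase is needed there.
"""
import os
import tempfile

PATTERNS = (b"\x00", b"\xff", b"\xaa")   # zeros, then ones, then the special character
CHUNK = 64 * 1024


def overwrite_file(path, patterns=PATTERNS):
    """Overwrite every byte of `path` once per pattern, in order, verifying each pass.
    Returns the number of passes completed; raises if a pass does not read back."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                fh.write(pattern * n)
                left -= n
            fh.flush()
            os.fsync(fh.fileno())           # push the pass to the device before verifying
            fh.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                if fh.read(n) != pattern * n:
                    raise IOError(f"verification failed for pattern {pattern!r}")
                left -= n
    return len(patterns)


def demo():
    """Write a constructed sensitive file, sanitize it, and report what is left:
    (passes completed, original text gone, file holds only the last pattern)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SENSITIVE payroll record 0042\n" * 3000)   # constructed contents
        path = tmp.name
    try:
        passes = overwrite_file(path)
        with open(path, "rb") as fh:
            remaining = fh.read()
        return passes, b"SENSITIVE" not in remaining, remaining == PATTERNS[-1] * len(remaining)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The read-back after each pass is what makes this a verifiable procedure rather than a hopeful one; the fsync matters because without it the verification could be satisfied from the page cache while nothing has reached the disk yet.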
117. Which of the following is the best control to prevent a new user from accessing unauthorized file contents when a newly recorded file is shorter than those previously written to a computer tape? a. Degaussing b. Cleaning c. Certifying d. Overflowing
117. a. If the new file is shorter than the old file, the new user could have open access to the existing file. Degaussing is best used under these conditions and is considered a sound and safe practice. Tape cleaning functions are to clean and then to properly wind and create tension in the computer magnetic tape. Recorded tapes are normally not erased during the cleaning process. Tape certification is performed to detect, count, and locate tape errors and then, if possible, repair the underlying defects so that the tape can be placed back into active status. Overflowing has nothing to do with computer tape contents. Overflowing is a memory or file size issue where contents could be lost due to size limitations.
118
118. Which of the following data integrity problems can be caused by multiple sources? a. Disk failure b. File corruption c. Power failure d. Memory failure
118. b. Hardware malfunction, network failures, human error, logical errors, and other disasters are possible threats to ensuring data integrity. Files can be corrupted as a result of some physical (hardware) or network problems. Files can also become corrupted by some flaw in an application program’s logic. Users can contribute to this problem due to inexperience, accidents, or missed communications. Therefore, most data integrity problems are caused by file corruption. Disk failure is a hardware malfunction caused by physical wear and tear. Power failure is a hardware malfunction that can be minimized by installing power conditioning equipment and battery backup systems. Memory failure is an example of hardware malfunction due to exposure to strong electromagnetic fields. File corruption has many problem sources to consider.
119
119. Which of the following provides network redundancy in a local-area-network (LAN) environment? a. Mirroring b. Shadowing c. Dual backbones d. Journaling
119. c. A backbone is the high-traffic-density connectivity portion of any communications network. Backbones are used to connect servers and other service-providing machines on the network. The use of dual backbones means that if the primary network goes down, the secondary network will carry the traffic. In packet-switched networks, a backbone consists of switches and interswitch trunks. Switched networks can be managed with a network management console; network component failures can be identified on the console and responded to quickly. Many switching devices are built modularly with hot-swappable circuit boards. If a chip fails on a board in the device, it can be replaced relatively quickly just by removing the failed card and sliding in a new one. If switching devices have dual power supplies and battery backups, network uptime can be increased as well. Mirroring, shadowing, and journaling provide data or application system redundancy, not network redundancy. Mirroring refers to copying data as it is written from one device or machine to another. Shadowing is where information is written in two places, one shadowing the other, for extra protection; any changes made will be reflected in both places. Journaling is a chronological description of transactions that have taken place, either locally, centrally, or remotely.
120
120. Which of the following controls prevents a loss of data integrity in a local-area-network (LAN) environment? a. Data mirroring and archiving b. Data correction c. Data vaulting d. Data backup
120. a. Data mirroring refers to copying data as it is written from one device or machine to another. It prevents data loss. Data archiving is where files are removed from network online storage by copying them to long-term storage media such as optical disks, tapes, or cartridges. It prevents accidental deletion of files. Data correction is incorrect because it is an example of a corrective control where bad data is fixed. Data vaulting is incorrect because it is an example of corrective control. It is a way of storing critical data offsite either electronically or manually. Data backup is incorrect because it is an example of corrective control where a compromised system can be restored.
121
121. In general, a fail-over mechanism is an example of which of the following? a. Corrective control b. Preventive control c. Recovery control d. Detective control
121. c. Fail-over mechanism is a backup concept in that when the primary system fails, the backup system is activated. This helps in recovering the system from a failure or disaster.
122
122. Which of the following does not trigger zero-day attacks? a. Malware b. Web browsers c. Zombie programs d. E-mail attachments
122. c. A zombie is a computer program that is installed on a personal computer to cause it to attack other computers. Attackers organize zombies as botnets to launch denial-of-service (DoS) attacks and distributed DoS attacks, not zero-day attacks. The other three choices trigger zero-day attacks. With zero-day (zero-hour) attacks, attackers try to exploit computer application vulnerabilities that are unknown to system owners and system administrators, undisclosed to software vendors, or for which no security fix is available. Malware writers can exploit zero-day vulnerabilities through several different attack vectors to compromise attacked systems or steal confidential data. Web browsers are a major target because of their widespread distribution and usage. Hackers send e-mail attachments to exploit vulnerabilities in the application opening the attachment and send other exploits to take advantage of weaknesses in common file types.
123
123. TEMPEST is used for which of the following? a. To detect electromagnetic disclosures b. To detect electronic dependencies c. To detect electronic destructions d. To detect electromagnetic emanations
123. d. TEMPEST is a short name, not an acronym. It is the study and control of spurious electronic signals emitted by electrical equipment, and the unclassified name for the studies and investigations of compromising electromagnetic emanations from equipment. It is recommended that TEMPEST-shielded equipment be used to prevent compromising emanations.
124
124. Which of the following is an example of directive controls? a. Passwords and firewalls b. Key escrow and software escrow c. Intrusion detection systems and antivirus software d. Policies and standards
124. d. Policies and standards are an example of directive controls. Passwords and firewalls are an example of preventive controls. Key escrow and software escrow are an example of recovery controls. Intrusion detection systems and antivirus software are an example of detective controls.
125
125. Which of the following control terms can be used in a broad sense? a. Administrative controls b. Operational controls c. Technical controls d. Management controls
125. d. Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions. Administrative controls include personnel practices, assignment of responsibilities, and supervision, and are part of management controls. Operational controls are the day-to-day procedures and mechanisms used to protect operational systems and applications; they affect the system and application environment. Technical controls are hardware and software controls used to provide automated protection for the IT system or application; they operate within the technical system and applications.
126
126. A successful incident handling capability should serve which of the following? a. Internal users only b. All computer platforms c. All business units d. Both internal and external users
126. d. The focus of a computer security incident handling capability may be external as well as internal. An incident that affects an organization may also affect its trading partners, contractors, or clients. In addition, an organization’s computer security incident handling capability may help other organizations and, therefore, help protect the industry as a whole.
127
127. Which of the following encourages compliance with IT security policies? a. Use b. Results c. Monitoring d. Reporting
127. c. Monitoring encourages compliance with IT security policies. Results can be used to hold managers accountable for their information security responsibilities. Use for its own sake does not help here. Reporting comes after monitoring.
128
128. Who should measure the effectiveness of security-related controls in an organization? a. Local security specialist b. Business manager c. Systems auditor d. Central security manager
128. c. The effectiveness of security-related controls should be measured by a person fully independent of the information systems department. The systems auditor located within an internal audit department of an organization is the right party to perform such measurement.
129
129. Which of the following corrects faults and returns a system to operation in the event a system component fails? a. Preventive maintenance b. Remedial maintenance c. Hardware maintenance d. Software maintenance
129. b. Remedial maintenance corrects faults and returns the system to operation in the event a hardware or software component fails. Preventive maintenance is incorrect because it is done to keep hardware in good operating condition. Both hardware and software maintenance are included in remedial maintenance.
130
130. Which of the following statements is not true about audit trails from a computer security viewpoint? a. There is interdependency between audit trails and security policy. b. If a user is impersonated, the audit trail establishes events and the identity of the user. c. Audit trails can assist in contingency planning. d. Audit trails can be used to identify breakdowns in logical access controls.
130. b. Audit trails have several benefits. They are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, audit trails collect events and associate them with the perceived user (i.e., the user ID provided). If a user is impersonated, the audit trail establishes events but not the identity of the user. It is true that there is interdependency between audit trails and security policy. Policy dictates who has authorized access to particular system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails. It is true that audit trails can assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files). It is true that audit trails can be used to identify breakdowns in logical access controls. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity by identifying breakdowns in logical access controls or verifying that access control restrictions are behaving as expected.
131
131. Which of the following is a policy-driven storage media? a. Hierarchical storage management b. Tape management c. Direct access storage device d. Optical disk platters
131. a. Hierarchical storage management follows a policy-driven strategy in that the data is migrated from one storage medium to another, based on a set of rules, including how frequently the file is accessed. On the other hand, the management of tapes, direct access storage devices, and optical disks is based on schedules, which is an operational strategy.
132
132. In which of the following types of denial-of-service attacks does a host send many requests with a spoofed source address to a service on an intermediate host? a. Reflector attack b. Amplifier attack c. Distributed attack d. SYN flood attack
132. a. Because the intermediate host unwittingly performs the attack, that host is known as a reflector. During a reflector attack, a denial of service (DoS) could occur to the host at the spoofed address, to the reflector itself, or to both hosts. An amplifier attack does not use a single intermediate host, as the reflector attack does, but a whole network of intermediate hosts, typically by sending to a broadcast address. A distributed attack coordinates attacks among several computers. A SYN (synchronize) flood attack is a stealth attack because the attacker spoofs the source address of the SYN packets, making it difficult to identify the perpetrator.
133
133. Sometimes a combination of controls works better than a single category of control, such as preventive, detective, or corrective. Which of the following is an example of a combination of controls? a. Edit and limit checks, digital signatures, and access controls b. Error reversals, automated error correction, and file recovery c. Edit and limit checks, file recovery, and access controls d. Edit and limit checks, reconciliation, and exception reports
133. c. Edit and limit checks are an example of preventive or detective control, file recovery is an example of corrective control, and access controls are an example of preventive control. A combination of controls is stronger than a single type of control. Edit and limit checks, digital signatures, and access controls are incorrect because they are an example of a preventive control. Preventive controls keep undesirable events from occurring. In a computing environment, preventive controls are accomplished by implementing automated procedures to prohibit unauthorized system access and to force appropriate and consistent action by users. Error reversals, automated error correction, and file recovery are incorrect because they are an example of a corrective control. Corrective controls cause or encourage a desirable event or corrective action to occur after an undesirable event has been detected. This type of control takes effect after the undesirable event has occurred and attempts to reverse the error or correct the mistake. Edit and limit checks, reconciliation, and exception reports are incorrect because they are an example of a detective control. Detective controls identify errors or events that were not prevented and identify undesirable events after they have occurred. Detective controls should identify expected error types, as well as those that are not expected to occur.
134
134. What is an attack in which someone compels system users or administrators into revealing information that can be used to gain access to the system for personal gain called? a. Social engineering b. Electronic trashing c. Electronic piggybacking d. Electronic harassment
134. a. Social engineering involves getting system users or administrators to divulge information about computer systems, including passwords, or to reveal weaknesses in systems. Personal gain involves stealing data and subverting computer systems. Social engineering involves trickery or coercion. Electronic trashing is incorrect because it involves accessing residual data after a file has been deleted. When a file is deleted, it does not actually delete the data but simply rewrites a header record. The data is still there for a skilled person to retrieve and benefit from. Electronic piggybacking is incorrect because it involves gaining unauthorized access to a computer system via another user’s legitimate connection. Electronic harassment is incorrect because it involves sending threatening electronic-mail messages and slandering people on bulletin boards, news groups, and on the Internet. The other three choices do not involve trickery or coercion.
135
135. Indicate the correct sequence in which primary questions must be addressed when an organization is determined to do a security review for fraud. 1. How vulnerable is the organization? 2. How can the organization detect fraud? 3. How would someone go about defrauding the organization? 4. What does the organization have that someone would want to defraud? a. 1, 2, 3, and 4 b. 3, 4, 2, and 1 c. 2, 4, 1, and 3 d. 4, 3, 1, and 2
135. d. The question asks for the sequence in which a fraud review should proceed. First, identify what the organization has that someone would want to defraud, because there must be something of value to others. Next, determine how someone would go about defrauding the organization, then assess how vulnerable the organization is to that scheme, and only then consider how the fraud would be detected. Detection of fraud is least important in this ordering; prevention is most important.
136
136. Which of the following zero-day attack protection mechanisms is not suitable to computing environments with a large number of users? a. Port knocking b. Access control lists c. Local server-based firewalls d. Hardware-based firewalls
136. a. The use of port knocking or single packet authorization daemons can provide effective protection against zero-day attacks for a small number of users. However, these techniques are not suitable for computing environments with a large number of users. The other three choices are effective protection mechanisms because they are part of multiple-layer security, providing the first line of defense. These include implementing access control lists (one layer), restricting network access via local server firewalling (e.g., iptables) as another layer, and protecting the entire network with a hardware-based firewall (another layer). All three of these layers provide redundant protection in case a compromise in any one of them is discovered.
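To make the port-knocking mechanism concrete, here is an added example (not code from the original flashcards) of the per-client state machine a knock daemon keeps: each source address must hit the secret port sequence in order, with each knock arriving within a time window of the previous one, before the protected port is opened for that address. The sequence, the window, the addresses and the timestamps are all assumptions made for the example. The per-source state and the shared secret sequence are also why the approach does not scale to a large user population, and because a plain knock sequence is visible on the wire it can be replayed, which is the gap single packet authorization closes.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock sequence
KNOCK_WINDOW = 10.0                   # assumed max seconds between knocks


class KnockDaemon:
    """Per-source-address state machine for a fixed knock sequence.

    A client must hit KNOCK_SEQUENCE in order, each knock within
    KNOCK_WINDOW seconds of the previous one. A wrong port or a timeout
    resets that client's progress; completing the sequence opens the
    protected port for that source address only.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (index of next expected port, time of last knock)
        self.opened = set()  # sources for which the protected port is open

    def knock(self, src, port, now):
        """Register one knock from `src` on `port` at time `now` (seconds).
        Returns True on the knock that completes the sequence."""
        idx, last = self.progress.get(src, (0, None))
        if last is not None and now - last > self.window:
            idx = 0  # too slow: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1  # wrong port, but it is a valid first knock
        else:
            idx = 0  # wrong port resets the sequence
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, now)
        return False

    def is_open(self, src):
        return src in self.opened

    def tracked_sources(self):
        """Number of clients with in-flight state: this grows with the user
        population, which is the scaling limit the card points out."""
        return len(self.progress)
```

A real daemon would feed `knock()` from a packet capture or firewall log and, on success, insert an allow rule for `src`; the class above isolates the sequence-checking logic so it can be tested on its own.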
137
137. A computer fraud occurred using an online accounts receivable database application system. Which of the following logs is most useful in detecting which data files were accessed from which terminals? a. Database log b. Access control security log c. Telecommunications log d. Application transaction log
137. b. Access control security logs are detective controls. Access logs show who accessed what data files, when, and from what terminal, including the nature of the security violation. The other three choices are incorrect because database logs, telecommunication logs, and application transaction logs do not show who accessed what data files, when, and from what terminal, including the nature of the security violation.
138
138. Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information? a. By a known damage or occurrence b. By a known user identification c. By a known terminal identification d. By a known application system name
138. a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. An audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.
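As an added example covering cards 137 and 138 (not code from the original flashcards), the following parses access-log records of the kind card 137 describes (who accessed which data file, when, from which terminal, in which application, and the outcome) and queries them by the parameters card 138 lists: user ID, terminal ID, application name, and a date/time window. The log format and the log lines are constructed for the example and do not come from any real system.

```python
import re
from datetime import datetime, timezone

# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-05T09:12:01Z user=jsmith terminal=T17 app=AR file=AR_CUSTOMERS action=READ result=OK
2024-03-05T09:12:44Z user=jsmith terminal=T17 app=AR file=AR_INVOICES action=UPDATE result=OK
2024-03-05T09:15:03Z user=mlee terminal=T02 app=GL file=GL_JOURNAL action=READ result=OK
2024-03-05T21:40:19Z user=jsmith terminal=T31 app=AR file=AR_INVOICES action=UPDATE result=OK
2024-03-05T21:41:07Z user=jsmith terminal=T31 app=AR file=AR_PAYMENTS action=DELETE result=DENIED
2024-03-06T08:02:55Z user=mlee terminal=T02 app=AR file=AR_CUSTOMERS action=READ result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) terminal=(?P<terminal>\S+) app=(?P<app>\S+) "
    r"file=(?P<file>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def _to_dt(value):
    """Accept an aware datetime or an ISO-8601 'Z' string."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse lines into dicts. Malformed lines are returned separately rather
    than silently dropped, since a gap in an audit trail is itself a finding."""
    records, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = _to_dt(rec["ts"])
        records.append(rec)
    return records, rejected


def query(records, user=None, terminal=None, app=None, start=None, end=None, result=None):
    """Select records matching every parameter that is given (card 138's
    known user ID, terminal ID, application name, or date/time range)."""
    start = _to_dt(start) if start else None
    end = _to_dt(end) if end else None
    out = []
    for r in records:
        if user and r["user"] != user:
            continue
        if terminal and r["terminal"] != terminal:
            continue
        if app and r["app"] != app:
            continue
        if result and r["result"] != result:
            continue
        if start and r["ts"] < start:
            continue
        if end and r["ts"] >= end:
            continue
        out.append(r)
    return out


def files_accessed(records):
    """Map each data file to the sorted (user, terminal) pairs that touched it,
    which answers card 137's 'which files from which terminals' question."""
    seen = {}
    for r in records:
        seen.setdefault(r["file"], set()).add((r["user"], r["terminal"]))
    return {f: sorted(pairs) for f, pairs in seen.items()}
```

In the sample, the same user updating AR_INVOICES from a second terminal late in the evening and then being denied a DELETE is exactly the pattern a reviewer querying by user ID or by time window would want to surface.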
139
139. Which of the following can prevent dumpster diving? a. Installing surveillance equipment b. Using a data destruction process c. Hiring additional staff to watch data destruction d. Sending an e-mail message to all employees
139. b. Dumpster diving can be avoided by using a high-quality data destruction process on a regular basis. This should include paper shredding and electrical disruption of data on magnetic media such as tape, cartridge, or disk.
140
140. Identify the computer-related crime and fraud method that involves obtaining information that may be left in or around a computer system after the execution of a job. a. Data diddling b. Salami technique c. Scavenging d. Piggybacking
140. c. Scavenging is obtaining information that may be left in or around a computer system after the execution of a job. Data diddling involves changing data before or during input to computers or during output from a computer system. The salami technique is theft of small amounts of assets (primarily money) from a number of sources. Piggybacking can be done physically or electronically. Both methods involve gaining access to a controlled area without authorization.
141
141. An exception-based security report is an example of which of the following? a. Preventive control b. Detective control c. Corrective control d. Directive control
141. c. Detecting an exception in a transaction or process is detective in nature, but reporting it so that it is acted on is, in this classification, an example of a corrective control. Note that question 133 on this page groups exception reports with detective controls; the distinction drawn here is between the detection itself and the report that drives the follow-up action. Preventive and directive controls neither detect nor correct an error; they simply stop it if possible.
142
142. There is a possibility that incompatible functions may be performed by the same individual either in the IT department or in the user department. One compensating control for this situation is the use of: a. Log b. Hash totals c. Batch totals d. Check-digit control
142. a. A log, preferably a computer log, records the actions or inactions of an individual during his access to a computer system or a data file. If any abnormal activities occur, the log can be used to trace them. The purpose of a compensating control is balancing weak controls with strong controls. The other three choices are examples of application system-based specific controls not tied to an individual action, as a log is.
143
143. When an IT auditor becomes reasonably certain about a case of fraud, what should the auditor do next? a. Say nothing now because it should be kept secret. b. Discuss it with the employee suspected of fraud. c. Report it to law enforcement officials. d. Report it to company management.
143. d. In fraud situations, the auditor should proceed with caution. When certain about a fraud, he should report it to company management, not to external organizations. The auditor should not talk to the employee suspected of fraud. When the auditor is not certain about fraud, he should talk to the audit management.
144
144. An effective relationship between risk level and internal control level is which of the following? a. Low risk and strong controls b. High risk and weak controls c. Medium risk and weak controls d. High risk and strong controls
144. d. There is a direct relationship between the risk level and the control level. That is, high-risk situations require stronger controls, low-risk situations require weaker controls, and medium-risk situations require medium controls. A control is defined as the policies, practices, and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events would be prevented or detected and corrected. Controls should facilitate accomplishment of an organization’s objectives.
145
145. Incident handling is not closely related to which of the following? a. Contingency planning b. System support c. System operations d. Strategic planning
145. d. Strategic planning involves long-term and major issues such as management of the computer security program and the management of risks within the organization and is not closely related to the incident handling, which is a minor issue. Incident handling is closely related to contingency planning, system support, and system operations. An incident handling capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.
146
146. In which of the following areas do the objectives of systems auditors and information systems security officers overlap the most? a. Determining the effectiveness of security-related controls b. Evaluating the effectiveness of communicating security policies c. Determining the usefulness of raising security awareness levels d. Assessing the effectiveness of reducing security incidents
146. a. The auditor’s objective is to determine the effectiveness of security-related controls. The auditor reviews documentation and tests security controls. The other three choices are the sole responsibilities of information systems security officers.
147
147. Which of the following security control techniques assists system administrators in protecting computer systems from access by intruders? a. Access control lists b. Host-based authentication c. Centralized security administration d. Keystroke monitoring
147. d. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. It is usually considered a special case of audit trails. Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair any damage they may cause. Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Centralized security administration allows control over information because the ability to make changes resides with few individuals, as opposed to many in a decentralized environment. The other three choices do not protect computer systems from intruders, as does the keystroke monitoring.
148
148. Which of the following is not essential to ensure operational assurance of a computer system? a. System audits b. System changes c. Policies and procedures d. System monitoring
148. b. Security is not perfect when a system is implemented. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare over time, and procedures become outdated. Thinking risk is minimal, users may tend to bypass security measures and procedures. Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively. To maintain operational assurance, organizations use three basic methods: system audits, policies and procedures, and system monitoring. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more real time an activity is, the more it falls into the category of monitoring. Policies and procedures are the backbone for both auditing and monitoring. System changes drive new requirements for changes. In response to various events such as user complaints, availability of new features and services, or the discovery of new threats and vulnerabilities, system managers and users modify the system and incorporate new features, new procedures, and software updates. System changes by themselves do not assure that controls are working properly.
149
149. What is an example of a security policy that can be legally monitored? a. Keystroke monitoring b. Electronic mail monitoring c. Web browser monitoring d. Password monitoring
149. d. Keystroke monitoring, e-mail monitoring, and Web browser monitoring are controversial and intrusive. These kinds of efforts could waste time and other resources due to their legal problems. On the other hand, examples of effective security policy statements include (i) passwords shall not be shared under any circumstances and (ii) password usage and composition will be monitored.
150
150. What is a common security problem? a. Discarded storage media b. Telephone wiretapping c. Intelligence consultants d. Electronic bugs
150. a. Here, the keyword is common, and it is relative. Discarded storage media, such as CDs/DVDs, paper documents, and reports, is a major and common problem in every organization. Telephone wiretapping and electronic bugs require expertise. Intelligence consultants gather a company's proprietary data and business information and government trade strategies.
151
151. When controlling access to information, an audit log provides which of the following? a. Review of security policy b. Marking files for reporting c. Identification of jobs run d. Accountability for actions
151. d. An audit log must be kept and protected so that any actions impacting security can be traced. Accountability can be established with the audit log. The audit log also helps in verifying the other three choices indirectly.
152
152. What is a detective control in a computer operations area? a. Policy b. Log c. Procedure d. Standard
152. b. Logs, whether manual or automated, capture relevant data for further analysis and tracing. Policy, procedure, and standard are directive controls and are part of management controls because they regulate human behavior.
153
153. In terms of security functionality verification, which of the following is the correct order of information system’s transitional states? 1. Startup 2. Restart 3. Shutdown 4. Abort a. 1, 2, 3, and 4 b. 1, 3, 2, and 4 c. 3, 2, 1, and 4 d. 4, 3, 2, and 1
153. b. The correct order of an information system's transitional states is startup, shutdown, restart, and abort. Security function verification is tied to these transitions because the system is in an unstable condition while moving between states; if the restart procedures are not performed correctly or the system runs into technical recovery problems, it has no choice except to abort.
154
154. Which of the following items is not related to the other items? a. Keystroke monitoring b. Penetration testing c. Audit trails d. Telephone wiretap
154. b. Penetration testing is a test in which the evaluators attempt to circumvent the security features of a computer system. It is unrelated to the other three choices. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session; it is considered a special case of audit trails. Some consider keystroke monitoring a special case of unauthorized telephone wiretapping; others do not.
155
155. All the following are tools that help both system intruders and systems administrators except: a. Network discovery tools b. Intrusion detection tools c. Port scanners d. Denial-of-service test tools
155. b. Intrusion detection tools detect computer attacks in several ways: (i) outside of a network’s firewall, (ii) behind a network’s firewall, or (iii) within a network to monitor insider attacks. Network discovery tools and port scanners can be used both by intruders and system administrators to find vulnerable hosts and network services. Similarly, denial-of-service test tools can be used to determine how much damage can be done to a computing site.
156
156. Audit trail records contain vast amounts of data. Which of the following review methods is best to review all records associated with a particular user or application system? a. Batch-mode analysis b. Real-time audit analysis c. Audit trail review after an event d. Periodic review of audit trail data
156. b. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Audit analysis tools can be used in a real-time, or near real-time, fashion. Manual review of audit records in real time is not feasible on large multi-user systems due to the large volume of records generated. However, it might be possible to select all records associated with a particular user or application and view them in real time. Batch-mode analysis is incorrect because it is the traditional method of analyzing audit trails: the audit trail data are reviewed periodically, and audit records are archived during that interval for later analysis. The three incorrect choices do not provide the convenience of displaying or reporting all records associated with a user or application, as real-time audit analysis does.
157
157. Many errors were discovered during application system file maintenance work. What is the best control? a. File labels b. Journaling c. Run-to-run control d. Before and after image reporting
157. d. Before and after image reporting ensures data integrity by reporting data field values both before and after the changes so that functional users can detect data entry and update errors. File labels are incorrect because they verify internal file labels for tapes to ensure that the correct data file is used in the processing. Journaling is incorrect because it captures system transactions on a journal file so that recovery can be made should a system failure occur. Run-to-run control is incorrect because it verifies control totals resulting from one process or cycle to the subsequent process or cycle to ensure their accuracy.
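The before-and-after image report of card 157, as an added example that is not part of the original flashcards: given the record as it stood before a maintenance change and the record after it, the code lists every field whose value changed, with old and new values side by side, and flags changes to fields that file maintenance is not supposed to touch. The customer-record layout, the set of editable fields, and the sample values are assumptions made for the example.

```python
from datetime import datetime, timezone

# Fields a file-maintenance job is allowed to change on a customer master
# record. Assumed policy for the example, not taken from the card.
EDITABLE = {"address", "phone", "credit_limit"}


def before_after_image(before, after, who, when=None):
    """Build a field-level change record for one maintained record.

    Each entry carries the field name, the before image, the after image,
    and whether the field is one maintenance may legitimately change.
    Fields present on only one side are reported with None on the other.
    """
    when = when or datetime.now(timezone.utc)
    changes = []
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            changes.append({"field": field, "before": old, "after": new,
                            "allowed": field in EDITABLE})
    key = before.get("cust_id", after.get("cust_id"))
    return {"key": key, "by": who, "at": when, "changes": changes}


def render(report):
    """Render the report as the lines a functional user would review."""
    lines = ["%s changed by %s at %s" % (report["key"], report["by"], report["at"].isoformat())]
    for c in report["changes"]:
        flag = "" if c["allowed"] else "   <-- NOT PERMITTED"
        lines.append("  %-14s %-24r -> %r%s" % (c["field"], c["before"], c["after"], flag))
    return "\n".join(lines)


def demo():
    """Constructed sample: a maintenance update that also zeroed a balance
    field the job should never have touched."""
    before = {"cust_id": "C1001", "name": "Acme Ltd", "address": "1 Main St",
              "phone": "555-0100", "credit_limit": 5000, "balance": 1200}
    after = {"cust_id": "C1001", "name": "Acme Ltd", "address": "9 High St",
             "phone": "555-0100", "credit_limit": 50000, "balance": 0}
    when = datetime(2024, 3, 5, 9, 12, 44, tzinfo=timezone.utc)
    return before_after_image(before, after, who="jsmith", when=when)
```

Run over a day's maintenance transactions, the rendered lines are what a functional user compares against the source change requests; the extra order of magnitude on the credit limit and the zeroed balance in the sample are the kind of data entry and update errors the report exists to surface.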
158
158. Which of the following is not an example of denial-of-service attacks? a. Flaw-based attacks b. Information attacks c. Flooding attacks d. Distributed attacks
158. b. "Information attack" is not a recognized category of denial-of-service attack; the term is too general to describe one. Flaw-based attacks take advantage of a flaw in the target system's software to cause a processing failure, escalate privileges, or exhaust system resources. Flooding attacks simply send a system more traffic than it can handle. A distributed attack is a subset of denial-of-service (DoS) attacks in which the attacker uses multiple computers to launch the attack and flood the target.
159
159. All the following are examples of technical controls for ensuring information systems security except: a. User identification and authentication b. Assignment of security responsibility c. Access controls d. Data validation controls
159. b. Assignment of security responsibility is a part of management controls. Screening of personnel is another example of management controls. The other three choices are part of technical controls.
160
160. Which of the following individuals or items cause the highest economic loss to organizations using computer-based information systems? a. Dishonest employees b. Disgruntled employees c. Errors and omissions d. Outsiders
160. c. Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Errors can occur during all phases of the system life cycle. Many studies indicate that 65 percent of losses to organizations are the result of errors and omissions followed by dishonest employees (13%), disgruntled employees (6%), and outsiders/hackers (3%).
161
161. Which one of the following situations renders backing up program and data files ineffective? a. When catastrophic accidents happen b. When disruption to the network occurs c. When viruses are timed to activate at a later date d. When backups are performed automatically
161. c. Computer viruses that are timed to activate at a later date can be copied onto the backup media along with the files they infect, so the backup copies are infected as well. This makes the backup copy ineffective, unusable, or risky to restore. Backups are useful and effective (i) in the event of a catastrophic accident, (ii) in case of disruption to the network, and (iii) when they are performed automatically, because automation removes the human error of forgetting or mis-running the backup. The practical consequence of the correct answer is that backup media should be scanned before restoration and several generations retained, so that a copy predating the infection is still available.
162
162. What does an ineffective local-area-network backup strategy include? a. Backing up servers daily b. Securing the backup workstations c. Scheduling backups during regular work hours d. Using file recovery utility programs
162. c. It is not a good operating practice to schedule backups during regular work hours because it interrupts business functions. Backups should be scheduled during off hours to avoid file contention (files that are open when the backup program is scheduled to run may be skipped or copied in an inconsistent state). As the size and complexity of local-area networks (LANs) increase, backups have assumed greater importance, with many options available. It is common practice to back up servers daily, taking additional backups when extensive database changes occur. Securing the backup workstations prevents interruption of backup processes that could result in the loss of backup data. It is a better practice to use the network operating system's file recovery utility for immediate restoration of accidentally deleted files before resorting to the time-consuming process of file recovery from backup tapes.
163
163. Which one of the following types of restores is used when performing system upgrades and reorganizations? a. Full restores b. Individual file restores c. Redirected restores d. Group file restores
163. a. Full restores are used to recover from catastrophic events or when performing system upgrades and system reorganizations and consolidations. All the data on media is fully restored. Individual file restores, by their name, restore the last version of a file that was written to media because it was deleted by accident or ruined. Redirected restores store files on a different location or system than the one they were copied from during the backup operations. Group file restores handle two or more files at a time.
164
164. Which of the following file backup strategies is preferred when a full snapshot of a server is required prior to upgrading it? a. Full backups b. Incremental backups c. Differential backups d. On-demand backups
164. d. On-demand backups are operations done outside of the regular backup schedule. This method is most useful when backing up a few files or directories, or when taking a full snapshot of a server prior to upgrading it. On-demand backups can also serve as a backstop for the regular backup schedule. Full backups are incorrect because they are the scheduled copy of all data files and programs; a brute-force method that buys peace of mind at the expense of valuable time. Incremental backups are incorrect because they copy only the files that have changed since the last backup of any kind: each run is small, but restoring the entire system requires the last full backup plus every incremental backup taken since it, which is inefficient when a complete snapshot is the goal. Differential backups are incorrect because they copy all files that have changed since the last full backup; only two backup sets are needed to restore the entire system, the last full backup and the last differential backup, but neither is a snapshot taken at the moment of the upgrade.
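The trade-off between incremental and differential backups that question 164 turns on is easier to see when the schedules are run against the same file-change history. The following Python simulation is an added illustration, not part of the source deck; the file names, their versions, and the one-backup-per-day schedule are constructed assumptions.

```python
"""Full, incremental and differential backups simulated over a constructed
four-day file-change history, with the restore chain each strategy needs.
Added illustration, not taken from the source deck; file names, versions
and the one-backup-per-day schedule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    mtime: int      # day on which the file was last written (constructed clock)
    content: str


def changed_since(state, day):
    """Files whose last write happened after the backup taken on `day`."""
    return {name: v for name, v in state.items() if v.mtime > day}


def run_schedule(history, strategy):
    """One backup at the end of each day.  Day 0 is always a full backup;
    later days follow `strategy`, 'incremental' or 'differential'.
    history[d] is the complete name -> Version map at the end of day d.
    Returns a list of (day, kind, captured_files)."""
    sets, last_full, last_any = [], -1, -1
    for day, state in enumerate(history):
        if day == 0:
            kind, captured = "full", dict(state)          # snapshot: everything
            last_full = day
        elif strategy == "differential":
            kind, captured = "differential", changed_since(state, last_full)
        elif strategy == "incremental":
            kind, captured = "incremental", changed_since(state, last_any)
        else:
            raise ValueError(strategy)
        last_any = day
        sets.append((day, kind, captured))
    return sets


def restore_chain(sets, target_day):
    """Backup sets that must be read, in order, to rebuild `target_day`.
    Differential: the last full set plus only the latest differential.
    Incremental: the last full set plus every incremental taken after it."""
    full_idx = max(i for i, s in enumerate(sets[: target_day + 1]) if s[1] == "full")
    if sets[target_day][1] == "differential":
        return [sets[full_idx], sets[target_day]]
    return sets[full_idx: target_day + 1]


def restore(chain):
    """Replay the chain oldest-first; later sets overwrite earlier versions.
    Note this cannot express deletions: a file removed after the full backup
    comes back unless the backup catalog also records deletions."""
    files = {}
    for _, _, captured in chain:
        files.update(captured)
    return files


def build_history():
    """Constructed timeline: a changes on days 1 and 3, b changes on day 2."""
    day0 = {"a": Version(0, "a0"), "b": Version(0, "b0"), "c": Version(0, "c0")}
    day1 = dict(day0, a=Version(1, "a1"))
    day2 = dict(day1, b=Version(2, "b1"))
    day3 = dict(day2, a=Version(3, "a2"))
    return [day0, day1, day2, day3]


if __name__ == "__main__":
    hist = build_history()
    for strategy in ("incremental", "differential"):
        sets = run_schedule(hist, strategy)
        chain = restore_chain(sets, 3)
        print(strategy, [sorted(s[2]) for s in sets], "restore reads",
              len(chain), "sets; correct:", restore(chain) == hist[3])
```

Both strategies rebuild the day-3 state exactly, but the incremental restore has to read four sets while the differential restore reads two; the differential sets grow each day because they always measure change against the last full backup.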
165
165. Which one of the following database backup strategies is executed when a database is running in a local-area-network environment? a. Cold backup b. Hot backup c. Logical backup d. Offline backup
165. b. Hot backups are taken while the database is running and updates are still being accepted. They rely on the transaction log: while the backup copies the data files, incoming updates are recorded in the log rather than applied directly, so the tables being copied stay consistent and the logged transactions are applied afterward. The main risk is that transactions held in the log during the backup can be lost if the system crashes before they are applied. A cold backup shuts the database down and copies it while no end users are working on the system. This is the best approach where data integrity is concerned, but it does not serve the end user well. Logical backups use software to extract data from the database and write it to an export file (the data and the statements needed to recreate it, not a block-level image); the logical approach is well suited to incremental backups. Offline backup is another term for cold backup.
166
166. Contrary to best practices, information systems’ security training is usually not given to which of the following parties? a. Information systems security staff b. Functional users c. Computer operations staff d. Corporate internal audit staff
166. c. The information systems’ security training program should be specifically tailored to meet the needs of computer operations staff so that they can deal with problems that have security implications. However, the computer operations staff is usually either taken for granted or completely forgotten from training plans. The information systems’ security staff is provided with periodic training to keep its knowledge current. Functional users will definitely be given training so that they know how to practice security. Corporate internal audit staff is given training because it needs to review the IT security goals, policies, procedures, standards, and practices.
167
167. Which one of the following is a direct example of social engineering from a computer security viewpoint? a. Computer fraud b. Trickery or coercion techniques c. Computer theft d. Computer sabotage
167. b. Social engineering is the process of tricking or coercing people into divulging their passwords or other sensitive information. Computer fraud involves deliberate misrepresentation, alteration, or disclosure of data to obtain something of value. Computer theft involves stealing information, equipment, or software for personal gain. Computer sabotage includes planting a Trojan horse, trapdoor, time bomb, virus, or worm to cause intentional harm or damage. What distinguishes the other three choices is that no trickery or coercion of people is involved.
168
168. A fault-tolerant design feature for large distributed systems considers all the following except: a. Using multiple components to duplicate functionality b. Using duplicated systems in separate locations c. Using modular components d. Providing backup power supplies
168. d. A fault tolerant design should make a system resistant to failure and able to operate continuously. Many ways exist to develop fault tolerance in a system, including using two or more components to duplicate functionality, duplicating systems in separate locations, or using modular components in which failed components can be replaced with new ones. It does not include providing backup power supplies because it is a part of preventive maintenance, which should be used with fault tolerant design. Preventive maintenance measures reduce the likelihood of significant impairment to components.
169
169. The process of degaussing involves which of the following? a. Retrieving all stored information b. Storing all recorded information c. Removing all recorded information d. Archiving all recorded information
169. c. The purpose of degaussing is to remove all recorded information from magnetic media such as tape or hard drive platters. It does this by exposing the media to a strong magnetic field that randomizes the magnetic domains, leaving the media in a fully demagnetized state. Degaussing cannot retrieve, store, or archive information. Two practical caveats: it is ineffective against flash-based media such as solid-state drives, which store data electrically rather than magnetically, and it typically leaves a modern hard drive unusable because the factory-written servo tracks are erased along with the data.
170
170. An audit trail record should include sufficient information to trace a user’s actions and events. Which of the following information in the audit trail record helps the most to determine if the user was a masquerader or the actual person specified? a. The user identification associated with the event b. The date and time associated with the event c. The program used to initiate the event d. The command used to initiate the event
170. b. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. Date and time stamps help most in determining whether the user was a masquerader or the actual person specified: with the date and time, one can check whether that user was actually at work on that day and at that hour. The other three choices are incorrect because a masquerader presenting a stolen user identification (ID) would appear under the legitimate ID, and the programs and commands invoked show what was done rather than who did it. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result.
171
171. Automated tools help in analyzing audit trail data. Which one of the following tools looks for anomalies in user or system behavior? a. Trend analysis tools b. Audit data reduction tools c. Attack signature detection tools d. Audit data-collection tools
171. a. Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Trend analysis and variance detection tools look for anomalies in user or system behavior. Audit data reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups. Attack signature detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example is repeated failed log-in attempts. Audit data-collection tools simply gather data for analysis later.
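Questions 156, 170 and 171 describe four review techniques in prose: filtering the trail to one user, data reduction, attack-signature detection, and variance detection against what is known about the user. The Python below runs all four over a small constructed audit trail. It is an added illustration, not part of the source deck; the record format, the working-hour profiles, the noisy program name and the thresholds are all assumptions.

```python
"""Automated review of a constructed audit trail: data reduction, the
per-user view, attack-signature detection and variance detection.
Added illustration, not from the source deck.  The record format, the
working-hour profiles and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp, user ID, program, command, result.
SAMPLE_LOG = """\
2024-03-04T01:00:02 uid=backup prog=/usr/sbin/backupd cmd=dump result=OK
2024-03-04T01:00:05 uid=backup prog=/usr/sbin/backupd cmd=dump result=OK
2024-03-04T09:02:11 uid=alice prog=/usr/bin/login cmd=login result=OK
2024-03-04T09:30:44 uid=alice prog=/usr/bin/vi cmd=edit result=OK
2024-03-04T10:15:00 uid=bob prog=/usr/bin/login cmd=login result=OK
2024-03-04T23:41:03 uid=alice prog=/usr/bin/login cmd=login result=FAIL
2024-03-04T23:41:09 uid=alice prog=/usr/bin/login cmd=login result=FAIL
2024-03-04T23:41:15 uid=alice prog=/usr/bin/login cmd=login result=FAIL
2024-03-04T23:41:20 uid=alice prog=/usr/bin/login cmd=login result=OK
2024-03-04T23:42:00 uid=alice prog=/usr/bin/scp cmd=copy result=OK
"""

# Assumed working-hour profile per user: hour of day in [start, end).
WORK_HOURS = {"alice": (8, 18), "bob": (8, 18)}
NOISY_PROGRAMS = ("/usr/sbin/backupd",)   # assumed event class to discard


def parse(log_text):
    """Turn each 'ts key=value ...' line into a dict carrying a datetime."""
    records = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records


def reduce_noise(records, drop=NOISY_PROGRAMS):
    """Audit data reduction: strip records of known, uninteresting event
    classes (here the nightly backup) before anyone reads the trail."""
    return [r for r in records if r["prog"] not in drop]


def records_for_user(records, uid):
    """The per-user view of question 156: everything one ID did, in order."""
    return sorted((r for r in records if r["uid"] == uid), key=lambda r: r["ts"])


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Attack-signature detection: `threshold` failed logins for one ID inside
    `window` is the classic signature of a password-guessing attempt."""
    fails = defaultdict(list)
    for r in records:
        if r["cmd"] == "login" and r["result"] == "FAIL":
            fails[r["uid"]].append(r["ts"])
    hits = []
    for uid, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((uid, times[i].isoformat()))
                break                       # one hit per ID is enough to raise
    return hits


def off_hours_activity(records, profiles=WORK_HOURS):
    """Variance detection, and the point behind question 170: the ID in a
    record may be a stolen one, but the timestamp can be compared with when
    that person is actually expected to be working."""
    out = []
    for r in records:
        start, end = profiles.get(r["uid"], (0, 24))
        if not start <= r["ts"].hour < end:
            out.append(r)
    return out


if __name__ == "__main__":
    recs = reduce_noise(parse(SAMPLE_LOG))
    print(len(recs), "records after reduction")
    print("alice:", len(records_for_user(recs, "alice")), "records")
    print("signature hits:", failed_login_bursts(recs))
    print("off-hours:", [(r["uid"], r["ts"].isoformat(), r["cmd"])
                         for r in off_hours_activity(recs)])
```

On this trail the reduction step removes the two backup records, the signature detector fires once on the three failures at 23:41, and the variance check flags every record "alice" generated that night, including the successful login and the copy that followed it, which is what a reviewer would want to see together.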
172
172. Regarding a patch management program, which of the following helps system administrators most in terms of monitoring and remediating IT resources? 1. Supported equipment 2. Supported applications software 3. Unsupported hardware 4. Unsupported operating systems a. 1 only b. 2 only c. 1 and 2 d. 3 and 4
172. d. Here, supported and unsupported refer to whether company management has approved the acquisition, installation, and operation of the hardware and software. System administrators should be taught how to independently monitor and remediate unsupported hardware, operating systems, and application software, because unsupported resources are the ones most exposed to exploitation: non-compliant employees may have purchased and installed them on their own computers, they may be incompatible with the supported systems, and they may lack the required security controls. An inventory of supported resources is still needed so that administrators know which hardware, operating systems, and applications they will be checking for new patches, vulnerabilities, and threats. Note that leaving unsupported systems unpatched can undermine the patching of supported systems, because both coexist on the same computer or network.
173
173. Which of the following is the best action to take when an information system media cannot be sanitized? a. Clearing b. Purging c. Destroying d. Disposal
173. c. Information system media that cannot be sanitized should be destroyed. Destroying ensures that the media cannot be reused as originally intended and that the information is virtually impossible or prohibitively expensive to recover. Sanitization techniques include disposal, clearing, purging, and destruction. Disposal is the act of discarding media by giving up control in a manner short of destruction, and is not strong protection. Clearing is overwriting the information so that the media may be reused. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers; clearing alone would not suffice for purging.
174
174. Regarding a patch management program, which of the following benefits confirm that the remediations have been conducted appropriately? 1. Avoiding an unstable website 2. Avoiding an unusable website 3. Avoiding a security incident 4. Avoiding unplanned downtime a. 1 only b. 2 only c. 1 and 2 d. 3 and 4
174. d. Confirming that remediations have been carried out correctly has clear benefits: it can avert a security incident or unplanned downtime. Choices 1 and 2 describe a delivery problem rather than a benefit of confirmation; if the network or the website is unstable or unusable, central system administrators can send remediation information to local administrators on removable media as a safe alternative to an e-mail list.
175
175. Regarding a patch management program, which of the following should be used when comparing the effectiveness of the security programs of multiple systems? 1. Number of patches needed 2. Number of vulnerabilities found 3. Number of vulnerabilities per computer 4. Number of unapplied patches per computer a. 1 only b. 2 only c. 1 and 2 d. 3 and 4
175. d. Ratios, not absolute numbers, should be used when comparing the effectiveness of the security programs of multiple systems. A ratio such as vulnerabilities per computer normalizes for the number of systems involved, so it reveals more than a raw count and allows a fair comparison between systems of different sizes. Number of patches needed and number of vulnerabilities found are incorrect because they are absolute numbers.
176
176. All the following are examples of denial-of-service attacks except: a. IP address spoofing b. Smurf attack c. SYNflood attack d. Sendmail attack
176. a. IP address spoofing is falsifying the identity of a computer system on a network by forging the source address in the Internet Protocol (IP) packet header. It is not itself a denial-of-service attack because it does not flood the host; it is a technique, and both Smurf and SYN flood attacks use it to hide their origin. Smurf, SYN flood, and sendmail attacks are examples of denial-of-service attacks. A Smurf attack sends ICMP echo requests (pings) to a network broadcast address with the victim's address forged as the source, so every host on that network floods the victim with echo replies. A SYN flood overwhelms a host by sending a high volume of TCP SYN packets requesting connections and never completing the three-way handshake with the SYN-ACK packets the host returns, leaving half-open connections that exhaust the host's connection table. Attacks against sendmail have included remote penetration, local penetration, and remote denial of service.
177
177. Ping-of-death is an example of which of the following? a. Keyboard attack b. Stream attack c. Piggyback attack d. Buffer overflow attack
177. d. The ping-of-death is an example of a buffer overflow attack used for denial of service: an oversized ICMP echo request is sent as IP fragments that reassemble to more than the 65,535-byte maximum IP datagram, overflowing the receiving system's reassembly buffer and causing it to crash or reboot. A keyboard attack is a resource starvation attack in that it consumes system resources (for example, CPU utilization and memory), depriving legitimate users. A stream attack sends TCP packets to a series of ports with random sequence numbers and random source IP addresses, resulting in high CPU usage. In a piggybacking attack, an intruder gains unauthorized access to a system by using a valid user's connection.
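Questions 176 and 177 each name a traffic pattern: many SYNs without completed handshakes, a storm of ICMP echo replies from an amplifier network, and fragments that reassemble past the IP size limit. The Python below classifies a constructed packet summary against those three patterns. It is an added illustration, not part of the source deck; the packet representation, the addresses (documentation ranges) and the thresholds are assumptions, and fragment offsets are expressed in bytes for readability although the real IP header carries them in 8-byte units.

```python
"""Flow-level detection of the three DoS patterns named in questions 176-177
(SYN flood, Smurf, ping-of-death) over a constructed packet summary.
Added illustration, not from the source deck; packet fields, addresses and
thresholds are assumptions."""
from collections import Counter, defaultdict

MAX_IP_DATAGRAM = 65535   # RFC 791 maximum IP total length, in bytes


def tcp(src, dst, dport, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": flags}


def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type}


def frag(src, dst, ip_id, offset, length):
    # offset and length in bytes here (real headers carry offset in 8-byte units)
    return {"proto": "frag", "src": src, "dst": dst, "id": ip_id,
            "offset": offset, "length": length}


def syn_flood_suspects(packets, min_syns=10, max_ack_ratio=0.2):
    """(dst, port) pairs receiving many SYNs from several sources while few
    handshakes complete (the client's final ACK never arrives)."""
    syns, acks, sources = Counter(), Counter(), defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[key] += 1
            sources[key].add(p["src"])
        elif p["flags"] == "A":
            acks[key] += 1
    return sorted(k for k, n in syns.items()
                  if n >= min_syns and acks[k] / n <= max_ack_ratio
                  and len(sources[k]) > 1)


def smurf_victims(packets, min_replies=20):
    """Hosts receiving ICMP echo replies (type 0) from many distinct sources:
    an amplifier network answering a broadcast echo request that carried the
    victim's spoofed address."""
    replies = defaultdict(set)
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 0:
            replies[p["dst"]].add(p["src"])
    return sorted(d for d, s in replies.items() if len(s) >= min_replies)


def oversized_datagrams(packets):
    """Fragment sets whose reassembled size would exceed the IP maximum: the
    ping-of-death condition that overflowed reassembly buffers."""
    end = defaultdict(int)
    for p in packets:
        if p["proto"] == "frag":
            key = (p["src"], p["dst"], p["id"])
            end[key] = max(end[key], p["offset"] + p["length"])
    return sorted(k for k, size in end.items() if size > MAX_IP_DATAGRAM)


def build_sample():
    """Constructed traffic: one spoofed-source SYN flood, three legitimate
    connections, one Smurf reply storm, one oversized ping, one normal ping."""
    pkts = []
    for i in range(40):                                    # SYN flood, 40 sources
        pkts.append(tcp(f"203.0.113.{i}", "10.0.0.5", 80, "S"))
    for _ in range(3):                                     # completed handshakes
        pkts.append(tcp("192.0.2.10", "10.0.0.6", 443, "S"))
        pkts.append(tcp("192.0.2.10", "10.0.0.6", 443, "A"))
    for i in range(30):                                    # Smurf reply storm
        pkts.append(icmp(f"198.51.100.{i}", "10.0.0.7", 0))
    pkts.append(icmp("192.0.2.10", "10.0.0.6", 0))         # a lone echo reply
    for off in range(0, 64000, 8000):                      # ping-of-death fragments
        pkts.append(frag("203.0.113.9", "10.0.0.8", 7, off, 8000))
    pkts.append(frag("203.0.113.9", "10.0.0.8", 7, 65528, 200))   # ends at 65728
    pkts.append(frag("192.0.2.10", "10.0.0.6", 8, 0, 56))          # normal ping
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print("SYN flood targets:", syn_flood_suspects(sample))
    print("Smurf victims:   ", smurf_victims(sample))
    print("oversized pings: ", oversized_datagrams(sample))
```

The legitimate connections are not flagged because their SYN count is low and every SYN is matched by an ACK; the single echo reply to 10.0.0.6 stays below the reply-storm threshold; and the normal 56-byte ping reassembles well under the limit. Note that none of the three detectors needs the true source address, which is the reason spoofing alone (choice a in question 176) is not the attack.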
178
178. Denial-of-service attacks compromise which one of the following properties of information systems? a. Integrity b. Availability c. Confidentiality d. Reliability
178. b. A denial-of-service (DoS) is an attack in which one user takes up so much of the shared resource that none of the resource is left for other users. It compromises the availability of system resources (for example, disk space, CPU, print paper, and modems), resulting in degradation or loss of service. A DoS attack does not affect integrity because the latter is a property that an object is changed only in a specified and authorized manner. A DoS attack does not affect confidentiality because the latter is a property ensuring that data is disclosed only to authorized subjects or users. A DoS attack does not affect reliability because the latter is a property defined as the probability that a given system is performing its mission adequately for a specified period of time under the expected operating conditions.
179
179. Which of the following is the most complex phase of incident response process for malware incidents? a. Preparation b. Detection c. Recovery d. Remediation
179. c. Of all the malware incident-response life-cycle phases, the recovery phase is the most complex. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads, to avoid consuming excessive resources and increasing the damage caused by the incident. Restore addresses bringing systems back to normal operation and hardening them to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage. More tools and technologies are relevant to the recovery phase than to any other phase, and more technologies mean more complexity; the technologies involved and the speed at which malware spreads make recovery harder still. The other three phases, preparation, detection, and remediation, are less complex. The scope of the preparation and prevention phase covers establishing plans, policies, and procedures. The scope of the detection phase covers identifying classes of incidents and defining appropriate actions to take. The scope of the remediation phase covers tracking and documenting security incidents on an ongoing basis to help in forensic analysis and in establishing trends.
180
180. Which of the following determines the system availability rate for a computer-based application system? a. (Available time / scheduled time) x 100 b. [(1 + available time) / (scheduled time)] x 100 c. [(Available time)/(1 – scheduled time)] x 100 d. [(Available time – scheduled time) / (scheduled time)] x 100
180. a. System availability is expressed as the ratio of the hours the system is actually available to users during a given period to the scheduled hours of operation for that period, multiplied by 100 to give a percentage. Scheduled time is the planned hours of operation, and available time is the portion of that time during which the computer system is actually available to users. Overall hours of operation should also allow sufficient time for scheduled maintenance, which is excluded from scheduled time so that planned maintenance does not count as unavailability.
181
181. A computer security incident was detected. Which of the following is the best reaction strategy for management to adopt? a . Protect and preserve b. Protect and recover c. Trap and prosecute d. Pursue and proceed
181. b. If a computer site is vulnerable, management may favor the protect-and-recover reaction strategy because it increases the defenses available to the victim organization and restores normal service to the network's users as quickly as possible. Management can interfere with the intruder's activities, prevent further access, and begin damage assessment. This interference may include shutting down the computer center, closing off access to the network, and initiating recovery efforts. The protect-and-preserve strategy is a part of the protect-and-recover strategy. Law enforcement authorities and prosecutors favor the trap-and-prosecute strategy, which lets intruders continue their activities until the security administrator can identify them; in the meantime there could be system damage or data loss. The pursue-and-proceed strategy is not relevant here.
182
182. A computer security incident handling capability should meet which of the following? a. Users’ requirements b. Auditors’ requirements c. Security requirements d. Safety requirements
182. a. There are a number of start-up costs and funding issues to consider when planning an incident handling capability. Because the success of an incident handling capability relies so heavily on the users’ perceptions of its worth and whether they use it, it is important that the capability meets users’ requirements. Two important funding issues are personnel and education and training.
183
183. Which of the following is not a primary benefit of an incident handling capability? a. Containing the damage b. Repairing the damage c. Preventing the damage d. Preparing for the damage
183. d. The primary benefits of an incident handling capability are containing and repairing damage from incidents and preventing future damage. Preparing for the damage is a secondary and side benefit.
184
184. All the following can co-exist with computer security incident handling except: a. Help-desk function b. System backup schedules c. System development activity d. Risk management process
184. c. System development activity is concerned with designing and constructing a new computer application system, whereas incident handling is needed during the operation of that system. The other three choices coexist naturally with incident handling. For efficiency and cost savings, the incident handling capability is often combined with the user help desk. Backups of system resources are used when recovering from an incident. Similarly, the risk analysis process benefits from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that have been effective in preventing them; this information helps in selecting appropriate security controls and practices.
185
185. Which of the following decreases the response time for computer security incidents? a. Electronic mail b. Physical bulletin board c. Terminal and modem d. Electronic bulletin board
185. a. With computer security incidents, rapid communication is important. The incident team may need to send out security advisories or collect information quickly, so a convenient form of communication such as electronic mail (e-mail) is highly desirable. With e-mail, the team can easily direct information to subgroups within the constituency, such as system managers or network managers, and broadcast general alerts to the entire constituency as needed. When connectivity already exists, e-mail has low overhead and is easy to use. Substitutes for e-mail exist, but they tend to increase response time. An electronic bulletin board system (BBS) can work well for distributing information, especially if it provides a convenient user interface that encourages its use. A BBS connected to a network is more convenient to access than one requiring a terminal and modem, although the latter may be the only alternative for organizations without sufficient network connectivity. Telephones, physical bulletin boards, and flyers can also be used, but they increase response time.
186
186. Which of the following incident response life-cycle phases is most challenging for many organizations? a. Preparation b. Detection c. Recovery d. Reporting
186. b. Detection, for many organizations, is the most challenging aspect of the incident response process. Actually detecting and assessing possible incidents is difficult. Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem is not an easy task. The other three phases such as preparation, recovery, and reporting are not that challenging. The scope of preparation and prevention phase covers establishing plans, policies, and procedures. The scope of recovery phase includes containment, restore, and eradication. The scope of reporting phase involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports.
187
187. Regarding incident response data, nonperformance of which one of the following items makes the other items less important? a. Quality of data b. Review of data c. Standard format for data d. Actionable data
187. b. If the incident response data is not reviewed regularly, the effectiveness of detection and analysis of incidents is questionable. It does not matter whether the data is of high quality with standard format for data, or actionable data. Proper and efficient reviews of incident-related data require people with extensive specialized technical knowledge and experience.
188
188. Which of the following statements about incident management and response is not true? a. Most incidents require containment. b. Containment strategies vary based on the type of incident. c. All incidents need eradication. d. Eradication is performed during recovery for some incidents.
188. c. For some incidents, eradication is either unnecessary or is performed during recovery. Most incidents require containment, so it is important to consider it early in the course of handling each incident. Also, it is true that containment strategies vary based on the type of incident.
189
189. Which of the following is the correct sequence of events taking place in the incident response life cycle process? a. Prevention, detection, preparation, eradication, and recovery b. Detection, response, reporting, recovery, and remediation c. Preparation, containment, analysis, prevention, and detection d. Containment, eradication, recovery, detection, and reporting
189. b. The correct sequence of events in the incident response life cycle is detection, response, reporting, recovery, and remediation. Although the sequence starts with detection, some underlying activities must be in place before detection is possible. These prior activities are preparation and prevention, which address plans, policies, procedures, resources, support, metrics, patch management processes, host hardening measures, and proper configuration of the network perimeter. Detection uses automated capabilities (for example, log analyzers) and manual capabilities (for example, user reports) to identify incidents. Response involves security staff offering advice and assistance to system users for the handling and reporting of security incidents (for example, help desk or forensic services). Reporting involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads, to avoid consuming excessive resources and increasing the damage caused by the incident. Restore addresses bringing systems back to normal operation and hardening them to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage. Remediation involves tracking and documenting security incidents on an ongoing basis.
190
190. Which of the following is not a recovery action after a computer security incident was contained? a. Rebuilding systems from scratch b. Changing passwords c. Preserving the evidence d. Installing patches
190. c. Preserving the evidence is part of the containment strategy and is a legal matter rather than a recovery action. The other three choices are recovery actions: in recovery, administrators restore systems to normal operation and harden them to prevent similar incidents, which includes rebuilding systems from scratch, changing passwords, and installing patches.
191
191. Contrary to best practices, which of the following parties is usually not notified at all or is notified last when a computer security incident occurs? a. System administrator b. Legal counsel c. Disaster recovery coordinator d. Hardware and software vendors
191. b. The first part of a response mechanism is notification, whether automatic or manual. Besides technical staff, several other parties must be notified, depending on the nature and scope of the incident. Unfortunately, legal counsel is often not notified at all, or is notified last, in the belief that its involvement is not required.
192
192. Which of the following is not a viable option in the event of an audit processing failure or audit storage capacity being reached? a. Shut down the information system. b. Overwrite the oldest-audit records. c. Stop generating the audit records. d. Continue processing after notification.
192. d. In the event of an audit processing failure or audit storage capacity being reached, the information system alerts appropriate management officials and takes additional actions such as shutting down the system, overwriting the oldest-audit records, and stopping the generation of audit records. It should not continue processing, either with or without notification because the audit-related data would be lost.
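Question 192 lists the three viable responses to exhausted audit storage and rules out silently continuing. The Python below models an audit store that alerts once and then takes the configured action, so the choice is explicit and the number of lost records is measurable afterward. It is an added illustration, not part of the source deck; the capacity, the record format and the alert callback are assumptions.

```python
"""What an audit subsystem does when storage is exhausted: alert, then take
one of the three viable actions from question 192 rather than silently
continuing.  Added illustration, not from the source deck; the capacity,
record format and alert callback are assumptions."""
from collections import deque
from enum import Enum


class FullAction(Enum):
    HALT = "halt"              # shut the information system down
    OVERWRITE = "overwrite"    # overwrite the oldest audit records
    SUSPEND = "suspend"        # stop generating audit records


class AuditStorageFull(Exception):
    """Raised under HALT; the caller must stop processing."""


class AuditLog:
    def __init__(self, capacity, action, alert):
        self.capacity = capacity
        self.action = action
        self.alert = alert               # callable that notifies officials
        self.records = deque()
        self.suspended = False
        self.dropped = 0                 # records lost, so the gap is measurable
        self.alerted = False

    def write(self, record):
        """Store one record.  Returns True if it was kept."""
        if self.suspended:
            self.dropped += 1
            return False
        if len(self.records) < self.capacity:
            self.records.append(record)
            return True
        if not self.alerted:             # notify once, before acting
            self.alert(f"audit storage full at {self.capacity} records; "
                       f"action={self.action.value}")
            self.alerted = True
        if self.action is FullAction.HALT:
            raise AuditStorageFull(record)
        if self.action is FullAction.OVERWRITE:
            self.records.popleft()       # oldest record is sacrificed
            self.dropped += 1
            self.records.append(record)
            return True
        self.suspended = True            # SUSPEND: system runs on, auditing does not
        self.dropped += 1
        return False


def simulate(action, capacity=10, events=12):
    """Feed `events` records into a log of `capacity` and report the outcome."""
    alerts = []
    log = AuditLog(capacity, action, alerts.append)
    accepted, halted_at = 0, None
    try:
        for i in range(events):
            accepted += log.write(f"event-{i}")
    except AuditStorageFull as exc:
        halted_at = str(exc)
    return {"stored": list(log.records), "accepted": accepted,
            "dropped": log.dropped, "alerts": len(alerts), "halted_at": halted_at}


if __name__ == "__main__":
    for action in FullAction:
        r = simulate(action)
        print(f"{action.value:9} stored={len(r['stored'])} dropped={r['dropped']} "
              f"alerts={r['alerts']} halted_at={r['halted_at']}")
```

Under every action the alert fires exactly once and the dropped count records what was lost; what differs is whether the two records that do not fit cost the oldest records (OVERWRITE), the newest ones (SUSPEND), or the system's availability (HALT). Linux auditd makes the same choice through the `space_left_action`, `admin_space_left_action` and `disk_full_action` settings in auditd.conf, whose values include syslog, suspend, single and halt.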
193
193. Which of the following surveillance techniques is passive in nature? a. Audit logs b. Keyboard monitoring c. Network sniffing d. Online monitoring
193. a. Audit logs collect data passively on computer journals or files for later review and analysis followed by action. The other three choices are examples of active surveillance techniques where electronic (online) monitoring is done for immediate review and analysis followed by action.
194
194. A good computer security incident handling capability is closely linked to which of the following? a. Systems software b. Applications software c. Training and awareness program d. Help desk
194. c. A good incident handling capability is closely linked to an organization’s training and awareness program. It will have educated users about such incidents so users know what to do when they occur. This can increase the likelihood that incidents will be reported early, thus helping to minimize damage. The help desk is a tool to handle incidents. Intruders can use both systems software and applications software to create security incidents.
195. System users seldom consider which of the following? a. Internet security b. Residual data security c. Network security d. Application system security
195. b. System users seldom consider residual data security as part of their job duties because they think it is the job of computer operations or information security staff. Residual data security refers to data remanence, where corporate spies can scavenge discarded magnetic or paper media to gain access to valuable data. Both system users and system managers usually consider the measures mentioned in the other three choices.
196. Which of the following is not a special privileged user? a. System administrator b. Business end-user c. Security administrator d. Computer operator
196. b. A special privileged user is defined as an individual who has access to system control, monitoring, or administration functions. A business end-user is a normal system user performing the day-to-day and routine tasks required by his job duties, and should not have the special privileges that a system administrator, security administrator, computer operator, system programmer, system maintainer, network administrator, or desktop administrator has. Privileged users have access to a set of access rights on a given system. Privileged access to privileged functions should be limited to only a few individuals in the IT department and should not be given to or shared with business end-users, who are many.
197. Which of the following is the major consideration when an organization gives its incident response work to an outsourcer? a. Division of responsibilities b. Handling incidents at multiple locations c. Current and future quality of work d. Lack of organization-specific knowledge
197. c. The quality of the outsourcer’s work remains an important consideration. Organizations should consider not only the current quality of work, but also the outsourcer’s efforts to ensure the quality of future work, which are the major considerations. Organizations should think about how they could audit or otherwise objectively assess the quality of the outsourcer’s work. Lack of organization-specific knowledge will be reflected in the current and future quality of work. The other three choices are minor considerations and are a part of the major considerations.
198. The incident response team should work with which of the following when attempting to contain, eradicate, and recover from large-scale incidents? a. Advisory distribution team b. Vulnerability assessment team c. Technology watch team d. Patch management team
198. d. Patch management staff work is separate from that of the incident response staff. Effective communication channels between the patch management team and the incident response team are likely to improve the success of a patch management program when containing, eradicating, and recovering from large-scale incidents. The activities listed in the other choices are the responsibility of the incident response team.
199. Which of the following is the foundation of the incident response program? a. Incident response policies b. Incident response procedures c. Incident response standards d. Incident response guidelines
199. a. The incident response policies are the foundation of the incident response program. They define which events are considered as incidents, establish the organizational structure for the incident response program, define roles and responsibilities, and list the requirements for reporting incidents.
200. All the following can increase an information system’s resilience except: a. A system achieves a secure initial state. b. A system reaches a secure failure state after failure. c. A system’s recovery procedures take the system to a known secure state after failure. d. All of a system’s identified vulnerabilities are fixed.
200. d. There are vulnerabilities in a system that cannot be fixed, those that have not yet been fixed, those that are not known, and those that are not practical to fix due to operational constraints. Therefore, a statement that “all of a system’s identified vulnerabilities are fixed” is not correct. The other three choices can increase a system’s resilience.
201. Media sanitization ensures which of the following? a. Data integrity b. Data confidentiality c. Data availability d. Data accountability
201. b. Media sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance, in proportion to the confidentiality of the data, that the data may not be retrieved and reconstructed. The other three choices are not relevant here.
202. Regarding media sanitization, degaussing is the same as: a. Incinerating b. Melting c. Demagnetizing d. Smelting
202. c. Degaussing reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. It is also called demagnetizing.
203. Regarding media sanitization, what is residual information remaining on storage media after clearing called? a. Residue b. Remanence c. Leftover data d. Leftover information
203. b. Remanence is residual information remaining on storage media after clearing. Choice (a) is incorrect because residue is data left in storage after information-processing operations are complete but before degaussing or overwriting (clearing) has taken place. Leftover data and leftover information are too general as terms to be of any use here.
204. What is the security goal of the media sanitization requiring an overwriting process? a. To replace random data with written data. b. To replace test data with written data. c. To replace written data with random data. d. To replace written data with statistical data.
204. c. The security goal of the overwriting process is to replace written data with random data. The process may include overwriting not only the logical storage of a file (for example, file allocation table) but also may include all addressable locations.
205. Which of the following protects the confidentiality of information against a laboratory attack? a. Disposal b. Clearing c. Purging d. Disinfecting
205. c. A laboratory attack is a data scavenging method through the aid of what could be precise or elaborate and powerful equipment. This attack involves using signal-processing equipment and specially trained personnel. Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack and renders the sanitized data unrecoverable. This is accomplished through the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction, and is not a strong protection. Clearing is the overwriting of classified information such that the media may be reused. Clearing media would not suffice for purging. Disinfecting is a process of removing malware within a file.
206. Computer fraud is increased when: a. Employees are not trained. b. Documentation is not available. c. Audit trails are not available. d. Employee performance appraisals are not given.
206. c. Audit trails indicate what actions are taken by the system. A system that has adequate and clear audit trails deters fraud perpetrators through fear of getting caught. For example, the fact that employees are trained, documentation is available, and employee performance appraisals are given (preventive measures) does not necessarily mean that employees act with due diligence at all times. Hence, the availability of audit trails (detection measures) is very important because they provide concrete evidence of actions and inactions.
207. Which of the following is not a prerequisite for system monitoring? a. System logs and audit trails b. Software patches and fixes c. Exception reports d. Security policies and procedures
207. c. Exception reports are the result of a system monitoring activity. Deviations from standards or policies will be shown in exception reports. The other three choices are needed before the monitoring process starts.
208. What is the selective termination of affected nonessential processing when a failure is detected in a computer system called? a. Fail-safe b. Fail-soft c. Fail-over d. Fail-under
208. b. The selective termination of affected nonessential processing when a failure is detected in a computer system is called fail-soft. The automatic termination and protection of programs when a failure is detected in a computer system is called a fail-safe. Fail-over means switching to a backup mechanism. Fail-under is a meaningless phrase.
209. An audit trail is an example of which of the following? a. Recovery control b. Corrective control c. Preventive control d. Detective control
209. d. Audit trails show an attacker’s actions after detection; hence they are an example of detective controls. Recovery controls facilitate the recovery of lost or damaged files. Corrective controls fix a problem or an error. Preventive controls do not detect or correct an error; they simply stop it if possible.
210. From a best security practices viewpoint, which of the following falls under the ounce-of-prevention category? a. Patch and vulnerability management b. Incident response c. Symmetric cryptography d. Key rollover
210. a. It has been said that “An ounce of prevention equals a pound of cure.” Patch and vulnerability management is the “ounce of prevention” compared to the “pound of cure” in the incident response, in that timely patches to software reduce the chances of computer incidents. Symmetric cryptography uses the same key for both encryption and decryption, whereas asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. Key rollover is the process of generating and using a new key (symmetric or asymmetric key pair) to replace one already in use.
211. Which of the following must be manually keyed into an automated IT resources inventory tool used in patch management to respond quickly and effectively? a. Connected network port b. Physical location c. Software configuration d. Hardware configuration
211. b. Although most information can be taken automatically from the system data, the physical location of an IT resource must be manually entered. Connected network port numbers can be taken automatically from the system data. Software and hardware configuration information can be taken automatically from the system data.
212. Regarding a patch management program, which of the following is not an example of a threat? a. Exploit scripts b. Worms c. Software flaws d. Viruses
212. c. Software flaw vulnerabilities cause a weakness in the security of a system. Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Threats usually take the form of exploit scripts, worms, viruses, rootkits, exploits, and Trojan horses.
213. Regarding a patch management program, which of the following does not always return the system to its previous state? a. Disable b. Uninstall c. Enable d. Install
213. b. There are many options available to a system administrator in remediation testing. The ability to “undo” or uninstall a patch should be considered; however, even when this option is provided, the uninstall process does not always return the system to its previous state. Disable temporarily disconnects a service. Enable or install is not relevant here.
214. Regarding media sanitization, degaussing is not effective for which of the following? a. Nonmagnetic media b. Damaged media c. Media with large storage capacity d. Quickly purging diskettes
214. a. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. It is not effective for purging nonmagnetic media (i.e., optical media), such as compact discs (CD) and digital versatile discs (DVD). However, degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes.
215. Which of the following is the ultimate form of media sanitization? a. Disposal b. Clearing c. Purging d. Destroying
215. d. Media destruction is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended, and recovering information from that media is virtually impossible or prohibitively expensive. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverization, shredding, melting, sanding, and chemical treatment.
216. Organizations that outsource media sanitization work should exercise: a. Due process b. Due law c. Due care d. Due diligence
216. d. Organizations can outsource media sanitization and destruction if business and security management decide this would be the most reasonable option for maintaining confidentiality while optimizing available resources. When choosing this option, organizations exercise due diligence when entering into a contract with another party engaged in media sanitization. Due diligence requires organizations to develop and implement an effective security program to prevent and detect violation of policies and laws. Due process means each person is given an equal and a fair chance of being represented or heard and that everybody goes through the same process for consideration and approval. It means all are equal in the eyes of the law. Due law covers due process and due care. Due care means reasonable care in promoting the common good and maintaining the minimal and customary practices.
217. Redundant arrays of independent disks (RAID) provide which of the following security services most? a. Data confidentiality b. Data reliability c. Data availability d. Data integrity
217. b. Forensic investigators are encountering redundant arrays of independent disks (RAID) systems with increasing frequency as businesses elect to utilize systems that provide greater data reliability. RAID provides data confidentiality, data availability, and data integrity security services to a lesser degree than data reliability.
218. The fraud triangle includes which of the following elements? a. Pressure, opportunity, and rationalization b. Technique, target, and time c. Intent, means, and environment d. Place, ability, and need
218. a. Pressure includes financial and nonfinancial types, and it could be real or perceived. Opportunity includes real or perceived categories in terms of time and place. Rationalization means the illegal actions are consistent with the perpetrator’s personal code of conduct or state of mind.
219. When a system preserves a secure state during and after a failure, this is called a: a. System failure b. Fail-secure c. Fail-access d. System fault
219. b. In fail-secure, the system preserves a secure condition during and after an identified failure. System failure and fault are generic and do not preserve a secure condition like fail-secure. Fail-access is a meaningless term here.
220. Fault-tolerant systems provide which of the following security services? a. Confidentiality and integrity b. Integrity and availability c. Availability and accountability d. Accountability and confidentiality
220. b. The goal of fault-tolerant systems is to detect and correct a fault and to maintain the availability of a computer system. Fault-tolerant systems play an important role in maintaining high data and system integrity and in ensuring high availability of systems. Examples include disk mirroring and server mirroring techniques.
221. What do fault-tolerant hardware control devices include? a. Disk duplexing and mirroring b. Server consolidation c. LAN consolidation d. Disk distribution
221. a. Disk duplexing means that the disk controller is duplicated. When one disk controller fails, the other one is ready to operate. Disk mirroring means the file server contains duplicate disks, and that all information is written to both disks simultaneously. Server consolidation, local-area network (LAN) consolidation, and disk distribution are meaningless to fault tolerance, although they may have their own uses.
222. Performing automated deployment of patches is difficult for which of the following? a. Homogeneous computing platforms b. Legacy systems c. Standardized desktop systems d. Similarly configured servers
222. b. Manual patching is useful and necessary for many legacy and specialized systems due to their nature. Automated patching tools allow an administrator to update hundreds or even thousands of systems from a single console. Deployment is fairly simple when there are homogeneous computing platforms, with standardized desktop systems, and similarly configured servers.
223. Regarding media sanitization, degaussing is an acceptable method for which of the following? a. Disposal b. Clearing c. Purging d. Disinfecting
223. c. Degaussing is demagnetizing magnetic media to remove magnetic memory and to erase the contents of media. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. Thus, degaussing and executing the firmware Secure Purge command (for serial advanced technology attachment (SATA) drives only) are acceptable methods for purging. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction and is not a strong protection. Clearing is the overwriting of classified information such that the media may be reused. Clearing media would not suffice for purging. Disinfecting is a process of removing malware within a file.
224. Regarding a patch management program, which of the following should be done before performing the patch remediation? a. Test on a nonproduction system. b. Check software for proper operation. c. Conduct a full backup of the system. d. Consider all implementation differences.
224. c. Before performing the remediation, the system administrator may want to conduct a full backup of the system to be patched. This allows for a timely system restoration to its previous state if the patch has an unintended or unexpected impact on the host. The other three choices are part of the patch remediation testing procedures.
225. Regarding a patch management program, an experienced administrator or security officer should perform which of the following? a. Test file settings. b. Test configuration settings. c. Review patch logs. d. Conduct exploit tests.
225. d. Conducting an exploit test means performing a penetration test to exploit the vulnerability. Only an experienced administrator or security officer should perform exploit tests because this involves launching actual attacks within a network or on a host. Generally, this type of testing should be performed only on nonproduction equipment and only for certain vulnerabilities. Only qualified staff who are thoroughly aware of the risk and who are fully trained should conduct the tests. Testing file settings, testing configuration settings, and reviewing patch logs are routine tasks a less experienced administrator or security officer can perform.
1. Which of the following best describes operations security? A. Continual vigilance about hacker activity and possible vulnerabilities B. Enforcing access control and physical security C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection D. Doing strategy planning to develop a secure environment and then implementing it properly
1. C. All of these are necessary security activities and procedures—they just don’t all fall under the operations umbrella. Operations is about keeping production up and running in a healthy and secure manner. Operations is not usually the entity that carries out strategic planning. It works at an operational, day-to-day level, not at the higher strategic level.
2. Which of the following describes why operations security is important? A. An environment continually changes and has the potential of lowering its level of protection. B. It helps an environment be functionally sound and productive. C. It ensures there will be no unauthorized access to the facility or its resources. D. It continually raises a company’s level of protection.
2. A. This is the best answer because operations has the goal of keeping everything running smoothly each and every day. Operations implements new software and hardware and carries out the necessary security tasks passed down to it. As the environment changes and security is kept in the loop with these changes, there is a smaller likelihood of opening up vulnerabilities.
4. Why should employers make sure employees take their vacations? A. They have a legal obligation. B. It is part of due diligence. C. It is a way for fraud to be uncovered. D. To ensure the employee does not get burnt out.
4. C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing employees to take vacations means that someone else has to do that person’s job and can possibly uncover any misdeeds.
3. What is the difference between due care and due diligence? A. Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations. B. Due care and due diligence are in contrast to the “prudent person” concept. C. They mean the same thing. D. Due diligence involves investigating the risks, while due care involves carrying out the necessary steps to mitigate these risks.
3. D. Due care and due diligence are legal terms that do not just pertain to security. Due diligence involves going through the necessary steps to know what a company’s or individual’s actual risks are, while due care involves carrying out responsible actions to reduce those risks. These concepts correspond with the “prudent person” concept.
5. Which of the following best describes separation of duties and job rotation? A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone. B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position. C. They are the same thing, but with different titles. D. They are administrative controls that enforce access control and protect the company’s resources.
5. B. Rotation of duties enables a company to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone.
6. If a programmer is restricted from updating and modifying production code, what is this an example of? A. Rotation of duties B. Due diligence C. Separation of duties D. Controlling input values
6. C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should have more entities involved than just one programmer.
7. Why is it important to control and audit input and output values? A. Incorrect values can cause mistakes in data processing and be evidence of fraud. B. Incorrect values can be the fault of the programmer and do not comply with the due care clause. C. Incorrect values can be caused by brute force attacks. D. Incorrect values are not security issues.
7. A. There should be controls in place to make sure the data input into a system and the results generated are in the proper format and have expected values. Improper data being put into an application or system could cause bad output and security issues, such as buffer overflows.
8. What is the difference between least privilege and need to know? A. A user should have least privilege that restricts her need to know. B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources. C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know. D. They are two different terms for the same issue.
8. C. Users should be able to access only the resources they need to fulfill the duties of their positions. They also should only have the level of permissions and rights for those resources that are required to carry out the exact operations they need for their jobs, and no more. This second concept is more granular than the first, but they have a symbiotic relationship.
9. Which of the following would not require updated documentation? A. An antivirus signature update B. Reconfiguration of a server C. A change in security policy D. The installation of a patch to a production server
9. A. Documentation is very important for data processing and networked environments. This task often gets pushed to the back burner or is totally ignored. If things are not properly documented, employees will forget what actually took place with each device. If the environment needs to be rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented. When new changes need to be implemented, the current infrastructure may not be totally understood. Continually documenting when virus signatures are updated would be overkill. The other answers contain events that certainly require documentation.
10. If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data? A. Degaussing B. Erasing C. Purging D. Physical destruction
10. D. One cannot properly erase data held on a CD-ROM. If the data are sensitive and you need to ensure no one has access to them, the media should be physically destroyed.
11. If SSL is being used to encrypt messages that are transmitted over the network, what is a major concern of the security professional? A. The network segments have systems that use different versions of SSL. B. The user may have encrypted the message with an application-layer product that is incompatible with SSL. C. Network tapping and wiretapping. D. The networks that the message will travel that the company does not control.
11. D. This is not a great question, but could be something that you run into on the exam. Let’s look at the answers. Different SSL versions are usually not a concern, because the two communicating systems will negotiate and agree upon the necessary version. There is no security violation issue here. SSL works at the transport layer; thus, it will not be affected by what the user does, as stated in answer B. SSL protects against network tapping and wiretapping. Answer D talks about the network segments the company does not own. You do not know at what point the other company will decrypt the SSL connection because you do not have control of that environment. Your data could be traveling unencrypted and unprotected on another network.
12. What is the purpose of SMTP? A. To enable users to decrypt mail messages from a server B. To enable users to view and modify mail messages from a server C. To transmit mail messages from the client to the mail server D. To encrypt mail messages before being transmitted
12. C. Simple Mail Transfer Protocol (SMTP) is the protocol used to allow clients to send e-mail messages to each other. It lets different mail servers exchange messages.
13. If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem? A. The internal mail server has been compromised by an internal hacker. B. The mail server in the DMZ has private and public resource records. C. The mail server has e-mail relaying misconfigured. D. The mail server has SMTP enabled.
13. C. Spammers will identify the mail servers on the Internet that have relaying enabled and are “wide open,” meaning the servers will forward any e-mail messages they receive. These servers can be put on a black list, which means other mail servers will not accept mail from them.
14. Which of the following is not a reason fax servers are used in many companies? A. They save money by not needing individual fax devices and the constant use of fax paper. B. They provide a secure way of faxing instead of having faxed papers sitting in bins waiting to be picked up. C. Faxes can be routed to employees’ electronic mailboxes. D. They increase the need for other communication security mechanisms.
14. D. The other three answers provide reasons why fax servers would be used instead of individual fax machines: ease of use, they provide more protection, and their supplies may be cheaper.
15. If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms? A. PGP and MIME B. PEM and TSL C. Data link encryption or fax encryptor D. Data link encryption and MIME
15. C. This is the best answer for this question. The other components could provide different levels of protection, but a fax encryptor (which is a data link encryptor) provides a higher level of protection across the board because everything is encrypted. Even if a user does not choose to encrypt something, it will be encrypted anyway before it is sent out through the fax server.
16. What is the purpose of TCP wrappers? A. To monitor requests for certain ports and control access to sensitive files B. To monitor requests for certain services and control access to password files C. To monitor requests for certain services and control access to those services D. To monitor requests to system files and ensure they are not modified
16. C. This is a technology that wraps the different services available on a system. What this means is that if a remote user makes a request to access a service, this product will intercept this request and determine whether it is valid and legal before allowing the interaction to take place.
17. How do network sniffers work? A. They probe systems on a network segment. B. They listen for ARP requests and ICMP packets. C. They require an extra NIC to be installed and configured. D. They put the NIC into promiscuous mode.
17. D. A sniffer is a device or software component that puts the NIC in promiscuous mode, meaning the NIC will pick up all frames it “sees” instead of just the frames addressed to that individual computer. The sniffer then shows the output to the user. It can have capture and filtering capabilities.
18. Which of the following is not an attack against operations? A. Brute force B. Denial-of-service C. Buffer overflow D. ICMP sting
18. D. The first three choices are attacks that can directly affect security operations. There is no such attack as an ICMP sting.
19. Why should user IDs be included in data captured by auditing procedures? A. They show what files were attacked. B. They establish individual accountability. C. They are needed to detect a denial-of-service attack. D. They activate corrective measures.
19. B. For auditing purposes, the procedure should capture the user ID, time of event, type of event, and the source workstation. Capturing the user ID allows the company to hold individuals accountable for their actions.
20. Which of the following controls requires separate entities, operating together, to complete a task? A. Least privilege B. Data hiding C. Dual control D. Administrative
20. C. Dual control requires two or more entities working together to complete a task. An example is key recovery. If a key must be recovered, and key recovery requires two or more people to authenticate to a system, the act of them coming together and carrying out these activities is known as dual control. This reduces the possibility of fraud.
21. Which of the following would not be considered an operations media control task? A. Compressing and decompressing storage materials B. Erasing data when its retention period is over C. Storing backup information in a protected area D. Controlling access to media and logging activities
21. A. The last three tasks fall under the job functions of an individual or department responsible for controlling access to media. Compressing and decompressing data does not.
22. How is the use of clipping levels a way to track violations? A. They set a baseline for normal user errors, and any violations that exceed that threshold should be recorded and reviewed to understand why they are happening. B. They enable the administrator to view all reduction levels that have been made to user codes and that have incurred violations. C. They disallow the administrator to customize the audit trail to record only those violations deemed security related. D. They enable the administrator to customize the audit trail to capture only access violations and denial-of-service attacks.
22. A. Clipping levels are thresholds of acceptable user errors and suspicious activities. If the threshold is exceeded, it should be logged and the administrator should decide if malicious activities are taking place or if the user needs more training.
23. Tape library management is an example of operations security through which of the following? A. Archival retention B. The review of clipping levels C. Resource protection D. Change management
23. C. The reason to have tape library management is to have a centralized and standard way of protecting how media is stored, accessed, and destroyed.
24. A device that generates coercive magnetic force for the purpose of reducing magnetic flux density to zero on media is called A. Magnetic saturation B. Magnetic field C. Physical destruction D. Degausser
24. D. A degausser is a device that generates a magnetic field (coercive magnetic force) that changes the orientation of the bits held on the media (reducing magnetic flux density to zero).
25. Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access? A. Limiting the local access of operations personnel B. Enforcing auditing C. Enforcing job rotation D. Limiting control of management personnel
25. A. If operations personnel are limited in what they can access, they would need to collude with someone who actually has access to the resource. This question is not very clear, but it is very close to the way many CISSP exam questions are formatted.
1. Christine is helping her organization implement a DevOps approach to deploying code. Which one of the following is not a component of the DevOps model? A. Information security B. Software development C. Quality assurance D. IT operations
1. A. The three elements of the DevOps model are software development, quality assurance, and IT operations. Information security is only introduced in the DevSecOps model.
2. Bob is developing a software application and has a field where users may enter a date. He wants to ensure that the values provided by the users are accurate dates to prevent security issues. What technique should Bob use? A. Polyinstantiation B. Input validation C. Contamination D. Screening
2. B. Input validation ensures that the input provided by users matches the design parameters. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Screening is a generic term and does not represent any specific security technique in this context.
4. Frank is conducting a risk analysis of his software development environment and, as a mitigation measure, would like to introduce an approach to failure management that places the system in a high level of security in the event of a failure. What approach should he use? A. Fail-open B. Fail mitigation C. Fail-secure D. Fail clear
4. C. In a fail-secure state, the system remains in a high level of security until an administrator intervenes. In a fail-open state, the system defaults to a low level of security, disabling controls until the failure is resolved. Failure mitigation seeks to reduce the impact of a failure. Fail clear is not a valid approach.
3. Vincent is a software developer who is working through a backlog of change tasks. He is not sure which tasks should have the highest priority. What portion of the change management process would help him to prioritize tasks? A. Release control B. Configuration control C. Request control D. Change audit
3. C. Request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies. Request control provides an organized framework for users to request modifications. Change auditing is used to ensure that the production environment is consistent with the change accounting records.
5. What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward? A. Boyce-Codd B. Iterative waterfall C. Spiral D. Agile
5. B. The iterative waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct defects discovered during the subsequent phase.
6. Jane is conducting a threat assessment using threat modeling techniques as she develops security requirements for a software package her team is developing. Which business function is she engaging in under the Software Assurance Maturity Model (SAMM)? A. Governance B. Design C. Implementation D. Verification
6. B. The activities of threat assessment, threat modeling, and security requirements are all part of the Design function under SAMM.
7. Which one of the following key types is used to enforce referential integrity between database tables? A. Candidate key B. Primary key C. Foreign key D. Alternate key
7. C. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship. Candidate keys are sets of fields that may potentially serve as the primary key, the key used to uniquely identify database records. Alternate keys are candidate keys that are not selected as the primary key.
8. Richard believes that a database user is misusing his privileges to gain information about the company’s overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of? A. Inference B. Contamination C. Polyinstantiation D. Aggregation
8. D. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Polyinstantiation is the creation of different database records for users of differing security levels.
9. What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them? A. Inference B. Manipulation C. Polyinstantiation D. Aggregation
9. C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Manipulation is the authorized or unauthorized alteration of data in a database.
10. Which one of the following is not a principle of Agile development? A. Satisfy the customer through early and continuous delivery. B. Businesspeople and developers work together. C. Pay continuous attention to technical excellence. D. Prioritize security over other requirements.
10. D. In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software. It is not to prioritize security over other requirements. The Agile principles also include satisfying the customer through early and continuous delivery, businesspeople and developers working together, and paying continuous attention to technical excellence.
11. What type of information is used to form the basis of an expert system’s decision making process? A. A series of weighted layered computations B. Combined input from a number of human experts, weighted according to past performance C. A series of “if/then” rules codified in a knowledge base D. A biological decision-making process that simulates the reasoning process used by the human mind
11. C. Expert systems use a knowledge base consisting of a series of “if/then” statements to form decisions based on the previous experience of human experts.
12. In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process? A. Initial B. Repeatable C. Defined D. Managed
12. D. In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process.
13. Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers? A. SDLC B. ODBC C. PCI DSS D. Abstraction
13. B. Open Database Connectivity (ODBC) acts as a proxy between applications and the back-end DBMS. The software development lifecycle (SDLC) is a model for the software development process that incorporates all necessary activities. The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory framework for credit card processing. Abstraction is a software development concept that generalizes common behaviors of software objects into more abstract classes.
14. In what type of software testing does the tester have access to the underlying source code? A. Static testing B. Dynamic testing C. Cross-site scripting testing D. Black-box testing
14. A. In order to conduct a static test, the tester must have access to the underlying source code. Black-box testing does not require access to source code. Dynamic testing is an example of black-box testing. Cross-site scripting is a specific type of vulnerability, and it may be discovered using both static and dynamic techniques, with or without access to the source code.
15. What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks? A. Gantt B. Venn C. Bar D. PERT
15. A. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan,
16. Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level? A. Aggregation B. Inference C. Contamination D. Polyinstantiation
16. C. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks.
17. Tonya is performing a risk assessment of a third-party software package for use within her organization. She plans to purchase a product from a vendor that is very popular in her industry. What term best describes this software? A. Open source B. Custom-developed C. ERP D. COTS
17. D. Tonya is purchasing the software, so it is not open source. It is used widely in her industry, so it is not custom developed for her organization. There is no indication in the question that the software is an enterprise resource planning (ERP) system. The best answer here is commercial-off-the-shelf software (COTS).
18. Which one of the following is not part of the change management process? A. Request control B. Release control C. Configuration audit D. Change control
18. C. Configuration audit is part of the configuration management process rather than the change control process. Request control, release control, and change control are all components of the configuration management process.
19. What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data? A. Atomicity B. Consistency C. Isolation D. Durability
19. C. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other so that one does not interfere with the other. The atomicity principle says that if any part of the transaction fails, the entire transaction must be rolled back. The consistency principle says that the database must always be in a state that complies with the database model’s rules. The durability principle says that transactions committed to the database must be preserved.
20. Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table? A. Two B. Three C. Thirty D. Undefined
20. B. The cardinality of a table refers to the number of rows in the table, whereas the degree of a table is the number of columns. In this case, the table has three columns (name, telephone number, and customer ID), so it has a degree of three.
1. What describes a more agile development and support model, where developers directly support operations? A. DevOps B. Sashimi C. Spiral D. Waterfall
1. Correct answer and explanation: A. DevOps is a more agile development and support model, where developers directly support operations. Incorrect answers and explanations: Answers B, C, and D are incorrect. Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.
2. Two objects with the same name have different data. What OOP concept does this illustrate? A. Delegation B. Inheritance C. Polyinstantiation D. Polymorphism
2. Correct answer and explanation: C. Polyinstantiation means “many instances,” such as two objects with the same names that have different data. Incorrect answers and explanations: Answers A, B, and D are incorrect. Delegation allows objects to delegate messages to other objects. Inheritance means an object inherits capabilities from its parent class. Polymorphism allows the ability to overload operators, performing different methods depending on the context of the input message.
3. What type of testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective? A. Acceptance testing B. Integration testing C. Regression testing D. Unit testing
3. Correct answer and explanation: Answer A is correct; acceptance testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective. Incorrect answers and explanations: Answers B, C, and D are incorrect. Integration testing tests multiple software components as they are combined into a working system. Regression testing tests software after updates, modifications, or patches. Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.
4. A database contains an entry with an empty primary key. What database concept has been violated? A. Entity integrity B. Normalization C. Referential integrity D. Semantic integrity
4. Correct answer and explanation: A. Entity integrity means each tuple has a unique primary key that is not null. Incorrect answers and explanations: Answers B, C, and D are incorrect. Normalization seeks to make the data in a database table logically concise, organized, and consistent. Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken. Semantic integrity means each attribute (column) value is consistent with the attribute data type.
5. Which vulnerability allows a third party to redirect static content within the security context of a trusted site? A. Cross-site request forgery (CSRF) B. Cross-site scripting (XSS) C. PHP remote file inclusion (RFI) D. SQL injection
5. Correct answer and explanation: A. Cross-site request forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site. Incorrect answers and explanations: Answers B, C, and D are incorrect. XSS is a third-party execution of web scripting languages, such as JavaScript, within the security context of a trusted site. XSS is similar to CSRF; the difference is XSS uses active code. PHP RFI alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code. SQL injection manipulates a back-end SQL server via a front-end web server.
1. Which phase of the Software Development Life Cycle (SDLC) emphasizes the importance of risk analysis and threat modeling? A. Deployment B. Maintenance C. Early phases D. Decommissioning
1. Answer: C. Early phases Explanation: Risk analysis and threat modeling are critical components of the early phases of the SDLC. They continue through to the architecture and design phase.
2. Which development methodology does not allow revisiting a previous phase? A. Agile B. Spiral Method C. Waterfall D. Cleanroom
2. Answer: C. Waterfall Explanation: The Waterfall model requires the completion of each development phase before moving to the next. It does not allow revisiting a previous phase.
3. What does DevOps ideally incorporate to make security an integral part of the development process? A. DevSecOps B. DevTestOps C. DevNetOps D. DevSysOps
3. Answer: A. DevSecOps Explanation: DevOps should ideally be referred to as DevSecOps, where security is an integral part of the development process.
4. Which maturity model is described as “the prime maturity model for software assurance” by OWASP? A. Capability Maturity Model (CMM) B. Software Assurance Maturity Model (SAMM) C. Development Maturity Model (DMM) D. Application Maturity Model (AMM)
4. Answer: B. Software Assurance Maturity Model (SAMM) Explanation: OWASP’s Software Assurance Maturity Model (SAMM) is described as the prime maturity model for software assurance.
5. Which type of testing focuses on quick preliminary testing after a change to identify any simple failures of the most important existing functionality? A. Regression testing B. Canary testing C. Smoke testing D. Black box testing
5. Answer: C. Smoke testing Explanation: Smoke testing focuses on quick preliminary testing after a change to identify any simple failures of the most important existing functionality that worked before the change was made.
6. Which of the following refers to a storage location for software and application source code? A. Integrated Development Environment (IDE) B. Code repository C. Software Development Kit (SDK) D. Application Programming Interface (API)
6. Answer: B. Code repository Explanation: A code repository is a storage location for software and application source code.
7. What does the term polyinstantiation refer to in the context of software development? A. Code that can vary based on requirements B. Instantiating into multiple separate or independent instances C. Code that can be placed inside another D. Code that can inherit characteristics of previously created objects
7. Answer: B. Instantiating into multiple separate or independent instances Explanation: Polyinstantiation refers to something being instantiated into multiple separate or independent instances.
8. Which of the following is a common software vulnerability arising from the use of insecure coding practices? A. Buffer overflow B. Code encapsulation C. Code inheritance D. Code polymorphism
8. Answer: A. Buffer overflow Explanation: Buffer overflow is a common problem with applications and occurs when information sent to a storage buffer exceeds the buffer’s capacity.
9. Which of the following APIs is XML based? A. Representational State Transfer (REST) B. Simple Object Access Protocol (SOAP) C. Code Repository API D. Integrated Development Environment (IDE) API
9. Answer: B. Simple Object Access Protocol (SOAP) Explanation: Simple Object Access Protocol (SOAP) is an XML-based API.
10. In the context of software development, what does the term “encapsulation” refer to? A. The ability of an object to inherit characteristics of other objects B. Code that can vary based on requirements C. The idea that an object can be placed inside another, protecting it by wrapping it in other objects D. Hiding or obscuring code to protect it from unauthorized viewing
10. Answer: C. The idea that an object can be placed inside another, protecting it by wrapping it in other objects Explanation: Encapsulation refers to the idea that an object – a piece of code – can be placed inside another. Other objects can be called by doing this, and objects can be protected by encapsulating or wrapping them in other objects.
11. Which of the following best describes “code obfuscation”? A. The process of making code more efficient B. The practice of writing code in multiple programming languages C. Intentionally creating source code that is difficult for humans to understand D. The process of documenting code for better readability
11. Answer: C. Intentionally creating source code that is difficult for humans to understand Explanation: Code obfuscation refers to hiding or obscuring code to protect it from unauthorized viewing. It intentionally makes source code difficult for humans to understand.
12. Which software development approach is risk-driven and follows an iterative model while also including waterfall elements? A. Agile B. Spiral Method C. Waterfall D. Cleanroom
12. Answer: B. Spiral Method Explanation: The Spiral Method is a risk-driven development process that follows an iterative model while also including waterfall elements.
13. What is the primary purpose of “software configuration management (SCM)” in the software development process? A. To accelerate the development process B. To manage changes in software C. To integrate security into the development process D. To facilitate communication between development teams
13. Answer: B. To manage changes in software Explanation: Software configuration management focuses explicitly on managing changes in software and is part of the overall configuration/change management.
14. Which of the following is NOT a characteristic of a Relational Database Management System (RDBMS)? A. Allows objects and data to be stored and linked together. B. Data is stored in two-dimensional tables composed of rows and columns. C. Data is stored hierarchically with parent-child relationships. D. Information can be related to other information, driving inference and deeper understanding.
14. Answer: C. Data is stored hierarchically with parent-child relationships. Explanation: RDBMS systems store data in tables, not in hierarchical structures.
15. Answer: B. Data that offers insights into other data Explanation: The term metadata refers to information that offers insights into other data. Essentially, it’s data about data.
16. What does the term “ACID” stand for in the context of an RDBMS environment? A. Atomicity, Clarity, Isolation, Durability B. Accuracy, Consistency, Integrity, Durability C. Atomicity, Consistency, Isolation, Durability D. Accuracy, Clarity, Integrity, Durability
16. Answer: C. Atomicity, Consistency, Isolation, Durability Explanation: ACID stands for atomicity, consistency, isolation, and durability and relates to how information and transactions in an RDBMS environment should be treated.
17. Which of the following is a primary concern when citizen developers write code? A. They often produce highly optimized code. B. They typically follow best practices for secure coding. C. They often have access to powerful programming tools but may lack secure coding practices. D. They always rely on open source software.
17. Answer: C. They often have access to powerful programming tools but may lack secure coding practices. Explanation: Citizen developers often have access to powerful programming tools. Still, they’re typically self-taught and unskilled regarding secure coding practices, leading to insecure and unreliable application development.
18. Which of the following APIs provides a way for applications to communicate using HTTP? A. Representational State Transfer (REST) B. Simple Object Access Protocol (SOAP) C. Code Repository API D. Integrated Development Environment (IDE) API
18. Answer: A. Representational State Transfer (REST) Explanation: Representational State Transfer (REST) is an HTTP-based API.
19. In software development, what does “coupling” refer to? A. The level of relatedness between units of a codebase B. The process of making code more efficient C. The practice of writing code in multiple programming languages D. The process of documenting code for better readability
19. Answer: A. The level of relatedness between units of a codebase Explanation: Coupling and cohesion are relational terms that indicate the level of relatedness between units of a codebase (coupling) and the level of relatedness between the code that makes up a unit of code (cohesion).
20. In the context of software development, what does “cohesion” refer to? A. The level of relatedness between different units of a codebase B. The level of relatedness between the code that makes up a unit of code C. The process of making code more efficient D. The practice of writing code in multiple programming languages
20. Answer: B. The level of relatedness between the code that makes up a unit of code Explanation: Cohesion refers to the level of relatedness between the code that makes up a unit of code. High cohesion means that the code within a module or class is closely related.
21. Which of the following best describes “sandboxing” in software development? A. A method to test new code in isolation B. The process of documenting code for better readability C. A technique to optimize code performance D. The practice of writing code in a collaborative environment
21. Answer: A. A method to test new code in isolation Explanation: Sandboxing refers to a method where new or untested code is run in a separate environment (a “sandbox”) to ensure it doesn’t affect the functioning of existing systems.
23. Which of the following is NOT a characteristic of “object-oriented programming (OOP)”? A. Polymorphism B. Encapsulation C. Cohesion D. Inheritance
23. Answer: C. Cohesion Explanation: While cohesion is an important concept in software design, it is not a specific characteristic of object-oriented programming. OOP is characterized by concepts like polymorphism, encapsulation, and inheritance.
22. What is the primary purpose of “code signing” in the software development process? A. To optimize the performance of the code B. To verify the authenticity and integrity of the code C. To document the changes made in the code D. To make the code more readable
22. Answer: B. To verify the authenticity and integrity of the code Explanation: Code signing is a technique used to verify the authenticity and integrity of code. It ensures that the code has not been altered since it was signed.
25. What is the primary concern of “secure coding practices”? A. To accelerate the development process B. To ensure the code is optimized for performance C. To ensure the software is free from vulnerabilities D. To make the code more readable and maintainable
25. Answer: C. To ensure the software is free from vulnerabilities Explanation: Secure coding practices aim to ensure that software is developed in a way that it is free from vulnerabilities that could be exploited by malicious actors.
24. Which of the following best describes “race conditions” in software development? A. Conditions where two or more threads access shared data simultaneously B. Conditions where the software runs faster than expected C. Conditions where the software is tested for speed and performance D. Conditions where the software is developed in a competitive environment
24. Answer: A. Conditions where two or more threads access shared data simultaneously Explanation: Race conditions occur when two or more threads access shared data at the same time and at least one of them modifies the data, leading to unpredictable outcomes.
26. In the context of databases, what does “normalization” refer to? A. The process of optimizing database performance B. The process of ensuring data integrity and reducing data redundancy C. The process of backing up the database regularly D. The process of encrypting the database for security purposes
26. Answer: B. The process of ensuring data integrity and reducing data redundancy Explanation: Normalization is a process in database design to ensure data integrity and reduce data redundancy by organizing data in tables and establishing relationships between them.
27. Which of the following is a common method to prevent SQL injection attacks? A. Using regular expressions to validate input B. Encrypting the database C. Using parameterized queries D. Increasing the database’s storage capacity
27. Answer: C. Using parameterized queries Explanation: Parameterized queries ensure that input is always treated as data and not executable code, thus preventing SQL injection attacks.
28. What is the primary purpose of “version control” in the software development process? A. To optimize the performance of the software B. To ensure the software is free from vulnerabilities C. To track and manage changes to the codebase D. To make the code more readable
28. Answer: C. To track and manage changes to the codebase Explanation: Version control systems track and manage changes to the codebase, allowing developers to revert to previous versions, collaborate, and understand the history of changes.
29. Which of the following best describes “fuzz testing” in software development? A. Testing the software’s user interface for usability B. Testing the software by providing random and unexpected inputs C. Testing the software for speed and performance D. Testing the software in a real-world environment
29. Answer: B. Testing the software by providing random and unexpected inputs Explanation: Fuzz testing, or fuzzing, involves testing software by providing random and unexpected inputs to identify potential vulnerabilities and crashes.
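Added example, not part of the original question set: a minimal fuzzer run against a constructed, deliberately buggy parser for a tiny length-prefixed record format. The format, the parser, the seed input and the iteration count are all assumptions made for the illustration; the point is how random and mutated inputs surface a crash that hand-written tests with well-formed records would miss.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Constructed, deliberately buggy parser for a tiny record format:
    1-byte payload length, payload, 1-byte checksum (sum of payload mod 256).
    It trusts the declared length and reads past the end of the buffer."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError when the length byte lies
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, with the bounds check the buggy version lacks."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) < 2 + length:
        raise ValueError("declared length exceeds buffer")
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


# A well-formed record used as the seed for mutation (constructed).
VALID = b"\x03abc" + bytes([sum(b"abc") % 256])


def fuzz(target, iterations: int = 500, seed: int = 1234) -> list:
    """Feed mutated and random inputs to `target`; return (input, exception name)
    for every input that raised something the parser does not document.
    ValueError is the parser's own rejection path, so it is not a finding."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        if rng.random() < 0.5:
            data = bytearray(VALID)
            data[rng.randrange(len(data))] = rng.randrange(256)   # flip one byte
            data = bytes(data)
        else:
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(9)))  # 0..8 random bytes
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:   # a fuzzer wants every other exception
            findings.append((data, type(exc).__name__))
    return findings


if __name__ == "__main__":
    crashes = fuzz(parse_record)
    print(f"{len(crashes)} crashing inputs, e.g. {crashes[0][0]!r} -> {crashes[0][1]}")
    print(f"fixed parser: {len(fuzz(parse_record_fixed))} crashes")
```

In a memory-unsafe language the same out-of-bounds read is a potential information leak or crash rather than a caught Python exception, which is why fuzzing is a standard part of testing parsers of untrusted input. Real fuzzers (coverage-guided tools such as AFL or libFuzzer) keep mutating inputs that reach new code paths; the harness above keeps only the idea.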
30. Which of the following best describes the “principle of least privilege” in software development? A. Granting users only the permissions they need to perform their tasks B. Encrypting sensitive data to prevent unauthorized access C. Ensuring that software is updated regularly D. Making the codebase open source for transparency
30. Answer: A. Granting users only the permissions they need to perform their tasks Explanation: The principle of least privilege emphasizes that users should be granted only the permissions they absolutely need, reducing the risk of unauthorized access or actions.
31. What is the primary goal of “threat modeling” in the software development process? A. To identify potential threats and vulnerabilities in the software B. To optimize the performance of the software C. To document the software development process D. To ensure code readability and maintainability
31. Answer: A. To identify potential threats and vulnerabilities in the software Explanation: Threat modeling is a structured approach used to identify and evaluate potential threats and vulnerabilities in a software system, helping developers address them proactively.
32. Which of the following is NOT a type of software testing? A. Canary testing B. Waterfall testing C. Regression testing D. Penetration testing
32. Answer: B. Waterfall testing Explanation: While “Waterfall” is a software development methodology, there isn’t a specific type of testing called “Waterfall testing.”
33. In the context of software development, what does “refactoring” refer to? A. Adding new features to the software B. Testing the software for vulnerabilities C. Rewriting certain parts of the code to improve its structure without changing its functionality D. Changing the user interface of the software
33. Answer: C. Rewriting certain parts of the code to improve its structure without changing its functionality Explanation: Refactoring involves restructuring existing code without changing its external behavior, aiming to improve the nonfunctional attributes of the software.
34. Which of the following best describes “static code analysis”? A. Analyzing the software’s performance during runtime B. Reviewing the codebase without executing the program C. Testing the software in a production environment D. Analyzing user feedback about the software
34. Answer: B. Reviewing the codebase without executing the program Explanation: Static code analysis involves examining the code without executing the program, aiming to find vulnerabilities, errors, or areas of improvement.
35. What is the primary purpose of “code reviews” in the software development process? A. To optimize the software’s performance B. To ensure the software is free from vulnerabilities C. To ensure the quality and correctness of the code D. To make the codebase open source
35. Answer: C. To ensure the quality and correctness of the code Explanation: Code reviews involve systematically examining the source code of a program with the primary goal of finding and fixing mistakes overlooked during the initial development phase, ensuring the code’s quality and correctness.
36. Which of the following is a common method to ensure data confidentiality in software applications? A. Data normalization B. Data encryption C. Data refactoring D. Data versioning
36. Answer: B. Data encryption Explanation: Data encryption is a method used to protect data by converting it into a code to prevent unauthorized access, ensuring data confidentiality.
37. In the context of software development, what does “integrity” refer to? A. Ensuring the software is free from vulnerabilities B. Ensuring the data is accurate and has not been tampered with C. Ensuring the software performs optimally D. Ensuring the software is user-friendly
37. Answer: B. Ensuring the data is accurate and has not been tampered with Explanation: In software development, integrity refers to the assurance that data is accurate and reliable and has not been tampered with or altered without authorization.
38. Which of the following best describes “runtime application self-protection (RASP)”? A. A method to optimize software performance during runtime B. A tool that detects and prevents real-time application attacks C. A technique to refactor code during runtime D. A tool for static code analysis
38. Answer: B. A tool that detects and prevents real-time application attacks Explanation: Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block attacks by taking advantage of information from inside the running software.
39. Which of the following is a primary concern when using third-party libraries or components in software development? A. The size of the library or component B. The popularity of the library or component C. Potential vulnerabilities or security risks associated with the library or component D. The cost of the library or component
39. Answer: C. Potential vulnerabilities or security risks associated with the library or component Explanation: When using third-party libraries or components, a primary concern is potential vulnerabilities or security risks that they might introduce into the software.
40. Which of the following best describes the “security by design” principle in software development? A. Implementing security measures after the software is developed B. Designing the software with security considerations from the outset C. Relying solely on third-party security tools D. Focusing only on the user interface security
40. Answer: B. Designing the software with security considerations from the outset Explanation: “Security by design” means that the software has been designed from the ground up to be secure, ensuring that security is integrated into every part of the software development process.
41. In the context of software development, what is the primary goal of “input validation”? A. To optimize the software’s performance B. To ensure the software’s user interface is intuitive C. To verify that the input meets the specified criteria before it’s processed D. To ensure the software is compatible with various devices
41. Answer: C. To verify that the input meets the specified criteria before it’s processed Explanation: Input validation checks that data arriving from an untrusted source conforms to the expected type, length, format, and range before the application acts on it, and rejects anything that does not. Malformed or malicious input is therefore stopped at the boundary instead of reaching the logic it could harm.
42. Which of the following is NOT a type of “authentication” method in software development? A. Something you know B. Something you have C. Something you are D. Something you dislike
42. Answer: D. Something you dislike Explanation: Authentication methods typically revolve around something you know, something you have, or something you are. “Something you dislike” is not a recognized authentication factor.
43. What is the primary purpose of “penetration testing” in the software development process? A. To document the software development process B. To ensure the software’s user interface is user friendly C. To identify vulnerabilities by simulating cyberattacks on the software D. To verify the software’s compatibility with various operating systems
43. Answer: C. To identify vulnerabilities by simulating cyberattacks on the software Explanation: Penetration testing involves simulating cyberattacks on software to identify vulnerabilities that could be exploited in real-world attacks.
44. Which of the following best describes “two-factor authentication (2FA)” in software development? A. Using two different passwords for authentication B. Verifying the user’s identity using two different methods or factors C. Using biometric authentication twice for added security D. Asking the user to input their password at two different stages of login
44. Answer: B. Verifying the user’s identity using two different methods or factors Explanation: Two-factor authentication (2FA) requires users to verify their identity using two different methods or factors, enhancing security.
45. In software development, what does “availability” in the context of the CIA triad refer to? A. Ensuring that software is free from vulnerabilities B. Ensuring that software is accessible and usable when needed C. Ensuring that software data remains confidential D. Ensuring that software data is accurate and trustworthy
45. Answer: B. Ensuring that software is accessible and usable when needed Explanation: In the CIA (confidentiality, integrity, availability) triad, “availability” refers to ensuring that resources are accessible and usable when needed.
46. Which of the following is a common method to ensure “data integrity” in software applications? A. Data compression B. Data encryption C. Data hashing D. Data visualization
46. Answer: C. Data hashing Explanation: A cryptographic hash produces a fixed-size digest from input of any size; recomputing the digest and comparing it with the stored value reveals whether the data has been altered. Note that the digest itself must be protected (stored out of band, signed, or computed with a key as an HMAC), because an attacker who can rewrite the data and the unkeyed hash beside it defeats the check.
47. What is the primary concern of “defense in depth” in software security? A. Relying on a single layer of security B. Implementing multiple layers of security measures C. Focusing solely on external threats D. Prioritizing speed over security
47. Answer: B. Implementing multiple layers of security measures Explanation: “Defense in depth” is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information.
48. In the context of software development, what does “confidentiality” in the CIA triad refer to? A. Ensuring that software is free from vulnerabilities B. Ensuring that software data remains private and restricted to authorized individuals C. Ensuring that software is accessible and usable when needed D. Ensuring that software data is accurate and trustworthy
48. Answer: B. Ensuring that software data remains private and restricted to authorized individuals Explanation: In the CIA (confidentiality, integrity, availability) triad, “confidentiality” refers to ensuring that data remains private and is only accessible to those with the proper authorization.
49. Which of the following best describes the “principle of non-repudiation” in software security? A. Ensuring that users cannot deny their actions B. Ensuring that software is free from vulnerabilities C. Verifying the user’s identity using multiple authentication methods D. Ensuring that data remains confidential
49. Answer: A. Ensuring that users cannot deny their actions Explanation: Non-repudiation ensures that a user cannot deny having performed a particular action, providing proof of origin or delivery.
50. In the context of software security, which of the following best describes “data at rest”? A. Data that is being transmitted over a network B. Data that is stored and not actively being used or processed C. Data that is currently being processed by an application D. Data that is temporarily stored in memory
50. Answer: B. Data that is stored and not actively being used or processed Explanation: “Data at rest” refers to data that is stored in persistent storage (like hard drives) and is not actively being used, processed, or transmitted.
51. Which of the following is a primary concern when considering “data in transit” in software security? A. Ensuring data storage optimization B. Ensuring data remains confidential while being transmitted C. Ensuring data is regularly backed up D. Ensuring data is indexed for faster retrieval
51. Answer: B. Ensuring data remains confidential while being transmitted Explanation: “Data in transit” refers to data that is being transferred over a network. The primary concern is to ensure its confidentiality and integrity during transmission.
52. What is the main goal of “security patches” in the software development process? A. To add new features to the software B. To improve the software’s user interface C. To fix known security vulnerabilities in the software D. To optimize the software’s performance
52. Answer: C. To fix known security vulnerabilities in the software Explanation: Security patches are updates released by software developers to address known security vulnerabilities in the software.
53. Which of the following best describes “zero-day vulnerabilities” in software security? A. Vulnerabilities that are discovered and patched within a day B. Vulnerabilities that have no impact on the software’s functionality C. Vulnerabilities that are unknown to the software developer and have no available patches D. Vulnerabilities that are discovered during the software’s first day of release
53. Answer: C. Vulnerabilities that are unknown to the software developer and have no available patches Explanation: Zero-day vulnerabilities refer to software vulnerabilities that are unknown to the vendor. This security risk is called a “zero-day” because the developer has had zero days to fix it.
54. In the context of software security, what is the primary purpose of “intrusion detection systems (IDS)”? A. To detect and prevent unauthorized access to the software B. To back up the software’s data C. To optimize the software’s performance D. To manage user permissions and roles
54. Answer: A. To detect and prevent unauthorized access to the software Explanation: Intrusion detection systems (IDS) monitor network traffic or host activity for malicious actions or policy violations and report them to a management console. Strictly speaking, a detection system only detects and alerts; blocking the traffic inline is the role of an intrusion prevention system (IPS). Option A is nevertheless the best of the choices offered.
55. Which of the following is NOT a type of “malware”? A. Ransomware B. Adware C. Debugger D. Trojan
55. Answer: C. Debugger Explanation: While ransomware, adware, and trojans are types of malicious software, a debugger is a tool used by developers to test and debug their code.
56. What is the primary goal of “allow listing” in software security? A. To list all known vulnerabilities in the software B. To specify which users have administrative privileges C. To define a list of approved software or processes that are allowed to run D. To list all outdated components of the software
56. Answer: C. To define a list of approved software or processes that are allowed to run Explanation: Allow listing is a security approach where a list of approved software applications or processes is created, and only those on the list are allowed to run.
57. Which of the following best describes “phishing” in the context of software security threats? A. An attack where the attacker floods the network with excessive requests B. An attack where the attacker tricks users into revealing sensitive information C. An attack where the attacker exploits a zero-day vulnerability D. An attack where the attacker uses brute force to crack passwords
57. Answer: B. An attack where the attacker tricks users into revealing sensitive information Explanation: Phishing is a type of social engineering attack where the attacker tricks users into revealing sensitive information, often by masquerading as a trustworthy entity.
58. In software security, what is the primary purpose of “firewalls”? A. To detect software bugs and errors B. To manage user permissions and roles C. To monitor and control incoming and outgoing network traffic D. To back up the software’s data
58. Answer: C. To monitor and control incoming and outgoing network traffic Explanation: Firewalls are network security devices that monitor and filter incoming and outgoing network traffic based on an organization’s previously established security policies.
59. Which of the following is a common method to ensure “data redundancy” in software applications? A. Data encryption B. Data compression C. Data replication D. Data hashing
59. Answer: C. Data replication Explanation: Data replication involves creating copies of data so that this duplicate data can be used to restore the original data in case of data loss.
60. In the context of software security, which of the following best describes “heuristic analysis”? A. A method of detecting malware based on known signatures B. A method of analyzing software performance metrics C. A method of detecting potential threats based on behavioral patterns D. A method of encrypting data for secure transmission
60. Answer: C. A method of detecting potential threats based on behavioral patterns Explanation: Heuristic analysis involves identifying malicious activities or threats based on behavioral patterns rather than relying on specific signatures.
61. Which of the following is a primary concern when considering “data disposal” in software security? A. Ensuring data is transmitted securely B. Ensuring data is stored in an optimized format C. Ensuring data is permanently deleted and cannot be recovered D. Ensuring data is regularly backed up
61. Answer: C. Ensuring data is permanently deleted and cannot be recovered Explanation: Proper data disposal ensures that data is not only deleted but also cannot be recovered, preventing unauthorized access or data breaches.
62. What is the main goal of “security awareness training” in the context of software security? A. To teach developers how to write code B. To inform users about the latest software features C. To educate employees about security threats and best practices D. To introduce new security tools and technologies
62. Answer: C. To educate employees about security threats and best practices Explanation: Security awareness training aims to educate employees about various security threats and the best practices to prevent potential breaches.
63. Which of the following best describes “brute-force attacks” in software security? A. Exploiting software vulnerabilities using advanced tools B. Attempting to guess passwords or encryption keys through trial and error C. Sending large volumes of data to crash a system D. Tricking users into revealing their credentials
63. Answer: B. Attempting to guess passwords or encryption keys through trial and error Explanation: A brute-force attack involves trying multiple combinations to guess a password or encryption key, relying on trial and error.
64. In the context of software security, what does “hardening” refer to? A. Making the software’s user interface more intuitive B. Strengthening the software against potential attacks or vulnerabilities C. Compressing the software’s data for optimized storage D. Upgrading the software to the latest version
64. Answer: B. Strengthening the software against potential attacks or vulnerabilities Explanation: Hardening involves configuring a system to reduce its surface of vulnerability, making it more secure against potential threats.
65. Which of the following is NOT a type of “intrusion detection system (IDS)”? A. Network-based IDS B. Host-based IDS C. Signature-based IDS D. Encryption-based IDS
65. Answer: D. Encryption-based IDS Explanation: While network-based, host-based, and signature-based are types of intrusion detection systems, there isn’t a specific type called “encryption-based IDS.”
66. What is the primary purpose of “role-based access control (RBAC)” in software security? A. To define user roles based on their job functions B. To encrypt user data based on their roles C. To monitor user activities in real time D. To back up user data based on their roles
66. Answer: A. To define user roles based on their job functions Explanation: Role-based access control (RBAC) is a method where roles are created based on job functions, and permissions to access resources are assigned to specific roles.
67. In software security, which of the following best describes “honeypots”? A. Software tools to detect vulnerabilities in the code B. Decoy systems designed to attract potential attackers C. Systems designed to store sensitive data securely D. Tools to optimize the performance of the software
67. Answer: B. Decoy systems designed to attract potential attackers Explanation: Honeypots are decoy systems set up to lure potential attackers, allowing security professionals to study their behaviors and tactics.
68. Which of the following best describes “cross-site scripting (XSS)” in the context of software security threats? A. An attack where malicious scripts are injected into trusted websites B. An attack where the attacker floods the network with excessive requests C. An attack where the attacker gains unauthorized access to the database D. An attack where the attacker redirects users to a fake website
68. Answer: A. An attack where malicious scripts are injected into trusted websites Explanation: Cross-site scripting (XSS) is a type of attack where malicious scripts are injected into otherwise benign and trusted websites.
69. What is the primary goal of “input sanitization” in the software development process? A. To optimize the software’s performance B. To ensure the software’s user interface is user friendly C. To clean user input to prevent malicious data from harming the system D. To compress user input data for optimized storage
69. Answer: C. To clean user input to prevent malicious data from harming the system Explanation: Input sanitization involves cleaning or filtering user input to ensure that potentially harmful or malicious data doesn’t harm or compromise the system.
70. In the context of software security, which of the following best describes “tokenization”? A. The process of converting sensitive data into nonsensitive tokens B. The process of authenticating users based on tokens C. The process of optimizing software tokens for better performance D. The process of distributing software tokens to users
70. Answer: A. The process of converting sensitive data into nonsensitive tokens Explanation: Tokenization replaces a sensitive value (such as a payment card number) with a surrogate token that has no exploitable relationship to the original. The mapping between token and original value is held in a protected token vault (or, in vaultless schemes, derived with a secret key), so an attacker who obtains only the tokens cannot recover the data.
71. Which of the following is a primary concern when considering “secure software deployment”? A. Ensuring the software is compatible with all devices B. Ensuring the software is free from known vulnerabilities before deployment C. Ensuring the software has the latest features D. Ensuring the software is available in multiple languages
71. Answer: B. Ensuring the software is free from known vulnerabilities before deployment Explanation: Secure software deployment focuses on ensuring that the software is free from known vulnerabilities and is securely configured before it’s deployed to a live environment.
72. What is the main goal of “digital signatures” in the context of software security? A. To optimize the software’s performance B. To verify the authenticity and integrity of a message or document C. To encrypt data for secure storage D. To provide a unique identifier for each user
72. Answer: B. To verify the authenticity and integrity of a message or document Explanation: Digital signatures are cryptographic equivalents of handwritten signatures, used to verify the authenticity and integrity of a message or document.
73. In software security, which of the following best describes “cross-site request forgery (CSRF)”? A. An attack where the attacker tricks a user into executing unwanted actions on a web application B. An attack where the attacker injects malicious scripts into trusted websites C. An attack where the attacker gains unauthorized access to user accounts D. An attack where the attacker redirects users to malicious websites
73. Answer: A. An attack where the attacker tricks a user into executing unwanted actions on a web application Explanation: CSRF is an attack that tricks the victim into submitting a malicious request, exploiting the trust that a website has in the user’s browser.
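Added example, not part of the original question set: the synchronizer-token defence against the attack described above, in Python. The server secret, the session identifiers and the simulated transfer handler are constructed; the server is assumed to embed the token in its own forms, where a page on another origin cannot read it.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never leaves the server.
SERVER_SECRET = b"constructed-server-secret"


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to one session. The nonce makes tokens unique;
    the MAC ties nonce and session together so the server need not store it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_transfer(session_id: str, form: dict) -> str:
    """Simulated state-changing POST handler. The browser attaches the session
    cookie to a cross-site request on its own; the form field is the part an
    attacker's page cannot supply."""
    if not verify_token(session_id, form.get("csrf_token", "")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim_session = "sess-victim"
    token = issue_token(victim_session)   # embedded in the genuine site's form
    print(handle_transfer(victim_session, {"to": "alice", "amount": 10, "csrf_token": token}))
    # Forged request from another origin: the cookie rides along, the token does not.
    print(handle_transfer(victim_session, {"to": "attacker", "amount": 1000}))
    # A token minted for the attacker's own session does not verify for the victim's.
    print(handle_transfer(victim_session, {"to": "attacker", "amount": 1000,
                                           "csrf_token": issue_token("sess-attacker")}))
```

Binding the token to the session is what stops an attacker from simply obtaining a valid token of their own and planting it in the forged form. Setting the session cookie with the SameSite attribute is a complementary browser-side control, not a replacement for the token check.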
74. Which of the following is NOT a primary component of “public key infrastructure (PKI)”? A. Digital certificate B. Certificate authority (CA) C. Key exchange protocol D. Private key
74. Answer: C. Key exchange protocol Explanation: While digital certificate, certificate authority (CA), and private key are components of PKI, a key exchange protocol is not a primary component of PKI.
75. What is the primary purpose of “secure boot” in the context of software security? A. To ensure faster booting of the system B. To ensure that only signed and trusted software can run during the system startup C. To encrypt data during the boot process D. To provide a user-friendly interface during booting
75. Answer: B. To ensure that only signed and trusted software can run during the system startup Explanation: Secure boot is a security standard that ensures that a device boots using only software that is trusted by the manufacturer.
76. In the context of software security, what does “chain of trust” refer to? A. A sequence of trusted entities ensuring overall system security B. A sequence of software patches applied to the system C. A sequence of user authentication methods D. A sequence of encryption algorithms used in the system
76. Answer: A. A sequence of trusted entities ensuring overall system security Explanation: The chain of trust refers to a series of trusted entities or components in a system where each component can vouch for the integrity and trustworthiness of the next component.
77. Which of the following best describes “containerization” in software security? A. The process of segmenting software into isolated environments B. The process of encrypting software containers C. The process of optimizing software containers for better performance D. The process of distributing software containers to users
77. Answer: A. The process of segmenting software into isolated environments Explanation: Containerization packages an application with its dependencies into a “container” that runs in an isolated environment and behaves consistently across hosts. The isolation is provided by the host kernel (namespaces and resource controls), which all containers on a host share, so a kernel vulnerability or an over-privileged container can cross the boundary; containers are not a substitute for the stronger separation of a virtual machine.
78. What is the primary goal of “anomaly-based intrusion detection” in software security? A. To detect intrusions based on known attack signatures B. To detect intrusions based on deviations from a baseline of normal behavior C. To detect intrusions based on user feedback D. To detect intrusions based on system performance metrics
78. Answer: B. To detect intrusions based on deviations from a baseline of normal behavior Explanation: Anomaly-based intrusion detection systems monitor network traffic and compare it against an established baseline to detect any deviations, which could indicate a potential intrusion.
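Added example, not part of the original question set: the baseline-and-deviation logic the explanation describes, applied to constructed per-minute request counts from one client. The training window, the observation window and the three-standard-deviation threshold are assumptions chosen for the illustration.

```python
import statistics

# Constructed training window: requests per minute from one client during normal use.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 14, 13, 15, 14, 12]

# Constructed observation window: minute 4 is a burst, minute 8 a modest rise.
OBSERVED = [13, 14, 12, 15, 140, 13, 15, 14, 17]


def build_baseline(samples):
    """Summarise 'normal' as the mean and population standard deviation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def detect(samples, mean, stdev, threshold=3.0):
    """Return (index, value, z) for every sample more than `threshold`
    standard deviations away from the baseline mean."""
    alerts = []
    for i, value in enumerate(samples):
        if stdev == 0:
            z = 0.0 if value == mean else float("inf")
        else:
            z = (value - mean) / stdev
        if abs(z) > threshold:
            alerts.append((i, value, round(z, 1)))
    return alerts


if __name__ == "__main__":
    mean, stdev = build_baseline(BASELINE)
    print(f"baseline mean={mean:.1f} stdev={stdev:.2f}")
    for index, value, z in detect(OBSERVED, mean, stdev):
        print(f"ALERT minute {index}: {value} req/min (z={z})")
```

The burst is flagged without any signature for the tool that produced it, which is the strength of the approach. The rise to 17 requests per minute is not flagged, which is the weakness: a slow attacker stays inside the baseline, and an attacker present during the training window shifts the baseline in their favour. Production systems model many more features than a single count, but the decision is the same comparison.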
79. Which of the following is NOT a type of “access control” in software security? A. Mandatory access control (MAC) B. Role-based access control (RBAC) C. Discretionary access control (DAC) D. Performance-based access control (PBAC)
79. Answer: D. Performance-based access control (PBAC) Explanation: While MAC, RBAC, and DAC are recognized types of access control methods, there isn’t a specific type called “performance-based access control (PBAC).”
80. In the context of software security, which of the following best describes “sandboxing”? A. The process of testing software in a controlled environment B. The process of isolating applications in a restricted environment to prevent malicious activities C. The process of optimizing software for better performance D. The process of backing up software data
80. Answer: B. The process of isolating applications in a restricted environment to prevent malicious activities Explanation: Sandboxing involves running applications in a controlled environment to restrict what actions they can perform, preventing potential malicious activities.
81. Which of the following is a primary concern when considering “secure coding practices”? A. Ensuring the software has a user-friendly interface B. Ensuring the software is developed without introducing vulnerabilities C. Ensuring the software is compatible with all devices D. Ensuring the software has the latest features
81. Answer: B. Ensuring the software is developed without introducing vulnerabilities Explanation: Secure coding practices focus on writing code in a way that prevents the introduction of vulnerabilities and security flaws.
82. What is the main goal of “data loss prevention (DLP)” tools in the context of software security? A. To optimize the software’s performance B. To prevent unauthorized access and data breaches C. To prevent the unintentional loss or exposure of sensitive data D. To ensure data is stored in an optimized format
82. Answer: C. To prevent the unintentional loss or exposure of sensitive data Explanation: Data loss prevention (DLP) tools are designed to detect and prevent the unauthorized transmission or loss of sensitive data.
83. In software security, which of the following best describes “session management”? A. The process of managing user access to software features B. The process of managing and maintaining the state of a user’s interaction with software C. The process of managing software updates D. The process of managing software backups
83. Answer: B. The process of managing and maintaining the state of a user’s interaction with software Explanation: Session management involves maintaining and tracking a user’s state and data as they interact with an application, ensuring that the session remains secure and consistent.
84. Which of the following is NOT a primary component of “Identity and Access Management (IAM)”? A. User authentication B. User authorization C. User profiling D. Role-based access
84. Answer: C. User profiling Explanation: While user authentication, user authorization, and role-based access are components of IAM, user profiling is not a primary component of IAM.
85. What is the primary purpose of “cryptographic hashing” in software security? A. To create a unique fixed-size output from input data B. To encrypt data for secure transmission C. To optimize data storage D. To create a backup of data
85. Answer: A. To create a unique fixed-size output from input data Explanation: A cryptographic hash function takes input of any length and produces a fixed-size digest, usually shown as a string of hexadecimal digits; the digest is the same length whether the input is one byte or a gigabyte. A good hash function is one-way (the input cannot be recovered from the digest), changes unpredictably when even one bit of input changes, and is collision-resistant, meaning that finding two inputs with the same digest is computationally infeasible. Hashing is not encryption: there is no key and nothing to decrypt.
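Added example serving this question and question 46 above, not part of the original question set: SHA-256 digests and keyed HMACs over a constructed one-line configuration file. It shows the fixed-size output, the change on tampering, and the caveat from question 46 that an unkeyed hash stored beside the data can be recomputed by whoever tampered with it. The key and file contents are constructed for the illustration.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """SHA-256 of the data as 64 hex characters, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking which characters matched through timing.
    return hmac.compare_digest(digest(data), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a hash that also needs the key, so it cannot be recomputed
    by someone who can only rewrite the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected_hex)


# Constructed sample: a one-line configuration file and a tampered copy.
ORIGINAL = b"admin=false\n"
TAMPERED = b"admin=true\n"
KEY = b"constructed-secret-key"   # assumption: kept server-side, not beside the data

if __name__ == "__main__":
    stored = digest(ORIGINAL)
    print("digest length:", len(stored), "hex chars for", len(ORIGINAL), "bytes of input")
    print("plain hash, original:", verify_digest(ORIGINAL, stored))
    print("plain hash, tampered:", verify_digest(TAMPERED, stored))
    print("plain hash, attacker also rewrote the hash:", verify_digest(TAMPERED, digest(TAMPERED)))
    stored_tag = tag(KEY, ORIGINAL)
    print("HMAC, tampered:", verify_tag(KEY, TAMPERED, stored_tag))
    print("HMAC, attacker guessed a key:", verify_tag(KEY, TAMPERED, tag(b"guess", TAMPERED)))
```

The third plain-hash check passes, which is the point: an unkeyed digest detects accidental corruption but only authenticates the data when the digest itself is trusted, either because it is kept where the attacker cannot reach it, signed (question 72), or computed with a key as here.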
86. Which of the following best describes “security orchestration, automation, and response (SOAR)” in software security? A. A platform for managing and automating security operations B. A tool for static code analysis C. A method for optimizing software performance D. A tool for user authentication
86. Answer: A. A platform for managing and automating security operations Explanation: SOAR platforms allow organizations to collect data about security threats and respond to low-level security events without human intervention.
87. In the context of software security, what does “endpoint protection” refer to? A. Protecting the software’s database endpoints B. Protecting the user interface of the software C. Protecting devices like computers and mobile devices that connect to the network D. Protecting the software’s API endpoints
87. Answer: C. Protecting devices like computers and mobile devices that connect to the network Explanation: Endpoint protection focuses on ensuring that devices such as computers, mobile devices, and other endpoints that connect to a network are secure from potential threats.
88. Which of the following is a common method to ensure “data authenticity” in software applications? A. Data compression B. Data encryption C. Digital signatures D. Data replication
88. Answer: C. Digital signatures Explanation: Digital signatures are used to verify the authenticity of data, ensuring that it has not been tampered with and comes from a verified source.
89. What is the primary goal of “security information and event management (SIEM)” systems in software security? A. To manage user permissions and roles B. To provide real-time analysis of security alerts generated by applications and network hardware C. To back up and restore software data D. To manage software updates and patches
89. Answer: B. To provide real-time analysis of security alerts generated by applications and network hardware Explanation: SIEM systems provide real-time analysis of security alerts generated by various hardware and software resources in an organization.
90. In the context of software security, which of the following best describes “threat modeling”? A. The process of designing user-friendly interfaces B. The process of predicting software performance under various conditions C. The systematic identification and evaluation of potential threats to the software D. The process of simulating user interactions with software
90. Answer: C. The systematic identification and evaluation of potential threats to the software Explanation: Threat modeling involves identifying, understanding, and addressing potential threats in the early stages of software development.
91. Which of the following is a primary concern when considering “secure software design”? A. Ensuring the software has the latest features B. Ensuring the software’s user interface is visually appealing C. Ensuring the software architecture is designed with security principles in mind D. Ensuring the software is compatible with all devices
91. Answer: C. Ensuring the software architecture is designed with security principles in mind Explanation: Secure software design focuses on building software that is resilient to threats by incorporating security principles into its architecture.
92. What is the main goal of “application allow listing” in the context of software security? A. To create a list of users authorized to access the application B. To specify which applications are allowed to run on a system C. To identify and block malicious applications D. To optimize the performance of authorized applications
92. Answer: B. To specify which applications are allowed to run on a system Explanation: Application allow listing is a security approach where only specified applications are permitted to run, preventing unauthorized or malicious software from executing.
93. In software security, which of the following best describes “security misconfiguration”? A. A situation where security settings are left at their default values B. A situation where security software is not updated regularly C. A situation where security protocols are overly complex D. A situation where security measures are redundant
93. Answer: A. A situation where security settings are left at their default values Explanation: Security misconfiguration occurs when security settings are not appropriately configured, often left at default, making the system vulnerable.
94. Which of the following is NOT a primary component of “incident response” in software security? A. Identification of the incident B. Containment of the incident C. Resolution of the software bug D. Recovery and lessons learned
94. Answer: C. Resolution of the software bug Explanation: While identification, containment, and recovery are stages of incident response, the resolution of software bugs is a part of the software development and maintenance process, not specifically incident response.
96. In the context of software security, what does “patch management” refer to? A. The process of designing user interfaces B. The process of regularly updating and managing patches for software vulnerabilities C. The process of managing user feedback and reviews D. The process of optimizing software code
96. Answer: B. The process of regularly updating and managing patches for software vulnerabilities Explanation: Patch management involves the systematic acquisition, testing, and installation of updates and patches to software to address vulnerabilities and improve security.
95. What is the primary purpose of “security audits” in software security? A. To identify and fix performance issues in the software B. To verify that the software meets user requirements C. To assess and ensure the software adheres to security standards and policies D. To introduce new features to the software
95. Answer: C. To assess and ensure the software adheres to security standards and policies Explanation: Security audits are systematic evaluations of the security of a system or application to ensure compliance with security standards and policies.
97. Which of the following best describes “man-in-the-middle (MITM)” attacks in software security? A. Attacks where the attacker directly communicates with the victim B. Attacks where the attacker intercepts and possibly alters the communication between two parties C. Attacks where the attacker impersonates a software application D. Attacks where the attacker floods a system with traffic
97. Answer: B. Attacks where the attacker intercepts and possibly alters the communication between two parties Explanation: In a man-in-the-middle attack, the attacker secretly intercepts and potentially alters the communication between two parties without their knowledge.
98. What is the primary goal of “multifactor authentication (MFA)” in software security? A. To provide multiple layers of encryption B. To verify user identity using multiple methods or factors C. To allow multiple users to access the same account D. To optimize the user login process
98. Answer: B. To verify user identity using multiple methods or factors Explanation: Multifactor authentication (MFA) enhances security by requiring users to provide multiple forms of identification before granting access.
99. In the context of software security, which of the following best describes “risk assessment”? A. The process of designing secure software architectures B. The process of evaluating the potential risks associated with software vulnerabilities C. The process of training users on software features D. The process of updating software to the latest version
99. Answer: B. The process of evaluating the potential risks associated with software vulnerabilities Explanation: Risk assessment involves identifying, evaluating, and prioritizing risks to determine the potential impact of software vulnerabilities and to decide on mitigation strategies.
100. What service can integrate an app with a social media site that provides software libraries and tools? A. Software Development Kit (SDK) B. Data Loss Prevention (DLP) C. Integrated Development Environment (IDE) D. Application Programming Interface (API)
100. Answer: A. Software Development Kit (SDK) Explanation: A Software Development Kit (SDK) typically includes a set of software libraries, development tools, and documentation that developers can use to create or enhance software. In this case, the social media site provides software libraries and other tools for integrating applications with it, which is characteristic of an SDK.
2. To overcome resistance to a change, which of the following approaches provides the best solution? a. The change is well planned. b. The change is fully communicated. c. The change is implemented in a timely way. d. The change is fully institutionalized.
2. d. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as leverage to change the entire company.
3. During the system design of data input control procedures, the least consideration should be given to which of the following items? a. Authorization b. Validation c. Configuration d. Error notification
3. c. Configuration management is a procedure for applying technical and administrative direction and monitoring to (i) identify and document the functional and physical characteristics of an item or system, (ii) control any changes made to such characteristics, and (iii) record and report the change, process, and implementation status. The authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation ensures that the data entered meets predefined criteria in terms of its attributes. Error notification is as important as error correction.
4. Software configuration management (SCM) should primarily address which of the following questions? a. How does software evolve during system development? b. How does software evolve during system maintenance? c. What constitutes a software product at any point in time? d. How is a software product planned?
4. c. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers questions such as (i) what constitutes the software product at any point in time? (ii) What changes have been made to the software product? How a software product is planned, developed, or maintained does not matter because it describes the history of a software product’s evolution, as described in the other choices.
5. What is the main feature of software configuration management (SCM)? a. Tracing of all software changes b. Identifying individual components c. Using computer-assisted software engineering tools d. Using compilers and assemblers
5. a. Software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes. Identifying individual components is incorrect because it is a part of the configuration identification function. The goals of configuration identification are to create the ability to identify the components of the system throughout its life cycle and to provide traceability between the software and related configuration identification items. Computer-assisted software engineering (CASE) tools, compilers, and assemblers are incorrect because they are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of computer program products during all stages of development and maintenance. Some examples of technical factors include the use of CASE tools, compilers, and assemblers.
6. Which of the following areas of software configuration management (SCM) is executed last? a. Identification b. Change control c. Status accounting d. Audit
6. d. There are four elements of configuration management. The first element is configuration identification, consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control, consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. The third element is configuration status accounting, consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit, consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly working.
7. Which of the following is an example of input validation error? a. Access validation error b. Configuration error c. Buffer overflow error d. Race condition error
7. c. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input received by a system is longer than the expected input length, but the system does not check for this condition. In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when user-controllable settings in a system are set so that the system is vulnerable. A race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.
8. From a risk management viewpoint, new system interfaces are addressed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
8. d. In the operation/maintenance phase of the SDLC, risk management activities are performed whenever major changes are made to an IT system in its operational (production) environment (for example, new system interfaces).
10. The initiation phase of the security certification and accreditation process does not contain which of the following? a. Preparation b. Resource identification c. Action plan and milestones d. Security plan acceptance
10. c. The action plan and milestones document belongs to a later part of the security certification and accreditation phases; it describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities. The other three choices are part of the initiation phase, which is the first phase, where it is too early to develop the action plan and milestones.
11. Which of the following comes first in the security certification and accreditation process of an information system? a. Security certification b. Security recertification c. Security accreditation d. Security reaccreditation
11. a. The security certification work comes first as it determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired system security posture. This assurance is achieved through system security assessments. The security accreditation package documents the results of the security certification. Recertification and reaccreditation occur periodically and sequentially whenever there is a significant change to the system or its operational environment as part of ongoing monitoring of security controls.
13. In the continuous monitoring phase of the security certification and accreditation process, ongoing assessment of security controls is based on which of the following? a. Configuration management documents b. Action plan and milestone documents c. Configuration control documents d. Security impact analyses documents
13. b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on “action plan and milestones” items that become closed. These newly implemented controls should be validated first. The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.
14. What is the major purpose of configuration management? a. To reduce risks from system insertions b. To reduce risks from system installations c. To reduce risks from modifications d. To minimize the effects of negative changes
14. d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a negative effect and the former leads to a positive effect.
15. The primary implementation of the configuration management process is performed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Acquisition/development c. Implementation d. Operation/maintenance
15. d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC. The other phases are too early for this process to take place.
16. Which of the following phases of the security certification and accreditation process primarily deals with configuration management? a. Initiation b. Security certification c. Security accreditation d. Continuous monitoring
16. d. The fourth phase of the security certification and accreditation process, continuous monitoring, primarily deals with configuration management. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and maintaining the security accreditation.
19. An impact analysis of changes is conducted in which of the following configuration management process steps? a. Identify changes. b. Evaluate change request. c. Implement decisions. d. Implement approved change requests.
19. b. After initiating a change request, the effects that the change may have on a specific system or other interrelated systems must be evaluated. An impact analysis of the change is conducted in the “evaluate change request” step. Evaluation is the end result of identifying changes, deciding what changes to approve and how to implement them, and actually implementing the approved changes.
20. Additional testing or analysis may be needed in which of the following operational decision choices of the configuration management process? a. Approve b. Implement c. Deny d. Defer
20. d. In the “defer” choice, an immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later. On the other hand, the approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.
21. During the initiation phase of a system development life cycle (SDLC) process, which of the following tasks is not typically performed? a. Preliminary risk assessment b. Preliminary system security plans c. High-level security test plans d. High-level security system architecture
21. c. A security test plan, whether high level or low level, is developed in the development/acquisition phase. The other three choices are performed in the initiation phase.
22. Security controls are designed and implemented in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
22. b. Security controls are developed, designed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.
23. Product acquisition and integration costs are determined in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
23. b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.
24. A formal authorization to operate an information system is obtained in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Disposal
24. c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.
25. Which of the following gives assurance as part of a system’s security and functional requirements defined for an information system? a. Access controls b. Background checks for system developers c. Awareness d. Training
25. b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).
26. System users must perform which of the following when new security controls are added to an existing application system? a. Unit testing b. Subsystem testing c. Full system testing d. Acceptance testing
26. d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.
27. Periodic reaccreditation of a system is done in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
27. d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in the operation phase.
28. Which of the following tests is driven by system requirements? a. Black-box testing b. White-box testing c. Gray-box testing d. Integration testing
28. a. Black-box testing, also known as functional testing, executes part or all of the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Gray-box testing can be looked at as anything that is not tested in white-box or black-box testing. Integration testing is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.
29. System integration is performed in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
29. c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.
30. Formal risk assessment is conducted in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
30. b. Formal risk assessment is conducted in the development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.
31. Which of the following system development life cycle (SDLC) phases establishes an initial baseline of hardware, software, and firmware components for the information system? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
31. d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.
32. Controlling and maintaining an accurate inventory of any changes to an information system is possible due to which of the following? a. Configuration management and controls b. Continuous monitoring c. Security certification d. Security accreditation
32. a. Configuration management and controls, which are part of the system operation and maintenance phase, deal with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of the system implementation phase, whereas continuous monitoring is part of the operation and maintenance phase.
33. Which of the following does not facilitate self-assessments or independent security audits of an information system? a. Internal control reviews b. Penetration testing c. Developing security controls d. Security checklists
33. c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.
34. In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following optimizes the organization’s system needs within budget constraints? a. Fit-gap analysis b. Risk analysis c. Investment analysis d. Sensitivity analysis
34. c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization’s system needs within budget constraints. Fit-gap analysis identifies the differences between what is required and what is available, that is, how two things fit or how much gap there is between them. Risk analysis determines the amount of risk, and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.
35. In the preliminary risk assessment task of the system development life cycle (SDLC) initiation phase, integrity needs from a user’s or owner’s perspective are defined in terms of which of the following? a. Place of data b. Timeliness of data c. Form of data d. Quality of data
35. d. Integrity can be examined from several perspectives. From a user’s or application owner’s perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.
36. An in-depth study of the needs-determination for a new system under development is conducted in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
36. b. The requirements analysis task of the development phase of the SDLC is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high level of functionality in the initiation phase.
37. Which of the following should be conducted before the approval of system design specifications of a new system under development? a. Enterprise security architecture b. Interconnected systems c. Formal risk assessment d. System security specifications
37. c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.
38. Which of the following is often overlooked when determining the cost of a new system’s acquisition or development? a. Hardware b. Software c. Training d. Security
38. d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.
39. Which of the following is required when an organization uncovers deficiencies in the security controls employed to protect an information system? a. Develop preventive security controls. b. Develop a plan of action and milestones. c. Develop detective security controls. d. Modify ineffective security controls.
39. b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.
40. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following? a. Statement of work development b. Configuration management plan c. Contingency plan d. Incident response plan
40. a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.
41. In establishing a secure network, which of the following reflects the greatest need for restricting access via secure location? a. Transaction files b. Configuration files c. Work files d. Temporary files
41. b. Configuration files, system files, or files with sensitive information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don't need to be retained after their use is completed.
42. Which of the following occurs after delivery and installation of a new information system under acquisition? a. Unit testing b. Subsystem testing c. Full system testing d. Integration and acceptance testing
42. d. Integration and acceptance testing occurs after delivery and installation of the new information system. Unit, subsystem, and full system testing are not conducted for an acquired system but for an in-house developed system. Integration and acceptance testing is conducted for an acquired system.
43. Which of the following should be done prior to final system deployment for operation? a. Conduct a security certification process. b. Describe the known vulnerabilities in the system. c. Establish control verification techniques to provide confidence. d. Document the safeguards that are in place to protect the system.
43. a. Prior to final system deployment, a security certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security certification process.
44. The security accreditation decision reflects which of the following? a. Test-based decision b. Risk-based decision c. Evaluation-based decision d. Results-based decision
44. b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.
47. Which of the following is a good definition of security control monitoring?

a. Verifying the continued effectiveness of security controls over time
b. Verifying the continued efficiency of security controls over time
c. Verifying the development effectiveness of security controls over time
d. Verifying the planning effectiveness of security controls over time
47. a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security-control monitoring means verifying the continued effectiveness of those controls over time.
48. Which of the following statements is not true about a system development life cycle (SDLC) process?

a. Systems undergo improvements in technology.
b. Security plans evolve with the follow-on system.
c. There is a definitive end to an SDLC.
d. Many of the previous operational controls are relevant to the follow-on system.
48. c. Usually, there is no definitive end to an SDLC process because the system can become a legacy system for a long time, or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system. Many of the management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.
49. If there is a doubt as to whether sensitive information remains on a system, which of the following should be consulted before disposing of the system?

a. Information system owner
b. Information system security officer
c. Information owner
d. Certification and accreditation officer
49. b. Some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The other parties mentioned do not have a technical focus but instead have a business focus.
50. Which of the following is similar to security certification and accreditation?

a. Quality assurance
b. Quality control
c. Operational control
d. Management control
50. b. Quality control is similar to security certification and accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to-day procedures.
52. By accrediting an information system, an organization’s management official does which of the following?

a. Avoids the risks
b. Limits the risks
c. Accepts the risks
d. Transfers the risks
52. c. By accrediting an information system, an organization’s management official accepts the risks associated with operating the system and the associated security implications to the organization’s operations, assets, or individuals.
54. What should be in place prior to the security certification and accreditation process?

a. The security plan is analyzed.
b. The security plan is updated.
c. The security plan is accepted.
d. The security plan is developed.
54. d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must have been developed and in place.
55. Which of the following should occur prior to a significant change in the processing of an information system?

a. System recertification
b. System reaccreditation
c. System reauthorization
d. System reassessment
55. c. Reauthorization should occur prior to a significant change in the processing of an information system. A periodic review of controls should also contribute to future authorizations.
56. Effective control is achieved when configuration management control is established prior to the start of which of the following?

a. Requirements analysis
b. Design
c. Coding
d. Testing
56. b. The design phase translates requirements into a representation of the software. The design is placed under configuration management control before coding begins. Requirements analysis is incorrect because it focuses on gathering requirements to understand the nature of the programs to be built. The design must be translated into code-readable form. The coding step performs this task. Code is verified, for example, through the inspection process and put under configuration management control prior to the start of formal testing. After code is generated, program testing begins. The testing focuses on the logical internals of the software, ensuring that all statements have been tested, and on the functional externals; that is, conducting tests to uncover errors to ensure that the defined input can produce actual results that agree with required results.
57. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. System interconnection agreements
b. Security tests and evaluation results
c. Request for proposal
d. Plan of actions and milestones
57. c. The request for proposal development, evaluation, and acceptance are a part of other planning components in the development/acquisition phase of an SDLC. It is a part of project management activities. The other three choices are part of the security planning document.
58. A worm has infected a system. What should be the first step in handling the worm incident?

a. Analyze the host computer.
b. Disconnect the infected system.
c. Analyze the server.
d. Identify the worm’s behavior.
58. b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server’s operating system, such as looking for administrative-level user accounts and groups that may have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm’s behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.
59. A worm has infected a system. From a network traffic perspective, which of the following contains more detailed information?

a. Network-based IDS and firewalls
b. Routers
c. Host-based IDS and firewalls
d. Remote access servers
59. c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software was configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs’ integrity is not in doubt). Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access servers may record information similar to that logged by network-based firewalls.
60. Media sanitization activity is usually most intense during which of the following phases of the system development life cycle (SDLC)?

a. Development/acquisition
b. Implementation
c. Operation/maintenance
d. Disposal
60. d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.
61. The security certification assessor is involved with which of the following activities?

a. System development
b. System controls
c. System implementation
d. System operations
61. b. The security certification assessor is involved in assessing security controls in an information system to provide an unbiased opinion. The assessor’s independence implies that he is not involved in the information system development, implementation, or operation.
63. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist in analyzing routers?

a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
63. c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are good at analyzing routers, at analyzing network traffic using packet sniffers, and at finding misconfigurations. The roles of the administrators in the other three choices are different because of separation of duties, independence, and objectivity considerations.
64. Which of the following is not a part of software and information integrity for commercial off-the-shelf application security?

a. Parity checks
b. Cyclical redundancy checks
c. Failed security tests
d. Cryptographic hashes
64. c. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
65. Attackers can exploit which of the following flaws to access user accounts, view sensitive files, or use unauthorized functions?

a. Broken access control
b. Unvalidated input
c. Broken authentication
d. Cross-site scripting flaws
65. a. When restrictions on what authenticated users are allowed to do are not properly enforced, it leads to broken access control vulnerability in Web applications. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.
66. What do you call an attacker who can embed malicious commands in application parameters resulting in an external system executing those commands on behalf of the Web application?

a. Buffer overflows
b. Injection flaws
c. Denial-of-service
d. Improper error handling
66. b. Web applications pass parameters when they access external systems or the local operating system. Injection flaws occur when an attacker can embed malicious commands in these parameters; the external system may execute those commands on behalf of the Web application. The other three choices do not apply here because they do not embed malicious commands.
67. Both black-box and white-box testing are performed during which of the following?

a. Unit testing
b. Integration testing
c. System testing
d. Acceptance testing
67. a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, that is, black box and white box. Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware. System testing is incorrect because it comes after completion of the integration tests. It tests the completely integrated system and validates that the software meets its requirements. Acceptance testing is incorrect because it comes after completion of integration tests. It is testing of user requirements in an operational mode conducted by end users and computer operations staff.
68. If manual controls over program changes were weak, which of the following would be effective?

a. Automated controls
b. Written policies
c. Written procedures
d. Written standards
68. a. In general, automated controls compensate for the weaknesses in or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.
69. Which of the following defines a management’s formal acceptance of the adequacy of an application system’s security?

a. System certification
b. Security certification
c. System accreditation
d. Security accreditation
69. c. System accreditation is a management’s formal acceptance of the adequacy of an application system’s security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement. System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements. Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications. Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls. A system certification is conducted first and system accreditation is next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.
70. Which of the following is a nonresident virus?

a. Master boot sector virus
b. File infector virus
c. Macro virus
d. Boot-sector infector
70. c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not in disks.
72. Most Trojan horses can be prevented and detected by which of the following?

a. Removing the damage
b. Assessing the damage
c. Installing program change controls
d. Correcting the damage
72. c. Most Trojan horses can be prevented and detected by a strong program change control in which every change is independently examined before being put into use. After a Trojan horse is detected, the cure is to remove it. Next, try to find all the damage it has done and correct that damage.
73. From a risk analysis viewpoint, what does the major vulnerable area in a computer application system include?

a. Internal computer processing
b. System inputs and outputs
c. Telecommunications and networks
d. External computer processing
73. b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.
74. Which of the following is most likely to be tampered with or manipulated?

a. Configuration file
b. Password file
c. Log file
d. System file
74. c. A log file is most likely to be tampered (manipulated) with either by insiders or outsiders because it contains unsuccessful login attempts or system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.
75. Which of the following software assurance processes is responsible for ensuring that any changes to software outputs during the system development process are made in a controlled and complete manner?

a. Software configuration management processes
b. Software project management processes
c. Software quality assurance processes
d. Software verification and validation processes
75. a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner. The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high level policy for quality, and it cites policies and regulations. The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes. The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. 
SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other system components.
76. The Reference Monitor concept is which of the following?

a. It is dependent on mandatory access control policy.
b. It is independent of any access control policy.
c. It is independent of role-based access control policy.
d. It is dependent on discretionary access control policy.
76. b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.
78. Security certification is made in support of which of the following?

a. Security accreditation
b. Management controls
c. Operational controls
d. Technical controls
78. a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.
79. Which of the following is not one of the primary goals of certification and accreditation of information systems?

a. To enable consistent assessment of security controls
b. To promote a better understanding of organization-wide risks
c. To deliver reliable information to management
d. To conduct reaccreditation reviews periodically
79. d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.
80. The security accreditation phase does not contain which of the following?

a. System security plan
b. System security assessment report
c. Plan of actions and milestones
d. Security impact analyses
80. d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.
81. Which of the following is not a usual common error or vulnerability in information systems?

a. Encryption failures
b. Buffer overflows
c. Format string errors
d. Failing to check input for validity
81. a. Usually, encryption algorithms do not fail, because they are extensively tested, and encryption keys are getting longer, making them more difficult to break. Many errors recur, including buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.
82. Which of the following is not the responsibility of the configuration manager?

a. Documenting the configuration management plan
b. Approving, denying, or deferring changes
c. Evaluating configuration management metric information
d. Ensuring that an audit trail of changes is documented
82. c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.
84. Which of the following levels of the software capability maturity model (CMM) is the most basic in establishing discipline and control in the software development process?

a. Initial level
b. Defined level
c. Repeatable level
d. Managed level
84. c. The Software Engineering Institute (SEI) is a nationally recognized, federally funded research and development center established in the United States to address software development issues. It developed a process maturity framework that would help organizations improve their software development process. In general, the CMM serves as an indicator of the likely range of cost, schedule, and quality results to be achieved by system development projects within an organization. In the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. The other three choices are not applicable because the correct answer is based on the definition of CMM levels.
85. An unauthorized user has successfully accessed a computer-based application system. Which of the preventive controls has failed to work?

a. Compatibility tests
b. Validity checks
c. Security label checks
d. Confidentiality tests
85. a. As a part of preventive controls, compatibility tests are used to determine whether an acceptable user is allowed to proceed in the system. This test focuses on passwords, access rules, and system privileges. A validity check is incorrect because it tests for the accuracy of codes such as state, tax rates, and vendor number. A security label check is incorrect because it tests for the specific designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. A confidentiality test is incorrect because it ensures that data is disclosed only to authorized individuals.
86. In a distributed computing environment, replicated servers could have a negative impact on which of the following?

a. Fault-tolerant mechanisms
b. Availability
c. Scalability
d. Recoverability
86. c. Just as replication complicates concurrency control, it can affect scalability. The major concern in scalability is determining the effect of increased scale on client performance. Additional storage sites increase the amount of work servers must do to maintain a consistent state of the file system. Similarly, clients in a replicated file system may have more work to do when they make file updates. For this reason, both clients and servers share portions of system management work. Fault-tolerant mechanisms, availability, and recoverability are incorrect. Replicated servers have a positive impact on system availability and recoverability. If the primary server fails, the replicated server takes over, thus making the system available to system users. Recovery protocols help both servers and clients recover from system failures. Fault-tolerant mechanisms such as disk mirroring and disk duplexing help in recovering from a system failure. They all have a positive effect.
87. Which of the following statements about expert systems is not true?

a. Expert systems are aimed at solving problems using an algorithmic approach.
b. Expert systems are aimed at solving problems that are characterized by irregular structure.
c. Expert systems are aimed at solving problems characterized by incomplete information.
d. Expert systems are aimed at solving problems characterized by considerable complexity.
87. a. Expert systems are aimed at problems that cannot always be solved using a purely algorithmic approach. These problems are often characterized by irregular structure, incomplete or uncertain information, and considerable complexity.
88. In the context of expert systems, a heuristic is not a:

a. Rule of thumb
b. Known fact
c. Known procedure
d. Guaranteed procedure
88. d. A heuristic is a rule of thumb, a known fact, or even a known procedure that can be used to solve some problems, but it is not guaranteed to do so. It may fail. Heuristics can be conveniently regarded as simplifications of comprehensive formal descriptions of real-world systems. These heuristics are acquired through learning and experience.
89. The architecture of an expert system does not include which one of the following?

a. Knowledge base
b. Computing environment
c. Inference engine
d. End user interface
89. b. The computing environment consists of hardware, programming languages, editors and compilers, file management facilities, browsing program code, debugging and tracing program execution, and graphic programming. This computing environment is outside the expert systems architecture because it can change from one organization to another. On the other hand, knowledge base, inference engine, and end user interface are integral parts of expert systems architecture. Knowledge is stored in the knowledge base using symbols and data structures to stand for important concepts. The symbols and data structures are said to represent knowledge. A software module called the inference engine executes inference procedures. If the user of the expert system is a person, communications with the end user are handled via an end user interface.
90. Expert systems differ from conventional systems in all the following except:

a. Expert system knowledge is represented declaratively.
b. Expert system computations are performed through symbolic reasoning.
c. Expert system knowledge is combined into program control.
d. Expert systems can explain their own actions.
90. c. Expert system programs differ from conventional systems in four important ways. First, knowledge is separated from program control; the knowledge base and inference engine are separate. Second, knowledge is represented declaratively. Third, expert systems perform computation through symbolic reasoning. And finally, expert systems can explain their own actions.
91. Which of the following categories of problem-solving activity is best suited to expert systems?

a. Tasks based on a limited domain
b. Tasks based on common sense knowledge
c. Tasks requiring perceptual knowledge
d. Tasks based on creativity
91. a. The size of completed expert systems is often large, consisting of hundreds or thousands of rules. If the task is too broad, the development effort may take an inordinate amount of time, or even be impossible. Two important guidelines for evaluating the scope and size of the problem are that the task must be narrowly focused and that the task should be decomposable. In other words, expert system tasks should be based on a limited domain. The other three choices are areas to avoid for expert system methods. These include (i) tasks based on common sense, (ii) tasks requiring perceptual (seeing or touching) knowledge, and (iii) tasks requiring creativity. People, not expert systems, are creative.
92. Which of the following statements is not true about artificial neural networks (ANNs)?

a. The intention of ANNs is to replicate the workings of the human brain.
b. The goal of ANNs is to develop computers that can learn from experience.
c. ANNs have a capacity to generalize.
d. ANNs complement the existing design of computers.
92. a. The intention is not to replicate the workings of the human brain but to use a simple model to see if some of the strengths of the human brain can be shown by computers based on that model. An important goal is to develop computers that can learn from experience. In the process of learning from experience, ANNs show a capacity to generalize. That is, recognizing a new problem as being “close” to the one they know and offering the same solution. ANNs are not meant to replace or supersede the existing design of computers. They are meant to complement them.
454
93. Defining roles and responsibilities is important in identifying infected hosts with malware incidents. Which of the following groups can assist with host scans? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
93. a. Organizations should identify which individuals or groups can assist in infection identification efforts. Security administrators are good at analyzing host scans along with antivirus software, intrusion prevention system (IPS) software, firewalls, and vulnerability assessment results.
455
95. System performance is monitored in which of the following system development life cycle (SDLC) phases? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
95. d. During the operation/maintenance phase, the organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements and that all needed system modifications are incorporated into the system. Monitoring is done in the operation/maintenance phase of the SDLC because all the development work is completed, and the system should start delivering results. During the implementation phase, the system is tested and employees are trained, but the system is not yet in production, so there is no operational performance to monitor until the operation/maintenance phase.
456
96. In the needs-determination task of the system development life cycle (SDLC) initiation phase, which of the following is a significant cost driver? a. Performance requirements b. Assurance requirements c. Supportability requirements d. Functional requirements
96. b. System assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. Information security needs should address the appropriate level of assurance because this is a significant cost driver. The higher the assurance level required, the higher the cost and vice versa. Usually, investment analysis is structured to translate system needs and mission into high-level performance, assurance, functional, and supportability requirements. However, the assurance requirements are the significant cost driver because it integrates all the other requirements at the highest level.
457
97. The security-planning document created in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following? a. Security awareness and training plan b. Contracting plans and processes c. Rules of behavior d. Risk assessment
97. b. The development and execution of necessary contracting plans and processes are a part of other planning components in the development/acquisition phase of an SDLC. The other three choices are part of the security-planning document.
458
98. The security accreditation decision does not exclusively depend on which of the following? a. Verified effectiveness of security controls b. Completed security plan c. Security test and evaluation results d. Plan of actions and milestones
98. c. The authorizing official in charge of the security accreditation process relies primarily on the other three choices, but not exclusively on the security test and evaluation results produced during the security control verification process. The authorizing official pays more attention to the other three choices because of their significance.
459
100. Configuration management change control and auditing takes place in which of the following system development life cycle (SDLC) phases? a. Initiation b. Acquisition/development c. Implementation d. Operation/maintenance
100. d. Configuration management change control and auditing takes place in the operation/maintenance phase of the SDLC. The phases in the other three choices are too early for this activity to take place.
460
101. Security impact analyses are performed in which of the following configuration management processes? a. Baseline configuration b. Configuration change control c. Monitoring configuration changes d. Configuration settings
101. c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.
461
103. Reconciliation routines in application systems are a part of which of the following? a. Authorization controls b. Integrity or validation controls c. Access controls d. Audit trail mechanisms
103. b. Integrity or validation controls, which are a part of technical control, include reconciliation routines in application systems. Authorization and access controls, which are a part of technical control, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.
462
104. Which of the following is the most effective approach in identifying infected hosts with malware incidents and in striking a balance between speed, accuracy, and timeliness? a. Forensic identification b. Active identification c. Manual identification d. Multiple identifications
104. d. Malware is malicious software and malicious code. In many cases, it is most effective to use multiple identification approaches simultaneously or in sequence to provide the best results for striking a balance between speed, accuracy, and timeliness. Multiple approaches are especially useful for incidents with several components, such as a malicious code infection that leads to unauthorized access to one host, which is then used to gain unauthorized access to additional hosts or to launch DoS and DDoS attacks. Forensic identification is effective when data is recent; although, the data might not be comprehensive. Active identification produces the most accurate results; although, it is often not the fastest way of identifying infections due to scanning every host in an organization. Manual identification is not feasible for comprehensive enterprise-wide identification, but it is a necessary part of identification when other methods are not available and can fill in gaps when other methods are insufficient.
463
105. Traditionally, which of the following malware attacker tools is the hardest to detect? a. Backdoors b. Rootkits c. Keystroke loggers d. Tracking cookies
105. b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.
464
106. Which of the following virus obfuscation techniques is difficult for antivirus software to overcome? a. Self-encryption b. Polymorphism c. Metamorphism d. Stealth
106. c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption where the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth virus is incorrect because it uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.
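To make the distinction in 106 concrete, here is an added toy model (written for this page, not taken from the original or from any antivirus product): a harmless pseudo-instruction "body", three obfuscated forms of it, and two scanners. The toy instruction set, the `DECRYPT key=...;` stub format, the rewrite table and the two signatures are all constructed assumptions.

```python
"""Toy model of virus obfuscation versus signature scanning (added example).

The "virus" is a list of harmless pseudo-instruction strings in a made-up
instruction set; nothing here is real code. The scanners match byte
signatures the way the card describes.
"""
import random

# Constructed body: four toy instructions.
BODY = ["mov a,1", "add a,2", "mov b,a", "jmp done"]

# Semantically equivalent rewrites a metamorphic engine might pick (toy assumption).
# None of them reproduces the original text, so every generation differs.
REWRITES = {
    "mov a,1": ["xor a,a;inc a", "mov a,0;add a,1"],
    "add a,2": ["inc a;inc a", "add a,1;add a,1"],
    "mov b,a": ["push a;pop b", "xor b,b;or b,a"],
    "jmp done": ["jmp done"],  # no known equivalent, kept verbatim
}

STUB_PREFIX = b"DECRYPT key="  # assumed decryptor-stub marker, followed by hex key and ';'


def encode(body):
    return ";".join(body).encode()


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def self_encrypting_sample(key=b"K"):
    """Fixed key and fixed decryptor: every copy is byte-identical."""
    return STUB_PREFIX + key.hex().encode() + b";" + xor(encode(BODY), key)


def polymorphic_sample(rng):
    """Fresh key and junk-padded decryptor each generation; the body is unchanged underneath."""
    key = bytes(rng.randrange(1, 256) for _ in range(4))
    junk = b"NOP;" * rng.randrange(0, 5)
    return junk + STUB_PREFIX + key.hex().encode() + b";" + xor(encode(BODY), key)


def metamorphic_sample(rng):
    """Rewrite the body itself: no encryption and no constant plaintext to recover."""
    return encode([rng.choice(REWRITES[ins]) for ins in BODY])


def static_scan(sample, signature):
    """What a plain string-signature scanner does."""
    return signature in sample


def emulating_scan(sample, plaintext_signature):
    """Run the decryptor stub first, then match the recovered body."""
    i = sample.find(STUB_PREFIX)
    if i >= 0:
        j = sample.index(b";", i)
        key = bytes.fromhex(sample[i + len(STUB_PREFIX):j].decode())
        sample = xor(sample[j + 1:], key)
    return plaintext_signature in sample


# Signatures a vendor would extract from the one captured sample (toy).
KNOWN = self_encrypting_sample()
STATIC_SIG = KNOWN[-16:]            # ciphertext bytes, as a naive scanner stores them
PLAINTEXT_SIG = b"mov a,1;add a,2"  # body bytes, matched only after emulated decryption


def demo(seed=7):
    """Return {variant: (static_scan hit, emulating_scan hit)} for one generation each."""
    rng = random.Random(seed)
    samples = {
        "self-encrypting": self_encrypting_sample(),
        "polymorphic": polymorphic_sample(rng),
        "metamorphic": metamorphic_sample(rng),
    }
    return {name: (static_scan(s, STATIC_SIG), emulating_scan(s, PLAINTEXT_SIG))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (static_hit, emu_hit) in demo().items():
        print(f"{name:16s} static={static_hit!s:5s} emulating={emu_hit}")
```

`static_scan()` catches only the self-encrypting copy, because with a fixed key its bytes never change. The polymorphic copy changes key and decryptor padding per generation, so the static signature fails, but `emulating_scan()` runs the stub, recovers the unchanged body and matches it; that is why the card says self-encryption and polymorphism are handled effectively. The metamorphic copy has no constant body to recover, so neither scanner matches it, and defeating it would require recognising every equivalent rewrite, which is the difficulty the card describes.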
465
107. The goal of which of the following virus obfuscation techniques is to prevent analyzing the virus’s functions through disassembly? a. Armoring b. Tunneling c. Self-decryption d. Metamorphism
107. a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus’s functions through disassembly (i.e., reverse engineering technique), traces, and other means. Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software. Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.
466
112. A proactive role to protect an organization from computer related failures, malfunctions, or disasters is to: a. Train every employee in the emergency procedures. b. Conduct fire drills regularly every month. c. Train all IT staff in file rotation procedures. d. Incorporate recovery requirements into system design.
112. d. Incorporation of recovery requirements into system design can provide automatic backup and recovery procedures. This helps to prepare for disasters in a timely manner. Training every employee in emergency procedures is incorrect because it does not guarantee that they can respond to a disaster in an optimal manner when needed. Conducting fire drills regularly every month is incorrect because the scope of fire drill may not address all possible scenarios. Disaster recovery goes beyond fire drills; although, the fire drill is a good practice. Training all IT staff in file rotation procedures is incorrect because only key people need to be trained.
467
116. Which of the following application settings used to prevent malware incidents will not stop phishing and spyware delivery? a. Filtering spam b. Filtering website content c. Restricting macro use d. Blocking Web browser pop-up windows
116. c. Applications such as word processors and spreadsheets often contain macro languages; macro viruses take advantage of this. Most common applications with macro capabilities offer macro security features that permit macros only from trusted locations or prompt the user to approve or reject each attempt to run a macro. Restricting macro use cannot stop phishing and spyware delivery. Filtering spam is incorrect because spam is often used for phishing and spyware delivery (for example, Web bugs often are contained within spam), and it sometimes contains other types of malware. Using spam filtering software on e-mail servers or clients or on network-based appliances can significantly reduce the amount of spam that reaches users, leading to a corresponding decline in spam-triggered malware incidents. Filtering website content is incorrect because website content-filtering software contains lists of phishing websites and other sites that are known to be hostile (i.e., attempting to distribute malware to visitors). The software can also block undesired file types, such as by file extension. Blocking Web browser pop-up windows is incorrect because some pop-up windows are crafted to look like legitimate system message boxes or websites and can trick users into going to phony websites, including sites used for phishing, or authorizing changes to their systems, among other malicious actions. Most Web browsers can block pop-up windows; others can do so by adding a third-party pop-up blocker to the Web browser.
468
115. Which of the following is not an example of a vulnerability mitigation technique for malware? a. Patch management b. Antivirus software c. Least privilege d. Host hardening measures
115. b. Antivirus software is an example of a threat mitigation technique for malware. Antivirus software, spyware detection and removal utility software, intrusion prevention systems, firewalls and routers, and application settings are security tools that can mitigate malware threats. Malware often attacks systems by exploiting vulnerabilities in operating systems, services, and applications. Vulnerabilities can usually be mitigated by patch management, least privilege, and host hardening measures.
469
117. Which of the following is not a secondary source for malware incident detection? a. Antivirus software b. Firewall log files c. Network-based IPS sensors d. Capture files from packet sniffers
117. a. Antivirus software is the primary source of data for malware incident detection. Examples of secondary sources include (i) firewall and router log files, which might show blocked connection attempts, (ii) log files from e-mail servers and network-based IPS sensors, which might record e-mail headers or attachment names, (iii) packet capture files from packet sniffers, network-based IPS sensors, and network forensic analysis tools, which might contain a recording of malware related network traffic. Host-based IPS is also a secondary source.
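As an added illustration of the secondary sources in 117 (example code written for this page, not from any product or from the original): a detector that reads constructed firewall DROP records and flags a host whose blocked connection attempts fan out to many distinct destinations on one port within a short window, the pattern a scanning worm leaves in firewall logs even before an antivirus signature exists. The syslog-style line format, host names and addresses are made up for the example.

```python
"""Worm-scan detection over firewall log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt: one internal host (10.1.4.23) is fanning out to TCP/445,
# one host retries a single blocked destination, one host touches two targets.
SAMPLE_LOG = """\
Mar 10 09:01:02 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.1 PROTO=TCP DPT=445
Mar 10 09:01:05 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.2 PROTO=TCP DPT=445
Mar 10 09:01:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.4.50 DST=10.1.5.7 PROTO=TCP DPT=443
Mar 10 09:01:12 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.3 PROTO=TCP DPT=445
Mar 10 09:01:20 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.50 DST=10.1.5.7 PROTO=TCP DPT=80
Mar 10 09:01:25 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.4 PROTO=TCP DPT=445
Mar 10 09:01:31 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.5 PROTO=TCP DPT=445
Mar 10 09:01:40 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.6 PROTO=TCP DPT=445
Mar 10 09:01:55 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.50 DST=10.1.5.7 PROTO=TCP DPT=80
Mar 10 09:02:10 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=10.1.5.1 PROTO=TCP DPT=445
Mar 10 09:02:15 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.77 DST=10.1.5.2 PROTO=TCP DPT=445
Mar 10 09:05:00 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=10.1.5.9 PROTO=TCP DPT=445
"""

# Assumed record layout; only blocked (DROP) connection attempts are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ DROP .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Return (timestamp, src, dst, proto, dport) tuples for every DROP record."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted traffic or another format: not a blocked attempt
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_scanners(events, min_targets=5, window_seconds=60):
    """Map (src, proto, dport) -> max distinct destinations hit within one window.

    A host that is blocked while reaching many different destinations on the
    same service port inside a short window looks like worm propagation;
    a host retrying one destination does not.
    """
    by_key = defaultdict(list)
    for ts, src, dst, proto, dpt in events:
        by_key[(src, proto, dpt)].append((ts, dst))
    hits = {}
    for key, evs in by_key.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                hits[key] = max(len(targets), hits.get(key, 0))
    return hits


if __name__ == "__main__":
    for (src, proto, dpt), n in find_scanners(parse(SAMPLE_LOG)).items():
        print(f"possible worm scanning: {src} -> {n} hosts on {proto}/{dpt}")
```

Thresholds are deployment-specific; the values here are illustrative. The same shape of logic applies to router logs and to connection records from network-based IPS sensors, the other secondary sources the card lists.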
470
118. In the application security environment, system or network transparency is achieved through which of the following security principles? a. Process isolation and hardware segmentation b. Abstraction and accountability c. Security kernel and reference monitor d. Complete mediation and open design
118. a. Transparency is the ability to simplify the task of developing management applications, hiding distribution details. There are different aspects of transparency such as access failure, location, migration replication, and transaction. Transparency means the network components or segments cannot be seen by insiders and outsiders, and that actions of one user group cannot be observed by other user groups. Transparency is achieved through process isolation and hardware segmentation principles. The principle of process isolation or separation is employed to preserve the object’s wholeness and subject’s adherence to a code of behavior. It is necessary to prevent objects from colliding or interfering with one another and to prevent actions of active agents (subjects) from interfering or colluding with one another. The principle of hardware segmentation provides hardware transparency when hardware is designed in a modular fashion and yet interconnected. A failure in one module should not affect the operation of other modules. Similarly, a module attacked by an intruder should not compromise the entire system. System architecture should be arranged so that vulnerable networks or network segments can be quickly isolated or taken offline in the event of an attack. Examples of hardware that need to be segmented include network switches, physical circuits, and power supply equipment. The abstraction principle is related to stepwise refinement and modularity of programs. As the software design evolves, each level of module in a program structure represents a refinement in the level of software abstraction. Abstraction is presented in levels, where a problem is defined and a solution is stated in broad terms at the highest level of abstraction (during requirements and analysis phases) and where source code is generated at the lowest levels of abstraction (during programming phase). The accountability principle holds an individual responsible for his actions. 
From this principle, requirements are derived to uniquely identify and authenticate the individual, to authorize his actions within the system, to establish a historical track record or account of these actions and their effects, and to monitor or audit this historical account for deviations from the specified code of action. The security kernel principle is the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The principle of a reference monitor is the primary abstraction enabling an orderly evaluation of a standalone computer system with respect to its abilities to enforce both mandatory and discretionary access controls. The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control, during all functional phases (for example, normal operation and maintenance). Also stressed are reliable identification of access request sources and reliable maintenance of changes in authority. The principle of open design stresses that design secrecy or reliance on user ignorance is not a sound basis for secure systems. Open design enables open debate and inspection of the strengths, or origins of a lack of strength, of that particular design. Secrecy can be implemented through the use of passwords and cryptographic keys, instead of secrecy in design.
471
119. Which of the following is a reactive countermeasure in defending against worms? a. Packet filtering firewalls b. Stack guarding c. Virus scanning tool d. Virtual machine
119. c. Virus scanners, one of the reactive (detective) countermeasures, search for “signature strings” or use algorithmic detection methods to identify known viruses. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Packet-filtering firewalls block all incoming traffic except what is needed for the functioning of the network. Stack guarding prevents worms from gaining increased privileges on a system. A virtual machine prevents potentially malicious software from using the operating system for illicit actions.
472
120. Which of the following is better for training IT staff in malware incident handling? a. Use an isolated test system. b. Use an infected production system. c. Keep the test system and the production system physically separate. d. Keep the test system and the production system logically separate.
120. a. Malware test systems and environments are helpful not only for analyzing current malware threats without the risk of inadvertently causing additional damage to the organization, but also for training staff in malware incident handling. An infected production system or a disk image of an infected production system could also be placed into an isolated test environment. Physical separation may not be possible at all times; although, logical separation might be possible. Both physical and logical separation are important but not as important as using an isolated test system.
473
121. Which of the following is not part of malware incident detection and analysis phase? a. Understanding signs of malware incidents b. Acquiring tools and resources c. Identifying malware incident characteristics d. Prioritizing incident response
121. b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.
474
122. Which of the following statements is true about application software testing? a. Basic testing equals black-box testing. b. Comprehensive testing equals black-box testing. c. Basic testing equals gray-box testing. d. Comprehensive testing equals focused testing.
122. a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing. Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white-box testing. Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Focused testing is also known as gray-box testing.
475
123. Which of the following cannot handle the complete workload of a malware incident and cannot ensure a defense-in-depth strategy? a. Antivirus software b. E-mail filtering c. Network-based intrusion prevention system software d. Host-based IPS software
123. a. In a widespread incident, if malware cannot be identified by updated antivirus software, or updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across multiple components. Antivirus software alone cannot ensure defense in-depth strategy. Automated detection methods other than antivirus software are needed to ensure defense-in-depth strategy. These detection methods include e-mail filtering, network-based intrusion prevention system (IPS) software, and host-based IPS software.
476
125. Which of the following is true about a stealth virus? a. It is easy to detect. b. It is a resident virus. c. It can reveal file size increases. d. It doesn’t need to be active to show stealth qualities.
125. b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus typically does not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.
477
126. Which of the following is not a common tool for eradication of malware from an infected host? a. Antivirus software b. Spam-filtering software c. Spyware detection and removal utility software d. Patch management software
126. b. Spam-filtering software, whether host-based or network-based, is effective at stopping known email-based malware that uses the organization’s e-mail services and is effective at stopping some unknown malware. The most common tools for eradication are antivirus software, spyware detection and removal utility software, patch management software, and dedicated malware removal tool.
478
131. All the following are characteristics of a managed environment dealing with malware prevention and handling except: a. Installing antivirus software b. Requiring administrator-level privileges to end users c. Using deny-by-default policies d. Applying software patches
131. b. Requiring administrator-level privileges is a characteristic of a non-managed environment, where system owners and users have substantial control over their own systems. Owners and users can alter system configurations, making security weak. In a managed environment, one or more centralized groups have substantial control over the server and workstation operating system and application configurations across the enterprise. Recommended security practices include installing antivirus software on all hosts and keeping it up to date, using deny-by-default policies on firewalls, and applying patches to operating systems and applications. These practices enable a consistent security posture to be maintained across the enterprise.
479
132. Which of the following is required to control the actions of mobile code, stationary code, or downloaded code? a. Technical controls b. Administrative controls c. Behavioral controls d. Physical controls
132. c. Conceptually, behavioral controls can be viewed as a software cage or quarantine mechanism that dynamically intercepts and thwarts attempts by the subject code to take unacceptable actions that violate policy. As with firewalls and antivirus products, methods that dynamically restrain mobile code were born out of necessity to supplement existing mechanisms, and represent an emerging class of security product. Such products are intended to complement firewall and antivirus products that respectively block network transactions or mobile code based on predefined signatures (i.e., content inspection), and may refer to methods such as dynamic sandboxes, dynamic monitors, and behavior monitors, used for controlling the behavior of mobile code. In addition to mobile code, this class of product may also be applicable to stationary code or downloaded code whose trustworthiness is in doubt. Technical controls, administrative controls, and physical controls are incorrect because they are not as strong as behavioral controls for combating mobile code.
480
133. Which of the following is basic, low-privilege access to a computer? a. Application access b. Administrative access c. Privileged access d. Root access
133. a. Application access is basic, low-privilege access. It may include access to data entry, data update, data query, data output, or report programs. Administrative access, privileged access, and root access are advanced levels of access to a computer system that include the ability to perform significant configuration changes to the computer’s operating system.
481
134. Assume that a new computer worm is released that can spread rapidly and damage any computer in an organization unless it is stopped. The organization has 1,000 computers, the budget for in-house technical support is $500,000 per year, and the budget for outsourced technical support is $600,000. It takes an average of 4 hours for one technical support worker to rebuild a computer at a rate of $70 per hour for wages and benefits. What is the total cost for not mitigating the worm release? a. $280,000 b. $500,000 c. $560,000 d. $600,000
134. c. The cost not to mitigate = W × T × R, where W is the number of computers or workstations, T is the time spent fixing systems plus lost user productivity, and R is the hourly rate of time spent or lost. During downtime, the computer owner or user is without a computer to do his work, which should be added to the time required to rebuild a computer. This is translated into $560,000 (i.e., 1,000 computers × 8 hours × $70 per hour). $280,000 is incorrect because it fails to take into account the lost user productivity time. This is translated into $280,000 (i.e., 1,000 computers × 4 hours × $70 per hour). $500,000 is incorrect because it assumes the budget for in-house technical support. $600,000 is incorrect because it assumes the budget for outsourced technical support.
482
135. What is the major principle of configuration management? a. To reduce risks to data confidentiality b. To reduce risks to data integrity c. To reduce risks to data availability d. To provide repeatable mechanism for effecting system changes
135. d. The major principle of configuration management is to provide a repeatable mechanism for effecting system modifications in a controlled environment. Achieving repeatable mechanism can automatically achieve the other three choices.
483
136. Which of the following refers to the Reference Monitor concept? a. It is a system access control concept. b. It is a system penetration concept. c. It is a system security concept. d. It is a system-monitoring concept.
136. a. The Reference Monitor concept is an access control concept that refers to an abstract computer mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.
484
137. Which of the following is a malicious code that replicates using a host program? a. Boot sector virus b. Worm c. Multi-partite virus d. Common virus
137. d. A common virus is a code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable. The boot-sector virus works during computer booting, where the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both sector and file infector viruses.
485
138. Which of the following is not an example of built-in security features? a. Authentication controls were designed during a system development process. b. Fail-soft security features were installed. c. Least-privilege principles were installed during the post implementation period. d. Fail-safe security features were implemented.
138. c. Built-in security means that security features are designed into the system during its development, not after. Any feature that is installed during post-implementation of a system is an example of built-on security, not built-in. Security and control features must be built in from a cost-benefit perspective.
486
139. An effective defense against new computer viruses does not include which of the following? a. Program change controls b. Virus scanning programs c. Integrity checking d. System isolation
139. b. Computer virus defenses are expensive to use, ineffective over time, and ineffective against serious attackers. Virus scanning programs are effective against viruses that have been reported and ineffective against new viruses or viruses written to attack a specific organization. Program change controls limit the introduction of unauthorized changes such as viruses. Redundancy can often be used to facilitate integrity. Integrity checking with cryptographic checksums in integrity shells is important to defend against viruses. System or equipment isolation to limit the spread of viruses is good, too.
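As an added example of the integrity checking with cryptographic checksums described in 139 (written for this page, not taken from the original or from any integrity-shell product): a keyed checksum baseline over a constructed set of program files, checked before a program is trusted. The file contents, paths and key are constructed assumptions. The contrast it shows is the reason the checksum has to be cryptographic and keyed: a virus that modifies a program is caught by either baseline, but an attacker who can also rewrite the baseline store can recompute plain hashes, while without the key the keyed digests cannot be forged.

```python
"""Integrity-shell style checksum baseline (added example, constructed data)."""
import hashlib
import hmac

# Constructed "filesystem": path -> bytes, standing in for real program files.
FILES = {
    "/usr/local/bin/report": b"#!/bin/sh\necho report\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar -czf /tmp/b.tgz /data\n",
}

# Assumption: the key lives where the attacker cannot read it (e.g. off-host or in an HSM).
INTEGRITY_KEY = b"operator-secret-key-kept-off-host"


def unkeyed_baseline(files):
    """Plain SHA-256 per file: detects accidental change, forgeable by anyone who can write the store."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def keyed_baseline(files, key=INTEGRITY_KEY):
    """HMAC-SHA256 per file: a matching tag cannot be produced without the key."""
    return {p: hmac.new(key, c, hashlib.sha256).hexdigest() for p, c in files.items()}


def check(files, baseline, key=None):
    """Return the sorted paths whose current digest differs from the baseline.

    An integrity shell would refuse to run any path returned here. A missing
    baseline entry counts as a mismatch so newly dropped programs are not trusted.
    """
    bad = []
    for p, c in files.items():
        if key is not None:
            d = hmac.new(key, c, hashlib.sha256).hexdigest()
        else:
            d = hashlib.sha256(c).hexdigest()
        if not hmac.compare_digest(d, baseline.get(p, "")):
            bad.append(p)
    return sorted(bad)


def infect(files, path, payload=b"\n# appended by toy virus\n"):
    """Constructed stand-in for a file infector: append bytes to one program."""
    new = dict(files)
    new[path] += payload
    return new


def scenario():
    """Run both baselines through two attacks and return what each check reports."""
    plain = unkeyed_baseline(FILES)
    keyed = keyed_baseline(FILES)
    infected = infect(FILES, "/usr/local/bin/report")

    # Attack 1: only the program is modified; the baseline store is intact.
    r1 = (check(infected, plain), check(infected, keyed, INTEGRITY_KEY))

    # Attack 2: the attacker also rewrites the baseline store to match the infected
    # files. Plain hashes can be recomputed; the keyed tags can only be guessed.
    forged_plain = {p: hashlib.sha256(c).hexdigest() for p, c in infected.items()}
    forged_keyed = {p: hmac.new(b"guess", c, hashlib.sha256).hexdigest() for p, c in infected.items()}
    r2 = (check(infected, forged_plain), check(infected, forged_keyed, INTEGRITY_KEY))
    return r1, r2


if __name__ == "__main__":
    (plain_hit, keyed_hit), (plain_forged, keyed_forged) = scenario()
    print("file modified, store intact:  plain", plain_hit, " keyed", keyed_hit)
    print("file and store both rewritten: plain", plain_forged, " keyed", keyed_forged)
```

In the first attack both baselines flag the modified program, which is all a virus scanner without a signature for the new virus cannot do. In the second attack the plain-hash check reports nothing, so the infection is invisible, while every keyed tag mismatches and the shell refuses to run anything, which is the failure-safe outcome.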
487
140. Which of the following fully characterizes an information system’s security? a. Confidentiality b. Integrity c. Assurance d. Availability
140. c. System assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the data and information it processes. For example, software assurance achieves trustworthiness and predictable execution. The three well-accepted and basic-level security objectives are confidentiality, integrity, and availability, and assurance can be considered an advanced-level security objective because the former culminate in the latter. What good is an information system that cannot provide full assurance with regard to its security?
488
141. Which of the following is an example of both preventive and detective control? a. Audit trails b. Antivirus software c. Policies and procedures d. Contingency plans
141. b. Antivirus software is a preventive control in that it stops a known virus from getting into a computer system. It is also a detective control because it notifies upon detecting a known virus. Audit trails are detective controls; policies and procedures are directive controls, whereas contingency plans are an example of recovery controls.
489
142. Which of the following statements dealing with security principles is not true when securing an application environment? a. Information security functions should be isolated from nonsecurity functions. b. Design for protection mechanisms should be simple and small in size. c. Similar security controls should be placed in series and in sequence to achieve a defense-in-depth strategy. d. Data-hiding techniques should be practiced during program testing and software maintenance.
142. c. Defending an information system requires safeguards to be applied throughout the system, as well as at points of entry. The selection and placement of security controls should be done in a way that progressively weakens or defeats all attacks. Having a series of similar controls in succession tends only to lengthen the duration of the attack, which is not good. Applying different types of controls that complement each other and are mutually supportive is a much more effective approach to achieving a defense-in-depth strategy. Although the capabilities of available safeguards may overlap to some extent, the combined effect should exceed the effects of each control used individually. The other three choices are true statements in achieving security in an application environment. The information system isolates security functions from nonsecurity functions via partitions and domains that control access to and protect the integrity of the hardware, software, and firmware that perform those security functions. Security functions should be kept separate from one another. The design of information systems and the design of protection mechanisms in those systems should be as simple as possible. Complexity is at the root of many security issues. The principle of data hiding is useful during program testing and software maintenance.
143. Security controls and audit trails should be built into computer systems in which of the following system development life cycle (SDLC) phases?
a. System initiation phase
b. System development phase
c. System implementation phase
d. System operation phase
143. b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users and system/security administrators develop the system controls and audit trails used during the operational phase.
144. Which of the following levels of the software capability maturity model deals with security requirements?
a. Initial level
b. Repeatable level
c. Defined level
d. Optimizing level
144. b. In the repeatable level of the software capability maturity model, system requirements are defined; these include security, performance, quality, and delivery dates. The purpose is to establish a common understanding between the customer and the software development project team. The other three choices are not correct because each level deals with specific requirements.
145. Which of the following is not a direct method to conduct data leakage attacks?
a. Trojan horse
b. Asynchronous attacks
c. Logic bombs
d. Scavenging methods
145. b. Data leakage is the removal of data from a system by covert means, and it might be conducted directly through the use of a Trojan horse, a logic bomb, or scavenging methods. Asynchronous attacks are indirect attacks on a computer program that act by altering legitimate data or code at a time when the program is idle and then causing the changes to be added to the target program at a later execution.
146. Which of the following infects both boot sectors and files?
a. Worm
b. Link virus
c. Multi-partite
d. Macro
146. c. Multi-partite viruses are a combination of both boot-sector and file-infector viruses, and can be spread by both methods. A worm is a self-replicating, self-contained program and does not require a host program. Link viruses manipulate the directory structure of the media on which they are stored, pointing the operating system to virus code instead of legitimate code. Macro viruses are stored in a spreadsheet or word processing document.
147. Countermeasures against hidden code attacks include which of the following?
1. Use war dialing software.
2. Use firewalls.
3. Use layered protections.
4. Disable active-content code.
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 4
147. c. Hidden code attacks are based on data and information. Using layered protections and disabling active-content code (for example, ActiveX and JavaScript) in the Web browser are effective controls against such attacks. War dialing software is good at detecting backdoor modems (a kind of trapdoor) but is not a defense against hidden code attacks. Firewalls are effective against spoofing attacks.
148. The scope of a functional configuration audit does not include which of the following?
a. Evaluation of change control
b. Testing of software product
c. Tracing of system requirements
d. Evaluation of test approach and results
148. a. Evaluation of change control is a part of the physical configuration audit, whereas the other choices are part of the functional configuration audit. The physical configuration audit provides an independent evaluation of whether components in the as-built version of the software map to the specifications of the software. Specifically, this audit is held to verify that the software and its documentation are internally consistent and ready for delivery. Activities typically planned and executed as part of the physical configuration audit include evaluation of product composition and structure, product functionality, and change control. The functional configuration audit provides an independent evaluation of configuration items to determine whether actual functionality and performance are consistent with the requirements specifications. Specifically, this audit is conducted prior to the software delivery to verify that all requirements specified in the requirements document have been met. Activities typically planned and executed as part of a functional configuration audit include testing of software products, tracing of system requirements from their initial specification through system testing, evaluation of the test approach and results attained, and evaluating the consistency between the baselined product elements.
149. Which of the following statements is not true about applets?
a. Applets are large application programs.
b. Applets are written mostly in Java language.
c. Applets are automatically downloaded.
d. Applets are small application programs.
149. a. Applets are small application programs, mostly written in the Java programming language, that are automatically downloaded and executed by applet-enabled Web browsers.
150. The contingency processes should be tested in which of the following phases of the system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
150. c. The contingency processes should be tested and maintained during the implementation phase of the SDLC. The capability to recover and reconstitute data should be considered during the initiation phase. Recovery strategies should be considered during the development phase. The contingency plan should be exercised and maintained during the operation/maintenance phase.
151. Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program code at a later date. What are these entry points called?
a. Logic bombs
b. Worms
c. Backdoors
d. Trojan horses
151. c. Backdoors are also called hooks and trapdoors. Logic bomb is incorrect because it is a program that triggers an unauthorized, malicious act when some predefined condition occurs. Worms are incorrect because they search the network for idle computing resources and use them to execute the program in small segments. Trojan horses are incorrect because a Trojan horse is a production program that has access to otherwise unavailable files and is changed by adding extra, unauthorized instructions. It disguises computer viruses.
152. Software vendors and contractors can install a backdoor entry into their own products or client’s computer systems. Which of the following are major risks arising from such installation?
a. Software disconnection and hacker entry
b. Remote monitoring and remote maintenance
c. Software disconnection and remote monitoring
d. Remote maintenance and hacker entry
152. a. Some vendors can install a backdoor or a trapdoor entry for remote monitoring and maintenance purposes. The good news is that the backdoor is a convenient approach to solve operational problems. The bad news is that the backdoor is wide open for hackers. Also, the vendor can modify the software at will without the user’s knowledge or permission. An unhappy vendor can disconnect a user from accessing the software as a penalty for nonpayment or disputes in payment. Access codes should be required for remote monitoring and maintenance.
153. A macro virus is most difficult to:
a. Prevent
b. Detect
c. Correct
d. Attach
153. b. A macro virus is associated with a word processing file, which can damage the computer system. Macro viruses pass through the firewall with ease because they are usually passed on as either an email message or simply downloaded as a text document. The macro virus represents a significant threat because it is difficult to detect. A macro virus consists of instructions in WordBasic, Visual Basic for Applications, or some other macro language, and resides in documents. Any application that supports macros that automatically execute is a potential platform for macro viruses. Now, documents are more widely shared through networks and the Internet than via disks.
154. Which of the following is most vulnerable to Trojan horse attacks?
a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control
154. a. Because the discretionary access control system restricts access based on identity, it carries with it an inherent flaw that makes it vulnerable to Trojan horse attacks. Most programs that run on behalf of a user inherit the discretionary access control rights of that user.
155. Which of the following is the best place to check for computer viruses?
a. Each computer
b. Each workstation
c. The e-mail server
d. Each network
155. c. Virus checkers monitor computers and look for malicious code. A problem is that virus-checking programs need to be installed at each computer, workstation, or network, thus duplicating the software at extra cost. The best place to use the virus-checking programs is to scan e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.
156. What do you call attacks that can disclose the end users’ session token and attack the local machine?
a. Broken access control
b. Unvalidated input
c. Broken authentication
d. Cross-site scripting flaws
156. d. In cross-site scripting (XSS) flaws, the Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.
157. A polymorphic virus uses which of the following?
a. Inference engine
b. Heuristic engine
c. Mutation engine
d. Search engine
157. c. Virus writers use a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes and to evade detection. The other three choices do not deal with the transformation process.
158. All the following techniques can help in achieving the process isolation security principle except:
a. Encapsulation
b. Naming distinctions
c. Virtual mapping
d. Security kernel
158. d. A security kernel is defined as the hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implement the reference monitor concept. A security kernel cannot achieve process isolation. Techniques such as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual mapping are used to implement the process isolation or separation principle. These separation principles are supported by incorporating the principle of least privilege.
159. Defining roles and responsibilities before security incidents occur is important for identifying hosts infected during malware incidents. Which of the following groups can primarily assist with changes in login scripts?
a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
159. d. Organizations should identify which individuals or groups can assist in infection identification efforts. Desktop administrators are good at identifying changes in login scripts, along with Windows Registry or file scans, and good at implementing changes in login scripts. The roles of the other three administrators are different from the separation of duties, independence, and objectivity viewpoints.
160. Which of the following is a reactive countermeasure in defending against worms?
a. Integrity checkers
b. Software patching
c. Host firewalls
d. Stateful firewalls
160. b. Software patching, being one of the reactive (detective) countermeasures, is mostly done after a vulnerability or programming/design error is discovered. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Integrity checkers keep cryptographic hashes of known good instances of files so that integrity comparisons can be made at any time. Host firewalls enforce rules that define the manner in which specific applications may use the network. Stateful firewalls keep track of network connections and monitor their state.
161. Which of the following is an effective means of preventing and detecting computer viruses coming from outside into a network?
a. Install an antivirus program on the network.
b. Install an antivirus program on each personal computer.
c. Certify all removable media disks prior to their use.
d. Train all employees about potential risks.
161. c. It is a common practice for some organizations to certify all removable media disks coming into the organization from outside prior to their use. This is done by a centralized group for the entire location and requires testing the disk for possible inclusion of viruses. The other three choices are effective as internal protection mechanisms against viruses.
162. All the following are examples of measures to defend against computer viruses except:
a. Access controls
b. Audit trails
c. Passwords
d. Least privilege principle
162. c. Passwords are administrative controls, whereas access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions, so security events can be traced to the actions of a specific individual. To fully implement an audit trail program, audit reduction and analysis tools are also required. Least privilege is a concept that deals with limiting damage through the enforcement of separation of duties. It refers to the principle that users and processes should operate with no more privileges than those needed to perform the duties of the role they are currently assuming.
163. Which of the following security principles balances variables such as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and opportunities involved in a successful compromise of security features?
a. Compromise recording
b. Work factor
c. Psychological acceptability
d. Least common mechanism
163. b. The goal of the work factor principle is to increase an attacker’s work factor in breaking an information system’s or a network’s security features. The amount of work required for an attacker to break the system or network (the work factor) should exceed the value that the attacker would gain from a successful compromise. Variables such as cost and benefit; effort; value (negative and positive); time; tools and techniques; gains and losses; knowledge, skills, and abilities (KSAs); and risks and opportunities involved in a successful compromise of security features must be balanced. The principle of compromise recording means computer or manual records and logs should be maintained so that if a compromise does occur, evidence of the attack is available. The recorded information can be used to better secure the host or network in the future and can assist in identifying and prosecuting attackers. The principle of psychological acceptability encourages the routine and correct use of protection mechanisms by making them easy to use, thus giving users no reason to attempt to circumvent them. The security mechanisms must match the user’s own image of protection goals. The principle of least common mechanism requires the minimal sharing of mechanisms either common to multiple users or depended upon by all users. Sharing represents possible communication paths between subjects that can be used to circumvent security policy.
164. Certification and accreditation needs must be considered in all the following phases of the system development life cycle except:
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
164. d. Certifications performed on applications under development are interleaved with the system development process. Certification and accreditation needs must be considered in the validation, verification, and testing phases employed throughout the system development process (i.e., development and implementation). This does not address the operation/maintenance phase.
165. A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Operation/maintenance
d. Implementation
165. d. The major outputs from the implementation (testing) phase include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security features are tested to see if they work and are then certified.
166. Which of the following phases of a system development life cycle (SDLC) should not be compressed so much for the proper development of a prototype?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
166. c. System testing, which is a part of implementation, is important to determine whether internal controls and security controls are operating as designed and are in accordance with established policies and procedures. In the prototyping environment, there is a tendency to compress the system initiation, definition, design, programming, and training phases. However, the testing phase should not be compressed so much, for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping development methodology, without loss of the main features, functions, and quality.
167. The activity that would be different between a prototype development approach and the traditional system development approach is:
a. How are activities to be accomplished?
b. What do users need from the system?
c. What should a project plan contain?
d. How are individual responsibilities defined?
167. a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and approaches used in a prototype development project and a traditional system development project are different.
168. A general testing strategy for conducting application software regression testing includes which of the following sequences of tasks?
a. Read, insert, and delete
b. Precompile, link, and compile
c. Prepare, execute, and delete
d. Test, debug, and log
168. c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log. This approach is recommended for debugging and validating purposes. Read, insert, and delete describe the transfer of all rows from Table A to Table B, in which a table is read, inserted, and deleted. A source program is precompiled, linked, and compiled to become an object or executable program. A source program is tested (errors discovered), debugged (errors removed), and logged for review and further action.
169. Which of the following tests would be conducted when an application system in an organization exchanges data with external application systems?
a. Unit test
b. Integration test
c. End-to-end test
d. System acceptance test
169. c. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. These interrelated systems include not only those owned and managed by the organization, but also the external systems with which they interface. Unit test is incorrect because its purpose is to verify that the smallest defined module of software (i.e., individual subprograms, subroutines, or procedures) works as intended. These modules are internal to an organization. Integration test is incorrect because its purpose is to verify that units of software, when combined, work together as intended. Typically, a number of software units are integrated or linked together to form an application. Again, this test is performed internally in an organization. System acceptance test is incorrect because its purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.
170. Which of the following can give a false sense of security?
a. A test tool that requires planning.
b. A test tool that produces error-free software.
c. A test tool that requires time and effort.
d. A test tool that requires experience to use.
170. b. A test tool cannot guarantee error-free software; it is neither a cure-all nor a silver bullet. For some, it may give a false sense of security. The test tool still requires careful planning, time, effort, and experience in order to be used well and to deliver its benefits.
171. Which of the following software configuration-management capabilities available for client/server systems can help to detect and correct errors?
a. Install check-in/check-out modules.
b. Archive source code.
c. Allow backtracking.
d. Assemble new builds.
171. c. Errors are made in several places and at several times: (i) when source code is developed, (ii) when modules are initially written, (iii) when an enhancement is being added to a module, (iv) when another error is fixed, and (v) when code is being moved from one module to another. Software configuration management products have a backtracking feature to correct these types of errors. The product should list the exact source code changes that make up each build. Then, these changes are examined to identify which one can create the new error. The concept of check-in/check-out software enables multiple developers to work on a project without overwriting one another’s work. It is a fundamental method of preventing errors from being included or reintroduced into software modules.
172. Which of the following requires a higher level of security protection in terms of security controls?
a. Test procedures
b. Test cases
c. Test repository
d. Test plans
172. c. The test repository consists of test plans, test cases, test procedures, test requirements, and test objectives maintained by the software test manager. Because of the concentration of work products, the test repository needs a higher level of security protection from unauthorized changes. Test procedures, test cases, and test plans are each only a part of the test repository.
173. From a security viewpoint, which of the following poses a severe security problem?
a. Unattended computer operations
b. Unattended computer terminal
c. Unattended software testing
d. Unattended facsimile machine
173. b. An unattended computer terminal represents a severe security violation. An unauthorized user could seize the opportunity to access sensitive data. The data could be copied, deleted, added to, or modified. An intruder can also use this occasion to modify executable files. A virus, Trojan horse, or password-sniffing program could easily be slipped onto the system in no time. Security logic that detects an idle terminal is needed. Unattended computer operations are incorrect because they represent a situation where most computer operational tasks are performed by machines (robots) rather than by people. Unattended software testing is incorrect because testing is conducted by automated test tools without a person watching the testing process. The test tool continues running the test sessions by replaying one or more test scripts. It handles unforeseen circumstances gracefully. Unattended facsimile machine is incorrect because it can lead to social engineering attacks. Unattended computer operations, software testing, and facsimile machines pose less risk than the unattended computer terminal.
174. What do the most commonly used application program design structure metrics include?
a. Check-in and check-out indicators
b. Fan-in and check-out indicators
c. Fan-in and fan-out metrics
d. Fan-out metrics and check-in indicators
174. c. Fan-in and fan-out are based on program coupling. Fan-in is a count of the number of modules that call a given module, and fan-out is a count of the number of modules that are called by a given module. Both fan-in and fan-out measure program complexity. Check-in and check-out are program change controls in which documents or data/program files carry a check-in or check-out indicator in system libraries to prevent their concurrent use by programmers and computer programs.
175. Which of the following application software libraries can raise questions about data ownership rights?
a. Test library
b. Quality assurance library
c. Reusable library
d. Production library
175. c. A reusable library can improve software productivity and quality by increasing the efficient reuse of error-free code for both new and modified application software. “Who owns the reusable code?” is a legal question that requires a careful answer due to the difficulty of tracing the original author of the software. A test library is incorrect because it is where new software is developed or existing software is modified. A quality assurance library is incorrect because it is a staging area where final quality reviews and production setup procedures take place. A production library is incorrect because it is the official place where operational programs reside and execute to process data. Data ownership rights in these three libraries (test, quality assurance, and production) are clear and traceable to the author(s).
176. Which of the following application software testing approaches does not require stubs or drivers?
a. Top-down approach
b. Bottom-up approach
c. Sandwich approach
d. Big-bang approach
176. d. The big-bang approach puts all the units or modules together at once, with no stubs or drivers. In it, all the program units are compiled and tested at once. Top-down approach is incorrect because it uses stubs. The actual code for lower-level units is replaced by a stub, which is throwaway code that takes the place of the actual code. Bottom-up approach is incorrect because it uses drivers. Units at higher levels are replaced by drivers that emulate the procedure calls. Drivers are also a form of throwaway code. Sandwich approach is incorrect because it uses a combination of the top-down (stubs) and bottom-up (drivers) approaches.
177. Which of the following is a less-formal review technique?
a. Inspections
b. Traceability analysis
c. Reviews
d. Walkthroughs
177. d. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, while the other members ask questions, make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal. Inspections are incorrect because they are an evaluation technique in which application software requirements, design, code, or other products are examined by a person or group other than the author to detect faults, violations of development standards, and other problems. Inspections are more formal than walkthroughs. Traceability analysis is incorrect because it is the process of verifying that each specified requirement has been implemented in the design/code, that all aspects of the design/code have their basis in the specified requirements, and that testing produces results compatible with the specified requirements. Traceability analysis is more formal than walkthroughs. Reviews are incorrect because a review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. Reviews are more formal than walkthroughs.
178. Inspections cannot detect which of the following errors in application software?
a. Incomplete requirements errors
b. Infeasible requirements errors
c. Conflicting requirements errors
d. Input/output description errors
178. d. An inspection is an evaluation technique in which software requirements, design, code, or other products are examined by a person or group, other than the author, to detect faults, violations of development standards, and other problems. Input/output description errors are detected in the interface testing phase. The types of errors detected in inspections include incomplete requirements errors, infeasible requirements errors, and conflicting requirements errors.
180. Decision tables are used in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
180. a. The purpose of decision tables is to provide a clear and coherent analysis of complex logical combinations and relationships. This method uses two-dimensional tables to concisely describe logical relationships between Boolean program variables (for example, AND and OR). Advantages of decision tables include (i) their conciseness and tabular nature enable the analysis of complex logical combinations expressed in code, and (ii) they are potentially executable if used as specifications. A disadvantage is that they require tedious effort. The requirements analysis, which is a part of the initiation phase, is the best place to use decision tables.
181. Data-flow diagrams are used in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
181. a. Data-flow diagrams are used to describe the data flow through a program in diagrammatic form. They show how data input is transformed to output, with each stage representing a distinct transformation. The diagrams use three types of components:
1. Annotated bubbles represent transformation centers, and the annotation specifies the transformation.
2. Annotated arrows represent the data flow in and out of the transformation centers; annotations specify what the data is.
3. Operators (AND and OR) link the annotated arrows.
Data-flow diagrams describe only data and should not include control or sequencing information. Each bubble can be considered a black box that, as soon as its inputs are available, transforms them to outputs. Each bubble should represent a distinct transformation, whose output is somehow different from its input.
182. Desk-checking is practiced in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
182. c. In desk-checking, programming code is read by an expert, other than the author of the code, who performs any of the following: (i) looking over the code for obvious defects, (ii) checking for correct procedure interfaces, (iii) reading the comments to develop a sense of what the code does and then comparing it to its external specifications, (iv) comparing comments to design documentation, (v) stepping through with input conditions contrived to exercise all paths, including those not directly related to the external specifications, (vi) checking for compliance with programming standards and conventions, or (vii) any combination of these. As can be seen, desk-checking is a technical exercise performed by programmers.
183. Finite state machines (FSMs) are used in which of the following phases of a system development life cycle (SDLC)?
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
183. a. The purpose of a finite state machine (FSM) is to define or implement the control structure of a system. Many systems can be defined in terms of their states, inputs, and actions. By defining a system’s actions for each input in every state, you can completely define a system. The resulting model of the system is an FSM, which can detect incomplete or inconsistent requirements specifications.
184. Mutation analysis is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
184. c. The purpose of mutation analysis is to determine the thoroughness with which a program has been tested and, in the process, detect errors. This procedure involves producing a large set of versions, or mutations, of the original program, each derived by altering a single element of the program (for example, changing an operator, variable, or constant). Each mutant is then tested with a given collection of test data sets. Because each mutant is essentially different from the original, the testing should demonstrate that each is different. If each of the outputs produced by the mutants differs from the output produced by the original program and from each other, then the program is considered adequately tested and correct. Mutation analysis requires good automated tools to be effective.
185. Sensitivity analysis is conducted in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
185. c. Sensitivity analysis is a new method of quantifying ultra-reliable software during the implementation phase. It is based on a fault-failure model of software and on the premise that software testability can predict the probability that a failure occurs when a fault exists, given a particular input distribution. A sensitive location is one in which faults cannot hide during testing. The internal states are disturbed to determine sensitivity. This technique requires instrumentation of the code and produces a count of the total executions through an operation, an infection rate estimate, and a propagation analysis.
186. Boundary-value analysis is conducted in which of the following phases of a system development life cycle (SDLC)? a. Requirements b. Design c. Implementation d. Maintenance
186. c. The purpose of boundary-value analysis is to detect and remove errors occurring at parameter limits or boundaries. The input domain of the program is divided into a number of input classes. The tests should cover the boundaries and extremes of the classes. The tests check that the boundaries of the input domain of the specification coincide with those in the program. Test cases should also be designed to force the output to its extreme values. If possible, a test case that causes output to exceed the specification boundary values should be specified. If output is a sequence of data, special attention should be given to the first and last elements and to lists containing zero, one, and two elements.
187. Error-seeding is planted in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
187. c. The purpose of error-seeding is to determine whether a set of test cases is adequate. Some known error types are inserted into the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. One can estimate the number of errors remaining by subtracting the number of real errors found from the total number of real errors. The remaining test effort can then be estimated. If all the seeded errors are found, this indicates that either the test case set is adequate or that the seeded errors were too easy to find.
188. Formal methods or verification of application software is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation and development b. Development and implementation c. Implementation and operation d. Operation and disposal
188. a. The purpose of formal methods is to check whether software fulfills its intended function. It involves the use of theoretical and mathematical models to prove the correctness of a program without executing it. The requirements should be written in a formal specification language (for example, VDM and Z) so that these requirements can then be verified using a proof of correctness. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. A number of assertions are stated at various locations in the program and are used as pre- and post-conditions to various paths in the program. The proof consists of showing that the program transforms the pre-conditions into the post-conditions according to a set of logical rules, and that the program terminates.
189. Which of the following techniques cannot be used in all phases of a system development life cycle (SDLC)? a. Prototyping b. Reviews c. Simulation d. Walkthroughs
189. a. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier’s interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer’s criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements of the system. A review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. A review is usually held at the end of a phase, but it may be called when problems arise. Simulation is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, while the other members ask questions and make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal.
190. Techniques such as prototyping and simulation cannot be used in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operation/maintenance
190. d. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier’s interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements is selected. A prototype is built using high-level tools and is evaluated against the customer’s criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements and design of the system. Simulation or modeling is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A model of the system to be controlled by the actual system under test is created. This model mimics the behavior of the controlled system and is for testing purposes only. Although prototyping and simulation can be used in the system maintenance phase, the payback would be less than in the development phase. Usually, the scope of system maintenance is small and minor, making the use of prototyping and simulation techniques cost-prohibitive.
191. Which of the following requires an extensive testing effort in an application system integration project? a. Regression testing b. Interoperability testing c. Load testing d. Security testing
191. b. Adherence to a common standard ensures the interoperability of software components. Extensive testing is required to ensure that software components can communicate effectively in both single-processor and distributed processing environments. In a networked environment, it must be remembered that, when any component is added or replaced/upgraded, a large number of tests have to be run to ensure that the integrity and performance of the network have been retained. Therefore, tests must be repeatable and well documented. Hence, regression tests are necessary. In load testing, many combinations and permutations of workload patterns can be imposed on the components of a networked configuration. Although it would be difficult, if not impossible, to test them all, a thorough analysis of the expected workload is required to identify the most likely traffic patterns for this testing procedure. By their nature, networked systems provide a great number of opportunities for violating system security. This is especially true when security levels are not uniformly imposed throughout a configuration made of multiple, interconnected local-area networks. Systemwide security testing is required to identify any security fault that may have been overlooked in the integrated system design.
192. The capability of an application system to survive misuse by naive users is examined in which of the following testing approaches? a. Functional testing b. Performance testing c. Resiliency testing d. Recovery testing
192. c. Resiliency testing measures durability of the system. In functional testing, correctness of system operation under normal operating conditions is demonstrated. In performance testing, system throughput and response times under varying load conditions are demonstrated. In recovery testing, the ability of the system to resume operating after partial or total system failure is determined. Both the system and individual components are tested to determine the ability to operate within the fallback and recovery structure established for the system.
193. From a testing viewpoint, when does a formal change control mechanism start? a. After completion of integration testing b. After completion of unit testing c. After completion of systems testing d. After completion of acceptance testing
193. a. Integration testing is the cutoff point for the development project, and, after integration, it is labeled the back end. Integration is the development phase in which various parts and components are integrated to form the entire software product, and, usually after integration, the product is under formal change control. Specifically, after integration testing, every change of the software must have a specific reason and must be documented and tracked. It is too early to have a formal change control mechanism during unit testing because of constant changes to program code. It is too late to have a formal change control mechanism after completing system and acceptance testing.
194. What is the correct sequence of application software testing? a. Integration test, unit test, systems test, acceptance test b. Unit test, systems test, integration test, acceptance test c. Acceptance test, unit test, integration test, systems test d. Unit test, integration test, systems test, acceptance test
194. d. A system development life cycle moves through the unit test, integration test, system test, and acceptance test in that sequence. Programmers perform both the unit test and integration tests, whereas system testing is conducted jointly between users and programmers. End users and production operations staff, from their own viewpoint, perform acceptance testing. The quality of a computer system is enhanced if this sequence is followed during software testing.
195. Effective controls during the application software-testing phase include which of the following? a. Test cases and test documentation b. Test summaries and test execution reports c. Activity logs, incident reports, and software versioning d. Test cases rejected and test cases accepted
195. c. Activity logs contain a record of all the test cases executed. Incident reports show a priority assigned to test problems during test execution. All incidents logged should be resolved within a reasonable time. Software versioning controls the program source versions to ensure that there is no duplication or confusion between multiple versions. Test cases and test documentation are incorrect because test cases contain a listing of all possible tests to be executed with their associated data, and test documentation includes test plans, test objectives, and approaches. Test summaries and test execution reports are incorrect because a test summary is a brief description of what is changing. Key words are used so that project personnel reading the log can scan for items that may affect their work. Test execution reports show the status of software testing execution to management with summary information. Test cases rejected and test cases accepted are incorrect because they simply list which test cases were rejected or accepted. Documents such as test cases, test documentation, test summaries, test execution reports, and test cases rejected and accepted do not have the same monitoring and controlling effect as activity logs, incident reports, and software versioning.
196. Which of the following software testing levels is least understood by software developers and end users? a. Integration testing b. Unit testing c. System testing d. Module testing
196. a. Integration testing is conducted when software units are integrated with other software units or with system components. Its objective is to test the interfaces among separately tested program units. Software integration tests check how the units interact with other software (for example, libraries) and hardware. Integration testing is in the middle; it is neither unit testing nor system testing. The approach to integration testing varies: top-down, bottom-up, a combination of top-down and bottom-up (sandwich), or all-at-once (big-bang). Because integration testing can be conducted in a variety of ways, and because there is no base document such as a specification to rely upon for testing, its objectives are difficult to understand clearly. Unit testing and module testing are incorrect because they are the best understood of all. Unit testing is the same as module testing. Unit/module test cases are derived from the detailed design documentation of the unit. Each unit or module has a defined beginning and ending and deals with specific inputs and outputs. Boundaries are also well defined. System testing is incorrect because it is better understood than integration testing. End users know what they expect from the system because it is based on functional instead of structural knowledge. System test cases are derived from the requirements specification document.
197. Which of the following system development approaches is best when system requirements are fully understood by either the end user or the software developer? a. Waterfall model b. Incremental development model c. Evolutionary development model d. Rapid prototyping model
197. a. Functional decomposition works best when the system requirements are completely understood by the software developer or the end user. The waterfall model works with the functional decomposition principle. It assumes that system requirements can be defined thoroughly, and that end users know exactly what they want from the system. Incremental and evolutionary development models are incorrect because successive versions of the system are developed reflecting constrained technology or resources. Requirements are added in a layered manner. The rapid prototyping model is incorrect because it is quite the opposite of the waterfall model. That is, it is good when requirements are not fully understood by both parties. Due to the iterative process, the specification-to-customer feedback cycle time is reduced, thus producing early versions of the system.
198. Which of the following is the least beneficial use of an application software test log? a. Recording actions for problem resolution b. Tracing events on a post-test basis c. Reporting problems for compliance to a policy d. Promoting tester accountability
198. c. An application software test log has several benefits. Reporting problems for the sake of reporting/compliance to a policy or a procedure is the least beneficial. What is done with the report is more important than just reporting. The other three choices are incorrect because they are the most important benefits. The log shows a record of all problems encountered during testing so events can be traced for verification. The log can also be used as a training tool for new testers because the log shows what happened in the past. Most of all, the log indicates what the tester did or did not do during testing. It forces testers to document the actions or decisions taken during testing.
199. The application software test objective of verifying boundary conditions of a program is achieved in which of the following types of software testing approaches? a. Stress testing b. Conversion testing c. Performance testing d. Regression testing
199. a. Stress testing examines the response of the system to extreme conditions (for example, an exceptionally high workload over a short span of time) to identify vulnerable points within the software and to show that the system can withstand normal workloads. Examples of testing conditions that can be applied during stress testing include the following: (i) if the size of the database plays an important role, then increase it beyond normal conditions, (ii) increase the input changes or demands per time unit beyond normal conditions, (iii) tune influential factors to their maximum or minimum speed, and (iv) for the most extreme cases, put all influential factors at the boundary conditions at the same time. Stress testing can detect design errors related to full-service requirements of the system and errors in planning defaults when the system is overstressed. Conversion testing is incorrect because it determines whether old data files and record balances are carried forward accurately, completely, and properly to the new system. Performance testing is incorrect because it measures resources required, such as memory and disk, and determines system response time. Regression testing is incorrect because it verifies that changes do not introduce new errors.
200. In which of the following system development life cycle (SDLC) models has the concept of application software reuse been incorporated? a. Waterfall model b. Object-oriented model c. Prototype model d. Spiral model
200. b. The notion of software component reuse has been developed with the invention of the object-oriented development approach. After the design model has been created, the software developer browses a library, or repository, that contains existing program components to determine if any of the components can be used in the design at hand. If reusable components are found, they are used as building blocks to construct a prototype of the software. The waterfall model is incorrect because it takes a linear, sequential view of the software engineering process. The waterfall method is another name for the classic software development life cycle. The prototype model is incorrect because it is a process that enables the developer to create a model of the software built in an evolutionary manner. The spiral model is incorrect because it is another type of evolutionary model. It has been developed to provide the best features of both the classic life cycle approach and prototyping. None of these three choices provides for software reuse.
201. Security categorization is performed in which of the following phases of an application system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
201. a. Security categorization standards provide a common framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.
202. Configuration management and control is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
202. d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task performed in the operation/maintenance phase.
203. Continuous monitoring is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
203. d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.
204. Which of the following are examples of local threats in Windows Extreme Programming (XP) systems? a. Unauthorized local access and malicious payloads b. Boot process and privilege escalation c. Network services and data disclosure d. Boot process and data disclosure
204. b. Local threats in Windows XP systems include boot process, unauthorized local access, and privilege escalation. A boot process threat results when an unauthorized individual boots a computer from third-party media (for example, removable drives and universal serial bus [USB] token storage devices), which permits the attacker to circumvent operating system security measures. An unauthorized local-access threat results when an individual who is not permitted to access a computer system gains local access. A privilege escalation threat results when an authorized user with normal user-level rights escalates the account’s privileges to gain administrator-level access. Remote threats in Windows XP systems include network services, data disclosure, and malicious payloads. A network service threat results when remote attackers exploit vulnerable network services on a computer system. This includes gaining unauthorized access to services and data, and causing a denial-of-service (DoS) condition. A data disclosure threat results when a third party intercepts confidential data sent over a network. A malicious payload threat results when malicious payloads (for example, viruses, worms, Trojan horses, and active content) attack computer systems through many vectors. System end users may accidentally trigger malicious payloads.
205. Attackers can use which of the following flaws to attack backend components through a Web application? a. Broken access control b. Invalidated input c. Broken authentication d. Cross-site scripting flaws
205. b. According to the Open Web Application Security Project (OWASP), information from Web requests is not validated before being used by a Web application, leading to vulnerability from invalidated input.
206. What do you call it when attacks consume Web application resources to a point where other legitimate users can no longer access or use the application? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
206. c. In denial-of-service attacks, attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
207. What do you call it when an attack can cause errors to occur, which the Web application does not handle? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
207. d. Improper error handling means error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
208. The information systems security analyst’s participation in which of the following system development life cycle (SDLC) phases provides maximum benefit to the organization? a. System requirements definition b. System design c. Program development d. Program testing
208. a. It is during the system requirements definition phase that the project team identifies the required controls needed for the system. The identified controls are then incorporated into the system during the design phase. When there is a choice between the system requirements definition phase and the design phase, the auditor would benefit most by participating in the former phase. The analyst does not need to participate in the program development or testing phase.
209. What is a malicious unauthorized act that is triggered upon initiation of a predefined event or condition and resides within a computer program known as? a. Logic bomb b. Computer virus c. Worm d. NAK attack
209. a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time, whereas the logic bomb is set to trigger on a particular condition, event, or command. The logic bomb could be a computer program or a code fragment. Computer virus is incorrect because it “reproduces” by making copies of itself and inserting them into other programs. Worm is incorrect because it searches the network for idle computing resources and uses them to execute the program in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique capitalizing on a potential weakness in an operating system that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. NAK uses binary synchronous communications, where a transmission control character is sent as a negative response to data received. Here, a negative response means data was not received correctly or that a command was incorrect or unacceptable.
210. What is the name of the malicious act of a computer program looking normal but containing harmful code? a. Trapdoor b. Trojan horse c. Worm d. Time bomb
210. b. A Trojan horse fits the description. It is a program that performs a useful function and also an unexpected action, and it is a form of virus. Trapdoor is incorrect because it is an entry point built into a program, created by programmers for debugging purposes. Worm is incorrect because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a part of a logic bomb, where a damaging act triggers at some period of time after the bomb is set.
211. In the software capability maturity model, continuous process improvement takes place in which of the following levels? a. Managed level b. Optimizing level c. Defined level d. Repeatable level
211. b. Continuous process improvements are expected in the optimizing level of the software capability maturity model. It is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
212. Which of the following tests identify vulnerabilities in application systems? a. Functional test b. Performance test c. Stress test d. Security test
212. d. The purpose of security testing is to assess the robustness of the system’s security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests, where the purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users. Functional test is incorrect because the purpose of functional or black-box testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean-times-to-repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates), severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.
213. When does a major risk in application software prototyping occur? a. The prototype becomes the finished system. b. User’s expectations are inflated. c. Too much attention is paid to cosmetic details. d. The model is iterated too many times.
213. a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping where a pilot system is built, thrown away, another system is built, and so on. Inflated user expectations is a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad except that it wastes valuable time. The prototype model is supposed to be iterated many times because that is the best way to define and redefine user requirements and security features until satisfied.
214. Security planning is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
214. b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the development/acquisition phase.
215. Security certification and accreditation is performed in which of the following phases of a system development life cycle (SDLC)? a. Initiation b. Development/acquisition c. Implementation d. Operations/maintenance
215. c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security certification and accreditation tasks are performed in the implementation phase.
216. Which of the following actions is performed in the detailed design phase of a system development life cycle (SDLC) project? a. Defining control, security, and audit requirements b. Developing screen flows with specifications c. Identifying major purpose(s) of the system d. Developing system justification
216. b. A detailed design occurs after the general design is completed where known tasks are described and identified in a much more detailed fashion and are ready for program design and coding. This includes developing screen/program flows with specifications, input and output file specifications, and report specifications. The other three choices are incorrect because, by definition, they are examples of activities taking place in the general design phase. System requirements are the input to the general design where the system is viewed from top-down and where higher-level design issues are addressed. This includes (i) identifying the purpose and major functions of the system and its subsystems, (ii) defining control, security, and audit requirements, and (iii) developing system justification for the approval of analysis of alternative design choices.
217. When attackers compromise passwords, keys, and session cookies, it can lead to which of the following flaws? a. Broken access control b. Invalidated input c. Broken authentication d. Cross-site scripting flaws
217. c. Broken authentication means account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
218. Attackers use which of the following to corrupt a Web application execution stack? a. Buffer overflows b. Injection flaws c. Denial-of-service d. Improper error handling
218. a. Buffer overflows occur when web application components (for example, common gateway interface programs, libraries, drivers, and Web application servers) do not properly validate the length of their input. The affected component can be crashed and, in some cases, the overflow can be used to take control of the process.
219. When Web applications use cryptographic factors that were proven difficult to code properly, it can lead to which of the following? a. Insecure storage b. Improper error handling c. Injection flaws d. Insecure configuration management
219. a. Web applications frequently use cryptographic functions to protect information and credentials in storage. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
220. Protection mechanisms defined in security design architecture include which of the following? a. Layering, abstraction, and data hiding b. Isolation, segmentation, and separation c. Security kernel, reference monitor, and system high d. Accountability, integrity, and confidentiality
220. a. Layering, abstraction, and data hiding are part of security design architecture. The other three choices deal with security control architecture. Layering uses multiple, overlapping protection mechanisms to address the people, technology, and operational aspects of IT. Abstraction is related to stepwise refinement and modularity of computer programs. Data hiding is closely related to modularity and abstraction and, subsequently, to program maintainability.
124. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with identifying infected servers? a. Security administrators b. System administrators c. Network administrators d. Desktop administrators
124. b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are well placed to identify infected servers such as domain name system (DNS), email, and Web servers. The other three administrators have different roles, which also matters from the separation of duties, independence, and objectivity viewpoints.
179. Which of the following is an example of a dynamic analysis to detect application software errors? a. Inspections b. Code reading c. Testing d. Tracing
179. c. Dynamic analysis techniques involve the execution of a product and analysis of its response to sets of input data to determine its validity and to detect errors. The behavioral properties of the program are also observed. The most common type of dynamic analysis technique is testing. Testing of software is usually conducted on individual components (for example, subroutines and modules) as they are developed, on software subsystems when they are integrated with one another or with other system components, and on the complete system. Another type of testing is acceptance testing, performed before the user accepts the product. Inspections, code reading, and tracing are examples of static analysis. Static analysis is the analysis of requirements, design, code, or other items, either manually or automatically, without executing the subject of the analysis, to determine its lexical and syntactic properties as opposed to its behavioral properties.
221. Which of the following best defines adequate information security? 1. Security commensurate with risk and harm. 2. Operating systems and applications operate effectively. 3. Operating systems and applications meet security objectives. 4. Operating systems and applications use cost-effective security controls. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4
221. d. Adequate information security means (i) security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information, (ii) operating systems and applications operate effectively, (iii) operating systems and applications provide appropriate confidentiality (C), integrity (I), and availability (A), known as the CIA security objectives, and (iv) the security objectives are met with cost-effective management, operational, and technical controls (security controls).
222. Computer viruses continue to pose a threat to the following computer services except: a. Integrity b. Availability c. Confidentiality d. Usability
222. c. In this question's framing, confidentiality is not affected by the presence of computer viruses, because confidentiality is ensuring that data is disclosed only to authorized subjects, whereas viruses affect integrity, availability, and usability: computer programs can be deleted or modified (losing their integrity), the computer system may be unavailable because of disruption or denial of computer services, and end users may be unable to use the system because of lost files or disrupted services. Note that this holds for the classic file-infecting virus the question has in mind; other malware, such as the Trojan horse in question 1 below that sends login data to a third party, does attack confidentiality.
224. In the context of a reference monitor concept, a reference validation mechanism doesn't need to meet which one of the following design requirements? a. The reference validation mechanism must be tamperproof. b. The reference validation mechanism must be large. c. The reference validation mechanism must not be bypassed. d. The reference validation mechanism must always be invoked.
224. b. The reference monitor concept is an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. The five design requirements that a reference validation mechanism must meet are (i) it must be tamperproof, (ii) it must not be bypassed, (iii) it must always be invoked, (iv) it must be small enough to be subject to analysis and tests, and (v) it must provide confidence that the other four items are assured. Being large is therefore the opposite of what is required. The reference monitor concept is useful to any system providing multilevel secure computing facilities and controls.
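To make the five requirements concrete, here is an added Python example, written for this page and not taken from the flashcards or from any real operating system. It models a toy reference validation mechanism for a multilevel system: the labels, the subjects and objects, and the no-read-up/no-write-down rules are all constructed for the illustration. The point to notice is that every access goes through one small, fully readable mediate() call, that objects are reachable only through it, and that its object table is exposed read-only so a caller cannot tamper with it at run time.

```python
"""Added example: a toy reference validation mechanism for a multilevel system.
Everything here (labels, subjects, objects, rules) is constructed for the
illustration and is not taken from the flashcards or any real product."""
from dataclasses import dataclass
from types import MappingProxyType

# Ordered sensitivity labels; a higher index dominates a lower one.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Obj:
    name: str
    classification: str


class ReferenceMonitor:
    """Small enough to be read and tested in full, always invoked (objects are
    reachable only through mediate()), and hard to tamper with at run time
    because the object table is exposed read-only."""

    def __init__(self, objects):
        self._objects = MappingProxyType({o.name: o for o in objects})
        self.audit = []  # every decision, allowed or denied, is recorded

    @staticmethod
    def _rank(label):
        return LEVELS.index(label)

    def mediate(self, subject, object_name, access):
        obj = self._objects.get(object_name)
        if obj is None or access not in ("read", "write"):
            allowed = False
        elif access == "read":
            # Simple security property: no read up.
            allowed = self._rank(subject.clearance) >= self._rank(obj.classification)
        else:
            # *-property: no write down.
            allowed = self._rank(subject.clearance) <= self._rank(obj.classification)
        self.audit.append((subject.name, object_name, access, allowed))
        return allowed


def demo():
    """Run a fixed set of requests and return the decisions for inspection."""
    rm = ReferenceMonitor([
        Obj("payroll", "CONFIDENTIAL"),
        Obj("war_plan", "TOP_SECRET"),
        Obj("bulletin", "UNCLASSIFIED"),
    ])
    analyst = Subject("analyst", "SECRET")
    return {
        "read_confidential": rm.mediate(analyst, "payroll", "read"),
        "read_top_secret": rm.mediate(analyst, "war_plan", "read"),
        "write_unclassified": rm.mediate(analyst, "bulletin", "write"),
        "write_top_secret": rm.mediate(analyst, "war_plan", "write"),
        "unknown_object": rm.mediate(analyst, "missing", "read"),
        "audit_entries": len(rm.audit),
    }
```

A real kernel's reference monitor is judged by the same five criteria; the "small enough to analyze" requirement is why the mediation logic is kept to one short method rather than spread across the callers.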
225. Which of the following application system development approaches best brings the operational viewpoint to the requirements specification phase? a. Waterfall model b. Incremental development model c. Evolutionary development model d. Rapid prototyping model
225. d. Because of its iterative process and end-user involvement, the rapid prototyping model brings the operational viewpoint to the requirements specification phase. Requirements are defined, refined, tested, and changed until the end user has no further changes. Later, these requirements become input to the design work. The waterfall model is incorrect because it does not bring the operational viewpoint to the requirements phase until the system is completely implemented. Although the incremental development model and the evolutionary development model are better than the waterfall model, they are not as good as rapid prototyping in terms of bringing the operational viewpoint to the requirements specification
1. An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending them to another party. This application is best described as which of the following? A. A virus B. A Trojan horse C. A worm D. A logic bomb
1. B. A Trojan horse looks like an innocent and helpful program, but in the background it is carrying out some type of malicious activity unknown to the user. The Trojan horse could be corrupting files, sending the user’s password to an attacker, or attacking another computer.
2. What is the importance of inference in an expert system? A. The knowledge base contains facts, but must also be able to combine facts to derive new information and solutions. B. The inference machine is important to fight against multipart viruses. C. The knowledge base must work in units to mimic neurons in the brain. D. The access must be controlled to prevent unauthorized access.
2. A. The whole purpose of an expert system is to look at the data it has to work with and what the user presents to it and to come up with new or different solutions. It basically performs data-mining activities, identifies patterns and relationships the user can’t see, and provides solutions. This is the same reason you would go to a human expert. You would give her your information, and she would combine it with the information she knows and give you a solution or advice, which is not necessarily the same data you gave her.
3. A system has been patched many times and has recently become infected with a dangerous virus. If antivirus software indicates that disinfecting a file may damage it, what is the correct action? A. Disinfect the file and contact the vendor. B. Back up the data and disinfect the file. C. Replace the file with the file saved the day before. D. Restore an uninfected version of the patched file from backup media.
3. D. Some files cannot be properly sanitized by the antivirus software without destroying them or affecting their functionality. So, the administrator must replace such a file with a known uninfected file. Plus, the administrator needs to make sure he has the patched version of the file, or else he could be introducing other problems. Answer C is not the best answer because the administrator may not know the file was clean yesterday, so just restoring yesterday’s file may put him right back in the same boat.
4. What is the purpose of polyinstantiation? A. To restrict lower-level subjects from accessing low-level information B. To make a copy of an object and modify the attributes of the second copy C. To create different objects that will react in different ways to the same input D. To create different objects that will take on inheritance attributes from their class
4. B. Instantiation is what happens when an object is created from a class. Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes. This can be done for several reasons. The example given in the chapter was a way to use polyinstantiation for security purposes to ensure that a lower-level subject could not access an object at a higher level.
5. Database views provide what type of security control? A. Detective B. Corrective C. Preventive D. Administrative
5. C. A database view is put into place to prevent certain users from viewing specific data. This is a preventive measure, because the administrator is preventing the users from seeing data not meant for them. This is one control to prevent inference attacks.
6. Which of the following is used to deter database inference attacks? A. Partitioning, cell suppression, and noise and perturbation B. Controlling access to the data dictionary C. Partitioning, cell suppression, and small query sets D. Partitioning, noise and perturbation, and small query sets
6. A. Partitioning means to logically split the database into parts; views then dictate which users can see which parts. Cell suppression means that specific cells are not viewable by certain users. Noise and perturbation is when bogus information is inserted into the database to try to give potential attackers incorrect information.
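The view in question 5 and the three deterrents in question 6 can be seen working together in the following added Python example, which is not part of the flashcards and uses a constructed SQLite table. The employee rows, the three-person suppression threshold and the plus or minus 5000 noise band are all made up for the illustration.

```python
"""Added example: inference-attack deterrents (partitioning through a view,
cell suppression, noise/perturbation) on a constructed SQLite table.
The data and thresholds are made up for the illustration."""
import random
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            dept TEXT NOT NULL,
            salary INTEGER NOT NULL
        );
        INSERT INTO employee VALUES
            (1, 'Ann',  'ENG', 120000),
            (2, 'Bob',  'ENG', 110000),
            (3, 'Cleo', 'HR',   90000),
            (4, 'Dave', 'ENG', 130000),
            (5, 'Ed',   'FIN',  95000);

        -- Partitioning: ordinary users query this view, which has no salary column.
        CREATE VIEW directory AS
            SELECT name, dept FROM employee;

        -- Cell suppression: a salary cell is shown only when the department has
        -- at least three people, so a one-person department cannot be read off.
        CREATE VIEW dept_salary AS
            SELECT e.name, e.dept,
                   CASE WHEN c.n >= 3 THEN e.salary ELSE NULL END AS salary
            FROM employee AS e
            JOIN (SELECT dept, COUNT(*) AS n FROM employee GROUP BY dept) AS c
              ON c.dept = e.dept;
    """)
    return conn


def directory_columns(conn):
    """Column names a user of the restricted view actually gets back."""
    cur = conn.execute("SELECT * FROM directory")
    return [col[0] for col in cur.description]


def suppressed_salaries(conn):
    """name -> salary, with suppressed cells returned as None."""
    return dict(conn.execute("SELECT name, salary FROM dept_salary"))


def perturbed_dept_total(conn, dept, seed=7, spread=5000):
    """Noise/perturbation: the aggregate is returned with bounded random error
    so repeated differencing queries cannot recover an exact individual value.
    The fixed seed is only so the result is reproducible here."""
    (true_total,) = conn.execute(
        "SELECT COALESCE(SUM(salary), 0) FROM employee WHERE dept = ?", (dept,)
    ).fetchone()
    noise = random.Random(seed).randint(-spread, spread)
    return true_total + noise
```

The view is the preventive control from question 5: the salary column never reaches the user, so there is nothing to detect or correct after the fact. Suppression and noise address the inference channel that remains once aggregates are allowed.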
7. When should security first be addressed in a project? A. During requirements development B. During integration testing C. During design specifications D. During implementation
7. A. The trick to this question, and any one like it, is that security should be implemented at the first possible phase of a project. Requirements are gathered and developed at the beginning of a project, which is project initiation. The other answers are steps that follow this phase, and security should be integrated right from the beginning instead of in the middle or at the end.
8. Online application systems that detect an invalid transaction should do which of the following? A. Roll back and rewrite over original data. B. Terminate all transactions until properly addressed. C. Write a report to be reviewed. D. Checkpoint each data entry.
8. C. This can seem like a tricky question. It is asking you if the system detected an invalid transaction, which is most likely a user error. This error should be logged so it can be reviewed. After the review, the supervisor, or whoever makes this type of decision, will decide whether or not it was a mistake and investigate it as needed. If the system had a glitch, power fluctuation, hang-up, or any other software- or hardware-related error, it would not be an invalid transaction, and in that case the system would carry out a rollback function.
9. Which of the following are rows and columns within relational databases? A. Rows and tuples B. Attributes and rows C. Keys and views D. Tuples and attributes
9. D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.
10. Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test?
i. Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none take effect.
ii. Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
iii. Isolation: Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability: Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.
A. i, ii B. ii, iii C. ii, iv D. iv
10. D. The following are the correct characteristics of the ACID test:
* Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
* Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
* Isolation: Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
* Durability: Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
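Atomicity and consistency are easiest to see when a transaction fails half-way. The following added Python example (not from the flashcards) uses a constructed SQLite ledger: the table, the two balances and the transfer amounts are made up. The CHECK constraint is the database's integrity policy; when the debit violates it, the credit already applied in the same unit of work is rolled back with it.

```python
"""Added example: atomicity and consistency of a transfer on a constructed
SQLite ledger. Table, balances and amounts are made up for the illustration."""
import sqlite3


def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # we issue BEGIN/COMMIT/ROLLBACK ourselves
    conn.executescript("""
        CREATE TABLE account (
            id      INTEGER PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)  -- integrity policy
        );
        INSERT INTO account VALUES (1, 100), (2, 50);
    """)
    return conn


def transfer(conn, src, dst, amount):
    """One unit of work: credit the destination, then debit the source.
    If the debit violates the CHECK rule the earlier credit is undone too,
    so either both modifications take effect or neither does."""
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


def balances(conn):
    """Snapshot of all balances, for checking the outcome of a transfer."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))
```

The credit is deliberately applied first so that the failure case shows money being removed again from account 2 on rollback; without the explicit transaction the first UPDATE would have stuck and the ledger would be inconsistent.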
12. John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following have the best descriptions of the types of software testing that should be carried out?
i. Unit testing: Individual component is in a controlled environment where programmers validate data structure, logic, and boundary conditions.
ii. Integration testing: Verifying that components work together as outlined in design specifications.
iii. Acceptance testing: Ensuring that the code meets customer requirements.
iv. Regression testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection.
A. i, ii B. ii, iii C. i, ii, iv D. i, ii, iii, iv
12. D. There are different types of tests the software should go through because there are different potential flaws we will be looking for. The following are some of the most common testing approaches:
* Unit testing: Individual component is in a controlled environment where programmers validate data structure, logic, and boundary conditions.
* Integration testing: Verifying that components work together as outlined in design specifications.
* Acceptance testing: Ensuring that the code meets customer requirements.
* Regression testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection.
11. The software development life cycle has several phases. Which of the following lists these phases in the correct order? A. Project initiation, system design specifications, functional design analysis and planning, software development, installation/implementation, operational/maintenance, disposal B. Project initiation, functional design analysis and planning, system design specifications, software development, installation/implementation, operational/maintenance, disposal C. Project initiation, functional design analysis and planning, software development, system design specifications, installation/implementation, operational/maintenance, disposal D. Project initiation, system design specifications, functional design analysis and planning, software development, operational/maintenance
11. B. The following outlines the common phases of the software development life cycle:
1. Project initiation
2. Functional design analysis and planning
3. System design specifications
4. Software development
5. Testing
6. Installation/implementation
7. Operational/maintenance
8. Disposal
13. Tim is a software developer for a financial institution. He develops middleware software code that carries out his company’s business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over a period of time. Which of the following best describes what Tim should implement to rid this software of this type of problem? A. Bounds checking B. Garbage collector C. Parameter checking D. Compiling
13. B. Garbage collection is an automated way for software to carry out part of its memory management tasks. A garbage collector identifies blocks of memory that were once allocated but are no longer in use, deallocates them, and marks them as free. It also gathers scattered blocks of free memory and combines them into larger blocks. It helps provide a more stable environment and does not waste precious memory. Some programming languages, such as Java, perform garbage collection automatically. C has no garbage collector: memory obtained with malloc() stays allocated until the developer releases it with free(), so a missed free() on a code path that runs repeatedly leaks memory for the life of the process, which is the steadily growing footprint Tim observes. A garbage collector library, or in practice finding and fixing the missing free() calls with a leak detector, addresses this.
14. Marge has to choose a software development model that her team should follow. The application that her team is responsible for developing is a critical application that can have little to no errors. Which of the following best describes the type of model her team should follow? A. Cleanroom B. Joint Analysis Development (JAD) C. Rapid Application Development (RAD) D. Reuse Model
14. A. The software development models and their definitions are as follows:
* Joint Analysis Development (JAD): A method that uses a team approach in application development in a workshop-oriented environment.
* Rapid Application Development (RAD): A method of determining user requirements and developing systems quickly to satisfy immediate needs.
* Reuse Model: A model that approaches software development by using progressively developed models. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the Reuse model does not require programs to be built from scratch, it drastically reduces both development cost and time.
* Cleanroom: An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.
15. __________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. A. Agile testing B. Structured testing C. Fuzzing D. EICAR
15. C. Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.
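The following added Python example (not part of the flashcards) shows the technique end to end: a deliberately flawed parser for a made-up [type][length][value] record format, a hardened version of the same parser, and a small mutation fuzzer that feeds both with corrupted variants of a constructed seed input. The format, the seed bytes and the bug are all invented for the illustration. The flawed parser trusts the declared length and raises an unhandled IndexError on truncated input; the hardened one validates lengths first and fails only with its own ValueError, which the harness treats as expected rather than as a crash.

```python
"""Added example: a tiny mutation fuzzer run against a constructed TLV parser.
The record format, the seed input and the bug are all made up for the
illustration; neither parser is taken from the flashcards or a real product."""
import random

# Constructed seed input: two well-formed records of [type][length][value].
SEED_INPUT = b"\x01\x03abc\x02\x02hi"


def parse_tlv(data: bytes) -> list:
    """Flawed parser: trusts the declared length and never checks that enough
    bytes remain, so truncated or corrupted input raises IndexError."""
    records, pos = [], 0
    while pos < len(data):
        ttype, length = data[pos], data[pos + 1]      # fails if 1 byte is left
        payload = data[pos + 2 : pos + 2 + length]
        last = payload[length - 1] if length else None  # fails if payload is short
        records.append((ttype, payload, last))
        pos += 2 + length
    return records


def parse_tlv_safe(data: bytes) -> list:
    """Hardened parser: validates every length before using it and fails with a
    deliberate ValueError instead of an unhandled exception."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header")
        ttype, length = data[pos], data[pos + 1]
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("declared length exceeds input")
        records.append((ttype, data[pos + 2:end]))
        pos = end
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations: overwrite, delete, insert."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        roll = rng.random()
        if roll < 0.4:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif roll < 0.7 and len(data) > 1:
            del data[rng.randrange(len(data))]
        else:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed=SEED_INPUT, iterations=500, rng_seed=1, expected=(ValueError,)):
    """Return {exception name: first crashing input} for every unexpected
    exception type the target raised. Exceptions listed in `expected` are the
    parser's own validation errors and do not count as crashes."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

Run fuzz(parse_tlv) and it returns an IndexError with the first input that triggered it; run fuzz(parse_tlv_safe) and it returns nothing, because every malformed case is rejected with the parser's own error. In a compiled parser the equivalent flaw is the buffer overflow of question 18, and the crashing input the fuzzer saves is the reproducer you hand to the developer.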
16. Which of the following is the second level of the Capability Maturity Model Integration? A. Repeatable B. Defined C. Managed D. Optimizing
16. A. The five levels of the Capability Maturity Model Integration are:
* Initial: Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable.
* Repeatable: A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
* Defined: Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.
* Managed: The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process improvement program.
* Optimizing: The company has budgeted and integrated plans for continuous process improvement.
(These are the level names of the original Software CMM; the CMMI staged representation calls level 2 Managed and level 4 Quantitatively Managed, but the ordering, and therefore the answer, is the same.)
17. One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic? A. Autonomous objects, cooperation through exchanges of messages. B. The internal components of an object can be redefined without changing other parts of the system. C. Refining classes through inheritance. D. Object-oriented analysis, design, and modeling map to business needs and solutions.
17. B. The characteristics and their associated definitions are listed as follows:
* Modularity: Autonomous objects, cooperation through exchanges of messages.
* Deferred commitment: The internal components of an object can be redefined without changing other parts of the system.
* Reusability: Other programs using the same objects.
* Naturalness: Object-oriented analysis, design, and modeling map to business needs and solutions.
18. Which of the following attack type best describes what commonly takes place to overwrite a return pointer memory segment? A. Traversal attack B. UNICODE attack C. URL encoding attack D. Buffer overflow attack
18. D. The buffer overflow is probably the most notorious of input validation mistakes. A buffer is an area reserved by an application to store something in it, such as some user input. A buffer overflow occurs when an application erroneously allows more input to be written into the buffer than it can hold. On the stack, the excess overwrites adjacent data, including the saved return address (the return pointer the question refers to). When the function returns, the processor loads that attacker-controlled value into the instruction pointer, so whatever code the attacker placed in the buffer can then be executed, all under the security context of the application.
20. John is reviewing database products. He needs a product that can manipulate a standard set of data for his company’s business logic needs. Which of the following should the necessary product implement? A. Relational database B. Object-relational database C. Network database D. Dynamic-static
20. B. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. Different companies will have different business logic that needs to be carried out on the stored data. Allowing programmers to develop this front-end software piece allows the business logic procedures to be used by requesting applications and the data within the database.
19. Which of the following has an incorrect attack to definition mapping? A. EBJ XSS Content processing stages performed by the client, typically in client-side Java B. Non persistent XSS attack Improper sanitation of response from a web client C. Persistent XSS attack Data provided by attackers are saved on the server D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript
19. A. The nonpersistent cross-site scripting vulnerability is when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, are used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response. The persistent XSS vulnerability occurs when the data provided by the attacker are saved by the server and then permanently displayed on “normal” pages returned to other users in the course of regular browsing without proper HTML escaping. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.
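Where the fix for the two server-side variants lives is easier to see in code. The following added Python example is not from the flashcards or any web framework: the page fragments, the in-memory comment store standing in for the server's database, and the payload are all constructed for the illustration. The unsafe renderers concatenate user data straight into HTML; the safe ones apply context-aware output encoding at render time, which is the missing "proper HTML escaping" the answer refers to.

```python
"""Added example: reflected (non-persistent) and stored (persistent) XSS and
their server-side fix, output encoding. Fragments, comment store and payload
are constructed for the illustration; not code from the flashcards or a framework."""
import html

COMMENTS = []  # stands in for the server-side database of user-supplied comments


def render_search_unsafe(query: str) -> str:
    # Non-persistent XSS: the query parameter is echoed into HTML as-is.
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    # The fix is output encoding for the context, here HTML text content.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def post_comment(text: str) -> None:
    # Storing raw text is fine in itself; it becomes persistent XSS only when the
    # text is later rendered without escaping, as render_comments_unsafe() does.
    COMMENTS.append(text)


def render_comments_unsafe() -> str:
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def render_comments_safe() -> str:
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"


def render_profile_link_safe(url: str) -> str:
    # Attribute context: escaping quotes is necessary but not sufficient, because a
    # javascript: URL survives escaping unchanged, so the scheme is also allow-listed.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'
```

The DOM-based variant is not covered by any of this: its sink is in client-side JavaScript (for example, writing location.hash into innerHTML), so the escaping has to happen in the browser code, and a server that escapes perfectly is still vulnerable.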
21. ActiveX Data Objects (ADO) is an API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO? i. It’s a low-level data access programming interface to an underlying data access technology (such as OLE DB). ii. It’s a set of COM objects for accessing data sources, not just database access. iii. It allows a developer to write programs that access data without knowing how the database is implemented. iv. SQL commands are required to access a database when using ADO. A. i, iv B. ii, iii C. i, ii, iii D. i, ii, iii, iv
21. A. The following are the correct characteristics of ADO:
* It's a high-level data access programming interface to an underlying data access technology (such as OLE DB).
* It's a set of COM objects for accessing data sources, not just database access.
* It allows a developer to write programs that access data without knowing how the database is implemented.
* SQL commands are not required to access a database when using ADO.
22. Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services? i. A semantic integrity mechanism makes sure structural and semantic rules are enforced. ii. A database has referential integrity if all foreign keys reference existing primary keys. iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values. A. ii B. ii, iii C. i, ii, iii D. i, ii
22. C. A semantic integrity mechanism makes sure structural and semantic rules are enforced. These rules pertain to data types, logical values, uniqueness constraints, and operations that could adversely affect the structure of the database. A database has referential integrity if all foreign keys reference existing primary keys. There should be a mechanism in place that ensures no foreign key contains a reference to a primary key of a nonexisting record, or a null value. Entity integrity guarantees that the tuples are uniquely identified by primary key values. For the sake of entity integrity, every tuple must contain one primary key. If it does not have a primary key, it cannot be referenced by the database.
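All three services can be declared to the database engine rather than re-checked in application code, and seeing each one reject a bad row makes the distinction concrete. The following added Python example is not part of the flashcards; its SQLite schema and rows are constructed for the illustration. One practical caveat it shows: SQLite leaves foreign-key enforcement off until the connection asks for it, so referential integrity silently does not exist without the PRAGMA.

```python
"""Added example: entity, referential and semantic integrity declared as SQLite
constraints on a constructed schema, with each violation caught.
Tables and rows are made up for the illustration."""
import sqlite3


def open_catalog():
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless asked to, per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,                   -- entity integrity
            name    TEXT    NOT NULL UNIQUE
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,                   -- entity integrity
            name    TEXT    NOT NULL,
            salary  INTEGER NOT NULL CHECK (salary > 0),   -- semantic rule
            dept_id INTEGER NOT NULL
                    REFERENCES department(dept_id)         -- referential integrity
        );
        INSERT INTO department VALUES (10, 'ENG');
        INSERT INTO employee   VALUES (1, 'Ann', 120000, 10);
    """)
    return conn


def try_insert_employee(conn, row):
    """Attempt an insert; return 'ok' or the constraint message SQLite gives."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)", row)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)


def employee_count(conn):
    """How many rows survived, to confirm rejected rows were not stored."""
    (n,) = conn.execute("SELECT COUNT(*) FROM employee").fetchone()
    return n
```

A dangling dept_id, a duplicate emp_id, a non-positive salary and a NULL dept_id are each refused with a distinct message, and the row count confirms none of them reached the table.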
23. Which of the following is a field of study that focuses on ways of understanding and analyzing data in databases, with concentration on automation advancements? A. Artificial intelligence B. Knowledge discovery in databases C. Expert system development D. Artificial neural networking
Use the following scenario to answer Questions 24–26. Sandy has just started as the manager of software development at a new company. There are a few things that Sandy is finding out as she interviews her new team members that may need to be approached differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.
23. B. Knowledge discovery in databases (KDD) is a field of study that works with metadata and attempts to put standards and conventions in place on the way that data are analyzed and interpreted. KDD is used to identify patterns and relationships between data. It is also called data mining.
24. Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario? A. Computer-aided software engineering tools B. Software configuration management C. Software development life-cycle management D. Software engineering best practices
24. B. Software Configuration Management (SCM) identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release.
26. Which best describes the approach Sandy’s team member took when creating the business-oriented software package mentioned within the scenario? A. Software as a Service B. Cloud computing C. Web services D. Mashup
26. D. A mashup is the combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality. Open APIs and data sources are commonly aggregated and combined to provide a more useful and powerful resource.
25. Which is the best software architecture that Sandy should introduce her team to for effective business application use? A. Distributed component object architecture B. Simple Object Access Protocol architecture C. Enterprise JavaBeans architecture D. Service-oriented architecture
25. D. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. This approach allows for different business applications to access the current web services available within the environment.
27. Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are?
A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service’s specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
B. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
C. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service.
D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service’s specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service.
27. B. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.
28. Which of the following best describes attacks that could be taking place against this organization?
A. Cross-site scripting and certification stealing
B. URL encoding and directory traversal attacks
C. Parameter validation manipulation and session management attacks
D. Replay and password brute force attacks
28. B. The characters “%20” are encoding values that attackers commonly use in URL encoding attacks. These encoding values can be used to bypass web server filtering rules and can result in the attacker being able to gain unauthorized access to components of the web server. The characters “../” can be used by attackers in similar web server requests, which instruct the web server software to traverse directories that should be inaccessible. This is commonly referred to as a path or directory traversal attack.
Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.
29. The web server software is currently carrying out which of the following functions, and what is an associated security concern Brad should address?
A. Client-side validation; the web server should carry out a secondary set of input validation rules on the presented data before processing them.
B. Server-side includes validation; the web server should carry out a secondary set of input validation rules on the presented data before processing them.
C. Data Source Name logical naming access; the web server should be carrying out a second set of reference integrity rules.
D. Data Source Name logical naming access; the web server should carry out a secondary set of input validation rules on the presented data before processing them.
29. A. Client-side validation is being carried out. This procedure ensures that the data inserted into the form contain valid values before being sent to the web server for processing. The web server should not rely solely upon client-side validation, but should also carry out a second set of procedures to ensure that the input values are not illegal and potentially malicious.
30. Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with?
A. Parameter validation attack
B. Injection attack
C. Cross-site scripting
D. Database connector attack
30. B. The current architecture allows for web server software to directly communicate with a back-end database. Brad should ensure that proper database access authentication is taking place so that SQL injection attacks cannot be carried out. In a SQL injection attack, the attacker sends over input values that the database carries out as commands, which can allow authentication to be successfully bypassed.
1. Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?
A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website
1. C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.
2. Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded
2. B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad. The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services are a common component of secured systems and can provide support for accountability, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.
3. James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?
A. Identification
B. Availability
C. Encryption
D. Layering
3. B. Availability means that authorized subjects are granted timely and uninterrupted access to objects. Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plain text into cipher text. Layering is the use of multiple security mechanisms in series.
4. Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?
A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
4. D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources. The other statements are not related to security governance. Authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA) that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
5. You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create?
A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan
5. C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it to the goals, mission, and objectives of the organization. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.
6. Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)
A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve sufficient return on investment (ROI)
6. A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve sufficient return on investment (ROI). Increased worker compliance is not a risk, but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.
7. Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?
A. ITIL
B. ISO 27000
C. CIS
D. CSF
7. A. Information Technology Infrastructure Library (ITIL) was initially crafted by the British government for domestic use but is now an international standard, which is a set of recommended best practices for core IT security and operational processes, and is often used as a starting point for the crafting of a customized IT security solution. The other options were not crafted by the British government. ISO 27000 is a family group of international standards that can be the basis of implementing organizational security and related management practices. The Center for Internet Security (CIS) provides OS, application, and hardware security configuration guides. NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to be performed on an ongoing basis for the support and improvement of security over time.
8. A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it?
A. Senior management
B. Security professional
C. Custodian
D. Auditor
8. B. The security professional has the functional responsibility for security, including writing the security policy and implementing it. Senior management is ultimately responsible for the security maintained by an organization and should be most concerned about the protection of its assets. The custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
9. Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.)
A. Holistic Approach
B. End-to-End Governance System
C. Provide Stakeholder Value
D. Maintaining Authenticity and Accountability
E. Dynamic Governance System
9. A, B, C, E. The COBIT key principles are: Provide Stakeholder Value (C), Holistic Approach (A), Dynamic Governance System (E), Governance Distinct From Management (not listed), Tailored to Enterprise Needs (not listed), and End-to-End Governance System (B). The concepts of maintaining authenticity and accountability are good security ideas, but not COBIT key principles.
10. In today’s business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.)
A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures.
C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization.
D. Due care is practicing the individual activities that maintain the security effort.
E. Due care is knowing what should be done and planning for it.
F. Due diligence is doing the right action at the right time.
10. A, D. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the security effort. The other options are incorrect; they have the terms inverted. The corrected statements are as follows: Due diligence is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due care is the continued application of a security structure onto the IT infrastructure of an organization. Due diligence is knowing what should be done and planning for it. Due care is doing the right action at the right time.
11. Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions.
1. Policy
2. Standard
3. Procedure
4. Guideline
I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
III. A minimum level of security that every system throughout the organization must meet.
IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.
V. Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls.
A. 1 – I; 2 – IV; 3 – II; 4 – V
B. 1 – II; 2 – V; 3 – I; 4 – IV
C. 1 – IV; 2 – II; 3 – V; 4 – I
D. 1 – V; 2 – I; 3 – IV; 4 – III
11. B. A policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. A standard defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. A guideline offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. III is the definition of a baseline, which was not included as a component option.
12. STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?
A. S
B. T
C. R
D. I
E. D
F. E
12. D. When confidential documents are exposed to unauthorized entities, this is described by the I in STRIDE, which represents information disclosure. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
13. A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?
A. Threat hunting
B. Proactive approach
C. Qualitative approach
D. Adversarial approach
13. B. This scenario describes a proactive approach to threat modeling, which is also known as the defensive approach. A reactive approach or adversarial approach to threat modeling takes place after a product has been created and deployed. There is no threat modeling concept known as qualitative approach. Qualitative is typically associated with a form of risk assessment.
14. Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.)
A. Each link in the supply chain should be responsible and accountable to the next link in the chain.
B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.
C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements.
D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.
14. A, B, D. These statements are true: (A) Each link in the supply chain should be responsible and accountable to the next link in the chain; (B) Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips; and (D) Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms. The remaining option is incorrect. Even if a final product seems reasonable and performs all necessary functions, that does not provide assurance that it is secure or that it was not tampered with somewhere in the supply chain.
15. Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?
A. Software
B. Services
C. Data
D. Hardware
15. D. Though not explicitly stating hardware, this scenario describes a typical and potential risk of a supply chain, that a hardware risk results in the presence of a listening mechanism in the final product. This scenario does not provide information that would indicate that the supply chain risk is focused on software, services, or data.
16. Cathy’s employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?
A. Write up a report and submit it to the CIO.
B. Void the ATO of the vendor.
C. Require that the vendor review their terms and conditions.
D. Have the vendor sign an NDA.
16. B. In this scenario, Cathy should void the authorization to operate (ATO) of this vendor. This situation describes the fact that the vendor is not meeting minimal security requirements which are necessary to the protection of the service and its customers. Writing a report is not a sufficient response to this discovery. You may have assumed Cathy does or does not have the authority to perform any of the other options, but there is no indication of Cathy’s position in the organization. It is reasonable for a CEO to ask the CISO to perform such an evaluation. Regardless, the report should be submitted to the CISO, not the CIO, whose focus is primarily on ensuring that information is used effectively to accomplish business objectives, not that such use is secure. Reviewing terms and conditions will not make any difference in this scenario, as those typically apply to customers, not internal operations. And reviewing does not necessarily cause a change or improvement to insecure practices. A vendor-signed NDA has no bearing on this scenario.
17. Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?
A. Existing security policy
B. Third-party audit
C. On-site assessment
D. Vulnerability scan results
17. A. Minimum security requirements should be modeled on your existing security policy. This is based on the idea that when working with a third party, that third party should have at least the same security as your organization. A third-party audit is when a third-party auditor is brought in to perform an unbiased review of an entity’s security infrastructure. This audit may reveal where there are problems, but the audit should not be the basis of minimum security requirements for a third party. On-site assessment is when you visit the site of the organization to interview personnel and observe their operating habits. This is not the basis for establishing minimum security requirements for a third party. Vulnerability scan results, like third-party audits, may reveal concerns, but it is not the basis for establishing minimum security requirements for a third party.
18. It’s common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization’s valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?
A. VAST
B. SD3+C
C. PASTA
D. STRIDE
18. C. Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage threat modeling methodology. PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected. Visual, Agile, and Simple Threat (VAST) is a threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis. Microsoft uses a Security Development Lifecycle (SDL) with the motto “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C). STRIDE is a threat categorization scheme developed by Microsoft.
19. The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.)
A. Patch or update versions
B. Trust boundaries
C. Dataflow paths
D. Open vs. closed source code use
E. Input points
F. Privileged operations
G. Details about security stance and approach
19. B, C, E, F, G. The five key concepts of decomposition are trust boundaries, dataflow paths, input points, privileged operations, and details about security stance and approach. Patch or update version management is an important part of security management in general; it is just not a specific component of decomposition. Determining open vs. closed source code use is not an element of decomposition.
20. Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.)
A. Layering
B. Classifications
C. Zones
D. Realms
E. Compartments
F. Silos
G. Segmentations
H. Lattice structure
I. Protection ring
20. A, B, C, D, E, F, G, H, I. All of the listed options are terms that relate to or are based on defense in depth: layering, classifications, zones, realms, compartments, silos, segmentations, lattice structure, and protection rings.
1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?
A. Preventive
B. Deterrent
C. Detective
D. Corrective
1. C. Detective access controls are used to discover (and document) unwanted or unauthorized activity. Preventive access controls block the ability to perform unwanted activity. Deterrent access controls attempt to persuade the perpetrator not to perform unwanted activity. Corrective access controls restore a system to normal function in the event of a failure or system interruption.
2. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.
A. Is difficult to guess or unpredictable
B. Meets minimum length requirements
C. Meets specific complexity requirements
D. All of the above
2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and use all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear.
3. Some adversaries use DoS attacks as their primary weapon to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks?
A. Host-based IDS
B. Network-based IDS
C. Vulnerability scanner
D. Penetration testing
3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.
4. Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial-of-service (DoS) attack?
A. Pretending to be a technical manager over the phone and asking a receptionist to change their password
B. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU
C. Intercepting network traffic by copying the packets as they pass through a specific subnet
D. Sending message packets to a recipient who did not request them, simply to be annoying
4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering (i.e., pretending to be a technical manager) and sniffing (i.e., intercepting network traffic) are typically not considered DoS attacks. Sending message packets to a recipient who did not request them simply to be annoying may be a type of social engineering and it is definitely spam, but unless the volume of the messages is significant, it does not warrant the label of DoS.
629
5. Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate? A. Network layer B. Layer 1 C. Transport layer D. Layer 5
5. A. Network hardware devices, including routers, function at layer 3, the Network layer. Layer 1, the Physical layer, is where repeaters and hubs operate, not routers. The Transport layer, layer 4, is where circuit level firewalls and proxies operate, not routers. Layer 5, the Session layer, does not actually exist in a modern TCP/IP network, and thus no hardware directly operates at this layer, but its functions are performed by TCP in the Transport layer, layer 4, when sessions are in use.
630
6. Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions? A. Static packet filtering B. Application-level gateway C. Circuit-level gateway D. Stateful inspection firewall
6. D. Stateful inspection firewalls (aka dynamic packet-filtering firewall) enable the real-time modification of the filtering rules based on traffic content and context. The other firewalls listed as options—static packet filtering, application level, and circuit level—are all stateless and thus do not consider the context when applying filtering rules.
631
7. A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following? A. Wireless LAN connection B. Remote access dial-up connection C. WAN link D. All of the above
7. D. A virtual private network (VPN) link can be established over any network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an internet connection used by a client for access to the office LAN.
632
8. Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it? A. Virus B. Worm C. Trojan horse D. Logic bomb
8. C. A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload. Viruses and logic bombs do not typically use social engineering as an element in their means of infecting a system. A worm sometimes is designed to take advantage of social engineering, such as when the worm is an executable email attachment and the message tricks the victim into opening it. However, not all worms are designed this way—this is a core design concept of a Trojan horse.
633
9. Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements? A. Contiguousness, interoperable, arranged B. Authentication, authorization, accountability C. Capable, available, integral D. Availability, confidentiality, integrity
9. D. The components of the CIA Triad are confidentiality, availability, and integrity. The other options are not the terms that define the CIA Triad, although they are security concepts that need to be evaluated when establishing a security infrastructure.
634
10. The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability? A. Logging B. Privacy C. Identification verification D. Authorization
10. B. Privacy is not necessary to provide accountability. The required elements of accountability, as defined in AAA services, are as follows: identification (which is sometimes considered an element of authentication, a silent first step of AAA services, or represented by IAAA), authentication (i.e., identification verification), authorization (i.e., access control), auditing (i.e., logging and monitoring), and accounting.
635
11. Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion? A. Separation of duties B. Restricted job responsibilities C. Group user accounts D. Job rotation
11. C. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability. Separation of duties, restricted job responsibilities, and job rotation help establish individual accountability and control access (especially to privileged capabilities), which in turn limits or restricts collusion.
636
12. A data custodian is responsible for securing resources after ______________ has assigned the resource a security label. A. Senior management B. The data owner C. An auditor D. Security staff
12. B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. Senior management is ultimately responsible for the success or failure of a security endeavor. An auditor is responsible for reviewing and verifying that the security policy is properly implemented, that the derived security solutions are adequate, and that user events are in compliance with security policy. The security staff is responsible for designing, implementing, and managing the security infrastructure once approved by senior management.
637
13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain a detailed understanding of the software development process? A. Repeatable B. Defined C. Managed D. Optimizing
13. C. The Managed phase (level 4) of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management. The Repeatable phase (level 2) is where basic lifecycle processes are introduced. The Defined phase (level 3) is where developers operate according to a set of formal, documented development processes. The Optimizing phase (level 5) is where a process of continuous improvement is achieved.
638
14. Which one of the following is a layer of the ring protection scheme design concept that is not normally implemented? A. Layer 0 B. Layer 1 C. Layer 3 D. Layer 4
14. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice, since they are often collapsed into layer 0. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist in the design concept, but it may exist in customized implementations.
639
15. TCP operates at the Transport layer and is a connection-oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence? A. SYN flagged packet B. ACK flagged packet C. FIN flagged packet D. SYN/ACK flagged packet
16. The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that hackers have discovered and exploited. Which one of the following vulnerabilities would be best countered by adequate parameter checking? A. Time-of-check to time-of-use B. Buffer overflow C. SYN flood D. Distributed denial of service (DDoS)
15. B. The SYN flagged packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK flagged packet. The initiating host sends an ACK flagged packet, and the connection is then established. The FIN flagged packet is not used in the TCP three-way handshake to establish a session; it is used in the session teardown process.
640
18. Which of the following are considered standard data type classifications used in either a government/military or a private sector organization? (Choose all that apply.) A. Public B. Healthy C. Private D. Internal E. Sensitive F. Proprietary G. Essential H. Certified I. Critical J. Confidential K. For Your Eyes Only
18. A, C, E, F, I, J. There are six standard data type classifications used in either a government/military or a private sector organization in this list of options: public, private, sensitive, proprietary, critical, and confidential. The other options (healthy, internal, essential, certified, and for your eyes only) are incorrect since they are not typical or standard classifications.
641
19. The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is true? A. A data processor is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. B. A data custodian is the entity that performs operations on data. C. A data controller is the entity that makes decisions about the data they are collecting. D. A data owner is the entity assigned or delegated the day-to-day responsibility of proper storage and transport as well as protecting data, assets, and other organizational objects.
19. C. The correct statement is regarding the data controller. The other statements are incorrect. The correct versions of those statements are as follows. A data owner is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A data processor is the entity that performs operations on data. A data custodian is the entity assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.
642
20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike? A. Renee’s public key B. Renee’s private key C. Mike’s public key D. Mike’s private key
20. C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. Renee’s (the recipient) public key is not used in this scenario. However, it could be used to create a digital envelope to protect a symmetric session encryption key sent from Mike to Renee. Renee’s (the recipient) private key is not used in this scenario. However, it could be used if Renee becomes a sender to send Mike a digitally signed message. Mike’s (the sender) private key was used to encrypt the hash of the data to be sent to Renee, and this is what creates the digital signature.
643
21. A systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room and all digital access is limited to a set of security administrators. Which of the following describes the data? A. The data is encrypted in transit. B. The data is encrypted in processing. C. The data is redundantly stored. D. The data is encrypted at rest.
21. D. In this scenario, the data is encrypted at rest with AES-256. There is no mention of encryption for transfer or processing. The data is not stored redundantly, since it is being moved, not copied, to the central data warehouse, and there is no mention of a backup.
644
22. The __________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A. Data owner B. Data controller C. Data processor D. Data custodian
22. A. The data owner is the person(s) (or entity) assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. The data controller is the entity that makes decisions about the data they are collecting. A data processor is the entity that performs operations on data on behalf of a data controller. A data custodian or steward is a subject who has been assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.
645
23. A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? (Choose two.) A. NAC B. DLP alerts C. Syslog D. Log analysis E. Malware scanner reports F. Integrity monitoring
23. B, D. In this scenario, the data loss prevention (DLP) alerts and log analysis are the only options that would potentially include useful information in regard to an insider exfiltrating the sensitive documents. The other options are incorrect because they do not provide relevant information. Network access control (NAC) is a security mechanism to prevent rogue devices and ensure authorized systems meet minimum security configuration requirements. Syslog is a logging service used to maintain centralized real-time copies of active log files. Malware scanner reports are not relevant here since there is no suspicious or malicious code being used but only access abuses and unauthorized file distribution. Integrity monitoring is also not relevant to this situation, since there is no indication that the documents were altered, just that they were released to the public.
646
24. A new Wireless Application Protocol (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used and thus only newer or updated endpoint devices can connect. The policy also states that ENT authentication will not be implemented. What authentication mechanism can be implemented in this situation? A. IEEE 802.1X B. IEEE 802.1q C. Simultaneous authentication of equals (SAE) D. EAP-FAST
24. C. WPA3 supports ENT (Enterprise Wi-Fi authentication, aka IEEE 802.1X) and SAE authentication. Simultaneous authentication of equals (SAE) still uses a password, but it no longer encrypts and sends that password across the connection to perform authentication. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie–Hellman. IEEE 802.1X defines port-based network access control that ensures that clients can’t communicate with a resource until proper authentication has taken place. It’s based on Extensible Authentication Protocol (EAP) from Point-to-Point Protocol (PPP). However, this is the technology behind the label of ENT; thus, it is not an option in this scenario. IEEE 802.1q defines the use of virtual local area network (VLAN) tags and thus is not relevant to Wi-Fi authentication. Flexible Authentication via Secure Tunneling (EAP-FAST) is a Cisco protocol proposed to replace Lightweight Extensible Authentication Protocol (LEAP), which is now obsolete, thanks to the development of WPA2, and is not supported in WPA3 either.
647
25. When securing a mobile device, what types of authentication can be used that depend on the user’s physical attributes? (Choose all that apply.) A. Fingerprint B. TOTP (time-based one-time password) C. Voice D. SMS (short message service) E. Retina F. Gait G. Phone call H. Facial recognition I. Smartcard J. Password
25. A, C, E, H. Biometrics are authentication factors that are based on a user’s physical attributes; they include fingerprints, voice, retina, and facial recognition. Gait is a form of biometrics, but it is not appropriate for use as authentication on a mobile device; it is used from a stationary position to monitor people walking toward or past a security point. The other options are valid authentication factors, but they are not biometrics.
648
26. A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician? A. Guest account B. Privileged account C. Service account D. User account
26. B. A repair technician typically requires more than a normal level of access to perform their duties, so a privileged account for even a trusted third-party technician is appropriate. A guest account or user (normal, limited) account is insufficient for this scenario. A service account is to be used by an application or background service, not a repair technician or other user.
649
27. Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls? A. Logging usage data B. War dialing C. Penetration testing D. Deploying secured desktop workstations
27. C. Penetration testing is the attempt to bypass security controls to test overall system security. Logging usage data is a type of auditing and is useful in the authentication, authorization, accounting (AAA) service process in order to hold subjects accountable for their actions. However, it is not a means to test security. War dialing is an attempt to locate modems and fax machines by dialing phone numbers. This process is sometimes still used by penetration testers and adversaries to find targets to attack, but it is not an actual attack or stress test itself. Deploying secured desktop workstations is a security response to the results of a penetration test, not a security testing method.
650
28. Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what? A. Accountability B. Confidentiality C. Accessibility D. Redundancy
28. A. Auditing is a required factor to sustain and enforce accountability. Auditing is one of the elements of the AAA services concept of identification, authentication, authorizations, auditing, and accounting (or accountability). Confidentiality is a core security element of the CIA Triad, but it is not dependent on auditing. Accessibility is the assurance that locations and systems are able to be used by the widest range of people/users possible. Redundancy is the implementation of alternatives, backup options, and recovery measures and methods to avoid single points of failure to ensure that downtime is minimized while maintaining availability.
651
29. Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the ALE? A. ALE = AV * EF * ARO B. ALE = ARO * EF C. ALE = AV * ARO D. ALE = EF * ARO
29. A. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO, since SLE = AV * EF. The other formulas displayed here do not accurately reflect this calculation, since they are not valid or typical risk formulas.
652
30. Incident response plans, business continuity plans, and disaster recovery plans are crafted when implementing business-level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process? A. Identification of priorities B. Likelihood assessment C. Risk identification D. Resource prioritization
30. A. Identification of priorities is the first step of the business impact assessment process. Likelihood assessment is the third step or phase of BIA. Risk identification is the second step of BIA. Resource prioritization is the last step of BIA.
653
31. Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represent natural events that can pose a threat or risk to an organization? A. Earthquake B. Flood C. Tornado D. All of the above
31. D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornadoes, wildfires, and other acts of nature. Thus options A, B, and C are correct because they are natural and not human caused.
654
32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility? A. Hot site B. Warm site C. Cold site D. All of the above
32. A. Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company.
655
33. During an account review, an auditor provided the following report:

User    Last Login Length    Last Password Change
Bob     4 hours              87 days
Sue     3 hours              38 days
John    1 hour               935 days
Kesha   3 hours              49 days

The security manager reviews the account policies of the organization and takes note of the following requirements:
■ Passwords must be at least 12 characters long.
■ Passwords must include at least one example of three different character types.
■ Passwords must be changed every 180 days.
■ Passwords cannot be reused.
Which of the following security controls should be corrected to enforce the password policy? A. Minimum password length B. Account lockout C. Password history and minimum age D. Password maximum age
33. D. The issue revealed by the audit report is that one account has a password that is older than the requirements allow for; thus, correcting the password maximum age security setting should resolve this. There is no information in regard to password length, lockout, or password reuse in the audit report, so these options are not of concern in this situation.
656
34. Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence refers to written documents that are brought into court to prove a fact? A. Best evidence B. Parol evidence C. Documentary evidence D. Testimonial evidence
34. C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. Best evidence is a form of documentary evidence, but specifically it is the original document rather than a copy or description. Parol evidence is based on a rule stating that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement. Testimonial evidence consists of the testimony of a witness’s experience, either verbal testimony in court or written testimony in a recorded deposition.
657
35. DevOps manager John is concerned with the CEO’s plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in house due to several concerns. Which of the following should John include in his presentation? (Choose all that apply.) A. Code from third parties will need to be manually reviewed for function and security. B. If the third party goes out of business, existing code may need to be abandoned. C. Third-party code development is always more expensive. D. A software escrow agreement should be established.
35. A, B. If your organization depends on custom-developed software or software products produced through outsourced code development, then the risks of that arrangement need to be evaluated and mitigated. First, the quality and security of the code needs to be assessed. Second, if the third-party development group goes out of business, can you continue to operate with the code as is? You may need to abandon the existing code to switch to a new development group. It is not true that third-party code development is always more expensive; it is often less expensive. A software escrow agreement (SEA) is not an issue that John would want to bring up as a reason to keep development in house, since a SEA is a means to reduce the risk of a third-party developer group ceasing to exist.
658
36. When TLS is being used to secure web communications, what URL prefix appears in the web browser address bar to signal this fact? A. SHTTP:// B. TLS:// C. FTPS:// D. HTTPS://
36. D. HTTPS:// is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated. SHTTP:// is for Secure HTTP, which was SSH but SHTTP is also deprecated. TLS:// is an invalid prefix. FTPS:// is a valid prefix that can be used in some web browsers, and it uses TLS to encrypt the connection, but it is for securing FTP file exchange rather than web communications.
659
37. A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The chief security officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company’s production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating? A. Business continuity planning (BCP) B. Onboarding C. Change management D. Static analysis
37. C. The CSO in this scenario is demonstrating the need to follow the security principle of change management. Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. This scenario is not describing a BCP event. A BCP event would involve the evaluation of threats to business processes and then the creation of response scenarios to address those issues. This scenario is not describing onboarding. Onboarding is the process of integrating a new element (such as an employee or device) into an existing system of security infrastructure. Although loosely similar to change management, onboarding focuses more on ensuring compliance with existing security policies by the new member, rather than testing updates for an existing member. Static analysis is used to evaluate source code as a part of a secure development environment. Static analysis may be used as an evaluation tool in change management, but it is a tool, not the principle of security referenced in this scenario.
660
38. What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate? A. HOTP B. HMAC C. SAML D. TOTP
38. D. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertions Markup Language (SAML) is used to create authentication federation (i.e. sharing) links; it is not itself a means to authenticate.
661
39. Your organization is moving a significant portion of their data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which of the following is the most important security concern? A. Data retention policy B. Number of customers C. Hardware used to support VMs D. Whether they offer MaaS, IDaaS, and SaaS
39. A. The most important security concern from this list of options in relation to a CSP is the data retention policy. The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it. The number of customers and what hardware is used are not significant security concerns in comparison to data retention. Whether the CSP offers MaaS, IDaaS, and SaaS is not as important as data retention, especially if these are not services your organization needs or wants. One of the keys to answering this question is to consider the range of CSP options, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and the type of organizations that are technically CSP SaaS but that we don’t often think of as such (examples include Facebook, Google, and Amazon). These organizations absolutely have access to customer/user data, and thus, their data retention policies are of utmost concern (at least compared to the other options provided).
40. AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload to minimize the amount of new code to author, but third-party software libraries are a risk because they can introduce vulnerabilities, especially when closed source libraries are used. Thus, use of third-party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option.
40. Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is not considered a secure coding technique? (Choose all that apply.) A. Using immutable systems B. Using stored procedures C. Using code signing D. Using server-side validation E. Optimizing file sizes F. Using third-party software libraries
40. AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload by minimizing the amount of new code to author, but third-party software libraries are a risk because they can introduce vulnerabilities, especially when closed-source libraries are used. Thus, use of third-party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option.
1. You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest? A. Software products B. Internet connections C. Security policies D. Humans
1. D. Regardless of the specifics of a security solution, humans are often considered the weakest element. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. Software products, internet connections, and security policies can all be vulnerabilities or otherwise areas of security concern, but they are not considered the most common weakest element of an organization.
2. Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.
2. A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired. Crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. From the job description, a determination can be made as to the education, skills, experience, and classification required by the applicant. Then a job posting can be made to request the submission of résumés. Then, candidates can be screened to see if they meet the requirements and if they have any disqualifications.
3. _________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A. Reissue B. Onboarding C. Background checks D. Site survey
3. B. Onboarding is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. Reissue is a certification function when a lost certificate is provided to the user by extracting it from the escrow backup database or when a certificate is altered to extend its expiration date. Background checks are used to verify that a job applicant is qualified but not disqualified for a specific work position. A site survey is used to optimize the placement of wireless access points (WAPs) to provide reliable connectivity throughout the organization’s facilities.
4. After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee? A. Return the exiting employee’s personal belongings. B. Review the nondisclosure agreement. C. Evaluate the exiting employee’s performance. D. Cancel the exiting employee’s parking permit.
4. B. A termination process often focuses on eliminating an employee who has become problematic, whether that employee is committing crimes or just violating company policy. Once the worker is fired, the company has little direct control over that person. So, the only remaining leverage is legal, which often relates to a nondisclosure agreement (NDA). Hopefully, reviewing and reminding the ex-employee about their signed NDA will reduce future security issues, such as confidential data dissemination. Returning the exiting employee’s personal belongings is not really an important task to protect the company’s security interests. Evaluating the exiting employee’s performance could be done via an exit interview, but that was not mentioned in this scenario. Often when an adversarial termination occurs, an exit interview is not feasible. Canceling an exiting employee’s parking permit is not a high security priority for most organizations, at least not in comparison to the NDA.
5. Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B. Outsourcing can be used as a risk response option known as acceptance or appetite. C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. D. Risk management strategies implemented by one party do not cause additional risks against or from another party.
5. C. Option C is correct: Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. The other statements are false. Their corrected and thus true versions would be: (A) Using service-level agreements (SLAs) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization; (B) Outsourcing can be used as a risk response option known as transference or assignment; and (D) Risk management strategies implemented by one party may in fact cause additional risks to or from another party.
6. Match the term to its definition: 1. Asset 2. Threat 3. Vulnerability 4. Exposure 5. Risk I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. II. Anything used in a business process or task. III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A. 1-II, 2-V, 3-I, 4-III, 5-IV B. 1-I, 2-II, 3-IV, 4-II, 5-V C. 1-II, 2-V, 3-I, 4-IV, 5-III D. 1-IV, 2-V, 3-III, 4-II, 5-I
6. A. An asset is anything used in a business process or task. A threat is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A vulnerability is the weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. An exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
7. While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information
7. B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment. This scenario does not relate to virus infection or unauthorized access. Equipment damaged by fire could be considered a system malfunction, but that option is not as direct as “damage to equipment.”
8. During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A. Qualitative risk assessment B. Delphi technique C. Risk avoidance D. Quantitative risk assessment
8. D. This scenario is describing the activity of performing a quantitative risk assessment. The question describes the determination of asset value (AV) as well as the exposure factor (EF) and the annualized rate of occurrence (ARO) for each identified threat. These are the needed values to calculate the annualized loss expectancy (ALE), which is a quantitative factor. This is not an example of a qualitative risk assessment, since specific numbers are being determined rather than relying on ideas, reactions, feelings, and perspectives. This is not the Delphi technique, which is a qualitative risk assessment method that seeks to reach an anonymous consensus. This is not risk avoidance, since that is an optional risk response or treatment, and this scenario is only describing the process of risk assessment.
9. You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.
9. C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. The other statements are not rules to follow. (A) The annual cost of the safeguard should not exceed the annual cost of the asset value or its potential value loss. (B) The cost of the safeguard should be less than the value of the asset. (D) There is no specific maximum percentage of a security budget for the cost of a safeguard. However, the security budget should be used efficiently to reduce overall risk to an acceptable level.
10. During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A. Mitigation B. Ignoring C. Acceptance D. Assignment
10. C. When controls are not cost effective, they are not worth implementing. Thus, risk acceptance is the risk response in this situation. Mitigation is the application of a control; that was not done in this scenario. Ignoring risk occurs when no action, not even assessment or control evaluation, is performed in relation to a risk. Since controls were evaluated in this scenario, this is not ignoring risk. Assignment is the transfer of risk to a third party; that was not done in this scenario.
11. During the annual review of the company’s deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated? A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard – controls gap D. Total risk – controls gap
11. A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS]. This is known as the cost/benefit equation for safeguards. The other options are incorrect. (B) This is an invalid calculation. (C) This is an invalid calculation. (D) This is the concept formula for residual risk: total risk – controls gap = residual risk.
12. Which of the following are valid definitions for risk? (Choose all that apply.) A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure E. The presence of a vulnerability when a related threat exists
12. A, C, D. Statements of A, C, and D are all valid definitions of risk. The other two statements are not definitions of risk. (B) Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk. (E) The presence of a vulnerability when a related threat exists is an exposure, not a risk. A risk is a calculation of the probability of occurrence and the level of damage that could be caused if an exposure is realized (i.e., actually occurs).
13. A new web application was installed onto the company’s public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue? A. Inherent risk B. Risk matrix C. Qualitative assessment D. Residual risk
13. A. This situation is describing inherent risk. Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. The new application had vulnerabilities that were not mitigated, thus enabling the opportunity for the attack. This is not a risk matrix. A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart, such as a 3×3 grid comparing probability and damage potential. This is not a qualitative risk assessment, since this scenario does not describe any evaluation of the risk of the new code. This is not residual risk, since no controls were implemented to reduce risk. Residual risk is the leftover risk after countermeasures and safeguards are implemented in response to original or total risk.
14. Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization’s security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization? A. Preliminary B. Integrated C. Defined D. Optimized
14. C. The level of RMM named Defined requires that a common or standardized risk framework be adopted organization-wide. This is effectively level 3. The first level of RMM is not listed as an option; it is ad hoc, which is the chaotic starting point. Preliminary is RMM level 2, which demonstrates loose attempts to follow risk management processes but each department may perform risk assessment uniquely. Integrated is RMM level 4, where risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions. Optimized is RMM level 5, where risk management focuses on achieving objectives rather than just reacting to external threats, increasing strategic planning toward business success rather than just avoiding incidents, and reintegrating lessons learned into the risk management process.
15. The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation are reasonable? A. Categorize B. Authorize C. Assess D. Monitor
15. B. RMF phase 6 is Authorize, in which system or common controls are authorized based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable (or reasonable). The phases of RMF are (1) Prepare, (2) Categorize, (3) Select, (4) Implement, (5) Assess, (6) Authorize, (7) Monitor. (A) RMF phase (2) is Categorize: categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. (C) RMF phase (5) is Assess: assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. (D) RMF phase (7) is Monitor: monitor the system and the associated controls on an ongoing basis, including assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
16. Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.) A. Deploy a web application firewall. B. Block access to personal email from the company network. C. Update the company email server. D. Implement multifactor authentication (MFA) on the company email server. E. Perform an access review of all company files. F. Prohibit access to social networks on company equipment.
16. B, F. The leaking of company proprietary data may have been caused by the content of emails received by workers. The computers of workers who clicked links from the suspicious emails may have been infected by malicious code. This malicious code may have exfiltrated documents to the social media site. This issue could occur whether workers were on company computers on the company network, on company computers on their home network, or on personal computers on their home network (especially if the workers copied company files to their personal machines to work from home). Blocking access to social media sites and personal email services from the company network reduces the risk of this same event occurring again. For example, if the suspicious emails are blocked from being received by company email servers and accounts, they could still be received into personal email accounts. Though not mentioned, blocking access to the malicious URLs would be a good security defense as well. This issue is not addressed by deploying a web application firewall, updating the company email server, using MFA on the email server, or performing an access review of company files. Although all of these options are good security practices in general, they do not relate specifically to this issue.
17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination
17. C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. (A) Education is an endeavor in which students and users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion or career advancement. Most education programs are not hosted by the employer but by training organizations or colleges or universities. Education is not provided to workers in groups based on their job positions. (B) Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand. Although it is provided by the organization, it is not targeted to groups of workers since it applies to all employees. (D) Termination is usually targeted at individuals rather than groups of workers with similar job positions. Though large layoff events might fire groups of similar workers, this option is not as accurate as training.
18. Which of the following could be classified as a form of social engineering attack? (Choose all that apply.) A. A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO’s private cell phone number so that they can call them.
18. B, C, D. The activity described in option A is an opportunistic unauthorized access attack, which is not a social engineering attack since there was no interaction with the victim, just the opportunity when the victim walked away. The activities described in options B (hoax), C (phishing, hoax, watering hole attack), and D (vishing) are all examples of social engineering attacks.
19. Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group’s work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A. CISO(s) B. Security champion(s) C. Security auditor(s) D. Custodian(s)
19. B. The correct answer for these blanks is security champion(s). Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group’s work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. The other options are incorrect. A CISO, or chief information security officer, defines and enforces security throughout the organization. The security auditor is the person who manages security logging and reviews the audit trails for signs of compliance or violation. The custodian is the security role that accepts assets from owners and then, based on the owner-assigned classifications, places the asset in the proper IT container where the proper security protections are provided.
20. The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended? A. Program effectiveness evaluation B. Onboarding C. Compliance enforcement D. Gamification
20. D. Security awareness and training can often be improved through gamification. Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change. This can include rewarding compliance behaviors and potentially punishing violating behaviors. Many aspects of game play can be integrated into security training and adoption, such as scoring points, earning achievements or badges (i.e., earn recognition), competing with others, cooperating with others (i.e., team up with coworkers), following a set of common/standard rules, having a defined goal, seeking rewards, developing group stories/experiences, and avoiding pitfalls or negative game events. (A) Program effectiveness evaluation is using some means of verification, such as giving a quiz or monitoring security incident rate changes over time, to measure whether the training is beneficial or a waste of time and resources. This question starts by indicating that security incidents are on the rise, which shows that prior training was ineffective. But the recommendations to change the training are gamification focused. (B) Onboarding is the process of adding new employees to the organization. This is not the concept being described in this scenario. (C) Compliance enforcement is the application of sanctions or consequences for failing to follow policy, training, best practices, and/or regulation.
1. James was recently asked by his organization’s CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
1. B. As the first step of the process, the business organization analysis helps guide the remainder of the work. James and his core team should conduct this analysis and use the results to aid in the selection of team members and the design of the BCP process.
2. Tracy is preparing for her organization’s annual business continuity exercise and encounters resistance from some managers who don’t see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? A. The exercise is required by policy. B. The exercise is already scheduled and canceling it would be difficult. C. The exercise is crucial to ensuring that the organization is prepared for emergencies. D. The exercise will not be very time-consuming.
2. C. This question requires that you exercise some judgment, as do many questions on the CISSP exam. All of these answers are plausible things that Tracy could bring up, but we’re looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn’t address their concerns that it is a waste of time. Telling them that it won’t be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested.
3. The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability. What obligation are they satisfying by this review? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility
3. C. A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board’s responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.
4. Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? A. Hardware B. Software C. Processing time D. Personnel
4. D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
5. Ryan is assisting with his organization’s annual business impact analysis effort. He’s been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use? A. Monetary B. Utility C. Importance D. Time
5. A. The quantitative portion of the priority identification should assign asset values in monetary units. The organization may also choose to assign other values to assets, but non-monetary measures should be part of a qualitative, rather than a quantitative, assessment.
6. Renee is reporting the results of her organization’s BIA to senior leaders. They express frustration at all of the detail, and one of them says, “Look, we just need to know how much we should expect these risks to cost us each year.” What measure could Renee provide to best answer this question? A. ARO B. SLE C. ALE D. EF
6. C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
7. Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? A. SLE B. EF C. MTD D. ARO
7. C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.
8. You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
8. B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent, because only the building is lost and the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.
9. Referring to the scenario in question 8, what is the annualized loss expectancy? A. $3 million B. $2,700,000 C. $270,000 D. $135,000
9. D. This problem requires you to compute the annualized loss expectancy (ALE), which is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.
10. You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million
10. A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.
11. Chris is completing the risk acceptance documentation for his organization’s business continuity plan. Which one of the following items is Chris least likely to include in this documentation? A. Listing of risks deemed acceptable B. Listing of future events that might warrant reconsideration of risk acceptance decisions C. Risk mitigation controls put in place to address acceptable risks D. Rationale for determining that risks were acceptable
11. C. Risk mitigation controls to address acceptable risks would not be in the BCP. The risk acceptance documentation should contain a thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable. For acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination. The documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation.
12. Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? A. Physical plant B. Infrastructure C. Financial D. People
12. D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!
13. Ricky is conducting the quantitative portion of his organization’s business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage
13. C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis. The other items listed here are all more easily quantifiable.
14. Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10 million C. $100,000 D. 0.10
14. B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).
15. Referring to the scenario in question 14, what is the annualized loss expectancy? A. 0.01 B. $10 million C. $100,000 D. 0.10
15. C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact analysis C. Provisions and processes D. Resource prioritization
16. C. In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
17. Matt is supervising the installation of redundant communications links in response to a finding during his organization’s BIA. What type of mitigation provision is Matt overseeing? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems
17. D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.
18. Helen is working on her organization’s resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact analysis C. Disaster recovery plan D. Vulnerability assessment
18. C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
19. Darren is concerned about the risk of a serious power outage affecting his organization’s data center. He consults the organization’s business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year’s assessment, assuming that none of the circumstances underlying the analysis have changed? A. 20 percent B. 50 percent C. 75 percent D. 100 percent
19. A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn’t change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.
20. Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager
20. C. You should strive to have the highest-ranking person possible sign the BCP’s statement of importance. Of the choices given, the chief executive officer (CEO) has the highest ranking.
1. Brianna is working with a U.S. software firm that uses encryption in its products and plans to export their product outside of the United States. What federal government agency has the authority to regulate the export of encryption software? A. NSA B. NIST C. BIS D. FTC
1. C. The Bureau of Industry and Security within the Department of Commerce sets regulations on the export of encryption products outside of the United States. The other agencies listed here are not involved in regulating exports.
2. Wendy recently accepted a position as a senior cybersecurity administrator at a U.S. government agency and is concerned about the legal requirements affecting her new position. Which law governs information security operations at federal agencies? A. FISMA B. FERPA C. CFAA D. ECPA
2. A. The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute of Standards and Technology (NIST).
3. What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law
3. D. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.
4. What U.S. state was the first to pass a comprehensive privacy law modeled after the requirements of the European Union’s General Data Protection Regulation? A. California B. New York C. Vermont D. Texas
4. A. The California Consumer Privacy Act (CCPA) of 2018, modeled after the requirements of the European Union’s General Data Protection Regulation (GDPR), was the first sweeping data privacy law enacted by a U.S. state. It followed California’s earlier passage of the first state data breach notification law.
5. Congress passed CALEA in 1994, requiring that what type of organizations cooperate with law enforcement investigations? A. Financial institutions B. Communications carriers C. Healthcare organizations D. Websites
5. B. The Communications Assistance for Law Enforcement Act (CALEA) required that communications carriers assist law enforcement with the implementation of wiretaps when done under an appropriate court order. CALEA only applies to communications carriers and does not apply to financial institutions, healthcare organizations, or websites.
6. What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment C. Second Amendment D. Gramm–Leach–Bliley Act
6. B. The Fourth Amendment to the U.S. Constitution sets the “probable cause” standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property. The Privacy Act regulates what information government agencies may collect and maintain about individuals. The Second Amendment grants the right to keep and bear arms. The Gramm–Leach–Bliley Act regulates financial institutions, not the federal government.
7. Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property (IP) protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret
7. A. Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation because it would only protect the name and/or logo of the software, not its algorithms. Patent protection does not apply to mathematical algorithms. Matthew can’t seek trade secret protection because he plans to publish the algorithm in a public technical journal.
8. Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property (IP) protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret
8. D. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely. Copyright and patent protection both have expiration dates and would not meet Mary and Joe’s requirements. Trademark protection is for names and logos and would not be appropriate in this case.
9. Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® C. ™ D. †
9. C. Richard’s product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol. The © symbol is used to represent a copyright. The † symbol is not associated with intellectual property protections.
10. Tom is an adviser to a federal government agency that collects personal information from constituents. He would like to facilitate a research relationship between that agency and several universities that involves the sharing of personal information. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm–Leach–Bliley Act
10. A. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances. The Electronic Communications Privacy Act (ECPA) implements safeguards against electronic eavesdropping. The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection and sharing of health records. The Gramm–Leach–Bliley Act requires that financial institutions protect customer records.
11. Renee’s organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate? A. Binding corporate rules B. Privacy Shield C. Privacy Lock D. Standard contractual clauses
11. D. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/US Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but that is no longer valid. Privacy Lock is a made-up term.
12. The Children’s Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16
12. A. The Children’s Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
13. Kevin is assessing his organization’s obligations under state data breach notification laws. Which one of the following pieces of information would generally not be covered by a data breach notification law when it appears in conjunction with a person’s name? A. Social Security number B. Driver’s license number C. Credit card number D. Student identification number
13. D. Although state data breach notification laws vary, they generally apply to Social Security numbers, driver’s license numbers, state identification card numbers, credit/debit card numbers, and bank account numbers. These laws generally do not cover other identifiers, such as a student identification number.
14. Roger is the CISO at a healthcare organization covered under HIPAA. He would like to enter into a partnership with a vendor who will manage some of the organization’s data. As part of the relationship, the vendor will have access to protected health information (PHI). Under what circumstances is this arrangement permissible under HIPAA? A. This is permissible if the service provider is certified by the Department of Health and Human Services. B. This is permissible if the service provider enters into a business associate agreement. C. This is permissible if the service provider is within the same state as Roger’s organization. D. This is not permissible under any circumstances.
14. B. Organizations subject to HIPAA may enter into relationships with service providers as long as the provider’s use of protected health information is regulated under a formal business associate agreement (BAA). The BAA makes the service provider liable under HIPAA.
15. Frances learned that a user in her organization recently signed up for a cloud service without the knowledge of her supervisor and is storing corporate information in that service. Which one of the following statements is correct? A. If the user did not sign a written contract, the organization has no obligation to the service provider. B. The user most likely agreed to a click-through license agreement binding the organization. C. The user’s actions likely violate federal law. D. The user’s actions likely violate state law.
15. B. Cloud services almost always include binding click-through license agreements that the user may have agreed to when signing up for the service. If that is the case, the user may have bound the organization to the terms of that agreement. This agreement does not need to be in writing. There is no indication that the user violated any laws.
16. Greg recently accepted a position as the cybersecurity compliance officer with a privately held bank. What law most directly impacts the manner in which his organization handles personal information? A. HIPAA B. GLBA C. SOX D. FISMA
16. B. The Gramm–Leach–Bliley Act (GLBA) provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.
17. Ruth recently obtained a utility patent covering a new invention that she created. How long will she retain legal protection for her invention? A. 14 years from the application date B. 14 years from the date the patent is granted C. 20 years from the application date D. 20 years from the date the patent is granted
17. C. U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office.
18. Ryan is reviewing the terms of a proposed vendor agreement between the financial institution where he works and a cloud service provider. Which one of the following items should represent the least concern to Ryan? A. What security audits does the vendor perform? B. What provisions are in place to protect the confidentiality, integrity, and availability of data? C. Is the vendor compliant with HIPAA? D. What encryption algorithms and key lengths are used?
18. C. Ryan does not likely need to be concerned about HIPAA compliance because that law applies to healthcare organizations and Ryan works for a financial institution. Instead, he should be more concerned about compliance with the Gramm–Leach–Bliley Act (GLBA). The other concerns should all be part of Ryan’s contract review.
19. Justin is a cybersecurity consultant working with a retailer on the design of their new point-of-sale (POS) system. What compliance obligation relates to the processing of credit card information that might take place through this system? A. SOX B. HIPAA C. PCI DSS D. FERPA
19. C. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.
20. Leonard and Sheldon recently coauthored a paper describing a new superfluid vacuum theory. How long will the copyright on their paper last? A. 70 years after publication B. 70 years after completion of the first draft C. 70 years after the death of the first author D. 70 years after the death of the last author
20. D. Copyright protection generally lasts for 70 years after the death of the last surviving author of the work.
1. Which of the following provides the best protection against the loss of confidentiality for sensitive data? A. Data labels B. Data classifications C. Data handling D. Data degaussing methods
1. B. Data classifications provide strong protection against the loss of confidentiality and are the best choice of the available answers. Data labels and proper data handling are based on first identifying data classifications. Data degaussing methods apply only to magnetic media.
2. Administrators regularly back up data on all the servers within your organization. They annotate an archive copy with the server it came from and the date it was created, and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered some archive tapes are missing, and these tapes probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security? A. Mark the media kept off site. B. Don’t store data off site. C. Destroy the backups off site. D. Use a secure off-site storage facility.
2. D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won’t protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite or offsite backups are destroyed, security is sacrificed by risking availability.
3. Administrators have been using tapes to back up servers in your organization. However, the organization is converting to a different backup system, storing backups on disk drives. What is the final stage in the lifecycle of tapes used as backup media? A. Degaussing B. Destruction C. Declassification D. Retention
3. B. Destruction is the final stage in the lifecycle of backup media. Because the backup method is no longer using tapes, they should be destroyed. Degaussing and declassifying the tape is done if you plan to reuse it. Retention implies you plan to keep the media, but retention is not needed at the end of its lifecycle.
4. You are updating your organization’s data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data? A. Controller B. Custodian C. Owner D. User
4. C. The data owner is the person responsible for classifying data. A data controller decides what data to process and directs the data processor to process the data. A data custodian protects the integrity and security of the data by performing day-to-day maintenance. Users simply access the data.
5. You are tasked with updating your organization’s data policy, and you need to identify the responsibilities of different roles. Which data role is responsible for implementing the protections defined by the security policy? A. Data custodian B. Data user C. Data processor D. Data controller
5. A. The data custodian is responsible for the tasks of implementing the protections defined by the security policy and senior management. A data controller decides what data to process and how. Data users are not responsible for implementing the security policy protections. A data processor controls the processing of data and only does what the data controller tells them to do with the data.
6. A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You’re hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability? A. Anonymization B. Pseudonymization C. Move the company location D. Collection limitation
6. D. The company can implement a data collection policy of minimization to minimize the amount of data they collect and store. If they are selling digital products, they don’t need the physical address. If they are reselling products to the same customers, they can use tokenization to save tokens that match the credit card data, instead of saving and storing credit card data. Anonymization techniques remove all personal data and make the data unusable for reuse on the website. Pseudonymization replaces data with pseudonyms. Although the process can be reversed, it is not necessary.
7. You are performing an annual review of your company’s data policy, and you come across some confusing statements related to security labeling. Which of the following could you insert to describe security labeling accurately? A. Security labeling is only required on digital media. B. Security labeling identifies the classification of data. C. Security labeling is only required for hardware assets. D. Security labeling is never used for nonsensitive data.
7. B. Security labeling identifies the classification of data such as sensitive, secret, and so on. Media holding sensitive data should be labeled. Similarly, systems that hold or process sensitive data should also be marked. Many organizations require the labeling of all systems and media, including those that hold or process nonsensitive data.
8. A database file includes personally identifiable information (PII) on several individuals, including Karen C. Park. Which of the following is the best identifier for the record on Karen C. Park? A. Data controller B. Data subject C. Data processor D. Data subject
8. B. A data subject is a person who can be identified by an identifier such as a name, identification number, or other PII. All of these answers refer to the General Data Protection Regulation (GDPR). A data owner owns the data and has ultimate responsibility for protecting it. A data controller decides what data to process and how it should be processed. A data processor processes the data for the data controller.
9. Administrators regularly back up all the email servers within your company, and they routinely purge on-site emails older than six months to comply with the organization’s security policy. They keep a copy of the backups on site and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following choices, what policy was ignored and allowed this data breach? A. Media destruction B. Record retention C. Configuration management D. Versioning
9. B. Personnel did not follow the record retention policy for the backups sent to the warehouse. The scenario states that administrators purge onsite emails older than six months to comply with the organization’s security policy, but the leak was from emails sent over three years ago. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning applies to applications, not backup tapes.
10. An executive is reviewing governance and compliance issues and ensuring the security or data policy addresses them. Which of the following security controls is most likely driven by a legal requirement? A. Data remanence B. Record destruction C. Data user role D. Data retention
10. D. Record retention policies define the amount of time to keep data, and laws or regulations often drive these policies. Data remanence is data remnants on media, and proper data destruction procedures remove data remnants. Laws and regulations do outline requirements for some data roles, but they don’t specify requirements for the data user role.
11. Your organization is donating several computers to a local school. Some of these computers include solid-state drives (SSDs). Which of the following choices is the most reliable method of destroying data on these SSDs? A. Erasing B. Degaussing C. Deleting D. Purging
11. D. Purging is the most reliable method among the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. It ensures there isn’t any data remanence. Erasing or deleting processes rarely remove the data from media but instead mark it for deletion. Solid-state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn’t destroy data.
12. A technician is about to remove disk drives from several computers. His supervisor told him to ensure that the disk drives do not hold any sensitive data. Which of the following methods will meet the supervisor’s requirements? A. Overwriting the disks multiple times B. Formatting the disks C. Degaussing the disks D. Defragmenting the disks
12. A. Overwriting the disks multiple times will remove all existing data. This is called purging, and purged media can then be used again. Formatting the disks isn’t secure because it doesn’t typically remove the previously stored data. Degaussing the disks often damages the electronics but doesn’t reliably remove the data. Defragmenting a disk optimizes it, but it doesn’t remove data.
13. The IT department is updating the budget for the following year, and they want to include enough money for a hardware refresh for some older systems. Unfortunately, there is a limited budget. Which of the following should be a top priority? A. Systems with an end-of-life (EOL) date that occurs in the following year B. Systems used for data loss prevention C. Systems used to process sensitive data D. Systems with an end-of-support (EOS) date that occurs in the following year
13. D. Systems with an EOS date that occurs in the following year should be a top priority for replacement. The EOS date is the date that the vendor will stop supporting a product. The EOL date is the date that a vendor stops offering a product for sale, but the vendor continues to support the product until the EOS date. Systems used for data loss prevention or to process sensitive data can remain in service.
14. Developers created an application that routinely processes sensitive data. The data is encrypted and stored in a database. When the application processes the data, it retrieves it from the databases, decrypts it for use, and stores it in memory. Which of the following methods can protect the data in memory after the application uses it? A. Encrypt it with asymmetric encryption. B. Encrypt it in the database. C. Implement data loss prevention. D. Purge memory buffers.
14. D. Purging memory buffers removes all remnants of data after a program has used it. Asymmetric encryption (along with symmetric encryption) protects data in transit. The data is already encrypted and stored in the database. The scenario doesn’t indicate that the program modified the data, so there’s no need to overwrite the existing data in the database. Data loss prevention methods prevent unauthorized data loss but do not protect data in use.
15. Your organization’s security policy mandates the use of symmetric encryption for sensitive data stored on servers. Which one of the following guidelines are they implementing? A. Protecting data at rest B. Protecting data in transit C. Protecting data in use D. Protecting the data lifecycle
15. A. Symmetric encryption methods protect data at rest, and data at rest is any data stored on media, such as a server. Data in transit is data transferred between two systems. Data in use is data in memory that is used by an application. Steps are taken to protect data from the time it is created to the time it is destroyed, but this question isn’t related to the data lifecycle.
16. An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called? A. Tokenization B. Scoping C. Standards selection D. Imaging
16. B. Scoping is a part of the tailoring process and refers to reviewing a list of security controls and selecting the security controls that apply. Tokenization is the use of a token, such as a random string of characters, to replace other data and is unrelated to this question. Note that scoping focuses on the security of the system and tailoring ensures that the selected controls align with the organization’s mission. If the database server needs to comply with external entities, it’s appropriate to select a standard baseline provided by that entity. Imaging is done to deploy an identical configuration to multiple systems, but this is typically done after identifying security controls.
17. An organization is planning to deploy an e-commerce site hosted on a web farm. IT administrators have identified a list of security controls they say will provide the best protection for this project. Management is now reviewing the list and removing any security controls that do not align with the organization’s mission. What is this called? A. Tailoring B. Sanitizing C. Asset classification D. Minimization
17. A. Tailoring refers to modifying a list of security controls to align with the organization’s mission. The IT administrators identified a list of security controls to protect the web farm during the scoping steps. Sanitization methods (such as clearing, purging, and destroying) help ensure that data cannot be recovered and is unrelated to this question. Asset classification identifies the classification of assets based on the classification of data the assets hold or process. Minimization refers to data collection. Organizations should collect and maintain only the data they need.
18. An organization is planning to use a cloud provider to store some data. Management wants to ensure that all data-based security policies implemented in the organization’s internal network can also be implemented in the cloud. Which of the following will support this goal? A. CASB B. DLP C. DRM D. EOL
18. A. A cloud access security broker (CASB) is software placed logically between users and cloud-based resources, and it can enforce security policies used in an internal network. Data loss prevention (DLP) systems attempt to detect and block data exfiltration. CASB systems typically include DLP capabilities. Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. End-of-life (EOL) is generally a marketing term and indicates when a company stops selling a product.
19. Management is concerned that users may be inadvertently transmitting sensitive data outside the organization. They want to implement a method to detect and prevent this from happening. Which of the following can detect outgoing, sensitive data based on specific data patterns and is the best choice to meet these requirements? A. Antimalware software B. Data loss prevention systems C. Security information and event management systems D. Intrusion prevention systems
19. B. Network-based data loss prevention (DLP) systems can scan outgoing data and look for specific keywords and/or data patterns. DLP systems can block these outgoing transmissions. Antimalware software detects malware. Security information and event management (SIEM) provides real-time analysis of events occurring on systems throughout an organization but doesn’t necessarily scan outgoing traffic. Intrusion prevention systems (IPSs) scan incoming traffic to prevent unauthorized intrusions.
20. A software developer created an application and wants to protect it with DRM technologies. Which of the following is she most likely to include? (Choose three.) A. Virtual licensing B. Persistent online authentication C. Automatic expiration D. Continuous audit trail
20. B, C, D. Persistent online authentication, automatic expiration, and a continuous audit trail are all methods used with digital rights management (DRM) technologies. Virtual licensing isn’t a valid term within DRM.
1. Ryan is responsible for managing the cryptographic keys used by his organization. Which of the following statements are correct about how he should select and manage those keys? (Choose all that apply.) A. Keys should be sufficiently long to protect against future attacks if the data is expected to remain sensitive. B. Keys should be chosen using an approach that generates them from a predictable pattern. C. Keys should be maintained indefinitely. D. Longer keys provide greater levels of security.
1. A, D. Keys must be long enough to withstand attack for as long as the data is expected to remain sensitive. They should not be generated in a predictable way but, rather, should be randomly generated. Keys should be securely destroyed when they are no longer needed and not indefinitely retained. Longer keys do indeed provide greater security against brute force attacks.
2. John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message? A. Nonrepudiation B. Confidentiality C. Availability D. Integrity
2. A. Nonrepudiation prevents the sender of a message from later denying that they sent it. Confidentiality protects the contents of encrypted data from unauthorized disclosure. Integrity protects data from unauthorized modification. Availability is not a goal of cryptography.
3. You are implementing AES encryption for files that your organization plans to store in a cloud storage service and wish to have the strongest encryption possible. What key length should you choose? A. 192 bits B. 256 bits C. 512 bits D. 1,024 bits
3. B. The strongest keys supported by the Advanced Encryption Standard are 256 bits. The valid AES key lengths are 128, 192, and 256 bits.
4. You are creating a security product that must facilitate the exchange of symmetric encryption keys between two parties that have no way to securely exchange keys in person. What algorithm might you use to facilitate the exchange? A. Rijndael B. Blowfish C. Vernam D. Diffie–Hellman
4. D. The Diffie–Hellman algorithm allows the exchange of symmetric encryption keys between two parties over an insecure channel.
5. What occurs when the relationship between the plaintext and the key is complicated enough that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key? (Choose all that apply.) A. Confusion B. Transposition C. Polymorphism D. Diffusion
5. A, D. Confusion and diffusion are two principles underlying most cryptosystems. Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key. Diffusion occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.
6. Randy is implementing an AES-based cryptosystem for use within his organization. He would like to better understand how he might use this cryptosystem to achieve his goals. Which of the following goals are achievable with AES? (Choose all that apply.) A. Nonrepudiation B. Confidentiality C. Authentication D. Integrity
6. B, C, D. AES provides confidentiality, integrity, and authentication when implemented properly. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message and cannot be achieved with a symmetric cryptosystem, such as AES.
7. Brian encountered encrypted data left on one of his systems by attackers who were communicating with one another. He has tried many cryptanalytic techniques and was unable to decrypt the data. He believes that the data may be protected with an unbreakable system. When correctly implemented, what is the only cryptosystem known to be unbreakable? A. Transposition cipher B. Substitution cipher C. Advanced Encryption Standard D. One-time pad
7. D. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks. All other cryptosystems, including transposition ciphers, substitution ciphers, and even AES, are vulnerable to attack, even if no attack has yet been discovered.
8. Helen is planning to use a one-time pad to meet a unique cryptographic requirement in her organization. She is trying to identify the requirements for using this cryptosystem. Which of the following are requirements for the use of a one-time pad? (Choose all that apply.) A. The encryption key must be at least one-half the length of the message to be encrypted. B. The encryption key must be randomly generated. C. Each one-time pad must be used only once. D. The one-time pad must be physically protected against disclosure.
8. B, C, D. The encryption key must be at least as long as the message to be encrypted. This is because each key element is used to encode only one character of the message. The three other facts listed are all characteristics of one-time pad systems.
9. Brian administers a symmetric cryptosystem used by 20 users, each of whom has the ability to communicate privately with any other user. One of those users lost control of their account and Brian believes that user’s keys were compromised. How many keys must he change? A. 1 B. 2 C. 19 D. 190
9. C. In a symmetric cryptosystem, a unique key exists for each pair of users. In this case, every key involving the compromised user must be changed, meaning that the key that the user shared with each of the other 19 users must be changed.
10. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message? A. Stream cipher B. Caesar cipher C. Block cipher D. ROT3 cipher
10. C. Block ciphers operate on message “chunks” rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.
11. James is the administrator for his organization’s symmetric key cryptographic system. He issues keys to users when the need arises. Mary and Beth recently approached him and presented a need to be able to exchange encrypted files securely. How many keys must James generate? A. One B. Two C. Three D. Four
11. A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction. Therefore, James only needs to create a single symmetric key to facilitate this communication.
12. Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using? A. Split knowledge B. M of N Control C. Work function D. Zero-knowledge proof
12. B. M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. M of N Control is an example of a split knowledge technique, but not all split knowledge techniques are used for key escrow.
13. What is used to increase the strength of cryptography by creating a unique ciphertext every time the same message is encrypted with the same key? A. Initialization vector B. Vigenère cipher C. Steganography D. Stream cipher
13. A. An initialization vector (IV) is a random bit string (a nonce) that is the same length as the block size that is XORed with the message. IVs are used to create a unique ciphertext every time the same message is encrypted with the same key. Vigenère ciphers are an example of a substitution cipher technique. Steganography is a technique used to embed hidden messages within a binary file. Stream ciphers are used to encrypt continuous streams of data.
14. Tammy is choosing a mode of operation for a symmetric cryptosystem that she will be using in her organization. She wants to choose a mode that is capable of providing both confidentiality and data authenticity. What mode would best meet her needs? A. ECB B. GCM C. OFB D. CTR
14. B. Galois/Counter Mode (GCM) and Counter with Cipher Block Chaining Message Authentication Code mode (CCM) are the only two modes that provide both confidentiality and data authenticity. Other modes, including Electronic Code Book (ECB), Output Feedback (OFB), and Counter (CTR) modes, only provide confidentiality.
15. Julie is designing a highly secure system and is concerned about the storage of unencrypted data in RAM. What use case is she considering? A. Data in motion B. Data at rest C. Data in destruction D. Data in use
15. D. Data that is stored in memory is being actively used by a system and is considered data in use. Data at rest is data that is stored on nonvolatile media, such as a disk. Data in motion is being actively transferred over a network.
16. Renee conducted an inventory of encryption algorithms used in her organization and found that they are using all of the algorithms below. Which of these algorithms should be discontinued? (Choose all that apply.) A. AES B. DES C. 3DES D. RC5
16. B, C. The Advanced Encryption Standard (AES) and Rivest Cipher 6 (RC6) are modern, secure algorithms. The Data Encryption Standard (DES) and Triple DES (3DES) are outdated and no longer considered secure.
17. Which one of the following encryption algorithm modes suffers from the undesirable characteristic of errors propagating between blocks? A. Electronic Code Book B. Cipher Block Chaining C. Output Feedback D. Counter
17. B. One important consideration when using CBC mode is that errors propagate—if one block is corrupted during transmission, it becomes impossible to decrypt that block and the next block as well. The other modes listed here do not suffer from this flaw.
18. Which one of the following key distribution methods is most cumbersome when users are located in different geographic locations? A. Diffie–Hellman B. Public key encryption C. Offline D. Escrow
18. C. Offline key distribution requires a side channel of trusted communication, such as in-person contact. This can be difficult to arrange when users are geographically separated. Alternatively, the individuals could use the Diffie–Hellman algorithm or another asymmetric/public key encryption technique to exchange a secret key. Key escrow is a method for managing the recovery of lost keys and is not used for key distribution.
19. Victoria is choosing an encryption algorithm for use within her organization and would like to choose the most secure symmetric algorithm from a list of those supported by the software package she intends to use. If the package supports the following algorithms, which would be the best option? A. AES-256 B. 3DES C. RC4 D. Skipjack
19. A. The AES-256 algorithm is a modern, secure cryptographic algorithm. 3DES, RC4, and Skipjack are all outdated algorithms that suffer from significant security issues.
20. The Jones Institute has six employees and uses a symmetric key encryption system to ensure confidentiality of communications. If each employee needs to communicate privately with every other employee, how many keys are necessary? A. 1 B. 6 C. 15 D. 30
20. C. A separate key is required for each pair of users who want to communicate privately. In a group of six users, this would require a total of 15 secret keys. You can calculate this value by using the formula (n * (n – 1) / 2). In this case, n = 6, resulting in (6 * 5) / 2 = 15 keys.
1. Brian computes the digest of a single sentence of text using a SHA-2 hash function. He then changes a single character of the sentence and computes the hash value again. Which one of the following statements is true about the new hash value? A. The new hash value will be one character different from the old hash value. B. The new hash value will share at least 50 percent of the characters of the old hash value. C. The new hash value will be unchanged. D. The new hash value will be completely different from the old hash value.
1. D. Any change, no matter how minor, to a message will result in a completely different hash value. There is no relationship between the significance of the change in the message and the significance of the change in the hash value.
2. Alan believes that an attacker is collecting information about the electricity consumption of a sensitive cryptographic device and using that information to compromise encrypted data. What type of attack does he suspect is taking place? A. Brute force B. Side channel C. Known plaintext D. Frequency analysis
2. B. Side-channel attacks use information gathered about a system’s use of resources, timing, or other characteristics to contribute to breaking the security of encryption. Brute-force attacks seek to exhaust all possible encryption keys. Known plaintext attacks require access to both plaintext and its corresponding ciphertext. Frequency analysis attacks require access to ciphertext.
3. If Richard wants to send a confidential encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message? A. Richard’s public key B. Richard’s private key C. Sue’s public key D. Sue’s private key
3. C. Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard’s private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard’s freely available public key. Richard could not encrypt the message using Sue’s private key because he does not have access to it. If he did, any user could decrypt it using Sue’s freely available public key.
4. If a 2,048-bit plaintext message were encrypted with the ElGamal public key cryptosystem, how long would the resulting ciphertext message be? A. 1,024 bits B. 2,048 bits C. 4,096 bits D. 8,192 bits
4. C. The major disadvantage of the ElGamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plaintext message would yield a 4,096-bit ciphertext message when ElGamal is used for the encryption process.
5. Acme Widgets currently uses a 3,072-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If the company wants to maintain the same cryptographic strength, what ECC key length should it use? A. 256 bits B. 512 bits C. 1,024 bits D. 2,048 bits
5. A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 3,072-bit RSA key is cryptographically equivalent to a 256-bit elliptic curve cryptosystem key.
6. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-2 hashing algorithm, what is a possible size for the message digest generated? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits
6. B. The SHA-2 hashing algorithm comes in four variants. SHA-224 produces 224-bit digests. SHA-256 produces 256-bit digests. SHA-384 produces 384-bit digests, and SHA-512 produces 512-bit digests. Of the options presented here, only 512 bits is a valid SHA-2 hash length.
9. Richard received an encrypted message sent to him from Sue. Sue encrypted the message using the RSA encryption algorithm. Which key should Richard use to decrypt the message? A. Richard’s public key B. Richard’s private key C. Sue’s public key D. Sue’s private key
9. B. Sue would have encrypted the message using Richard’s public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.
7. After conducting a survey of encryption technologies used in her organization, Melissa suspects that some may be out of date and pose security risks. Which one of the following technologies is considered flawed and should no longer be used? A. SHA-3 B. TLS 1.2 C. IPsec D. SSL 3.0
7. D. The Secure Sockets Layer (SSL) protocol is deprecated and no longer considered secure. It should never be used. The Secure Hash Algorithm 3 (SHA-3), Transport Layer Security (TLS) 1.2, and IPsec are all modern, secure protocols and standards.
10. Richard wants to digitally sign a message he’s sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest? A. Richard’s public key B. Richard’s private key C. Sue’s public key D. Sue’s private key
10. B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard’s public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.
8. You are developing an application that compares passwords to those stored in a Unix password file. The hash values you compute are not correctly matching those in the file. What might have been added to the stored password hashes? A. Salt B. Double hash C. Added encryption D. One-time pad
8. A. Cryptographic salt values are added to the passwords in password files before hashing to defeat rainbow table and dictionary attacks. Double hashing does not provide any added security. Adding encryption to the passwords is challenging, because then the operating system must possess the decryption key. A one-time pad is only appropriate for use in human-to-human communications and would not be practical here.
11. Which one of the following algorithms is not supported by the Digital Signature Standard under FIPS 186-4? A. Digital Signature Algorithm B. RSA C. ElGamal DSA D. Elliptic Curve DSA
11. C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.
12. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication? A. X.500 B. X.509 C. X.900 D. X.905
12. B. X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.
13. Ron believes that an attacker accessed a highly secure system in his data center and applied high-voltage electricity to it in an effort to compromise the cryptographic keys that it uses. What type of attack does he suspect? A. Implementation attack B. Fault injection C. Timing D. Chosen ciphertext
13. B. Fault injection attacks compromise the integrity of a cryptographic device by causing some type of external fault, such as the application of high-voltage electricity. Implementation attacks rely on flaws in the cryptographic algorithm. Timing attacks measure the length of time consumed by encryption operations. Chosen ciphertext attacks require access to the algorithm and work by having the attacker perform encryption that results in an expected ciphertext.
14. Brandon is analyzing network traffic and is searching for user attempts to access websites over secure TLS connections. What TCP port should Brandon add to his search filter because it would normally be used by this traffic? A. 22 B. 80 C. 443 D. 1443
14. C. HTTPS uses TCP port 443 for encrypted client/server communications over TLS. Port 22 is used by the secure shell (SSH) protocol. Port 80 is used by the unencrypted HTTP protocol. Port 1433 is used for Microsoft SQL Server database connections.
15. Beth is assessing the vulnerability of a cryptographic system to attack. She believes that the cryptographic keys are properly secured and that the system is using a modern, secure algorithm. Which one of the following attacks would most likely still be possible against the system by an external attacker who did not participate in the system and did not have physical access to the facility? A. Ciphertext only B. Known plaintext C. Chosen plaintext D. Fault injection
15. A. An attacker without any special access to the system would only be able to perform ciphertext-only attacks. Known plaintext and chosen plaintext attacks require the ability to encrypt data. Fault injection attacks require physical access to the facility.
16. Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack? A. Rainbow tables B. Hierarchical screening C. TKIP D. Random enhancement
16. A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password-cracking attacks.
18. What is the major disadvantage of using certificate revocation lists? A. Key management B. Latency C. Record keeping D. Vulnerability to brute-force attacks
18. B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.
19. Which one of the following encryption algorithms is now considered insecure? A. ElGamal B. RSA C. Elliptic Curve Cryptography D. Merkle–Hellman Knapsack
19. D. The Merkle–Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.
20. Brian is upgrading a system to support SSH2 rather than SSH1. Which one of the following advantages will he achieve? A. Support for multifactor authentication B. Support for simultaneous sessions C. Support for 3DES encryption D. Support for IDEA encryption
20. B. SSH2 adds support for simultaneous shell sessions over a single SSH connection. Both SSH1 and SSH2 are capable of supporting multifactor authentication. SSH2 actually drops support for the IDEA algorithm, whereas both SSH1 and SSH2 support 3DES.
1. You have been working on crafting a new expansion service to link to the existing computing hardware of a core business function. However, after weeks of research and experimentation, you are unable to get the systems to communicate. The CTO informs you that the computing hardware you are focusing on is a closed system. What is a closed system? A. A system designed around final, or closed, standards B. A system that includes industry standards C. A proprietary system that uses unpublished protocols D. Any machine that does not run Windows
1. C. A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and option B describes an open system.
2. A compromise of a newly installed Wi-Fi connected baby monitor enabled a hacker to virtually invade a home and play scary sounds to a startled toddler. How was the attacker able to gain access to the baby monitor in this situation? A. Outdated malware scanners B. A WAP supporting 5 GHz channels C. Performing a social engineering attack against the parents D. Exploiting default configuration
2. D. The most likely reason the attacker was able to gain access to the baby monitor was through exploitation of default configuration. Since there is no mention of the exact means used by the attacker in the question, and there is no discussion of any actions of installation, configuration, or security implementation, the only remaining option is to consider the defaults of the device. This is an unfortunately common issue with any device, but especially with IoT equipment connected to Wi-Fi networks. Unless malware was used in the attack, a malware scanner would not be relevant to this situation. This scenario did not mention malware. This type of attack is possible over any network type and all Wi-Fi frequency options. This scenario did not discuss frequencies or network types. There was no mention of any interaction with the parents, which was not required with a device using its default configuration.
3. While working against a deadline, you are frantically trying to finish a report on the current state of security of the organization. You are pulling records and data items from over a dozen sources, including a locally hosted database, several documents, a few spreadsheets, and numerous web pages from an internal server. However, as you start to open another file from your hard drive, the system crashes and displays the Windows Blue Screen of Death. This event is formally known as a stop error and is an example of a(n) _______ approach to software failure. A. Fail-open B. Fail-secure C. Limit check D. Object-oriented
3. B. The Blue Screen of Death (BSoD) stops all processing when a critical failure occurs in Windows. This is an example of a fail-secure approach. The BSoD is not an example of a fail-open approach; a fail-open event would have required the system to continue to operate in spite of the error. A fail-open result would have protected availability, but typically by sacrificing confidentiality and integrity protections. This is not an example of a limit check, which is the verification that input is within a preset range or domain. Object-oriented is a type of programming approach, not a means of handling software failure.
4. As a software designer, you want to limit the actions of the program you are developing. You have considered using bounds and isolation but are not sure they perform the functions you need. Then you realize that the limitation you want can be achieved using confinement. Which best describes a confined or constrained process? A. A process that can run only for a limited time B. A process that can run only during certain times of the day C. A process that can access only certain memory locations D. A process that controls access to an object
4. C. A constrained process is one that can access only certain memory locations. Allowing a process to run for a limited time is a time limit or timeout restriction, not a confinement. Allowing a process to run only during certain times of the day is a scheduling limit, not a confinement. A process that controls access to an object is authorization, not confinement.
5. When a trusted subject violates the star property of Bell–LaPadula in order to write an object into a lower level, what valid operation could be taking place? A. Perturbation B. Noninterference C. Aggregation D. Declassification
5. D. Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell–LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure. Perturbation is the use of false or misleading data in a database management system in order to redirect or thwart information confidentiality attacks. Noninterference is the concept of limiting the actions of a subject at a higher security level so that they do not affect the system state or the actions of a subject at a lower security level. If noninterference were being enforced, the writing of a file to a lower level would be prohibited, not allowed and supported. Aggregation is the act of collecting multiple pieces of nonsensitive or low-value information and combining it or aggregating it to learn sensitive or high-value information.
6. What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects? A. Separation of duties B. Access control matrix C. Biba D. Clark–Wilson
6. B. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list. Separation of duties is the division of administrative tasks into compartments or silos; it is effectively the application of the principle of least privilege to administrators. Biba is a security model that focuses on integrity protection across security levels. Clark–Wilson is a security model that protects integrity using an access control triplet.
7. What security model has a feature that in theory has one name or label but, when implemented into a solution, takes on the name or label of the security kernel? A. Graham–Denning model B. Harrison–Ruzzo–Ullman (HRU) model C. Trusted computing base D. Brewer and Nash model
7. C. The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation. The other options do not have this feature. The Graham–Denning model is focused on the secure creation and deletion of both subjects and objects. The Harrison–Ruzzo–Ullman (HRU) model focuses on the assignment of object access rights to subjects as well as the integrity (or resilience) of those assigned rights. The Brewer and Nash model was created to permit access controls to change dynamically based on a user’s previous activity.
8. The Clark–Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark–Wilson model defines each data item and allowable data transformations. Which of the following is not part of the access control relationship of the Clark–Wilson model? A. Object B. Interface C. Input sanitization D. Subject
8. C. The three parts of the Clark–Wilson model’s access control relationship (aka access triple) are subject, object, and program (or interface). Input sanitization is not an element of the Clark–Wilson model.
9. While researching security models to base your new computer design around, you discover the concept of the TCB. What is a trusted computing base (TCB)? A. Hosts on your network that support secure transmissions B. The operating system kernel, other OS components, and device drivers C. The combination of hardware, software, and controls that work together to enforce a security policy D. The predetermined set or domain (i.e., a list) of objects that a subject can access
9. C. The TCB is the combination of hardware, software, and controls that work together to enforce a security policy. The other options are incorrect. Hosts on a network that support secure transmissions may be able to support VPN connections, use TLS encryption, or implement some other form of data-in-transit protection mechanism. The operating system kernel, other OS components, and device drivers are located in Rings 0–2 of the protection rings concept, or in the Kernel Mode ring in the variation used by Microsoft Windows (see Chapter 9). The predetermined set or domain (i.e., a list) of objects that a subject can access is the Goguen–Meseguer model.
10. What is a security perimeter? (Choose all that apply.) A. The boundary of the physically secure area surrounding your system B. The imaginary boundary that separates the TCB from the rest of the system C. The network where your firewall resides D. Any connections to your computer system
10. A, B. Although the most correct answer in the context of this chapter is option B, the imaginary boundary that separates the TCB from the rest of the system, option A, the boundary of the physically secure area surrounding your system, is also a correct answer in the context of physical security. The network where your firewall resides is not a unique concept or term, since a firewall can exist in any network as either a hardware device or a software service. A border firewall could be considered a security perimeter protection device, but that was not a provided option. Any connections to your computer system are just pathways of communication to a system’s interface—they are not labeled as a security perimeter.
11. The trusted computing base (TCB) is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. What part of the TCB concept validates access to every resource prior to granting the requested access? A. TCB partition B. Trusted library C. Reference monitor D. Security kernel
11. C. The reference monitor validates access to every resource prior to granting the requested access. The other options are incorrect. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Option A, a TCB partition, and option B, a trusted library, are not valid TCB concept components.
12. A security model provides a way for designers to map abstract statements into a solution that prescribes the algorithms and data structures necessary to build hardware and software. Thus, a security model gives software designers something against which to measure their design and implementation. Which of the following is the best definition of a security model? A. A security model states policies an organization must follow. B. A security model provides a framework to implement a security policy. C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards. D. A security model is used to host one or more operating systems within the memory of a single host computer or to run applications that are not compatible with the host OS.
12. B. Option B is the only option that correctly defines a security model. The other options are incorrect. Option A is a definition of a security policy. Option C is a formal evaluation of the security of a system. Option D is the definition of virtualization.
13. The state machine model describes a system that is always secure no matter what state it is in. A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy. Which security models are built on a state machine model? A. Bell–LaPadula and take-grant B. Biba and Clark–Wilson C. Clark–Wilson and Bell–LaPadula D. Bell–LaPadula and Biba
13. D. The Bell–LaPadula and Biba models are built on the state machine model. Take-Grant and Clark–Wilson are not directly based or built on the state machine model.
14. You are tasked with designing the core security concept for a new government computing system. The details of its use are classified, but it will need to protect confidentiality across multiple classification levels. Which security model addresses data confidentiality in this context? A. Bell–LaPadula B. Biba C. Clark–Wilson D. Brewer and Nash
14. A. Only the Bell–LaPadula model addresses data confidentiality. The Biba and Clark–Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.
15. The Bell–LaPadula multilevel security model was derived from the DoD’s multilevel security policies. The multilevel security policy states that a subject with any level of clearance can access resources at or below its clearance level. Which Bell–LaPadula property keeps lower-level subjects from accessing objects with a higher security level? A. (Star) security property B. No write-up property C. No read-up property D. No read-down property
15. C. The no read-up property, also called the simple security property, prohibits subjects from reading a higher security level object. The other options are incorrect. Option A, the (star) security property of Bell–LaPadula, is no write-down. Option B, no write-up, is the (star) property of Biba. Option D, no read-down, is the simple property of Biba.
16. The Biba model was designed after the Bell–LaPadula model. Whereas the Bell–LaPadula model addresses confidentiality, the Biba model addresses integrity. The Biba model is also built on a state machine concept, is based on information flow, and is a multilevel model. What is the implied meaning of the simple property of Biba? A. Write-down B. Read-up C. No write-up D. No read-down
16. B. The simple property of Biba is no read-down, but the implied allowed opposite is read-up. The other options are incorrect. Option A, write-down, is the implied opposite allow of the (star) property of Biba, which is no write-up. Option C, no write-up, is the (star) property of Biba. Option D, no read-down, is the simple property of Biba.
17. The Common Criteria defines various levels of testing and confirmation of systems’ security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed. What part of the Common Criteria specifies the claims of security from the vendor that are built into a target of evaluation? A. Protection profiles B. Evaluation Assurance Levels C. Authorizing Official D. Security target
18. The Authorizing Official (AO) has the discretion to determine which breaches or security changes result in a loss of Authorization to Operate (ATO). The AO can also issue four types of authorization decisions. Which of the following are examples of these ATOs? (Choose all that apply.) A. Common control authorization B. Mutual authorization C. Denial of authorization D. Authorization to transfer E. Authorization to use F. Verified authorization
17. D. Security targets (STs) specify the claims of security from the vendor that are built into a target of evaluation (TOE). STs are considered the implemented security measures or the “I will provide” from the vendor. The other options are incorrect. Option A, protection profiles (PPs), specify for a product that is to be evaluated (the TOE) the security requirements and protections, which are considered the security desires or the “I want” from a customer. Option B, Evaluation Assurance Levels (EALs), are the various levels of testing and confirmation of systems’ security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed. Option C, an Authorizing Official (AO), is the entity with the authority to issue an Authorization to Operate (ATO).
19. A new operating system update has made significant changes to the prior system. While testing, you discover that the system is highly unstable, allows for integrity violations between applications, can be affected easily by local denial-of-service attacks, and allows for information disclosure between processes. You suspect that a key security mechanism has been disabled or broken by the update. What is a likely cause of these problems? A. Use of virtualization B. Lack of memory protections C. Not following the Goguen–Meseguer model D. Support for storage and transmission encryption
19. B. Memory protection is a core security component that must be designed and implemented into an operating system. It must be enforced regardless of the programs executing in the system. Otherwise, instability, violation of integrity, denial of service, and disclosure are likely results. The other options are incorrect. Option A, the use of virtualization, would not cause all of those security issues. Option C, the Goguen–Meseguer model, is based on predetermining the set or domain (i.e., a list) of objects that a subject can access. Option D, the use of encryption, is a protection, not a cause of these security issues.
20. As an application designer, you need to implement various security mechanisms to protect the data that will be accessed and processed by your software. What would be the purpose of implementing a constrained or restricted interface? A. To limit the actions of authorized and unauthorized users B. To enforce identity verification C. To track user events and check for violations D. To swap datasets between primary and secondary memory
20. A. A constrained or restricted interface is implemented within an application to restrict what users can do or see based on their privileges. The purpose of a constrained interface is to limit or restrict the actions of both authorized and unauthorized users. The other options are incorrect. Option B describes authentication. Option C describes auditing and accounting. Option D describes virtual memory.
1. While designing the security for the organization, you realize the importance of not only balancing the objectives of the organization against security goals but also focusing on the shared responsibility of security. Which of the following is considered an element of shared responsibility? (Choose all that apply.) A. Everyone in an organization has some level of security responsibility. B. Always consider the threat to both tangible and intangible assets. C. Organizations are responsible to their stakeholders for making good security decisions in order to sustain the organization. D. When working with third parties, especially with cloud providers, each entity needs to understand their portion of the shared responsibility of performing work operations and maintaining security. E. Multiple layers of security are required to protect against adversary attempts to gain access to internal sensitive resources. F. As we become aware of new vulnerabilities and threats, we should consider it our responsibility (if not our duty) to responsibly disclose that information to the proper vendor or to an information sharing center.
1. A, C, D, F. The statements in options A, C, D, and F are all valid elements or considerations of shared responsibility. The other options are incorrect. Always considering the threat to both tangible and intangible assets is a tenet of risk management and BIA. Requiring multiple layers of security to protect against adversary attempts to gain access to internal sensitive resources is a general principle of security known as defense in depth.
2. Many PC OSs provide functionality that enables them to support the simultaneous execution of multiple applications on single-processor systems. What term is used to describe this capability? A. Multistate B. Multithreading C. Multitasking D. Multiprocessing
2. C. Multitasking is processing more than one task at the same time. In most cases, multitasking is simulated by the OS (using multiprogramming or pseudo-simultaneous execution) even when not supported by the processor. Multicore (not listed as an option) is also able to perform simultaneous execution but does so with multiple execution cores on one or more CPUs. Multistate is a type of system that can operate at various security levels (or classifications, risk levels, etc.). Multithreading permits multiple concurrent tasks (i.e., threads) to be performed within a single process. In a multiprocessing environment, a multiprocessor computing system (that is, one with more than one CPU) harnesses the power of more than one processor to complete the execution of a multithreaded application.
3. Based on recent articles about the risk of mobile code and web apps, you want to adjust the security configurations of organizational endpoint devices to minimize the exposure. On a modern Windows system with the latest version of Microsoft’s browser and all others disabled or blocked, which of the following is of the highest concern? A. Java B. Flash C. JavaScript D. ActiveX
3. C. JavaScript remains the one mobile code technology that may affect the security of modern browsers and their host OSs. Java is deprecated for general internet use and browsers do not have native support for Java. A Java add-on is still available to install, but it is not preinstalled, and general security guidance recommends avoiding it on any internet-facing browser. Flash is deprecated; no modern browser supports it natively. Adobe has abandoned it, and most browsers actively block the add-on. ActiveX is also deprecated, and though it was always only a Microsoft Windows technology, it was only supported by Internet Explorer, not Edge (either in its original form or the more recent Chromium-based version). Although Internet Explorer is still present on modern Windows 10, this scenario stated that all other browsers were disabled or blocked. Thus, this scenario is limited to the latest Edge browser.
4. Your organization is considering deploying a publicly available screen saver to use spare system resources to process sensitive company data. What is a common security risk when using grid computing solutions that consume available resources from computers over the internet? A. Loss of data privacy B. Latency of communication C. Duplicate work D. Capacity fluctuation
4. A. In many grid computing implementations, grid members can access the contents of the distributed work segments or divisions. This grid computing over the internet is not usually the best platform for sensitive operations. Grid computing is able to handle and compensate for latency of communications, duplicate work, and capacity fluctuation.
5. Your company is evaluating several cloud providers to determine which is the best fit to host your custom services as a custom application solution. There are many aspects of security controls you need to evaluate, but the primary issues include being able to process significant amounts of data in short periods of time, controlling which applications can access which assets, and being able to prohibit VM sprawl or repetition of operations. Which of the following is not relevant to this selection process? A. Collections of entities, typically users, but can also be applications and devices, which can be granted or denied access to perform specific tasks or access certain resources or assets B. A VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services C. The ability of a cloud process to use or consume more resources (such as compute, memory, storage, or networking) when needed D. A management or security mechanism able to monitor and differentiate between numerous instances of the same VM, service, app, or resource
5. B. Option B references a VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services, but this concept is not specifically relevant to or a requirement of this scenario. The remaining items are relevant to the selection process in this scenario. These are all compute security–related concepts. Option A, security groups, are collections of entities, typically users, but can also be applications and devices, which can be granted or denied access to perform specific tasks or access certain resources or assets. This supports the requirement of controlling which applications can access which assets. Option C, dynamic resource allocation (aka elasticity), is the ability of a cloud process to use or consume more resources (such as compute, memory, storage, or networking) when needed. This supports the requirement of processing significant amounts of data in short periods of time. Option D is a management or security mechanism, which is able to monitor and differentiate between numerous instances of the same VM, service, app, or resource. This supports the requirement of prohibiting VM sprawl or repetition of operations.
6. A large city’s central utility company has seen a dramatic increase in the number of distribution nodes failing or going offline. An APT group was attempting to take over control of the utility company and was responsible for the system failures. Which of the following systems has the attacker compromised? A. MFP B. RTOS C. SoC D. SCADA
6. D. A large utility company is very likely to be using supervisory control and data acquisition (SCADA) to manage and operate their equipment; therefore, that is the system that the APT group would have compromised. A multifunction printer (MFP) is not likely to be the attack point that granted the APT group access to the utility distribution nodes. A real-time OS (RTOS) may have been present on some of the utility company’s systems, but that is not the obvious target for an attack to take over control of an entire utility service. There may be system on chip (SoC) equipment present at the utility, but that would still be controlled and accessed through the SCADA system at a utility company.
7. Your organization is concerned about information leaks due to workers taking home retired equipment. Which one of the following types of memory might retain information after being removed from a computer and therefore represents a security risk? A. Static RAM B. Dynamic RAM C. Secondary memory D. Real memory
7. C. Secondary memory is a term used to describe magnetic, optical, or flash media (i.e., typical storage devices like HDD, SSD, CD, DVD, and thumb drives). These devices will retain their contents after being removed from the computer and may later be read by another user. Static RAM and dynamic RAM are types of real memory and thus are all the same concept in relation to being volatile—meaning they lose any data they were holding when power is lost or cycled. Static RAM is faster and more costly, and dynamic RAM requires regular refreshing of the stored contents. Take notice in this question that three of the options were effectively synonyms (at least from the perspective of volatile versus nonvolatile storage). If you notice synonyms among answer options, realize that none of the synonyms can be a correct answer for single-answer multiple-choice questions.
8. Your organization is considering the deployment of a DCE to support a massively multiplayer online role-playing game (MMORPG) based on the characters of a popular movie franchise. What is the primary concern of a DCE that could allow for propagation of malware or making adversarial pivoting and lateral movement easy? A. Unauthorized user access B. Identity spoofing C. Interconnectedness of the components D. Poor authentication
8. C. The primary security concern of a distributed computing environment (DCE) is the interconnectedness of the components. This configuration could allow for error or malware propagation as well. If an adversary compromises one component, it may grant them the ability to compromise other components in the collective through pivoting and lateral movement. The other options are incorrect. Unauthorized user access, identity spoofing, and poor authentication are potential weaknesses of most systems; they are not unique to DCE solutions, and these issues can be directly addressed through proper design, coding, and testing. In contrast, the interconnectedness of components is a native characteristic of DCE that cannot be removed without discarding the DCE design concept itself.
9. Your boss wants to automate the control of the building’s HVAC system and lighting in order to reduce costs. He instructs you to keep costs low and use off-the-shelf IoT equipment. When you are using IoT equipment in a private environment, what is the best way to reduce risk? A. Use public IP addresses B. Power off devices when not in use C. Keep devices current on updates D. Block access from the IoT devices to the internet
9. C. The best means to reduce IoT risk from these options is to keep devices current on updates. Using public IP addresses will expose the IoT devices to attack from the internet. Powering off devices is not a useful defense—the benefit of IoT is that they are always running and ready to be used or take action when triggered or scheduled. Blocking access to the internet will prevent the IoT devices from obtaining updates themselves, may prevent them from being controlled through a mobile device app, and will prevent communication with any associated cloud service.
10. Service-oriented architecture (SOA) constructs new applications or functions out of existing but separate and distinct software services. The resulting application is often new; thus, its security issues are unknown, untested, and unprotected. Which of the following is a direct extension of SOA that creates single-use functions that can be employed via an API by other software? A. Cyber-physical systems B. Fog computing C. DCS D. Microservices
10. D. Microservices are an emerging feature of web-based solutions and are derivative of service-oriented architecture (SOA). A microservice is simply one element, feature, capability, business logic, or function of a web application that can be called upon or used by other web applications. It is the conversion or transformation of a capability of one web application into a microservice that can be called upon by numerous other web applications. The relationship to an application programming interface (API) is that each microservice must have a clearly defined (and secured!) API to allow for I/O between multiple microservices as well as to and from other applications. The other options are incorrect since they are not derivatives of SOA. Cyber-physical systems are devices that offer a computational means to control something in the physical world. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing. Distributed control systems (DCSs) are typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential.
11. A new local VDI has been deployed in the organization. There have been numerous breaches of security due to issues on typical desktop workstations and laptop computers used as endpoints. Many of these issues stemmed from users installing unapproved software or altering the configuration of essential security tools. In an effort to avoid security compromises originating from endpoints in the future, all endpoint devices are now used exclusively as dumb terminals. Thus, no local data storage or application execution is performed on endpoints. Within the VDI, each worker has been assigned a VM containing all of their business-necessary software and datasets. These VMs are configured to block the installation and execution of new software code, data files cannot be exported to the actual endpoints, and each time a worker logs out, the used VM is discarded and a clean version copied from a static snapshot replaces it. What type of system has now been deployed for the workers to use? A. Cloud services B. Nonpersistent C. Thin clients D. Fog computing
11. B. This scenario describes the systems as being nonpersistent. A nonpersistent system or static system is a computer system that does not allow, support, or retain changes. Thus, between uses and/or reboots, the operating environment and installed software are exactly the same. Changes may be blocked or simply discarded after each system use. A nonpersistent system is able to maintain its configuration and security in spite of user attempts to implement change. This scenario is not describing a cloud solution, although a virtual desktop interface (VDI) could be implemented on premises or in the cloud. This scenario is not describing thin clients, since the existing “standard” PC endpoints are still in use but a VDI is being used instead of the local system capabilities. A VDI deployment simulates a thin client. This scenario is not describing fog computing. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing.
12. A review of your company’s virtualization of operations determines that the hardware resources supporting the VMs are nearly fully consumed. The auditor asks for the plan and layout of VM systems but is told that no such plan exists. This reveals that the company is suffering from what issue? A. Use of EOSL systems B. VM sprawl C. Poor cryptography D. VM escaping
12. B. The issue in this situation is VM sprawl. Sprawl occurs when organizations fail to plan their IT/IS needs and just deploy new systems, software, and VMs whenever their production needs demand it. This often results in obtaining underpowered equipment that is then overtaxed by inefficient implementations of software and VMs. This situation is not specifically related to end-of-service life (EOSL) systems, but EOSL systems would exacerbate the sprawl issue. This situation is not related to poor cryptography, nor is there any evidence of VM escaping issues.
13. A company server is currently operating at near maximum resource capacity, hosting just seven virtual machines. Management has instructed you to deploy six new applications onto additional VMs without purchasing new hardware since the IT/IS budget is exhausted. How can this be accomplished?
A. Data sovereignty
B. Infrastructure as code
C. Containerization
D. Serverless architecture
13. C. Containerization is based on the concept of eliminating the duplication of OS elements in a virtual machine. Instead, each application is placed into a container that includes only the actual resources needed to support the enclosed application, and the common or shared OS elements are then part of the hypervisor. The system as a whole could be redeployed using a containerization solution, and each of the applications previously present in the original seven VMs could be placed into containers, as well as the six new applications. This should result in all 13 applications being able to operate reasonably well without the need for new hardware. Data sovereignty is the concept that, once information has been converted into a binary form and stored as digital files, it is subject to the laws of the country within which the storage device resides. Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (security, development, and operations). Serverless architecture is a cloud computing concept where code is managed by the customer, and the platform (i.e., supporting hardware and software) or server is managed by the CSP. This is not a solution that will work in this scenario; if management does not want to purchase additional hardware, they probably won’t approve a monthly CSP subscription, either.
14. ____________ is a cloud computing concept where code is managed by the customer and the platform (i.e., supporting hardware and software) or server is managed by the cloud service provider (CSP). There is always a physical server running the code, but this execution model allows the software designer/architect/programmer/developer to focus on the logic of their code and not have to be concerned about the parameters or limitations of a specific server.
A. Microservices
B. Serverless architecture
C. Infrastructure as code
D. Distributed systems
14. B. Serverless architecture is a cloud computing concept where code is managed by the customer and the platform (i.e., supporting hardware and software) or server is managed by the cloud service provider (CSP). There is always a physical server running the code, but this execution model allows the software designer/architect/programmer/developer to focus on the logic of their code and not have to be concerned about the parameters or limitations of a specific server. This is also known as function as a service (FaaS). A microservice is simply one element, feature, capability, business logic, or function of a web application that can be called on or used by other web applications. Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (development, security, and operations). A distributed system or a distributed computing environment (DCE) is a collection of individual systems that work together to support a resource or provide a service. Often a DCE is perceived by users as a single entity rather than numerous individual servers or components.
15. You have been tasked with designing and implementing a new security policy to address the new threats introduced by the recently installed embedded systems. What is a security risk of an embedded system that is not commonly found in a standard PC?
A. Software flaws
B. Access to the internet
C. Control of a mechanism in the physical world
D. Power loss
15. C. Because an embedded system is often in control of a mechanism in the physical world, a security breach could cause harm to people and property (aka cyber-physical). This typically is not true of a standard PC. Power loss, internet access, and software flaws are security risks of both embedded systems and standard PCs.
16. A company is developing a new product to perform simple automated tasks related to indoor gardening. The device will be able to turn lights on and off and control a pump to transfer water. The technology to perform these automated tasks needs to be small and inexpensive. It only needs minimal computational capabilities, does not need networking, and should be able to execute C++ commands natively without the need of an OS. The organization thinks that using an embedded system or a microcontroller may be able to provide the functionality necessary for the product. Which of the following is the best choice to use for this new product?
A. Arduino
B. RTOS
C. Raspberry Pi
D. FPGA
16. A. Arduino is an open source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices. An Arduino device has limited RAM, a single USB port, and I/O pins for controlling additional electronics (such as servo motors or LED lights), and does not include an OS or support networking. Instead, Arduino can execute C++ programs specifically written to its limited instruction set. Raspberry Pi is a popular example of a 64-bit microcontroller or a single-board computer, which includes its own custom OS, although many third-party OS alternatives are available. A Raspberry Pi, another microcontroller option, has significantly more processing power than Arduino, is not limited to executing C++ programs, supports networking, and is more expensive than Arduino. Thus, a Raspberry Pi is not the best option for this scenario. A real-time operating system (RTOS) is designed to process or handle data as it arrives on the system with minimal latency or delay. RTOS is a software OS that is usually stored and executed from ROM and thus may be part of an embedded solution or hosted on a microcontroller. An RTOS is designed for mission critical operations where delay must be eliminated or minimized for safety. Thus, RTOS is not the best option for this scenario since it is about managing a garden, which does not need real-time mission-critical operations. A field-programmable gate array (FPGA) is a flexible computing device intended to be programmed by the end user or customer. FPGAs are often used as embedded devices in a wide range of products, including industrial control systems (ICSs). FPGAs can be challenging to program and are often more expensive than other more limited solutions. Thus, FPGA is not the best fit for this scenario.
17. You are developing a new product that is intended to process data in order to trigger real-world adjustments with minimal latency or delay. The current plan is to embed the code into a ROM chip in order to optimize for mission-critical operations. What type of solution is most appropriate for this scenario?
A. Containerized application
B. An Arduino
C. DCS
D. RTOS
17. D. This scenario is describing a product that requires a real-time operating system (RTOS) solution, since it mentions the need to minimize latency and delay, storing code in ROM, and optimizing for mission-critical operations. A containerized application is not a good fit for this situation because it may not be able to operate in near real time due to the virtualization infrastructure, and containerized apps are typically stored as files on the container host rather than a ROM chip. An Arduino is a type of microcontroller, but not typically robust enough to be considered a near-real-time mechanism; it stores code on a flash chip, has a limited C++-based instruction set, and is not suited for mission-critical operations. A distributed control system (DCS) can be used to manage small-scale industrial processes, but it is not designed as a near-real-time solution. DCSs are not stored in ROM, but they may be used to manage mission-critical operations.
18. A major online data service wants to provide better response and access times for its users and visitors. They plan on deploying thousands of mini-web servers to ISPs across the nation. These mini-servers will host the few dozen main pages of their website so that users will be routed to the logically and geographically closest server for optimal performance and minimal latency. Only if a user requests data not on these mini-servers will they be connecting to the centralized main web cluster hosted at the company’s headquarters. What is this type of deployment commonly known as?
A. Edge computing
B. Fog computing
C. Thin clients
D. Infrastructure as code
18. A. This scenario is an example of edge computing. In edge computing, the intelligence and processing are contained within each device. Thus, rather than having to send data off to a master processing entity, each device can process its own data locally. The architecture of edge computing performs computations closer to the data source, which is at or near the edge of the network. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing. A thin client is a computer with low to modest capability or a virtual interface that is used to remotely access and control a mainframe, virtual machine, or virtual desktop infrastructure (VDI). Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevOps.
20. The CISO has asked you to propose an update to the company’s mobile device security strategy. The main concerns are the intermingling of personal information with business data and complexities of assigning responsibility over device security, management, updates, and repairs. Which of the following would be the best option to address these issues?
A. Bring your own device (BYOD)
B. Corporate-owned personally enabled (COPE)
C. Choose your own device (CYOD)
D. Corporate-owned
20. D. The best option in this scenario is corporate-owned. A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them. This option often requires workers to carry a second device for personal use. Corporate-owned clearly assigns responsibility for device oversight to the organization. The other three options still allow for commingling of data and have unclear or vague security responsibility assignments as a concept or policy basis. BYOD is a policy that allows employees to bring their own personal mobile devices to work and use those devices to connect to business resources and/or the internet through the company network. The concept of corporate-owned, personally enabled (COPE) means the organization purchases devices and provides them to employees. Each user is then able to customize the device and use it for both work activities and personal activities. The concept of choose your own device (CYOD) provides users with a list of approved devices from which to select the device to implement
19. You are working on improving your organization’s policy on mobile equipment. Because of several recent and embarrassing breaches, the company wants to increase security through technology as well as user behavior and activities. What is the most effective means of reducing the risk of losing the data on a mobile device, such as a laptop computer?
A. Defining a strong logon password
B. Minimizing sensitive data stored on the mobile device
C. Using a cable lock
D. Encrypting the hard drive
19. B. The risk of a lost or stolen laptop is not the loss of the system itself but the loss of the data on the system, whether business related or personal. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard drive encryption, cable locks, and strong passwords, although good ideas, are preventive tools, not means of reducing risk. They don’t keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest. Hard drive encryption can be bypassed using the cold boot attack or by taking advantage of an encryption service flaw or configuration mistake. Cable locks can be cut or ripped out of the chassis. Strong passwords do not prevent the theft of a device, and password cracking and/or credential stuffing may be able to overcome the protection. If not, the drive could be extracted and connected to another system so that files can be accessed directly, bypassing the native OS.
1. Your organization is planning on building a new facility to house a majority of on-site workers. The current facility has had numerous security issues, such as loitering, theft, graffiti, and even a few physical altercations between employees and nonemployees. The CEO has asked you to assist in developing the facility plan to reduce these security concerns. While researching options you discover the concepts of CPTED. Which of the following is not one of its core strategies?
A. Natural territorial reinforcement
B. Natural access control
C. Natural training and enrichment
D. Natural surveillance
1. C. Natural training and enrichment is not a core strategy of CPTED. Crime Prevention Through Environmental Design (CPTED) has three main strategies: natural access control, natural surveillance, and natural territorial reinforcement. Natural access control is the subtle guidance of those entering and leaving a building through placement of entranceways, use of fences and bollards, and placement of lights. Natural surveillance is any means to make criminals feel uneasy through the increasing of opportunities for them to be observed. Natural territorial reinforcement is the attempt to make the area feel like an inclusive, caring community.
2. What method is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility?
A. Log file audit
B. Critical path analysis
C. Risk analysis
D. Taking inventory
2. B. Critical path analysis is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility. Log file audit can help detect violations to hold users accountable, but it is not a security facility design element. Risk analysis is often involved in facility design, but it is the evaluation of threats against assets in regard to rate of occurrence and levels of consequence. Taking inventory is an important part of facility and equipment management, but it is not an element in overall facility design.
3. Which of the following is a true statement in regard to security cameras? (Choose all that apply.)
A. Cameras should be positioned to watch exit and entry points allowing any change in authorization or access level.
B. Cameras are not needed around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways.
C. Cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways.
D. Security cameras should only be overt and obvious in order to provide a deterrent benefit.
E. Security cameras have a fixed area of view for recording.
F. Some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording.
G. Motion detection or sensing cameras can always distinguish between humans and animals.
3. A, C, F. The true statements are option A, cameras should be positioned to watch exit and entry points allowing any change in authorization or access level; option C, cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways; and option F, some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording. The remaining answer options are incorrect. The corrected statements for those options are: option B: Cameras should also be used to monitor activities around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways; option D: Security cameras can be overt and obvious in order to provide a deterrent benefit, or hidden and concealed in order to primarily provide a detective benefit; option E: Some cameras are fixed, whereas others support remote control of automated pan, tilt, and zoom (PTZ); option G: Simple motion recognition or motion-triggered cameras may be fooled by animals, birds, insects, weather, or foliage.
4. Your organization is planning on building a new primary headquarters in a new town. You have been asked to contribute to the design process, so you have been given copies of the proposed blueprints to review. Which of the following is not a security-focused design element of a facility or site?
A. Separation of work and visitor areas
B. Restricted access to areas with higher value or importance
C. Confidential assets located in the heart or center of a facility
D. Equal access to all locations within a facility
4. D. Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it. A secure facility should have a separation between work and visitor areas and should restrict access to areas with higher value or importance, and confidential assets should be located in the heart or center of a facility.
5. A recent security audit of your organization’s facilities has revealed a few items that need to be addressed. A few of them are related to your main data center. But you think at least one of the findings is a false positive. Which of the following does not need to be true in order to maintain the most efficient and secure server room?
A. It must be optimized for workers.
B. It must include the use of nonwater fire suppressants.
C. The humidity must be kept between 20 and 80 percent.
D. The temperature must be kept between 59 and 89.6 degrees Fahrenheit.
5. A. A computer room does not need to be optimized for human workers to be efficient and secure. A server room would be more secure with a nonwater fire suppressant system (it would protect against damage caused by water suppressant). A server room should have humidity maintained between 20 and 80 percent relative humidity and maintain a temperature between 59 and 89.6 degrees Fahrenheit.
6. A recent security policy update has restricted the use of portable storage devices when they are brought in from outside. As a compensation, a media storage management process has been implemented. Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media?
A. Employing a media librarian or custodian
B. Using a check-in/check-out process
C. Hashing
D. Using sanitization tools on returned media
6. C. Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, whereas data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a media librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.
7. The company’s server room has been updated with raised floors and MFA door locks. You want to ensure that the updated facility is able to maintain optimal operational efficiency. What is the ideal humidity range for a server room?
A. 20–40 percent
B. 20–80 percent
C. 80–89.6 percent
D. 70–95 percent
7. B. The humidity in a computer room should ideally be from 20 to 80 percent. Humidity above 80 percent can result in condensation, which causes corrosion. Humidity below 20 percent can result in increased static electricity buildup. However, this does require managing temperature properly as well. The other number ranges are not the relative humidity ranges recommended for a data center.
9. What is the best type of water-based fire suppression system for a computer facility?
A. Wet pipe system
B. Dry pipe system
C. Preaction system
D. Deluge system
9. C. A preaction system is the best type of water-based fire suppression system for a computer facility because it provides the opportunity to prevent the release of water in the event of a false alarm or false initial trigger. The other options of wet pipe, dry pipe, and deluge system use only a single trigger mechanism without the ability to prevent accidental water release.
8. You are mapping out the critical paths of network cables throughout the building. Which of the following items do you need to make sure to include and label on your master cabling map as part of crafting the cable plant management policy? (Choose all that apply.)
A. Access control vestibule
B. Entrance facility
C. Equipment room
D. Fire escapes
E. Backbone distribution system
F. Telecommunications room
G. UPSs
H. Horizontal distribution system
I. Loading dock
8. B, C, E, F, H. The primary elements of a cable plant management policy should include a mapping of the entrance facility (i.e., demarcation point), equipment room, backbone distribution system, telecommunications room, and horizontal distribution system. The other items are not elements of a cable plant. Thus, access control vestibule, fire escapes, UPSs, and the loading dock are not needed elements on a cable map.
10. Your company has a yearly fire detection and suppression system inspection performed by the local authorities. You start up a conversation with the lead inspector and they ask you, “What is the most common cause of a false positive for a water-based fire suppression system?” So, what do you answer?
A. Water shortage
B. People
C. Ionization detectors
D. Placement of detectors in drop ceilings
10. B. The most common cause of a false positive for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you’ll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office. Water shortage would be a problem, but it is not a cause for a false positive event. Ionization detectors are highly reliable, so they are usually not the cause of a false positive event. Detectors can be placed in drop ceilings in order to monitor that air space; this would only be a problem if another detector was not placed in the main area of the room. If there are only detectors in the drop ceiling, then that could result in a false negative event.
11. A data center has had repeated hardware failures. An auditor notices that systems are stacked together in dense groupings with no clear organization. What should be implemented to address this issue?
A. Visitor logs
B. Industrial camouflage
C. Gas-based fire suppression
D. Hot aisles and cold aisles
11. D. The cause of the hardware failures is implied by the lack of organization of the equipment, which is heat buildup. This could be addressed by better management of temperature and airflow, which would involve implementing hot aisles and cold aisles in the data center. A data center should have few if any actual visitors (such as outsiders), but anyone entering and leaving a data center should be tracked and recorded in a log. However, whether or not a visitor log is present has little to do with system failure due to poor heat management. Industrial camouflage is not relevant here since it is about hiding the purpose of a facility from outside observers. A gas-based fire suppression system is more appropriate for a data center than a water-based system, but neither would cause heat problems due to poor system organization.
12. Which of the following are benefits of a gas-based fire suppression system? (Choose all that apply.)
A. Can be deployed throughout a company facility
B. Will cause the least damage to computer systems
C. Extinguishes the fire by removing oxygen
D. May be able to extinguish the fire faster than a water discharge system
12. B, C, D. Benefits of gas-based fire suppression include causing the least damage to computer systems and extinguishing the fire quickly by removing oxygen. Also, gas-based fire suppression may be more effective and faster than a water-based system. A gas-based fire suppression system can only be used where human presence is at a minimum, since it removes oxygen from the air.
13. When designing physical security for an environment, it is important to focus on the functional order in which controls should be used. Which of the following is the correct order of the six common physical security control mechanisms?
A. Decide, Delay, Deny, Detect, Deter, Determine
B. Deter, Deny, Detect, Delay, Determine, Decide
C. Deny, Deter, Delay, Detect, Decide, Determine
D. Decide, Detect, Deny, Determine, Deter, Delay
13. B. The correct order of the six common physical security control mechanisms is Deter, Deny, Detect, Delay, Determine, Decide. The other options are incorrect.
14. Equipment failure is a common cause of a loss of availability. When deciding on strategies to maintain availability, it is often important to understand the criticality of each asset and business process as well as the organization’s capacity to weather adverse conditions. Match the term to the definition.
I. MTTF
II. MTTR
III. MTBF
IV. SLA
1. Clearly defines the response time a vendor will provide in the event of an equipment failure emergency
2. An estimation of the time between the first and any subsequent failures
3. The expected typical functional lifetime of the device given a specific operating environment
4. The average length of time required to perform a repair on the device
A. I - 1, II - 2, III - 4, IV - 3
B. I - 4, II - 3, III - 1, IV - 2
C. I - 3, II - 4, III - 2, IV - 1
D. I - 2, II - 1, III - 3, IV - 4
14. C. Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures. A service level agreement (SLA) clearly defines the response time a vendor will provide in the event of an equipment failure emergency.
15. You have been placed on the facility security planning team. You’ve been tasked to create a priority list of issues to address during the initial design phase. What is the most important goal of all security solutions?
A. Prevention of disclosure
B. Maintaining integrity
C. Human safety
D. Sustaining availability
15. C. Human safety is the most important goal of all security solutions. The top priority of security should always be the protection of the lives and safety of personnel. The protection of CIA (confidentiality, integrity, and availability) of company data and other assets is the second priority after human life and safety.
16. While reviewing the facility design blueprints, you notice several indications of a physical security mechanism being deployed directly into the building’s construction. Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication are verified?
A. Gate
B. Turnstile
C. Access control vestibule
D. Proximity detector
16. C. An access control vestibule is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication are verified. A gate is a doorway used to traverse through a fence line. A turnstile is an ingress or egress point that allows travel only in one direction and by one person at a time. A proximity detector determines whether a proximity device is nearby and whether the bearer is authorized to access the area being protected.
17. Due to a recent building intrusion, facility security has become a top priority. You are on the proposal committee that will be making recommendations on how to improve the organization’s physical security stance. What is the most common form of perimeter security devices or mechanisms?
A. Security guards
B. Fences
C. CCTV
D. Lighting
17. D. Lighting is often claimed to be the most commonly deployed physical security mechanism. However, lighting is only a deterrent and not a strong deterrent. It should not be used as the primary or sole protection mechanism except in areas with a low threat level. Your entire site, inside and out, should be well lit. This provides for easy identification of personnel and makes it easier to notice intrusions. Security guards are not as common as lighting, but they are more flexible in terms of security benefits. Fences are not as common as lighting, but they serve as a preventive control. CCTV is not as common as lighting but serves as a detection control.
18. Your organization has just landed a new contract for a major customer. This will involve increasing production operations at the primary facility, which will entail housing valuable digital and physical assets. You need to ensure that these new assets receive proper protections. Which of the following is not a disadvantage of using security guards?
A. Security guards are usually unaware of the scope of the operations within a facility.
B. Not all environments and facilities support security guards.
C. Not all security guards are themselves reliable.
D. Prescreening, bonding, and training do not guarantee effective and reliable security guards.
18. A. Security guards are usually unaware of the scope of the operations within a facility and are therefore not thoroughly equipped to know how to respond to every situation. Though this is considered a disadvantage, the lack of knowledge of the scope of the operations within a facility can also be considered an advantage because this supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information. Thus, even though this answer option is ambiguous, it is still better than the three other options. The other three options are disadvantages of security guards. Not all environments and facilities support security guards. This may be because of actual human incompatibility or the layout, design, location, and construction of the facility. Not all security guards are themselves reliable. Prescreening, bonding, and training do not guarantee that you won’t end up with an ineffective or unreliable security guard.
19. While designing the security plan for a proposed facility, you are informed that the budget was just reduced by 30 percent. However, they did not adjust or reduce the security requirements. What is the most common and inexpensive form of physical access control device for both interior and exterior use? A. Lighting B. Security guard C. Key locks D. Fences
19. C. Key locks are the most common and inexpensive form of physical access control device for both interior and exterior use. Lighting, security guards, and fences are all much more costly. Fences are also mostly used outdoors.
20. While implementing a motion detection system to monitor unauthorized access into a secured area of the building, you realize that the current infrared detectors are causing numerous false positives. You need to replace them with another option. What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object? A. Wave B. Photoelectric C. Heat D. Capacitance
20. D. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object. A wave pattern motion detector transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern. A photoelectric motion detector senses changes in visible light levels for the monitored area. Photoelectric motion detectors are usually deployed in internal rooms that have no windows and are kept dark. An infrared PIR (passive infrared) or heat-based motion detector monitors for significant or meaningful changes in the heat levels and patterns in a monitored area.
1. Dorothy is using a network sniffer to evaluate network connections. She focuses on the initialization of a TCP session. What is the first phase of the TCP three-way handshake sequence? A. SYN flagged packet B. ACK flagged packet C. FIN flagged packet D. SYN/ACK flagged packet
1. A. The SYN flagged packet is first sent from the initiating host to the destination host; thus it is the first step or phase in the TCP three-way handshake sequence used to establish a TCP session. The destination host then responds with a SYN/ACK flagged packet; this is the second step or phase of the TCP three-way handshake sequence. The initiating host sends an ACK flagged packet, and the connection is then established (the final or third step or phase). The FIN flag is used to gracefully shut down an established session.
2. UDP is a connectionless protocol that operates at the Transport layer of the OSI model and uses ports to manage simultaneous connections. Which of the following terms is also related to UDP? A. Bits B. Logical addressing C. Data reformatting D. Simplex
2. D. UDP is a simplex protocol at the Transport layer (layer 4 of the OSI model). Bits is associated with the Physical layer (layer 1). Logical addressing is associated with the Network layer (layer 3). Data reformatting is associated with the Presentation layer (layer 6).
3. Which of the following is a means for IPv6 and IPv4 to be able to coexist on the same network? (Choose all that apply.) A. Dual stack B. Tunneling C. IPsec D. NAT-PT E. IP sideloading
3. A, B, D. The means by which IPv6 and IPv4 can coexist on the same network is to use one or more of three primary options: dual stack, tunneling, or NAT-PT. Dual stack is to have most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC-2766) can be used to convert between IPv4 and IPv6 network segments similar to how NAT converts between internal and external addresses. IPsec is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6, but it does not enable the use of both IPv4 and IPv6 on the same system (although it doesn’t prevent it either). IP sideloading is not a real concept.
6. A new VoIP system is being deployed at a government contractor organization. They require high availability of five nines of uptime for the voice communication system. They are also concerned about introducing new vulnerabilities into their existing data network structure. The IT infrastructure is based on fiber optics and supports over 1 Gbps to each device; the network often reaches near full saturation on a regular basis. What option will provide the best outcome of performance, availability, and security for the VoIP service? A. Create a new VLAN on the existing IT network for the VoIP service. B. Replace the current switches with routers and increase the interface speed to 1,000 Mbps. C. Implement a new, separate network for the VoIP system. D. Deploy flood guard protections on the IT network.
6. C. In this scenario, the only viable option to provide performance, availability, and security for the VoIP service is to implement a new, separate network for the VoIP system that is independent of the existing data network. The current data network is already at capacity, so creating a new VLAN will not provide sufficient insurance that the VoIP service will be highly available. Replacing switches with routers is usually not a valid strategy for increasing network capacity, and 1,000 Mbps is the same as 1 Gbps. Flood guards are useful against DoS and some transmission errors (such as Ethernet floods or broadcast storms), but they do not add more capacity to a network or provide reliable uptime for a VoIP service.
4. Security configuration guidelines issued by your CISO require that all HTTP communications be secure when communicating with internal web services. Which of the following is true in regards to using TLS? (Choose all that apply.) A. Allows for use of TCP port 443 B. Prevents tampering, spoofing, and eavesdropping C. Requires two-way authentication D. Is backward compatible with SSL sessions E. Can be used as a VPN solution
4. A, B, E. TLS allows for use of TCP port 443; prevents tampering, spoofing, and eavesdropping; and can be used as a VPN solution. The other answers are incorrect. TLS supports both one-way and two-way authentication. TLS and SSL are not interoperable or backward compatible.
5. Your network supports TCP/IP. TCP/IP is a multilayer protocol. It is primarily based on IPv4, but the organization is planning on deploying IPv6 within the next year. What is both a benefit and a potentially harmful implication of multilayer protocols? A. Throughput B. Encapsulation C. Hash integrity checking D. Logical addressing
5. B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. Encapsulation allows for encryption, flexibility, and resiliency, while also enabling covert channels, filter bypass, and overstepping network segmentation boundaries. Throughput is the capability of moving data across or through a network; this is not an implication of multilayer protocols. Hash integrity checking is a common benefit of multilayer protocols because most layers include a hash function in their header or footer. Logical addressing is a benefit of multilayer protocols; this avoids the restriction of using only physical addressing.
7. Microsegmentation is dividing up an internal network in numerous subzones, potentially as small as a single device, such as a high-value server or even a client or endpoint device. Which of the following is true in regard to microsegmentation? (Choose all that apply.) A. It is the assignment of the cores of a CPU to perform different tasks. B. It can be implemented using ISFWs. C. Transactions between zones are filtered. D. It supports edge and fog computing management. E. It can be implemented with virtual systems and virtual networks.
7. B, C, E. Microsegmentation can be implemented using internal segmentation firewalls (ISFWs), transactions between zones are filtered, and it can be implemented with virtual systems and virtual networks. Affinity or preference is the assignment of the cores of a CPU to perform different tasks. Microsegmentation is not related to edge and fog computing management.
8. A new startup company is designing a sensor that needs to connect wirelessly to a PC or IoT hub in order to transmit its gathered data to a local application or cloud service for data analysis. The company wants to ensure that all transferred data from the device cannot be disclosed to unauthorized entities. The device is also intended to be located within 1 meter of the PC or IoT hub it communicates with. Which of the following concepts is the best choice for this device? A. Zigbee B. Bluetooth C. FCoE D. 5G
8. A. The device in this scenario would benefit from the use of Zigbee. Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption and a low throughput rate, and it requires close proximity of devices. Zigbee communications are encrypted using a 128-bit symmetric algorithm. Bluetooth is not a good option since it is usually plaintext. Bluetooth Low Energy (BLE) might be a viable option if custom encryption was added. Fibre Channel over Ethernet (FCoE) is not a wireless technology or an IoT technology—it is a high-speed fiber optic–based storage technology. 5G is the latest mobile service technology that is available for use on mobile phones, tablets, and other equipment. Though many IoT devices may support and use 5G, it is mostly used to provide direct access to the internet rather than as a link to a local short-distance device, such as a PC or IoT hub.
10. A new startup company needs to optimize delivery of high-definition media content to its customers. They are planning the deployment of resource service hosts in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. What technology is likely being implemented? A. VPN B. CDN C. SDN D. CCMP
10. B. A content distribution network (CDN), or content delivery network, is a collection of resource service hosts deployed in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. VPNs are used to transport communications over an intermediary medium through the means of encapsulation (i.e., tunneling), authentication, and encryption. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Counter-Mode/CBC-MAC Protocol) is the combination of two block cipher modes to enable streaming by a block algorithm.
9. James has been hired to be a traveling repair technician. He will be visiting customers all over the country in order to provide support services. He has been issued a portable workstation with 4G and 5G data service. What are some concerns when using this capability? (Choose all that apply.) A. Eavesdropping B. Rogue towers C. Data speed limitations D. Reliability of establishing a connection E. Compatibility with cloud services F. Unable to perform duplex communications
9. A, B, D. Cellular services, such as 4G and 5G, raise numerous security and operational concerns. Although cellular service is encrypted from device to tower, there is a risk of being fooled by a false or rogue tower. A rogue tower could offer only plaintext connections, but even if it supported encrypted transactions, the encryption only applies to the radio transmissions between the device and the tower. Once the communication is on the tower, it will be decrypted, allowing for eavesdropping and content manipulation. Even without a rogue tower, eavesdropping can occur across the cellular carrier’s interior network as well as across the internet, unless a VPN link is established between the remote mobile device and the network of the organization James works for. Being able to establish a connection can be unreliable depending on exactly where James’s travel takes him. 3G, 4G, and 5G coverage is not 100 percent available everywhere. 5G coverage is the most limited since it is the latest technology and still not universally deployed, and each 5G tower covers less area than a 4G tower. If James is able to establish a connection, 4G and 5G speeds should be sufficient for most remote technician activities, since 4G supports 100 Mbps for mobile devices and 5G supports up to 10 Gbps. If connectivity is established, there should be no issues with cloud interaction or duplex conversations.
11. Which of the following is a true statement about ARP poisoning or MAC spoofing? A. MAC spoofing is used to overload the memory of a switch. B. ARP poisoning is used to falsify the physical address of a system to impersonate that of another authorized device. C. MAC spoofing relies on ICMP communications to traverse routers. D. ARP poisoning can use unsolicited or gratuitous replies.
11. D. The true statement is: ARP poisoning can use unsolicited or gratuitous replies—specifically, ARP replies for which the local device did not transmit an ARP broadcast request. Many systems accept all ARP replies regardless of who requested them. The other statements are false. The correct versions of those statements would be: (A) MAC flooding is used to overload the memory of a switch, specifically the CAM table stored in switch memory; once the table is filled with bogus entries, the switch functions only in flooding mode. (B) MAC spoofing is used to falsify the physical address of a system to impersonate that of another authorized device. ARP poisoning associates an IP address with the wrong MAC address. (C) MAC spoofing relies on plaintext Ethernet headers to initially gather valid MAC addresses of legitimate network devices. ICMP crosses routers because it is carried as the payload of an IP packet.
12. An organization stores group project data files on a central SAN. Many projects have numerous files in common but are organized into separate project containers. A member of the incident response team is attempting to recover files from the SAN after a malware infection. However, many files are unable to be recovered. What is the most likely cause of this issue? A. Using Fibre Channel B. Performing real-time backups C. Using file encryption D. Deduplication
12. D. The most likely cause of the inability to recover files from the SAN in this scenario is deduplication. Deduplication replaces multiple copies of a file with a pointer to one copy. If the one remaining file is damaged, then all of the linked copies are damaged or inaccessible as well. File encryption could be an issue, but the scenario mentions that groups of people work on projects and typically file encryption is employed by individuals, not by groups. Wholedrive encryption would be more appropriate for group-accessed files as well as for a SAN in general. This issue is not related to what SAN technology is used, such as Fibre Channel. This problem might be solvable by restoring files from a backup, whether real-time or not, but the loss of files is not caused by performing backups.
13. Jim was tricked into clicking on a malicious link contained in a spam email message. This caused malware to be installed on his system. The malware initiated a MAC flooding attack. Soon, Jim’s system and everyone else’s in the same local network began to receive all transmissions from all other members of the network as well as communications from other parts of the next-to-local members. The malware took advantage of what condition in the network? A. Social engineering B. Network segmentation C. ARP queries D. Weak switch configuration
13. D. In this scenario, the malware is performing a MAC flooding attack, which causes the switch to get stuck in flooding mode. This has taken advantage of the condition that the switch had weak configuration settings. The switch should have MAC limiting enabled in order to prevent MAC flooding attacks from being successful. Although Jim was initially fooled by a social engineering email, the question asked about the malware’s activity. A MAC flooding attack is limited by network segmentation to the local switch, but the malware took advantage of weak or poor configuration on the switch and was still successful. MAC flooding is blocked by routers from crossing between switched network segments. The malware did not use ARP queries in its attack. ARP queries can be abused in an ARP poisoning attack, but that was not described in this scenario.
14. A ______________ is an intelligent hub because it knows the hardware addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist. A. Repeater B. Switch C. Bridge D. Router
14. B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port. Repeaters are used to strengthen the communication signal over a cable segment as well as connect network segments that use the same protocol. A bridge is used to connect two networks together—even networks of different topologies, cabling types, and speeds—in order to connect network segments that use the same protocol. Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. Routers manage traffic based on logical IP addressing.
16. An organization wants to use a wireless network internally, but they do not want any possibility of external access or detection. What security tool should be used? A. Air gap B. Faraday cage C. Biometric authentication D. Screen filters
16. B. A Faraday cage is an enclosure that blocks or absorbs electromagnetic fields or signals. Faraday cage containers, computer cases, rack-mount systems, rooms, or even building materials are used to create a blockage against the transmission of data, information, metadata, or other emanations from computers and other electronics. Devices inside a Faraday cage can use EM fields for communications, such as wireless or Bluetooth, but devices outside of the cage will not be able to eavesdrop on the signals of the systems within the cage. Air gaps do not contain or restrict wireless communications—in fact, for an air gap to be effective, wireless cannot even be available. Biometric authentication has nothing to do with controlling radio signals. Screen filters reduce shoulder surfing but do not address radio signals.
15. What type of security zone can be positioned so that it operates as a buffer between the secured private network and the internet and can host publicly accessible services? A. Honeypot B. Screened subnet C. Extranet D. Intranet
15. B. A screened subnet is a type of security zone that can be positioned so that it operates as a buffer network between the secured private network and the internet and can host publicly accessible services. A honeypot is a false network used to trap intruders; it isn’t used to host public services. An extranet is for limited outside partner access, not public. An intranet is the private secured network.
17. Neo is the security manager for the southern division of the company. He thinks that deploying a NAC will assist in improving network security. However, he needs to convince the CISO of this at a presentation next week. Which of the following are goals of NAC that Neo should highlight? (Choose all that apply.) A. Reduce social engineering threats B. Detect rogue devices C. Map internal private addresses to external public addresses D. Distribute IP address configurations E. Reduce zero-day attacks F. Confirm compliance with updates and security settings
17. B, E, F. Network access control (NAC) involves controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to detect/block rogue devices, prevent or reduce zero-day attacks, confirm compliance with updates and security settings, enforce security policy throughout the network, and use identities to perform access control. NAC does not address social engineering, mapping IP addresses, or distributing IP addresses—those are handled by training, NAT, and DHCP, respectively.
18. The CISO wants to improve the organization’s ability to manage and prevent malware infections. Some of her goals are to (1) detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users, (2) collect event information and report it to a central ML analysis engine, and (3) detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs. The solution needs to be able to reduce response and remediation time, reduce false positives, and manage multiple threats simultaneously. What solution is the CISO wanting to implement? A. EDR B. NGFW C. WAF D. XSRF
18. A. Endpoint detection and response (EDR) is a security mechanism that is an evolution of traditional antimalware products. EDR seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users. It is a natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface. Some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution. The goal of EDR is to detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors. A next-generation firewall (NGFW) is a unified threat management (UTM) device that is based on a traditional firewall with numerous other integrated network and security services and is thus not the security solution needed in this scenario. A web application firewall (WAF) is an appliance, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and is not the security solution needed in this scenario. Cross-site request forgery (XSRF) is an attack against web-based services, not a malware defense.
19. A(n) _________________ firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software. A. Application-level B. Stateful inspection C. Circuit-level D. Static packet filtering
19. A. An application-level firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software. Stateful inspection firewalls make access control decisions based on the content and context of communications, but are not typically limited to a single application-layer protocol. Circuit-level firewalls are able to make permit and deny decisions in regard to circuit establishment either based on simple rules for IP and port, using captive portals, requiring port authentication via 802.1X, or more complex elements such as context- or attribute-based access control. Static packet-filtering firewalls filter traffic by examining data from a message header. Usually, the rules are concerned with source and destination IP address (layer 3) and port numbers (layer 4).
20. Which of the following is true regarding appliance firewalls? (Choose all that apply.) A. They are able to log traffic information. B. They are able to block new phishing scams. C. They are able to issue alarms based on suspected attacks. D. They are unable to prevent internal attacks.
20. A, C, D. Most appliance (i.e., hardware) firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms/alerts and even basic IDS functions. It is also true that firewalls are unable to prevent internal attacks that do not cross the firewall. Firewalls are unable to block new phishing scams. Firewalls could block a phishing scam’s URL if it was already on a block list, but a new scam likely uses a new URL that is not yet known to be malicious.
1. Among the many aspects of a security solution, the most important is whether it addresses a specific need (i.e., a threat) for your assets. But there are many other aspects of security you should consider as well. A significant benefit of a security control is when it goes unnoticed by users. What is this called? A. Invisibility B. Transparency C. Diversion D. Hiding in plain sight
1. B. When transparency is a characteristic of a service, security control, or access mechanism, it is unseen by users. Invisibility is not the proper term for a security control that goes unnoticed by valid users. Invisibility is sometimes used to describe a feature of a rootkit, which attempts to hide itself and other files or processes. Diversion is a feature of a honeypot but not of a typical security control. Hiding in plain sight is not a security concept; it is a mistake on the part of the observer not to notice something that they should notice. This is not the same concept as camouflage, which is when an object or subject attempts to blend into the surroundings.
2. Extensible Authentication Protocol (EAP) is one of the three authentication options provided by Point-to-Point Protocol (PPP). EAP allows customized authentication security solutions. Which of the following are examples of actual EAP methods? (Choose all that apply.) A. LEAP B. EAP-VPN C. PEAP D. EAP-SIM E. EAP-FAST F. EAP-MBL G. EAP-MD5 H. VEAP I. EAP-POTP J. EAP-TLS K. EAP-TTLS
2. A, C, D, E, G, I, J, K. More than 40 EAP methods have been defined, including LEAP, PEAP, EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, and EAP-TTLS. The other options are not valid EAP methods.
3. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse? A. Encrypting communications B. Changing default passwords C. Using transmission logs D. Taping and archiving all conversations
3. B. Changing default passwords on PBX systems provides the most effective increase in security. PBX systems typically do not support encryption, although some VoIP PBX systems may support encryption in specific conditions. PBX transmission logs may provide a record of fraud and abuse, but they are not a preventive measure to stop it from happening. Taping and archiving all conversations is also a detective measure rather than a preventive one against fraud and abuse.
5. Multimedia collaboration is the use of various multimedia-supporting communication solutions to enhance distance collaboration (people working on a project together remotely). Often, collaboration allows workers to work simultaneously as well as across different time frames. Which of the following are important security mechanisms to impose on multimedia collaboration tools? (Choose all that apply.) A. Encryption of communications B. Multifactor authentication C. Customization of avatars and filters D. Logging of events and activities
5. A, B, D. It is important to verify that multimedia collaboration connections are encrypted, that robust multifactor authentication is in use, and that tracking and logging of events and activities is available for the hosting organization to review. Customization of avatars and filters is not a security concern.
4. A phreaker has been apprehended who had been exploiting the technology deployed in your office building. Several handcrafted tools and electronics were taken in as evidence that the phreaker had in their possession when they were arrested. What was this adversary likely focusing on with their attempts to compromise the organization? A. Accounting B. NAT C. PBX D. Wi-Fi
4. C. Malicious attackers known as phreakers abuse phone systems in much the same way that attackers abuse computer networks. In this scenario, they were most likely focused on the PBX. Private branch exchange (PBX) is a telephone switching or exchange system deployed in private organizations in order to enable multistation use of a small number of external PSTN lines. Phreakers generally do not focus on accounting (that would be an invoice scam), NAT (that would be a network intrusion attack), or Wi-Fi (another type of network intrusion attack).
6. Michael is configuring a new web server to offer instruction manuals and specification sheets to customers. The web server has been positioned in the screened subnet and assigned an IP address of 172.31.201.17, and the public side of the company’s split-DNS has associated the documents.myexamplecompany.com domain name with the assigned IP. After verifying that the website is accessible from his management station (which accesses the screened subnet via a jumpbox) as well as from several worker desktop systems, he declares the project completed and heads home. A few hours later, Michael thinks of a few additional modifications to perform to improve site navigation. However, when he attempts to connect to the new website using the FQDN, he receives a connection error stating that the site cannot be reached. What is the reason for this issue? A. The jumpbox was not rebooted. B. Split-DNS does not support internet domain name resolution. C. The browser is not compatible with the site’s coding. D. A private IP address from RFC 1918 is assigned to the web server.
6. D. The issue in this scenario is that a private IP address from RFC 1918 is assigned to the web server. RFC 1918 addresses are not internet routable or accessible because they are reserved for private or internal use only. So, even with the domain name linked to the address, any attempt to access it from an internet location will fail. Local access via jumpbox or LAN system likely uses an address in the same private IP address range and has no issues locally. The issue of the scenario (i.e., being unable to access a website using its FQDN) could be resolved by either using a public IP address or implementing static NAT on the screened subnet’s boundary firewall. The jumpbox would not prevent access to the website regardless of whether it was rebooted, in active use, or turned off. That would only affect Michael’s use of it from his desktop workstation. Split-DNS does support internet-based domain name resolution; it separates internal-only domain information from external domain information. A web browser should be compatible with the coding of most websites. Since there was no mention of custom coding and the site was intended for public use, it is probably using standard web technologies. Also, since Michael’s workstation and several worker desktops could access the website, the problem is probably not related to the browser.
7. Mark is configuring the remote access server to receive inbound connections from remote workers. He is following a configuration checklist to ensure that the telecommuting links are compliant with company security policy. What authentication protocol offers no encryption or protection for logon credentials? A. PAP B. CHAP C. EAP D. RADIUS
7. A. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It provides a means to transport the logon credentials from the client to the authentication server. CHAP protects the password by never sending it across the network; it is used in computing a response along with a random challenge number issued by the server. EAP offers some means of authentication that protects and/or encrypts credentials, but not all of the options do. RADIUS supports a range of options to protect and encrypt logon credentials.
8. Some standalone automated data-gathering tools use search engines in their operation. They are able to accomplish this by automatically interacting with the human-interface web portal interface. What enables this capability? A. Remote control B. Virtual desktops C. Remote node operation D. Screen scraping
8. D. Screen scraping is a technology that allows an automated tool to interact with a human interface. Remote-control remote access grants a remote user the ability to fully control another system that is physically distant from them. Virtual desktops are a form of screen scraping in which the screen on the target machine is scraped and shown to the remote operator, but this is not related to automated tool interaction of human interfaces. Remote node operation is just another name for when a remote client establishes a direct connection to a LAN, such as with wireless, VPN, or dial-up connectivity.
9. While evaluating network traffic, you discover several addresses that you are not familiar with. Several of the addresses are in the range of addresses assigned to internal network segments. Which of the following IP addresses are private IPv4 addresses as defined by RFC 1918? (Choose all that apply.) A. 10.0.0.18 B. 169.254.1.119 C. 172.31.8.204 D. 192.168.6.43
9. A, C, D. The addresses in RFC 1918 are 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. Therefore, 10.0.0.18, 172.31.8.204, and 192.168.6.43 are private IPv4 addresses. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918.
10. The CISO has requested a report on the potential communication partners throughout the company. There is a plan to implement VPNs between all network segments in order to improve security against eavesdropping and data manipulation. Which of the following cannot be linked over a VPN? A. Two distant internet-connected LANs B. Two systems on the same LAN C. A system connected to the internet and a LAN connected to the internet D. Two systems without an intermediary network connection
10. D. An intermediary network connection is required for a VPN link to be established. A VPN can be established between devices over the internet, between devices over a LAN, or between a system on the internet and a LAN.
11. What networking device can be used to create digital virtual network segments that can be altered as needed by adjusting the settings internal to the device? A. Router B. Switch C. Proxy D. Firewall
11. B. A switch is a networking device that can be used to create digital virtual network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device. A router connects disparate networks (i.e., subnets) rather than creating network segments. Subnets are created by IP address and subnet mask assignment. Proxy and firewall devices do not create digital virtual network segments, but they may be positioned between network segments to control and manage traffic.
14. ______________ is the oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability. A. VPN B. QoS C. SDN D. Sniffing
14. B. Quality of service (QoS) is the oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability. A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted network. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Sniffing captures network packets for analysis. QoS uses sniffing, but sniffing itself is not QoS.
12. The CISO is concerned that the use of subnets as the only form of network segments is limiting growth and flexibility of the network. They are considering the implementation of switches to support VLANs but aren’t sure VLANs are the best option. Which of the following is not a benefit of VLANs? A. Traffic isolation B. Data/traffic encryption C. Traffic management D. Reduced vulnerability to sniffers
12. B. VLANs do not impose encryption on data or traffic. Encrypted traffic can occur within a VLAN, but encryption is not imposed by the VLAN. VLANs do provide traffic isolation, traffic management and control, and a reduced vulnerability to sniffers.
13. The CISO has tasked you to design and implement an IT port security strategy. While researching the options, you realize there are several potential concepts that are labeled as port security. You prepare a report to present options to the CISO. Which of the following are port security concepts you should include on this report? (Choose all that apply.) A. Shipping container storage B. NAC C. Transport layer D. RJ-45 jacks
13. B, C, D. Port security can refer to several concepts, including network access control (NAC), Transport layer ports, and RJ-45 jack ports. NAC requires authentication before devices can communicate on the network. Transport-layer port security involves using firewalls to grant or deny communications to TCP and UDP ports. RJ-45 jacks should be managed so that unused ports are disabled and that when a cable is disconnected, the port is disabled. This approach prevents the connection of unauthorized devices. Shipping container storage relates to shipping ports, which is a type of port that is not specifically related to IT or typically managed by a CISO.
15. You are configuring a VPN to provide secure communications between systems. You want to minimize the information left in plaintext by the encryption mechanism of the chosen solution. Which IPsec mode provides for encryption of complete packets, including header information? A. Transport B. Encapsulating Security Payload C. Authentication Header D. Tunnel
15. D. When IPsec is used in tunnel mode, entire packets, rather than just the payload, are encrypted. Transport mode only encrypts the original payload, not the original header. Encapsulating Security Payload (ESP) is the encrypter of IPsec, not the mode of VPN connection. Authentication Header (AH) is the primary authentication mechanism of IPsec.
16. Internet Protocol Security (IPsec) is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6. What IPsec component provides assurances of message integrity and nonrepudiation? A. Authentication Header B. Encapsulating Security Payload C. IP Payload Compression protocol D. Internet Key Exchange
16. A. Authentication Header (AH) provides assurances of message integrity and nonrepudiation. Encapsulating Security Payload (ESP) provides confidentiality and integrity of payload contents. ESP also provides encryption, offers limited authentication, and prevents replay attacks. IP Payload Compression (IPComp) is a compression tool used by IPsec to compress data prior to ESP encrypting it in order to attempt to keep up with wire speed transmission. Internet Key Exchange (IKE) is the mechanism of IPsec that manages cryptography keys and is composed of three elements: OAKLEY, SKEME, and ISAKMP.
17. When you’re designing a security system for internet-delivered email, which of the following is least important? A. Nonrepudiation B. Data remanent destruction C. Message integrity D. Access restriction
17. B. Data remanent destruction is a security concern related to storage technologies more so than an email solution. Essential email concepts, which local systems can enforce and protect, include nonrepudiation, message integrity, and access restrictions.
18. You have been tasked with crafting the organization’s email retention policy. Which of the following is typically not an element that must be discussed with end users in regard to email retention policies? A. Privacy B. Auditor review C. Length of retainer D. Backup method
18. D. The backup method is not an important factor to discuss with end users regarding email retention. The details of an email retention policy may need to be shared with affected subjects, which may include privacy implications, how long the messages are maintained (i.e., length of retainer), and for what purposes the messages can be used (such as auditing or violation investigations).
19. Modern networks are built on multilayer protocols, such as TCP/IP. This provides for flexibility and resiliency in complex network structures. All of the following are implications of multilayer protocols except which one? A. VLAN hopping B. Multiple encapsulation C. Filter evasion using tunneling D. Static IP addressing
19. D. Static IP addressing is not an implication of multilayer protocols; it is a feature of the IP protocol when an address is defined on the local system rather than being dynamically assigned by DHCP. Multilayer protocols include the risk of VLAN hopping, multiple encapsulation, and filter evasion using tunneling.
20. Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A. SDN B. PVC C. VPN D. SVC
20. B. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data. Software-defined networking (SDN) is a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (hardware and hardware-based settings) from the control layer (network services of data transmission management). A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted network. A switched virtual circuit (SVC) has to be created each time it is needed using the best paths currently available before it can be used and then disassembled after the transmission is complete.
1. Which of the following best describes an implicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above.
1. B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.
2. A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege
2. B. An access control matrix includes multiple objects and subjects. It identifies access granted to subjects (such as users) to objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refers to excessive privileges a subject gathers over time.
3. You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement? A. Mandatory Access Control (MAC) model B. Discretionary Access Control (DAC) model C. Role-Based Access Control (RBAC) model D. Rule-based access control model
3. B. A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.
4. Which of the following access control models allows the owner of data to modify permissions? A. Discretionary Access Control (DAC) B. Mandatory Access Control (MAC) C. Rule-based access control D. Risk-based access control
4. A. The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user’s need to know and organization policies. A rule-based access control model uses rules to grant or block access. A risk-based access control model examines the environment, the situation, and policies coded in software to determine access.
5. A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this? A. DAC model B. An access control list (ACL) C. Rule-based access control model D. RBAC model
5. D. A role-based access control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.
6. Which of the following statements is true related to the RBAC model? A. A RBAC model allows users membership in multiple groups. B. A RBAC model allows users membership in a single group. C. A RBAC model is nonhierarchical. D. A RBAC model uses labels.
6. A. The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.
7. You are reviewing different access control models. Which of the following best describes a rule-based access control model? A. It uses local rules applied to users individually. B. It uses global rules applied to users individually. C. It uses local rules applied to all users equally. D. It uses global rules applied to all users equally.
7. D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.
8. Your organization is considering deploying a software-defined network (SDN) in the data center. Which of the following access control models is commonly used in a SDN? A. Mandatory Access Control (MAC) model B. Attribute-Based Access Control (ABAC) model C. Role-Based Access Control (RBAC) model D. Discretionary Access Control (DAC) model
8. B. The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.
9. The MAC model supports different environment types. Which of the following grants users access using predefined labels for specific labels? A. Compartmentalized environment B. Hierarchical environment C. Centralized environment D. Hybrid environment
9. B. In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn’t use a centralized environment.
10. Which of the following access control models identifies the upper and lower bounds of access for subjects with labels? A. Nondiscretionary access control B. Mandatory Access Control (MAC) C. Discretionary Access Control (DAC) D. Attribute-Based Access Control (ABAC)
10. B. The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels. DAC and ABAC models do not use labels.
11. Which of the following access control models uses labels and is commonly referred to as a lattice-based model? A. DAC B. Nondiscretionary C. MAC D. RBAC
11. C. Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.
12. Management wants users to use multifactor authentication any time they access cloud-based resources. Which of the following access control models can meet this requirement? A. Risk-based access control B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Discretionary Access Control (DAC)
12. A. A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.
13. Which of the following access control models determines access based on the environment and the situation? A. Risk-based access control B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Attribute-Based Access Control (ABAC)
13. A. A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).
14. A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology? A. OIDC B. OAuth C. SAML D. OpenID
14. A. OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn’t include profile information.
15. Some users in your network are having problems authenticating with a Kerberos server. While troubleshooting the problem, you verified you can log on to your regular work computer. However, you are unable to log on to the user’s computer with your credentials. Which of the following is most likely to solve this problem? A. Advanced Encryption Standard (AES) B. Network Access Control (NAC) C. Security Assertion Markup Language (SAML) D. Network Time Protocol (NTP)
15. D. Configuring a central computer to synchronize its time with an external NTP server, and all other systems to synchronize their time with that central computer, will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within 5 minutes of each other, and the scenario, along with the available answers, suggests the user’s computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because a user successfully logs on to one computer, it indicates Kerberos is working, and AES is installed. NAC checks a system’s health after the user authenticates. NAC doesn’t prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn’t require SAML.
16. Your organization has a large network supporting thousands of employees, and it utilizes Kerberos. Of the following choices, what is the primary purpose of Kerberos? A. Confidentiality B. Integrity C. Authentication D. Accountability
16. C. The primary purpose of Kerberos is authentication, since it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.
17. What is the function of the network access server within a RADIUS architecture? A. Authentication server B. Client C. AAA server D. Firewall
17. B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.
18. Larry manages a Linux server. Occasionally, he needs to run commands that require root level privileges. Management wants to ensure that an attacker cannot run these commands if the attacker compromises Larry’s account. Which of the following is the best choice? A. Grant Larry sudo access. B. Give Larry the root password. C. Add Larry’s account to the administrator’s group. D. Add Larry’s account to the LocalSystem account.
18. B. The best choice is to give the administrator the root password. The administrator would enter it manually when running commands that need elevated privileges by running the su command. If the user is granted sudo access, it would allow the user to run commands requiring root-level privileges, under the context of the user account. If an attacker compromised the user account, the attacker could run the elevated commands with sudo. Linux systems don’t have an administrator group or a LocalSystem account.
19. An attacker used a tool to exploit a weakness in NTLM. They identified an administrator’s user account. Although the attacker didn’t discover the administrator’s password, they did access remote systems by impersonating the administrator. Which of the following best identifies this attack? A. Pass the ticket B. Golden ticket C. Rainbow table D. Pass the hash
19. D. NTLM is known to be susceptible to pass-the-hash attacks, and this scenario describes a pass-the-hash attack. Kerberos attacks attempt to manipulate tickets, such as in pass-the-ticket and golden ticket attacks, but these are not NTLM attacks. A rainbow table attack uses a rainbow table in an offline brute-force attack.
20. Your organization recently suffered a major data breach. After an investigation, security analysts discovered that attackers were using golden tickets to access network resources. Which of the following did the attackers exploit? A. RADIUS B. SAML C. Kerberos D. OIDC
20. C. Attackers can create golden tickets after successfully exploiting Kerberos and obtaining the Kerberos service account (KRBTGT). Golden tickets are not associated with Remote Authentication Dial-in User Service (RADIUS), Security Assertion Markup Language (SAML), or OpenID Connect (OIDC).
1. Which one of the following tools is used primarily to perform network discovery scans? A. Nmap B. OpenVAS C. Metasploit Framework D. lsof
1. A. Nmap is a network discovery scanning tool that reports the open ports on a remote system and the firewall status of those ports. OpenVAS is a network vulnerability scanning tool. Metasploit Framework is an exploitation framework used in penetration testing. lsof is a Linux command used to list open files on a system.
2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker’s perspective on the scan. Which one of the following results is the greatest cause for alarm? A. 80/open B. 22/filtered C. 443/open D. 1433/open
2. D. Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network. Port 22 is used for the Secure Shell protocol (SSH), and the filtered status indicates that nmap can’t determine whether it is open or closed. This situation does require further investigation, but it is not as alarming as a definitely exposed database server port.
4. Which one of the following is not normally included in a security assessment? A. Vulnerability scan B. Risk assessment C. Mitigation of vulnerabilities D. Threat assessment
4. C. Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.
3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system? A. Sensitivity of the information stored on the system B. Difficulty of performing the test C. Desire to experiment with new testing tools D. Desirability of the system to attackers
3. C. The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.
5. Who is the intended audience for a security assessment report? A. Management B. Security auditor C. Security professional D. Customers
5. A. Security assessment reports should be addressed to the organization’s management. For this reason, they should be written in plain English and avoid technical jargon.
6. Wendy is considering the use of a vulnerability scanner in her organization. What is the proper role of a vulnerability scanner? A. They actively scan for intrusion attempts. B. They serve as a form of enticement. C. They locate known security holes. D. They automatically reconfigure a system to a more secured state.
6. C. Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports and make recommendations.
7. Alan ran an nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server’s purpose and the identity of the server’s operator? A. SSH B. Web browser C. Telnet D. Ping
7. B. The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site’s purpose.
8. What port is typically used to accept administrative connections using the SSH utility? A. 20 B. 22 C. 25 D. 80
8. B. The SSH protocol uses port 22 to accept administrative connections to a server.
9. Which one of the following tests provides the most accurate and detailed information about the security state of a server? A. Unauthenticated scan B. Port scan C. Half-open scan D. Authenticated scan
9. D. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.
10. What type of network discovery scan only uses the first two steps of the TCP handshake? A. TCP connect scan B. Xmas scan C. TCP SYN scan D. TCP ACK scan
10. C. The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.
11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task? A. Port scanner B. Network vulnerability scanner C. Network discovery scanner D. Web vulnerability scanner
11. D. SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.
12. Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application? A. Only if the application changes B. At least monthly C. At least annually D. There is no rescanning requirement.
12. C. PCI DSS requires that Badin rescan the application at least annually and after any change in the application.
13. Grace is performing a penetration test against a client’s network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs? A. nmap B. Metasploit Framework C. OpenVAS D. Nikto
13. B. Metasploit Framework is an automated exploit tool that allows attackers to easily execute common attack techniques. Nmap is a port scanning tool. OpenVAS is a network vulnerability scanner and Nikto is a web application scanner. While these other tools might identify potential vulnerabilities, they do not go as far as to exploit them.
14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? A. Code review B. Application vulnerability review C. Mutation fuzzing D. Generational fuzzing
14. C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.
15. Users of a banking application may try to withdraw funds that don’t exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it? A. Misuse case testing B. SQL injection testing C. Fuzzing D. Code review
15. A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.
16. What type of interface testing would identify flaws in a program’s command-line interface? A. Application programming interface testing B. User interface testing C. Physical interface testing D. Security interface testing
16. B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.
18. What port is typically open on a system that runs an unencrypted HTTP server? A. 22 B. 80 C. 143 D. 443
18. B. Unencrypted HTTP communications take place over TCP port 80 by default.
17. During what type of penetration test does the tester always have access to system configuration information? A. Black-box penetration test B. White-box penetration test C. Gray-box penetration test D. Red-box penetration test
17. B. During a white-box penetration test, the testers have access to detailed configuration information about the system being tested.
20. What information security management task ensures that the organization’s data protection requirements are met effectively? A. Account management B. Backup verification C. Log review D. Key performance indicators
20. B. The backup verification process ensures that backups are running properly and thus meeting the organization’s data protection objectives.
19. Robert recently completed a SOC engagement for a customer and is preparing a report that describes his firm’s opinion on the suitability and effectiveness of security controls after evaluating them over a six-month period. What type of report is he preparing? A. Type I B. Type II C. Type III D. Type IV
19. B. There are only two types of SOC report: Type I and Type II. Both reports provide information on the suitability of the design of security controls. Only a Type II report also provides an opinion on the operating effectiveness of those controls over an extended period of time.
1. Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.) A. Prevention B. Detection C. Reporting D. Lessons learned E. Backup
1. B, C, D. Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn’t one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
2. You are troubleshooting a problem on a user’s computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next? A. Isolate the computer from the network. B. Review the HIDS logs of neighboring computers. C. Run an antivirus scan. D. Analyze the system to discover how it was infected.
2. A. Your next step is to isolate the computer from the network as part of the mitigation phase. You might look at other computers later, but you should try to mitigate the problem first. Similarly, you might run an antivirus scan, but later. The lessons learned phase is last and will analyze an incident to determine the cause.
3. In the incident management steps identified by (ISC)2, which of the following occurs first? A. Response B. Mitigation C. Remediation D. Lessons learned
3. D. The first step is detection. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
5. Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data? A. Identification B. Audit trails C. Authorization D. Confidentiality
5. B. Audit trails provide documentation on what happened, when it happened, and who did it. IT personnel create audit trails by examining logs. Authentication of individuals is also needed to ensure that the audit trails provide proof of identities listed in the logs. Identification occurs when an individual claims an identity, but identification without authentication doesn’t provide accountability. Authorization grants individuals access to resources based on their proven identity. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.
4. Which of the following are basic security controls that can prevent many attacks? (Choose three.) A. Keep systems and applications up to date. B. Implement security orchestration, automation, and response (SOAR) technologies. C. Remove or disable unneeded services or protocols. D. Use up-to-date antimalware software. E. Use WAFs at the border.
4. A, C, D. The three basic security controls listed are 1) keep systems and applications up to date, 2) remove or disable unneeded services or protocols, and 3) use up-to-date antimalware software. SOAR technologies implement advanced methods to detect and automatically respond to incidents. It’s appropriate to place a network firewall at the border (between the internet and the internal network), but web application firewalls (WAF) should only filter traffic going to a web server.
6. A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first? A. Configure the logs to overwrite old entries automatically. B. Copy existing logs to a different drive. C. Review the logs for any signs of attacks. D. Delete the oldest log entries.
6. B. The first step should be to copy existing logs to a different drive so that they are not lost. If you enable rollover logging, you are configuring the logs to overwrite old entries. It’s not necessary to review the logs before copying them. If you delete the oldest log entries first, you may delete valuable data.
8. You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit? A. An attack that exploits a vulnerability that doesn’t have a patch or fix B. A newly discovered vulnerability that doesn’t have a patch or fix C. An attack on systems without an available patch D. Malware that delivers its payload after a user starts an application
8. A. A zero-day exploit is an attack that exploits a vulnerability that doesn’t have a patch or fix. A newly discovered vulnerability is only a vulnerability until someone tries to exploit it. Attacks on unpatched systems aren’t zero-day exploits. A virus is a type of malware that delivers its payload after a user launches an application.
7. You suspect an attacker has launched a fraggle attack on a system. You check the logs and filter your search with the protocol used by fraggle. What protocol would you use in the filter? A. User Datagram Protocol (UDP) B. Transmission Control Protocol (TCP) C. Internet Control Message Protocol (ICMP) D. Security orchestration, automation, and response (SOAR)
7. A. Fraggle is a denial of service (DoS) attack that uses UDP. Other attacks, such as a SYN flood attack, use TCP. A smurf attack is similar to a fraggle attack, but it uses ICMP. SOAR is a group of technologies that provide automated responses to common attacks, not a protocol.
9. Users in an organization complain that they can’t access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion protection system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe? A. A false negative B. A honeynet C. A false positive D. Sandboxing
9. C. This is a false positive. The IPS falsely identified normal web traffic as an attack and blocked it. A false negative occurs when a system doesn’t detect an actual attack. A honeynet is a group of honeypots used to lure attackers. Sandboxing provides an isolated environment for testing and is unrelated to this question.
10. You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS? A. A pattern-matching IDS B. A knowledge-based IDS C. A signature-based IDS D. An anomaly-based IDS
10. D. An anomaly-based IDS requires a baseline, and it then monitors traffic for any anomalies or changes when compared to the baseline. It’s also called behavior based and heuristics based. Pattern-based detection (also known as knowledge-based detection and signature-based detection) uses known signatures to detect attacks.
11. An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system? A. A host-based intrusion detection system (HIDS) B. A network-based intrusion detection system (NIDS) C. A honeynet D. A network firewall
11. B. An NIDS will monitor all traffic and raise alerts when it detects suspicious traffic. A HIDS only monitors a single system. A honeynet is a network of honeypots used to lure attackers away from live networks. A network firewall filters traffic, but it doesn’t raise alerts on suspicious traffic.
12. You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system? A. A network-based intrusion prevention system (NIPS) B. A network-based intrusion detection system (NIDS) C. A host-based intrusion prevention system (HIPS) D. A host-based intrusion detection system (HIDS)
12. A. This describes an NIPS. It is monitoring network traffic, and it is placed in line with the traffic. An NIDS isn’t placed in line with the traffic, so it isn’t the best choice. Host-based systems only monitor traffic sent to specific hosts, not network traffic.
13. After installing an application on a user’s system, your supervisor told you to remove it because it is consuming most of the system’s resources. Which of the following prevention systems did you most likely install? A. A network-based intrusion detection system (NIDS) B. A web application firewall (WAF) C. A security information and event management (SIEM) system D. A host-based intrusion detection system (HIDS)
13. D. A drawback of some HIDSs is that they interfere with a single system’s normal operation by consuming too many resources. The other options refer to applications that aren’t installed on user systems.
15. A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe? A. A false positive B. A false negative C. A fraggle attack D. A smurf attack
15. B. A false negative occurs when there is an attack but the IDS doesn’t detect it and raise an alarm. In contrast, a false positive occurs when an IDS incorrectly raises an alarm, even though there isn’t an attack. The attack may be a UDP-based fraggle attack or an ICMP-based smurf attack, but the attack is real, and since the IDS doesn’t detect it, it is a false negative.
14. You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port? A. An intrusion prevention system (IPS) B. An intrusion detection system (IDS) C. A honeypot D. A sandbox
14. B. An IDS is most likely to connect to a switch port configured as a mirrored port. An IPS is placed in line with traffic, so it is placed before the switch. A honeypot doesn’t need to see all traffic going through a switch. A sandbox is an isolated area often used for testing and would not need all traffic from a switch.
16. Management wants to add an intrusion detection system (IDS) that will detect new security threats. Which of the following is the best choice? A. A signature-based IDS B. An anomaly detection IDS C. An active IDS D. A network-based IDS
16. B. An anomaly-based IDS (also known as a behavior-based IDS) can detect new security threats. A signature-based IDS only detects attacks from known threats. An active IDS identifies the response after a threat is detected. A network-based IDS can be both signature based and anomaly based.
17. Your organization recently implemented a centralized application for monitoring. Which of the following best describes this? A. SOAR B. SIEM C. HIDS D. Threat feed
17. B. A security information and event management (SIEM) system is a centralized application that monitors multiple systems. Security orchestration, automation, and response (SOAR) is a group of technologies that provide automated responses to common attacks. A host-based intrusion detection system (HIDS) is decentralized because it is on one system only. A threat feed is a stream of data on current threats.
18. After a recent attack, management decided to implement an egress monitoring system that will prevent data exfiltration. Which of the following is the best choice? A. An NIDS B. An NIPS C. A firewall D. A DLP system
18. D. A network-based data loss prevention (DLP) system monitors outgoing traffic (egress monitoring) and can thwart data exfiltration attempts. Network-based intrusion detection systems (NIDSs) and intrusion protection systems (IPSs) primarily monitor incoming traffic for threats. Firewalls can block traffic or allow traffic based on rules in an access control list (ACL), but they can’t detect unauthorized data exfiltration attacks.
19. Security administrators are regularly monitoring threat feeds and using that information to check systems within the network. Their goal is to discover any infections or attacks that haven’t been detected by existing tools. What does this describe? A. Threat hunting B. Threat intelligence C. Implementing the kill chain D. Using artificial intelligence
19. A. Threat hunting is the process of actively searching for infections or attacks within a network. Threat intelligence refers to the actionable intelligence created after analyzing incoming data, such as threat feeds. Threat hunters use threat intelligence to search for specific threats. Additionally, they may use a kill chain model to mitigate these threats. Artificial intelligence (AI) refers to actions by a machine, but the scenario indicates administrators are doing the work.
1. James is working with his organization’s leadership to help them understand the role that disaster recovery plays in their cybersecurity strategy. The leaders are confused about the differences between disaster recovery and business continuity. What is the end goal of disaster recovery planning? A. Preventing business interruption B. Setting up temporary business operations C. Restoring normal business activity D. Minimizing the impact of a disaster
1. C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off. Preventing business interruption is the goal of business continuity, not disaster recovery programs. Although disaster recovery programs are involved in restoring normal activity and minimizing the impact of disasters, this is not their end goal.
2. Kevin is attempting to determine an appropriate backup frequency for his organization’s database server and wants to ensure that any data loss is within the organization’s risk appetite. Which one of the following security process metrics would best assist him with this task? A. RTO B. MTD C. RPO D. MTBF
2. C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related to the frequency of failure events.
3. Brian’s organization recently suffered a disaster and wants to improve their disaster recovery program based on their experience. Which one of the following activities will best assist with this task? A. Training programs B. Awareness efforts C. BIA review D. Lessons learned
3. D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or in the business impact analysis.
4. Adam is reviewing the fault-tolerance controls used by his organization and realizes that they currently have a single point of failure in the disks used to support a critical server. Which one of the following controls can provide fault tolerance for these disks? A. Load balancing B. RAID C. Clustering D. HA pairs
4. B. Redundant arrays of inexpensive disks (RAID) are a fault-tolerance control that allow an organization’s storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and high-availability (HA) pairs are all fault-tolerance services designed for server compute capacity, not storage.
5. Brad is helping to design a disaster recovery strategy for his organization and is analyzing possible storage locations for backup data. He is not certain where the organization will recover operations in the event of a disaster and would like to choose an option that allows them the flexibility to easily retrieve data from any DR site. Which one of the following storage locations provides the best option for Brad? A. Primary data center B. Field office C. Cloud computing D. IT manager’s home
5. C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, since it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager’s home is a poor choice—the IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.
9. Bryn runs a corporate website and currently uses a single server, which is capable of handling the site’s entire load. She is concerned, however, that an outage on that server could cause the organization to exceed its RTO. What action could she take that would best protect against this risk? A. Install dual power supplies in the server. B. Replace the server’s hard drives with RAID arrays. C. Deploy multiple servers behind a load balancer. D. Perform regular backups of the server.
9. C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the outage occurring in the first place.
8. Randi is designing a disaster recovery mechanism for her organization’s critical business databases. She selects a strategy where an exact, up-to-date copy of the database is maintained at an alternative location. What term describes this approach? A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring
8. D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up to date by executing all transactions on both the primary and remote sites at the same time. Electronic vaulting follows a similar process of storing all data at the remote location, but it does not do so in real time. Transaction logging and remote journaling options send logs, rather than full data replicas, to the remote location.
7. Tonya is reviewing the flood risk to her organization and learns that their primary data center resides within a 100-year flood plain. What conclusion can she draw from this information? A. The last flood of any kind to hit the area was more than 100 years ago. B. The odds of a flood at this level are 1 in 100 in any given year. C. The area is expected to be safe from flooding for at least 100 years. D. The last significant flood to hit the area was more than 100 years ago.
7. B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.
6. Which of the following statements about business continuity planning and disaster recovery planning are correct? (Choose all that apply.) A. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. B. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans. C. Business continuity planning picks up where disaster recovery planning leaves off. D. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.
6. A, B, D. The only incorrect statement here is that business continuity planning picks up where disaster recovery planning leaves off. In fact, the opposite is true: disaster recovery planning picks up where business continuity planning leaves off. The other three statements are all accurate reflections of the role of business continuity planning and disaster recovery planning. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans, although it is highly recommended that they do so. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.
10. Carl recently completed his organization’s annual business continuity plan refresh and is now turning his attention to the disaster recovery plan. What output from the business continuity plan can he use to prepare the business unit prioritization task of disaster recovery planning? A. Vulnerability analysis B. Business impact analysis C. Risk management D. Continuity planning
10. B. During the business impact analysis phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the disaster recovery planning business unit prioritization.
11. Nolan is considering the use of several different types of alternate processing facility for his organization’s data center. Which one of the following alternative processing sites takes the longest time to activate but has the lowest cost to implement? A. Hot site B. Mobile site C. Cold site D. Warm site
11. C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This process often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.
12. Ingrid is concerned that one of her organization’s data centers has been experiencing a series of momentary power outages. Which one of the following controls would best preserve their operating status? A. Generator B. Dual power supplies C. UPS D. Redundant network links
12. C. Uninterruptible power supplies (UPSs) provide a battery-backed source of power that is capable of preserving operations in the event of brief power outages. Generators take a significant amount of time to start and are more suitable for longer-term outages. Dual power supplies protect against power supply failures and not power outages. Redundant network links are a network continuity control and do not provide power.
13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites? A. Communications circuits B. Workstations C. Servers D. Current data
13. D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.
14. Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site, where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing? A. Checklist test B. Structured walk-through C. Simulation test D. Parallel test
14. D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walk-throughs, and simulations are all test types that do not involve actually activating the alternate site.
15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way? A. Executive summary B. Technical guides C. Department-specific plans D. Checklists
15. A. The executive summary provides a high-level view of the entire organization’s disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.
16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products? A. Differential backups B. Business impact analysis C. Incremental backups D. Software escrow agreement
16. D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a “safety net” in the event a developer goes out of business or fails to honor the terms of a service agreement.
17. What type of backup involves always storing copies of all files modified since the most recent full backup? A. Differential backups B. Partial backup C. Incremental backups D. Database backup
17. A. Differential backups involve always storing copies of all files modified since the most recent full backup, regardless of any incremental or differential backups created during the intervening time period.
18. You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority? A. Order-processing system B. Fire suppression system C. Payroll system D. Website
18. B. People should always be your highest priority in business continuity planning. As life safety systems, fire suppression systems should always receive high prioritization.
19. What combination of backup strategies provides the fastest backup restoration time? A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups
19. A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be large.
20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? A. Structured walk-through B. Parallel test C. Full-interruption test D. Simulation test
20. B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.
1. Devin is revising the policies and procedures used by his organization to conduct investigations and would like to include a definition of computer crime. Which one of the following definitions would best meet his needs? A. Any attack specifically listed in your security policy B. Any illegal attack that compromises a protected computer C. Any violation of a law or regulation that involves a computer D. Failure to practice due diligence in computer security
1. C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer, either as the target or as a tool. Computer crimes may not be defined in an organization’s policy, since crimes are only defined in law. Illegal attacks are indeed crimes, but this is too narrow a definition. The failure to practice due diligence may be a liability but, in most cases, is not a criminal action.
2. What is the main purpose of a military and intelligence attack? A. To attack the availability of military systems B. To obtain secret and restricted information from military or law enforcement sources C. To utilize military or intelligence agency systems to attack other, nonmilitary sites D. To compromise military systems for use in attacks against other systems
2. B. A military and intelligence attack targets the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.
3. Which of the following is not a canon of the (ISC)2 Code of Ethics? A. Protect your colleagues. B. Provide diligent and competent service to principals. C. Advance and protect the profession. D. Protect society.
3. A. The Code of Ethics does not require that you protect your colleagues.
5. Which one of the following attacker actions is most indicative of a terrorist attack? A. Altering sensitive trade secret documents B. Damaging the ability to communicate and respond to a physical attack C. Stealing unclassified information D. Transferring funds to other countries
5. B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack. Although terrorists may engage in other actions, such as altering information, stealing data, or transferring funds, as part of their attacks, these items alone are not indicators of terrorist activity.
4. Which of the following are examples of financially motivated attacks? (Choose all that apply.) A. Accessing services that you have not purchased B. Disclosing confidential personal employee information C. Transferring funds from an unapproved source into your account D. Selling a botnet for use in a DDoS attack
4. A, C, D. A financial attack focuses primarily on obtaining services and funds illegally. Accessing services that you have not purchased is an example of obtaining services illegally. Transferring funds from an unapproved source is obtaining funds illegally, as is leasing out a botnet for use in DDoS attacks. Disclosing confidential information is not necessarily financially motivated.
6. Which of the following would not be a primary goal of a grudge attack? A. Disclosing embarrassing personal information B. Launching a virus on an organization’s system C. Sending inappropriate email with a spoofed origination address of the victim organization D. Using automated tools to scan the organization’s systems for vulnerable ports
6. D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.
7. What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)
A. Bragging rights
B. Money from the sale of stolen documents
C. Pride of conquering a secure system
D. Retaliation against a person or organization

7. A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

8. What is the most important rule to follow when collecting evidence?
A. Do not turn off a computer until you photograph the screen.
B. List all people present while collecting evidence.
C. Avoid the modification of evidence during the collection process.
D. Transfer all equipment to a secure storage location.

8. C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered?
A. All of the damage has been done. Turning the machine off would not stop additional damage.
B. There is no other system that can replace this one if it is turned off.
C. Too many users are logged in and using the system.
D. Valuable evidence in memory will be lost.

9. D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

11. Which one of the following investigation types has the highest standard of evidence?
A. Administrative
B. Civil
C. Criminal
D. Regulatory

11. C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.

10. What type of evidence refers to written documents that are brought into court to prove a fact?
A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence

10. C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement. Testimonial evidence is evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.

12. During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future?
A. Forensic analysis
B. Root cause analysis
C. Network traffic analysis
D. Fagan analysis

12. B. Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future. Forensic analysis is used to obtain evidence from digital systems. Network traffic analysis is an example of a forensic analysis category. Fagan inspection is a software testing technique.

13. What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered?
A. Preservation
B. Production
C. Processing
D. Presentation

13. A. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening. Presentation displays the information to witnesses, the court, and other parties.

14. Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs?
A. Real evidence
B. Documentary evidence
C. Parol evidence
D. Testimonial evidence

14. B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.

15. You are a law enforcement officer and you need to confiscate a PC from a suspected attacker who does not work for your organization. You are concerned that if you approach the individual, they may destroy evidence. What legal avenue is most appropriate?
A. Consent agreement signed by employees
B. Search warrant
C. No legal avenue necessary
D. Voluntary consent

15. B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

16. Gavin is considering altering his organization’s log retention policy to delete logs at the end of each day. What is the most important reason that he should avoid this approach?
A. An incident may not be discovered for several days and valuable evidence could be lost.
B. Disk space is cheap, and log files are used frequently.
C. Log files are protected and cannot be altered.
D. Any information in a log file is useless after it is several hours old.

16. A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, log files can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived, often by forwarding log entries to a centralized log management system.

17. What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege?
A. Identification
B. Collection
C. Processing
D. Review

17. D. Review examines the information resulting from the Processing phase to determine what information is responsive to the request and remove any information protected by attorney-client privilege. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening.

18. What are ethics?
A. Mandatory actions required to fulfill job requirements
B. Laws of professional conduct
C. Regulations set forth by a professional organization
D. Rules of personal behavior

18. D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?
A. Honestly, diligently, responsibly, and legally
B. Honorably, honestly, justly, responsibly, and legally
C. Upholding the security policy and protecting the organization
D. Trustworthy, loyally, friendly, courteously

19. B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, Ethics and the Internet?
A. Actions that compromise the privacy of classified information
B. Actions that compromise the privacy of users
C. Actions that disrupt organizational activities
D. Actions in which a computer is used in a manner inconsistent with a stated security policy

20. B. RFC 1087 does not specifically address the statements in options A, C, or D. Although each type of activity listed is unacceptable, only “actions that compromise the privacy of users” are explicitly identified in RFC 1087.

1. Dylan is reviewing the security controls currently used by his organization and realizes that he lacks a tool that might identify abnormal actions taken by an end user. What type of tool would best meet this need?
A. EDR
B. Integrity monitoring
C. Signature detection
D. UEBA

1. D. User and entity behavior analytics (UEBA) tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts. This type of tool would meet Dylan’s requirements. Endpoint detection and response (EDR) tools watch for unusual endpoint behavior but do not analyze user activity. Integrity monitoring is used to identify unauthorized system/file changes. Signature detection is a malware detection technique.

2. Tim is working to improve his organization’s antimalware defenses and would also like to reduce the operational burden on his security team. Which one of the following solutions would best meet his needs?
A. UEBA
B. MDR
C. EDR
D. NGEP

2. B. All of these technologies are able to play important roles in defending against malware and other endpoint threats. User and entity behavior analysis (UEBA) looks for behavioral anomalies. Endpoint detection and response (EDR) and next-generation endpoint protection (NGEP) identify and respond to malware infections. However, only managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team.

3. Carl works for a government agency that has suffered a ransomware attack and has lost access to critical data but does have access to backups. Which one of the following actions would best restore this access while minimizing the risk facing the organization?
A. Pay the ransom
B. Rebuild systems from scratch
C. Restore backups
D. Install antivirus software

3. C. If Carl has backups available, that would be his best option to recover operations. He could also pay the ransom, but this would expose his organization to legal risks and incur unnecessary costs. Rebuilding the systems from scratch would not restore his data. Installing antivirus software would be helpful in preventing future compromises, but these packages would not likely be able to decrypt the missing data.

4. What attack technique is often leveraged by advanced persistent threat groups but not commonly available to other attackers, such as script kiddies and hacktivists?
A. Zero-day exploit
B. Social engineering
C. Trojan horse
D. SQL injection

4. A. Although an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks due to the cost and complexity of the research required to discover or purchase them. Social engineering, Trojans (and other malware), and SQL injection attacks are often attempted by many different types of attackers.

6. Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user’s permission has been revoked. What type of vulnerability is this?
A. Backdoor
B. TOC/TOU
C. Buffer overflow
D. SQL injection

6. B. TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Backdoors are code that allows those with knowledge of the backdoor to bypass authentication mechanisms. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. SQL injection attacks include SQL code in user input in the hopes that it will be passed to and executed by the backend database.

5. John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute targeted commands. What type of vulnerability has John discovered?
A. TOCTTOU
B. Buffer overflow
C. XSS
D. XSRF

5. B. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. Time-of-check to time-of-use (TOCTTOU) attacks exploit timing differences that lead to race conditions. Cross-site scripting (XSS) attacks force the execution of malicious scripts in the user’s browser. Cross-site request forgery (XSRF) attacks exploit authentication trust between browser tabs.

7. What programming language construct is commonly used to perform error handling?
A. If...then
B. Case...when
C. Do...while
D. Try...catch

7. D. The try...catch clause is used to attempt to evaluate code contained in the try clause and then handle errors with the code located in the catch clause. The other constructs listed here (if...then, case...when, and do...while) are all used for control flow.

8. Fred is reviewing the logs from his web server for malicious activity and finds this request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?
A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload

8. C. In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. SQL injection attacks would contain SQL code. File upload attacks seek to upload a file to the server. Session hijacking attacks require the theft of authentication tokens or other credentials.

9. A developer added a subroutine to a web application that checks to see whether the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this?
A. Logic bomb
B. Worm
C. Trojan horse
D. Virus

9. A. Logic bombs wait until certain conditions are met before delivering their malicious payloads. Worms are malicious code objects that move between systems under their own power, whereas viruses require some type of human intervention. Trojan horses masquerade as useful software but then carry out malicious functions after installation.

11. Katie is concerned about the potential for SQL injection attacks against her organization. She has already put a web application firewall in place and conducted a review of the organization’s web application source code. She would like to add an additional control at the database level. What database technology could further limit the potential for SQL injection attacks?
A. Triggers
B. Parameterized queries
C. Column encryption
D. Concurrency control

11. B. Developers of web applications should leverage parameterized queries to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database developers or administrators. With parameterized queries, the SQL statement is defined within the application and variables are bound to that statement in a safe manner.

10. Francis is reviewing the source code for a database-driven web application that his company is planning to deploy. He is paying particular attention to the use of input validation within that application. Of the characters listed here, which is most commonly used in SQL injection attacks?
A. !
B. &
C. *
D. '

10. D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

12. What type of malicious software is specifically used to leverage stolen computing power for the attacker’s financial gain?
A. RAT
B. PUP
C. Cryptomalware
D. Worm

12. C. Although any malware may be leveraged for financial gain, depending on its payload, cryptomalware is specifically designed for this purpose. It steals computing power and uses it to mine cryptocurrency. Remote access Trojans (RATs) are designed to grant attackers remote administrative access to systems. Potentially unwanted programs (PUPs) are any type of software that is initially approved by the user but then performs undesirable actions. Worms are malicious code objects that move between systems under their own power.

13. David is responsible for reviewing a series of web applications for vulnerabilities to cross-site scripting attacks. What characteristic should he watch out for that would indicate a high susceptibility to this type of attack?
A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts

13. A. Cross-site scripting attacks are often successful against web applications that include reflected input. This is one of the two main categories of XSS attack. In a reflected attack, the attacker can embed the attack within the URL so that it is reflected to users who follow a link.

14. You are the IT security manager for a retail merchant organization that is just going online with an ecommerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that although the new code functions well, it might not be secure. You begin to review the code to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose all that apply.)
A. Input validation
B. Defensive coding
C. Allowing script input
D. Escaping metacharacters

14. A, B, D. A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.

15. Sharon believes that a web application developed by her organization contains a cross-site scripting vulnerability, and she would like to correct the issue. Which of the following is the most effective defense that Sharon can use against cross-site scripting attacks?
A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption

15. B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML

16. What type of attack has she likely discovered?
A. XSS
B. SQL injection
C. XSRF
D. TOCTTOU

16. A. The use of the