CISSP-P3 Flashcards

Question 1

Q

Regarding media sanitization, which of the following is the
correct order for fully and physically destroying hand-held
devices, such as cell phones?
Incinerate
Disintegrate
Pulverize
Shred

a. 3, 2, 1, and 4
b. 4, 2, 3, and 1
c. 1, 4, 3, and 2
d. 1, 2, 4, and 3

Answer

A

b. The correct order for fully and physically destroying hand-held
devices such as cell phones is shred, disintegrate, pulverize, and
incinerate. This is the best recommended practice for both public and
private sector organizations.
Shredding is a method of sanitizing media and is the act of cutting or
tearing into small particles. Here, the shredding step comes first to
make the cell phone inoperable quickly. Disintegration is a method of
sanitizing media and is the act of separating the equipment into
component parts. Disintegration cannot be the first step because some
determined attacker can assemble these parts and can make the cell
phone work. Pulverization is a method of sanitizing media and is the
act of grinding to a powder or dust. Incineration is a method of
sanitizing media and is the act of burning completely to ashes done in a
licensed incinerator. Note that one does not need to complete all these
methods, but can stop after any specific method and after reaching the
final goal based on the sensitivity and criticality of data on the device.

Question 2

Q

Which of the following detects unauthorized changes to software
and information for commercial off-the-shelf integrity
mechanisms?
Tamper-evident system components
Parity checks
Cyclical redundancy checks
Cryptographic hashes

a. 2 only
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4

Answer

A

d. Organizations employ integrity verification mechanisms to look
for evidence of tampering, errors, and omissions. Software engineering
techniques such as parity checks, cyclical redundancy checks, and
cryptographic hashes are applied to the information system. In
addition, tamper-evident system components are required to ship from
software vendors to operational sites, and during their operation.

Question 3

Q

Effective configuration change controls for hardware, software,
and firmware include:
Auditing the enforcement actions
Preventing the installation of software without a signed certificate
Enforcing the two-person rule for changes to systems
Limiting the system developer/integrator privileges

a. 1 only
b. 3 only
c. 2 and 4
d. 1, 2, 3, and 4

Answer

A

d. All four items are effective in managing configuration changes to
hardware, software, and firmware components of a system.

Question 4

Q

An information system can be protected against denial-of service (DoS) attacks through:
Network perimeter devices
Increased capacity
Increased bandwidth
Service redundancy

a. 2 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4

Answer

A

d. Network perimeter devices can filter certain types of packets to
protect devices on an organization’s internal network from being
directly affected by denial-of-service (DoS) attacks. Employing
increased capacity and increased bandwidth combined with service
redundancy may reduce the susceptibility to some type of DoS attacks.
A side-benefit of this is enabling availability of data, which is a good
thing.

Question 5

Q

What is the major purpose of conducting a post-incident analysis
for a computer security incident?

a. To determine how security threats and vulnerabilities were
addressed
b. To learn how the attack was done
c. To re-create the original attack
d. To execute the response to an attack

Answer

A

a. The major reason for conducting a post-incident analysis is to
determine whether security weaknesses were properly and effectively
addressed. Security holes must be plugged to prevent recurrence. The
other three choices are minor reasons.

Question 6

Q

Which of the following is an example of a reactive approach to
software security?

a. Patch-and-patch
b. Penetrate-and-patch
c. Patch-and-penetrate
d. Penetrate-and-penetrate

Answer

A

b. Crackers and hackers attempt to break into computer systems by
finding flaws in software, and then system administrators apply
patches sent by vendors to fix the flaws. In this scenario of penetrate and-patch, patches are applied after penetration has occurred, which is
an example of a reactive approach. The scenario of patch-and patch is
good because one is always patching, which is a proactive approach.
The scenario of patch-and-penetrate is a proactive approach in which
organizations apply vendor patches in a timely manner. There is not
much damage done when crackers and hackers penetrate (break) into
the computer system because all known flaws are fixed. In this
scenario, patches are applied before penetration occurs. The scenario
of penetrate-and-penetrate is bad because patches are not applied at all
or are not effective.

Question 7

Q

Regarding a patch management program, which of the following
is an example of vulnerability?

a. Misconfigurations
b. Rootkits
c. Trojan horses
d. Exploits

Answer

A

a. Misconfiguration vulnerabilities cause a weakness in the security
of a system. Vulnerabilities can be exploited by a malicious entity to
violate policies such as gaining greater access or permission than is
authorized on a computer. Threats are capabilities or methods of attack
developed by malicious entities to exploit vulnerabilities and
potentially cause harm to a computer system or network. Threats
usually take the form of exploit scripts, worms, viruses, rootkits,
Trojan horses, and other exploits.

Question 8

Q

An information system initiates session auditing work at system:

a. Restart
b. Shutdown
c. Startup
d. Abort

Question 9

Q

The major reason for retaining older versions of baseline
configuration is to support:

a. Roll forward
b. Rollback
c. Restart
d. Restore

Answer

A

b. A rollback is restoring a database from one point in time to an
earlier point. A roll forward is restoring the database from a point in
time when it is known to be correct to a later time. A restart is the
resumption of the execution of a computer system using the data
recorded at a checkpoint. A restore is the process of retrieving a dataset
migrated to offline storage and restoring it to online storage.

Question 10

Q

Which of the following updates the applications software and
the systems software with patches and new versions?

a. Preventive maintenance
b. Component maintenance
c. Hardware maintenance
d. Periodic maintenance

Answer

A

a. The scope of preventive maintenance includes updating
applications software and systems software with patches and new
versions, replacing failed hardware components, and more.
The other three choices are incorrect because they can be a part of
corrective maintenance (fixing errors) or remedial maintenance (fixing
faults).

Question 11

Q

Regarding incident handling, dynamic reconfiguration does not
include changes to which of the following?

a. Router rules
b. Access control lists
c. Filter rules
d. Software libraries

Answer

A

d. Software libraries are part of access restrictions for change so
changes are controlled. Dynamic reconfiguration (i.e., changes on-thefly) can include changes to router rules, access control lists, intrusion
detection and prevention systems (IDPS) parameters, and filter rules
for firewalls and gateways.

Question 12

Q

Prior to initiating maintenance work by maintenance vendor
personnel who do not have the needed security clearances and
access authorization to classified information, adequate controls
include:
Sanitize all volatile information storage components
Remove all nonvolatile storage media
Physically disconnect the storage media from the system
Properly secure the storage media with physical or logical access
controls

a. 1 only
b. 2 only
c. 2, 3, and 4
d. 1, 2, 3, and 4

Answer

A

d. All four items are adequate controls to reduce the risk resulting
from maintenance vendor personnel’s access to classified information.
For handling classified information, maintenance personnel should
possess security clearance levels equal to the highest level of security
required for an information system.

Question 13

Q

A security configuration checklist is referred to as which of the
following?
Lockdown guide
Hardening guide
Security guide
Benchmark guide

a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 1, 2, 3, and 4

Answer

A

d. A security configuration checklist is referred to as several
names, such as a lockdown guide, hardening guide, security technical
implementation guide, or benchmark guide. These guides provide a
series of instructions or procedures for configuring an information
system’s components to meet operational needs and regulatory
requirements.

Question 14

Q

Regarding the verification of correct operation of security
functions, which of the following is the correct order of alternative
actions when anomalies are discovered?
Report the results.
Notify the system administrator.
Shut down the system.
Restart the system.

a. 1, 2, 3, and 4
b. 3, 4, 2, and 1
c. 2, 1, 3, and 4
d. 2, 3, 4, and 1

Answer

A

d. The correct order of alternative actions is notify the system
administrator, shut down the system, restart the system, and report the
results of security function verification.

Question 15

Q

The audit log does not include which of the following?

a. Timestamp
b. User’s identity
c. Object’s identity
d. The results of action taken
15. d. The audit log includes a timestamp, user’s identity, object’s
identity, and type of action taken, but not the results from the action
taken. The person reviewing the audit log needs to verify that the
results of the action taken were appropriate.

Question 16

Q

Which of the following fault tolerance metrics are most
applicable to the proper functioning of redundant array of disks
(RAID) systems?
Mean time between failures (MTBF)
Mean time to data loss (MTTDL)
Mean time to recovery (MTTR)
Mean time between outages (MTBO)

a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4

Answer

A

c. Rapid replacement of RAID’s failed drives or disks and
rebuilding them quickly is important, which is facilitated specifically
and mostly through applying MTTDL and MTTR metrics. The
MTTDL metric measures the average time before a loss of data
occurred in a given disk array. The MTTR metric measures the amount
of time it takes to resume normal operation, and includes the time to
replace a failed disk and the time to rebuild the disk array. Thus,
MTTDL and MTTR metrics prevent data loss and ensure data
recovery.
MTBF and MTBO metrics are incorrect because they are broad
measures of providing system reliability and availability respectively,
and are not specifically applicable to RAID systems. The MTBF
metric measures the average time interval between system failures and
the MTBO metric measures the mean time between equipment
failures.

Question 17

Q

All the following have redundancy built in except:

a. Fast Ethernet
b. Fiber distributed data interface
c. Normal Ethernet
d. Synchronous optical network

Answer

A

c. Normal Ethernet does not have a built-in redundancy. Fast
Ethernet has built-in redundancy with redundant cabling for file
servers and network switches. Fiber distributed data interface (FDDI)
offers an optional bypass switch at each node for addressing failures.
Synchronous optical network (SONET) is inherently redundant and
fault tolerant by design.

Question 18

Q

Which of the following go hand-in-hand?

a. Zero-day warez and content delivery networks
b. Zero-day warez and ad-hoc networks
c. Zero-day warez and wireless sensor networks
d. Zero-day warez and converged networks

Answer

A

a. Zero-day warez (negative day or zero-day) refers to software,
games, music, or movies (media) unlawfully released or obtained on
the day of public release. An internal employee of a content delivery
company or an external hacker obtains illegal copies on the day of the
official release. Content delivery networks distribute such media from
the content owner. The other three networks do not distribute such
media.
Bluetooth mobile devices use ad-hoc networks, wireless sensor
networks monitor security of a building perimeter and environmental
status in a building (temperature and humidity), and converged
networks combine two different networks such as voice and data.

Question 19

Q

Which of the following provides total independence?

a. Single-person control
b. Dual-person control
c. Two physical keys
d. Two hardware tokens

Answer

A

a. Single-person control means total independence because there is
only one person performing a task or activity. In the other three
choices, two individuals or two devices (for example, keys and tokens)
work together, which is difficult to bypass unless collusion is involved.

Question 20

Q

The use of a no-trespassing warning banner at a computer
system’s initial logon screen is an example of which of the
following?

a. Correction tactic
b. Detection tactic
c. Compensating tactic
d. Deterrence tactic

Answer

A

d. The use of no-trespassing warning banners on initial logon
screens is a deterrent tactic to scare system intruders and to provide
legal evidence. The other three choices come after the deterrence
tactic

Question 21

Q

Countermeasures applied when inappropriate and/or
unauthorized modifications have occurred to security functions
include:
Reversing the change
Halting the system
Triggering an audit alert
Reviewing the records of change

a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4

Answer

A

d. Safeguards and countermeasures (controls) applied when
inappropriate and/or unauthorized modifications have occurred to
security functions and mechanisms include reversing the change,
halting the system, triggering an audit alert, and reviewing the records
of change. These countermeasures would reduce the risk to an
information system.

Question 22

Q

Which of the following situations provides no security
protection?

a. Controls that are designed and implemented
b. Controls that are developed and implemented
c. Controls that are planned and implemented
d. Controls that are available, but not implemented

Answer

A

d. Controls that are available in a computer system, but not
implemented, provide no protection.

Question 23

Q

A computer system is clogged in which of the following
attacks?

a. Brute force attack
b. Denial-of-service attack
c. IP spoofing attack
d. Web spoofing attack

Answer

A

b. The denial-of-service (DoS) type of attack denies services to
users by either clogging the system with a series of irrelevant messages
or sending disruptive commands to the system. It does not damage the
data. A brute force attack is trying every possible decryption key
combination to break into a computer system. An Internet Protocol (IP)
spoofing attack means intruders creating packets with spoofed source
IP addresses. The intruder then takes over an open-terminal and login connections. In a Web spoofing attack, the intruder sits between the
victim user and the Web, thereby making it a man-in-the-middle attack.
The user is duped into supplying the intruder with passwords, credit
card information, and other sensitive and useful data.

Question 24

Q

Which of the following is not an effective, active, and
preventive technique to protect the integrity of audit information
and audit tools?

a. Backing up the audit records
b. Using a cryptographic-signed hash
c. Protecting the key used to generate the hash
d. Using the public key to verify the hash

Answer

A

a. Backing up the audit records is a passive and detective action,
and hence not effective in protecting integrity. In general, backups
provide availability of data, not integrity of data, and they are there
when needed. The other three choices, which are active and preventive,
use cryptographic mechanisms (for example, keys and hashes), and
therefore are effective in protecting the integrity of audit-related
information.

Question 25

Q

Regarding a patch management program, which of the
following should not be done to a compromised system?

a. Reformatting
b. Reinstalling
c. Restoring
d. Remigrating

Answer

A

d. In most cases a compromised system should be reformatted and
reinstalled or restored from a known safe and trusted backup.
Remigrating deals with switching between using automated and
manual patching tools and methods should not be performed on a
compromised system.

Question 26

Q

Which of the following is the most malicious Internet-based
attack?

a. Spoofing attack
b. Denial-of-service attack
c. Spamming attack
d. Locking attack

Answer

A

b. Denial-of-service (DoS) attack is the most malicious Internet based attack because it floods the target computer with hundreds of
incomplete Internet connections per second, effectively preventing any
other network connections from being made to the victim network
server. The result is a denial-of-service to users, consumption of
system resources, or a crash in the target computer. Spoofing attacks
use various techniques to subvert IP-based access control by
masquerading as another system by using its IP address. Spamming
attacks post identical messages to multiple unrelated newsgroups. They
are often used in cheap advertising to promote pyramid schemes or
simply to annoy people. Locking attack prevents users from accessing
and running shared programs such as those found in Microsoft Office
product.

Question 27

Q

Denial-of-service attacks can be prevented by which of the
following?

a. Redundancy
b. Isolation
c. Policies
d. Procedures

Answer

A

a. Redundancy in data and/or equipment can be designed so that
service cannot be removed or denied. Isolation is just the opposite of
redundancy. Policies and procedures are not effective against denialof-service (DoS) attacks because they are examples of management
controls. DoS requires technical controls such as redundancy.

Question 28

Q

Which of the following denial-of-service attacks in networks is
least common in occurrence?

a. Service overloading
b. Message flooding
c. Connection clogging
d. Signal grounding

Answer

A

d. In denial-of-service (DoS) attacks, some users prevent other
legitimate users from using the network. Signal grounding, which is
located in wiring closets, can be used to disable a network. This can
prevent users from transmitting or receiving messages until the
problem is fixed. Signal grounding is the least common in occurrence
as compared to other choices because it requires physical access.
Service overloading occurs when floods of network requests are made
to a server daemon on a single computer. It cannot process regular
tasks in a timely manner.
Message flooding occurs when a user slows down the processing of a
system on the network, to prevent the system from processing its
normal workload, by “flooding” the machine with network messages
addressed to it. The system spends most of its time responding to these
messages.
Connection clogging occurs when users make connection requests with
forged source addresses that specify nonexistent or unreachable hosts
that cannot be contacted. Thus, there is no way to trace the connection
back; they remain until they time out or reset. The goal is to use up the
limit of partially open connections.

Question 29

Q

Smurf is an example of which of the following?

a. IP address spoofing attack
b. Denial-of-service attack
c. Redirect attack
d. TCP sequence number attack

Answer

A

b. Smurf attacks use a network that accepts broadcast ping packets
to flood the target computer with ping reply packets. The goal of a
smurf attack is to deny service.
Internet Protocol (IP) address spoofing attack and transmission control
protocol (TCP) sequence number attack are examples of session
hijacking attacks. The IP address spoofing is falsifying the identity of a
computer system. In a redirect attack, a hacker redirects the TCP
stream through the hacker’s computer. The TCP sequence number
attack is a prediction of the sequence number needed to carry out an
unauthorized handshake.

Question 30

Q

The demand for reliable computing is increasing. Reliable
computing has which of the following desired elements in
computer systems?

a. Data integrity and availability
b. Data security and privacy
c. Confidentiality and modularity
d. Portability and feasibility

Answer

A

a. Data integrity and availability are two important elements of
reliable computing. Data integrity is the concept of ensuring that data
can be maintained in an unimpaired condition and is not subject to
unauthorized modification, whether intentional or inadvertent.
Products such as backup software, antivirus software, and disk repair
utility programs help protect data integrity in personal computers (PCs)
and workstations. Availability is the property that a given resource will
be usable during a given time period. PCs and servers are becoming an
integral part of complex networks with thousands of hardware and
software components (for example, hubs, routers, bridges, databases,
and directory services) and the complex nature of client/server
networks drives the demand for availability. System availability is
increased when system downtime or outages are decreased and when
fault tolerance hardware and software are used.
Data security, privacy, and confidentiality are incorrect because they
deal with ensuring that data is disclosed only to authorized individuals
and have nothing to do with reliable computing. Modularity deals with
the breaking down of a large system into small modules. Portability
deals with the ability of application software source code and data to
be transported without significant modification to more than one type
of computer platform or more than one type of operating system.
Portability has nothing to do with reliable computing. Feasibility deals
with the degree to which the requirements can be implemented under
existing constraint

Question 31

Q

Which of the following is not a part of implementation of
incident response support resources in an organization?

a. Help desk
b. Assistance group
c. Forensics services
d. Simulated events

Answer

A

d. An organization incorporates simulated events into incident
response training to facilitate effective response by individuals in crisis
situations. The other three choices are possible implementations of
incident response support resources in an organization.

Question 32

Q

Software flaw remediation is best when it is incorporated into
which of the following?

a. Configuration management process
b. Security assessments
c. Continuous monitoring
d. Incident response activities

Answer

A

a. Software flaws result in potential vulnerabilities. The
configuration management process can track and verify the required or
anticipated flaw remediation actions.
Flaws discovered during security assessments, continuous monitoring,
incident-response activities, or system error handling activities become
inputs to the configuration management process. Automated patch
management tools should facilitate flaw remediation by promptly
installing security-relevant software updates (for example, patches,
service packs, and hot fixes).

Question 33

Q

Audit trails establish which of the following information
security objectives?

a. Confidentiality
b. Integrity
c. Accountability
d. Availability

Answer

A

c. Accountability is the existence of a record that permits the
identification of an individual who performed some specific activity so
that responsibility for that activity can be established through audit
trails. Audit trails do not establish the other three choices.

Question 34

Q

Audit trails are least useful to which of the following?

a. Training
b. Deterrence
c. Detection
d. Prosecution

Answer

A

a. Audit trails are useful in detecting unauthorized and illegal
activities. They also act as a deterrent and aid in prosecution of
transgressors. They are least useful in training because audit trails are
recorded after the fact. They show what was done, when, and by
whom.

Question 35

Q

In terms of audit records, which of the following information is
most useful?
Timestamps
Source and destination address
Privileged commands
Group account users

a. 1 only
b. 1 and 2
c. 3 and 4
d. 1, 2, 3, and 4

Answer

A

c. Audit records contain minimum information such as timestamps,
source and destination addresses, and outcome of the event (i.e.,
success or failure). But the most useful information is recording of
privileged commands and the individual identities of group account
users.

Question 36

Q

Which of the following is an example of improper separation of
duties?

a. Computer security is embedded into computer operations.
b. Security administrators are separate from security auditors.
c. Mission-critical functions and support functions are separate
from each other.
d. Quality assurance is separate from network security.

Answer

A

a. A natural tension often exists between computer security and
computer operations functions. Some organizations embed a computer
security program in computer operations to resolve this tension. The
typical result of this organizational strategy is a computer security
program that lacks independence, has minimal authority, receives little
management attention, and has few resources to work with. The other
three choices are examples of proper separation of duties.

Question 37

Q

What are labels used on internal data structures called?

a. Automated marking
b. Automated labeling
c. Hard-copy labeling
d. Output labeling

Answer

A

b. Automated labeling refers to labels used on internal data
structures such as records and files within the information system.
Automated marking refers to labels used on external media such as
hard-copy documents and output from the information system (for
example, reports).

Question 38

Q

Which of the following is not allowed when an information
system cannot be sanitized due to a system failure?

a. Periodic maintenance
b. Remote maintenance
c. Preventive maintenance
d. Detective maintenance

Answer

A

b. Media sanitization (scrubbing) means removing information
from media such that information recovery is not possible.
Specifically, it removes all labels, markings, and activity logs. An
organization approves, controls, and monitors remotely executed
maintenance and diagnostic activities. If the information system cannot
be sanitized due to a system failure, remote maintenance is not allowed
because it is a high-risk situation. The other three types of maintenance
are low risk situations.

Question 39

Q

Regarding configuration change management, organizations
should analyze new software in which of the following libraries
before installation?

a. Development library
b. Test library
c. Quarantine library
d. Operational library

Answer

A

b. Organizations should analyze new software in a separate test
library before installation in an operational environment. They should
look for security impacts due to software flaws, security weaknesses,
data incompatibility, or intentional malice in the test library. The
development library is used solely for new development work or
maintenance work. Some organizations use a quarantine library, as an
intermediate library, before moving the software into operational
library. The operational library is where the new software resides for
day-to-day use.

Question 40

Q

Current operating systems are far more resistant to which of
the following types of denial-of-service attacks and have become
less of a threat?

a. Reflector attack
b. Amplified attack
c. Distributed attack
d. SYNflood attack

Answer

A

d. Synchronized flood (SYNflood) attacks often target an
application and daemon, like a Web server, and not the operating
system (OS) itself; although the OS may get impacted due to resources
used by the attack. It is good to know that current operating systems
are far more resistant to SYNflood attacks, and many firewalls now
offer protections against such attacks, so they have become less of a
threat. Still, SYNfloods can occur if attackers initiate many thousands
of transmission control protocol (TCP) connections in a short time.
The other three types of attacks are more of a threat. In a reflector
attack, a host sends many requests with a spoofed source address to a
service on an intermediate host. Like a reflector attack, an amplified
attack involves sending requests with a spoofed source address to an
intermediate host. However, an amplified attack does not use a single
intermediate host; instead, its goal is to use a whole network of
intermediate hosts. Distributed attacks coordinate attacks among many
computers (i.e., zombies).

Question 41

Q

Which of the following is the correct sequence of solutions for
containing a denial-of-service incident?
Relocate the target computer.
Have the Internet service provider implement filtering.
Implement filtering based on the characteristics of the attack.
Correct the vulnerability that is being exploited.

a. 2, 3, 1, and 4
b. 2, 4, 3, and 1
c. 3, 4, 2, and 1
d. 4, 3, 1, and 2

Answer

A

c. The decision-making process for containing a denial-of-service
(DoS) incident should be easier if recommended actions are
predetermined. The containment strategy should include several
solutions in sequence as shown in the correct answer.

Question 42

Q

Computer security incident handling can be considered that
portion of contingency planning that responds to malicious
technical threats (for example, a virus). Which of the following
best describes a secondary benefit of an incident handling
capability?

a. Containing and repairing damage from incidents
b. Preventing future damage
c. Using the incident data in enhancing the risk assessment process
d. Enhancing the training and awareness program

Answer

A

c. An incident capability may be viewed as a component of
contingency planning because it provides the ability to react quickly
and efficiently to disruptions in normal processing. Incidents can be
logged and analyzed to determine whether there is a recurring problem,
which would not be noticed if each incident were viewed only in
isolation. Statistics on the numbers and types of incidents in the
organization can be used in the risk assessment process as an
indication of vulnerabilities and threats.
Containing and repairing damage from incidents and preventing future
damages are incorrect because they are examples of primary benefits
of an incident handling capability. An incident handling capability can
provide enormous benefits by responding quickly to suspicious activity
and coordinating incident handling with responsible offices and
individuals as necessary. Incidents can be studied internally to gain a
better understanding of the organization’s threats and vulnerabilities.
Enhancing the training and awareness program is an example of a
secondary benefit. Based on incidents reported, training personnel will
have a better understanding of users’ knowledge of security issues.
Training that is based on current threats and controls recommended by
incident handling staff provides users with information more
specifically directed to their current needs. Using the incident data in
enhancing the risk assessment process is the best answer when
compared to enhancing the training and awareness program.

Question 43

Q

Automatic file restoration requires which of the following?

a. Log file and checkpoint information
b. Access file and check digit information
c. Transaction file and parity bit information
d. Backup file and checkpoint information

Answer

A

a. Automatic file restoration requires log file and checkpoint
information to recover from a system crash. A backup file is different
from a log file in that it can be a simple copy of the original file
whereas a log file contains specific and limited information. The other
three choices do not have the log file capabilities.

Question 44

Q

Which of the following is the most common type of
redundancy?

a. Cable backup
b. Server backup
c. Router backup
d. Data backup

Answer

A

d. In general, redundancy means having extra, duplicate elements
to compensate for any malfunctions or emergencies that could occur
during normal, day-to-day operations. The most common type of
redundancy is the data backup, although the concept is often applied to
cabling, server hardware, and network connectivity devices such as
routers and switches.

Question 45

Q

Increasing which one of the following items increases the other
three items?

a. Reliability
b. Availability
c. Redundancy
d. Serviceability

Answer

A

c. Reliability minimizes the possibility of failure and availability is
a measurement of uptime while serviceability is a measure of the
amount of time it takes to repair a problem or to restore a system
following a failure. Increasing redundancy increases reliability,
availability, and serviceability.

Question 46

Q

Which of the following is often overlooked in building
redundancy?

a. Disks
b. Processors
c. Electrical power
d. Controllers

Answer

A

c. Redundant electric power and cooling is an important but often
overlooked part of a contingency plan. Network administrators usually
plan for backup disks, processors, controllers, and system boards.

Question 47

Q

Network availability is increased with which of the following?

a. Data redundancy
b. Link redundancy
c. Software redundancy
d. Power redundancy

Answer

A

b. Link redundancy, due to redundant cabling, increases network
availability because it provides a parallel path that runs next to the
main data path and a routing methodology that can establish an
alternative path in case the main path fails. The other three
redundancies are good in their own way, but they do not increase
network availability. In other words, there are two paths: a main path
and an alternative path.

Question 48

Q

What does an effective backup method for handling large
volumes of data in a local-area-network environment include?

a. Backing up at the workstation
b. Backing up at the file server
c. Using faster network connection
d. Using RAID technology

Answer

A

b. Backing up at the file server is effective for a local-area network
due to its greater storage capacity. Backing up at the workstation lacks
storage capacity, and redundant array of independent disks (RAID)
technology is mostly used for the mainframe. Using faster network
connection increases the speed but not backup.

Question 49

Q

Network reliability is increased most with which of the
following?

a. Alternative cable
b. Alternative network carrier
c. Alternative supplies
d. Alternative controllers

Answer

A

b. An alternative network carrier as a backup provides the highest
reliability. If the primary carrier goes down, the backup can still work.
The other three choices do provide some reliability, but not the
ultimate reliability as with the alternative network carrier.

Question 50

Q

In a local-area network environment, which of the following
requires the least redundancy planning?

a. Cables
b. Servers
c. Power supplies
d. Hubs

Answer

A

d. Many physical problems in local-area networks (LANs) are
related to cables because they can be broken or twisted. Servers can be
physically damaged due to disk head crash or power irregularities such
as over or under voltage conditions. An uninterruptible power supply
provides power redundancy and protection to servers and workstations.
Servers can be disk duplexed for redundancy. Redundant topologies
such as star, mesh, or ring can provide a duplicate path should a main
cable link fail. Hubs require physical controls such as lock and key
because they are stored in wiring closets; although, they can also
benefit from redundancy, which can be expensive. Given the choices, it
is preferable to have redundant facilities for cables, servers, and power
supplies.

Question 51

Q

System reliability controls for hardware include which of the
following?

a. Mechanisms to decrease mean time to repair and to increase
mean time between failures
b. Redundant computer hardware
c. Backup computer facilities
d. Contingency plans

Answer

A

a. Mean time to repair (MTTR) is the amount of time it takes to
resume normal operation. It is expressed in minutes or hours taken to
repair computer equipment. The smaller the MTTR for hardware, the
more reliable it is. Mean time between failures (MTBF) is the average
length of time the hardware is functional. MTBF is expressed as the
average number of hours or days between failures. The larger the
MTBF for hardware, the more reliable it is.
Redundant computer hardware and backup computer facilities are
incorrect because they are examples of system availability controls.
They also address contingencies in case of a computer disaster.

Question 52

Q

Fail-soft control is an example of which of the following?

a. Continuity controls
b. Accuracy controls
c. Completeness controls
d. Consistency controls

Answer

A

a. As a part of the preventive control category, fail-soft is a
continuity control. It is the selective termination of affected
nonessential processing when a hardware or software failure is
detected in a computer system. A computer system continues to
function because of its resilience.
Accuracy controls are incorrect because they include data editing and
validation routines. Completeness controls are incorrect because they
look for the presence of all the required values or elements.
Consistency controls are incorrect because they ensure repeatability of
certain transactions with the same attributes.

Question 53

Q

Information availability controls do not include which of the
following?

a. Backup and recovery
b. Storage media
c. Physical and logical security
d. Alternative computer equipment and facilities

Answer

A

b. Storage media has nothing to do with information availability.
Data will be stored somewhere on some media. It is not a decision
criterion. Management’s goal is to gather useful information and to
make it available to authorized users. System backup and recovery
procedures and alternative computer equipment and facilities help
ensure that the recovery is as timely as possible. Both physical and
logical access controls become important. System failures and other
interruptions are common.

Question 54

Q

From an operations viewpoint, the first step in contingency
planning is to perform a(n):

a. Operating systems software backup
b. Applications software backup
c. Documentation backup
d. Hardware backup

Answer

A

d. Hardware backup is the first step in contingency planning. All
computer installations must include formal arrangements for
alternative processing capability in the event their data center or any
portion of the work environment becomes disabled. These plans can
take several forms and involve the use of another data center. In
addition, hardware manufacturers and software vendors can be helpful
in locating an alternative processing site and in some cases provide
backup equipment under emergency conditions. The more common
plans are service bureaus, reciprocal arrangements, and hot sites.
After hardware is backed up, operating systems software is backed up
next, followed by applications software backup and documentation.

Question 55

Q

The primary contingency strategy for application systems and
data is regular backup and secure offsite storage. From an
operations viewpoint, which of the following decisions is least
important to address?

a. How often is the backup performed?
b. How often is the backup stored offsite?
c. How often is the backup used?
d. How often is the backup transported?

Answer

A

c. Normally, the primary contingency strategy for applications and
data is regular backup and secure offsite storage. Important decisions
to be addressed include how often the backup is performed, how often
it is stored offsite, and how it is transported to storage, to an alternative
processing site, or to support the resumption of normal operations.
How often the backup is used is not relevant because it is hoped that it
may never have to be used.

Question 56

Q

Which of the following is not totally possible from a security
control viewpoint?

a. Detection
b. Prevention
c. Correction
d. Recovery

Answer

A

b. Prevention is totally impossible because of its high cost and
technical limitations. Under these conditions, detection becomes more
important, which could be cheaper than prevention; although, not all
attacks can be detected in time. Both correction and recovery come
after prevention or detection.

Question 57

Q

The return on investment on quality is highest in which of the
following software defect prevention activities?

a. Code inspection
b. Reviews with users
c. Design reviews
d. Unit test

Answer

A

b. It is possible to quantify the return on investment (ROI) for
various quality improvement activities. Studies have shown that
quality ROI is highest when software products are reviewed with user
customers. This is followed by code inspection by programmers,
design reviews with the project team, and unit testing by programmers.

Question 58

Q

The IT operations management of KPT Corporation is
concerned about the reliability and availability data for its four
major, mission-critical information systems that are used by
business end-users. The KPT corporate management’s goal is to
improve the reliability and availability of these four systems in
order to increase customer satisfaction both internally and
externally. The IT operations management collected the following
data on percent reliability. Assume 365 operating days per year
and 24 hours per day for all these systems. The IT operations
management thinks that system reliability is important in
providing quality of service to end-users.
System Reliability downtime hours Availability Percent
1 99.50 44 99.50
2 97.50 219 97.50
3 98.25 153 98.25
4 95.25 416 95.25
Which of the following systems has the highest downtime in a year
expressed in hours and rounded up?

a. System 1
b. System 2
c. System 3
d. System 4

Answer

A

d. The system 4 has the highest downtime in hours. Theoretically
speaking, the higher the reliability of a system, the lower its downtime
(including scheduled maintenance), and higher the availability of that
system, and vice versa. In fact, this question does not require any
calculations to perform because one can find out the correct answer
just by looking at the reliability data given in that the lower the
reliability, the higher the downtime, and vice versa.
Calculations for System 1 are shown below and calculations for other
systems follow the System 1 calculations.
Downtime = (Total hours) × [(100 − Reliability%)/100] = 8,760 ×
0.005 = 44 hours
Availability for System 1 = [(Total time − Downtime)/Total time] ×
100 = [(8,760 − 44)/8,760] × 100 = 99.50%
Check: Availability for System 1 = [Uptime/(Uptime + Downtime)]
× 100 = (8,716/8,760) × 100 = 99.50%

Question 59

Q

Which of the following is the most important requirement for a
software quality program to work effectively?

a. Quality metrics
b. Process improvement
c. Software reengineering
d. Commitment from all parties

Answer

A

d. A software quality program should reduce defects, cut service
costs, increase customer satisfaction, and increase productivity and
revenues. To achieve these goals, commitment by all parties involved
is the most important factor. The other three factors such as quality
metrics, process improvement, and software reengineering have some
merit, but none is sufficient on its own.

Question 60

Q

As the information system changes over time, which of the
following is required to maintain the baseline configuration?

a. Enterprise architecture
b. New baselines
c. Operating system
d. Network topology

Answer

A

b. Maintaining the baseline configuration involves creating new
baselines as the information system changes over time. The other three
choices deal with information provided by the baseline configuration
as a part of standard operating procedure

Question 61

Q

Software quality is not measured by:

a. Defect levels
b. Customer satisfaction
c. Time-to-design
d. Continuous process improvement

Answer

A

c. Quality is more than just defect levels. It should include
customer satisfaction, time-to-market, and a culture committed to
continuous process improvement. Time-to-design is not a complete
answer because it is a part of time-to-market, where the latter is
defined as the total time required for planning, designing, developing,
and delivering a product. It is the total time from concept to delivery.
These software quality values lead to quality education, process
assessments, and customer satisfaction.

Question 62

Q

Which of the following responds to security incidents on an
emergency basis?

a. Tiger team
b. White team
c. Red team
d. Blue team

Answer

A

b. A white team is an internal team that initiates actions to respond
to security incidents on an emergency basis. Both the red team and
blue team perform penetration testing of a system, and the tiger team is
an old name for the red team.

Question 63

Q

Which of the following is the most important function of
software inventory tools in maintaining a consistent baseline
configuration?

a. Track operating system version numbers.
b. Track installed application systems.
c. Scan for unauthorized software.
d. Maintain current patch levels.

Answer

A

c. Software inventory tools scan information for unauthorized
software to validate against the official list of authorized and
unauthorized software programs. The other three choices are standard
functions of software inventory tools.

Question 64

Q

A user’s session auditing activities are performed in
consultation with which of the following?

a. Internal legal counsel and internal audit
b. Consultants and contractors
c. Public affairs or media relations
d. External law enforcement authorities and previous court cases

Answer

A

a. An information system should provide the capability to
capture/record, log, and view all the content related to a user’s session
in real time. Session auditing activities are developed, integrated, and
used with internal legal counsel and internal audit departments. This is
because these auditing activities can have legal and audit implications.
Consultants and contractors should not be contacted at all. It is too
early to talk to the public affairs or media relations within the
organization. External law enforcement authorities should be contacted
only after the session auditing work is completed and only after there
is a discovery of high-risk incidents.

Answer 63

A

c. Change windows mean changes occur only during specified
times, and making unauthorized changes outside the window are easy
to discover. The other three choices are also examples of access
restrictions, but changes are not easy to discover in them.

Answer 64

A

d. Software quality can be expressed in two ways: defect rate and
reliability. Software quality means conformance to requirements. If the
software contains too many functional defects, the basic requirement
of providing the desired function is not met. Defect rate is the number
of defects per million lines of source code or per function point.
Reliability is expressed as number of failures per “n” hours of
operation, mean-time-to failure, or the probability of failure-free
operation in a specified time. Reliability metrics deal with probabilities
and timeframes.

Answer 65

A

b. CleanRoom operations are carried out by small independent
development and certification (test) teams. In CleanRoom, all testing is
based on anticipated customer usage. Test cases are designed to
practice the more frequently used functions. Therefore, errors that are
likely to cause frequent failures to the users are found first. For
measurement, software quality is certified in terms of mean-time-to
failure (MTTF). MTTF is most often used with safety-critical systems
such as airline traffic control systems because it measures the time
taken for a system to fail for the first time.
Mean-time between failures (MTBF) is incorrect because it is the
average length of time a system is functional. Mean-time-to-repair
(MTTR) is incorrect because it is the total corrective maintenance time
divided by the total number of corrective maintenance actions during a
given period of time. Mean-time-between outages (MTBO) is incorrect
because it is the mean time between equipment failures that result in
loss of system continuity or unacceptable degradation.

Answer 66

A

d. A hot spare drive is a physical drive resident on the disk array
which is active and connected but inactive until an active drive fails.
Then the system automatically replaces the failed drive with the spare
drive and rebuilds the disk array. A hot spare is a hot standby
providing a failover mechanism.
The RAID levels from 3 to 5 have only one disk of redundancy and
because of this a second failure would cause complete failure of the
disk array. On the other hand, the RAID6 level has two disks of
redundancy, providing a greater protection against simultaneous
failures. Hence, RAID6 level does not need a hot spare drive whereas
the RAID 3 to 5 levels need a shot spare drive.
The RAID6 level without a spare uses the same number of drives (i.e.,
4 + 0 spare) as RAID3 to RAID 5 levels with a hot spare (i.e., 3 + 1
spare) thus protecting data against simultaneous failures. Note that a
hot spare can be shared by multiple RAID sets. On the other hand, a
cold spare drive or disk is not resident on the disk array and not
connected with the system. A cold spare requires a hot swap, which is
a physical (manual) replacement of the failed disk with a new disk
done by the computer operator.

Answer 67

A

c. Software defects relate to source code instructions, and problems
encountered by users relate to usage of the product. If the numerator
and denominator are mixed up, poor metrics result. An example of an
ill-defined metric is the metric relating total customer problems to the
size of the product, where size is measured in millions of shipped
source instructions. This metric has no meaningful relation. On the
other hand, the other three choices are examples of meaningful
metrics. To improve customer satisfaction, you need to reduce defects
and overall problems.

Answer 68

A

c. Virtual machines can be difficult to monitor because they are not
visible to the network when not in use. The other three choices are
easy to monitor.

Answer 69

A

d. Honeypot is a fake (false) production system and acts as a decoy
to study how attackers do their work. The other three choices are also
acceptable deceptive measures, but they do not use honeypots. False
data flows include made up (fake) data, not real data. System-status
measures include active or inactive parameters. System-state indicators
include startup, restart, shutdown, and abort.

Answer 70

A

a. A fault (defect) is an incorrect step, process, or data definition in
a computer program, and it is an indication of reliability. Fault count
models give more satisfactory results than the mean-time-betweenfailures (MTBF) model because the latter is used for hardware
reliability. Simple ratio and simple regression models handle few
variables and are used for small projects.

Answer 71

A

a. The goals of software quality assurance management include (i)
software quality assurance activities are planned, (ii) adherence of
software products and activities to the applicable standards,
procedures, and requirements is verified objectively, and (iii)
noncompliance issues that cannot be resolved are addressed by higher
levels of management.
The objectives of software configuration management are to establish
and maintain the integrity of products of the software project
throughout the project’s software life cycle. The objectives of software
requirements management are to establish a common understanding
between the customer and the software project requirements that will
be addressed by the software project. The objectives of software
project management are to establish reasonable plans for performing
the software engineering activities and for managing the software
development project.

Answer 72

A

a. Software needs to be developed using specific software
development and software assurance processes to protect against or
mitigate failure of the software. A complete software safety standard
references other standards that address these mechanisms and includes
a software safety policy identifying required functionality to protect
against or mitigate failure.
Software hazard analysis is incorrect because it is a part of software
safety. Hazard analysis is the process of identifying and evaluating the
hazards of a system, and then making change recommendations that
either eliminate the hazard or reduce its risk to an acceptable level.
Software hazard analysis makes recommendations to eliminate or
control software hazards and hazards related to interfaces between the
software and the system (includes hardware and human components).
It includes analyzing the requirements, design, code, user interfaces,
and changes. Software hazards may occur if the software is improperly
developed (designed), the software dispatches incorrect information, or
the software fails to transmit information when it should.
Software fault tree analysis is incorrect because its purpose is to
demonstrate that the software will not cause a system to reach an
unsafe state, and to discover what environmental conditions will allow
the system to reach an unsafe state. Software fault tree analysis is often
conducted on the program code but can also be applied at other stages
of the life cycle process (for example, requirements and design). This
analysis is not always applied to all the program code, only to the
portion that is safety critical.
Software sneak analysis is incorrect because it is based on sneak circuit
analysis, which is used to evaluate electrical circuitry—hence the name
software sneak circuit analysis. Sneaks are the latest design conditions
or design flaws that have inadvertently been incorporated into
electrical, software, and integrated systems designs. They are not
caused by component failure.

Answer 73

A

b. The goal is to identify requirements with no design elements
(under-design) and design elements with no requirements (over design). It is too early to assess software design quality during system
requirements definition. It is too late to assess software design quality
during coding. The goal is to identify design elements with no source
code and source codes with no design elements. It is too late to assess
software design quality during testing.

Answer 74

A

c. An organization should employ remote disconnect verification
feature at the termination of nonlocal maintenance and diagnostic
sessions. If this feature is unchecked or performed incorrectly, this can
increase the potential risk of introducing malicious software or
intrusions due to open ports and protocols. The other three choices do
not increase risk exposure. Nonlocal maintenance work is conducted
through either an external network (mostly through the Internet) or an
internal network.

Answer 75

A

a. Software safety is important compared to the other three choices
because lack of safety considerations in a computer-based application
system can cause danger or injury to people and damage to equipment
and property.

Answer 76

A

c. Software is an intangible item with no physical attributes such as
color and size. Although software is not a physical product, software
products have a major impact on life, health, property, safety, and
quality of life. Failure of software can have a serious economic impact
such as loss of sales, revenues, and profits.

Answer 77

A

a. Quality should be designed at the beginning of the software
development and maintenance process. Quality cannot be inspected or
tested after the system is developed. Most seem to view final testing as
quality testing. At best, this is quality control instead of quality
assurance, hopefully preventing shipment of a defective product.
Quality in the process needs to be improved, and quality assurance is a
positive function.
A software product displays quality to the extent that all aspects of the
customer’s requirements are satisfied. This means that quality is built
into the product during its development process rather than inspected
at the end. It is too late to inspect the quality when the product is
already built. Most assurance is provided when the needs are fully
understood, captured, and transformed (designed) into a software
product.

Answer 78

A

c. Separation of duties is a security principle that divides critical
functions among different employees in an attempt to ensure that no
one employee has enough information or access privileges to
perpetrate damaging fraud or conduct other irregularities such as
damaging data and/or programs.
The computer operator‘s job duties should be fully and clearly
separated from the others. Due to concentration of risks in one job and
if the computer operator’s job duties are not fully separated from other
conflicting job duties (for example, system administrator, security
administrator, or system programmer), there is a potential risk that the
operator can issue unprivileged commands from his console to the
operating system, thus causing damage to the integrity of the system
and its data. In other words, the operator has full access to the
computer in terms of running the operating system, application
systems, special program, and utility programs where the others do not
have such full access. It is good to limit the computer operator’s access
to systems and their documentation, which will help him in
understanding the inner working of the systems running on the
computer. At the same time it is good to limit the others’ access to the
computer systems just enough to do their limited job duties.

Answer 79

A

c. Nonlocal maintenance work is conducted through either an
external network (mostly through the Internet) or an internal network.
Because of communicating across a network connection, nonlocal
maintenance work is most risky. Local maintenance work is performed
without communicating across a network connection. For local
maintenance, the vendor brings the hardware and software into the IT
facility for diagnostic and repair work, which is less risky. Local or
nonlocal maintenance work can be either scheduled or unscheduled.

Answer 80

A

d. The RAID6 storage system can provide a total of 500GB of
usable space for data storage purposes. Space efficiency represents the
fraction of the sum of the disks’ capacities that is available for use.
Space efficiency = [1−(2/n)] = [1−(2/4)] = 1−0.5= 0.5
Total available space for data storage = 0.5 × 4 × 250 = 500GB

Answer 81

A

a. Disk concatenation is a logical joining of two series of data or
disks. In data concatenation, two or more data elements or data files
are often concatenated to provide a unique name or reference. In disk
concatenation, several disk address spaces are concatenated to present
a single larger address spaces.
The other three choices are incorrect. Disk striping has more than one
disk and more than one partition, and is same as disk arrays. Disk
mirroring occurs when a file server contains two physical disks and
one channel, and all information is written to both disks
simultaneously. Disk replication occurs when data is written to two
different disks to ensure that two valid copies of the data are always
available.

Answer 82

A

c. Information system components, when not operational, can
result in increased risk to organizations because the security
functionality intended by that component is not being provided.
Examples of security-critical components include firewalls,
hardware/software guards, gateways, intrusion detection and
prevention systems, audit repositories, and authentication servers. The
organizations need to have a maintenance vendor service-level
agreement, stock spare parts inventory, and a delivery service
agreement with a commercial transportation courier to deliver the
required parts on time to reduce the risk of running out of components
and parts. Help-desk staff, whether they are internal or external, are not needed for all types of maintenance work, whether it is scheduled or
unscheduled, or whether it is normal or emergency. Their job is to help
system users on routine matters (problems and issues) and escalate
them to the right party when they cannot resolve these matters.

Answer 83

A

c. The basis for software reliability is design, not testing,
debugging, or programming. For example, using the top-down design
and development techniques and employing modular design principles,
software can be made more reliable than otherwise. Reliability is the
degree of confidence that a system will successfully function in a
certain environment during a specified time period.
Testing is incorrect because its purpose is to validate that the software
meets its stated requirements. Debugging is incorrect because its
purpose is to detect, locate, and correct faults in a computer program.
Programming is incorrect because its purpose is to convert the design
specifications into program instructions that the computer can
understand.

Answer 84

A

b. Regression testing is a method to ensure that changes to one part
of the software system do not adversely impact other parts. The other
three choices do not have such capabilities. Black-box testing is a
functional analysis of a system, and known as generalized testing.
White-box testing is a structural analysis of a system, and known as
detailed testing or logic testing. Gray-box testing assumes some
knowledge of the internal structures and implementation details of the
assessment object, and known as focused testing.

Answer 85

A

c. Usability is a set of attributes that bear on the effort needed for
use, and on the individual assessment of such use, by a stated or
implied set of users. In a way, usability means understandability and
ease of use. Because of its subjective nature, varying from person to
person, it is hard to define and test.
Functionality is incorrect because it can easily be defined and tested. It
is a set of attributes that bear on the existence of a set of functions and
their specified properties. The functions are those that satisfy stated or
implied needs. Reliability is incorrect because it can easily be defined
and tested. It is the ability of a component to perform its required
functions under stated conditions for a specified period of time.
Efficiency is incorrect because it can easily be defined and tested. It is
the degree to which a component performs its designated functions
with minimum consumption of resources.

Answer 86

A

c. Malicious code is capable of initiating zero-day attacks when
portable and removable storage devices are not sanitized. The other
three attacks are network-based, not storage device-based. A man-inthe-middle (MitM) attack occurs to take advantage of the store-andforward mechanism used by insecure networks such as the Internet. A
meet-in-the-middle attack occurs when one end of the network is
encrypted and the other end is decrypted, and the results are matched
in the middle. A spoofing attack is an attempt to gain access to a
computer system by posing as an authorized user.

Answer 87

A

c. Traceability is the ease in retracing the complete history of a
software component from its current status to its requirements
specification. Cross tracing should be used more often because it cuts
through the functional boundaries, but it is not performed due to its
difficulty in execution. The other three choices are often used due to
their ease-of-use.
Forward tracing is incorrect because it focuses on matching inputs to
outputs to demonstrate their completeness. Similarly, backward tracing
is incorrect because it focuses on matching outputs to inputs to
demonstrate their completeness. Ad hoc tracing is incorrect because it
involves spot-checking of reconcilement procedures to ensure output
totals agree with input totals, less any rejects or spot checking of
accuracy of computer calculations such as interest on deposits, late
charges, service charges, and past-due loans.
During system development, it is important to verify the backward and
forward traceability of the following: (i) user requirements to software
requirements, (ii) software requirements to design specifications, (iii)
system tests to software requirements, and (iv) acceptance tests to user
requirements. Requirements or constraints can also be traced
downward and upward due to master-subordinate and predecessor successor relationships to one another.

Answer 88

A

d. RAID6 is used for high-availability systems due to its high
tolerance for failure. Each RAID level (i.e., RAID0 to RAID6)
provides a different balance between increased data reliability through
redundancy and increased input/output performance. For example, in
levels from RAID3 to RAID5, a minimum of three disks is required
and only one disk provides a fault tolerance mechanism. In the RAID6
level, a minimum of four disks is required and two disks provide fault
tolerance mechanisms.
In the single disk fault tolerance mechanism, the failure of that single
disk will result in reduced performance of the entire system until the
failed disk has been replaced and rebuilt. On the other hand, the double
parity (two disks) fault tolerance mechanism gives time to rebuild the
array without the data being at risk if a single disk fails before the
rebuild is complete. Hence, RAID6 is suitable for high-availability
systems due to high fault tolerance mechanisms.

Answer 89

A

c. Defensive or robust programming has several attributes that
makes a computer system more reliable. The major attribute is
expected exception domain (i.e., errors and failures); when discovered,
it makes the system reliable.
N-version programming is based on design or version diversity,
meaning different versions of the software are developed
independently with the thinking that these versions are independent in
their failure behavior. Structured programming and GOTO-less
programming are part of robust programming techniques to make
programs more readable and executable.

Answer 90

A

b. Software quality attributes can be classified as either dynamic or
static. Dynamic quality attributes are validated by examining the
dynamic behavior of software during its execution. Examples include
mean time between failures (MTBF), mean-time-to-repair (MTTR),
failure recovery time, and percent of available resources used (i.e.,
resource utilization statistics).
Static quality attributes are validated by inspecting nonexecuting
software products and include modularity, simplicity, and
completeness. Simplicity looks for straightforward implementation of
functions. It is the characteristic of software that ensures definition and
implementation of functions in the most direct and understandable
manner.
Reliability models can be used to predict software reliability (for
example, MTBF and MTTR) based on the rate of occurrence of defects
and errors. There is a trade-off between complexity and security,
meaning that complex systems are difficult to secure whereas simple
systems are easy to secure.

Answer 91

A

b. Auditing an information system is not reliable when performed
by the system to which the user being audited has privileged access.
This is because the privileged user can inhibit the auditing activity or
modify the audit records. The other three choices are control
enhancements that reduce the risk of audit compromises by the
privileged user.

Answer 92

A

c. Correctness asks, “Does it comply with requirements?” whereas
interoperability asks, “Does it interface easily?” Quality factors such as
efficiency, correctness, safety, and interoperability are part of the
performance need.
Integrity and survivability are incorrect because they are a part of
functional need. Integrity asks, “How secure is it?” whereas
survivability asks, “Can it survive during a failure?” Quality factors
such as integrity, reliability, survivability, and usability are part of the
functional need. Verifiability and manageability are incorrect because
they are a part of the management need. Verifiability asks, “Is
performance verification easy?” whereas manageability asks, “Is the
software easily managed?” Expandability and flexibility are incorrect
because they are a part of the changes needed. Expandability asks,
“How easy is it to expand?” whereas flexibility asks, “How easy is it to
change?”

Answer 93

A

a. “Critical” may be defined as pertaining to safety, efficiency, and reliability. Each application system needs a clear definition of what “critical” means to it. Software hazards analysis and fault tree analysis
can be performed to trace system-level hazards (for example, unsafe conditions) through design or coding structures back to software requirements that could cause the hazards. Functions and features of
software that participate in avoiding unsafe conditions are termed critical. Critical functions and data should be separated from noncritical ones with low coupling, not with high coupling. Avoiding unsafe conditions or ensuring safe conditions is achieved by separating the critical units from noncritical units, by low data
coupling between critical units, and by fail-safe recovery from unsafe
conditions when they occur, and by testing for unsafe conditions. Data
coupling is the sharing or passing of simple data between system
modules via parameter lists. A low data coupling is preferred at
interfaces as it is less error prone, ensuring a safety product.

Answer 94

A

b. The proof-of-correctness (formal verification) involves the use
of theoretical and mathematical models to prove the correctness of a
program without executing it. Using this method, the program is
represented by a theorem and is proved with first-order predicate
calculus.0 The other three choices do not use mathematical theory. Multiversion software is incorrect because its goal is to provide high reliability, especially useful in applications dealing with loss of life, property, and damage. The approach is to develop more than one version of the same program to minimize the detrimental effect on reliability of latent defects.
Software fault tree analysis is incorrect because it identifies and
analyzes software safety requirements. It is used to determine possible
causes of known hazards. This is done by creating a fault tree, whose
root is the hazard. The system fault tree is expanded until it contains at
its lowest level basic events that cannot be further analyzed.
Software reliability models are incorrect because they can predict the
future behavior of a software product, based on its past behavior,
usually in terms of failure rates.

Answer 95

A

b. MTTF focuses on the potential failure of specific components of
the information system that provide security capability. MTTF is the
amount of mean-time to the next failure. MTTR is the amount of time
it takes to resume normal operation. MTBF is the average length of
time the system is functional. MTBO is the mean time between
equipment failures that result in a loss of system continuity or
unacceptable degradation.

Answer 96

A

d. Whitelisting is a method to control the installation of software to
ensure that all software is checked against a list approved by the
organization. It is a quality control check and is a part of software
configuration activity. An example of blacklisting is creating a list of
electronic-mail senders who have previously sent spam to a user.
Black-box testing is a functional analysis of a system, whereas white box testing is a structural analysis of a system.

Answer 97

A

c. Formal technical reviews (for example, inspections and
walkthroughs) are used for defect detection, not prevention. If properly
conducted, formal technical reviews are the most effective way to
uncover and correct errors, especially early in the life cycle, where
they are relatively easy and inexpensive to correct.
Documented standards are incorrect because they are just one example
of defect prevention methods. Documented standards should be
succinct and possibly placed into a checklist format as a ready
application reference. A documented standard also permits audits for
adherence and compliance with the approved method.
CleanRoom processes are incorrect because they are just one example
of defect prevention methods. The CleanRoom process consists of (i)
defining a set of software increments that combine to form the required
system, (ii) using rigorous methods for specification, development, and
certification of each increment, (iii) applying strict statistical quality
control during the testing process, and (iv) enforcing a strict separation
of the specification and design tasks from testing activities.
Documentation standards are incorrect because they are just one
example of defect prevention methods. Standard methods can be
applied to the development of requirements and design documents.

Answer 98

A

a. The formal technical review is a software quality assurance
activity that is performed by software developers. The objectives of
these reviews are to (i) uncover errors in function and logic, (ii) verify
that software under review meets its requirements, (iii) ensure that
software represents the predefined standards. Configuration
management specifications are a part of project planning documents,
not technical documents. The purpose is to establish the processes that
the project uses to manage the configuration items and changes to
them. Program development, quality, and configuration management
plans are subject to review but are not directly germane to the subject
of defect removal.
The other three choices are incorrect because they are part of technical
documents. The subject matter for formal technical reviews includes
requirements specifications, detailed design, and code and test
specifications. The objectives of reviewing the technical documents are
to verify that (i) the work reviewed is traceable to the requirements set
forth by the predecessor’s tasks, (ii) the work is complete, (iii) the
work has been completed to standards, and (iv) the work is correct.

Answer 99

A

d. Patch management is a part of corrective controls, as it fixes
software problems and errors. Corrective controls are procedures to
react to security incidents and to take remedial actions on a timely
basis. Corrective controls require proper planning and preparation as
they rely more on human judgment.
Directive controls are broad-based controls to handle security
incidents, and they include management’s policies, procedures, and
directives. Preventive controls deter security incidents from happening
in the first place. Detective controls enhance security by monitoring
the effectiveness of preventive controls and by detecting security
incidents where preventive controls were circumvented.

Answer 100

A

a. Locking-based attack is used to hold a critical system locked
most of the time, releasing it only briefly and occasionally. The result
would be a slow running browser without stopping it: degradation-of service. The degradation-of-service is a mild form of denial-of-service.
Destruction of service and distribution of service are not relevant here.

Answer 101

A

b. A keyboard attack is a data scavenging method using resources
available to normal system users with the help of advanced software
diagnostic tools. Clearing information is the level of media sanitization
that protects the confidentiality of information against a robust
keyboard attack. Clearing must be resistant to keystroke recovery
attempts executed from standard input devices and from data
scavenging tools.
The other three choices are incorrect. Disposal is the act of discarding
media by giving up control in a manner short of destruction. Purging is
removing obsolete data by erasure, by overwriting of storage, or by
resetting registers. Destroying is ensuring that media cannot be reused
as originally intended.

Answer 102

A

c. An information system user must first categorize the
information to be disposed of, assess the nature of the medium on
which it is recorded, assess the risk to confidentiality, and determine
the future plans for the media.

Answer 103

A

a. Ad hoc means when needed and irregular. Ad hoc backup is not
a well-thought-out strategy because there is no systematic way of
backing up required data and programs. Full (normal) backup archives
all selected files and marks each as having been backed up.
Incremental backup archives only those files created or changed since
the last normal backup and marks each file. Differential backup
archives only those files that have been created or changed since the
last normal backup. It does not mark the files as backed up. The
backups mentioned in other three choices have a systematic procedure.

Answer 104

A

a. Remediation is the act of correcting vulnerability or eliminating
a threat. A remediation plan includes remediation of one or more
threats or vulnerabilities facing an organization’s systems. The plan
typically covers options to remove threats and vulnerabilities and
priorities for performing the remediation.
Three types of remediation methods include installing a software
patch, adjusting a configuration setting, and removing affected
software. Removing affected software requires uninstalling a software
application. The fact that a remediation plan is developed does not
itself provide actual remediation work because actions provide
remediation work not just plans on a paper.

Answer 105

A

c. Overwriting cannot be used for media that are damaged or not
rewriteable. The media type and size may also influence whether
overwriting is a suitable sanitization method.

Answer 106

A

d. The correct sequence of fully and physically destroying
magnetic disks such as hard drives (for example, advanced technology
attachment (ATA) and serial ATA (SATA) hard drives), is disintegrate,
shred, pulverize, and incinerate. This is the best recommended practice
for both public and private sector organizations.
Disintegration is a method of sanitizing media and is the act of
separating the equipment into component parts. Here, the
disintegration step comes first to make the hard drive inoperable
quickly. Shredding is a method of sanitizing media and is the act of
cutting or tearing into small particles. Shredding cannot be the first
step because it is not practical to do for many companies. Pulverization
is a method of sanitizing media and is the act of grinding to a powder
or dust. Incineration is a method of sanitizing media and is the act of
burning completely to ashes done in a licensed incinerator.
Note that one does not need to complete all these methods, but can
stop after any specific method and after reaching the final goal based
on the sensitivity and criticality of data on the disk.

Answer 107

A

a. Functional users have the utmost responsibility in initiating
audit trails in their computer systems for tracing and accountability
purposes. Systems and security administrators help in designing and
developing these audit trails. System auditors review the adequacy and
completeness of audit trails and issue an opinion whether they are
effectively working. Auditors do not initiate, design, or develop audit
trails due to their independence in attitude and appearance as dictated
by their Professional Standards.

Answer 108

A

a. The automatic termination and protection of programs when a
failure is detected in a computer system is called fail-safe. The
selective termination of affected nonessential processing when a failure
is detected in a computer system is called a fail-soft. Fail-over means
switching to a backup mechanism. Fail-open means that a program has
failed to open due to errors or failures.

Answer 109

A

c. Audit trails provide one of the best and most inexpensive means
for tracking possible hacker attacks, not only after attack, but also
during the attack. You can learn what the attacker did to enter a
computer system, and what he did after entering the system. Audit
trails also detect unauthorized but abusive user activity. Firewalls,
intrusion detection systems, and access controls are expensive when
compared to audit trails.

Answer 110

A

c. Data remanence is the residual physical representation of data
that has been in some way erased. After storage media is erased, there
may be some physical characteristics that allow the data to be
reconstructed, which represents a security threat. Clearing, purging,
and destruction are all risks involved in storage media. In clearing and
purging, data is removed, but the media can be reused. The need for
destruction arises when the media reaches the end of its useful life.

Answer 111

A

c. Encryption makes the data unreadable without the proper
decryption key. Degaussing is a process whereby the magnetic media
is erased, i.e., returned to its initial virgin state. Overwriting is a
process whereby unclassified data are written to storage locations that
previously held sensitive data. The need for destruction arises when the
media reaches the end of its useful life.

Answer 112

A

b. The removal of information from a storage medium such as a
hard disk or tape is called sanitization. Different kinds of sanitization
provide different levels of protection. Clearing information means
rendering it unrecoverable by keyboard attack, with the data remaining
on the storage media. There are three general methods of purging
magnetic storage media: overwriting, degaussing, and destruction.
Overwriting means obliterating recorded data by writing different data
on the same storage surface. Degaussing means applying a variable,
alternating current fields for the purpose of demagnetizing magnetic
recording media, usually tapes. Destruction means damaging the
contents of magnetic media through shredding, burning, or applying
chemicals.

Answer 113

A

a. Disk array technology uses several disks in a single logical
subsystem. To reduce or eliminate downtime from disk failure,
database servers may employ disk shadowing or data mirroring. A disk
shadowing, or RAID-1, subsystem includes two physical disks. User
data is written to both disks at once. If one disk fails, all the data is
immediately available from the other disk. Disk shadowing incurs
some performance overhead (during write operations) and increases
the cost of the disk subsystem because two disks are required. RAID
levels 2 through 4 are more complicated than RAID-1. Each involves
storage of data and error correction code information, rather than a
shadow copy. Because the error correction data requires less space than
the data, the subsystems have lower disk overhead.

Answer 114

A

a. Disk files can be demagnetized by overwriting three times with
zeros, ones, and a special character, in that order, so that sensitive
information is completely deleted.

Answer 115

A

a. If the new file is shorter than the old file, the new user could
have open access to the existing file. Degaussing is best used under
these conditions and is considered a sound and safe practice. Tape
cleaning functions are to clean and then to properly wind and create
tension in the computer magnetic tape. Recorded tapes are normally
not erased during the cleaning process. Tape certification is performed
to detect, count, and locate tape errors and then, if possible, repair the
underlying defects so that the tape can be placed back into active
status. Overflowing has nothing to do with computer tape contents.
Overflowing is a memory or file size issue where contents could be
lost due to size limitations.

Answer 116

A

b. Hardware malfunction, network failures, human error, logical
errors, and other disasters are possible threats to ensuring data
integrity. Files can be corrupted as a result of some physical
(hardware) or network problems. Files can also become corrupted by
some flaw in an application program’s logic. Users can contribute to
this problem due to inexperience, accidents, or missed
communications. Therefore, most data integrity problems are caused
by file corruption.
Disk failure is a hardware malfunction caused by physical wear and
tear. Power failure is a hardware malfunction that can be minimized by
installing power conditioning equipment and battery backup systems.
Memory failure is an example of hardware malfunction due to
exposure to strong electromagnetic fields. File corruption has many
problem sources to consider.

Answer 117

A

c. A backbone is the high traffic density connectivity portion of
any communications network. Backbones are used to connect servers
and other service providing machines on the network. The use of dual
backbones means that if the primary network goes down, the
secondary network will carry the traffic.
In packet switched networks, a backbone consists of switches and
interswitch trunks. Switched networks can be managed with a network
management console. Network component failures can be identified on
the console and responded to quickly. Many switching devices are built
modularly with hot swappable circuit boards. If a chip fails on a board
in the device, it can be replaced relatively quickly just by removing the
failed card and sliding in a new one. If switching devices have dual
power supplies and battery backups, network uptime can be increased
as well.
Mirroring, shadowing, and duplexing provide application system
redundancy, not network redundancy. Mirroring refers to copying data
as it is written from one device or machine to another. Shadowing is
where information is written in two places, one shadowing the other,
for extra protection. Any changes made will be reflected in both
places. Journaling is a chronological description of transactions that
have taken place, either locally, centrally, or remotely.

Answer 118

A

a. Data mirroring refers to copying data as it is written from one
device or machine to another. It prevents data loss. Data archiving is
where files are removed from network online storage by copying them
to long-term storage media such as optical disks, tapes, or cartridges. It
prevents accidental deletion of files.
Data correction is incorrect because it is an example of a corrective
control where bad data is fixed. Data vaulting is incorrect because it is
an example of corrective control. It is a way of storing critical data
offsite either electronically or manually. Data backup is incorrect
because it is an example of corrective control where a compromised
system can be restored.

Answer 119

A

c. Fail-over mechanism is a backup concept in that when the
primary system fails, the backup system is activated. This helps in
recovering the system from a failure or disaster.

Answer 120

A

c. A zombie is a computer program that is installed on a personal
computer to cause it to attack other computers. Attackers organize
zombies as botnets to launch denial-of-server (DoS) attacks and
distributed DoS attacks, not zero-day attacks. The other three choices
trigger zero-day attacks.
With zero-day (zero-hour) attacks, attackers try to exploit computer
application vulnerabilities that are unknown to system owners and
system administrators, undisclosed to software vendors, or for which
no security fix is available. Malware writers can exploit zero-day
vulnerabilities through several different attack vectors to compromise
attacked systems or steal confidential data. Web browsers are a major
target because of their widespread distribution and usage. Hackers send
e-mail attachments to exploit vulnerabilities in the application opening
the attachment and send other exploits to take advantage of
weaknesses in common file types.

Answer 121

A

d. TEMPEST is a short name, and not an acronym. It is the study
and control of spurious electronic signals emitted by electrical
equipment. It is the unclassified name for the studies and investigations
of compromising electromagnetic emanations from equipment. It is
suggested that TEMPEST shielded equipment is used to prevent
compromising emanations.

Answer 122

A

d. Policies and standards are an example of directive controls.
Passwords and firewalls are an example of preventive controls. Key
escrow and software escrow are an example of recovery controls.
Intrusion detection systems and antivirus software are an example of
detective controls.

Answer 123

A

d. Management controls are actions taken to manage the
development, maintenance, and use of the system, including systemspecific policies, procedures, and rules of behavior, individual roles
and responsibilities, individual accountability, and personnel security
decisions.
Administrative controls include personnel practices, assignment of
responsibilities, and supervision and are part of management controls.
Operational controls are the day-to-day procedures and mechanisms
used to protect operational systems and applications. Operational
controls affect the system and application environment. Technical
controls are hardware and software controls used to provide automated
protection for the IT system or application. Technical controls operate
within the technical system and applications

Answer 124

A

d. The focus of a computer security incident handling capability
may be external as well as internal. An incident that affects an
organization may also affect its trading partners, contractors, or clients.
In addition, an organization’s computer security incident handling
capability may help other organizations and, therefore, help protect the
industry as a whole.

Answer 125

A

c. Monitoring encourages compliance with IT security policies.
Results can be used to hold managers accountable for their information
security responsibilities. Use for its own sake does not help here.
Reporting comes after monitoring.

Answer 126

A

c. The effectiveness of security-related controls should be
measured by a person fully independent of the information systems
department. The systems auditor located within an internal audit
department of an organization is the right party to perform such
measurement.

Answer 127

A

b. Remedial maintenance corrects faults and returns the system to
operation in the event of hardware or software component fails.
Preventive maintenance is incorrect because it is done to keep
hardware in good operating condition. Both hardware and software
maintenance are included in the remedial maintenance.

Answer 128

A

b. Audit trails have several benefits. They are tools often used to
help hold users accountable for their actions. To be held accountable,
the users must be known to the system (usually accomplished through
the identification and authentication process). However, audit trails
collect events and associate them with the perceived user (i.e., the user
ID provided). If a user is impersonated, the audit trail establishes
events but not the identity of the user.
It is true that there is interdependency between audit trails and security
policy. Policy dictates who has authorized access to particular system
resources. Therefore it specifies, directly or indirectly, what violations
of policy should be identified through audit trails.
It is true that audit trails can assist in contingency planning by leaving
a record of activities performed on the system or within a specific
application. In the event of a technical malfunction, this log can be
used to help reconstruct the state of the system (or specific files).
It is true that audit trails can be used to identify breakdowns in logical
access controls. Logical access controls restrict the use of system
resources to authorized users. Audit trails complement this activity by
identifying breakdowns in logical access controls or verifying that
access control restrictions are behaving as expected.

Answer 129

A

a. Hierarchical storage management follows a policy-driven
strategy in that the data is migrated from one storage medium to
another, based on a set of rules, including how frequently the file is
accessed. On the other hand, the management of tapes, direct access
storage devices, and optical disks is based on schedules, which is an
operational strategy.

Answer 130

A

a. Because the intermediate host unwittingly performs the attack,
that host is known as reflector. During a reflector attack, a denial-of service (DoS) could occur to the host at the spoofed address, the
reflector itself, or both hosts. The amplifier attack does not use a single
intermediate host, like the reflector attack, but uses a whole network of
intermediate hosts. The distributed attack coordinates attacks among
several computers. A synchronous (SYN) flood attack is a stealth
attack because the attacker spoofs the source address of the SYN
packet, thus making it difficult to identify the perpetrator.

Answer 131

A

c. Edit and limit checks are an example of preventive or detective
control, file recovery is an example of corrective control, and access
controls are an example of preventive control. A combination of
controls is stronger than a single type of control.
Edit and limit checks, digital signatures, and access controls are
incorrect because they are an example of a preventive control.
Preventive controls keep undesirable events from occurring. In a
computing environment, preventive controls are accomplished by
implementing automated procedures to prohibit unauthorized system
access and to force appropriate and consistent action by users.
Error reversals, automated error correction, and file recovery are
incorrect because they are an example of a corrective control.
Corrective controls cause or encourage a desirable event or corrective
action to occur after an undesirable event has been detected. This type
of control takes effect after the undesirable event has occurred and
attempts to reverse the error or correct the mistake.
Edit and limit checks, reconciliation, and exception reports are
incorrect because they are an example of a detective control. Detective
controls identify errors or events that were not prevented and identify
undesirable events after they have occurred. Detective controls should
identify expected error types, as well as those that are not expected to
occur.

Answer 132

A

a. Social engineering involves getting system users or
administrators to divulge information about computer systems,
including passwords, or to reveal weaknesses in systems. Personal gain
involves stealing data and subverting computer systems. Social
engineering involves trickery or coercion.
Electronic trashing is incorrect because it involves accessing residual
data after a file has been deleted. When a file is deleted, it does not
actually delete the data but simply rewrites a header record. The data is
still there for a skilled person to retrieve and benefit from.
Electronic piggybacking is incorrect because it involves gaining
unauthorized access to a computer system via another user’s legitimate
connection. Electronic harassment is incorrect because it involves
sending threatening electronic-mail messages and slandering people on
bulletin boards, news groups, and on the Internet. The other three
choices do not involve trickery or coercion.

Answer 133

A

d. The question is asking for the correct sequence of activities that
should take place when reviewing for fraud. The organization should
have something of value to others. Detection of fraud is least
important; prevention is most important.

Answer 134

A

a. The use of port knocking or single packet authorization
daemons can provide effective protection against zero-day attacks for a
small number of users. However, these techniques are not suitable for
computing environments with a large number of users. The other three
choices are effective protection mechanisms because they are a part of
multiple layer security, providing the first line-of-defense. These
include implementing access control lists (one layer), restricting
network access via local server firewalling (i.e., IP tables) as another
layer, and protecting the entire network with a hardware-based firewall
(another layer). All three of these layers provide redundant protection
in case a compromise in any one of them is discovered.

Answer 135

A

b. Access control security logs are detective controls. Access logs
show who accessed what data files, when, and from what terminal,
including the nature of the security violation. The other three choices
are incorrect because database logs, telecommunication logs, and
application transaction logs do not show who accessed what data files,
when, and from what terminal, including the nature of the security
violation.

Answer 136

A

a. Damage or the occurrence of an undesirable event cannot be
anticipated or predicted in advance, thus making it difficult to make a
query. The system design cannot handle unknown events. Audit trails
can be used to review what occurred after an event, for periodic
reviews, and for real-time analysis. Reviewers need to understand what
normal activity looks like. An audit trail review is easier if the audit
trail function can be queried by user ID, terminal ID, application
system name, date and time, or some other set of parameters to run
reports of selected information.

Answer 137

A

b. Dumpster diving can be avoided by using a high-quality data
destruction process on a regular basis. This should include paper
shredding and electrical disruption of data on magnetic media such as
tape, cartridge, or disk.

Answer 138

A

c. Scavenging is obtaining information that may be left in or
around a computer system after the execution of a job. Data diddling
involves changing data before or during input to computers or during
output from a computer system. The salami technique is theft of small
amounts of assets (primarily money) from a number of sources.
Piggybacking can be done physically or electronically. Both methods
involve gaining access to a controlled area without authorization.

Answer 139

A

c. Detecting an exception in a transaction or process is detective
in nature, but reporting it is an example of corrective control. Both
preventive and directive controls do not either detect or correct an
error; they simply stop it if possible.

Answer 140

A

a. A log, preferably a computer log, records the actions or
inactions of an individual during his access to a computer system or a
data file. If any abnormal activities occur, the log can be used to trace
them. The purpose of a compensating control is balancing weak
controls with strong controls. The other three choices are examples of
application system-based specific controls not tied to an individual
action, as a log is.

Answer 141

A

d. In fraud situations, the auditor should proceed with caution.
When certain about a fraud, he should report it to company
management, not to external organizations. The auditor should not talk
to the employee suspected of fraud. When the auditor is not certain
about fraud, he should talk to the audit management.

Answer 142

A

d. There is a direct relationship between the risk level and the
control level. That is, high-risk situations require stronger controls,
low-risk situations require weaker controls, and medium-risk situations
require medium controls. A control is defined as the policies, practices,
and organizational structure designed to provide reasonable assurance
that business objectives will be achieved and that undesired events
would be prevented or detected and corrected. Controls should
facilitate accomplishment of an organization’s objectives.

Answer 143

A

d. Strategic planning involves long-term and major issues such as
management of the computer security program and the management of
risks within the organization and is not closely related to the incident
handling, which is a minor issue.
Incident handling is closely related to contingency planning, system
support, and system operations. An incident handling capability may
be viewed as a component of contingency planning because it provides
the ability to react quickly and efficiently to disruptions in normal
processing. Broadly speaking, contingency planning addresses events
with the potential to interrupt system operations. Incident handling can
be considered that portion of contingency planning that responds to
malicious technical threats.

Answer 144

A

a. The auditor’s objective is to determine the effectiveness of
security-related controls. The auditor reviews documentation and tests
security controls. The other three choices are the sole responsibilities
of information systems security officers.

Answer 145

A

d. Keystroke monitoring is the process used to view or record
both the keystrokes entered by a computer user and the computer’s
response during an interactive session. It is usually considered a
special case of audit trails. Keystroke monitoring is conducted in an
effort to protect systems and data from intruders who access the
systems without authority or in excess of their assigned authority.
Monitoring keystrokes typed by intruders can help administrators
assess and repair any damage they may cause.
Access control lists refer to a register of users who have been given
permission to use a particular system resource and the types of access
they have been permitted. Host-based authentication grants access
based upon the identity of the host originating the request, instead of
the identity of the user making the request. Centralized security
administration allows control over information because the ability to
make changes resides with few individuals, as opposed to many in a
decentralized environment. The other three choices do not protect
computer systems from intruders, as does the keystroke monitoring.

Answer 146

A

b. Security is not perfect when a system is implemented. Changes
in the system or the environment can create new vulnerabilities. Strict
adherence to procedures is rare over time, and procedures become
outdated. Thinking risk is minimal, users may tend to bypass security
measures and procedures. Operational assurance is the process of
reviewing an operational system to see that security controls, both
automated and manual, are functioning correctly and effectively.
To maintain operational assurance, organizations use three basic
methods: system audits, policies and procedures, and system
monitoring. A system audit is a one-time or periodic event to evaluate
security. Monitoring refers to an ongoing activity that examines either
the system or the users. In general, the more real time an activity is, the
more it falls into the category of monitoring. Policies and procedures
are the backbone for both auditing and monitoring.
System changes drive new requirements for changes. In response to
various events such as user complaints, availability of new features and
services, or the discovery of new threats and vulnerabilities, system
managers and users modify the system and incorporate new features,
new procedures, and software updates. System changes by themselves
do not assure that controls are working properly.

Answer 147

A

d. Keystroke monitoring, e-mail monitoring, and Web browser
monitoring are controversial and intrusive. These kinds of efforts could
waste time and other resources due to their legal problems. On the
other hand, examples of effective security policy statements include (i)
passwords shall not be shared under any circumstances and (ii)
password usage and composition will be monitored.

Answer 148

A

a. Here, the keyword is common, and it is relative. Discarded
storage media, such as CDs/DVDs, paper documents, and reports, is a
major and common problem in every organization. Telephone
wiretapping and electronic bugs require expertise. Intelligent
consultants gather a company’s proprietary data and business
information and government trade strategies.

Answer 149

A

b. Logs, whether manual or automated, capture relevant data for
further analysis and tracing. Policy, procedure, and standard are
directive controls and are part of management controls because they
regulate human behavior.

Answer 150

A

b. The correct order of information system’s transitional states is
startup, shutdown, restart, and abort. Because the system is in
transitional states, which is an unstable condition, if the restart
procedures are not performed correctly or facing technical recovery
problems, then the system has no choice except to abort.

Answer 151

A

b. Penetration testing is a test in which the evaluators attempt to
circumvent the security features of a computer system. It is unrelated
to the other three choices. Keystroke monitoring is the process used to
view or record both the keystrokes entered by a computer user and the
computer’s response during an interactive session. It is considered as a
special case of audit trails. Some consider the keystroke monitoring as
a special case of unauthorized telephone wiretap and others are not.

Answer 152

A

b. Intrusion detection tools detect computer attacks in several
ways: (i) outside of a network’s firewall, (ii) behind a network’s
firewall, or (iii) within a network to monitor insider attacks. Network
discovery tools and port scanners can be used both by intruders and
system administrators to find vulnerable hosts and network services.
Similarly, denial-of-service test tools can be used to determine how
much damage can be done to a computing site.

Answer 153

A

b. Audit trail data can be used to review what occurred after an
event, for periodic reviews, and for real-time analysis. Audit analysis
tools can be used in a real-time, or near real-time, fashion. Manual
review of audit records in real time is not feasible on large multi-user
systems due to the large volume of records generated. However, it
might be possible to view all records associated with a particular user
or application and view them in real time.
Batch-mode analysis is incorrect because it is a traditional method of
analyzing audit trails. The audit trail data are reviewed periodically.
Audit records are archived during that interval for later analysis. The
three incorrect choices do not provide the convenience of displaying or
reporting all records associated with a user or application, as do the
real-time audit analysis.

Answer 154

A

d. Before and after image reporting ensures data integrity by
reporting data field values both before and after the changes so that
functional users can detect data entry and update errors.
File labels are incorrect because they verify internal file labels for
tapes to ensure that the correct data file is used in the processing.
Journaling is incorrect because it captures system transactions on a
journal file so that recovery can be made should a system failure occur.
Run-to-run control is incorrect because it verifies control totals
resulting from one process or cycle to the subsequent process or cycle
to ensure their accuracy.

Answer 155

A

b. An information attack is not relevant here because it is too
general. Flaw-based attacks take advantage of a flaw in the target
system’s software to cause a processing failure, escalate privileges, or
to cause it to exhaust system resources. Flooding attacks simply send a
system more information than it can handle. A distributed attack is a
subset of denial-of-service (DoS) attacks, where the attacker uses
multiple computers to launch the attack and flood the system.

Answer 156

A

b. Assignment of security responsibility is a part of management
controls. Screening of personnel is another example of management
controls. The other three choices are part of technical controls.

Answer 157

A

c. Users, data entry clerks, system operators, and programmers
frequently make errors that contribute directly or indirectly to security
problems. In some cases, the error is the threat, such as a data entry
error or a programming error that crashes a system. In other cases, the
errors create vulnerabilities. Errors can occur during all phases of the
system life cycle. Many studies indicate that 65 percent of losses to
organizations are the result of errors and omissions followed by
dishonest employees (13%), disgruntled employees (6%), and
outsiders/hackers (3%).

Answer 158

A

c. Computer viruses that are timed to activate at a later date can
be copied onto the backup media thereby infecting backup copies as
well. This makes the backup copy ineffective, unusable, or risky.
Backups are useful and effective (i) in the event of a catastrophic
accident, (ii) in case of disruption to the network, and (iii) when they
are performed automatically. Human error is eliminated.

Answer 159

A

c. It is not a good operating practice to schedule backups during
regular work hours because it interrupts the business functions. It is
advised to schedule backups during off hours to avoid file contention
(when files are open and the backup program is scheduled to run). As
the size and complexity of local-area networks (LANs) increase,
backups have assumed greater importance with many options
available. It is a common practice to back up servers daily, taking
additional backups when extensive database changes occur. It is good
to secure the backup workstations to prevent interruption of backup
processes that can result in the loss of backup data. It is a better
practice to use the network operating system’s file recovery utility for
immediate restoration of accidentally deleted files before resorting to
the time consuming process of file recovery from backup tapes.

Answer 160

A

a. Full restores are used to recover from catastrophic events or
when performing system upgrades and system reorganizations and
consolidations. All the data on media is fully restored.
Individual file restores, by their name, restore the last version of a file
that was written to media because it was deleted by accident or ruined.
Redirected restores store files on a different location or system than the
one they were copied from during the backup operations. Group file
restores handle two or more files at a time.

Answer 161

A

d. On-demand backups refer to the operations that are done
outside of the regular backup schedule. This backup method is most
useful when backing up a few files/directories or when taking a full
snapshot of a server prior to upgrading it. On-demand backups can act
as a backup for regular backup schedules.
Full backups are incorrect because they copy all data files and
programs. It is a brute force method providing a peace of mind at the
expense of valuable time. Incremental backups are incorrect because
they are an inefficient method and copy only those files that have
changed since the last backup. Differential backups are incorrect
because they copy all data files that have changed since the last full
backup. Only two files are needed to restore the entire system: the last
full backup and the last differential backup.

Answer 162

A

b. Hot backups are taken when the database is running and
updates are being written to it. They depend heavily on the ability of
log files to stack up transaction instructions without actually writing
any data values into database records. While these transactions are
stacking up, the database tables are not being updated, and therefore
can be backed up with integrity. One major problem is that if the
system crashes in the middle of the backup, all the transactions
stacking up in the log file are lost.
The idea of cold backup is to shut down the database and back it up
while no end users are working on the system. This is the best
approach where data integrity is concerned, but it does not service the
customer (end user) well.
Logical backups use software techniques to extract data from the
database and write the results to an export file, which is an image file.
The logical backup approach is good for incremental backups. Offline
backup is another term for cold backup.

Answer 163

A

c. The information systems’ security training program should be
specifically tailored to meet the needs of computer operations staff so
that they can deal with problems that have security implications.
However, the computer operations staff is usually either taken for
granted or completely forgotten from training plans.
The information systems’ security staff is provided with periodic
training to keep its knowledge current. Functional users will definitely
be given training so that they know how to practice security. Corporate
internal audit staff is given training because it needs to review the IT
security goals, policies, procedures, standards, and practices.

Answer 164

A

b. Social engineering is a process of tricking or coercing people
into divulging their passwords. Computer fraud involves deliberate
misrepresentation, alteration, or disclosure of data to obtain something
of value. Computer theft involves stealing of information, equipment,
or software for personal gain. Computer sabotage includes planting a
Trojan horse, trapdoor, time bomb, virus, or worm to perform
intentional harm or damage. The difference in the other three choices is
that there is no trickery or coercion involved.

Answer 165

A

d. A fault tolerant design should make a system resistant to failure
and able to operate continuously. Many ways exist to develop fault
tolerance in a system, including using two or more components to
duplicate functionality, duplicating systems in separate locations, or
using modular components in which failed components can be
replaced with new ones. It does not include providing backup power
supplies because it is a part of preventive maintenance, which should
be used with fault tolerant design. Preventive maintenance measures
reduce the likelihood of significant impairment to components.

Answer 166

A

c. The purpose of degaussing is to remove all recorded
information from a computer-recorded magnetic tape. It does this by
demagnetizing (removing) the recording media, the tape, or the hard
drive. After degaussing is done, the magnetic media is in a fully
demagnetized state. However, degaussing cannot retrieve, store, or
archive information.

Answer 167

A

b. An audit trail should include sufficient information to establish
what events occurred and who (or what) caused them. Date and
timestamps can help determine if the user was a masquerader or the
actual person specified. With date and time, one can determine whether
a specific user worked on that day and at that time.
The other three choices are incorrect because the masquerader could be
using a fake user identification (ID) number or calling for invalid and
inappropriate programs and commands.
In general, an event record should specify when the event occurred, the
user ID associated with the event, the program or command used to
initiate the event, and the result.

Answer 168

A

a. Many types of tools have been developed to help reduce the
amount of information contained in audit records, as well as to distill
useful information from the raw data. Especially on larger systems,
audit trail software can create large files, which can be extremely
difficult to analyze manually. The use of automated tools is likely to be
the difference between unused audit trail data and a robust program.
Trend analysis and variance detection tools look for anomalies in user
or system behavior.
Audit data reduction tools are preprocessors designed to reduce the
volume of audit records to facilitate manual review. These tools
generally remove records generated by specified classes of events,
such as records generated by nightly backups.
Attack signature detection tools look for an attack signature, which is a
specific sequence of events indicative of an unauthorized access
attempt. A simple example is repeated failed log-in attempts. Audit
data-collection tools simply gather data for analysis later.

Answer 169

A

d. Here, supported and unsupported means whether a company
management has approved the acquisition, installation, and operation
of hardware and software; approved in the former case and not
approved in the latter case. System administrators should be taught
how to independently monitor and remediate unsupported hardware,
operating systems, and applications software because unsupported
resources are vulnerable to exploitation. This is because non-compliant
employees could have purchased and installed the unsupported
hardware and software on their personal computers, which is riskier
than the supported ones. A potential risk is that the unsupported
systems could be incompatible with the supported systems and may
not have the required security controls.
A list of supported resources is needed to analyze the inventory and
identify those resources that are used within the organization. This
allows the system administrators to know which hardware, operating
systems, and applications will be checking for new patches,
vulnerabilities, and threats. Note that not patching the unsupported
systems can negatively impact the patching of the supported systems
as they both coexist and operate on the same computer or network.

Answer 170

A

c. An information system media that cannot be sanitized should
be destroyed. Destroying is ensuring that media cannot be reused as
originally intended and that information is virtually impossible to
recover or prohibitively expensive to do.
Sanitization techniques include disposal, clearing, purging, and
destruction. Disposal is the act of discarding media by giving up
control in a manner short of destruction and is not a strong protection.
Clearing is the overwriting of classified information such that that the
media may be reused. Purging is the removal of obsolete data by
erasure, by overwriting of storage, or by resetting registers. Clearing
media would not suffice for purging.

Answer 171

A

d. There are understandable benefits in confirming that the
remediations have been conducted appropriately, possibly avoiding a
security incident or unplanned downtime. Central system
administrators can send remediation information on a disk to local
administrators as a safe alternative to an e-mail list if the network or
the website is unstable or unusable.

Answer 172

A

d. Ratios, not absolute numbers, should be used when comparing
the effectiveness of the security programs of multiple systems. Ratios
reveal better information than absolute numbers. In addition, ratios
allow effective comparison between systems. Number of patches
needed and number of vulnerabilities found are incorrect because they
deal with absolute numbers

Answer 173

A

a. IP address spoofing is falsifying the identity of a computer
system on a network. It capitalizes on the packet address the Internet
Protocol (IP) uses for transmission. It is not an example of a denial-of service attack because it does not flood the host computer.
Smurf, synchronized flood (SYNflood), and sendmail attacks are
examples of denial-of-service attacks. Smurf attacks use a network that
accepts broadcast ping packets to flood the target computer with ping
reply packets. SYN flood attack is a method of overwhelming a host
computer on the Internet by sending the host a high volume of SYN
packets requesting a connection, but never responding to the
acknowledgment packets returned by the host. Recent attacks against
sendmail include remote penetration, local penetration, and remote
denial of service.

Answer 174

A

d. The ping-of-death is an example of buffer overflow attack, a
part of a denial-of-service attack, where large packets are sent to
overfill the system buffers, causing the system to reboot or crash.
A keyboard attack is a resource starvation attack in that it consumes
system resources (for example, CPU utilization and memory),
depriving legitimate users. A stream attack sends TCP packets to a
series of ports with random sequence numbers and random source IP
addresses, resulting in high CPU usage. In a piggybacking attack, an
intruder can gain unauthorized access to a system by using a valid
user’s connection.

Answer 175

A

b. A denial-of-service (DoS) is an attack in which one user takes
up so much of the shared resource that none of the resource is left for
other users. It compromises the availability of system resources (for
example, disk space, CPU, print paper, and modems), resulting in
degradation or loss of service.
A DoS attack does not affect integrity because the latter is a property
that an object is changed only in a specified and authorized manner. A
DoS attack does not affect confidentiality because the latter is a
property ensuring that data is disclosed only to authorized subjects or
users. A DoS attack does not affect reliability because the latter is a
property defined as the probability that a given system is performing
its mission adequately for a specified period of time under the expected
operating conditions.

Answer 176

A

c. Of all the malware incident-response life-cycle phases,
recovery phase is the most complex. Recovery involves containment,
restore, and eradication. Containment addresses how to control an
incident before it spreads to avoid consuming excessive resources and
increasing damage caused by the incident. Restore addresses bringing
systems to normal operations and hardening systems to prevent similar
incidents. Eradication addresses eliminating the affected components
of the incident from the overall system to minimize further damage to
it. More tools and technologies are relevant to the recovery phase than to
any other phase; more technologies mean more complexity. The
technologies involved and the speed of malware spreading make it
more difficult to recover. The other three phases such as preparation, detection, and remediation are less complex. The scope of preparation and prevention phase covers establishing plans, policies, and procedures. The scope of detection phase covers identifying classes of incidents and defining appropriate actions to take. The scope of remediation phase covers tracking and documenting security incidents on an ongoing basis to help in forensics analysis and in establishing trends.

Answer 177

A

a. System availability is expressed as a rate between the number
of hours the system is available to the users during a given period and
the scheduled hours of operation. Overall hours of operation also
include sufficient time for scheduled maintenance activities. Scheduled
time is the hours of operation, and available time is the time during
which the computer system is available to the users.

Answer 178

A

b. If a computer site is vulnerable, management may favor the
protect-and-recover reaction strategy because it increases defenses
available to the victim organization. Also, this strategy brings
normalcy to the network’s users as quickly as possible. Management
can interfere with the intruder’s activities, prevent further access, and
begin damage assessment. This interference process may include
shutting down the computer center, closing of access to the network,
and initiating recovery efforts.
Protect-and-preserve strategy is a part of a protect-and-recover
strategy. Law enforcement authorities and prosecutors favor the trap and-prosecute strategy. It lets intruders continue their activities until
the security administrator can identify the intruder. In the mean time,
there could be system damage or data loss. Pursue-and-proceed
strategy is not relevant here.

Answer 179

A

a. There are a number of start-up costs and funding issues to
consider when planning an incident handling capability. Because the
success of an incident handling capability relies so heavily on the
users’ perceptions of its worth and whether they use it, it is important
that the capability meets users’ requirements. Two important funding
issues are personnel and education and training.

Answer 180

A

d. The primary benefits of an incident handling capability are
containing and repairing damage from incidents and preventing future
damage. Preparing for the damage is a secondary and side benefit.

Answer 181

A

c. System development activity is engaged in designing and
constructing a new computer application system, whereas incident
handling is needed during operation of the same application system.
For example, for purposes of efficiency and cost-savings, incident handling capability is co-operated with a user help desk. Also, backups
of system resources need to be used when recovering from an incident.
Similarly, the risk analysis process benefits from statistics and logs
showing the numbers and types of incidents that have occurred and the
types of controls that are effective in preventing such incidents. This
information can be used to help select appropriate security controls and
practices.

Answer 182

A

a. With computer security incidents, rapid communications is
important. The incident team may need to send out security advisories
or collect information quickly; thus some convenient form of
communication, such as electronic mail (e-mail), is generally highly
desirable. With e-mail, the team can easily direct information to
various subgroups within the constituency, such as system managers or
network managers, and broadcast general alerts to the entire
constituency as needed. When connectivity already exists, e-mail has
low overhead and is easy to use.
Although there are substitutes for e-mail, they tend to increase
response time. An electronic bulletin board system (BBS) can work
well for distributing information, especially if it provides a convenient
user interface that encourages its use. A BBS connected to a network is
more convenient to access than one requiring a terminal and modem;
however, the latter may be the only alternative for organizations
without sufficient network connectivity. In addition, telephones,
physical bulletin boards, and flyers can be used, but they increase
response time.

Answer 183

A

b. Detection, for many organizations, is the most challenging
aspect of the incident response process. Actually detecting and
assessing possible incidents is difficult. Determining whether an
incident has occurred and, if so, the type, extent, and magnitude of the
problem is not an easy task.
The other three phases such as preparation, recovery, and reporting are
not that challenging. The scope of preparation and prevention phase
covers establishing plans, policies, and procedures. The scope of
recovery phase includes containment, restore, and eradication. The
scope of reporting phase involves understanding the internal and
external reporting requirements in terms of the content and timeliness
of the reports.

Answer 184

A

b. If the incident response data is not reviewed regularly, the
effectiveness of detection and analysis of incidents is questionable. It
does not matter whether the data is of high quality with standard
format for data, or actionable data. Proper and efficient reviews of
incident-related data require people with extensive specialized
technical knowledge and experience.

Answer 185

A

c. For some incidents, eradication is either unnecessary or is
performed during recovery. Most incidents require containment, so it is
important to consider it early in the course of handling each incident.
Also, it is true that containment strategies vary based on the type of
incident.

Answer 186

A

b. The correct sequence of events taking place in the incident
response life cycle is detection, response, reporting, recovery, and
remediation. Although the correct sequence is started with detection,
there are some underlying activities that should be in place prior to
detection. These prior activities include preparation and prevention,
addressing the plans, policies, procedures, resources, support, metrics,
patch management processes, host hardening measures, and properly
configuring the network perimeter.
Detection involves the use of automated detection capabilities (for
example, log analyzers) and manual detection capabilities (for
example, user reports) to identify incidents. Response involves security
staff offering advice and assistance to system users for the handling
and reporting of security incidents (for example, held desk or forensic
services). Reporting involves understanding the internal and external
reporting requirements in terms of the content and timeliness of the
reports. Recovery involves containment, restore, and eradication.
Containment addresses how to control an incident before it spreads to
avoid consuming excessive resources and increasing damage caused
by the incident. Restore addresses bringing systems to normal
operations and hardening systems to prevent similar incidents.
Eradication addresses eliminating the affected components of the
incident from the overall system to minimize further damage to the
overall system. Remediation involves tracking and documenting
security incidents on an ongoing basis.

Answer 187

A

c. Preserving the evidence is a containment strategy, whereas all
the other choices are part of recovery actions. Preserving the evidence
is a legal matter, not a recovery action, and is a part of the containment
strategy. In recovery action, administrators restore systems to normal
operation and harden systems to prevent similar incidents, including
the actions taken in the other three choices.

Answer 188

A

d. In the event of an audit processing failure or audit storage
capacity being reached, the information system alerts appropriate
management officials and takes additional actions such as shutting
down the system, overwriting the oldest-audit records, and stopping
the generation of audit records. It should not continue processing,
either with or without notification because the audit-related data would
be lost.

Answer 189

A

a. Audit logs collect data passively on computer journals or files
for later review and analysis followed by action. The other three
choices are examples of active surveillance techniques where
electronic (online) monitoring is done for immediate review and
analysis followed by action.

Answer 190

A

c. A good incident handling capability is closely linked to an
organization’s training and awareness program. It will have educated
users about such incidents so users know what to do when they occur.
This can increase the likelihood that incidents will be reported early,
thus helping to minimize damage. The help desk is a tool to handle
incidents. Intruders can use both systems software and applications
software to create security incidents.

Answer 191

A

b. System users seldom consider residual data security as part of
their job duties because they think it is the job of computer operations
or information security staff. Residual data security means data
remanence where corporate spies can scavenge discarded magnetic or
paper media to gain access to valuable data. Both system users and
system managers usually consider the measures mentioned in the other
three choices.

Answer 192

A

b. A special privileged user is defined as an individual who has
access to system control, monitoring, or administration functions. A
business end-user is a normal system user performing day-to-day and
routine tasks required by his job duties, and should not have special
privileges as does with the system administrator, security
administrator, computer operator, system programmer, system
maintainer, network administrator, or desktop administrator. Privileged
users have access to a set of access rights on a given system. Privileged
access to privileged function should be limited to only few individuals
in the IT department and should not be given to or shared with
business end-users who are so many.

Answer 193

A

c. The quality of the outsourcer’s work remains an important
consideration. Organizations should consider not only the current
quality of work, but also the outsourcer’s efforts to ensure the quality
of future work, which are the major considerations. Organizations
should think about how they could audit or otherwise objectively
assess the quality of the outsourcer’s work. Lack of organizationspecific knowledge will reflect in the current and future quality of
work. The other three choices are minor considerations and are a part
of the major considerations.

Answer 194

A

d. Patch management staff work is separate from that of the
incident response staff. Effective communication channels between the
patch management team and the incident response team are likely to
improve the success of a patch management program when containing,
eradicating, and recovering from large-scale incidents. The activities
listed in the other choices are the responsibility of the incident
response team.

Answer 195

A

a. The incident response policies are the foundation of the
incident response program. They define which events are considered as
incidents, establish the organizational structure for the incident
response program, define roles and responsibilities, and list the
requirements for reporting incidents.

Answer 196

A

d. There are vulnerabilities in a system that cannot be fixed, those
that have not yet been fixed, those that are not known, and those that
are not practical to fix due to operational constraints. Therefore, a
statement that “all of a system’s identified vulnerabilities are fixed” is
not correct. The other three choices can increase a system’s resilience.

Answer 197

A

b. Media sanitization refers to the general process of removing
data from storage media, such that there is reasonable assurance, in
proportion to the confidentiality of the data, that the data may not be
retrieved and reconstructed. The other three choices are not relevant
here.

Answer 198

A

c. Degaussing reduces the magnetic flux to virtual zero by
applying a reverse magnetizing field. It is also called demagnetizing.

Answer 199

A

b. Remanence is residual information remaining on storage media
after clearing. Choice (a) is incorrect because residue is data left in
storage after information-processing operations are complete but
before degaussing or overwriting (clearing) has taken place. Leftover
data and leftover information are too general as terms to be of any use
here.

Answer 200

A

c. The security goal of the overwriting process is to replace
written data with random data. The process may include overwriting
not only the logical storage of a file (for example, file allocation table)
but also may include all addressable locations.

Answer 201

A

c. A laboratory attack is a data scavenging method through the aid
of what could be precise or elaborate and powerful equipment. This
attack involves using signal-processing equipment and specially
trained personnel. Purging information is a media sanitization process
that protects the confidentiality of information against a laboratory
attack and renders the sanitized data unrecoverable. This is
accomplished through the removal of obsolete data by erasure, by
overwriting of storage, or by resetting registers.
The other three choices are incorrect. Disposal is the act of discarding
media by giving up control in a manner short of destruction, and is not
a strong protection. Clearing is the overwriting of classified
information such that the media may be reused. Clearing media would
not suffice for purging. Disinfecting is a process of removing malware
within a file.

Answer 202

A

c. Audit trails indicate what actions are taken by the system.
Because the system has adequate and clear audit trails deters fraud
perpetrators due to fear of getting caught. For example, the fact that
employees are trained, documentation is available, and employee
performance appraisals are given (preventive measures) does not
necessarily mean that employees act with due diligence at all times.
Hence, the need for the availability of audit trails (detection measures)
is very important because they provide a concrete evidence of actions
and inactions.

Answer 203

A

c. Exception reports are the result of a system monitoring activity.
Deviations from standards or policies will be shown in exception
reports. The other three choices are needed before the monitoring
process starts.

Answer 204

A

b. The selective termination of affected nonessential processing
when a failure is detected in a computer system is called fail-soft. The
automatic termination and protection of programs when a failure is
detected in a computer system is called a fail-safe. Fail-over means
switching to a backup mechanism. Fail-under is a meaningless phrase.

Answer 205

A

d. Audit trails show an attacker’s actions after detection; hence
they are an example of detective controls. Recovery controls facilitate
the recovery of lost or damaged files. Corrective controls fix a problem
or an error. Preventive controls do not detect or correct an error; they
simply stop it if possible.

Answer 206

A

a. It has been said that “An ounce of prevention equals a pound of
cure.” Patch and vulnerability management is the “ounce of
prevention” compared to the “pound of cure” in the incident response,
in that timely patches to software reduce the chances of computer
incidents.
Symmetric cryptography uses the same key for both encryption and
decryption, whereas asymmetric cryptography uses separate keys for
encryption and decryption, or to digitally sign and verify a signature.
Key rollover is the process of generating and using a new key
(symmetric or asymmetric key pair) to replace one already in use.

Answer 207

A

b. Although most information can be taken automatically from the
system data, the physical location of an IT resource must be manually
entered. Connected network port numbers can be taken automatically
from the system data. Software and hardware configuration
information can be taken automatically from the system data.

Answer 208

A

c. Software flaw vulnerabilities cause a weakness in the security
of a system. Threats are capabilities or methods of attack developed by
malicious entities to exploit vulnerabilities and potentially cause harm
to a computer system or network. Threats usually take the form of
exploit scripts, worms, viruses, rootkits, exploits, and Trojan horses.

Answer 209

A

b. There are many options available to a system administrator in
remediation testing. The ability to “undo” or uninstall a patch should
be considered; however, even when this option is provided, the
uninstall process does not always return the system to its previous
state. Disable temporarily disconnects a service. Enable or install is not
relevant here.

Answer 210

A

a. Degaussing is exposing the magnetic media to a strong
magnetic field in order to disrupt the recorded magnetic domains. It is
not effective for purging nonmagnetic media (i.e., optical media), such
as compact discs (CD) and digital versatile discs (DVD). However,
degaussing can be an effective method for purging damaged media, for
purging media with exceptionally large storage capacities, or for
quickly purging diskettes.

Answer 211

A

d. Media destruction is the ultimate form of sanitization. After
media are destroyed, they cannot be reused as originally intended, and
that information is virtually impossible to recover or prohibitively
expensive from that media. Physical destruction can be accomplished
using a variety of methods, including disintegration, incineration,
pulverization, shredding, melting, sanding, and chemical treatment.

Answer 212

A

d. Organizations can outsource media sanitization and destruction
if business and security management decide this would be the most
reasonable option for maintaining confidentiality while optimizing
available resources. When choosing this option, organizations exercise
due diligence when entering into a contract with another party engaged
in media sanitization. Due diligence requires organizations to develop
and implement an effective security program to prevent and detect
violation of policies and laws.
Due process means each person is given an equal and a fair chance of
being represented or heard and that everybody goes through the same
process for consideration and approval. It means all are equal in the
eyes of the law. Due law covers due process and due care. Due care
means reasonable care in promoting the common good and
maintaining the minimal and customary practices.

Answer 213

A

b. Forensic investigators are encountering redundant arrays of
independent disks (RAID) systems with increasing frequency as
businesses elect to utilize systems that provide greater data reliability.
RAID provides data confidentiality, data availability, and data integrity
security services to a lesser degree than data reliability.

Answer 214

A

a. Pressure includes financial and nonfinancial types, and it could
be real or perceived. Opportunity includes real or perceived categories
in terms of time and place. Rationalization means the illegal actions
are consistent with the perpetrator’s personal code of conduct or state
of mind.

Answer 215

A

b. In fail-secure, the system preserves a secure condition during
and after an identified failure. System failure and fault are generic and
do not preserve a secure condition like fail-secure. Fail-access is a
meaningless term here.

Answer 216

A

b. The goal of fault-tolerance systems is to detect and correct a
fault and to maintain the availability of a computer system. Fault tolerance systems play an important role in maintaining high data and
system integrity and in ensuring high-availability of systems.
Examples include disk mirroring and server mirroring techniques.

Answer 217

A

a. Disk duplexing means that the disk controller is duplicated.
When one disk controller fails, the other one is ready to operate. Disk
mirroring means the file server contains duplicate disks, and that all
information is written to both disks simultaneously. Server
consolidation, local-area network (LAN) consolidation, and disk
distribution are meaningless to fault tolerance; although, they may
have their own uses.

Answer 218

A

b. Manual patching is useful and necessary for many legacy and
specialized systems due to their nature. Automated patching tools
allow an administrator to update hundreds or even thousands of
systems from a single console. Deployment is fairly simple when there
are homogeneous computing platforms, with standardized desktop
systems, and similarly configured servers.

Answer 219

A

c. Degaussing is demagnetizing magnetic media to remove
magnetic memory and to erase the contents of media. Purging is the
removal of obsolete data by erasure, by overwriting of storage, or by
resetting registers. Thus, degaussing and executing the firmware
Secure Purge command (for serial advanced technology attachment
(SATA) drives only) are acceptable methods for purging.
The other three choices are incorrect. Disposal is the act of discarding
media by giving up control in a manner short of destruction and is not
a strong protection. Clearing is the overwriting of classified
information such that that the media may be reused. Clearing media
would not suffice for purging. Disinfecting is a process of removing
malware within a file.

Answer 220

A

c. Before performing the remediation, the system administrator
may want to conduct a full backup of the system to be patched. This
allows for a timely system restoration to its previous state if the patch
has an unintended or unexpected impact on the host. The other three
choices are part of the patch remediation testing procedures.

Answer 221

A

d. Conducting an exploit test means performing a penetration test
to exploit the vulnerability. Only an experienced administrator or
security officer should perform exploit tests because this involves
launching actual attacks within a network or on a host. Generally, this
type of testing should be performed only on nonproduction equipment
and only for certain vulnerabilities. Only qualified staff who are
thoroughly aware of the risk and who are fully trained should conduct
the tests. Testing file settings, testing configuration settings, and reviewing patch logs are routine tasks a less experienced administrator or security
officer can perform.

Answer 222

A

C. All of these are necessary security activities and procedures—they just don’t all fall under the operations umbrella. Operations is about keeping production up and running in a healthy and secure manner. Operations is not usually the entity that carries out strategic planning. It works at an operational, day-to-day level, not at the higher strategic level.

Answer 223

A

A. This is the best answer because operations has the goal of keeping
everything running smoothly each and every day. Operations implements
new software and hardware and carries out the necessary security tasks passed down to it. As the environment changes and security is kept in the loop with these changes, there is a smaller likelihood of opening up vulnerabilities.

Answer 224

A

C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing employees to take vacations means that someone else has to do that person’s job and can possibly uncover any misdeeds.

Answer 225

A

D. Due care and due diligence are legal terms that do not just pertain to
security. Due diligence involves going through the necessary steps to know
what a company’s or individual’s actual risks are, while due care involves
carrying out responsible actions to reduce those risks. These concepts
correspond with the “prudent person” concept.

Answer 226

A

B. Rotation of duties enables a company to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone.

Answer 227

A

C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should have more entities involved than just one programmer.

Answer 228

A

A. There should be controls in place to make sure the data input into a system and the results generated are in the proper format and have expected values. Improper data being put into an application or system could cause bad output and security issues, such as buffer overflows.

Answer 229

A

C. Users should be able to access only the resources they need to fulfill the
duties of their positions. They also should only have the level of permissions
and rights for those resources that are required to carry out the exact operations
they need for their jobs, and no more. This second concept is more granular
than the first, but they have a symbiotic relationship.

Answer 230

A

A. Documentation is very important for data processing and networked
environments. This task often gets pushed to the back burner or is totally
ignored. If things are not properly documented, employees will forget
what actually took place with each device. If the environment needs to be
rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented. When new changes need to be implemented, the current infrastructure may not be totally understood. Continually documenting when virus signatures are updated would be overkill. The other answers contain events that certainly require documentation.

Answer 231

A

D. One cannot properly erase data held on a CD-ROM. If the data are
sensitive and you need to ensure no one has access to the same, the media should be physically destroyed.

Answer 232

A

D. This is not a great question, but could be something that you run into on the exam. Let’s look at the answers. Different SSL versions are usually not a concern, because the two communicating systems will negotiate and agree upon the necessary version. There is no security violation issue here. SSL works at the transport layer; thus, it will not be affected by what the user does, as stated in answer B. SSL protects against network tapping and wiretapping. Answer D talks about the network segments the company does not own. You do not know at what point the other company will decrypt the SSL connection because you do not have control of that environment. Your data could be traveling unencrypted and unprotected on another network.

Answer 233

A

C. Simple Mail Transfer Protocol (SMTP) is the protocol used to allow clients to send e-mail messages to each other. It lets different mail servers exchange messages.

Answer 234

A

C. Spammers will identify the mail servers on the Internet that have relaying enabled and are “wide open,” meaning the servers will forward any e-mail messages they receive. These servers can be put on a black list, which means other mail servers will not accept mail from them.

Answer 235

A

D. The other three answers provide reasons why fax servers would be used instead of individual fax machines: ease of use, they provide more protection, and their supplies may be cheaper.

Answer 236

A

C. This is the best answer for this question. The other components could provide different levels of protection, but a fax encryptor (which is a data link encryptor) provides a higher level of protection across the board because everything is encrypted. Even if a user does not choose to encrypt something, it will be encrypted anyway before it is sent out the fax server.

Answer 237

A

C. This is a technology that wraps the different services available on a system. What this means is that if a remote user makes a request to access a service, this product will intercept this request and determine whether it is valid and legal before allowing the interaction to take place.

Answer 238

A

D. A sniffer is a device or software component that puts the NIC in promiscuous mode, meaning the NIC will pick up all frames it “sees” instead of just the frames addressed to that individual computer. The sniffer then shows the output to the user. It can have capture and filtering capabilities.

Answer 239

A

D. The first three choices are attacks that can directly affect security
operations. There is no such attack as an ICMP sting.

Answer 240

A

B. For auditing purposes, the procedure should capture the user ID, time of event, type of event, and the source workstation. Capturing the user ID allows the company to hold individuals accountable for their actions.

Answer 241

A

C. Dual control requires two or more entities working together to complete a task. An example is key recovery. If a key must be recovered, and key recovery requires two or more people to authenticate to a system, the act of them coming together and carrying out these activities is known as dual control. This reduces the possibility of fraud.

Answer 242

A

A. The last three tasks fall under the job functions of an individual or
department responsible for controlling access to media. Compressing and
decompressing data does not.

Answer 243

A

A. Clipping levels are thresholds of acceptable user errors and suspicious activities. If the threshold is exceeded, it should be logged and the administrator should decide if malicious activities are taking place or if the user needs more training.

Answer 244

A

C. The reason to have tape library management is to have a centralized and standard way of protecting how media is stored, accessed, and destroyed.

Answer 245

A

D. A degausser is a device that generates a magnetic field (coercive magnetic force) that changes the orientation of the bits held on the media (reducing magnetic flux density to zero).

Answer 246

A

A. If operations personnel are limited in what they can access, they would need to collude with someone who actually has access to the resource. This question is not very clear, but it is very close to the way many CISSP exam questions are formatted.

Answer 247

A

A. The three elements of the DevOps model are software development, quality assurance, and IT operations. Information security is only introduced in the DevSecOps model.

Answer 248

A

B. Input validation ensures that the input provided by users matches the design parameters. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks. Contamination is the mixing
of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Screening is a generic term and does not represent any specific security technique in this context.

Answer 249

A

C. In a fail-secure state, the system remains in a high level of security until an administrator intervenes. In a fail-open state, the system defaults to a low level of security, disabling controls until the failure is resolved. Failure mitigation seeks to reduce the impact of a failure.
Fail clear is not a valid approach.

Answer 250

A

C. Request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management
policies. Request control provides an organized framework for users to request modifications. Change auditing is used to ensure that the production environment is consistent with the change accounting records.

Answer 251

A

B. The iterative waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct
defects discovered during the subsequent phase.

Answer 252

A

B. The activities of threat assessment, threat modeling, and security
requirements are all part of the Design function under SAMM.

Answer 253

A

C. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship. Candidate keys are sets of fields that may potentially serve as the primary key, the key used to uniquely identify database records. Alternate keys are candidate
keys that are not selected as the primary key.

Answer 254

A

D. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive
than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Polyinstantiation is the creation of different database records for users of differing security levels.

Answer 255

A

C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Manipulation is the authorized or unauthorized alteration of data in a database.

Answer 256

A

D. In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software. It is not to prioritize security over other requirements. The Agile principles also include satisfying the customer through early and continuous delivery, businesspeople and
developers working together, and paying continuous attention to technical excellence.

Answer 257

A

C. Expert systems use a knowledge base consisting of a series of “if/then” statements to form decisions based on the previous experience of human experts.

Answer 258

A

D. In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process.

Answer 259

A

B. Open Database Connectivity (ODBC) acts as a proxy between applications and the back-end DBMS. The software development lifecycle (SDLC) is a model for the software development process that incorporates all necessary activities. The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory framework for credit card processing.
Abstraction is a software development concept that generalizes common behaviors of software objects into more abstract classes.

Answer 260

A

A. In order to conduct a static test, the tester must have access to the underlying source code. Black-box testing does not require access to source code. Dynamic testing is an example of black-box testing. Cross-site scripting is a specific type of vulnerability, and it may be discovered using both static and dynamic techniques, with or without access to the source code.

Answer 261

A

A. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan,

Answer 262

A

C. Contamination is the mixing of data from a higher classification level and/or need-to know requirement with data from a lower classification level and/or need-to-know requirement. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be
more sensitive than the information in individual records would reveal. Inference attacks use deductive reasoning to reach conclusions from existing data. Polyinstantiation includes additional records in a database for presentation to users with differing security levels as a defense against inference attacks.

Answer 263

A

D. Tonya is purchasing the software, so it is not open source. It is used widely in her industry, so it is not custom developed for her organization. There is no indication in the question that the software is an enterprise resource planning (ERP) system. The best answer here is
commercial-off-the-shelf software (COTS).

Answer 264

A

C. Configuration audit is part of the configuration management process rather than the change control process. Request control, release control, and change control are all components of the configuration management process.

Answer 265

A

C. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other so that one does not interfere with the other. The atomicity principle says that if any part of the transaction fails, the entire transaction must be rolled back. The consistency principle says that the database must always be in a state that complies with the database model’s rules. The durability principle says that transactions committed to the database must be preserved.

Answer 266

A

B. The cardinality of a table refers to the number of rows in the table, whereas the degree of a table is the number of columns. In this case, the table has three columns (name, telephone number, and customer ID), so it has a degree of three

Answer 267

A

Correct answer and explanation: A. DevOps is a more agile development and support model, where developers directly support operations.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.

Answer 268

A

Correct answer and explanation: C. Polyinstantiation means “many instances,” such as two objects with the same names that have different data. Incorrect answers and explanations: Answers A, B, and D are incorrect. Delegation allows objects to delegate messages to other objects. Inheritance means an object inherits capabilities from its parent class. Polymorphism allows the ability to overload operators, performing different methods depending on the context of the input message.

Answer 269

A

Correct answer and explanation: Answer A is correct; acceptance testing
determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Integration testing tests multiple software components as they are combined into a working system. Regression testing tests software after updates, modifications, or patches. Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.

Answer 270

A

Correct answer and explanation: A. Entity integrity means each tuple has a unique primary key that is not null.
Incorrect answers and explanations: Answers B, C, and D are incorrect.
Normalization seeks to make the data in a database table logically concise,
organized, and consistent. Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken. Semantic integrity means each attribute (column) value is consistent with the attribute data type.

Answer 271

A

Correct answer and explanation: A. Cross-site request forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site. Incorrect answers and explanations: Answers B, C, and D are incorrect. XSS is a third-party execution of web scripting languages, such as Javascript, within the security context of a trusted site. XSS is similar to CSRF; the difference is XSS uses active code. PHP RFI alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code. SQL injection manipulates a back-end SQL server via a front-end web server

Answer 272

A

Answer: C. Early phases
Explanation: Risk analysis and threat modeling
are critical components of the early phases of the
SDLC. They continue through to the architecture
and design phase.

Answer 273

A

Answer: C. Waterfall
Explanation: The Waterfall model requires the
completion of each development phase before
moving to the next. It does not allow revisiting a
previous phase.

Answer 274

A

Answer: A. DevSecOps
Explanation: DevOps should ideally be referred to
as DevSecOps, where security is an integral part of
the development process.

Answer 275

A

Answer: B. Software Assurance Maturity Model
(SAMM)
Explanation: OWASP’s Software Assurance
Maturity Model (SAMM) is described as the prime
maturity model for software assurance.

Answer 276

A

Answer: C. Smoke testing
Explanation: Smoke testing focuses on quick
preliminary testing after a change to identify any
simple failures of the most important existing
functionality that worked before the change was
made.

Answer 277

A

Answer: B. Code repository
Explanation: A code repository is a storage
location for software and application source code.

Answer 278

A

Answer: B. Instantiating into multiple separate or
independent instances
Explanation: Polyinstantiation refers to something
being instantiated into multiple separate or
independent instances.

Answer 279

A

Answer: A. Buffer overflow
Explanation: Buffer overflow is a common
problem with applications and occurs when
information sent to a storage buffer exceeds the
buffer’s capacity.

Answer 280

A

Answer: B. Simple Object Access Protocol (SOAP)
Explanation: Simple Object Access Protocol
(SOAP) is an XML-based API.

Answer 281

A

Answer: C. The idea that an object can be placed
inside another, protecting it by wrapping it in other
objects
Explanation: Encapsulation refers to the idea that
an object – a piece of code – can be placed inside
another. Other objects can be called by doing this,
and objects can be protected by encapsulating or
wrapping them in other objects.

Answer 282

A

Answer: C. Intentionally creating source code that is
difficult for humans to understand
Explanation: Code obfuscation refers to hiding or
obscuring code to protect it from unauthorized
viewing It intentionally makes source code difficult
viewing. It intentionally makes source code difficult
for humans to understand.

Answer 283

A

Answer: B. Spiral Method
Explanation: The Spiral Method is a risk-driven
development process that follows an iterative model
while also including waterfall elements.

Answer 284

A

Answer: B. To manage changes in software
Explanation: Software configuration management
focuses explicitly on managing changes in software
and is part of the overall configuration/change
management.

Answer 285

A

Answer: C. Data is stored hierarchically with parent child relationships.
Explanation: RDBMS systems store data in tables,
not in hierarchical structures.

Answer 286

A

Answer: C. Atomicity, Consistency, Isolation, Durability
Explanation: ACID stands for atomicity,
consistency, isolation, and durability and relates to
how information and transactions in an RDBMS
environment should be treated.

Answer 287

A

Answer: C. They often have access to powerful
programming tools but may lack secure coding
practices.
Explanation: Citizen developers often have access
to powerful programming tools. Still, they’re
typically self-taught and unskilled regarding secure
coding practices, leading to insecure and unreliable
application development.

Answer 288

A

Answer: A. Representational State Transfer (REST)
Explanation: Representational State Transfer
(REST) is an HTTP-based API.

Answer 289

A

Answer: A. The level of relatedness between units of
a codebase
Explanation: Coupling and cohesion are relational
terms that indicate the level of relatedness between
units of a codebase (coupling) and the level of
relatedness between the code that makes up a unit
of code (cohesion).

Answer 290

A

Answer: B. The level of relatedness between the
code that makes up a unit of code
Explanation: Cohesion refers to the level of
relatedness between the code that makes up a unit
of code. High cohesion means that the code within a
module or class is closely related.

Answer 291

A

Answer: A. A method to test new code in isolation
Explanation: Sandboxing refers to a method
where new or untested code is run in a separate
environment (a “sandbox”) to ensure it doesn’t affect
the functioning of existing systems.

Answer 292

A

Answer: C. Cohesion
Explanation: While cohesion is an important
concept in software design, it is not a specific
characteristic of object-oriented programming. OOP
is characterized by concepts like polymorphism,
encapsulation, and inheritance.

Answer 293

A

Answer: B. To verify the authenticity and integrity of
the code
Explanation: Code signing is a technique used to
verify the authenticity and integrity of code. It
ensures that the code has not been altered since it
was signed.

Answer 294

A

Answer: C. To ensure the software is free from
vulnerabilities
Explanation: Secure coding practices aim to
ensure that software is developed in a way that it is
free from vulnerabilities that could be exploited by
malicious actors.

Answer 295

A

Answer: A. Conditions where two or more threads
access shared data simultaneously
Explanation: Race conditions occur when two or
more threads access shared data at the same time
and at least one of them modifies the data, leading to
unpredictable outcomes.

Answer 296

A

Answer: B. The process of ensuring data integrity
and reducing data redundancy
Explanation: Normalization is a process in
database design to ensure data integrity and reduce
data redundancy by organizing data in tables and
establishing relationships between them.

Answer 297

A

Answer: C. Using parameterized queries
Explanation: Parameterized queries ensure that
input is always treated as data and not executable
code, thus preventing SQL injection attacks.

Answer 298

A

Answer: C. To track and manage changes to the
codebase
Explanation: Version control systems track and
manage changes to the codebase, allowing
developers to revert to previous versions,
collaborate, and understand the history of changes.

Answer 299

A

Answer: B. Testing the software by providing
random and unexpected inputs
Explanation: Fuzz testing, or fuzzing, involves
testing software by providing random and
unexpected inputs to identify potential
vulnerabilities and crashes.

Answer 300

A

Answer: A. Granting users only the permissions they
need to perform their tasks
Explanation: The principle of least privilege
emphasizes that users should be granted only the
permissions they absolutely need, reducing the risk
of unauthorized access or actions.

Answer 301

A

Answer: A. To identify potential threats and
vulnerabilities in the software
Explanation: Threat modeling is a structured
approach used to identify and evaluate potential
threats and vulnerabilities in a software system,
helping developers address them proactively.

Answer 302

A

Answer: B. Waterfall testing
Explanation: While “Waterfall” is a software
development methodology, there isn’t a specific type
of testing called “Waterfall testing.”

Answer 303

A

Answer: C. Rewriting certain parts of the code to
improve its structure without changing its
functionality
Explanation: Refactoring involves restructuring
existing code without changing its external behavior,
aiming to improve the nonfunctional attributes of the
software.

Answer 304

A

Answer: B. Reviewing the codebase without
executing the program
Explanation: Static code analysis involves
examining the code without executing the program,
aiming to find vulnerabilities, errors, or areas of
improvement.

Answer 305

A

Answer: C. To ensure the quality and correctness of
the code
Explanation: Code reviews involve systematically
examining the source code of a program with the
primary goal of finding and fixing mistakes
overlooked during the initial development phase,
ensuring the code’s quality and correctness.

Answer 306

A

Answer: B. Data encryption
Explanation: Data encryption is a method used to
protect data by converting it into a code to prevent
unauthorized access, ensuring data confidentiality.

Answer 307

A

Answer: B. Ensuring the data is accurate and has not
been tampered with
Explanation: In software development, integrity
refers to the assurance that data is accurate and
reliable and has not been tampered with or altered
without authorization.

Answer 308

A

Answer: B. A tool that detects and prevents real-time
application attacks
Explanation: Runtime application self-protection
(RASP) is a security technology that uses runtime
instrumentation to detect and block attacks by
taking advantage of information from inside the
running software.

Answer 309

A

Answer: C. Potential vulnerabilities or security risks
associated with the library or component
Explanation: When using third-party libraries or
components, a primary concern is potential
vulnerabilities or security risks that they might
introduce into the software.

Answer 310

A

Answer: B. Designing the software with security
considerations from the outset
Explanation: “Security by design” means that the
software has been designed from the ground up to
be secure, ensuring that security is integrated into
every part of the software development process.

Answer 311

A

Answer: C. To verify that the input meets the
specified criteria before it’s processed
Explanation: Input validation is a process that
ensures an application is rendering the correct data
and prevents malicious data from harming the
system.

Answer 312

A

Answer: D. Something you dislike
Explanation: Authentication methods typically
revolve around something you know, something you
have, or something you are. “Something you dislike”
is not a recognized authentication factor.

Answer 313

A

Answer: C. To identify vulnerabilities by simulating
cyberattacks on the software
Explanation: Penetration testing involves
simulating cyberattacks on software to identify
vulnerabilities that could be exploited in real-world
attacks.

Answer 314

A

Answer: B. Verifying the user’s identity using two
different methods or factors
Explanation: Two-factor authentication (2FA)
requires users to verify their identity using two
different methods or factors, enhancing security.

Answer 315

A

Answer: B. Ensuring that software is accessible and
usable when needed
Explanation: In the CIA (confidentiality, integrity,
availability) triad, “availability” refers to ensuring
that resources are accessible and usable when
needed.

Answer 316

A

Answer: C. Data hashing
Explanation: Data hashing involves creating a
fixed-size string of bytes from input data of any size,
ensuring data integrity by verifying that data has not
been altered.

Answer 317

A

Answer: B. Implementing multiple layers of security
measures
Explanation: “Defense in depth” is a strategy that
employs a series of mechanisms to slow the advance
of an attack aimed at acquiring unauthorized access
to information.

Answer 318

A

Answer: B. Ensuring that software data remains
private and restricted to authorized individuals
Explanation: In the CIA (confidentiality, integrity,
availability) triad, “confidentiality” refers to
ensuring that data remains private and is only
accessible to those with the proper authorization.

Answer 319

A

Answer: A. Ensuring that users cannot deny their
actions
Explanation: Non-repudiation ensures that a user
cannot deny having performed a particular action,
providing proof of origin or delivery.

Answer 320

A

Answer: B. Data that is stored and not actively being
used or processed
Explanation: “Data at rest” refers to data that is
stored in persistent storage (like hard drives) and is
not actively being used, processed, or transmitted.

Answer 321

A

Answer: B. Ensuring data remains confidential while
being transmitted
Explanation: “Data in transit” refers to data that
is being transferred over a network. The primary
concern is to ensure its confidentiality and integrity
during transmission.

Answer 322

A

Answer: C. To fix known security vulnerabilities in
the software
Explanation: Security patches are updates
released by software developers to address known
security vulnerabilities in the software.

Answer 323

A

Answer: C. Vulnerabilities that are unknown to the
software developer and have no available patches
Explanation: Zero-day vulnerabilities refer to
software vulnerabilities that are unknown to the
vendor. This security risk is called a “zero-day”
because the developer has had zero days to fix it.

Answer 324

A

Answer: A. To detect and prevent unauthorized
access to the software
Explanation: Intrusion detection systems (IDS)
monitor network traffic or system activities for
malicious activities or policy violations and produce
reports to a management station.

Answer 325

A

Answer: C. Debugger
Explanation: While ransomware, adware, and
trojans are types of malicious software, a debugger
is a tool used by developers to test and debug their
code.

Answer 326

A

Answer: C. To define a list of approved software or
processes that are allowed to run
Explanation: Allow listing is a security approach
where a list of approved software applications or
processes is created, and only those on the list are
allowed to run.

Answer 327

A

Answer: B. An attack where the attacker tricks users
into revealing sensitive information
Explanation: Phishing is a type of social
engineering attack where the attacker tricks users
into revealing sensitive information, often by
masquerading as a trustworthy entity.

Answer 328

A

Answer: C. To monitor and control incoming and
outgoing network traffic
Explanation: Firewalls are network security
devices that monitor and filter incoming and
outgoing network traffic based on an organization’s
previously established security policies.

Answer 329

A

Answer: C. Data replication
Explanation: Data replication involves creating
copies of data so that this duplicate data can be used
to restore the original data in case of data loss.

Answer 330

A

Answer: C. A method of detecting potential threats
based on behavioral patterns
Explanation: Heuristic analysis involves
identifying malicious activities or threats based on
behavioral patterns rather than relying on specific
signatures.

Answer 331

A

Answer: C. Ensuring data is permanently deleted
and cannot be recovered
Explanation: Proper data disposal ensures that
data is not only deleted but also cannot be
recovered, preventing unauthorized access or data
breaches.

Answer 332

A

Answer: C. To educate employees about security
threats and best practices
Explanation: Security awareness training aims to
educate employees about various security threats
and the best practices to prevent potential breaches.

Answer 333

A

Answer: B. Attempting to guess passwords or encryption keys through trial and error
Explanation: A brute-force attack involves trying
multiple combinations to guess a password or
encryption key, relying on trial and error.

Answer 334

A

Answer: B. Strengthening the software against potential attacks or vulnerabilities
Explanation: Hardening involves configuring a
system to reduce its surface of vulnerability, making
it more secure against potential threats.

Answer 335

A

Answer: D. Encryption-based IDS
Explanation: While network-based, host-based,
and signature-based are types of intrusion detection
systems, there isn’t a specific type called
“encryption-based IDS.”

Answer 336

A

Answer: A. To define user roles based on their job
functions
Explanation: Role-based access control (RBAC) is a method where roles are created based on job functions, and permissions to access resources are
assigned to specific roles.

Answer 337

A

Answer: B. Decoy systems designed to attract potential attackers
Explanation: Honeypots are decoy systems set up to lure potential attackers, allowing security professionals to study their behaviors and tactics.

Answer 338

A

Answer: A. An attack where malicious scripts are injected into trusted websites
Explanation: Cross-site scripting (XSS) is a type of attack where malicious scripts are injected into otherwise benign and trusted websites.

Answer 339

A

Answer: C. To clean user input to prevent malicious
data from harming the system
Explanation: Input sanitization involves cleaning or filtering user input to ensure that potentially harmful or malicious data doesn’t harm or
compromise the system.

Answer 340

A

Answer: A. The process of converting sensitive data
into non sensitive tokens
Explanation: Tokenization involves replacing sensitive data with non sensitive tokens, which can’t be reversed to the original data without a specific key.

Answer 341

A

Answer: B. Ensuring the software is free from known vulnerabilities before deployment
Explanation: Secure software deployment focuses on ensuring that the software is free from known vulnerabilities and is securely configured before it’s deployed to a live environment.

Answer 342

A

Answer: B. To verify the authenticity and integrity of a message or document
Explanation: Digital signatures are cryptographic equivalents of handwritten signatures, used to verify the authenticity and integrity of a message or document.

Answer 343

A

Answer: A. An attack where the attacker tricks a user into executing unwanted actions on a web application
Explanation: CSRF is an attack that tricks the victim into submitting a malicious request, exploiting the trust that a website has in the user’s browser.

Answer 344

A

Answer: C. Key exchange protocol
Explanation: While digital certificate, certificate authority (CA), and private key are components of PKI, a key exchange protocol is not a primary
component of PKI.

Answer 345

A

Answer: B. To ensure that only signed and trusted software can run during the system startup
Explanation: Secure boot is a security standard that ensures that a device boots using only software that is trusted by the manufacturer.

Answer 346

A

Answer: A. A sequence of trusted entities ensuring overall system security
Explanation: The chain of trust refers to a series of trusted entities or components in a system where each component can vouch for the integrity and trustworthiness of the next component.

Answer 347

A

Answer: A. The process of segmenting software into isolated environments
Explanation: Containerization involves encapsulating an application and its dependencies into a “container.” This ensures that it runs consistently across various environments.

Answer 348

A

Answer: B. To detect intrusions based on deviations from a baseline of normal behavior
Explanation: Anomaly-based intrusion detection systems monitor network traffic and compare it against an established baseline to detect any
deviations, which could indicate a potential intrusion.

Answer 349

A

Answer: D. Performance-based access control (PBAC)
Explanation: While MAC, RBAC, and DAC are recognized types of access control methods, there isn’t a specific type called “performance-based
access control (PBAC).”

Answer 350

A

Answer: B. The process of isolating applications in a restricted environment to prevent malicious activities
Explanation: Sandboxing involves running applications in a controlled environment to restrict what actions they can perform, preventing potential malicious activities.

Answer 351

A

Answer: B. Ensuring the software is developed without introducing vulnerabilities
Explanation: Secure coding practices focus on writing code in a way that prevents the introduction of vulnerabilities and security flaws.

Answer 352

A

Answer: C. To prevent the unintentional loss or exposure of sensitive data
Explanation: Data loss prevention (DLP) tools are designed to detect and prevent the unauthorized transmission or loss of sensitive data.

Answer 353

A

Answer: C. User profiling
Explanation: While user authentication, user authorization, and role-based access are components of IAM, user profiling is not a primary component of IAM.

Answer 354

A

Answer: B. The process of managing and maintaining the state of a user’s interaction with software
Explanation: Session management involves maintaining and tracking a user’s state and data as they interact with an application, ensuring that the
session remains secure and consistent.

Answer 355

A

Answer: A. To create a unique fixed-size output from input data
Explanation: Cryptographic hashing functions take input data and produce a fixed-size string of characters, which is typically a sequence of numbers
and letters. The output, called the hash value, should be the same length regardless of the length of the input.

Answer 356

A

Answer: A. A platform for managing and automating security operations
Explanation: SOAR platforms allow organizations to collect data about security threats and respond to low-level security events without human
intervention.

Answer 357

A

Answer: C. Digital signatures
Explanation: Digital signatures are used to verify the authenticity of data, ensuring that it has not been tampered with and comes from a verified
source.

Answer 358

A

Answer: C. Protecting devices like computers and mobile devices that connect to the network
Explanation: Endpoint protection focuses on ensuring that devices such as computers, mobile devices, and other endpoints that connect to a network are secure from potential threats.

Answer 359

A

Answer: B. To provide real-time analysis of security alerts generated by applications and network hardware
Explanation: SIEM systems provide real-time analysis of security alerts generated by various hardware and software resources in an organization.

Answer 360

A

Answer: C. The systematic identification and evaluation of potential threats to the software
Explanation: Threat modeling involves identifying, understanding, and addressing potential threats in the early stages of software development.

Answer 361

A

Answer: C. Ensuring the software architecture is designed with security principles in mind
Explanation: Secure software design focuses on building software that is resilient to threats by incorporating security principles into its architecture.

Answer 362

A

Answer: B. To specify which applications are allowed to run on a system
Explanation: Application allow listing is a security approach where only specified applications are permitted to run, preventing unauthorized or
malicious software from executing.

Answer 363

A

Answer: A. A situation where security settings are left at their default values
Explanation: Security misconfiguration occurs when security settings are not appropriately configured, often left at default, making the system
vulnerable.

Answer 364

A

Answer: C. Resolution of the software bug
Explanation: While identification, containment, and recovery are stages of incident response, the resolution of software bugs is a part of the software
development and maintenance process, not specifically incident response.

Answer 365

A

Answer: B. The process of regularly updating and managing patches for software vulnerabilities
Explanation: Patch management involves the systematic acquisition, testing, and installation of updates and patches to software to address
updates and patches to software to address vulnerabilities and improve security.

Answer 366

A

Answer: C. To assess and ensure the software adheres to security standards and policies
Explanation: Security audits are systematic evaluations of the security of a system or application to ensure compliance with security standards and
policies.

Answer 367

A

Answer: B. Attacks where the attacker intercepts and possibly alters the communication between two parties
Explanation: In a man-in-the-middle attack, the attacker secretly intercepts and potentially alters the communication between two parties without their knowledge.

Answer 368

A

Answer: B. To verify user identity using multiple methods or factors
Explanation: Multifactor authentication (MFA) enhances security by requiring users to provide multiple forms of identification before granting
access.

Answer 369

A

Answer: B. The process of evaluating the potential risks associated with software vulnerabilities
Explanation: Risk assessment involves identifying, evaluating, and prioritizing risks to determine the potential impact of software vulnerabilities and to decide on mitigation strategies.

Answer 370

A

Answer: A. Software Development Kit (SDK)
Explanation: A Software Development Kit (SDK) typically includes a set of software libraries, development tools, and documentation that developers can use to create or enhance software. In this case, the social media site provides software libraries and other tools to integrate better applications, characteristic of an SDK.

Answer 371

A

d. Managing change is a difficult process. People resist change due to a certain amount of discomfort that a change may bring. It does not matter how well the change is planned, communicated, or implemented if it is not spread throughout the organization evenly. Institutionalizing
the change means changing the climate of the company. This needs to be done in a consistent and orderly manner. Any major change should be done using a pilot approach. After a number of pilots have been successfully completed, it is time to use these success stories as leverage to change the entire company.

Answer 372

A

c. Configuration management is a procedure for applying technical and administrative direction and monitoring to (i) identify and document the functional and physical characteristics of an item or system, (ii) control any changes made to such characteristics, and (iii) record and report the change, process, and implementation status. The
authorization process may be manual or automated. All authorized transactions should be recorded and entered into the system for processing. Validation ensures that the data entered meets predefined criteria in terms of its attributes. Error notification is as important as
error correction.

Answer 373

A

c. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project.
Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers questions such as (i) what constitutes the software product at any point in time? (ii) What changes have been made to the software product?
How a software product is planned, developed, or maintained does not matter because it describes the history of a software product’s evolution, as described in the other choices.

Answer 374

A

a. Software configuration management (SCM) is practiced and integrated into the software development process throughout the entire life cycle of the product. One of the main features of SCM is the tracing of all software changes.
Identifying individual components is incorrect because it is a part of configuration identification function. The goals of configuration identification are to create the ability to identify the components of the system throughout its life cycle and to provide traceability between the
software and related configuration identification items.
Computer-assisted software engineering (CASE) tools, compilers, and assemblers are incorrect because they are examples of technical factors. SCM is essentially a discipline applying technical and administrative direction and surveillance for managing the evolution of
computer program products during all stages of development and maintenance. Some examples of technical factors include use of CASE tools, compilers, and assemblers.

Answer 375

A

d. There are four elements of configuration management. The first element is configuration identification, consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control, consisting of
evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification.
The third element is configuration status accounting, consisting of recording and reporting of information that is needed to manage a configuration effectively.
The fourth element is software configuration audit, consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly
working.

Answer 376

A

c. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input received by a system is longer than the expected input length, but the system does not check for this condition. In an access validation error, the system is vulnerable because the access control mechanism is faulty. A configuration error occurs when user controllable settings in a system are set so that the system is vulnerable. Race condition error occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.

Answer 377

A

d. In the operation/maintenance phase of the SDLC, risk
management activities are performed whenever major changes are made to an IT system in its operational (production) environment (for example, new system interfaces).

Answer 378

A

c. The action plan and milestones document is a latter part of security certification and accreditation phases, which describe the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known system vulnerabilities.
The other three choices are part of the initiation phase, which is the first phase, where it is too early to develop the action plan and milestones.

Answer 379

A

a. The security certification work comes first as it determines the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired system security posture. This assurance is achieved through system security assessments. The security accreditation package
documents the results of the security certification.
Recertification and reaccreditation occur periodically and sequentially whenever there is a significant change to the system or its operational environment as part of ongoing monitoring of security controls.

Answer 380

A

b. To determine what security controls to select for ongoing review, organizations should first prioritize testing on “action plan and milestones” items that become closed. These newly implemented controls should be validated first.
The other three documents are part of the continuous monitoring phase and come into play when there are major changes or modifications to the operational system.

Answer 381

A

d. The purpose of configuration management is to minimize the effects of negative changes or differences in configurations on an information system or network. The other three choices are examples of minor purposes, all leading to the major purpose. Note that modifications could be proper or improper where the latter leads to a
negative effect and the former leads to a positive effect.

Answer 382

A

d. The primary implementation of the configuration management process is performed during the operation/maintenance phase of the SDLC, the operation/maintenance phase. The other phases are too
early for this process to take place.

Answer 383

A

d. The fourth phase of the security certification and accreditation process, continuous-monitoring, primarily deals with configuration management. Documenting information system changes and assessing
the potential impact those changes may have on the security of the system is an essential part of continuous monitoring and maintaining the security accreditation.

Answer 384

A

d. In the “defer” choice, immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made later. On the other hand, approve, implement, and deny choices do not require additional testing and analysis because management is already satisfied with the testing and analysis.

Answer 385

A

c. A security-test-plan, whether high level or low level, is
developed in the development/acquisition phase. The other three choices are performed in the initiation phase.

Answer 386

A

b. Security controls are developed, designed, and implemented in the development/acquisition phase. Additional controls may be developed to support the controls already in place or planned.

Answer 387

A

b. Product acquisition and integration costs that can be attributed to information security over the life cycle of the system are determined in the development/acquisition phase. These costs include hardware, software, personnel, and training.

Answer 388

A

c. In the implementation phase, the organization configures and enables system security features, tests the functionality of these features, installs or implements the system, and finally, obtains a formal authorization to operate the system.

Answer 389

A

b. Security and functional requirements can be expressed as technical (for example, access controls), assurances (for example, background checks for system developers), or operational practices (for example, awareness and training).

Answer 390

A

d. If new security controls are added to an existing application system or to a support system, system users must perform additional acceptance tests of these new controls. This approach ensures that new controls meet security specifications and do not conflict with or invalidate existing controls.

Answer 391

A

d. Documenting information system changes and assessing the potential impact of these changes on the security of a system is an essential part of continuous monitoring and key to avoiding a lapse in the system security reaccreditation. Periodic reaccreditation is done in
the operation phase.

Answer 392

A

a. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test
coverage, i.e., how much of the program has been executed.
Gray-box testing can be looked at as anything that is not tested in white-box or black-box. An integration testing is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests.

Answer 393

A

c. The new system is integrated at the operational site where it is to be deployed for operation. Security control settings and switches are enabled.

Answer 394

A

b. Formal risk assessment is conducted in the
development/acquisition phase to identify system protection requirements. This analysis builds on the initial (preliminary or informal) risk assessment performed during the initiation phase, but will be more in-depth and specific.

Answer 395

A

d. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. This task is performed in the operation/maintenance phase so that changes can be tracked and monitored. Prior to this phase, the system is in a fluid state, meaning that initial baselines cannot be established.

Answer 396

A

a. Configuration management and controls, which is a part of system operation and maintenance phase, deals with controlling and maintaining an accurate inventory of any changes to the system. Security certification and security accreditation are part of system implementation phase, whereas continuous monitoring is a part of
operation and maintenance phase.

Answer 397

A

c. System assessors or auditors do not develop security controls due to loss of objectivity in thinking and loss of independence in appearance. Security controls should be built by system designers and developers prior to performing internal control reviews, conducting
penetration testing, or using security checklists by system assessors or auditors. Internal control reviews, penetration testing, and security checklists simply facilitate self-assessments or independent audits of an information system later.

Answer 398

A

c. Investment analysis is defined as the process of managing the enterprise information system portfolio and determining an appropriate investment strategy. The investment analysis optimizes the organization’s system needs within budget constraints. Fit-gap analysis identifies the differences between what is required and what is available; or how two things fit or how much gap there is
between them. Risk analysis is determining the amount of risk and sensitivity analysis can determine the boundaries of the risk in terms of changing input values and the accompanying changes in output values.

Answer 399

A

d. Integrity can be examined from several perspectives. From a user’s or application owner’s perspective, integrity is the quality of data that is based on attributes such as accuracy and completeness. The other three choices do not reflect the attributes of integrity.

Answer 400

A

b. The requirements analysis task of the SDLC phase of
development is an in-depth study of the need for a new system. The requirements analysis draws on and further develops the work performed during the initiation phase. The needs-determination activity is performed at a high-level x of functionality in the initiation phase.

Answer 401

A

c. A formal security risk assessment should be conducted before the approval of system design specifications. The other three choices are considered during a formal security risk assessment process.

Answer 402

A

d. The capital planning process determines how much the acquisition or development of a new system will cost over its life cycle. These costs include hardware, software, personnel, and training. Another critical area often overlooked is security.

Answer 403

A

b. Detailed plans of action and milestones (POA&M) schedules are required to document the corrective measures needed to increase the effectiveness of the security controls and to provide the requisite security for the information system prior to security authorization. The other three choices are not corrective steps requiring action plans and milestone schedules.

Answer 404

A

a. The statement of work development is a part of other planning components in the development/acquisition phase of a system development life cycle (SDLC). The other three choices are part of the security-planning document.

Answer 405

A

b. Configuration files, system files, or files with sensitive
information must not be migrated to different storage media and must be retained in a secure location due to their access restrictions. The files listed in the other three choices are not sensitive; they are temporary and don’t need to be retained after their use is completed.

Answer 406

A

d. Integration and acceptance testing occurs after delivery and installation of the new information system. The unit, subsystem and full system testing are not conducted for an acquired system but conducted for the in-house developed system. The integration and acceptance testing is conducted for an acquired system.

Answer 407

A

a. Prior to final system deployment, a security
certification should be conducted to ensure that security controls established in response to security requirements are included as part of the system development process. The other three choices are part of the scope of the security
certification process.

Answer 408

A

b. The security accreditation decision is a risk-based decision that depends heavily, but not exclusively, on the security testing and evaluation results produced during the security control verification process. The security accreditation focuses on risk, whereas system accreditation focuses on an evaluation based on tests and their results.

Answer 409

A

a. Organizations need periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls are effective in their application. Security-control monitoring means verifying the continued effectiveness of those controls over time.

Answer 410

A

c. Usually, there is no definitive end to an SDLC process because the system can become a legacy system for a long-time or it can eventually be replaced with a new system. Systems evolve or transition to the next generation as follow-on systems with changing requirements and technology. Security plans evolve with the system.
Much of management and operational controls in the old, legacy system are still relevant and useful in developing the security plan for the follow-on system.

Answer 411

A

b. Some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The other parties
mentioned do not have a technical focus but instead have a business focus.

Answer 412

A

b. Quality control is similar to security certification and
accreditation in terms of scope of work and goals. Quality control is a technical control. Quality assurance is included in security planning, which is a management control. Operational control deals with day-to day procedures.

Answer 413

A

c. By accrediting an information system, an organization’s management official accepts the risks associated with operating the system and the associated security implications to the organization’s operations, assets, or individuals.

Answer 414

A

d. During the security certification and accreditation process, the system security plan is analyzed, updated, and accepted. For this to happen, the system security plan must have been developed and in place.

Answer 415

A

c. Reauthorization should occur prior to a significant change in processing of an information system. A periodic review of controls should also contribute to future authorizations.

Answer 416

A

b. The design phase translates requirements into a representation of the software. The design is placed under configuration management control before coding begins.
Requirements analysis is incorrect because it focuses on gathering requirements to understand the nature of the programs to be built. The design must be translated into code-readable form. The coding step performs this task. Code is verified, for example, through the inspection process and put under configuration management control
prior to the start of formal testing. After code is generated, program testing begins. The testing focuses on the logical internals of the software, ensuring that all statements have been tested, and on the functional externals; that is, conducting tests to uncover errors to ensure that the defined input can produce actual results that agree with
required results.

Answer 417

A

c. The request for proposal development, evaluation, and acceptance are a part of other planning components in the development/acquisition phase of an SDLC. It is a part of project management activities. The other three choices are part of the security planning document.

Answer 418

A

b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an
analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server’s operating system, such as looking for administrative-level user accounts and groups that may have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm’s behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.

Answer 419

A

c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information
is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited
or missing. If the software was configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs’ integrity is not in doubt). Network-based IDS is incorrect because it indicates which server was
attacked and on what port number, which indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access servers may
record information similar to that logged by network-based firewalls.

Answer 420

A

d. Media sanitization ensures that data is deleted, erased, and written over as necessary. Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of data storage media will be transferred outside positive control, and some will be reused during all phases of the
SDLC. This media sanitization activity may be for maintenance reasons, system upgrades, or during a configuration update.

Answer 421

A

b. The security certification assessor is involved in assessing security controls in an information system to provide an unbiased opinion. The assessor’s independence implies that he is not involved in the information system development, implementation, or operation.

Answer 422

A

c. Organizations should identify which individuals or groups can assist in infection identification efforts. Network administrators are good at analyzing routers along with analyzing network traffic using packet sniffers and misconfigurations. The roles of administrators defined in the other three choices are different due to separation of duties, independence, and objectivity viewpoints.

Answer 423

A

c. An organization employs automated mechanisms to provide notification of failed security tests, which is a control used in the verification of security functionality. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions. The organization employs good software engineering practices for commercial off-the-shelf integrity mechanisms (for example, parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

Answer 424

A

a. When restrictions on what authenticated users are allowed to do are not properly enforced, it leads to broken access control vulnerability in Web applications. The other three choices do not deal with accessing user accounts, viewing sensitive files, or using unauthorized functions.

Answer 425

A

b. Web applications pass parameters when they access external systems or the local operating system. Injection flaws occur when an attacker can embed malicious commands in these parameters; the external system may execute those commands on behalf of the Web application. The other three choices do not apply here because they do not embed malicious commands.

Answer 426

A

a. A unit test is a test of software elements at the lowest level of development. Black-box testing, also known as functional testing, executes part or all the system to validate that the user requirement is satisfied. White-box testing, also known as structural testing, examines the logic of the units and may be used to support software requirements for test coverage, i.e., how much of the program has been
executed. Because the unit test is the first test conducted, its scope should be comprehensive enough to include both types of testing, that is, black box and white box. Integration testing is incorrect because it comes after completion of unit tests. An integration test is performed to examine how units interface and interact with each other with the assumption that the units and the objects (for example, data) they manipulate have all passed their unit tests. Software integration tests check how the units interact with other software libraries and hardware. System testing is incorrect because it comes after completion of the integration tests. It tests the completely integrated system and validates that the software meets its requirements. Acceptance testing is incorrect because it comes after completion of integration tests. It is testing of user requirements in an operational mode conducted by end users and computer operations staff.

Answer 427

A

a. In general, automated controls compensate for the weaknesses in or lack of manual controls or vice versa (i.e., a compensating control). For example, an automated software management system can help in
strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.

Answer 428

A

c. System accreditation is a management’s formal acceptance of the adequacy of an application system’s security. The accreditors are responsible for evaluating the certification evidence, deciding on the acceptability of application security safeguards, approving corrective actions, ensuring that corrective actions are accomplished, and issuing the accreditation statement. System certification is the technical evaluation of compliance with security requirements for the purpose of accreditation. The technical evaluation uses a combination of security evaluation techniques (for example, risk analysis, security plans, validation, verification, testing, security safeguard evaluation, and audit) and culminates in a technical judgment of the extent to which safeguards meet security requirements. Security certification is a formal testing of the security controls (safeguards) implemented in the computer system to determine whether they meet applicable requirements and specifications. Security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls. A system certification is conducted first and system accreditation is
next because the former supports the latter. Security certification and security accreditation processes follow the system certification and system accreditation processes.

Answer 429

A

c. Macro viruses are nonresident viruses. A resident virus is one that loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. All boot viruses and most common file viruses are resident viruses. Macro viruses are found in documents, not in disks.

Answer 430

A

c. Most Trojan horses can be prevented and detected by a strong program change control in which every change is independently examined before being put into use. After a Trojan horse is detected, the cure is to remove it. Next, try to find all the damage it has done and correct that damage.

Answer 431

A

b. The biggest vulnerable area is in the manual handling of data before it is entered into an application system or after it has been retrieved from the system in hard copy form. Because human intervention is significant here, the risk is higher. Controls over internal and external computer processing and telecommunications and the network can be made stronger with automated controls.

Answer 432

A

c. A log file is most likely to be tampered (manipulated) with either by insiders or outsiders because it contains unsuccessful login attempts or system usage. A configuration file contains system parameters. A password file contains passwords and user IDs, whereas a system file contains general information about computer system hardware and software.

Answer 433

A

a. The objectives of the software configuration management (SCM) process are to track the different versions of the software and ensure that each version of the software contains the exact software outputs generated and approved for that version. SCM is responsible for ensuring that any changes to any software outputs during the development processes are made in a controlled and complete manner. The objective of the project management process is to establish the organizational structure of the project and assign responsibilities. This process uses the system requirements documentation and information about the purpose of the software, criticality of the software, required deliverables, and available time and resources to plan and manage the software development and software assurance processes. It establishes or approves standards, monitoring and reporting practices, and high level policy for quality, and it cites policies and regulations. The objectives of the software quality assurance process are to ensure that the software development and software assurance processes comply with software assurance plans and standards, and to recommend process improvement. This process uses the system requirements and information about the purpose and criticality of the software to evaluate the outputs of the software development and software assurance processes.
The objective of the software verification and validation (SV&V) process is to comprehensively analyze and test the software concurrently with processes of software development and software maintenance. The process determines that the software performs its intended functions correctly, ensures that it performs no unintended functions, and measures its quality and reliability. SV&V is a detailed engineering assessment for evaluating how well the software is meeting its technical requirements, in particular its safety, security, and reliability objectives, and for ensuring that software requirements are not in conflict with any standards or requirements applicable to other
system components.

Answer 434

A

b. The Reference Monitor concept is independent of any particular access control policy because it mediates all types of access to objects by subjects. Mandatory access control policy is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity. With role-based access control policy, access decisions are based on the roles (for example, teller, analyst, and manager) that individual users have as part of an organization. Discretionary access control policy is a means of restricting access to objects based on the identity of subjects.

Answer 435

A

a. Security certification is a comprehensive assessment of the management, operational, and technical controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes.

Answer 436

A

d. Conducting reaccreditation reviews periodically is a mechanical step (a byproduct of the goal) and a secondary goal. The primary goals of certification and accreditation of information systems are to (i) enable more consistent, comparable, and repeatable assessments of security controls in information systems, (ii) promote a better understanding of organization-related risks resulting from the operation of information systems, and (iii) create more complete, reliable, and trustworthy information for authorizing officials (management) to facilitate more informed security accreditation decisions.

Answer 437

A

d. Security impact analyses are conducted in the continuous monitoring phase whenever there are changes to the information system. The other three choices are part of the security accreditation phase, which comes before the continuous monitoring phase.

Answer 438

A

a. Usually, encryption algorithms do not fail due to their extensive testing, and the encryption key is getting longer making it more difficult to break into. Many errors reoccur, including buffer overflows, race conditions, format string errors, failing to check input for validity, and computer programs being given excessive access privileges.

Answer 439

A

c. Evaluating configuration management metric information is the responsibility of the configuration control review board, whereas the other three choices are responsibilities of the configuration manager.

Answer 440

A

c. The Software Engineering Institute (SEI) is a nationally
recognized, federally funded research and development center established in the United States to address software development issues. It developed a process maturity framework that would help organizations improve their software development process. In general, the CMM serves as an indicator of the likely range of cost, schedule, and quality results to be achieved by system development projects within an organization. In the repeatable level, basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications. The other three choices are not applicable because the correct answer is based on the definition of CMM levels.

Answer 441

A

a. As a part of preventive controls, compatibility tests are used to determine whether an acceptable user is allowed to proceed in the system. This test focuses on passwords, access rules, and system privileges. A validity check is incorrect because it tests for the accuracy of codes such as state, tax rates, and vendor number. A security label check is incorrect because it tests for the specific designation assigned to a system resource such as a file, which cannot be changed except in emergency situations. A confidentiality test is incorrect because it
ensures that data is disclosed only to authorized individuals.

Answer 442

A

c. Just as replication complicates concurrency control, it can affect scalability. The major concern in scalability is determining the effect of increased scale on client performance. Additional storage sites increase
the amount of work servers must do to maintain a consistent state of the file system. Similarly, clients in a replicated file system may have more work to do when they make file updates. For this reason, both clients and servers share portions of system management work. Fault-tolerant mechanisms, availability, and recoverability are incorrect. Replicated servers have a positive impact on system availability and recoverability. If the primary server fails, the replicated server takes over, thus making the system available to system users. Recovery protocols help both servers and clients recover from system
failures. Fault-tolerant mechanisms such as disk mirroring and disk duplexing help in recovering from a system failure. They all have a positive effect.

Answer 443

A

a. Expert systems are aimed at problems that cannot always be solved using a purely algorithmic approach. These problems are often characterized by irregular structure, incomplete or uncertain information, and considerable complexity.

Answer 444

A

d. A heuristic is a rule of thumb, a known fact, or even a known procedure that can be used to solve some problems, but it is not guaranteed to do so. It may fail. Heuristics can be conveniently regarded as simplifications of comprehensive formal descriptions of real-world systems. These heuristics are acquired through learning and experience.

Answer 445

A

b. The computing environment consists of hardware, programming languages, editors and compilers, file management facilities, browsing program code, debugging and tracing program execution, and graphic programming. This computing environment is outside the expert systems architecture because it can change from one organization to another. On the other hand, knowledge base, inference engine, and end user interface are integral parts of expert systems architecture. Knowledge
is stored in the knowledge base using symbols and data structures to stand for important concepts. The symbols and data structures are said to represent knowledge. A software module called the inference engine executes inference procedures. If the user of the expert system is a person, communications with the end user are handled via an end user interface.

Answer 446

A

c. Expert system programs differ from conventional systems in four important ways. First, knowledge is separated from program control; the knowledge base and inference engine are separate. Second, knowledge is represented declaratively. Third, expert systems perform computation through symbolic reasoning. And finally, expert systems can explain their own actions.

Answer 447

A

a. The size of completed expert systems is often large, consisting of hundreds or thousands of rules. If the task is too broad, the development effort may take an inordinate amount of time, or even be impossible. Two important guidelines on evaluating the scope and size of the problem include the task must be narrowly focused and the task should be decomposable. In other words, expert system tasks should be based on a limited domain. The other three choices are areas to avoid for expert system methods. These include (i) tasks based on common sense, (ii) tasks requiring perceptual (seeing or touching) knowledge, and (iii) tasks requiring creativity. People, not expert systems, are creative.

Answer 448

A

a. The intention is not to replicate the workings of the human brain but to use a simple model to see if some of the strengths of the human brain can be shown by computers based on that model. An important
goal is to develop computers that can learn from experience. In the process of learning from experience, ANNs show a capacity to generalize. That is, recognizing a new problem as being “close” to the one they know and offering the same solution. ANNs are not meant to replace or supersede the existing design of computers. They are meant to complement them.

Answer 449

A

a. Organizations should identify which individuals or groups can assist in infection identification efforts. Security administrators are good at analyzing host scans along with antivirus software, intrusion prevention system (IPS) software, firewalls, and vulnerability assessment results.

Answer 450

A

d. During the operation/maintenance phase, the organization should continuously monitor performance of the system to ensure that it is consistent with pre-established user and security requirements and that all needed system modifications are incorporated into the system. Monitoring is done in the operation/maintenance phase of the SDLC because all the development work is completed, and the system should start delivering results. During implementation phase, the system is tested, employees are trained, and the system is not yet ready to put into production operation/maintenance phase to monitor system performance.

Answer 451

A

b. System assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. Information security needs should address the appropriate level of assurance because this is a significant cost driver.
The higher the assurance level required, the higher the cost and vice versa. Usually, investment analysis is structured to translate system needs and mission into high-level performance, assurance, functional, and supportability requirements. However, the assurance requirements are the significant cost driver because it integrates all the other requirements at the highest level.

Answer 452

A

b. The development and execution of necessary contracting plans and processes are a part of other planning components in the development/acquisition phase of an SDLC. The other three choices are part of the security-planning document.

Answer 453

A

c. The authorizing official in charge of the security accreditation process relies primarily on the other three choices, but not exclusively on the security test and evaluation results produced during the security control verification process. The authorizing official pays more attention to the other three choices because of their significance.

Answer 454

A

d. Configuration management change control and auditing takes place in the operation/maintenance phase of the SDLC. The phases in the other three choices are too early for this activity to take place.

Answer 455

A

c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.

Answer 456

A

b. Integrity or validation controls, which are a part of technical control, include reconciliation routines in application systems. Authorization and access controls, which are a part of technical control, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.

Answer 457

A

d. Malware is malicious software and malicious code. In many cases, it is most effective to use multiple identification approaches simultaneously or in sequence to provide the best results for striking a balance between speed, accuracy, and timeliness. Multiple identifications include where a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized
access to additional hosts (for example, DoS and DDoS attacks). Forensic identification is effective when data is recent; although, the data might not be comprehensive. Active identification produces the most accurate results; although, it is often not the fastest way of identifying infections due to scanning every host in an organization. Manual identification is not feasible for comprehensive enterprise wide identification, but it is a necessary part of identification when other methods are not available and can fill in gaps when other methods are insufficient.

Answer 458

A

b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the
operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.

Answer 459

A

c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption where the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth virus is incorrect because it uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.

Answer 460

A

a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus’s functions through disassembly (i.e., reverse engineering technique),
traces, and other means. Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the
operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software.
Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination.
Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.

Answer 461

A

d. Incorporation of recovery requirements into system design can provide automatic backup and recovery procedures. This helps to prepare for disasters in a timely manner. Training every employee in emergency procedures is incorrect because it does not guarantee that
they can respond to a disaster in an optimal manner when needed. Conducting fire drills regularly every month is incorrect because the scope of fire drill may not address all possible scenarios. Disaster recovery goes beyond fire drills; although, the fire drill is a good practice. Training all IT staff in file rotation procedures is incorrect because only key people need to be trained.

Answer 462

A

c. Applications such as word processors and spreadsheets often contain macro languages; macro viruses take advantage of this. Most common applications with macro capabilities offer macro security features that permit macros only from trusted locations or prompt the user to approve or reject each attempt to run a macro. Restricting macro use cannot stop phishing and spyware delivery. Filtering spam is incorrect because spam is often used for phishing and spyware delivery (for example, Web bugs often are contained within spam), and it sometimes contains other types of malware. Using spam filtering software on e-mail servers or clients or on network-based appliances can significantly reduce the amount of spam that reaches users, leading to a corresponding decline in spam-triggered malware incidents. Filtering website content is incorrect because website content-filtering software contains lists of phishing websites and other sites that are known as hostile (i.e., attempting to distribute malware to visitors). The software can also block undesired file types, such as by file extension. Blocking Web browser pop-up windows is incorrect because some pop-up windows are crafted to look like legitimate system message
boxes or websites and can trick users into going to phony websites, including sites used for phishing, or authorizing changes to their systems, among other malicious actions. Most Web browsers can block pop-up windows; other can do so by adding a third-party pop-up blocker to the Web browser.

Answer 463

A

b. Antivirus software is an example of a threat mitigation technique for malware. Antivirus software, spyware detection and removal utility software, intrusion prevention systems, firewalls and routers, and application settings are security tools that can mitigate malware threats. Malware often attacks systems by exploiting
vulnerabilities in operating systems, services, and applications. Vulnerability can usually be mitigated by patch management, least privilege, and host hardening measures.

Answer 464

A

a. Antivirus software is the primary source of data for malware incident detection. Examples of secondary sources include (i) firewall and router log files, which might show blocked connection attempts, (ii) log files from e-mail servers and network-based IPS sensors, which
might record e-mail headers or attachment names, (iii) packet capture files from packet sniffers, network-based IPS sensors, and network forensic analysis tools, which might contain a recording of malware related network traffic. Host-based IPS is also a secondary source.

Answer 465

A

a. Transparency is the ability to simplify the task of developing management applications, hiding distribution details. There are different aspects of transparency such as access failure, location, migration replication, and transaction. Transparency means the network components or segments cannot be seen by insiders and outsiders, and that actions of one user group cannot be observed by
other user groups. Transparency is achieved through process isolation and hardware segmentation principles. The principle of process isolation or separation is employed to preserve the object’s wholeness and subject’s adherence to a code of behavior. It is necessary to prevent objects from colliding or interfering with one another and to prevent actions of active agents (subjects) from interfering or colluding with one another. The principle of hardware segmentation provides hardware transparency when hardware is designed in a modular fashion and yet interconnected. A failure in one module should not affect the operation of other modules. Similarly, a module attacked by an intruder should not compromise the entire system. System architecture should be arranged so that vulnerable networks or network segments can be quickly isolated or taken offline in the event of an attack. Examples of hardware that need to be segmented include network switches, physical circuits, and power supply equipment. The abstraction principle is related to stepwise refinement and modularity of programs. As the software design evolves, each level of module in a program structure represents a refinement in the level of software abstraction. Abstraction is presented in levels, where a problem is defined and a solution is stated in broad terms at the highest level of abstraction (during requirements and analysis phases) and where source code is generated at the lowest levels of abstraction
(during programming phase). The accountability principle holds an individual responsible for his actions. From this principle, requirements are derived to uniquely
identity and authenticate the individual, to authorize his actions within the system, to establish a historical track record or account of these actions and their effects, and to monitor or audit this historical account for deviations from the specified code of action. The security kernel principle is the central part of a computer system (software and hardware) that implements the fundamental security procedures for controlling access to system resources. The principle of a reference monitor is the primary abstraction enabling an orderly evaluation of a standalone computer system with respect to its abilities to enforce both mandatory and discretionary access controls. The principle of complete mediation stresses that every access request to every object must be checked for authority. This requirement forces a global perspective for access control, during all functional phases (for example, normal operation and maintenance). Also stressed are reliable identification access request sources and reliable maintenance of changes in authority. The principle of open design stresses that design secrecy or the reliance on the user ignorance is not a sound
basis for secure systems. Open design enables open debate and inspection of the strengths, or origins of a lack of strength, of that particular design. Secrecy can be implemented through the use of passwords and cryptographic keys, instead of secrecy in design.

Answer 466

A

c. Virus scanners, being one of reactive (detective)
countermeasures, search for “signature strings” or use algorithmic detection methods to identify known viruses. These reactive methods have no hope of preventing fast spreading worms or worms that use zero-day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Packet-filtering firewalls block all incoming traffic except what is needed for the functioning of the network. Stack guarding prevents worms from gaining increased privileges on a system. A virtual machine prevents potentially malicious software from using the operating system for illicit actions.

Answer 467

A

a. Malware test systems and environments are helpful not only for analyzing current malware threats without the risk of inadvertently causing additional damage to the organization, but also for training staff in malware incident handling. An infected production system or a disk image of an infected production system could also be placed into an isolated test environment. Physical separation may not be possible at all times; although, logical separation might be possible. Both physical and logical separation are important but not as important as using an isolated test system.

Answer 468

A

b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.

Answer 469

A

a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing. Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white- box testing. Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Focused testing is also known as gray-box testing.

Answer 470

A

a. In a widespread incident, if malware cannot be identified by updated antivirus software, or updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the
containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across
multiple components. Antivirus software alone cannot ensure defense in-depth strategy. Automated detection methods other than antivirus software are needed to ensure defense-in-depth strategy. These detection methods include e-mail filtering, network-based intrusion
prevention system (IPS) software, and host-based IPS software.

Answer 471

A

b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus can typically not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.

Answer 472

A

b. Spam-filtering software, whether host-based or network-based, is effective at stopping known email-based malware that uses the organization’s e-mail services and is effective at stopping some unknown malware. The most common tools for eradication are antivirus software, spyware detection and removal utility software,
patch management software, and dedicated malware removal tool.

Answer 473

A

b. Requiring administrator-level privileges is a characteristic of a non managed environment, where system owners and users have substantial control over their own system. Owners and users can alter system configurations, making security weak. In a managed environment, one or more centralized groups have substantial control over the server and workstation operating system and application configurations across the enterprise. Recommended security practices include installing antivirus software on all hosts and keeping it up-to date, using deny-by-default policies on firewalls, and applying patches to operating systems and applications. These practices enable a consistent security posture to be maintained across the enterprise.

Answer 474

A

c. Conceptually, behavioral controls can be viewed as a software cage or quarantine mechanism that dynamically intercepts and thwarts attempts by the subject code to take unacceptable actions that violate policy. As with firewalls and antivirus products, methods that dynamically restrain mobile code were born out of necessity to supplement existing mechanisms, and represent an emerging class of
security product. Such products are intended to complement firewall and antivirus products that respectively block network transactions or
mobile code based on predefined signatures (i.e., content inspection), and may refer to methods such as dynamic sandbox, dynamic monitors, and behavior monitors, used for controlling the behavior of mobile code. In addition to mobile code, this class of product may also be applicable to stationary code or downloaded code whose trust worthiness is in doubt. Technical controls, administrative controls, and physical controls are incorrect because they are not strong enough as the behavioral controls
to combat mobile code.

Answer 475

A

a. Application access is basic, low-privilege access. It may include access to data entry, data update, data query, data output, or report programs. Administrative access, privileged access, and root access are advanced levels of access to a computer system that include
the ability to perform significant configuration changes to the computer’s operating system.

Answer 476

A

c. The cost not to mitigate = W × T × R, where W is the number of computers or workstations, T is the time spent fixing systems plus lost user productivity, and R is the hourly rate of time spent or lost. During downtime, the computer owner or user is without a computer to do his work, which should be added to the time required to rebuild a computer. This is translated into $560,000 (i.e., 1,000 computers × 8 hours × $70 per hour). $280,000 is incorrect because it fails to take into account the lost user productivity time. This is translated into $280,000 (i.e., 1,000 computers × 4 hours × $70 per hour). $500,000 is incorrect because it assumes the budget for in-house technical support. $600,000 is incorrect because it assumes the budget for outsourced technical support.

Answer 477

A

d. The major principle of configuration management is to provide a repeatable mechanism for effecting system modifications in a controlled environment. Achieving repeatable mechanism can automatically achieve the other three choices.

Answer 478

A

a. The Reference Monitor concept is an access control concept that refers to an abstract computer mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.

Answer 479

A

d. A common virus is a code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable.
The boot-sector virus works during computer booting, where the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both sector and file infector viruses.

Answer 480

A

c. Built-in security means that security features are designed into the system during its development, not after. Any feature that is installed during post-implementation of a system is an example of built-on security, not built-in. Security and control features must be built in from a cost-benefit perspective.

Answer 481

A

b. Computer virus defenses are expensive to use, ineffective over time, and ineffective against serious attackers. Virus scanning programs are effective against viruses that have been reported and ineffective against new viruses or viruses written to attack a specific organization. Program change controls limit the introduction of unauthorized changes such as viruses. Redundancy can often be used to facilitate integrity. Integrity checking with cryptographic checksums in integrity shells is important to defend against viruses. System or equipment isolation to limit the spread of viruses is good, too.

Answer 482

A

c. System assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the data and information it processes. For example, software assurance achieves trustworthiness and predictable execution.
The three well-accepted and basic-level security objectives are confidentiality, integrity, and availability, and assurance can be considered an advanced-level security objective because the former culminates into the latter. What good is an information system that cannot provide full assurance with regards to its security?

Answer 483

A

b. Antivirus software is a preventive control in that it stops a known virus from getting into a computer system. It is also a detective control because it notifies upon detecting a known virus. Audit trails are detective controls; policies and procedures are directive controls, whereas contingency plans are an example of recovery controls.

Answer 484

A

c. Defending an information system requires safeguards to be applied throughout the system, as well as at points of entry. The selection and placement of security controls should be done in a way that progressively weakens or defeats all attacks. Having a series of
similar controls in succession tends to only lengthen the duration of the attack, which is not good. Applying different types of controls that complement each other and are mutually supportive is a much more effective approach in achieving defense-in-depth strategy. Although the capabilities of available safeguards may overlap to some extent, the combined effect should exceed the effects of each control used individually. The other three choices are true statements in achieving security in an application environment. The information system isolates security
functions from non security functions implemented via partitions and domains that control access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Safety functions should be kept separate from one another. The design of information systems and the design of protection
mechanisms in those systems should be as simple as possible. Complexity is at the root of many security issues. The principle of data hiding should be useful during program testing and software maintenance.

Answer 485

A

b. During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users and system/security administrators develop system controls and audit trails used during the operational phase.

Answer 486

A

b. In the repeatability level of the software capability maturity model, system requirements are defined; these include security, performance, quality, and delivery dates. The purpose is to establish a common understanding between the customer and the software development project team. The other three choices are not correct because each level deals with specific requirements.

Answer 487

A

b. Data leakage is removal of data from a system by covert means, and it might be conducted directly through the use of Trojan horse, logic bomb, or scavenging methods. Asynchronous attacks are indirect attacks on a computer program that act by altering legitimate data or codes at a time when the program is idle and then causing the changes to be added to the target program at later execution.

Answer 488

A

c. Multi-partite viruses are a combination of both sector- and file infector viruses, which can be spread by both methods. A worm is a self-replicating, self-contained program and does not require a host program. Link viruses manipulate the directory structure of the media on which they are stored, pointing the operating system to virus code instead of legitimate code. Macro viruses are stored in a spreadsheet or word processing document.

Answer 489

A

c. Hidden code attacks are based on data and information. Using layered protections and disabling active-content code (for example, ActiveX and JavaScript) from the Web browser are effective controls against such attacks. War dialing software is good at detecting trapdoors (backdoor modems) and not good against trapdoor attacks.
Firewalls are effective against spoofing attacks.

Answer 490

A

a. Evaluation of change control is a part of the physical
configuration audit, whereas the other choices are part of the functional configuration audit. The physical configuration audit provides an independent evaluation of whether components in the as-built version
of the software map to the specifications of the software. Specifically, this audit is held to verify that the software and its documentation are internally consistent and ready for delivery. Activities typically planned and executed as part of the physical configuration audit include evaluation of product composition and structure, product
functionality, and change control. The functional configuration audit provides an independent evaluation of configuration items to determine whether actual functionality and performance are consistent with the requirements specifications. Specifically, this audit is conducted prior to the software delivery to verify that all requirements specified in the requirements document have been met. Activities typically planned and executed as part of a functional configuration audit include testing of software products, tracing of system requirements from their initial specification through system testing, evaluation of the test approach and results attained, and evaluating the consistency between the baselined product elements.

Answer 491

A

a. Applets are small application programs mostly written in Java programming language that are automatically downloaded and executed by applet-enabled Web browsers.

Answer 492

A

c. The contingency processes should be tested and maintained during the implementation phase of the SDLC. The capability to recover and reconstitute data should be considered during the initiation phase. Recovery strategies should be considered during the development phase. The contingency plan should be exercised and maintained during the

Answer 493

A

c. Backdoors are also called hooks and trapdoors. Logic bomb is incorrect because it is a program that triggers an unauthorized, malicious act when some predefined condition occurs. Worms are incorrect because they search the network for idle computing resources and use them to execute the program in small segments. Trojan horses are incorrect because a Trojan horse is a production program that has access to otherwise unavailable files and is changed by adding extra, unauthorized instructions. It disguises computer viruses.

Answer 494

A

a. Some vendors can install a backdoor or a trapdoor entry for remote monitoring and maintenance purposes. The good news is that the backdoor is a convenient approach to solve operational problems. The bad news is that the backdoor is wide open for hackers. Also, the
vendor can modify the software at will without the user’s knowledge or permission. An unhappy vendor can disconnect a user from accessing the software as a penalty for nonpayment or disputes in payment. Access codes should be required for remote monitoring and
maintenance.

Answer 495

A

b. A macro virus is associated with a word processing file, which can damage the computer system. Macro viruses pass through the firewall with ease because they are usually passed on as either an email message or simply downloaded as a text document. The macro virus represents a significant threat because it is difficult to detect. A macro virus consists of instructions in Word Basic, Visual Basic for applications, or some other macro languages, and resides in documents. Any application that supports macros that automatically execute is a potential platform for macro viruses. Now, documents are more widely shared through networks and the Internet than via disks.

Answer 496

A

a. Because the discretionary access control system restricts access based on identity, it carries with it an inherent flaw that makes it vulnerable to Trojan horse attacks. Most programs that run on behalf of a user inherit the discretionary access control rights of that user.

Answer 497

A

c. Virus checkers monitor computers and look for malicious code. A problem is that virus-checking programs need to be installed at each computer, workstation, or network, thus duplicating the software at extra cost. The best place to use the virus-checking programs is to scan
e-mail attachments at the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.

Answer 498

A

d. In cross-site scripting (XSS) flaws, the Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

Answer 499

A

c. Virus writers use a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes and to evade detection. The other three choices do not deal with the transformation process.

Answer 500

A

d. A security kernel is defined as hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implements the reference monitor concept. A security kernel cannot achieve process isolation. Techniques such as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual mapping are used to employ the process isolation or separation principle. These separation principles are supported by incorporating the principle of least privilege.

Answer 501

A

d. Organizations should identify which individuals or groups can assist in infection identification efforts. Desktop administrators are good at identifying changes in login scripts along with Windows Registry or file scans, and good at implementing changes in login scripts. The roles of the other three administrators are different from
separation of duties, independence, and objectivity viewpoints.

Answer 502

A

b. Software patching, being one of reactive (detective)
countermeasures, is mostly done after vulnerability or
programming/design error is discovered. These reactive methods have no hope of preventing fast-spreading worms or worms that use zero day exploits to carry out their attacks. The other three choices are examples of proactive (preventive) countermeasures. Integrity checkers keep cryptographic hashes of known good instances of files so that integrity comparisons can be made at any time. Host firewalls enforce rules that define the manner
in which specific applications may use the network. Stateful firewalls keep track of network connections and monitor their state.

Answer 503

A

c. It is a common practice for some organizations to certify all removable media disks coming into the organization from outside prior to their use. This is done by a centralized group for the entire location and requires testing the disk for possible inclusion of viruses. The other three choices are effective as internal protection mechanisms against viruses.

Answer 504

A

c. Passwords are administrative controls; although, access controls are technical controls. Access controls include discretionary access controls and mandatory access controls. An audit trail is the collection of data that provides a trace of user actions, so security events can be traced to the actions of a specific individual. To fully implement an audit trails program, audit reduction and analysis tools
are also required. Least privilege is a concept that deals with limiting damage through the enforcement of separation of duties. It refers to the principle that users and processes should operate with no more privileges than those needed to perform the duties of the role they are currently assuming.

Answer 505

A

b. The goal of work factor principle is to increase an attacker’s work factor in breaking an information system or a network’s security features. The amount of work required for an attacker to break the system or network (work factor) should exceed the value that the attacker would gain from a successful compromise. Various variables such as cost and benefit; effort; value (negative and positive); time; tools and techniques; gains and losses; knowledge, skills, and abilities
(KSAs); and risks and opportunities involved in a successful
compromise of security features must be balanced.
The principle of compromise recording means computer or manual records and logs should be maintained so that if a compromise does occur, evidence of the attack is available. The recorded information can be used to better secure the host or network in the future and can assist in identifying and prosecuting attackers. The principle of psychological acceptability encourages the routine and correct use of protection mechanisms by making them easy to use,
thus giving users no reason to attempt to circumvent them. The security mechanisms must match the user’s own image of protection goals. The principle of least common mechanism requires the minimal sharing of mechanisms either common to multiple users or depended upon by all users. Sharing represents possible communications paths between subjects used to circumvent security policy.

Answer 506

A

d. Certifications performed on applications under development are interleaved with the system development process. Certification and accreditation needs must be considered in the validation, verification, and testing phases employed throughout the system development process (i.e., development and implementation). It does not address the operation/maintenance phase.

Answer 507

A

d. The major outputs from the implementation (testing) phase include the security evaluation report and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, and acceptance). Security features are tested to see if they work and are then certified.

Answer 508

A

c. System testing, which is a part of implementation, is
important to determine whether internal controls and security controls are operating as designed and are in accordance with established policies and procedures.
In the prototyping environment, there is a tendency to compress system initiation, definition, design, programming, and training phases. However, the testing phase should not be compressed so much for quality reasons. By definition, prototyping requires some compression of activities and time due to the speedy nature of the prototyping development methodology without loss of the main features, functions, and quality.

Answer 509

A

a. Managers still need to define what they want from the system, some assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still required. The difference may be
in the way activities are accomplished. The tools, techniques, methods, and approaches used in the prototype development project and traditional system development project are different.

Answer 510

A

c. Each test program involves preparing the executable program, executing it, and deleting it. This saves space on mass storage and generates a complete log. This approach is recommended for debugging and validating purposes. Read, insert, and delete include the transfer of all rows from Table A to Table B in that a table is read, inserted, and deleted. A source program is precompiled, linked, and
compiled to become an object or executable program. A source program is tested (errors discovered), debugged (errors removed), and logged for review and further action.

Answer 511

A

c. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. These interrelated systems include not only those owned and managed by the organization, but also the external
systems with which they interface. Unit test is incorrect because its purpose is to verify that the smallest
defined module of software (i.e., individual subprograms, subroutines, or procedures) works as intended. These modules are internal to an organization. Integration test is incorrect because its purpose is to verify that units of software, when combined, work together as intended. Typically, a number of software units are integrated or linked together to form an application. Again, this test is performed internally in an organization. System acceptance test is incorrect because its purpose is to verify that the complete system satisfies specified requirements and is acceptable to end users.

Answer 512

A

b. A test tool cannot guarantee error-free software; it is neither a cure-all nor a silver bullet. For some, it may give a false sense of security. The test tool still requires careful planning, time, effort, and experience from which it can use and benefit.

Answer 513

A

c. Errors are made in several places and times: (i) when source code is developed, (ii) when modules are initially written, (iii) when an enhancement is being added to a module, (iv) when another error is fixed, and (v) when code is being moved from one module to another.
Software configuration management products have a backtracking feature to correct these types of errors. The product should list the exact source code changes that make up each build. Then, these changes are examined to identify which one can create the new error.
The concept of check-in/check-out software enables multiple developers to work on a project without overwriting one another’s work. It is a fundamental method of preventing errors from being included or reintroduced into software modules.

Answer 514

A

c. The test repository consists of test plans, test cases, test procedures, test requirements, and test objectives maintained by the software test manager. Because of the concentrated work products, the test repository needs a higher level of security protection from unauthorized changes. Test procedures, test cases, and test plans are part of test repository.

Answer 515

A

b. An unattended computer terminal represents a severe security violation. An unauthorized user could seize the opportunity to access sensitive data. The data could be copied, deleted, added to, or modified. An intruder can also use this occasion to modify executable files. A virus, Trojan horse, or a password-sniffing program could easily be slipped onto the system in no time. Security logic that detects an idle terminal is needed. Unattended computer operations are incorrect because they represent a situation where most of computer operational tasks are performed by machines (robots) and less with people. Unattended software testing is incorrect because testing is conducted by automated test tools without a person watching the testing process. The test tool continues running the test sessions by replaying one or
more test scripts. It handles unforeseen circumstances gracefully. Unattended facsimile machine is incorrect because it can lead to social engineering attacks. The unattended computer operations, software testing, and facsimile machine pose less risk than the unattended computer terminal.

Answer 516

A

c. Fan-in and fan-out are based on program coupling. Fan-in is a count of the number of modules that call a given module, and fan-out is a count of the number of modules that are called by a given module. Both fan-in and fan-out measure program complexity. Check-in and check-out are program change controls where documents or data/program files will have a check-in or check-out indicator in
system libraries to prevent their concurrent use by programmers and
computer programs.

Answer 517

A

c. A reusable library can improve software productivity and quality by increasing the efficient reuse of error-free code for both new and modified application software. “Who owns the reusable code?” is a legal question that requires a careful answer due to difficulty in tracing to the original author of the software. A test library is incorrect because it is where the new software is developed or the existing software is modified. A quality assurance library is incorrect because it is a staging area where final quality reviews and production setup procedures take place. A production
library is incorrect because it is the official place where operational programs reside and execute to process data. Data ownership rights in these three libraries (test, quality assurance, and production) are clear and traceable to the author(s).

Answer 518

A

d. The big-bang approach puts all the units or modules together at once, with no stubs or drivers. In it, all the program units are compiled and tested at once.
Top-down approach is incorrect because it uses stubs. The actual code for lower level units is replaced by a stub, which is a throwaway code that takes the place of the actual code. Bottom-up approach is incorrect because it uses drivers. Units at higher levels are replaced by drivers that emulate the procedure calls. Drivers are also a form of throwaway code. Sandwich approach is incorrect because it uses a combination of top-down (stubs) and bottom-up (drivers) approaches.

Answer 519

A

d. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, whereas the other members ask questions and make comments about technique, style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal. Inspections are incorrect because they are an evaluation technique in which application software requirements, design, code, or other products are examined by a person or group other than the author to detect faults, violations of development standards, and other problems. Inspections are more formal than walkthroughs.
Traceability analysis is incorrect because it is the process of verifying that each specified requirement has been implemented in the design/code, that all aspects of the design/code have their basis in the specified requirements, and that testing produces results compatible with the specified requirements. Traceability analysis is more formal than walkthroughs. Reviews are incorrect because a review is a meeting at which the requirements, design, code, or other products of software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. Reviews are more formal than walkthroughs.

Answer 520

A

d. An inspection is an evaluation technique in which software requirements, design, code, or other products are examined by a person or group, other than the author, to detect faults, violations of development standards, and other problems. Input/output description errors are detected in the interface testing phase. The type of errors
detected in inspections includes incomplete requirements errors, infeasible requirements errors, and conflicting requirements errors.

Answer 521

A

a. The purpose of decision tables is to provide a clear and coherent analysis of complex logical combinations and relationships. This method uses two-dimensional tables to concisely describe logical relationships between Boolean program variables (for example, AND and OR). Advantages of decision tables include (i) their conciseness and tabular nature enables the analysis of complex logical combinations expressed in code and (ii) they are potentially executable
if used as specifications. Disadvantages include that they require tedious effort. The requirements analysis, which is a part of initiation phase, is the best place to use the decision table.

Answer 522

A

a. Data-flow diagrams are used to describe the data flow through a program in a diagrammatic form. They show how data input is transformed to output, with each stage representing a distinct transformation. The diagrams use three types of components:
Annotated bubbles represent transformation centers, and the annotation specifies the transformation.
Annotated arrows represent the data flow in and out of the transformation centers; annotations specify what the data is.
Operators (AND and OR) link the annotated arrows.
Data-flow diagrams describe only data and should not include control or sequencing information. Each bubble can be considered a black box that, as soon as its inputs are available, transforms them to outputs. Each bubble should represent a distinct transformation, whose output
is somehow different from its input.

Answer 523

A

c. In desk-checking, programming code is read by an expert, other than the author of the code, who performs any of the following: (i) looking over the code for obvious defects, (ii) checking for correct procedure interfaces, (iii) reading the comments to develop a sense of
what the code does and then comparing it to its external specifications, (iv) comparing comments to design documentation, (v) stepping through with input conditions contrived to exercise all paths including those not directly related to the external specifications, (vi) checking
for compliance with programming standards and conventions, or (vii) any combination of these. As can be seen, desk-checking is a technical exercise performed by programmers.

Answer 524

A

a. The purpose of a finite state machine (FSM) is to define or implement the control structure of a system. Many systems can be defined in terms of their states, inputs, and actions. By defining a system’s actions for each input in every state, you can completely define a system. The resulting model of the system is an FSM, which can detect incomplete or inconsistent requirements
specifications.

Answer 525

A

c. The purpose of mutation analysis is to determine the
thoroughness with which a program has been tested and, in the process, detect errors. This procedure involves producing a large set of version or mutation of the original program, each derived by altering a single element of the program (for example, changing an operator,
variable, or constant). Each mutant is then tested with a given collection of test data sets. Because each mutant is essentially different from the original, the testing should demonstrate that each is different. If each of the outputs produced by the mutants differs from the output
produced by the original program and from each other, then the program is considered adequately tested and correct. Mutation analysis requires good automated tools to be effective.

Answer 526

A

c. Sensitivity analysis is a new method of quantifying ultra reliable software during the implementation phase. It is based on a fault-failure model of software and is based on the premise that software testability can predict the probability that failure occurs when a fault exists given a particular input distribution. A sensitive location is one in which faults cannot hide during testing. The internal states are disturbed to determine sensitivity. This technique requires instrumentation of the code and produces a count of the total executions through an operation, an infection rate estimate, and a propagation analysis.

Answer 527

A

c. The purpose of boundary-value analysis is to detect and remove errors occurring at parameter limits or boundaries. The input domain of the program is divided into a number of input classes. The tests should cover the boundaries and extremes of the classes. The tests check that the boundaries of the input domain of the specification coincide with those in the program. Test cases should also be designed to force the output to its extreme values. If possible, a test case that causes output to exceed the specification boundary values should be specified. If
output is a sequence of data, special attention should be given to the first and last elements and to lists containing zero, one, and two elements.

Answer 528

A

c. The purpose of error-seeding is to determine whether a set of test cases is adequate. Some known error types are inserted into the program, and the program is executed with the test cases under test conditions. If only some of the seeded errors are found, the test case set is not adequate. One can estimate the number of errors remaining by subtracting the number of real errors found from the total number of real errors. The remaining test effort can then be estimated. If all the seeded errors are found, this indicates that either the test case set is adequate or that the seeded errors were too easy to find.

Answer 529

A

a. The purpose of formal methods is to check whether software fulfills its intended function. It involves the use of theoretical and mathematical models to prove the correctness of a program without executing it. The requirements should be written in a formal specification language (for example, VDM and Z) so that these requirements can then be verified using a proof of correctness. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. A number of assertions are stated at various locations in the program and are used as pre- and post conditions to various paths in the program. The proof consists of showing that the program transfers the pre-conditions into the post conditions according to a set of logical rules, and that the program terminates.

Answer 530

A

a. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier’s interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements are selected. A prototype is built using high-level tools and is evaluated against the customer’s
criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements of the system.
A review is a meeting at which the requirements, design, code, or other products of a software development project are presented to the user, sponsor, or other interested parties for comment and approval, often as a prerequisite for concluding a given phase of the software development process. A review is usually held at the end of a phase,
but it may be called when problems arise.
Simulation is used to test the functions of a software system, together with its interface to the real environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A walkthrough is an evaluation technique in which a designer or programmer leads one or more other members of the development team through a segment of design or code, whereas the other members
ask questions and make comments about technique and style, and identify possible errors, violations of development standards, and other problems. Walkthroughs are similar to reviews but are less formal.

Answer 531

A

d. The purpose of prototyping is to check the feasibility of implementing a system against the given constraints and to communicate the specifier’s interpretation of the system to the customer to locate misunderstandings. A subset of system functions, constraints, and performance requirements are selected. A prototype is built using high-level tools and is evaluated against the customer’s
criteria; the system requirements may be modified as a result of this evaluation. Usually, prototyping is used to define user requirements and design of the system. Simulation or modeling is used to test the functions of a software system, together with its interface to the real
environment, without modifying the environment in any way. The simulation may be software only or a combination of hardware and software. A model of the system to be controlled by the actual system under test is created. This model mimics the behavior of the controlled
system and is for testing purposes only. Although prototyping and simulation can be used in the system maintenance phase, the payback would be less than the development phase. Usually, the scope of system maintenance can be small and minor, making it cost-prohibitive to the use of prototyping and simulation techniques.

Answer 532

A

b. Adherence to a common standard ensures the interoperability of software components. Extensive testing is required to ensure that software components can communicate effectively in both single processor and distributed processing environments. In a networked environment, it must be remembered that, when any
component is added or replaced/upgraded, a large number of tests have to be run to ensure that the integrity and performance of the network has been retained. Therefore, tests must be repeatable and well documented. Hence, regression tests are necessary. In load testing, many combinations and permutations of workload
patterns can be imposed on the components of a networked configuration. Although it would be difficult, if not impossible, to test them all, a thorough analysis of the expected workload is required to identify the most likely traffic patterns for this testing procedure. By their nature, networked systems provide a great number of
opportunities for violating system security. This is especially true when security levels are not uniformly imposed throughout a configuration made of multiple, interconnected local-area networks. Systemwide
security testing is required to identify any security fault that may have been overlooked in the integrated system design.

Answer 533

A

c. Resiliency testing measures durability of the system. In functional testing, correctness of system operation under normal operating conditions is demonstrated. In performance testing, system throughput and response times under varying load conditions are demonstrated. In recovery testing, the ability of the system to resume
operating after partial or total system failure is determined. Both the system and individual components are tested to determine the ability to operate within the fallback and recovery structure established for the system.

Answer 534

A

a. Integration testing is the cutoff point for the development project, and, after integration, it is labeled the back end. Integration is the development phase in which various parts and components are integrated to form the entire software product, and, usually after integration, the product is under formal change control. Specifically,
after integration testing, every change of the software must have a specific reason and must be documented and tracked. It is too early to have a formal change control mechanism during unit testing because of constant changes to program code. It is too late to have a formal change control mechanism after completing system and acceptance
testing.

Answer 535

A

d. A system development life cycle moves through the unit test, integration test, system test, and acceptance test in that sequence. Programmers perform both the unit test and integration tests, whereas system testing is conducted jointly between users and programmers. End users and production operations staff, from their own viewpoint, perform acceptance testing. The quality of a computer system is enhanced if this sequence is followed during software testing.

Answer 536

A

c. Activity logs contain a record of all the test cases executed. Incident reports show a priority assigned to test problems during test execution. All incidents logged should be resolved within a reasonable time. Software versioning controls the program source versions to ensure that there is no duplication or confusion between multiple versions.
Test cases and test documentation are incorrect because test cases contain a listing of all possible tests to be executed with their associated data and test documentation includes test plans, test objectives, and approaches.
Test summaries and test execution reports are incorrect because test summary is a brief description of what is changing. Key words are used so that project personnel reading the log can scan for items that may affect their work. Test execution reports show a status of software
testing execution to management with summary information. Test cases rejected and test cases accepted are incorrect because they simply list what test cases were rejected or accepted. The documents such as test cases, test documentation, test summaries, test execution
reports, and test cases rejected and accepted do not have the same monitoring and controlling effect as do the documents such as activity logs, incident reports, and software versioning.

Answer 537

A

a. Integration testing is conducted when software units are integrated with other software units or with system components. Its objective is to test the interfaces among separately tested program units. Software integration tests check how the units interact with other software (for example, libraries) and hardware. Integration testing is in the middle; it is neither unit testing nor system testing. The approach to integration testing varies such as top-down, bottom-up, a combination of top-down and bottom-up (sandwich), or all-at-once (big-bang) approaches. Due to a variety of ways, integration testing can be conducted and because there is no base document such as specifications to rely upon for testing creates difficulty in understanding the objectives of integration testing clearly. Unit testing and module testing are incorrect because they are best understood of all. Unit testing is the same as module testing. Unit/module test cases are derived from the detailed design documentation of the unit. Each unit or module has a defined beginning and ending and deals with specific inputs and outputs. Boundaries are also well defined. System testing is incorrect because it is better understood than integration testing. End users know what they expect from the system because it is based on functional instead of structural knowledge. System test cases are derived from the requirements specification document.

Answer 538

A

a. Functional decomposition works best when the system requirements are completely understood by the software developer or the end user. The waterfall model works with the functional decomposition principle. It assumes that system requirements can be defined thoroughly, and that end users know exactly what they wanted from the system. Incremental and evolutionary development models are incorrect because successive versions of the system are developed reflecting
constrained technology or resources. Requirements are added in a layered manner. Rapid prototyping model is incorrect because it is quite opposite to the
waterfall model. That is, it is good when requirements are not fully understood by both parties. Due to the iterative process, the specification-to-customer feedback cycle time is reduced, thus producing early versions of the system.

Answer 539

A

c. An application software test log has several benefits. Reporting problems for the sake of reporting/compliance to a policy or a procedure is the least beneficial. What is done with the report is more important than just reporting. The other three choices are incorrect because they are the most important benefits. The log shows a record of all problems encountered during testing so events can be traced for
verification. The log can also be used as a training tool for new testers because the log shows what happened in the past. Most of all, the log indicates what the tester did or did not do during testing. It forces testers to document the actions or decisions taken place during testing.

Answer 540

A

a. Stress testing involves the response of the system to extreme conditions (for example, with an exceptionally high workload over a short span of time) to identify vulnerable points within the software and to show that the system can withstand normal workloads. Examples of testing conditions that can be applied during stress testing include the following: (i) if the size of the database plays an important
role, then increase it beyond normal conditions, (ii) increase the input changes or demands per time unit beyond normal conditions, (iii) tune influential factors to their maximum or minimal speed, and (iv) for the most extreme cases, put all influential factors to the boundary conditions at the same time. Stress testing can detect design errors related to full-service requirements of system and errors in planning defaults when system is overstressed. Conversion testing is incorrect because it determines whether old data files and record balances are carried forward accurately, completely,
and properly to the new system. Performance testing is incorrect because it measures resources required such as memory and disk and determines system response time. Regression testing is incorrect because it verifies that changes do not introduce new errors.

Answer 541

A

b. The notion of software component reuse has been developed with the invention of object-oriented development approach. After the design model has been created, the software developer browses a library, or repository, that contains existing program components to
determine if any of the components can be used in the design at hand. If reusable components are found, they are used as building blocks to construct a prototype of the software. The waterfall model is incorrect because it takes a linear, sequential view of the software engineering process. The waterfall method is another name for the classic software development life cycle. The prototype model is incorrect because it is a process that enables the developer to create a model of the software built in an evolutionary manner. The spiral model is incorrect because it is another type of evolutionary model. It has been developed to provide the best feature of both the classic life cycle approach and prototyping. None of these three choices provide for software reuse.

Answer 542

A

a. Security categorization standards provide a common
framework for expressing security needs. Categorization is based on an assessment of the potential impact (i.e., low, moderate, or high) that a loss of confidentiality, integrity, or availability of information systems would have on organizational operations, organizational assets, or individuals. It is a task performed in the initiation phase.

Answer 543

A

d. Configuration management and control ensures adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. It is a task performed in the operation/maintenance phase.

Answer 544

A

d. Continuous monitoring ensures that controls continue to be effective in their application through periodic testing and evaluation. It is a task performed in the operation/maintenance phase.

Answer 545

A

b. Local threats in Windows XP systems include boot process, unauthorized local access, and privilege escalation. A boot process threat results when an unauthorized individual boots a computer from third-party media (for example, removable drives and universal serial bus [USB] token storage devices), which permits the attacker to circumvent operating system security measures. An unauthorized local-access threat results when an individual who is not permitted to access a computer system gains local access. A privilege escalation threat results when an authorized user with normal user-level rights escalates the account’s privileges to gain administrator-level access. Remote threats in Windows XP systems include network services, data
disclosure, and malicious payloads. A network service threat results when remote attackers exploit vulnerable network services on a computer system. This includes gaining unauthorized access to services and data, and causing a denial-of-service (DoS) condition. A data disclosure threat results when a third party intercepts confidential data sent over a network. A malicious payload threat results when malicious payloads (for example, viruses, worms, Trojan horses, and active content) attack computer systems through many vectors. System end users may accidentally trigger malicious payloads.

Answer 546

A

b. According to the open Web application security project, information from Web requests is not validated before being used by a Web application leading to vulnerability from invalidated input.

Answer 547

A

c. In denial-of-service attacks, attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

Answer 548

A

d. Improper error handling means error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

Answer 549

A

a. It is during the system requirements definition phase that the project team identifies the required controls needed for the system. The identified controls are then incorporated into the system during the design phase. When there is a choice between the system requirements definition phase and the design phase, the auditor would benefit most by participating in the former phase. The analyst does not need to participate in the program development or testing phase.

Answer 550

A

a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time, whereas the logic bomb is set to trigger at a particular condition, event, or command. The logic bomb could be a computer program or a code fragment. Computer virus is incorrect because it “reproduces” by making copies of it and inserting them into other programs. Worm is incorrect because
it searches the network for idle computing resources and uses them to execute the program in small segments. NAK (negative acknowledgment character) attack is incorrect because it is a penetration technique capitalizing on a potential weakness in an operating system that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. NAK uses binary synchronous communications where a transmission control character is sent as a negative response to data received. Here, negative response means data was not received correctly or that a command was incorrect or unacceptable.

Answer 551

A

b. A Trojan horse fits the description. It is a program that performs a useful function and an unexpected action as well as a form of virus. Trapdoor is incorrect because it is an entry point built into a program created by programmers for debugging purposes. Worm is incorrect
because it searches the network for idle computing resources and uses them to execute a program in small segments. Time bomb is incorrect because it is a part of a logic bomb, where a damaging act triggers at some period of time after the bomb is set.

Answer 552

A

b. Continuous process improvements are expected in the optimizing level of the software capability maturity model. It is enabled by quantitative feedback from the process an from piloting innovative ideas and technologies.

Answer 553

A

d. The purpose of security testing is to assess the robustness of the system’s security capabilities (for example, physical facilities, procedures, hardware, software, and communications) and to identify security vulnerabilities. All the tests listed in the question are part of system acceptance tests where the purpose is to verify that the
complete system satisfies specified requirements and is acceptable to end users. Functional test is incorrect because the purpose of functional or blackbox testing is to verify that the system correctly performs specified functions. Performance test is incorrect because the purpose of performance testing is to assess how well a system meets specified performance requirements. Examples include specified system response times under normal workloads (for example, defined transaction volumes) and specified levels of system availability and mean-times-to-repair. Stress test is incorrect because the purpose of stress testing is to analyze system behavior under increasingly heavy workloads (for example, higher transaction rates), severe operating conditions (for example, higher error rates, lower component availability rates), and, in particular, to identify points of system failure.

Answer 554

A

a. The application software prototype becoming the finished system is a major risk in prototyping unless this is a conscious decision, as in evolutionary prototyping where a pilot system is built, thrown away, another system is built, and so on. Inflated user expectations is a risk that can be managed with proper education and training. Paying attention to cosmetic details is not bad except that it wastes valuable time. The prototype model is supposed to be iterated many times because that is the best way to define and redefine user requirements and security features until satisfied.

Answer 555

A

b. Security planning ensures that agreed-upon security controls, whether planned or in place, are fully documented. It is a task performed in the
development/acquisition phase.

Answer 556

A

c. Security certification ensures that the controls are effectively implemented through established verification techniques and procedures and gives an organization confidence that the appropriate safeguards and countermeasures are in place to protect the
organization’s information systems. Security accreditation provides the necessary security authorization of an information system to process, store, or transmit information that is required. Both security
certification and accreditation tasks are performed in the
implementation phase.

Answer 557

A

b. A detailed design occurs after the general design is completed where known tasks are described and identified in a much more detailed fashion and are ready for program design and coding. This includes developing screen/program flows with specifications, input
and output file specifications, and report specifications.
The other three choices are incorrect because, by definition, they are examples of activities taking place in the general design phase. System requirements are the input to the general design where the system is viewed from top-down and where higher-level design issues are addressed. This includes (i) identifying the purpose and major functions of the system and its subsystems, (ii) defining control,
security, and audit requirements, and (iii) developing system
justification for the approval of analysis of alternative design choices.

Answer 558

A

c. Broken authentication means account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other user’s identities.

Answer 559

A

a. Buffer overflows occur when web application components (for example, common gateway interface, libraries, drivers, and Web application servers) that do not properly validate input can be crashed and, in some cases, used to take control of a process.

Answer 560

A

a. Web applications frequently use cryptographic functions to protect information and credentials in storage. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.

Answer 561

A

a. Layering, abstraction, and data hiding are part of security design architecture. The other three choices deal with security control architecture. Layering uses multiple, overlapping protection mechanisms to address the people, technology, and operational aspects of IT. Abstraction is related to stepwise refinement and modularity of
computer programs. Data hiding is closely related to modularity and abstraction and, subsequently, to program maintainability.

Answer 562

A

b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are good at identifying infected servers such as domain name system (DNS), email, and Web servers. The roles of the other three administrators are different from separation of duties, independence, and objectivity
viewpoints.

Answer 563

A

b. A reference monitor concept is an access control concept that refers to an abstract machine (computer) that mediates all accesses to objects by subjects. The five design requirements that must be met by a reference validation mechanism include (i) it must be tamperproof, (ii)
it must not be bypassed, (iii) it must always be invoked, (iv) it must be small enough to be subject to analysis and tests, and (v) it must provide confidence that the other four items are assured. The reference monitor concept is useful to any system providing multilevel secure computing facilities and controls.

Answer 564

A

B. A Trojan horse looks like an innocent and helpful program, but in the
background it is carrying out some type of malicious activity unknown to the
user. The Trojan horse could be corrupting files, sending the user’s password
to an attacker, or attacking another computer.

Answer 565

A

A. The whole purpose of an expert system is to look at the data it has to work
with and what the user presents to it and to come up with new or different
solutions. It basically performs data-mining activities, identifies patterns and
relationships the user can’t see, and provides solutions. This is the same reason
you would go to a human expert. You would give her your information, and
she would combine it with the information she knows and give you a solution
or advice, which is not necessarily the same data you gave her.

Answer 566

A

D. Some files cannot be properly sanitized by the antivirus software without
destroying them or affecting their functionality. So, the administrator must
replace such a file with a known uninfected file. Plus, the administrator
needs to make sure he has the patched version of the file, or else he could
be introducing other problems. Answer C is not the best answer because the
administrator may not know the file was clean yesterday, so just restoring
yesterday’s file may put him right back in the same boat.

Answer 567

A

B. Instantiation is what happens when an object is created from a class.
Polyinstantiation is when more than one object is made and the other copy is
modified to have different attributes. This can be done for several reasons. The
example given in the chapter was a way to use polyinstantiation for security
purposes to ensure that a lower-level subject could not access an object at a
higher level.

Answer 568

A

C. A database view is put into place to prevent certain users from viewing
specific data. This is a preventive measure, because the administrator is
preventing the users from seeing data not meant for them. This is one control
to prevent inference attacks.

Answer 569

A

A. Partitioning means to logically split the database into parts. Views then
dictate what users can view specific parts. Cell suppression means that
specific cells are not viewable by certain users. And noise and perturbation is
when bogus information is inserted into the database to try to give potential
attackers incorrect information.

Answer 570

A

A. The trick to this question, and any one like it, is that security should be
implemented at the first possible phase of a project. Requirements are gathered
and developed at the beginning of a project, which is project initiation.
The other answers are steps that follow this phase, and security should be
integrated right from the beginning instead of in the middle or at the end.

Answer 571

A

C. This can seem like a tricky question. It is asking you if the system detected
an invalid transaction, which is most likely a user error. This error should
be logged so it can be reviewed. After the review, the supervisor, or whoever
makes this type of decision, will decide whether or not it was a mistake and
investigate it as needed. If the system had a glitch, power fluctuation, hang-up,
or any other software- or hardware-related error, it would not be an invalid
transaction, and in that case the system would carry out a rollback function.

Answer 572

A

D. In a relational database, a row is referred to as a tuple, whereas a column is
referred to as an attribute.

Answer 573

A

D. The following are correct characteristics of the ACID test:
* Atomicity Divides transactions into units of work and ensures that
all modifications take effect or none take effect. Either the changes are
committed or the database is rolled back.
* Consistency A transaction must follow the integrity policy developed for
that particular database and ensure all data are consistent in the different
databases.
* Isolation Transactions execute in isolation until completed without
interacting with other transactions. The results of the modification are not
available until the transaction is completed.
* Durability Once the transaction is verified as accurate on all systems, it is
committed and the databases cannot be rolled back.

Answer 574

A

D. There are different types of tests the software should go through because
there are different potential flaws we will be looking for. The following are
some of the most common testing approaches:
* Unit testing Individual component is in a controlled environment where
programmers validate data structure, logic, and boundary conditions.
* Integration testing Verifying that components work together as outlined
in design specifications.
* Acceptance testing Ensuring that the code meets customer requirements.
* Regression testing After a change to a system takes place, retesting to
ensure functionality, performance, and protection.

Answer 575

A

B. The following outlines the common phases of the software development
life cycle:
Project initiation
Functional design analysis and planning
System design specifications
Software development
Testing
Installation/implementation
Operational/maintenance
Disposal

Answer 576

A

B. Garbage collection is an automated way for software to carry out part of its
memory management tasks. A garbage collector identifies blocks of memory
that were once allocated but are no longer in use and deallocates the blocks
and marks them as free. It also gathers scattered blocks of free memory and
combines them into larger blocks. It helps provide a more stable environment
and does not waste precious memory. Some programming languages, such
as Java, perform automatic garbage collection; others, such as C, require the
developer to perform it manually, thus leaving opportunity for error.

Answer 577

A

A. The software development models and their definitions are as follows:
* Joint Analysis Development (JAD) A method that uses a team approach
in application development in a workshop-oriented environment.
* Rapid Application Development (RAD) A method of determining user
requirements and developing systems quickly to satisfy immediate needs.
* Reuse Model A model that approaches software development by using
progressively developed models. Reusable programs are evolved by
gradually modifying pre-existing prototypes to customer specifications.
Since the Reuse model does not require programs to be built from scratch,
it drastically reduces both development cost and time.
* Cleanroom An approach that attempts to prevent errors or mistakes by
following structured and formal methods of developing and testing. This
approach is used for high-quality and critical applications that will be put
through a strict certification process.

Answer 578

A

C. Fuzz testing or fuzzing is a software testing technique that provides invalid,
unexpected, or random data to the input interfaces of a program. If the program
fails (for example, by crashing or failing built-in code assertions), the defects
can be noted.

Answer 579

A

A. The five levels of the Capability Maturity Integration Model are:
* Initial Development process is ad hoc or even chaotic. The company does
not use effective management procedures and plans. There is no assurance
of consistency, and quality is unpredictable.
* Repeatable A formal management structure, change control, and quality
assurance are in place. The company can properly repeat processes
throughout each project. The company does not have formal process
models defined.
* Defined Formal procedures are in place that outline and define processes
carried out in each project. The organization has a way to allow for
quantitative process improvement.
* Managed The company has formal processes in place to collect and
analyze quantitative data, and metrics are defined and fed into the process improvement program.
* Optimizing The company has budgeted and integrated plans for
continuous process improvement.

Answer 580

A

B. The characteristics and their associated definitions are listed as follows:
* Modularity Autonomous objects, cooperation through exchanges of
messages.
* Deferred commitment The internal components of an object can be
redefined without changing other parts of the system.
* Reusability Other programs using the same objects.
* Naturalness Object-oriented analysis, design, and modeling map to
business needs and solutions.

Answer 581

A

D. The buffer overflow is probably the most notorious of input validation
mistakes. A buffer is an area reserved by an application to store something
in it, such as some user input. After the application receives the input, an
instruction pointer points the application to do something with the input
that’s been put in the buffer. A buffer overflow occurs when an application
erroneously allows an invalid amount of input to be written into the buffer
area, overwriting the instruction pointer in the code that tells the program
what to do with the input. Once the instruction pointer is overwritten,
whatever code has been placed in the buffer can then be executed, all under
the security context of the application.

Answer 582

A

B. An object-relational database (ORD) or object-relational database
management system (ORDBMS) is a relational database with a software
front end that is written in an object-oriented programming language.
Different companies will have different business logic that needs to be carried
out on the stored data. Allowing programmers to develop this front-end
software piece allows the business logic procedures to be used by requesting
applications and the data within the database.

Answer 583

A

A. The nonpersistent cross-site scripting vulnerability is when the data
provided by a web client, most commonly in HTTP query parameters or
in HTML form submissions, are used immediately by server-side scripts
to generate a page of results for that user without properly sanitizing the
response. The persistent XSS vulnerability occurs when the data provided
by the attacker are saved by the server and then permanently displayed on
“normal” pages returned to other users in the course of regular browsing
without proper HTML escaping. DOM-based vulnerabilities occur in the
content processing stages performed by the client, typically in client-side
JavaScript.

Answer 584

A

A. The following are correct characteristics of ADO:
* It’s a high-level data access programming interface to an underlying data
access technology (such as OLE DB).
* It’s a set of COM objects for accessing data sources, not just database access.
* It allows a developer to write programs that access data without knowing
how the database is implemented.
* SQL commands are not required to access a database when using ADO.

Answer 585

A

C. A semantic integrity mechanism makes sure structural and semantic rules
are enforced. These rules pertain to data types, logical values, uniqueness
constraints, and operations that could adversely affect the structure of the
database. A database has referential integrity if all foreign keys reference
existing primary keys. There should be a mechanism in place that ensures
no foreign key contains a reference to a primary key of a nonexisting record,
or a null value. Entity integrity guarantees that the tuples are uniquely
identified by primary key values. For the sake of entity integrity, every tuple
must contain one primary key. If it does not have a primary key, it cannot be
referenced by the database.

Answer 586

A

B. Knowledge discovery in databases (KDD) is a field of study that works with
metadata and attempts to put standards and conventions in place on the way
that data are analyzed and interpreted. KDD is used to identify patterns and
relationships between data. It is also called data mining.

Answer 587

A

B. Software Configuration Management (SCM) identifies the attributes of
software at various points in time, and performs a methodical control of
changes for the purpose of maintaining software integrity and traceability
throughout the software development life cycle. It defines the need to track
changes and provides the ability to verify that the final delivered software has
all of the approved changes that are supposed to be included in the release.

Answer 588

A

D. A mashup is the combination of functionality, data, and presentation
capabilities of two or more sources to provide some type of new service or
functionality. Open APIs and data sources are commonly aggregated and
combined to provide a more useful and powerful resource.

Answer 589

A

D. A service-oriented architecture (SOA) provides standardized access to
the most needed services to many different applications at one time. This
approach allows for different business applications to access the current web
services available within the environment.

Answer 590

A

B. Web service provides the application functionality. The Web Services
Description Language describes the web service’s specifications. Universal
Description, Discovery, and Integration provides the mechanisms for web
services to be posted and discovered. The Simple Object Access Protocol
allows for the exchange of messages between a requester and provider of a
web service.

Answer 591

A

B. The characters “%20” are encoding values that attackers commonly use in
URL encoding attacks. These encoding values can be used to bypass web server
filtering rules and can result in the attacker being able to gain unauthorized
access to components of the web server. The characters “../” can be used by
attackers in similar web server requests, which instruct the web server software
to traverse directories that should be inaccessible. This is commonly referred
to as a path or directory traversal attack.

Answer 592

A

A. Client-side validation is being carried out. This procedure ensures that the
data that are inserted into the form contain valid values before being sent to
the web server for processing. The web server should not just rely upon clientside validation, but should also carry out a second set of procedures to ensure
that the input values are not illegal and potentially malicious.

Answer 593

A

B. The current architecture allows for web server software to directly
communicate with a back-end database. Brad should ensure that proper
database access authentication is taking place so that SQL injection attacks
cannot be carried out. In a SQL injection attack the attacker sends over
input values that the database carries out as commands and can allow
authentication to be successfully bypassed

Answer 594

A

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.

Answer 595

A

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad. The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services is a common component of secured systems, which can provide support for accountability, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.

Answer 596

A

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects. Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plain text into cipher text. Layering is the use of multiple security mechanisms in series.

Answer 597

A

D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources. The other statements are not related to security governance. Authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA) that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.

Answer 598

A

C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it to the goals, mission, and objectives of the organization. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.

Answer 599

A

A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve sufficient return on investment (ROI). Increased worker compliance is not a risk, but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.

Answer 600

A

A. Information Technology Infrastructure Library (ITIL) was initially crafted by the
British government for domestic use but is now an international standard, which is a set of recommended best practices for core IT security and operational processes, and is often used as a starting point for the crafting of a customized IT security solution. The other options were not crafted by the British government. ISO 27000 is a family group of international standards that can be the basis of implementing organizational security and related management practices. The Center for Internet Security (CIS) provides OS, application, and hardware security configuration guides. NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to
be performed on an ongoing basis for the support and improvement of security over time.

Answer 601

A

B. The security professional has the functional responsibility for security, including writing the security policy and implementing it. Senior management is ultimately responsible for the security maintained by an organization and should be most concerned about the protection of its assets. The custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Answer 602

A

A, B, C, E. The COBIT key principles are: Provide Stakeholder Value (C), Holistic Approach (A), Dynamic Governance System (E), Governance Distinct From Management (not listed), Tailored to Enterprise Needs (not listed), and End-to-End Governance System (B). The concept of maintaining authenticity and accountability are good security ideas, but not a COBIT key principle.

Answer 603

A

A, D. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the security effort. The other options are incorrect, they have the terms inverted. The corrected statements are as follows: Due diligence is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due care is the continued application of a security structure onto the IT infrastructure of an organization. Due diligence is knowing
what should be done and planning for it. Due care is doing the right action at the right time.

Answer 604

A

B. A policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. A standard defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. A guideline offers recommendations on how security requirements are implemented and serves as an operational guide for both
security professionals and users. III is the definition of a baseline, which was not included as a component option.

Answer 605

A

D. When confidential documents are exposed to unauthorized entities, this is described by the I in STRIDE, which represents information disclosure. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Answer 606

A

B. This scenario describes a proactive approach to threat modeling, which is also known as the defensive approach. A reactive approach or adversarial approach to threat modeling takes place after a product has been created and deployed. There is no threat modeling concept known as qualitative approach. Qualitative is typically associated with a form of risk assessment.

Answer 607

A

A, B, D. These statements are true: (A) Each link in the supply chain should be responsible and accountable to the next link in the chain; (B) Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips; and (D) Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms. The remaining option is incorrect. Even if a final product seems reasonable and performs all necessary functions, that does not provide
assurance that it is secure or that it was not tampered with somewhere in the supply chain.

Answer 608

A

D. Though not explicitly stating hardware, this scenario describes a typical and potential risk of a supply chain, that a hardware risk results in the presence of a listening mechanism in the final product. This scenario does not provide information that would indicate that the supply chain risk is focused on software, services, or data.

Answer 609

A

B. In this scenario, Cathy should void the authorization to operate (ATO) of this vendor. This situation describes the fact that the vendor is not meeting minimal security requirements which are necessary to the protection of the service and its customers. Writing a report is not a sufficient response to this discovery. You may have assumed Cathy does or does not have the authority to perform any of the other options, but there is no indication of Cathy’s position in the organization. It is reasonable for a CEO to ask the CISO to perform such an evaluation. Regardless, the report should be submitted to the CISO, not the CIO, whose focus is primarily on ensuring that information is used effectively to accomplish business objectives,
not that such use is secure. Reviewing terms and conditions will not make any difference in this scenario, as those typically apply to customers, not internal operations. And reviewing does not necessarily cause a change or improvement to insecure practices. A vendor-signed NDA has no bearing on this scenario.

Answer 610

A

A. Minimum security requirements should be modeled on your existing security policy. This is based on the idea that when working with a third party, that third party should have at least the same security as your organization. A third-party audit is when a third-party auditor is brought in to perform an unbiased review of an entity’s security infrastructure. This audit may reveal where there are problems, but the audit should not be the basis of minimum security requirements for a third party. On-site assessment is when you visit the site of the organization to interview personnel and observe their operating habits. This is not the basis for establishing minimum security requirements for a third party. Vulnerability scan results, like third-party audits, may reveal concerns, but it is not the basis for establishing minimum security requirements for a third party.

Answer 611

A

C. Process for Attack Simulation and Threat Analysis (PASTA) is a seven-stage threat modeling methodology. PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected. Visual, Agile, and Simple Threat (VAST) is a threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis. Microsoft uses a Security Development Lifecycle (SDL) with the motto “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C). STRIDE is a threat categorization scheme developed by Microsoft.

Answer 612

A

B, C, E, F, G. The five key concepts of decomposition are trust boundaries, dataflow paths, input points, privileged operations, and details about security stance and approach. Patch or update version management is an important part of security management in general; it is just not a specific component of decomposition. Determining open vs. closed source code use is not an element of decomposition.

Answer 613

A

A, B, C, D, E, F, G, H, I. All of the listed options are terms that relate to or are based on defense in depth: layering, classifications, zones, realms, compartments, silos, segmentations, lattice structure, and protection rings.

Answer 614

A

C. Detective access controls are used to discover (and document) unwanted or unauthorized activity. Preventive access controls block the ability to perform unwanted activity. Deterrent access controls attempt to persuade the perpetrator not to perform unwanted activity. Corrective access controls restore a system to normal function in the event of a failure or system interruption.

Answer 615

A

D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and use all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear.

Answer 616

A

B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.

Answer 617

A

B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering (i.e., pretending to be a technical manager) and sniffing (i.e., intercepting network traffic) are typically not considered DoS attacks. Sending message packets to a recipient who did not request them simply to be annoying may be a type of social engineering and it is definitely spam, but unless the volume of the messages is significant, it does not warrant the label of DoS.

Answer 618

A

A. Network hardware devices, including routers, function at layer 3, the Network layer.
Layer 1, the Physical layer, is where repeaters and hubs operate, not routers. The Transport
layer, layer 4, is where circuit level firewalls and proxies operate, not routers. Layer 5, the
Session layer, does not actually exist in a modern TCP/IP network, and thus no hardware
directly operates at this layer, but its functions are performed by TCP in the Transport layer,
layer 4, when sessions are in use.

Answer 619

A

D. Stateful inspection firewalls (aka dynamic packet-filtering firewall) enable the real-time modification of the filtering rules based on traffic content and context. The other firewalls listed as options—static packet filtering, application level, and circuit level—are all stateless and thus do not consider the context when applying filtering rules.

Answer 620

A

D. A virtual private network (VPN) link can be established over any network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an internet connection used by a client for access to the office LAN.

Answer 621

A

C. A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload. Viruses and logic bombs do not typically use social engineering as an element in their means of infecting a system. A worm sometimes is designed to take advantage of social engineering, such as when the worm is an executable email attachment and the message tricks the victim into opening it. However, not all worms are designed this way—this is a core design concept of a Trojan horse.

Answer 622

A

D. The components of the CIA Triad are confidentiality, availability, and integrity. The other options are not the terms that define the CIA Triad, although they are security concepts that need to be evaluated when establishing a security infrastructure.

Answer 623

A

B. Privacy is not necessary to provide accountability. The required elements of accountability, as defined in AAA services, are as follows: identification (which is sometimes considered an element of authentication, a silent first step of AAA services, or represented by IAAA), authentication (i.e., identification verification), authorization (i.e., access control), auditing (i.e., logging and monitoring), and accounting.

Answer 624

A

C. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability. Separation of duties, restricted job responsibilities, and job rotation help establish individual accountability and control access (especially to privileged capabilities), which in turn limits or restricts collusion.

Answer 625

A

B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. Senior management is ultimately responsible for the success or failure of a security endeavor. An auditor is responsible for reviewing and verifying that the security policy is properly implemented, that the derived security solutions are adequate, and that user events are in compliance with security policy. The security staff is responsible for designing, implementing, and managing the security infrastructure once approved by senior management.

Answer 626

A

C. The Managed phase (level 4) of the SW-CMM involves the use of quantitative
development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management. The Repeatable phase (level 2) is where basic lifecycle processes are introduced. The Defined phase (level 3) is where developers operate according to a set of formal, documented development processes. The Optimizing phase (level 5) is where a process of continuous improvement is achieved.

Answer 627

A

B. Layers 1 and 2 contain device drivers but are not normally implemented in practice, since they are often collapsed into layer 0. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist in the design concept, but it may exist in customized implementations.

Answer 628

A

B. The SYN flagged packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK flagged packet. The initiating host sends an ACK flagged packet, and the connection is then established. The FIN flagged packet is not used in the TCP three-way handshake to establish a session; it is used in the session teardown process.

Answer 629

A

A, C, E, F, I, J. There are six standard data type classifications used in either a government/military or a private sector organization in this list of options: public, private, sensitive, proprietary, critical, and confidential. The other options (healthy, internal, essential, certified, and for your eyes only) are incorrect since they are not typical or standard classifications.

Answer 630

A

C. The correct statement is regarding the data controller. The other statements are incorrect. The correct versions of those statements are as follows. A data owner is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A data processor is the entity that performs operations on data. A data custodian is the entity assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.

Answer 631

A

C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. Renee’s (the recipient) public key is not used in this scenario. However, it could be used to create a digital envelope to protect a symmetric session encryption key sent from Mike to Renee. Renee’s (the recipient) private key is not used in this scenario. However, it could be used if Renee becomes a sender to send Mike a digitally signed message. Mike’s (the sender) private key was used to encrypt the hash of the data to be sent to Renee, and this is what creates the digital signature.

Answer 632

A

D. In this scenario, the data is encrypted at rest with AES-256. There is no mention of encryption for transfer or processing. The data is not stored redundantly, since it is being moved, not copied, to the central data warehouse, and there is no mention of a backup.

Answer 633

A

A. The data owner is the person(s) (or entity) assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. The data controller is the entity that makes decisions about the data they are collecting. A data processor is the entity that performs operations on data on behalf of a data controller. A data custodian or steward is a subject who has been assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.

Answer 634

A

B, D. In this scenario, the data loss prevention (DLP) alerts and log analysis are the only options that would potentially include useful information in regard to an insider exfiltrating the sensitive documents. The other options are incorrect because they do not provide relevant information. Network access control (NAC) is a security mechanism to prevent rogue devices and ensure authorized systems meet minimum security configuration requirements. Syslog is a logging service used to maintain centralized real-time copies of active log files. Malware scanner reports are not relevant here since there is no suspicious or malicious code being used
but only access abuses and unauthorized file distribution. Integrity monitoring is also not relevant to this situation, since there is no indication that the documents were altered, just that they were released to the public.

Answer 635

A

C. WPA3 supports ENT (Enterprise Wi-Fi authentication, aka IEEE 802.1X) and SAE
authentication. Simultaneous authentication of equals (SAE) still uses a password, but it no longer encrypts and sends that password across the connection to perform authentication. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie–Hellman. IEEE 802.1X defines port-based network access control that ensures that clients can’t communicate with a resource until proper authentication has taken place. It’s based on Extensible Authentication Protocol (EAP) from Point-to-Point Protocol (PPP). However, this is the technology behind the label of ENT; thus, it is not an option in this scenario. IEEE 802.1q defines the use of virtual local area network (VLAN) tags and thus is not relevant to Wi-Fi authentication. Flexible Authentication via Secure Tunneling (EAP-FAST) is a Cisco protocol proposed to replace Lightweight Extensible Authentication Protocol (LEAP), which is now obsolete, thanks to the development of
WPA2, and is not supported in WPA3 either.

Answer 636

A

A, C, E, H. Biometrics are authentication factors that are based on a user’s physical attributes; they include fingerprints, voice, retina, and facial recognition. Gait is a form of biometrics, but it is not appropriate for use as authentication on a mobile device; it is used from a stationary position to monitor people walking toward or past a security point. The other options are valid authentication factors, but they are not biometrics.

Answer 637

A

B. A repair technician typically requires more than a normal level of access to perform their duties, so a privileged account for even a trusted third-party technician is appropriate. A guest account or user (normal, limited) account is insufficient for this scenario. A service account is to be used by an application or background service, not a repair technician or other user.

Answer 638

A

C. Penetration testing is the attempt to bypass security controls to test overall system security. Logging usage data is a type of auditing and is useful in the authentication, authorization, accounting (AAA) service process in order to hold subjects accountable for their actions. However, it is not a means to test security. War dialing is an attempt to locate modems and fax machines by dialing phone numbers. This process is sometimes still used by penetration testers and adversaries to find targets to attack, but it is not an actual attack or stress test itself. Deploying secured desktop workstations is a security response to the results of a penetration test, not a security testing method.

Answer 639

A

A. Auditing is a required factor to sustain and enforce accountability. Auditing is one of the elements of the AAA services concept of identification, authentication, authorizations, auditing, and accounting (or accountability). Confidentiality is a core security element of the CIA Triad, but it is not dependent on auditing. Accessibility is the assurance that locations and systems are able to be used by the widest range of people/users possible. Redundancy is the implementation of alternatives, backup options, and recovery measures and methods to avoid single points of failure to ensure that downtime is minimized while maintaining availability.

Answer 640

A

A. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO, since SLE = AV * EF. The other formulas displayed here do not accurately reflect this calculation, since they are not valid or typical risk formulas.

Answer 641

A

A. Identification of priorities is the first step of the business impact assessment process. Likelihood assessment is the third step or phase of BIA. Risk identification is the second step of BIA. Resource prioritization is the last step of BIA.

Answer 642

A

D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornadoes, wildfires, and other acts of nature. Thus options A, B, and C are correct because they are natural and not human caused.

Answer 643

A

A. Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company.

Answer 644

A

D. The issue revealed by the audit report is that one account has a password that is older than the requirements allow for; thus, correcting the password maximum age security setting should resolve this. There is no information in regard to password length, lockout, or password reuse in the audit report, so these options are not of concern in this situation.

Answer 645

A

C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. Best evidence is a form of documentary evidence, but specifically it is the original document rather than a copy or description. Parol evidence is based on a rule stating that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement. Testimonial evidence consists of the testimony of a witness’s experience, either verbal testimony in court or written testimony in a recorded deposition.

Answer 646

A

A, B. If your organization depends on custom-developed software or software products produced through outsourced code development, then the risks of that arrangement need to be evaluated and mitigated. First, the quality and security of the code needs to be assessed. Second, if the third-party development group goes out of business, can you continue to operate with the code as is? You may need to abandon the existing code to switch to a new development group. It is not true that third-party code development is always more expensive; it is often less expensive. A software escrow agreement (SEA) is not an issue that John would want to bring up as a reason to keep development in house, since a SEA is a means to reduce the risk of a third-party developer group ceasing to exist.

Answer 647

A

D. HTTPS:// is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated. SHTTP:// is for Secure HTTP, which was SSH but SHTTP is also deprecated. TLS:// is an invalid prefix. FTPS:// is a valid prefix that can be used in some web browsers, and it uses TLS to encrypt the connection, but it is for securing FTP file exchange rather than web communications.

Answer 648

A

C. The CSO in this scenario is demonstrating the need to follow the security principle of change management. Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. This scenario is not describing a BCP event. A BCP event would involve the evaluation of threats to business processes and then the creation of response scenarios to address those issues. This scenario is not describing onboarding. Onboarding is the process of integrating a new element (such as an employee or device) into an existing system of security infrastructure. Although loosely similar to change management, onboarding focuses more on
ensuring compliance with existing security policies by the new member, rather than testing updates for an existing member. Static analysis is used to evaluate source code as a part of a secure development environment. Static analysis may be used as an evaluation tool in change management, but it is a tool, not the principle of security referenced in this scenario.

Answer 649

A

D. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric
key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertions Markup Language (SAML) is used to create authentication federation (i.e. sharing) links; it is not itself a means to authenticate.

Answer 650

A

A.. The most important security concern from this list of options in relation to a CSP is the data retention policy. The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it. The number of customers and what hardware is used are not significant security concerns in comparison to data retention. Whether the CSP offers MaaS, IDaaS, and SaaS is not as important as data retention, especially if these are not services your organization needs or wants. One of the keys to answering this question is to consider the range of CSP options, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and the type of organizations that are technically CSP SaaS but that we don’t often think of as such (examples include Facebook, Google, and Amazon). These organizations absolutely have access to customer/user data, and thus, their data retention policies are
of utmost concern (at least compared to the other options provided).
AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload to minimize the amount of new code to author, but third-party software libraries are a risk because they can
introduce vulnerabilities, especially when closed source libraries are used. Thus, use of third party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option36. D. HTTPS:// is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated. SHTTP:// is for Secure HTTP, which was SSH but SHTTP is also deprecated. TLS:// is an invalid prefix. FTPS:// is a valid prefix that can be used in some web browsers, and it uses TLS to encrypt the connetion, but it is for securing FTP file exchange rather than web communications.
C. The CSO in this scenario is demonstrating the need to follow the security principle of change management. Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. This scenario is not describing a BCP event. A BCP event would involve the evaluation of threats to business processes and then the creation of response scenarios to address those issues. This scenario is not describing onboarding. Onboarding is the process of integrating a new element (such as an employee or device) into an existing system of security infrastructure. Although loosely similar to change management, onboarding focuses more on
ensuring compliance with existing security policies by the new member, rather than testing updates for an existing member. Static analysis is used to evaluate source code as a part of a secure development environment. Static analysis may be used as an evaluation tool in change management, but it is a tool, not the principle of security referenced in this scenario.
D. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric
key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertions Markup Language (SAML) is used to create authentication federation (i.e. sharing) links; it is not itself a means to authenticate.
A.. The most important security concern from this list of options in relation to a CSP is the data retention policy. The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it. The number of customers and what hardware is used are not significant security concerns in comparison to data retention. Whether the CSP offers MaaS, IDaaS, and SaaS is not as important as data retention, especially if these are not services your organization needs or wants. One of the keys to answering this question is to consider the range of CSP options, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and the type of organizations that are technically CSP SaaS but that we don’t often think of as such (examples include Facebook, Google, and Amazon). These organizations absolutely have access to customer/user data, and thus, their data retention policies are
of utmost concern (at least compared to the other options provided).

Answer 651

A

AB, C, D. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. Server-side data validation is suited for protecting a system against input submitted by a malicious user. Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. File size optimization may be efficient but is not necessarily a secure coding technique. Using third-party software libraries may reduce workload to minimize the amount of new code to author, but third-party software libraries are a risk because they can
introduce vulnerabilities, especially when closed source libraries are used. Thus, use of third party software libraries is not a secure coding technique unless the security posture of the externally sourced code is verified, which was not mentioned as an answer option.

Answer 652

A

D. Regardless of the specifics of a security solution, humans are often considered the weakest element. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. Software products, internet connections, and security policies can all be vulnerabilities or otherwise areas of security concern, but they are not considered the most common weakest element of an organization.

Answer 653

A

A. The first step in hiring new employees is to create a job description. Without a job
description, there is no consensus on what type of individual needs to be found and hired. Crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. From the job description, a determination can be made as to the education, skills, experience, and classification required by the applicant. Then a job posting can be made to request the submission of résumés. Then, candidates can be screened to see if they meet the requirements and if they have any disqualifications.

Answer 654

A

B. Onboarding is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. Reissue is a certification function when a lost certificate is provided to the user by extracting it from the escrow backup database or when a certificate is altered to extend its expiration date. Background checks are used to verify that a job applicant is qualified but not disqualified for a specific work position. A site survey is used to optimize the placement of wireless access points (WAPs) to provide reliable connectivity throughout the organization’s facilities.

Answer 655

A

B. A termination process often focuses on eliminating an employee who has become problematic, whether that employee is committing crimes or just violating company policy. Once the worker is fired, the company has little direct control over that person. So, the only remaining leverage is legal, which often relates to a nondisclosure agreement (NDA). Hopefully, reviewing and reminding the ex-employee about their signed NDA will reduce future security issues, such as confidential data dissemination. Returning the exiting employee’s personal belongings is not really an important task to protect the company’s security interests. Evaluating the exiting employee’s performance could be done via an exit interview, but that was not mentioned in this scenario. Often when an adversarial termination occurs, an
exit interview is not feasible. Canceling an exiting employee’s parking permit is not a high security priority for most organizations, at least not in comparison to the NDA.

Answer 656

A

C. Option C is correct: Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. The other statements are false. Their corrected and thus true versions would be: (A) Using service- level agreements (SLAs) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization; (B) Outsourcing can be used as a risk response option known as transference or assignment; and (D) Risk management strategies implemented by one party may in fact cause
additional risks to or from another party.

Answer 657

A

A. An asset is anything used in a business process or task. A threat is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A vulnerability is the weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. An exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.

Answer 658

A

B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment. This scenario does not relate to virus infection or unauthorized access. Equipment damaged by fire could be considered a system malfunction, but that option is not as direct as “damage to equipment.”

Answer 659

A

D. This scenario is describing the activity of performing a quantitative risk assessment. The question describes the determination of asset value (AV) as well as the exposure factor (EF) and the annualized rate of occurrence (ARO) for each identified threat. These are the needed values to calculate the annualized loss expectancy (ALE), which is a quantitative factor. This is not an example of a qualitative risk assessment, since specific numbers are being determined rather than relying on ideas, reactions, feelings, and perspectives. This is not the Delphi technique, which is a qualitative risk assessment method that seeks to reach an anonymous consensus. This is not risk avoidance, since that is an optional risk response or treatment, and this scenario is only describing the process of risk assessment.

Answer 660

A

C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. The other statements are not rules to follow. (A) The annual cost of the safeguard should not exceed the annual cost of the asset value or its potential value loss. (B) The cost of the safeguard should be less than the value of the asset. (D) There is no specific maximum percentage of a security budget for the cost of a safeguard. However, the security budget should be used efficiently to reduce overall risk to an acceptable level.

Answer 661

A

C. When controls are not cost effective, they are not worth implementing. Thus, risk acceptance is the risk response in this situation. Mitigation is the application of a control; that was not done in this scenario. Ignoring risk occurs when no action, not even assessment or control evaluation, is performed in relation to a risk. Since controls were evaluated in this scenario, this is not ignoring risk. Assignment is the transfer of risk to a third party; that was not done in this scenario.

Answer 662

A

A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS]. This is known as the cost/benefit equation for safeguards. The other options are incorrect. (B) This is an invalid calculation. (C) This is an invalid calculation. (D) This is the concept formula for residual risk: total risk – controls gap = residual risk.

Answer 663

A

A, C, D. Statements of A, C, and D are all valid definitions of risk. The other two statements are not definitions of risk. (B) Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk. (E) The presence of a vulnerability when a related threat exists is an exposure, not a risk. A risk is a calculation of the probability of occurrence and the level of damage that could be caused if an exposure is realized (i.e., actually occurs).

Answer 664

A

A. This situation is describing inherent risk. Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. The new application had vulnerabilities that were not mitigated, thus enabling the opportunity for the attack. This is not a risk matrix. A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart, such as a 3×3 grid comparing probability and damage potential. This is not a qualitative risk assessment, since this scenario does not describe any evaluation of the risk of the new code. This is not residual risk, since no controls were implemented to reduce risk. Residual risk is the leftover risk after countermeasures and safeguards are implemented in response to original
or total risk.

Answer 665

A

C. The level of RMM named Defined requires that a common or standardized risk framework be adopted organization-wide. This is effectively level 3. The first level of RMM is not listed as an option; it is ad hoc, which is the chaotic starting point. Preliminary is RMM level 2, which demonstrates loose attempts to follow risk management processes but each department may perform risk assessment uniquely. Integrated is RMM level 4, where risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions. Optimized is RMM level 5, where risk management focuses on achieving objectives rather than just
reacting to external threats, increasing strategic planning toward business success rather than just avoiding incidents, and reintegrating lessons learned into the risk management process.

Answer 666

A

B. The RMF phase 6 is Authorize whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable (or reasonable).
The phases of RMF are
(1) Prepare,
(2) Categorize,
(3) Select,
(4) Implement,
(5) Assess,
(6) Authorize,
(7) Monitor.

(A) RMF phase (2) is categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.
(C) RMF phase (5) is assess the controls
to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
(D) RMF phase (7) is monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

Answer 667

A

B, F. The leaking of company proprietary data may have been caused by the content of emails received by workers. The computers of workers who clicked links from the suspicious emails may have been infected by malicious code. This malicious code may have exfiltrated documents to the social media site. This issue could occur whether workers were on company computers on the company network, on company computers on their home network, or on personal computers on their home network (especially if the workers copied company files to their personal machines to work from home). Blocking access to social media sites and personal email services from the company network reduces the risk of this same event occurring again. For example, if the suspicious emails are blocked from being
received by company email servers and accounts, they could still be received into personal email accounts. Though not mentioned, blocking access to the malicious URLs would be a good security defense as well. This issue is not addressed by deploying a web application firewall, updating the company email server, using MFA on the email server, or performing an access review of company files. Although all of these options are good security practices in general, they do not relate specifically to this issue.

Answer 668

A

C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

(A) Education is an endeavor in which students and users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion or career advancement. Most education programs are not hosted by the employer but by training organizations or colleges or universities. Education is not provided to workers in groups based on their job positions.
(B) Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand. Although it is provided by the organization, it is not targeted to groups of workers since it applies to all
employees.
(D) Termination is usually targeted at individuals rather than groups of workers
with similar job positions. Though large layoff events might fire groups of similar workers, this option is not as accurate as training.

Answer 669

A

B, C, D. The activity described in option A is an opportunistic unauthorized access attack, which is not a social engineering attack since there was no interaction with the victim, just the opportunity when the victim walked away. The activities described in options B (hoax), C (phishing, hoax, watering hole attack), and D (vishing) are all examples of social engineering attacks.

Answer 670

A

B. The correct answer for these blanks is security champion(s). Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group’s work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. The other options are incorrect. A CISO, or chief information security officer, defines and enforces security throughout the organization. The
security auditor is the person who manages security logging and reviews the audit trails for signs of compliance or violation. The custodian is the security role that accepts assets from owners and then, based on the owner-assigned classifications, places the asset in the proper IT container where the proper security protections are provided.

Answer 671

A

D. Security awareness and training can often be improved through gamification. Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change. This can include rewarding compliance behaviors and potentially punishing violating behaviors. Many aspects of game play can be integrated into security training and adoption, such as scoring points, earning achievements or badges (i.e., earn recognition), competing with others, cooperating with others (i.e., team up with coworkers), following a set of common/standard rules, having a defined goal, seeking rewards, developing group stories/experiences, and avoiding
pitfalls or negative game events. (A) Program effectiveness evaluation is using some means of verification, such as giving a quiz or monitoring security incident rate changes over time, to measure whether the training is beneficial or a waste of time and resources. This question starts by indicating that security incidents are on the rise, which shows that prior training was ineffective. But the recommendations to change the training are gamification focused.
(B) Onboarding is the process of adding new employees to the organization. This is not the concept being described in this scenario.
(C) Compliance enforcement is the application of sanctions or consequences for failing to follow policy, training, best practices, and/or regulation

Answer 672

A

B. As the first step of the process, the business organization analysis helps guide the remainder of the work. James and his core team should conduct this analysis and use the results to aid in the selection of team members and the design of the BCP process.

Answer 673

A

C. This question requires that you exercise some judgment, as do many questions on the CISSP exam. All of these answers are plausible things that Tracy could bring up, but we’re looking for the best answer. In this case, that is ensuring that the organization is ready for an emergency—a mission-critical goal. Telling managers that the exercise is already scheduled or required by policy doesn’t address their concerns that it is a waste of time. Telling them that it won’t be time-consuming is not likely to be an effective argument because they are already raising concerns about the amount of time requested.

Answer 674

A

C. A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place. This is an element of corporate responsibility, but that term is vague and not commonly used to describe a board’s responsibilities. Disaster requirement and going concern responsibilities are also not risk management terms.

Answer 675

A

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

Answer 676

A

A. The quantitative portion of the priority identification should assign asset values
in monetary units. The organization may also choose to assign other values to assets,
but non-monetary measures should be part of a qualitative, rather than a quantitative, assessment.

Answer 677

A

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

Answer 678

A

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

Answer 679

A

B. The single loss expectancy (SLE) is the product of the asset value (AV) and the exposure factor (EF). From the scenario, you know that the AV is $3 million and the EF is 90 percent; based on that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

Answer 680

A

D. This problem requires you to compute the annualized loss expectancy (ALE), which is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO). From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.

Answer 681

A

A. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.

Answer 682

A

C. Risk mitigation controls to address acceptable risks would not be in the BCP. The risk acceptance documentation should contain a thorough review of the risks facing the organization, including the determination as to which risks should be considered acceptable and unacceptable. For acceptable risks, the documentation should include a rationale for that decision and a list of potential future events that might warrant a reconsideration of that determination. The documentation should include a list of controls used to mitigate unacceptable risks, but it would not include controls used to mitigate acceptable risks, since acceptable risks do not require mitigation.

Answer 683

A

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!

Answer 684

A

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis. The other items listed here are all more easily quantifiable.

Answer 685

A

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

Answer 686

A

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

Answer 687

A

C. In the provisions and processes phase, the BCP team designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

Answer 688

A

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

Answer 689

A

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

Answer 690

A

A. The annualized rate of occurrence (ARO) is the likelihood that the risk will materialize in any given year. The fact that a power outage did not occur in any of the past three years doesn’t change the probability that one will occur in the upcoming year. Unless other circumstances have changed, the ARO should remain the same.

Answer 691

A

C. The Bureau of Industry and Security within the Department of Commerce sets regulations on the export of encryption products outside of the United States. The other agencies listed here are not involved in regulating exports.

Answer 692

A

A. The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the
National Institute for Standards and Technology (NIST).

Answer 693

A

D. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.

Answer 694

A

A. The California Consumer Privacy Act (CCPA) of 2018 was the first sweeping data privacy law enacted by a U.S. state. This follows California’s passing of the first data breach notification law, which was modeled after the requirements of the European Union’s General Data Protection Regulation (GDPR).

Answer 695

A

B. The Communications Assistance for Law Enforcement Act (CALEA) required that communications carriers assist law enforcement with the implementation of wiretaps when done under an appropriate court order. CALEA only applies to communications carriers and does
not apply to financial institutions, healthcare organizations, or websites.

Answer 696

A

B. The Fourth Amendment to the U.S. Constitution sets the “probable cause” standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary
access to such property. The Privacy Act regulates what information government agencies may collect and maintain about individuals. The Second Amendment grants the right to keep and bear arms. The Gramm–Leach–Bliley Act regulates financial institutions, not the federal
government.

Answer 697

A

A. Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation
because it would only protect the name and/or logo of the software, not its algorithms. Patent protection does not apply to mathematical algorithms. Matthew can’t seek trade secret protection because he plans to publish the algorithm in a public technical journal.

Answer 698

A

D. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely. Copyright and patent protection both have expiration dates and would not meet Mary and Joe’s requirements. Trademark protection is for names and logos and would not be appropriate in
this case.

Answer 699

A

C. Richard’s product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and
Richard can begin using the ® symbol. The © symbol is used to represent a copyright. The † symbol is not associated with intellectual property protections.

Answer 700

A

A. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances. The Electronic Communications Privacy Act (ECPA) implements safeguards against electronic eavesdropping. The Health Insurance Portability and Accountability Act (HIPAA) regulates the protection and sharing of health records. The Gramm–Leach–Bliley Act requires that financial institutions
protect customer records.

Answer 701

A

D. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate
rules would also be an option. The EU/US Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but that is no longer valid. Privacy Lock is a made-up term.

Answer 702

A

A. The Children’s Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age
of 13 before any information is collected (other than basic information required to obtain that consent).

Answer 703

A

D. Although state data breach notification laws vary, they generally apply to Social Security numbers, driver’s license numbers, state identification card numbers, credit/debit card numbers, and bank account numbers. These laws generally do not cover other identifiers,
such as a student identification number.

Answer 704

A

B. Organizations subject to HIPAA may enter into relationships with service providers as long as the provider’s use of protected health information is regulated under a formal business associate agreement (BAA). The BAA makes the service provider liable under HIPAA.

Answer 705

A

B. Cloud services almost always include binding click-through license agreements that the user may have agreed to when signing up for the service. If that is the case, the user may have bound the organization to the terms of that agreement. This agreement does not need to be in
writing. There is no indication that the user violated any laws.

Answer 706

A

B. The Gramm–Leach–Bliley Act (GLBA) provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.

Answer 707

A

C. U.S. patent law provides for an exclusivity period of 20 years beginning at the time a utility patent application is submitted to the Patent and Trademark Office.

Answer 708

A

C. Ryan does not likely need to be concerned about HIPAA compliance because that law applies to healthcare organizations and Ryan works for a financial institution. Instead, he should be more concerned about compliance with the Gramm–Leach–Bliley Act (GLBA). The
other concerns should all be part of Ryan’s contract review.

Answer 709

A

C. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.

Answer 710

A

D. Copyright protection generally lasts for 70 years after the death of the last surviving author of the work

Answer 711

A

B. Data classifications provide strong protection against the loss of confidentiality and are the best choice of the available answers. Data labels and proper data handling are based on first identifying data classifications. Data degaussing methods apply only to magnetic media.

Answer 712

A

D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won’t protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite or offsite backups are destroyed, security is sacrificed by risking availability.

Answer 713

A

B. Destruction is the final stage in the lifecycle of backup media. Because the backup method is no longer using tapes, they should be destroyed. Degaussing and declassifying the tape is
done if you plan to reuse it. Retention implies you plan to keep the media, but retention is not needed at the end of its lifecycle.

Answer 714

A

C. The data owner is the person responsible for classifying data. A data controller decides what data to process and directs the data processor to process the data. A data custodian protects the integrity and security of the data by performing day-to-day maintenance. Users simply access the data.

Answer 715

A

A. The data custodian is responsible for the tasks of implementing the protections defined by the security policy and senior management. A data controller decides what data to process and how. Data users are not responsible for implementing the security policy protections. A
data processor controls the processing of data and only does what the data controller tells them to do with the data.

Answer 716

A

D. The company can implement a data collection policy of minimization to minimize the amount of data they collect and store. If they are selling digital products, they don’t need the physical address. If they are reselling products to the same customers, they can use tokenization to save tokens that match the credit card data, instead of saving and storing credit card
data. Anonymization techniques remove all personal data and make the data unusable for reuse on the website. Pseudonymization replaces data with pseudonyms. Although the process can be reversed, it is not necessary.

Answer 717

A

B. Security labeling identifies the classification of data such as sensitive, secret, and so on. Media holding sensitive data should be labeled. Similarly, systems that hold or process sensitive data should also be marked. Many organizations require the labeling of all systems
and media, including those that hold or process non sensitive data.

Answer 718

A

B. A data subject is a person who can be identified by an identifier such as a name, identification number, or other PII. All of these answers refer to the General Data Protection Regulation (GDPR). A data owner owns the data and has ultimate responsibility for protecting it. A data controller decides what data to process and how it should be processed. A data
processor processes the data for the data controller.

Answer 719

A

B. Personnel did not follow the record retention policy for the backups sent to the warehouse. The scenario states that administrators purge onsite emails older than six months to comply with the organization’s security policy, but the leak was from emails sent over three years ago. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning applies to applications, not backup tapes.

Answer 720

A

D. Record retention policies define the amount of time to keep data, and laws or regulations often drive these policies. Data remanence is data remnants on media, and proper data destruction procedures remove data remnants. Laws and regulations do outline requirements for some data roles, but they don’t specify requirements for the data user role.

Answer 721

A

D. Purging is the most reliable method among the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. It ensures there isn’t any data remanence. Erasing or deleting processes rarely remove the data from media but instead mark it for deletion. Solid-state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn’t destroy data.

Answer 722

A

A. Overwriting the disks multiple times will remove all existing data. This is called purging, and purged media can then be used again. Formatting the disks isn’t secure because it doesn’t typically remove the previously stored data. Degaussing the disks often damages the electronics but doesn’t reliably remove the data. Defragmenting a disk optimizes it, but it doesn’t remove data.

Answer 723

A

D. Systems with an EOS date that occurs in the following year should be a top priority for replacement. The EOS date is the date that the vendor will stop supporting a product. The EOL date is the date that a vendor stops offering a product for sale, but the vendor continues
to support the product until the EOS date. Systems used for data loss prevention or to process sensitive data can remain in service.

Answer 724

A

D. Purging memory buffers removes all remnants of data after a program has used it. Asymmetric encryption (along with symmetric encryption) protects data in transit. The data is already encrypted and stored in the database. The scenario doesn’t indicate that the program
modified the data, so there’s no need to overwrite the existing data in the database. Data loss prevention methods prevent unauthorized data loss but do not protect data in use.

Answer 725

A

A. Symmetric encryption methods protect data at rest, and data at rest is any data stored on media, such as a server. Data in transit is data transferred between two systems. Data in use is data in memory that is used by an application. Steps are taken to protect data from the time
it is created to the time it is destroyed, but this question isn’t related to the data lifecycle.

Answer 726

A

B. Scoping is a part of the tailoring process and refers to reviewing a list of security controls and selecting the security controls that apply. Tokenization is the use of a token, such as a random string of characters, to replace other data and is unrelated to this question. Note that scoping
focuses on the security of the system and tailoring ensures that the selected controls align with the organization’s mission. If the database server needs to comply with external entities, it’s appropriate to select a standard baseline provided by that entity. Imaging is done to deploy an identical configuration to multiple systems, but this is typically done after identifying security controls.

Answer 727

A

A. Tailoring refers to modifying a list of security controls to align with the organization’s mission. The IT administrators identified a list of security controls to protect the web farm during the scoping steps. Sanitization methods (such as clearing, purging, and destroying) help ensure that data cannot be recovered and is unrelated to this question. Asset classification identifies the classification of assets based on the classification of data the assets hold or process. Minimization refers to data collection. Organizations should collect and maintain only the data they need.

Answer 728

A

A. A cloud access security broker (CASB) is software placed logically between users and cloud-based resources, and it can enforce security policies used in an internal network. Data loss prevention (DLP) systems attempt to detect and block data exfiltration. CASB systems
typically include DLP capabilities. Digital rights management (DRM) methods attempt to provide copyright protection for copyrighted works. End-of-life (EOL) is generally a marketing term and indicates when a company stops selling a product.

Answer 729

A

B. Network-based data loss prevention (DLP) systems can scan outgoing data and look for specific keywords and/or data patterns. DLP systems can block these outgoing transmissions. Antimalware software detects malware. Security information and event management (SIEM)
provides real-time analysis of events occurring on systems throughout an organization but doesn’t necessarily scan outgoing traffic. Intrusion prevention systems (IPSs) scan incoming traffic to prevent unauthorized intrusions.

Answer 730

A

B, C, D. Persistent online authentication, automatic expiration, and a continuous audit trail are all methods used with digital rights management (DRM) technologies. Virtual licensing isn’t a valid term within DRM

Answer 731

A

A, D. Keys must be long enough to withstand attack for as long as the data is expected to remain sensitive. They should not be generated in a predictable way but, rather, should be randomly generated. Keys should be securely destroyed when they are no longer needed and not indefinitely retained. Longer keys do indeed provide greater security against brute force attacks.

Answer 732

A

A. Nonrepudiation prevents the sender of a message from later denying that they sent it. Confidentiality protects the contents of encrypted data from unauthorized disclosure. Integrity protects data from unauthorized modification. Availability is not a goal of cryptography.

Answer 733

A

B. The strongest keys supported by the Advanced Encryption Standard are 256 bits. The valid AES key lengths are 128, 192, and 256 bits.

Answer 734

A

D. The Diffie–Hellman algorithm allows the exchange of symmetric encryption keys between two parties over an insecure channel.

Answer 735

A

A, D. Confusion and diffusion are two principles underlying most cryptosystems. Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key. Diffusion occurs when a change in the plaintext results in multiple changes spread throughout the ciphertext.

Answer 736

A

B, C, D. AES provides confidentiality, integrity, and authentication when implemented properly. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message and cannot be achieved with a symmetric cryptosystem, such as AES.

Answer 737

A

D. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks. All other cryptosystems, including transposition ciphers, substitution ciphers, and even AES, are vulnerable to attack, even if no attack has yet been discovered.

Answer 738

A

B, C, D. The encryption key must be at least as long as the message to be encrypted. This is because each key element is used to encode only one character of the message. The three other facts listed are all characteristics of one-time pad systems.

Answer 739

A

C. In a symmetric cryptosystem, a unique key exists for each pair of users. In this case, every key involving the compromised user must be changed, meaning that the key that the user shared with each of the other 19 users must be changed.

Answer 740

A

C. Block ciphers operate on message “chunks” rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.

Answer 741

A

A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction. Therefore, James only needs to create a single symmetric key to facilitate this communication.

Answer 742

A

B. M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. M of N Control is an example of a split knowledge technique, but not all split knowledge techniques are used for key escrow.

Answer 743

A

A. An initialization vector (IV) is a random bit string (a nonce) that is the same length as the block size that is XORed with the message. IVs are used to create a unique ciphertext every time the same message is encrypted with the same key. Vigenère ciphers are an example of a substitution cipher technique. Steganography is a technique used to embed hidden messages within a binary file. Stream ciphers are used to encrypt continuous streams of data.

Answer 744

A

B. Galois/Counter Mode (GCM) and Counter with Cipher Block Chaining Message Authentication Code mode (CCM) are the only two modes that provide both confidentiality and data authenticity. Other modes, including Electronic Code Book (ECB), Output Feedback (OFB), and Counter (CTR) modes, only provide confidentiality.

Answer 745

A

D. Data that is stored in memory is being actively used by a system and is considered data in use. Data at rest is data that is stored on nonvolatile media, such as a disk. Data in motion is being actively transferred over a network.

Answer 746

A

B, C. The Advanced Encryption Standard (AES) and Rivest Cipher 6 (RC6) are modern, secure algorithms. The Data Encryption Standard (DES) and Triple DES (3DES) are outdated and no longer considered secure.

Answer 747

A

B. One important consideration when using CBC mode is that errors propagate—if one block is corrupted during transmission, it becomes impossible to decrypt that block and the next block as well. The other modes listed here do not suffer from this flaw.

Answer 748

A

C. Offline key distribution requires a side channel of trusted communication, such as in person contact. This can be difficult to arrange when users are geographically separated. Alternatively, the individuals could use the Diffie–Hellman algorithm or other asymmetric/public key encryption technique to exchange a secret key. Key escrow is a method for
managing the recovery of lost keys and is not used for key distribution.

Answer 749

A

A. The AES-256 algorithm is a modern, secure cryptographic algorithm. 3DES, RC4, and Skipjack are all outdated algorithms that suffer from significant security issues.

Answer 750

A

C. A separate key is required for each pair of users who want to communicate privately. In a group of six users, this would require a total of 15 secret keys. You can calculate this value by using the formula (n * (n – 1) / 2). In this case, n = 6, resulting in (6 * 5) / 2 = 15 keys

Answer 751

A

D. Any change, no matter how minor, to a message will result in a completely different hash value. There is no relationship between the significance of the change in the message and the significance of the change in the hash value.

Answer 752

A

B. Side-channel attacks use information gathered about a system’s use of resources, timing, or other characteristics to contribute to breaking the security of encryption. Brute-force attacks seek to exhaust all possible encryption keys. Known plaintext attacks require access to both plaintext and its corresponding ciphertext. Frequency analysis attacks require
access to ciphertext.

Answer 753

A

C. Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard’s private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard’s freely available public key. Richard could not encrypt the message using Sue’s private key because he does not have access to it. If he did, any user could decrypt it using Sue’s freely available public key.

Answer 754

A

C. The major disadvantage of the ElGamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plaintext message would yield a 4,096-bit ciphertext message when ElGamal is used for the encryption process.

Answer 755

A

A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 3,072-bit RSA key is cryptographically equivalent to a 256-bit elliptic curve cryptosystem key.

Answer 756

A

B. The SHA-2 hashing algorithm comes in four variants. SHA-224 produces 224-bit digests. SHA-256 produces 256-bit digests. SHA-384 produces 384-bit digests, and SHA512 produces 512-bit digests. Of the options presented here, only 512 bits is a valid SHA-2 hash length.

Answer 757

A

B. Sue would have encrypted the message using Richard’s public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.

Answer 758

A

D. The Secure Sockets Layer (SSL) protocol is deprecated and no longer considered secure. It should never be used. The Secure Hash Algorithm 3 (SHA-3), Transport Layer Security (TLS) 1.2, and IPsec are all modern, secure protocols and standards.

Answer 759

A

B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard’s public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.

Answer 760

A

A. Cryptographic salt values are added to the passwords in password files before hashing to defeat rainbow table and dictionary attacks. Double hashing does not provide any added security. Adding encryption to the passwords is challenging, because then the operating system must possess the decryption key. A one-time pad is only appropriate for use in
human-to-human communications and would not be practical here.

Answer 761

A

C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

Answer 762

A

B. X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.

Answer 763

A

B. Fault injection attacks compromise the integrity of a cryptographic device by causing some type of external fault, such as the application of high-voltage electricity. Implementation attacks rely on flaws in the cryptographic algorithm. Timing attacks measure the length of time consumed by encryption operations. Chosen ciphertext attacks require access to the algorithm and work by having the attacker perform encryption that results in an expected ciphertext.

Answer 764

A

C. HTTPS uses TCP port 443 for encrypted client/server communications over TLS. Port

22 is used by the secure shell (SSH) protocol. Port 80 is used by the unencrypted HTTP protocol. Port 1433 is used for Microsoft SQL Server database connections.

Answer 765

A

A. An attacker without any special access to the system would only be able to perform ciphertext-only attacks. Known plaintext and chosen plaintext attacks require the ability to encrypt data. Fault injection attacks require physical access to the facility.

Answer 766

A

A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password-cracking attacks.

Answer 767

A

B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

Answer 768

A

D. The Merkle–Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.

Answer 769

A

B. SSH2 adds support for simultaneous shell sessions over a single SSH connection. Both SSH1 and SSH2 are capable of supporting multifactor authentication. SSH2 actually drops support for the IDEA algorithm, whereas both SSH1 and SSH2 support 3DES

Answer 770

A

C. A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and option B describes an open system.

Answer 771

A

D. The most likely reason the attacker was able to gain access to the baby monitor was through exploitation of default configuration. Since there is no mention of the exact means used by the attacker in the question, and there is no discussion of any actions of installation, configuration, or security implementation, the only remaining option is to consider the defaults of the device. This is an unfortunately common issue with any device, but especially with IoT equipment connected to Wi-Fi networks. Unless malware was used in the attack, a malware scanner would not be relevant to this situation. This scenario did not mention malware. This type of attack is possible over any network type and all Wi-Fi frequency options. This scenario did not discuss frequencies or network types. There was no mention of any interaction with the parents, which was not required with a device using its default configuration.

Answer 772

A

B. The Blue Screen of Death (BSoD) stops all processing when a critical failure occurs in Windows. This is an example of a fail-secure approach. The BSoD is not an example of a fail open approach; a fail-open event would have required the system to continue to operate in spite of the error. A fail-open result would have protected availability, but typically by sacrificing confidentiality and integrity protections. This is not an example of a limit check, which is the verification that input is within a preset range or domain. Object-oriented is a type of programming approach, not a means of handling software failure.

Answer 773

A

C. A constrained process is one that can access only certain memory locations. Allowing a process to run for a limited time is a time limit or timeout restriction, not a confinement. Allowing a process to run only during certain times of the day is a scheduling limit, not a confinement. A process that controls access to an object is authorization, not confinement.

Answer 774

A

D. Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star
property of Bell–LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure. Perturbation is the use of false or misleading data in a database management system in order to redirect or thwart information confidentiality attacks. Noninterference is the concept of limiting the actions of a subject at a higher security level so that they do not affect the system state or the actions of a subject at a lower security level. If noninterference was being enforced, the writing of a file to a lower level would be prohibited, not allowed and supported. Aggregation is the act of collecting multiple pieces of non sensitive or low-value
information and combining it or aggregating it to learn sensitive or high-value information.

Answer 775

A

B. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list. Separation of duties is the division of administrative tasks into compartments or silos; it is effectively the application of the principle of least privilege to administrators. Biba is a
security model that focuses on integrity protection across security levels. Clark–Wilson is a security model that protects integrity using an access control triplet.

Answer 776

A

C. The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation. The other options do not have this feature. The Graham–Denning model is focused on the secure creation and deletion of
both subjects and objects. The Harrison–Ruzzo–Ullman (HRU) model focuses on the assignment of object access rights to subjects as well as the integrity (or resilience) of those assigned rights. The Brewer and Nash model was created to permit access controls to change dynamically based on a user’s previous activity.

Answer 777

A

C. The three parts of the Clark–Wilson model’s access control relationship (aka access triple) are subject, object, and program (or interface). Input sanitization is not an element of the Clark–Wilson model.

Answer 778

A

C. The TCB is the combination of hardware, software, and controls that work together to enforce a security policy. The other options are incorrect. Hosts on a network that support secure transmissions may be able to support VPN connections, use TLS encryption, or implement some other form of data-in-transit protection mechanism. The operating system
kernel, other OS components, and device drivers are located in Rings 0–2 of the protection rings concept, or in the Kernel Mode ring in the variation used by Microsoft Windows (see Chapter 9). The predetermined set or domain (i.e., a list) of objects that a subject can access is the Goguen–Meseguer model.

Answer 779

A

A, B. Although the most correct answer in the context of this chapter is option B, the imaginary boundary that separates the TCB from the rest of the system, option A, the boundary of the physically secure area surrounding your system, is also a correct answer in the context of physical security. The network where your firewall resides is not a unique
concept or term, since a firewall can exist in any network as either a hardware device or a software service. A border firewall could be considered a security perimeter protection device, but that was not a provided option. Any connections to your computer system are just pathways of communication to a system’s interface—they are not labeled as a security perimeter.

Answer 780

A

C. The reference monitor validates access to every resource prior to granting the requested access. The other options are incorrect. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Option A,
a TCB partition, and option B, a trusted library, are not valid TCB concept components.

Answer 781

A

B. Option B is the only option that correctly defines a security model. The other options are incorrect. Option A is a definition of a security policy. Option C is a formal evaluation of the security of a system. Option D is the definition of virtualization.

Answer 782

A

D. The Bell–LaPadula and Biba models are built on the state machine model. Take-Grant and Clark–Wilson are not directly based or built on the state machine model.

Answer 783

A

A. Only the Bell–LaPadula model addresses data confidentiality. The Biba and Clark–Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.

Answer 784

A

C. The no read-up property, also called the simple security property, prohibits subjects from reading a higher security level object. The other options are incorrect. Option A, the (star) security property of Bell–LaPadula, is no write-down. Option B, no write-up, is the (star)
property of Biba. Option D, no read-down, is the simple property of Biba.

Answer 785

A

B. The simple property of Biba is no read-down, but the implied allowed opposite is read-up. The other options are incorrect. Option A, write-down, is the implied opposite allow of the (star) property of Biba, which is no write-up. Option C, no write-up, is the (star) property of
Biba. Option D, no read-down, is the simple property of Biba.

Answer 786

A

D. Security targets (STs) specify the claims of security from the vendor that are built into a target of evaluation (TOE). STs are considered the implemented security measures or the “I will provide” from the vendor. The other options are incorrect. Option A, protection profiles (PPs), specify for a product that is to be evaluated (the TOE) the security requirements
and protections, which are considered the security desires or the “I want” from a customer.
Option B, Evaluation Assurance Levels (EALs), are the various levels of testing and confirmation of systems’ security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed.
Option C, an Authorizing Official (AO), is the entity with the authority to issue an Authorization to Operate (ATO).

Answer 787

A

B. Memory protection is a core security component that must be designed and implemented into an operating system. It must be enforced regardless of the programs executing in the system. Otherwise, instability, violation of integrity, denial of service, and disclosure are likely
results. The other options are incorrect.
Option A, the use of virtualization, would not cause all of those security issues.
Option C, the Goguen–Meseguer model, is based on predetermining the set or domain (i.e., a list) of objects that a subject can access.
Option D, the use of encryption, is a protection, not a cause of these security issues.

Answer 788

A

A. A constrained or restricted interface is implemented within an application to restrict what users can do or see based on their privileges. The purpose of a constrained interface is to limit or restrict the actions of both authorized and unauthorized users. The other options are
incorrect. Option B describes authentication. Option C describes auditing and accounting. Option D describes virtual memory

Answer 789

A

A, C, D, F. The statements in options A, C, D, and F are all valid elements or considerations of shared responsibility. The other options are incorrect. Always consider the threat to both tangible and intangible assets as a tenet of risk management and BIA. Multiple layers of security are required to protect against adversary attempts to gain access to internal sensitive
resources and is a general principle of security known as defense in depth.

Answer 790

A

C. Multitasking is processing more than one task at the same time. In most cases, multitasking is simulated by the OS (using multiprogramming or pseudo-simultaneous execution) even when not supported by the processor. Multicore (not listed as an option) is also able to perform simultaneous execution but does so with multiple execution cores on one
or more CPUs. Multistate is a type of system that can operate at various security levels (or classifications, risk levels, etc.). Multithreading permits multiple concurrent tasks (i.e., threads) to be performed within a single process. In a multiprocessing environment, a multiprocessor computing system (that is, one with more than one CPU) harnesses the power of
more than one processor to complete the execution of a multithreaded application.

Answer 791

A

C. JavaScript remains the one mobile code technology that may affect the security of modern browsers and their host OSs. Java is deprecated for general internet use and browsers do not have native support for Java. A Java add-on is still available to install, but it is not preinstalled, and general security guidance recommends avoiding it on any internet-facing browser.
Flash is deprecated; no modern browser supports it natively. Adobe has abandoned it, and most browsers actively block the add-on. ActiveX is also deprecated, and though it was always only a Microsoft Windows technology, it was only supported by Internet Explorer, not Edge (either in its original form or the more recent Chromium-based version). Although
Internet Explorer is still present on modern Windows 10, this scenario stated that all other browsers were disabled or blocked. Thus, this scenario is limited to the latest Edge browser.

Answer 792

A

A. In many grid computing implementations, grid members can access the contents of the distributed work segments or divisions. This grid computing over the internet is not usually the best platform for sensitive operations. Grid computing is able to handle and compensate
for latency of communications, duplicate work, and capacity fluctuation.

Answer 793

A

B. Option B references a VDI or VMI instance that serves as a virtual endpoint for accessing cloud assets and services, but this concept is not specifically relevant to or a requirement of this scenario. The remaining items are relevant to the selection process in this scenario. These are all compute security–related concepts.
Option A, security groups, are collections of entities, typically users, but can also be applications and devices, which can be granted or denied access to perform specific tasks or access certain resources or assets. This supports the requirement of controlling which applications can access which assets.
Option C, dynamic resource allocation (aka elasticity), is the ability of a cloud process to use or consume more resources (such as compute, memory, storage, or networking) when needed. This supports the requirement of processing significant amounts of data in short periods of time.
Option D is a management or security mechanism, which is able to monitor and differentiate between numerous instances of the same VM, service, app, or resource. This supports the requirement of prohibiting VM sprawl or repetition of operations.

Answer 794

A

D. A large utility company is very likely to be using supervisory control and data acquisition (SCADA) to manage and operate their equipment; therefore, that is the system that the APT group would have compromised. A multifunction printer (MFP) is not likely to be the attack point that granted the APT group access to the utility distribution nodes. A real-time
OS (RTOS) may have been present on some of the utility company’s systems, but that is not the obvious target for an attack to take over control of an entire utility service. There may be system on chip (SoC) equipment present at the utility, but that would still be controlled and
accessed through the SCADA system at a utility company.

Answer 795

A

C. Secondary memory is a term used to describe magnetic, optical, or flash media (i.e., typical storage devices like HDD, SSD, CD, DVD, and thumb drives). These devices will retain their contents after being removed from the computer and may later be read by another user.
Static RAM and dynamic RAM are types of real memory and thus are all the same concept in relation to being volatile—meaning they lose any data they were holding when power is lost or cycled. Static RAM is faster and more costly, and dynamic RAM requires regular refreshing of the stored contents. Take notice in this question that three of the options were
effectively synonyms (at least from the perspective of volatile versus nonvolatile storage). If you notice synonyms among answer options, realize that none of the synonyms can be a correct answer for single-answer multiple-choice questions.

Answer 796

A

C. The primary security concern of a distributed computing environment (DCE) is the interconnectedness of the components. This configuration could allow for error or malware propagation as well. If an adversary compromises one component, it may grant them the ability to compromise other components in the collective through pivoting and lateral movement. The other options are incorrect. Unauthorized user access, identity spoofing, and poor authentication are potential weaknesses of most systems; they are not unique to DCE
solutions. However, these issues can be directly addressed through proper design, coding, and testing. However, the interconnectedness of components is a native characteristic of DCE that cannot be removed without discarding the DCE design concept itself.

Answer 797

A

C. The best means to reduce IoT risk from these options is to keep devices current on updates. Using public IP addresses will expose the IoT devices to attack from the internet. Powering off devices is not a useful defense—the benefit of IoT is that they are always running and ready to be used or take action when triggered or scheduled. Blocking access
to the internet will prevent the IoT devices from obtaining updates themselves, may prevent them from being controlled through a mobile device app, and will prevent communication with any associated cloud service.

Answer 798

A

D. Microservices are an emerging feature of web-based solutions and are derivative of service-oriented architecture (SOA). A microservice is simply one element, feature, capability,
business logic, or function of a web application that can be called upon or used by other web applications. It is the conversion or transformation of a capability of one web application into a microservice that can be called upon by numerous other web applications. The relationship to an application programming interface (API) is that each microservice must
have a clearly defined (and secured!) API to allow for I/O between multi-microservices as well as to and from other applications. The other options are incorrect since they are not derivatives of SOA. Cyber-physical systems are devices that offer a computational means to control something in the physical world. Fog computing relies on sensors, IoT devices, or
even edge computing devices to collect data and then transfer it back to a central location for processing. Distributed control systems (DCSs) are typically found in industrial process plants where the need to gather data and implement control over a large-scale environment
from a single location is essential.

Answer 799

A

B. This scenario describes the systems as being non persistent. A non persistent system or static system is a computer system that does not allow, support, or retain changes. Thus, between uses and/or reboots, the operating environment and installed software are exactly the same. Changes may be blocked or simply discarded after each system use. A non persistent system is able to maintain its configuration and security in spite of user attempts to implement change. This scenario is not describing a cloud solution, although a virtual desktop interface (VDI) could be implemented on premises or in the cloud. This scenario is not
describing thin clients, since the existing “standard” PC endpoints are still in use but a VDI is being used instead of the local system capabilities. A VDI deployment simulates a thin client. This scenario is not describing fog computing. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing.

Answer 800

A

B. The issue in this situation is VM sprawl. Sprawl occurs when organizations fail to plan their IT/IS needs and just deploy new systems, software, and VMs whenever their production needs demand it. This often results in obtaining underpowered equipment that is then overtaxed by inefficient implementations of software and VMs. This situation is not specifically related to end-of-service life (EOSL) systems, but EOSL systems would exacerbate the sprawl issue. This situation is not related to poor cryptography, nor is there any evidence of VM escaping issues.

Answer 801

A

C. Containerization is based on the concept of eliminating the duplication of OS elements in a virtual machine. Instead, each application is placed into a container that includes only the actual resources needed to support the enclosed application, and the common or shared OS
elements are then part of the hypervisor. The system as a whole could be redeployed using a containerization solution, and each of the applications previously present in the original seven VMs could be placed into containers, as well as the six new applications. This should result in all 13 applications being able to operate reasonably well without the need for
new hardware. Data sovereignty is the concept that, once information has been converted into a binary form and stored as digital files, it is subject to the laws of the country within which the storage device resides. Infrastructure as code (IaC) is a change in how hardware
management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevSecOps (security, development, and operations). Server less architecture is a cloud computing concept where code is managed by the customer, and the platform (i.e., supporting hardware and software) or server is managed by the CSP. This is not a solution that will work in this scenario; if management does not want to purchase additional hardware, they probably won’t approve a monthly CSP subscription, either.

Answer 802

A

B. Server less architecture is a cloud computing concept where code is managed by the customer and the platform (i.e., supporting hardware and software) or server is managed by the cloud service provider (CSP). There is always a physical server running the code, but this execution model allows the software designer/architect/programmer/developer to focus on
the logic of their code and not have to be concerned about the parameters or limitations of a specific server. This is also known as function as a service (FaaS). A microservice is simply one element, feature, capability, business logic, or function of a web application that can be called on or used by other web applications. Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed
under DevSecOps (development, security, and operations). A distributed system or a distributed computing environment (DCE) is a collection of individual systems that work together to support a resource or provide a service. Often a DCE is perceived by users as a single entity rather than numerous individual servers or components.

Answer 803

A

C. Because an embedded system is often in control of a mechanism in the physical world, a security breach could cause harm to people and property (aka cyber-physical). This typically is not true of a standard PC. Power loss, internet access, and software flaws are security risks
of both embedded systems and standard PCs.

Answer 804

A

A. Arduino is an open source hardware and software organization that creates single-board 8-bit microcontrollers for building digital devices. An Arduino device has limited RAM, a single USB port, and I/O pins for controlling additional electronics (such as servo motors or
LED lights), and does not include an OS or support networking. Instead, Arduino can execute C++ programs specifically written to its limited instruction set. Raspberry Pi is a popular example of a 64-bit microcontroller or a single-board computer, which includes its own
custom OS, although many third-party OS alternatives are available. A Raspberry Pi, another microcontroller option, has significantly more processing power than Arduino, is not limited to executing C++ programs, supports networking, and is more expensive than Arduino. Thus,
a Raspberry Pi is not the best option for this scenario. A real-time operating system (RTOS) is designed to process or handle data as it arrives on the system with minimal latency or delay. RTOS is a software OS that is usually stored and executed from ROM and thus may be part
of an embedded solution or hosted on a microcontroller. An RTOS is designed for mission critical operations where delay must be eliminated or minimized for safety. Thus, RTOS is not the best option for this scenario since it is about managing a garden, which does not need
real-time mission-critical operations. A field-programmable gate array (FPGA) is a flexible computing device intended to be programmed by the end user or customer. FPGAs are often used as embedded devices in a wide range of products, including industrial control systems
(ICSs). FPGAs can be challenging to program and are often more expensive than other more limited solutions. Thus, FPGA is not the best fit for this scenario.

Answer 805

A

D. This scenario is describing a product that requires a real-time operating system (RTOS) solution, since it mentions the need to minimize latency and delay, storing code in ROM, and optimizing for mission-critical operations. A containerized application is not a good fit for this situation because it may not be able to operate in near real time due to the virtualization infrastructure, and containerized apps are typically stored as files on the contain host rather than a ROM chip. An Arduino is a type of microcontroller, but not typically robust enough to be considered a near-real-time mechanism; it stores code on a flash chip, has a limited C++
based instruction set, and is not suited for mission-critical operations. A distributed control system (DCS) can be used to manage small-scale industrial processes, but it is not designed as a near-real-time solution. DCSs are not stored in ROM, but they may be used to manage
mission-critical operations.

Answer 806

A

A. This scenario is an example of edge computing. In edge computing, the intelligence and processing is contained within each device. Thus, rather than having to send data off to a master processing entity, each device can process its own data locally. The architecture of edge computing performs computations closer to the data source, which is at or near the edge of the network. Fog computing relies on sensors, IoT devices, or even edge computing devices to collect data and then transfer it back to a central location for processing. A thin client is a computer with low to modest capability or a virtual interface that is used to remotely
access and control a mainframe, virtual machine, or virtual desktop infrastructure (VDI). Infrastructure as code (IaC) is a change in how hardware management is perceived and handled. Instead of seeing hardware configuration as a manual, direct hands-on, one-on-one
administration hassle, it is viewed as just another collection of elements to be managed in the same way that software and code are managed under DevOps.

Answer 807

A

D. The best option in this scenario is corporate-owned. A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not
perform any personal tasks on them. This option often requires workers to carry a second device for personal use. Corporate-owned clearly assigns responsibility for device oversight to the organization. The other three options still allow for comingling of data and have unclear or vague security responsibility assignments as a concept or policy basis. BYOD is
a policy that allows employees to bring their own personal mobile devices to work and use those devices to connect to business resources and/or the internet through the company network. The concept of corporate-owned, personally enabled (COPE) means the organization purchases devices and provides them to employees. Each user is then able to customize the device and use it for both work activities and personal activities. The concept of choose your own device (CYOD) provides users with a list of approved devices from which to select the
device to implement

Answer 808

A

B. The risk of a lost or stolen laptop is the data loss, not the loss of the system itself, but the value of the data on the system, whether business related or personal. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard drive encryption, cable locks, and strong passwords, although good ideas, are preventive tools, not means
of reducing risk. They don’t keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest. Hard drive encryption can be bypassed using the cold boot attack or by taking advantage of an encryption service flaw or configuration mistake. Cable locks can be cut or ripped out of the chassis. Strong passwords do not prevent the theft of a device, and password cracking and/or credential stuffing may be able to overcome the protection. If not, the drive could be extracted and connected to another
system to access files directly, even with the native OS running.

Answer 809

A

C. Natural training and enrichment is not a core strategy of CPTED. Crime Prevention Through Environmental Design (CPTED) has three main strategies: natural access control, natural surveillance, and natural territorial reinforcement. Natural access control is the subtle guidance of those entering and leaving a building through placement of entranceways,
use of fences and bollards, and placement of lights. Natural surveillance is any means to make criminals feel uneasy through the increasing of opportunities for them to be observed. Natural territorial reinforcement is the attempt to make the area feel like an inclusive, caring
community.

Answer 810

A

B. Critical path analysis is a systematic effort to identify relationships between mission critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility. Log file audit can help detect violations to hold users accountable, but it is not a security facility design element.
Risk analysis is often involved in facility design, but it is the evaluation of threats against assets in regard to rate of occurrence and levels of consequence. Taking inventory is an important part of facility and equipment management, but it is not an element in overall
facility design.

Answer 811

A

A, C, F. The true statements are
option A, cameras should be positioned to watch exit and entry points allowing any change in authorization or access level;
option C, cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways; and option F, some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions,
such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording. The remaining answer options are incorrect. The corrected statements for those options are:
option B: Cameras should also be used to monitor activities
around valuable assets and resources as well as to provide additional protection in public areas such as parking structures and walkways;
option D: Security cameras can be overt and obvious in order to provide a deterrent benefit, or hidden and concealed in order to primarily provide a detective benefit;
option E: Some cameras are fixed, whereas others
support remote control of automated pan, tilt, and zoom (PTZ);
option G: Simple motion recognition or motion-triggered cameras may be fooled by animals, birds, insects, weather, or foliage.

Answer 812

A

D. Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality
should have a corresponding level of security restriction placed on it. A secure facility should have a separation between work and visitor areas and should restrict access to areas with higher value or importance, and confidential assets should be located in the heart or center of a facility.

Answer 813

A

A. A computer room does not need to be optimized for human workers to be efficient and secure. A server room would be more secure with a nonwater fire suppressant system (it would protect against damage caused by water suppressant). A server room should have
humidity maintained between 20 and 80 percent relative humidity and maintain a temperature between 59 and 89.6 degrees Fahrenheit.

Answer 814

A

C. Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, whereas data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a media librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.

Answer 815

A

B. The humidity in a computer room should ideally be from 20 to 80 percent. Humidity above 80 percent can result in condensation, which causes corrosion. Humidity below 20 percent can result in increased static electricity buildup. However, this does require managing
temperature properly as well. The other number ranges are not the relative humidity ranges recommended for a data center.

Answer 816

A

C. A preaction system is the best type of water-based fire suppression system for a computer facility because it provides the opportunity to prevent the release of water in the event of a false alarm or false initial trigger. The other options of wet pipe, dry pipe, and deluge system
use only a single trigger mechanism without the ability to prevent accidental water release.

Answer 817

A

B, C, E, F, H. The primary elements of a cable plant management policy should include a mapping of the entrance facility (i.e., demarcation point), equipment room, backbone distribution system, telecommunications room, and horizontal distribution system. The other items are not elements of a cable plant. Thus, access control vestibule, fire escapes, UPSs, and the loading dock are not needed elements on a cable map.

Answer 818

A

B. The most common cause of a false positive for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you’ll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release
throughout the office. Water shortage would be a problem, but it is not a cause for a false positive event. Ionization detectors are highly reliable, so they are usually not the cause of a false positive event. Detectors can be placed in drop ceilings in order to monitor that air space; this would only be a problem if another detector was not placed in the main area of
the room. If there are only detectors in the drop ceiling, then that could result in a false negative event.

Answer 819

A

D. The cause of the hardware failures is implied by the lack of organization of the equipment, which is heat buildup. This could be addressed by better management of temperature and airflow, which would involve implementing hot aisles and cold aisles in the data center. A
data center should have few if any actual visitors (such as outsiders), but anyone entering and leaving a data center should be tracked and recorded in a log. However, whether or not a visitor log is present has little to do with system failure due to poor heat management. Industrial
camouflage is not relevant here since it is about hiding the purpose of a facility from outside observers. A gas-based fire suppression system is more appropriate for a data center than a water-based system, but neither would cause heat problems due to poor system organization.

Answer 820

A

B, C, D. Benefits of gas-based fire suppression include causing the least damage to computer systems and extinguishing the fire quickly by removing oxygen. Also, gas-based fire suppression may be more effective and faster than a water-based system. A gas-based fire suppression
system can only be used where human presence is at a minimum, since it removes oxygen from the air.

Answer 821

A

B. The correct order of the six common physical security control mechanisms is Deter, Deny, Detect, Delay, Determine, Decide. The other options are incorrect.

Answer 822

A

C. Mean time to failure (MTTF) is the expected typical functional lifetime of the device given a specific operating environment. Mean time to repair (MTTR) is the average length of time required to perform a repair on the device. Mean time between failures (MTBF) is an estimation of the time between the first and any subsequent failures. A service level
agreement (SLA) clearly defines the response time a vendor will provide in the event of an equipment failure emergency.

Answer 823

A

C. Human safety is the most important goal of all security solutions. The top priority of security should always be the protection of the lives and safety of personnel. The protection of CIA (confidentiality, integrity, and availability) of company data and other assets is the second priority after human life and safety.

Answer 824

A

C. An access control vestibule is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication is verified. A gate is a doorway used to traverse through a fence line. A turnstile is an ingress or egress point that allows travel only in one direction and by one person at a time. A proximity detector determines whether a proximity device is nearby and whether the bearer is authorized to access the area being protected.

Answer 825

A

D. Lighting is often claimed to be the most commonly deployed physical security mechanism. However, lighting is only a deterrent and not a strong deterrent. It should not be used as the primary or sole protection mechanism except in areas with a low threat level. Your entire site, inside and out, should be well lit. This provides for easy identification of personnel and makes it easier to notice intrusions. Security guards are not as common as lighting, but they are more flexible in terms of security benefits. Fences are not as common as lighting, but they serve as a preventive control. CCTV is not as common as lighting but serves as a
detection control.

Answer 826

A

A. Security guards are usually unaware of the scope of the operations within a facility and are therefore not thoroughly equipped to know how to respond to every situation. Though this is considered a disadvantage, the lack of knowledge of the scope of the operations within a facility can also be considered an advantage because this supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information. Thus, even though this answer option is ambiguous, it is still better than the three other options. The other three options are disadvantages of security guards. Not all environments and facilities support security guards. This may be because of actual human incompatibility or the layout, design, location, and construction of the facility. Not all security guards are themselves reliable. Prescreening, bonding, and training do
not guarantee that you won’t end up with an ineffective or unreliable security guard.

Answer 827

A

C. Key locks are the most common and inexpensive form of physical access control device for both interior and exterior use. Lighting, security guards, and fences are all much more costly. Fences are also mostly used outdoors.

Answer 828

A

D. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object. A wave pattern motion detector transmits a consistent low ultrasonic or high microwave frequency signal into a monitored area and monitors for significant or
meaningful changes or disturbances in the reflected pattern. A photoelectric motion detector senses changes in visible light levels for the monitored area. Photoelectric motion detectors are usually deployed in internal rooms that have no windows and are kept dark. An infrared
PIR (passive infrared) or heat-based motion detector monitors for significant or meaningful changes in the heat levels and patterns in a monitored area

Answer 829

A

A. The SYN flagged packet is first sent from the initiating host to the destination host; thus it is the first step or phase in the TCP three-way handshake sequence used to establish a TCP session. The destination host then responds with a SYN/ACK flagged packet; this is the second step or phase of the TCP three-way handshake sequence. The initiating host sends an ACK flagged packet, and the connection is then established (the final or third step or phase). The FIN flag is used to gracefully shut down an established session.

Answer 830

A

D. UDP is a simplex protocol at the Transport layer (layer 4 of the OSI model). Bits is associated with the Physical layer (layer 1). Logical addressing is associated with the Network layer (layer 3). Data reformatting is associated with the Presentation layer (layer 6).

Answer 831

A

A, B, D. The means by which IPv6 and IPv4 can coexist on the same network is to use one or more of three primary options: dual stack, tunneling, or NAT-PT. Dual stack is to have most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC-2766) can be used to convert between IPv4 and IPv6 network segments similar to how NAT converts between internal and external addresses. IPsec is a standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6, but it does not enable the use of both IPv4 and IPv6 on the same system (although it doesn’t prevent it either). IP sideloading is not a real concept.

Answer 832

A

C. In this scenario, the only viable option to provide performance, availability, and security for the VoIP service is to implement a new, separate network for the VoIP system that is independent of the existing data network. The current data network is already at capacity,
so creating a new VLAN will not provide sufficient insurance that the VoIP service will be highly available. Replacing switches with routers is usually not a valid strategy for increasing network capacity, and 1,000 Mbps is the same as 1 Gbps. Flood guards are useful against DoS and some transmission errors (such as Ethernet floods or broadcast storms), but they do not add more capacity to a network or provide reliable uptime for a VoIP service.

Answer 833

A

A, B, E. TLS allows for use of TCP port 443; prevents tampering, spoofing, and eavesdropping; and can be used as a VPN solution. The other answers are incorrect. TLS supports both one-way and two-way authentication. TLS and SSL are not interoperable or backward compatible.

Answer 834

A

B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. Encapsulation allows for encryption, flexibility, and resiliency, while also enabling covert channels, filter bypass, and overstepping network segmentation boundaries. Throughput
is the capability of moving data across or through a network; this is not an implication of multilayer protocols. Hash integrity checking is a common benefit of multilayer protocols because most layers include a hash function in their header or footer. Logical addressing is a benefit of multilayer protocols; this avoids the restriction of using only physical addressing.

Answer 835

A

B, C, E. Microsegmentation can be implemented using internal segmentation firewalls (ISFWs), transactions between zones are filtered, and it can be implemented with virtual systems and virtual networks. Affinity or preference is the assignment of the cores of a CPU
to perform different tasks. Microsegmentation is not related to edge and fog computing management.

Answer 836

A

A. The device in this scenario would benefit from the use of Zigbee. Zigbee is an IoT equipment communications concept that is based on Bluetooth. Zigbee has low power consumption and a low throughput rate, and it requires close proximity of devices. Zigbee communications are encrypted using a 128-bit symmetric algorithm. Bluetooth is not a good
option since it is usually plaintext. Bluetooth Low Energy (BLE) might be a viable option if custom encryption was added. Fiber Channel over Ethernet (FCoE) is not a wireless technology or an IoT technology—it is a high-speed fiber optic–based storage technology. 5G is the latest mobile service technology that is available for use on mobile phones, tablets, and
other equipment. Though many IoT devices may support and use 5G, it is mostly used to provide direct access to the internet rather than as a link to a local short-distance device, such as a PC or IoT hub.

Answer 837

A

B. A content distribution network (CDN), or content delivery network, is a collection of resource service hosts deployed in numerous data centers across the world in order to provide low latency, high performance, and high availability of the hosted content. VPNs are used to transport communications over an intermediary medium through the means of
encapsulation (i.e., tunneling), authentication, and encryption. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Counter-Mode/CBC-MAC
Protocol) is the combination of two block cipher modes to enable streaming by a block algorithm.

Answer 838

A

A, B, D. Cellular services, such as 4G and 5G, raise numerous security and operational concerns. Although cellular service is encrypted from device to tower, there is a risk of being fooled by a false or rogue tower. A rogue tower could offer only plaintext connections, but even if it supported encrypted transactions, the encryption only applies to the radio transmissions between the device and the tower. Once the communication is on the tower, it will be decrypted, allowing for eavesdropping and content manipulation. Even without a rogue
tower, eavesdropping can occur across the cellular carrier’s interior network as well as across the internet, unless a VPN link is established between the remote mobile device and the network of the organization James works for. Being able to establish a connection can be
unreliable depending on exactly where James’s travel takes him. 3G, 4G, and 5G coverage is not 100 percent available everywhere. 5G coverage is the most limited since it is the latest technology and still not universally deployed, and each 5G tower covers less area than a 4G tower. If James is able to establish a connection, 4G and 5G speeds should be sufficient for
most remote technician activities, since 4G supports 100 Mbps for mobile devices and 5G supports up to 10 Gbps. If connectivity is established, there should be no issues with cloud interaction or duplex conversations.

Answer 839

A

D. The true statement is: ARP poisoning can use unsolicited or gratuitous replies—specifically, ARP replies for which the local device did not transmit an ARP broadcast request. Many systems accept all ARP replies regardless of who requested them. The other statements are
false. The correct versions of those statements would be:
(A) MAC flooding is used to overload the memory of a switch, specifically the CAM table stored in switch memory when bogus information will cause the switch to function only in flooding mode.
(B) MAC spoofing is used to falsify the physical address of a system to impersonate that of another authorized device. ARP poisoning associates an IP address with the wrong MAC address.
(C) MAC spoofing relies on plaintext Ethernet headers to initially gather valid MAC addresses of legitimate network devices.
ICMP crosses routers because it is carried as the payload of an IP packet.

Answer 840

A

D. The most likely cause of the inability to recover files from the SAN in this scenario is deduplication. Deduplication replaces multiple copies of a file with a pointer to one copy. If the one remaining file is damaged, then all of the linked copies are damaged or inaccessible as well. File encryption could be an issue, but the scenario mentions that groups of people work
on projects and typically file encryption is employed by individuals, not by groups. Wholedrive encryption would be more appropriate for group-accessed files as well as for a SAN in general. This issue is not related to what SAN technology is used, such as Fibre Channel. This
problem might be solvable by restoring files from a backup, whether real-time or not, but the loss of files is not caused by performing backups.

Answer 841

A

D. In this scenario, the malware is performing a MAC flooding attack, which causes the switch to get stuck in flooding mode. This has taken advantage of the condition that the switch had weak configuration settings. The switch should have MAC limiting enabled in order to prevent MAC flooding attacks from being successful. Although Jim was initially
fooled by a social engineering email, the question asked about the malware’s activity. A MAC flooding attack is limited by network segmentation to the local switch, but the malware took
advantage of weak or poor configuration on the switch and was still successful. MAC flooding is blocked by routers from crossing between switched network segments. The malware did not use ARP queries in its attack. ARP queries can be abused in an ARP poisoning attack,
but that was not described in this scenario.

Answer 842

A

B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port. Repeaters are used to strengthen the communication signal over a cable segment as well as connect network segments that
use the same protocol. A bridge is used to connect two networks together—even networks of different topologies, cabling types, and speeds—in order to connect network segments that use the same protocol. Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. Routers manage traffic based on logical IP addressing.

Answer 843

A

B. A Faraday cage is an enclosure that blocks or absorbs electromagnetic fields or signals. Faraday cage containers, computer cases, rack-mount systems, rooms, or even building materials are used to create a blockage against the transmission of data, information, metadata, or other emanations from computers and other electronics. Devices inside a Faraday cage can use EM fields for communications, such as wireless or Bluetooth, but devices outside of the cage will not be able to eavesdrop on the signals of the systems within the cage. Air gaps do not contain or restrict wireless communications—in fact, for an air gap to be effective, wireless cannot even be available. Biometric authentication has nothing to do with controlling radio signals. Screen filters reduce shoulder surfing but do not address radio signals.

Answer 844

A

B. A screened subnet is a type of security zone that can be positioned so that it operates as a buffer network between the secured private network and the internet and can host publicly accessible services. A honeypot is a false network used to trap intruders; it isn’t used to host
public services. An extranet is for limited outside partner access, not public. An intranet is the private secured network.

Answer 845

A

B, E, F. Network access control (NAC) involves controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are to detect/block rogue devices, prevent or reduce zero-day attacks, confirm compliance with updates and
security settings, enforce security policy throughout the network, and use identities to perform access control. NAC does not address social engineering, mapping IP addresses, or distributing IP addresses—those are handled by training, NAT, and DHCP, respectively.

Answer 846

A

A. Endpoint detection and response (EDR) is a security mechanism that is an evolution of traditional antimalware products. EDR seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users. It is a natural extension of continuous monitoring, focusing on both the
endpoint device itself and network communications reaching the local interface. Some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution. The goal of EDR is to detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors. A next-generation firewall (NGFW) is a unified threat management (UTM) device that is based on a traditional firewall with numerous other integrated network and security services and is thus not the security solution needed in this scenario. A web application firewall (WAF) is an appliance, server add-on, virtual service, or
system filter that defines a strict set of communication rules for a website and is not the security solution needed in this scenario. Cross-site request forgery (XSRF) is an attack against web-based services, not a malware defense.

Answer 847

A

A. An application-level firewall is able to make access control decisions based on the content of communications as well as the parameters of the associated protocol and software. Stateful inspection firewalls make access control decisions based on the content and context of communications, but are not typically limited to a single application-layer protocol. Circuit-level firewalls are able to make permit and deny decisions in regard to circuit establishment either based on simple rules for IP and port, using captive portals, requiring port authentication via 802.1X, or more complex elements such as context- or attribute-based
access control. Static packet-filtering firewalls filter traffic by examining data from a message header. Usually, the rules are concerned with source and destination IP address (layer 3) and port numbers (layer 4).

Answer 848

A

A, C, D. Most appliance (i.e., hardware) firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms/alerts and even basic IDS functions. It is also true that firewalls are unable to prevent internal attacks that do not cross the firewall. Firewalls are unable
to block new phishing scams. Firewalls could block a phishing scam’s URL if it was already on a block list, but a new scam likely uses a new URL that is not yet known to be malicious

Answer 849

A

B. When transparency is a characteristic of a service, security control, or access mechanism,
it is unseen by users. Invisibility is not the proper term for a security control that goes unnoticed by valid users. Invisibility is sometimes used to describe a feature of a rootkit, which attempts to hide itself and other files or processes. Diversion is a feature of a honeypot but not of a typical security control. Hiding in plain sight is not a security concept; it is a mistake on the part of the observer not to notice something that they should notice. This is not the same concept as camouflage, which is when an object or subject attempts to blend into the surroundings.

Answer 850

A

A, C, D, E, G, I, J, K. More than 40 EAP methods have been defined, including LEAP, PEAP,
EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, and EAP-TTLS. The other options are not valid EAP methods.

Answer 851

A

B. Changing default passwords on PBX systems provides the most effective increase in security. PBX systems typically do not support encryption, although some VoIP PBX systems may
support encryption in specific conditions. PBX transmission logs may provide a record of
fraud and abuse, but they are not a preventive measure to stop it from happening. Taping
and archiving all conversations is also a detective measure rather than a preventive one
against fraud and abuse.

Answer 852

A

A, B, D. It is important to verify that multimedia collaboration connections are encrypted, that robust multifactor authentication is in use, and that tracking and logging of events and activities is available for the hosting organization to review. Customization of avatars and
filters is not a security concern.

Answer 853

A

C. Malicious attackers known as phreakers abuse phone systems in much the same way that attackers abuse computer networks. In this scenario, they were most likely focused on the PBX. Private branch exchange (PBX) is a telephone switching or exchange system deployed
in private organizations in order to enable multistation use of a small number of external PSTN lines. Phreakers generally do not focus on accounting (that would be an invoice scam), NAT (that would be a network intrusion attack), or Wi-Fi (another type of network intrusion attack).

Answer 854

A

D. The issue in this scenario is that a private IP address from RFC 1918 is assigned to the web server. RFC 1918 addresses are not internet routable or accessible because they are reserved for private or internal use only. So, even with the domain name linked to the address, any attempt to access it from an internet location will fail. Local access via jumpbox or LAN system likely uses an address in the same private IP address range and has no issues locally. The issue of the scenario (i.e., being unable to access a website using its FQDN) could be resolved by either using a public IP address or implementing static NAT on the screened subnet’s boundary firewall. The jumpbox would not prevent access to the website regardless of whether it was rebooted, in active use, or turned off. That
would only affect Michael’s use of it from his desktop workstation. Split-DNS does support internet-based domain name resolution; it separates internal-only domain information from external domain information. A web browser should be compatible with the coding of most websites. Since there was no mention of custom coding and the site was intended for public use, it is probably using standard web technologies. Also, since Michael’s workstation and several worker desktops could access the website, the problem is probably not related to the browser.

Answer 855

A

A. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It provides a means to transport the logon credentials from the client to the authentication
server. CHAP protects the password by never sending it across the network; it is used in computing a response along with a random challenge number issued by the server. EAP offers some means of authentication that protects and/or encrypts credentials, but not all of the
options do. RADIUS supports a range of options to protect and encrypt logon credentials.

Answer 856

A

D. Screen scraping is a technology that allows an automated tool to interact with a human interface. Remote-control remote access grants a remote user the ability to fully control another system that is physically distant from them. Virtual desktops are a form of screen scraping in which the screen on the target machine is scraped and shown to the remote operator, but this is not related to automated tool interaction of human interfaces. Remote node operation is just another name for when a remote client establishes a direct connection to a LAN, such as with wireless, VPN, or dial-up connectivity.

Answer 857

A

A, C, D. The addresses in RFC 1918 are 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. Therefore, 10.0.0.18, 172.31.8.204, and 192.168.6.43 are private IPv4 addresses. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918.

Answer 858

A

D. An intermediary network connection is required for a VPN link to be established. A VPN can be established between devices over the internet, between devices over a LAN, or between a system on the internet and a LAN.

Answer 859

A

B. A switch is a networking device that can be used to create digital virtual network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device. A router connects disparate networks (i.e., subnets) rather than creating network segments. Subnets are created by IP address and subnet mask assignment. Proxy and firewall
devices do not create digital virtual network segments, but they may be positioned between network segments to control and manage traffic.

Answer 860

A

B. Quality of service (QoS) is the oversight and management of the efficiency and performance of network communications. Items to measure include throughput rate, bit rate, packet loss, latency, jitter, transmission delay, and availability. A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted
network. Software-defined networking (SDN) aims at separating the infrastructure layer from the control layer on networking hardware in order to reduce management complexity. Sniffing captures network packers for analysis. QoS uses sniffing, but sniffing itself is not QoS.

Answer 861

A

B. VLANs do not impose encryption on data or traffic. Encrypted traffic can occur within a VLAN, but encryption is not imposed by the VLAN. VLANs do provide traffic isolation, traffic management and control, and a reduced vulnerability to sniffers.

Answer 862

A

B, C, D. Port security can refer to several concepts, including network access control (NAC), Transport layer ports, and RJ-45 jack ports. NAC requires authentication before devices can communicate on the network. Transport-layer port security involves using firewalls to grant
or deny communications to TCP and UDP ports. RJ-45 jacks should be managed so that unused ports are disabled and that when a cable is disconnected, the port is disabled. This approach prevents the connection of unauthorized devices. Shipping container storage relates to shipping ports, which is a type of port that is not specifically related to IT or typically
managed by a CISO.

Answer 863

A

D. When IPsec is used in tunnel mode, entire packets, rather than just the payload, are encrypted. Transport mode only encrypts the original payload, not the original header. Encapsulating Security Payload (ESP) is the encrypter of IPsec, not the mode of VPN connection. Authentication Header (AH) is the primary authentication mechanism of IPsec.

Answer 864

A

A. Authentication Header (AH) provides assurances of message integrity and nonrepudiation. Encapsulating Security Payload (ESP) provides confidentiality and integrity of payload contents. ESP also provides encryption, offers limited authentication, and prevents replay
attacks. IP Payload Compression (IPComp) is a compression tool used by IPsec to compress data prior to ESP encrypting it in order to attempt to keep up with wire speed transmission. Internet Key Exchange (IKE) is the mechanism of IPsec that manages cryptography keys and
is composed of three elements: OAKLEY, SKEME, and ISAKMP.

Answer 865

A

B. Data remanent destruction is a security concern related to storage technologies more so than an email solution. Essential email concepts, which local systems can enforce and protect, include nonrepudiation, message integrity, and access restrictions.

Answer 866

A

D. The backup method is not an important factor to discuss with end users regarding email retention. The details of an email retention policy may need to be shared with affected subjects, which may include privacy implications, how long the messages are maintained (i.e., length of retainer), and for what purposes the messages can be used (such as auditing or violation investigations).

Answer 867

A

D. Static IP addressing is not an implication of multilayer protocols; it is a feature of the IP protocol when an address is defined on the local system rather than being dynamically assigned by DHCP. Multilayer protocols include the risk of VLAN hopping, multiple encapsulation, and filter evasion using tunneling.

Answer 868

A

B. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data. Software-defined networking (SDN) is a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (hardware and hardware-based settings) from the control layer (network
services of data transmission management). A virtual private network (VPN) is a communication channel between two entities across an intermediary untrusted network. A switched virtual circuit (SVC) has to be created each time it is needed using the best paths currently available before it can be used and then disassembled after the transmission is complete

Answer 869

A

B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.

Answer 870

A

B. An access control matrix includes multiple objects and subjects. It identifies access granted to subjects (such as users) to objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group
of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refers to excessive privileges a subject gathers over time.

Answer 871

A

B. A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.

Answer 872

A

A. The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user’s need to know and organization policies. A rule-based access control model uses rules to grant or block access. A
risk-based access control model examines the environment, the situation, and policies coded in software to determine access.

Answer 873

A

D. A role-based access control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject
access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

Answer 874

A

A. The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.

Answer 875

A

D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.

Answer 876

A

B. The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.

Answer 877

A

B. In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn’t use a centralized environment.

Answer 878

A

B. The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels.
DAC and ABAC models do not use labels.

Answer 879

A

C. Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary
access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.

Answer 880

A

A. A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.

Answer 881

A

A. A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).

Answer 882

A

A. OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework.
OpenID provides authentication but doesn’t include profile information.

Answer 883

A

D. Configuring a central computer to synchronize its time with an external NTP server and all other systems to synchronize their time with the NTP will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within
5 minutes of each other and the scenario, along with the available answers, suggested the user’s computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because a user successfully logs on to one computer, it indicates Kerberos is working, and AES is installed. NAC checks a system’s health after the user authenticates. NAC doesn’t prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn’t require SAML.

Answer 884

A

C. The primary purpose of Kerberos is authentication, since it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

Answer 885

A

B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t
the primary function.

Answer 886

A

B. The best choice is to give the administrator the root password. The administrator would enter it manually when running commands that need elevated privileges by running the su command. If the user is granted sudo access, it would allow the user to run commands requiring root-level privileges, under the context of the user account. If an attacker compromised the user account, the attacker could run the elevated commands with sudo. Linux systems don’t have an administrator group or a LocalSystem account.

Answer 887

A

D. NTLM is known to be susceptible to pass-the-hash attacks, and this scenario describes a pass-the-hash attack. Kerberos attacks attempt to manipulate tickets, such as in pass-the ticket and golden ticket attacks, but these are not NTLM attacks. A rainbow table attack uses a rainbow table in an offline brute-force attack.

Answer 888

A

C. Attackers can create golden tickets after successfully exploiting Kerberos and obtaining the Kerberos service account (KRBTGT). Golden tickets are not associated with Remote Authentication Dial-in User Service (RADIUS), Security Assertion Markup Language (SAML), or OpenID Connect (OIDC)

Answer 889

A

A. Nmap is a network discovery scanning tool that reports the open ports on a remote system and the firewall status of those ports. OpenVAS is a network vulnerability scanning tool. Metasploit Framework is an exploitation framework used in penetration testing. lsof is a Linux command used to list open files on a system.

Answer 890

A

D. Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network. Port 22 is used for the Secure Shell protocol (SSH), and the filtered status indicates that nmap can’t determine whether it is open or closed. This situation does require further investigation, but it is not as alarming as a definitely exposed database server port.

Answer 891

A

C. Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.

Answer 892

A

C. The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.

Answer 893

A

A. Security assessment reports should be addressed to the organization’s management. For this reason, they should be written in plain English and avoid technical jargon.

Answer 894

A

C. Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security
weaknesses, they produce evaluation reports and make recommendations.

Answer 895

A

B. The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site’s purpose.

Answer 896

A

B. The SSH protocol uses port 22 to accept administrative connections to a server.

Answer 897

A

D. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

Answer 898

A

C. The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.

Answer 899

A

D. SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to
be successful.

Answer 900

A

C. PCI DSS requires that Badin rescan the application at least annually and after any change in the application.

Answer 901

A

B. Metasploit Framework is an automated exploit tool that allows attackers to easily execute common attack techniques. Nmap is a port scanning tool. OpenVAS is a network vulnerability scanner and Nikto is a web application scanner. While these other tools might identify
potential vulnerabilities, they do not go as far as to exploit them.

Answer 902

A

C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.

Answer 903

A

A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.

Answer 904

A

B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.

Answer 905

A

B. Unencrypted HTTP communications take place over TCP port 80 by default.

Answer 906

A

B. During a white-box penetration test, the testers have access to detailed configuration information about the system being tested.

Answer 907

A

B. The backup verification process ensures that backups are running properly and thus meeting the organization’s data protection objectives.

Answer 908

A

B. There are only two types of SOC report: Type I and Type II. Both reports provide information on the suitability of the design of security controls. Only a Type II report also provides an opinion on the operating effectiveness of those controls over an extended period of time.

Answer 909

A

B, C, D. Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn’t one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

Answer 910

A

A. Your next step is to isolate the computer from the network as part of the mitigation phase. You might look at other computers later, but you should try to mitigate the problem first. Similarly, you might run an antivirus scan, but later. The lessons learned phase is last and will analyze an incident to determine the cause.

Answer 911

A

D. The first step is detection. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

Answer 912

A

B. Audit trails provide documentation on what happened, when it happened, and who did it. IT personnel create audit trails by examining logs. Authentication of individuals is also needed to ensure that the audit trails provide proof of identities listed in the logs. Identification occurs when an individual claims an identity, but identification without authentication doesn’t provide accountability. Authorization grants individuals access to resources based on their proven identity. Confidentiality ensures that unauthorized entities can’t access
sensitive data and is unrelated to this question.

Answer 913

A

A, C, D. The three basic security controls listed are
1) keep systems and applications up to date
2) remove or disable unneeded services or protocols
3) use up-to-date antimalware software. SOAR technologies implement advanced methods to detect and automatically respond to incidents. It’s appropriate to place a network firewall at the border (between the
internet and the internal network), but web application firewalls (WAF) should only filter traffic going to a web server.

Answer 914

A

B. The first step should be to copy existing logs to a different drive so that they are not lost. If you enable rollover logging, you are configuring the logs to overwrite old entries. It’s not necessary to review the logs before copying them. If you delete the oldest log entries first, you
may delete valuable data.

Answer 915

A

A. A zero-day exploit is an attack that exploits a vulnerability that doesn’t have a patch or fix. A newly discovered vulnerability is only a vulnerability until someone tries to exploit it. Attacks on unpatched systems aren’t zero-day exploits. A virus is a type of malware that delivers its payload after a user launches an application.

Answer 916

A

A. Fraggle is a denial of service (DoS) attack that uses UDP. Other attacks, such as a SYN flood attack, use TCP. A smurf attack is similar to a fraggle attack, but it uses ICMP. SOAR is a group of technologies that provide automated responses to common attacks, not a protocol.

Answer 917

A

C. This is a false positive. The IPS falsely identified normal web traffic as an attack and blocked it. A false negative occurs when a system doesn’t detect an actual attack. A honeynet is a group of honeypots used to lure attackers. Sandboxing provides an isolated environment for testing and is unrelated to this question.

Answer 918

A

D. An anomaly-based IDS requires a baseline, and it then monitors traffic for any anomalies or changes when compared to the baseline. It’s also called behavior based and heuristics based. Pattern-based detection (also known as knowledge-based detection and signature-based detection) uses known signatures to detect attacks.

Answer 919

A

B. An NIDS will monitor all traffic and raise alerts when it detects suspicious traffic. A HIDS only monitors a single system. A honeynet is a network of honeypots used to lure attackers away from live networks. A network firewall filters traffic, but it doesn’t raise alerts on suspicious traffic.

Answer 920

A

A. This describes an NIPS. It is monitoring network traffic, and it is placed in line with the traffic. An NIDS isn’t placed in line with the traffic, so it isn’t the best choice. Host-based systems only monitor traffic sent to specific hosts, not network traffic.

Answer 921

A

D. A drawback of some HIDSs is that they interfere with a single system’s normal operation by consuming too many resources. The other options refer to applications that aren’t installed on user systems.

Answer 922

A

B. A false negative occurs when there is an attack but the IDS doesn’t detect it and raise an alarm. In contrast, a false positive occurs when an IDS incorrectly raises an alarm, even though there isn’t an attack. The attack may be a UDP-based fraggle attack or an ICMP-based smurf attack, but the attack is real, and since the IDS doesn’t detect it, it is a
false negative.

Answer 923

A

B. An IDS is most likely to connect to a switch port configured as a mirrored port. An IPS is placed in line with traffic, so it is placed before the switch. A honeypot doesn’t need to see all traffic going through a switch. A sandbox is an isolated area often used for testing and would
not need all traffic from a switch.

Answer 924

A

B. An anomaly-based IDS (also known as a behavior-based IDS) can detect new security threats. A signature-based IDS only detects attacks from known threats. An active IDS identifies the response after a threat is detected. A network-based IDS can be both signature based
and anomaly based.

Answer 925

A

B. A security information and event management (SIEM) system is a centralized application that monitors multiple systems. Security orchestration, automation, and response (SOAR) is a group of technologies that provide automated responses to common attacks. A host-based
intrusion detection system (HIDS) is decentralized because it is on one system only. A threat feed is a stream of data on current threats.

Answer 926

A

D. A network-based data loss prevention (DLP) system monitors outgoing traffic (egress monitoring) and can thwart data exfiltration attempts. Network-based intrusion detection systems (NIDSs) and intrusion protection systems (IPSs) primarily monitor incoming traffic
for threats. Firewalls can block traffic or allow traffic based on rules in an access control list (ACL), but they can’t detect unauthorized data exfiltration attacks.

Answer 927

A

A. Threat hunting is the process of actively searching for infections or attacks within a network. Threat intelligence refers to the actionable intelligence created after analyzing incoming data, such as threat feeds. Threat hunters use threat intelligence to search for specific threats. Additionally, they may use a kill chain model to mitigate these threats.
Artificial intelligence (AI) refers to actions by a machine, but the scenario indicates administrators are doing the work.

Answer 928

A

C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off. Preventing business interruption is the goal of business continuity, not disaster recovery programs. Although disaster recovery programs
are involved in restoring normal activity and minimizing the impact of disasters, this is not their end goal.

Answer 929

A

C. The recovery point objective (RPO) specifies the maximum amount of data that may be lost during a disaster and should be used to guide backup strategies. The maximum tolerable downtime (MTD) and recovery time objective (RTO) are related to the duration of an outage, rather than the amount of data lost. The mean time between failures (MTBF) is related
to the frequency of failure events.

Answer 930

A

D. The lessons learned session captures discoveries made during the disaster recovery process and facilitates continuous improvement. It may identify deficiencies in training and awareness or in the business impact analysis.

Answer 931

A

B. Redundant arrays of inexpensive disks (RAID) are a fault-tolerance control that allow an organization’s storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and high-availability (HA) pairs are all fault-tolerance services designed for server compute capacity, not storage.

Answer 932

A

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location. The primary data center is a poor choice, since it may be damaged during a disaster. A field office is reasonable, but it is in a specific location and is not as flexible as a cloud-based approach. The IT manager’s home is a poor choice—the
IT manager may leave the organization or may not have appropriate environmental and physical security controls in place.

Answer 933

A

C. All of these are good practices that could help improve the quality of service that Bryn provides from her website. Installing dual power supplies or deploying RAID arrays could reduce the likelihood of a server failure, but these measures only protect against a single risk each. Deploying multiple servers behind a load balancer is the best option because it protects against any type of risk that would cause a server failure. Backups are an important control for recovering operations after a disaster and different backup strategies could indeed alter the RTO, but it is even better if Bryn can design a web architecture that lowers the risk of the
outage occurring in the first place.

Answer 934

A

D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up to date by executing all transactions on both the primary and remote sites at the same time. Electronic vaulting follows a similar process of
storing all data at the remote location, but it does not do so in real time. Transaction logging and remote journaling options send logs, rather than full data replicas, to the remote location.

Answer 935

A

B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

Answer 936

A

A, B, D. The only incorrect statement here is that business continuity planning picks up where disaster recovery planning leaves off. In fact, the opposite is true: disaster recovery planning picks up where business continuity planning leaves off. The other three statements are all accurate
reflections of the role of business continuity planning and disaster recovery planning. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Organizations can choose whether to develop business continuity planning or disaster
recovery planning plans, although it is highly recommended that they do so. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

Answer 937

A

B. During the business impact analysis phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the disaster recovery planning business unit prioritization.

Answer 938

A

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This process often takes weeks, but cold sites also have the lowest cost to implement. Hot sites, warm sites, and mobile sites all have quicker recovery times.

Answer 939

A

C. Uninterruptible power supplies (UPSs) provide a battery-backed source of power that is capable of preserving operations in the event of brief power outages. Generators take a significant amount of time to start and are more suitable for longer-term outages. Dual power supplies protect against power supply failures and not power outages. Redundant network links are a network continuity control and do not provide power.

Answer 940

A

D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm
sites require the restoration of data from backup.

Answer 941

A

D. The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures. Checklist tests, structured walk-throughs, and simulations are all test types that do not involve actually activating the alternate site.

Answer 942

A

A. The executive summary provides a high-level view of the entire organization’s disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.

Answer 943

A

D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a “safety net” in the event a developer goes out of business or fails to honor the terms of a service agreement.

Answer 944

A

A. Differential backups involve always storing copies of all files modified since the most recent full backup, regardless of any incremental or differential backups created during the intervening time period.

Answer 945

A

B. People should always be your highest priority in business continuity planning. As life safety systems, fire suppression systems should always receive high prioritization.

Answer 946

A

A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required
restorations may be large.

Answer 947

A

B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary
operations center

Answer 948

A

C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer, either as the target or as
a tool. Computer crimes may not be defined in an organization’s policy, since crimes are only defined in law. Illegal attacks are indeed crimes, but this is too narrow a definition. The failure to practice due diligence may be a liability but, in most cases, is not a criminal action.

Answer 949

A

B. A military and intelligence attack targets the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

Answer 950

A

A. The Code of Ethics does not require that you protect your colleagues.

Answer 951

A

B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack. Although terrorists may engage in other actions, such as altering information, stealing data, or transferring funds, as part of their attacks, these items
alone are not indicators of terrorist activity.

Answer 952

A

A, C, D. A financial attack focuses primarily on obtaining services and funds illegally. Accessing services that you have not purchased is an example of obtaining services illegally. Transferring funds from an unapproved source is obtaining funds illegally, as is leasing out a
botnet for use in DDoS attacks. Disclosing confidential information is not necessarily financially motivated.

Answer 953

A

D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.

Answer 954

A

A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

Answer 955

A

C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

Answer 956

A

D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

Answer 957

A

C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.

Answer 958

A

C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. The parol evidence rule states
that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement. Testimonial evidence is evidence consisting of the testimony of a witness,
either verbal testimony in court or written testimony in a recorded deposition.

Answer 959

A

B. Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future. Forensic analysis is used to obtain evidence from digital systems. Network traffic analysis is an example of a forensic analysis category. Fagan inspection is a
software testing technique.

Answer 960

A

A. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening. Presentation displays the information to witnesses, the court, and other parties.

Answer 961

A

B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.

Answer 962

A

B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

Answer 963

A

A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, log files can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived, often by forwarding log entries to a centralized log management system.

Answer 964

A

D. Review examines the information resulting from the Processing phase to determine what information is responsive to the request and remove any information protected by attorney client privilege. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of
information requiring detailed screening.

Answer 965

A

D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

Answer 966

A

B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

Answer 967

A

B. RFC 1087 does not specifically address the statements in option A, C, or D. Although each
type of activity listed is unacceptable, only “actions that compromise the privacy of users”
are explicitly identified in RFC 1087

Answer 968

A

D. User and entity behavior analytics (UEBA) tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts. This type of tool would meet Dylan’s requirements. Endpoint
detection and response (EDR) tools watch for unusual endpoint behavior but do not analyze user activity. Integrity monitoring is used to identify unauthorized system/file changes. Signature detection is a malware detection technique.

Answer 969

A

B. All of these technologies are able to play important roles in defending against malware and other endpoint threats. User and entity behavior analysis (UEBA) looks for behavioral anomalies. Endpoint detection and response (EDR) and next-generation endpoint protection
(NGEP) identify and respond to malware infections. However, only managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team.

Answer 970

A

C. If Carl has backups available, that would be his best option to recover operations. He could also pay the ransom, but this would expose his organization to legal risks and incur unnecessary costs. Rebuilding the systems from scratch would not restore his data. Installing antivirus software would be helpful in preventing future compromises, but these packages would not likely be able to decrypt the missing data.

Answer 971

A

A. Although an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks due to the cost and complexity of the research required to discover or purchase them. Social engineering, Trojans (and other malware), and
SQL injection attacks are often attempted by many different types of attackers.

Answer 972

A

B. TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Backdoors are code that allows those with knowledge of the backdoor to bypass authentication mechanisms. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. SQL injection attacks include SQL code in user input in the
hopes that it will be passed to and executed by the backend database.

Answer 973

A

B. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. Time-of-check to time-of-use
(TOCTTOU) attacks exploit timing differences that lead to race conditions. Cross-site scripting (XSS) attacks force the execution of malicious scripts in the user’s browser. Cross-site request forgery (XSRF) attacks exploit authentication trust between browser tabs.

Answer 974

A

D. The try…catch clause is used to attempt to evaluate code contained in the try clause and then handle errors with the code located in the catch clause. The other constructs listed here (if…then, case…when, and do…while) are all used for control flow.

Answer 975

A

C. In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s root directory and access the /etc/passwd file on the server. SQL injection attacks
would contain SQL code. File upload attacks seek to upload a file to the server. Session hijacking attacks require the theft of authentication tokens or other credentials.

Answer 976

A

A. Logic bombs wait until certain conditions are met before delivering their malicious payloads. Worms are malicious code objects that move between systems under their own power, whereas viruses require some type of human intervention. Trojan horses masquerade as useful software but then carry out malicious functions after installation.

Answer 977

A

B. Developers of web applications should leverage parameterized queries to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database developers or administrators. With
parameterized queries, the SQL statement is defined within the application and variables are bound to that statement in a safe manner.

Answer 978

A

D. The single quote character (‘) is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

Answer 979

A

C. Although any malware may be leveraged for financial gain, depending on its payload, cryptomalware is specifically designed for this purpose. It steals computing power and uses it to mine cryptocurrency. Remote access Trojans (RATs) are designed to grant attackers remote
administrative access to systems. Potentially unwanted programs (PUPs) are any type of software that is initially approved by the user but then performs undesirable actions. Worms are malicious code objects that move between systems under their own power.

Answer 980

A

A. Cross-site scripting attacks are often successful against web applications that include reflected input. This is one of the two main categories of XSS attack. In a reflected attack, the attacker can embed the attack within the URL so that it is reflected to users who
follow a link.

Answer 981

A

A, B, D. A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all script-like input.

Answer 982

A

B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML
```
 tag in the input.
```

Answer 983

A

A. The use of the

 tag is a telltale sign of a cross-site scripting (XSS) attack.

Answer 984

A

B. Backdoors are undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions. Privilege escalation attacks, such as those carried out by rootkits, seek to upgrade normal user accounts to administrative
access rights. Buffer overflows place excess input in a field in an attempt to execute attacker supplied code.

Answer 985

A

D. Elasticity provides for automatic provisioning and deprovisioning of resources to meet demand. Scalability only requires the ability to increase (but not decrease) available resources. Load balancing is the ability to share application load across multiple servers, and
fault tolerance is the resilience of a system in the face of failures.

Answer 986

A

D. The

 tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

Answer 987

A

C. Trojan horses masquerade as useful programs (such as a game) but really contain malicious code that runs in the background. Logic bombs contain malicious code that is executed if certain specified conditions are met. Worms are malicious code objects that spread under their own power, while viruses spread through some human intervention

Brainscape's Knowledge GenomeTM

CISSP-P3 Flashcards

Brainscape's Knowledge Genome^TM