CISSP Practice Questions - All CISSP Domains 120Q - 2022 #3 (2 of 2 / Anthony Today) Flashcards

1
Q

You and your team are in charge of the administration of hundreds of systems, and you find it challenging to deal with all the credentials needed to connect to these systems. What would be an appropriate solution to enforce a password rotation and to reduce the burden related to it?

A. A credential management system
B. A strong password policy
C. Separation of duties
D. Single Sign On

A

A. A credential management system

Explanation:
From the listed options, implementing a credential management system addresses that need specifically. A strong password policy would likely increase the burden of credential management. Separation of duties neither eases the management of passwords nor enforces their rotation. Single sign-on would certainly reduce the burden and remove the need for password rotation; however, it is not possible to have single sign-on on all systems, especially when dealing with hundreds of them.

2
Q

What application security process are you applying when you decompose an application, rank threats, and establish countermeasures?

A. Fagan Inspection
B. Threat Modeling
C. Penetration Testing
D. Code Review

A

B. Threat Modeling

Explanation:
Threat modeling commonly involves decomposing the application to understand it and how it interacts with other components or users. Next, identifying and ranking threats allows you to focus on the threats that should be prioritized. Finally, identifying how to mitigate those threats finishes the process. Once complete, an organization can take action to handle the threats that were identified with appropriate controls.

3
Q

Albert is the security expert for a consulting firm and must enforce access controls that restrict users’ access based upon their previous activity. For example, once a consultant accesses data belonging to PentaBoisson, a consulting client, they may no longer access data belonging to any of their competitors. What would be the appropriate security model?

A. Clark-Wilson
B. Biba
C. Bell-LaPadula
D. Brewer-Nash

A

D. Brewer-Nash

Explanation:
Brewer-Nash, also known as the Chinese Wall model, addresses that security requirement because it allows access controls to change dynamically based upon a user’s actions.

4
Q

Which process is in charge of ensuring that changes to software include acceptance testing?

A. Request Control
B. Change Control
C. Release Control
D. Configuration Control

A

C. Release Control

Explanation:
From the listed options, only release control includes acceptance testing.

5
Q

You have been consulted to work on a data governance program. Based on your experience, who is assigning the classification level to information in an organization?

A. Data Creator
B. Data Owner
C. CISO
D. Data Custodian

A

B. Data Owner

Explanation:
The data owner defines the classification level of data because this person is ultimately responsible for its protection. In general, such a role is held by senior management.

6
Q

What would be the most complex decoy environment for an attacker to explore during an intrusion attempt?

A. Honeypot
B. Darknet
C. Honeynet
D. Pseudo flaw

A

A. Honeypot

Explanation:
A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a decoy computer system used to bait intruders into attacking. A pseudo flaw is a false vulnerability in a system that may attract an attacker.

7
Q

What term is used to describe the formal declaration by a Designated Approving Authority that an IT system is approved to operate in a specific environment?

A. Certification
B. Accreditation
C. Evaluation
D. Approval

A

B. Accreditation

Explanation:
For an IT system to operate in a described risk environment, the DAA must issue a formal accreditation.

8
Q

The person in charge of the company asked you to propose a solution for secure messaging between employees. What would you propose?

A. Use a third party messaging service
B. Implement and use a locally hosted service
C. Use HTTPS
D. Discontinue use of messaging and instead use email, which is more secure

A

B. Implement and use a locally hosted service

Explanation:
In order to have full control and guarantee the security of the messages exchanged between employees of the same company, it is recommended to implement a locally hosted solution. Such an approach prevents the messages from leaving the corporate environment and gives you full control over the encryption algorithms used.

9
Q

Which classification level is the U.S. government’s classification label for data that could cause damage but wouldn’t cause serious or grave damage?

A. Top Secret
B. Secret
C. Confidential
D. Classified

A

C. Confidential

Explanation:
Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. “Classified” is not a level in the U.S. government classification scheme. The U.S. government uses the label Confidential for data that could cause damage if it was disclosed without authorization.

10
Q

Which classification level is the U.S. government’s classification label for data that could cause exceptionally grave damage?

A. Top Secret
B. Secret
C. Highly Secret
D. Secret Max

A

A. Top Secret

Explanation:
The U.S. government uses the label Top Secret for data that could cause exceptionally grave damage if it was disclosed without authorization.

11
Q

You join a company after having worked for law enforcement organizations for the past five years. When someone is picking up a drive or other evidence, you ask them to sign a document. By making them sign this document, what are you creating?

A. Criminal Case
B. Chain of Custody
C. Civil Evidence
D. CYA Proof

A

B. Chain of Custody

Explanation:
The document you are making them sign creates a chain of custody, which records who handled the evidence, when, and how, so that the evidence is admissible in court.

12
Q

Which risk formula is not correct?

A. Risk = Threat * Vulnerability
B. Threat = Risk / Vulnerability
C. Vulnerability = Risk / Threat
D. Risk = Asset / Threat

A

D. Risk = Asset / Threat

Explanation:
The most common formula is risk = threat * vulnerability. Applying basic algebra to it, risk = asset / threat is obviously incorrect.

13
Q

You heard that users are complaining about poor network performance this morning, and you notice that some servers have an unusually heavy CPU workload. After reviewing your antivirus dashboard, you realize that all systems are running the latest signatures and that no virus has been detected. If there is malware on your systems, what technique would it be using that prevents you from detecting it?

A. File infector virus
B. MBR Virus
C. Service Injection Virus
D. Stealth Virus

A

D. Stealth Virus

Explanation:
The system may be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor. However, in this case, another possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file.

14
Q

What is not an example of a backup tape rotation scheme?

A. Grandfather/Father/Son
B. Meet in the Middle
C. Tower of Hanoi
D. Six Cartridge Weekly

A

B. Meet in the Middle

Explanation:
Meet-in-the-middle is a cryptographic attack against 2DES encryption. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns.

15
Q

Lembele is a mid-sized business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations. Christelle works in the Lembele IT department and is responsible, among other things, for designing and implementing the organization’s backup strategy. She currently conducts full backups every Sunday evening at 8 p.m. and incremental backups on Monday through Friday at noon. Lembele experienced a server failure at 9 p.m. on Thursday. Christelle rebuilds the server and wants to restore data from the backups. How many backups does Christelle have to restore in order to bring the situation back to normal?

A. 1
B. 3
C. 5
D. 8

A

C. 5

Explanation:
Given the description, she will need to restore the full backup from Sunday, and the incremental backups from Monday to Thursday. Thus, a total of five backups to restore.

16
Q

If you are about to deploy the fastest possible wireless network in your house while having the widest signal coverage, which option would you choose?

A. 802.11a
B. 802.11g
C. 802.11n
D. 802.11ac

A

C. 802.11n

Explanation:
Lower frequencies provide larger signal coverage, while higher frequencies provide more bandwidth. Given the scenario, you should determine the wireless protocol that gives the maximum bandwidth with the largest signal coverage, so you should only consider protocols operating on the 2.4 GHz band. Among those, 802.11n supports 200+ Mbps on 2.4 GHz. The other options do not match this requirement.

17
Q

Amanda needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. Which of the following types of trust does she have to set up?

A. A shortcut trust
B. A forest trust
C. An external trust
D. A realm trust

A

D. A realm trust

Explanation:
Understand realm as a scope, or a domain. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A forest trust is a transitive trust between two forest root domains, a shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, and an external trust is a nontransitive trust between AD domains in separate forests.

18
Q

What tool would be best suited to test known exploits against a system?

A. Nikto
B. Ettercap
C. Metasploit
D. THC Hydra

A

C. Metasploit

Explanation:
Metasploit is a tool used to exploit known vulnerabilities. Ettercap is a man-in-the-middle attack tool, Nikto is a web application and server vulnerability scanning tool, and THC Hydra is a password brute-force tool.

19
Q

What is not an access control layer?

A. Physical
B. Policy
C. Administrative
D. Technical

A

B. Policy

Explanation:
Administrative, technical, and physical access controls all play an important role in security. Policy is a subset of the administrative layer of access controls.

20
Q

During a review of support incidents, Jean-Michel’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which option would be most likely to decrease that number significantly?

A. Two-Factor Authentication
B. Biometric Authentication
C. Self-Service Password Reset
D. Passphrases

A

C. Self-Service Password Reset

Explanation:
Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has.

21
Q

During a port scan, Samantha discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?

A. A Linux email service
B. A Windows SQL server
C. A Linux File Server
D. A Windows Workstation

A

B. A Windows SQL server

Explanation:
TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services. TCP and UDP ports 137-139 are used for NetBIOS services, whereas 445 is used for Active Directory.

22
Q

As part of your software testing, you play the attacker’s role and try to determine how an attack would proceed to compromise your software. Once outlined, you test how the software behaves should such an attack take place. What is this type of testing?

A. Misuse Case Testing
B. Use Case Testing
C. Hacker Use Case Testing
D. Static Code Analysis

A

A. Misuse Case Testing

Explanation:
The testing described is misuse case testing, a process that tests code based on how it would behave if it were misused instead of used properly. Use case testing tests valid use cases, whereas static code analysis involves reviewing the code itself for flaws rather than testing the live software.

23
Q

What kind of item are the following examples of: files, databases, computers, programs, processes, devices?

A. Subjects
B. Objects
C. File Stores
D. Users

A

B. Objects

Explanation:
All of these items are objects. Some of them could also be subjects; however, files, databases, and storage media cannot.

24
Q

You are a defense contractor working on highly sensitive missions. Your request to write to a data file is blocked, even though you have a Secret security clearance and the data file has a Confidential classification. What principle of the Bell-LaPadula model blocked this request?

A. Simple Security Property
B. Simple Integrity Property
C. *-Security Property
D. Discretionary Security Property

A

C. *-Security Property

Explanation:
This question relates to pure knowledge of the Bell-LaPadula model. The process described is also known as the confinement property. The *-Security Property outlines that an individual cannot write to a file at a lower classification level than that of the individual.

25
Q

When contracting with a third party service provider for the maintenance of some of your equipment, which kind of agreement formally defines the expectations regarding performance of the services to be delivered by this third party?

A. Service-Level Agreement (SLA)
B. Operations Level Agreement (OLA)
C. Memorandum of Understanding (MOU)
D. Statement of Work (SOW)

A

A. Service-Level Agreement (SLA)

Explanation:
An OLA is between internal service organizations and does not involve customers. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An SOW is an addendum to a contract describing work to be performed.

26
Q

You are an auditor from a Big Four audit firm looking for evidence to determine whether your client is compliant with the rules that were established. Which of the following techniques uses statistical methods to select a small number of records from a large pool for further analysis, with the aim of selecting a representative set of the pool?

A. Clipping
B. Randomization
C. Sampling
D. Selecting

A

C. Sampling

Explanation:
Sampling and clipping are the two main methods of choosing records from a large pool for further analysis. More specifically, sampling uses statistical techniques to choose a sample that is representative of the entire pool. On the other hand, clipping leverages threshold values to select the records exceeding the predefined threshold. As an auditor you would give the most attention to these records.

27
Q

Having a suitable authentication mechanism is at the core of every security solution. From the following options, which is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?

A. Kerberos
B. EAP
C. RADIUS
D. OAuth

A

C. RADIUS

Explanation:
Kerberos is a ticket-based authentication protocol, and is leveraged by the Active Directory solution from Windows. OAuth, which stands for Open Authentication, is an open standard for authentication allowing the use of credentials from one site on third-party sites. RADIUS is an AAA (Authentication, Authorization, Accountability) protocol used to provide authentication as well as authorization. RADIUS is used for modems, network devices and wireless networks, and requests are sent to a central RADIUS server. Finally, EAP (Extensible Authentication Protocol) is an authentication framework used for wireless networks.

28
Q

Cyber security experts established conceptual models with the aim to ease the collaboration between the different contributors, and to standardize the communications between the multiple layers of the models. The DARPA TCP/IP model’s Application layer matches up to what three OSI model layers?

A. Application, Presentation, and Transport
B. Presentation, Session, and Transport
C. Application, Presentation and Session
D. There is no direct match because the TCP model was created before the OSI model

A

C. Application, Presentation and Session

Explanation:
Remember that the OSI model has the following composition: 1. physical layer, 2. data link layer, 3. network layer, 4. transport layer, 5. session layer, 6. presentation layer, 7. application layer. The Defense Advanced Research Projects Agency (DARPA) TCP/IP model is a four-layer model, including the application layer, the transport layer, the Internet layer, and the network interface layer. It was used to create the OSI model, and the designers of the OSI model mapped the OSI model layers to it. Typically, the Application layer of the TCP/IP model maps to the Application, Presentation, and Session layers.

29
Q

Active Directory relies on the Kerberos authentication mechanism. What is the role of the Service Ticket (ST)?

A. It serves as the authentication host
B. It shares proof that the subject is authorized to access an object
C. It gives proof that a subject has authenticated through a KDC and can request tickets to access other objects
D. It provides ticket granting services

A

B. It shares proof that the subject is authorized to access an object

Explanation:
The Service Ticket in Kerberos authentication provides proof that a subject is authorized to access an object. The Ticket Granting Service is what provides ticket-granting services.

30
Q

Which device would allow you to connect your network to other networks while controlling the traffic on your network?

A. A switch
B. A bridge
C. A gateway
D. A router

A

D. A router

Explanation:
Based on the listed options, the router would be the appropriate equipment. By nature, it is the only device that can allow you to connect your network to others while controlling the traffic on your network. A gateway will allow you to interconnect networks of different nature, a switch does not offer the capability to control the traffic in your network.

31
Q

The EU-US Privacy Shield was a framework that used to regulate the transatlantic exchanges of personal data from EU and US citizens. Which US agency oversaw its compliance?

A. The FAA
B. The FDA
C. The DoD
D. The Department of Commerce

A

D. The Department of Commerce

Explanation:
The Department of Commerce used to oversee the EU-US Privacy Shield, but this framework is being replaced. The other US agencies were not directly involved in these interactions.

32
Q

Sharp cybersecurity professionals should be acquainted with good industry practices. Which of the following items is not a key principle of the COBIT framework for IT security control objectives?

A. Meeting stakeholder needs
B. Performing exhaustive analysis
C. Covering the enterprise end-to-end
D. Separating governance from management

A

B. Performing exhaustive analysis

Explanation:
COBIT is composed of five principles: (1) Meeting stakeholder needs, (2) Covering the enterprise end to end, (3) Applying a single integrated framework, (4) Enabling a holistic approach, and (5) Separating governance from management.

33
Q

You are a web application developer and noticed that something isn’t working as expected with the application that you just published. After troubleshooting the situation, you find that the application has a flaw and that logged-in users can take non-allowed actions. What kind of vulnerability is this?

A. Data Validation
B. Session management
C. Authorization
D. Error handling

A

C. Authorization

Explanation:
If a logged-in user can take unauthorized actions it is an authorization issue. Based on the situation described it is not about session management because a legitimately logged-in user could also take unauthorized actions. Error handling refers to mechanisms to deal with errors, while data validation is invoked when users are providing inputs to the applications.

34
Q

Your company has recently been the target of a cyber attack. What concept from the Federal Rules of Civil Procedure (FRCP) aims to give sufficient time and ensure that expenses are not incurred as part of electronic discovery when the benefits do not outweigh the costs?

A. Tool-assisted review
B. Cooperation
C. Spoliation
D. Proportionality

A

D. Proportionality

Explanation:
In general, the benefits of additional discovery must be proportional to the additional costs that they will require. The requesting party would have to justify disproportionate requests, which in most cases prevents unusual efforts.

35
Q

You are advising the COO of your company regarding the steps to take in case of a major incident. From the following options, which one would be part of the business continuity plan of your company?

A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

Explanation:
From the listed options, implementing RAID is the only one that deals with continuity, while all other options are focusing on recovery after a disaster.

36
Q

You have been requested to deploy an AAA server for wireless network services in your organization but you have been advised to not use proprietary technology. What technology are you selecting?

A. OAuth
B. RADIUS
C. XTACACS
D. TACACS+

A

B. RADIUS

Explanation:
Both TACACS+ and XTACACS are Cisco proprietary protocols and could therefore not be the right answer here. RADIUS is a common Authentication, Authorization, and Accountability solution that can be used for wireless network services. Finally, OAuth, which is an authentication protocol used to allow applications to operate password-less on a user’s behalf, is not a suitable approach per se.

37
Q

What type of vulnerability scan can access both the configuration information and the services of a system?

A. Authenticated Scans
B. Web application scans
C. Unauthenticated scans
D. Port Scans

A

A. Authenticated Scans

Explanation:
From the listed options, the only type of vulnerability scan that can access both the configuration files and the services on the systems is the authenticated scan. Other forms of scanning have limited abilities.

38
Q

Your company won a contract that will support governmental activities. What law applies to the information systems used in this contract?

A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

A

A. FISMA

Explanation:
The Government Information Security Reform Act (GISRA) preceded the Federal Information Security Management Act (FISMA). FISMA is specific to government contractors. HIPAA applies to healthcare, while PCI DSS applies to credit card information.

39
Q

If you are the owner of a system that is part of a university’s infrastructure, according to NIST SP 800-18, what should be done in the case of a substantial system change?

A. You should develop a data confidentiality plan
B. You should update the system security plan
C. You must classify the data the system contains
D. You must select custodians to handle day to day operational tasks

A

B. You should update the system security plan

Explanation:
NIST SP 800-18 requires a system owner to update the security plan following a substantial system change.

40
Q

In order to follow a risk-based approach for the decisions taken in your company, you have been requested to determine and assess the areas at risk. You want to be able to see how the risks evolve over time. What should be the first step of your approach?

A. Perform yearly risk assessments
B. Hire a penetration testing firm to regularly test organizational security
C. Identify and track key risk indicators
D. Monitor events and logs using a SIEM device

A

C. Identify and track key risk indicators

Explanation:
Based on the situation described, identifying key risk indicators (KRIs) and monitoring them can help to identify high-risk areas earlier in their life cycle. In general, KRIs are leveraged to picture how risky an activity is, and what would be the impact toward the risk profile. Additionally, yearly risk assessments provide only a point in time view, whereas penetration tests may focus on identifying vulnerabilities rather than overall risks. Finally, monitoring events and logs via a SIEM solution may help detect issues but won’t be specific on showing risk trends.

41
Q

You just got confirmation that your company hired ten freshly graduated students. What term is used to describe the default set of privileges assigned to a user when a new account is created?

A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement

A

D. Entitlement

Explanation:
Aggregation and transitivity are terms used when manipulating data from databases. Baseline refers to a predefined configuration, often used as a reference point by system administrators. Entitlement refers to the privileges granted to users when an account is first provisioned.

42
Q

You are a system engineer that is about to build a fault-tolerant server on a RAID 1 storage bay. How many physical hard drives will you need at minimum?

A. 1
B. 2
C. 3
D. 5

A

B. 2

Explanation:
RAID 1, which is generally referenced as disk mirroring, requires two physical disks that will contain copies of the same data.

43
Q

How would you characterize an attack conducted with Low Orbit Ion Cannon?

A. DDoS
B. Ionization
C. Zombie Hoard
D. Teardrop

A

A. DDoS

Explanation:
LOIC is an open-source network stress testing tool, and an attack conducted with it can be categorized as a Distributed Denial-of-Service (DDoS) attack.

44
Q

Before leaving for lunch, your colleague ensures that her laptop is well attached to its lock. Which of the following types of access control does not describe a lock?

A. Physical
B. Directive
C. Preventative
D. Deterrent

A

B. Directive

Explanation:
A lock can be described as a physical security measure because it physically protects the laptop from theft. It is also a deterrent measure, because the simple presence of a lock might discourage a potential thief. Finally, it is also a preventive control, because even if someone tries to steal the laptop, the lock will likely prevent them from being successful.

45
Q

You have been tasked to decommission a system that is no longer in use, and have been informed that it contains proprietary data. What is the best way to ensure that data is unrecoverable from a SSD?

A. Use the built-in erase commands
B. Use a random pattern wipe of 1s and 0s
C. Physically destroy the drive
D. Degauss the drive

A

C. Physically destroy the drive

Explanation:
SSDs are flash media and thus cannot be degaussed. As a result, physical destruction of the drive is the most appropriate way to ensure that there is no remnant data on the drive. Random pattern wipes and built-in erase commands have proven problematic on SSDs, both because of remnant data and because the erase commands themselves are unreliable.

46
Q

You are the IT manager of LightTheHouse Systems, and you decided to stop offering public NTP services because of multiple attack attempts in which your service was leveraged for amplification attacks. What risk management strategy are you taking regarding this NTP service?

A. Risk mitigation
B. Risk acceptance
C. Risk Transference
D. Risk avoidance

A

D. Risk avoidance

Explanation:
By no longer offering NTP services, you avoid the risk of being leveraged in future attacks. As a reminder, NTP services are used to provide a time reference to systems.

47
Q

In TLS, what type of key is used to encrypt the actual content of communications between a web server and a client?

A. Ephemeral session key
B. Client’s public key
C. Server’s public key
D. Server’s private key

A

A. Ephemeral session key

Explanation:
In Transport Layer Security (TLS), the client and the server communicate using an ephemeral symmetric session key. The client and the server establish this key using asymmetric cryptography, but all subsequent encrypted communication is protected using symmetric cryptography.

48
Q

From your cybersecurity courses, you recall that data can be found in different situations. What scenario describes data at rest?

A. Data in an IPSec Tunnel
B. Data in an e-commerce transaction
C. Data stored on a hard drive
D. Data stored in RAM

A

C. Data stored on a hard drive

Explanation:
In an IPSec tunnel or in e-commerce transactions, the data is in motion. Data stored in RAM is ephemeral and hence cannot be considered at rest. When stored on a physical drive, the data can be considered at rest.

49
Q

Ali, the system administrator, is implementing some changes on some virtual servers. Which of the following AAA protocols is the most commonly used?

A. TACACS
B. TACACS+
C. XTACACS
D. Super TACACS

A

B. TACACS+

Explanation:
Let’s start with an obviously wrong answer: Super TACACS. TACACS and XTACACS include encryption of all authentication information but are not commonly used. TACACS+ is the most commonly used AAA protocol.

50
Q

What type of important identity systems does the X.500 series of standards cover?

A. Kerberos
B. Provisioning services
C. Biometric authentication systems
D. Directory services

A

D. Directory services

Explanation:
Directory services are covered by the X.500 series of standards. Kerberos is described in RFCs. Provisioning standards include for example SCIM and SPML. Biometric systems are covered by a variety of standards, including ISO standards.

51
Q

You joined the system engineering team and have some questions regarding the authentication solution being used in the company. Which of the following is a ticket-based authentication protocol designed to provide secure communication?

A. RADIUS
B. OAuth
C. SAML
D. Kerberos

A

D. Kerberos

Explanation:
Although RADIUS is an authentication solution, it does not provide the protocol described. Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. SAML is a markup language whereas OAuth is designed to allow third-party websites to rely on credentials from other sites like Microsoft or Google.

52
Q

Models have been defined to standardize the communication between layers. What layer of the OSI model is associated with datagrams?

A. Session
B. Transport
C. Network
D. Data Link

A

B. Transport

Explanation:
Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP).

53
Q

A software company developed two systems that share information. System X provides information to the input of System Z, which then reciprocates by providing information back to System X as input. What type of composition theory best describes this practice?

A. Cascading
B. Feedback
C. Hookup
D. Elementary

A

B. Feedback

Explanation:
Although this is a specialized case of the cascading model, the feedback model is the most appropriate answer. The feedback model of composition theory occurs when one system provides input for a second system and then the second system provides input for the first system. The other options listed here are not in line with the situation described.

54
Q

Your manager asked you to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 9 a.m. and 5 p.m.” What access control system would allow you such a setup?

A. ABAC
B. RBAC
C. DAC
D. MAC

A

A. ABAC

Explanation:
Based on the requirements described, this is a typical attribute-based access control (ABAC) system that relies on a set of contextual requirements. Mandatory access control (MAC) would be based on classifications. Discretionary access control (DAC) is based on object owners’ choices. Rule-based access control (RBAC) is a rigid implementation of rules that can be found in traditional firewalls.

55
Q

Based on Californian law, which of the following would not be considered personally identifiable information?

A. Student Identification Number
B. Social Security Number
C. Driver’s License Number
D. Credit Card Number

A

A. Student Identification Number

Explanation:
From the options listed, only the student identification number is not commonly defined as personally identifiable information.

56
Q

When a new joiner joins your company, what term is used to describe the default set of privileges assigned to him or her when the account is created?

A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement

A

D. Entitlement

Explanation:
Entitlement refers to the privileges granted to users when an account is first provisioned. The other terms listed here are not related to user access management.

57
Q

One of your colleagues calls you for support and uses a code word your company has agreed on for cases where an employee is being forced to perform an action. How would you qualify such a situation?

A. Social Engineering
B. Duress
C. Force Majeure
D. Stockholm Syndrome

A

B. Duress

Explanation:
Duress, or having to act under threat of violence or other constraints, is taken into consideration by organizations where attackers would require physical access to assets of value. In general, employees are trained to follow such procedures.

58
Q

Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

A. Banks
B. Defense Contractors
C. School Districts
D. Hospitals

A

B. Defense Contractors

Explanation:
The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. The other types of organizations are subject to specific regulations such as COPPA, GLBA, or HIPAA.

59
Q

You are selecting an application management approach for your organization. Employees need the flexibility to install software on their systems, but you are keen on protecting your organization against the installation of prohibited software. What would be the appropriate approach?

A. Antivirus
B. Whitelist
C. Blacklist
D. Heuristic

A

C. Blacklist

Explanation:
The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach allows only the installation of a predefined list of approved applications. Antivirus software would detect the installation of malicious software after the fact, which is too late to prevent the action from occurring. Heuristic detection is an alternative antivirus approach.

60
Q

You are scheduling the software development phases for an important project and represent the start and end of the different activities on a graph. What chart are you likely creating?

A. Work breakdown structure
B. Functional Requirements
C. PERT Chart
D. Gantt Chart

A

D. Gantt Chart

Explanation:
Based on the description, it is likely to be a Gantt chart. Work Breakdown Structure (WBS) representations focus on the division of bigger tasks into smaller chunks, whereas Program Evaluation Review Technique (PERT) charts outline a project schedule as a series of numbered nodes.