CISSP STUDY QUESTIONS Flashcards

Question 1

Q

A potential problem related to the physical installation of the Iris Scanner in regards to the usage
of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.

Answer

A

Answer: D
Explanation: Because the optical unit utilizes a camera and infrared light to create the images,
sun light can impact the aperture so it must not be positioned in direct light of any type. Because
the subject does not need to have direct contact with the optical reader, direct light can impact the
reader.

Question 2

Q

In Mandatory Access Control, sensitivity labels attached to object contain what information?
A. The item’s classification
B. The item’s classification and category set
C. The item’s category
D. The items’s need to know

Answer

A

Answer: B
Explanation: The following is the correct answer: the item’s classification and category set

Question 3

Q

Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.

Answer

A

Answer: C
Explanation: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party
authentication protocol. It was designed and developed in the mid 1980’s by MIT. It is considered
open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The
password is used to encrypt and decrypt the keys

Question 4

Q

Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.

Answer

A

Answer: A
Explanation: Is a means of being able to track user actions. Through the use of audit logs and
other tools the user actions are recorded and can be used at a later date to verify what actions
were performed

Question 5

Q

What is Kerberos?
A. A three-headed dog from the egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.

Answer

A

Answer: B
Explanation: Is correct because that is exactly what Kerberos is.

Question 6

Q

Kerberos depends upon what encryption method?
A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography.
D. Blowfish cryptography.

Answer

A

Answer: B
Explanation: Kerberos depends on Secret Keys or Symmetric Key cryptography

Question 7

Q

A confidential number used as an authentication factor to verify a user's identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge

Answer

A

Answer: A
Explanation: PIN Stands for Personal Identification Number, as the name states it is a
combination of numbers

Question 8

Q

Individual accountability does not include which of the following?
A. unique identifiers
B. policies &amp; procedures
C. access rules
D. audit trails

Answer

A

Answer: B
Explanation: Accountability would not include policies & procedures because while important on an effective security program they cannot be used in determining accountability.

Question 9

Q

Which of the following exemplifies proper separation of duties?
A. Operators are not permitted modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console

Answer

A

Answer: A
Explanation: This is an example of Separation of Duties because operators are prevented from modifying the system time which could lead to fraud. Tasks of this nature should be performed by they system administrators.

Question 10

Q

An access control policy for a bank teller is an example of the implementation of which of the
following?
A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy

Answer

A

Answer: D
Explanation: The position of a bank teller is a specific role within the bank, so you would
implement a role-based policy

Question 11

Q

Which one of the following authentication mechanisms creates a problem for mobile users?
A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. One-time password mechanism.
D. Challenge response mechanism

Answer

A

Answer: A
Explanation: Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP.

Question 12

Q

Organizations should consider which of the following first before allowing external access to their LANs via the Internet?
A. Plan for implementing workstation locking mechanisms.
B. Plan for protecting the modem pool.
C. Plan for providing the user with his account usage information.
D. Plan for considering proper authentication options

Answer

A

Answer: D
Explanation: Before a LAN is connected to the Internet, you need to determine what the access controls mechanisms are to be used, this would include how you are going to authenticate individuals that may access your network externally through access control

Question 13

Q

Kerberos can prevent which one of the following attacks?
A. Tunneling attack.
B. Playback (replay) attack.
C. Destructive attack.
D. Process attack.

Answer

A

Answer: B
Explanation: Each ticket in Kerberos has a time-stamp and are subject to time expiration to help prevent these types of attacks

Question 14

Q

In discretionary access environments, which of the following entities is authorized to grant information access to other people?
A. Manager
B. Group Leader
C. Security Manager
D. Data Owner

Answer

A

Answer: D
Explanation: In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file

Question 15

Q

What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator’s workload would increase.
C. The users’ password would be too hard to remember.
D. User access rights would be increased

Answer

A

Answer: A
Explanation: A major concern with Single Sign-On (SSO) is that if a user’s ID and password are compromised, the intruder would have access to all the systems that the user was authorized for

Question 16

Q

Who developed one of the first mathematical models of a multilevel-security computer system?
A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.

Answer

A

Answer: C
Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system

Question 17

Q

Which of the following attacks could capture network user passwords?
A. Data diddling
B. Sniffing
C. IP Spoofing
D. Smurfing

Answer

A

Answer: B
Explanation: A network sniffer captures a copy every packet that traverses the network segment
the sniffer is connect to. Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with
customized software.

Question 18

Q

Which of the following would constitute the best example of a password to use for access to a system by a network administrator?
A. holiday
B. Christmas12
C. Jenny
D. GyN19Za!

Answer

A

Answer: D
Explanation: GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks

Question 19

Q

What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye

Answer

A

Answer: D
Explanation: The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina’s four cell layers

Question 20

Q

The Computer Security Policy Model the Orange Book is based on is which of the following?
A. Bell-LaPadula
B. Data Encryption Standard
C. Kerberos
D. Tempest

Answer

A

Answer: A
Explanation: The Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model. Orange Book Glossary

Question 21

Q

The end result of implementing the principle of least privilege means which of the following?
A. Users would get access to only the info for which they have a need to know
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.

Answer

A

Answer: A
Explanation: The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems.

Question 22

Q

Which of the following is the most reliable authentication method for remote access?
A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID

Answer

A

Answer: B
Explanation: A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

Question 23

Q

Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.

Answer

A

Answer: D
Explanation: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on.

Question 24

Q

The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization

Answer

A

Answer: C
Explanation: non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation

Question 25

Q

There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the
following?
A. public keys
B. private keys
C. public-key certificates
D. private-key certificates

Answer

A

Answer: C
Explanation: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.

Question 26

Q

In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model

Answer

A

Answer: A
Explanation: Details: The Answer: Bell-LaPadula model
The Bell-LAPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. Developed by the US Military in the 1970s.

Question 27

Q

Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+

Answer

A

Answer: A
Explanation: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

Question 28

Q

Single Sign-on (SSO) is characterized by which of the following advantages?
A. Convenience
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration

Answer

A

Answer: B
Explanation: Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete accounts across the entire network from one user interface

Question 29

Q

What is the primary role of smartcards in a PKI?
A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users

Answer

A

Answer: D

Question 30

Q

What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate

Answer

A

Answer: A
Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority(CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the
certificate signer that the identity information and the public key belong together.

Question 31

Q

The following is NOT a security characteristic we need to consider while choosing a biometricidentification systems:
A. data acquisition process
B. cost
C. enrollment process
D. speed and user interface

Answer

A

Answer: B
Explanation: Cost is a factor when considering Biometrics but it is not a security characteristic All the other answers are incorrect because they are security characteristics related to Biometrics. Data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process

Question 32

Q

In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering 2 questions :
A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits

Answer

A

Answer: B
Explanation: Today implementation of fast, accurate reliable and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behavior of a person are used for that purpose.

Question 33

Q

In biometric identification systems, the parts of the body conveniently available for identification are:
A. neck and mouth
B. hands, face, and eyes
C. feet and hair
D. voice and neck

Answer

A

Answer: B
Explanation: Today implementation of fast, accurate, reliable, and user-acceptable biometric identification systems are already under way. Because most identity authentication takes place when a people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are hands, face, and eyes

Question 34

Q

Controlling access to information systems and associated networks is necessary for the preservation of their:
A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability.
C. integrity and availability.
D. authenticity,confidentiality, integrity and availability

Answer

A

Answer: B
Explanation: Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability.

Question 35

Q

To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:
A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal

Answer

A

Answer: A
Explanation: Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and
Non-Discretionary. An access matrix is one of the means used to implement access control

Question 36

Q

Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what category of access control?
A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control

Answer

A

Answer: C
Explanation: Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects. In general, all access control policies other than DAC are grouped in the category of nondiscretionary access control (NDAC). As the name implies, policies in this category have rules that
are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.

Question 37

Q

The type of discretionary access control (DAC) that is based on an individual's identity is also called:
A. Identity-based Access control
B. Rule-based Access control
C. Non-Discretionary Access Control
D. Lattice-based Access control

Answer

A

Answer: A
Explanation: An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual’s identity. DAC is good for low level security environment. The owner of the file decides who has access to the file.

Question 38

Q

Which access control type has a central authority that determine to what objects the subjects have access to and it is based on role or on the organizational security policy?
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Answer

A

Answer: C
Explanation: Non Discretionary Access Control include Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC). RABC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already

Question 39

Q

Which of the following control pairings include: organizational policies and procedures, preemployment
background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased
supervision, security awareness training, behavior awareness, and sign-up procedures to obtain
access to information systems and networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing

Answer

A

Answer: A
Explanation: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information
systems and networks

Question 40

Q

Technical controls such as encryption and access control can be built into the operating system,be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing

Answer

A

Answer: B
Explanation: Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.

Question 41

Q

What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
A. Micrometrics
B. Macrometrics
C. Biometrics
D. MicroBiometrics

Answer

A

Answer: C

Question 42

Q

What is called the access protection system that limits connections by calling back the number of a previously authorized location?
A. Sendback systems
B. Callback forward systems
C. Callback systems
D. Sendback forward systems

Answer

A

Answer: C
Explanation: The Answer: Call back Systems; Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.

Question 43

Q

What are called user interfaces that limit the functions that can be selected by a user?
A. Constrained user interfaces
B. Limited user interfaces
C. Mini user interfaces
D. Unlimited user interfaces

Answer

A

Answer: A
Explanation: Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting available menus, data views, encryption, or by physically constraining the user interfaces

Question 44

Q

Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are
associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Answer

A

Answer: D
Explanation: Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records

Question 45

Q

The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Answer

A

Answer: B
Explanation: The detective/technical control measures are intended to reveal the violations of security policy using technical means

Question 46

Q

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative

Answer

A

Answer: C
Explanation: Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists

Question 47

Q

External consistency ensures that the data stored in the database is:
A. in-consistent with the real world.
B. remains consistant when sent from one system to another.
C. consistent with the logical world.
D. consistent with the real world.

Answer

A

Answer: D
Explanation: External consistency ensures that the data stored in the database is consistent with the real world.

Question 48

Q

A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Answer

A

Answer: C
Explanation: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the ‘central authority’ that determines access rights

Question 49

Q

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality

Answer

A

Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself

Question 50

Q

Which one of the following factors is NOT one on which Authentication is based?
A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such
as a fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator

Answer

A

Answer: D
Explanation: Authentication is based on the following three factor types:
Type 1 Something you know, such as a PIN or password
Type 2 Something you have, such as an ATM card or smart card
Type 3 Something you are (Unique physical characteristic), such as a fingerprint or retina scan

Question 51

Q

A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Answer

A

Answer: C
Explanation: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the ‘central authority’ that determines access rights

Question 52

Q

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality

Answer

A

Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.

Question 53

Q

The act of requiring two of the three factors to be used in the authentication process refers to:
A. Two-Factor Authentication
B. One-Factor Authentication
C. Bi-Factor Authentication
D. Double Authentication

Answer

A

Answer: A
Explanation: Two-Factor Authentication refers to the act of requiring two of the three factors to be used in the authentication process

Question 54

Q

Which type of password provides maximum security because a new password is required for each new log-on?
A. One-time or dynamic password
B. Congnitive password
C. Static password
D. Passphrase

Answer

A

Answer: A
Explanation: “One-time password” provides maximum security because a new password is required for each new log-on.

Question 55

Q

What is called a password that is the same for each log-on session?
A. "one-time password"
B. "two-time password"
C. static password
D. dynamic password

Answer

A

Answer: C

Question 56

Q

What is called a sequence of characters that is usually longer than the allotted number for a password?
A. passphrase
B. cognitive phrase
C. anticipated phrase
D. Real phrase

Answer

A

Answer: A
Explanation: A passphrase is a sequence of characters that is usually longer than the allotted number for a password

Question 57

Q

Which best describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic passwords?
A. Tickets
B. Tokens
C. Token passing networks
D. Coupons

Answer

A

Answer: B
Explanation: Tokens; Tokens in the form of credit card-size memory cards or smart cards, or those resembling small calculators, are used to supply static and dynamic passwords.

Question 58

Q

Which of the following would be true about Static password tokens?
A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticates the token owner but the system.

Answer

A

Answer: A
Explanation: Tokens are electronic devices or cards that supply a user’s password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems, a static system will normally log a user in but
a dynamic system the user will often have to log themselves in

Question 59

Q

In Synchronous dynamic password tokens:
A. The token generates a new password value at fixed time intervals (this password could be
based on the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password
could be based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner’s PIN.
D. The authentication entity in a system or workstation knows an owner’s secret key and PIN, and
the entity verifies that the entered password is invalid and that it was entered during the invalid
time window.

Answer

A

Answer: B
Explanation: Synchronous dynamic password tokens:
The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key). The unique password is entered into a system or workstation along with an owner’s PIN.
The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.

Question 60

Q

In biometrics, "one-to-many" search against database of stored biometric images is done in:
A. Authentication
B. Identification
C. Identities
D. Identity-based access control

Answer

A

Answer: B
Explanation: In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images.

Question 61

Q

Which of the following is true of biometrics?
A. It is used for identification in physical controls and it is not used in logical controls.
B. It is used for authentication in physical controls and for identification in logical controls.
C. It is used for identification in physical controls and for authentication in logical controls.
D. Biometrics has not role in logical controls.

Answer

A

Answer: C
Explanation: When used in physical control biometric Identification is performed by doing a one to many match. When you submit your biometric template a search is done through a database of templates until the matching one is found. At that point your identity is revealed and if you are a valid employee access is granted

Question 62

Q

What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error

Answer

A

Answer: A
Explanation: The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error

Question 63

Q

What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III Error

Answer

A

Answer: B
Explanation: The percentage of invalid subjects that are falsely accepted is called the False Acceptance Rate (FAR) or Type II Error.

Question 64

Q

What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. Failure to enroll rate (FTE or FER)

Answer

A

Answer: C
Explanation: The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.

Answer 65

A

Answer: B
Explanation: Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system

Answer 66

A

Answer: B
Explanation: The advantages of SSO include having the ability to use stronger passwords, easier administration as far as changing or deleting the passwords, minimize the risks of orphan accounts, and requiring less time to access resources.

Answer 67

A

Answer: A
Explanation: Single Sign-On is a distrubuted Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is if a fraudster is able to compromise those credential they too would have access to all the resources that account has access to. All the other answers are incorrect as they are distractors.

Answer 68

A

Answer: A
Explanation: SSO can be implemented by using scripts that replay the users multiple log-ins against authentication servers to verify a user’s identity and to permit access to system services. Single Sign on was the best answer in this case because it would include Kerberos. When you have two good answers within the 4 choices presented you must select the BEST one.
The high level choice is always the best. When one choice would include the other one that would
be the best as well.

Answer 69

A

Answer: B
Explanation: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session. Credentials defined at login are then passed between
resources without the need for additional logins.
• The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is
aware of all systems in the network and is trusted by all of them.
• It performs mutual authentication, where a client proves its identity to a server and a server
proves its identity to the client

Answer 70

A

Answer: A
Explanation:The server also checks the authenticator and, if that timestamp is valid, it provides the requested service to the client.

Answer 71

A

Answer: A
Explanation: Kerberos addresses the confidentiality and integrity of information. It also addresses primarily authentication but does not directly address availability.

Answer 72

A

Answer: C
Explanation: Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. The security depends on careful implementation:enforcing limited lifetimes for authentication credentials minimizes the threat of of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-kerberos activities

Answer 73

A

Answer: B
Explanation: Sesame is an authentication and access control protocol, that also supports communication
confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMAstyle Privilege Attribute Service

Answer 74

A

Answer: D
Explanation: According to RFC 2865: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to
designated RADIUS servers, and then acting on the response which is returned.

Answer 75

A

Answer: A
Explanation: CHAP: A protocol that uses a three way hand shake The server sends the client a challenge
which includes a random value(a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password.The authentication is successful if the client’s response is the one that the server expected.

Answer 76

A

Answer: A
Explanation: The rows of the table represent records or tuples and the columns of the table represent the attributes

Answer 77

A

Answer: D
Explanation: 1 The formal description of how a relational database operates.
2 The mathematics which underpin SQL operations.
A number of operations can be performed in relational algebra to build relations and operate on the data

Answer 78

A

Answer: A
Explanation: The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables). Data Definition Language. The Data Definition Language (DDL) is used to create and destroy databases and database objects. These commands will primarily be used by database administrators during the setup and removal phases of a database project. Let’s take a look at the structure and usage of four basic

Answer 79

A

Answer: A
Explanation: An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to
monitor host audit logs in order to determine if any violations of an organization’s system security
policy have taken place

Answer 80

A

Answer: A
Explanation: This type of IDS is called a network-based IDS because monitors network traffic in real time.

Answer 81

A

Answer: A
Explanation: A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack on the host and to determine if the attack was successful. All critical serves should have a Host Based Intrusion Detection System (HIDS) installed. As you are well aware, network based IDS cannot make sense or detect pattern of attacks within encrypted traffic.
A HIDS might be able to detect such attack after the traffic has been decrypted on the host. This is why critical servers should have both NIDS and HIDS

Answer 82

A

Answer: A
Explanation: A network-based IDS usually provides reliable, real-time information without consuming network or host resources

Answer 83

A

Answer: A
Explanation: Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected

Answer 84

A

Answer: A
Explanation: A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful

Answer 85

A

Answer: A
Explanation: The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing.

Answer 86

A

Answer: A

Answer 87

A

Answer: A
Explanation: An issue with signature-based ID is that only attack signatures that are stored in their database are detected. New attacks without a signature would not be reported. They do require constant updates in order
to maintain their effectiveness.

Answer 88

A

Answer: A
Explanation: Statistical Anomaly-Based ID - With this method, an IDS acquires data and defines a “normal” usage profile for the network or host that is being monitored.

Answer 89

A

Answer: A
Explanation: The cost of access control must be commensurate with the value of the information that is being protected.

Answer 90

A

Answer: B
Explanation: These factors cover the integrity, confidentiality, and availability components of information system security.

Answer 91

A

Answer: A
Explanation: Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system and if it is an unauthorized user then he is fully aware of trespassing.

Answer 92

A

Answer: B
Explanation: The preventive/technical pairing uses technology to enforce access control policies

Answer 93

A

Answer: D
Explanation: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident

Answer 94

A

Answer: C
Explanation: Access control is the collection of mechanisms that permits managers of a system
to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. Specifying HOW to restrain hackers is not directly linked to access control.

Answer 95

A

Answer: A
Explanation: Access Control Techniques
Discretionary Access Control
Mandatory Access Control
Lattice Based Access Control
Rule-Based Access Control
Role-Based Access Control

Answer 96

A

Answer: C
Explanation: It is not a property of Bell LaPadula model.
The other answers are incorrect because: A subject is not allowed to read up is a property of the ‘simple security rule’ of Bell LaPadula model

Answer 97

A

Answer: B
Explanation: When the biometric system accepts impostors who should have been rejected , it is
called a Type II error or False Acceptance Rate or False Accept Rate. Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior,
which is one of the most effective and accurate methods of verifying identification

Answer 98

A

Answer: C
Explanation: In order to protect the confidentiality of the data

Answer 99

A

Answer: B
Explanation: The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is authorized access to resources

Answer 100

A

Answer: C
Explanation: As this is not a characteristic of Biometrics this is the rigth choice for this question. This is one of the three basic way authentication can be performed and it is not related to Biometrics. Example of something you know would be a password or PIN for example.

Answer 101

A

Answer: C
Explanation: From most effective (lowest CER) to least effective (highest CER) are: Iris scan, fingerprint, voice verification, keystroke dynamics

Answer 102

A

Answer: B
Explanation: Most of the time users usually choose passwords which can be guessed , hence passwords is the BEST answer out of the choices listed above.

Answer 103

A

Answer: B
Explanation: Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.

Answer 104

A

Answer: D
Explanation: There is no such component within kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component

Answer 105

A

Answer: A
Explanation: Data owners decide who has access to resources based only on the identity of the person accessing the resource

Answer 106

A

Answer: B
Explanation: Access decisions are made based on the clearance of the subject and the sensitivity label of the object

Answer 107

A

Answer: C
Explanation: RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says “to distinguish it from the policy-based specifics of MAC”). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both models but NIST tend to use a lowercase “u” in between R and B to differentiate the two models

Answer 108

A

Answer: A
Explanation: The underlying problem for a company with a lot of turnover is assuring that new
employees are assigned the correct access permissions and that those permissions are removed
when they leave the company

Answer 109

A

Answer: C
Explanation: The use of a database view allows sensitive information to be hidden from unauthorized users. For example, the employee table might contain employee name, address, office extension and sensitive information such as social security number, etc. A view of the table
could be constructed and assigned to the switchboard operator that only included the name and office extension.

Answer 110

A

Answer: B
Explanation: “It [ACL] specifies a list of users [subjects] who are allowed access to each object”

Answer 111

A

Answer: B
Explanation: Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user’s posession of a capability (or ticket) for the object. It is a row within the matrix. To put it another way, A capabiltiy table is different from an ACL because the subject is bound to
the capability table, whereas the object is bound to the ACL.

Answer 112

A

Answer: C
Explanation: The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access

Answer 113

A

Answer: B
Explanation: MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users – for example, user Joe (SECRET clearance) cannot
reclassify the “Presidential Doughnut Recipe” from “SECRET” to “CONFIDENTIAL” so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.

Answer 114

A

Answer: D
Explanation: The primary purpose of a honeypot is to study the attack methods of an attacker for the purposes of understanding their methods and improving defenses.

Answer 115

A

Answer: B
Explanation: Knowlege of modem numbers is a poor access control method as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized access over a modem line. “Monitoring and auditing for such activity” is incorrect. While monitoring and auditing can assist in
detecting a wardialing attack, they do not defend against a successful wardialing attack

Answer 116

A

Answer: B
Explanation: In the lattice model, users are assigned security clearences and the data is classified. Access decisions are made based on the clearence of the user and the classification of the object. Lattice-based access control is an essential ingredient of formal security models such as Bell-LaPadula, Biba, Chinese Wall, etc

Answer 117

A

Answer: A
Explanation: The KDC (Kerberos Distribution Center) can be a single point of failure. Confidentiality is incorrect. Kerberos does ensure confidentiality, keeping communications private between systems over a network

Answer 118

A

Answer: B
Explanation: Buffer Overflow attack takes advantage of improper parameter checking within the
application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program.

Answer 119

A

Answer: D
Explanation: Bell–LaPadula Confidentiality Model10 The Bell–LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to
another.

Answer 120

A

Answer: C
Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions).

Answer 121

A

Answer: B
Explanation: These controls can be used to investigate what happen after the fact. Your IDS may collect information on where the attack came from, what port was use, and other details that could be used in the investigation steps.

Answer 122

A

Answer: C
Explanation: Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control.

Answer 123

A

Answer: D
Explanation: Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism.

Answer 124

A

Answer: A
Explanation: The question was asking for a TRUE statement and the only correct statement is “Kerberos does not address availability”. Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.

Answer 125

A

Answer: A
Explanation: A view is considered as a virtual table that is derived from other tables. It can be used to restrict access to certain information within the database, to hide attributes, and to implement content-dependent access restrictions. It does not implement referential integrity.

Answer 126

A

Answer: A
Explanation: A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior-based).

Answer 127

A

Answer: D
Explanation: Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed

Answer 128

A

Answer: D
Explanation: Something you know and a password fits within only one of the three ways authentication could be done. A password is an example of something you know, thereby something you know and a password does not constitute a two-factor authentication as both are in
the same category of factors

Answer 129

A

Answer: D
Explanation: The mandatory access control model is based on a security label system. Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. Classification labels specify the level of trust a user must have to access a
certain file.

Answer 130

A

Answer: D
Explanation: With mandatory access control (MAC), the authorization of a subject’s access to an object is dependant upon labels, which indicate the subject’s clearance. Identity-based access control is a type of discretionary access control. A role-based access control is a type of nondiscretionary access control.

Answer 131

A

Answer: A
Explanation: When a biometric system rejects an authorized individual, it is called a Type I error. When a system accepts impostors who should be rejected (false positive), it is called a Type II error.

Answer 132

A

Answer: D
Explanation: With mandatory access control (MAC), the authorization of a subject’s access to an object is dependant upon labels, which indicate the subject’s clearance, and classification of objects.

Answer 133

A

Answer: C
Explanation: Kerberos is a trusted, credential-based, third-party authentication protocol that was developed at MIT and that uses symmetric (secret) key cryptography to authenticate clients to other entities on a network for access to services. It does not use X.509 certificates, which are used in public key cryptography

Answer 134

A

Answer: C
Explanation: Kerberos is a trusted, credential-based, third-party authentication protocol that uses
symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network. Because a client’s password is used in the initiation of the Kerberos request for the service
protocol, password guessing can be used to impersonate a client

Answer 135

A

Answer: A
Explanation: In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files.

Answer 136

A

Answer: A
Explanation: An identity-based access control is an example of discretionary access control that is based on an individual’s identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non-discretionary access controls.

Answer 137

A

Answer: C
Explanation: The lattice is a mechanism use to implement Mandatory Access Control (MAC)
Under Mandatory Access Control (MAC) you have:
Mandatory Access Control
Under-Non Discretionary Access Control (NDAC) you have:
Rule-Based Access Control, Role-Based Access Control
Under Discretionary Access Control (DAC) you have:
Discretionary Access Control

Answer 138

A

Answer: A
Explanation: The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up).

Answer 139

A

Answer: C
Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down).

Answer 140

A

Answer: D
Explanation: The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up)

Answer 141

A

Answer: D
Explanation: The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security levels and when
subjects can read data at lower levels.

Answer 142

A

Answer: C
Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users
from making unauthorized modifications to data, thereby protecting its integrity.

Answer 143

A

Answer: C
Explanation: Preventive controls are concerned with avoiding occurrences of risks while deterrent controls are concerned with discouraging violations. Detecting controls identify occurrences and
compensating controls are alternative controls, used to compensate weaknesses in other controls. Supervision is an example of compensating control.

Answer 144

A

Answer: B
Explanation: Corrective controls are concerned with remedying circumstances and restoring controls.
Detective controls are concerned with investigating what happen after the fact such as logs and video surveillance tapes for example.
Compensating controls are alternative controls, used to compensate weaknesses in other controls.
Preventive controls are concerned with avoiding occurrences of risks.

Answer 145

A

Answer: A
Explanation: The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long
period of time without needing re-enrollment

Answer 146

A

Answer: D
Explanation: Accountability can actually be seen in two different ways:
1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated.
2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in
accordance with the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted

Answer 147

A

Answer: C
Explanation: Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization’s
structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access
control, administration is decentralized and owners of resources control other users’ access. Nonmandatory
access control is not a defined access control technique.

Answer 148

A

Answer: A
Explanation: The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and
objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity.

Answer 149

A

Answer: A
Explanation: The Clark-Wilson model differs from other models that are subject- and object oriented by introducing a third access element programs resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non-interference model is related to the information flow model with restrictions on the information
flow. The Sutherland model approaches integrity by focusing on the problem of inference.

Answer 150

A

Answer: D
Explanation: Even thou all 4 terms are very close to each other, the best choice is Excessive Privileges which would include the other three choices presented.

Answer 151

A

Answer: B
Explanation: Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and
utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and
the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system’s vulnerability to these threats, and the risk that the threat may materialize

Answer 152

A

Answer: C
Explanation: Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.
It is not feasible and possible to eliminate all risks and the potential for loss as risk/threats are constantly changing.

Answer 153

A

Answer: C
Explanation: Logical or technical controls involve the restriction of access to systems and the
protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols

Answer 154

A

Answer: A
Explanation: Controls provide accountability for individuals who are accessing sensitive
information. This accountability is accomplished through access control mechanisms that require
identification and authentication and through the audit function. These controls must be in
accordance with and accurately represent the organization’s security policy. Assurance
procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system

Answer 155

A

Answer: B
Explanation: In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on
the organizational security policy. The access controls may be based on the individual’s role in the organization.

Answer 156

A

Answer: B
Explanation: In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual’s role or title within the organization. You can easily configure a new
employee acces by assigning the user to a role that has been predefine. The user will implicitly inherit the permissions of the role by being a member of that role.
These access permissions defined within the role do not need to be changed whenever a new person takes over the role. Another type of non-discretionary access control model is the Rule Based Access Control (RBAC
or RuBAC) where a global set of rule is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall.
This question is a sneaky one, one of the choice has only one added word to it which is often.
Reading questions and their choices very carefully is a must for the real exam. Reading it twice if needed is recommended.

Answer 157

A

Answer: A
Explanation: In this type of control, a lattice model is applied. To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal or higher than the object being accessed.

Answer 158

A

Answer: A
Explanation: Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from “normal” operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis
and reporting mechanisms, clipping levels can be set

Answer 159

A

Answer: B
Explanation: Passwords can be compromised and must be protected. In the ideal case, a
password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.

Answer 160

A

Answer: A
Explanation: Passwords can be compromised and must be protected. In the ideal case, a
password should only be used once. The changing of passwords can also fall between these two extremes.
Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
It is recommended to use a passphrase instead of a password. A passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often time the
passphrase will exceed the maximum length supported by the system and it must be trucated into a Virtual Password

Answer 161

A

Answer: A
Explanation: equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
In the context of Biometric Authentication almost all types of detection permit a system’s sensitivity to be increased or decreased during an inspection process. If the system’s sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR).
Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase.Thus, to have a valid measure of the system performance, the CrossOver Error Rate (CER) is used.

Answer 162

A

Answer: C
Explanation: The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of 10 subjects per minute. Things that may impact the throughput rate for some types of biometric systems may include: A concern with retina scanning systems may be the exchange of body fluids on the eyepiece.
Another concern would be the retinal pattern that could reveal changes in a person’s health, such as diabetes or high blood pressure.

Answer 163

A

Answer: A
Explanation: According to the cited reference, of the given options, the Retina scan has the lowest user acceptance level as it is needed for the user to get his eye close to a device and it is not user friendly and very intrusive.

Answer 164

A

Answer: C
Explanation: The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two
small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn’t be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults.

Answer 165

A

Answer: B
Explanation: Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified. This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it. Other programs are password-cracking programs and are likely to be used by security
administrators as well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site

Answer 166

A

Answer: B
Explanation: In an environmental error, the environment in which a system is installed somehow causes the system to be vulnerable. This may be due, for example, to an unexpected interaction between an application and the operating system or between two applications on the same host. A configuration error occurs when user controllable settings in a system are set such that the system is vulnerable. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes
vulnerable due to an exceptional condition that has arisen.

Answer 167

A

Answer: A
Explanation: A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses.

Answer 168

A

Answer: D
Explanation: Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system
behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature-based) IDSs. Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. They
are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified.

Answer 169

A

Answer: C
Explanation: Users tend to choose easier to remember passwords. System-generated passwords
can provide stronger, harder to guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special
characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user’s desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy.

Answer 170

A

Answer: A
Explanation: The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control.

Answer 171

A

Answer: C
Explanation: Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance
rate (FAR or type II errors).
The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy

Answer 172

A

Answer: B
Explanation: When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor.

Answer 173

A

Answer: D
Explanation: The only way to be truly positive in authenticating identity for access is to base the
authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the
person, however they are not perfect and they would have to be supplemented by another factor

Answer 174

A

Answer: B
Explanation: A continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking

Answer 175

A

Answer: D
Explanation: An automated login function for remote users would imply a weak authentication,
thus certainly not a security goal

Answer 176

A

Answer: D
Explanation: Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires
that the system be able to identify and differentiate among users. Reporting incidents is more
related to incident response capability (operational control) than to identification and authentication (technical control).

Answer 177

A

Answer: A
Explanation: Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in non-repudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.

Answer 178

A

Answer: B
Explanation: Cognitive passwords are fact or opinion-based information used to verify an
individual’s identity. Passwords that can be used only once are one-time or dynamic passwords.
Password generators that use a challenge response scheme refer to token devices.
A passphrase is a sequence of characters that is longer than a password and is transformed into a virtual password

Answer 179

A

Answer: C
Explanation: The Key Distribution Center (KDC) holds all users’ and services’ cryptographic keys. It provides authentication services, as well as key distribution functionality. The Authentication Service is the part of the KDC that authenticates a principal. The Key Distribution Service and Key Granting Service are distracters and are not defined Kerberos components

Answer 180

A

Answer: A
Explanation: The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent

Answer 181

A

Answer: C
Explanation: The Crossover Error Rate (CER) is the point where false rejection rate (type I error) equals the false acceptance rate (type II error). The lower the CER, the better the accuracy of thedevice. At the time if this writing, response times and accuracy of some devices are:
System type Response time Accuracy (CER

Answer 182

A

Answer: B
Explanation: Radius, TACACS and DIAMETER are classified as authentication, authorization,
and accounting (AAA) servers

Answer 183

A

Answer: C
Explanation: The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was extended to include
additional functionality and the transport changed to TCP

Answer 184

A

Answer: B
Explanation: Containing the dial-up problem is conceptually easy: by installing the Remote
Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet

Answer 185

A

Answer: C
Explanation: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity

Answer 186

A

Answer: C
Explanation: An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system
resources to affect their operation and a passive attack attempts to learn or make use of the information from the system but does not affect system resources.

Answer 187

A

Answer: A
Explanation: RFC 2828 (Internet Security Glossary) defines the Extensible Authentication
Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended
for use primarily by a host or router that connects to a PPP network server via switched circuits or dial-up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet
protocol for carrying dial-in user’s authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to
authenticate the users of its network access ports

Answer 188

A

Answer: D

Answer 189

A

Answer: C

Answer 190

A

Answer: C

Answer 191

A

Answer: B

Answer 192

A

Answer: B
Explanation: Once an identity is established it must be authenticated. There exist numerous technologies and implementation of authentication methods however they almost all fall under three major areas.

Answer 193

A

Answer: C
Explanation: A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications.

Answer 194

A

Answer: D
Explanation: Any identity management system used in an environment where there are tens of thousands of users must be able to scale to support the volumes of data and peak transaction rates

Answer 195

A

Answer: C
Explanation: Principles P1 and P2 authenticate to the Key Distribution Center (KDC), principle P1 receives a Ticket Granting Ticket (TGT), and principle P2 requests a service ticket from the KDC.

Answer 196

A

Answer: A
Explanation: A vulnerability is mostly a weakness, it could be a weakness in a piece of sotware, it could be a weakness in your physical security, it could take many forms. It is a weakness that
could be exploited by a Threat. For example an open firewall port, a password that is never changed, or a flammable carpet. A missing Control is also considered to be a Vulnerability

Answer 197

A

Answer: B
Explanation: The following answers are incorrect:
An intentional hidden message or feature in an object such as a piece of software or a movie.
This is the definition of an “Easter Egg” which is code within code. A good example of this was a small flight simulator that was hidden within Microsoft Excel. If you know which cell to go to on your spreadsheet and the special code to type in that cell, you were able to run the flight simulator.
An anomalous condition where a process attempts to store data beyond the boundaries of a fixedlength buffer

Answer 198

A

Answer: C
Explanation: This is a contactless smart card that has two chips with the capability of utilizing
both contact and contactless formats

Answer 199

A

Answer: A
Explanation: Explanation :
Emanation attacks are the act of intercepting electrical signals that radiate from computing equipment. There are several countermeasures including shielding cabling, white noise, control zones, and TEMPEST equipment (this is a Faraday cage around the equipment)

Answer 200

A

Answer: B
Explanation: Something you know and something you have is two authentication factors and is
better than a single authentication factor. Strong Authentication or Two Factor Authentication is widely accepted as the best practice for authentication.

Answer 201

A

Answer: B
Explanation: Business impact analysis is not about technology; it is about supporting the mission
of the organization.

Answer 202

A

Answer: A
Explanation: The other answers are incorrect

Answer 203

A

Answer: A
Explanation: The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the data, it prevents sniffing attacks using a protocol analyzer also called a sniffer.
With more and more computers installed in networked environments, it often becomes necessary
to access hosts from a remote location. This normally means that a user sends login and
password strings for authentication purposes. As long as these strings are transmitted as plain
text, they could be intercepted and misused to gain access to that user account without the
authorized user even knowing about it.

Answer 204

A

Answer: C
Explanation: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for
managing devices on IP networks. Devices that typically support SNMP include routers, switches,
servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task
Force (IETF).

Answer 205

A

Answer: A
Explanation: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control
lists, firewalls, and cryptography. However, although these methods do impose limits on the
information that is released by a system, they provide no guarantees about information
propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the
confidentiality of the data are given once it is decrypted

Answer 206

A

Answer: B
Explanation: This question refers specificly to the LAND Attack. This question is testing your ability to recognize common attacks such as the Land Attack and also your understanding of what would be an acceptable action taken by your Intrusion Detection System

Answer 207

A

Answer: D
Explanation: SQL injection is execution of unexpected SQL in the database as a result of
unsanitized user input being accepted and used in the application code to form the SQL statement.It is a coding problem which affects inhouse, open source and commercial software

Answer 208

A

Answer: B
Explanation: Pivoting refers to method used by penetration testers that uses compromised
system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised
web server to attack other systems on the network. These types of attacks are often called multilayered
attacks. Pivoting is also known as island hopping.

Answer 209

A

Answer: A
Explanation: A zero-day (or zero-hour, or O day, or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the
vulnerability.

Answer 210

A

Answer: A
Explanation: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine or not corrupted from the original

Answer 211

A

Answer: D
Explanation: This is a tricky question, the keyword in the question is Internal users.
There are two possible answers based on how the question is presented, this question could
either apply to internal users or ANY anonymous/external users. Internal users should always have a written agreement first, then logon banners serve as a constant reminder

Answer 212

A

Answer: A
Explanation: Archive bit 1 = On (the archive bit is set).
Archive bit 0 = Off (the archive bit is NOT set). When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups backup all files changed since the last full. To do this, they don’t change the archive bit value when they backup a file. Instead the differential let’s the full backup make that change. An incremental only backs up data since the last incremental backup. Thus is does
change the archive bit from 1 (On) to 0 (Off).

Answer 213

A

Answer: A
Explanation: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network
technology binary format for proper line transmission.
Layer 2 is divided into two functional sublayers

Answer 214

A

Answer: B
Explanation: User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in
response to business processes

Answer 215

A

Answer: A
Explanation: In general there are three ways a pen tester can test a target system.
- White-Box: The tester has full access and is testing from inside the system.
- Gray-Box: The tester has some knowledge of the system he’s testing.
- Black-Box: The tester has no knowledge of the system.
Each of these forms of testing has different benefits and can test different aspects of the system from different approaches

Answer 216

A

Answer: A
Explanation: DAC - Discretionary Access Control is where the user controls access to the data they create or manage.

Answer 217

A

Answer: A
Explanation: RBAC - Role-Based Access Control permissions would fit best for a backup job for the employee because the permissions correlate tightly with permissions granted to a backup
operator

Answer 218

A

Answer: A
Explanation: There are seven access control categories. Below you have the Access Control
Types and Categories.
- Access Control Types:
- Administrative
- Policies, data classification and labeling and security awareness training
- Technical
- Hardare - MAC FIltering or perimeter devices like:
- Software controls like account logons and encryption, file perms

Answer 219

A

Question 228

Answer 220

A

B. Authenticity, Chain of Custody, Integrity, Minimalization, Reproducibility

Answer 221

A

B. System, data, administration, design

Answer 222

A

(B) Length of the passwords

Answer 223

A

(B) versioning

Answer 224

A

(B) a security policy.

Answer 225

A

(B) documented policies and procedures.

Answer 226

A

(B) Triggers

Answer 227

A

(B) disassembly.

Answer 228

A

(B) Contact your anti-virus vendor

Answer 229

A

(B) Compliance automation, efficiency of data protection management, facilitation of access control

Answer 230

A

(B) The properties of the file system

Answer 231

A

(B) signatures and anomalies

Answer 232

A

(B) Limit the number of interviewees in each session to three or less

Answer 233

A

(B) It provides criteria to evaluate trust in IT products.

Answer 234

A

Answer: D
Explanation:
The optical unit of the iris pattern biometric system must be positioned so that the sun does not shine into the aperture

Answer 235

A

Answer: B
Explanation:
A sensitivity label is required for every subject and object when using the Mandatory Access Control (MAC) model. The sensitivity label is made up of a classification and different categories

Answer 236

A

Answer: C
Explanation:
Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority Kerberos implementations works with shared secret keys.

Answer 237

A

Answer: A
Explanation:
Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed

Answer 238

A

Answer: B
Explanation:
Kerberos is a third-party authentication service that can be used to support SSO.
Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology

Answer 239

A

Answer: B
Explanation:
Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority Kerberos implementations works with shared secret keys.

Answer 240

A

Answer: A
Explanation:
Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.

Answer 241

A

Answer: B
Explanation:
Accountability would not include policies & procedures because while important on an effective security program they cannot be used in determining accountability

(References:
A: Accountability would include unique identifiers so that you can identify the individual.
C: Accountability would include access rules to define access violations.
D: Accountability would include audit trails to be able to trace violations or attempted violations.)

Answer 242

A

Answer: A
Explanation:
Changing the system time would cause logged events to have the wrong time. An operator could commit fraud and cover his tracks by changing the system time to make it appear as the events happened at a different time. Ensuring that operators are not permitted modify the system time
(another person would be required to modify the system time) is an example of separation of duties. The objective of separation of duties is to ensure that one person acting alone cannot compromise the company’s security in any way. High-risk activities should be broken up into different parts and
distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent
activity Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time.

Answer 243

A

Answer: D
Explanation:
Role-based access control is a model where access to resources is determined by job role rather than by user account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a role-based policy. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights

Brainscape's Knowledge GenomeTM

CISSP STUDY QUESTIONS Flashcards

Brainscape's Knowledge Genome^TM