CISSP STUDY QUESTIONS Flashcards

1
Q

A potential problem related to the physical installation of an iris scanner, in regard to the use of the iris pattern within a biometric system, is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.

A

Answer: D
Explanation: Because the optical unit uses a camera and infrared light to create the images, sunlight can affect the aperture, so the unit must not be positioned in direct light of any kind. Because the subject does not need to have direct contact with the optical reader, direct light can interfere with the reader.

2
Q

In Mandatory Access Control, the sensitivity labels attached to an object contain what information?
A. The item’s classification
B. The item’s classification and category set
C. The item’s category
D. The item’s need to know

A

Answer: B
Explanation: The sensitivity label carries both the item’s classification and its category set.

3
Q

Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.

A

Answer: C
Explanation: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user’s secret keys; the password is used to encrypt and decrypt the keys.

4
Q

Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.

A

Answer: A
Explanation: Accountability is a means of tracking user actions. Through the use of audit logs and other tools, user actions are recorded and can be used at a later date to verify what actions were performed.

5
Q

What is Kerberos?
A. A three-headed dog from Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.

A

Answer: B
Explanation: B is correct because that is exactly what Kerberos is: a trusted third-party authentication protocol.

6
Q
Kerberos depends upon what encryption method?
A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography.
D. Blowfish cryptography.
A

Answer: B
Explanation: Kerberos depends on secret-key (symmetric-key) cryptography.

7
Q
A confidential number used as an authentication factor to verify a user's identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge
A

Answer: A
Explanation: PIN stands for Personal Identification Number; as the name states, it is a combination of numbers.

8
Q
Individual accountability does not include which of the following?
A. unique identifiers
B. policies & procedures
C. access rules
D. audit trails
A

Answer: B
Explanation: Accountability would not include policies and procedures because, while they are important to an effective security program, they cannot be used to determine accountability.

9
Q

Which of the following exemplifies proper separation of duties?
A. Operators are not permitted to modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console.

A

Answer: A
Explanation: This is an example of separation of duties because operators are prevented from modifying the system time, which could otherwise lead to fraud. Tasks of this nature should be performed by the system administrators.

10
Q
An access control policy for a bank teller is an example of the implementation of which of the
following?
A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy
A

Answer: D
Explanation: The position of a bank teller is a specific role within the bank, so you would implement a role-based policy.

11
Q
Which one of the following authentication mechanisms creates a problem for mobile users?
A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. One-time password mechanism.
D. Challenge response mechanism
A

Answer: A
Explanation: Anything based on a fixed IP address would be a problem for mobile users because their location, and its associated IP address, can change from one time to the next. Many providers assign a new IP address every time the device is restarted. For example, an insurance adjuster using a laptop to file claims online goes to a different client each time, and the address changes every time he connects to the ISP.

12
Q

Organizations should consider which of the following first before allowing external access to their LANs via the Internet?
A. Plan for implementing workstation locking mechanisms.
B. Plan for protecting the modem pool.
C. Plan for providing the user with his account usage information.
D. Plan for considering proper authentication options

A

Answer: D
Explanation: Before a LAN is connected to the Internet, you need to determine which access control mechanisms are to be used; this includes how you are going to authenticate individuals who may access your network externally.

13
Q
Kerberos can prevent which one of the following attacks?
A. Tunneling attack.
B. Playback (replay) attack.
C. Destructive attack.
D. Process attack.
A

Answer: B
Explanation: Each ticket in Kerberos carries a timestamp and is subject to expiration, which helps prevent replay attacks.

14
Q
In discretionary access environments, which of the following entities is authorized to grant information access to other people?
A. Manager
B. Group Leader
C. Security Manager
D. Data Owner
A

Answer: D
Explanation: In Discretionary Access Control (DAC) environments, the user who creates a file is also considered its owner and has full control over the file, including the ability to set permissions for that file.

15
Q

What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator’s workload would increase.
C. The users’ password would be too hard to remember.
D. User access rights would be increased

A

Answer: A
Explanation: A major concern with Single Sign-On (SSO) is that if a user’s ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

16
Q
Who developed one of the first mathematical models of a multilevel-security computer system?
A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.
A

Answer: C
Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system.

17
Q
Which of the following attacks could capture network user passwords?
A. Data diddling
B. Sniffing
C. IP Spoofing
D. Smurfing
A

Answer: B
Explanation: A network sniffer captures a copy of every packet that traverses the network segment the sniffer is connected to. Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with customized software.

18
Q
Which of the following would constitute the best example of a password to use for access to a system by a network administrator?
A. holiday
B. Christmas12
C. Jenny
D. GyN19Za!
A

Answer: D
Explanation: GyN19Za! would be the best answer because it contains a mixture of upper- and lower-case letters, alphabetic and numeric characters, and a special character, making it less vulnerable to password attacks.

19
Q

What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye

A

Answer: D
Explanation: The retina, a thin nerve (1/50th of an inch) at the back of the eye, is the part of the eye that senses light and transmits impulses through the optic nerve to the brain, the equivalent of film in a camera. The blood vessels used for biometric identification are located along the neural retina, the outermost of the retina’s four cell layers.

20
Q
The Computer Security Policy Model the Orange Book is based on is which of the following?
A. Bell-LaPadula
B. Data Encryption Standard
C. Kerberos
D. Tempest
A

Answer: A
Explanation: The computer security policy model the Orange Book is based on is the Bell-LaPadula model (Orange Book Glossary).

21
Q

The end result of implementing the principle of least privilege means which of the following?
A. Users would get access to only the info for which they have a need to know
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.

A

Answer: A
Explanation: The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems.

22
Q
Which of the following is the most reliable authentication method for remote access?
A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID
A

Answer: B
Explanation: A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

23
Q

Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.

A

Answer: D
Explanation: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on.

24
Q
The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization
A

Answer: C
Explanation: Non-repudiation is not the answer: since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation.

25
Q
There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the
following?
A. public keys
B. private keys
C. public-key certificates
D. private-key certificates
A

Answer: C
Explanation: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.

26
Q
In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model
A

Answer: A
Explanation: The Bell-LaPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. It was developed by the US military in the 1970s.

27
Q
Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+
A

Answer: A
Explanation: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

28
Q

Single Sign-on (SSO) is characterized by which of the following advantages?
A. Convenience
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration

A

Answer: B
Explanation: Convenience: using single sign-on, users have to type their passwords only once, when they first log in, to access all the network resources. Centralized administration: some single sign-on systems are built around a unified server administration system, which allows a single administrator to add and delete accounts across the entire network from one user interface.

29
Q

What is the primary role of smartcards in a PKI?
A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users

A

Answer: D

30
Q
What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate
A

Answer: A
Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be that of a certificate authority (CA). In a web of trust scheme, the signature is that of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.

31
Q
The following is NOT a security characteristic we need to consider while choosing a biometric identification system:
A. data acquisition process
B. cost
C. enrollment process
D. speed and user interface
A

Answer: B
Explanation: Cost is a factor when considering biometrics, but it is not a security characteristic. All the other answers are incorrect because they are security characteristics related to biometrics. The data acquisition process can cause a security concern because, if the process is not fast and efficient, it can discourage individuals from using the system.

32
Q

In the early days of biometric identification systems, it soon became apparent that truly positive identification could only be based on the physical attributes of a person. This raised the necessity of answering two questions:
A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits

A

Answer: B
Explanation: Today the implementation of fast, accurate, reliable, and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behaviors of a person are used for that purpose.

33
Q
In biometric identification systems, the parts of the body conveniently available for identification are:
A. neck and mouth
B. hands, face, and eyes
C. feet and hair
D. voice and neck
A

Answer: B
Explanation: Today the implementation of fast, accurate, reliable, and user-acceptable biometric identification systems is already under way. Because most identity authentication takes place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face, and eyes.

34
Q

Controlling access to information systems and associated networks is necessary for the preservation of their:
A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability.
C. integrity and availability.
D. Authenticity, confidentiality, integrity and availability

A

Answer: B
Explanation: Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability.

35
Q
To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:
A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal
A

Answer: A
Explanation: Controlling access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary. An access matrix is one of the means used to implement access control.

36
Q

In Rule-Based Access Control (RuBAC), access is determined by rules. Such rules would fit within what category of access control?
A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control

A

Answer: C
Explanation: Rule-based access control is a type of non-discretionary access control because access is determined by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL users or subjects. In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.

37
Q
The type of discretionary access control (DAC) that is based on an individual's identity is also called:
A. Identity-based Access control
B. Rule-based Access control
C. Non-Discretionary Access Control
D. Lattice-based Access control
A

Answer: A
Explanation: Identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual’s identity. DAC is suited to low-level security environments. The owner of the file decides who has access to the file.

38
Q
Which access control type has a central authority that determines which objects subjects have access to, based on role or on the organizational security policy?
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control
A

Answer: C
Explanation: Non-Discretionary Access Control includes Role-Based Access Control (RBAC) and Rule-Based Access Control (RBAC or RuBAC). RBAC being a subset of NDAC, it was easy to eliminate RBAC, as it was already covered under NDAC.

39
Q

Which of the following control pairings includes organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing

A

Answer: A
Explanation: Preventive/administrative controls include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.

40
Q
Technical controls such as encryption and access control can be built into the operating system, be software applications, or be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing
A

Answer: B
Explanation: Preventive/technical controls are also known as logical controls and can be built into the operating system, be software applications, or be supplemental hardware/software units.

41
Q
What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
A. Micrometrics
B. Macrometrics
C. Biometrics
D. MicroBiometrics
A

Answer: C

42
Q
What is called the access protection system that limits connections by calling back the number of a previously authorized location?
A. Sendback systems
B. Callback forward systems
C. Callback systems
D. Sendback forward systems
A

Answer: C
Explanation: Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.

43
Q
What are called user interfaces that limit the functions that can be selected by a user?
A. Constrained user interfaces
B. Limited user interfaces
C. Mini user interfaces
D. Unlimited user interfaces
A

Answer: A
Explanation: Another method for controlling access is restricting users to specific functions based on their role in the system. This is typically implemented by limiting the available menus, data views, or encryption options, or by physically constraining the user interfaces.

44
Q
Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are
associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative
A

Answer: D
Explanation: Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records.

45
Q
The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative
A

Answer: B
Explanation: Detective/technical control measures are intended to reveal violations of security policy using technical means.

46
Q
The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:
A. Preventive/physical
B. Detective/technical
C. Detective/physical
D. Detective/administrative
A

Answer: C
Explanation: Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists.

47
Q

External consistency ensures that the data stored in the database is:
A. inconsistent with the real world.
B. remains consistent when sent from one system to another.
C. consistent with the logical world.
D. consistent with the real world.

A

Answer: D
Explanation: External consistency ensures that the data stored in the database is consistent with the real world.

48
Q
When a central authority determines what subjects can have access to certain objects based on the organizational security policy, this is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control
A

Answer: C
Explanation: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the ‘central authority’ that determines access rights.

49
Q
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality
A

Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID. Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone whom you don’t know and they ask who they’re speaking to. When you say “I’m Jason,” you’ve just identified yourself.

50
Q

Which one of the following factors is NOT one on which Authentication is based?
A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such
as a fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator

A

Answer: D
Explanation: Authentication is based on the following three factor types:
Type 1 Something you know, such as a PIN or password
Type 2 Something you have, such as an ATM card or smart card
Type 3 Something you are (Unique physical characteristic), such as a fingerprint or retina scan

52
Q
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality
A

Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID.

53
Q
The act of requiring two of the three factors to be used in the authentication process refers to:
A. Two-Factor Authentication
B. One-Factor Authentication
C. Bi-Factor Authentication
D. Double Authentication
A

Answer: A
Explanation: Two-factor authentication refers to the act of requiring two of the three factors to be used in the authentication process.

54
Q
Which type of password provides maximum security because a new password is required for each new log-on?
A. One-time or dynamic password
B. Cognitive password
C. Static password
D. Passphrase
A

Answer: A
Explanation: “One-time password” provides maximum security because a new password is required for each new log-on.

55
Q
What is called a password that is the same for each log-on session?
A. "one-time password"
B. "two-time password"
C. static password
D. dynamic password
A

Answer: C

56
Q
What is called a sequence of characters that is usually longer than the allotted number for a password?
A. passphrase
B. cognitive phrase
C. anticipated phrase
D. Real phrase
A

Answer: A
Explanation: A passphrase is a sequence of characters that is usually longer than the allotted number of characters for a password.

57
Q
Which best describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic passwords?
A. Tickets
B. Tokens
C. Token passing networks
D. Coupons
A

Answer: B
Explanation: Tokens in the form of credit-card-size memory cards or smart cards, or those resembling small calculators, are used to supply static and dynamic passwords.

58
Q

Which of the following would be true about Static password tokens?
A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticate the token owner, but the system.

A

Answer: A
Explanation: Tokens are electronic devices or cards that supply a user’s password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between static and dynamic systems: a static system will normally log a user in, but in a dynamic system the user will often have to log themselves in.

59
Q

In Synchronous dynamic password tokens:
A. The token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner’s PIN.
D. The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is invalid and that it was entered during the invalid time window.

A

Answer: B
Explanation: Synchronous dynamic password tokens:
The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key). The unique password is entered into a system or workstation along with an owner’s PIN.
The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.

60
Q
In biometrics, a "one-to-many" search against a database of stored biometric images is done in:
A. Authentication
B. Identification
C. Identities
D. Identity-based access control
A

Answer: B
Explanation: In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images.

61
Q

Which of the following is true of biometrics?
A. It is used for identification in physical controls and it is not used in logical controls.
B. It is used for authentication in physical controls and for identification in logical controls.
C. It is used for identification in physical controls and for authentication in logical controls.
D. Biometrics has no role in logical controls.

A

Answer: C
Explanation: When used in physical controls, biometric identification is performed by doing a one-to-many match. When you submit your biometric template, a search is done through a database of templates until the matching one is found. At that point your identity is revealed and, if you are a valid employee, access is granted.

62
Q

What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error

A

Answer: A
Explanation: The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error

63
Q

What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III Error

A

Answer: B
Explanation: The percentage of invalid subjects that are falsely accepted is called the False Acceptance Rate (FAR) or Type II Error.

64
Q

What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. Failure to enroll rate (FTE or FER)

A

Answer: C
Explanation: The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER); either term may be used.

65
Q

Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following?
A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems

A

Answer: B
Explanation: Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system

66
Q
Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access?
A. Smart cards
B. Single Sign-On (SSO)
C. Symmetric Ciphers
D. Public Key Infrastructure (PKI)
A

Answer: B
Explanation: The advantages of SSO include the ability to use stronger passwords, easier administration of password changes and deletions, a reduced risk of orphan accounts, and less time needed to access resources.

67
Q

Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?
A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
B. The initial logon process is cumbersome to discourage potential intruders.
C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems

A

Answer: A
Explanation: Single Sign-On is a distributed access control methodology where an individual only has to authenticate once and then has access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue this creates is that if a fraudster is able to compromise those credentials, they too would have access to all the resources that account has access to. All the other answers are incorrect as they are distractors.

68
Q
Which of the following is implemented through scripts or smart agents that replay the user's multiple log-ins against authentication servers to verify a user's identity and permit access to system services?
A. Single Sign-On
B. Dynamic Sign-On
C. Smart cards
D. Kerberos
A

Answer: A
Explanation: SSO can be implemented by using scripts that replay the user’s multiple log-ins against authentication servers to verify a user’s identity and to permit access to system services. Single Sign-On was the best answer in this case because it would include Kerberos. When you have two good answers within the 4 choices presented you must select the BEST one. The high-level choice is always the best; when one choice would include the other one, that would be the best as well.

69
Q

Which of the following is NOT true of the Kerberos protocol?
A. Only a single login is required per session.
B. The initial authentication steps are done using a public key algorithm.
C. The KDC is aware of all systems in the network and is trusted by all of them
D. It performs mutual authentication

A

Answer: B
Explanation: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
• The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
• It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client

70
Q
The authenticator within Kerberos provides a requested service to the client after validating which of the following?
A. timestamp
B. client public key
C. client private key
D. server public key
A

Answer: A
Explanation: The server also checks the authenticator and, if that timestamp is valid, it provides the requested service to the client.

71
Q
Which of the following is addressed by Kerberos?
A. Confidentiality and Integrity
B. Authentication and Availability
C. Validation and Integrity
D. Auditability and Integrity
A

Answer: A
Explanation: Kerberos addresses the confidentiality and integrity of information. It also addresses primarily authentication but does not directly address availability.

72
Q

Kerberos is vulnerable to replay in which of the following circumstances?
A. When a private key is compromised within an allotted time window.
B. When a public key is compromised within an allotted time window.
C. When a ticket is compromised within an allotted time window.
D. When the KSD is compromised within an allotted time window.

A

Answer: C
Explanation: Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. The security depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activities

73
Q
Like the Kerberos protocol, SESAME is also subject to which of the following?
A. time slot replay
B. password guessing
C. symmetric key guessing
D. asymmetric key guessing
A

Answer: B
Explanation: SESAME is an authentication and access control protocol that also supports communication confidentiality and integrity. It provides public key based authentication along with Kerberos-style authentication, which uses symmetric key cryptography. SESAME supports the Kerberos protocol and adds some security extensions such as public key based authentication and an ECMA-style Privilege Attribute Service

74
Q

RADIUS incorporates which of the following services?
A. Authentication server and PIN codes.
B. Authentication of clients and static passwords generation.
C. Authentication of clients and dynamic passwords generation.
D. Authentication server as well as support for Static and Dynamic passwords

A

Answer: D
Explanation: According to RFC 2865: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.

75
Q

Which of the following protects a password from eavesdroppers and supports the encryption of communication?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Challenge Handshake Identification Protocol (CHIP)
C. Challenge Handshake Encryption Protocol (CHEP)
D. Challenge Handshake Substitution Protocol (CHSP)

A

Answer: A
Explanation: CHAP is a protocol that uses a three-way handshake. The server sends the client a challenge which includes a random value (a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password. The authentication is successful if the client’s response is the one that the server expected.

76
Q
Which of the following represents the columns of the table in a relational database?
A. attributes
B. relation
C. record retention
D. records or tuples
A

Answer: A
Explanation: The rows of the table represent records or tuples and the columns of the table represent the attributes

77
Q
A database view is the results of which of the following operations?
A. Join and Select.
B. Join, Insert, and Project.
C. Join, Project, and Create.
D. Join, Project, and Select.
A

Answer: D
Explanation: (1) The formal description of how a relational database operates; (2) the mathematics which underpin SQL operations. A number of operations can be performed in relational algebra to build relations and operate on the data

78
Q

Which of the following is used to create and modify the structure of your tables and other objects in the database?
A. SQL Data Definition Language (DDL)
B. SQL Data Manipulation Language (DML)
C. SQL Data Relational Language (DRL)
D. SQL Data Identification Language (DIL)

A

Answer: A
Explanation: The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables). The DDL is also used to create and destroy databases and database objects. These commands will primarily be used by database administrators during the setup and removal phases of a database project. Let’s take a look at the structure and usage of four basic

79
Q
Which of the following is used to monitor network traffic or to monitor host audit logs in real time to determine violations of system security policy that have taken place?
A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System (IMS)
D. Compliance Monitoring System
A

Answer: A
Explanation: An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization’s system security policy have taken place

80
Q
Which of the following monitors network traffic in real time?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
A

Answer: A
Explanation: This type of IDS is called a network-based IDS because it monitors network traffic in real time.

81
Q
A host-based IDS is resident on which of the following?
A. On each of the critical hosts
B. decentralized hosts
C. central hosts
D. bastion hosts
A

Answer: A
Explanation: A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack on the host and to determine if the attack was successful. All critical servers should have a Host-Based Intrusion Detection System (HIDS) installed. As you are well aware, a network-based IDS cannot make sense of or detect patterns of attack within encrypted traffic. A HIDS might be able to detect such an attack after the traffic has been decrypted on the host. This is why critical servers should have both NIDS and HIDS

82
Q
Which of the following usually provides reliable, real-time information without consuming network or host resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
A

Answer: A
Explanation: A network-based IDS usually provides reliable, real-time information without consuming network or host resources

83
Q

The fact that a network-based IDS reviews packet payloads and headers enables which of the following?
A. Detection of denial of service
B. Detection of all viruses
C. Detection of data corruption
D. Detection of all password guessing attacks

A

Answer: A
Explanation: Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected

84
Q
Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful?
A. host-based IDS
B. firewall-based IDS
C. bastion-based IDS
D. server-based IDS
A

Answer: A
Explanation: A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful

85
Q

What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?
A. It can be very invasive to the host operating system
B. Monitors all processes and activities on the host system only
C. Virtually eliminates limits associated with encryption
D. They have an increased level of visibility and control compared to NIDS

A

Answer: A
Explanation: The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing.

86
Q
Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection Systems (IDS)?
A. signature-based IDS
B. statistical anomaly-based IDS
C. event-based IDS
D. inferent-based IDS
A

Answer: A

87
Q

Which of the following is an issue with signature-based intrusion detection systems?
A. Only previously identified attack signatures are detected.
B. Signature databases must be augmented with inferential elements.
C. It runs only on the windows operating system
D. Hackers can circumvent signature evaluations

A

Answer: A
Explanation: An issue with signature-based ID is that only attack signatures that are stored in their database are detected. New attacks without a signature would not be reported. They require constant updates in order to maintain their effectiveness.

88
Q
Which of the following is an IDS that acquires data and defines a "normal" usage profile for the network or host?
A. Statistical Anomaly-Based ID
B. Signature-Based ID
C. dynamical anomaly-based ID
D. inferential anomaly-based ID
A

Answer: A
Explanation: Statistical Anomaly-Based ID - With this method, an IDS acquires data and defines a “normal” usage profile for the network or host that is being monitored.

89
Q

Which of the following is most relevant to determining the maximum effective cost of access control?
A. the value of information that is protected.
B. management’s perceptions regarding data importance.
C. budget planning related to base versus incremental spending.
D. the cost to replace lost data.

A

Answer: A
Explanation: The cost of access control must be commensurate with the value of the information that is being protected.

90
Q
Which of the following is NOT a factor related to Access Control?
A. integrity
B. authenticity
C. confidentiality
D. availability
A

Answer: B
Explanation: These factors cover the integrity, confidentiality, and availability components of information system security.

91
Q
Which of the following is most appropriate to notify an external user that session monitoring is being conducted?
A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement
A

Answer: A
Explanation: Banners at log-on time should be used to notify external users of any monitoring that is being conducted. A good banner gives you better legal standing and also makes it obvious that the user was warned about who should access the system; an unauthorized user is then fully aware that they are trespassing.

92
Q
Which of the following pairings uses technology to enforce access control policies?
A. Preventive/Administrative
B. Preventive/Technical
C. Preventive/Physical
D. Detective/Administrative
A

Answer: B
Explanation: The preventive/technical pairing uses technology to enforce access control policies

93
Q
In the course of responding to and handling an incident, you work on determining the root cause of the incident. Which step are you in?
A. Recovery
B. Containment
C. Triage
D. Analysis and tracking
A

Answer: D
Explanation: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident

94
Q

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It does not permit management to:
A. specify what users can do
B. specify which resources they can access
C. specify how to restrain hackers
D. specify what operations they can perform on a system.

A

Answer: C
Explanation: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. Specifying HOW to restrain hackers is not directly linked to access control.

95
Q
Access Control techniques do not include which of the following choices?
A. Relevant Access Controls
B. Discretionary Access Control
C. Mandatory Access Control
D. Lattice Based Access Control
A

Answer: A
Explanation: Access Control Techniques:
Discretionary Access Control
Mandatory Access Control
Lattice Based Access Control
Rule-Based Access Control
Role-Based Access Control

96
Q

Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)?
A. A subject is not allowed to read up.
B. The *- property restriction can be escaped by temporarily downgrading a high level subject.
C. A subject is not allowed to read down.
D. It is restricted to confidentiality.

A

Answer: C
Explanation: "A subject is not allowed to read down" is not a property of the Bell-LaPadula model.
The other answers are incorrect because: "A subject is not allowed to read up" is a property of the ‘simple security rule’ of the Bell-LaPadula model

97
Q
When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED?
A. Type I error
B. Type II error
C. Type III error
D. Crossover error
A

Answer: B
Explanation: When the biometric system accepts impostors who should have been rejected, it is called a Type II error or False Acceptance Rate or False Accept Rate. Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification

98
Q

Which of the following is the FIRST step in protecting data’s confidentiality?
A. Install a firewall
B. Implement encryption
C. Identify which information is sensitive
D. Review all user access rights

A

Answer: C
Explanation: In order to protect the confidentiality of the data

99
Q
Which of the following best ensures accountability of users for the actions taken within a system or domain?
A. Identification
B. Authentication
C. Authorization
D. Credentials
A

Answer: B
Explanation: The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is authorized access to resources

100
Q

Which of the following statements pertaining to biometrics is FALSE?
A. User can be authenticated based on behavior.
B. User can be authenticated based on unique physical attributes.
C. User can be authenticated by what he knows.
D. A biometric system’s accuracy is determined by its crossover error rate (CER).

A

Answer: C
Explanation: As this is not a characteristic of biometrics, this is the right choice for this question. This is one of the three basic ways authentication can be performed and it is not related to biometrics. An example of something you know would be a password or PIN.

101
Q
Which of the following biometric devices offers the LOWEST CER?
A. Keystroke dynamics
B. Voice verification
C. Iris scan
D. Fingerprint
A

Answer: C
Explanation: From most effective (lowest CER) to least effective (highest CER) are: Iris scan, fingerprint, voice verification, keystroke dynamics

102
Q
Which of the following is the WEAKEST authentication mechanism?
A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices
A

Answer: B
Explanation: Most of the time users choose passwords which can be guessed, hence passwords are the BEST answer out of the choices listed above.

103
Q

Which of the following statements pertaining to access control is false?
A. Users should only access data on a need-to-know basis.
B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has on a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

A

Answer: B
Explanation: Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.

104
Q
Which of the following is NOT part of the Kerberos authentication protocol?
A. Symmetric key cryptography
B. Authentication service (AS)
C. Principals
D. Public Key
A

Answer: D
Explanation: There is no such component within the Kerberos environment. Kerberos uses only symmetric encryption and does not make use of any public key component

105
Q
Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control
A

Answer: A
Explanation: Data owners decide who has access to resources based only on the identity of the person accessing the resource

106
Q
Which of the following access control models is based on sensitivity labels?
A. Discretionary access control
B. Mandatory access control
C. Rule-based access control
D. Role-based access control
A

Answer: B
Explanation: Access decisions are made based on the clearance of the subject and the sensitivity label of the object

107
Q
Which access control model is also called Non Discretionary Access Control (NDAC)?
A. Lattice based access control
B. Mandatory access control
C. Role-based access control
D. Label-based access control
A

Answer: C
Explanation: RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says, “to distinguish it from the policy-based specifics of MAC”). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC). Most of the CISSP books use the same acronym for both models, but NIST tends to use a lowercase “u” between R and B to differentiate the two models

108
Q
Which access model is most appropriate for companies with a high employee turnover?
A. Role-based access control
B. Mandatory access control
C. Lattice-based access control
D. Discretionary access control
A

Answer: A
Explanation: The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company

109
Q

In a security context what are database views used for?
A. To ensure referential integrity
B. To allow easier access to data in a database
C. To restrict user access to data in a database
D. To provide audit trails

A

Answer: C
Explanation: The use of a database view allows sensitive information to be hidden from unauthorized users. For example, the employee table might contain employee name, address, office extension and sensitive information such as social security number, etc. A view of the table could be constructed and assigned to the switchboard operator that only included the name and office extension.

110
Q
What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix
A

Answer: B
Explanation: “It [ACL] specifies a list of users [subjects] who are allowed access to each object”

111
Q

What is the difference between Access Control Lists (ACLs) and Capability Tables?
A. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object.
B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.
C. Capability tables are used for objects whereas access control lists are used for users.
D. They are basically the same

A

Answer: B
Explanation: Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities, of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user’s possession of a capability (or ticket) for the object. It is a row within the matrix. To put it another way, a capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

112
Q
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
A. A capacity table
B. An access control list
C. An access control matrix
D. A capability table
A

Answer: C
Explanation: The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access

113
Q
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?
A. DAC
B. MAC
C. Access control matrix
D. TACACS
A

Answer: B
Explanation: MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users – for example, user Joe (SECRET clearance) cannot reclassify the “Presidential Doughnut Recipe” from “SECRET” to “CONFIDENTIAL” so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.

114
Q

What is the primary goal of setting up a honey pot?
A. To lure hackers into attacking unused systems
B. To entrap and track down possible hackers
C. To set up a sacrificial lamb on the network
D. To know when certain types of attacks are in progress and to learn about attack techniques so the network can be fortified.

A

Answer: D
Explanation: The primary purpose of a honeypot is to study the attack methods of an attacker for the purposes of understanding their methods and improving defenses.

115
Q

Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from war dialing attacks?
A. Monitoring and auditing for such activity
B. Require user authentication
C. Making sure only necessary phone numbers are made public
D. Using completely different numbers for voice and data accesses

A

Answer: B
Explanation: Knowledge of modem numbers is a poor access control method, as an attacker can discover modem numbers by dialing all numbers in a range. Requiring user authentication before remote access is granted will help in avoiding unauthorized access over a modem line. “Monitoring and auditing for such activity” is incorrect. While monitoring and auditing can assist in detecting a wardialing attack, they do not defend against a successful wardialing attack

116
Q
Which access control model provides upper and lower bounds of access capabilities for a subject?
A. Role-based access control
B. Lattice-based access control
C. Biba access control
D. Content-dependent access control
A

Answer: B
Explanation: In the lattice model, users are assigned security clearances and the data is classified. Access decisions are made based on the clearance of the user and the classification of the object. Lattice-based access control is an essential ingredient of formal security models such as Bell-LaPadula, Biba, Chinese Wall, etc.

117
Q
Which of the following issues is not addressed by Kerberos?
A. Availability
B. Confidentiality
C. Integrity
D. Authentication
A

Answer: A
Explanation: The KDC (Key Distribution Center) can be a single point of failure. Confidentiality is incorrect. Kerberos does ensure confidentiality, keeping communications private between systems over a network.

118
Q

Why do buffer overflows happen? What is the main cause?
A. Because buffers can only hold so much data
B. Because of improper parameter checking within the application
C. Because they are an easy weakness to exploit
D. Because of insufficient system memory

A

Answer: B
Explanation: A buffer overflow attack takes advantage of improper parameter checking within the application. This is the classic form of buffer overflow and occurs because the programmer accepts whatever input the user supplies without checking to make sure that the length of the input is less than the size of the buffer in the program.

119
Q

Which of the following statements pertaining to the Bell-LaPadula is TRUE if you are NOT making use of the strong star property?
A. It allows “read up.”
B. It addresses covert channels.
C. It addresses management of access controls.
D. It allows “write up.”

A

Answer: D
Explanation: Bell–LaPadula Confidentiality Model: The Bell–LaPadula model is perhaps the most well-known and significant security model, in addition to being one of the oldest models used in the creation of modern secure computing systems. Like the Trusted Computer System Evaluation Criteria (or TCSEC), it was inspired by early U.S. Department of Defense security policies and the need to prove that confidentiality could be maintained. In other words, its primary goal is to prevent disclosure as the model system moves from one state (one point in time) to another.

120
Q
Which security model introduces access to objects only through programs?
A. The Biba model
B. The Bell-LaPadula model
C. The Clark-Wilson model
D. The information flow model
A

Answer: C
Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well-formed transactions).

121
Q
An Intrusion Detection System (IDS) is what type of control?
A. A preventive control.
B. A detective control.
C. A recovery control.
D. A directive control
A

Answer: B
Explanation: These controls can be used to investigate what happened after the fact. Your IDS may collect information on where the attack came from, what port was used, and other details that could be used in the investigation steps.

122
Q
Smart cards are an example of which type of control?
A. Detective control
B. Administrative control
C. Technical control
D. Physical control
A

Answer: C
Explanation: Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control.

123
Q

Which of the following statements pertaining to biometrics is false?
A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
C. False acceptance rate is also known as Type II error.
D. Biometrics are based on the Type 2 authentication mechanism.

A

Answer: D
Explanation: Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism.

124
Q

Which of the following statements pertaining to Kerberos is TRUE?
A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information

A

Answer: A
Explanation: The question was asking for a TRUE statement and the only correct statement is “Kerberos does not address availability”. Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.

125
Q
Database views are NOT used to:
A. Implement referential integrity
B. Implement least privilege
C. To implement content-dependent access restrictions
D. Implement need-to-know
A

Answer: A
Explanation: A view is considered as a virtual table that is derived from other tables. It can be used to restrict access to certain information within the database, to hide attributes, and to implement content-dependent access restrictions. It does not implement referential integrity.

126
Q

What IDS approach relies on a database of known attacks?
A. Signature-based intrusion detection
B. Statistical anomaly-based intrusion detection
C. Behavior-based intrusion detection
D. Network-based intrusion detection

A

Answer: A
Explanation: A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior-based).

127
Q
What refers to legitimate users accessing networked services that would normally be restricted to them?
A. Spoofing
B. Piggybacking
C. Eavesdropping
D. Logon abuse
A

Answer: D
Explanation: Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed

128
Q

Which of the following is not a two-factor authentication mechanism?
A. Something you have and something you know.
B. Something you do and a password.
C. A smartcard and something you are.
D. Something you know and a password

A

Answer: D
Explanation: Something you know and a password fits within only one of the three ways authentication could be done. A password is an example of something you know, so something you know and a password does not constitute two-factor authentication, as both are in the same category of factors.

129
Q
Which of the following access control models introduces user security clearance and data classification?
A. Role-based access control
B. Discretionary access control
C. Non-discretionary access control
D. Mandatory access control
A

Answer: D
Explanation: The mandatory access control model is based on a security label system. Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. Classification labels specify the level of trust a user must have to access a certain file.

130
Q
Which of the following access control models requires security clearance for subjects?
A. Identity-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control
A

Answer: D
Explanation: With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance. Identity-based access control is a type of discretionary access control. Role-based access control is a type of non-discretionary access control.

131
Q
Which of the following would describe the type of biometric error referred to as false rejection rate?
A. Type I error
B. Type II error
C. Type III error
D. CER error
A

Answer: A
Explanation: When a biometric system rejects an authorized individual, it is called a Type I error. When a system accepts impostors who should be rejected (false positive), it is called a Type II error.

132
Q
Which of the following access control models requires defining classification for objects?
A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control
A

Answer: D
Explanation: With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance and the classification of objects.

133
Q

Which of the following statements pertaining to Kerberos is true?
A. Kerberos uses public key cryptography.
B. Kerberos uses X.509 certificates.
C. Kerberos is a credential-based authentication system.
D. Kerberos was developed by Microsoft

A

Answer: C
Explanation: Kerberos is a trusted, credential-based, third-party authentication protocol that was developed at MIT and that uses symmetric (secret) key cryptography to authenticate clients to other entities on a network for access to services. It does not use X.509 certificates, which are used in public key cryptography.

134
Q

Which of the following statements pertaining to using Kerberos without any extension is false?
A. A client can be impersonated by password-guessing.
B. Kerberos is mostly a third-party authentication protocol.
C. Kerberos uses public key cryptography.
D. Kerberos provides robust authentication

A

Answer: C
Explanation: Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients accessing services on a network. Because a client’s password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client.

135
Q
Which access control model would a lattice-based access control model be an example of?
A. Mandatory access control.
B. Discretionary access control.
C. Non-discretionary access control.
D. Rule-based access control
A

Answer: A
Explanation: In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. In a Mandatory Access Control (MAC) model, users and data owners do not have as much freedom to determine who can access files.

136
Q
Which of the following is an example of discretionary access control?
A. Identity-based access control
B. Task-based access control
C. Role-based access control
D. Rule-based access control
A

Answer: A
Explanation: An identity-based access control is an example of discretionary access control that is based on an individual’s identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non-discretionary access controls.

137
Q
Which of the following would be used to implement Mandatory Access Control (MAC)?
A. Clark-Wilson Access Control
B. Role-based access control
C. Lattice-based access control
D. User dictated access control
A

Answer: C
Explanation: The lattice is a mechanism used to implement Mandatory Access Control (MAC).
Under Mandatory Access Control (MAC) you have:
Mandatory Access Control
Under Non-Discretionary Access Control (NDAC) you have:
Rule-Based Access Control, Role-Based Access Control
Under Discretionary Access Control (DAC) you have:
Discretionary Access Control

138
Q
What does the simple security (ss) property mean in the Bell-LaPadula model?
A. No read up
B. No write down
C. No read down
D. No write up
A

Answer: A
Explanation: The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up).

139
Q
What does the * (star) property mean in the Bell-LaPadula model?
A. No write up
B. No read up
C. No write down
D. No read down
A

Answer: C
Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down).

140
Q
What does the * (star) integrity axiom mean in the Biba model?
A. No read up
B. No write down
C. No read down
D. No write up
A

Answer: D
Explanation: The * (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up).

141
Q
What is the Biba security model concerned with?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity
A

Answer: D
Explanation: The Biba security model addresses the integrity of data being threatened when subjects at lower security levels are able to write to objects at higher security levels and when subjects can read data at lower levels.

142
Q
Which security model uses division of operations into different parts and requires different users to perform each part?
A. Bell-LaPadula model
B. Biba model
C. Clark-Wilson model
D. Non-interference model
A

Answer: C
Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity.

143
Q
Which type of control is concerned with avoiding occurrences of risks?
A. Deterrent controls
B. Detective controls
C. Preventive controls
D. Compensating controls
A

Answer: C
Explanation: Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are concerned with discouraging violations. Detective controls identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls. Supervision is an example of a compensating control.

144
Q
Which type of control is concerned with restoring controls?
A. Compensating controls
B. Corrective controls
C. Detective controls
D. Preventive controls
A

Answer: B
Explanation: Corrective controls are concerned with remedying circumstances and restoring controls.
Detective controls are concerned with investigating what happened after the fact, using logs and video surveillance tapes for example.
Compensating controls are alternative controls, used to compensate weaknesses in other controls.
Preventive controls are concerned with avoiding occurrences of risks.

145
Q
Which of the following biometric parameters are better suited for authentication use over a long period of time?
A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern
A

Answer: A
Explanation: The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long period of time without needing re-enrollment.

146
Q
Which of the following is required in order to provide accountability?
A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails
A

Answer: D
Explanation: Accountability can actually be seen in two different ways:
1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated.
2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at log-on time should notify the user of any monitoring that is being conducted.

147
Q
Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
A. Access control lists
B. Discretionary access control
C. Role-based access control
D. Non-mandatory access control
A

Answer: C
Explanation: Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization’s structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users’ access. Non-mandatory access control is not a defined access control technique.

148
Q
Which access control model was proposed for enforcing access control in government and military applications?
A. Bell-LaPadula model
B. Biba model
C. Sutherland model
D. Brewer-Nash model
A

Answer: A
Explanation: The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity.

149
Q
Which access control model achieves data integrity through well-formed transactions and separation of duties?
A. Clark-Wilson model
B. Biba model
C. Non-interference model
D. Sutherland model
A

Answer: A
Explanation: The Clark-Wilson model differs from other models that are subject- and object-oriented by introducing a third access element, programs, resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non-interference model is related to the information flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference.

150
Q

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario?
A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges

A

Answer: D
Explanation: Even though all 4 terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented.

151
Q
Which of the following are additional access control objectives?
A. Consistency and utility
B. Reliability and utility
C. Usefulness and utility
D. Convenience and utility
A

Answer: B
Explanation: Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system’s vulnerability to these threats, and the risk that the threat may materialize.

152
Q

Controls are implemented to:
A. eliminate risk and reduce the potential for loss
B. mitigate risk and eliminate the potential for loss
C. mitigate risk and reduce the potential for loss
D. eliminate risk and eliminate the potential for loss

A

Answer: C
Explanation: Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.
It is not feasible or possible to eliminate all risks and the potential for loss, as risks and threats are constantly changing.

153
Q

Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?
A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

A

Answer: C
Explanation: Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.

154
Q

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:
A. through access control mechanisms that require identification and authentication and through the audit function.
B. through logical or technical controls involving the restriction of access to systems and the protection of information.
C. through logical or technical controls but not involving the restriction of access to systems and the protection of information.
D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function.

A

Answer: A
Explanation: Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

155
Q

In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on:
A. The societies role in the organization
B. The individual’s role in the organization
C. The group-dynamics as they relate to the individual’s role in the organization
D. The group-dynamics as they relate to the master-slave role in the organization

A

Answer: B
Explanation: In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual’s role in the organization.

156
Q

In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:
A. people need not use discretion
B. the access controls are based on the individual’s role or title within the organization.
C. the access controls are not based on the individual’s role or title within the organization
D. the access controls are often based on the individual’s role or title within the organization

A

Answer: B
Explanation: In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual’s role or title within the organization. You can easily configure a new employee’s access by assigning the user to a role that has been predefined. The user will implicitly inherit the permissions of the role by being a member of that role.
These access permissions defined within the role do not need to be changed whenever a new person takes over the role. Another type of non-discretionary access control model is Rule Based Access Control (RBAC or RuBAC), where a global set of rules is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall.
This question is a sneaky one: one of the choices has only one added word to it, which is “often”.
Reading questions and their choices very carefully is a must for the real exam. Reading them twice if needed is recommended.

157
Q

Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied?
A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed.
B. The pair of elements is the subject and object, and the subject has an upper bound lower than the upper bound of the object being accessed.
C. The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice.
D. The pair of elements is the subject and object, and the subject has no access rights in relation to an object.

A

Answer: A
Explanation: In this type of control, a lattice model is applied. To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal or higher than the object being accessed.

158
Q

Detective/Technical measures:
A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.
C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information.
D. include intrusion detection systems and customised-generated violation reports from audit trail information.

A

Answer: A
Explanation: Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from “normal” operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set.

159
Q

Passwords can be required to change monthly, quarterly, or at other intervals:
A. depending on the criticality of the information needing protection
B. depending on the criticality of the information needing protection and the password’s frequency of use.
C. depending on the password’s frequency of use.
D. not depending on the criticality of the information needing protection but depending on the password’s frequency of use.

A

Answer: B
Explanation: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.

160
Q

When submitting a passphrase for authentication, the passphrase is converted into …
A. a virtual password by the system.
B. a new passphrase by the system.
C. a new passphrase by the encryption technology
D. a real password by the system which can be used forever.

A

Answer: A
Explanation: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes.
Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
It is recommended to use a passphrase instead of a password. A passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often the passphrase will exceed the maximum length supported by the system and it must be truncated into a virtual password.

161
Q

In the context of biometric authentication, what is a quick way to compare the accuracy of devices? In general, the device that has the lowest value would be the most accurate. Which of the following would be used to compare the accuracy of devices?
A. the CER is used.
B. the FRR is used
C. the FAR is used
D. The FER is used

A

Answer: A
Explanation: Equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
In the context of biometric authentication, almost all types of detection permit a system’s sensitivity to be increased or decreased during an inspection process. If the system’s sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR).
Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the Crossover Error Rate (CER) is used.

162
Q

The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of:
A. 100 subjects per minute.
B. 25 subjects per minute.
C. 10 subjects per minute.
D. 50 subjects per minute.

A

Answer: C
Explanation: The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of 10 subjects per minute. Things that may impact the throughput rate for some types of biometric systems include the following: a concern with retina scanning systems may be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern that could reveal changes in a person’s health, such as diabetes or high blood pressure.

163
Q
Which of the following biometric devices has the lowest user acceptance level?
A. Retina Scan
B. Fingerprint scan
C. Hand geometry
D. Signature recognition
A

Answer: A
Explanation: According to the cited reference, of the given options, the retina scan has the lowest user acceptance level, as the user needs to bring his eye close to a device; it is not user friendly and is very intrusive.

164
Q
Which of the following would be an example of the best password?
A. golf001
B. Elizabeth
C. T1me4g0lF
D. password
A

Answer: C
Explanation: The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two
small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. The following should not be used: common names, DOB, spouse, phone numbers, words found in dictionaries, or system defaults.

165
Q
Which of the following tools is less likely to be used by a hacker?
A. l0phtcrack
B. Tripwire
C. OphCrack
D. John the Ripper
A

Answer: B
Explanation: Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified. This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it. The other programs are password-cracking programs and are likely to be used by security
administrators as well as by hackers. More information regarding Tripwire is available on the Tripwire, Inc. Web site.

166
Q
What is an error called that causes a system to be vulnerable because of the environment in which
it is installed?
A. Configuration error
B. Environmental error
C. Access validation error
D. Exceptional condition handling error
A

Answer: B
Explanation: In an environmental error, the environment in which a system is installed somehow causes the system to be vulnerable. This may be due, for example, to an unexpected interaction between an application and the operating system or between two applications on the same host. A configuration error occurs when user controllable settings in a system are set such that the system is vulnerable. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes
vulnerable due to an exceptional condition that has arisen.

167
Q

A network-based vulnerability assessment is a type of test also referred to as:
A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment

A

Answer: A
Explanation: A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses.

168
Q

Why would anomaly detection IDSs often generate a large number of false positives?
A. Because they can only identify correctly attacks they already know about.
B. Because they are application-based and are more subject to attacks.
C. Because they can’t identify abnormal behavior.
D. Because normal patterns of user and system behavior can vary wildly

A

Answer: D
Explanation: Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system
behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature-based) IDSs. Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. They
are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified.

169
Q

Which of the following does not apply to system-generated passwords?
A. Passwords are harder to remember for users.
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy.
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers.

A

Answer: C
Explanation: Users tend to choose easier to remember passwords. System-generated passwords
can provide stronger, harder to guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special
characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user’s desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy.

170
Q
Which of the following is not a preventive login control?
A. Last login message
B. Password aging
C. Minimum password length
D. Account expiration
A

Answer: A
Explanation: The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control.

171
Q
What is the most critical characteristic of a biometric identifying system?
A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability
A

Answer: C
Explanation: Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance
rate (FAR, or type II errors).
The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy.

172
Q
What is considered the most important type of error to avoid for a biometric access control
system?
A. Type I Error
B. Type II Error
C. Combined Error Rate
D. Crossover Error Rate
A

Answer: B
Explanation: When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor.

173
Q
How can an individual/person best be identified or authenticated to prevent local masquerading
attacks?
A. User Id and password
B. Smart card and PIN code
C. Two-factor authentication
D. Biometrics
A

Answer: D
Explanation: The only way to be truly positive in authenticating identity for access is to base the
authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the
person; however, they are not perfect and they would have to be supplemented by another factor.

174
Q
Which authentication technique best protects against hijacking?
A. Static authentication
B. Continuous authentication
C. Robust authentication
D. Strong authentication
A

Answer: B
Explanation: Continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking.

175
Q

Which of the following is not a security goal for remote access?
A. Reliable authentication of users and systems
B. Protection of confidential data
C. Easy to manage access control to systems and network resources
D. Automated login for remote users

A

Answer: D
Explanation: An automated login function for remote users would imply weak authentication,
and is thus certainly not a security goal.

176
Q

Which of the following questions is less likely to help in assessing identification and authentication controls?
A. Is a current list maintained and approved of authorized users and their access?
B. Are passwords changed at least every ninety days or earlier if needed?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents?

A

Answer: D
Explanation: Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires
that the system be able to identify and differentiate among users. Reporting incidents is more
related to incident response capability (operational control) than to identification and authentication (technical control).

177
Q
How would nonrepudiation best be classified?
A. A preventive control
B. A logical control
C. A corrective control
D. A compensating control
A

Answer: A
Explanation: Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in non-repudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.

178
Q

What are cognitive passwords?
A. Passwords that can be used only once.
B. Fact or opinion-based information used to verify an individual’s identity.
C. Password generators that use a challenge response scheme.
D. Passphrases

A

Answer: B
Explanation: Cognitive passwords are fact or opinion-based information used to verify an
individual’s identity. Passwords that can be used only once are one-time or dynamic passwords.
Password generators that use a challenge response scheme refer to token devices.
A passphrase is a sequence of characters that is longer than a password and is transformed into a virtual password.

179
Q
Which of the following Kerberos components holds all users' and services' cryptographic keys?
A. The Key Distribution Service
B. The Authentication Service
C. The Key Distribution Center
D. The Key Granting Service
A

Answer: C
Explanation: The Key Distribution Center (KDC) holds all users’ and services’ cryptographic keys. It provides authentication services, as well as key distribution functionality. The Authentication Service is the part of the KDC that authenticates a principal. The Key Distribution Service and Key Granting Service are distracters and are not defined Kerberos components.

180
Q
Most access violations are:
A. Accidental
B. Caused by internal hackers
C. Caused by external hackers
D. Related to Internet
A

Answer: A
Explanation: The most likely source of exposure is the uninformed, accidental or unknowing person, although the greatest impact may come from those with malicious or fraudulent intent.

181
Q
Which of the following biometrics devices has the highest Crossover Error Rate (CER)?
A. Iris scan
B. Hand geometry
C. Voice pattern
D. Fingerprints
A

Answer: C
Explanation: The Crossover Error Rate (CER) is the point where the false rejection rate (type I error) equals the false acceptance rate (type II error). The lower the CER, the better the accuracy of the device. At the time of this writing, response times and accuracy of some devices are:
System type Response time Accuracy (CER

182
Q
Which of the following is not a service provided by AAA servers (Radius, TACACS and DIAMETER)?
A. Authentication
B. Administration
C. Accounting
D. Authorization
A

Answer: B
Explanation: Radius, TACACS and DIAMETER are classified as authentication, authorization,
and accounting (AAA) servers.

183
Q

Which of the following protocol was used by the INITIAL version of the Terminal Access Controller
Access Control System TACACS for communication between clients and servers?
A. TCP
B. SSL
C. UDP
D. SSH

A

Answer: C
Explanation: The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was extended to include
additional functionality and the transport changed to TCP.

184
Q

Which of the following can best eliminate dial-up access through a Remote Access Server as a
hacking vector?
A. Using a TACACS+ server.
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to
authenticate to the firewall.
C. Setting modem ring count to at least 5
D. Only attaching modems to non-networked hosts

A

Answer: B
Explanation: Containing the dial-up problem is conceptually easy: by installing the Remote
Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet.

185
Q
In the Bell-LaPadula model, the Star-property is also called:
A. The simple security property
B. The confidentiality property
C. The confinement property
D. The tranquility property
A

Answer: C
Explanation: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity.

186
Q

An attack initiated by an entity that is authorized to access system resources but uses them in a
way not approved by those who granted the authorization is known as a(n):
A. active attack.
B. outside attack
C. inside attack.
D. passive attack

A

Answer: C
Explanation: An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization, whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system
resources to affect their operation, and a passive attack attempts to learn or make use of information from the system but does not affect system resources.

187
Q

Which of the following can be defined as a framework that supports multiple, optional
authentication mechanisms for PPP, including cleartext passwords, challenge-response, and
arbitrary dialog sequences?
A. Extensible Authentication Protocol
B. Challenge Handshake Authentication Protocol
C. Remote Authentication Dial-In User Service
D. Multilevel Authentication Protocol.

A

Answer: A
Explanation: RFC 2828 (Internet Security Glossary) defines the Extensible Authentication
Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended
for use primarily by a host or router that connects to a PPP network server via switched circuits or dial-up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet
protocol for carrying dial-in users’ authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to
authenticate the users of its network access ports.

188
Q
What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access?
A. Clark and Wilson Model
B. Harrison-Ruzzo-Ullman Model
C. Rivest and Shamir Model
D. Bell-LaPadula Model
A

Answer: D

189
Q
What is the PRIMARY use of a password?
A. Allow access to files.
B. Identify the user.
C. Authenticate the user.
D. Segregate various user's accesses
A

Answer: C

190
Q
The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:
A. you need.
B. you read.
C. you are.
D. you do.
A

Answer: C

191
Q
An access system that grants users only those rights necessary for them to perform their work is
operating on which security principle?
A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties
A

Answer: B

192
Q

PIN, password, passphrases, tokens, smart cards, and biometric devices are all items that can be
used for authentication. When one of the items listed above is used in conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following?
A. Multi-party authentication
B. Two-factor authentication
C. Mandatory authentication
D. Discretionary authentication

A

Answer: B
Explanation: Once an identity is established it must be authenticated. There exist numerous technologies and implementations of authentication methods; however, they almost all fall under three major areas.

193
Q

Legacy single sign on (SSO) is:
A. Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password.
B. Technology to manage passwords consistently across multiple platforms, enforcing policies
such as password change intervals.
C. A mechanism where users can authenticate themselves once, and then a central repository of
their credentials is used to launch various legacy applications.
D. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism

A

Answer: C
Explanation: A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications.

194
Q

Identity Management solutions include such technologies as Directories services, Single Sign-On and Web Access management. There are many reasons for management to choose an identity
management solution.
Which of the following is a key management challenge regarding identity management solutions?
A. Increasing the number of points of failures.
B. Users will no longer be able to “recycle” their password for different applications.
C. Costs increase as identity management technologies require significant resources.
D. It must be able to scale to support high volumes of data and peak transaction rates.

A

Answer: D
Explanation: Any identity management system used in an environment where there are tens of thousands of users must be able to scale to support the volumes of data and peak transaction rates.

195
Q

Which of the following describes the sequence of steps required for a Kerberos session to be established between a user (Principal P1), and an application server (Principal P2)?
A. Principals P1 and Principals P2 authenticate to the Key Distribution Center (KDC),
B. Principal P1 receives a Ticket Granting Ticket (TGT), and then Principal P2 requests a service
ticket from the KDC.
C. Principal P1 authenticates to the Key Distribution Center(KDC), Principal P1 receives a Ticket
Granting Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service
(TGS) in order to access the application server P2
D. Principal P1 authenticates to the Key Distribution Center (KDC),
E. Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and then
Principal P1 requests a service ticket from the application server P2
F. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a
Ticket Granting Ticket (TGT) from the authentication server, and application server P2 requests a
service ticket from P1

A

Answer: C
Explanation: Principals P1 and P2 authenticate to the Key Distribution Center (KDC), principal P1 receives a Ticket Granting Ticket (TGT), and principal P2 requests a service ticket from the KDC.

196
Q
Which of the following term best describes a weakness that could potentially be exploited?
A. Vulnerability
B. Risk
C. Threat
D. Target of evaluation (TOE)
A

Answer: A
Explanation: A vulnerability is mostly a weakness; it could be a weakness in a piece of software, it could be a weakness in your physical security, it could take many forms. It is a weakness that
could be exploited by a threat: for example, an open firewall port, a password that is never changed, or a flammable carpet. A missing control is also considered to be a vulnerability.

197
Q

Which of the following best describes an exploit?
A. An intentional hidden message or feature in an object such as a piece of software or a movie.
B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability
in order to cause unintended or unanticipated behavior to occur on computer software
C. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer
D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system

A

Answer: B
Explanation: The following answers are incorrect:
An intentional hidden message or feature in an object such as a piece of software or a movie.
This is the definition of an “Easter Egg” which is code within code. A good example of this was a small flight simulator that was hidden within Microsoft Excel. If you know which cell to go to on your spreadsheet and the special code to type in that cell, you were able to run the flight simulator.
An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer

198
Q
A smart card that has two chips with the capability of utilizing both contact and contactless
formats is called:
A. Contact Smart Cards
B. Contactless Smart Cards
C. Hybrid Cards
D. Combi Cards
A

Answer: C
Explanation: This is a contactless smart card that has two chips with the capability of utilizing
both contact and contactless formats.

199
Q

An employee ensures all cables are shielded, builds concrete walls that extend from the true floor
to the true ceiling and installs a white noise generator. What attack is the employee trying to
protect against?
A. Emanation Attacks
B. Social Engineering
C. Object reuse
D. Wiretapping

A

Answer: A
Explanation: Emanation attacks are the act of intercepting electrical signals that radiate from computing equipment. There are several countermeasures, including shielding cabling, white noise, control zones, and TEMPEST equipment (this is a Faraday cage around the equipment).

200
Q

The best technique to authenticate to a system is to:
A. Establish biometric access through a secured server or Web site.
B. Ensure the person is authenticated by something he knows and something he has.
C. Maintain correct and accurate ACLs (access control lists) to allow access to applications.
D. Allow access only through user ID and password

A

Answer: B
Explanation: Something you know and something you have are two authentication factors and are
better than a single authentication factor. Strong Authentication, or Two Factor Authentication, is widely accepted as the best practice for authentication.

201
Q
Business Impact Analysis (BIA) is about
A. Technology
B. Supporting the mission of the organization
C. Due Care
D. Risk Assessment
A

Answer: B
Explanation: Business impact analysis is not about technology; it is about supporting the mission
of the organization.

202
Q

You wish to make use of “port knocking” technologies. How can you BEST explain this?
A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify himself as an authorized client.
B. Port knocking is where the user calls the server operator to have him start the service he wants to connect to.
C. This is where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it’s open and running.
D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.

A

Answer: A
Explanation: The other answers are incorrect.

203
Q

Tim is a network administrator of Acme Inc. He is responsible for configuring the network devices. John, the new security manager, reviews the configuration of the firewall configured by Tim and
identifies an issue. This specific firewall is configured in failover mode with another firewall. A
sniffer on a PC connected to the same switch as the firewalls can decipher the credentials used by Tim while configuring the firewalls. Which of the following should be used by Tim to ensure that no one can eavesdrop on the communication?
A. SSH
B. SFTP
C. SCP
D. RSH

A

Answer: A
Explanation: The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the data, it prevents sniffing attacks using a protocol analyzer also called a sniffer.
With more and more computers installed in networked environments, it often becomes necessary
to access hosts from a remote location. This normally means that a user sends login and
password strings for authentication purposes. As long as these strings are transmitted as plain
text, they could be intercepted and misused to gain access to that user account without the
authorized user even knowing about it.

204
Q

Tim’s day to day responsibilities include monitoring the health of devices on the network. He uses a
Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the
requirements are to prevent easy disclosure of the SNMP strings and to authenticate the source of the packets?
A. UDP
B. SNMP V1
C. SNMP V3
D. SNMP V2

A

Answer: C
Explanation: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for
managing devices on IP networks. Devices that typically support SNMP include routers, switches,
servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task
Force (IETF).

205
Q

You have been approached by one of your clients. They are interested in doing some security re-engineering. The client is looking at various information security models. It is a highly secure
environment where data at high classifications cannot be leaked to subjects at lower
classifications. Of primary concern to them is the identification of potential covert channels. As an Information Security Professional, which model would you recommend to the client?
A. Information Flow Model combined with Bell Lapadula
B. Bell Lapadula
C. Biba
D. Information Flow Model

A

Answer: A
Explanation: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit information disclosure exist today, such as access control
lists, firewalls, and cryptography. However, although these methods do impose limits on the
information that is released by a system, they provide no guarantees about information
propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the
confidentiality of the data are given once it is decrypted.

206
Q

Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port?
A. Allow the packet to be processed by the network and record the event
B. Record selected information about the packets and drop the packets
C. Resolve the destination address and process the packet
D. Translate the source address and resend the packet

A

Answer: B
Explanation: This question refers specifically to the LAND Attack. This question is testing your ability to recognize common attacks such as the Land Attack and also your understanding of what would be an acceptable action taken by your Intrusion Detection System.

207
Q

What is the BEST definition of SQL injection?
A. SQL injection is a database problem.
B. SQL injection is a web Server problem.
C. SQL injection is a Windows and Linux website problem that could be corrected by applying a
website vendor’s patch.
D. SQL injection is an input validation problem

A

Answer: D
Explanation: SQL injection is the execution of unexpected SQL in the database as a result of
unsanitized user input being accepted and used in the application code to form the SQL statement. It is a coding problem which affects in-house, open source and commercial software.

208
Q
You are a security consultant who is required to perform penetration testing on a client’s network. During penetration testing, you are required to use a compromised system to attack other systems on the network to avoid network restrictions like firewalls. Which method would you use in this scenario?
A. Black box Method
B. Pivoting method
C. White Box Method.
D. Grey Box Method
A

Answer: B
Explanation: Pivoting refers to a method used by penetration testers that uses a compromised
system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised
web server to attack other systems on the network. These types of attacks are often called multi-layered
attacks. Pivoting is also known as island hopping.

209
Q
Which answer best describes a computer software attack that takes advantage of a previously
unpublished vulnerability?
A. Zero-Day Attack
B. Exploit Attack
C. Vulnerability Attack
D. Software Crack
A

Answer: A
Explanation: A zero-day (or zero-hour, or 0-day, or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or to the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the
vulnerability.

210
Q

Data which is properly secured and can be described with terms like genuine or not corrupted from
the original refers to data that has a high level of what?
A. Authenticity
B. Authorization
C. Availability
D. Non-Repudiation

A

Answer: A
Explanation: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine or not corrupted from the original.

211
Q
Which of the following is most appropriate to notify an internal user that session monitoring is
being conducted?
A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement
A

Answer: D
Explanation: This is a tricky question; the keyword in the question is internal users.
There are two possible answers based on how the question is presented: this question could
apply either to internal users or to ANY anonymous/external users. Internal users should always have a written agreement first; then logon banners serve as a constant reminder.

212
Q

A differential backup process will:
A. Back up data labeled with archive bit 1 and leave the data labeled as archive bit 1
B. Back up data labeled with archive bit 1 and change the data label to archive bit 0
C. Back up data labeled with archive bit 0 and leave the data labeled as archive bit 0
D. Back up data labeled with archive bit 0 and change the data label to archive bit 1

A

Answer: A
Explanation: Archive bit 1 = On (the archive bit is set).
Archive bit 0 = Off (the archive bit is NOT set). When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups back up all files changed since the last full backup. To do this, they don’t change the archive bit value when they back up a file. Instead, the differential lets the full backup make that change. An incremental only backs up data changed since the last incremental backup. Thus it does
change the archive bit from 1 (On) to 0 (Off).

213
Q

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
A. LLC and MAC; IEEE 802.2 and 802.3
B. LLC and MAC; IEEE 802.1 and 802.3
C. Network and MAC; IEEE 802.1 and 802.3

A

Answer: A
Explanation: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare it, in the binary format of the local area network or wide area network
technology, for transmission on the line.
Layer 2 is divided into two functional sublayers: the Logical Link Control (LLC) sublayer, described by IEEE 802.2, which sits above the Media Access Control (MAC) sublayer, described for Ethernet by IEEE 802.3.
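To make the two sublayers concrete, here is an added example (not from the study set) that parses a raw frame header and tells an Ethernet II frame apart from an IEEE 802.3 frame carrying an 802.2 LLC header. Both frames are constructed by hand; the payload bytes are zero-filled placeholders, and the EtherType table is a small illustrative subset.

```python
"""Parse a Layer 2 header: MAC sublayer fields plus the 802.2 LLC header when present.

Added example; not part of the original study set. Frames below are constructed.
"""
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # illustrative subset


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Returns MAC-sublayer fields and, for 802.3 frames, the LLC (802.2) header.

    Bytes 13-14 hold either an EtherType (0x0600 or more, Ethernet II) or a
    length (1500 or less, IEEE 802.3), in which case an LLC header follows.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a MAC header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    hdr = {"dst": fmt_mac(dst), "src": fmt_mac(src)}
    if type_or_len >= 0x0600:
        hdr["encapsulation"] = "Ethernet II"
        hdr["ethertype"] = type_or_len
        hdr["protocol"] = ETHERTYPES.get(type_or_len, "unknown")
        hdr["payload"] = frame[14:]
    elif type_or_len <= 1500:
        hdr["encapsulation"] = "IEEE 802.3"
        hdr["length"] = type_or_len
        # The length covers the LLC header and data; refuse inconsistent frames.
        if type_or_len < 3 or len(frame) < 14 + type_or_len:
            raise ValueError("802.3 length field inconsistent with frame size")
        dsap, ssap, control = struct.unpack("!BBB", frame[14:17])
        hdr["llc"] = {"dsap": dsap, "ssap": ssap, "control": control}
        hdr["payload"] = frame[17:14 + type_or_len]
    else:
        raise ValueError(f"undefined type/length value {type_or_len:#06x}")
    return hdr


# Constructed Ethernet II frame: broadcast destination, EtherType IPv4, dummy IPv4 header.
ETH2_FRAME = (
    bytes.fromhex("ffffffffffff")     # destination MAC
    + bytes.fromhex("001122334455")   # source MAC
    + bytes.fromhex("0800")           # EtherType 0x0800 = IPv4
    + bytes([0x45]) + bytes(19)       # placeholder IPv4 header
)

# Constructed 802.3 frame: STP multicast destination, length field, LLC DSAP/SSAP 0x42
# (spanning tree) with UI control 0x03, followed by a zero-filled BPDU.
_BPDU = bytes(35)
LLC_FRAME = (
    bytes.fromhex("0180c2000000")
    + bytes.fromhex("001122334455")
    + struct.pack("!H", 3 + len(_BPDU))  # length = LLC header + data
    + bytes([0x42, 0x42, 0x03])
    + _BPDU
)


if __name__ == "__main__":
    for f in (ETH2_FRAME, LLC_FRAME):
        h = parse_frame(f)
        print({k: v for k, v in h.items() if k != "payload"})
```

Note that nothing in either header is authenticated: source MAC addresses are whatever the sender puts there, which is why controls that key on them (such as the MAC filtering mentioned in a later card) are easy to bypass.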

214
Q

Which of the following is NOT part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration

A

Answer: B
Explanation: User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in
response to business processes

215
Q

Which of the following answers best describes the type of penetration testing where the analyst
has full knowledge of the network on which he is going to perform his test?
A. White-Box Penetration Testing
B. Black-Box Pen Testing
C. Penetration Testing
D. Gray-Box Pen Testing

A

Answer: A
Explanation: In general there are three ways a pen tester can test a target system.
- White-Box: The tester has full access and is testing from inside the system.
- Gray-Box: The tester has some knowledge of the system he’s testing.
- Black-Box: The tester has no knowledge of the system.
Each of these forms of testing has different benefits and can test different aspects of the system from different approaches

216
Q

Which access control method allows the data owner (the person who created the file) to control
access to the information they own?
A. DAC - Discretionary Access Control
B. MAC - Mandatory Access Control
C. RBAC - Role-Based Access Control
D. NDAC - Non-Discretionary Access Control

A

Answer: A
Explanation: DAC - Discretionary Access Control is where the user controls access to the data they create or manage.

217
Q

Suppose you are a domain administrator and are choosing an employee to carry out backups.
Which access control method do you think would be best for this scenario?
A. RBAC - Role-Based Access Control
B. MAC - Mandatory Access Control
C. DAC - Discretionary Access Control
D. RBAC - Rule-Based Access Control

A

Answer: A
Explanation: RBAC - Role-Based Access Control permissions would fit best for a backup job for the employee because the permissions correlate tightly with permissions granted to a backup
operator

218
Q

Of the seven types of Access Control Categories, which is described as such?
Designed to specify rules of acceptable behavior in the organization.
Example: Policy stating that employees may not spend time on social media websites
A. Directive Access Control
B. Deterrent Access Control
C. Preventive Access Control
D. Detective Access Control

A

Answer: A
Explanation: A directive control specifies the rules of acceptable behaviour that people in the organization are expected to follow, which is exactly what the social media policy in the question does. There are seven access control categories. Below you have the Access Control
Types and Categories.
- Access Control Types:
  - Administrative: policies, data classification and labeling, and security awareness training
  - Technical:
    - Hardware: MAC filtering or perimeter devices like:
    - Software controls like account logons, encryption and file permissions

220
Q

What are the five forensically sound principles?
(A) Authenticity, Completeness, Integrity, Minimalization, Reproducibility
(B) Authenticity, Chain of Custody, Integrity, Minimalization, Reproducibility

A

B. Authenticity, Chain of Custody, Integrity, Minimalization, Reproducibility

221
Q

Which of the following are primarily used to ensure effective security access?
(A) Confidentiality, integrity, availability, privacy
(B) System, data, administration, design

A

B. System, data, administration, design

222
Q

What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain access to a target computer system?
(A) Encryption algorithm used for password transfer
(B) Length of the passwords

A

(B) Length of the passwords

223
Q

The BEST method to maintain software code during development is through
(A) access controls.
(B) versioning

A

(B) versioning

224
Q

Firewalls filter incoming traffic according to
(A) stateful packet rules.
(B) a security policy.

A

(B) a security policy.

225
Q

Companies must be able to provide assurance that they have exercised due diligence in order to limit legal liability. The BEST way to do this is
(A) implementing a Security Management Plan.
(B) documented policies and procedures.

A

(B) documented policies and procedures.

226
Q

Which of the following is a program embedded in the database that runs every time a row is inserted and can provide automatic encryption of data before storage?
(A) Views
(B) Triggers

A

(B) Triggers

227
Q

A method for determining the behavior of suspected malware is
(A) penetration testing.
(B) disassembly.

A

(B) disassembly.

228
Q

A new worm has been released on the Internet. After investigation, you have not been able to determine if you are at risk of exposure. Management is concerned as they have heard that a number of their counterparts are being affected by the worm. How would you determine if you are at risk?
(A) Evaluate evolving environment
(B) Contact your anti-virus vendor

A

(B) Contact your anti-virus vendor

229
Q

Which of the following are the MAIN benefits of data classification?
(A) Facilitation of access control, efficiency of data protection management, simplifying data backup and storage
(B) Compliance automation, efficiency of data protection management, facilitation of access control

A

(B) Compliance automation, efficiency of data protection management, facilitation of access control

230
Q

Collecting evidence from a hard drive depends upon what factor?
(A) Elapsed time since the incident
(B) The properties of the file system

A

(B) The properties of the file system

231
Q

Intrusion detection systems primarily identify attacks based on
(A) states and patterns.
(B) signatures and anomalies

A

(B) signatures and anomalies
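The two detection approaches, run over the same log, as an added example (not from the study set). The access-log lines, the hourly per-source baseline counts and the three signatures are all constructed for illustration; a real ruleset and baseline would be far larger. The point it shows is that each method catches something the other misses.

```python
"""Signature-based and anomaly-based detection over one constructed web-server log.

Added example; not part of the original study set.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Combined-log-format line parser.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures: known-bad patterns. They catch what they describe and nothing else.
SIGNATURES = [
    ("path-traversal", re.compile(r"(\.\./|%2e%2e)", re.I)),
    ("sqli-union", re.compile(r"union\s+select", re.I)),
    ("xss-script-tag", re.compile(r"<script", re.I)),
]

# Anomaly baseline: requests per source in a normal hour (constructed values).
BASELINE = [12, 9, 15, 11, 10, 14, 8, 13]


def _line(ip, method, path, status, size="512"):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed log: normal browsing, one traversal probe, and 25 failed logins from one source.
LOG_LINES = [
    _line("203.0.113.5", "GET", "/index.html", "200"),
    _line("203.0.113.9", "GET", "/images/logo.png", "200"),
    _line("198.51.100.7", "GET", "/cgi-bin/../../../../etc/passwd", "404"),
    _line("203.0.113.5", "GET", "/about.html", "200"),
] + [_line("192.0.2.77", "POST", "/login", "401", "0") for _ in range(25)]


def parse_log(lines):
    matches = (LINE_RE.match(line) for line in lines)
    return [m.groupdict() for m in matches if m]


def signature_alerts(records):
    """One alert per (source, signature) hit. Misses anything with no known pattern."""
    return [(r["ip"], name) for r in records
            for name, rx in SIGNATURES if rx.search(r["path"])]


def anomaly_alerts(records, baseline, k=3.0):
    """Flags sources whose request count exceeds mean + k * stdev of the baseline."""
    cutoff = mean(baseline) + k * pstdev(baseline)
    per_ip = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in per_ip.items() if n > cutoff}


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("signature:", signature_alerts(recs))
    print("anomaly:  ", anomaly_alerts(recs, BASELINE))
```

The traversal probe is a single request, so it is statistically unremarkable and only the signature finds it; the password-guessing burst from 192.0.2.77 contains no malicious string at all, so only the anomaly detector finds it. That complementarity is why the answer names both.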

232
Q

Which of the following is a recommended practice when performing Business Impact Analysis (BIA) interviews?
(A) Limit the number of interviewers to one interviewer for each session
(B) Limit the number of interviewees in each session to three or less

A

(B) Limit the number of interviewees in each session to three or less

233
Q

Which of the following BEST describes the Common Criteria (CC) standard?
(A) It defines valid risk criteria for a business impact analysis.
(B) It provides criteria to evaluate trust in IT products.

A

(B) It provides criteria to evaluate trust in IT products.

234
Q

A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture

A

Answer: D
Explanation:
The optical unit of the iris pattern biometric system must be positioned so that the sun does not shine into the aperture

235
Q

In Mandatory Access Control, sensitivity labels attached to object contain what information?
A. The item’s classification
B. The item’s classification and category set
C.The item’s category
D. The item’s need to know

A

Answer: B
Explanation:
A sensitivity label is required for every subject and object when using the Mandatory Access Control (MAC) model. The sensitivity label is made up of a classification and different categories
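An added example (not from the study set) that puts the three models from cards 216, 217 and 235 side by side: DAC, where the owner edits the ACL; MAC, where a label is a classification plus a category set and access is decided by dominance; and RBAC, where permissions hang off roles such as backup operator. The classification ladder, category names, users and roles are constructed for illustration.

```python
"""DAC, MAC and RBAC access decisions side by side.

Added example covering cards 216, 217 and 235; not part of the original
study set. Levels, categories, users and roles are constructed.
"""
from dataclasses import dataclass

# --- Mandatory Access Control: label = classification + category set -------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset

    def dominates(self, other):
        """Level at least as high AND every category of `other` is held."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def mac_can_read(subject, obj):
    """Simple security property: the subject's clearance must dominate the object (no read up)."""
    return subject.dominates(obj)


def mac_can_write(subject, obj):
    """Star property: the object's label must dominate the subject (no write down)."""
    return obj.dominates(subject)


# --- Discretionary Access Control: the owner decides who gets what ----------
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, by, to, perm):
        if by != self.owner:
            raise PermissionError(f"{by} does not own the file")
        self.acl.setdefault(to, set()).add(perm)

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())


# --- Role-Based Access Control: permissions belong to roles, users to roles --
ROLE_PERMS = {
    "backup_operator": {"read_all_files", "write_backup_media"},
    "helpdesk": {"reset_password"},
}
USER_ROLES = {"dana": {"backup_operator"}, "eli": {"helpdesk"}}


def rbac_allowed(user, perm):
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    report = Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))
    crypto = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    print("MAC read:", mac_can_read(analyst, report), mac_can_read(analyst, crypto))
    f = DacFile("alice")
    f.grant("alice", "bob", "read")
    print("DAC bob:", f.allowed("bob", "read"), f.allowed("bob", "write"))
    print("RBAC dana:", rbac_allowed("dana", "read_all_files"),
          "eli:", rbac_allowed("eli", "read_all_files"))
```

The MAC case shows why the label must carry the category set and not just the classification: the analyst and the crypto report are both SECRET, but the read is still denied because the subject lacks the CRYPTO category. In the DAC case only the owner can change the ACL, and in the RBAC case nothing is granted to a user directly; giving Dana the backup job is a single role assignment.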

236
Q

Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.

A

Answer: C
Explanation:
Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority of Kerberos implementations work with shared secret keys.

237
Q

Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design

A

Answer: A
Explanation:
Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed

238
Q

What is Kerberos?
A. A three-headed dog from the Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial-in user server.

A

Answer: B
Explanation:
Kerberos is a third-party authentication service that can be used to support SSO.
Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology

239
Q
Kerberos depends upon what encryption method?
A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography
D. Blowfish cryptography.
A

Answer: B
Explanation:
Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority of Kerberos implementations work with shared secret keys.

240
Q
A confidential number used as an authentication factor to verify a user's identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge
A

Answer: A
Explanation:
Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.

241
Q
Individual accountability does not include which of the following?
A. unique identifiers
B. policies & procedures
C. access rules
D. audit trails
A

Answer: B
Explanation:
Accountability would not include policies and procedures because, while important to an effective security program, they cannot be used to determine accountability.

(References:
A: Accountability would include unique identifiers so that you can identify the individual.
C: Accountability would include access rules to define access violations.
D: Accountability would include audit trails to be able to trace violations or attempted violations.)

242
Q

Which of the following exemplifies proper separation of duties?
A. Operators are not permitted to modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console.

A

Answer: A
Explanation:
Changing the system time would cause logged events to carry the wrong time. An operator could commit fraud and cover his tracks by changing the system time to make it appear that the events happened at a different time. Ensuring that operators are not permitted to modify the system time
(another person would be required to do so) is an example of separation of duties. The objective of separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. High-risk activities should be broken up into different parts and
distributed to different individuals or departments, so that the company does not need to place a dangerously high level of trust in any one person. For fraud to take place, collusion would be needed, meaning more than one person would have to be involved in the fraudulent
activity. Job rotation, a related control, is a system where employees work at several jobs in a business, performing each job for a relatively short period of time.

243
Q
An access control policy for a bank teller is an example of the implementation of which of the
following?
A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy
A

Answer: D
Explanation:
Role-based access control is a model where access to resources is determined by job role rather than by user account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a role-based policy. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights