CISSP STUDY QUESTIONS Flashcards
A potential problem related to the physical installation of the Iris Scanner in regards to the usage
of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.
Answer: D
Explanation: Because the optical unit utilizes a camera and infrared light to create the images,
sun light can impact the aperture so it must not be positioned in direct light of any type. Because
the subject does not need to have direct contact with the optical reader, direct light can impact the
reader.
In Mandatory Access Control, sensitivity labels attached to object contain what information?
A. The item’s classification
B. The item’s classification and category set
C. The item’s category
D. The items’s need to know
Answer: B
Explanation: The following is the correct answer: the item’s classification and category set
Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.
Answer: C
Explanation: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party
authentication protocol. It was designed and developed in the mid 1980’s by MIT. It is considered
open source but is copyrighted and owned by MIT. It relies on the user’s secret keys. The
password is used to encrypt and decrypt the keys
Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.
Answer: A
Explanation: Is a means of being able to track user actions. Through the use of audit logs and
other tools the user actions are recorded and can be used at a later date to verify what actions
were performed
What is Kerberos?
A. A three-headed dog from the egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.
Answer: B
Explanation: Is correct because that is exactly what Kerberos is.
Kerberos depends upon what encryption method? A. Public Key cryptography. B. Secret Key cryptography. C. El Gamal cryptography. D. Blowfish cryptography.
Answer: B
Explanation: Kerberos depends on Secret Keys or Symmetric Key cryptography
A confidential number used as an authentication factor to verify a user's identity is called a: A. PIN B. User ID C. Password D. Challenge
Answer: A
Explanation: PIN Stands for Personal Identification Number, as the name states it is a
combination of numbers
Individual accountability does not include which of the following? A. unique identifiers B. policies & procedures C. access rules D. audit trails
Answer: B
Explanation: Accountability would not include policies & procedures because while important on an effective security program they cannot be used in determining accountability.
Which of the following exemplifies proper separation of duties?
A. Operators are not permitted modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console
Answer: A
Explanation: This is an example of Separation of Duties because operators are prevented from modifying the system time which could lead to fraud. Tasks of this nature should be performed by they system administrators.
An access control policy for a bank teller is an example of the implementation of which of the following? A. Rule-based policy B. Identity-based policy C. User-based policy D. Role-based policy
Answer: D
Explanation: The position of a bank teller is a specific role within the bank, so you would
implement a role-based policy
Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanism with reusable passwords C. One-time password mechanism. D. Challenge response mechanism
Answer: A
Explanation: Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP.
Organizations should consider which of the following first before allowing external access to their LANs via the Internet?
A. Plan for implementing workstation locking mechanisms.
B. Plan for protecting the modem pool.
C. Plan for providing the user with his account usage information.
D. Plan for considering proper authentication options
Answer: D
Explanation: Before a LAN is connected to the Internet, you need to determine what the access controls mechanisms are to be used, this would include how you are going to authenticate individuals that may access your network externally through access control
Kerberos can prevent which one of the following attacks? A. Tunneling attack. B. Playback (replay) attack. C. Destructive attack. D. Process attack.
Answer: B
Explanation: Each ticket in Kerberos has a time-stamp and are subject to time expiration to help prevent these types of attacks
In discretionary access environments, which of the following entities is authorized to grant information access to other people? A. Manager B. Group Leader C. Security Manager D. Data Owner
Answer: D
Explanation: In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file including the ability to set permissions for that file
What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator’s workload would increase.
C. The users’ password would be too hard to remember.
D. User access rights would be increased
Answer: A
Explanation: A major concern with Single Sign-On (SSO) is that if a user’s ID and password are compromised, the intruder would have access to all the systems that the user was authorized for
Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie and Hellman. B. Clark and Wilson. C. Bell and LaPadula. D. Gasser and Lipner.
Answer: C
Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system
Which of the following attacks could capture network user passwords? A. Data diddling B. Sniffing C. IP Spoofing D. Smurfing
Answer: B
Explanation: A network sniffer captures a copy every packet that traverses the network segment
the sniffer is connect to. Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment to basic workstations with
customized software.
Which of the following would constitute the best example of a password to use for access to a system by a network administrator? A. holiday B. Christmas12 C. Jenny D. GyN19Za!
Answer: D
Explanation: GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks
What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye
Answer: D
Explanation: The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina’s four cell layers
The Computer Security Policy Model the Orange Book is based on is which of the following? A. Bell-LaPadula B. Data Encryption Standard C. Kerberos D. Tempest
Answer: A
Explanation: The Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model. Orange Book Glossary
The end result of implementing the principle of least privilege means which of the following?
A. Users would get access to only the info for which they have a need to know
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.
Answer: A
Explanation: The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access any of the files on specific systems.
Which of the following is the most reliable authentication method for remote access? A. Variable callback system B. Synchronous token C. Fixed callback system D. Combination of callback and caller ID
Answer: B
Explanation: A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.
Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.
Answer: D
Explanation: It relies on two independent proofs of identity. Two-factor authentication refers to using two independent proofs of identity, such as something the user has (e.g. a token card) and something the user knows (a password). Two-factor authentication may be used with single sign-on.
The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization
Answer: C
Explanation: non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation
There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following? A. public keys B. private keys C. public-key certificates D. private-key certificates
Answer: C
Explanation: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.
In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place? A. Bell-LaPadula model B. Biba model C. Access Matrix model D. Take-Grant model
Answer: A
Explanation: Details: The Answer: Bell-LaPadula model
The Bell-LAPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. Developed by the US Military in the 1970s.
Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support? A. SESAME B. RADIUS C. KryptoKnight D. TACACS+
Answer: A
Explanation: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.
Single Sign-on (SSO) is characterized by which of the following advantages?
A. Convenience
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration
Answer: B
Explanation: Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete accounts across the entire network from one user interface
What is the primary role of smartcards in a PKI?
A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users
Answer: D
What kind of certificate is used to validate a user identity? A. Public key certificate B. Attribute certificate C. Root certificate D. Code signing certificate
Answer: A
Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority(CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users (“endorsements”). In either case, the signatures on a certificate are attestations by the
certificate signer that the identity information and the public key belong together.
The following is NOT a security characteristic we need to consider while choosing a biometricidentification systems: A. data acquisition process B. cost C. enrollment process D. speed and user interface
Answer: B
Explanation: Cost is a factor when considering Biometrics but it is not a security characteristic All the other answers are incorrect because they are security characteristics related to Biometrics. Data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering 2 questions :
A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
Answer: B
Explanation: Today implementation of fast, accurate reliable and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behavior of a person are used for that purpose.
In biometric identification systems, the parts of the body conveniently available for identification are: A. neck and mouth B. hands, face, and eyes C. feet and hair D. voice and neck
Answer: B
Explanation: Today implementation of fast, accurate, reliable, and user-acceptable biometric identification systems are already under way. Because most identity authentication takes place when a people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are hands, face, and eyes
Controlling access to information systems and associated networks is necessary for the preservation of their:
A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability.
C. integrity and availability.
D. authenticity,confidentiality, integrity and availability
Answer: B
Explanation: Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability.
To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up: A. Access Rules B. Access Matrix C. Identification controls D. Access terminal
Answer: A
Explanation: Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and
Non-Discretionary. An access matrix is one of the means used to implement access control
Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what category of access control?
A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control
Answer: C
Explanation: Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects. In general, all access control policies other than DAC are grouped in the category of nondiscretionary access control (NDAC). As the name implies, policies in this category have rules that
are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.
The type of discretionary access control (DAC) that is based on an individual's identity is also called: A. Identity-based Access control B. Rule-based Access control C. Non-Discretionary Access Control D. Lattice-based Access control
Answer: A
Explanation: An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual’s identity. DAC is good for low level security environment. The owner of the file decides who has access to the file.
Which access control type has a central authority that determine to what objects the subjects have access to and it is based on role or on the organizational security policy? A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access control
Answer: C
Explanation: Non Discretionary Access Control include Role Based Access Control (RBAC) and Rule Based Access Control (RBAC or RuBAC). RABC being a subset of NDAC, it was easy to eliminate RBAC as it was covered under NDAC already
Which of the following control pairings include: organizational policies and procedures, preemployment
background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased
supervision, security awareness training, behavior awareness, and sign-up procedures to obtain
access to information systems and networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
Answer: A
Explanation: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information
systems and networks
Technical controls such as encryption and access control can be built into the operating system,be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Technical Pairing
Answer: B
Explanation: Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.
What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources? A. Micrometrics B. Macrometrics C. Biometrics D. MicroBiometrics
Answer: C
What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback systems B. Callback forward systems C. Callback systems D. Sendback forward systems
Answer: C
Explanation: The Answer: Call back Systems; Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.
What are called user interfaces that limit the functions that can be selected by a user? A. Constrained user interfaces B. Limited user interfaces C. Mini user interfaces D. Unlimited user interfaces
Answer: A
Explanation: Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting available menus, data views, encryption, or by physically constraining the user interfaces
Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative
Answer: D
Explanation: Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records
The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative
Answer: B
Explanation: The detective/technical control measures are intended to reveal the violations of security policy using technical means
The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with: A. Preventive/physical B. Detective/technical C. Detective/physical D. Detective/administrative
Answer: C
Explanation: Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists
External consistency ensures that the data stored in the database is:
A. in-consistent with the real world.
B. remains consistant when sent from one system to another.
C. consistent with the logical world.
D. consistent with the real world.
Answer: D
Explanation: External consistency ensures that the data stored in the database is consistent with the real world.
A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access control
Answer: C
Explanation: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the ‘central authority’ that determines access rights
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Authorization D. Confidentiality
Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself
Which one of the following factors is NOT one on which Authentication is based?
A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such
as a fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator
Answer: D
Explanation: Authentication is based on the following three factor types:
Type 1 Something you know, such as a PIN or password
Type 2 Something you have, such as an ATM card or smart card
Type 3 Something you are (Unique physical characteristic), such as a fingerprint or retina scan
A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access control
Answer: C
Explanation: A central authority determines what subjects can have access to certain objects based on the organizational security policy. The key focal point of this question is the ‘central authority’ that determines access rights
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Authorization D. Confidentiality
Answer: B
Explanation: Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.
The act of requiring two of the three factors to be used in the authentication process refers to: A. Two-Factor Authentication B. One-Factor Authentication C. Bi-Factor Authentication D. Double Authentication
Answer: A
Explanation: Two-Factor Authentication refers to the act of requiring two of the three factors to be used in the authentication process
Which type of password provides maximum security because a new password is required for each new log-on? A. One-time or dynamic password B. Congnitive password C. Static password D. Passphrase
Answer: A
Explanation: “One-time password” provides maximum security because a new password is required for each new log-on.
What is called a password that is the same for each log-on session? A. "one-time password" B. "two-time password" C. static password D. dynamic password
Answer: C
What is called a sequence of characters that is usually longer than the allotted number for a password? A. passphrase B. cognitive phrase C. anticipated phrase D. Real phrase
Answer: A
Explanation: A passphrase is a sequence of characters that is usually longer than the allotted number for a password
Which best describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic passwords? A. Tickets B. Tokens C. Token passing networks D. Coupons
Answer: B
Explanation: Tokens; Tokens in the form of credit card-size memory cards or smart cards, or those resembling small calculators, are used to supply static and dynamic passwords.
Which of the following would be true about Static password tokens?
A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticates the token owner but the system.
Answer: A
Explanation: Tokens are electronic devices or cards that supply a user’s password for them. A token system can be used to supply either a static or a dynamic password. There is a big difference between the static and dynamic systems, a static system will normally log a user in but
a dynamic system the user will often have to log themselves in
In Synchronous dynamic password tokens:
A. The token generates a new password value at fixed time intervals (this password could be
based on the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password
could be based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner’s PIN.
D. The authentication entity in a system or workstation knows an owner’s secret key and PIN, and
the entity verifies that the entered password is invalid and that it was entered during the invalid
time window.
Answer: B
Explanation: Synchronous dynamic password tokens:
The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key). The unique password is entered into a system or workstation along with an owner’s PIN.
The authentication entity in a system or workstation knows an owner’s secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.
In biometrics, "one-to-many" search against database of stored biometric images is done in: A. Authentication B. Identification C. Identities D. Identity-based access control
Answer: B
Explanation: In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images.
Which of the following is true of biometrics?
A. It is used for identification in physical controls and it is not used in logical controls.
B. It is used for authentication in physical controls and for identification in logical controls.
C. It is used for identification in physical controls and for authentication in logical controls.
D. Biometrics has not role in logical controls.
Answer: C
Explanation: When used in physical control biometric Identification is performed by doing a one to many match. When you submit your biometric template a search is done through a database of templates until the matching one is found. At that point your identity is revealed and if you are a valid employee access is granted
What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error
Answer: A
Explanation: The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error
What is called the percentage of invalid subjects that are falsely accepted by a Biometric authentication system?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III Error
Answer: B
Explanation: The percentage of invalid subjects that are falsely accepted is called the False Acceptance Rate (FAR) or Type II Error.
What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. Failure to enroll rate (FTE or FER)
Answer: C
Explanation: The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER), any of the two terms could be used.
Considerations of privacy, invasiveness, and psychological and physical comfort when using the
system are important elements for which of the following?
A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems
Answer: B
Explanation: Acceptability refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system
Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credential, and faster resource access? A. Smart cards B. Single Sign-On (SSO) C. Symmetric Ciphers D. Public Key Infrastructure (PKI)
Answer: B
Explanation: The advantages of SSO include having the ability to use stronger passwords, easier administration as far as changing or deleting the passwords, minimize the risks of orphan accounts, and requiring less time to access resources.
Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?
A. Once an individual obtains access to the system through the initial log-on, they have access to
all resources within the environment that the account has access to.
B. The initial logon process is cumbersome to discourage potential intruders.
C. Once a user obtains access to the system through the initial log-on, they only need to logon to
some applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all
other systems
Answer: A
Explanation: Single Sign-On is a distrubuted Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is if a fraudster is able to compromise those credential they too would have access to all the resources that account has access to. All the other answers are incorrect as they are distractors.
Which of the following is implemented through scripts or smart agents that replays the users multiple log-ins against authentication servers to verify a user's identity which permit access to system services? A. Single Sign-On B. Dynamic Sign-On C. Smart cards D. Kerberos
Answer: A
Explanation: SSO can be implemented by using scripts that replay the users multiple log-ins against authentication servers to verify a user’s identity and to permit access to system services. Single Sign on was the best answer in this case because it would include Kerberos. When you have two good answers within the 4 choices presented you must select the BEST one.
The high level choice is always the best. When one choice would include the other one that would
be the best as well.
Which of the following is NOT true of the Kerberos protocol?
A. Only a single login is required per session.
B. The initial authentication steps are done using public key algorithm.
C. The KDC is aware of all systems in the network and is trusted by all of them
D. It performs mutual authentication
Answer: B
Explanation: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session. Credentials defined at login are then passed between
resources without the need for additional logins.
• The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is
aware of all systems in the network and is trusted by all of them.
• It performs mutual authentication, where a client proves its identity to a server and a server
proves its identity to the client
The authenticator within Kerberos provides a requested service to the client after validating which of the following? A. timestamp B. client public key C. client private key D. server public key
Answer: A
Explanation:The server also checks the authenticator and, if that timestamp is valid, it provides the requested service to the client.
Which of the following is addressed by Kerberos? A. Confidentiality and Integrity B. Authentication and Availability C. Validation and Integrity D. Auditability and Integrity
Answer: A
Explanation: Kerberos addresses the confidentiality and integrity of information. It also addresses primarily authentication but does not directly address availability.
Kerberos is vulnerable to replay in which of the following circumstances?
A. When a private key is compromised within an allotted time window.
B. When a public key is compromised within an allotted time window.
C. When a ticket is compromised within an allotted time window.
D. When the KSD is compromised within an allotted time window.
Answer: C
Explanation: Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. The security depends on careful implementation:enforcing limited lifetimes for authentication credentials minimizes the threat of of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-kerberos activities
Like the Kerberos protocol, SESAME is also subject to which of the following? A. time slot replay B. password guessing C. symmetric key guessing D. asymmetric key guessing
Answer: B
Explanation: Sesame is an authentication and access control protocol, that also supports communication
confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMAstyle Privilege Attribute Service
RADIUS incorporates which of the following services?
A. Authentication server and PIN codes.
B. Authentication of clients and static passwords generation.
C. Authentication of clients and dynamic passwords generation.
D. Authentication server as well as support for Static and Dynamic passwords
Answer: D
Explanation: According to RFC 2865: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to
designated RADIUS servers, and then acting on the response which is returned.
Which of the following protects a password from eavesdroppers and supports the encryption of
communication?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Challenge Handshake Identification Protocol (CHIP)
C. Challenge Handshake Encryption Protocol (CHEP)
D. Challenge Handshake Substitution Protocol (CHSP)
Answer: A
Explanation: CHAP: A protocol that uses a three way hand shake The server sends the client a challenge
which includes a random value(a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password.The authentication is successful if the client’s response is the one that the server expected.
Which of the following represents the columns of the table in a relational database? A. attributes B. relation C. record retention D. records or tuples
Answer: A
Explanation: The rows of the table represent records or tuples and the columns of the table represent the attributes
A database view is the results of which of the following operations? A. Join and Select. B. Join, Insert, and Project. C. Join, Project, and Create. D. Join, Project, and Select.
Answer: D
Explanation: 1 The formal description of how a relational database operates.
2 The mathematics which underpin SQL operations.
A number of operations can be performed in relational algebra to build relations and operate on the data
Which of the following is used to create and modify the structure of your tables and other objects in the database?
A. SQL Data Definition Language (DDL)
B. SQL Data Manipulation Language (DML)
C. SQL Data Relational Language (DRL)
D. SQL Data Identification Language (DIL)
Answer: A
Explanation: The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables). Data Definition Language. The Data Definition Language (DDL) is used to create and destroy databases and database objects. These commands will primarily be used by database administrators during the setup and removal phases of a database project. Let’s take a look at the structure and usage of four basic
Which of the following is used to monitor network traffic or to monitor host audit logs in real time to determine violations of system security policy that have taken place? A. Intrusion Detection System B. Compliance Validation System C. Intrusion Management System (IMS) D. Compliance Monitoring System
Answer: A
Explanation: An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to
monitor host audit logs in order to determine if any violations of an organization’s system security
policy have taken place
Which of the following monitors network traffic in real time? A. network-based IDS B. host-based IDS C. application-based IDS D. firewall-based IDS
Answer: A
Explanation: This type of IDS is called a network-based IDS because monitors network traffic in real time.
A host-based IDS is resident on which of the following? A. On each of the critical hosts B. decentralized hosts C. central hosts D. bastion hosts
Answer: A
Explanation: A host-based IDS is resident on a host and reviews the system and event logs in order to detect an attack on the host and to determine if the attack was successful. All critical serves should have a Host Based Intrusion Detection System (HIDS) installed. As you are well aware, network based IDS cannot make sense or detect pattern of attacks within encrypted traffic.
A HIDS might be able to detect such attack after the traffic has been decrypted on the host. This is why critical servers should have both NIDS and HIDS
Which of the following usually provides reliable, real-time information without consuming network or host resources? A. network-based IDS B. host-based IDS C. application-based IDS D. firewall-based IDS
Answer: A
Explanation: A network-based IDS usually provides reliable, real-time information without consuming network or host resources
The fact that a network-based IDS reviews packets payload and headers enable which of the following?
A. Detection of denial of service
B. Detection of all viruses
C. Detection of data corruption
D. Detection of all password guessing attacks
Answer: A
Explanation: Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected
Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful? A. host-based IDS B. firewall-based IDS C. bastion-based IDS D. server-based IDS
Answer: A
Explanation: A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful
What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?
A. It can be very invasive to the host operating system
B. Monitors all processes and activities on the host system only
C. Virtually eliminates limits associated with encryption
D. They have an increased level of visibility and control compared to NIDS
Answer: A
Explanation: The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing.
Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection System (IDS)? A. signature-based IDS B. statistical anomaly-based IDS C. event-based IDS D. inferent-based IDS
Answer: A
Which of the following is an issue with signature-based intrusion detection systems?
A. Only previously identified attack signatures are detected.
B. Signature databases must be augmented with inferential elements.
C. It runs only on the windows operating system
D. Hackers can circumvent signature evaluations
Answer: A
Explanation: An issue with signature-based ID is that only attack signatures that are stored in their database are detected. New attacks without a signature would not be reported. They do require constant updates in order
to maintain their effectiveness.
Which of the following is an IDS that acquires data and defines a "normal" usage profile for the network or host? A. Statistical Anomaly-Based ID B. Signature-Based ID C. dynamical anomaly-based ID D. inferential anomaly-based ID
Answer: A
Explanation: Statistical Anomaly-Based ID - With this method, an IDS acquires data and defines a “normal” usage profile for the network or host that is being monitored.
Which of the following is most relevant to determining the maximum effective cost of access control?
A. the value of information that is protected.
B. management’s perceptions regarding data importance.
C. budget planning related to base versus incremental spending.
D. the cost to replace lost data.
Answer: A
Explanation: The cost of access control must be commensurate with the value of the information that is being protected.
Which of the following is NOT a factor related to Access Control? A. integrity B. authenticity C. confidentiality D. availability
Answer: B
Explanation: These factors cover the integrity, confidentiality, and availability components of information system security.
Which of the following is most appropriate to notify an external user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement
Answer: A
Explanation: Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system and if it is an unauthorized user then he is fully aware of trespassing.
Which of the following pairings uses technology to enforce access control policies? A. Preventive/Administrative B. Preventive/Technical C. Preventive/Physical D. Detective/Administrative
Answer: B
Explanation: The preventive/technical pairing uses technology to enforce access control policies
In the course of responding to and handling an incident, you work on determining the root cause of the incident. In which step are you in? A. Recovery B. Containment C. Triage D. Analysis and tracking
Answer: D
Explanation: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident
Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It does not permit management to:
A. specify what users can do
B. specify which resources they can access
C. specify how to restrain hackers
D. specify what operations they can perform on a system.
Answer: C
Explanation: Access control is the collection of mechanisms that permits managers of a system
to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. Specifying HOW to restrain hackers is not directly linked to access control.
Access Control techniques do not include which of the following choices? A. Relevant Access Controls B. Discretionary Access Control C. Mandatory Access Control D. Lattice Based Access Control
Answer: A Explanation: Access Control Techniques Discretionary Access Control Mandatory Access Control Lattice Based Access Control Rule-Based Access Control Role-Based Access Control
Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)?
A. A subject is not allowed to read up.
B. The *- property restriction can be escaped by temporarily downgrading a high level subject.
C. A subject is not allowed to read down.
D. It is restricted to confidentiality.
Answer: C
Explanation: It is not a property of Bell LaPadula model.
The other answers are incorrect because: A subject is not allowed to read up is a property of the ‘simple security rule’ of Bell LaPadula model
When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED? A. Type I error B. Type II error C. Type III error D. Crossover error
Answer: B
Explanation: When the biometric system accepts impostors who should have been rejected , it is
called a Type II error or False Acceptance Rate or False Accept Rate. Biometrics verifies an individual’s identity by analyzing a unique personal attribute or behavior,
which is one of the most effective and accurate methods of verifying identification