Domain 3: (Security Architecture and Engineering)

Question 1

What treats user identity as the control plane and assumes compromise/breach in verifying every request?

Answer 1

Zero Trust Security

Question 2

What represents a default config reflects a restrictive and conservative enforcement of security policy?

Answer 2

Secure Defaults

Question 3

What indicates that components should fail in a state that denies rather than grants access?

Answer 3

Fail Securely

Question 4

What are the secure design principles?

Answer 4

Secure Defaults
Fail Securely
Zero Trust Security
Keep it Simple

Question 5

What was created by the IAPP and represents making privacy an integral part of every system, technology, policy, and design process?

Answer 5

Privacy by Design

Question 6

What are the seven principles of privacy by design by IAPP?

Answer 6

Proactive
Privacy as the default setting
Privacy must be embedded in the design
Privacy should be a positive-sum approach
End to end full lifecycle data protection
Visibility and transparency
Keep privacy user-centric

Question 7

What represents a cloud provider concept in which security is provided to an org through or by an online entity?

Answer 7

Security-as-a-Service

Question 8

What represents a class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting?

Answer 8

Internet of Things

Question 9

What represents mobile devices that offer customization options, typically through installing apps and may use on-device or in-the-cloud AI processing?

Answer 9

Smart Devices

Question 10

What represents a system that collects data from other sources on the network, provides real-time monitoring, traffic analysis & notification of potential attacks?

Answer 10

SIEM
Security Information and Event Management

Question 11

What represents a centralized alert and response automation with threat-specific playbooks?

Answer 11

SOAR
Security Orchestration Automation, & Response

Question 12

What is the creation of discrete services that may be accessed by users in a black box fashion?

Answer 12

SOA
Service Oriented Archietchture

Question 13

What are fine-grained services with a discrete function and is a modern adaption of SOA to cloud computing?

Answer 13

Microservices

Question 14

What should be identified early in the development lifecycle?

Answer 14

Code-level vulnerabilities

Question 15

What techniques should be incorporated early in the CI/CD process to identify deficiencies before release?

Answer 15

Static code analysis
Dynamic testing

Question 16

What represents a lightweight, granular, and portable way to package apps for multiple platforms and doesn’t have their own operating system?

Answer 16

Containerization

Question 17

What reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel?

Answer 17

Containerization

Question 18

What is a set of exposed interfaces that allow programmatic interaction between services?

Answer 18

APIs

Question 19

What uses the HTTPS protocol for web communications to offer API end points?

Answer 19

REST

Question 20

What must be done prior to storing, distributing, and transmitting access keys?

Answer 20

Encryption

Question 21

What is an embedded system?

Answer 21

The technology component of an IOT device

A full computer system embedded inside of another larger system

Question 22

What are examples of embedded systems?

Answer 22

Printers, GPS, drones, semi-autonomous vehicles

Question 23

What must you consider when dealing with embedded devices to ensure they meet security best practices?

Answer 23

Authentication practices

Question 24

What represents an alternative to client-server computing model for computer-intensive operations w/ large data sets?

Answer 24

HPC
High Performance Computing

Question 25

For problems that require the use of extremely large data sets and large-scale parallel processing what type of system should you use?

Answer 25

High Performance Computing system

Question 26

What employs a centralized controller that makes computing assignments to grid members?

Answer 26

Grid Computing

Question 27

What do you use when you need to process data locally and far from the cloud?

Answer 27

Edge Computing

Question 28

What is common in various internet-of-things scenarios, like agricultural, science/space, and military?

Answer 28

Edge Computing

Question 29

What places gateway devices in the field to collect and correlate data centrally at the edge?

Answer 29

Fog Computing

Question 30

What are some key considerations when dealing with large network-connected device counts in various locations?

Answer 30

Data Encryption
Spoofing Protection
Authentication

Question 31

What cloud service provides the building blocks of support for networking, storage, compute, and datacenters?

Answer 31

IaaS
Infrastructure as a service

Question 32

What cloud service is where the customer is responsible for deployment and management of apps, while the cloud service provider manages provisioning, config, hardware, and OS?

Answer 32

PaaS
Platform as a service

Question 33

What cloud service is where the customer only configures features while the cloud service provider supports everything else?

Answer 33

SaaS
Software as a service

Question 34

What cloud service model allows scalability, agility, pay as you go, no maintenance, and low skills?

Answer 34

Public cloud

Question 35

What cloud service model is managed by the organization and allows for legacy support, control, and compliance?

Answer 35

Private cloud

Question 36

What cloud service model supports public and private clouds and run apps in the right location and allows for flexibility in legacy support, compliance, and scalability scenarios?

Answer 36

Hybrid cloud

Question 37

What is a security policy enforcement solution that may be installed on premises or in the cloud?

Answer 37

CASB
Cloud access security broker

Question 38

What key algorithm is quantum resistant, and enables better resistance against quantum computing attacks?

Answer 38

Lattice

Question 39

What encrypts each plaintext digit one at a time with the corresponding digit of the keystream?

Answer 39

Symmetric stream cipher

Question 40

What method encrypts a block of data rather than one bit at a time?

Answer 40

Block cipher

Question 41

What uses the encryption algorithm to replace each character or bit of the plaintext message with a different character?

Answer 41

Substitution cipher/ Caesar cipher

Question 42

What uses an encryption algorithm to rearrage the letters of a plaintext message?

Answer 42

Transposition cipher

Question 43

What is a random bit string that is XORed with the message and is normally the same length as the block size of the cipher?

Answer 43

Initialization vector IV

Question 44

Which cipher uses a key length of one?

Answer 44

Caesar

Question 45

Which cipher uses a longer key usually a word or sentence?

Answer 45

Vigenere

Question 46

Which cipher uses a key that is as long as the message itself?

Answer 46

One-time pad

Question 47

What criteria must be met for a one-time pad to be successful?

Answer 47

Generated randomly
Protected against physical disclosure
Used only one time

Question 48

What enables someone to prove knowledge of a fact to another individual without revealing the fact itself?

Answer 48

Zero-knowledge proof

Question 49

What describes the means that the information or privilege required to perform an operation is divided among multiple users?

Answer 49

Split knowledge

Question 50

What is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages?

Answer 50

Work function or Work factor

Question 51

What relies on the use of a shared secret key, lacks support for scalability, easy key distribution, nonrepudiation, and is faster.

Answer 51

Symmetric Key

Question 52

What uses public-private key pairs for communication between parties, support scalability, easy key distribution, nonrepudiation, and is stronger?

Answer 52

Asymmetric Key

Question 53

What is the least secure mode that processes 64-bit blocks, and produces the same encrypted block if it encounters the same block multiple times?

Answer 53

ECB
Electronic Codebook Mode

Question 54

What XORed each block of unencrypted text with block of the ciphertext immediately preceding and the decryption process decrypts the ciphertext and reverses the XOR operation.

Answer 54

CBC
Cipher Block Chaining

Question 55

What is the streaming version of CBC and works on data in real time, using memory buffers of the same block size, and uses chaining so errors propagate?

Answer 55

CFB
Cipher Feedback

Question 56

What operates similar to CFB, but XORs the plain text with a seed value. No chaining function, so errors do not propagate.

Answer 56

OFB
Output Feedback

Question 57

What uses an incrementing counter instead of a seed and errors do not propagate?

Answer 57

CTR
Counter

Question 58

What is a weakness in cryptography where a plain text message generates identical ciphertext messages using the same algorithm but using different keys?

Answer 58

Key Clustering

Question 59

When you encrypt a message what asymmetric key do you use?

Answer 59

The recipient’s public key

Question 60

When decrypting a message what asymmetric key do you use?

Answer 60

Your private key

Question 61

When signing a message what asymmetric key do you use?

Answer 61

Your private key

Question 62

When validating a signature, what asymmetric key do you use?

Answer 62

The sender’s public key

Question 63

What are the five requirements for good hash functions?

Answer 63

Allow input of any length
Provide fixed-length output
Easy to computer the hash function for any input
Provide one-way functionality
Collision free

Question 64

What can you add to passwords before hashing them to reduce the effectiveness of rainbow table attacks?

Answer 64

Salts

Question 65

What uses the SHA-1 SHA-2, and SHA-3 message digest functions, and works in conjunction with one of the three encryption algorithms (DSA, RSA, ECDSA)?

Answer 65

DSS
Digital Signature Standard

Question 66

What generates digital certificates containing the public keys of system users and certificate recipients verify a certificate using the CA’s public key?

Answer 66

Certificate Authorities

Question 67

What are the standards for encrypted messages for email?

Answer 67

S/MIME and PGP

Question 68

What is a security architecture framework that supports secure communication over IP, can be used for direct communication between cpus or over a VPN connection and uses two protocols (AH & ESP)?

Answer 68

IPsec

Question 69

What are some common cryptographic attacks?

Answer 69

Brute-force
Meet-in-the-middle
Man-in-the-middle
Birthday
Replay

Question 70

What attack attempts to randomly find the correct cryptographic key?

Answer 70

Brute-force attack

Question 71

What attack exploits protocols that use two rounds of encryption?

Answer 71

Meet-in-the-middle attacks

Question 72

What attack fools both parties into communicating with the attacker instead of directly with each other?

Answer 72

Man-in-the-middle attack

Question 73

What attack attempts to find collisions in hash functions?

Answer 73

Birthday attack

Question 74

What attack attempts to reuse authentication requests?

Answer 74

Replay attacks

Question 75

What allows content owners to enforce restrictions on the use of their content by others, and commonly protects entertainment content, such as music, movies, and e-books?

Answer 75

DRM
Digital Rights Management

Question 76

What symmetric algorithms are 64-bits in block size?

Answer 76

Blowfish
Skipjack
DES
3DES
IDEA
RC2

Question 77

What symmetric algorithms are 128-bits in block size?

Answer 77

AES
Twofish
RC5

Question 78

What symmetric algorithms are streaming bits in block size?

Answer 78

RC4

Question 79

What hash algorithms have a hash value length of 128?

Answer 79

MD2
MD4
MD5

Question 80

What are the hash value lengths of the SHA family that is still in use?

Answer 80

SHA-224
SHA-256
SHA-384
SHA-512

Question 81

What SHA algorithm is not in use anymore and has a hash value length of 160?

Answer 81

SHA-1

Question 82

What are the three major public key cryptosystems?

Answer 82

RSA
El Gamal
Elliptic Curve

Question 83

What is the most popular public key cryptosystem, developed by Rivest, Shamir, and Adleman in 1977, and depends on the difficulty of factoring the product of prime numbers?

Answer 83

RSA

Question 84

What is an extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic and is less common?

Answer 84

El Gamal

Question 85

What algorithm provides more security than other algorithms when both are used with keys of the same length?

Answer 85

Elliptic Curve

Question 86

What encryption algorithm is currently approved based on FIPS 186-4?

Answer 86

DSA
Digital Signature Algorithm

Question 87

What encryption algorithm is currently approved for use based on ANSI X9.31?

Answer 87

RSA

Question 88

What encryption algorithm is currently approved for use based on ANSI X9.62?

Answer 88

ECDSA
Elliptic Curve Digital Signature Algorithm

Question 89

What describes a system that is always secure no matter what state it is in, is based on the finite state machine, and is a snapshot of a system at a specific moment in time?

Answer 89

State machine model

Question 90

What is it called when each possible state transition results in another secure state?

Answer 90

Secure state machine

Question 91

What model focuses on the flow of information, is based on the state machine model?

Answer 91

Information flow model

Question 92

What are two information flow models?

Answer 92

Biba
Bell-LaPadula

Question 93

What information flow model focuses on preventing information flow from a high security level to a low security level?

Answer 93

Bell-LaPadula

Question 94

What information flow model focuses on the flow of information from a low to high security level?

Answer 94

Biba

Question 95

What is loosley based on the information flow model, ensure that the actions of different objects and subjects are not seen by other objects and subjects on the same system, and is concerned with how actions of a subj of a high security level affects the system state or the actions of a subj at a lower security level?

Answer 95

Non-Interference model

Question 96

What model is used to define the levels of security that an obj may have and that a subject may have access to?

Answer 96

Lattice-based models

Question 97

What state machine model enforces confidentiality, uses mandatory access control to enforce DOD multilevel security policy, and has “no read up” and “no write down” properties?

Answer 97

Bell Lapadula

Question 98

What is a lattice-based model developed to address concerns of integrity, has a “no read down” and “no write up” properties, and prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity?

Answer 98

Biba

Question 99

What uses security labels to grant access to objects?

Answer 99

Clark-Wilson

Question 100

What describes any data item whose integrity is protected by the security model?

Answer 100

Constrained Data Item
CDI

Question 101

What describes any data item that is not controlled by the security model?

Answer 101

Unconstrained Data Item
UDI

Question 102

What describes a procedure that scans data items and confirms their integrity?

Answer 102

Integrity Verification Procedure
IVP

Question 103

What are the only procedures that are allowed to modify a CDI?

Answer 103

Transformation Procedures
TP

Question 104

What is a confidentiality-based model that supports four basic operations: take, grant, create, and revoke?

Answer 104

Take Grant Model

Question 105

What is a confidentiality-based model, also called the “Chinese Wall model” that was developed to prevent conflict of interest problems?

Answer 105

Brewer and Nash Model

Question 106

What model uses a formal set of protection rules for which each object has an owner and a controller, focuses on secure creation and deletion of both subjects and objects, and has a collection of eight primary protection rules that define the boundaries of certain secure actions?

Answer 106

Graham-Denning Model

Question 107

What security mode permits access to all info processed by the sys, approval for all info processed by the sys, and valid need-to-know for all info processed by the sys through security clearance?

Answer 107

Dedicated Mode

Question 108

What security mode can process info at different levels even when all sys users don’t have the required security clearance to access all info processed by the sys?

Answer 108

Multilevel Mode

Question 109

What security mode requires users to have a valid security clearance, access approval for ALL info, and a valid need-to-know for a least SOME info on the sys?

Answer 109

System High Mode

Question 110

What security mode requires each user to have a valid security clearance, access approval for ALL info processed by the sys, but requires valid need-to-know for ALL info they will have access to on the sys?

Answer 110

Compartmented Mode

Question 111

What is the logical part of the trusted computing base that confirms whether a subject has the right to use a resource prior to granting access and enforces access control?

Answer 111

Reference monitor

Question 112

What enables an objective evaluation to validate that a particular product or sys satisfies a defined set of security requirements?

Answer 112

Common Criteria

Question 113

What is a structured set of criteria for evaluating computer security within products and systems?

Answer 113

Trusted Computer System Evaluation Criteria
TCSEC

Question 114

What are the levels of the Common Criteria and their associate label?

Answer 114

EAL0,EAL1 - Minimal/no protection
EAL2 - Discretionary security mechanisms
EAL3 - Controlled access protection
EAL4 - Labeled security protection
EAL5 - Structured security protection
EAL6 - Security domains
EAL7 - Verified security design

Question 115

What method is used to pass info over a path that is not normally used, and may not be protected by the system’s normal security controls?

Answer 115

Covert channels

Question 116

What is a multipurpose solution, for full disk encryption through key management, by providing the OS w/ access to keys, but prevents drive removal and data access?

Answer 116

Trusted Platform Module
TPM

Question 117

What enforces an access policy that is determined by the system not the object owner, relies on classification labels that are representative of security domains and realms?

Answer 117

Mandatory Access Control
MAC

Question 118

What permits the owner or creator of an obj to control and define its accessibility?

Answer 118

Discretionary Access Control

Question 119

What enables the enforcement of system-wide restrictions that override object-specific access control?

Answer 119

Non-discretionary Access Control

Question 120

What defines specific functions for access to requested objects, commonly found in firewall systems?

Answer 120

Rule-based Access Control

Question 121

What role uses a well-defined collection of named job roles to endow each one w/ specific permissions?

Answer 121

Role-based Access Control

Question 122

What permits multiple concurrent tasks to be performed within a single process?

Answer 122

Multithreading

Question 123

What are chips that have a small windows that when illuminated with a special ultraviolet light, erases contents?

Answer 123

UVEPROM

Question 124

What memory type uses electric voltages delivered to the pins of the chip to force erasure and is more flexible alternative to UVEPROM.

Answer 124

EEPROM

Question 125

What memory type if nonvolatile and can be electronically erased and rewritten?

Answer 125

Flash memory

Question 126

What storage type is the same as memory?

Answer 126

Primary storage

Question 127

What storage type consists of magnetic, flash, and optical media that must be first read into primary memory before the CPU can use the data?

Answer 127

Secondary storage

Question 128

What storage type can be read at any point by the CPU?

Answer 128

Random access storage

Question 129

What storage type requires scanning through all the data physically stored before the desired location?

Answer 129

Sequential access storage

Question 130

What are the three main security issues surrounding secondary storage devices?

Answer 130

Removable media can be used to steal data
Access controls and encryption must be applied to protect data
Data can remain on the media even after file deletion or media formatting

Question 131

What are the security risks of input and output devices?

Answer 131

Subject to eavesdropping and tapping
Can be used to smuggle data out of an org
Can be used to create unauthorized, insecure points of entry into an org’s systems and networks

Question 132

What ensures that individual processes can access only their data?

Answer 132

Process isolation

Question 133

What creates different realms of security within a process and limits communication between them?

Answer 133

Layering

Question 134

What creates black-box interfaces for programmers to use without requiring knowledge of an algorithms or device’s inner workings?

Answer 134

Abstraction

Question 135

What prevents info from being read from a different security level?

Answer 135

Data hiding

Question 136

What is also known as a Virtual machine monitor and is the component of virtualization that creates, manages, and operates the virtual machines?

Answer 136

Hypervisor

Question 137

What is a native or bare-metal hypervisor where there is no host OS, and instead the hypervisor installs directly onto the hardware where the host OS would normally operate?

Answer 137

Type I hypervisor

Question 138

What is a hosted hypervisor, where a standard regular OS is present on the hardware, and the hypervisor is then installed as a another software application?

Answer 138

Type II hypervisor

Question 139

What is the functional order of security controls?

Answer 139

Deter
Deny
Detect
Delay
Determine
Decide

Question 140

What type of fires are common combustibles such as wood, paper, etc and should be extinguished with water or soda acid?

Answer 140

Class A (ASH)

Question 141

What type of fires are burning alcohol, and oil and should be extinguished with gas or soda acid?

Answer 141

Class B (BOIL)

Question 142

What type of fires are electrical fires which are fed by electricity and must be extinguished with any type of gas?

Answer 142

Class C (CONDUCTIVE)

Question 143

What type of fires are burning metals are extinguished with dry powder?

Answer 143

Class D (DILYTHIUM)

Question 144

What type of fires are kitchen fires, such as burning oil or grease and are extinguished with wet chemicals?

Answer 144

Class K (Kitchen)

Question 145

What water suppression sys uses closed sprinkler heads and the pipe is charged with compressed air instead of water?

Answer 145

Preaction systems

Question 146

What water suppression sys are filled with water and are activated when a predefined temperature is reached?

Answer 146

Wet pipe systems

Question 147

What water suppression sys is filled with compressed air and is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes?

Answer 147

Dry pipe systems

Question 148

What water suppression sys are similar to dry pipes but the sprinkler heads are open and larger than dry pipes and the pipes are empty at normal air pressure and water is held back by a deluge valve?

Answer 148

Deluge system

Question 149

What are usually more effective than water systems but should not be used in environments where people are located because it removes oxygen from the air.

Answer 149

Gas suppression systems

Question 150

What type of lock type can be easily picked?

Answer 150

Conventional locks

Question 151

What are the key elements for site selection?

Answer 151

Visibility
Composition of the surrounding area
Area accessibility
The effects of natural disasters

Question 152

How to design and configure secure work areas?

Answer 152

No equal access to all areas
Valuable and confidential assets should be located at the center of protection
Centralized server and cpu rooms should not be human compatible

Question 153

What describes when someone is using another’s security ID to gain entry to a facility?

Answer 153

Masquerading

Question 154

What are protections for media storage facilities?

Answer 154

Lock cabinets or safes
Use a librarian/custodian
Implement a check-in/check-out process
Use media sanitization

Question 155

What is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations?

Answer 155

Evidence sotrage

Question 156

What are the protections for evidence storage?

Answer 156

Lock cabinets/safes
Have a dedicated/isolated storage facility
Offline storage
Access restrictions and activity tracking
Hash management and encryption

Question 157

What are useful tools for managing physical access controls?

Answer 157

Audit trails and access logs

Question 158

What is a type of self-charging battery that can be used to:
Supply consistent, clean power to sensitive equipment
Supply power for minutes or hours in the event of a power failure?

Answer 158

UPS