Domain 3 - Security Engineering Flashcards

1
Q
  1. A holistic lifecycle for developing security architecture that begins with assessing business requirements and subsequently creating a ‘chain of traceability’ through phases of strategy, concept, design, implementation and metrics is characteristic of which of the following frameworks?

A. Zachman
B. SABSA
C. ISO 27000
D. TOGAF

A

B

2
Q
  1. While an Enterprise Security Architecture (ESA) can be applied in many different ways, it is focused on a few key goals. Identify the proper listing of the goals for the ESA:

A. It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a fixed approach to current and future threats and also the needs of peripheral functions
B. It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages new technology investments, it provides a flexible approach to current and future threats and also the needs of core functions
C. It represents a complex, short term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a flexible approach to current and future threats and also the needs of core functions.
D. It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a flexible approach to current and future threats and also the needs of core functions

A

D

3
Q
  1. Which of the following can BEST be used to capture detailed security requirements?

A. Threat modeling, covert channels, and data classification
B. Data classification, risk assessments, and covert channels
C. Risk assessments, covert channels, and threat modeling
D. Threat modeling, data classification, and risk assessments

A

D

4
Q
  1. Which of the following security standards is internationally recognized as the standard for sound security practices and is focused on the standardization and certification of an organization’s Information Security Management System (ISMS)?

A. ISO 15408
B. ISO 27001
C. ISO 9001
D. ISO 9146

A

B

5
Q
  1. Which of the following describes the rules that need to be implemented to ensure that the security requirements are met?

A. Security kernel
B. Security policy
C. Security model
D. Security reference monitor

A

B

6
Q
  1. A two-dimensional grouping of individual subjects into groups or roles, with groups then granted access to objects, is an example of which of the following types of models?

A. Multilevel lattice
B. State machine
C. Non-interference
D. Matrix-based

A

D

7
Q
  1. Which of the following models ensures that a subject with clearance level of ‘Secret’ has the ability to write only to objects classified as ‘Secret’ or ‘Top Secret’ but is prevented from writing information classified as ‘Public’?

A. Biba-Integrity
B. Clark-Wilson
C. Brewer-Nash
D. Bell-LaPadula

A

D

8
Q
  1. Which of the following is unique to the Biba Integrity Model?

A. Simple property
B. * (star) property
C. Invocation property
D. Strong * property

A

C

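The two cards above (Bell-LaPadula's * property, Biba's invocation property) are easiest to see as the checks a reference monitor would make. The following is an added example, not part of the flashcards: the level labels, subjects and objects are constructed, and for Biba the same labels are simply read as integrity levels rather than clearances.

```python
"""Reference-monitor checks for Bell-LaPadula (confidentiality) and Biba
(integrity).  Added example, not part of the flashcards.  The level
labels, subjects and objects are constructed; for Biba the same labels are
read as integrity levels."""
from dataclasses import dataclass

# Ordered lattice, lowest level first (constructed labels)
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # clearance for a subject, classification for an object


def _lvl(e: Entity) -> int:
    return LEVELS[e.level]


# ---- Bell-LaPadula: keep information from flowing downward ----
def blp_can_read(subject: Entity, obj: Entity) -> bool:
    """Simple security property: no read up."""
    return _lvl(subject) >= _lvl(obj)


def blp_can_write(subject: Entity, obj: Entity) -> bool:
    """* (star) property: no write down.  A Secret subject may write to
    Secret or Top Secret objects but not to Public ones."""
    return _lvl(subject) <= _lvl(obj)


def blp_strong_star_write(subject: Entity, obj: Entity) -> bool:
    """Strong * property: write only at the subject's own level."""
    return _lvl(subject) == _lvl(obj)


# ---- Biba: keep low-integrity data from contaminating high-integrity data ----
def biba_can_read(subject: Entity, obj: Entity) -> bool:
    """Simple integrity property: no read down."""
    return _lvl(subject) <= _lvl(obj)


def biba_can_write(subject: Entity, obj: Entity) -> bool:
    """* integrity property: no write up."""
    return _lvl(subject) >= _lvl(obj)


def biba_can_invoke(caller: Entity, callee: Entity) -> bool:
    """Invocation property (Biba only): a subject may not invoke, i.e.
    send service requests to, a subject at a higher integrity level."""
    return _lvl(caller) >= _lvl(callee)


def allowed_writes(subject: Entity, objects, model: str):
    """Names of the objects `subject` may write to under `model`
    ("blp" or "biba"), sorted for stable comparison."""
    check = {"blp": blp_can_write, "biba": biba_can_write}[model]
    return sorted(o.name for o in objects if check(subject, o))


# Constructed demo data: the flashcard's Secret-cleared subject
SECRET_USER = Entity("alice", "Secret")
OBJECTS = [
    Entity("bulletin", "Public"),
    Entity("memo", "Confidential"),
    Entity("plan", "Secret"),
    Entity("sigint", "Top Secret"),
]

if __name__ == "__main__":
    print("BLP  writes:", allowed_writes(SECRET_USER, OBJECTS, "blp"))
    print("Biba writes:", allowed_writes(SECRET_USER, OBJECTS, "biba"))
    low_proc = Entity("untrusted-helper", "Public")
    print("Public process may invoke Secret service:",
          biba_can_invoke(low_proc, Entity("trusted-daemon", "Secret")))
```

Run stand-alone, the Secret subject may write only to `plan` and `sigint` under Bell-LaPadula, and only to `bulletin`, `memo` and `plan` under Biba; the two models are mirror images of each other, and the invocation check has no counterpart in Bell-LaPadula.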
9
Q
  1. Which of the following models is BEST considered in a shared data-hosting environment so that the data of one customer is not disclosed to a competitor or other customers sharing that hosted environment?

A. Brewer-Nash
B. Clark-Wilson
C. Bell-LaPadula
D. Lipner

A

A

10
Q
  1. Which of the following security models is primarily concerned with how the subjects and objects are created and how subjects are assigned rights or privileges?

A. Bell-LaPadula
B. Biba-Integrity
C. Chinese Wall
D. Graham-Denning

A

D

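Cards 6 and 10 both come down to an access matrix: rows are subjects, columns are subjects or objects, cells hold rights, and Graham-Denning defines the eight primitive operations that create and delete subjects and objects and move rights between cells. The following is an added example, not part of the flashcards; the subjects, objects and rights are constructed, and the rules are the textbook ones (creating an object makes you its owner, creating a subject makes you its controller, a right written with a trailing `*` carries the copy flag and may be passed on by its holder).

```python
"""Access matrix plus the eight Graham-Denning primitive operations.

Added example, not from the flashcards.  Subjects, objects and rights in
the demo are constructed.  Rules: creating an object grants 'owner',
creating a subject grants 'control', and a right with the copy flag
(trailing '*') may be transferred by its holder."""
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # matrix[subject][entity] -> set of rights; entity is a subject or object
        self.matrix = defaultdict(lambda: defaultdict(set))
        self.subjects = set()
        self.objects = set()

    def rights(self, s, x):
        return self.matrix[s][x]

    def _require(self, cond, msg):
        if not cond:
            raise PermissionError(msg)

    # R1 / R2: create object, create subject
    def create_object(self, creator, o):
        if o in self.objects or o in self.subjects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)
        self.matrix[creator][o].add("owner")

    def create_subject(self, creator, s):
        if s in self.subjects or s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.add(s)
        self.matrix[creator][s].add("control")

    # R3 / R4: delete object, delete subject
    def delete_object(self, s, o):
        self._require("owner" in self.rights(s, o), f"{s} does not own {o}")
        self.objects.discard(o)
        for row in self.matrix.values():
            row.pop(o, None)

    def delete_subject(self, s, t):
        self._require("control" in self.rights(s, t), f"{s} does not control {t}")
        self.subjects.discard(t)
        self.matrix.pop(t, None)
        for row in self.matrix.values():
            row.pop(t, None)

    # R5: read access right (owner of o or controller of t)
    def read_right(self, s, t, o):
        self._require("owner" in self.rights(s, o) or "control" in self.rights(s, t),
                      f"{s} may not read {t}'s rights on {o}")
        return set(self.rights(t, o))

    # R6: grant access right (owner of o only)
    def grant_right(self, granter, r, s, o):
        self._require("owner" in self.rights(granter, o), f"{granter} does not own {o}")
        self.matrix[s][o].add(r)

    # R7: delete access right (owner of o or controller of s)
    def delete_right(self, deleter, r, s, o):
        self._require("owner" in self.rights(deleter, o) or "control" in self.rights(deleter, s),
                      f"{deleter} may not revoke {r} on {o} from {s}")
        self.matrix[s][o].discard(r)

    # R8: transfer access right (giver must hold the right with the copy flag)
    def transfer_right(self, giver, r, s, o):
        base = r.rstrip("*")
        self._require(base + "*" in self.rights(giver, o),
                      f"{giver} holds no transferable {base} on {o}")
        self.matrix[s][o].add(r)


def demo():
    """Creation, delegation, and the checks that stop over-reach."""
    m = AccessMatrix()
    m.subjects.add("admin")                                # bootstrap subject
    for s in ("alice", "bob", "carol"):
        m.create_subject("admin", s)                       # admin controls all three
    m.create_object("alice", "ledger.db")                  # alice becomes owner
    m.grant_right("alice", "read*", "bob", "ledger.db")    # bob may read and pass it on
    m.transfer_right("bob", "read", "carol", "ledger.db")  # carol gets read, no copy flag

    blocked = []
    attempts = (("carol", lambda: m.transfer_right("carol", "read", "bob", "ledger.db")),
                ("bob", lambda: m.grant_right("bob", "write", "bob", "ledger.db")))
    for who, op in attempts:
        try:
            op()
        except PermissionError:
            blocked.append(who)

    m.delete_right("admin", "read", "carol", "ledger.db")  # allowed: admin controls carol
    return {
        "bob": sorted(m.rights("bob", "ledger.db")),
        "carol": sorted(m.rights("carol", "ledger.db")),
        "blocked": blocked,
        "alice_sees_bob": sorted(m.read_right("alice", "bob", "ledger.db")),
    }


if __name__ == "__main__":
    print(demo())
```

The point the card makes is visible in `demo()`: carol cannot pass on a right she received without the copy flag, bob cannot grant rights on an object he does not own, and the controller of a subject (here `admin`) can strip rights from that subject's row without owning the object.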
11
Q
  1. Which of the following ISO standards provides the evaluation criteria that can be used to evaluate security requirements of different products with different functions?

A. 15408
B. 27000
C. 9100
D. 27002

A

A

12
Q
  1. In the Common Criteria, the common set of functional and assurance requirements for a category of vendor products deployed in a particular type of environment is known as:

A. Protection Profiles
B. Security Target
C. Trusted Computing Base
D. Ring Protection

A

A

13
Q
  1. Which of the following evaluation assurance levels, defined as “formally verified design and tested”, is expected for high-risk situations?

A. EAL 1
B. EAL 3
C. EAL 5
D. EAL 7

A

D

14
Q
  1. Formal acceptance of an evaluated system by management is known as:

A. Certification
B. Accreditation
C. Validation
D. Verification

A

B

15
Q
  1. Which stage of the Capability Maturity Model (CMM) is characterized by having organizational processes that are proactive?

A. Initial
B. Managed
C. Defined
D. Optimizing

A

C

16
Q
  1. Which of the following BEST provides a method of quantifying risks associated with information technology when validating the abilities of new security controls and countermeasures to address the identified risks?

A. Threat/risk assessment
B. Penetration testing
C. Vulnerability assessment
D. Data classification

A

A

17
Q
  1. The TCSEC identifies two types of covert channels. Which are they? (Choose TWO)

A. Storage
B. Boundary
C. Timing
D. Monitoring

A

A|C

18
Q
  1. Which of the following is the main reason for security concerns in mobile computing devices?

A. The 3G/4G protocols are inherently insecure
B. Lower processing power
C. Hackers are targeting mobile devices
D. The lack of anti-virus software.

A

B

19
Q
  1. In decentralized environments, device drivers that enable the OS to control and communicate with hardware need to be securely designed, developed and deployed because they are:

A. Typically installed by end-users and granted access to the supervisor state
B. Typically installed by administrators and granted access to user mode state
C. Typically installed by software without human interaction.
D. Integrated as part of the operating system.

A

A

20
Q
  1. A system administrator grants rights to a group of individuals called “Accounting” instead of granting rights to each individual. This is an example of which of the following security mechanisms?

A. Layering
B. Data hiding
C. Cryptographic protections
D. Abstraction

A

D

21
Q
  1. Asymmetric key cryptography is used for the following:

A. Encryption of data, Access Control, Steganography
B. Steganography, Access control, Nonrepudiation
C. Nonrepudiation, Steganography, Encryption of Data
D. Encryption of Data, Nonrepudiation, Access Control

A

D

22
Q
  1. Which of the following supports asymmetric key cryptography?

A. Diffie-Hellman
B. Rijndael
C. Blowfish
D. SHA-256

A

A

23
Q
  1. What is an important disadvantage of using a public key algorithm compared to a symmetric algorithm?

A. A symmetric algorithm provides better access control.
B. A symmetric algorithm is a faster process.
C. A symmetric algorithm provides nonrepudiation of delivery.
D. A symmetric algorithm is more difficult to implement.

A

B

24
Q
  1. When a user needs to provide message integrity, what option is BEST?

A. Send a digital signature of the message to the recipient
B. Encrypt the message with a symmetric algorithm and send it
C. Encrypt the message with a private key so the recipient can decrypt it with the corresponding public key
D. Create a checksum, append it to the message, encrypt the message, and then send to recipient

A

D

25
Q
  1. A Certificate Authority (CA) provides which benefits to a user?

A. Protection of public keys of all users
B. History of symmetric keys
C. Proof of nonrepudiation of origin
D. Validation that a public key is associated with a particular user

A

D

26
Q
  1. What is the output length of a RIPEMD-160 hash?

A. 160 bits
B. 150 bits
C. 128 bits
D. 104 bits

A

A

27
Q
  1. ANSI X9.17 is concerned primarily with:

A. Protection and secrecy of keys
B. Financial records and retention of encrypted data
C. Formalizing a key hierarchy
D. The lifespan of key-encrypting keys (KKMs)

A

A

28
Q
  1. When a certificate is revoked, what is the proper procedure?

A. Setting new key expiry dates
B. Updating the certificate revocation list
C. Removal of the private key from all directories
D. Notification to all employees of revoked keys

A

B

29
Q
  1. Which is true about link encryption?

A. Link encryption is advised for high-risk environments, provides better traffic flow confidentiality, and encrypts routing information.
B. Link encryption is often used for Frame Relay or satellite links, is advised for high-risk environments and provides better traffic flow confidentiality.
C. Link encryption encrypts routing information, is often used for Frame Relay or satellite links, and provides traffic flow confidentiality.
D. Link encryption provides better traffic flow confidentiality, is advised for high-risk environments and provides better traffic flow confidentiality

A

C

30
Q
  1. NIST identifies three service models that represent the different types of cloud services available. What are they?

A. Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
B. Security as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
C. Software as a Service (SaaS), Integrity as a Service (IaaS) and Platform as a Service (PaaS)
D. Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Process as a Service (PaaS)

A

A

31
Q
  1. The process used in most block ciphers to increase their strength is:

A. Diffusion
B. Confusion
C. Step function
D. SP-network

A

D

32
Q
  1. Which of the following BEST describes fundamental methods of encrypting data:

A. Substitution and transposition
B. 3DES and PGP
C. Symmetric and asymmetric
D. DES and AES

A

C

33
Q
  1. Cryptography supports all of the core principles of information security except?

A. Availability
B. Confidentiality
C. Integrity
D. Authenticity

A

A

34
Q
  1. A way to defeat frequency analysis as a method of determining the key is to use:

A. Substitution ciphers
B. Transposition ciphers
C. Polyalphabetic ciphers
D. Inversion ciphers

A

C

35
Q
  1. The running key cipher is based on:

A. Modular arithmetic
B. XOR mathematics
C. Factoring
D. Exponentiation

A

A
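
Cards 34 and 35 belong together: a running key cipher adds a key letter to each plaintext letter modulo 26, and because the key changes from letter to letter it is polyalphabetic, which is what flattens the letter statistics that frequency analysis relies on. The following is an added example, not part of the flashcards. `PLAINTEXT` is constructed; `KEY_TEXT` is the public-domain opening of A Tale of Two Cities, used the way a running key cipher uses a passage of a book. The English letter frequencies are approximate published values.

```python
"""Running key cipher (modular arithmetic) and the frequency analysis it
defeats.  Added example, not from the flashcards.  PLAINTEXT is
constructed; KEY_TEXT is the public-domain opening of A Tale of Two
Cities, used the way a running key cipher uses a book."""
import string
from collections import Counter

ALPHA = string.ascii_uppercase

# Approximate letter frequencies of English text, in percent
ENGLISH_FREQ = dict(zip(ALPHA, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))


def clean(text: str) -> str:
    """Keep only A-Z, upper-cased."""
    return "".join(c for c in text.upper() if c in ALPHA)


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic substitution: the same shift for every letter."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in clean(text))


def running_key(text: str, key: str, decrypt: bool = False) -> str:
    """c_i = (p_i + k_i) mod 26 with a key stream at least as long as the
    message.  A short key repeated cyclically gives Vigenère; a passage of
    book text gives the running key cipher."""
    p, k = clean(text), clean(key)
    if len(k) < len(p):
        raise ValueError("running key must be at least as long as the message")
    sign = -1 if decrypt else 1
    return "".join(ALPHA[(ALPHA.index(pc) + sign * ALPHA.index(kc)) % 26]
                   for pc, kc in zip(p, k))


def chi_squared(text: str) -> float:
    """Distance of the letter counts from English (lower = more English-like)."""
    t = clean(text)
    n, counts = len(t), Counter(t)
    return sum((counts.get(c, 0) - n * f / 100) ** 2 / (n * f / 100)
               for c, f in ENGLISH_FREQ.items())


def crack_caesar(ciphertext: str) -> int:
    """Frequency analysis: try all 26 shifts, keep the most English-looking."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text match: about 0.066
    for English and for any monoalphabetic substitution of it, about
    0.038 (1/26) for uniformly random letters."""
    t = clean(text)
    n = len(t)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(t).values()) / (n * (n - 1))


# Constructed message
PLAINTEXT = ("The reference monitor mediates every access that a subject makes "
             "to an object and must be tamperproof always invoked and small "
             "enough to be verified. Frequency analysis works against a simple "
             "substitution because every letter of the plaintext is always "
             "replaced by the same letter of the ciphertext so the statistics "
             "of the language survive encryption.")

# Running key: book text at least as long as the message
KEY_TEXT = ("It was the best of times it was the worst of times it was the age "
            "of wisdom it was the age of foolishness it was the epoch of belief "
            "it was the epoch of incredulity it was the season of light it was "
            "the season of darkness it was the spring of hope it was the winter "
            "of despair we had everything before us we had nothing before us we "
            "were all going direct to heaven we were all going direct the other "
            "way in short the period was so far like the present period")

if __name__ == "__main__":
    mono = caesar(PLAINTEXT, 7)
    poly = running_key(PLAINTEXT, KEY_TEXT)
    print("Caesar shift recovered by frequency analysis:", crack_caesar(mono))
    print("IoC plaintext %.3f  Caesar %.3f  running key %.3f" % (
        index_of_coincidence(PLAINTEXT), index_of_coincidence(mono),
        index_of_coincidence(poly)))
    assert running_key(poly, KEY_TEXT, decrypt=True) == clean(PLAINTEXT)
```

The index of coincidence of the Caesar ciphertext is exactly that of the plaintext (a monoalphabetic substitution only relabels the letters, so the counts survive), which is why `crack_caesar` recovers the shift; the running key ciphertext has a visibly lower value because each plaintext letter is spread over many ciphertext letters. The same weakness remains if the key is short and repeated, which is where the Kasiski and periodic-IoC attacks on Vigenère start.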

36
Q
  1. The only cipher system said to be unbreakable by brute force is:

A. AES
B. DES
C. One-time pad
D. Triple DES

A

C

37
Q
  1. The main types of implementation attacks include: (Choose ALL that apply)

A. Fault analysis
B. Known plaintext
C. Probing
D. Linear

A

A|C

38
Q
  1. Which is the BEST choice for implementing encryption on a smart card?

A. Blowfish
B. Elliptic Curve Cryptography
C. TwoFish
D. Quantum Cryptography

A

B

39
Q
  1. An e-mail with a document attachment from a known individual is received with a digital signature. The e-mail client is unable to validate the signature. What is the BEST course of action?

A. Open the attachment to determine if the signature is valid.
B. Determine why the signature can’t be validated prior to opening the attachment.
C. Delete the e-mail
D. Forward the e-mail to another address with a new signature.

A

B

40
Q
  1. The vast majority of Virtual Private Networks use:

A. SSL/TLS and IPSec.
B. El Gamal and DES.
C. 3DES and Blowfish
D. TwoFish and IDEA.

A

A