Exam Set A Flashcards
QUESTION NO: 1449 Which of the following items is NOT used to determine the types of access controls to be applied in an organization? A. Separation of duties B. Organizational policies C. Least privilege D. Relational categories
Answer: D Explanation: The item, relational categories, is a distracter. The other options are important determinants of access control implementations in an organization.
QUESTION NO: 1450 Which choice below is NOT a generally accepted benefit of security awareness, training, and education? A. A security awareness and training program can help an organization reduce the number and severity of errors and omissions. B. A security awareness and training program will help prevent natural disasters from occurring. C. A security awareness program can help operators understand the value of the information. D. A security education program can help system administrators recognize unauthorized intrusion attempts.
Answer: B Explanation: An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps: 1. Identify program scope, goals, and objectives. 2. Identify training staff. 3. Identify target audiences. 4. Motivate management and employees. 5. Administer the program. 6. Maintain the program. 7. Evaluate the program. Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
QUESTION NO: 1451 In biometrics, a one-to-one search to verify an individual’s claim of an identity is called: A. Audit trail review. B. Accountability. C. Authentication. D. Aggregation.
Answer: C Explanation: The correct answer is Authentication. Answer “Audit trail review.” is a review of audit system data, usually done after the fact. Answer “Accountability” is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.
QUESTION NO: 1452 Which one of the following statements is TRUE concerning the Terminal Access Controller Access Control System (TACACS) and TACACS+? A. TACACS supports prompting for a password change. B. TACACS+ employs a user ID and static password. C. TACACS+ employs tokens for two-factor, dynamic password authentication. D. TACACS employs tokens for two-factor, dynamic password authentication.
Answer: C Explanation: The correct answer is “TACACS+ employs tokens for two-factor, dynamic password authentication”. TACACS employs a user ID and static password and does not support prompting for password change or the use of dynamic password tokens.
QUESTION NO: 1453 Which statement below is NOT correct about safeguard selection in the risk analysis process? A. The most commonly considered criteria is the cost effectiveness of the safeguard. B. The best possible safeguard should always be implemented, regardless of cost. C. Maintenance costs need to be included in determining the total cost of the safeguard. D. Many elements need to be considered in determining the total cost of the safeguard.
Answer: B Explanation: The correct answer is “The best possible safeguard should always be implemented, regardless of cost.” Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.
QUESTION NO: 1454 Which answer below is the BEST description of a Single Loss Expectancy (SLE)? A. An algorithm that determines the expected annual loss to an organization from a threat B. An algorithm that represents the magnitude of a loss to an asset from a threat C. An algorithm used to determine the monetary impact of each occurrence of a threat D. An algorithm that expresses the annual frequency with which a threat is expected to occur
Answer: C Explanation: The correct answer is “An algorithm used to determine the monetary impact of each occurrence of a threat”. The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence. Answer a describes the Exposure Factor (EF). The EF is expressed as a percentile of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above. Answer “An algorithm that expresses the annual frequency with which a threat is expected to occur” describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5 or .2. This figure is used to determine the ALE. Answer d describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.
QUESTION NO: 1455 Which of the following is NOT a type of data network? A. WAN B. MAN C. LAN D. GAN
Answer: D Explanation: The correct answer is d. GAN does not exist. LAN stands for Local Area Network, WAN stands for Wide Area Network, and MAN stands for Metropolitan Area Network.
QUESTION NO: 1456 Which choice below is NOT a concern of policy development at the high level? A. Identifying the key business resources B. Defining roles in the organization C. Determining the capability and functionality of each role D. Identifying the type of firewalls to be used for perimeter security
Answer: D Explanation: The other options are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer “Determining the capability and functionality of each role” is the final step in the policy creation process and combines steps a and “Defining roles in the organization”. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress (Sams Publishing, 2001).
QUESTION NO: 1457 Which is NOT a standard type of DSL? A. HDSL B. FDSL C. ADSL D. VDSL
Answer: B Explanation: The correct answer is FDSL. FDSL does not exist.
QUESTION NO: 1458 A back door into a network refers to what? A. Mechanisms created by hackers to gain network access at a later time B. Monitoring programs implemented on dummy applications to lure intruders C. Undocumented instructions used by programmers to debug applications D. Socially engineering passwords from a subject
Answer: A Explanation: Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications. * Social engineering is a technique used to manipulate users into revealing information like passwords. * Answer “Undocumented instructions used by programmers to debug applications” refers to trap doors, which are undocumented hooks into an application to assist programmers with debugging. Although intended innocently, these can be exploited by intruders. * “Monitoring programs implemented on dummy applications to lure intruders” is a honey pot or padded cell. A honey pot uses a dummy server with bogus applications as a decoy for intruders. Source: Fighting Computer Crime by Donn B. Parker (Wiley, 1998).
QUESTION NO: 1459 A type of access control that supports the management of access rights for groups of subjects is: A. Discretionary B. Rule-based C. Role-based D. Mandatory
Answer: C Explanation: Role-based access control assigns identical privileges to groups of users. This approach simplifies the management of access rights, particularly when members of the group change. Thus, access rights are assigned to a role, not to an individual. Individuals are entered as members of specific groups and are assigned the access privileges of that group. In answer Discretionary, the access rights to an object are assigned by the owner at the owner’s discretion. For large numbers of people whose duties and participation may change frequently, this type of access control can become unwieldy. Mandatory access control, answer c, uses security labels or classifications assigned to data items and clearances assigned to users. A user has access rights to data items with a classification equal to or less than the user’s clearance. Another restriction is that the user has to have a need-to-know the information; this requirement is identical to the principle of least privilege. Answer ‘rule-based access control’ assigns access rights based on stated rules. An example of a rule is: “Access to trade-secret data is restricted to corporate officers, the data owner and the legal department.”
QUESTION NO: 1460 Which of the following is NOT a property of CSMA? A. The workstation continuously monitors the line. B. Workstations are not permitted to transmit until they are given permission from the primary host. C. It does not have a feature to avoid the problem of one workstation dominating the conversation. D. The workstation transmits the data packet when it thinks that the line is free.
Answer: B Explanation: The correct answer is “Workstations are not permitted to transmit until they are given permission from the primary host”. The polling transmission type uses primary and secondary hosts, and the secondary must wait for permission from the primary before transmitting.
QUESTION NO: 1461 Which choice below is NOT one of NIST’s 33 IT security principles? A. Assume that external systems are insecure. B. Minimize the system elements to be trusted. C. Implement least privilege. D. Totally eliminate any level of risk.
Answer: D Explanation: Risk can never be totally eliminated. NIST IT security principle #4 states: Reduce risk to an acceptable level. The National Institute of Standards and Technology’s (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, Engineering Principles for Information Technology Security (EP-ITS) in June 2001 to assist in the secure design, development, deployment, and life-cycle of information systems. It presents 33 security principles which start at the design phase of the information system or application and continue until the system’s retirement and secure disposal. Some of the other 33 principles are: Principle 1. Establish a sound security policy as the foundation for design. Principle 2. Treat security as an integral part of the overall system design. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (ensure no single point of vulnerability). Principle 11. Minimize the system elements to be trusted. Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.). Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), and Federal Systems Level Guidance for Securing Information Systems, James Corrie, August 16, 2001.
QUESTION NO: 1462 What is probing used for? A. To induce a user into taking an incorrect action B. To use up all of a target’s resources C. To covertly listen to transmissions D. To give an attacker a road map of the network
Answer: D Explanation: The correct answer is “To give an attacker a road map of the network”. Probing is a procedure whereby the intruder runs programs that scan the network to create a network map for later intrusion. Answer “To induce a user into taking an incorrect action” is spoofing, c is the objective of a DoS attack, and d is passive eavesdropping.
QUESTION NO: 1463 Clipping levels are used to: A. Reduce the amount of data to be evaluated in audit logs. B. Limit errors in callback systems. C. Limit the number of letters in a password. D. Set thresholds for voltage variations.
Answer: A Explanation: The correct answer is reducing the amount of data to be evaluated by definition. Answer “Limit the number of letters in a password” is incorrect because clipping levels do not relate to letters in a password. Answer “Set thresholds for voltage variations” is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer “Limit errors in callback systems” is incorrect because they are not used to limit callback errors.
QUESTION NO: 1464 An attack that can be perpetrated against a remote user’s callback access control is: A. Redialing. B. Call forwarding. C. A maintenance hook. D. A Trojan horse.
Answer: B Explanation: The correct answer is Call forwarding. A cracker can have a person’s call forwarded to another number to foil the callback system. Answer “A Trojan horse” is incorrect because it is an example of malicious code embedded in useful code. Answer “A maintenance hook” is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer Redialing is incorrect because it is a distracter.
QUESTION NO: 1465 The definition of CHAP is: A. Confidential Hash Authentication Protocol. B. Challenge Handshake Approval Protocol. C. Confidential Handshake Approval Protocol. D. Challenge Handshake Authentication Protocol.
Answer: D
QUESTION NO: 1466 Which of the following is NOT a remote computing technology? A. xDSL B. ISDN C. Wireless D. PGP
Answer: D Explanation: The correct answer is PGP. PGP stands for Pretty Good Privacy, an email encryption technology.
QUESTION NO: 1467 A relational database can provide security through view relations. Views enforce what information security principle? A. Least privilege B. Inference C. Aggregation D. Separation of duties
Answer: A Explanation: The principle of least privilege states that a subject is permitted to have access to the minimum amount of information required to perform an authorized task. When related to government security clearances, it is referred to as need-to-know. * Aggregation is defined as assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components. * Separation of duties requires that two or more subjects are necessary to authorize an activity or task. * Inference refers to the ability of a subject to deduce information that is not authorized to be accessed by that subject from information that is authorized to that subject.
QUESTION NO: 1468 Which statement below is accurate about the reasons to implement a layered security architecture? A. A layered approach doesn’t really improve the security posture of the organization. B. A layered security approach is intended to increase the work-factor for an attacker. C. A good packet-filtering router will eliminate the need to implement a layered security architecture. D. A layered security approach is not necessary when using COTS products.
Answer: B Explanation: Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercial-off-the-shelf (COTS) products are used. The current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
QUESTION NO: 1469 Which of the choices below is NOT an OSI reference model Session Layer protocol, standard, or interface? A. SQL B. DNA SCP C. RPC D. MIDI E. ASP
Answer: D Explanation: The Musical Instrument Digital Interface (MIDI) standard is a Presentation Layer standard for digitized music. The other answers are all Session layer protocols or standards. SQL refers to the Structured Query Language database standard originally developed by IBM. Answer RPC refers to the Remote Procedure Call redirection mechanism for remote clients. ASP is the AppleTalk Session Protocol. DNA SCP refers to DECnet’s Digital Network Architecture Session Control Protocol. Source: Introduction to Cisco Router Configuration edited by Laura Chappell (Cisco Press, 1999).
QUESTION NO: 1470 An acceptable biometric throughput rate is: A. One subject per two minutes. B. Five subjects per minute. C. Ten subjects per minute. D. Two subjects per minute.
Answer: C
QUESTION NO: 1471 Authentication is: A. Not accomplished through the use of a password. B. The presentation of a user’s ID to the system. C. The verification that the claimed identity is valid. D. Only applied to remote users.
Answer: C Explanation: The correct answer is “The verification that the claimed identity is valid.” Answer “The presentation of a user’s ID to the system” is incorrect because it is an identification act. Answer c is incorrect because authentication can be accomplished through the use of a password. Answer “Only applied to remote users” is incorrect because authentication is applied to local and remote users.
QUESTION NO: 1472 Which statement about a VPN tunnel below is incorrect? A. It can be created by implementing node authentication systems. B. It can be created by implementing IPSec devices only. C. It can be created by implementing key and certificate exchange systems. D. It can be created by installing software or hardware agents on the client or network.
Answer: B Explanation: The correct answer is “It can be created by implementing IPSec devices only”. IPSec-compatible and non-IPSec compatible devices are used to create VPNs. The other three answers are all ways in which VPNs can be created.
QUESTION NO: 1473 What is NOT true of a star-wired topology? A. It has more resiliency than a BUS topology. B. 10BaseT Ethernet is star-wired. C. Cabling termination errors can crash the entire network. D. The network nodes are connected to a central LAN device.
Answer: C Explanation: The correct answer is “Cabling termination errors can crash the entire network”. Cabling termination errors are an inherent issue with bus topology networks.
QUESTION NO: 1474 What are the detailed instructions on how to perform or implement a control called? A. Guidelines B. Standards C. Policies D. Procedures
Answer: D
QUESTION NO: 1475 Which category of UTP wiring is rated for 100BaseT Ethernet networks? A. Category 5 B. Category 1 C. Category 2 D. Category 3 E. Category 4
Answer: A Explanation: Category 5 unshielded twisted-pair (UTP) wire is rated for transmissions of up to 100 Mbps and can be used in 100BaseT Ethernet networks. It is the most commonly installed type of UTP at this time. See Table. Category 1 twisted-pair wire was used for early analog telephone communications and is not suitable for data. Category 2 twisted-pair wire was used in AS/400 and IBM 3270 networks. Derived from IBM Type 3 cable specification. Category 3 twisted-pair wire is rated for 10 Mbps and was used in 802.3 10Base-T Ethernet networks, and 4 Mbps Token Ring networks. Category 4 twisted-pair wire is rated for 16 Mbps and is used in 4/16 Mbps Token Ring LANs. Source: The Electrical Industry Alliance (EIA/TIA-568).
QUESTION NO: 1476 How is an SLE derived? A. ARO × EF B. AV × EF C. (Cost - benefit) × (% of Asset Value) D. % of AV - implementation cost
Answer: B Explanation: The correct answer is AV × EF. A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.
QUESTION NO: 1477 The Simple Security Property and the Star Property are key principles in which type of access control? A. Mandatory B. Discretionary C. Rule-based D. Role-based
Answer: A Explanation: Two properties define fundamental principles of mandatory access control. These properties are: Simple Security Property. A user at one clearance level cannot read data from a higher classification level. Star Property. A user at one clearance level cannot write data to a lower classification level.
QUESTION NO: 1478 A token that generates a unique password at fixed time intervals is called: A. A synchronous dynamic password token. B. A challenge-response token. C. A time-sensitive token. D. An asynchronous dynamic password token.
Answer: A Explanation: The correct answer is “A synchronous dynamic password token”.
QUESTION NO: 1479 A statistical anomaly-based intrusion detection system: A. Acquires data to establish a normal system operating profile. B. Will detect an attack that does not significantly change the system’s operating characteristics. C. Does not report an event that caused a momentary anomaly in the system. D. Refers to a database of known attack signatures.
Answer: A Explanation: The correct answer is “Acquires data to establish a normal system operating profile”. A statistical anomaly-based intrusion detection system acquires data to establish a normal system operating profile. Answer “Refers to a database of known attack signatures” is incorrect because it is used in signature-based intrusion detection. Answer “Will detect an attack that does not significantly change the system’s operating characteristics.” is incorrect because a statistical anomaly-based intrusion detection system will not detect an attack that does not significantly change the system operating characteristics. Similarly, answer “Does not report an event that caused a momentary anomaly in the system.” is incorrect because the statistical anomaly-based IDS is susceptible to reporting an event that caused a momentary anomaly in the system.
QUESTION NO: 1480 When logging on to a workstation, the log-on process should: A. Provide a Help mechanism that provides log-on assistance. B. Not provide information on the previous successful log-on and on previous unsuccessful log-on attempts. C. Place no limits on the time allotted for log-on or on the number of unsuccessful log-on attempts. D. Validate the log-on only after all input data has been supplied.
Answer: D Explanation: This approach is necessary to ensure that all the information required for a log-on has been submitted and to avoid providing information that would aid a cracker in trying to gain unauthorized access to the workstation or network. If a log-on attempt fails, information as to which part of the requested log-on information was incorrect should not be supplied to the user. Answer “Provide a Help mechanism that provides log-on assistance” is incorrect since a Help utility would provide help to a cracker trying to gain unauthorized access to the network. For answer “Place no limits on the time allotted for log-on or on the number of unsuccessful log-on attempts”, maximum and minimum time limits should be placed on the log-on process. Also, the log-on process should limit the number of unsuccessful log-on attempts and temporarily suspend the log-on capability if that number is exceeded. One approach is to progressively increase the time interval allowed between unsuccessful log-on attempts. Answer “Not provide information on the previous successful log-on and on previous unsuccessful log-on attempts” is incorrect since providing such information will alert an authorized user if someone has been attempting to gain unauthorized access to the network from the user’s workstation.
QUESTION NO: 1481 Which choice below BEST describes the difference between the System Owner and the Information Owner? A. The System Owner is responsible for establishing the rules for appropriate use of the information. B. The Information Owner is responsible for defining the system’s operating parameters. C. One system could have multiple information owners. D. There is a one-to-one relationship between system owners and information owners.
Answer: C Explanation: The System Owner is responsible for ensuring that the security plan is prepared and for implementing the plan and monitoring its effectiveness. The System Owner is responsible for defining the system’s operating parameters, authorized functions, and security requirements. The information owner for information stored within, processed by, or transmitted by a system may or may not be the same as the System Owner. Also, a single system may utilize information from multiple Information Owners. The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject data/information (rules of behavior). The Information Owner retains that responsibility even when the data/information are shared with other organizations. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
QUESTION NO: 1482 Which choice below is NOT an accurate statement about the visibility of IT security policy? A. Include the IT security policy as a regular topic at staff meetings at all levels of the organization. B. The IT security policy should not be afforded high visibility. C. The IT security policy could be visible through panel discussions with guest speakers. D. The IT security policy should be afforded high visibility.
Answer: B Explanation: Especially high visibility should be afforded the formal issuance of IT security policy. This is because nearly all employees at all levels will in some way be affected, major organizational resources are being addressed, and many new terms, procedures, and activities will be introduced. Including IT security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.
QUESTION NO: 1483 Which choice below does NOT relate to analog dial-up hacking? A. War Walking B. War Dialing C. Demon Dialing D. ToneLoc
Answer: A Explanation: War Walking (or War Driving) refers to scanning for 802.11-based wireless network information, by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS). * War Dialing is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached. * Demon Dialing, similar to War Dialing, is a tool used to attack one modem using brute force to guess the password and gain access. * ToneLoc was one of the first war-dialing tools used by phone phreakers. Sources: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999) and War Driving by the Bay by Kevin Poulsen, The Register, April 13, 2001.
QUESTION NO: 1484 Which is NOT a property of or issue with tape backup? A. One large disk created by using several disks B. Slow data transfer during backups and restores C. Server disk space utilization expands D. The possibility that some data re-entry might need to be performed after a crash
Answer: A Explanation: The correct answer is “One large disk created by using several disks”. RAID level 0 striping is the process of creating a large disk out of several smaller disks.
QUESTION NO: 1485 In mandatory access control, the authorization of a subject to have access to an object is dependent upon: A. Roles. B. Labels. C. Tasks. D. Identity.
Answer: B Explanation: The correct answer is Labels. Mandatory access controls use labels to determine whether subjects can have access to objects, depending on the subjects’ clearances. Answer roles is applied in non-discretionary access control as is tasks. Identity is used in discretionary access control.
QUESTION NO: 1486 In a relational database, the domain of a relation is the set of allowable values: A. That tuples can take. B. Of the primary key. C. That an attribute can take. D. That a record can take.
Answer: C
QUESTION NO: 1487 In addition to accuracy, a biometric system has additional factors that determine its effectiveness. Which one of the following listed items is NOT one of these additional factors? A. Corpus B. Throughput rate C. Enrollment time D. Acceptability
Answer: A Explanation: A corpus is a biometric term that refers to collected biometric images. The corpus is stored in a database of images. Potential sources of error are the corruption of images during collection and mislabeling or other transcription problems associated with the database. Therefore, the image collection, process and storage must be performed carefully with constant checking. These images are collected during the enrollment process and thus, are critical to the correct operation of the biometric device. In enrollment, images are collected and features are extracted, but no comparison occurs. The information is stored for use in future comparison steps. Answer a, the throughput rate, refers to the rate at which individuals, once enrolled, can be processed by a biometric system. If an individual is being authenticated, the biometric system will take a sample of the individual’s characteristic to be evaluated and compare it to a template. A metric called distance is used to determine if the sample matches the template. Distance is the difference between the quantitative measure of the sample and the template. If the distance falls within a threshold value, a match is declared. If not, there is no match. * Answer “acceptability” is determined by privacy issues, invasiveness, and psychological and physical comfort when using the biometric system. * “Enrollment time” is the time it takes to initially register with a system by providing samples of the biometric characteristic to be evaluated.
QUESTION NO: 1488 Which choice below is NOT a way to get Windows NT passwords? A. Obtain root access to the /etc/passwd file. B. Use pwdump2 to dump the password hashes directly from the registry. C. Obtain the backup SAM from the repair directory. D. Boot the NT server with a floppy containing an alternate operating system.
Answer: A Explanation: The /etc/passwd file is a Unix system file. The NT Security Accounts Manager, SAM, contains the usernames and encrypted passwords of all local (and domain, if the server is a domain controller) users. The SAM uses an older, weaker LanManager hash that can be broken easily by tools like L0phtcrack. Physical access to the NT server and the rdisks must be controlled. The Sam._ file in the repair directory must be deleted after creation of an rdisk. Pwdump and pwdump2 are utilities that allow someone with Administrator rights to target the Local Security Authority Subsystem, lsass.exe, from a remote system. Source: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999).
QUESTION NO: 1489 Which choice below is usually the number one used criterion to determine the classification of an information object? A. Age B. Personal association C. Useful life D. Value
Answer: D Explanation: The correct answer is Value. Value of the information asset to the organization is usually the first and foremost criterion used in determining its classification. Answer Useful life refers to declassification of an information object due to some change in situation.
QUESTION NO: 1490 To what does logon abuse refer? A. Legitimate users accessing networked services that would normally be restricted to them B. Nonbusiness or personal use of the Internet C. Intrusions via dial-up or asynchronous external network connections D. Breaking into a network primarily from an external source
Answer: A Explanation: The correct answer is “Legitimate users accessing networked services that would normally be restricted to them”. Logon abuse entails an otherwise proper user attempting to access areas of the network that are deemed off-limits. Answer “Breaking into a network primarily from an external source” is called network intrusion, and d refers to backdoor remote access.
QUESTION NO: 1491 How often should an independent review of the security controls be performed, according to OMB Circular A-130? A. Never B. Every five years C. Every three years D. Every year
Answer: C Explanation: The correct answer is “Every three years”. OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years. For general support systems, OMB Circular A-130 requires that the security controls be reviewed either by an independent audit or self review. Audits can be self-administered or independent (either internal or external). The essential difference between a self-audit and an independent audit is objectivity; however, some systems may require a fully independent review. Source: Office of Management and Budget Circular A-130, revised November 30, 2000.
QUESTION NO: 1492 Kerberos is an authentication scheme that can be used to implement: A. Hash functions. B. Single Sign-On (SSO). C. Public key cryptography. D. Digital signatures.
Answer: B Explanation: The correct answer is “Single Sign-On (SSO)”. Kerberos is a third-party authentication protocol that can be used to implement SSO. Answer “Public key cryptography” is incorrect because public key cryptography is not used in the basic Kerberos protocol. Answer “Digital signatures” is a public key-based capability, and answer “Hash functions” is a one-way transformation used to disguise passwords or to implement digital signatures.
QUESTION NO: 1493 The concept of limiting the routes that can be taken between a workstation and a computer resource on a network is called: A. Path limitation B. A trusted path C. An enforced path D. A security perimeter
Answer: C Explanation: Individuals are authorized access to resources on a network through specific paths and the enforced path prohibits the user from accessing a resource through a different route than is authorized to that particular user. This prevents the individual from having unauthorized access to sensitive information in areas off limits to that individual. Examples of controls to implement an enforced path include establishing virtual private networks (VPNs) for specific groups within an organization, using firewalls with access control lists, restricting user menu options, and providing specific phone numbers or dedicated lines for remote access. Answer a is a distracter. Answer c, security perimeter, refers to the boundary where security controls are in effect to protect assets. This is a general definition and can apply to physical and technical (logical) access controls. In physical security, a fence may define the security perimeter. In technical access control, a security perimeter can be defined in terms of a Trusted Computing Base (TCB). A TCB is the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy. The security perimeter is the boundary that separates the TCB from the remainder of the system. In answer “A trusted path” a trusted path is a path that exists to permit the user to access the TCB without being compromised by other processes or users.
QUESTION NO: 1494 The data transmission method in which data is sent continuously and doesn’t use either an internal clocking source or start/stop bits for timing is known as: A. Asynchronous B. Pleisiochronous C. Synchronous D. Isochronous
Answer: D Explanation: Isochronous data is synchronous data transmitting without a clocking source, with the bits sent continuously and no start or stop bits. All bits are of equal importance and are anticipated to occur at regular time intervals. Asynchronous is a data transmission method using a start bit at the beginning of the data value, and a stop bit at the end of the value. Synchronous is a message-framed transmission method that uses clocking pulses to match the speed of the data transmission. Pleisiochronous is a transmission method that uses more than one timing source, sometimes running at different speeds. This method may require master and slave clock devices. Source: Communications Systems and Networks by Ray Horak (M&T Books, 2000).
QUESTION NO: 1495 What is a server cluster? A. A tape array backup implementation B. A group of WORM optical jukeboxes C. A primary server that mirrors its data to a secondary server D. A group of independent servers that are managed as a single system
Answer: D Explanation: The correct answer is “A group of independent servers that are managed as a single system”. A server cluster is a group of servers that appears to be a single server to the user. Answer “A primary server that mirrors its data to a secondary server” refers to redundant servers.
QUESTION NO: 1496 Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis? A. A quantitative RA does not use the hard costs of losses, and a qualitative RA does. B. A quantitative RA cannot be automated. C. A qualitative RA uses many complex calculations. D. A quantitative RA uses less guesswork than a qualitative RA.
Answer: D Explanation: The correct answer is “A quantitative RA uses less guesswork than a qualitative RA”. The other answers are incorrect.
QUESTION NO: 1497 Identity-based access control is a subset of which one of the following access control categories? A. Discretionary access control B. Lattice-based access control C. Non-discretionary access control D. Mandatory access control
Answer: A Explanation: The correct answer is “Discretionary access control”. Identity-based access control is a type of discretionary access control that grants access privileges based on the user’s identity. A related type of discretionary access control is user-directed access control that gives the user, with certain limitations, the right to alter the access control to certain objects.
QUESTION NO: 1498 What is the Network Layer of the OSI reference model primarily responsible for? A. SMTP Gateway services B. LAN bridging C. Internetwork packet routing D. Signal regeneration and repeating
Answer: C Explanation: Although many routers can perform most of the functions above, the OSI Network layer is primarily responsible for routing. LAN bridging is a Data Link Layer function. Gateways most commonly function at the higher layers. Signal regeneration and repeating is primarily a Physical layer function. Source: CCNA Study Guide by Todd Lammle, Donald Porter, and James Chellis (Sybex, 1999).
QUESTION NO: 1499 Which level of RAID is commonly referred to as disk mirroring? A. RAID 5 B. RAID 1 C. RAID 3 D. RAID 0
Answer: B Explanation: Redundant Array of Inexpensive Disks (RAID) is a method of enhancing hard disk fault tolerance, which can improve performance (see Table A.8). RAID 1 maintains a complete copy of all data by duplicating each hard drive. Performance can suffer in some implementations of RAID 1, and twice as many drives are required. Novell developed a type of disk mirroring called disk duplexing, which uses multiple disk controller cards increasing both performance and reliability. RAID 0 gives some performance gains by striping the data across multiple drives, but reduces fault tolerance, as the failure of any single drive disables the whole volume. RAID 3 uses a dedicated error-correction disk called a parity drive, and stripes the data across the other data drives. RAID 5 uses all disks in the array for both data and error correction, increasing both storage capacity and performance.
QUESTION NO: 1500 In biometrics, a good measure of performance of a system is the: A. False detection. B. Positive acceptance rate. C. Sensitivity. D. Crossover Error Rate (CER).
Answer: D Explanation: The correct answer is “Crossover Error Rate (CER)”. The other items are made-up distracters.
QUESTION NO: 1501 Which is a property of a circuit-switched network as opposed to a packet-switched network? A. Physical, permanent connections exist from one point to another in a circuit-switched network. B. The data is broken up into packets. C. Packets are reassembled according to their originally assigned sequence numbers. D. The data is sent to the next destination, which is based on the router’s understanding of the best available route.
Answer: A Explanation: The correct answer is “Physical, permanent connections exist from one point to another in a circuit-switched network”. Permanent connections are a feature of circuit-switched networks. Note: strictly speaking they aren’t physical and they aren’t permanent. A phone call is circuit-switched (well, historically). The circuit wasn’t permanent, just for the duration of the call.
QUESTION NO: 1502 Which answer below is true about the difference between TCP and UDP? A. UDP is considered a connectionless protocol and TCP is connection-oriented. B. TCP is considered a connectionless protocol, and UDP is connection-oriented. C. TCP is sometimes referred to as an unreliable protocol. D. UDP acknowledges the receipt of packets, and TCP does not.
Answer: A Explanation: The correct answer is “UDP is considered a connectionless protocol and TCP is connection-oriented”. As opposed to the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) is a connectionless protocol. It does not sequence the packets or acknowledge the receipt of packets, and is referred to as an unreliable protocol.
QUESTION NO: 1503 In a Kerberos exchange involving a message with an authenticator, the authenticator contains the client ID and which of the following? A. Client network address B. Ticket Granting Ticket (TGT) C. Timestamp D. Client/TGS session key
Answer: C Explanation: A timestamp, t, is used to check the validity of the accompanying request since a Kerberos ticket is valid for some time window, v, after it is issued. The timestamp indicates when the ticket was issued. The TGT is comprised of the client ID, the client network address, the starting and ending time the ticket is valid (v), and the client/TGS session key. This ticket is used by the client to request the service of a resource on the network from the TGS. The client/TGS session key, Kc, tgs, is the symmetric key used for encrypted communication between the client and TGS for this particular session. The client network address is included in the TGT and not in the authenticator.
QUESTION NO: 1504 Which of the following is NOT a valid database model? A. Hierarchical B. Relational C. Object-relational D. Relational-rational
Answer: D Explanation: The correct answer is “Relational-rational”, a distracter. The other answers are valid database models. Additional valid models include network and object-oriented databases.
QUESTION NO: 1505 Which statement is correct about ISDN Basic Rate Interface? A. It offers 30 B channels and 1 D channel. B. It offers 23 B channels and 1 D channel. C. It offers 2 B channels and 1 D channel. D. It offers 1 B channel and 2 D channels.
Answer: C Explanation: Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) offers two B channels which carry user data at 64 Kbps each, and one control and signaling D channel operating at 16 Kbps. Answer “It offers 23 B channels and 1 D channel.” describes ISDN Primary Rate Interface (PRI) for North America and Japan, with 23 B channels at 64 Kbps and one 64 Kbps D channel, for a total throughput of 1.544 Mbps. Answer “It offers 30 B channels and 1 D channel.” describes ISDN PRI for Europe, Australia, and other parts of the world, with 30 64 Kbps B channels and one D channel, for a total throughput of 2.048 Mbps. Answer “It offers 1 B channel and 2 D channels.” is a distracter. Source: Internetworking Technologies Handbook, Second Edition (Cisco Press, 1998).
QUESTION NO: 1506 A persistent collection of data items that form relations among each other is called a: A. Schema B. Database management system (DBMS) C. Database D. Data description language (DDL)
Answer: C Explanation: For a database to be viable, the data items must be stored on nonvolatile media and be protected from unauthorized modification. For answer a, a DBMS provides access to the items in the database and maintains the information in the database. The Data description language (DDL) provides the means to define the database, and schema is the description of the database.
QUESTION NO: 1507 Which of the following is NOT a network cabling type? A. Coaxial B. Token Ring C. Twisted Pair D. Fiber Optic
Answer: B Explanation: The correct answer is Token Ring. Token Ring is a LAN media access method, not a cabling type.
QUESTION NO: 1508 Which choice below is the BEST definition of advisory policies? A. Non-mandated policies, but strongly suggested B. Mandatory policies implemented as a consequence of legal action C. Policies implemented due to public regulation D. Policies implemented for compliance reasons
Answer: A Explanation: The correct answer is “Non-mandated policies, but strongly suggested”. Advisory policies might have consequences of failure attached to them, but they are still considered nonmandatory. The other three answers are examples of mandatory, regulatory policies.
QUESTION NO: 1509 Which of the following is NOT a true statement about Network Address Translation (NAT)? A. Private addresses can easily be routed globally. B. NAT is used when corporations want to use private addressing ranges for internal networks. C. NAT is designed to mask the true IP addresses of internal systems. D. NAT translates private IP addresses to registered real IP addresses.
Answer: A Explanation: The correct answer is “Private addresses can easily be routed globally”. Private addresses are not easily routable; hence the reason for using NAT.
QUESTION NO: 1510 Which choice MOST accurately describes the differences between standards, guidelines, and procedures? A. Procedures are the general recommendations for compliance with mandatory guidelines. B. Standards are recommended policies, and guidelines are mandatory policies. C. Procedures are step-by-step recommendations for complying with mandatory guidelines. D. Procedures are step-by-step instructions for compliance with mandatory standards.
Answer: D Explanation: The correct answer is “Procedures are step-by-step instructions for compliance with mandatory standards”. The other answers are incorrect.
QUESTION NO: 1511 In a biometric system, the time it takes to register with the system by providing samples of a biometric characteristic is called: A. Set-up time. B. Enrollment time. C. Log-in time. D. Throughput time.
Answer: B Explanation: The correct answer is “Enrollment time”. Answers Set-up time and Log-in time are distracters. Answer throughput, refers to the rate at which individuals once enrolled can be processed and identified or authenticated by a biometric system.
QUESTION NO: 1512 Identification is: A. A user providing a shared secret to the system. B. A user professing an identity to the system. C. A user providing a password to the system. D. A user being authenticated by the system.
Answer: B Explanation: The correct answer is “A user professing an identity to the system”. A user presents an ID to the system as identification. Answer a is incorrect because presenting an ID is not an authentication act. Answer “A user providing a password to the system” is incorrect because a password is an authentication mechanism. Answer “A user providing a shared secret to the system” is incorrect because it refers to cryptography or authentication.
QUESTION NO: 1513 Who has the final responsibility for the preservation of the organization’s information? A. Application owners B. Senior management C. Users D. Technology providers
Answer: B Explanation: Various officials and organizational offices are typically involved with computer security. They include the following groups: senior management; program/functional managers/application owners; computer security management; technology providers; supporting organizations; and users. Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. While senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.
QUESTION NO: 1514 Which statement below BEST describes the primary purpose of risk analysis? A. To quantify the impact of potential threats B. To create a clear cost-to-value ratio for implementing security controls C. To influence site selection decisions D. To influence the system design process
Answer: A Explanation: The correct answer is “To quantify the impact of potential threats”. The main purpose of performing a risk analysis is to put a hard cost or value onto the loss of a business function. The other answers are benefits of risk management but not its main purpose.
QUESTION NO: 1515 Kerberos provides an integrity check service for messages between two entities through the use of: A. A trusted, third-party authentication server B. A checksum C. Credentials D. Tickets
Answer: B Explanation: A checksum that is derived from a Kerberos message is used to verify the integrity of the message. This checksum may be a message digest resulting from the application of a hash function to the message. At the receiving end of the transmission, the receiving party can calculate the message digest of the received message using the identical hash algorithm as the sender. Then the message digest calculated by the receiver can be compared with the message digest appended to the message by the sender. If the two message digests match, the message has not been modified en route, and its integrity has been preserved. Credentials and Tickets are authenticators used in the process of granting user access to services on the network. Answer “A trusted, third-party authentication server” is the AS or authentication server that conducts the ticket-granting process.
QUESTION NO: 1516 Which is NOT a packet-switched technology? A. Frame Relay B. SMDS C. X.25 D. T1
Answer: D Explanation: The correct answer is T1. A T1 line is a type of leased line, which uses a dedicated, point-to-point technology.
QUESTION NO: 1517 According to NIST, which choice below is not an accepted security self-testing technique? A. Password Cracking B. Virus Detection C. War Dialing D. Virus Distribution
Answer: D Explanation: Common types of self-testing techniques include: Network Mapping, Vulnerability Scanning, Penetration Testing, Password Cracking, Log Review, Virus Detection, and War Dialing. Some testing techniques are predominantly human-initiated and conducted, while other tests are highly automated and require less human involvement. The staff that initiates and implements in-house security testing should have significant security and networking knowledge. These testing techniques are often combined to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing almost always includes network mapping and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. None of these tests by themselves will provide a complete picture of the network or its security posture. Source: NIST Special Publication 800-42, DRAFT Guideline on Network Security Testing.
QUESTION NO: 1518 Role-based access control is useful when: A. Access must be determined by the labels on the data. B. Rules are needed to determine clearances. C. There are frequent personnel changes in an organization. D. Security clearances must be used.
Answer: C Explanation: The correct answer is “There are frequent personnel changes in an organization”. Role-based access control is part of nondiscretionary access control. The other options relate to mandatory access control.
QUESTION NO: 1519 Which choice is the BEST description of authentication as opposed to authorization? A. A system’s capability to determine the actions and behavior of a single individual within a system B. The testing or reconciliation of evidence of a user’s identity C. The means by which a user provides a claim of his or her identity to a system D. The rights and permissions granted to an individual to access a computer resource
Answer: B Explanation: The correct answer is “The testing or reconciliation of evidence of a user’s identity”. Answer “The means by which a user provides a claim of his or her identity to a system” is identification, “A system’s capability to determine the actions and behavior of a single individual within a system” is accountability, and “The rights and permissions granted to an individual to access a computer resource” is authorization.
QUESTION NO: 1520 Which TCP/IP protocol operates at the OSI Network layer? A. FTP B. IP C. UDP D. TCP
Answer: B Explanation: The correct answer is IP. IP operates at the network layer of the OSI model and at the Internet layer of the TCP/IP model. FTP operates at the application layer of the TCP/IP model, which is roughly similar to the top three layers of the OSI model: the Application, Presentation, and Session layers. TCP and UDP both operate at the OSI Transport layer, which is similar to the TCP/IP Host-to-host layer.
QUESTION NO: 1521 Which choice below BEST describes coaxial cable? A. Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor. B. Coax does not require a fixed spacing between connections that UTP requires. C. Coax consists of two insulated wires wrapped around each other in a regular spiral pattern. D. Coax carries signals as light waves.
Answer: A Explanation: The correct answer is “Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor”. Coax consists of a hollow outer cylindrical conductor surrounding a single, inner wire conductor. Answer “Coax consists of two insulated wires wrapped around each other in a regular spiral pattern” describes UTP. Coax requires fixed spacing between connections, and answer “Coax carries signals as light waves” describes fiber-optic cable.
QUESTION NO: 1522 Which choice below is NOT one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority (IANA) for nonroutable private addresses? A. 192.168.0.0 - 192.168.255.255 B. 127.0.0.0 - 127.0.255.255 C. 10.0.0.0 - 10.255.255.255 D. 172.16.0.0 - 172.31.255.255
Answer: B Explanation: The other three address ranges can be used for Network Address Translation (NAT). While NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address 127.0.0.1 is called the loopback address. Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).
QUESTION NO: 1523 What does LAN stand for? A. Local Adaptive Network B. Local Arena News C. Layered Addressed Network D. Local Area Network
Answer: D
QUESTION NO: 1524 Which statement below about the difference between analog and digital signals is incorrect? A. A digital signal produces a saw-tooth wave form. B. Analog signals cannot be used for data communications. C. An analog signal produces an infinite waveform. D. An analog signal can be varied by amplification.
Answer: B Explanation: The correct answer is “Analog signals cannot be used for data communications”. The other answers are all properties of analog or digital signals.
QUESTION NO: 1525 What does the protocol ARP do? A. Takes a MAC address and finds an IP address to match B. Sends messages to the devices regarding the health of the network C. Takes an IP address and finds out the MAC address to which it belongs D. Facilitates file transfers
Answer: C Explanation: The correct answer is “Takes an IP address and finds out the MAC address to which it belongs”. ARP starts with an IP address, then queries the network to find the MAC or hardware address of the workstation to which it belongs. ICMP performs “Sends messages to the devices regarding the health of the network”. RARP performs “Takes a MAC address and finds an IP address to match”. FTP performs “Facilitates file transfers”.
QUESTION NO: 1526 A group of processes that share access to the same resources is called: A. A Trusted Computing Base (TCB) B. A protection domain C. An access control triple D. An access control list
Answer: B Explanation: In answer a, an access control list (ACL) is a list denoting which users have what privileges to a particular resource. Table illustrates an ACL. The table shows the subjects or users that have access to the object, FILE X and what privileges they have with respect to that file. For answer “An access control triple”, an access control triple consists of the user, program, and file with the corresponding access privileges noted for each user. The TCB, of answer “A Trusted Computing Base (TCB)”, is defined in the answers as the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy.