Exam SET A Flashcards
1
Q
Which of the following items is NOT used to determine the types of
access controls to be applied in an organization?
A. Separation of duties
B. Organizational policies
C. Least privilege
D. Relational categories
A
Answer: D
Explanation: The item, relational categories, is a distracter. The other options are important determinants of access control implementations in an organization
2
Q
Which choice below is NOT a generally accepted benefit of security awareness, training, and education?
A. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.
B. A security awareness and training program will help prevent natural disasters from occurring.
C. A security awareness program can help operators understand the value of the information.
D. A security education program can help system administrators recognize unauthorized intrusion attempts.
A
Answer: B
Explanation: An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:
1. Identify program scope, goals, and objectives.
2 Identify training staff.
3. Identify target audiences.
4. Motivate management and employees.
5. Administer the program.
6. Maintain the program.
7. Evaluate the program.
Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
3
Q
In biometrics, a one-to-one search to verify an individual's claim of an identity is called: A. Audit trail review. B. Accountability. C. Authentication. D. Aggregation.
A
Answer: C
Explanation: The correct answer is Authentication. Answer “Audit trail review.” is a review of audit system data, usually done after the fact. Answer “Accountability” is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.
4
Q
Which one of the following statements is TRUE concerning the Terminal
Access Controller Access Control System (TACACS) and TACACS+?
A. TACACS supports prompting for a password change.
B. TACACS+ employs a user ID and static password.
C. TACACS+ employs tokens for two-factor, dynamic password authentication.
D. TACACS employs tokens for two-factor, dynamic password authentication.
A
Answer: C
Explanation: The correct answer is “TACACS+ employs tokens for two-factor, dynamic password authentication”. TACACS employs a user ID and static password and does not support prompting for password change or the use of dynamic password tokens.
5
Q
Which statement below is NOT correct about safeguard selection in the
risk analysis process?
A. The most commonly considered criteria is the cost effectiveness of the safeguard.
B. The best possible safeguard should always be implemented, regardless of cost.
C. Maintenance costs need to be included in determining the total cost of the safeguard.
D. Many elements need to be considered in determining the total cost of the safeguard.
A
Answer: B
Explanation: The correct answer is “The best possible safeguard should always be implemented, regardless of cost.”. Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.
6
Q
Which answer below is the BEST description of a Single Loss Expectancy (SLE)?
A. An algorithm that determines the expected annual loss to an organization from a threat
B. An algorithm that represents the magnitude of a loss to an asset from a threat
C. An algorithm used to determine the monetary impact of each occurrence of a threat
D. An algorithm that expresses the annual frequency with which a threat is expected to occur
A
Answer: C
Explanation: The correct answer is “An algorithm used to determine the monetary impact of each occurrence of a threat”. The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence. Answer a describes the Exposure Factor (EF). The EF is expressed as a percentile of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above.
Answer “An algorithm that expresses the annual frequency with which a threat is expected to occur” describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5 or .2. This figure is used to determine the ALE. Answer d describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.
7
Q
Which of the following is NOT a type of data network? A. WAN B. MAN C. LAN D. GAN
A
Answer: D
Explanation: The correct answer is d. GAN does not exist. LAN stands for Local Area Network, WAN stands for Wide Area Network, and MAN stands for Metropolitan Area Network
8
Q
Which choice below is NOT a concern of policy development at the high level?
A. Identifying the key business resources
B. Defining roles in the organization
C. Determining the capability and functionality of each role
D. Identifying the type of firewalls to be used for perimeter security
A
Answer: D
Explanation: The other options are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer “Determining the capability and functionality of each role” is the final step in the policy creation process and combines steps a and “Defining roles in the organization”. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress (Sams Publishing, 2001).
9
Q
Which is NOT a standard type of DSL? A. HDSL B. FDSL C. ADSL D. VDSL
A
Answer: B
Explanation: The correct answer is FDSL. FDSL does not exist
10
Q
A back door into a network refers to what?
A. Mechanisms created by hackers to gain network access at a later time
B. Monitoring programs implemented on dummy applications to lure intruders
C. Undocumented instructions used by programmers to debug applications
D. Socially engineering passwords from a subject
A
Answer: A
Explanation: Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications. * social engineering is a technique used to manipulate users into revealing information like passwords. * Answer “Undocumented instructions used by programmers to debug applications”refers to a trap door, which are undocumented hooks into an application to assist programmers with debugging. Although intended innocently, these can be exploited by intruders. * “Monitoring programs implemented on dummy applications to lure intruders” is a honey pot or padded cell. A honey pot uses a dummy server with bogus applications as a decoy for intruders. Source: Fighting Computer Crime by Donn B. Parker (Wiley, 1998).
11
Q
A type of access control that supports the management of access rights for groups of subjects is: A. Discretionary B. Rule-based C. Role-based D. Mandatory
A
Answer: C
Explanation: Role-based access control assigns identical privileges to groups of users. This approach simplifies the management of access rights, particularly when members of the group change. Thus, access rights are assigned to a role, not to an individual. Individuals are entered as members of specific groups and are assigned the access privileges of that group. In answer Discretionary, the access rights to an object are assigned by the owner at the owner’s discretion. For large numbers of people whose duties and participation may change frequently, this type of access control can become unwieldy. Mandatory access control, answer c, uses security labels or classifications assigned to data items and clearances assigned to users. A user has access rights to data items with a classification equal to or less than the user’s clearance. Another restriction is that the user has to have a need-to-know the information; this requirement is identical to the principle of least privilege. Answer ‘rule-based access control’ assigns access rights based on stated rules. An example of a rule is Access to trade-secret data is restricted to corporate officers, the data owner and the legal department.
12
Q
Which of the following is NOT a property of CSMA?
A. The workstation continuously monitors the line.
B. Workstations are not permitted to transmit until they are given permission from the primary host.
C. It does not have a feature to avoid the problem of one workstation dominating the conversation.
D. The workstation transmits the data packet when it thinks that the line is free.
A
Answer: B
Explanation: The correct answer is “Workstations are not permitted to transmit until they are given permission from the primary host”. The polling transmission type uses primary and secondary hosts, and the secondary must wait for permission from the primary before transmitting.
13
Q
Which choice below is NOT one of NIST’s 33 IT security principles?
A. Assume that external systems are insecure.
B. Minimize the system elements to be trusted.
C. Implement least privilege.
D. Totally eliminate any level of risk.
A
Answer: D
Explanation: Risk can never be totally eliminated. NIST IT security principle #4 states: Reduce risk to an acceptable level. The National Institute of Standards and Technology’s (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, Engineering Principles for Information Technology Security (EP-ITS) in June 2001 to assist in the secure design, development, deployment, and life-cycle of information systems. It presents 33 security principles which start at the design phase of the information system or application and continue until the system’s retirement and secure disposal. Some of the other 33 principles are: Principle 1. Establish a sound security policy as the foundation for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 11. Minimize the system elements to be trusted.
Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Principle 23. Use unique identities to ensure accountability.
Principle 24. Implement least privilege.
Source: NIST Special Publication 800-27, Engineering Principles for Infor- mation Technology Security (A Baseline for Achieving Security), and Federal Systems Level Guidance for Securing Information Systems, James Corrie, August 16, 2001 .
14
Q
What is probing used for?
A. To induce a user into taking an incorrect action
B. To use up all of a target’s resources
C. To covertly listen to transmissions
D. To give an attacker a road map of the network
A
Answer: D
Explanation: The correct answer is “To give an attacker a road map of the network”. Probing is a procedure whereby the intruder runs programs that scan the network to create a network map for later intrusion.
Answer “To induce a user into taking an incorrect action” is spoofing, c is the objective of a DoS attack, and d is passive eavesdropping.
15
Q
Clipping levels are used to:
A. Reduce the amount of data to be evaluated in audit logs.
B. Limit errors in callback systems.
C. Limit the number of letters in a password.
D. Set thresholds for voltage variations.
A
Answer: A
Explanation: The correct answer is reducing the amount of data to be evaluated by definition. Answer “Limit the number of letters in a password” is incorrect because clipping levels do not relate to letters in a password. Answer “Set thresholds for voltage variations” is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer “Limit errors in callback syste” is incorrect because they are not used to limit callback errors.
16
Q
An attack that can be perpetrated against a remote user's callback access control is: A. Redialing. B. Call forwarding. C. A maintenance hook. D. A Trojan horse.
A
Answer: B
Explanation: The correct answer is Call forwarding. A cracker can have a person’s call forwarded to another number to foil the callback system. Answer “A Trojan horse” is incorrect because it is an example of malicious code embedded in useful code. Answer “A maintenance hook” is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer Redialing is incorrect because it is a distracter.
17
Q
The definition of CHAP is:
A. Confidential Hash Authentication Protocol.
B. Challenge Handshake Approval Protocol.
C. Confidential Handshake Approval Protocol.
D. Challenge Handshake Authentication Protocol.
A
Answer: D
Explanation:
18
Q
Which of the following is NOT a remote computing technology? A. xDSL B. ISDN C. Wireless D. PGP
A
Answer: D
Explanation: The correct answer is PGP. PGP stands for Pretty Good Privacy, an email encryption technology.
19
Q
A relational database can provide security through view relations. Views enforce what information security principle? A. Least privilege B. Inference C. Aggregation D. Separation of duties
A
Answer: A
Explanation: The principle of least privilege states that a subject is permitted to have access to the minimum amount of information required to perform an authorized task. When related to government security clearances, it is referred to as need-to-know. * aggregation, is defined as assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components. *Separation of duties requires that two or more subjects are necessary to authorize an activity or task. *inference, refers to the ability of a subject to deduce information that is not authorized to be accessed by that subject from information that is authorized to that subject.
20
Q
Which statement below is accurate about the reasons to implement a
layered security architecture?
A. A layered approach doesn’t really improve the security posture of the organization.
B. A layered security approach is intended to increase the work-factor for an attacker.
C. A good packet-filtering router will eliminate the need to implement a layered security architecture.
D. A layered security approach is not necessary when using COTS products.
A
Answer: B
Explanation: Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercialoff- the-shelf (COTS) products are used. The current state-of-the-art for security quality in COTS products do not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Source: NIST Special Publication 800-27, Engineering Principles for Infor- mation Technology Security (A Baseline for Achieving Security).
21
Q
Which of the choices below is NOT an OSI reference model Session Layer protocol, standard, or interface? A. SQL B. DNA SCP C. RPC D. MIDI E. ASP
A
Answer: D
Explanation: The Musical Instrument Digital Interface (MIDI) standard is a Presentation Layer standard for digitized music. The other answers are all Session layer protocols or standards. SQL refers to the Structured Query Language database standard originally developed by IBM.
Answer RPC refers to the Remote Procedure Call redirection mechanism for remote clients. ASP is the AppleTalk Session Protocol. DNA SCP refers to DECnet’s Digital Network Architecture Session Control Protocol. Source: Introduction to Cisco Router Configuration edited by Laura Chappell (Cisco Press, 1999).
22
Q
An acceptable biometric throughput rate is: A. One subject per two minutes. B. Five subjects per minute. C. Ten subjects per minute. D. Two subjects per minute.
A
Answer: C
Explanation:
23
Q
Authentication is:
A. Not accomplished through the use of a password.
B. The presentation of a user’s ID to the system.
C. The verification that the claimed identity is valid.
D. Only applied to remote users.
A
Answer: C
Explanation: The correct answer is “The verification that the claimed identity is valid.”. Answer “The presentation of a user’s ID to the system” is incorrect because it is an identification act. Answer c is incorrect because authentication can be accomplished through the use of a password. Answer “Only applied to remote users” is incorrect because authentication is applied to local and remote users.
24
Q
Which statement about a VPN tunnel below is incorrect?
A. It can be created by implementing node authentication systems.
B. It can be created by implementing IPSec devices only.
C. It can be created by implementing key and certificate exchange systems.
D. It can be created by installing software or hardware agents on the client or network.
A
Answer: B
Explanation: The correct answer is “It can be created by implementing IPSec devices only”. IPSec-compatible and non-IPSec compatible devices are used to create VPNs. The other three answers are all ways in which VPNs can be created.
25
What is NOT true of a star-wired topology?
A. It has more resiliency than a BUS topology.
B. 10BaseT Ethernet is star-wired.
C. Cabling termination errors can crash the entire network.
D. The network nodes are connected to a central LAN device.
Answer: C
Explanation: The correct answer is "Cabling termination errors can crash the entire network". Cabling termination errors are an inherent issue with bus topology networks.
26
```
What are the detailed instructions on how to perform or implement a
control called?
A. Guidelines
B. Standards
C. Policies
D. Procedures
```
Answer: D
Explanation:
27
```
Which category of UTP wiring is rated for 100BaseT Ethernet networks?
A. Category 5
B. Category 1
C. Category 2
D. Category 3
E. Category 4
```
Answer: A
Explanation: Category 5 unshielded twisted-pair (UTP) wire is rated for transmissions of up to 100 Mbps and can be used in 100BaseT Ethernet networks. It is the most commonly installed type of UTP at this time. See Table.
Category 1 twisted-pair wire was used for early analog telephone communications and is not suitable for data.
Category 2 twisted-pair wire, was used in AS/400 and IBM 3270 networks. Derived from IBM Type 3 cable specification. Category 3 twisted-pair wire, is rated for 10 Mbps and was used in 802.3 10Base-T Ethernet
networks, and 4 Mbps Token Ring networks. Category 4 twisted-pair wire, is rated for 16 Mbps and is used in 4/16 Mbps Token Ring LANs. Source: The Electrical Industry Alliance (EIA/TIA-568).
28
```
How is an SLE derived?
A. ARO × EF
B. AV × EF
C. (Cost - benefit) × (% of Asset Value)
D. % of AV - implementation cost
```
Answer: B
Explanation: The correct answer is AV × Ef. A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.
29
```
The Simple Security Property and the Star Property are key principles in which type of access control?
A. Mandatory
B. Discretionary
C. Rule-based
D. Role-based
```
Answer: A
Explanation: Two properties define fundamental principles of mandatory access control. These properties are: Simple Security Property. A user at one clearance level cannot read data from a higher classification level. Star Property. A user at one clearance level cannot write data to a lower classification level
30
A token that generates a unique password at fixed time intervals is called:
A. A synchronous dynamic password token.
B. A challenge-response token.
C. A time-sensitive token.
D. An asynchronous dynamic password token.
Answer: A
Explanation: The correct answer is "A synchronous dynamic password token".
31
Astatistical anomaly-based intrusion detection system:
A. Acquires data to establish a normal system operating profile.
B. Will detect an attack that does not significantly change the system's operating characteristics.
C. Does not report an event that caused a momentary anomaly in the system.
D. Refers to a database of known attack signatures.
Answer: A
Explanation: The correct answer is "Acquires data to establish a normal system operating profile". A statistical anomaly-based intrusion detection system acquires data to establish a normal system operating profile. Answer "Refers to a database of known attack signatures" is incorrect because it is used in signature-based intrusion detection. Answer "Will detect an attack that does not significantly change the system's operating characteristics." is incorrect because a statistical anomaly-based intrusion detection system will not detect an attack that does not significantly change the system operating characteristics. Similarly, answer "Does not report an event that caused a momentary anomaly in the system." is incorrect because the statistical anomaly-based IDS is susceptible to reporting an event that caused a momentary anomaly in the system.
32
When logging on to a workstation, the log-on process should:
A. Provide a Help mechanism that provides log-on assistance.
B. Not provide information on the previous successful log-on and on previous unsuccessful log-on attempts.
C. Place no limits on the time allotted for log-on or on the number of unsuccessful log-on attempts.
D. Validate the log-on only after all input data has been supplied.
Answer: D
Explanation: This approach is necessary to ensure that all the information required for a log-on has been submitted and to avoid providing information that would aid a cracker in trying to gain unauthorized access to the workstation or network. If a log-on attempt fails, information as to which part of the requested log-on information was incorrect should not be supplied to the user.
Answer "Provide a Help mechanism that provides log-on assistance" is incorrect since a Help utility would provide help to a cracker trying to gain unauthorized access to the network.
For answer "Place no limits on the time allotted for log-on or on the number of unsuccessful log-on attempts", maximum and minimum time limits should be placed on the log-on process. Also, the log-on process should limit the number of unsuccessful log-on attempts and temporarily suspend the log-on capability if that number is exceeded. One approach is to progressively increase the time interval allowed between unsuccessful log-on attempts.
Answer "Not provide information on the previous successful log-on and on previous unsuccessful log-on attempts" is incorrect since providing such information will alert an authorized user if someone has been attempting to gain unauthorized access to the network from the user's workstation.
33
Which choice below BEST describes the difference between the System
Owner and the Information Owner?
A. The System Owner is responsible for establishing the rules for appropriate use of the information.
B. The Information Owner is responsible for defining the system's operating parameters.
C. One system could have multiple information owners.
D. There is a one-to-one relationship between system owners and information owners.
Answer: C
Explanation: The System Owner is responsible for ensuring that the security plan is prepared and for implementing the plan and monitoring its effectiveness. The System Owner is responsible for defining the system's operating parameters, authorized functions, and security requirements. The information owner for information stored within, processed by, or transmitted by a system may or may not be the same as the System Owner. Also, a single system may utilize information from multiple Information Owners. The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject data/information (rules of behavior). The Information Owner retains that responsibility even when the data/information are shared with other organizations. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
34
Which choice below is NOT an accurate statement about the visibility of IT security policy?
A. Include the IT security policy as a regular topic at staff meetings at all levels of the organization.
B. The IT security policy should not be afforded high visibility.
C. The IT security policy could be visible through panel discussions with guest speakers.
D. The IT security policy should be afforded high visibility.
Answer: B
Explanation: Especially high visibility should be afforded the formal issuance of IT security policy. This is because nearly all employees at all levels will in some way be affected, major organizational resources are being addressed, and many new terms, procedures, and activities will be introduced. Including IT security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.
35
```
Which choice below does NOT relate to analog dial-up hacking?
A. War Walking
B. War Dialing
C. Demon Dialing
D. ToneLoc
```
Answer: A
Explanation: War Walking (or War Driving) refers to scanning for 802.11-based wireless network information, by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS).
* War Dialing, is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached. * Demon Dialing, similar to War Dialing, is a tool used to attack one modem using brute force to guess the password and gain access. * ToneLoc, was one of the first war-dialing tools used by phone phreakers. Sources: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999) and War Driving by the Bay by Kevin Poulsen, The Register, April 13, 2001.
36
Which is NOT a property of or issue with tape backup?
A. One large disk created by using several disks
B. Slow data transfer during backups and restores
C. Server disk space utilization expands
D. The possibility that some data re-entry might need to be performed after a crash
Answer: A
Explanation: The correct answer is "One large disk created by using several disks". RAID level 0 striping is the process of creating a large disk out of several smaller disks.
37
```
In mandatory access control, the authorization of a subject to have access
to an object is dependent upon:
A. Roles.
B. Labels.
C. Tasks.
D. Identity.
```
Answer: B
Explanation: The correct answer is Labels. Mandatory access controls use labels to determine whether subjects can have access to objects, depending on the subjects' clearances. Answer roles is applied in non-discretionary access control as is tasks. Identity, is used in discretionary access control.
38
```
In a relational database, the domain of a relation is the set of allowable values:
A. That tuples can take.
B. Of the primary key.
C. That an attribute can take.
D. That a record can take.
```
Answer: C
Explanation:
39
```
In addition to accuracy, a biometric system has additional factors that determine its effectiveness. Which one of the following listed items is NOT one of these additional factors?
A. Corpus
B. Throughput rate
C. Enrollment time
D. Acceptability
```
Answer: A
Explanation: A corpus is a biometric term that refers to collected biometric images. The corpus is stored in a database of images. Potential sources of error are the corruption of images during collection and mislabeling or other transcription problems associated with the database. Therefore, the image collection, process and storage must be performed carefully with constant checking. These images are collected during the enrollment process and thus, are critical to the correct operation of the biometric device. In enrollment, images are collected and features are extracted, but no comparison occurs. The information is stored for use in future comparison steps. Answer a, the throughput rate, refers to the rate at which individuals, once enrolled, can be processed by a biometric system. If an individual is being authenticated, the biometric system will take a sample of the individual's characteristic to be evaluated and compare it to a template. A metric called distance is used to determine if the sample matches the template. Distance is the difference between the quantitative measure of the sample and the template. If the distance falls within a threshold value, a match is declared. If not, there is no match. * Answer "acceptability" is determined by privacy issues, invasiveness, and psychological and physical comfort when using the biometric system. *"Enrollment time" is the time it takes to initially register with a system by providing samples of the biometric characteristic to be evaluated.
40
Which choice below is NOT a way to get Windows NT passwords?
A. Obtain root access to the /etc/passwd file.
B. Use pwdump2 to dump the password hashes directly from the registry.
C. Obtain the backup SAM from the repair directory.
D. Boot the NT server with a floppy containing an alternate operating system.
Answer: A
Explanation: The /etc/passwd file is a Unix system file. The NT Security Accounts Manager, SAM, contains the usernames and encrypted passwords of all local (and domain, if the server is a domain controller) users. The SAM uses an older, weaker LanManager hash that can be broken easily by tools like L0phtcrack. Physical access to the NT server and the rdisks must be controlled. The Sam._ file in the repair directory must be deleted after creation of an rdisk. Pwdump and pwdump2 are utilities that allow someone with Administrator rights to target the Local Security Authority Subsystem, isass.exe, from a remote system. Source: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999).
41
Which choice below is usually the number one used criterion to determine the classification of an information object?
A. Age
B. Personal association
C. Useful life D. Value
Answer: D
Explanation: The correct answer is Value. Value of the information asset to the organization is usually the first and foremost criteria used in determining its classification. Answer Useful lif refers to declassification of an information object due to some change in situation.
42
To what does logon abuse refer?
A. Legitimate users accessing networked services that would normally be restricted to them
B. Nonbusiness or personal use of the Internet
C. Intrusions via dial-up or asynchronous external network connections
D. Breaking into a network primarily from an external source
Answer: A
Explanation: The correct answer is "Legitimate users accessing networked services that would normally be restricted to them". Logon abuse entails an otherwise proper user attempting to access areas of the network that are deemed offlimits. Answer "Breaking into a network primarily from an external source" is called network intrusion, and d refers to backdoor remote access.
43
```
How often should an independent review of the security controls be performed, according to OMB Circular A-130?
A. Never
B. Every five years
C. Every three years
D. Every year
```
Answer: C
Explanation: The correct answer is "Every three years". OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years. For general support systems, OMB Circular A-130 requires that the security controls be reviewed either by an independent audit or self review. Audits can be selfadministered or independent (either internal or external). The essential difference between a self-audit and an independent audit is objectivity; however, some systems may require a fully independent review. Source: Office of Management and Budget Circular A-130, revised November 30, 2000 .
44
```
Kerberos is an authentication scheme that can be used to implement:
A. Hash functions.
B. Single Sign-On (SSO).
C. Public key cryptography.
D. Digital signatures.
```
Answer: B
Explanation: The correct answer is "Single Sign-On (SSO).". Kerberos is a third-party authentication
protocol that can be used to implement SSO. Answer "Public key cryptography" is incorrect because public key cryptography is not used in the basic Kerberos protocol. Answer "Digital signatures" is a public key-based capability, and answer "Hash functions" is a one-way transformation used to disguise passwords or to implement digital signatures.
45
```
The concept of limiting the routes that can be taken between a workstation and a computer resource on a network is called:
A. Path limitation
B. A trusted path
C. An enforced path
D. A security perimeter
```
Answer: C
Explanation: Individuals are authorized access to resources on a network through specific paths and the enforced path prohibits the user from accessing a resource through a different route than is authorized to that particular user. This prevents the individual from having unauthorized access to sensitive information in areas off limits to that individual. Examples of controls to implement an enforced path include establishing virtual private networks (VPNs) for specific groups within an organization, using firewalls with access control lists, restricting user menu options, and providing specific phone numbers or dedicated lines for remote access. Answer a is a distracter. Answer c, security perimeter, refers to the boundary where security controls are in effect to protect assets. This is a general definition and can apply to physical and technical (logical) access controls. In physical security, a fence may define the security perimeter. In technical access control, a security perimeter can be defined in terms of a Trusted Computing Base (TCB). A TCB is the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy. The security perimeter is the boundary that separates the TCB from the remainder of the system. In answer "A trusted path" a trusted path is a path that exists to permit the user to access the TCB without being compromised by other processes or users.
46
```
The data transmission method in which data is sent continuously and doesn't use either an internal clocking source or start/stop bits for timing is known as:
A. Asynchronous
B. Pleisiochronous
C. Synchronous
D. Isochronous
```
Answer: D
Explanation: Isochronous data is synchronous data transmitting without a clocking source, with the bits sent continuously and no start or stop bits. All bits are of equal importance and are anticipated to occur at regular time intervals. * asynchronous, is a data transmission method using a start bit at the beginning of the data value, and a stop bit at the end of the value. * synchronous, is a messageframed transmission method that uses clocking pulses to match the speed of the data transmission. * pleisiochronous, is a transmission method that uses more than one timing source, sometimes running at different speeds. This method may require master and slave clock devices. Source: Communications Systems and Networks by Ray Horak (M&T Books, 2000).
47
What is a server cluster?
A. A tape array backup implementation
B. A group of WORM optical jukeboxes
C. A primary server that mirrors its data to a secondary server
D. A group of independent servers that are managed as a single system
Answer: D
Explanation: The correct answer is "A group of independent servers that are managed as a single system". A server cluster is a group of servers that appears to be a single server to the user. Answer "A primary server that mirrors its data to a secondary server" refers to redundant servers.
48
Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis?
A. Aquantitative RAdoes not use the hard costs of losses, and a qualitative RAdoes.
B. Aquantitative RAcannot be automated.
C. Aqualitative RAuses many complex calculations.
D. Aquantitative RAuses less guesswork than a qualitative RA.
Answer: D
Explanation: The correct answer is "Aquantitative RAuses less guesswork than a qualitative RA". The other answers are incorrect.
49
```
Identity-based access control is a subset of which one of the following access control categories?
A. Discretionary access control
B. Lattice-based access control
C. Non-discretionary access control
D. Mandatory access control
```
Answer: A
Explanation: The correct answer is "Discretionary access control". Identity-based access control is a type of discretionary access control that grants access privileges based on the user's identity. A related type of discretionary access control is user-directed access control that gives the user, with certain limitations, the right to alter the access control to certain objects
50
```
What is the Network Layer of the OSI reference model primarily responsible for?
A. SMTP Gateway services
B. LAN bridging
C. Internetwork packet routing
D. Signal regeneration and repeating
```
Answer: C
Explanation: Although many routers can perform most of the functions above, the OSI Network layer is primarily responsible for routing.
* LAN bridging, is a Data Link Layer function. * gateways, most commonly function at the higher layers. * signal regeneration and repeating, is primarily a Physical layer function. Source: CCNA Study Guide by Todd Lammle, Donald Porter, and James Chellis (Sybex, 1999).
51
```
Which level of RAID is commonly referred to as disk mirroring?
A. RAID 5
B. RAID 1
C. RAID 3
D. RAID 0
```
Answer: B
Explanation: Redundant Array of Inexpensive Disks (RAID) is a method of enhancing hard disk fault tolerance, which can improve performance (see Table A.8). RAID 1 maintains a complete copy of all data by duplicating each hard drive. Performance can suffer in some implementations of RAID 1, and twice as many drives are required. Novell developed a type of disk mirroring called disk duplexing, which uses multiple disk controller cards increasing both performance and reliability.
*RAID 0, gives some performance gains by striping the data across multiple drives, but reduces fault tolerance, as the failure of any single drive disables the whole volume. * RAID 3, uses a dedicated error-correction disk called a parity drive, and stripes the data across the other data drives. * RAID 5 uses all disks in the array for both data and error correction, increasing both storage capacity and performance.
52
```
In biometrics, a good measure of performance of a system is the:
A. False detection.
B. Positive acceptance rate.
C. Sensitivity.
D. Crossover Error Rate (CER).
```
Answer: D
Explanation: The correct answer is "Crossover Error Rate (CER)". The other items are made-up distracters.
53
Which is a property of a circuit-switched network as opposed to a packetswitched network?
A. Physical, permanent connections exist from one point to another in a circuit-switched network.
B. The data is broken up into packets.
C. Packets are reassembled according to their originally assigned sequence numbers.
D. The data is sent to the next destination, which is based on the router's understanding of the best available route.
Answer: A
Explanation: The correct answer is "Physical, permanent connections exist from one point to another in a circuit-switched network". Permanent connections are a feature of circuit-switched networks.
Note: strictly speaking they aren’t physical and they aren’t permanent. A phone call is circuit-switched (well, historically). The circuit wasn’t permanent, just for the duration of the call.
54
Which answer below is true about the difference between TCP and UDP?
A. UDP is considered a connectionless protocol and TCP is connectionoriented.
B. TCP is considered a connectionless protocol, and UDP is connectionoriented.
C. TCP is sometimes referred to as an unreliable protocol.
D. UDP acknowledges the receipt of packets, and TCP does not.
Answer: A
Explanation: The correct answer is "UDP is considered a connectionless protocol and TCP is connectionoriented". As opposed to the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) is a connectionless protocol. It does not sequence the packets, acknowledge the receipt of packets, and is referred to as an unreliable protocol.
55
```
In a Kerberos exchange involving a message with an authenticator, the authenticator contains the client ID and which of the following?
A. Client network address
B. Ticket Granting Ticket (TGT)
C. Timestamp
D. Client/TGS session key
```
Answer: C
Explanation: A timestamp, t, is used to check the validity of the accompanying request since a Kerberos ticket is valid for some time window, v, after it is issued. The timestamp indicates when the ticket was issued. * The TGT, is comprised of the client ID, the client network address, the starting and ending time the ticket is valid (v), and the client/TGS session key. This ticket is used by the client to request the service of a resource on the network from the TGS. * The client/TGS session key, Kc, tgs, is the symmetric key used for encrypted communication between the client and TGS for this particular session. * the client network address is included in the TGT and not in the authenticator.
56
```
Which of the following is NOT a valid database model?
A. Hierarchical
B. Relational
C. Object-relational
D. Relational-rational
```
Answer: D
Explanation: The correct answer is "Relational-rational", a distracter. The other answers are valid database models. Additional valid models include network and object-oriented databases.
57
Which statement is correct about ISDN Basic Rate Interface?
A. It offers 30 B channels and 1 D channel.
B. It offers 23 B channels and 1 D channel.
C. It offers 2 B channels and 1 D channel.
D. It offers 1 B channel and 2 D channels.
Answer: C
Explanation:
Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) offers two B channels which carry user data at 64 Kbps each, and one control and signaling D channel operating at 16 Kbps. Answer "It offers 23 B channels and 1 D channel." describes ISDN Primary Rate Interface (PRI) for NorthAmerica and Japan , with 23 B channels at 64 Kbps and one 64 Kbps D channel, for a total throughput of 1.544 Mbps.
Answer "It offers 30 B channels and 1 D channel." Describes ISDN PRI for Europe , Australia , and other parts of the world, with 30 64 Kbps B channels and one D channel, for a total throughput of 2.048 Mbps.
Answer "It offers 1 B channel and 2 D channels." is a distracter. Source: Internetworking Technologies Handbook, Second Edition (Cisco Press, 1998).
58
```
A persistent collection of data items that form relations among each other is called a:
A. Schema
B. Database management system (DBMS)
C. Database
D. Data description language (DDL)
```
Answer: C
Explanation: For a database to be viable, the data items must be stored on nonvolatile media and be protected from unauthorized modification. For answer a, a DBMS provides access to the items in the database and main- tains the information in the database. *The Data description language (DDL) provides the means to define the database and schema is the description of the database.
59
```
Which of the following is NOT a network cabling type?
A. Coaxial
B. Token Ring
C. Twisted Pair
D. Fiber Optic
```
Answer: B
Explanation: The correct answer Token Ring. Token Ring is a LAN media access method, not a cabling type.
60
Which choice below is the BEST definition of advisory policies?
A. Non-mandated policies, but strongly suggested
B. Mandatory policies implemented as a consequence of legal action
C. Policies implemented due to public regulation
D. Policies implemented for compliance reasons
Answer: A
Explanation: The correct answer is "Non-mandated policies, but strongly suggested". Advisory policies might have consequences of failure attached to them, but they are still considered nonmandatory. The other three answers are examples of mandatory, regulatory policies.
61
Which of the following is NOT a true statement about Network Address Translation (NAT)?
A. Private addresses can easily be routed globally.
B. NAT is used when corporations want to use private addressing ranges for internal networks.
C. NAT is designed to mask the true IP addresses of internal systems.
D. NAT translates private IP addresses to registered real IP addresses.
Answer: A
Explanation: The correct answer is "Private addresses can easily be routed globally" Private addresses are not easily routable; hence the reason for using NAT.
62
Which choice MOST accurately describes the differences between standards,
guidelines, and procedures?
A. Procedures are the general recommendations for compliance with mandatory guidelines.
B. Standards are recommended policies, and guidelines are mandatory policies.
C. Procedures are step-by-step recommendations for complying with mandatory guidelines.
D. Procedures are step-by-step instructions for compliance with mandatory standards.
Answer: D
Explanation: The correct answer is "Procedures are step-by-step instructions for compliance with mandatory standards". The other answers are incorrect.
63
```
In a biometric system, the time it takes to register with the system by providing samples of a biometric characteristic is called:
A. Set-up time.
B. Enrollment time.
C. Log-in time.
D. Throughput time.
```
Answer: B
Explanation: The correct answer is "Enrollment time".
Answers Set-up time and Log-in time are distracters.
Answer throughput, refers to the rate at which individuals once enrolled can be processed and identified or authenticated by a biometric system.
64
Identification is:
A. Auser providing a shared secret to the system.
B. Auser professing an identity to the system.
C. Auser providing a password to the system.
D. Auser being authenticated by the system.
Answer: B
Explanation: The correct answer is "Auser professing an identity to the system". A user presents an ID to the system as identification. Answer a is incorrect because presenting an ID is not an authentication act. Answer "Auser providing a password to the system" is incorrect because a password is an authentication mechanism. Answer "Auser providing a shared secret to the system" is incorrect because it refers to cryptography or authentication.
65
```
Who has the final responsibility for the preservation of the
organization's information?
A. Application owners
B. Senior management
C. Users
D. Technology providers
```
Answer: B
Explanation: Various officials and organizational offices are typically involved with computer security. They include the following groups: Senior management Program/functional managers/application owners Computer security management Technology providers Supporting organizations Users Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. While senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.
66
Which statement below BEST describes the primary purpose of risk
analysis?
A. To quantify the impact of potential threats
B. To create a clear cost-to-value ratio for implementing security controls
C. To influence site selection decisions
D. To influence the system design process
Answer: A
Explanation: The correct answer is "To quantify the impact of potential threats". The main purpose of performing a risk analysis is to put a hard cost or value onto the loss of a business function. The other answers are benefits of risk management but not its main purpose.
67
Kerberos provides an integrity check service for messages between two entities through the use of:
A. A trusted, third-party authentication server
B. A checksum
C. Credentials
D. Tickets
Answer: B
Explanation: Achecksum that is derived from a Kerberos message is used to verify the integrity of the message. This checksum may be a message digest resulting from the application of a hash function to the message. At the receiving end of the transmission, the receiving party can calculate the message digest of the received message using the identical hash algorithm as the sender. Then the message digest calculated by the receiver can be compared with the message digest appended to the message by the sender. If the two message digests match, the message has not been modified en route, and its integrity has been preserved. For answers Credentials and Tickets are authenticators used in the process of granting user access to services on the network. Answer "A trusted, third-party authentication server" is the AS or authentication server that conducts the ticket-granting process.
68
```
Which is NOT a packet-switched technology?
A. Frame Relay
B. SMDS
C. X.25
D. T1
```
Answer: D
Explanation: The correct answer is T1. A T1 line is a type of leased line, which uses a dedicated, point-to-point technology.
69
```
According to NIST, which choice below is not an accepted security selftesting technique?
A. Password Cracking
B. Virus Detection
C. War Dialing
D. Virus Distribution
```
Answer: D
Explanation: Common types of self-testing techniques include: Network Mapping Vulnerability Scanning Penetration Testing Password Cracking Log Review Virus Detection War Dialing Some testing techniques are predominantly human-initiated and conducted, while other tests are highly automated and require less human involvement. The staff that initiates and implements in-house security testing should have significant security and networking knowledge. These testing techniques are often combined to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing almost always includes network mapping and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. None of these tests by themselves will provide a complete picture of the network or its security posture. Source: NIST Special Publication 800-42, DRAFT Guideline on Network Security Testing.
70
Role-based access control is useful when:
A. Access must be determined by the labels on the data.
B. Rules are needed to determine clearances.
C. There are frequent personnel changes in an organization.
D. Security clearances must be used.
Answer: C
Explanation: The correct answer is "There are frequent personnel changes in an organization.". Role-based access control is part of nondiscretionary access control. The other options relate to mandatory access control.
71
Which choice is the BEST description of authentication as opposed to authorization?
A. A system's capability to determine the actions and behavior of a single individual within a system
B. The testing or reconciliation of evidence of a user's identity
C. The means by which a user provides a claim of his or her identity to a system
D. The rights and permissions granted to an individual to access a computer resource
Answer: B
Explanation: The correct answer is "The testing or reconciliation of evidence of a user's identity". Answer "The means by which a user provides a claim of his or her identity to a system" is identification, "A system's capability to determine the actions and behavior of a single individual within a system" is accountability, and "The rights and permissions granted to an individual to access a computer resource" is authorization.
72
```
Which TCP/IP protocol operates at the OSI Network layer?
A. FTP
B. IP
C. UDP
D. TCP
```
Answer: B
Explanation: The correct answer is IP. IP operates at the network layer of the OSI model and at the Internet layer of the TCP/IP model. FTP operates at the application layer of the TCP/IP model, which is roughly similar to the top three layers of the OSI model: the Application, Presentation, and Session layers. TCP and UDP both operate at the OSI Transport layer, which is similar to the TCP/IP Host-to-host layer.
73
Which choice below BEST describes coaxial cable?
A. Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor.
B. Coax does not require a fixed spacing between connections that UTP requires.
C. Coax consists of two insulated wires wrapped around each other in a regular spiral pattern.
D. Coax carries signals as light waves.
Answer: A
Explanation: The correct answer is "Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor". Coax consists of a hollow outer cylindrical conductor surrounding a single, inner wire conductor. Answer "Coax consists of two insulated wires wrapped around each other in a regular spiral pattern" describes UTP. Coax requires fixed spacing between connections, and answer "Coax carries signals as light waves" describes fiber-optic cable.
74
Which choice below is NOT one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority
(IANA) for nonroutable private addresses?
A. 192.168.0.0 - 192.168.255.255
B. 127.0.0.0 - 127.0.255.255
C. 10.0.0.0 - 10.255.255.255
D. 172.16.0.0 - 172.31.255.255
Answer: B
Explanation: The other three address ranges can be used for Network Address Translation (NAT). While NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address 127.0.0.1 is called the loopback address. Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).
75
```
What does LAN stand for?
A. Local Adaptive Network
B. Local Arena News
C. Layered Addressed Network
D. Local Area Network
```
Answer: D
Explanation:
76
Which statement below about the difference between analog and digital
signals is incorrect?
A. Adigital signal produces a saw-tooth wave form.
B. Analog signals cannot be used for data communications.
C. An analog signal produces an infinite waveform.
D. An analog signal can be varied by amplification.
Answer: B
Explanation: The correct answer is "Analog signals cannot be used for data communications". The other
answers are all properties of analog or digital signals.
77
What does the protocol ARP do?
A. Takes a MAC address and finds an IP address to match
B. Sends messages to the devices regarding the health of the network
C. Takes an IP address and finds out the MAC address to which it belongs
D. Facilitates file transfers
Answer: C
Explanation: The correct answer is "Takes an IP address and finds out the MAC address to which it belongs". ARP starts with an IP address, then queries the network to find the MAC or hardware address of the workstation to which it belongs.
ICMP performs "Sends messages to the devices regarding the health of the network". RARP performs "Takes a MAC address and finds an IP address to match". FTP performs "Facilitates file transfers".
78
```
A group of processes that share access to the same resources is called:
A. A Trusted Computing Base (TCB)
B. A protection domain
C. An access control triple
D. An access control list
```
Answer: B
Explanation: In answer a, an access control list (ACL) is a list denoting which users have what privileges to a particular resource. Table illustrates an ACL. The table shows the subjects or users that have access to the object, FILE X and what privileges they have with respect to that file. For answer "An access control triple", an access control triple consists of the user, program, and file with the corresponding access privileges noted for each user.
The TCB, of answer "A Trusted Computing Base (TCB", is defined in the answers as the total combination of protection mechanisms within a computer system. These mechanisms include the firmware, hardware, and software that enforce the system security policy.
79
```
A database View operation implements the principle of:
A. Entity integrity.
B. Separation of duties.
C. Referential integrity.
D. Least privilege.
```
Answer: D
Explanation: The correct answer is "Least privilege". Least privilege, in the database context, requires that subjects be granted the most restricted set of access privileges to the data in the database that are consistent with the performance of their tasks.
Separation of duties, assigns parts of security-sensitive tasks to several individuals.
Entity integrity requires that each row in the relation table must have a non-NULL attribute. Relational integrity, answer d, refers to the requirement that for any foreign key attribute, the referenced relation must have the same value for its primary key.
80
Which choice below is NOT a common information-gathering technique when performing a risk analysis?
A. Employing automated risk assessment tools
B. Interviewing terminated employees
C. Reviewing existing policy documents
D. Distributing a questionnaire
Answer: B
Explanation: Any combination of the following techniques can be used in gathering information relevant to the IT system within its operational boundary: Questionnaire. The questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system. On-site Interviews. On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system. Document Review. Policy documents, system documentation, and security-related documentation can provide good information about the security controls used by and planned for the IT system. Use of Automated Scanning Tools. Proactive technical methods can be used to collect system information efficiently. Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
81
What is the BEST description of risk reduction?
A. Assuming all costs associated with the risk internally
B. Assigning any costs associated with risk to a third party
C. Removing all risk to the enterprise at any cost
D. Altering elements of the enterprise in response to a risk analysis
Answer: D
Explanation: The correct answer is "Altering elements of the enterprise in response to a risk analysis". Answer "Removing all risk to the enterprise at any cost" is not possible or desirable, "Assigning any costs associated with risk to a third party" is risk transference, and "Assuming all costs associated with the risk internally" is risk acceptance.
82
What are high-level policies?
A. They are step-by-step procedures to implement a safeguard.
B. They are the instructions on how to perform a Quantitative Risk Analysis.
C. They are recommendations for procedural controls.
D. They are statements that indicate a senior management's intention to support InfoSec.
Answer: D
Explanation: The correct answer is "They are statements that indicate a senior management's intention to support InfoSec". High-level policies are senior management statements of recognition of the importance of InfoSec controls.
83
What is the MOST accurate definition of a safeguard?
A. Acontrol designed to counteract a threat
B. Aguideline for policy recommendations
C. Astep-by-step instructional procedure
D. Acontrol designed to counteract an asset
Answer: A
Explanation: The correct answer is "Acontrol designed to counteract a threat". Answer "Aguideline for policy recommendations" is a guideline, "Astep-by-step instructional procedure" is a procedure, and "Acontrol designed to counteract an asset" is a distracter.
84
What does the protocol RARP do?
A. Sends messages to the devices regarding the health of the network
B. Facilitates file transfers
C. Takes an IP address and finds out the MAC address to which it belongs
D. Takes a MAC address and finds an IP address to match
Answer: D
Explanation: The correct answer is "Takes a MAC address and finds an IP address to match", the reverse of ARP. The Reverse Address Resolution Protocol knows a MAC (Media Access Control) address and asks the RARP server to match it with an IP address.
85
Which is NOT a property of a bridge?
A. Operates at Layer 2, the Data Link Layer
B. Operates at Layer 3, the Network Layer
C. Forwards the data to all other segments if the destination is not on the local segment
D. Can create a broadcast storm
Answer: B
Explanation: The correct answer is "Operates at Layer 3, the Network Layer". A bridge operates at Layer 2 and therefore does not use IP addressing to make routing decisions.
86
```
A type of preventive/physical access control is:
A. Biometrics for identification
B. An intrusion detection system
C. Biometrics for authentication
D. Motion detectors
```
Answer: A
Explanation: Biometrics applied to identification of an individual is a one-tomany search where an individual's physiological or behavioral characteristics are compared to a database of stored information. An example would be trying to match a person's fingerprints to a set in a national database of fingerprints. This search differs from the biometrics search for authentication in answer "Biometrics for authentication". That search would be a one-toone comparison of a person's physiological or behavioral characteristics with their corresponding entry in an authentication database. Answer "motion detectors" is a type of detective physical control and answer d is a detective/technical control.
87
What does an Exposure Factor (EF) describe?
A. The annual expected financial loss to an organization from a threat
B. The percentage of loss that a realized threat event would have on a specific asset
C. Anumber that represents the estimated frequency of the occurrence of an expected threat
D. Adollar figure that is assigned to a single event
Answer: B
Explanation: The correct answer is "The percentage of loss that a realized threat event would have on a specific asset". Answer "Adollar figure that is assigned to a single event" is an SLE, "Anumber that represents the estimated frequency of the occurrence of an expected threat" is an ARO, and "The annual expected financial loss to an organization from a threat" is an ALE.
88
```
Afirewall that performs stateful inspection of the data packet across all layers is considered a:
A. Fourth-generation firewall.
B. Second-generation firewall.
C. Third-generation firewall.
D. First-generation firewall.
```
Answer: C
Explanation: The correct answer is Third-generation firewall. A stateful inspection firewall is considered a thirdgeneration firewall.
89
```
Which is NOT a backup method type?
A. Incremental
B. Reactive
C. Full
D. Differential
```
Answer: B
Explanation: The correct answer is Reactive. Reactive is not a backup method.
90
```
What part of an access control matrix shows capabilities that one user has to multiple resources?
A. Rows
B. Columns
C. Rows and columns
D. Access control list
```
Answer: A
Explanation: The rows of an access control matrix indicate the capabilities that users have to a number of resources. An example of a row in the access control matrix showing the capabilities of user JIM is given in Table. Answer columns, columns in the access control matrix, define the access control list. Answer "Rows and columns" is incorrect since capabilities involve only the rows of the access control matrix. Answer "Access control list"
is incorrect since an ACL, again, is a column in the access control matrix.
91
```
Which policy type is MOST likely to contain mandatory or compulsory standards?
A. Regulatory
B. Guidelines
C. Advisory
D. Informative
```
Answer: A
Explanation: The correct answer is Regulatory. Answer Advisory, advisory policies, might specify penalties for non-compliance, but regulatory policies are required to be followed by the organization. Answers Guidelines and Informative are informational or recommended policies only.
92
```
Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?
A. SLE × ARO
B. Asset Value (AV) × EF
C. ARO × EF - SLE
D. % of ARO ×AV
```
Answer: A
Explanation: The correct answer is SLE × ARO. Answer Asset Value (AV) × EF is the formula for an SLE, and answers ARO × EF - SLE and % of ARO ×AV are nonsense.
93
A purpose of a security awareness program is to improve:
A. The security of vendor relations.
B. The possibility for career advancement of the IT staff.
C. The company's attitude about safeguarding data.
D. The performance of a company's intranet.
Answer: C
Explanation:
94
Which choice below is NOT an accurate description of an information
policy?
A. Information policy is senior management's directive to create a computer security program.
B. Information policy is a documentation of computer security decisions.
C. An information policy could be a decision pertaining to use of the organization's fax.
D. Information policies are created after the system's infrastructure has been designed and built.
Answer: D
Explanation: Computer security policy is often defined as the documentation of computer security decisions. The term policy has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy. A security policy is an important document to develop while designing an information system, early in the System Development Life Cycle (SDLC). The security policy begins with the organization's basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
95
```
Which part of the 48-bit, 12-digit hexadecimal number known as the Media Access Control (MAC) address identifies the manufacturer of the network device?
A. The last three bytes
B. The first two bytes
C. The first three bytes
D. The second half of the MAC address
```
Answer: C
Explanation: The first three bytes (or first half) of the six-byte MAC address is the manufacturer's identifier (see Table). This can be a good troubleshooting aid if a network device is acting up, as it will isolate the brand of the failing device. The other answers are distracters. Source: Mastering Network Security by Chris Brenton (Sybex, 1999).
96
Windows 2000 uses which of the following as the primary mechanism
for authenticating users requesting access to a network?
A. Kerberos
B. Hash functions
C. Public key certificates
D. SESAME
Answer: A
Explanation: While Kerberos is the primary mechanism, system administrators may also use alternative authentication services running under the Security Support Provider Interface (SSPI). Answer hash
functions, are used for digital signature implementations. Answer SESAME is incorrect. It is the Secure European System for Applications in a Multivendor Environment. SESAME performs similar functions to Kerberos, but uses public key cryptography to distribute the secret keys. Answer "Public key certificates" is incorrect, since public key certificates are not used in the Windows 2000 primary authentication approach.
97
```
Procedures that ensure that the access control mechanisms correctly implement the security policy for the entire life cycle of an information system are known as:
A. Accountability procedures.
B. Authentication procedures.
C. Assurance procedures.
D. Trustworthy procedures.
```
Answer: C
Explanation: The correct answer is "Assurance procedures".
Accountability, answer a, refers to the ability to determine the actions and behaviors of a single individual within a system and to identify that individual. Answer "Authentication procedures" involves testing or reconciling of evidence of a user's identity in order to establish that identity. Answer "Trustworthy procedures" is a distracter.
98
Which choice would be an example of a cost-effective way to enhance security awareness in an organization?
A. Train only managers in implementing InfoSec controls.
B. Calculate the cost-benefit ratio of the asset valuations for a risk analysis.
C. Train every employee in advanced InfoSec.
D. Create an award or recognition program for employees.
Answer: D
Explanation:
99
```
In a relational database, security is provided to the access of data through:
A. Candidate keys.
B. Views.
C. Joins.
D. Attributes.
```
Answer: B
Explanation: The correct answer is Views. Candidate keys, are the set of unique keys from which the primary key is selected. Answer joins indicates operations that can be performed on the database, and the attributes denote the columns in the relational table.
100
The Open Group has defined functional objectives in support of a user single sign-on (SSO) interface. Which of the following is NOT one of those objectives and would possibly represent a vulnerability?
A. Provision for user-initiated change of nonuser-configured authentication information.
B. Support shall be provided for a subject to establish a default user profile.
C. The interface shall be independent of the type of authentication information handled.
D. It shall not predefine the timing of secondary sign-on operations.
Answer: A
Explanation: User configuration of nonuser-configured authentication mechanisms is not supported by the Open Group SSO interface objectives. Authentication mechanisms include items such as smart cards and magnetic badges. Strict controls must be placed to prevent a user from changing configurations that are set by another authority. Objective a supports the incorporation of a variety of authentication schemes and technologies. Answer c states that the interface functional objectives do not require that all sign-on operations be performed at the same time as the primary sign on. This prevents the creation of user sessions with all the available services even though these services are not needed by the user.
The creation of a default user profile will make the sign-on more efficient and less time-consuming. In summary, the scope of the Open Group Single Sign-On Standards is to define services in support of: The development of applications to provide a common, single end-user sign-on interface for an enterprise. The development of applications for the coordinated management of multiple user account management information bases maintained by an enterprise.
101
Which choice below is NOT an accurate statement about an organization's incident-handling capability?
A. The organization's incident-handling capability should be used to contain and repair damage done from incidents.
B. It should be used to prevent future damage from incidents.
C. The organization's incident-handling capability should be used to detect and punish senior-level executive wrong-doing.
D. It should be used to provide the ability to respond quickly and effectively to an incident.
Answer: C
Explanation: An organization should address computer security incidents by developing an incident-handling capability. The incident-handling capability should be used to: Provide the ability to respond quickly and effectively. Contain and repair the damage from incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident. Prevent future damage. An incident-handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities. Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
102
```
Which is NOT a layer in the OSI architecture model?
A. Data Link
B. Internet
C. Transport
D. Session
```
Answer: B
Explanation: The correct answer is Internet. The Internet Layer is a TCP/IP architecture model layer.
103
```
Astandard data manipulation and relational database definition language is:
A. OOD
B. SQL
C. Script
D. SLL
```
Answer: B
Explanation: The correct answer is SQL. All other answers do not apply.
104
```
The main approach to obtaining the true biometric information from a collected sample of an individual's physiological or behavioral characteristics is:
A. False rejection
B. Enrollment
C. Digraphs
D. Feature extraction
```
Answer: D
Explanation: Feature extraction algorithms are a subset of signal/image processing and are used to extract the key biometric information from a sample that has been taken from an individual. Usually, the sample is taken in an environment that may have noise and other conditions that may affect the raw sample image. Neural networks are an example of a feature extraction approach.
Answer "enrollment" refers to the process of collecting samples that are averaged and then stored to use as a reference base against which future samples are compared.
Answer "False rejection" refers to the false rejection in biometrics. False rejection is the rejection of an authorized user because of a mismatch between the sample and the reference template. Conversely, false acceptance is the acceptance of an unauthorized user because of an incorrect match to the template of an authorized user. The corresponding measures in percentage are the False Rejection Rate (FRR) and False Acceptance Rate (FAR).
For answer diagraphs refer to sets of average values compiled in the biometrics area of keystroke dynamics. Keystroke dynamics involves analyzing the characteristics of a user typing on a keyboard. Keystroke duration samples as well as measures of the latency between keystrokes are taken and averaged. These averages for all pairs of keys are called diagraphs. Tri- graphs, sample sets for all key triples, can also be used as biometric samples.
105
The Secure European System for Applications in a Multivendor Environment (SESAME) implements a Kerberos-like distribution of secret keys. Which of the following is NOT a characteristic of SESAME?
A. Uses a trusted authentication server at each host
B. Incorporates two certificates or tickets, one for authentication and one defining access privileges
C. Uses secret key cryptography for the distribution of secret keys
D. Uses public key cryptography for the distribution of secret keys
Answer: C
Explanation: SESAME uses public key cryptography for the distribution of secret keys. In addition, SESAME employs the MD5 and crc32 oneway hash functions. A weakness in SESAME is that, similar to Kerberos, it is subject to password guessing.
106
```
Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network and facilitates communications through the assignment of:
A. Tokens.
B. Passwords.
C. Public keys.
D. Session keys.
```
Answer: D
Explanation: The correct answer is "Session keys". Session keys are temporary keys assigned by the KDC and used for an allotted period of time as the secret key between two entities. Answer a is incorrect because it refers to asym- metric encryption that is not used in the basic Kerberos protocol. Answer Passwords is incorrect because it is not a key, and answer Tokens is incorrect because a token generates dynamic passwords.
107
```
Which group represents the MOST likely source of an asset loss through inappropriate computer use?
A. Saboteurs
B. Hackers
C. Crackers
D. Employees
```
Answer: D
Explanation: The correct answer is Employees. Internal personnel far and away constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.
108
A reference monitor is a system component that enforces access controls on an object. Specifically, the reference monitor concept is an abstract machine that mediates all access of subjects to objects. The hardware, firmware, and software elements of a trusted computing base that
implement the reference monitor concept are called:
A. Identification and authentication (I & A) mechanisms
B. The auditing subsystem
C. The security kernel
D. The authorization database
Answer: C
Explanation: The security kernel implements the reference model concept. The reference model must have the following characteristics: It must mediate all accesses. It must be protected from modification. It must be verifiable as correct. Answer "the authorization database" is used by the reference monitor to mediate accesses by subjects to objects. When a request for access is received, the reference monitor refers to entries in the authorization database to verify that the operation requested by a subject for application to an object is permitted. The authorization database has entries or authorizations of the form subject, object, access mode.
In answer "Identification and authentication (I & A) mechanisms", the I & A operation is separate from the reference monitor. The user enters his/her identification to the I & A function. Then the user must be authenticated. Authentication is verification that the user's claimed identity is valid. Authentication is based on the following three factor types: Type 1. Something you know, such as a PIN or password Type 2. Something you have, such as an ATM card or smart card Type 3. Something you are (physically), such as a fingerprint or retina scan
Answer "The auditing subsystem" is a key complement to the reference monitor. The auditing subsystem is used by the reference monitor to keep track of the reference monitor's activities. Examples of such activities include the date and time of an access request, identification of the subject and objects involved, the access privileges requested and the result of the request.
109
```
Which choice below is NOT an element of IPSec?
A. Encapsulating Security Payload
B. Authentication Header
C. Layer Two Tunneling Protocol
D. Security Association
.
```
Answer: C
Explanation: The Layer Two Tunneling Protocol (L2TP) is a layer two tunneling protocol that allows a host to establish a virtual connection. Although L2TP, an enhancement to Layer Two Forwarding Protocol (L2F) and supporting some features of Point to Point Tunneling Protocol (PPTP), may coexist with IPSec, it is not natively an IPSec component. Answer a, the Authentication Header (AH), is an authenticating protocol that uses a hash signature in the packet header to validate the integrity of the packet data and the authenticity of the sender.
* the Security Association (SA), is a component of the IPSec architecture that contains the information the IPSec device needs to process incoming and outbound IPSec packets. IPSec devices embed a value called the Security Parameter Index (SPI) in the header to associate a datagram with its SA, and store SAs in a Security Association Database (SAD). * the Encapsulating Security Payload (ESP), is an authenticating and encrypting protocol that provides integrity, source authentication, and confidentiality services. Source: Implementing IPSec by Elizabeth Kaufman and Andrew Newman (Wiley, 1999)
110
Which choice below is an accurate statement about the difference between monitoring and auditing?
A. A system audit is an ongoing real-time activity that examines a system.
B. A system audit cannot be automated.
C. Monitoring is an ongoing activity that examines either the system or the users.
D. Monitoring is a one-time event to evaluate security.
Answer: C
Explanation: System audits and monitoring are the two methods organizations use to maintain operational assurance. Although the terms are used loosely within the computer security community, a system audit is a one-time or periodic event to evaluate security, whereas monitoring refers to an ongoing activity that examines either the system or the users. In general, the more real-time an activity is, the more it falls into the category of monitoring. Source: NIST Special Publication 800- 14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
111
```
The type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access is called:
A. Mandatory access control.
B. Rule-based access control.
C. Discretionary access control.
D. Sensitivity-based access control.
```
Answer: C
Explanation: The correct answer is "Discretionary access control". Answers "Mandatory access control" and "Rule-based access control." require strict adherence to labels and clearances. Answer "Sensitivity-based access control." is a made-up distracter.
112
The number of times a password should be changed is NOT a function of:
A. The responsibilities and clearance of the user.
B. The criticality of the information to be protected.
C. The type of workstation used.
D. The frequency of the password's use.
Answer: C
Explanation: The correct answer is "The type of workstation used.". The type of workstation used as the platform is not the determining factor. The other options are determining factors.
113
Three things that must be considered for the planning and implementation of access control mechanisms are:
A. Threats, assets, and objectives.
B. Threats, vulnerabilities, and risks.
C. Vulnerabilities, secret keys, and exposures.
D. Exposures, threats, and countermeasures.
Answer: B
Explanation: The correct answer is "Threats, vulnerabilities, and risks". Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and the risk determines the probability of threats being realized. All three items must be present to meaningfully apply access control. Therefore, the other answers are incorrect
114
```
Access control that is a function of factors such as location, time of day, and previous access history is called:
A. Information flow
B. Context-dependent
C. Positive
D. Content-dependent
```
```
Answer: B
Explanation: In answer "Context-dependent", access is determined by the context of the decision as opposed to the information contained in the item being accessed. The latter is referred to as content-dependent access control. In content- dependent access control, for example, the manager of a department may be authorized to access employment records of a department employee, but may not be permitted to view the health records of the employee. * The term positive in access control refers to positive access rights, such as read or write. Denial rights, such as denial to write to a file, can also be conferred upon a subject. * Information flowdescribes a class of access control models. An informa- tion flow model is described by the set consisting of object, flow policy, states, and rules describing the transitions among states.
```
115
To what does covert channel eavesdropping refer?
A. Using a hidden, unauthorized network connection to communicate unauthorized information
B. The use of two-factor passwords
C. Nonbusiness or personal use of the Internet
D. Socially engineering passwords from an ISP
Answer: A
Explanation: The correct answer is "Using a hidden, unauthorized network connection to communicate unauthorized information". A Covert Channel is a connection intentionally created to transmit unauthorized information from inside a trusted network to a partner at an outside, untrusted node.
Answer "Socially engineering passwords from an ISP" is called masquerading.
116
```
In a relational database system, a primary key is chosen from a set of:
A. Candidate keys.
B. Foreign keys.
C. Secondary keys.
D. Cryptographic keys.
```
Answer: A
Explanation: The correct answer is candidate keys by definition. Answer Foreign keys is incorrect because a foreign key in one table refers to a primary key in another. Answer Secondary keys is a made-up distracter, and answer Cryptographic key refers to keys used in encipherment and decipherment.
117
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and availability. Which of the following is NOT a goal of integrity?
A. Preservation of the internal and external consistency of the information
B. Prevention of the modification of information by unauthorized users
C. Prevention of the unauthorized or unintentional modification of information by authorized users
D. Prevention of authorized modifications by unauthorized users
Answer: D
Explanation: The other options are the three principles of integrity. Answer "Prevention of authorized modifications by unauthorized users" is a distracter and does not make sensE. * Internal consistency ensures that internal data correlate. For example, the total number of a particular data item in the database should be the sum of all the individual, non-identical occurrences of that data item in the database. External consistency requires that the database content be consistent with the real world items that it represents.
118
To what does 10Base-5 refer?
A. 100 Mbps unshielded twisted pair cabling
B. 10 Mbps thinnet coax cabling rated to 185 meters maximum length
C. 10 Mbps thicknet coax cabling rated to 500 meters maximum length
D. 10 Mbps baseband optical fiber
Answer: C
Explanation: The correct answer is "10 Mbps thicknet coax cabling rated to 500 meters maximum length". Answer "10 Mbps thinnet coax cabling rated to 185 meters maximum length" refers to 10Base-2. 10 Mbps baseband optical fiber refers to 10Base-F. 100 Mbps unshielded twisted pair cabling to 100Base-T.
119
Which choice below is the BEST description of an Annualized Loss Expectancy (ALE)?
A. The expected risk factor of an annual threat event, derived by multiplying the SLE by its ARO
B. The percentile of the value of the asset expected to be lost, used to calculate the SLE
C. A value determined by multiplying the value of the asset by its exposure factor
D. An estimate of how often a given threat event may occur annually
Answer: A
Explanation: Answer "An estimate of how often a given threat event may occur annually" describes the Annualized Rate of Occurrence (ARO). Answer "The percentile of the value of the asset expected to be lost, used to calculate the SLE" describes the Exposure Factor (EF). Answer "A value determined by multiplying the value of the asset by its exposure factor" describes the algorithm to determine the Single Loss Expectancy (SLE) of a threat.
120
Which statement below is accurate about the difference between issuespecific and system-specific policies?
A. Issue-specific policy commonly addresses only one system.
B. Issue-specific policy is much more technically focused.
C. System-specific policy is much more technically focused.
D. System-specific policy is similar to program policy.
Answer: C
Explanation: Often, managerial computer system security policies are categorized into three basic types: Program policy used to create an organization's computer security program Issue-specific policies used to address specific issues of concern to the organization System-specific policies technical directives taken by management to protect a particular system Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. System-specific policy is much more focused, since it addresses only one system. Table A.1 helps illustrate the difference between these three types of policies. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publica- tion 800-12.
121
```
Which protocol below does NOT pertain to e-mail?
A. SMTP
B. CHAP
C. POP
D. IMAP
```
Answer: B
Explanation: The Challenge Handshake Authentication Protocol (CHAP) is used at the startup of a remote link to verify the identity of a remote node.
* The Simple Mail Transfer Protocol (RFCs 821 and 1869), is used by a server to deliver e-mail over the Internet. * the Post Office Protocol (RFC 1939), enables users to read their email by downloading it from a remote server on to their local computer.
* the Internet Message Access Protocol (RFC 2060), allows users to read their e-mail on a remote server, without downloading the mail locally. Source: Handbook of Computer Crime Investigation Edited by Eoghan Casey (Academic Press, 2002).
122
```
Which one of the following security areas is directly addressed by Kerberos?
A. Confidentiality
B. Frequency analysis
C. Availability
D. Physical attacks
```
Answer: A
Explanation: Kerberos directly addresses the confidentiality and also the integrity of information.
* attacks such as frequency analysis are not considered in the basic Kerberos implementation. In addition, the Kerberos protocol does not directly address availability issues. (Answer Availability.) For answer "Physical attac", since the Kerberos TGS and the authentication servers hold all the secret keys, these servers are vulnerable to both physical attacks and attacks from malicious code. In the Kerberos exchange, the client workstation temporarily holds the client's secret key, and this key is vulnerable to compromise at the workstation.
123
In finger scan technology,
A. More storage is required than in fingerprint technology.
B. The full fingerprint is stored.
C. The technology is applicable to large, one-to-many database searches.
D. Features extracted from the fingerprint are stored.
Answer: D
Explanation: The correct answer is "Features extracted from the fingerprint are store". The features extracted from the fingerprint are stored. Answer "The full fingerprint is stored" is incorrect because the equivalent of the full fingerprint is not stored in finger scan technology. Answers "More storage is required than in fingerprint technology" and "The technology is applicable to large, one-to-many database searches" are incorrect because the opposite is true of finger scan technology.
124
```
Which of the following is NOT a VPN remote computing protocol?
A. PPTP
B. L2F
C. L2TP
D. UTP
```
Answer: D
Explanation: The correct answer is UTP. UTP stands for unshielded twisted pair wiring.
125
```
What does CSMA stand for?
A. Common Systems Methodology Applications
B. Carrier Sense Multiple Access
C. Carrier Sense Multiple Attenuation
D. Carrier Station Multi-port Actuator
```
Answer: B
Explanation: The correct answer is "Carrier Sense Multiple Access". The other acronyms do not exist.
126
```
What is the protocol that supports sending and receiving email?
A. SNMP
B. RARP
C. SMTP
D. ICMP
```
Answer: C
Explanation: The correct answer is SNMP, Simple Mail Transport Protocol. It queues and transfers email. SNMP stands for Simple Network Management Protocol. ICMP stands for Internet Control Message Protocol. RARP stands for Reverse Address Resolution Protocol
127
```
The fundamental entity in a relational database is the:
A. Cost.
B. Pointer.
C. Relation.
D. Domain.
```
Answer: C
Explanation: The correct answer is Relation. The fundamental entity in a relational database is the relation in the form of a table. Answer Domain is the set of allowable attribute values, and answers Pointer and Cost are distracters.
128
Which is NOT a property of a packet-switched network?
A. Connectionless network
B. Packets are assigned sequence numbers
C. Connection-oriented network
D. Characterized by bursty traffic
Answer: C
Explanation: The correct answer is "Connection-oriented network". Packet-switched networks are considered connectionless networks; circuit-switched networks are considered connection-oriented.
129
```
Which choice is NOT an accurate description of C.I.A.?
A. A stands for authorization.
B. I stands for integrity.
C. A stands for availability.
D. C stands for confidentiality.
```
Answer: A
Explanation:
130
```
In a wireless General Packet Radio Services (GPRS) Virtual Private Network (VPN) application, which of the following security protocols is commonly used?
A. SSL
B. IPSEC
C. TLS
D. WTP
```
Answer: B
Explanation: An example is the use of a GPRS-enabled laptop that connects to a corporate intranet via a VPN. The laptop is given an IP address and a RADIUS server authenticates the user. IPSEC is used to create the VPN. As background, GPRS is a second-generation (2G) packet data technology that is overlaid on existing Global System for Mobile communications (GSM). GSM is the wireless analog of the ISDN landline system. The key features of GPRS are that it is always on line (no dial-up needed), existing GSM networks can be upgraded with GPRS, and it can serve as the packet data core of third generation (3G) systems.
Answers SSL and TLS are similar security protocols that are used on the Internet side of the Wireless Application Protocol (WAP) Gateway.
For answer WTP is the Wireless Transaction Protocol that is part of the WAP suite of protocols. WTP is a lightweight, message-oriented, transaction protocol that provides more reliable connections than UDP, but does not have the robustness of TCP.
131
Which choice below is NOT an example of appropriate security management practice?
A. Reviewing access logs for unauthorized behavior
B. Monitoring employee performance in the workplace
C. Promoting and implementing security awareness programs
D. Researching information on new intrusion exploits
Answer: B
Explanation: Monitoring employee performance is not an example of security management, or a job function of the Information Security Officer. Employee performance issues are the domain of human resources and the employee's manager. The other three choices are appropriate practice for the information security area.
132
Which choice below is the BEST description of a vulnerability?
A. A potential incident that could cause harm
B. The minimization of loss associated with an incident C. A weakness in a system that could be exploited
D. A company resource that could be lost due to an incident
Answer: C
Explanation: The correct answer is "A weakness in a system that could be exploited". Answer "A company resource that could be lost due to an incident" describes an asset, answer "The minimization of loss associated with an incide" describes risk management, and answer "A potential incident that could cause harm"describes a threat.
133
```
The description of a relational database is called the:
A. Schema
B. Record
C. Attribute
D. Domain
```
Answer: A
Explanation: The correct answer is Schema. The other answers are portions of a relation or table.
134
Which choice below would NOT be considered an element of proper user account management?
A. A process for tracking access authorizations should be implemented.
B. Periodically re-screen personnel in sensitive positions.
C. The users' accounts should be reviewed periodically.
D. Users should never be rotated out of their current duties.
Answer: D
Explanation: Organizations should ensure effective administration of users' computer access to maintain system security, including user account management, auditing, and the timely modification or removal of access. This includes: User Account Management. Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users and their respective access authorizations, and managing these functions. Management Reviews. It is necessary to periodically review user accounts. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, and whether required training has been completed. Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts, such as rotating employees in sensitive positions, which could expose a scam that required an employee's presence, or periodic re-screening of personnel. Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
135
```
FDDI uses what type of network topology?
A. MESH
B. RING
C. STAR
D. BUS
```
Answer: B
Explanation: The correct answer is RING. FDDI is a RING topology, like Token Ring
136
```
Which network attack below would NOT be considered a Denial of Service attack?
A. Ping of Death
B. SMURF
C. TCP SYN
D. Brute Force
```
Answer: D
Explanation: A brute force attack is an attempt to use all combinations of key patterns to decipher a message. The other three attacks are commonly used to create a Denial of Service (DoS).
* Ping of Death, exploits ICMP by sending an illegal ECHO packet of >65K octets of data, which can cause an overflow of system variables and lead to a system crash. * SMURF, is a type of attack using spoofed ICMP ECHO requests to broadcast addresses, which the routers attempt to propagate, congesting the network. Three participants are required for a SMURF attack: the attacker, the amplifying network, and the victim. * a TCP SYN flood attack, generates phony TCP SYN packets from random IP addresses at a rapid rate to fill up the connection queue and stop the system from accepting legitimate users. Source: Hacking Exposed by Stuart McClure, Joel Scambray, and George Kurtz (Osborne, 1999)
137
There are some correlations between relational data base terminology and object-oriented database terminology. Which of the following relational model terms, respectively, correspond to the object model
terms of class, attribute and instance object?
A. Relation, column, and tuple
B. Relation, domain, and column
C. Domain, relation, and column
D. Relation, tuple, and column
```
Answer: A
Explanation: Table shows the correspondence between the two models. In comparing the two models, a class is similar to a relation; however, a relation does not have the inheritance property of a class. An attribute in the object model is similar to the column of a relational table. The column has limitations on the data types it can hold while an attribute in the object model can use all data types that are supported by the Java and C++ languages. An instance object in the object model corresponds to a tuple in the relational model. Again the data structures of the tuple are limited while those of the instance object can use data structures of Java and C++.
```
138
```
Which IEEE protocol defines the Spanning Tree protocol?
A. IEEE 802.1D
B. IEEE 802.11
C. IEEE 802.5
D. IEEE 802.3
```
Answer: A
Explanation: The 802.1D spanning tree protocol is an Ethernet link-management protocol that provides link redundancy while preventing routing loops. Since only one active path can exist for an Ethernet network to route properly, the STP algorithm calculates and manages the best loop-free path through the network.
IEEE 802.5 specifies a token-passing ring access method for LANs. IEEE 802.3 specifies an Ethernet bus topology using Carrier Sense Multiple Access Control/Carrier Detect (CSMA/CD). IEEE 802.11 is the IEEE standard that specifies 1 Mbps and 2 Mbps wireless connectivity in the 2.4 MHz ISM (Industrial, Scientific, Medical) band. Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).
139
What does the Data Encapsulation in the OSI model do?
A. Provides best effort delivery of a data packet
B. Creates seven distinct layers
C. Wraps data from one layer around a data packet from an adjoining layer
D. Makes the network transmission deterministic
Answer: C
Explanation: The correct answer is "Wraps data from one layer around a data packet from an adjoining layer". Data Encapsulation attaches information from one layer to the packet as it travels from an adjoining layer. The OSI-layered architecture model creates seven layers. The TCP/IP protocol UDP provides best effort packet delivery, and a tokenpassing transmission scheme creates a deterministic network because it is possible to compute the maximum predictable delay.
140
Object-Oriented Database (OODB) systems:
A. Are useful in storing and manipulating complex data, such as images and graphics.
B. Consume minimal system resources.
C. Are ideally suited for text-only information.
D. Require minimal learning time for programmers.
Answer: A
Explanation: The correct answer is "Are useful in storing and manipulating complex data, such as images and graphics". The other answers are false, because for answer "Are ideally suited for text-only information" relational databases are ideally suited to text-only information, "Require minimal learning time for programmers" and "Consume minimal system resources". OODB systems have a steep learning curve and consume a large amount of system resources.
141
The goals of integrity do NOT include:
A. Accountability of responsible individuals
B. Prevention of the unauthorized or unintentional modification of information by authorized users
C. Preservation of internal and external consistency
D. Prevention of the modification of information by unauthorized users
Answer: A
Explanation: The correct answer is "Accountability of responsible individuals". Accountability is holding individuals responsible for their actions. The other options are the three goals of integrity.
142
Which choice below most accurately reflects the goals of risk mitigation?
A. Analyzing the effects of a business disruption and preparing the company's response
B. Analyzing and removing all vulnerabilities and threats to security within the organization
C. Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level
D. Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party, such as an insurance carrier
Answer: C
Explanation: The correct answer is "Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level ". The goal of risk mitigation is to reduce risk to a level acceptable to the organization. Therefore risk needs to be defined for the organization through risk analysis, business impact assessment, and/or vulnerability assessment. Answer "Analyzing and removing all vulnerabilities and threats to security within the organization" is not possible. Answer "Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party, such as an insurance carrier" is called risk transference. Answer "Analyzing the effects of a business disruption and preparing the company's response " is a distracter.
143
```
In SQL, a relation that is actually existent in the database is called a(n):
A. Base relation
B. Domain
C. View
D. Attribute
```
Answer: A
Explanation: Abase relation exists in the database while a view is a virtual relation that is not stored in the database. A view is derived by the SQL definition and is developed from base relations or, possibly, other views. An attribute, is a column in a relation table and a domain is the set of permissible values of an attribute.
144
Which choice is NOT a good criterion for selecting a safeguard?
A. The ability to recover from a reset without damaging the asset
B. Accountability features for tracking and identifying operators
C. The ability to recover from a reset with the permissions set to allow all
D. Comparing the potential dollar loss of an asset to the cost of a safeguard
Answer: C
Explanation: The correct answer is "The ability to recover from a reset with the permissions set to cllow all". Permissions should be set to deny all during reset.
145
```
Which UTP cable category is rated for 16 Mbps?
A. Category 6
B. Category 5
C. Category 7
D. Category 4
Answer: D
```
Explanation: The correct answer is a. UTP Category 4 cabling is common in later Token Ring networks and is rated for up to 16 Mbps.
Answer b, category 5, is rated for 100Mbps; answer c is rated for 155 Mbps; and answer d is rated for 1Gbps.
146
A protection mechanism to limit inferencing of information in statistical database queries is:
A. Specifying a maximum query set size
B. Specifying a minimum query set size, but prohibiting the querying of all but one of the records in the database
C. Specifying a minimum query set size
D. Specifying a maximum query set size, but prohibiting the querying of all but one of the records in the database
Answer: B
Explanation: When querying a database for statistical information, individually identifiable information should be protected. Thus, requiring a minimum size for the query set (greater than one) offers protection against gathering information on one individual. However, an attack may consist of gathering statistics on a query set size M, equal to or greater than the minimum query set size, and then requesting the same statistics on a query set size of M + 1. The second query set would be designed to include the individual whose information is being sought surreptitiously.
*Thus with answer "Specifying a minimum query set size, but prohibiting the querying of all but one of the records in the database", this type of attack could not take place. * Answer "Specifying a minimum query set size" is, therefore, incorrect since it leaves open the loophole of the M+1 set size query. Answers "Specifying a maximum query set size" and "Specifying a maximum query set size, but prohibiting the querying of all but one of the records in the database" are incorrect since the critical metric is the minimum query set size and not the maximum size. Obviously, the maximum query set size cannot be set to a value less than the minimum set size.
147
Which choice below MOST accurately describes the organization's responsibilities during an unfriendly termination?
A. The employee should be given time to remove whatever files he needs from the network.
B. Cryptographic keys can remain the employee's property.
C. System access should be removed as quickly as possible after termination.
D. Physical removal from the offices would never be necessary.
Answer: C
Explanation: Friendly terminations should be accomplished by implementing a standard set of procedures for outgoing or transferring employees. This normally includes: Removal of access privileges, computer accounts, authentication tokens. The control of keys. The briefing on the continuing responsibilities for confidentiality and privacy. Return of property. Continued availability of data. In both the manual and the electronic worlds this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk, and how they are backed up. Employees should be instructed whether or not to clean up their PC before leaving. If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured. Given the potential for adverse consequences during an unfriendly termination, organizations should do the following: System access should be terminated as quickly as possible when an employee is leaving a position under less-than-friendly terms. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal. When an employee notifies an organization of the resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated. During the notice of termination period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications. In some cases, physical removal from the offices may be necessary. Source: NIST Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems.
148
Which choice below is an accurate statement about standards?
A. Standards are senior management's directives to create a computer security program.
B. Standards are used to describe how policies will be implemented within an organization.
C. Standards are the high-level statements made by senior management in support of information systems security.
D. Standards are the first element created in an effective security policy program.
Answer: B
Explanation: The other options describe policies. Guidelines, standards, and procedures often accompany policy, but always follow the senior level management's statement of policy. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization. Simply put, the three break down as follows: Standards specify the use of specific technologies in a uniform way (for example, the standardization of operating procedures). Guidelines are similar to standards but are recommended actions. Procedures are the detailed steps that must be performed for any task.
149
Which choice below is NOT a common result of a risk analysis?
A. Valuations of critical assets
B. Definition of business recovery roles
C. Likelihood of a potential threat
D. A detailed listing of relevant threats
Answer: B
Explanation: The correct answer is "Definition of business recovery roles". The first three answers are common results of a risk analysis to determine the probability and effect of threats to company assets. Answer "Definition of business recovery roles"is a distracter.
150
```
Which of the following is NOT a criterion for access control?
A. Role
B. Identity
C. Keystroke monitoring
D. Transactions
```
Answer: C
Explanation: Keystroke monitoring is associated with the auditing function and not access control. For answer a, the identity of the user is a criterion for access control. The identity must be authenticated as part of the I & A process.
Answer Role refers to role-based access control where access to information is determined by the user's job function or role in the organization. Transactions refer to access control through entering an account number or a transaction number, as may be required for bill payments by telephone, for example.
151
Which question below is NOT accurate regarding the process of risk assessment?
A. Risk assessment is the final result of the risk management methodology.
B. The likelihood of a threat must be determined as an element of the risk assessment.
C. Risk assessment is the first process in the risk management methodology
D. The level of impact of a threat must be determined as an element of the risk assessment.
Answer: A
Explanation: Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threatsource can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat's exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected. Source: NIST Special Publication 800-30, Risk Management Guide for Information Tech- nology Systems.
152
```
Which LAN transmission method below describes a packet sent from a single source to multiple specific destinations?
A. Multicast
B. Unicast
C. Anycast
D. Broadcast
```
Answer: A
Explanation: The correct answer is multicast. Unicast describes a packet sent from a single source to a single destination. Broadcast describes a packet sent to all nodes on the network segment. Anycast, refers to communication between any sender and the nearest of a group of receivers in a network.
153
```
Which choice below is NOT considered an information classification role?
A. Data custodian
B. Data alterer
C. Data user
D. Data owner
```
Answer: B
Explanation: The correct answer is "Data alterer". Data owners, custodians, and users all have defined roles in the process of information classification. Answer "Data alterer" is a distracter.
154
```
An example of two-factor authentication is:
A. An ID and a PIN.
B. A PIN and an ATM card.
C. A finger print.
D. A password and an ID.
```
Answer: B
Explanation: The correct answer is "APIN and an ATM card". These items are something you know and something you have. Answer "A password and an ID" is incorrect because essentially, only one factor is being used: something you know (password.).
Answer "An ID and a PIN" is incorrect for the same reason. Answer "A finger print" is incorrect because only one biometric factor is being used.
155
Which statement below is NOT true about the difference between cutthrough and store-and-forward switching?
A. Both methods operate at layer two of the OSI reference model.
B. A cut-through switch introduces more latency than a store-andforward switch.
C. A store-and-forward switch reads the whole packet and checks its validity before sending it to the next destination.
D. A cut-through switch reads only the header on the incoming data packet.
Answer: B
Explanation: A cut-through switch provides less latency than a store-and forward switch, as it forwards the frame before it has received the complete frame. However, cut-through switches may also forward defective or empty packets. Source: Virtual LANs by Mariana Smith (McGraw-Hill, 1998).
156
Which choice below is a role of the Information Systems Security Officer?
A. The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
B. The ISO is responsible for day-to-day security administration.
C. The ISO is responsible for following security procedures and reporting security problems.
D. The ISO establishes the overall goals of the organization's computer security program.
Answer: B
Explanation: Answer "The ISO establishes the overall goals of the organization's computer security program" is a responsibility of senior management. Answer "The ISO is responsible for examining systems to see whether they are meeting stated security requirements" is a description of the role of auditing. Answer "The ISO is responsible for following security procedures and reporting security problems" is the role of the user, or consumer, of security in an organization.
157
```
A password that is the same for each logon is called a:
A. Dynamic password.
B. Static password.
C. One-time pad.
D. Passphrase.
```
Answer: B
Explanation: The correct answer is "Static password.". In answer a, the password changes at each logon. For answer Passphrase, a passphrase is a long word or phrase that is converted by the system to a password. In answer "One-time pad", a one-time pad refers to a using a random key only once when sending a cryptographic message.
158
RAID refers to the:
A. Rapid And Inexpensive Digital tape backup.
B. Remote Administration of Internet Domains.
C. Redundant Arrays of Intelligent Disks.
D. Redundant And fault tolerant Internet working Devices.
Answer: C
Explanation: The correct answer is Redundant Arrays of Intelligent Disks. The other acronyms do not exist.
159
Enterprise Access Management (EAM) provides access control management services to Web-based enterprise systems. Which of the following functions is NOT normally provided by extant EAM approaches?
A. Accommodation of a variety of authentication mechanisms
B. Interoperability among EAM implementations
C. Role-based access control
D. Single sign-on
Answer: B
Explanation: In general, security credentials produced by one EAM solution are not recognized by another implementation. Thus, reauthentication is required when linking from one Web site to another related Web site if the sites have different EAM implementations.
Answer "Single sign-on" (SSO) is approached in a number of ways. For example, SSO can be implemented on Web applications in the same domain residing on different servers by using nonpersistent, encrypted cookies on the client interface. This is accomplished by providing a cookie to each application that the user wishes to access. Another solution is to build a secure credential for each user on a reverse proxy that is situated in front of the Web server. The credential is, then, presented at each instance of a user attempting to access protected Web applications. For answer b, most EAM solutions accommodate a variety of authentication technologies, including tokens, ID/passwords and digital certificates. Similarly, for answer c, EAM solutions support role-based access controls, albeit they may be implemented in different fashions. Enterprise-level roles should be defined in terms that are universally accepted across most ecommerce applications.
160
```
Which is NOT a remote security method?
A. Caller ID
B. Callback
C. VoIP
D. Restricted Address
```
Answer: C
Explanation: The correct answer is VoIP. VoIP stands for Voice-Over-IP, a digital telephony technology.
161
What is the prime directive of Risk Management?
A. Reduce all risks regardless of cost.
B. Transfer any risk to external third parties.
C. Reduce the risk to a tolerable level.
D. Prosecute any employees that are violating published security policies.
Answer: C
Explanation: The correct answer is "Reduce the risk to a tolerable level. Risk can never be eliminated, and Risk Management must find the level of risk the organization can tolerate and still function effectively.
162
```
What is NOT a feature of TACACS+?
A. Replaces older Frame Relay-switched networks
B. Enables a user to change passwords
C. Enables two-factor authentication
D. Resynchronizes security tokens
```
Answer: A
Explanation: The correct answer is "Replaces older Frame Relay-switched networks". TACACS+ has nothing to do with Frame Relay networks.
163
```
Which choice below is the earliest and the most commonly found Interior Gateway Protocol?
A. OSPF
B. RIP
C. IGRP
D. EAP
```
Answer: B
Explanation: The Routing Information Protocol (RIP) bases its routing path on the distance (number of hops) to the destination. RIP maintains optimum routing paths by sending out routing update messages if the network topology changes. For example, if a router finds that a particular link is faulty, it will update its routing table, then send a copy of the modified table to each of its neighbors.
* the Open Shortest Path First (OSPF) is a link-state hierarchical routing algorithm intended as a successor to RIP. It features least-cost routing, multipath routing, and load balancing. * the Internet Gateway Routing Protocol (IGRP) is a Cisco protocol that uses a composite metric as its routing metric, including bandwidth, delay, reliability, loading, and maximum transmission unit. * the Extensible Authentication Protocol (EAP), is a general protocol for PPP authentication that supports multiple remote authentication mechanisms. Source: Introduction to Cisco Router Configuration edited by Laura Chappell (Cisco Press, 1999).
164
```
What does TFTP stand for?
A. Trivial File Transport Protocol
B. Transport File Transfer Protocol
C. Transport for TCP/IP
D. Trivial File Transfer Protocol
```
Answer: D
Explanation: The correct answer is "Trivial File Transfer Protocol". The other acronyms do not exist.
165
An important control that should be in place for external connections to
a network that uses call-back schemes is:
A. Call enhancement
B. Breaking of a dial-up connection at the organization's computing resource side of the line
C. Breaking of a dial-up connection at the remote user's side of the line
D. Call forwarding
Answer: B
Explanation: One attack that can be applied when call back is used for remote, dial-up connections is that the caller may not hang up. If the caller had been previously authenticated and has completed his/her session, a live connection into the remote network will still be maintained. Also, an unauthenticated remote user may hold the line open, acting as if call-back authentication has taken place. Thus, an active disconnect should be effected at the computing resource's side of the line. Answer "Breaking of a dial-up connection at the remote user's side of the line" is not correct since it involves the caller hanging up. Answer "call forwarding" is a feature that should be disabled, if possible, when used with call-back schemes. With call back, a cracker can have a call forwarded from a valid phone number to an invalid phone number during the call-back process. Answer "Call enhancement" is a distracter.
166
```
An important element of database design that ensures that the attributes in a table depend only on the primary key is:
A. Data reuse.
B. Data integrity.
C. Data normalization.
D. Database management.
```
Answer: C
Explanation: The correct answer is "Data normalization". Normalization includes eliminating redundant data and eliminating attributes in a table that are not dependent on the primary key of that table. In answer a, a database management system (DBMS) provides access to the database and is used for maintaining the database. Answers "Data integrity" and "Data reuse" are distracters.
167
```
Which IEEE standard defines wireless networking in the 5GHz band with speeds of up to 54 Mbps?
A. 802.3
B. 802.11b
C. 802.5
D. 802.11a
```
Answer: D
Explanation: The correct answer is 802.11a. Answer . 802.5 defines a token-passing ring access method. Answer 802.11b defines a wireless LAN in the 2.4 GHz band with speeds up to 11 Mbps. Answer 802.3 describes a bus topology using CSMA/CD at 10 Mbps.
168
Which choice below is an incorrect description of a control?
A. Controls are the countermeasures for vulnerabilities.
B. Corrective controls reduce the likelihood of a deliberate attack.
C. Detective controls discover attacks and trigger preventative or corrective controls.
D. Corrective controls reduce the effect of an attack.
Answer: B
Explanation: Controls are the countermeasures for vulnerabilities. There are many kinds, but generally they are categorized into four types: Deterrent controls reduce the likelihood of a deliberate attack. Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Preventative controls inhibit attempts to violate security policy. Corrective controls reduce the effect of an attack. Detective controls discover attacks and trigger preventative or corrective controls. Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums. Source: Introduction to Risk Analysis, "Corrective controls reduce the effect of an attack" & "Detective controls discover attacks and trigger preventative or corrective controls" Security Risk Analysis Group and NIST Special Publication 800-30, Risk Management Guide for Information Technology System
169
Which statement below most accurately describes the difference between security awareness, security training, and security education?
A. Security education is required for all system operators.
B. Security training is more in depth than security education.
C. Security training teaches the skills that will help employees to perform their jobs more securely.
D. Security awareness is not necessary for high-level senior executives.
Answer: C
Explanation: Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. The purpose of training is to teach people the skills that will enable them to perform their jobs more securely. Security education is more in depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Management commitment is necessary because of the resources used in developing and implementing the program and also because the program affects their staff. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12
170
Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?
A. The custodian implements the information classification scheme after the initial assignment by the owner.
B. The data owner implements the information classification scheme after the initial assignment by the custodian.
C. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
D. The custodian implements the information classification scheme after the initial assignment by the operations manager.
Answer: A Explanation:
171
```
Intrusion detection systems can be all of the following types EXCEPT:
A. Signature-based.
B. Statistical anomaly-based.
C. Network-based.
D. Defined-based.
```
Answer: D
Answer: D
Explanation: The correct answer is Presentation Layer. MIDI is a Presentation layer protocol. Explanation: The correct answer is Defined-based. All the other answers are types of IDSs.
172
```
In which OSI layer does the MIDI digital music protocol standard reside?
A. Session Layer
B. Application Layer
C. Transport Layer
D. Presentation Layer
```
Answer: D
Explanation: The correct answer is Presentation Layer. MIDI is a Presentation layer protocol.
173
Which choice below is NOT an example of the appropriate external distribution
of classified information?
A. Upon senior-level approval after a confidentiality agreement
B. Compliance with a court order
C. IAW contract procurement agreements for a government project
D. To influence the value of the company's stock price
Answer: D
Explanation: The correct answer is "To influence the value of the company's stock price". Answers "Compliance with a court order", "Upon senior-level approval after a confidentiality agreement", and "IAW contract procurement agreements for a government project" are all examples of the need for possible external distribution of internal classified information.
174
```
Which is NOT a layer in the TCP/IP architecture model?
A. Internet
B. Host-to-host
C. Application
D. Session
```
Answer: D
Explanation: The correct answer is Session. The Session Layer is an OSI model layer.
175
Which choice below is NOT an example of an issue-specific policy?
A. Virus-checking disk policy
B. Defined router ACLs
C. Unfriendly employee termination policy
D. E-mail privacy policy
Answer: B
Explanation: Answer c is an example of a system-specific policy, in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST. Issue-specific policies are similar to program policies, in that they are not technically focused. While program policy is traditionally more general and strategic (the organization's computer security program, for example), issue-specific policy is a nontechnical policy addressing a single or specific issue of concern to the organization, such as the procedural guidelines for checking disks brought to work or e-mail privacy concerns. System-specific policy is technically focused and addresses only one computer system or device type. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.
176
A software interface to the operating system that implements access control by limiting the system commands that are available to a user is
called a(n):
A. Physically constrained user interface
B. Restricted shell
C. Interrupt
D. View
Answer: B
Explanation: Answer Interrupt refers to a software or hardware interrupt to a processor that causes the program to jump to another program to handle the interrupt request. Before leaving the program that was being executed at the time of the interrupt, the CPU must save the state of the computer so that the original program can continue after the interrupt has been serviced. *A physically constrained user interface is one in which a user's operations are limited by the physical characteristics of the interface device. An example would be a keypad with the choices limited to the operations permitted by each key. *View refers to database views, which restrict access to information contained in a database through content-dependent access control.
177
```
Which IEEE protocol defines wireless transmission in the 5 GHz band with data rates up to 54 Mbps?
A. IEEE 802.11b
B. IEEE 802.11g
C. IEEE 802.11a
D. IEEE 802.15
```
Answer: C
Explanation: IEEE 802.11a specifies high-speed wireless connectivity in the 5 GHz band using Orthogonal Frequency Division Multiplexing with data rates up to 54 Mbps.
IEEE 802.11b specifies highspeed wireless connectivity in the 2.4 GHz ISM band up to 11 Mbps. IEEE 802.11g is a proposed standard that offers wireless transmission over relatively short distances at speeds from 20 Mbps up to 54 Mbps and operates in the 2.4 GHz range (and is therefore expected to be backward-compatible with existing 802.11b-based networks).
IEEE 802.15, defines Wireless Personal Area Networks (WPAN), such as Bluetooth, in the 2.4-2.5 GHz band. Source: IEEE Wireless Working Groups (grouper.ieee.org).
178
```
How is authentication implemented in GSM?
A. Using public key cryptography
B. It is not implemented in GSM
C. Using secret key cryptography
D. Out-of-band verification
```
Answer: C
Explanation: Authentication is effected in GSM through the use of a common secret key, Ks, that is stored in the network operator's Authentication Center (AuC) and in the subscriber's SIM card. The SIM card may be in the subscriber's laptop, and the subscriber is not privy to Ks. To begin the authentication exchange, the home location of the subscriber's mobile station, (MS), generates a 128-bit random number (RAND) and sends it to the MS. Using an algorithm that is known to both the AuC and MS, the RAND is encrypted by both parties using the secret key, Ks. The ciphertext generated at the MS is then sent to the AuC and compared with the ciphertext generated by the Auc. If the two results match, the MS is authenticated and the access request is granted. If they do not match, the access request is denied. The other answers are, therefore, incorrect.
179
```
Biometrics is used for identification in the physical controls and for authentication in the:
A. Detective controls.
B. Corrective controls.
C. Logical controls.
D. Preventive controls.
```
Answer: C Explanation:
The correct answer is "Logical controls". The other answers are different categories of controls where preventive controls attempt to eliminate or reduce vulnerabilities before an attack occurs; detective controls attempt to determine that an attack is taking place or has taken place; and corrective controls involve taking action to restore the system to normal operation after a successful attack.
180
Authentication in which a random value is presented to a user, who
then returns a calculated number based on that random value is called:
A. Man-in-the-middle
B. Personal identification number (PIN) protocol
C. One-time password
D. Challenge-response
Answer: D Explanation:
In challenge-response authentication, the user enters a random value (challenge) sent by the authentication server into a token device. The token device shares knowledge of a cryptographic secret key with the authentication server and calculates a response based on the challenge value and the secret key. This response is entered into the authentication server, which uses the response to authenticate the identity of the user by performing the same calculation and comparing results.
Answer "man-in-the-middle" is a type of attack in which a cracker is interposed between the user and authentication server and attempts to gain access to packets for replay in order to impersonate a valid user.
A "one-time password" is a password that is used only once to gain access to a network or computer system. A typical implementation is through the use of a token that generates a number based on the time of day. The user reads this number and enters it into the authenticating device. The authenticating device calculates the same number based on the time of day and uses the same algorithm used by the token. If the token's number matches that of the authentication server, the identity of the user is validated. Obviously, the token and the authentication server must be time-synchronized for this approach to work. Also, there is allowance for small values of time skew between the authorization device and the token. Answer d refers to a PIN number that is something you know used with something you have, such as an ATM card.
181
```
What is a noncompulsory recommendation on how to achieve compliance with published standards called?
A. Policies
B. Guidelines
C. Procedures
D. Standards
```
Answer: B
Explanation:
182
Which statement below is NOT true about security awareness, training, and educational programs?
A. Security education assists management in determining who should be promoted.
B. Security improves the users' awareness of the need to protect information resources.
C. Awareness and training help users become more accountable for their actions.
D. Security education assists management in developing the in-house expertise to manage security programs.
Answer: A
Explanation: The purpose of computer security awareness, training, and education is to enhance security by: Improving awareness of the need to protect system resources Developing skills and knowledge so computer users can perform their jobs more securely Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability because without the knowledge of the necessary security measures and to how to use them, users cannot be truly accountable for their actions. Source: National Institute of Standards and Technology, An Introduction to Com- puter Security: The NIST Handbook Special Publication 800-12.
183
Which statement is NOT true about the SOCKS protocol?
A. It operates in the transport layer of the OSI model.
B. It uses an ESP for authentication and encryption.
C. It is sometimes referred to as an application-level proxy. D. Network applications need to be SOCKS-ified to operate.
Answer: B
Explanation: The correct answer is "It uses an ESP for authentication and encryptio". The Encapsulating Security Payload, (ESP) is a component of IPSec. Socket Security (SOCKS) is a transport layer, secure networking proxy protocol. SOCKS replaces the standard network systems calls with its own calls. These calls open connections to a SOCKS proxy server for client authentication, transparently to the user. Common network utilities, like TELNET or FTP, need to be SOCKSified, or have their network calls altered to recognize SOCKS proxy calls. Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).
184
```
In the DoD reference model, which layer conforms to the OSI transport layer?
A. Process/Application Layer
B. Internet Layer
C. Host-to-Host Layer
D. Network Access Layer
```
Answer: C
Explanation: In the DoD reference model, the Host-to-Host layer parallels the function of the OSI's transport layer. This layer contains the Transmission Control Protocol (TCP), and the User Datagram Protocol (UDP). * the DoD Process/Application layer, corresponds to the OSI's top three layers, the Application, Presentation, and Session layers. *The DoD Internet layer corresponds to the OSI's Network layer. * the DoD Network Access Layer, is the equivalent of the Data Link and Physical layers of the OSI model. Source: MCSE:TCP/IP Study Guide by Todd Lammle, Monica Lammle, and John Chellis (Sybex, 1997) and Handbook of Information Security Management 1999 by Micki Krause and Harold f. Tipton (Auerbach, 1999).
185
Which of the following is NOT an assumption of the basic Kerberos paradigm?
A. Specific servers and locations cannot be secured.
B. Messages are not secure from interception.
C. Cabling is not secure.
D. Client computers are not secured and are easily accessible.
Answer: A
Explanation: The correct answer is "Specific servers and locations cannot be secured". Kerberos requires that centralized servers implementing the trusted authentication mechanism must be secured.
186
Referential integrity requires that for any foreign key attribute, the referenced relation must have:
A. An attribute with the same value for its secondary key.
B. A tuple with the same value for its secondary key.
C. A tuple with the same value for its primary key.
D. An attribute with the same value for its other foreign key.
Answer: C
Explanation: The correct answer is "A tuple with the same value for its primary key". Answers "A tuple with the same value for its secondary key." and "An attribute with the same value for its secondary key." are incorrect because a secondary key is not a valid term. Answer "An attribute with the same value for its other foreign key." is a distracter, because referential integrity has a foreign key referring to a primary key in another relation.
187
```
Which of the following is NOT a technical (logical) mechanism for protecting information from unauthorized disclosure?
A. Encryption
B. Labeling (of sensitive materials)
C. Protocols
D. Smart cards
```
Answer: B
Explanation: The correct answer is "Labeling (of sensitive materials)". Labeling is an administrative control mechanism.
188
A distributed system using passwords as the authentication means can use a number of techniques to make the password system stronger. Which of the following is NOT one of these techniques?
A. Regular password reuse
B. Password generators
C. Limiting the number or frequency of log-on attempts
D. Password file protection
Answer: A
Explanation: Passwords should never be reused after the time limit on their use has expired. Answer "password generators" supply passwords upon request. These passwords are usually comprised of numbers, characters, and sometimes symbols. Passwords provided by password generators are, usually, not easy to remember.
For answer "password file protection" may consist of encrypting the password with a one-way hash function and storing it in a password file. A typical brute force attack against this type of protection is to encrypt trial password guesses using the same hash function and to compare the encrypted results with the encrypted passwords stored in the password file.
Answer "Limiting the number or frequency of log-on attempts" provides protection in that, after a specified number of unsuccessful log-on attempts, a user may be locked out of trying to log on for a period of time. An alternative is to progressively increase the time between permitted log-on tries after each unsuccessful log-on attempt.
189
Which of the following is NOT a property of a Packet Filtering Firewall?
A. Uses ACLs
B. Operates at the Application Layer
C. Considered a first-generation firewall
D. Examines the source and destination addresses of the incoming packet
Answer: B
Explanation: The correct answer is Operates at the Application Layer. A packet-filtering firewall can operate at the network or transport layers.
190
Which of the following is NOT a property of Token Ring networks?
A. All end stations are attached to a MSAU.
B. These networks were originally designed to serve sporadic and only occasionally heavy traffic.
C. These networks were originally designed to serve large, bandwidth consuming applications.
D. Workstations cannot transmit until they receive a token.
Answer: B
Explanation: The correct answer is "These networks were originally designed to serve sporadic and only occasionally heavy traffic". Ethernet networks were originally designed to work with more sporadic traffic than Token Ring networks.
191
Which is NOT a property of Fiber Optic cabling?
A. Carries signals as light waves
B. Transmits at higher speeds than copper cable
C. Very resistant to interference
D. Easier to tap than copper cabling
Answer: D
Explanation: The correct answer is "Easier to tap than copper cabling". Fiber Optic cable is much harder to tap than copper cable.
192
What is an ARO?
A. A dollar figure assigned to a single event
B. The percentage of loss that a realized threat event would have on a specific asset
C. The annual expected financial loss to an organization from a threat
D. A number that represents the estimated frequency of an occurrence of an expected threat
Answer: D
Explanation: The correct answer is "A number that represents the estimated frequency of an occurrence of an expected threat". Answer "A dollar figure assigned to a single event" is the definition of SLE, "The annual expected financial loss to an organization from a threat" is an ALE, and "The percentage of loss that a realized threat event would have on a specific asset" is an EF.
193
Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?
A. The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.
B. Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.
C. The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
D. Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
Answer: C
Explanation: Although elements of all of the systems described could require specific controls for confidentiality, given the descriptions above, system b fits the definition most closely of a system requiring a very high level of confidentiality. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality. Asystem may need protection for one or more of the following reasons: Confidentiality. The system contains information that requires protection from unauthorized disclosure. Integrity. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification. Availability. The system contains information or provides services which must be available on a timely basis to meet mission requirements or to avoid substantial losses. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
194
Which answer below is true about the difference between FTP and TFTP?
A. FTP enables print job spooling, whereas TFTP does not.
B. FTP does not have a directory-browsing capability, whereas TFTP does.
C. FTP is less secure because session authentication does not occur.
D. TFTP is less secure because session authentication does not occur.
Answer: D
Explanation: The correct answer is "TFTP is less secure because session authentication does not occur". The Trivial File Transfer Protocol (TFTP) is considered less secure than the File Transfer Protocol (FTP) because authentication does not occur during session establishment (although FTP is very insecure in its own right).
195
```
Which of the following is typically NOT a consideration in the design of passwords?
A. Lifetime
B. Electronic monitoring
C. Authentication period
D. Composition
```
Answer: B
Explanation: Electronic monitoring is the eavesdropping on passwords that are being transmitted to the authenticating device. This issue is a technical one and is not a consideration in designing passwords. The other answers relate to very important password characteristics that must be taken into account when developing passwords. Password lifetime, in answer a, refers to the maximum period of time that a password is valid. Ideally, a password should be used only once. This approach can be implemented by token password generators and challenge response schemes. However, as a practical matter, passwords on most PC's and workstations are used repeatedly. The time period after which passwords should be changed is a function of the level of protection required for the information being accessed. In typical organizations, passwords may be changed every three to six months. Obviously, passwords should be changed when employees leave an organization or in a situation where a password may have been compromised.
Answer "the composition of a password" defines the characters that can be used in the password. The characters may be letters, numbers, or special symbols.
" The authentication period" defines the maximum acceptable period between the initial authentication of a user and any subsequent reauthorization process. For example, users may be asked to authenticate themselves again after a specified period of time of being logged on to a server containing critical information.
