Extra 1257-1356 Flashcards
QUESTION NO: 1257 A packet filtering firewall looks at the data packet to get information about the source and destination addresses of an incoming packet, the session’s communications protocol (TCP, UDP or ICMP), and the source destination application port for the? A. Desired service B. Dedicated service C. Delayed service D. Distributed service.
Answer: A Explanation: This is true: packet filters look at the desired service port (remember that they are layer 3 devices), because many different port numbers can be referenced in the destination port field of the different packets. You have to look for the well-known port number of the desired service. For example, look for port 80 for HTTP and port 21 for FTP. This is the correct terminology; see the features of packet filters in your CISSP documentation.
QUESTION NO: 1258 Packet Filtering Firewalls system is considered a? A. First generation firewall. B. Second generation firewall. C. Third generation firewall. D. Fourth generation firewall.
Answer: A Explanation: Firewall technology is a young but quickly maturing industry. The first generation of firewall architectures has been around almost as long as routers, first appearing around 1985 and coming out of Cisco’s IOS software division. These firewalls are called packet filter firewalls. However, the first paper describing the screening process used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital Equipment Corporation published his studies. At this time we are in the Fourth generation of firewall devices and software.
QUESTION NO: 1259 When should a post-mortem review meeting be held after an intrusion has been properly taken care of? A. Within the first three months after the investigation of the intrusion is completed. B. Within the first week after prosecution of intruders have taken place, whether successful or not. C. Within the first month after the investigation of the intrusion is completed. D. Within the first week of completing the investigation of the intrusion.
Answer: D Explanation: As stated in the CISSP documentation, you should hold post-mortem review meetings after taking care of the intrusion, and no more than one week after the facts. It is not good practice to wait longer than this; it is also a matter of common sense: three months, one month or two weeks is too much time.
QUESTION NO: 1260 Which of the following can be used as a covert channel? A. Storage and timing. B. Storage and low bits. C. Storage and permissions. D. Storage and classification.
Answer: A Explanation: Those are the proper elements; you can use these two to achieve a covert channel. "Low bits" is not a term related to covert channels. Permissions are related to authentication and do not achieve what the question asks for. Classification could not be selected as a correct choice either. Check your official CISSP documentation to see what can be used as a covert channel. "An active variation on eavesdropping is called Covert Channel eavesdropping, which consists of using a hidden unauthorized network connection to communicate unauthorized information. A Covert Storage Channel operates by writing information to storage by one process and then reading by using another process from a different security level. A Covert Timing Channel signals information to another process by modulating its own resource use to affect the response time of another." Pg. 101 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION NO: 1261 Which software development model is actually a meta-model that incorporates a number of the software development models? A. The Waterfall model. B. The modified Waterfall model. C. The Spiral model. D. The Critical Patch Model (CPM).
Answer: C Explanation: The spiral model for software engineering has evolved to encompass the best features of the classic waterfall model, while at the same time adding an element known as risk analysis. The spiral model is more appropriate for large, industrial software projects and has four main blocks/quadrants. Each release or version of the software requires going through new planning, risk analysis, engineering and customer evaluation phases, and this is illustrated in the model by the spiral evolving outwards from the center. For each new release of a software product, a risk analysis audit should be performed to decide whether the new objectives can be completed within budget (time and costs), and decisions have to be made about whether to proceed. This level of planning and customer evaluation is missing from the waterfall model, which is mainly concerned with small software programs. The spiral model also illustrates the evolutionary development of software, where a solution may initially be proposed that is very basic (first time round the loop) and later releases add new features and possibly a more elaborate GUI.
QUESTION NO: 1262 What is not true with pre-shared key authentication within IKE / IPsec protocol: A. Pre-shared key authentication is normally based on simple passwords. B. Needs a PKI to work. C. Only one preshared key for all VPN connections is needed. D. Costly key management on large user groups.
Answer: B Explanation: A pre-shared secret is usually used when both ends of the VPN lack access to a compatible certificate server. Once you have defined all the endpoints in your VPN, you can establish a password that is used to authenticate the other end of the connection; this is the pre-shared secret. Since you are using a pre-shared key because you don't have an available / compatible certificate server, IPsec and IKE do not need to use a PKI in this case (the PKI is what actually provides the certificate server infrastructure).
QUESTION NO: 1263 Which question is NOT true concerning Application Control? A. It limits end users of applications in such a way that only particular screens are visible. B. Only specific records can be requested choice. C. Particular uses of the application can be recorded for audit purposes. D. Is non-transparent to the endpoint applications so changes are needed to the applications involved.
Answer: D Explanation: Application control is transparent to the endpoint applications when changes are needed; this is one of its features. With application control you can audit certain uses of the applications involved and allow only specific records of your choice to be requested. It is also possible to limit end users of the applications so that only certain screens are visible. Check your CISSP documentation about application control.
QUESTION NO: 1264 In order to ensure the privacy and integrity of the data, connections between firewalls over public networks should use? A. Screened subnets B. Digital certificates C. Encrypted Virtual Private Networks D. Encryption
Answer: C Explanation: This is the correct answer; since "firewall" does not mean "VPN", we have to select "Encrypted Virtual Private Networks". With a VPN and encryption we can provide secure communication between the endpoints in a way that is transparent to the users, achieving confidentiality. This confidentiality is achieved through encryption, which relies on encryption algorithms like AES, DES, CAST and others. A screened subnet is not related to securing data over public networks; it is a place to put our network services that must be accessible from the outside. Digital certificates do not provide confidentiality; they only provide integrity.
QUESTION NO: 1265 What is necessary for a subject to have write access to an object in a Multi-Level Security Policy? A. The subject’s sensitivity label must dominate the object’s sensitivity label. B. The subject’s sensitivity label subordinates the object’s sensitivity label. C. The subject’s sensitivity label is subordinated by the object’s sensitivity label. D. The subject’s sensitivity label is dominated by the object’s sensitivity label.
Answer: A Explanation: The correct answer is: The subject's sensitivity label must dominate the object's sensitivity label. With a multi-level security policy you have information that has different sensitivity labels. In order to read an object, the subject's sensitivity label must be equal to or greater than that of the object. So it would be considered to dominate it: no read up. The following answers are incorrect: "The subject's sensitivity label subordinates the object's sensitivity label" is incorrect because if the subject's sensitivity label subordinates the object's sensitivity label, that would mean it is lower and the subject should not have read access to the object. "The subject's sensitivity label is subordinated by the object's sensitivity label" is incorrect because this would not allow read access if the sensitivity labels were equal. So the subject's sensitivity label is not subordinated by the object's sensitivity label; the subject's label must dominate the object's label. Remember that dominate means equal to or greater than, whereas subordinate means less than. "The subject's sensitivity label is dominated by the object's sensitivity label" is incorrect because if the object's sensitivity label dominates the subject's sensitivity label, then the subject should not have access; it is the subject that must dominate the object and not the other way around. Remember that dominate means equal to or greater than, so this would mean that the object's sensitivity label is equal to or greater than the subject's. According to the OIG, multi-level security is defined as a class of system containing information with different sensitivities that simultaneously permits access by users with different security clearances and need-to-know, but prevents users from obtaining access to information for which they lack authorization.
The Subject’s sensitivity label must be equal to or greater than the object’s sensitivity label in order for the subject to have read access to it, no read up.
QUESTION NO: 1266 What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account? A. Data fiddling B. Data diddling C. Data hiding D. Data masking
Answer: B Explanation: This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed. This kind of attack was used in the past to do what is stated in the question: steal small quantities of money and transfer them to the attacker's account. See "data diddling crimes" on the Web. The most correct answer is "salami", but since that is not an option the most correct answer is data diddling. "A salami attack is committing several small crimes with the hope that the overall larger crime will go unnoticed. ... An example would be if an employee altered a banking software program to subtract 5 cents from each of the bank's customers' accounts once a month and moved this amount to the employee's bank account. If this happened to all of the bank's 50,000 customer accounts, the intruder could make up to $30,000 a year. Data diddling refers to the alteration of existing data. Many times this modification happens before it is entered into an application or as soon as it completes processing and is outputted from an application. There was an incident in 1997, in Maryland, where a Taco Bell employee was sentenced to ten years in jail because he reprogrammed the drive-up window cash register to ring up every $2.99 order as one penny. He collected the full amount from the customer, put the penny in the till, and pocketed the other $2.98. He made $3600 before his arrest."
QUESTION NO: 1267 Which of the following is unlike the other three? A. El Gamal B. Teardrop C. Buffer Overflow D. Smurf
Answer: A Explanation: Options B, C and D are all Denial of Service attacks. El Gamal is the Diffie-Hellman key exchange algorithm and is usually described as an active exchange of keys by two parties. The objective of the buffer overflow attack is to consume the available memory for the TCP/IP protocol stack to make the machine crash. Teardrop and Smurf are DoS attacks that make use of spoofing.
QUESTION NO: 1268 Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud manipulates the line voltage to receive a toll-free call? A. Red Boxes B. Blue Boxes C. White Boxes D. Black Boxes
Answer: D Explanation: A Black Box is a device that is hooked up to your phone and alters it so that when you get a call, the caller doesn't get charged for the call. This works for calls up to 1/2 hour; after 1/2 hour the phone company gets suspicious, and then you can guess what happens. The Red Box basically simulates the sounds of coins being dropped into the coin slot of a payphone. The traditional Red Box consists of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips. The Blue Box, the mother of all boxes, was the first box in history and started the whole phreaking scene. It was invented by John Draper (aka "Captain Crunch") in the early 60s, who discovered that by sending a tone of 2600Hz over the telephone lines of AT&T, it was possible to make free calls. The White Box turns a normal touch tone keypad into a portable unit. This kind of box can commonly be found in a phone shop.
QUESTION NO: 1269 Which of the following groups represents the leading source of computer crime losses? A. Hackers B. Industrial saboteurs C. Foreign intelligence officers D. Employees
Answer: D Explanation: This can be checked against the computer crime statistics on the web. Most of the attacks, actually 70% of them, come from inside the company, and 80% of those come from its employees. This is a reality: when we protect our infrastructure, be sure to give great importance to internal security, because we don't know when one of the company's employees is going to strike. Hackers are also important, but less so than our own employees.
QUESTION NO: 1270 Which of the following steps should be performed first in a business impact analysis (BIA)? A. Identify all business units within the organization. B. Evaluate the impact of disruptive events. C. Estimate the Recovery Time Objectives (RTO). D. Evaluate the criticality of business functions.
Answer: A Explanation: Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying possible issues with our infrastructure. It is an analysis of the business, the processes it relies on, the level of the systems, and an estimate of the financial impact, or in other words, how much money we lose with our systems down. The first step should always be the identification of the business units in the company. You can then go on to other requirements like estimating losses and downtime costs.
QUESTION NO: 1271 Which of the following embodies all the detailed actions that personnel are required to follow? A. Standards B. Guidelines C. Procedures D. Baselines
Answer: C Explanation: As stated in the dictionary, here are 3 definitions of procedure: It is pretty clear that this is the term we are looking for, as stated in the question; you can check your CISSP documentation too.
QUESTION NO: 1272 Immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length (up to two kilometers in some cases) is? A. Coaxial cable B. Twisted Pair cable C. Axial cable D. Fiber Optic cable
Answer: D Explanation: Since fiber optics does not use electrical signals to transmit the information (it uses light that travels through the mirrored, silvered cable from source to end), it is not affected by EMI (Electromagnetic Interference) like copper transmission methods such as 10Base5 and 10Base2; therefore EMI does not affect the possible transmission distance. Fiber optics can span a great distance between endpoints, much greater than the copper transmission methods. Examples of fiber optic standards are 100BaseFX and 1000BaseFX.
QUESTION NO: 1273 Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or cassette? A. Degaussing B. Parity Bit Manipulation C. Certification D. Buffer overflow
Answer: A Explanation: An alternating current (AC) bulk eraser (degausser) is used for complete erasure of data and other signals on magnetic media. Degaussing is a process where magnetic media is exposed to a powerful, alternating magnetic field. Degaussing removes any previously written data, leaving the media in a magnetically randomized (blank) state. The degausser must subject the media to an alternating magnetic field of sufficient intensity to saturate the media, and then, by slowly withdrawing or reducing the field, leaves the magnetic media in a magnetically neutral state.
QUESTION NO: 1274 Which of the following is an advantage of prototyping? A. Prototype systems can provide significant time and cost savings. B. Change control is often less complicated with prototype systems. C. It ensures that functions or extras are not added to the intended system. D. Strong internal controls are easier to implement.
Answer: A Explanation: The Prototype Phase is also called the “Proof of Concept” Phase. Whether it’s called one or the other depends on what the creator is trying to “prove.” If the main deliverable of the Phase includes a working version of the product’s technical features, it’s a “prototype.” If the main deliverable just looks like it has the product’s technical features, then it’s a “proof of concept.” Prototypes can save time and money because you can test some functionality earlier in the process. You don’t have to make the whole final product to begin testing it.
QUESTION NO: 1275 The IS security analyst’s participation in which of the following system development life cycle phases provides maximum benefit to the organization? A. System requirements definition. B. System design. C. Program development. D. Program testing.
Answer: B
QUESTION NO: 1276 Controls are implemented to? A. Eliminate risk and reduce the potential for loss. B. Mitigate risk and eliminate the potential for loss. C. Mitigate risk and reduce the potential for loss. D. Eliminate risk and eliminate the potential for loss.
Answer: C Explanation: That is the essence of controls: you put them in your environment to minimize the impact of a potential loss, and with them you can also mitigate the risk. Controls are a very good practice for securing an environment; they should be considered by any security professional, CISSP or not, and the risk should be minimized as much as you can.
QUESTION NO: 1277 A circuit level gateway is ________ when compared to an application level firewall. A. Easier to maintain. B. More difficult to maintain. C. More secure. D. Slower
Answer: A Explanation: Since circuit level gateways do not inspect as high in the OSI model as application level firewalls, they are easier to maintain and configure. Application layer firewalls work up to layer 7 of the OSI model and provide a great many options and complex configurations. Application layer firewalls are more secure than circuit level gateways because they can track and analyze information up to layer 7; a drawback is that this functionality makes them slower.
QUESTION NO: 1278 In IPSec, if the communication mode is gateway-gateway or host-gateway: A. Only tunnel mode can be used. B. Only transport mode can be used. C. Encapsulating Security Payload (ESP) authentication must be used. D. Both tunnel and transport mode can be used.
Answer: D Explanation: "IPSec can work in one of two modes: transport mode, where the payload of the message is protected, and tunnel mode, where the payload and the routing and header information is protected." Pg 527 Shon Harris: All-in-One CISSP Certification. Not "Encapsulating Security Payload (ESP) authentication must be used": "IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to be used, but it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity." Pg 527 Shon Harris: All-in-One CISSP Certification
QUESTION NO: 1279 Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? A. The Take-Grant model B. The Biba integrity model C. The Clark Wilson integrity model D. The Bell-LaPadula integrity model
Answer: C Explanation: The Clark-Wilson model was developed to address security issues in commercial environments. The model uses two categories of mechanisms to realize integrity: well-formed transactions and separation of duty. It defines a constrained data item, an integrity verification procedure and a transformation procedure for that object. A possible way to represent a constraint that only certain trusted programs can modify objects is using an application:checksum condition, where the checksum ensures the authenticity of the application. Another way is using an application:endorser condition, which indicates that a valid certificate, stating that the application has been endorsed by the specified endorser, must be presented. Static separation of duty is enforced by the security administrator when assigning group membership. Dynamic separation of duty enforces control over how permissions are used at access time.
QUESTION NO: 1280 Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is incorrect? A. In order to facilitate recovery, a single plan should cover all locations. B. There should be requirements to form a committee to decide a course of action. These decisions should be made ahead of time and incorporated into the plan. C. In its procedures and tasks, the plan should refer to functions, not specific individuals. D. Critical vendors should be contacted ahead of time to validate equipment can be obtained in a timely manner.
Answer: A Explanation: This is not the best practice, even more so for the CISSP exam. Continuity / recovery plans should be made for every location separately. This is because when there is a disaster, it is not usually at all the different locations; it is better to have one plan for each of them so you can use and follow only the plan of the affected site and not bother with the other ones.
QUESTION NO: 1281 What are suitable protocols for securing VPN connections? A. S/MIME and SSH B. TLS and SSL C. IPsec and L2TP D. PKCS# and X.509
Answer: C Explanation: Both of them can be used to create and secure VPNs. The Layer 2 Tunnel Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for VPNs. VPNs allow users and telecommuters to connect to their corporate intranets or extranets. IPSec is a series of guidelines for the protection of Internet Protocol (IP) communications. It specifies ways of securing private information transmitted over public networks. Services supported by IPSec include confidentiality (encryption), authenticity (proof of sender), integrity (detection of data tampering) and replay protection (defense against unauthorized re-sending of data). It works on layer 3 of the OSI model and is the most common protocol used to create VPNs.
QUESTION NO: 1282 Which of the following questions is less likely to help in assessing identification and authentication controls? A. Is a current list maintained and approved of authorized users and their access? B. Are passwords changed at least every ninety days or earlier if needed? C. Are inactive user identifications disabled after a specified period of time? D. Is there a process for reporting incidents?
Answer: D Explanation: We just need some common sense to answer this question correctly: why would we ask about a process for reporting incidents? Does it help with identification and authentication? I don't think so. The other questions are more relevant: passwords deal with authentication, and inactive user IDs are also related to identification. But the most important one to me is knowing whether there is a list of authorized users and their current access, as this can help you identify unauthorized activities.
QUESTION NO: 1283 The primary purpose for using one-way encryption of user passwords within a system is which of the following? A. It prevents an unauthorized person from trying multiple passwords in one logon attempt. B. It prevents an unauthorized person from reading or modifying the password list. C. It minimizes the amount of storage required for user passwords. D. It minimizes the amount of processing time used for encrypting passwords.
Answer: B Explanation: This kind of encryption increases security for passwords. If you use a one-way encryption algorithm, you know that the encryption is not reversible: you cannot recover the original value that you provided as a password from the resulting hash with any key or algorithm. This increases security in that when a person sees the password list, they will only see the hash values and cannot read the original passwords or modify them without causing corruption.
QUESTION NO: 1284 The security of a computer application is most effective and economical in which of the following cases? A. The system is optimized prior to the addition of security. B. The system is procured off-the-shelf. C. The system is customized to meet the specific security threat. D. The system is designed originally to provide the necessary security.
Answer: D Explanation: This is very obvious: if your system is designed from the ground up to provide security, it is going to be cheaper and more effective in the end, because you don't need re-analysis, re-coding and restructuring of the internal code of the computer application. If you don't address security at the beginning, you will also need to spend time and money reviewing the code to try to fit the security infrastructure in somewhere.
QUESTION NO: 1285 In the following choices there is one that is a typical biometric characteristic that is not used to uniquely authenticate an individual's identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans
Answer: D Explanation: Answers A, B and C can be used to uniquely identify a person, but in the case of the skin, there are no unique characteristics that can differentiate two distinct individuals with acceptable accuracy. In the case of the iris and the retina, no two are equal. In the case of the palm, every person has different marks on it. The skin is common to all and does not have specific textures or marks that make it unique in comparison to another individual.
QUESTION NO: 1286 Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness's five senses? A. Direct evidence B. Circumstantial evidence C. Conclusive evidence D. Corroborative evidence
Answer: A Explanation: As stated in the CISSP documentation, "If you want to achieve the validation or revalidation of the oral testimony of a witness, you need to provide physical, direct evidence to back up your statements and override the five senses of an oral testimony". Circumstantial or corroborative evidence is not enough in this case; we need direct, relevant evidence backing up the facts.