Extra 1257-1356 Flashcards

1
Q

QUESTION NO: 1257 A packet filtering firewall looks at the data packet to get information about the source and destination addresses of an incoming packet, the session’s communications protocol (TCP, UDP or ICMP), and the source destination application port for the? A. Desired service B. Dedicated service C. Delayed service D. Distributed service.

A

Answer: A Explanation: This is true: packet filters look at the desired service port (remember that they are layer 3 devices), because the destination port field of different packets can reference many different port numbers. You have to look for the well-known port numbers of the desired service; for example, look at port 80 for HTTP and port 21 for FTP. This is the correct terminology; see the features of packet filters in your CISSP documentation.

2
Q

QUESTION NO: 1258 A Packet Filtering Firewall system is considered a? A. First generation firewall. B. Second generation firewall. C. Third generation firewall. D. Fourth generation firewall.

A

Answer: A Explanation: Firewall technology is a young but quickly maturing industry. The first generation of firewall architectures has been around almost as long as routers, first appearing around 1985 and coming out of Cisco’s IOS software division. These firewalls are called packet filter firewalls. However, the first paper describing the screening process used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital Equipment Corporation published his studies. At this time we are in the Fourth generation of firewall devices and software.

3
Q

QUESTION NO: 1259 When should a post-mortem review meeting be held after an intrusion has been properly taken care of? A. Within the first three months after the investigation of the intrusion is completed. B. Within the first week after prosecution of intruders has taken place, whether successful or not. C. Within the first month after the investigation of the intrusion is completed. D. Within the first week of completing the investigation of the intrusion.

A

Answer: D Explanation: As stated in CISSP documentation, you should hold post-mortem review meetings after taking care of the intrusion, and no more than one week after the fact. It is not good practice to wait longer than this; it is a matter of common sense too: three months, one month or two weeks is too much time.

4
Q

QUESTION NO: 1260 Which of the following can be used as a covert channel? A. Storage and timing. B. Storage and low bits. C. Storage and permissions. D. Storage and classification.

A

Answer: A Explanation: Those are the proper elements; you can use these two to achieve a covert channel. Low bits is not a term related to covert channels. Permissions are related to authentication; they do not achieve what the question wants. Also, classification could not be selected as a correct choice. Check your official CISSP documentation to see what can be used as a covert channel. “An active variation on eavesdropping is called Covert Channel eavesdropping, which consists of using a hidden unauthorized network connection to communicate unauthorized information. A Covert Storage Channel operates by writing information to storage by one process and then reading by using another process from a different security level. A Covert Timing Channel signals information to another process by modulating its own resource use to affect the response time of another.” Pg. 101 Krutz: The CISSP Prep Guide: Gold Edition

5
Q

QUESTION NO: 1261 Which software development model is actually a meta-model that incorporates a number of the software development models? A. The Waterfall model. B. The modified Waterfall model. C. The Spiral model. D. The Critical Patch Model (CPM).

A

Answer: C Explanation: The spiral model for software engineering has evolved to encompass the best features of the classic waterfall model, while at the same time adding an element known as risk analysis. The spiral model is more appropriate for large, industrial software projects and has four main blocks/quadrants. Each release or version of the software requires going through new planning, risk analysis, engineering and customer evaluation phases, and this is illustrated in the model by the spiral evolving outwards from the center. For each new release of a software product, a risk analysis audit should be performed to decide whether the new objectives can be completed within budget (time and costs), and decisions have to be made about whether to proceed. This level of planning and customer evaluation is missing from the waterfall model, which is mainly concerned with small software programs. The spiral model also illustrates the evolutionary development of software, where a solution may initially be proposed that is very basic (first time round the loop) and later releases add new features and possibly a more elaborate GUI.

6
Q

QUESTION NO: 1262 What is not true with pre-shared key authentication within IKE / IPsec protocol: A. Pre-shared key authentication is normally based on simple passwords. B. Needs a PKI to work. C. Only one preshared key for all VPN connections is needed. D. Costly key management on large user groups.

A

Answer: B Explanation: A Pre-Shared Secret is usually used when both ends of the VPN lack access to a compatible certificate server. Once you have defined all the endpoints in your VPN, you can establish a password that is used to authenticate the other end of the connection; this is the Pre-Shared secret. Since you are using a Pre-Shared key because you don’t have an available / compatible certificate server, IPSEC and IKE do not need to use a PKI in this case (the PKI is what actually provides the certificate server infrastructure).

7
Q

QUESTION NO: 1263 Which question is NOT true concerning Application Control? A. It limits end users of applications in such a way that only particular screens are visible. B. Only specific records can be requested choice. C. Particular uses of the application can be recorded for audit purposes. D. Is non-transparent to the endpoint applications so changes are needed to the applications involved.

A

Answer: D Explanation: Application control is transparent to endpoint applications, so no changes are needed to them when it is introduced; this is one of its features. With application control you can audit certain uses of the applications involved and restrict requests to only the records of your choice. There is also the possibility of limiting end users of the applications to only certain screens. Check your CISSP documentation about Application Control.

8
Q

QUESTION NO: 1264 In order to ensure the privacy and integrity of the data, connections between firewalls over public networks should use? A. Screened subnets B. Digital certificates C. Encrypted Virtual Private Networks D. Encryption

A

Answer: C Explanation: This is the correct answer; since firewall does not mean “VPN”, we have to select “Encrypted Virtual Private Networks”. With a VPN and encryption we can provide secure communication between the endpoints in a way that is transparent to the users, achieving “Confidentiality”. This confidentiality is achieved through encryption, and this encryption relies on encryption algorithms like AES, DES, CAST and others. Screened subnets are not related to securing data over public networks; a screened subnet is a place to put our network services that must be accessible from the outside. Digital certificates do not provide confidentiality; they only provide integrity.

9
Q

QUESTION NO: 1265 What is necessary for a subject to have write access to an object in a Multi-Level Security Policy? A. The subject’s sensitivity label must dominate the object’s sensitivity label. B. The subject’s sensitivity label subordinates the object’s sensitivity label. C. The subject’s sensitivity label is subordinated by the object’s sensitivity label. D. The subject’s sensitivity label is dominated by the object’s sensitivity label.

A

Answer: A Explanation: The correct answer is: The subject’s sensitivity label must dominate the object’s sensitivity label. With a Multi-level security policy you have information that has different sensitivity labels. In order to read an object, the subject’s sensitivity label must be equal to or greater than that of the object. So it would be considered to dominate it: no read up. The following answers are incorrect: The subject’s sensitivity label subordinates the object’s sensitivity label. This is incorrect because if the subject’s sensitivity label subordinates the object’s sensitivity label, that would mean it is lower and the subject should not have read access to the object. The subject’s sensitivity label is subordinated by the object’s sensitivity label. This is incorrect because it would not allow read access if the sensitivity labels were equal. So the subject’s sensitivity label is not subordinated by the object’s sensitivity label; the subject’s label must dominate the object’s label. Remember that dominate means equal to or greater than, whereas subordinate means less than. The subject’s sensitivity label is dominated by the object’s sensitivity label. This is incorrect because if the object’s sensitivity label dominates the subject’s sensitivity label, then the subject should not have access; it is the subject that must dominate the object and not the other way around. Remember that dominate means equal to or greater than, so this would mean that the object’s sensitivity label is equal to or greater than the subject’s. According to the OIG, Multi-level security is defined as a class of system containing information with different sensitivities that simultaneously permits access by users with different security clearances and need-to-know, but prevents users from obtaining access to information for which they lack authorization.
The subject’s sensitivity label must be equal to or greater than the object’s sensitivity label in order for the subject to have read access to it: no read up.

10
Q

QUESTION NO: 1266 What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account? A. Data fiddling B. Data diddling C. Data hiding D. Data masking

A

Answer: B Explanation: This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed. This kind of attack was used in the past to do what is stated in the question: steal small quantities of money and transfer them to the attacker’s account. See “Data diddling crimes” on the Web. The most correct answer is ‘Salami’, but since that is not an option, the most correct answer is data diddling. “A salami attack is committing several small crimes with the hope that the overall larger crime will go unnoticed. ….An example would be if an employee altered a banking software program to subtract 5 cents from each of the bank’s customers’ accounts once a month and moved this amount to the employee’s bank account. If this happened to all of the bank’s 50,000 customer accounts, the intruder could make up to $ 30,000 a year. Data diddling refers to the alteration of existing data. Many times this modification happens before it is entered into an application or as soon as it completes processing and is outputted from an application. There was an incident in 1997, in Maryland, where a Taco Bell employee was sentenced to ten years in jail because he reprogrammed the drive-up window cash register to ring up every $2.99 order as one penny. He collected the full amount from the customer, put the penny in the till, and pocketed the other $2.98. He made $3600 before his arrest.”

11
Q

QUESTION NO: 1267 Which of the following is unlike the other three? A. El Gamal B. Teardrop C. Buffer Overflow D. Smurf

A

Answer: A Explanation: Options B, C and D are all Denial of Service attacks. El Gamal is the Diffie-Hellman key exchange algorithm and is usually described as an active exchange of keys by two parties. The objective of the buffer overflow attack is to consume the available memory of the TCP/IP protocol stack to make the machine crash. Teardrop and Smurf are DoS attacks that make use of spoofing.

12
Q

QUESTION NO: 1268 Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud manipulates the line voltage to receive a toll-free call? A. Red Boxes B. Blue Boxes C. White Boxes D. Black Boxes

A

Answer: D Explanation: A Black Box is a device that is hooked up to your phone and alters it so that when you get a call, the caller doesn’t get charged for the call. This works for calls up to 1/2 hour; after 1/2 hour the Phone Co. gets suspicious, and then you can guess what happens. The Red Box basically simulates the sounds of coins being dropped into the coin slot of a payphone. The traditional Red Box consists of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips. The Blue Box is the mother of all boxes, the first box in history, which started the whole phreaking scene. It was invented by John Draper (aka “Captain Crunch”) in the early 60s, who discovered that by sending a tone of 2600Hz over the telephone lines of AT&T, it was possible to make free calls. The White Box turns a normal touch tone keypad into a portable unit. This kind of box can commonly be found in a phone shop.

13
Q

QUESTION NO: 1269 Which of the following groups represents the leading source of computer crime losses? A. Hackers B. Industrial saboteurs C. Foreign intelligence officers D. Employees

A

Answer: D Explanation: This can be checked against the computer crime statistics on the web. Most of the attacks, actually 70% of them, come from inside the company, and 80% of those from its employees. This is a reality: when we protect our infrastructure, be sure to give great importance to internal security, since we don’t know when one of the company’s employees is going to strike. Hackers are also important, but less so than our own employees.

14
Q

QUESTION NO: 1270 Which of the following steps should be performed first in a business impact analysis (BIA)? A. Identify all business units within the organization. B. Evaluate the impact of disruptive events. C. Estimate the Recovery Time Objectives (RTO). D. Evaluate the criticality of business functions.

A

Answer: A Explanation: Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying possible issues with our infrastructure. It is an analysis of the business, the processes it relies on, the level of the systems and an estimate of the financial impact, or in other words, how much money we lose with our systems down. The first step should always be identifying the business units in the company. You can then go on to other requirements like estimating losses and downtime costs.

15
Q

QUESTION NO: 1271 Which of the following embodies all the detailed actions that personnel are required to follow? A. Standards B. Guidelines C. Procedures D. Baselines

A

Answer: C Explanation: As stated in the dictionary, here are 3 definitions of procedure: It’s pretty clear that this is the term we are looking for, as stated in the question; you can check your CISSP documentation too.

16
Q

QUESTION NO: 1272 Immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length (up to two kilometers in some cases) is? A. Coaxial cable B. Twisted Pair cable C. Axial cable D. Fiber Optic cable

A

Answer: D Explanation: Since fiber optics does not use electrical signals to transmit the information (it uses light that goes through the mirrored, silvered cable from source to end), it is not affected by EMI (Electro Magnetic Interference) like copper transmission methods such as 10base5 and 10base2; therefore EMI does not limit the possible transmission distance. Fiber optics can span a great distance between end points, much greater than the copper transmission methods. Examples of fiber optic standards are 100BaseFX and 1000BaseFX.

17
Q

QUESTION NO: 1273 Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or cassette? A. Degaussing B. Parity Bit Manipulation C. Certification D. Buffer overflow

A

Answer: A Explanation: An alternating current (AC) bulk eraser (degausser) is used for complete erasure of data and other signals on magnetic media. Degaussing is a process where magnetic media is exposed to a powerful, alternating magnetic field. Degaussing removes any previously written data, leaving the media in a magnetically randomized (blank) state. The degausser must subject the media to an alternating magnetic field of sufficient intensity to saturate the media and then, by slowly withdrawing or reducing the field, leave the magnetic media in a magnetically neutral state.

18
Q

QUESTION NO: 1274 Which of the following is an advantage of prototyping? A. Prototype systems can provide significant time and cost savings. B. Change control is often less complicated with prototype systems. C. It ensures that functions or extras are not added to the intended system. D. Strong internal controls are easier to implement.

A

Answer: A Explanation: The Prototype Phase is also called the “Proof of Concept” Phase. Whether it’s called one or the other depends on what the creator is trying to “prove.” If the main deliverable of the Phase includes a working version of the product’s technical features, it’s a “prototype.” If the main deliverable just looks like it has the product’s technical features, then it’s a “proof of concept.” Prototypes can save time and money because you can test some functionality earlier in the process. You don’t have to make the whole final product to begin testing it.

19
Q

QUESTION NO: 1275 The IS security analyst’s participation in which of the following system development life cycle phases provides maximum benefit to the organization? A. System requirements definition. B. System design. C. Program development. D. Program testing.

A

Answer: B

20
Q

QUESTION NO: 1276 Controls are implemented to? A. Eliminate risk and reduce the potential for loss. B. Mitigate risk and eliminate the potential for loss. C. Mitigate risk and reduce the potential for loss. D. Eliminate risk and eliminate the potential for loss.

A

Answer: C Explanation: That’s the essence of controls: you put them in your environment to minimize the impact of a potential loss, and with them you also mitigate the risk, achieving the former through the latter. Controls are a very good practice for securing an environment; they should be considered by any security professional, CISSP or not, and the risk should be minimized as much as you can.

21
Q

QUESTION NO: 1277 A circuit level gateway is ________ when compared to an application level firewall. A. Easier to maintain. B. More difficult to maintain. C. More secure. D. Slower

A

Answer: A Explanation: Since circuit level gateways do not inspect as high in the OSI model as application level firewalls, they are easier to maintain and configure. Application layer firewalls work up to layer 7 of the OSI model and provide a large set of options and complex configurations. Application layer firewalls are more secure than circuit level gateways because they can track and analyze information up to layer 7; a drawback to this is that this functionality makes them slower.

22
Q

QUESTION NO: 1278 In IPSec, if the communication mode is gateway-gateway or host-gateway: A. Only tunnel mode can be used. B. Only transport mode can be used. C. Encapsulating Security Payload (ESP) authentication must be used. D. Both tunnel and transport mode can be used.

A

Answer: D Explanation: “IPSec can work in one of two modes: transport mode, where the payload of the message is protected, and tunnel mode, where the payload and the routing and header information is protected.” Pg 527 Shon Harris: All-in-One CISSP Certification. Not: “Encapsulating Security Payload (ESP) authentication must be used”. “IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to be used, but it is an open, modular framework that provides a lot of flexibility for companies when they choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity.” Pg 527 Shon Harris: All-in-One CISSP Certification

23
Q

QUESTION NO: 1279 Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? A. The Take-Grant model B. The Biba integrity model C. The Clark Wilson integrity model D. The Bell-LaPadula integrity model

A

Answer: C Explanation: The Clark-Wilson model was developed to address security issues in commercial environments. The model uses two categories of mechanisms to realize integrity: well-formed transactions and separation of duty. It defines a constrained data item, an integrity verification procedure and a transformation procedure for that object. A possible way to represent a constraint that only certain trusted programs can modify objects is using an application:checksum condition, where the checksum ensures authenticity of the application. Another way is using an application:endorser condition, which indicates that a valid certificate, stating that the application has been endorsed by the specified endorser, must be presented. Static separation of duty is enforced by the security administrator when assigning group membership. Dynamic separation of duty enforces control over how permissions are used at access time.

24
Q

QUESTION NO: 1280 Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is incorrect? A. In order to facilitate recovery, a single plan should cover all locations. B. There should be requirements to form a committee to decide a course of action. These decisions should be made ahead of time and incorporated into the plan. C. In its procedures and tasks, the plan should refer to functions, not specific individuals. D. Critical vendors should be contacted ahead of time to validate equipment can be obtained in a timely manner.

A

Answer: A Explanation: This is not the best practice, even more so for the CISSP exam. Continuity / recovery plans should be made for every location separately. This is because when there is a disaster, it is not usually at all the different locations; it is better to have one plan for each of them so you can use and follow only the plan of the affected site and not bother with the other ones.

25
Q

QUESTION NO: 1281 What are suitable protocols for securing VPN connections? A. S/MIME and SSH B. TLS and SSL C. IPsec and L2TP D. PKCS# and X.509

A

Answer: C Explanation: Both of them can be used to create and secure VPNs. The Layer 2 Tunnel Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for VPNs. VPNs allow users and telecommuters to connect to their corporate intranets or extranets. IPSec is a series of guidelines for the protection of Internet Protocol (IP) communications. It specifies ways of securing private information transmitted over public networks. Services supported by IPSec include confidentiality (encryption), authenticity (proof of sender), integrity (detection of data tampering) and replay protection (defense against unauthorized re-sending of data). It works at layer 3 of the OSI model and is the most common protocol used to create VPNs.

26
Q

QUESTION NO: 1282 Which of the following questions is less likely to help in assessing identification and authentication controls? A. Is a current list maintained and approved of authorized users and their access? B. Are passwords changed at least every ninety days or earlier if needed? C. Are inactive user identifications disabled after a specified period of time? D. Is there a process for reporting incidents?

A

Answer: D Explanation: We just need some common sense to answer this question correctly: why would we ask about a process for reporting incidents? Does it help with identification and authentication? I don’t think so. There are other more relevant questions: passwords deal with authentication, and inactive user IDs are also related to identification. But the most important to me is knowing whether there is a list of authorized users and their current access, since this can help you identify unauthorized activities.

27
Q

QUESTION NO: 1283 The primary purpose for using one-way encryption of user passwords within a system is which of the following? A. It prevents an unauthorized person from trying multiple passwords in one logon attempt. B. It prevents an unauthorized person from reading or modifying the password list. C. It minimizes the amount of storage required for user passwords. D. It minimizes the amount of processing time used for encrypting passwords.

A

Answer: B Explanation: This kind of encryption increases security for passwords: if you use a one-way encryption algorithm, you know that the encryption is not reversible, and you cannot get the original value that you provided as a password from the resulting hash with any key or algorithm. This increases security in that when a person sees the password list, they will only see the hash values and cannot read the original passwords or modify them without corrupting them.

28
Q

QUESTION NO: 1284 The security of a computer application is most effective and economical in which of the following cases? A. The system is optimized prior to the addition of security. B. The system is procured off-the-shelf. C. The system is customized to meet the specific security threat. D. The system is designed originally to provide the necessary security.

A

Answer: D Explanation: This is very obvious: if your system is designed from the ground up to provide security, it is going to be cheaper and more effective in the end, because you don’t need re-analysis, re-coding, and restructuring of the internal code of the computer application. If you don’t address security at the beginning, you will also need to spend time and money reviewing the code to try to fit the security infrastructure in somewhere.

29
Q

QUESTION NO: 1285 In the following choices there is one that is a typical biometric characteristic that is not used to uniquely authenticate an individual’s identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans

A

Answer: D Explanation: Answers A, B and C can be used to uniquely identify a person, but in the case of the skin, there are no unique characteristics that can differentiate two distinct individuals in an acceptably accurate way. In the case of the iris and the retina, no two of them are equal. In the case of the palm, every person has different marks on it. The skin is common to all and does not have specific textures or marks that make it unique in comparison to another individual.

30
Q

QUESTION NO: 1286 Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses? A. Direct evidence B. Circumstantial evidence C. Conclusive evidence D. Corroborative evidence

A

Answer: A Explanation: As stated in the CISSP documentation, “If you want to achieve the validation or revalidation of the oral testimony of a witness, you need to provide physical, direct evidence to back up your statements and override the five senses of an oral testimony”. Circumstantial or corroborative evidence is not enough in this case; we need direct, relevant evidence backing up the facts.

31
Q

QUESTION NO: 1287 Which of the following would be defined as an absence of safeguard that could be exploited? A. A threat B. A vulnerability C. A risk D. An exposure

A

Answer: B Explanation: In IT, a vulnerability is a weakness of a system that can be exploited and corrupted through a security hole. There is always a risk that our systems are vulnerable; with security we cannot make the risk 0%, but we can decrease the possibility of a threat becoming a successful attack through one of those vulnerabilities. There is no system without vulnerabilities; we need to patch our systems frequently to reduce the risk of a threat exploiting a vulnerability in one of our systems.

32
Q

QUESTION NO: 1288 Which of the following is a LAN transmission protocol? A. Ethernet B. Ring topology C. Unicast D. Polling

A

Answer: C Reference: “LAN Transmission Methods. LAN data is transmitted from the sender to one or more receiving stations using either a unicast, multicast, or broadcast transmission.” pg 528 Hansche: Official (ISC)2 Guide to the CISSP Exam

33
Q

QUESTION NO: 1289 Why would a database be denormalized? A. To ensure data integrity. B. To increase processing efficiency. C. To prevent duplication of data. D. To save storage space.

A

Answer: B Explanation: Denormalization is the process of attempting to optimize the performance of data storage by adding redundant data. It is necessary because current DBMSs are not fully relational. A fully relational DBMS would be able to preserve full normalization at the logical level, while allowing it to be mapped to a performance-tuned physical level. Database designers often justify denormalization on performance grounds, but they should note that logical denormalization can easily break the consistency of the database, one of the all-important ACID properties. However, a designer can achieve the performance benefits while retaining consistency by performing denormalization at the physical level; such denormalization is often called caching.

34
Q

QUESTION NO: 1290 Under “Named Perils” form of Property insurance A. Burden of proof that particular loss is covered is on Insurer. B. Burden of proof that particular loss is not covered is on Insurer. C. Burden of proof that particular loss is covered is on Insured. D. Burden of proof that particular loss is not covered is on Insured.

A

Answer: B Explanation: An insurance policy that covers fire damage is said to cover the “named peril” of fire. So the insurer would need to prove that fire was not covered if it wanted to deny the claim. The insured has no burden of proof other than showing that the damage was caused by fire.

35
Q

QUESTION NO: 1291 The following is not true: A. Since the early days of mankind humans have struggled with the problems of protecting assets. B. The addition of a PIN keypad to the card reader was a solution to the unreported card or lost card problem. C. There has never been a problem of lost keys. D. Human guard is an inefficient and sometimes ineffective method of protecting resources.

A

Answer: C Explanation: This statement is absolutely false; the problem can be seen almost anywhere. There has always been trouble with lost keys. Some of those losses matter more than others: losing the key to the company safe is not the same as losing the key to the locker that holds your shoes. Since this is obviously an incorrect statement, answer C is the one here. “Unfortunately, using security guards is not a perfect solution. There are numerous disadvantages to deploying, maintaining, and relying upon security guards. Not all environments and facilities support security guards. This may be due to actual human incompatibility with the layout, design, location, and construction of the facility. Not all security guards are themselves reliable. Prescreening, bonding, and training does not guarantee that you won’t end up with an ineffective and unreliable security guard.” Pg 646 Tittel: CISSP Guide.

36
Q

QUESTION NO: 1292 Which of the following statements pertaining to software testing approaches is correct? A. A bottom-up approach allows interface errors to be detected earlier. B. A top-down approach allows errors in critical modules to be detected earlier. C. The test plan and results should be retained as part of the system’s permanent documentation. D. Black box testing is predicated on a close examination of procedural detail.

A

Answer: C Explanation: This is an absolute best practice in the software testing field: you should always keep all your testing approaches, together with their results, as part of the product documentation. This helps if you have problems with some tasks or components of the software in the future, because you can go back to your tests and results and see whether the system was performing the tasks correctly and whether anything has changed from that environment.

37
Q

QUESTION NO: 1293 Which Orange Book evaluation level is described as “Structured Protection”? A. A1 B. B3 C. B2 D. B1

A

Answer: C Explanation: Class B2 corresponds to Structured Protection.

Division B - Mandatory Protection: Mandatory access is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model and evidence of the reference monitor enforcement must be available.

B1: Labeled Security. Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject’s and the object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement and the design specifications are reviewed and verified. It is intended for environments that handle classified data.

B2: Structured Protection. The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces between layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means there are no trapdoors. There is a separation of operator and administrator functions within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The environment that would require B2 systems could process sensitive data that requires a higher degree of security. This environment would require systems that are relatively resistant to penetration and compromise.

B3: Security Domains. In this class, more granularity is provided in each protection mechanism, and programming code that is not necessary to support the security is excluded. The design and implementation should not provide too much complexity, because as the complexity of a system increases, the ability of the individuals who need to test, maintain, and configure it decreases; thus, the overall security can be threatened. The reference monitor components must be small enough to test properly and be tamperproof. The security administrator role is clearly defined, and the system must be able to recover from failures without its security level being compromised. When the system starts up and loads its operating system and components, it must be done in an initial secure state to ensure any weakness of the system cannot be taken advantage of in this slice of time. An environment that requires B3 systems is a highly secured environment that processes very sensitive information. It requires systems that are highly resistant to penetration.

Note: In class (B2) systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class (B1) systems be extended to all subjects and objects in the ADP system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non-protection-critical elements. Class B2 corresponds to “Structured Protection” in the Orange Book.

38
Q

QUESTION NO: 1294 Which of the following questions should any user not be able to answer regarding their organization information security policy? A. Who is involved in establishing the security policy? B. Where is the organization security policy defined? C. What are the actions that need to be performed in case of a disaster? D. Who is responsible for monitoring compliance to the organization security policy?

A

Answer: C Explanation: According to CISSP documentation, the actual definitions and procedures inside an organization’s disaster recovery policy are of a private nature. Only people working in the company, with a role inside it, should know about those procedures. It is not good practice to divulge disaster recovery procedures to external people. Many times external people do need to know who is involved and who is responsible; this could be the case of a vendor providing replacement equipment in case of disaster.

39
Q

QUESTION NO: 1295 RAID Level 1 mirrors the data from one disk to a set of disks using which of the following techniques? A. Copying the data onto another disk or set of disks. B. Moving the data onto another disk or set of disks. C. Establishing dual connectivity to another disk or set of disks. D. Establishing dual addressing to another disk or set of disks.

A

Answer: A Explanation: RAID 1, or mirroring, is a technique in which data is written to two duplicate disks simultaneously through a copy process. This way, if one of the disk drives fails, the system can instantly switch to the other disk without any loss of data or service. Disk mirroring is commonly used in on-line database systems where it’s critical that the data be accessible at all times. RAID means “Redundant Array of Inexpensive Disks”.

40
Q

QUESTION NO: 1296 Which type of firewall can be used to track connectionless protocols such as UDP and RPC? A. Stateful inspection firewalls B. Packet filtering firewalls C. Application level firewalls D. Circuit level firewalls

A

Answer: A

41
Q

QUESTION NO: 1297 Which of the following items should not be retained in an E-mail directory? A. Drafts of documents. B. Copies of documents. C. Permanent records. D. Temporary documents.

A

Answer: C Explanation: This is another matter of common sense; the CISSP exam has many situations like this. It is not good practice to keep permanent documents in your e-mail, because you don’t know whether your e-mail is always backed up, and the document may need to be available in a corporate repository. There is no problem with keeping copies, drafts or temporary documents in your e-mail. The important ones for the company are the permanent documents.

42
Q

QUESTION NO: 1298 Which of the following department managers would be best suited to oversee the development of an information security policy? A. Information systems B. Human resources C. Business operations D. Security administration

A

Answer: C Explanation: This is the most appropriate manager, because he knows the ins and outs of the business processes inside the company. Remember that he manages the business operations, and those operations are the ones that keep the company alive and generate the revenue. He knows who should access what and when. Security administrators develop the policy with the information provided by people like the business operations manager. Human resources is not appropriate in this case, and the information systems manager knows about the technology but not the business needs of the company.

43
Q

QUESTION NO: 1299 Which of the following countermeasures is not appropriate for war dialing attacks? A. Monitoring and auditing for such activity. B. Disabling call forwarding. C. Making sure only necessary phone numbers are made public. D. Using completely different numbers for voice and data accesses.

A

Answer: B Explanation: War dialing, or scanning, has been a common activity in the computer underground and the computer security industry for decades. Hollywood made war dialing popular with the 1983 movie War Games, in which a teenager searching for a videogame company ultimately uncovers a government nuclear war warning system. The act of war dialing is extremely simple: a host computer dials a given range of telephone numbers using a modem. Every telephone number that answers with a modem and successfully connects to the host is stored in a log. Disabling call forwarding is not a useful countermeasure because it is the attacker’s machine that connects to the attacked system, and forwarding plays no part in the attack. Answers A, C and D can be used as countermeasures to make war dialing attacks harder.

44
Q

QUESTION NO: 1300 Which of the following tools is less likely to be used by a hacker? A. L0phtcrack B. Tripwire C. Crack D. John the Ripper

A

Answer: B Explanation: Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. The hard part is doing it the right way, balancing security, maintenance, and functionality. This tool is not usually used by hackers to attack; it is usually used to defend against hacker attacks. L0phtcrack is a hacker utility for obtaining passwords, and Crack and John the Ripper are also password crackers.

45
Q

QUESTION NO: 1301 Which of the following logical access exposures involves changing data before, or as it is entered into the computer? A. Data diddling B. Salami techniques C. Trojan horses D. Viruses

A

Answer: A Explanation: This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed. This kind of attack was used in the past to steal small quantities of money and transfer them to the attacker’s account, and there are many other uses too. Trojan horses open ports without the user’s knowledge to permit remote control, and a virus is a malicious piece of code that executes inside your computer.

46
Q

QUESTION NO: 1302 Which of the following computer aided software engineering (CASE) products is used for developing detailed designs, such as screen and report layouts? A. Lower CASE B. Middle CASE C. Upper CASE D. I-CASE

A

Answer: B Explanation: This is the proper name; you can search for “Middle CASE” on the Internet. “Middle CASE” is a CASE flavor and UML design tool that provides the required functionality, such as screen and report layouts and detailed designs. There are many well-known vendors providing this kind of tool for the software development process.

47
Q

QUESTION NO: 1303 What is the number of columns in a table called? A. Schema B. Relation C. Degree D. Cardinality

A

Answer: C Explanation: In database terminology, saying that the degree is “X” is the same as saying that the number of columns in a table is “X”. This question is just testing our knowledge of rare, hard-to-find terminology; you can check this in the Oracle knowledge base. When we talk about degree, we are just talking about columns. The schema is the structure of the database, and the relations are the way each table relates to others.

48
Q

QUESTION NO: 1304 Which of the following is the most reliable authentication device? A. Variable callback system B. Smart Card system C. Fixed callback system D. Combination of variable and fixed callback system.

A

Answer: B Explanation: The smart card, an intelligent token, is a credit-card-sized plastic card embedded with an integrated circuit chip. It provides not only memory capacity but computational capability as well. The self-containment of a smart card makes it resistant to attack, as it does not need to depend upon potentially vulnerable external resources. Because of this characteristic, smart cards are often used in applications that require strong security protection and authentication. Option B is the most correct option because callback systems are not considered very reliable in the CISSP examination; smart cards can also provide two-mode authentication. “Caller ID and callback options are great, but they are usually not practical because they require users to call in from a static phone number each time they access the network. Most users are accessing the network remotely because they are on the road and moving from place to place.” Pg. 428 Shon Harris: All-In-One CISSP Certification Guide.

49
Q

QUESTION NO: 1305 Which of the following firewall rules is less likely to be found on a firewall installed between an organization’s internal network and the Internet? A. Permit all traffic to and from local host. B. Permit all inbound ssh traffic C. Permit all inbound tcp connections. D. Permit all syslog traffic to log-server.abc.org.

A

Answer: C Explanation: Option “C” is a very bad practice on a firewall with one of its interfaces connected to a public network like the Internet. Since that rule allows all inbound TCP traffic, hackers can send any attack they want to any TCP port: port scanning, SYN attacks, and many other dangerous DoS activities against our private network. Permitting traffic from the local host is a best practice, since our firewall is the local host. Permitting SSH (Secure Shell) is also fine because this protocol uses cryptography.

50
Q

QUESTION NO: 1306 The Internet can be utilized by either? A. Public or private networks (with a Virtual Private Networks). B. Private or public networks (with a Virtual Private Networks). C. Home or private networks (with a Virtual Private Networks). D. Public or home networks (with a Virtual Private Networks).

A

Answer: C

51
Q

QUESTION NO: 1307 This backup method must be made regardless of whether Differential or Incremental methods are used. A. Full Backup Method B. Incremental backup method C. Differential backup method D. Tape backup method

A

Answer: A Explanation: Since the “Full” backup method provides a restore baseline for our systems, a full backup must be done at least once regardless of the method you are using. It is very common to use full backups in combination with incremental or differential ones to decrease the backup time (although this increases the restore time), but there is no way to maintain a system with only incremental or differential backups. You always need to begin from your restore baseline, the full backup.

52
Q

QUESTION NO: 1308 Why do buffer overflows happen? A. Because buffers can only hold so much data. B. Because input data is not checked for appropriate length at time of input. C. Because they are an easy weakness to exploit. D. Because of insufficient system memory.

A

Answer: B

53
Q

QUESTION NO: 1309 Which of the following should not be performed by an operator? A. Mounting disk or tape B. Backup and recovery C. Data entry D. Handling hardware

A

Answer: B

54
Q

QUESTION NO: 1310 What security model is dependent on security labels? A. Discretionary access control B. Label-based access control C. Mandatory access control D. Non-discretionary access control

A

Answer: C Explanation: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy. This kind of access control method is based on Security labels. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden).

55
Q

QUESTION NO: 1311 Detection capabilities of Host-based ID systems are limited by the incompleteness of which of the following? A. Audit log capabilities B. Event capture capabilities C. Event triage capabilities D. Audit notification capabilities

A

Answer: A Explanation: This is one of the weakest points of IDS systems installed on individual hosts. Much of the malicious activity may be circulating through the network, while this kind of IDS usually has small logging capabilities that are local in nature. So activity happening in the network could go unnoticed, and intrusions can’t be tracked as in depth as they could be with an enterprise IDS solution providing centralized logging.

56
Q

QUESTION NO: 1312 Computer crime is generally made possible by which of the following? A. The perpetrator obtaining training & special knowledge. B. Victim carelessness. C. Collusion with others in information processing D. System design flaws.

A

Answer: B Explanation: This is a real problem: nobody thinks they can be the victim of a computer crime until they are. There is a big problem with the way people think about this kind of attack. Computer crimes can be very serious and can do great damage to enterprises. Computer crime will decrease once people begin to think about the risks and begin to protect their systems from the most common attacks.

57
Q

QUESTION NO: 1313 The structures, transmission methods, transport formats, and security measures that are used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media includes? A. The Telecommunications and Network Security domain. B. The Telecommunications and Netware Security domain. C. The Technical communications and Network Security domain. D. The Telnet and Network Security domain.

A

Answer: A Explanation: This is pretty straightforward. The four principal pillars of computer security, integrity, authentication, confidentiality and availability, are all part of the Telecommunications and Network Security domain. Why? Because those pillars deal with that. We provide integrity through digital signatures, authentication through passwords, confidentiality through encryption and availability through fault tolerance and disaster recovery. All of those are networking and telecommunication components.

58
Q

QUESTION NO: 1314 Which of the following is the lowest TCSEC class wherein the system must be protected against covert storage channels (but not necessarily covert timing channels)? A. B2 B. B1 C. B3 D. A1

A

Answer: A Explanation: The B2 class referenced in the Orange Book is the formal security policy model based on device labels that can use DAC (Discretionary Access Controls) and MAC (Mandatory Access Controls). It provides functionality for covert channel control. It does not require protection against covert timing channels. You can review the B2 section of the Orange Book.

59
Q

QUESTION NO: 1315 Which type of control is concerned with avoiding occurrences of risks? A. Deterrent controls B. Detective controls C. Preventive controls D. Compensating controls

A

Answer: C Explanation: Preventive controls deal with the avoidance of risk by reducing probabilities. It is like the example we read earlier about the dogs. Just to recall it: since we want to prevent something from happening, we can go out and buy some guard dogs to do the job. You are buying them because you want to prevent something from happening. The intruder will see the dogs and may turn back; this prevents an attack, so these dogs are a form of preventive control.

60
Q

QUESTION NO: 1316 The basic function of an FRDS is to? A. Protect file servers from data loss and a loss of availability due to disk failure. B. Persistent file servers from data gain and a gain of availability due to disk failure. C. Prudent file servers from data loss and a loss of acceptability due to disk failure. D. Packet file servers from data loss and a loss of accountability due to disk failure.

A

Answer: A Explanation: FRDS systems give us the functionality to protect our servers from disk failure and allow us to have highly available file services on our production servers. FRDS provides high availability against many types of disk failures and well-known problems: if one disk goes down, the others still work, providing no downtime. FRDS solutions are the preferred way to protect file servers against data corruption and loss. You can read more about FRDS on the Internet; search for “FRDS System”.

61
Q

QUESTION NO: 1317 Which of the following protocols does not operate at the data link layer (layer 2)? A. PPP B. RARP C. L2F D. ICMP

A

Answer: D Explanation: Internet Control Message Protocol. ICMP is used for diagnostics in the network. The Unix program, ping, uses ICMP messages to detect the status of other hosts in the net. ICMP messages can either be queries (in the case of ping) or error reports, such as when a network is unreachable. This protocol resides in layer 3 of the OSI model (Network layer).

62
Q

QUESTION NO: 1318 This tape format can be used to back up data systems in addition to its originally intended audio use: A. Digital Audio tape (DAT) B. Digital video tape (DVT) C. Digital Casio Tape (DCT) D. Digital Voice Tape (DVT)

A

Answer: A Explanation: Digital Audio Tape (DAT or R-DAT) is a signal recording and playback medium introduced by Sony in 1987. In appearance it is similar to a compact audio cassette, using 1/8” magnetic tape enclosed in a protective shell, but is roughly half the size at 73 mm x 54 mm x 10.5 mm. As the name suggests the recording is digital rather than analog, DAT converting and recording at the same rate as a CD (44.1 kHz sampling rate and 16 bits quantization) without data compression. This means that the entire input signal is retained. If a digital source is copied then the DAT will produce an exact clone. The format was designed for audio use, but through an ISO standard it has been adopted for general data storage, storing from 4 to 40 GB on a 120 meter tape depending on the standard and compression (DDS-1 to DDS-4). It is, naturally, sequential-access media and is commonly used for backups. Due to the higher requirements for integrity in data backups a computer-grade DAT was introduced.

63
Q

QUESTION NO: 1319 By examining the “state” and “context” of the incoming data packets, it helps to track the protocols that are considered “connectionless”, such as UDP-based applications and Remote Procedure Calls (RPC). This type of firewall system is used in? A. First generation firewall systems. B. Second generation firewall systems. C. Third generation firewall systems. D. Fourth generation firewall systems.

A

Answer: C Explanation: Stateful inspection is a third generation firewall technology designed to be aware of, and inspect, not only the information being received but also the dynamic connection and transmission state of the information being received. Control decisions are made by analyzing and utilizing the following: communication information, communication-derived state, application-derived state and information manipulation.

64
Q

QUESTION NO: 1320 Guards are appropriate whenever the function required by the security program involves which of the following? A. The use of discriminating judgment. B. The use of physical force. C. The operation of access control devices. D. The need to detect unauthorized access.

A

Answer: A Explanation: This is the correct answer; we don’t have guards only to use physical force, which is not their real function if your security policy is well oriented. They are not only there to operate control devices and to detect unauthorized access; as stated in CISSP documentation, the appropriate function of a guard inside a security program is the use of discriminating judgment.

65
Q

QUESTION NO: 1321 A server cluster looks like a? A. Single server from the user’s point of view. B. Dual server from the user’s point of view. C. Triple server from the user’s point of view. D. Quadruple server from the user’s point of view.

A

Answer: A Explanation: A “cluster” is a grouping of machines running certain services, providing high availability and fault tolerance for them. In other words, they are grouped together as a means of failover support. From the user’s view, a cluster is a single server, but only a logical one: you can have an array of 4 servers in a cluster, all with the same IP address (achieving correct resolution through ARP), and there is no difference for the client.

66
Q

QUESTION NO: 1322 Which of the following are functions that are compatible in a properly segregated environment? A. Application programming and computer operation. B. System programming and job control analysis. C. Access authorization and database administration. D. System development and systems maintenance.

A

Answer: D Explanation: If you think about it, system development and system maintenance are perfectly compatible: you can develop on the systems for a certain time, and when it is time for maintenance, you stop the development process and perform the maintenance. It’s a pretty straightforward process. The other answers do not provide the simplicity and freedom of this option. Incorrect answer: access authorization and database administration are NEVER compatible.

67
Q

QUESTION NO: 1323 Encryption is applicable to all of the following OSI/ISO layers except: A. Network layer B. Physical layer C. Session layer D. Data link layer

A

Answer: B Explanation: The physical layer describes the physical properties of the various communications media, as well as the electrical properties and interpretation of the exchanged signals. For example, this layer defines the size of Ethernet coaxial cable, the type of BNC connector used, and the termination method. You cannot encrypt anything at this layer because it is physical; it is not protocol or software based. The network, data link and transport layers support encryption.

68
Q

QUESTION NO: 1324 The Computer Security Policy Model the Orange Book is based on is which of the following? A. Bell-LaPadula B. Data Encryption Standard C. Kerberos D. Tempest

A

Answer: A Explanation: Following the publication of the Anderson report, considerable research was initiated into formal models of security policy requirements and of the mechanisms that would implement and enforce those policy models as a security kernel. Prominent among these efforts was the ESD-sponsored development of the Bell and LaPadula model, an abstract formal treatment of DoD security policy.[2] Using mathematics and set theory, the model precisely defines the notion of secure state, fundamental modes of access, and the rules for granting subjects specific modes of access to objects. Finally, a theorem is proven to demonstrate that the rules are security-preserving operations, so that the application of any sequence of the rules to a system that is in a secure state will result in the system entering a new state that is also secure. This theorem is known as the Basic Security Theorem.

69
Q

QUESTION NO: 1325 Which type of attack would a competitive intelligence attack best classify as? A. Business attack B. Intelligence attack C. Financial attack D. Grudge attack

A

Answer: A Explanation: Since we are talking about a competitive intelligence attack, we can classify it as a business attack because it is disrupting business activities. Intelligence attacks are among the most commonly used to hurt a company where it hurts most: in its information. To see more about competitive intelligence attacks you can take a look at a CISSP study guide, such as the CISSP Gold Edition guide. “Military and intelligence attacks are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources. Business attacks focus on illegally obtaining an organization’s confidential information. Financial attacks are carried out to unlawfully obtain money or services. Grudge attacks are attacks that are carried out to damage an organization or a person.”

70
Q

QUESTION NO: 1326 Which of the following is responsible for the most security issues? A. Outside espionage B. Hackers C. Personnel D. Equipment failure

A

Answer: C Explanation: As I stated earlier in the comments, the greater part of the attacks on companies come from personnel. Hackers are out there and attack some targets, but you should never forget that your worst enemy can be inside your company. That is why we usually implement IDS and defense in depth. It’s a very good practice to install host-based IDS to limit the ability of internal attackers through the machines. Another problem with personnel is ignorance: there are times when they just don’t know what they are doing, and are certainly violating the security policy.

71
Q

QUESTION NO: 1327 Which of the following goals is NOT a goal of Problem Management? A. To eliminate all problems. B. To reduce failures to a manageable level. C. To prevent the occurrence or re-occurrence of a problem. D. To mitigate the negative impact of problems on computing services and resources.

A

Answer: A Explanation: This is not possible; nobody can eliminate all problems, only god can. This is a reality, and problem management gurus know it. With problem management we can reduce failures, prevent the reoccurrence of problems and mitigate negative impact as much as we can, but we cannot eliminate all problems; this is not a perfect world.

72
Q

QUESTION NO: 1328 Examples of types of physical access controls include all except which of the following? A. badges B. locks C. guards D. passwords

A

Answer: D Explanation: A password is not a physical thing; it’s a logical one. You can control physical access with armed guards, by locking doors and by using badges to open doors, but you can’t relate a password to a physical environment. Just to recall: passwords are used to verify that the user of an ID is the owner of the ID. The ID-password combination is unique to each user and therefore provides a means of holding users accountable for their activity on the system. They are related to software, not to hardware.

73
Q

QUESTION NO: 1329 Which of the following statements pertaining to the (ISC)2 Code of Ethics is incorrect? A. All information systems security professionals who are certified by (ISC)2 recognize that such a certification is a privilege that must be both earned and maintained. B. All information systems security professionals who are certified by (ISC)2 shall provide diligent and competent service to principals. C. All information systems security professionals who are certified by (ISC)2 shall discourage such behavior as associating or preparing to associate with criminals or criminal behavior. D. All information systems security professionals who are certified by (ISC)2 shall promote the understanding and acceptance of prudent information security measures.

A

Answer: C Explanation: This is not one of the statements of the (ISC)2 Code of Ethics; (ISC)2 certified people are free to associate with any person and any party they want. (ISC)2 thinks that its certified people must have liberty of choice in their associations. However, (ISC)2 asks certified professionals to promote the certification and the understanding and acceptance of security measures; it also asks certified people to provide competent services and be proud of their exclusive (ISC)2 certified professional status. I think this is very fair: you are free to go where you want, with the people you want, but always be proud of your certification and your skills as a security professional. Code from the (ISC)2 web site:

“All information systems security professionals who are certified by (ISC)2 recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all Certified Information Systems Security Professionals (CISSPs) commit to fully support this Code of Ethics. CISSPs who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. There are only four mandatory canons in the code. By necessity such high-level guidance is not intended to substitute for the ethical judgment of the professional. Additional guidance is provided for each of the canons. While this guidance may be considered by the Board in judging behavior, it is advisory rather than mandatory. It is intended to help the professional in identifying and resolving the inevitable ethical dilemmas that will confront him/her.

Code of Ethics Preamble:
* Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
* Therefore, strict adherence to this code is a condition of certification.

Code of Ethics Canons:
* Protect society, the commonwealth, and the infrastructure.
* Act honorably, honestly, justly, responsibly, and legally.
* Provide diligent and competent service to principals.
* Advance and protect the profession.

The following additional guidance is given in furtherance of these goals.

Objectives for Guidance
In arriving at the following guidance, the committee is mindful of its responsibility to:
* Give guidance for resolving good v. good and bad v. bad dilemmas.
* To encourage right behavior such as:
  * Research
  * Teaching
  * Identifying, mentoring, and sponsoring candidates for the profession
  * Valuing the certificate
* To discourage such behavior as:
  * Raising unnecessary alarm, fear, uncertainty, or doubt
  * Giving unwarranted comfort or reassurance
  * Consenting to bad practice
  * Attaching weak systems to the public net
  * Professional association with non-professionals
  * Professional recognition of or association with amateurs
  * Associating or appearing to associate with criminals or criminal behavior

However, these objectives are provided for information only; the professional is not required or expected to agree with them. In resolving the choices that confront him, the professional should keep in mind that the following guidance is advisory only. Compliance with the guidance is neither necessary nor sufficient for ethical conduct. Compliance with the preamble and canons is mandatory. Conflicts between the canons should be resolved in the order of the canons. The canons are not equal and conflicts between them are not intended to create ethical binds.

Protect society, the commonwealth, and the infrastructure
* Promote and preserve public trust and confidence in information and systems.
* Promote the understanding and acceptance of prudent information security measures.
* Preserve and strengthen the integrity of the public infrastructure.
* Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally
* Tell the truth; make all stakeholders aware of your actions on a timely basis.
* Observe all contracts and agreements, express or implied.
* Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
* Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
* When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service to principals
* Preserve the value of their systems, applications, and information.
* Respect their trust and the privileges that they grant you.
* Avoid conflicts of interest or the appearance thereof.
* Render only those services for which you are fully competent and qualified.

Advance and protect the profession
* Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
* Take care not to injure the reputation of other professionals through malice or indifference.
* Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.”

74
Q

QUESTION NO: 1330 Which DES modes can best be used for authentication? A. Cipher Block Chaining and Electronic Code Book. B. Cipher Block Chaining and Output Feedback. C. Cipher Block Chaining and Cipher Feedback. D. Output Feedback and Electronic Code Book.

A

Answer: C Explanation: Cipher Block Chaining (CBC) uses feedback to feed the result of encryption back into the encryption of the next block. The plaintext is XOR’ed with the previous ciphertext block before it is encrypted, so the encryption of each block depends on all the previous blocks. This requires that the decryption side process all encrypted blocks sequentially. This mode requires a random initialization vector, which is XOR’ed with the first data block before it is encrypted. The initialization vector does not have to be kept secret, but it should be a random number (or a serial number) to ensure that each message is encrypted uniquely. In Cipher Feedback Mode (CFB), data is encrypted in units smaller than the block size. This mode can be used to encrypt any number of bits, e.g. single bits or single characters (bytes), before sending them across an insecure data link. Both of those methods can best be used to provide user authentication capabilities.

75
Q

QUESTION NO: 1331 In the OSI / ISO model, at what layer are some of the SLIP, CSLIP and PPP control functions provided? A. Data Link B. Transport C. Presentation D. Application

A

Answer: A Explanation: The Data Link layer takes raw data from the Physical layer and gives it logical structure. This structure includes information about where the data is meant to go, which computer sends the data, and the overall validity of the bytes sent. The Data Link layer also controls logical network topologies and physical addressing, as well as data transmission synchronization and error correction. SLIP, CSLIP and PPP provide control functions at the Data Link layer (layer 2 of the OSI model).