P/E 3 Flashcards

1
Q
  1. Which of the following is not a valid means to improve the security offered by password authentication?

A. Enabling account lockout controls
B. Enforcing a password policy
C. Using password-verification tools and password-cracking tools against your password database file
D. Allowing users to reuse the same password

A

Answer: D

Preventing password reuse by tracking password history increases security, but allowing users to reuse the same password does not. You can also improve password security by enabling account lockout controls, enforcing a password policy, and using password-verification tools to check the strength of existing passwords.

2
Q
  1. What provides data for re-creating the history of an event, intrusion, or system failure?

A. Security policies
B. Log files
C. Audit reports
D. Business continuity planning

A

Answer: B

Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. An audit trail includes log files and can reconstruct an event, extract information about an incident, and prove or disprove culpability. Security policies are documents that define security requirements for an organization. An audit report includes details gleaned from log files. Business continuity planning occurs before an event, such as a disaster, in an attempt to reduce the impact of the event.

3
Q
  1. What category of malicious software includes rogue antivirus software?

A. Logic bombs
B. Worms
C. Trojan horses
D. Spyware

A

Answer: C

Rogue antivirus software is an example of a Trojan horse. Users are tricked into installing it, and once installed, it steals sensitive information and/or prompts the user for payment.

4
Q
  1. What is the most important aspect of a biometric device?

A. Accuracy
B. Acceptability
C. Enrollment time
D. Invasiveness

A

Answer: A

The most important aspect of a biometric factor is its accuracy. If a biometric factor is not accurate, it may allow unauthorized users into a system. Acceptability by users, the amount of time it takes to enroll, and the invasiveness of the biometric device are additional considerations but not as important as its accuracy.

5
Q
  1. In areas where technical controls cannot be used to prevent virus infections, what should be used to prevent them?

A. Security baselines
B. Awareness training
C. Traffic filtering
D. Network design

A

Answer: B

Educating users is an important part of preventing virus infections and works with technical controls such as antivirus software. Security baselines provide a secure starting point for a system as a technical control. Traffic filtering is another technical control that can block viruses. Network design can be used to control the flow of traffic as a technical control.

6
Q
  1. What standard governs the creation of digital certificates used in the public key infrastructure?

A. FIPS 180-2
B. S/MIME
C. X.509
D. 802.1x

A

Answer: C

X.509 defines a common format for digital certificates containing certification of a public encryption key.

7
Q
  1. What is the final stage in the life cycle of backup media, occurring after or as a means of sanitization?

A. Degaussing
B. Destruction
C. Declassification
D. Defenestration

A

Answer: B

Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization.

8
Q
  1. Security mechanisms, tools, and practices that deter and mitigate malicious activity and events are what type of control?

A. Preventive control
B. Directive control
C. Corrective control
D. Recovery control

A

Answer: A

Preventive controls are the actual mechanisms by which malicious acts and activities are reduced or prevented entirely.

9
Q
  1. Beth is looking through web server logs and finds form input that looks like this:

<SCRIPT>alert('Enter your password')</SCRIPT>

What type of attack has she likely discovered?

A. XSS
B. SQL injection
C. XSRF
D. TOCTTOU

A

Answer: A

The use of the <SCRIPT> tag in form input is a telltale sign of a cross-site scripting (XSS) attack.

10
Q
  1. What security flaw conveys information by writing data to a common storage area where another process can read it?

A. Covert timing channel
B. Buffer overflow
C. Covert storage channel
D. Maintenance hook

A

Answer: C

A covert storage channel conveys information by writing data to a common storage area where another process can read it. Storing data in such a way introduces a security flaw that allows unauthorized users to access the data.

11
Q
  1. APTs are most closely related to what type of attack category?

A. Military attacks
B. Thrill attacks
C. Grudge attacks
D. Insider attacks

A

Answer: A

Advanced persistent threats (APTs) are often associated with government and military actors.

12
Q
  1. What is a divestiture?

A. Asset or employee reduction
B. A distribution of profits to shareholders
C. A release of documentation to the public
D. A transmission of data to law enforcement during an investigation

A

Answer: A

A divestiture is an asset or employee reduction.

13
Q
  1. There are generally three forms of governance within an enterprise organization, all of which have common goals, such as to ensure continued growth and expansion over time and to maintain resiliency to threats and the market. Which of the following is not one of these common forms of governance?

A. IT
B. Facility
C. Corporate
D. Security

A

Answer: B

The three common forms of governance are IT, corporate, and security. Facility is not usually considered a form of governance, or it is already contained within one of the other three.

14
Q
  1. What form of attack is always possible when using a non-802.1x implementation of a wireless network?

A. Password guessing
B. Encryption cracking
C. IV interception
D. Packet replay attacks

A

Answer: A

Password guessing is always a potential attack if a wireless network is not otherwise using some other form of authentication, typically accessed via 802.1x.

15
Q
  1. What is the preparation of storage media by overwriting with unclassified data for later reuse or redistribution?

A. Erasure
B. Clearing
C. Purging
D. Sanitization

A

Answer: B

Clearing is a method of sufficiently deleting data on media that will be reused in the same secured environment.

16
Q
  1. What is a secret agreement between parties to commit a criminal act against an organization or third party?

A. Collision
B. Confusion
C. Collusion
D. Contusion

A

Answer: C

Collusion is the act of two or more parties conspiring to commit a crime against another party or organization.

17
Q
  1. What type of processing makes use of a multithreading technique at the operating system level?

A. Symmetric multiprocessing
B. Multitasking
C. Multiprogramming
D. Massively parallel processing

A

Answer: A

Symmetric multiprocessing systems implement multithreading techniques at the operating system level.

18
Q
  1. Of the following, what best explains the motivation for using a preventive access control?

A. To discourage violation of security policies
B. To stop unwanted or unauthorized activity from occurring
C. To discover unwanted or unauthorized activity
D. To restore systems to normal after an unwanted or unauthorized activity has occurred

A

Answer: B

The essence of a preventive access control is to prevent or stop unwanted or unauthorized activity from occurring. Option A defines a deterrent access control, option C defines a detective access control, and option D defines a corrective access control.

19
Q
  1. The University of Outer Mongolia runs a web application that processes student tuition payments via credit card and is subject to PCI DSS. The university does not wish to perform web vulnerability scans on a regular basis because they consider them too time-consuming. What technology may they put in place that eliminates the PCI DSS requirement for recurring web vulnerability scans?

A. Web application firewall
B. Intrusion prevention system
C. Network vulnerability scanner
D. None. There is no exception to the recurring web vulnerability scan requirement.

A

Answer: A

PCI DSS allows organizations to choose between performing annual web vulnerability assessment tests or installing a web application firewall.

20
Q
  1. In what type of software testing does the tester not have access to the code?

A. White box
B. Black box
C. Gray box
D. Static

A

Answer: B

Black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output. Black-box testers do not have access to the internal code.

21
Q
  1. Which conceptual security model offers the best preventive protection against viral infection and outbreak?

A. ISO/OSI reference model
B. Concentric circle
C. Operations security triple
D. CIA Triad

A

Answer: B

A concentric circle security model represents the best practice known as defense in depth, a layered approach to protecting IT infrastructure.

22
Q
  1. What is access?

A. Functions of an object
B. Information flow from objects to subjects
C. Unrestricted admittance of subjects on a system
D. Administration of ACLs

A

Answer: B

Access is the transfer of information from an object to a subject. An object is a passive resource that does not have functions. Access is not unrestricted. Access control includes more than administration of access control lists (ACLs).

23
Q
  1. Which of the following increases vulnerabilities related to viruses?

A. Length of time the system is operating
B. The classification level of the primary user
C. Installation of software
D. Use of roaming profiles

A

Answer: C

As more software is installed, more vulnerabilities are added to the system, thus adding more avenues of attack for viruses. How long a system operates, the classification level of the user, or the use of roaming profiles does not increase vulnerabilities related to viruses.

24
Q
  1. What is the act of searching for unauthorized modems known as?

A. Dumpster diving
B. Espionage
C. System auditing
D. War dialing

A

Answer: D

War dialing is the act of searching for unauthorized modems that will accept inbound calls on an otherwise secure network in an attempt to gain access. Dumpster diving is searching through trash for information. Espionage is the act of collecting information against a competitor or foreign government. System auditing is used to assess the effectiveness of security controls.

25
Q
  1. What is the frequency of an IT infrastructure security audit or security review based on?

A. Asset value
B. Administrator discretion
C. Risk
D. Level of realized threats

A

Answer: C

The frequency of an IT infrastructure security audit or security review is based on risk. You must establish the existence of sufficient risk to warrant the expense of, and interruption caused by, a security audit on a more or less frequent basis. Asset value and threats are a part of risk but are not the whole picture, and assessments are not performed based only on either of these. A high-value asset with a low level of threats doesn’t present a high risk. Similarly, a low-value asset with a high level of threats doesn’t present a high risk. The decision to perform an audit isn’t usually relegated to an administrator.

26
Q
  1. Which one of the following techniques takes the concept of process isolation and applies it to hardware controls?

A. Layering
B. Abstraction
C. Data hiding
D. Hardware segmentation

A

Answer: D

Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level.

27
Q
  1. What is a well-known synonym for defense in depth?

A. Confidentiality-Integrity-Accountability
B. Bastion server
C. Layered security
D. Biometric authentication

A

Answer: C

Defense in depth is also known as layered security. The motivation for layered security comes from the benefits that accrue from establishing multiple layers or levels of access controls to provide defense in depth from security threats. If one layer fails or is bypassed, defenses at other layers kick in to provide additional protection.

28
Q
  1. What element of quantitative risk analysis judges the frequency of compromise of a threat?

A. SLE
B. EF
C. AV
D. ARO

A

Answer: D

The ARO (annualized rate of occurrence) is the element of quantitative risk analysis that judges the frequency of compromise of a threat.

29
Q
  1. Your manager is concerned that the business impact assessment recently completed by the BCP team doesn’t adequately take into account the loss of goodwill among customers that might result from a particular type of disaster. Where should items like this be addressed?

A. Continuity strategy
B. Quantitative analysis
C. Likelihood assessment
D. Qualitative analysis

A

Answer: D

The qualitative analysis portion of the business impact assessment (BIA) allows you to introduce intangible concerns, such as loss of customer goodwill, into the BIA planning process.

30
Q
  1. What security services are provided by Kerberos for authentication traffic?

A. Availability and nonrepudiation
B. Confidentiality and nonrepudiation
C. Confidentiality and integrity
D. Availability and authorization

A

Answer: C

Kerberos provides confidentiality and integrity protection for authentication traffic, using symmetric cryptography to encrypt the tickets sent over the network to prove identity and provide authentication. The security services provided by Kerberos are not directly related to availability or nonrepudiation.

31
Q
  1. Which essential element of an audit report is not considered to be a basic concept of the audit?

A. Purpose of the audit
B. Recommendations of the auditor
C. Scope of the audit
D. Results of the audit

A

Answer: B

Recommendations of the auditor are not considered basic and essential concepts to be included in an audit report. Key elements of an audit report include the purpose, scope, and results of the audit.

32
Q
  1. The process by which media is prepared for irrevocable destruction to ensure no chance of data recovery goes by what name?

A. Degaussing
B. Sterilization
C. Declassification
D. Sanitization

A

Answer: D

Sanitization is the process of wiping storage media clean in preparation for disposal or destruction. It ensures that data cannot be recovered by any means from destroyed or discarded media.

33
Q
  1. What strategy basically consists of multiple layers of antivirus, malware, and spyware protection distributed throughout a given network environment?

A. CIA Triad
B. Concentric circle
C. Operations security triple
D. Separation of duties

A

Answer: B

A concentric circle security model comprises several mutually independent security applications, processes, or services that operate toward a single common goal.

34
Q
  1. What security mode allows systems to process information at more than one level of security even when all users do not have appropriate clearances?

A. Dedicated
B. Multilevel
C. Compartmented
D. System high

A

Answer: B

Multilevel security systems can process information at different levels even when all system users do not have the required security clearance to access all information processed by the system.

35
Q
  1. What process state can be dependent on peripherals?

A. Ready
B. Waiting
C. Running
D. Supervisory

A

Answer: B

The waiting state is a process state that depends on peripherals as the processes pause execution until the conclusion of some requested activity, such as peripheral activity.

36
Q
  1. What sort of intruder is actually one of the “good guys” doing good things for your network security?

A. Unethical hacker
B. Ethical hacker
C. System cracker
D. Malicious user

A

Answer: B

Ethical hackers are those trained in responsible network security methodology, with a philosophy toward nondestructive and nonintrusive testing.

37
Q
  1. What phase of a business impact assessment calculates the ARO for a given risk scenario?

A. Risk identification
B. Likelihood assessment
C. Impact assessment
D. Resource prioritization

A

Answer: B

The annualized rate of occurrence (ARO) is a measure of how many times a risk might materialize in a typical year. It is a measure of risk likelihood.

38
Q
  1. Which of the following is not an effective countermeasure against inappropriate content being hosted or distributed over a secured network?

A. Activity logging
B. Content filtering
C. Intrusion detection system
D. Penalties for violations

A

Answer: C

An intrusion detection system is designed to detect intrusions and is not a countermeasure against inappropriate content by internal users. However, activity logging, content filtering, and policies that include penalties for violations can all be used as countermeasures for inappropriate content.

39
Q
  1. Which of the following statements is not true?

A. VLANs are created by switches.
B. A subnet is created by a router.
C. Multilayer switches can allow cross-VLAN communications by providing a routing function.
D. The assignment of an IP address and subnet mask defines a subnet.

A

Answer: B

A subnet is not created by a router; a subnet is created through the assignment of an IP address and a subnet mask. Routers only manage traffic between subnets.

40
Q
  1. Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?

A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis

A

Answer: C

The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task.

41
Q
  1. What would an administrator use to ensure systems have required patches?

A. Patch management system
B. Patch scanner
C. Penetration tester
D. Fuzz tester

A

Answer: A

A patch management system ensures that systems have required patches. In addition to deploying patches, it would also check the systems to verify they accepted the patches. There is no such thing as a patch scanner. A penetration test will attempt to exploit a vulnerability, but it can be intrusive and cause an outage so it isn’t appropriate in this scenario. A fuzz tester sends random data to a system to check for vulnerabilities but doesn’t test for patches.

42
Q
  1. How does an API user typically authenticate to use the API?

A. Password
B. API key
C. Cookie
D. Two-factor authentication

A

Answer: B

API keys are passed with each API call to authenticate the API user.

43
Q
  1. When possible, operations controls should be _____.

A. Simple
B. Administrative
C. Preventive
D. Transparent

A

Answer: D

When possible, operations controls should be invisible, or transparent, to users. This keeps users from feeling hampered by security and reduces their knowledge of the overall security scheme, thus further restricting the likelihood that users will violate system security deliberately.

44
Q
  1. Which one of the following terms can be used to describe RAM memory?

A. Secondary
B. Sequential
C. Nonvolatile
D. Random

A

Answer: D

Random access memory (RAM) is accessed in a random, rather than a sequential, fashion.

45
Q
  1. What is layering?

A. Deploying multiple security mechanisms in parallel
B. Deploying multiple security mechanisms in a series
C. Requiring identification and authentication before authorization
D. Deploying multiple firewalls around the perimeter of a network

A

Answer: B

Layering is the deployment of multiple security mechanisms in a series.

46
Q
  1. What networking device can be used to create digital network segments that can be altered as needed by adjusting the settings internal to the device rather than on end-point devices?

A. Router
B. Switch
C. Proxy
D. Gateway

A

Answer: B

A switch is a networking device that can be used to create digital network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device rather than on end-point devices. A router connects disparate networks rather than creating network segments.

47
Q
  1. Which of the following is true about Kerberos?

A. It uses symmetric key cryptography.
B. It uses asymmetric key cryptography.
C. It uses public key cryptography.
D. It requires a PKI.

A

Answer: A

Kerberos uses symmetric key cryptography. It does not use asymmetric or public key cryptography, and it does not require public key infrastructure (PKI).

48
Q
  1. When an intruder gains unauthorized access to a facility by asking an employee to hold open a door because their arms are full of packages, this is known as what type of attack?

A. Tailgating
B. Masquerading
C. Impersonation
D. Piggybacking

A

Answer: D

Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

49
Q
  1. Which security mode provides the most granular control over resources and users?

A. Dedicated
B. System high
C. Compartmented
D. Multilevel

A

Answer: B

System high mode provides the most granular control over resources and users because it enforces clearances, requires need to know, and allows the processing of only single sensitivity levels. All the other levels either do not have unique need to know between users (dedicated), allow multiple levels of data processing (compartmented), or allow a wide number of users with varying clearance (multilevel).

50
Q
  1. A team that initially knows nothing about its target before performing a security analysis is known as what?

A. Absolute knowledge
B. Partial knowledge
C. Zero knowledge
D. Infinite knowledge

A

Answer: C

Zero-knowledge teams possess only primary information about an organization during a security assessment or penetration test.

51
Q
  1. Which one of the following addressing schemes uses a value stored in one of the CPU’s registers combined with an instruction operand to determine the correct memory location to access?

A. Direct addressing
B. Immediate addressing
C. Base+Offset addressing
D. Indirect addressing

A

Answer: C

Base+Offset addressing uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to the value and retrieves the operand from that computed memory location.

52
Q
  1. Which of the following is not an element defined under the Clark-Wilson model?

A. Constrained data item
B. Transformation procedures
C. Redundant commit statement
D. Integrity verification procedure

A

Answer: C

A redundant commit statement is not associated with the Clark-Wilson model; it is instead an element in database replication. The Clark-Wilson model does define constrained data item, transformation procedures, and integrity verification procedure.

53
Q
  1. What security principle states that a thorough understanding of a system’s operational details is not necessary for most routine activities?

A. Process isolation
B. Abstraction
C. Monitoring
D. Hardware segmentation

A

Answer: B

Abstraction states that a detailed understanding of lower system levels is not a necessary requirement for working at higher levels.

54
Q
  1. The Clark-Wilson access model is also called a(n) ___________________ interface model.

A. Encrypted
B. Triple
C. Restricted
D. Unrestricted

A

Answer: C

The Clark-Wilson model can also be described as a restricted interface model because it uses classification-based restrictions to offer subject-specific functions and information. Subjects at one classification level will see a specific set of data and obtain access to a related set of functions, while another subject at a different classification level will see a different dataset and obtain access to a different set of functions.

55
Q
  1. A person who illicitly gains the trust or credentials from a trusted party has committed what criminal act?

A. Espionage
B. Sabotage
C. Reverse engineering
D. Social engineering

A

Answer: D

Social engineering is an attempt to deceive an insider into performing questionable actions on behalf of some unauthorized outsider.

56
Q
  1. Which of the following is not a valid reason why log files should be protected?

A. Log files can be used to reconstruct events leading up to an incident.
B. Attackers may try to erase their activity during or after an attack.
C. Unprotected log files cannot be used as evidence.
D. Log files include information on why an attack occurred.

A

Answer: D

Log files include information on what happened, when and where it happened, who was involved, and sometimes how, but they do not include why an attack occurred; they do not include the motivation of an attacker. Log files should be protected because they can be used to reconstruct events, attackers may try to modify them, and unprotected logs cannot be used as evidence.

57
Q
  1. Which type of intrusion detection system (IDS) can be considered an expert system?

A. Host-based
B. Network-based
C. Knowledge-based
D. Behavior-based

A

Answer: D

A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. A knowledge-based IDS uses a database of known attack methods to detect attacks. Both host-based and network-based systems can be knowledge-based, behavior-based, or a combination of the two.

58
Q
  1. What form of data sampling examines only errors that occur above some specified threshold level?

A. Sampling
B. Summarizing
C. Clipping
D. Accounting

A

Answer: C

Clipping levels are widely used in the process of auditing events to establish a baseline of system or user activity that is considered routine activity.

59
Q
  1. Why should an enterprise network implement endpoint security?

A. To provide sufficient security on each individual host.
B. Centralized security mechanisms are too expensive.
C. Network security safeguards do not provide any protection for hosts.
D. Hardware security options are ineffective against software exploits.

A

Answer: A

Endpoint security is implemented in order to provide sufficient security on each individual host, rather than relying on network-based security only.

60
Q
  1. Which one of the following is not one of the canons of the (ISC)2 code of ethics?

A. Act honorably, honestly, justly, responsibly, and legally.
B. Advance and protect the profession.
C. Preserve the integrity of the CISSP exam.
D. Provide diligent and competent service to principals.

A

Answer: C

The code of ethics does not explicitly mention the CISSP exam.

61
Q
  1. Which of the following security models is most often used for general commercial applications?

A. Brewer and Nash model
B. Biba model
C. Bell-LaPadula model
D. Clark-Wilson model

A

Answer: D

Of the four models mentioned, Biba and Clark-Wilson are most commonly used for commercial applications because both focus on data integrity. Of these two, Clark-Wilson offers more control and does a better job of maintaining integrity, so it’s used most often for commercial applications. Bell-LaPadula is used most often for military applications. Brewer and Nash applies only to datasets (usually within database management systems) where conflict-of-interest classes prevent subjects from accessing more than one dataset that might lead to a conflict-of-interest situation.

62
Q
  1. What technique is the most effective means of protecting against XSS attacks?

A. Acceptance testing
B. Code review
C. Firewall rules
D. Input validation

A

Answer: D

Input validation protects against a wide variety of web-based attacks, including XSS.

63
Q
  1. You are designing a contract management system and need to be able to prove to a court that the individual who sent in a contract actually sent the message and that it was not forged. What cryptographic goal are you trying to achieve?

A. Nonrepudiation
B. Confidentiality
C. Integrity
D. Authentication

A

Answer: A

The cryptographic goal of nonrepudiation ensures that you can prove to an uninvolved third party that a message originated with the purported sender.

64
Q
  1. What encryption algorithm does the WPA-2 protocol use to protect wireless networks?

A. DES
B. 3DES
C. AES
D. TKIP

A

Answer: C

WPA-2 uses AES (in CCMP mode), replacing the RC4-based TKIP encryption used by WPA. DES and 3DES are not used by either standard.

65
Q
  1. What form of security planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans?

A. Strategic
B. Operational
C. Administrative
D. Tactical

A

Answer: D

Tactical planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans.

66
Q
  1. If the user has the ability to define object access, what type of controls are you using?

A. Discretionary controls
B. Mandatory controls
C. Audited controls
D. Remote controls

A

Answer: A

Discretionary controls give the subject (user) some ability to define the objects to access. This access control mechanism ensures that the owner or creator of an object controls and defines the access other subjects have to that object.

67
Q
  1. What is the purpose of a security impact analysis in the context of change management?

A. To approve changes
B. To reject changes
C. To identify changes
D. To review changes

A

Answer: D

A security impact analysis reviews change requests and evaluates them for potential negative impacts. All changes aren’t necessarily approved or rejected. The analysis doesn’t attempt to identify changes.

68
Q
  1. Which of the following can be used securely even when no preexisting secure form of communication exists between the two parties?

A. AES
B. RSA
C. IDEA
D. RC5

A

Answer: B

RSA is an example of asymmetric cryptography, which does not require a preexisting shared secret to provide a secure mechanism for data exchange: the sender encrypts with the recipient's public key, which can be published openly, so two parties can begin communicating securely from their first message. AES, IDEA, and RC5 are symmetric ciphers and require both parties to already share a key. The caveat is that the public key must be authentic (for example, bound to its owner by a certificate); otherwise a man-in-the-middle can substitute their own key.

69
Q
  1. How is accountability maintained for individual subjects?

A. Paper trails
B. Audit trails
C. Compliance checks
D. Penetration tests

A

Answer: B

Audit trails are the means through which individuals are held accountable for their actions and any events or occurrences they cause.

70
Q
  1. In a(n) ___________ system, all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

A. Trusted
B. Authorized
C. Available
D. Baseline

A

Answer: A

In a trusted system, all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

71
Q
  1. What is the first action that you should take when responding to an information security incident?

A. Isolate and contain.
B. Gather evidence.
C. Report.
D. Restore service.

A

Answer: A

Once an incident has been detected, the first priority in incident response is to prevent further damage by isolating affected systems and containing the threat; gathering evidence, reporting, and restoring service follow.

72
Q
  1. A screen scraper tool can be used to?

A. Remove fingerprints from glass screens
B. Capture keystrokes
C. Remove advertisements from web pages
D. Extract data from XML/HTML-formatted data automatically

A

Answer: D

A screen scraper tool automatically extracts data from output that was formatted for human viewing, such as an HTML or XML page, and turns it into structured, standardized data. This tool is often used to extract results from web search engines.

73
Q
  1. Generally, a privacy policy is designed to protect what?

A. A user’s privacy
B. The public’s freedom
C. Intellectual property
D. A company’s right to audit

A

Answer: D

The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company’s right to audit and monitor user activity.

74
Q
  1. What form of security control is used to guide the implementation of an organization?

A. Directive control
B. Detective control
C. Corrective control
D. Preventive control

A

Answer: A

Directive controls are the means by which an organizational security policy is governed at the logical level.

75
Q
  1. What basic access control mechanism is being used when all access is blocked unless a statement allows the access?

A. Constrained interface
B. Access control matrix
C. Explicit deny
D. Implicit deny

A

Answer: D

An implicit deny mechanism will block all access that is not explicitly allowed. A constrained interface reduces what is viewable to a user and an access control matrix identifies subjects and objects, and they both employ an implicit deny philosophy, but the question doesn’t describe them. An explicit deny philosophy requires a separate rule to deny specific access.
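
The difference between implicit and explicit deny is easiest to see in code. The following is an added example, not part of the flashcard deck: a first-match access control list in which the only explicit statements are two allows and one deny, and the default decides everything else. The rule layout, subnets and ports are assumptions chosen for illustration.

```python
# Added example (not from the flashcard deck): a minimal first-match access
# control list that shows implicit deny versus explicit deny. The rule layout,
# subnets and ports are assumptions chosen for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network in CIDR notation
    port: Optional[int]     # destination port, or None for any port
    comment: str = ""


def evaluate(rules, src_ip, dst_port, *, default="deny"):
    """Return (action, reason) for the first rule that matches the request.

    `default` is applied when no rule matches. "deny" is the implicit deny
    philosophy: anything not explicitly allowed is blocked without a rule
    having to say so. An explicit deny is a rule that names the traffic.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_net = ip in ipaddress.ip_network(rule.src)
        port_ok = rule.port is None or rule.port == dst_port
        if in_net and port_ok:
            return rule.action, rule.comment or f"matched {rule.action} {rule.src}"
    return default, f"no rule matched (implicit {default})"


# Constructed sample policy: two allow statements for internal clients and one
# explicit deny for a quarantined host. Everything else falls to the default.
POLICY = [
    Rule("deny", "10.0.5.7/32", None, "explicit deny: quarantined host"),
    Rule("allow", "10.0.0.0/16", 443, "internal clients may reach HTTPS"),
    Rule("allow", "10.0.0.0/16", 22, "internal clients may reach SSH"),
]


def decisions():
    """Evaluate a few constructed requests against POLICY."""
    return {
        "internal_https": evaluate(POLICY, "10.0.3.12", 443)[0],      # allow
        "quarantined_https": evaluate(POLICY, "10.0.5.7", 443)[0],    # deny, explicit rule
        "internal_telnet": evaluate(POLICY, "10.0.3.12", 23)[0],      # deny, implicit
        "external_https": evaluate(POLICY, "198.51.100.9", 443)[0],   # deny, implicit
        # The same external request under a default-allow policy slips through,
        # which is why implicit deny is the safe baseline.
        "external_https_default_allow": evaluate(
            POLICY, "198.51.100.9", 443, default="allow")[0],
    }


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:30s} -> {action}")
```

Note that the telnet and external requests are blocked by nothing in the policy itself; they are blocked only because the default is deny. Flipping the default to allow, as the last entry does, turns every gap in the rule set into an open door.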

76
Q
  1. The Bell-LaPadula access control model was designed to protect what aspect of security?

A. Confidentiality
B. Integrity
C. Accessibility
D. Authentication

A

Answer: A

The Bell-LaPadula model is focused on maintaining the confidentiality of objects. Bell-LaPadula does not address the aspects of object integrity or availability.

77
Q
  1. Which of the following terms correctly describes all three of the following protocols: IPX/SPX, AppleTalk, and NetBEUI?

A. Routable protocols
B. Non-IP protocols
C. Layer 2 protocols
D. Stateful protocols

A

Answer: B

IPX/SPX, AppleTalk, and NetBEUI are examples of non-IP protocols.

78
Q
  1. Which of the following encryption packages provides full disk encryption and is built into Microsoft Windows?

A. TrueCrypt
B. PGP
C. EFS
D. BitLocker

A

Answer: D

BitLocker is the full disk encryption package provided by Microsoft as a Windows component. EFS, while a component of Windows, does not provide full disk encryption. TrueCrypt and PGP are not Microsoft products.

79
Q
  1. Which one of the following business impact assessment (BIA) tasks should be performed last?

A. Risk identification
B. Resource prioritization
C. Impact assessment
D. Likelihood assessment

A

Answer: B

Resource prioritization is the final step of the business impact assessment (BIA) process.

80
Q
  1. Bob just received a message from Alice encrypted with the RSA algorithm. What key should he use to decrypt it?

A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob’s private key

A

Answer: D

Bob decrypts any messages he receives using his own private key, because Alice encrypted them with Bob's public key. Alice's keys play no part in decryption; they would be used if Alice signed the message.

81
Q
  1. Most of the higher-order security models, such as Bell-LaPadula and Biba, are based on which of the following?

A. Take-Grant model
B. State machine model
C. Brewer and Nash model
D. Clark Wilson model

A

Answer: B

Most higher-order security models, such as Bell-LaPadula and Biba, are based on the state machine model (as well as the information flow and noninterference models).

82
Q
  1. What technology allows for phone conversations to occur over an existing TCP/IP network and Internet connection?

A. IPSec
B. VoIP
C. SSH
D. TLS

A

Answer: B

VoIP (Voice over IP) allows for phone conversations to occur over an existing TCP/IP network and Internet connection.

83
Q
  1. A security mechanism that verifies the effectiveness of directive and preventive controls is itself what type of control?

A. Corrective control
B. Directive control
C. Deceptive control
D. Detective control

A

Answer: D

Detective controls are, as the name suggests, mechanisms and means through which the effectiveness of preventive controls is verified.

84
Q
  1. What term describes a secure channel for the TCB to communicate with the rest of the system?

A. Trusted path
B. Covert channel
C. Overt channel
D. IPSec session

A

Answer: A

A trusted path is a channel established with strict standards to allow necessary communication without exposing the TCB to security vulnerabilities.

85
Q
  1. Which of the following means of cache poisoning relates to the relationship between a MAC address and an IP address?

A. HOSTS file poisoning
B. Caching server poisoning
C. Internet files cache poisoning
D. ARP poisoning

A

Answer: D

ARP performs the resolution of and maintains the local cache of mappings between MAC addresses and IP addresses. Thus, ARP poisoning affects the MAC to IP relationship. HOSTS file poisoning and caching server poisoning are DNS attacks, thus exploiting the relationship between FQDNs and IP addresses. Internet file cache poisoning is the planting of false code or other data in a browser’s file history.

86
Q
  1. Which of the following is not a common component of third-party governance?

A. Document exchange and review
B. Full interruption testing
C. Onsite assessment
D. Process/policy review

A

Answer: B

Third-party governance typically includes onsite assessment, document exchange and review, and process/policy review. Full interruption testing is more often associated with DRP.

87
Q
  1. The Goguen-Meseguer model is an ________ model based on predetermining the set or domain—a list of objects that a subject can access.

A. Integrity
B. Confidentiality
C. Non-interference
D. Availability

A

Answer: A

The Goguen-Meseguer model is an integrity model based on predetermining the set or domain—a list of objects that a subject can access.

88
Q
  1. Which of the following is not typically a technique employed by software designers to ensure that a program does only what is required and nothing more?

A. Confinement
B. Bounds
C. Isolation
D. Throughput

A

Answer: D

Although throughput is an important factor in supporting availability, it is not a key technique employed by software designers to ensure that software does only what is required and nothing more.

89
Q
  1. What type of chip often stores the firmware used by printers and other hardware devices?

A. ROM
B. PROM
C. EPROM
D. EEPROM

A

Answer: D

Firmware, including a system's BIOS, is normally stored on an EEPROM (or flash) chip so that it can be rewritten in place when a "flash" update is needed. A ROM or PROM cannot be changed after it is programmed, and an EPROM must be removed and exposed to UV light to be erased before it can be rewritten.

90
Q
  1. The _______ plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the ______ plan.

A. Tactical, strategic
B. Operational, strategic
C. Strategic, operational
D. Tactical, operational

A

Answer: A

The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.

91
Q
  1. Which one of the following business impact assessment variables is used to quantify the frequency with which a specific event is expected to occur over the course of a year?

A. AV
B. SLE
C. ARO
D. MTD

A

Answer: C

The annualized rate of occurrence (ARO) measures the frequency with which a specific event is expected to occur over the course of a year.

92
Q
  1. What type of electrical component serves as the primary building block for static RAM chips?

A. Capacitor
B. Resistor
C. Flip-flop
D. Translator

A

Answer: C

Static RAM chips are built from flip-flops, bistable circuits of transistors that hold their value for as long as power is applied and do not require the constant refreshing that capacitor-based dynamic RAM needs.

93
Q
  1. What processor operating mode is designed to protect users from accidentally damaging the system through the execution of poorly designed code?

A. User mode
B. Privileged mode
C. System mode
D. Kernel mode

A

Answer: A

User mode is the basic mode used by the CPU when executing user instructions. It enables only a portion of the full CPU instruction set.

94
Q
  1. What type of threat is often sponsored by a government?

A. Whaling
B. Spear-phishing
C. Advanced persistent threat
D. Rogueware

A

Answer: C

An advanced persistent threat (APT) refers to a group of attackers working together who are highly motivated, skilled, and patient and are often sponsored by a government. Whaling is a phishing attack that focuses on high-level executives and spear-phishing is a targeted phishing attack, but neither is commonly sponsored by a government. Rogueware is software that appears as free antivirus software but is actually malicious.

95
Q
  1. What is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls?

A. Black box
B. DTMF
C. Vishing
D. Remote dialing

A

Answer: D

Remote dialing (aka hoteling) is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls.

96
Q
  1. What can you use to ensure that users create strong passwords and do not reuse passwords?

A. Password length
B. Password complexity
C. Password history
D. Password policy

A

Answer: D

A password policy can ensure that users create strong passwords of sufficient length and complexity. Password policies can also track password history and prevent users from reusing passwords.
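
What a password policy enforces is concrete enough to code. The following is an added example, not from the flashcard deck: a policy check that combines minimum length, character-class complexity and a no-reuse history, with the history kept as salted PBKDF2 hashes so that previous passwords are never stored in the clear. The thresholds and the PBKDF2 iteration count are assumptions for illustration.

```python
# Added example (not from the flashcard deck): a password policy that enforces
# minimum length, character-class complexity and a no-reuse history. The
# thresholds and the PBKDF2 iteration count are assumptions for illustration.
import hashlib
import hmac
import os
import string
from typing import Optional

MIN_LENGTH = 12
MIN_CLASSES = 3              # of uppercase, lowercase, digit, symbol
HISTORY_DEPTH = 5            # previous passwords a user may not reuse
PBKDF2_ITERATIONS = 100_000  # assumed value; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def complexity_failures(password: str):
    """List the length/complexity rules a candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        failures.append(f"needs at least {MIN_CLASSES} of: uppercase, lowercase, digit, symbol")
    return failures


class Account:
    def __init__(self, username: str):
        self.username = username
        self.history = []  # (salt, digest) pairs, oldest first; last entry is current

    def change_password(self, new_password: str):
        """Return (accepted, reasons). Only stored hashes are consulted, never plaintext."""
        failures = complexity_failures(new_password)
        # Password history: compare against the last HISTORY_DEPTH stored hashes.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if verify_password(new_password, salt, digest):
                failures.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        if failures:
            return False, failures
        self.history.append(hash_password(new_password))
        return True, []


if __name__ == "__main__":
    acct = Account("alice")
    for candidate in ["short1!", "Correct-Horse-42", "Correct-Horse-42", "Battery-Staple-77"]:
        print(candidate, acct.change_password(candidate))
```

The history check has to re-derive each stored hash with its own salt, so the cost grows with HISTORY_DEPTH; that is the price of not keeping old passwords recoverable.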

97
Q
  1. What notion grants users only the access they need to complete their job tasks?

A. Due diligence
B. CIA Triad
C. Principle of least privilege
D. Due care

A

Answer: C

Granting users limited access only to those applications, functions, processes, or services necessary to fulfill their tasks is the principle of least privilege.

98
Q
  1. What is an attempt to vigorously exercise the security constraints and parameters of a network, often using any means necessary?

A. Ethical hacking
B. Penetration testing
C. War dialing
D. Brute force

A

Answer: B

Penetration testing is the process of exercising, validating, and verifying the state of security on a network.

99
Q
  1. How many new cryptographic keys must be generated when a user is removed from an already-functioning public key encryption system?

A. Zero
B. One
C. Two
D. All keys

A

Answer: A

The removal of a user from a public key cryptosystem does not require the generation of any new keys. The former user's public key is revoked (for example, by publishing it on a certificate revocation list) so that other participants stop encrypting to it and stop trusting signatures made with it; nobody else's key pair is affected.

100
Q
  1. Spamming attacks occur when numerous unsolicited messages are sent to a victim. Because enough data is sent to the victim to prevent legitimate activity, it is also known as what?

A. Sniffing
B. Denial of service
C. Brute-force attack
D. Buffer overflow attack

A

Answer: B

A spamming attack (sending massive amounts of unsolicited email) can be used as a type of denial-of-service attack. It doesn’t use eavesdropping methods, so it isn’t sniffing. Brute-force methods attempt to crack passwords. Buffer overflow attacks send strings of data to a system in an attempt to cause it to fail.

101
Q
  1. What process would you utilize to sufficiently delete any existing data on a magnetic storage volume for reuse in questionably secure environments?

A. Cleansing
B. Sanitizing
C. Purging
D. Sterilizing

A

Answer: C

Purging is used to sufficiently cleanse remnants of data on a magnetic storage drive so that it can be reused in unsecure environments.

102
Q
  1. What is the name of the security standard that was specifically designed as a replacement for SSL?

A. SSH
B. IPSec
C. TLS
D. SHTTP

A

Answer: C

TLS (Transport Layer Security) was specifically designed as a replacement for SSL.

103
Q
  1. Exercising reasonable care to protect the interests and assets of an organization through a formalized security structure (policies, standards, guidelines, and so on) is better known as what?

A. Due care
B. Due notice
C. Due diligence
D. Due indifference

A

Answer: A

Due care is the notion of preserving and protecting assets and interests for a given organization as exercised through a formalized security structure comprising baselines, guidelines, policies, procedures, and rules.

104
Q
  1. The Roscommon Rangers baseball team is concerned about the risk that a storm might result in the cancellation of a baseball game. There is a 30 percent chance that the storm will occur, and if it does, the team must refund all single-game tickets because the game cannot be rescheduled. Season ticket holders will not receive a refund and account for 20 percent of ticket sales. The ticket sales for the game are $1.5 million. What is the exposure factor in this scenario?

A. 20 percent
B. 30 percent
C. 70 percent
D. 80 percent

A

Answer: D

The exposure factor is the amount of the asset that is at risk. In this case, the 80 percent of the tickets that are single-game sales must be refunded, so the exposure factor is 80 percent of the game’s revenue.

105
Q
  1. Of the following, what can mitigate the success of a sniffing attack?

A. Using rainbow tables
B. Salting passwords
C. Using access reviews
D. Using encrypted passwords

A

Answer: D

Encrypted passwords (and one-time passwords) can reduce the success of a sniffing attack, because what the attacker captures on the wire is not reusable in clear form. Rainbow tables are used by attackers to crack hashed passwords. Salting passwords helps reduce the success rate of rainbow tables. Access reviews help ensure that an organization is using practices that support the security policy.

106
Q
  1. What is record retention?

A. The act of deleting and purging records and important information
B. The act of creating and modifying records and important information
C. The act of storing and maintaining records and important information
D. The act of sharing and distributing records and important information

A

Answer: C

Storing and maintaining vital records and crucial information is instrumental to record retention.

107
Q
  1. What is a hardware-imposed network segmentation that requires a routing function to support intersegment communications otherwise known as?

A. Subnet
B. DMZ
C. VLAN
D. Extranet

A

Answer: C

A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

108
Q
  1. What type of cipher replaces each character in a message with an alternate value to achieve confidentiality?

A. Stream cipher
B. Transposition cipher
C. Block cipher
D. Substitution cipher

A

Answer: D

Substitution ciphers actually replace the characters in a message with different values.

109
Q
  1. Name the collection of processes used to prepare media so that classified data cannot be recovered before, during, and after final destruction.

A. Cleansing
B. Clearing
C. Degaussing
D. Sanitization

A

Answer: D

Sanitization is any number of processes that prepare media for destruction.

110
Q
  1. Which of the following is not a reason why using passwords alone is a poor security mechanism?

A. When possible, users choose easy-to-remember passwords that are easy to guess or crack.
B. Randomly generated passwords are hard to remember, and thus many users write them down.
C. Short passwords can be discovered quickly in brute-force attacks only when used against a stolen password database file.
D. Passwords can be stolen through many means, including observation, recording and playback, and security database theft.

A

Answer: C

Brute-force attacks can be used against password database files and system logon prompts, not only database files. Weaknesses with passwords include users choosing easy-to-remember passwords, users writing down complex passwords, and the ability to steal passwords with other methods.

111
Q
  1. Ricky receives an encrypted message from Flo that uses an asymmetric encryption algorithm. What key should he use to decrypt the message?

A. Flo’s public key
B. Flo’s private key
C. Ricky’s public key
D. Ricky’s private key

A

Answer: D

Ricky uses his own private key to decrypt the message that Flo encrypted with Ricky’s public key.
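
The two RSA questions above (Bob and Alice, Ricky and Flo) and the earlier nonrepudiation question all come down to which key each party uses. The following is an added example, not part of the flashcard deck: textbook RSA with small primes, showing that the recipient's private key decrypts what was encrypted to the recipient's public key, and that the sender's private key produces a signature anyone can verify with the sender's public key. It is unpadded and toy-sized, for illustration only; the party names and the primes are assumptions.

```python
# Added example (not from the flashcard deck): textbook RSA with small primes
# to show which key each party uses. It is unpadded and toy-sized, for
# illustration only; real systems use a vetted library with OAEP/PSS padding
# and 2048-bit or larger moduli. Party names and primes are assumptions.
from math import gcd


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: int, public_key):
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key):
    n, d = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key):
    # Signing is the same modular exponentiation, with the SIGNER's private exponent.
    n, d = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key):
    n, e = public_key
    return pow(signature, e, n) == message


# Constructed key pairs: Alice is the sender, Bob the recipient.
ALICE_PUB, ALICE_PRIV = make_keypair(next_prime(10000), next_prime(10010))
BOB_PUB, BOB_PRIV = make_keypair(next_prime(10040), next_prime(10070))


def exchange(plaintext: int):
    """Alice sends Bob a confidential, signed message.

    Confidentiality: Alice encrypts with BOB's public key, so only Bob's private
    key recovers it. Nonrepudiation: Alice signs with HER private key, so anyone
    with her public key can verify it, and only she could have produced it.
    """
    ciphertext = encrypt(plaintext, BOB_PUB)
    signature = sign(plaintext, ALICE_PRIV)
    recovered = decrypt(ciphertext, BOB_PRIV)
    return {
        "recovered_with_bob_private": recovered,
        # Using the wrong private key (Alice's) on Bob's ciphertext yields junk.
        "recovered_with_alice_private": decrypt(ciphertext, ALICE_PRIV),
        "signature_verifies_with_alice_public": verify(recovered, signature, ALICE_PUB),
        "signature_verifies_with_bob_public": verify(recovered, signature, BOB_PUB),
    }


if __name__ == "__main__":
    for key, value in exchange(42424242).items():
        print(f"{key:40s} {value}")
```

Encryption and signing are the same operation with the roles of the keys swapped, which is exactly why the exam questions hinge on whose key, public or private, is used at each step.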

112
Q
  1. What can detect creeping privileges?

A. Account provisioning
B. Disabling an account
C. Account review
D. Account revocation

A

Answer: C

Account reviews can detect instances of creeping privileges or excessive privileges. Account provisioning grants privileges. Disabling an account ensures it isn’t used, and account revocation deletes the account.

113
Q
  1. Which system state operation mode has the most restricted access to resources?

A. User mode
B. Privileged mode
C. System mode
D. Kernel mode

A

Answer: A

User mode is the most restricted system mode.

114
Q
  1. What type of memory uses space on a drive to simulate RAM?

A. Virtual memory
B. Virtual storage
C. Real memory
D. Real storage

A

Answer: A

Virtual memory uses drive space to simulate memory when programs require more memory than is physically available.

115
Q
  1. Which method of storage preparation is the least secure against recovery attempts or laboratory attacks?

A. Clearing
B. Purging
C. Declassification
D. Erasing

A

Answer: D

Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media.

116
Q
  1. Which of the following is the least acceptable form of biometric device?

A. Iris scan
B. Retina scan
C. Fingerprint
D. Facial geometry

A

Answer: B

Of the options listed, a retina scan is the least accepted biometric device because it requires users to hold an eye up close to the reader while the retina is illuminated and scanned, and the retinal blood-vessel pattern can reveal personal health issues. An iris scan can be read from a distance and doesn't reveal medical information. Additionally, fingerprints and facial geometry scans do not reveal medical information and are less invasive.

117
Q
  1. Monitoring can be used to perform all but which of the following?

A. Detect asset values
B. Detect malicious actions by subjects
C. Detect attempted intrusions
D. Detect system failures

A

Answer: A

Monitoring is not used to detect asset values. Monitoring can help detect malicious actions, attempted intrusions, and system failures.

118
Q
  1. Any process, mechanism, or tool that guides an organizational security implementation is what type of control?

A. Administrative control
B. Corrective control
C. Directive control
D. Detective control

A

Answer: C

Directive controls guide an organizational security implementation and as such are control statements.

119
Q
  1. Which one of the following is not a function supported by PEM?

A. Disclosure protection
B. Originator authenticity
C. Traffic flow confidentiality
D. Message integrity

A

Answer: C

Privacy Enhanced Mail (PEM) does not provide traffic flow confidentiality.

120
Q
  1. Which of the following does not usually represent a timeframe of increased risk and vulnerability to an organization, such as information disclosure, data loss, and unplanned downtime?

A. Layoffs
B. Awareness training
C. Acquisitions
D. Mergers

A

Answer: B

Awareness training typically reduces risk and vulnerability.

121
Q
  1. What tool uses precomputed hashes to crack password hashes stored in a password file?

A. Brute force
B. Rainbow table
C. Replay attack
D. Steganography

A

Answer: B

A rainbow table contains precomputed hashes of common passwords (stored compactly as hash chains) and is used to crack hashes stored in password files by lookup rather than by hashing each guess at attack time. Salting defeats it, because the same password hashes to a different value under every salt, so nothing can be precomputed in advance.
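
The following is an added example, not part of the flashcard deck, contrasting a precomputed hash-to-password table with salted storage. A true rainbow table compresses this table into hash chains, but the property that matters is the same: the work is done once and reused against any unsalted dump. The wordlist and the "stolen" records are constructed, and SHA-256 stands in for whatever unsalted hash the file used.

```python
# Added example (not from the flashcard deck): a precomputed hash-to-password
# table (the structure a rainbow table compresses into hash chains) cracks an
# unsalted dump by lookup, while per-user salts force the attacker back to
# hashing every guess per account. The wordlist and "stolen" records are
# constructed; SHA-256 stands in for whatever unsalted hash the file used.
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "Summer2024", "dragon", "iloveyou"]


def unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted(w): w for w in words}


def crack_unsalted(stolen_hashes, table):
    """One dictionary lookup per stolen hash, no hashing at crack time."""
    return {user: table.get(h) for user, h in stolen_hashes.items()}


def crack_salted(stolen_records, words):
    """With salts the attacker must hash each candidate per user; nothing is reused."""
    results, attempts = {}, 0
    for user, (salt, h) in stolen_records.items():
        results[user] = None
        for w in words:
            attempts += 1
            if salted(w, salt) == h:
                results[user] = w
                break
    return results, attempts


# Constructed users; carol's passphrase is not in the wordlist.
CREDENTIALS = [("alice", "Summer2024"), ("bob", "dragon"),
               ("carol", "correct horse battery staple")]


def demo():
    table = build_table(WORDLIST)

    stolen_unsalted = {u: unsalted(pw) for u, pw in CREDENTIALS}
    unsalted_results = crack_unsalted(stolen_unsalted, table)

    stolen_salted = {}
    for u, pw in CREDENTIALS:
        salt = os.urandom(16)
        stolen_salted[u] = (salt, salted(pw, salt))
    # The precomputed table matches nothing once salts are in play...
    table_hits_on_salted = sum(1 for _, h in stolen_salted.values() if h in table)
    # ...so every account costs a fresh pass over the wordlist.
    salted_results, attempts = crack_salted(stolen_salted, WORDLIST)

    return {
        "unsalted": unsalted_results,
        "table_hits_on_salted": table_hits_on_salted,
        "salted": salted_results,
        "salted_attempts": attempts,
        # Two users with the same password no longer share a hash.
        "same_password_distinct_hashes":
            salted("dragon", os.urandom(16)) != salted("dragon", os.urandom(16)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting does not stop a dictionary attack on weak passwords (alice and bob still fall), it only removes the precomputation shortcut; a slow, salted hash such as PBKDF2, bcrypt or scrypt is what makes each of those per-user attempts expensive.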

122
Q
  1. Which of the following is not considered a type of auditing activity?

A. Recording of event data
B. Data reduction
C. Log analysis
D. Deployment of countermeasures

A

Answer: D

Deployment of countermeasures is not considered a type of auditing activity but is instead an attempt to prevent security problems. Auditing includes recording event data in logs, using data reduction methods to extract meaningful data, and analyzing logs.

123
Q
  1. Which of the following is not a benefit of VLANs?

A. Traffic isolation
B. Data/traffic encryption
C. Traffic management
D. Reduced vulnerability to sniffers

A

Answer: B

VLANs do not impose encryption on data or traffic. Encrypted traffic can occur within a VLAN, but encryption is not imposed by the VLAN.

124
Q
  1. Using a network packet sniffer, you intercept a communication. After examining the packet's TCP header, you notice that the flags byte has the binary value of 00000100. What does this indicate?

A. A flooding attack is occurring.
B. A new session is being initiated.
C. A reset has been transmitted.
D. A custom-crafted IP packet is being broadcast.

A

Answer: C

The flags byte lives in the TCP header (the IP header's own flags field is three bits used for fragmentation). Reading from the least significant bit, the flags are FIN (00000001), SYN (00000010), RST (00000100), PSH (00001000), ACK (00010000), and URG (00100000), so a value of 00000100 means the RST (reset) flag alone is set and a connection is being aborted. A reset by itself is not necessarily an indication of malicious activity; a new session being initiated would show SYN alone (00000010).
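
Decoding the flags byte is a two-line job once the header is unpacked. The following is an added example, not part of the flashcard deck: parsing the fixed 20-byte TCP header with struct, naming the set flags, and classifying a RST, a SYN and a SYN/ACK. The sample headers are built by hand rather than captured; ports and sequence numbers are arbitrary.

```python
# Added example (not from the flashcard deck): decoding the TCP flags byte of
# a captured segment with struct, so that 00000100 can be named as RST and
# distinguished from a SYN or SYN/ACK. The sample headers are built by hand,
# not captured traffic; ports and sequence numbers are arbitrary.
import struct

# Bit values of the TCP flags byte (byte 13 of the header), least significant first.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

TCP_HEADER = "!HHIIBBHHH"  # src, dst, seq, ack, offset/reserved, flags, window, checksum, urgent


def decode_flags(flag_byte: int):
    return [name for bit, name in TCP_FLAGS.items() if flag_byte & bit]


def parse_tcp_header(segment: bytes):
    """Parse the fixed 20-byte TCP header and name the flags that are set."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_reserved, flags, window, _csum, _urg = struct.unpack(
        TCP_HEADER, segment[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": (offset_reserved >> 4) * 4,   # data offset is in 32-bit words
        "window": window,
        "flags_byte": f"{flags:08b}",
        "flags": decode_flags(flags),
    }


def build_tcp_header(src, dst, seq, ack, flags):
    """Constructed sample: 20-byte header, no options, checksum left zero."""
    return struct.pack(TCP_HEADER, src, dst, seq, ack, 5 << 4, flags, 65535, 0, 0)


SAMPLES = {
    "reset": build_tcp_header(443, 51514, 0, 1, 0x04),                    # RST
    "handshake_syn": build_tcp_header(51515, 443, 1000, 0, 0x02),         # SYN
    "handshake_syn_ack": build_tcp_header(443, 51515, 5000, 1001, 0x12),  # SYN+ACK
}


def classify(segment: bytes) -> str:
    flags = set(parse_tcp_header(segment)["flags"])
    if "RST" in flags:
        return "reset transmitted"
    if flags == {"SYN"}:
        return "new session being initiated"
    if flags == {"SYN", "ACK"}:
        return "session accepted"
    return "data or other"


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        hdr = parse_tcp_header(seg)
        print(f"{name:18s} flags={hdr['flags_byte']} {hdr['flags']} -> {classify(seg)}")
```

On a real capture the TCP header sits after the IP header, whose length field (the low nibble of its first byte, in 32-bit words) tells you where the TCP bytes begin; the parser above assumes you have already sliced at that offset.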

125
Q
  1. What Clark-Wilson model feature helps protect against insider attacks by restricting the amount of authority any user possesses?

A. Simple integrity property
B. Time of use
C. Need to know
D. Separation of duties

A

Answer: D

The Clark-Wilson model enforces separation of duties to further protect the integrity of data. This model employs limited interfaces or programs to control and maintain object integrity.

126
Q
  1. Spoofing is primarily used to perform what activity?

A. Send large amounts of data to a victim
B. Cause a buffer overflow
C. Hide the identity of an attacker through misdirection
D. Steal user account names and passwords

A

Answer: C

Spoofing grants the attacker the ability to hide their identity through misdirection and is used in many different types of attacks. Spoofing doesn’t send large amounts of data to a victim. It can be used as part of a buffer overflow attack to hide the identity of the attacker but doesn’t cause buffer overflows directly. If user account names and passwords are stolen, the attacker can use them to impersonate the user.

127
Q
  1. Preventing unwanted software installations is best handled by what form of control?

A. Detective control
B. Access control
C. Directive control
D. Administrative control

A

Answer: B

Access control is the automated mechanism that can prevent or permit system changes, installations, and updates on a selective basis.

128
Q
  1. One of the most common vulnerabilities of an IT infrastructure and the hardest to protect against is the occurrence of ________.

A. Errors and omissions
B. Inference
C. Data destruction by malicious code
D. Data scavenging

A

Answer: A

One of the most common vulnerabilities and hardest to protect against is the occurrence of errors and omissions. Inference is a technique used to gain information from a database without having full access to the database and can be protected by controlling database access. Malicious code can be blocked with up-to-date antivirus software. Data scavenging can be blocked by controlling what data is thrown in the trash.

129
Q
  1. What form of addressing is described as the memory address that is supplied to the CPU as part of the instruction but doesn’t contain the actual value that the CPU is to use as an operand; instead, the memory address contains another memory address?

A. Direct
B. Indirect
C. Immediate
D. Global

A

Answer: B

Indirect addressing occurs when the memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address.

130
Q
  1. What is the most common programmer-generated security flaw?

A. TOCTTOU vulnerability
B. Buffer overflow
C. Inadequate control checks
D. Improper logon authentication

A

Answer: B

By far, the buffer overflow is the most common, and most avoidable, programmer-generated vulnerability: it results from copying input into a fixed-size buffer without checking that the input fits, and is avoided by bounds checking and by languages or library calls that enforce it.

131
Q
  1. Which one of the following BCP phases involves the largest commitment of hardware and software resources?

A. BCP development
B. BCP testing, training, and maintenance
C. BCP evaluation
D. BCP implementation

A

Answer: D

The BCP implementation phase involves the largest commitment of hardware and software resources. The other phases are more manpower intensive.

132
Q
  1. In a typical environment, when a user creates a new file object (such as a document or image file), who is the owner of that object by default?

A. Key recovery agent
B. Administrator or root
C. Creator
D. None

A

Answer: C

The user who creates a new object is usually the default owner of that object.

133
Q
  1. What Bell-LaPadula property protects a subject from modifying an object at a lower security level?

A. No read up
B. No read down
C. No write up
D. No write down

A

Answer: D

The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down).

134
Q
  1. Gathering sensitive information about an organization or party, in both physical and digital form, for the purpose of ill-gotten gain or disclosure is indicative of what crime?

A. Sabotage
B. Social engineering
C. Espionage
D. Collusion

A

Answer: C

Espionage is a criminal action to disclose or profit from illegally obtained sensitive information about an organization.

135
Q
  1. Which of the composition theories refers to the management of information flow from one system to another?

A. Feedback
B. Hookup
C. Cascading
D. Waterfall

A

Answer: C

Cascading: Input for one system comes from the output of another system. Feedback: One system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input for system B and then system B provides input to system A). Hookup: One system sends input to another system but also sends input to external entities. Waterfall: A form of project management, not related to information flow.

136
Q
  1. What feature of the TCP/IP protocol suite makes it possible for tools like Loki to bypass firewall restrictions by passing otherwise prohibited traffic across the network sentry using ICMP?

A. Dynamic IP addressing
B. Encapsulation
C. VLSM
D. Supernetting

A

Answer: B

Encapsulation is the feature of the TCP/IP protocol suite that makes it possible for tools like Loki to bypass firewall restrictions by tunneling prohibited traffic through an alternate protocol, such as ICMP.

137
Q
  1. Which form of memory is used for long-term retention?

A. Nonvolatile primary memory
B. Nonvolatile secondary memory
C. Volatile primary memory
D. Volatile secondary memory

A

Answer: B

Nonvolatile secondary memory is used for long-term storage. Examples of this memory type include hard drives, optical discs, and magnetic tape.

138
Q
  1. Reversing the unwanted effects of some event or occurrence (attacks, faults, and errors) is governed by what form of control?

A. Administrative control
B. Preventive control
C. Corrective control
D. Reactive control

A

Answer: C

Corrective controls are the governing means and mechanisms that reverse and undo the undesirable effects of a given event or occurrence, such as system intrusion or component failure.

139
Q
  1. In what type of cryptographic attack does the attacker interfere with the connection establishment and then gain access to all subsequent communications?

A. Man-in-the-middle attack
B. Chosen plain-text attack
C. Birthday attack
D. Meet-in-the-middle attack

A

Answer: A

In the man-in-the-middle attack, the attacker sits between the two communicating parties and relays messages between them. Both parties think they are communicating directly with each other.

140
Q
  1. Which of the following attacks is an attempt to test every possible combination against a security feature in order to bypass it?

A. Brute-force attack
B. Spoofing attack
C. Dictionary attack
D. Rainbow table attack

A

Answer: A

A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting every possible combination of letters, numbers, and symbols. Spoofing is pretending to be something or someone else, and it is used in a wide variety of attacks. A dictionary attack checks passwords against a database or dictionary. A rainbow table attack checks hashed values of passwords against the values stored in a rainbow table.

141
Q
  1. What can detect violations of the principle of least privilege?

A. User entitlement audit
B. Review of security logs
C. Review of inactive accounts
D. Traffic analysis

A

Answer: A

A user entitlement audit can identify whether users have excessive privileges violating the principle of least privilege. While security logs may be used in the user entitlement audit, they would not be used alone. A review of inactive accounts is part of an access review audit, not a user entitlement audit. Traffic analysis focuses on the patterns and trends of data rather than the actual content.

142
Q
  1. You were hired to perform a business impact assessment for a company located in Southern California and are evaluating the firm’s exposure to wildfires. You’ve determined that the value of the firm’s facilities and equipment is $10,000,000. After consulting fire experts, you’ve determined that there is a 10 percent chance that the facility will be 75 percent destroyed by wildfire in a given year. What is the annual loss expectancy (ALE)?

A. $100,000
B. $750,000
C. $7,500,000
D. $10,000,000

A

Answer: B

The annual loss expectancy is computed by multiplying the asset value ($10,000,000) by the exposure factor (75 percent), then multiplying that (the SLE) by the ARO, in this example 10 percent, resulting in $750,000 ALE.

143
Q
  1. What type of alternate processing facility contains a full complement of computing equipment in working order but lacks current copies of data?

A. Hot site
B. Warm site
C. Cold site
D. Cloud site

A

Answer: B

Warm sites contain all of the equipment needed to assume operations but do not maintain current data.

144
Q
  1. What is the fastest form of memory?

A. L2 cache
B. CPU registers
C. RAM
D. Flash memory

A

Answer: B

CPU registers are the fastest form of memory.

145
Q
  1. Methodical examination and review of environmental security and regulatory compliance, and a form of directive control, is known as what?

A. Penetration testing
B. Compliance checking
C. Auditing
D. Ethical hacking

A

Answer: C

Auditing is the periodic examination and review of a network to ensure that it meets security and regulatory compliance.

146
Q
  1. When NAC is used to manage an enterprise network, what happens to a notebook system once reconnected to the intranet after it has been out of the office for six weeks while in use by an executive on an international business trip?

A. Reimaged
B. Updated at next refresh cycle
C. Quarantine
D. User must reset their password

A

Answer: C

NAC often operates in a pre-admission philosophy in which a system must meet all current security requirements (such as patch application and antivirus updates) before it is allowed to communicate with the network. This often means systems that are not in compliance are quarantined or otherwise involved in a captive portal strategy in order to force compliance before network access is restored.

147
Q
  1. Which of the following statements is false?

A. Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
B. Security governance is the implementation of a security solution and a management method that are tightly interconnected.
C. Security governance is an IT issue only.
D. Security governance directly oversees and gets involved in all levels of security.

A

Answer: C

Security is not and should not be treated as an IT issue only.

148
Q
  1. An organization is hosting a website that accesses resources from multiple organizations. They want users to be able to access all of the resources but only log on once. What should they use?

A. Federal database for CIA
B. Kerberos
C. Diameter
D. Federated database for SSO

A

Answer: D

A federated database used for single sign-on (SSO) allows a user to log on once and access multiple resources. This is not called a federal database. Kerberos is an effective SSO system within a single organization but not between organizations. Diameter is a newer alternative to RADIUS used for centralized authentication.

149
Q
  1. What is the most common reaction to the loss of physical and infrastructure support?

A. Deploying OS updates
B. Vulnerability scanning
C. Waiting for the event to expire
D. Tightening of access controls

A

Answer: C

In most cases, you must simply wait until the emergency or condition expires and things return to normal. If physical and infrastructure support is lost, such as after a catastrophe, regular activity (including deploying updates, performing scans, or tightening controls) is not possible.

150
Q
  1. Which events would generally require that the recertification of a system take place? (Choose all that apply.)

A. An intrusion
B. A change in configuration
C. The end of the organization’s fiscal year
D. The passage of a specified amount of time since the last certification

A

Answer: B;D

A system must be recertified whenever the configuration changes or a specified time has passed since the last certification.

151
Q
  1. Which of the following is not an example of a deterrent access control?

A. Security policy
B. Security camera
C. Awareness training
D. Antivirus software

A

Answer: D

Antivirus software is not a deterrent access control, though it can be identified as a preventive, corrective, or recovery access control. Examples of deterrent access controls include security policies, cameras, awareness training, fences, locks, security badges, and guards.

152
Q
  1. The Clark-Wilson access control model was designed to protect what aspect of security?

A. Confidentiality
B. Integrity
C. Accessibility
D. Authentication

A

Answer: B

The Clark-Wilson model is focused on maintaining the integrity of objects. Through the use of two principles—well-formed transactions and separation of duties—the Clark-Wilson model provides an effective means to protect integrity.

153
Q
  1. An entity such as an administrator or system integrator is provided access to special high-order functionality normally inaccessible to standard users. What are these entities called?

A. Administrative life forms
B. Privileged entities
C. Powerful entities
D. Administrative entities

A

Answer: B

Privileged entities are those who are given special access to off-limits areas of the company’s crucial IT infrastructure.

154
Q
  1. An employee recently accepted a job with another company and left after an amicable two-week notice. What should be done with the user’s account on the last day of employment?

A. No action is required
B. Transfer it
C. Disable it
D. Delete it

A

Answer: C

Accounts should be disabled when employees leave for any reason. Accounts are not transferred between companies. The account should be deleted only after it has been determined that it is no longer needed.

155
Q
  1. ____________________ is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements. The actual method of ____________________ may vary, but it generally involves an outside investigator or auditor. This auditor might be designated by a governing body or might be a consultant hired by the target organization.

A. Third-party governance
B. Risk assessment
C. Security certification and accreditation
D. Awareness training

A

Answer: A

Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements. The actual method of third-party governance may vary, but it generally involves an outside investigator or auditor. This auditor might be designated by a governing body or might be a consultant hired by the target organization.

156
Q
  1. A ___________________ is the combination of hardware and software networking components into a single integrated entity. The resultant system allows for software control over all network functions, management, traffic shaping, address assignment, and so on. A single management console or interface can be used to oversee every aspect of the network, a task requiring physical presence at each hardware component in the past.

A. Wireless network
B. Virtualized network
C. Private network
D. VLAN network

A

Answer: B

A virtualized network, or network virtualization, is the combination of hardware and software networking components into a single integrated entity. The resultant system allows for software control over all network functions, management, traffic shaping, address assignment, and so on. A single management console or interface can be used to oversee every aspect of the network, a task requiring physical presence at each hardware component in the past.

157
Q
  1. The Roscommon Rangers baseball team is concerned about the risk that a storm might result in the cancellation of a baseball game. There is a 30 percent chance that the storm will occur, and if it does, the team must refund all single-game tickets because the game cannot be rescheduled. Season ticket holders will not receive a refund and account for 20 percent of ticket sales. The ticket sales for the game are $1,500,000. What is the single loss expectancy in this scenario?

A. $300,000
B. $1,050,000
C. $1,200,000
D. $1,500,000

A

Answer: C

The single loss expectancy is calculated as the product of the exposure factor (80 percent) and the asset value ($1,500,000). In this example, the single loss expectancy is $1,200,000.

158
Q
  1. Alice would like to perform mutation fuzzing as part of her testing of new code moving into production. What tool would help her perform this fuzzing?

A. nmap
B. Metasploit
C. Nessus
D. Zzuf

A

Answer: D

zzuf is a Linux tool that automates the process of mutation fuzzing.

159
Q
  1. Under what form of control are people and processes all included, managed, and controlled?

A. Authoritative control
B. Accessory control
C. Authentic control
D. Administrative control

A

Answer: D

Administrative control takes into consideration the processes and people who operate within an organizational security policy.

160
Q
  1. When you are configuring a wireless extension to an intranet, once you’ve configured WPA-2 with 802.1x authentication, what additional security step could you implement in order to offer additional reliable security?

A. Require a VPN
B. Disable SSID broadcast
C. Issue static IP addresses
D. Use MAC filtering

A

Answer: A

Requiring a VPN to access the private wired network in addition to WPA-2 and 802.1x is the only additional reliable security option.

161
Q
  1. The standard for study and control of electronic signals produced by various types of electronic hardware is known as _________.

A. Eavesdropping
B. TEMPEST
C. SESAME
D. Wiretapping

A

Answer: B

TEMPEST is the standard that defines the study and control of electronic signals produced by various types of electronic hardware. Eavesdropping refers to using sniffing tools to capture and analyze data. SESAME is a ticket-based authentication system similar to Kerberos. Wiretapping commonly refers to monitoring phone calls.

162
Q
  1. Mechanisms that return or restore systems and processes to a normal operational state following an attack, fault, or error are what type of control?

A. Reactive control
B. Recovery control
C. Responsive control
D. Receptive control

A

Answer: B

Recovery control indicates a direct form of control that returns systems and processes to a known good, normalized state following an intrusion, fault, or failure.

163
Q
  1. On manual review systems, failure recognition is whose primary responsibility?

A. Tester or test-taker
B. Client or representative
C. Outsider or administrator
D. Observer or auditor

A

Answer: D

The observer or auditor of a manual review system is directly responsible for recognizing failure of that system.

164
Q
  1. Matthew is looking through web server logs and finds form input that looks like this:

alan'; DELETE * FROM inventory WHERE 1 = 1;

What type of attack has he likely discovered?

A. XSS
B. SQL Injection
C. XSRF
D. TOCTTOU

A

Answer: B

The use of the single quotation mark is a telltale sign of a SQL injection attack.

165
Q
  1. Which of the following is true regarding vulnerability scanners?

A. They actively scan for intrusion attempts.
B. They serve as a form of enticement.
C. They locate known security holes.
D. They automatically reconfigure a system to a more secure state.

A

Answer: C

Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports, which include recommendations.

166
Q
  1. _______________ is verification that each certificate in a certificate path is valid and legitimate.

A. Enrollment
B. Authorization
C. Certificate path validation
D. Spoofing

A

Answer: C

Certificate path validation is verification that each certificate in a certificate path is valid and legitimate.

167
Q
  1. Which one of the following is not a basic requirement for the reference monitor?

A. It must be tamperproof.
B. The source code must be made public.
C. It must always be invoked.
D. It must be small enough for testing.

A

Answer: B

There is no requirement that the reference monitor’s source code be available to the public.

168
Q
  1. Which of the following could be considered PII (personally identifiable information)?

A. Employer
B. Phone number
C. Items purchased at a store
D. Favorite restaurant

A

Answer: B

A phone number is the most PII-like information from this list. Any data point that directly or nearly directly points to an individual is PII. Any data point that itself does not point to an individual on its own is not PII. For example, the list of groceries you purchase is not PII unless that list also contains your name, credit card information, or account number.

169
Q
  1. What certificate revocation technique provides real-time certificate verification?

A. Certificate revocation lists
B. Revocation notification alerts
C. Online Certificate Status Protocol
D. Certificate Revocation System

A

Answer: C

The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

170
Q
  1. Which of the following comes first?

A. Accreditation
B. Assurance
C. Trust
D. Certification

A

Answer: C

Trust comes first. Trust is built into a system by crafting the components of security. Then assurance (in other words, reliability) is evaluated using certification and/or accreditation processes.

171
Q
  1. What stage of the SW-CMM model is characterized by formal, documented software development processes?

A. Initial
B. Repeatable
C. Defined
D. Managed

A

Answer: C

The Defined stage of SW-CMM is characterized by the use of formal, documented software development processes.

172
Q
  1. Your company has developed a new process for processing steel. You wish to protect it as long as possible without disclosing any details of the invention. What type of intellectual property protection would be best?

A. Patent
B. Trademark
C. Copyright
D. Trade secret

A

Answer: D

Trade secrets must be kept secret by the organization but have unlimited life. Patents would also apply to a manufacturing process, but they require public disclosure of the process and have limited duration.

173
Q
  1. Which of the following best describes an access control category that includes hiring and firing policies, data classifications and labels, and security awareness and training?

A. Administrative access controls
B. Technical access controls
C. Logical access controls
D. Physical access controls

A

Answer: A

Administrative access controls are also referred to as management controls and include policies and procedures such as hiring and firing policies, data classifications and labels, and security awareness training. Technical and logical controls are synonymous and include hardware or software mechanisms used to manage access. Physical access controls are physical controls deployed to prevent direct contact with systems or areas within a facility.

174
Q
  1. Of the following, which provides some protection against tampering?

A. Security token
B. Capabilities list
C. Security label
D. Access matrix

A

Answer: C

A security label is usually a permanent part of the object to which it is attached, thus providing some protection against tampering. The other options do not offer such protection.

175
Q
  1. What technique can be used to destroy all traces of data on a storage device in order to prevent the recovery of data remanence?

A. Certification
B. Authorization
C. Sanitization
D. Non-repudiation

A

Answer: C

Sanitization (or wiping, purging, or zeroization) is a technique that can be used to destroy all traces of data on a storage device in order to prevent the recovery of data remanence.

176
Q
  1. NAT allows the use of private IP addresses for internal use while maintaining the ability to communicate with the Internet. Where are the private IP addresses defined?

A. RFC 1492
B. RFC 1661
C. RFC 1918
D. RFC 3947

A

Answer: C

NAT offers numerous benefits, including that you can use the private IP addresses defined in RFC 1918 in a private network and still be able to communicate with the Internet.

177
Q
  1. Which of the following is not a true statement in regard to DDoS attacks?

A. Some DDoS attacks exploit software flaws that can be patched.
B. Some DDoS attacks perform flooding for which there is no patch.
C. Some DDoS attacks amplify or multiply traffic by using intermediary bound networks or by using widely distributed remote agents.
D. All DDoS traffic can be traced back to the origin point and controlling hacker.

A

Answer: D

Some DDoS traffic can be traced back to its origin, but that does not mean the origin is the hacker. DDoS attacks that use distributed remote agents or intermediary but innocent third-party networks do not provide an easy trace path back to the original controlling hacker.

178
Q
  1. What is the process of recording information about system activities and events and occurrence data?

A. Accountability
B. Sampling
C. Clipping
D. Auditing

A

Answer: D

Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, and log file analysis.

179
Q
  1. Which of the following is not a segmentation of a network?

A. Subnet
B. VPN
C. VLAN
D. DMZ

A

Answer: B

A VPN is not a network segmentation; it is a secured encapsulation tunnel. Subnets, VLANs, and a DMZ are examples of network segmentation.

180
Q
  1. An administrator wants to determine if a server is vulnerable to known attacks. Which of the following is the best tool to use for this?

A. Vulnerability scanner
B. Port scanner
C. Sniffer
D. Configuration tester

A

Answer: A

A vulnerability scanner is the best tool of those listed to determine if a server is vulnerable to known attacks. A port scanner will identify open ports and a sniffer captures traffic, but neither will necessarily determine vulnerabilities. A configuration tester is an automated tool that checks system configuration but doesn’t necessarily determine vulnerabilities.

181
Q
  1. You can return a magnetic storage device to its native “unused” state through what process?

A. Sterilization
B. Declassification
C. Sanitation
D. Degaussing

A

Answer: D

Degaussing is the technique used to remove data from magnetic tapes with the goal of returning the tape to its original state. Degaussing a hard disk can destroy the drive mechanics, making the drive no longer functional, but there is no guarantee that the data has actually been destroyed. The platters may be removed from the damaged drive in a clean room and installed in a known working drive, after which the data could be accessed.

182
Q
  1. What method ultimately results in the total physical destruction of storage media and includes incineration, crushing, and shredding?

A. Destruction
B. Declassification
C. Purging
D. Cleansing

A

Answer: A

Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization.

183
Q
  1. What Biba property protects a subject from accessing an object at a lower integrity level?

A. No read up
B. No read down
C. No write up
D. No write down

A

Answer: B

The Simple Integrity Property states that a subject cannot read an object of a lower integrity level (no read down).

184
Q
  1. Which of the following is the most difficult network segment to eavesdrop on?

A. WPA encrypted wireless
B. Coax
C. Fiber optic
D. STP gigabit Ethernet

A

Answer: C

Fiber is the most difficult network segment to eavesdrop on because the act of doing so is always detectable.

185
Q
  1. Which of the following is not a security concern in relation to an organization’s divestitures?

A. Preventing data leakage
B. Sanitization techniques
C. Holding exit interviews
D. Performing on-boarding

A

Answer: D

An organization involved in divestiture has security concerns related to prevention of data leakage, using proper sanitization techniques, and holding exit interviews. Performing on-boarding is not usually related to divestiture but to acquisition.

186
Q
  1. Which of the following statements is false?

A. Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.
B. The actual method of third-party governance may vary but generally involves an outside investigator or auditor.
C. Third-party governance focuses on verifying compliance with stated security objectives.
D. Third-party governance auditors are always consultants hired by the target organization.

A

Answer: D

Third-party governance auditors might be designated by a governing body or might be consultants hired by the target organization.

187
Q
  1. What type of mobile code was designed to have the least security risk or exposure to a system?

A. CGI
B. Java
C. ActiveX
D. JavaScript

A

Answer: B

Security was of paramount concern during the design of the Java platform, and Sun’s development team created the “sandbox” concept to place privilege restrictions on Java code. The sandbox isolates Java code objects from the rest of the operating system and enforces strict rules about the resources those objects can access.

188
Q
  1. Which of the following cryptographic attacks can be used when you have access to an encrypted message but no other information?

A. Known plain-text attack
B. Frequency analysis attack
C. Chosen cipher-text attack
D. Meet-in-the-middle attack

A

Answer: B

Frequency analysis may be used on encrypted messages. The other techniques listed require additional information, such as the plain text or the ability to choose the cipher text.

189
Q
  1. A team that knows substantial information about its target, including on-site hardware/software inventory and configuration details, is best described as what?

A. Zero knowledge
B. Infinite knowledge
C. Absolute knowledge
D. Partial knowledge

A

Answer: D

Partial-knowledge teams possess a detailed account of organizational assets, including hardware and software inventory, prior to a penetration test.

190
Q
  1. Which of the following is not a goal of the change control process of configuration management?

A. Implement changes in a monitored and orderly manner.
B. Changes are cost effective.
C. A formalized testing process is included to verify that a change produces expected results.
D. All changes can be reversed.

A

Answer: B

While most business decisions need to include cost analysis, the change control process of configuration management is not directly concerned with cost effectiveness.

191
Q
  1. Which of the following includes a record of system activity and can be used to detect security violations, software flaws, and performance problems?

A. Change logs
B. Security logs
C. System logs
D. Audit trail

A

Answer: D

Audit trails provide a comprehensive record of system activity and can help detect a wide variety of security violations, software flaws, and performance problems. An audit trail includes a variety of logs, including change logs, security logs, and system logs, but any one of these individual logs can’t detect all the issues mentioned in the question.

192
Q
  1. What security protocol has become the de facto standard used to provide secure e-commerce services?

A. S/MIME
B. TLS
C. SET
D. PGP

A

Answer: B

TLS (Transport Layer Security), the revised replacement for SSL, has become the de facto standard used to provide secure e-commerce services. This is in spite of the attempts of several credit card companies to promote alternate options, such as Secure Electronic Transaction (SET).

193
Q
  1. What type of addressing is described by the following statements? The memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page).

A. Indirect
B. Direct
C. Base+Offset
D. Immediate

A

Answer: A

Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn’t contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page).

194
Q
  1. Which of the following is an example of a Type 2 authentication factor?

A. Something you have, such as a smart card, ATM card, token device, and memory card
B. Something you are, such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
C. Something you do, such as typing a passphrase or signing your name
D. Something you know, such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color

A

Answer: A

A Type 2 authentication factor is something you have, including a smart card, token device, or memory card. Type 3 authentication is something you are, and some behavioral biometrics include something you do. Type 1 authentication is something you know.

195
Q
  1. Which of the following could be considered the most secure?

A. RAM
B. PROM
C. EEPROM
D. ROM

A

Answer: D

ROM is burned at the factory and then unchangeable. Thus, ROM is the most secure because it will always maintain its integrity.

196
Q
  1. Which form of risk assessment provides a result that is as easy to read and understand as a typical budget report?

A. Qualitative
B. Quantitative
C. Quantum
D. Reverse engineering

A

Answer: B

Quantitative risk assessment produces a number-based result that is as easy to read and understand as a typical budget report.

197
Q
  1. Which of the following criminal acts is committed by a knowledgeable employee, or an insider?

A. Sabotage
B. Espionage
C. Scavenging
D. Dumpster diving

A

Answer: A

Sabotage is a criminal act committed against an organization by a knowledgeable employee.

198
Q
  1. In what security mode must each user have access approval and valid need to know for all information processed by the system?

A. Dedicated mode
B. System high mode
C. Compartmented mode
D. Multilevel mode

A

Answer: C

The scenario presented in the question describes the three characteristics of compartmented security mode.

199
Q
  1. Which of the following indicates a primary security issue related to single sign-on?

A. It makes it more difficult to remember passwords.
B. It risks maximum compromise if a password is discovered.
C. It requires long passwords.
D. It encourages excessive privileges.

A

Answer: B

A drawback with single sign-on is that maximum unauthorized access is possible if an attacker discovers a password. Because users need to remember only one password, it makes it easier for users to remember passwords. Single sign-on does not dictate the length of passwords or encourage excessive privileges.

200
Q
  1. What process ensures that all necessary and required elements of a security solution are implemented as expected?

A. Auditing
B. Accounting
C. Compliance checking
D. Penetration testing

A

Answer: C

Compliance checking ensures that all necessary elements of a security solution are properly deployed and functioning as expected.

201
Q
  1. VPNs are used to transport communications over an intermediary medium through the means of ______________, authentication, and encryption.

A. Encapsulation
B. Concatenation
C. Depreciation
D. Fuzzing

A

Answer: A

VPNs are used to transport communications over an intermediary medium through the means of encapsulation (i.e., tunneling), authentication, and encryption.

202
Q
  1. Practicing the activities that maintain continued application of security protocol, policy, and procedure is also called what?

A. Due notice
B. Due diligence
C. Due care
D. Due date

A

Answer: B

Due diligence is the action taken to apply, enforce, and perform responsibilities or rules as governed by organizational policy.

203
Q
  1. What is the first step of access control?

A. Accountability logging
B. ACL verification
C. Subject authorization
D. Subject identification

A

Answer: D

Access controls govern subjects’ access to objects and the first step in this process is identifying the subject. Accountability logging, verification of access control lists (ACLs), and authentication are not possible without a subject identity.

204
Q
  1. Alice wants to send a message to Bob using the RSA encryption algorithm. What key should she use to encrypt the message?

A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob’s private key

A

Answer: C

If Alice wants to send a message to Bob, she should encrypt it using his public key.

205
Q
  1. If you are a government contractor, which of the following issues is of greatest concern if your IT solution includes IaaS outsourced from an international cloud service provider?

A. PII privacy
B. Regulation compliance
C. Use of open source software
D. Use of IS/ISO standard components

A

Answer: B

Generally, regulation compliance is of greatest concern to governments, military, and government contractors when working with cloud services—especially those whose hosting infrastructure is not restricted to a single country.

206
Q
  1. You represent a United States company that wishes to seek safe harbor protection under the European Union Data Privacy Directive. Which one of the following is not one of the seven requirements you must meet for processing personal information?

A. Data integrity
B. Notice
C. Onward Transfer
D. Encryption

A

Answer: D

The seven requirements are Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement.

207
Q
  1. Administrators often consider the relationship between assets, risk, vulnerability, and threat under what model?

A. CIA Triad
B. CIA Triplex
C. Operations Security Tetrahedron
D. Operations security triple

A

Answer: D

The operations security triple is a conceptual security model that encompasses three concepts (assets, risk, and vulnerability) and their interdependent relationship within a structured, formalized organization.

208
Q
  1. The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as _____.

A. Espionage
B. Entrapment
C. Sabotage
D. Permutation

A

Answer: C

The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as sabotage. Espionage is the gathering of information about a competitor or enemy. Entrapment occurs when someone is encouraged to do something illegal after they have indicated they will not do it. Permutation refers to rearranging or modifying something slightly.

209
Q
  1. The Brewer and Nash access model requires which of the following to operate properly?

A. Properly identified subjects
B. One or more datasets
C. Class definitions related to conflict of interest for all datasets
D. All of the above

A

Answer: D

The Brewer and Nash model organizes datasets according to conflict-of-interest classes so that authorized users with access to any member of a conflict class will be denied access to other members of that class. Thus, all three specific ingredients mentioned—properly identified subjects, one or more datasets, and conflict class definitions for all datasets—are required for it to operate properly. This makes option D the best answer.

210
Q
  1. Which of the following wireless technologies supports multifactor authentication options?

A. WEP
B. TKIP
C. CCMP
D. WPA2

A

Answer: D

Both WPA and WPA2 support the enterprise authentication known as 802.1x/EAP, a standard port-based network access control that ensures clients cannot communicate with a resource until proper authentication has taken place. Effectively, 802.1x is a hand-off system that allows the wireless network to leverage the existing network infrastructure’s authentication services. Through the use of 802.1x, other techniques and solutions such as RADIUS, TACACS, certificates, smart cards, token devices, and biometrics can be integrated into wireless networks providing techniques for both mutual and multi-factor authentication.

211
Q
  1. What is sampling?

A. The act of including elements of data in a larger body of data to construct a meaningful whole
B. The act of extracting elements of data from a larger body of data to construct a meaningful whole
C. The act of injecting elements of data into a larger body of data to construct a meaningful whole
D. The act of exporting elements of data from a larger body of data to construct a meaningful whole

A

Answer: B

Sampling is a form of data reduction, where elements are extracted from a larger body of information to construct a meaningful whole.

212
Q
  1. What term is used to describe the onboard memory that a CPU uses to store values on which it is operating?

A. Cache
B. Register
C. Pipeline
D. Assembly

A

Answer: B

Registers are onboard memory locations that can be accessed by the CPU in an extremely short period of time.

213
Q
  1. Intrusion detection systems (IDSs) are capable of detecting which types of abnormal or unauthorized activities? (Choose all that apply.)

A. External connection attempts
B. Execution of malicious code
C. Unauthorized access attempts to controlled objects
D. Inappropriate use of privileges

A

Answer: A, B, C

IDSs can detect attacks from external connection attempts, execution of malicious code, and unauthorized access attempts to controlled objects. An IDS cannot detect inappropriate use of privileges such as a malicious insider abusing their privileges.

214
Q
  1. How might you prepare a storage medium of classified material to prevent laboratory attacks?

A. Degaussing
B. Clearing
C. Erasing
D. Purging

A

Answer: D

Purging is erasing the data so the media is not vulnerable to data remnant recovery attacks, including those classified as laboratory level.

215
Q
  1. All of the following are implications of multilayer protocols except which one?

A. VLAN hopping
B. Multiple encapsulation
C. Filter evasion using tunneling
D. Static IP addressing

A

Answer: D

Static IP addressing is not an implication of multilayer protocols.

216
Q
  1. What is the term used to refer to the formal assignment of responsibility to an individual or group?

A. Governance
B. Ownership
C. Take grant
D. Separation of duties

A

Answer: B

Ownership is the formal assignment of responsibility to an individual or group.

217
Q
  1. What forms of monitoring take into account the nature and flow of packets rather than the content?

A. Trend analysis
B. Sampling
C. Clipping
D. Intrusion detection

A

Answer: A

Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content.

218
Q
  1. Which of the following forms of authentication provides the strongest security?

A. Password and a PIN
B. One-time password
C. Passphrase and a smart card
D. Fingerprint

A

Answer: C

Among these options, a passphrase and a smart card provide the strongest authentication security because together they deliver two-factor authentication. A password and a PIN both belong to the same authentication factor, so combining them is still single-factor. Despite the security offered by one-time passwords, a two-factor authenticator is stronger.

219
Q
  1. What technical security mechanism restricts sensitive functions to the core of a process?

A. Layering
B. Abstraction
C. Data hiding
D. Process isolation

A

Answer: A

Layering of processes implements a structure similar to the ring model used for operating modes.

220
Q
  1. The process of extracting smaller elements from a much larger body of information to construct a meaningful summary of the whole is known as what?

A. Auditing
B. Sampling
C. Clipping
D. Accounting

A

Answer: B

Sampling is a form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail.

221
Q
  1. Which one of the three models discussed in this book is best suited to address the confidentiality issues of military systems?

A. Bell-LaPadula model
B. Biba model
C. Clark-Wilson model
D. IPSec

A

Answer: A

The Bell-LaPadula model addresses only the confidentiality of data and works well for military applications. This model is based on the state machine model and employs mandatory access controls and the lattice model.

222
Q
  1. What verifies a claimed identity?

A. Identification
B. Authentication
C. Authorization
D. Accountability

A

Answer: B

Authentication is the process of verifying or testing the validity of a claimed identity. Identification is the claimed identity. Authorization grants access to resources to the proven identity, and accountability tracks access to resources.

223
Q
  1. Which one of the following is not a part of documenting the business continuity plan?

A. Documentation of policies for continuity
B. Historical record
C. Job creation
D. Identification of flaws

A

Answer: C

BCP documentation can be an arduous task, but it should not require the creation of a new position.

224
Q
  1. Stationary and removable media storage volumes all carry an expected life span rating from the manufacturer. What property might you examine to realize this life expectancy rating?

A. Mean time between errors
B. Spindle speed
C. Mean time between failures
D. Life expectancy rating

A

Answer: C

The mean time between failures (MTBF) rating on storage drives specifies the expected life span (or average failure rate for any drive in a given batch) for a given medium.

225
Q
  1. What type of connection needs a modem in order to support digital computer communications over an otherwise analog link?

A. VoIP
B. ISDN
C. POTS
D. Wireless

A

Answer: C

POTS (plain old telephone system) or PSTN (public switched telephone network) requires the use of a modem to support digital computer communications over an otherwise analog link.

226
Q
  1. Which of the following will identify potential attack sources?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Advanced persistent threat

A

Answer: B

Threat modeling is the process of identifying, understanding, and categorizing potential threats, including threats from attack sources. Asset valuation identifies the value of assets. Vulnerability analysis identifies weaknesses. An advanced persistent threat is a form of attack, often sponsored by a government.

227
Q
  1. What is the main purpose for process confinement?

A. To prevent a process from executing a privileged command
B. To prevent a process from writing to an unauthorized memory location
C. To allow a process to execute a privileged command
D. To allow a process to write into another process’s memory location

A

Answer: B

Process isolation prevents a process from reading or writing to an unauthorized memory location. This concept ensures that any behavior will affect only the memory and resources associated with the process.

228
Q
  1. Which of the following is not a form of spoofed traffic filtering?

A. Block inbound packets whose source address is an internal address
B. Block outbound packets whose source address is an external address
C. Block outbound packets whose source address is an unassigned internal address
D. Block inbound packets whose source address is on a block/black list

A

Answer: D

Using a block list or black list is a valid form of security filtering; it is just not a form of spoofing filtering.

229
Q
  1. What form of analysis selectively views error events that cross a specified threshold?

A. Sampling
B. Clipping
C. Averaging
D. Meaning

A

Answer: B

Clipping is a subset of sampling. Sampling extracts data from a large body of information; clipping does the same but only records events that cross a specified cut-off point or threshold.

230
Q
  1. What type of processing enables a system to operate at more than one classification level simultaneously?

A. Multiprocessing
B. Single state
C. Multistate
D. Multithreading

A

Answer: C

Multistate processing systems are certified to handle multiple security levels simultaneously by using specialized security mechanisms.

231
Q
  1. What type of intellectual property protection applies to the text of this book?

A. Trademark
B. Trade secret
C. Patent
D. Copyright

A

Answer: D

Copyright law protects the rights of creators of original works of authorship, including books.

232
Q
  1. What is the maximum hash length created by the SHA-2 algorithms?

A. 256 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

A

Answer: B

The SHA-2 algorithms support the creation of message digests up to 512 bits long.

233
Q
  1. Among the following concepts, which element is not essential for an audit report?

A. Audit purpose
B. Audit scope
C. Audit results
D. Audit overview

A

Answer: D

Audit overview is not essential for an audit report; the purpose, scope, and results of an audit are the three primary (and necessary) elements.

234
Q
  1. Which of the following activities is not considered a valid form of penetration testing?

A. Denial-of-service attacks
B. Port scanning
C. Distribution of malicious code
D. Packet sniffing

A

Answer: C

Distribution of malicious code will almost always result in damage or loss of assets and is not used in a penetration test. However, denial-of-service attacks, port scanning, and packet sniffing may all be included in a penetration test.

235
Q
  1. What sort of criminal act is committed when an attacker is able to intercept more than just network traffic?

A. Sniffing
B. Eavesdropping
C. Snooping
D. War dialing

A

Answer: B

Eavesdropping is the ability to intercept network and telephony communications along with physical and electronic documents and even personal conversations.

236
Q
  1. What is the purpose of a DMZ?

A. To host resources accessed by outside visitors but that are still isolated from the private network
B. To encapsulate plain-text protocols with a layer of encryption
C. To support the use of audio communications over an IP network
D. To enable portable clients to make network links over radio waves

A

Answer: A

A DMZ is used to host resources accessed by outside visitors but that are still isolated from the private network. A VPN is used to encapsulate plain-text protocols with a layer of encryption. VoIP is used to support the use of audio communications over an IP network. A WAP is used to enable portable clients to make network links over radio waves.

237
Q
  1. You are assessing an encryption algorithm that uses an 8-bit key. How many possible key values exist in this approach?

A. 8
B. 64
C. 128
D. 256

A

Answer: D

You can determine the number of possible keys by raising 2 to the power of the length of the key (in bits). In this case, 2^8 = 256.

238
Q
  1. What technique is commonly used by child pornographers to hide illegal images within innocent ones?

A. Email encryption
B. Steganography
C. Nonrepudiation
D. Brute force

A

Answer: B

Steganography allows hiding data within an image. Child pornographers often use it to hide illegal images within innocent ones.

239
Q
  1. What type of interface testing would identify flaws in a program’s ability to interact with other programs via web services?

A. Application programming interface testing
B. User interface testing
C. Physical interface testing
D. Security interface testing

A

Answer: A

Application programming interfaces (APIs) provide standard mechanisms for web services to interact with each other.

240
Q
  1. Why should access to pentest reports be controlled and restricted?

A. They contain copies of confidential data stored on the network.
B. They contain information about the vulnerabilities of the system.
C. They are useful only to upper management.
D. They include the details about the configuration of security controls.

A

Answer: B

Pentest reports should be secured because they contain information about the vulnerabilities of the system and disclosure of such vulnerabilities to the wrong person could lead to security breaches. They would not normally contain confidential data from the network. They are useful to both upper management and security professionals. They would not normally include details about security control configuration.

241
Q
  1. What type of planning or security management should include acquisitions, divestitures, and oversight committees?

A. Disaster recovery planning
B. Security governance
C. Standards and baselines
D. Trusted recovery planning

A

Answer: B

Security governance should include acquisitions, divestitures, and oversight committees.

242
Q
  1. Which one of the following is not an example of a code repository?

A. Bitbucket
B. GitHub
C. Source Forge
D. AWS

A

Answer: D

AWS is an Infrastructure-as-a-Service provider, not a code repository.

243
Q
  1. What are the only procedures that are allowed to modify a constrained data item (CDI) in the Clark-Wilson model?

A. Transformation procedures (TPs)
B. Integrity verification procedure (IVP)
C. Independent modification algorithm (IMA)
D. Dependent modification algorithm (DMA)

A

Answer: A

Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.

244
Q
  1. Which one of the following types of memory can never be written to by the end user?

A. ROM
B. PROM
C. EPROM
D. EEPROM

A

Answer: A

Read-only memory (ROM) can be written to only one time at the factory. Users cannot modify the contents.

245
Q
  1. Searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information is known as ______.

A. Social engineering
B. Dumpster diving
C. Impersonation
D. Inference

A

Answer: B

Dumpster diving is the act of searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information. Social engineering uses different methods to trick employees or users into giving up information, and impersonation is a social engineering tactic. Inference is a technique used to gain information from a database without having full access to the database.

246
Q
  1. What kind of attack renders the Double DES encryption algorithm no more secure than traditional DES?

A. Meet in the middle
B. Man in the middle
C. Birthday
D. Chosen ciphertext

A

Answer: A

The meet in the middle attack specifically targets encryption algorithms that use two rounds of encryption, such as Double DES.

247
Q
  1. What type of memory chip can be erased through the modulation of an electric current?

A. ROM
B. PROM
C. EPROM
D. EEPROM

A

Answer: D

Electronically erasable programmable read-only memory (EEPROM) chips can be erased by modulating an electric current applied to the chip.

248
Q
  1. Which of the following access control techniques uses labels to identify subjects and objects?

A. Discretionary access control
B. Nondiscretionary access control
C. Role-based access control
D. Mandatory access control

A

Answer: D

Mandatory access control uses labels to identify subjects and objects and grants access based on matching labels. Discretionary access control requires all objects to have an owner. Nondiscretionary access control provides centralized access controlled by an administrator. Role-based access control provides access based on membership within a role.

249
Q
  1. What common vulnerability has no direct countermeasure and few safeguards or validators?

A. Theft
B. Fraud
C. Omission
D. Collusion

A

Answer: C

Both omissions and errors are difficult aspects to protect against, particularly as they deal with human and circumstantial origins.

250
Q
  1. What is the biggest risk associated with web or mobile applets?

A. Having an execution-limiting sandbox
B. Lower performance rates from servers
C. Consumption of free memory space
D. Executing code from external sources

A

Answer: D

The biggest risk associated with web or mobile applets is executing code from external sources. The risk is running malicious or unstable code from an outside source, even if that code is signed.

251
Q
  1. An attempt to dupe personnel into performing some unauthorized activity on their behalf or revealing sensitive information to an unauthorized party is known as what?

A. Social engineering
B. Reverse engineering
C. Eavesdropping
D. Sniffing

A

Answer: A

Social engineering is a deceptive act meant to trick personnel into revealing sensitive information or performing some unauthorized act on their behalf.