Practice exam questions (book) 250 Flashcards
- Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving security goals, whereas ITIL defines a framework for achieving IT service-level goals.
C
- Jane has been charged with ensuring that clients’ personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy
C
- Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization
B
- Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee
D
- As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner?
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data
C
- Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data
C
- Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality
A
- Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
A
- The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities
D
- There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?
A. Changing an IP packet’s source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools
C
- A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset’s value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset’s value to the organization’s production operations
B
- Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database’s security controls and provide more granularity.
B. Implement access controls that display each user’s permissions each time they access the database.
C. Change the database’s classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.
A
- As his company’s CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × vulnerability × asset value) × control gap = residual risk
D. (total risk – asset value) × countermeasures = residual risk
C
- Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of “least privilege.”
C. It enforces the “need-to-know” concept.
D. It commonly occurs when users transfer to other departments or change positions.
C
- For what purpose was the COSO framework developed?
A. To address fraudulent financial activities and reporting
B. To help organizations install, implement, and maintain CobiT controls
C. To serve as a guideline for IT security auditors to use when verifying compliance
D. To address regulatory requirements related to protecting private health information
A
- Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data
D
- Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor
C
- Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
A. FAP
B. OCTAVE
C. ANZ 4360
D. NIST SP 800-30
C
- Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the company’s state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.
B
- Michael is charged with developing a classification program for his company. Which of the following should he do first?
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification level.
A
- There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
A. Risk transference. Share the risk with other entities.
B. Risk reduction. Reduce the risk to an acceptable level.
C. Risk rejection. Accept the current risk.
D. Risk assignment. Assign risk to a specific owner.
A
- The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description.
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.
D
- What are the three types of policies that are missing from the following graphic?
A. Regulatory, Informative, Advisory
B. Regulatory, Mandatory, Advisory
C. Regulatory, Informative, Public
D. Regulatory, Informative, Internal Use
A
- List in the proper order from the table that follows the learning objectives that are missing and their proper definitions.
A. Understanding, recognition and retention, skill
B. Skill, recognition and retention, skill
C. Recognition and retention, skill, understanding
D. Skill, recognition and retention, understanding
C
- What type of risk analysis approach does the following graphic provide?
A. Quantitative
B. Qualitative
C. Operationally Correct
D. Operationally Critical
B
- ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002 Code of practice for information security management
B. ISO/IEC 27003 Guideline for ISMS implementation
C. ISO/IEC 27004 Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005 Guideline for bodies providing audit and certification of information security management systems
D
- Which of the following is the criteria Sam’s company was most likely certified under?
A. SABSA
B. Capability Maturity Model Integration
C. Information Technology Infrastructure Library
D. PRINCE2
B
- What is the associated single loss expectancy value in this scenario?
A. $65,000
B. $400,000
C. $40,000
D. $4,000
C
- Which of the following best describes the control types the company originally had in place?
A. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.
B. Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
C. Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
D. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
D
- The storage management system that Barry put into place is referred to as which of the following?
A. Administrative control
B. Compensating control
C. Physical control
D. Confidentiality control
B
- Which are the two most common situations that require the type of control covered in the scenario to be implemented?
A. Defense-in-depth is required and the current controls only provide one protection layer.
B. Primary control costs too much or negatively affects business operations.
C. Confidentiality is the highest concern in a situation where defense-in-depth is required.
D. Availability is the highest concern in a situation where defense-in-depth is required.
B
- Which of the following does not correctly describe a directory service?
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configure and manage how identification takes place within the network.
C
- Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for?
A. Control external entities requesting access through X.500 databases
B. Control external entities requesting access to internal objects
C. Control internal entities requesting access through X.500 databases
D. Control internal entities requesting access to external objects
B
- There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?
A. Management password reset
B. Self-service password reset
C. Password synchronization
D. Assisted password reset
C
- A number of attacks can be performed against smart cards. Side-channel attacks are a class of attacks that do not exploit a flaw or weakness in the card itself. Which of the following is not a side-channel attack?
A. Differential power analysis
B. Microprobing analysis
C. Timing analysis
D. Electromagnetic analysis
B
- Which of the following does not describe privacy-aware role-based access control?
A. It is an example of a discretionary access control model.
B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.
C. It is an extension of role-based access control.
D. It should be used to integrate privacy policies and access control policies.
A
- What was the direct predecessor to Standard Generalized Markup Language (SGML)?
A. Hypertext Markup Language (HTML)
B. Extensible Markup Language (XML)
C. LaTeX
D. Generalized Markup Language (GML)
D
- Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?
A. Meta-directory
B. User attribute information stored in an HR database
C. Virtual container for data from multiple sources
D. A service that allows an administrator to configure and manage how identification takes place
C
- Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?
A. Brute-force attack
B. Dictionary attack
C. Social engineering attack
D. Replay attack
D
- Which of the following correctly describes a federated identity and its role within identity management processes?
A. A nonportable identity that can be used across business boundaries
B. A portable identity that can be used across business boundaries
C. An identity that can be used within intranet virtual directories and identity stores
D. An identity specified by domain names that can be used across business boundaries
B
- Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming?
A. Personal information is collected from victims through legitimate-looking Web sites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks.
B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from victims.
C. Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.
D. Phishing is a technical attack, while pharming is a type of social engineering.
C
- Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?
A. User activities are monitored and tracked without negatively affecting system performance.
B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.
C. Users are allowed access in a manner that does not negatively affect business processes.
D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.
A
- What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?
A. XML
B. SPML
C. XACML
D. GML
C
- The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?
A. If not properly protected, these logs may not be admissible during a prosecution.
B. Audit logs contain sensitive data and should only be accessible to a certain subset of people.
C. Intruders may attempt to scrub the logs to hide their activities.
D. The format of the logs should be unknown and unavailable to the intruder.
D
- Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing the products?
A. Classification level of data
B. Level of training that employees have received
C. Logical access controls provided by products
D. Legal and regulation issues
B
- There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to packets based on the profile?
A. State-based
B. Statistical anomaly–based
C. Misuse-detection system
D. Protocol signature–based
B
- A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS?
A. Uses IF/THEN programming within expert systems
B. Identifies protocols used outside of their common bounds
C. Compares patterns to several activities at once
D. Can detect new attacks
A
- Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this?
A. Phishing
B. True name
C. Pharming
D. Account takeover
B
- Of the following, what is the primary item that a capability list is based upon?
A. A subject
B. An object
C. A product
D. An application
A
- Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?
A. They are the same thing with different titles.
B. They are administrative controls that enforce access control and protect the company’s resources.
C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.
D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.
C
- What type of markup language allows company interfaces to pass service requests and allows the receiving company to provision access to these services?
A. XML
B. SPML
C. SGML
D. HTML
B
- There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows?
A. Diameter
B. Watchdog
C. RADIUS
D. TACACS+
A
- An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as?
Access Control Matrix
A. Capability table
B. Constrained interface
C. Role-based value
D. ACL
D
- What technology within identity management is illustrated in the graphic that follows?
A. User provisioning
B. Federated identity
C. Directories
D. Web access management
B
- There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows?
A. Kerberos
B. Discretionary access control
C. SESAME
D. Mandatory access control
C
- There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows?
A. Counter synchronous token
B. Asynchronous token
C. Mandatory token
D. Synchronous token
D
- Sally is carrying out a software analysis on her company’s proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place?
A. Backdoor
B. Maintenance hook
C. Race condition
D. Data validation error
C
- Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides Web services?
A. Security attributes are put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in an HTTP connection.
B. Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection over TLS.
C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.
D. Authentication data are put into SAML format. HTTP request and authentication data are encapsulated in a SOAP message. Message is transmitted in an HTTP connection.
C
- Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability?
A. The company’s security team does not understand how to secure this type of technology.
B. The cost of integrating security within RFID is cost prohibitive.
C. The technology has low processing capabilities, and encryption is very processor-intensive.
D. RFID is a new and emerging technology, and the industry does not currently have ways to secure it.
C
- Tanya is the security administrator for a large distributed retail company. The company’s network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement?
A. Security information and event management
B. Event correlation tools
C. Intrusion detection systems
D. Security event correlation management tools
A
- Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following best describes what this model is and what it would be used for?
A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole.
C. A threat model is a risk-based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests.
D. A threat model is used in software development practices to uncover programming errors.
A
- Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following are the evaluation criteria most in use today for these types of purposes?
A. ITSEC
B. Common Criteria
C. Red Book
D. Orange Book
B
- Certain types of attacks have been made more potent by which of the following advances in microprocessor technology?
A. Increased circuits, cache memory, and multiprogramming
B. Dual-mode computation
C. Direct memory access I/O
D. Increases in processing power
D
- CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode?
A. The user and application
B. The program that is loaded into memory
C. The operating system
D. The CPU and user
C
- Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage?
A. More than one process uses the same resource.
B. It allows cookies to remain persistent in memory.
C. It allows for side-channel attacks to take place.
D. Two processes can carry out a denial-of-service.
A
- Which of the following is a common association of the Clark-Wilson access model?
A. Chinese Wall
B. Access tuple
C. Read up and write down rule
D. Subject and application binding
D
- Which of the following correctly describes the relationship between the reference monitor and the security kernel?
A. The security kernel implements and enforces the reference monitor.
B. The reference monitor is the core of the trusted computing base, which is made up of the security kernel.
C. The reference monitor implements and enforces the security kernel.
D. The security kernel, aka abstract machine, implements the reference monitor concept.
A
- The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner?
A. I/O operational execution
B. Process deactivation
C. Execution domain switching
D. Virtual memory to real memory mapping
C
- The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework?
A. A two-dimensional model that uses communication interrogatives intersecting with different levels
B. A security-oriented model that gives instructions in a modular fashion
C. Used to build a robust enterprise architecture versus a technical security architecture
D. Uses six perspectives to describe a holistic information infrastructure
B
- John has been told to report to the board of directors with a vendor-neutral enterprise architecture framework that will help the company reduce fragmentation that results from the misalignment of IT and business processes. Which of the following frameworks should he suggest?
A. DoDAF
B. CMMI
C. ISO/IEC 42010
D. TOGAF
D
- Protection profiles used in the Common Criteria evaluation process contain five elements. Which of the following establishes the type and intensity of the evaluation?
A. Descriptive elements
B. Evaluation assurance requirements
C. Evaluation assurance level
D. Security target
B
- Which of the following best defines a virtual machine?
A. A virtual instance of an operating system
B. A piece of hardware that runs multiple operating system environments simultaneously
C. A physical environment for multiple guests
D. An environment that can be fully utilized while running legacy applications
A
- Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and she now knows more about this project than her clearance and need-to-know allows. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring?
A. Covert storage channel
B. Inference attack
C. Noninterference
D. Aggregation
C
- Virtualization offers many benefits. Which of the following incorrectly describes virtualization?
A. Virtualization simplifies operating system patching.
B. Virtualization can be used to build a secure computing platform.
C. Virtualization can provide fault and error containment.
D. Virtual machines offer powerful debugging capabilities.
A
- Which security architecture model defines how to securely develop access rights between subjects and objects?
A. Brewer-Nash
B. Clark-Wilson
C. Graham-Denning
D. Bell-LaPadula
C
- Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other’s internal programming code?
A. Virtual mapping
B. Encapsulation of objects
C. Time multiplexing
D. Naming distinctions
B
- Which of the following is not a responsibility of the memory manager?
A. Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments.
B. Limit processes to interact only with the memory segments assigned to them.
C. Swap contents from RAM to the hard drive as needed.
D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.
D
- Several types of read-only memory devices can be modified after they are manufactured. Which of the following statements correctly describes the differences between two types of ROM?
A. PROM can only be programmed once, while EEPROM can be programmed multiple times.
B. A UV light is used to erase data on EEPROM, while onboard programming circuitry and signals erase data on EPROM.
C. The process used to delete data on PROM erases one byte at a time, while to erase data on an EPROM chip, you must remove it from the hardware.
D. The voltage used to write bits into the memory cells of EPROM burns out the fuses that connect individual memory cells, while UV light is used to write to the memory cells of PROM.
A
- There are different ways that operating systems can carry out software I/O procedures. Which of the following is used when the CPU sends data to an I/O device and then works on another process’s request until the I/O device is ready for more data?
A. I/O using DMA
B. Interrupt-driven I/O
C. Programmable I/O
D. Premapped I/O
B
- The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services?
A. Service Operation
B. Service Design
C. Service Transition
D. Service Strategy
D
- Widgets Inc.’s software development processes are documented and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets Inc.?
A. Initial
B. Repeatable
C. Defined
D. Managed
C
- There are several different important pieces to the Common Criteria. Which of the following best describes the first of the missing components?
A. Target of evaluation
B. Protection profile
C. Security target
D. EALs
B
- Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows?
A. Noninterference
B. Biba
C. Bell-LaPadula
D. Chinese Wall
D
- There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing in this graphic?
A. Trusted computing base
B. Security perimeter
C. Reference monitor
D. Domain
C
- There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows?
A. Virtual machines
B. Interrupt
C. Cache memory
D. Protection rings
D
- A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows?
A. Threads
B. Registers
C. Address buses
D. Process tables
A
- Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.
Which of the following best describes the standard Charlie’s team needs to comply with?
A. International standard on system design to allow for better quality, interoperability, extensibility, portability, and security
B. International standard on system security to allow for better threat modeling
C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security
D. International standard on system architecture to allow for better quality, extensibility, portability, and security
C
- Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.
Which of the following is Charlie most likely concerned with in this situation?
A. Injection attacks
B. Memory block
C. Buffer overflows
D. Browsing attacks
C
- Which of the following best describes the type of protection that needs to be provided by this product?
A. Hardware isolation
B. Memory induction application
C. Data execution prevention
D. Domain isolation protection
C
- Which of the following best describes the type of technology the team should implement to increase the work effort of buffer overflow attacks?
A. Address space layout randomization
B. Memory induction application
C. Input memory isolation
D. Read-only memory integrity checks
A
- Which of the following best describes the second operating system architecture described in the scenario?
A. Layered
B. Microkernel
C. Monolithic
D. Kernel based
B
- Which of the following best describes why there was a performance issue in the context of the scenario?
A. Bloated programming code
B. I/O and memory location procedures
C. Mode transitions
D. Data and address bus architecture
C
- Which of the following best describes the last architecture described in this scenario?
A. Hybrid microkernel
B. Layered
C. Monolithic
D. Hardened and embedded
A
- Robert has been given the responsibility of installing doors that provide different types of protection. He has been told to install doors that provide failsafe, fail-secure, and fail-soft protection. Which of the following statements is true about secure door types?
A. Fail-soft defaults to the sensitivity of the area.
B. Fail-safe defaults to locked.
C. Fail-secure defaults to unlocked.
D. Fail-secure defaults to double locked.
A
- Windows can have different glazing materials. What type of window may be prohibited by fire codes because of its combustibility?
A. Tempered
B. Polycarbonate acrylic
C. Glass-clad polycarbonate
D. Laminated
B
- As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access?
A. Unsuccessful access attempts should be logged but only need to be reviewed by a security guard.
B. Only successful access attempts should be logged and reviewed.
C. Only unsuccessful access attempts during unauthorized hours should be logged and reviewed.
D. All unsuccessful access attempts should be logged and reviewed.
D
- Brad is installing windows on the storefront of a bank in an area known to be at risk of fires in the dry season. Which of the following is least likely to be true of the windows he is installing?
A. The glass has embedded wires.
B. They are made of glass-clad polycarbonate.
C. The window material is acrylic glass.
D. A solar window film has been added to them.
C
- CCTV can use fixed focal length or varifocal lenses. Which of the following correctly describes the lenses used in CCTV?
A. A fixed focal length lens allows you to move between various fields of view with a single lens.
B. To cover a large area and not focus on specific items, use a large lens opening.
C. An auto-iris lens should be used in an area with fixed lighting.
D. A shallow depth of focus allows you to focus on smaller details.
D
- Which of the following describes the type of construction materials most commonly used to build a bank’s exterior walls?
A. Dense woods fastened with metal bolts and plates
B. Steel rods encased inside of concrete walls and support beams
C. Untreated lumber
D. Steel
B
- Which of the following is a light-sensitive chip used in most of today’s CCTV cameras?
A. Digital Light Processing
B. Cathode ray tube
C. Annunciator
D. Charge-coupled devices
D
- John is installing a sprinkler system that makes use of a thermal-fusible link for a data center located in Canada. Which of the following statements is true of the system he’s installing?
A. The pipes of a dry pipe system are filled with water when pressurized air within the pipes is reduced.
B. The pipes of a preaction system are filled with water when pressurized air within the pipes is reduced.
C. The sprinkler heads of a deluge system are wide open to allow a larger volume of water to be released in a shorter period.
D. The pipes in a wet pipe system always contain water.
B
- Which of the following allows security personnel to change the field of view of a CCTV lens to different angles and distances?
A. Depth of field
B. Manual iris
C. Zoom
D. Illumination
C
- An outline for a physical security design should include program categories and the necessary countermeasures for each. What category do locks and access controls belong to?
A. Assessment
B. Deterrence
C. Response
D. Delay
D
- A number of factors need to be considered when buying and implementing a CCTV system. Which of the following is the primary factor in determining whether a lens should have a manual iris or an auto-iris?
A. If the camera must be able to move in response to commands
B. If the environment has fixed lighting
C. If objects to be viewed are wide angle, such as a parking lot, or narrow, such as a door
D. The amount of light present in the environment
B
- IDSs can detect intruders by employing electromechanical systems or volumetric systems. Which of the following correctly describes these systems?
A. Because they detect changes in subtle environmental characteristics, electromechanical systems are more sensitive than volumetric.
B. Electromechanical systems are less sensitive than volumetric systems, which detect subtle changes in environmental characteristics.
C. Electromagnetic systems deal with environmental changes such as ultrasonic frequencies, while volumetric systems can employ pressure mats or metallic foil in windows.
D. Electromagnetic systems are more sensitive because they detect a change or break in a circuit, while volumetric systems detect environmental changes.
B
- What discipline combines the physical environment and sociology issues that surround it to reduce crime rates and the fear of crime?
A. Layered defense model
B. Target hardening
C. Crime Prevention Through Environmental Design
D. Natural access control
C
- There are several types of volumetric IDSs. What type of IDS emits a measurable magnetic field that it monitors for disruptions?
A. Capacitance detector
B. Passive infrared system
C. Wave-pattern motion detectors
D. Photoelectric system
A
- Paisley is helping her company identify potential site locations for a new facility. Which of the following is not an important factor when choosing a location?
A. Distance to police and fire stations
B. Lighting
C. Natural disaster occurrence
D. Crime rate
B
- Sarah recently learned that the painting she inherited from a relative and hung in her downtown coffee shop is worth a lot of money. She is worried about its protection and wants to install an IDS. Which of the following intrusion detection systems is the most appropriate for protecting the painting?
A. Acoustical detection system
B. Proximity detector
C. Photoelectric system
D. Vibration sensor
B
- David is preparing a server room at a new branch office. What locking mechanisms should he use for the primary and secondary server room entry doors?
A. The primary and secondary entrance doors should have access controlled through a swipe card or cipher lock.
B. The primary entrance door should have access controlled through a security guard. The secondary doors should be secured from the inside and allow no entry.
C. The primary entrance door should have access controlled through a swipe card or cipher lock. The secondary doors should have a security guard.
D. The primary entrance door should have access controlled through a swipe card or cipher lock. Secondary doors should be secured from the inside and allow no entry.
D
- Which of the following is not true of IDSs?
A. They can be hindered by items within the room.
B. They are expensive and require human intervention to respond to the alarms.
C. They usually come with a redundant power supply and emergency backup power.
D. They should detect, and be resistant to, tampering.
C
- Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out a security program?
A. Create countermeasure performance metrics.
B. Conduct a risk analysis.
C. Design the program.
D. Implement countermeasures.
B
- A number of measures should be taken to help protect devices and the environment from electric power issues. Which of the following is best to keep voltage steady and power clean?
A. Power line monitor
B. Surge protector
C. Shielded cabling
D. Regulator
D
- What type of fence detects if someone attempts to climb or cut it?
A. Class IV
B. PIDAS
C. CPTED
D. PCCIP
B
- Several different types of smoke and fire detectors can be used. What type of detector is shown in the following graphic?
A. Photoelectric
B. Heat-activated
C. Infrared flame
D. Ionization
A
- Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Of CPTED’s three main components, what is illustrated in the following photo?
A. Natural surveillance
B. Target hardening
C. Natural access control
D. Territorial reinforcement
A
- Different types of material are built into walls and other constructs of various types of buildings and facilities. What type of material is shown in the following photo?
A. Fire-resistant material
B. Light frame construction material
C. Heavy timber construction material
D. Rebar material
D
- There are five different classes of fire. Each depends upon what is on fire. Which of the following is the proper mapping for the items missing in the provided table?
A. Class D—combustible metals
B. Class C—liquid
C. Class B—electrical
D. Class A—electrical
A
- Electrical power is increasingly being provided through smart grids, which allow for self-healing, resistance to physical and cyberattacks, increased efficiency, and better integration of renewable energy sources. Countries want their grids to be more reliable, resilient, flexible, and efficient. Why does this type of evolution in power infrastructure concern many security professionals?
A. Allows for direct attacks through Power over Ethernet
B. Increased embedded software and computing capabilities
C. Does not have proper protection against common Web-based attacks
D. Power fluctuation and outages directly affect computing systems
B
- Mike’s team has decided to implement new perimeter fences and warning signs against trespassing around the company’s facility. Which of the categories listed in the scenario do these countermeasures map to?
A. Deterrent
B. Delaying
C. Detection
D. Assessment
A
- Mike’s team has decided to implement stronger locks on the exterior doors of the new company’s facility. Which of the categories listed in the scenario does this countermeasure map to?
A. Deterrent
B. Delaying
C. Detection
D. Assessment
B
- Mike’s team has decided to hire and deploy security guards to monitor activities within the company’s facility. Which of the categories listed in the scenario does this countermeasure map to?
A. Delaying
B. Detection
C. Assessment
D. Recall
C
- Which of the following is the best control that Greg should ensure is implemented to deal with his boss’s concern?
A. Access and audit logs
B. Mantrap
C. Proximity readers
D. Smart card readers
B