Security Architecture and Engineering Flashcards
This domain represents 13% of the CISSP exam. Security must be incorporated into the design of information systems, and it is equally important for the facilities that house information systems and workers.
Q. 1 What’s considered a sufficient fencing height to keep out casual intruders?
12 feet
3 to 4 feet
12 feet with one strand of barbed wire
8 feet with three strands of barbed wire
3 to 4 feet
[Security Engineering] Three to four feet is a sufficient height to deter casual physical intruders.
Q. 2 How does soda acid aid in fire suppression?
It reduces the fire’s oxygen supply
It isolates the fire’s fuel supply
It lowers the temperature below what the fire needs to sustain itself
It extinguishes the fire through a chemical reaction
It isolates the fire’s fuel supply
[Security Engineering] Soda acid prevents the fire’s fuel supply from reacting with oxygen in the fire triangle.
Q. 3 What’s the principal feature of a mantrap?
Its advanced metal detecting capability
Only one of its two doors can be opened at a time
The high speed by which people can enter and exit a facility
Its biometric identifying capabilities
Only one of its two doors can be opened at a time
[Security Engineering] A mantrap controls physical access by permitting only one door in a controlled pair to be open at a time.
Q. 4 What’s one possible weakness of a BIOS password intended to protect hard disk data?
It may be possible to read the hard disk data by placing it in another computer
It might not provide disk encryption
The encryption used is generally weak
It can be defeated by connecting jumpers together on the system board
It may be possible to read the hard disk data by placing it in another computer
[Asset Security] Some BIOS passwords prevent only that particular computer from accessing the hard drive; therefore, they don’t actually protect the hard drive’s contents.
Q. 5 The major hierarchical classes of security protection defined in the Orange Book (TCSEC) include which of the following? Drag and drop the correct answer(s) from top to bottom.
Compartmentalized protection
Discretionary protection
Mandatory protection
Total protection
Minimal protection
Verified protection
Discretionary protection
Mandatory protection
Minimal protection
Verified protection
[Security Engineering] The major hierarchical classes of security protection defined in the Orange Book (TCSEC) are Minimal protection (D), Discretionary protection (C), Mandatory protection (B), and Verified protection (A).
Q. 6 After a power failure, the security doors in a data center permit all personnel to access the facility. This is known as
Fail open
Fail closed
Control closed
Control open
Fail open
[Security Engineering] “Fail open” describes the condition in which an access control permits access in the event of an abnormal condition, such as a power failure.
Q. 7 The model that assigns classification levels to materials and to individuals to determine who can view materials based upon their classification is known as
The DoD multilevel security model
The Bell-LaPadula model
The Clark-Wilson model
The information flow model
The Bell-LaPadula model
[Security Engineering] The Bell-LaPadula model is used to control access to information based on the classification of that information and the clearance level of the individual who wants to view it.
Q. 8 An asymmetric cryptosystem is also known as a
Message digest
Hash function
Public key cryptosystem
Secret key cryptosystem
Public key cryptosystem
[Security Engineering] Asymmetric cryptosystems are also known as public key cryptosystems.
Q. 9 To what height should a critical building be illuminated at night?
4 feet
8 feet
12 feet
24 feet
8 feet
[Security Engineering] Eight feet is a sufficient height to provide visibility of most physical intruder activities at night.
Q. 10 A database containing the data structures used by an application is known as
A data encyclopedia
A data dictionary
Metadata
A schema
A data dictionary
[Security Engineering] A data dictionary contains information about an application’s data structures, including table names, field names, indexes, and so on.
Q. 11 The sum total of all protection mechanisms in a system is known as a
Trusted Computing Base
Protection domain
Trusted path
Summation Protection Mechanism
Trusted Computing Base
[Security Engineering] The Trusted Computing Base (TCB) is the complete set of hardware, firmware, and/or software components that are critical to a computer system’s security.
Q. 12 An algorithm that’s easy to compute in the forward direction but difficult to compute backwards is known as
A block cipher
A stream cipher
A public key function
A one-way function
A one-way function
[Security Engineering] A one-way function is easy to compute in the forward direction but very difficult to run backwards.
Q. 13 A chart of privileges and subjects is known as a(n)
Protection ring
Chart of accounts
Access control list
Access matrix
Access matrix
[Security Engineering] An access matrix is used to map subjects to capabilities.
Q. 14 The amount of effort required to break a given ciphertext is known as the
Work factor
Effort function
Cryptanalysis
Extraction
Work factor
[Security Engineering] Work factor describes the amount of time and/or effort required to break a ciphertext.
Q. 15 What term refers to an object, such as memory space in a program or a storage block on media, that may present a risk of data remanence if it is not properly cleared?
Data residency
Data resiliency
Object reuse
Data at rest
Object reuse
[Asset Security] Object reuse is the term that refers to an object that may present a risk of data remanence if it is not properly cleared. Data residency refers to the physical or geographic location of data. Data resiliency refers to the persistent nature of data. Data at rest refers to data that is located on storage media.
Q. 16 Which of the following are examples of third-generation programming languages? Drag and drop the correct answer(s) from top to bottom.
Klingon
BASIC
C/C++
Assembler
FORTRAN
Java
BASIC
C/C++
FORTRAN
Java
[Security Engineering] C/C++, BASIC, FORTRAN, and Java are all examples of third-generation programming languages. An assembler is a program used to convert software code to machine language. Klingon is a fictional language used by a fictional warlike humanoid alien species, not a programming language.
Q. 17 Why would a user’s public encryption key be widely distributed?
So that cryptographers can attempt to break it
Because it is encrypted
So that others can send encrypted messages to the user
So that the user can decrypt messages from any location
So that others can send encrypted messages to the user
[Security Engineering] In public key cryptography, the public key doesn’t reveal any information about the secret key.
Q. 18 European ITSEC level F-C2 is equivalent to what U.S. TCSEC level?
D
C1
C2
B2
C2
[Security Engineering] The European ITSEC level F-C2 corresponds to U.S. TCSEC level C2.
Q. 19 The purpose of an operating system is to
Manage hardware resources
Compile program code
Decompile program code
Present a graphic interface to users
Manage hardware resources
[Security Engineering] An operating system (OS) manages computer hardware and presents a consistent interface to application programs and tools.
Q. 20 Object-oriented databases
Are well-suited to the storage and manipulation of complex data types
Use fewer system resources than relational databases
Are easier to learn than relational databases
Have severe restrictions on the types and sizes of data elements
Are well-suited to the storage and manipulation of complex data types
[Security Engineering] Object-oriented databases are well-suited for complex and large data types, but consume far more system resources than relational databases and have steep learning curves.
Q. 21 What’s one disadvantage of an organization signing its own certificates?
The certificate signing function is labor-intensive
People outside the organization may receive warning messages
The user identification process is labor-intensive
It’s much more expensive than having certificates signed by a CA
People outside the organization may receive warning messages
[Security Engineering] The lack of a top-level (root) signature on a certificate results in warning messages stating that the certificate cannot be verified because it lacks a top-level signature (unless the organization has been granted the authority to self-sign its own certificates).
Q. 22 Which of the following are physical preventive controls? Drag and drop the correct answer(s) from top to bottom.
CCTV
Fencing
Warning signs
Guards
Fencing
Guards
Q. 23 The method of encryption in which both sender and recipient possess a common encryption key is known as
Message digest
Hash function
Public key cryptography
Secret key cryptography
Secret key cryptography
[Security Engineering] Secret key cryptography requires both parties to possess a common, secret key.
Q. 24 Firmware is generally stored on
ROM or EPROM
Tape
RAM
Any removable media
ROM or EPROM
[Security Engineering] Firmware is low-level software, installed on a system or device, that is seldom changed and updated relatively infrequently. Therefore, it is generally stored in more permanent memory, such as ROM or EPROM.
Q. 25 Which of the following is NOT a purpose of a digital signature?
Authentication to a key server
Detecting unauthorized changes of data
Non-repudiation
Identifying the person who signed the data
Authentication to a key server
[Security Engineering] Digital signatures aren’t used for authentication to a key server.
Q. 26 Reading down the columns of a message that has been written across is an example of
A columnar transposition cipher
Calculating the columnar hash
Calculating the checksum
Calculating the modulo
A columnar transposition cipher
[Security Engineering] In a columnar transposition cipher, the cryptographer writes across (horizontally), but the message is read down (vertically).
Q. 27 One risk related to unknown SSL certificates in a browser session is
A man in the browser attack
A compromised WPA key
A compromised WEP key
A man in the middle attack
A man in the middle attack
[Security Engineering] Unknown SSL certificates encountered in a browser may be an indication of a malicious proxy that is decrypting and examining SSL traffic in a session.
Q. 28 An evaluation of security features in an information system against a set of security requirements is known as a(n)
Protection
Certification
Accreditation
Verification
Certification
[Security Engineering] A certification is the formal evaluation of security features according to a set of security requirements.
Q. 29 Which of the following are examples of security modes in a system? Drag and drop the correct answer(s) from top to bottom.
Compartmented
Dedicated
Authenticated
Privileged
Multilevel
Windows Compatibility
System High
Compartmented
Dedicated
Multilevel
System High
[Security Engineering] Dedicated, System High, Multilevel, and Compartmented are security modes used to control how users can access information depending on the classification of the information.
Q. 30 How does water aid in fire suppression?
It reduces the fire’s oxygen supply
It isolates the fire’s fuel supply
It lowers the temperature below what the fire needs to sustain itself
It extinguishes the fire through a chemical reaction
It lowers the temperature below what the fire needs to sustain itself
[Security Engineering] Water primarily removes the heat element from the fire triangle. To some extent, water can also create a barrier separating the fuel and oxygen elements of the fire triangle.
Q. 31 Object-oriented and relational are examples of
Types of programming languages
Types of database records
Types of database queries
Types of databases
Types of databases
[Security Engineering] Object-oriented and relational are types of databases.
Q. 32 Why should a data center’s walls go all the way to the ceiling and not just stop at the suspended ceiling?
The walls will be stronger
The HVAC will run more efficiently
To prevent an intruder from entering the data center by climbing over the wall
The high wall will block more noise
To prevent an intruder from entering the data center by climbing over the wall
[Security Engineering] The primary reason for extending a wall from the floor to the ceiling in a data center is to prevent an intruder from gaining access above a suspended ceiling or below a raised floor.
Q. 33 The substitution cipher that shifts characters by 13 positions, which is used by UNIX systems, is known as
Crypt
ROOT 13
ROT 13
ROTOR 13
ROT 13
[Security Engineering] UNIX used the simple substitution cipher called ROT 13 to obfuscate messages. It was most often used in newsgroups to hide off-color jokes from those who were easily offended and didn’t want to read them. ROT 13 wasn’t meant to be difficult to decrypt – only to make text unrecognizable on sight.
Q. 34 How does CO2 aid in fire suppression?
It reduces the fire’s oxygen supply
It isolates the fire’s fuel supply
It lowers the temperature below what the fire needs to sustain itself
It extinguishes the fire through a chemical reaction
It reduces the fire’s oxygen supply
[Security Engineering] CO2 displaces oxygen long enough to stop a fire’s chemical reaction.
Q. 35 The science of hiding the true meaning of messages from unintended recipients is known as
Cryptosystem
Cryptology
Cryptography
Enciphering
Cryptography
[Security Engineering] Cryptography is the art of hiding the meaning of messages so that unintended recipients can’t read those messages.
Q. 36 What are the main types of water sprinkler systems used in fire suppression? Drag and drop the correct answer(s) from top to bottom.
Deluge
Dry pipe
Postaction
Rotating head
Preaction
Wet pipe
Deluge
Dry pipe
Preaction
Wet pipe
[Security Engineering] Dry pipe, wet pipe, deluge, and preaction are the main types of water sprinkler systems used in fire suppression.
Q. 37 The Bell-LaPadula model is an example of
An accreditation model
A Take-Grant model
An integrity model
An access-control model
An access-control model
[Security Engineering] Bell-LaPadula is an access control model.
Q. 38 Which of the following is NOT an advantage of cipher locks over access-card locks?
Cipher locks are independent and work even when centralized systems can’t
A cipher lock may be more cost-effective than an access-card lock for one door
Cipher locks offer better centralized control than do access-card locks
Cipher locks are self-contained, requiring no external power or wiring
Cipher locks offer better centralized control than do access-card locks
[Security Engineering] Cipher locks usually do not provide centralized control.
Q. 39 Tailgating is a term describing what activity?
Logging in to a server from two or more locations
Causing a PBX to permit unauthorized long distance calls
Following an employee through an uncontrolled access point
Following an employee through a controlled access point
Following an employee through a controlled access point
Q. 40 In the event of a power failure, what does fail closed mean in the context of controlled building entrances?
Controlled entrances permit no one to pass
Controlled entrances permit people to pass without identification
The access control computer is down
Everyone is permitted to enter the building
Controlled entrances permit no one to pass
[Security Engineering] “Fail closed” refers to any controlling mechanism that defaults to a locked position if it fails, thereby permitting entry by no one (including authorized persons).
Q. 41 A given symmetric cryptosystem uses a 64-bit key size. If an asymmetric cryptosystem is used instead, what key size is required to give the equivalent strength of the symmetric cryptosystem?
2048 bits
512 bits
64 bits
24 bits
512 bits
[Security Engineering] An asymmetric cryptosystem must use a 512-bit key size to match the strength of a symmetric cryptosystem using a 64-bit key.
Q. 42 Data mining
Can be performed by privileged users only
Is generally performed after hours because it’s resource intensive
Refers to searches for correlations in a data warehouse
Is the term used to describe a hacker who has broken into a database
Refers to searches for correlations in a data warehouse
[Security Engineering] Data mining describes searches for correlations, patterns, and trends in a data warehouse.
Q. 43 What’s the purpose of memory protection?
It protects memory from malicious code
It prevents a program from being able to access memory used by another program
Memory protection is another term used to describe virtual memory backing store
It ensures that hardware refresh is frequent enough to maintain memory integrity
It prevents a program from being able to access memory used by another program
[Security Engineering] Memory protection is a machine-level security feature that prevents one program from being able to read or alter memory assigned to another program.
Q. 44 A water sprinkler system characterized as always having water in the pipes is known as
Dry-pipe
Wet-pipe
Preaction
Discharge
Wet-pipe
[Security Engineering] A wet-pipe sprinkler system always has water in the pipes.
Q. 45 Drain pipes that channel liquids away from a building are called
Positive drains
Neutral drains
Storm drains
Negative drains
Positive drains
[Security Engineering] Positive drains carry liquids away from a building.
Q. 46 What’s the purpose of a back door?
Provides an alternate means of authentication
Permits a function when the security officer is absent
Used to bypass the guarded main entrance of a secure facility
Used to bypass one or more security controls
Used to bypass one or more security controls
[Software Development Security] A back door is used to circumvent security controls.
Q. 47 Steganography isn’t easily noticed because
Monitor and picture quality are so good these days
Most PC speakers are turned off or disabled
The human eye cannot discern the noise that steganography introduces
Checksums can’t detect most steganographed images
The human eye cannot discern the noise that steganography introduces
[Security Engineering] Steganography is difficult to detect visually in an image.
Q. 48 An unintended and unauthorized communication path is known as a
Covert channel
Back door
Front door
Side door
Covert channel
[Security Engineering] A covert channel is an unintended and unauthorized communication path.
Q. 49 The security mode in which all users have the required clearance and authorization to access information is known as:
Dedicated
Compartmented
Trusted
Labeled
Dedicated
[Security Engineering] In a dedicated mode information system, all users have both the clearance and authorization to access information.
Q. 50 The model that incorporates constrained data items and procedures for verifying and changing integrity states is known as
The Bell-LaPadula integrity model
The Clark-Wilson integrity model
The Wilson-Phillips integrity model
The information flow model
The Clark-Wilson integrity model
[Security Engineering] Clark-Wilson starts with a constrained data item (CDI), confirms integrity state by using the integrity verification procedure (IVP), and changes integrity state by using the transformation procedure (TP). Bell-LaPadula and information flow are access control models. Wilson Phillips (without a hyphen) is an awesome band from the 1990s!
Q. 51 Why should computer and office equipment be checked in and checked out at a building entrance?
So that IT knows whether it’s available in the event of a disaster
Fixed asset personnel can keep location records up-to-date
To deter employees from trying to steal computer equipment
To account for what would otherwise be metal detector alarms
To deter employees from trying to steal computer equipment
[Security Engineering] Equipment check-in and check-out procedures can help deter theft.