Test #2 Flashcards
- An organization is looking for a filtering solution that will help eliminate some of the recent problems it has had with viruses and worms. Which of the following best meets this requirement?
❍ A. Intrusion detection
❍ B. Malware inspection
❍ C. Load balancing
❍ D. Internet content filtering
Answer B is correct. A malware inspection filter is basically a web filter
applied to traffic that uses the HTTP protocol. The body of all HTTP
requests and responses is inspected. Malicious content is blocked while legitimate
content passes through unaltered. Answer A is incorrect because
intrusion-detection systems are designed to analyze data, identify attacks, and
respond to the intrusion. Answer C is incorrect because load balancers are
servers configured in a cluster to provide scalability and high availability.
Answer D is incorrect because Internet content filters use a collection of
terms, words, and phrases that are compared to content from browsers and
applications.
- Which risk management response is being implemented when a company purchases
insurance to protect against service outage?
❍ A. Acceptance
❍ B. Avoidance
❍ C. Mitigation
❍ D. Transference
Answer D is correct. The liability of risk is transferred through insurance
policies. Answer A is incorrect because accepting a risk is to do nothing in
response. Risk avoidance involves simply terminating the operation that produces
the risk, making answer B incorrect. Answer C is not correct because
mitigation applies a solution that results in a reduced level of risk or exposure.
- A collection of compromised computers running software installed by a Trojan horse or a worm is referred to as what?
❍ A. Zombie
❍ B. Botnet
❍ C. Herder
❍ D. Virus
Answer B is correct. Answers A and C are incorrect but are related to a botnet
in that a zombie is one of many computer systems that make up a botnet,
whereas a bot herder is the controller of the botnet. Answer D is incorrect. A
virus is a program that infects a computer without the knowledge of the user.
- Adding a token for every POST or GET request that is initiated from the browser to the server can be used to mitigate which of the following attacks?
❍ A. Buffer overflow
❍ B. Cross-site request forgery (XSRF)
❍ C. Cross-site scripting
❍ D. Input validation error
Answer B is correct. In order to mitigate cross-site request forgery (XSRF)
attacks, the most common solution is to add a token for every POST or GET
request that is initiated from the browser to the server. Answer A is incorrect
because buffer overflows are associated with input validation. Answer C is
incorrect because setting the HTTPOnly flag on the session cookie is used to
mitigate XSS attacks. Answer D is incorrect because input validation tests
whether an application properly handles input from a source outside the
application destined for internal processing.
- Which of the following is one of the biggest challenges associated with database encryption?
❍ A. Multi-tenancy
❍ B. Key management
❍ C. Weak authentication components
❍ D. Platform support
Answer B is correct. One of the biggest challenges associated with database
encryption is key management. Answer A is incorrect because multi-tenancy is
a security issue related to cloud computing implementations. Answer C is
incorrect because lack of management software and weak authentication components
are associated with hardware hard drive encryption. Answer D is
incorrect because cost and platform support are concerns with smartphone
encryption products.
- Which form of access control enables data owners to extend access rights to other logons?
❍ A. MAC
❍ B. DAC
❍ C. Role-based (RBAC)
❍ D. Rule-based (RBAC)
Answer B is correct. Discretionary access control (DAC) systems enable data
owners to extend access rights to other logons. Mandatory access control
(MAC) systems require assignment of labels to extend access, making answer
A incorrect. Answers C and D are incorrect because both RBAC access control
forms rely on conditional assignment of access rules either inherited
(role-based) or by environmental factors such as time of day or secured terminal
location (rule-based).
- In a decentralized key management system, the user is responsible for which one of the following functions?
❍ A. Creation of the private and public key
❍ B. Creation of the digital certificate
❍ C. Creation of the CRL
❍ D. Revocation of the digital certificate
Answer A is correct. In a decentralized key system, the end user generates his
or her own key pair. The other functions, such as creation of the certificate,
CRL, and the revocation of the certificate, are still handled by the certificate
authority; therefore, answers B, C, and D are incorrect.
- What is the name given to the system of digital certificates and certificate authorities used for public key cryptography over networks?
❍ A. Protocol Key Instructions (PKI)
❍ B. Public Key Extranet (PKE)
❍ C. Protocol Key Infrastructure (PKI)
❍ D. Public Key Infrastructure (PKI)
Answer D is correct. Public Key Infrastructure describes the trust hierarchy
system for implementing a secure public key cryptography system over
TCP/IP networks. Answers A, B, and C are incorrect because these are bogus
terms.
- If Sally wants to send a secure message to Mark using public-key encryption but is not worried about sender verification, what does she need in addition to her original message text?
❍ A. Sally’s private key
❍ B. Sally’s public key
❍ C. Mark’s private key
❍ D. Mark’s public key
Answer D is correct. Sally needs Mark’s public key to encrypt her original
message in a form that only Mark can decrypt. Neither of Sally’s keys is needed
because the originator does not need to be validated, making answers A
and B incorrect. Answer C is incorrect because Mark’s private key is used for
decrypting the encrypted message to reveal Sally’s original message.
- Which of the following would be the most effective method to physically secure laptops that are used in an environment such as an office?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Answer A is correct. Security cables with combination locks can provide such
security and are easy to use. They are used mostly to secure laptops and leave
the equipment exposed. Answer B is incorrect because PC Safe tower and
server cages are designed to bolt to the floor and are meant to be in an environment
that is static. Answer C is incorrect because a locked cabinet is an
alternative for equipment that is not used or does not have to be physically
accessed on a regular, daily basis. Vendors provide solutions such as a security
cabinet locker that secures CPU towers. The housing is made of durable,
heavy-duty steel for strength. Answer D is incorrect because a hardware lock
is used for license enforcement.
- Which of the following serves the purpose of trying to lure a malicious attacker into a system?
❍ A. Honeypot
❍ B. Pot of gold
❍ C. DMZ
❍ D. Bear trap
Answer A is correct. A honeypot is used to serve as a decoy and lure a malicious
attacker. Answers B and D are incorrect and are not legitimate
terms for testing purposes. Answer C is incorrect because a DMZ is an area
between the Internet and the internal network.
- What is the recommended range of humidity level according to the ASHRAE?
❍ A. 10%–20%
❍ B. 30%–40%
❍ C. 40%–55%
❍ D. 55%–65%
Answer C is correct. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the
40% to 55% range, making answers A, B, and D incorrect. Very low levels of
humidity can promote the buildup of electrostatic charges that can harm sensitive
electronic components. Very high levels of humidity can promote condensation
on chilled surfaces and introduce liquid into operating equipment.
- Which of the following is a network protocol that supports file transfers and is a combination of RCP and SSH?
❍ A. HTTPS
❍ B. FTPS
❍ C. SFTP
❍ D. SCP
Answer D is correct. The Secure Copy Protocol (SCP) is a network protocol
that supports file transfers. SCP is a combination of RCP and SSH. It uses the
BSD RCP protocol tunneled through the Secure Shell (SSH) protocol to provide
encryption and authentication. Answer A is incorrect because HTTPS is
used for secured web-based communications. Answer B is incorrect. FTPS,
also known as FTP Secure and FTP-SSL, is an FTP extension that adds support
for TLS and SSL. Answer C is incorrect because SFTP, or secure FTP, is
a program that uses SSH to transfer files. Unlike standard FTP, it encrypts
both commands and data, preventing passwords and sensitive information
from being transmitted in the clear over the network.
- You want to implement a technology solution for a small organization that can function as a single point of policy control and management for access to Internet content. Which of the following should you choose?
❍ A. Proxy gateway
❍ B. Circuit-level gateway
❍ C. Application-level gateway
❍ D. Web security gateway
Answer D is correct. Web security gateways offer a single point of policy control
and management for web-based content access. Answer A is too generic to
be a proper answer. Answer B is incorrect because a circuit-level gateway’s decisions
are based on source and destination addresses. Answer C is incorrect
because an application-level gateway understands services and protocols.
- You have recently had security breaches in the network. You suspect they might be coming from a telecommuter’s home network. Which of the following devices would you use to require a secure method for employees to access corporate resources while working from home?
❍ A. A router
❍ B. A VPN concentrator
❍ C. A firewall
❍ D. A network-based IDS
Answer B is correct. A VPN concentrator is used to allow multiple users to
access network resources using secure features that are built into the device and
are deployed where the requirement is for a single device to handle a very large
number of VPN tunnels. Answer A is incorrect because a router forwards information
to its destination on the network or the Internet. A firewall protects computers
and networks from undesired access by the outside world; therefore,
answer C is incorrect. Answer D is incorrect because network-based intrusion-detection
systems monitor the packet flow and try to locate packets that are not
allowed for one reason or another and might have gotten through the firewall.
- At which layer of the OSI model does the Internet Protocol Security protocol function?
❍ A. Network layer
❍ B. Presentation layer
❍ C. Session layer
❍ D. Application layer
Answer A is correct. IPsec validation and encryption function at the network
layer of the OSI model. Answers B, C, and D are incorrect because IPsec functions
at a lower level of the OSI model.
- When troubleshooting SSL, which two layers of the OSI model are of most value?
❍ A. Application layer and Presentation layer
❍ B. Presentation layer and Session layer
❍ C. Application layer and Transport layer
❍ D. Physical layer and Data Link layer
Answer C is correct. SSL connections occur between the application and transport
layers. Answer A is incorrect because the Secure Sockets Layer (SSL) operates
at a deeper level. Answer B is incorrect because the Secure Sockets Layer transport
effectively fills the same role as these OSI model layers. Answer D is incorrect
because the data has been abstracted beyond the level at which SSL operates.
- Which of the three principles of security is supported by an iris biometric system?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Availability
❍ D. Vulnerability
Answer A is correct. Confidentiality involves protecting against unauthorized
access, which biometric authentication systems support. Integrity is concerned
with preventing unauthorized modification, making answer B incorrect. Answer
C is not correct because availability is concerned with ensuring that access to
services and data is protected against disruption. Answer D is incorrect because
a vulnerability is a failure in one or more of the C-I-A principles.
- _________ describes the potential that a weakness in hardware, software, process, or people will be identified and taken advantage of.
❍ A. Vulnerability
❍ B. Exploit
❍ C. Threat
❍ D. Risk
Answer C is correct. A threat is the potential that a vulnerability will be identified
and exploited. Answer A is incorrect because a vulnerability is the weakness
itself and not the likelihood that it will be identified and exploited.
Answer B is incorrect because an exploit is the mechanism of taking advantage
of a vulnerability rather than its likelihood of occurrence. Answer D is incorrect
because risk is the likelihood that a threat will occur and the measure of
its effect.
- Which of the following is not a principal concern for first responders to a hacking incident within a corporation operating in the United States?
❍ A. Whether EMI shielding is intact
❍ B. Whether data is gathered properly
❍ C. Whether data is protected from modification
❍ D. Whether collected data is complete
Answer A is correct. EMI shielding is important to protecting data and services
against unauthorized interception as well as interference but is not a principal
concern for first responders following an incident. First responders must
ensure that data is collected correctly and protect it from modification using
proper controls, ensuring a clear chain of evidence, making answers B and C
incorrect. Answer D is incorrect because a first responder might be the only
agent able to ensure that all data is collected before being lost due to volatility
of storage.
- Which rule of evidence within the United States involves Fourth Amendment protections?
❍ A. Admissible
❍ B. Complete
❍ C. Reliable
❍ D. Believable
Answer A is correct. Admissibility involves collecting data in a manner that
ensures its viability in court, including legal requirements such as the Fourth
Amendment protections against unlawful search and seizure. Answers B and C
are incorrect because data must be collected completely and protected against
modification to ensure reliability, but these are not concerns of the Fourth
Amendment. Answer D is incorrect because believability focuses on evidence
being understandable, documented, and not subject to modification during
transition.
- A user has downloaded trial software and subsequently downloads a key generator in order to unlock the trial software. The user’s antivirus detection software now alerts the user that the system is infected. Which one of the following best describes the type of malware infecting the system?
❍ A. Logic bomb
❍ B. Trojan
❍ C. Adware
❍ D. Worm
Answer B is correct. Trojans are programs disguised as something useful. In
this instance, the user was likely illegally trying to crack software, and in the
process infected the system with malware. Although answers A, C, and D are
types of malware, they are not the best choices.
- Which of the following is a coordinated effort in which multiple machines attack a single victim or host with the intent to prevent legitimate service?
❍ A. DoS
❍ B. Masquerading
❍ C. DDoS
❍ D. Trojan horse
Answer C is correct. A distributed denial of service (DDoS) is similar to a
denial-of-service (DoS) attack in that they both try to prevent legitimate
access to services. However, a DDoS is a coordinated effort among many
computer systems; therefore, answer A is incorrect. Masquerading involves
using someone else’s identity to access resources; therefore, answer B is incorrect.
A Trojan horse is a program used to perform hidden functions; therefore,
answer D is incorrect.
- What is the name given to the activity that consists of collecting information that will be later used for monitoring and review purposes?
❍ A. Logging
❍ B. Auditing
❍ C. Inspecting
❍ D. Vetting
Answer A is correct. Logging is the process of collecting data to be used for
monitoring and auditing purposes. Auditing is the process of verification that
normally involves going through log files; therefore, answer B is incorrect.
Typically, the log files are frequently inspected, and inspection is not the
process of collecting the data; therefore, answer C is incorrect. Vetting is the
process of thorough examination or evaluation; therefore, answer D is incorrect.
- Which of the following are not methods for minimizing a threat to a web server? (Choose the two best answers.)
❍ A. Disable all non-web services
❍ B. Ensure Telnet is running
❍ C. Disable nonessential services
❍ D. Enable logging
Answers B and D are correct. Having Telnet enabled presents security issues
and is not a primary method for minimizing threat. Logging is important for
secure operations and is invaluable when recovering from a security incident.
However, it is not a primary method for reducing threat. Answer A is incorrect
because disabling all non-web services might provide a secure solution for
minimizing threats. Answer C is incorrect because each network service carries
its own risks; therefore, it is important to disable all nonessential services.
- The organization is concerned about bugs in commercial off-the-shelf (COTS) software. Which of the following might be the only means of reviewing the security quality of the program?
❍ A. Fuzzing
❍ B. Cross-site scripting
❍ C. Input validation
❍ D. Cross-site request forgery
Answer A is correct. In some closed application instances, fuzzing might be
the only means of reviewing the security quality of the program. Answer B is
incorrect because cross-site scripting (XSS) vulnerabilities can be used to
hijack the user’s session or to cause the user accessing malware-tainted Site A
to unknowingly attack Site B on behalf of the attacker who planted code on
Site A. Answer C is incorrect because input validation tests whether an application
properly handles input from a source outside the application destined
for internal processing. Answer D is incorrect because cross-site request forgery (XSRF) is an
attack in which the end user executes unwanted actions on a web application
while she is currently authenticated.
- Which of the following is an attack in which the end user executes unwanted actions on a web application while he is currently authenticated?
❍ A. Buffer overflow
❍ B. Input validation error
❍ C. Cross-site scripting
❍ D. Cross-site request forgery
Answer D is correct. Cross-site Request Forgery (XSRF) is an attack in which
the end user executes unwanted actions on a web application while he is currently
authenticated. Answer A is incorrect because a buffer overflow is a
direct result of poor or incorrect input validation or mishandled exceptions.
Answer B is incorrect because input validation errors are a result of improper
field checking in the code. Answer C is incorrect because cross-site scripting
(XSS) vulnerabilities can be used to hijack the user’s session or to cause the
user accessing malware-tainted Site A to unknowingly attack Site B on behalf
of the attacker who planted code on Site A.
- Which of the following would be the most effective method to physically secure computers that are used in a lab environment that operates on a part-time basis?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Answer C is correct. A locked cabinet is an alternative for equipment that is not
used or does not have to be physically accessed on a regular, daily basis. Vendors
provide solutions such as a security cabinet locker that secures CPU towers. The
housing is made of durable, heavy-duty steel for strength. Answer A is incorrect
because security cables with combination locks can provide such security and are
easy to use but are used mostly to secure laptops and leave the equipment
exposed. Answer B is incorrect because PC Safe tower and server cages are
designed to bolt to the floor and are meant to be in an environment that is static.
Answer D is incorrect because a hardware lock is used for license enforcement.
- Which of the following methods would be the most effective to physically secure tower-style computers in a financial organization?
❍ A. Security cables
❍ B. Server cages
❍ C. Locked cabinet
❍ D. Hardware locks
Answer B is correct. Products such as PC Safe tower and server cages are
designed to bolt to the floor and are meant to be in an environment that is
static. For example, financial businesses have been hit hard by theft of desktop
computers because they hold a lot of personal data. Answer A is incorrect
because security cables with combination locks can provide such security and
are easy to use and are used mostly to secure laptops and leave the equipment
exposed. Answer C is incorrect because a locked cabinet is an alternative for
equipment that is not used or does not have to be physically accessed on a
regular, daily basis. Answer D is incorrect because a hardware lock, also
known as a software protection dongle, is used for license enforcement.
- Your organization is exploring data loss prevention solutions. The proposed solution is an end-point solution. This solution is targeting which of the following data states?
❍ A. In motion
❍ B. At rest
❍ C. In use
❍ D. At flux
Answer C is correct. Protection of data in use is considered to be an endpoint
solution and the application is run on end-user workstations or servers in the
organization. Answer A is incorrect because protection of data in motion is
considered to be a network solution and either a hardware or software solution
is installed near the network perimeter to monitor for and flag policy violations.
Answer B is incorrect because protection of data at rest is considered to be a
storage solution and is generally a software solution that monitors how confidential
data is stored. Answer D is incorrect because there is no such data state.
- Which of the following uses a secure crypto-processor to authenticate hardware devices such as PC or laptop?
❍ A. Public Key Infrastructure
❍ B. Full disk encryption
❍ C. File-level encryption
❍ D. Trusted Platform Module
Answer D is correct. TPM refers to a secure crypto-processor used to authenticate
hardware devices such as PC or laptop. The idea behind TPM is to allow
any encryption-enabled application to take advantage of the chip. Answer A is
incorrect because Public Key Infrastructure (PKI) is a set of hardware, software,
people, policies, and procedures needed to create, manage, distribute,
use, store, and revoke digital certificates. Answer B is incorrect because full-disk
encryption involves encrypting the operating system partition on a computer
and then booting and running with the system drive encrypted at all
times. Answer C is incorrect because in file- or folder-level encryption, individual
files or directories are encrypted by the file system itself.
- Which process involves verifying keys as being authentic?
❍ A. Authorization
❍ B. Authentication
❍ C. Access control
❍ D. Verification
Answer B is correct. Authentication involves the presentation and verification
of credentials of keys as being authentic. Answer A is incorrect because
authorization involves checking authenticated credentials against a list of
authorized security principals. Once checked, resource access is allowed or
limited based on Access Control constraints, making answer C incorrect.
Answer D is incorrect because verification of credentials occurs during
authentication (as being authentic) and authorization (as being authorized to
request resource access) and is not a recognized access control process.
- Which category of authentication includes smart cards?
❍ A. Something you know
❍ B. Something you have
❍ C. Something you are
❍ D. Something you do
Answer B is correct. Something you have includes smart cards, tokens, and
keys. Something you know includes account logons, passwords, and PINs,
making answer A incorrect. Answers C and D are incorrect because both
something you are and something you do involve measures of personal biological
qualities and do not require an external device such as a smart card or key.
- Which of the following is not a division of access control as defined by the Orange Book?
❍ A. Discretionary
❍ B. Limited
❍ C. Mandatory
❍ D. Verified
Answer B is correct. “Limited” is not an access control designation within the
Trusted Computer System Evaluation Criteria (TCSEC) document DoD 5200.28-STD,
often referred to as the “Orange Book.” The four divisions are Mandatory,
Discretionary, Minimal, and Verified, making answers A, C, and D incorrect.
- Which division of TCSEC access control includes the subdivisions Controlled Access Protection and Discretionary Security Protection?
❍ A. Division A
❍ B. Division B
❍ C. Division C
❍ D. Division D
Answer C is correct. Discretionary access control (C-level) includes subdivisions
Discretionary Security Protection (C1) and Controlled Access
Protection (C2) based on details such as data segmentation and logging.
These are not subdivisions of the Minimal (D-level), Mandatory (B-level), or
Verified (A-level) access control divisions—making answers A, B, and D
incorrect.
- Which of the following is a hybrid crypto system?
❍ A. IDEA
❍ B. MD5
❍ C. RSA
❍ D. PGP
Answer D is correct. Pretty Good Privacy (PGP) is a hybrid cryptosystem that
makes use of the incorrect choices, A, B, and C. IDEA is a symmetric encryption
cipher, RSA is an asymmetric cipher, and MD5 is a hash.
- Which of the following is the type of algorithm used by MD5?
❍ A. Block cipher algorithm
❍ B. Hashing algorithm
❍ C. Asymmetric encryption algorithm
❍ D. Cryptographic algorithm
Answer B is correct. Although the Message Digest (MD) series of algorithms
is classified globally as a symmetric key encryption algorithm, the correct
answer is hashing algorithm, which is the method that the algorithm uses to
encrypt data. Answer A is incorrect because a block cipher divides the message
into blocks of bits. Answer C is incorrect because MD5 is a symmetric
key algorithm, not an asymmetric encryption algorithm (examples of this
include RC6, Twofish, and Rijndael). Answer D is incorrect because cryptographic
algorithm is a bogus term.
- To check the validity of a digital certificate, which one of the following would be used?
❍ A. Corporate security policy
❍ B. Certificate policy
❍ C. Certificate revocation list
❍ D. Expired domain names
Answer C is correct. A certificate revocation list (CRL) provides a detailed list
of certificates that are no longer valid. A corporate security policy would not
provide current information on the validity of issued certificates; therefore,
answer A is incorrect. A certificate policy does not provide information on
invalid issued certificates, either; therefore, answer B is incorrect. Finally, an
expired domain name has no bearing on the validity of a digital certificate;
therefore, answer D is incorrect.
- What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?
❍ A. PKIX
❍ B. X.509
❍ C. PKCS
❍ D. Both A and C
Answer C is correct. The Public Key Cryptography Standards (PKCS) are the
de facto cryptographic message standards developed and maintained by RSA
Laboratories, a division of the RSA Security Corporation. PKIX describes the
development of Internet standards for X.509-based digital certificates; therefore,
answers A, B, and D are incorrect.
- Which of the following is true of digital signatures? (Choose the two best answers.)
❍ A. They use the skipjack algorithm.
❍ B. They can be automatically time-stamped.
❍ C. They allow the sender to repudiate that the message was sent.
❍ D. They cannot be imitated by someone else.
Answers B and D are correct. Digital signatures offer several features and capabilities.
This includes being able to ensure the sender cannot repudiate that he
or she used the signature. In addition, non-repudiation schemes are capable of
offering time stamps for the digital signature. Answer A is incorrect. The
Skipjack algorithm was developed for use with a chipset developed by the U.S.
government. Skipjack provides only for encryption. Answer C is incorrect, as a
key feature of digital signatures is to provide for non-repudiation.