test1 Flashcards

1
Q

As your organization’s security administrator, you are reviewing the audit results to assess if your organization’s security baselines are maintained. In which phase of the security management life cycle are you engaged?

Plan and Organize
Monitor and Evaluate
Implement
Operate and Maintain

A

Monitor and Evaluate
(Correct)

Explanation
You are engaged in the Monitor and Evaluate phase of the security management life cycle. This phase includes the following components:
• Review logs, audit results, metrics, and service level agreements.
• Assess accomplishments.
• Complete quarterly steering committee meetings.
• Develop improvement steps for integration into the Plan and Organize phase.
Reviewing audits is not part of any of the other phases.

2
Q
You have been instructed to maintain the business continuity plan. Which option is NOT a reason to do this?
•organizational changes
•infrastructure changes
•personnel changes
•budget changes
A
organizational changes
(Correct)

Explanation
Budget changes are not a reason to maintain the business continuity plan. The business continuity plan should be maintained for several reasons, including:
• Infrastructure changes
• Environment changes
• Organizational changes
• Hardware, software, and application changes
• Personnel changes
The steps in the business continuity planning process are as follows:
• Develop the business continuity planning policy statement.
• Conduct the business impact analysis (BIA).
• Identify preventative controls.
• Develop the recovery strategies.
• Develop the contingency plans.
• Test the plan, and train the users.
• Maintain the plan.

3
Q
Which security principle used in the Bell-LaPadula model prevents the security level of subjects and objects from being changed once they have been created?
•principle of least privilege
•domination principle
•Static principle
•Tranquility principle
A

•Tranquility principle
(Correct)

Explanation
The tranquility principle used in the Bell-LaPadula model prevents the security level of subjects and objects from being changed once they have been created. For this reason, the Bell-LaPadula model is considered to be very static in nature. The strong tranquility property states that objects never change their security level. The static principle and the domination principle are not valid security principles. The principle of least privilege ensures that users are given the most restrictive permissions to execute their job tasks.

The Bell-LaPadula model was one of the first mathematical models of a multilevel security policy used to define a secure state machine. It addresses information control flow, security levels, and access modes. Access permissions are defined using an access control matrix that defines the classification system and the class of subjects and objects. Information flow occurs when a subject accesses, observes, or alters an object. One limitation of the Bell-LaPadula model is that it contains covert channels, which is a communication pathway that enables a process to transfer information in a way that violates the system security model.
4
Q
Your company monitors several events to ensure that the security of your servers is not compromised, and that the performance of your servers is maintained within certain thresholds. A security consultant has been hired by your company to analyze organizational security measures. The consultant has requested access to the security monitoring logs. You need to limit the amount of audit log information you provide by discarding information that is not needed by the consultant. Which tool should you use?
•audit-reduction tool
•attack signature-detection tool
•audit filter
•variance-detection tool
A

•audit-reduction tool
(Correct)

Explanation
You should use an audit-reduction tool. An audit-reduction tool is used to limit the amount of audit log information by discarding information that is not needed by the security professional. This tool discards mundane information that is not needed. An audit filter is not a tool. An audit filter is part of the audit log that allows you to filter the log based on certain criteria. Because of its limited function, the audit-reduction tool is usually a better choice for limiting the amount of information that is displayed. A variance-detection tool monitors usage trends to alert security professionals of unusual activity. An attack signature-detection tool monitors the network and compares events with a database of known attack patterns.

5
Q

Your organization has decided to implement the Diffie-Hellman asymmetric algorithm. Which statement is true of this algorithm’s key exchange?

  • Authorized users need not exchange secret keys
  • Unauthorized users exchange public keys over a nonsecure medium
  • Authorized users exchange public keys over a secure medium
  • Authorized users exchange secret keys over a nonsecure medium
A

Authorized users exchange secret keys over a nonsecure medium
(Correct)

Explanation
In Diffie-Hellman key exchange, authorized users exchange secret keys over a nonsecure medium. The Diffie-Hellman algorithm is a cryptographic protocol in which the sending and receiving parties jointly establish the shared secret key to enable its use for all future encryption and decryption of bulk data. A Diffie-Hellman key exchange algorithm is not typically used to encrypt data. It is a method used to securely exchange keys over a non-secure medium. Therefore, Diffie-Hellman is a key exchange protocol and is used for secure key distribution. Diffie-Hellman does not assist in bulk encryption and decryption. In Diffie-Hellman key exchange, the authorized users do not exchange public keys but a shared secret key over a nonsecure medium. Unauthorized users should not have access to the secret keys because they are not authorized participants of a secure communication.

6
Q

Which entity can an administrator use to designate which users can access a file?

  • a proxy server
  • an ACL
  • a firewall
  • a NAT server
A

• an ACL
(Correct)

Explanation
An access control list (ACL) is a security mechanism that is used to designate which users can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACLs to identify the users who have permissions to a resource. A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages.

7
Q
Which characteristics of a system are evaluated by the Trusted Computer System Evaluation Criteria (TCSEC)?
a. assurance
b. authenticity
c. functionality
d. response-time
• option b
• options b and d
• option a
• options a and c
• options a and b
• option d
A

• options a and c
(Correct)

Explanation
The Trusted Computer System Evaluation Criteria (TCSEC) evaluates the assurance and functionality of a system. The assurance and functionality of the system are evaluated as a single, combined criterion while performing tests for the system verification in accordance with the stipulations. It also reviews the effectiveness and trustworthiness of a product. The U.S. Department of Defense (DoD) developed TCSEC to evaluate and rate the effectiveness, assurance, and functionality of operating systems, applications, and security products. Database management systems are not covered by TCSEC.

The evaluation criteria are published in a book referred to as the Orange Book. The Orange Book specifies the security ratings for products of different vendors. Customers can use the ratings to evaluate and compare different products. Manufacturers can also use the ratings to build their products according to the specifications. TCSEC classifies the systems into hierarchical divisions of security levels ranging from verified protection to minimal security. Initially founded as the DoD Computer Security Center to ensure that centers processing classified and sensitive information are using trusted computer systems, it was later named the National Computer Security Center (NCSC). The NCSC is a branch of the National Security Agency (NSA) that initiates research, and develops and publishes standards and criteria for trusted information systems. A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating.

Common Criteria deals with the functionality and assurance attributes of a product. Common Criteria is a worldwide-recognized and accepted evaluation standard for security products. This evaluation criterion reduces the complexity of the ratings and ensures that the vendors manufacture products for international markets. Therefore, Common Criteria addresses the functionality in terms of the tasks performed by a product and assures that the product will work as predicted. The three major parts of the Common Criteria are 1) Introduction and General Model, 2) Security Functional Requirements, and 3) Security Assurance Requirements. ISO/IEC 15408-1 is the International Standards version of the Common Criteria.

8
Q
What produces 160-bit checksums?
• DES
• MD5
• AES
• SHA
A

• SHA
(Correct)

Explanation
The Secure Hash Algorithm (SHA) produces 160-bit checksums. The Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys and 128-bit block sizes. The MD5 algorithm produces 128-bit checksums, and the Data Encryption Standard (DES) uses 56-bit encryption keys.

9
Q

Which Web browser add-in uses Authenticode for security?
• Java
• Cross-site scripting (XSS)
• ActiveX

• Common Gateway Interface (CGI)

A

• ActiveX
(Correct)

Explanation
ActiveX uses Authenticode for security. Authenticode is a certificate technology that allows ActiveX components to be validated by a server. Users need to be careful when confirming the installation of ActiveX components or controls. Automatically accepting an ActiveX component or control creates an opportunity for security breaches. None of the other options uses Authenticode for security. Cross-site scripting (XSS) is a type of security vulnerability typically found in Web applications that allows code injection by hackers into the Web pages viewed by other users. It is used to trick a user into visiting a site and having code execute locally. Java is a self-contained script that is downloaded from a server to a client and run within a Web browser. CGI is a scripting method that was used extensively in older Web servers. CGI scripts captured data from users using simple forms.

10
Q

Near the end of a recent incident investigation, the incident investigator suggests that your organization takes several recommended countermeasures. Which step of the investigation process is being carried out?

  • presentation
  • examination
  • collection
  • analysis
A

collection
(Correct)

Explanation
The presentation step of the investigation process is being carried out. This step can include documentation, expert testimony, clarification, mission impact statement, recommended countermeasures, and statistical interpretation.

The collection step of the investigation process is not being carried out. This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques.

The examination step of the investigation process is not being carried out. This step can include traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction.

The analysis step of the investigation process is not being carried out. This step can include traceability, statistical analysis, protocol analysis, data mining, and timeline determination.

The proper steps in a forensic investigation are as follows:
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision

11
Q
Which TCSEC security rating addresses the use of covert channel analysis?
• D
• B1
• A1
• B2
A

• B2
(Correct)

Explanation
The B2 security rating addresses the use of covert channel analysis in a system. Covert channel analysis is an operational assurance requirement that is specified in the Orange Book. It is required for B2 class systems to protect against covert storage channels. It is required for B3 class systems to protect against both covert storage and covert timing channels.

The Trusted Computer System Evaluation Criteria (TCSEC) classifies the systems into hierarchical divisions of security levels ranging from verified protection to minimal security. The TCSEC-defined levels and the sublevels of security are as follows:

A: Verified protection offering the highest level of security. An A1 rating implies that the security assurance, design, development, implementation, evaluation, and documentation of a computer is performed in a very formal and detailed manner. An infrastructure containing A1-rated systems is the most secure environment and is typically used to store highly confidential and sensitive information. This level specifies trusted distribution controls.

B: Mandatory protection based on the Bell-LaPadula security model and enforced by the use of security labels.
• A B1 rating refers to labeled security, where each object has a classification label and each subject has a security clearance level. To access the contents of the object, the subject should have an equal or higher level of security clearance than the object. A system compares the security clearance level of a subject with the object's classification to allow or deny access to the object. The B1 category offers process isolation, the use of device labels, the use of design specification and verification, and mandatory access controls. B1 systems are used to handle classified information.
• A B2 rating refers to structured protection. A stringent authentication procedure should be used in B2-rated systems to enable a subject to access objects by using the trusted path without any backdoors. This level is the lowest level to implement trusted facility management; levels B3 and A1 implement it also. Additional requirements of a B2 rating include the separation of operator and administrator duties, sensitivity labels, and covert storage channel analysis (but NOT covert timing analysis). A B2 system is used in environments that contain highly sensitive information. Therefore, a B2 system should be resistant to penetration attempts.
• A B3 rating refers to security domains. B3 systems should be able to perform a trusted recovery. A system evaluated against a B3 rating should have the role of the security administrator fully defined. A B3 system should provide the monitoring and auditing functionality. A B3 system is used in environments that contain highly sensitive information and should be resistant to penetration attempts. Another feature of the B3 rating is covert timing channel analysis.

C: Discretionary protection based on discretionary access of subjects, objects, individuals, and groups.
• A C1 rating refers to discretionary security protection. To enable the rating process, subjects and objects should be separated from the auditing facility by using a clear identification and authentication process. A C1 rating system is suitable for environments in which users process the information at the same sensitivity level. A C1 rating system is appropriate for environments with low security concerns.
• A C2 rating refers to controlled access protection. The authentication and auditing functionality in systems should be enabled for the rating process to occur. A system with a C2 rating provides resource protection and does not allow object reuse. Object reuse implies that an object should not have remnant data that can be used by a subject later. A C2 system provides granular access control and establishes a level of accountability when subjects access objects. A system with a C2 rating is suitable for a commercial environment.

D: Minimal protection rating that is offered to systems that fail to meet the evaluation criteria.

A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating. Therefore, all the other options are incorrect.
12
Q

Which processes define the supervisor mode?
• processes that are executed in the outer protection rings
• processes that are executed in the inner protection rings
• processes with no protection mechanism
• processes in the outer protection ring that have more privileges

A

• processes that are executed in the inner protection rings
(Correct)

Explanation
The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service (MULTICS) is an example of a ring protection system. All other options are incorrect. Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure of residual data can arise.

13
Q
Which device lock prevents access to hard drives or unused ports in a computer?
• switch control
• cable trap
• port control
• peripheral switch control
• slot lock
A

• port control
(Correct)

Explanation
A port control is a device lock that prevents access to hard drives or unused ports in a computer. A switch control is a device lock that prevents access to power switches. A slot lock is a device lock that attaches a computer to a stationary component using a cable attached to a spare expansion slot. A peripheral switch control is a device lock that is inserted between the computer and the keyboard input slot to control the power. A cable trap is a device lock that secures input and output devices by using a cable to connect them to a lockable unit.

14
Q

Your company must comply with a cybersecurity certification body’s requirements. Management has requested that you perform a test prior to applying for this certification. Which type of test should you perform?

  • Perform an internal assessment or audit using personnel from the certification body.
  • Perform an external assessment or audit using personnel from within the company
  • Perform an internal assessment or audit using personnel from within the company.
  • Perform an external assessment or audit using personnel from the certification body.
A

• Perform an external assessment or audit using personnel from within the company
(Correct)

Explanation
You should perform an internal assessment or audit using personnel from within the company. Internal assessments or audits should be performed first so that personnel can then work on fixing any identified vulnerabilities, risks, or issues. You should not perform an external assessment or audit of any kind until after you have performed an internal assessment or audit and resolved as many of the issues identified there as possible. You should not perform an internal or external assessment or audit using personnel from the certification body until after organizational personnel has performed these assessments and worked to fix any identified issues. Internal assessments or audits are completed from within the enterprise and can be completed by personnel from within the company or a third party. External assessments are completed from outside the enterprise and can be completed by personnel from within the company or a third party. While some certifying bodies will provide personnel to perform the assessment or audit as part of the certification process, some may require that organizations work with a third-party organization to perform the assessment or audit.

15
Q
You must document the appropriate guidelines that should be included as part of any security policy that involves personnel who travel with company-issued devices. You have been given the following list of possible tips for travelers that could be included in the guidelines:
A. Privacy when traveling, no matter the connection medium, is not guaranteed.
B. Personnel movements can be tracked using mobile devices.
C. Malicious software can be inserted onto a device from any connection that is controlled by someone else or through thumb drives.
D. Do not take the device with you if you do not need it.
Which tips are valid tips that should be included as part of the guidelines for personnel?
• A, B, and C only
• All of the tips
• A, C, and D only
• B, C, and D only
A

• A, C, and D only
(Correct)

Explanation
All of the tips listed are valid tips that should be included as part of the guidelines for personnel who may travel with company-issued devices. Other tips include:
• All information that you transmit can be intercepted.
• All individuals are at risk, although some in sensitive corporate or government positions may be at a higher risk.
• Foreign criminals are adept at posing as someone you trust to obtain sensitive information.
• If your device is ever examined or left in a hotel room when the room is examined, assume that the hard drive has been copied and the device compromised.

16
Q
Recently, an attacker injected malicious code into a Web application on your organization's Web site. Which type of attack did your organization experience?
• cross-site scripting
• buffer overflow
• SQL injection
• path traversal
A

• cross-site scripting
(Correct)

Explanation
Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a Web site that allows the attacker to inject malicious code into a Web application. A buffer overflow occurs when an invalid amount of input is written to the buffer area. A SQL injection occurs when an attacker inputs actual database commands into the database input fields instead of the valid input. Path traversal occurs when the ../ characters are entered into the URL to traverse directories that are not supposed to be available from the Web.

Some possible countermeasures to input validation attacks include the following:
• Filter out all known malicious requests.
• Validate all information coming from the client, both at the client level and at the server level.
• Implement a security policy that includes parameter checking in all Web applications.

The system design specification phase of the software development life cycle (SDLC) focuses on providing details on which kind of security mechanism will be a part of the software product. The system design specification phase also conducts a detailed design review and develops a plan for validation, verification, and testing. The organization developing the application will review the product specifications with the customer to ensure that the security requirements are clearly stated and understood, and that the planned functionality is embedded in the product. Involving security analysts at this phase maximizes the benefit to the organization. It also enables you to understand the security requirements and features of the product and to report existing loopholes.

The system development phase of the SDLC includes coding and scripting of software applications. The system development stage ensures that the program instructions are written according to the defined security and functionality requirements of the product. The programmers build security mechanisms, such as audit trails and access control, into the software according to the predefined security assessments and the requirements of the application.

The SDLC includes the following phases:
• Plan/Initiate Project
• Gather Requirements
• Design (including system design)
• Develop (including system development)
• Test/Validate
• Release/Maintain
• Certify/Accredit
• Change Management and Configuration Management/Replacement

18
Q

You are explaining to a junior administrator about port scanning. Which of the following statements is true?
• There are over 65,000 ports that are vulnerable on a TCP/IP network.
• Only UDP ports are vulnerable on a TCP/IP network.
• There are 1,024 ports that are vulnerable on a TCP/IP network.
• There are over 65,000 well-known ports.

A

• There are over 65,000 ports that are vulnerable on a TCP/IP network.
(Correct)

Explanation
On a TCP/IP network, there are over 65,000 ports that are vulnerable. The first 1,024 ports are the well-known ports responsible for well-known services, such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). The port numbers start at 0 and go through 65,535. Both TCP and UDP ports are vulnerable on a TCP/IP network.

19
Q
You need to determine which users are accessing a Windows Server 2008 computer from the network. Which audit category should you enable?
• Audit Object Access
• Audit Account Logon Events
• Audit Account Management
• Audit Privilege Use

A

• Audit Privilege Use
(Correct)

Explanation
The Audit Privilege Use audit category will audit all instances of users exercising their rights. This category audits all rights found in the Local Security Policy under Security Settings\Local Policies\User Rights Assignment. The Access this computer from the network policy allows users to access a computer from the network. The Audit Account Logon Events audit category tracks all attempts to log on with a domain user account when enabled on domain controllers. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s user accounts database. The Audit Account Management audit category monitors changes to user accounts and groups. The Audit Object Access audit category tracks access to all objects outside Active Directory.

20
Q

You are considering the sensitivity and criticality of your organization’s data. Which of the following statements is NOT true?
• Data that is sensitive should also be considered critical
• Sensitivity determines how freely the data can be handled.
• Once data sensitivity and criticality is documented, the organization should work to create a data classification system.
• Criticality measures the importance of the data.

A

• Data that is sensitive should also be considered critical
(Correct)

Explanation
It is not true that sensitive data should also be considered critical data. Data considered sensitive may not necessarily be considered critical. Sensitivity and criticality are not related. Sensitivity determines how freely the data can be handled. Criticality measures the importance of the data. Once data sensitivity and criticality are documented, the organization should work to create a data classification system.

21
Q

Which statement is true of event logging?

  • Logging should be performed once a day.
  • System and application logs should be delivered over the network in plain text.
  • System and application logs should permit modification of the existing entries.
  • Only system administration, internal audit, and security staff should have access to the log files.
A

System and application logs should permit modification of the existing entries.
(Correct)

Explanation
To ensure the confidentiality and integrity of log records, only system administration staff, internal audit staff, and security staff should have access to log files for the purposes of analysis and review. Logging enables the network administration staff to detect vulnerable points in a network, identify performance issues, log suspicious activity from a specific user or system, and identify a security breach. It is important that the logs be reviewed periodically and archived. The retention period of a log archive depends on the sensitivity of the data and the organization’s retention policy. Logging should not be performed once a day. Logging should be permanently enabled on all computer systems and infrastructure equipment, such as routers and firewalls, to constantly monitor operations. Events can be logged for both Windows and UNIX systems. In a UNIX system, the events logged include the use of setuid and setgid. In Windows systems, the events logged include successful and unsuccessful login attempts. For both systems, file permission changes should also be logged. System and application logs should not permit modification of the existing entries. Logging provides detailed information about system resource usage and system activities. In the event of an intrusion, logging provides the system logs and the audit trails, helping to detect the source of an attack. System and application logs should not be delivered over the network in plain text. If log data is transferred over a WAN link, it is recommended that such information be encrypted while it travels over the network. Log encryption ensures the confidentiality and integrity of the information. Other recommendations when transferring log data over a WAN link are as follows:
• Logs should be centralized to enable easy collection and analysis.
• All computer systems and infrastructure equipment must have their clocks synchronized to a central time server, and the log entries should contain time and date stamps.
• Log files should be stored on a secure system using stringent access control to prevent modification, destruction, or deletion.

22
Q

Which option is NOT an element of detective physical control?

  • CCTV
  • wave pattern motion detector
  • motion generator
  • sensors
A

• motion generator
(Correct)

Explanation
Motion generators are not detective physical controls deployed to secure a facility. A motion generator is not a valid category of detective physical controls. Detective physical controls include the following elements:
• Sensors: monitor events and send the detected anomalies to the centralized monitoring software
• Motion detectors, such as wave pattern motion detectors, capacitance detectors, and audio detectors: sense changes in an environment based on different parameters, such as the motion of a subject, wave patterns, and so on
• Closed-circuit TVs (CCTVs): monitor the different areas of the facility from a centralized location to aid the security personnel
• Alarms: immediately notify the concerned authorities about abnormal events

23
Q

What is an agent in a distributed computing environment?

  • the middleware that establishes the relationship between objects in a client/server environment
  • a protocol that encodes messages in a Web service setup
  • a program that performs services in one environment on behalf of a principal in another environment
  • an identifier used to uniquely identify users, resources, and components within an environment
A

• a program that performs services in one environment on behalf of a principal in another environment
(Correct)

Explanation
In a distributed computing environment, an agent is a program that performs services in one environment on behalf of a principal in another environment. A globally unique identifier (GUID) and a universal unique identifier (UUID) uniquely identify users, resources, and components within a Distributed Component Object Model (DCOM) or Distributed Computing Environment (DCE) environment, respectively. Simple Object Access Protocol (SOAP) is an XML-based protocol that encodes messages in a Web service setup. Object request brokers (ORBs) are the middleware that establishes the relationship between objects in a client/server environment. A standard that uses ORBs to implement exchanges among objects in a heterogeneous, distributed environment is Common Object Request Broker Architecture (CORBA). A distributed object model that has similarities to CORBA is DCOM. The Object Request Architecture (ORA) is a high-level framework for a distributed environment. It consists of ORBs, object services, application objects, and common facilities. The following are characteristics of a distributed data processing (DDP) approach:
• It consists of multiple processing locations that can provide alternatives for computing in the event that a site becomes inoperative.
• Distances from a user to a processing resource are transparent to the user.
• Data stored at multiple, geographically separate locations is easily available to the user.

24
Q

Which statement is NOT true of the Computer Security Act of 1987?

  • A computer security plan should be developed for a network.
  • There should be security awareness training for individuals.
  • The act pertains to confidential and sensitive data held by private organizations.
  • Computers containing sensitive information should be identified.
A

• The act pertains to confidential and sensitive data held by private organizations.
(Correct)

Explanation
The Computer Security Act of 1987 pertains to confidential and sensitive information maintained by federal agencies. This act does not deal with data held by private organizations. The Computer Security Act of 1987 has the following requirements:
• The federal agency should identify the computer systems that contain sensitive information.
• A security plan should be developed and implemented for the systems’ security.
• Periodic security awareness training should be conducted for employees.
• Acceptable computer usage practices should be defined in advance.
• The government agencies should ensure that employees maintain a certain level of awareness and protection.
The primary purpose of the Computer Security Act of 1987 is to safeguard sensitive information of the federal government and to ensure that all federal computer systems fulfill a certain desired level of security to ensure the confidentiality, integrity, and availability of information.

25
Q

Your organization has decided to implement a network-based intrusion detection system (NIDS). What is the primary advantage of using this type of system?

  • ability to analyze encrypted information
  • high throughput of the individual workstations on the network
  • low maintenance
  • no counterattack on the intruder
A

• low maintenance
(Correct)

Explanation
The primary advantage of a NIDS is the low maintenance involved in analyzing traffic on the network. A NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. Host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent must be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets. A NIDS can counterattack an intruder after detecting an intrusion in the network. A counterattack is carried out either by blocking the IP address of the malicious host through access lists or by terminating the existing connection. A NIDS can also send an alarm to the management station to request corrective action to prevent intrusion. Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed and not on individual workstations. A NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a virtual private network (VPN) tunnel cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of a NIDS. The throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as processor speed, memory, and allocated bandwidth affect the throughput of workstations. The performance of a NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze traffic on segments on which it does not reside. A HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

26
Q

Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to answer the question.

  • natural disaster
  • catastrophe
  • human-caused disaster
  • technological disaster
A

• natural disaster
(Correct)

Explanation
A natural disaster impacted many of the offices last year. A winter storm is a natural disaster. A catastrophe is a disruption that has a wider and longer impact than a natural disaster, and usually involves destroyed facilities or prolonged downtime. The winter storm did not destroy facilities or result in prolonged downtime. A technological disaster occurs when a device fails. The failure of the intranet server could be considered a technological disaster; it only affected personnel in the main office. A human-caused disaster occurs through human intent or error. The failure of the intranet server could also be considered a human-caused disaster because it was initiated by outside attackers.

27
Q

A new security policy implemented by your organization states that all official e-mail messages must be signed with digital signatures. Which elements are provided when these are used?

  • authentication
  • integrity
  • encryption
  • non-repudiation
  • availability

A

• authentication
(Correct)

Explanation
A digital signature is a hash value that is encrypted with the sender’s private key. Because the message is digitally signed, it provides authentication, non-repudiation, and integrity in electronic mail. In a digitally signed message transmission using a hash function, the message digest is encrypted with the sender’s private key. Digital signatures do not provide encryption and cannot ensure availability. The Digital Signature Standard (DSS) defines digital signatures. It provides integrity and authentication. It is not a symmetric key algorithm. A digital signature cannot be spoofed. Therefore, attacks such as man-in-the-middle attacks cannot harm the integrity of the message. Microsoft uses digital signing to ensure the integrity of driver files. A form of digital signature where the signer is not privy to the content of the message is called a blind signature.

28
Q

Which statement is NOT true of the operation modes of the data encryption standard (DES) algorithm?

  • Electronic Code Book (ECB) mode operation is best suited for database encryption.
  • ECB is the easiest and fastest DES mode that can be used.
  • ECB repeatedly uses produced ciphertext to encipher a message consisting of blocks.
  • Cipher Block Chaining (CBC) and Cipher Feedback (CFB) mode are best used for authentication.
A

• ECB repeatedly uses produced ciphertext to encipher a message consisting of blocks.
(Correct)

Explanation
It is Cipher Block Chaining (CBC), not Electronic Code Book (ECB), that repeatedly uses produced ciphertext to encipher a message consisting of blocks. In CBC, the ciphertext output of one block is processed as input into the next block to avoid revealing a pattern. In ECB, a particular block of plaintext always produces the same ciphertext for a given key. The produced ciphertext is not reused, but the ciphertext output is always the same for the same input. The ECB mode of operation is best suited for database encryption and is the easiest and fastest, though not the safest, mode to use. ECB is one of the many modes of operation for DES and uses a 64-bit data block to produce ciphertext. CBC, Output Feedback (OFB), and Cipher Feedback (CFB) are three other modes of operation of DES and are best used for authentication purposes. DESX is a variant of DES developed to prevent brute-force attacks. Using DESX, the input plaintext is bitwise XORed with 64 bits of additional key data before encryption with DES, and the output of DES is also bitwise XORed with another 64 bits of key data.

29
Q

To which category of controls does system auditing and monitoring belong?

  • physical control
  • technical control
  • system control
  • administrative control
A

• technical control
(Correct)

Explanation
System auditing and monitoring are components of technical control. Auditing is required to ensure the accountability of users. It provides detection when a certain event happens. An example of auditing is a system access audit trail that is employed to track all successful and unsuccessful logins. A timely review of the system’s access audit records is necessary for network security. Physical security controls ensure the physical security of the facility infrastructure. Physical controls include fencing, gates, locks, and lighting. Physical controls work in conjunction with operations security to achieve the security objectives of the organization. System controls are not a recognized category of controls. Although an organization might refer to a control as a system control in that it protects a system, controls can only be divided into three main categories: technical (logical), administrative (managerial), and physical. Administrative controls define the security policy, standards, guidelines, and standard operating procedures. Administrative controls also define the supervisory structure and the security awareness training curriculum for the employees of the organization. Rotation of duties, separation of duties, and mandatory vacations are all administrative controls. Audit monitoring enables you to identify any unusual change in user activities. Performance monitoring verifies system performance.

30
Q

What is the first step in designing an effective physical security program?

  • Define an acceptable risk level for each physical security threat.
  • Identify the physical security program team.
  • Carry out the physical security risk analysis.
  • Determine performance baselines from acceptable risk levels.
A

• Identify the physical security program team.
(Correct)

Explanation
When designing an effective physical security program, the first step is to identify the physical security program team. The steps in designing an effective physical security program, in order, are as follows:
• Identify the physical security program team.
• Carry out the physical security risk analysis.
• Define an acceptable risk level for each security threat.
• Determine performance baselines from acceptable risk levels.
• Create countermeasure performance metrics.
• From the analysis results, outline the level of protection and performance required for the deterrence, delaying, detection, assessment, and response program categories.
• Identify and implement countermeasures for each program category.
• Evaluate countermeasures on a regular basis to ensure that the acceptable risk level is not exceeded.

31
Q

During a recent incident investigation, you extracted hidden data from the data image that was created. In which step of the incident investigation process were you involved?

• identification
• preservation
• collection
• examination
A

• examination
(Correct)

Explanation
You were involved in the examination step of the incident investigation process. This step includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. You were not involved in the identification step of the incident investigation process. This step can include event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis. You were not involved in the preservation step of the incident investigation process. This step can include imaging technologies, chain of custody standards, and time synchronization. You were not involved in the collection step of the incident investigation process. This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. The proper steps in a forensic investigation, in order, are as follows:
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision

32
Q

Which type of virus includes protective code that prevents outside examination of critical elements?

  • phage virus
  • stealth virus
  • armored virus
  • companion virus
A

• armored virus
(Correct)

Explanation
An armored virus includes protective code that prevents examination of critical elements, such as scans by anti-virus software. The armor attempts to make it difficult to destroy the virus. A companion virus attaches to legitimate programs and creates a program with a different file extension. When the user attempts to access the legitimate program, the companion virus executes in place of the legitimate program. A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications. A stealth virus prevents detection by hiding from applications. It may report a different file size than the actual file size as a method of preventing detection.

33
Q

Your organization is using the Crime Prevention Through Environmental Design (CPTED) approach to ensure that your site is designed properly. Which facet of this approach includes door, fence, lighting, and landscaping placement?

  • target hardening
  • territorial reinforcement
  • natural surveillance
  • natural access control
A

• natural access control
(Correct)

Explanation
Natural access control in the CPTED approach includes door, fence, lighting, and landscaping placement. This control ensures that traffic is controlled. Natural surveillance in the CPTED approach includes security guards, closed-circuit television (CCTV), line of sight, low landscaping, and raised entrances. The primary concern of this facet is to ensure that criminals feel uncomfortable making an attack. Territorial reinforcement in the CPTED approach includes walls, fences, landscaping, lighting, flags, and sidewalks that emphasize or extend the company’s area of influence so users feel that they own the area. Target hardening is not part of CPTED. It is another approach to physical security, which stresses denying access through physical and artificial barriers. The best approach is to build an environment using the CPTED approach and then apply target hardening on top of the CPTED design.

34
Q

You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix?

  • object
  • access control list (ACL)
  • capability
  • subject
A

• capability
(Correct)

Explanation
A capability corresponds to a row in the access control matrix. A capability is a list of all the access permissions that a subject has been granted. An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access control matrix corresponds to the access control list (ACL) for an object. A row in an access control matrix corresponds to a subject’s capabilities, not just the subject. Granting of capabilities is accomplished by storing a list of rights on each subject.

35
Q

Which unshielded twisted-pair (UTP) category consists of four twisted pairs of copper wire and is certified for transmission rates of up to 100 Mbps?

  • Category 1
  • Category 5
  • Category 4
  • Category 3
  • Category 2
A

• Category 5
(Correct)

Explanation
Category 5 UTP cabling is the most widely used category of UTP cable. It enables transmission rates of up to 100 Mbps, and it is the highest category of UTP cabling. UTP transmission rates are as follows:
• Category 1 - up to 4 Mbps
• Category 2 - up to 4 Mbps
• Category 3 - up to 10 Mbps
• Category 4 - up to 16 Mbps
• Category 5 - up to 100 Mbps
• Category 5e - up to 1000 Mbps (1 Gbps)
• Category 6 - up to 1000 Mbps (1 Gbps)
• Category 6e - up to 1000 Mbps (1 Gbps)
• Category 7 - up to 10 Gbps
Category 1 wiring consists of two pairs of twisted copper wire. It is rated for voice grade, not data communication. It is the oldest UTP wiring and is used for communication on the Public Switched Telephone Network (PSTN). Category 2 wiring consists of four pairs of twisted copper wire and is suitable for data communications of up to 4 Mbps. Category 3 wiring consists of four pairs of twisted copper wire with three twists per foot. It is suitable for 10 Mbps data communication. It has been the most widely used UTP standard since the mid-1980s, especially for Ethernet networks. Category 4 wiring consists of four pairs of twisted copper wire and is rated for 16 Mbps. It was designed with 16 Mbps Token Ring networks in mind. Category 5 wiring consists of four twisted pairs of copper wire terminated by RJ-45 connectors. Category 5 cabling can support frequencies of up to 100 MHz and speeds of up to 100 Mbps. It can be used for ATM, Token Ring, 1000Base-T, 100Base-T, and 10Base-T networking. NOTE: Category 5e cable is the most commonly used cable for new UTP implementations. The “e” in Category 5e cable stands for “enhanced.” This enhanced specification will support bandwidths of up to 350 MHz.

36
Q

Which statement is NOT true for construction of an information processing facility?
• Raised floors need to be electrically grounded.
• All walls must have a one-hour minimum fire rating.
• Doors need the same fire rating as the surrounding walls.
• Doors must prohibit forcible entries.

A

All walls must have a one-hour minimum fire rating.
(Correct)

Explanation
All walls of an information processing facility have different fire ratings based on which type they are. While internal walls must have a one-hour minimum fire rating, adjacent walls should have a two-hour minimum fire rating. Different building materials have different fire ratings. Therefore, the type of construction material being used should comply with the fire ratings that depend upon the use of the building. The walls, ceilings, and floors should be made of materials that comply with the required fire ratings. Doors should have the same fire rating as the surrounding walls. Moreover, the doors should prohibit forcible entry. Raised floors must be electrically grounded because they are used to hide and protect wires and electric cables. A raised floor is a platform with removable panels where equipment is installed that is located in the flooring with space between it and the main building floor housing cabling. Often a raised floor is used to supply conditioned air to the data processing equipment and room. Underfloor ventilation, as with all computer room ventilation, should not vent to any other office or area. HVAC air ducts serving other rooms should not pass through the computer room unless an automatic damping system is provided. Raised flooring, also called a false floor or a secondary floor, has very strict requirements as to its construction and use. Electrical cables must be enclosed in metal conduit, and data cables must be enclosed in raceways with all unused cable removed. Openings in the raised floor must be smooth, nonabrasive, and protected against the entrance of debris or other combustibles. Obviously, the raised flooring and decking must be constructed from noncombustible materials.

37
Q
Which statements are true of memory cards?
a. Memory cards have more memory than smart cards.
b. Memory cards can provide two-factor authentication.
c. Memory cards have no processing power of their own.
d. Memory cards can supply static and dynamic passwords for authentication.
• options b and c
• option c
• option d
• option b
• options a and d
• option a
A

options b and c
(Correct)

Explanation
Memory cards do not have processing power. They act only as a repository of data, such as user credentials, that can be used for user authentication. Memory cards provide two-factor authentication. A user must provide a PIN along with the memory card. Two-factor authentication relies on something you know, such as a password, and something you have, such as a memory card. Memory cards act as simple storage devices and do not have more memory than smart cards. Smart cards, sometimes called processor cards, can process information because of the inbuilt processor and the auxiliary hardware. Smart cards have a built-in processor and memory. Tokens resemble credit cards and are used to supply one-time passwords (OTP), which are a combination of static and dynamic passwords. Access tokens are best suited for high-security areas. One of the disadvantages of memory cards is that they are easy to counterfeit.

38
Q
Your organization's network was recently attacked. During the attack, hackers stole valuable proprietary information. You have been asked to supply information that is admissible as evidence in a court of law to prosecute the suspects. What should you provide?
• hard disk data copies
• memory dumps
• user login names
• passwords
A

• memory dumps
(Correct)

Explanation
Memory dumps are admissible in a court of law as evidence to prosecute a suspect. Memory dumps contain the latest state of the system before the attack occurred. To ensure a clear chain of custody for evidence collection, the system should be removed from the network, and the contents of the memory should be dumped due to the sensitive and fragile nature of the information. This memory dump might contain vital information regarding the incident and can prove helpful in prosecuting the suspect. User login names, passwords, and hard disk data copies are not helpful in prosecuting a suspect. Therefore, none of them is considered admissible evidence in a court of law. Law enforcement may need to obtain passwords as part of an investigation. Law enforcement may use the following methods to obtain passwords: use password cracker software; compel the suspect to provide the password; or contact the developer of the software for information to gain access to the computer or network through a back door. While hard disk data copies are not admissible in court, the original hard drive is admissible, provided the proper chain of custody was maintained and the evidence was secured.

39
Q

Your organization has a fault-tolerant, clustered database that maintains sales records. Which transactional technique is used in this environment?

  • OLTP
  • ODBC
  • data warehousing
  • OLE DB
A

• data warehousing
(Correct)

Explanation
Online transaction processing (OLTP) is used in this environment. OLTP is a transactional technique used when a fault-tolerant, clustered database exists. OLTP balances transactional requests and distributes them among the different servers based on transaction load. OLTP uses a two-phase commit to ensure that all the databases in the cluster contain the same data. Object Linking and Embedding Database (OLE DB) is a method of linking data from different databases together. Open Database Connectivity (ODBC) is an application programming interface (API) that can be configured to allow any application to query databases. Data warehousing is a technique whereby data from several databases is combined into a large database for retrieval and analysis. Security requirements are considered a part of software risk analysis during the project initiation phase of the SDLC. The SDLC identifies the relevant threats and vulnerabilities based on the environment in which the product will perform data processing, the sensitivity of the data required, and the countermeasures that should be a part of the product. It is important that the SDLC methodology be adequate to meet the requirements of the business and the users. The SDLC includes the following phases:
• Plan/Initiate Project
• Gather Requirements
• Design
• Develop
• Test/Validate
• Release/Maintain
• Certify/Accredit
• Change Management and Configuration Management/Replacement

40
Q

Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this?

  • access control list (ACL)
  • audit log
  • encryption
  • router
A

• audit log
(Correct)

Explanation
An audit log is an example of a detective technical control because it detects security breaches once they have occurred. An audit log is also considered to be a compensative technical control. Routers, firewalls, and access control lists (ACLs) are examples of preventative technical controls because they prevent security breaches. They are all also compensative technical controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is developed to dictate how security policies are implemented to fulfill the company’s security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or purposes:
• Preventative - A preventative control prevents security breaches and avoids risks.
• Detective - A detective control detects security breaches as they occur.
• Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
• Deterrent - A deterrent control deters potential violations.
• Recovery - A recovery control restores resources.
• Compensative - A compensative control provides an alternative control if another control would be too expensive. All controls are generally considered compensative.
• Directive - A directive control provides mandatory controls based on regulations or environmental requirements.
Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

41
Q

We want to ensure there is no data remanence when we dispose of our old hard disks. When we overwrite a hard disk, what does the overwrite program do?

A

Explanation
Overwriting is done by writing 0's, 1's or random characters over the data. As far as we know there is no tool available that can recover data after even a single overwrite pass. Overwriting is not possible on damaged media (that media has to be physically destroyed instead), and on SSDs wear levelling and remapped blocks mean a software overwrite is not guaranteed to reach every copy of the data, so the drive's own secure-erase command is preferred there.

42
Q

Part of Bob’s job is to monitor our environments. Just after coming in on Monday morning, he gets an alert. What just happened?

A

Explanation
Alert: triggers a warning if a certain event happens. Examples are traffic utilization above 75%, or memory usage at 90% or more for more than 2 minutes. The duration part matters: a rule that fires on a single sample pages people for every transient spike.
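A worked version of that alert rule, added here as an example and not part of the original card: it takes timestamped utilisation samples (constructed below, not real telemetry) and only fires when the threshold has been exceeded continuously for the configured window, so a single spike does not page anyone. The threshold, window and sample values are assumptions for illustration.

```python
import datetime as dt
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    ts: dt.datetime
    value: float      # percent utilisation reported by the monitoring agent


def sustained_breaches(samples: List[Sample], threshold: float,
                       min_duration: dt.timedelta) -> List[Tuple[dt.datetime, dt.datetime]]:
    """Return the (start, end) of every run of consecutive samples at or above
    `threshold` that lasts at least `min_duration`.  Shorter runs are treated
    as transient spikes and do not alert."""
    alerts = []
    run_start = run_end = None
    for s in sorted(samples, key=lambda x: x.ts):
        if s.value >= threshold:
            if run_start is None:
                run_start = s.ts
            run_end = s.ts
        elif run_start is not None:
            if run_end - run_start >= min_duration:
                alerts.append((run_start, run_end))
            run_start = run_end = None
    if run_start is not None and run_end - run_start >= min_duration:
        alerts.append((run_start, run_end))
    return alerts


# Constructed memory-usage samples, one every 30 seconds (not real telemetry).
BASE = dt.datetime(2024, 1, 1, 9, 0, 0)
MEMORY_SAMPLES = [
    Sample(BASE + dt.timedelta(seconds=30 * i), v)
    for i, v in enumerate([40, 95, 40, 50, 92, 93, 91, 95, 96, 60])
]


def memory_alerts():
    """Rule from the card: memory at 90% or more, sustained for 2 minutes.
    The lone 95% sample at 09:00:30 is a spike and must not alert."""
    return sustained_breaches(MEMORY_SAMPLES, threshold=90.0,
                              min_duration=dt.timedelta(minutes=2))


if __name__ == "__main__":
    for start, end in memory_alerts():
        print(f"ALERT memory >= 90% from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

The run from 09:02:00 to 09:04:00 is the only alert; the spike at 09:00:30 is dropped because its run lasts a single sample.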

43
Q

Which of these countermeasures would be the LEAST effective against brute force attacks?

A

Explanation
Salting is adding random characters to each password before hashing. It defeats precomputed (rainbow) tables and stops identical passwords from producing identical hashes, but it does nothing to slow down a brute force attack: every guess still costs one hash. Key stretching and limited login attempts are good countermeasures; complex passwords help, but will eventually be broken.

44
Q

When our Intrusion Prevention Systems (IPS) allows permitted traffic pass, that is an example of what?

A

Explanation

True Negative: Normal traffic on the network and the system detects it and does nothing

45
Q

A monolithic kernel runs in which mode?

A

Explanation
The kernel: at the core of the OS is the kernel. It runs in ring 0 (supervisor mode; user applications run in ring 3) and interfaces between the operating system (and applications) and the hardware. A monolithic kernel is one static executable and runs entirely in supervisor mode. All functionality required by a monolithic kernel must be compiled in.

46
Q

During a security incident you see something that is usable in court. This constitutes which type of evidence?

A

Direct evidence: testimony from a first-hand witness about what they experienced with their five senses.

47
Q

We are thinking about implementing biometrics throughout our organization. Which of these are reasons we should consider for NOT implementing biometrics? (Select all that apply).

A

Biometrics can be very effective if implemented right, but they carry some risks we need to be aware of: we can't reissue new biometrics if they are compromised, it is possible to learn about genetic diseases, pregnancy and other personal information from some biometrics, and they are more expensive to implement than Type 1 (something you know) and Type 2 (something you have) authentication.

48
Q

Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. Which of these are rules they MUST follow? (Select all that apply).

A

HIPAA puts strict privacy and security rules on how Protected Health Information (PHI) is handled by health insurers, providers and clearing houses (claims). HIPAA has 3 rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. The rules mandate administrative, physical and technical safeguards. Security breach notification laws are a separate matter and are NOT federal; states have individual laws, so know the one for your state (when this card was written 48 states had one, with none in Alabama and South Dakota; both have since enacted laws). They normally require organizations to inform anyone whose PII was compromised. Many have an encryption clause: lost encrypted data may not require disclosure.

49
Q

A historical type of encryption that was based on a set of disks with random letters; the sender and receiver would agree on the disk order. What is it called?

A

The Jefferson Disk (Bazeries Cylinder) - is a cipher system using a set of wheels or disks, each with the 26 letters of the alphabet arranged around the edge. Jefferson (US president) invented it, and Bazeries improved it. The order of the letters is different for each disk and is usually scrambled in some random way. Each disk is marked with a unique number. A hole in the center of the disks allows them to be stacked on an axle. The disks are removable and can be mounted on the axle in any order desired. The order of the disks is the cipher key, and both sender and receiver must arrange the disks in the same predefined order. Jefferson’s device had 36 disks.
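The cipher described above, implemented as an added example (not the card's own material, and not a reconstruction of any historical device). The disk set is generated from a seed so both parties get the same disks; the 10-disk count, the key order and the message are assumptions for illustration, and unlike Jefferson's 36-disk device the code wraps long messages round the stack rather than splitting them into blocks.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_disks(count: int, seed: int) -> list:
    """Build `count` disks, each a random arrangement of the 26 letters.
    The seed stands in for the physical set both parties own (constructed)."""
    rng = random.Random(seed)
    disks = []
    for _ in range(count):
        letters = list(ALPHABET)
        rng.shuffle(letters)
        disks.append("".join(letters))
    return disks


def _transform(text: str, disks: list, key_order: list, shift: int) -> str:
    """Stack the disks in key_order, line the letters of `text` up on one row
    and read the row `shift` positions further round.  Messages longer than
    the stack wrap round to the first disk again."""
    out = []
    for i, c in enumerate(text):
        disk = disks[key_order[i % len(key_order)]]
        pos = disk.index(c)
        out.append(disk[(pos + shift) % len(ALPHABET)])
    return "".join(out)


def jefferson_encrypt(plaintext: str, disks: list, key_order: list, row: int) -> str:
    clean = "".join(c for c in plaintext.upper() if c in ALPHABET)
    return _transform(clean, disks, key_order, row)


def jefferson_decrypt(ciphertext: str, disks: list, key_order: list, row: int) -> str:
    return _transform(ciphertext, disks, key_order, -row)


def candidate_rows(ciphertext: str, disks: list, key_order: list) -> dict:
    """The receiver does not need to know which row was read off: with the
    disks in the agreed order, all 25 other rows are listed and the one that
    reads as language is the message."""
    return {row: jefferson_decrypt(ciphertext, disks, key_order, row) for row in range(1, 26)}


DISKS = make_disks(10, seed=7)              # constructed disk set
KEY_ORDER = [3, 0, 9, 5, 1, 7, 2, 8, 6, 4]  # the agreed disk order is the key
WRONG_ORDER = list(range(10))               # an attacker who has the disks but not the order


if __name__ == "__main__":
    ct = jefferson_encrypt("ATTACK AT DAWN", DISKS, KEY_ORDER, row=5)
    print("ciphertext:", ct)
    print("row 5, correct order:", jefferson_decrypt(ct, DISKS, KEY_ORDER, 5))
    print("row 5, wrong order:  ", jefferson_decrypt(ct, DISKS, WRONG_ORDER, 5))
```

Because each disk is a permutation of the alphabet, no letter can map to itself for any non-zero row shift, and an attacker who owns the same disks but not their order gets nonsense from every row.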

50
Q

Before we upgrade a system or apply a patch, we want to get a backup of the system. We need the backup we take to not interfere with the current backup cycle, and we need it to allow us to do a full restore with a single tape. Which backup type should we choose?

A


51
Q

There are many pitfalls when we work with the audit record management in our organization. Which of these is NOT one of those common problems?

A

Centralized storage is not a problem; it is good. Security audit logs (audit trail): audit record management typically faces five distinct problems:
Logs are not reviewed on a regular and timely basis.
Audit logs and audit trails are not stored for a long enough period.
Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited.
Log entries and alerts are not prioritized.
Audit records are only reviewed for the bad stuff.

52
Q

Jane is using an industry framework to help her team to do self-directed risk management. Which framework is Jane using?

A

OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation: Self-Directed Risk Management.

53
Q

Storing passwords in plaintext on a server is obviously a big security vulnerability. Why would an organization choose to do that?

A

It can take a second or two on older systems to authenticate if the passwords are hashed or encrypted. We should, however, never leave passwords in plaintext to save a second or two.

54
Q

An Artificial Neural Network (ANN) tries to emulate a brain. Which of these is NOT TRUE about ANNs?

A

Explanation

ANNs do not use IF/THEN statements; that is how rule-based expert systems work. An ANN learns by adjusting the weights of the connections between its nodes.

55
Q

An attacker has gained access to our hashed passwords. We haven't started using salting or nonces yet. Why is that a problem?

A

Explanation
If an attacker can get access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. This circumvents the clipping levels (the limit on wrong login attempts), because no login is ever attempted against the live system. Without salts, one precomputed table of hashes serves against every user at once, and users with the same password have the same hash.

56
Q

Jane is explaining our logical intrusion system to senior management. Help her answer this question from the CFO: “Which type of intrusion system will ALWAYS block malicious traffic if it recognizes it as malicious?”

A
Explanation
IPS (Intrusion Prevention System): similar to an IDS, but it also takes action on malicious traffic; what it does with the traffic is determined by configuration. Events trigger an action (drop or redirect the traffic), often combined with monitoring/administrator warnings by e-mail or text message. An IDS only alerts; it never blocks.

57
Q

Which of these, if used right, is the MOST secure form of “something you have” authentication?

A

Single-use (one-time) passwords: passwords that are only valid once make many potential attacks, such as replay, ineffective, in the same spirit as one-time pads. While they are passwords, the token or list that produces them is something you have in your possession, not something you know.

58
Q

172.32.0.0/24 is which type of IPv4 address range?

A

This is a public range and it is Internet-routable. Do not confuse it with the private (RFC 1918) IPv4 range 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), which we can use on our internal network but which is not routable on the Internet. 172.32.0.0 is the first address just past the end of that private block.
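A small checker for the point above, added here as an example that is not part of the original card. It uses Python's standard ipaddress module to test an address or prefix against the three RFC 1918 ranges, and generalises slightly by also naming loopback, link-local and multicast space; the addresses tried are assumptions.

```python
import ipaddress

# RFC 1918 private ranges; these are never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ipv4(addr: str) -> str:
    """Classify a single IPv4 address by the ranges a security reviewer cares about."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only")
    for net in RFC1918:
        if ip in net:
            return f"private ({net})"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (APIPA)"
    if ip.is_multicast:
        return "multicast"
    return "public"


def network_is_private(cidr: str) -> bool:
    """True only if the whole prefix sits inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


if __name__ == "__main__":
    for a in ("172.31.255.255", "172.32.0.1", "10.20.30.40", "8.8.8.8"):
        print(a, "->", classify_ipv4(a))
    print("172.32.0.0/24 private?", network_is_private("172.32.0.0/24"))
    print("172.16.5.0/24 private?", network_is_private("172.16.5.0/24"))
```

The boundary is the useful part: 172.31.255.255 is the last private address and 172.32.0.0 the first public one, so a firewall rule written as "172.*" would let public space through.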

59
Q

Jane is doing network forensics on an attack. Which of these is a COMMON form used?

A

Network forensics: Systems used to collect network data for forensics use usually come in two forms: Catch-it-as-you-can: All packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage. Stop, look and listen: Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

60
Q

As part of our staff training to raise the staff awareness, we are doing drills. What is the MAIN purpose of those?

A

Drills (exercises): Walkthroughs of the plan; main focus is to train staff, and improve employee response (think fire drills).

61
Q

In our software testing we are using fuzz testing. Which type of testing is that?

A

Fuzzing (fuzz testing): a black-box testing technique that submits random or malformed data as input to a program to determine whether it crashes or otherwise misbehaves.
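A minimal mutation fuzzer, added as an example and not taken from the card or any tool it mentions. The target parser and its input format are constructed for the example (and deliberately do no validation); the fuzzer mutates a valid seed input, records the first input that triggers each exception type, and keeps it as a reproducer.

```python
import random
from typing import Callable, Dict


def parse_record_list(data: bytes) -> list:
    """Target under test (constructed, deliberately fragile): a sequence of
    <length byte><ASCII digits> records, e.g. b"\\x0212\\x03345" -> [12, 345]."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        field = data[i + 1:i + 1 + n]
        out.append(int(field.decode("ascii")))   # no validation: raises on bad input
        i += 1 + n
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a valid seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                       # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:                     # delete a byte
            del data[rng.randrange(len(data))]
        elif op == 2:                              # insert a byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        else:                                      # append junk
            data.extend(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seed: bytes, iterations: int,
         rng_seed: int = 1) -> Dict[str, bytes]:
    """Run mutated inputs through `target`; keep the first input that raised
    each exception type.  Every returned input is a reproducer."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:                   # any uncaught exception counts as a crash
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = b"\x0212\x03345"                           # valid input: records 12 and 345


def reproduces(target: Callable[[bytes], object], case: bytes) -> bool:
    """Re-run a saved crashing input to confirm it is deterministic."""
    try:
        target(case)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    found = fuzz(parse_record_list, SEED, iterations=2000)
    for exc_name, case in found.items():
        print(f"{exc_name}: {case!r}")
```

In a real harness the target would be a native binary run under a sanitizer and the "crash" a signal rather than a Python exception, but the loop is the same: mutate, run, keep whatever misbehaves.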

62
Q

We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase; what are they doing?

A

Pen testing would normally have these phases, enumeration is the same as scanning. Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting.

63
Q

Jane is implementing Active Directory throughout our organization. She wants all the domains to trust each other; which type of trust should she implement?

A

Explanation

Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.

64
Q

We are implementing passive monitoring in our data center. We have chosen to use infrared motion detectors. What do they use to detect movement?

A

Infrared sensors detect changes in heat signatures.

65
Q

When we are storing our passwords, which of these would be the MOST secure way to do so?

A

Explanation
Hashing with a per-user salt (and a slow, key-stretching hash) is the best way to store passwords: verification is near-instant for a legitimate login, and the stored hash can't be reversed to recover the password.
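An added example (not from the cards) that ties together cards 43, 53, 55 and 65 above: an offline dictionary attack against unsalted SHA-256 hashes, the same attack against salted PBKDF2 records, and the verify step a login would use. The wordlist, user names and passwords are constructed; the iteration count is an assumption (current OWASP guidance for PBKDF2-HMAC-SHA256 is several times higher). Salting alone still lets every weak password be found; the work factor is what makes each guess expensive, and a strong password is what makes the search fail.

```python
import hashlib
import hmac
import os

# A constructed attacker wordlist (stands in for a multi-gigabyte real one).
WORDLIST = [b"123456", b"password", b"letmein", b"qwerty", b"Summer2024!", b"hunter2"]
ITERATIONS = 100_000   # PBKDF2 work factor (assumption); raise it as hardware gets faster


def unsalted_hash(password: bytes) -> str:
    return hashlib.sha256(password).hexdigest()


def crack_unsalted(stolen: dict) -> dict:
    """Unsalted hashes: the wordlist is hashed ONCE and every user's hash is a
    dictionary lookup.  Users who share a password share a hash."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return {user: table[h] for user, h in stolen.items() if h in table}


def make_record(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Store salt, work factor and derived key; never the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(record: dict, password: bytes) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password, record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])       # constant-time comparison


def crack_salted(stolen: dict) -> dict:
    """Salted + stretched: every guess has to be recomputed per user with that
    user's salt, and each guess costs `iterations` hashes.  Salting does not
    stop the attack; the work factor is what makes it slow."""
    found = {}
    for user, record in stolen.items():
        for word in WORDLIST:
            if verify(record, word):
                found[user] = word
                break
    return found


def demo() -> dict:
    # Constructed credential stores: two users share a weak password, one is strong.
    unsalted_db = {"alice": unsalted_hash(b"password"),
                   "bob": unsalted_hash(b"password"),
                   "carol": unsalted_hash(b"Tr0ub4dor&3")}
    salted_db = {"alice": make_record(b"password"),
                 "bob": make_record(b"password"),
                 "carol": make_record(b"Tr0ub4dor&3")}
    return {
        "same_hash_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_hash_salted": salted_db["alice"]["hash"] == salted_db["bob"]["hash"],
        "cracked_unsalted": crack_unsalted(unsalted_db),
        "cracked_salted": crack_salted(salted_db),
        "login_ok": verify(salted_db["alice"], b"password"),
        "login_bad": verify(salted_db["alice"], b"passw0rd"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both weak passwords fall in both stores; the difference is that the unsalted table was built once for all users, while the salted attack had to spend 100,000 hashes per guess per user. For a real store use argon2id, scrypt or bcrypt rather than hand-rolled PBKDF2 parameters.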

66
Q

When a CPU (Central Processing Unit) can execute multiple processes concurrently, it is called what?

A

Multithreading is the ability of a CPU, or a single core in a multi-core processor, to execute multiple threads (lightweight units of execution that share their parent process's memory) concurrently, appropriately supported by the operating system. Running several separate processes at once is called multitasking (one CPU time-slicing between them) or multiprocessing (several CPUs or cores).

67
Q

When we apply standards and frameworks, we can use tailoring to do what?

A

Explanation
Tailoring is customizing a standard to your organization: for example, we apply this standard, but we use stronger encryption (AES 256-bit) than it requires.

68
Q

We are using intrusion detection systems (IDS) and intrusion prevention systems (IPS) throughout our organization. What are some of the COMMON types of those?

A

IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) can be categorized into 2 types, with 2 different approaches to identifying malicious traffic.
Network based: placed on a network segment (a switch port in promiscuous mode, or a SPAN/mirror port).
Host based: on a client, normally a server or workstation.
Signature (pattern) matching: similar to anti-virus, it matches traffic against a long list of known malicious traffic patterns.
Heuristic (behavioral) based: uses a baseline of normal traffic to monitor for abnormal traffic.
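A toy engine covering cards 56 and 68, added as an example and not the cards' own material: signature matching against two patterns plus a behavioural rule (a source touching more distinct ports than a baseline), run in IDS mode (alert only) and IPS mode (drop). The packets, signatures and baseline are constructed assumptions.

```python
import re
from collections import defaultdict

# Signature rules: known-bad patterns, the way a signature-based engine works.
SIGNATURES = {
    "sqli-union": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed sample traffic (not a real capture): one dict per packet.
PACKETS = [
    {"src": "10.0.0.5", "dst_port": 80,  "payload": b"GET /index.html"},
    {"src": "10.0.0.5", "dst_port": 80,  "payload": b"GET /search?q=1 UNION SELECT password FROM users"},
    {"src": "10.0.0.9", "dst_port": 22,  "payload": b""},
    {"src": "10.0.0.9", "dst_port": 23,  "payload": b""},
    {"src": "10.0.0.9", "dst_port": 80,  "payload": b""},
    {"src": "10.0.0.9", "dst_port": 443, "payload": b""},
    {"src": "10.0.0.7", "dst_port": 443, "payload": b"GET /img/../../etc/passwd"},
]


def signature_match(packet: dict):
    """Return the name of the first signature that matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(packet["payload"]):
            return name
    return None


def scanning_sources(packets: list, baseline_ports: int = 3) -> set:
    """Heuristic rule: a normal client talks to a handful of ports; a source that
    touches more distinct destination ports than the baseline looks like a scan.
    (Evaluated over the whole batch here; a live engine keeps a sliding window.)"""
    ports = defaultdict(set)
    for p in packets:
        ports[p["src"]].add(p["dst_port"])
    return {src for src, seen in ports.items() if len(seen) > baseline_ports}


def run_engine(packets: list, mode: str = "ids"):
    """mode="ids": watch and alert only.  mode="ips": also drop what it flags.
    Returns (packets forwarded to their destination, list of events)."""
    scanners = scanning_sources(packets)
    forwarded, events = [], []
    for p in packets:
        reason = signature_match(p)
        if reason is None and p["src"] in scanners:
            reason = "port-scan"
        if reason is None:
            forwarded.append(p)          # true negative: normal traffic passes untouched
            continue
        action = "drop" if mode == "ips" else "alert"
        events.append((p["src"], reason, action))
        if mode == "ids":
            forwarded.append(p)          # an IDS only watches; the packet still arrives
    return forwarded, events


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        forwarded, events = run_engine(PACKETS, mode)
        print(f"{mode.upper()}: {len(forwarded)} of {len(PACKETS)} packets forwarded")
        for ev in events:
            print("  ", ev)
```

The behavioural rule is also where false positives (card 86) come from: a legitimate vulnerability scanner or monitoring host trips it exactly as a real scan does, which is why heuristic baselines are tuned and allowlisted before an IPS is permitted to drop on them.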

69
Q

What would we NOT look at in a security assessment?

A

Security assessments: a full-picture approach to assessing how effective our access controls are; they have a very broad scope. We would not look at employee performance. Security assessments often span multiple areas, and can use some or all of these components: policies, procedures, and other administrative controls; assessing the real-world effectiveness of administrative controls; change management; architectural review; penetration tests; vulnerability assessments; security audits.

70
Q

What is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?

A

CHAP (Challenge-Handshake Authentication Protocol): the weakness is that the CHAP server must store each client's shared secret in plaintext (or reversibly encrypted) so it can recompute the response, so an attacker who gains access to the server can steal all the client secrets stored on it. CHAP provides protection against replay attacks through an incrementally changing identifier and a variable (random) challenge value. It requires that the client and server both know the plaintext of the shared secret, but the secret is never sent over the network; only a hash of identifier, secret and challenge is. This is better than PAP, which sends the password in cleartext and is replayable. CHAP is used by PPP (Point-to-Point Protocol) servers to validate remote clients, and it periodically re-verifies the identity of the client using a three-way handshake (challenge, response, success/failure).
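The three-way exchange as an added example (not from the card), with both the server and the client side written out. The response is computed as RFC 1994 specifies, MD5 over identifier, secret and challenge; the names and secret are constructed. It shows why the server must hold the plaintext secret, and why a captured response cannot be replayed against the same or a later challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        # The weakness on the card: to recompute the MD5 the server must keep
        # every client's secret in plaintext (or reversibly encrypted).
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}        # identifier -> challenge value not yet answered

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256    # changes on every challenge
        value = os.urandom(16)                          # unpredictable challenge value
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        value = self.outstanding.pop(identifier, None)  # a challenge is answered once
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        # The secret itself never crosses the wire, only the MD5 response.
        return self.name, chap_response(identifier, self.secret, challenge)


def handshake_demo():
    """Returns (genuine login ok, replay same id, replay new id, wrong secret)."""
    server = ChapServer({b"alice": b"s3cret-pw"})       # constructed credentials
    alice = ChapClient(b"alice", b"s3cret-pw")
    mallory = ChapClient(b"alice", b"guess")            # knows the name, not the secret

    ident, chal = server.challenge()                    # 1. Challenge
    name, resp = alice.respond(ident, chal)             # 2. Response
    ok = server.verify(ident, name, resp)               # 3. Success

    replay_same = server.verify(ident, name, resp)      # same response again: challenge consumed
    ident2, chal2 = server.challenge()                  # periodic re-authentication
    replay_new = server.verify(ident2, name, resp)      # old response vs new challenge: fails

    ident3, chal3 = server.challenge()
    _, bad = mallory.respond(ident3, chal3)
    wrong = server.verify(ident3, name, bad)            # wrong secret: fails
    return ok, replay_same, replay_new, wrong


if __name__ == "__main__":
    print(handshake_demo())
```

Note that nothing here protects the secret on the server: an attacker who reads `server.secrets` can impersonate every client, which is exactly the weakness the card asks about.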

71
Q

When someone is typo squatting, what are they doing?

A

Typosquatting: buying a URL that is very close to a real website's name, so that mistyped visits land on the attacker's site (it can be illegal in certain circumstances).

72
Q

In which order would you use the Software Development Life Cycle (SDLC)?

A
SDLC (Software Development Life Cycle): The SDLC is not really a methodology, but a description of the phases in the life cycle of software development. These phases are (in general), 
investigation, 
analysis, 
design, 
build, 
test, 
implement, 
maintenance and support (and disposal). 

Can have security built into each step of the process, for the exam it always does.

73
Q

For access control management, which of these is considered something you have?

A

Things in your possession, not things you know (knowledge factor) or something you are (biometrics).

74
Q

When would we deploy honeypots?

A

While honeypots can be useful, we do not want to lure attackers in (entrapment). If we deployed one each time we launched a system we could have thousands of them, and during an attack we are busy with more important things.

75
Q

Active Directory (AD) uses trust domains; one domain establishes a trust relationship with another domain. Which of these is NOT an AD trust domain?

A

One-way trust, Two-way trust, Trusted domain, Transitive trust and Intransitive trust are all trust domains, there is no reflective trust.

76
Q

When our organization is using mandatory access control, what would subjects have?

A

Subjects have Clearance assigned to them. A formal decision on a subject’s current and future trustworthiness. The higher the clearance, the more in-depth the background checks should be (always in military, not always in business).

77
Q

As part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase:

A

Quantitative risk analysis: we want exactly enough security for our needs, and this is where we put a number on it. We find the asset's value, how much of it is compromised, how much one incident costs, how often the incident occurs and what that adds up to per year.
Asset Value (AV) – how much is the asset worth?
Exposure Factor (EF) – the percentage of the asset value lost in one incident.
Single Loss Expectancy (SLE) = AV x EF – what does it cost if it happens once?
Annual Rate of Occurrence (ARO) – how often will this happen each year?
Annualized Loss Expectancy (ALE) = SLE x ARO – what it costs per year if we do nothing.

78
Q

When we implement centralized logging, we want it to be:

A

Centralized Logging: Should be automated, secure and even administrators should have limited access.

79
Q

In our data management, which of these BEST describes the data owner's responsibilities?

A

Data/Information Owner: Management level, they assign sensitivity labels and backup frequency. This could be you or a Data Owner from HR, Payroll or other departments.

80
Q

In software acceptance testing, what is the purpose of production acceptance testing?

A

Compatibility/production testing: does the software interface as expected with other applications or systems? Does the software perform as expected in our production environment, as opposed to the development environment?

81
Q

Biba's Invocation Property prohibits subjects from doing what?

A

Invocation property: a subject may not invoke (call on, or request service from) a subject at a higher integrity level. It sits alongside Biba's other two rules, the simple integrity property (no read down) and the * integrity property (no write up); together they stop lower-integrity subjects from contaminating higher-integrity data or processes. Biba is an integrity model, so its rules are the mirror image of Bell-LaPadula's confidentiality rules: reading up is allowed, writing up is not.
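The three Biba rules as an access check, added as an example and not part of the card. The integrity level names and the request list are constructed; the function returns the decision a reference monitor would make for a read, a write or an invocation.

```python
# Integrity levels, low to high (constructed labels, not from any real system).
LEVELS = {"untrusted": 0, "user": 1, "system": 2, "kernel": 3}


def biba_allows(subject: str, obj: str, operation: str) -> bool:
    """Decide one request under the Biba integrity model."""
    s, o = LEVELS[subject], LEVELS[obj]
    if operation == "read":
        return s <= o          # simple integrity property: no read down
    if operation == "write":
        return s >= o          # * (star) integrity property: no write up
    if operation == "invoke":
        return s >= o          # invocation property: no invoking a higher-integrity subject
    raise ValueError(f"unknown operation {operation!r}")


def evaluate(requests: list) -> list:
    """Run a batch of (subject_level, operation, object_level) requests and
    return the denials, the way a reference monitor would log them."""
    return [(s, op, o) for s, op, o in requests if not biba_allows(s, o, op)]


REQUESTS = [
    ("user", "read", "kernel"),       # allowed: reading up is fine for integrity
    ("user", "read", "untrusted"),    # denied: no read down (could absorb bad data)
    ("user", "write", "system"),      # denied: no write up (could corrupt trusted data)
    ("system", "write", "user"),      # allowed
    ("user", "invoke", "kernel"),     # denied: invocation property
    ("kernel", "invoke", "user"),     # allowed
]

if __name__ == "__main__":
    for denial in evaluate(REQUESTS):
        print("DENY", denial)
```

Swapping the two comparison directions in the read and write branches gives the Bell-LaPadula confidentiality rules, which is the "mirror image" relationship between the two models.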

82
Q

When our organization is buying custom developed third party software, which of these should NOT be a concern?

A

We should address support, who owns the code, and how good the software development company is. Since the software is being custom-developed for us, we can't really look at what other companies say about it.

83
Q

What does SOC2 type 1 report on?

A

SOC 2 Type 1 report on management’s description of a service organization’s system and the suitability of the design of controls.

84
Q

What is one of the key benefits of using a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS)?

A

A host-based system runs on the endpoint itself (normally a server or workstation), so it can look at the actual data, because traffic is decrypted at the end device. A NIDS/NIPS can't look inside encrypted packets unless it sits behind a device that terminates the TLS session for it.

85
Q

When we are categorizing disasters for our Business Continuity Plan (BCP), we would categorize them into which of these categories? (Select all that apply).

A

We categorize disasters in 3 categories: natural, human, or environmental. Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornados, etc. Human: Anything caused by humans; they can be intentional or unintentional disasters; unintentional could be an employee using a personal USB stick on a PC at work and spreading malware, which would be just as bad as if an attacker had done it, but the employee was just ignorant, careless, or didn’t think it would matter. Environmental (not to be confused with natural disasters); Anything in our environment; could be power outage/spikes, hardware failures, provider issues, etc.

86
Q

Which type of Intrusion Prevention System (IPS) response prevents authorized traffic?

A

False Positive: Normal traffic and the system detects it and acts.

87
Q

We have removed a server from our production environment. We format the hard drives, install a new OS (Operating System) and applications on the disks, and then put the newly installed server back into production. Which of these would be TRUE about the original data a week later?

A

We can still recover files that have not been overwritten yet; formatting just removes the file structure (the directory and allocation tables), while the data blocks stay on the disk until something else is written over them.
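A simulation covering cards 41 and 87, added as an example and not taken from the cards: a toy block device whose directory and data live in different blocks. A quick format clears only the directory, a new OS image is written over the first blocks, and carving the raw bytes still finds the old payroll rows the install did not reach; a full overwrite pass removes them. Block size, file contents and the "OS image" are constructed. Real-world caveat: on SSDs the drive remaps blocks, so a software overwrite is not guaranteed to reach every copy of the data; use the drive's own secure-erase command.

```python
import random

BLOCK = 32          # bytes per block
N_BLOCKS = 32       # a 1 KiB "disk"; block 0 is the directory


class ToyDisk:
    """A minimal block device with a single directory block (constructed for
    this example; it does not model a real file system, only the idea that
    metadata and data live in different places)."""

    def __init__(self):
        self.raw = bytearray(BLOCK * N_BLOCKS)
        self.next_free = 1

    def directory(self) -> dict:
        """Parse block 0: entries of the form name:start_block:length, ';'-separated."""
        entries = bytes(self.raw[:BLOCK]).rstrip(b"\0").split(b";")
        table = {}
        for entry in entries:
            if entry:
                name, start, length = entry.split(b":")
                table[name.decode()] = (int(start), int(length))
        return table

    def _save_directory(self, table: dict):
        blob = b";".join(f"{n}:{s}:{l}".encode() for n, (s, l) in table.items())
        if len(blob) > BLOCK:
            raise IOError("directory full")
        self.raw[:BLOCK] = blob.ljust(BLOCK, b"\0")

    def write_file(self, name: str, data: bytes):
        nblocks = -(-len(data) // BLOCK)           # ceiling division
        start = self.next_free
        if start + nblocks > N_BLOCKS:
            raise IOError("disk full")
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        table = self.directory()
        table[name] = (start, len(data))
        self._save_directory(table)
        self.next_free = start + nblocks

    def read_file(self, name: str) -> bytes:
        start, length = self.directory()[name]     # KeyError once the directory is gone
        return bytes(self.raw[start * BLOCK:start * BLOCK + length])

    def quick_format(self):
        """What a format does: wipe the directory, leave every data block alone."""
        self.raw[:BLOCK] = bytes(BLOCK)
        self.next_free = 1

    def overwrite(self, random_passes: int = 1, seed: int = 0):
        """What an overwrite tool does: random bytes over every block, then a
        final pass of zeros, directory and data alike."""
        rng = random.Random(seed)
        for _ in range(random_passes):
            self.raw[:] = bytes(rng.randrange(256) for _ in range(len(self.raw)))
        self.raw[:] = bytes(len(self.raw))
        self.next_free = 1


def carve(disk: ToyDisk, marker: bytes):
    """Forensic carving: search the raw bytes, ignoring the directory entirely.
    Returns the byte offset of `marker`, or None."""
    idx = disk.raw.find(marker)
    return None if idx < 0 else idx


PAYROLL = (b"name,salary\n" b"alice,90000\n" b"bob,70000\n"
           b"carol,85000\n" b"dave,60000\n" b"erin,95000\n")     # 68 bytes, blocks 1-3
NEW_OS = b"BOOTLOADER v1 ".ljust(40, b"\0")                      # 40 bytes, blocks 1-2


def scenario():
    """Returns (offset of an old row the install missed, old row the install
    overwrote, the same old row after a full overwrite pass)."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", PAYROLL)
    disk.quick_format()                         # "format the drives"
    disk.write_file("boot.img", NEW_OS)         # "install a new OS"
    still_there = carve(disk, b"dave,60000")    # never touched by the new image
    reused = carve(disk, b"alice,90000")        # its blocks were reused
    disk.overwrite()
    after_wipe = carve(disk, b"dave,60000")
    return still_there, reused, after_wipe


if __name__ == "__main__":
    print(scenario())
```

After the format the directory is empty and read_file raises KeyError, yet the payroll row starting at byte 78 is still on the disk a week later if nothing else lands on those blocks; only the overwrite pass removes it.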

88
Q

What is your public key in asymmetric encryption?

A

Asymmetric encryption uses 2 keys, a public key and a private key (a key pair). Your public key is publicly available and is used by others to encrypt messages sent to you. Since the keys are asymmetric, the ciphertext can't be decrypted with your public key; only the matching private key can decrypt it. Your private key you keep safe, and you use it to decrypt messages that were encrypted with your public key.
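A textbook RSA key pair as an added example, not from the card, to show the two keys in action: encrypt with the public key, decrypt with the private key, and confirm that applying the public key again does not recover the message. Key size, seed and message are assumptions chosen for a repeatable run; real deployments use 2048-bit or larger keys with OAEP padding and a CSPRNG, never raw RSA like this.

```python
import random
from math import gcd


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 64, seed: int = 2024):
    """Return (public, private) = ((n, e), (n, d)).  Seeded only so the example
    is repeatable; a real key uses the OS CSPRNG and 2048+ bits (assumption)."""
    rng = random.Random(seed)
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        e = 65537
        if gcd(e, phi) != 1:
            continue
        d = pow(e, -1, phi)              # d * e == 1 (mod phi); Python 3.8+
        return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)                   # anyone can do this with the public key


def decrypt(private, ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)             # only the private-key holder can do this
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    pub, priv = keygen()
    c = encrypt(pub, b"hi")
    print("ciphertext:", c)
    print("private key decrypts to:", decrypt(priv, c))
    print("public key applied again gives:", pow(c, pub[1], pub[0]))
```

Both keys share the modulus n; what makes the pair asymmetric is that d is derived from the factors p and q, which the public key does not reveal.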

89
Q

Senior leadership has approved the use of flash drives. Which type of memory do they use?

A

Flash memory: Small portable drives (USB sticks are an example); they are a type of EEPROM.