CISSP All-In-One Exam Guide 6th Edition

Passing Score: 700
Time Limit: 360 min
File Version: 1.0
CISSP® - Certified Information Systems Security Professional
For the Next Generation of Information Security Leaders
http://www.gratisexam.com/
CISSP® certification is a globally recognized standard of achievement that confirms an individual's knowledge in the field of information security. CISSPs are
information assurance professionals who define the architecture, design, management and/or controls that assure the security of business environments. This was
the first certification in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024.
Chapter 1 - Becoming a CISSP
QUESTION 1
Which of the following provides an incorrect characteristic of a memory leak?
A. Common programming error
B. Common when languages that have no built-in automatic garbage collection are used
C. Common in applications written in Java
D. Common in applications written in C++
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Which of the following is the best description pertaining to the “Trusted Computing Base”?
A. The term originated from the Orange Book and pertains to firmware.
B. The term originated from the Orange Book and addresses the security mechanisms that are only implemented by the operating system.
C. The term originated from the Orange Book and contains the protection mechanisms within a system.
D. The term originated from the Rainbow Series and addressed the level of significance each mechanism of a system portrays in a secure environment.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Which of the following is the best description of the security kernel and the reference monitor?
A. The reference monitor is a piece of software that runs on top of the security kernel. The reference monitor is accessed by every security call of the security
kernel. The security kernel is too large to test and verify.
B. The reference monitor concept is a small program that is not related to the security kernel. It will enforce access rules upon subjects who attempt to access
specific objects. This program is regularly used with modern operating systems.
C. The reference monitor concept is used strictly for database access control and is one of the key components in maintaining referential integrity within the
system. It is impossible for the user to circumvent the reference monitor.
D. The reference monitor and security kernel are core components of modern operating systems. They work together to mediate all access between subjects and
objects. They should not be able to be circumvented and must be called upon for every access attempt.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
Which of the following models incorporates the idea of separation of duties and requires that all modifications to data and objects be done through programs?
A. State machine model
B. Bell-LaPadula model
C. Clark-Wilson model
D. Biba model
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Which of the following best describes the hierarchical levels of privilege within the architecture of a computer system?
A. Computer system ring structure
B. Microcode abstraction levels of security
C. Operating system user mode
D. Operating system kernel mode
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
Which of the following is an untrue statement?
i. Virtual machines can be used to provide secure, isolated sandboxes for running untrusted applications.
ii. Virtual machines can be used to create execution environments with resource limits and, given the right schedulers, resource guarantees.
iii. Virtualization can be used to simulate networks of independent computers.
iv. Virtual machines can be used to run multiple operating systems simultaneously: different versions, or even entirely different systems, which can be on hot
standby.
A. All of them
B. None of them
C. i, ii
D. ii, iii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Which of the following is the best means of transferring information when parties do not have a shared secret and large quantities of sensitive information must be
transmitted?
A. Use of public key encryption to secure a secret key, and message encryption using the secret key
B. Use of the recipient’s public key for encryption, and decryption based on the recipient’s private key
C. Use of software encryption assisted by a hardware encryption accelerator
D. Use of elliptic curve encryption
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Which algorithm did NIST choose to become the Advanced Encryption Standard (AES) replacing the Data Encryption Standard (DES)?
A. DEA
B. Rijndael
C. Twofish
D. IDEA
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Use the following scenario to answer questions 9–11.
John is the security administrator for company X. He has been asked to oversee the installation of a fire suppression sprinkler system, as recent unusually dry
weather has increased the likelihood of fire. Fire could potentially cause a great amount of damage to the organization’s assets. The sprinkler system is designed to
reduce the impact of fire on the company.
In this scenario, fire is considered which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Countermeasure
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Use the following scenario to answer questions 9–11.
John is the security administrator for company X. He has been asked to oversee the installation of a fire suppression sprinkler system, as recent unusually dry
weather has increased the likelihood of fire. Fire could potentially cause a great amount of damage to the organization’s assets. The sprinkler system is designed to
reduce the impact of fire on the company.
In this scenario, the sprinkler system is considered which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Countermeasure
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Use the following scenario to answer questions 9–11.
John is the security administrator for company X. He has been asked to oversee the installation of a fire suppression sprinkler system, as recent unusually dry
weather has increased the likelihood of fire. Fire could potentially cause a great amount of damage to the organization’s assets. The sprinkler system is designed to
reduce the impact of fire on the company.
In this scenario, the likelihood and damage potential of a fire is considered which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Countermeasure
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Use the following scenario to answer questions 12–14.
A small remote facility for a company is valued at $800,000. It is estimated, based on historical data and other predictors, that a fire is likely to occur once every ten
years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective
and preventative controls in place.
What is the single loss expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60 percent
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Use the following scenario to answer questions 12–14.
A small remote facility for a company is valued at $800,000. It is estimated, based on historical data and other predictors, that a fire is likely to occur once every ten
years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective
and preventative controls in place.
What is the annualized rate of occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Use the following scenario to answer questions 12–14.
A small remote facility for a company is valued at $800,000. It is estimated, based on historical data and other predictors, that a fire is likely to occur once every ten
years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective
and preventative controls in place.
What is the annualized loss expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Which of the following is not a characteristic of Protected Extensible Authentication Protocol?
A. Authentication protocol used in wireless networks and point-to-point connections
B. Designed to provide improved secure authentication for 802.11 WLANs
C. Designed to support 802.1x port access control and Transport Layer Security
D. Designed to support password-protected connections
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Which of the following best describes the Temporal Key Integrity Protocol’s (TKIP) role in the 802.11i standard?
A. It provides 802.1x and EAP to increase the authentication strength.
B. It requires the access point and the wireless device to authenticate to each other.
C. It sends the SSID and MAC value in ciphertext.
D. It adds more keying material for the RC4 algorithm.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Vendors have implemented various solutions to overcome the vulnerabilities of Wired Equivalent Privacy (WEP). Which of the following provides an incorrect
mapping between these solutions and their characteristics?
A. LEAP requires a PKI.
B. PEAP only requires the server to authenticate using a digital certificate.
C. EAP-TLS requires both the wireless device and server to authenticate using digital certificates.
D. PEAP allows the user to provide a password.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Encapsulating Security Payload (ESP), which is one protocol within the IPSec protocol suite, is primarily designed to provide which of the following?
A. Confidentiality
B. Cryptography
C. Digital signatures
D. Access control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Which of the following redundant array of independent disks implementations uses interleave parity?
A. Level 1
B. Level 2
C. Level 4
D. Level 5
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
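What "interleaved parity" means in practice, as an added example for question 19 (this is illustrative code written for this page, not from the exam guide or any storage product): each stripe holds one data block per disk except for one parity block that is the XOR of the others, and the parity slot rotates from stripe to stripe. Any one disk can fail and its blocks, data or parity, are rebuilt by XORing the survivors. The rotation rule and block size are assumptions chosen for the example.

```python
"""RAID 5 block-level striping with distributed (interleaved) parity.
Added example for question 19; the layout rule is an assumption, not a vendor's."""

from __future__ import annotations
from typing import Optional


def xor_blocks(blocks: list[bytes]) -> bytes:
    """XOR equally sized blocks together; this is the whole parity algorithm."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, disks: int, block_size: int) -> list[list[bytes]]:
    """Lay data out across `disks` disks and return disk -> list of blocks.
    Each stripe has disks-1 data blocks plus one parity block. The parity slot
    for stripe s is disk (disks - 1 - s) % disks, so parity writes are spread
    across all disks instead of hammering one dedicated parity disk (RAID 4)."""
    data_per_stripe = disks - 1
    padded = data + b"\0" * (-len(data) % (block_size * data_per_stripe))
    chunks = [padded[i:i + block_size] for i in range(0, len(padded), block_size)]
    layout: list[list[bytes]] = [[] for _ in range(disks)]
    for s in range(0, len(chunks), data_per_stripe):
        stripe_data = chunks[s:s + data_per_stripe]
        parity_disk = (disks - 1 - s // data_per_stripe) % disks
        it = iter(stripe_data)
        for d in range(disks):
            layout[d].append(xor_blocks(stripe_data) if d == parity_disk else next(it))
    return layout


def raid5_read(layout: list[Optional[list[bytes]]], disks: int) -> bytes:
    """Reassemble the data. At most one disk may be None (failed); its blocks,
    whether data or parity, are rebuilt as the XOR of the surviving blocks."""
    failed = [d for d, blocks in enumerate(layout) if blocks is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk")
    stripes = len(next(b for b in layout if b is not None))
    data = bytearray()
    for s in range(stripes):
        parity_disk = (disks - 1 - s) % disks
        blocks = [None if layout[d] is None else layout[d][s] for d in range(disks)]
        if failed:
            survivors = [blk for blk in blocks if blk is not None]
            blocks[failed[0]] = xor_blocks(survivors)
        for d in range(disks):
            if d != parity_disk:
                data += blocks[d]
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    plain = b"The quick brown fox jumps over the lazy dog"
    layout = raid5_write(plain, disks=4, block_size=4)
    degraded = list(layout)
    degraded[2] = None  # simulate losing the third disk
    print(raid5_read(degraded, 4).rstrip(b"\0") == plain)  # True
```

Note what the example also makes visible: losing a second disk before the rebuild completes is unrecoverable, which is why rebuild time on large disks matters as much as the parity scheme itself.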
QUESTION 20
Which of the following is not one of the stages of the dynamic host configuration protocol (DHCP) lease process?
i. Discover
ii. Offer
iii. Request
iv. Acknowledgment
A. All of them
B. None of them
C. i
D. ii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
Which of the following has been deemed by the Internet Architecture Board as unethical behavior for Internet users?
A. Creating computer viruses
B. Monitoring data traffic
C. Wasting computer resources
D. Concealing unauthorized accesses
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Most computer-related documents are categorized as which of the following types of evidence?
A. Hearsay evidence
B. Direct evidence
C. Corroborative evidence
D. Circumstantial evidence
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
During the examination and analysis process of a forensics investigation, it is critical that the investigator works from an image that contains all of the data from the
original disk. The image must have all but which of the following characteristics?
A. Byte-level copy
B. Captured slack spaces
C. Captured deleted files
D. Captured unallocated clusters
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
__________ is a process of interactively producing more detailed versions of objects by populating variables with different values. It is often used to prevent
inference attacks.
A. Polyinstantiation
B. Polymorphism
C. Polyabsorbtion
D. Polyobject
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
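How polyinstantiation blocks an inference attack, as an added example for question 24. The table class below is a toy written for this page, not a feature of any real DBMS, and the ship/cargo rows are constructed. The point it shows: if a low-cleared user tries to insert a primary key that already exists at a higher classification and the database answers "duplicate key", the user has just learned that a secret row exists. A polyinstantiated table instead keeps one version of the row per classification level and shows each user only the most sensitive version they are cleared for.

```python
"""Polyinstantiation in a multilevel-secure table (toy model, added example)."""

from __future__ import annotations
from typing import Optional

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class MlsTable:
    """Rows are keyed by (primary key, classification). The same primary key may
    exist once per level; a reader sees only the most sensitive version at or
    below their clearance."""

    def __init__(self) -> None:
        self._rows: dict[tuple[str, str], dict] = {}

    def insert(self, key: str, level: str, **fields) -> str:
        if (key, level) in self._rows:
            return "duplicate"  # same key at the same level really is a duplicate
        self._rows[(key, level)] = dict(fields)
        # If a more sensitive version already exists, this insert created a
        # polyinstantiated (cover) tuple rather than leaking that fact.
        higher = [lvl for (k, lvl) in self._rows if k == key and LEVELS[lvl] > LEVELS[level]]
        return "polyinstantiated" if higher else "inserted"

    def select(self, key: str, clearance: str) -> Optional[dict]:
        """Most sensitive version visible at `clearance` (no read-up)."""
        visible = [(LEVELS[lvl], lvl, row) for (k, lvl), row in self._rows.items()
                   if k == key and LEVELS[lvl] <= LEVELS[clearance]]
        if not visible:
            return None
        _, lvl, row = max(visible, key=lambda v: v[0])
        return {"classification": lvl, **row}

    def dump(self, clearance: str) -> list[dict]:
        """Every primary key as seen from `clearance`."""
        keys = sorted({k for (k, _) in self._rows})
        return [r for r in (self.select(k, clearance) for k in keys) if r is not None]


def demo() -> tuple[str, Optional[dict], Optional[dict]]:
    """Constructed scenario: a Secret row exists, then an Unclassified clerk
    files a cover story under the same key."""
    t = MlsTable()
    t.insert("Enterprise", "Secret", destination="Libya", cargo="weapons")
    status = t.insert("Enterprise", "Unclassified", destination="Cyprus", cargo="food")
    return status, t.select("Enterprise", "Unclassified"), t.select("Enterprise", "Secret")


if __name__ == "__main__":
    status, low_view, high_view = demo()
    print(status)      # polyinstantiated
    print(low_view)    # the cover story
    print(high_view)   # the real row
```

The cost, which the exam question does not mention, is that the database now holds two rows that contradict each other on purpose; integrity checks and reports run at a low clearance will be working from the cover story.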
QUESTION 25
Tim is a software developer for a financial institution. He develops middleware software code that carries out his company’s business logic functions. One of the
applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over a period of time. Which of the
following best describes what Tim needs to look at implementing to rid this software of this type of problem?
A. Bounds checking
B. Garbage collection
C. Parameter checking
D. Compiling
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
__________ is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
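A minimal mutation fuzzer, as an added example for question 26. The target is a toy tag-length-value parser written for this page with deliberate bugs (it trusts the length byte and the record contents); the fuzzer feeds it every truncation of a valid seed and then random mutations, and buckets crashes by exception type and the line that raised. None of this is from the exam guide or from a real fuzzing tool; the seed record format is an assumption.

```python
"""Mutation fuzzing against a deliberately unhardened TLV parser (added example)."""

from __future__ import annotations
import random
import traceback


def parse_records(buf: bytes) -> dict:
    """Toy TLV parser: tag(1) length(1) value(length). Deliberately unhardened."""
    out = {}
    i = 0
    while i < len(buf):
        tag = buf[i]
        length = buf[i + 1]                 # bug: no check that a length byte exists
        value = buf[i + 2:i + 2 + length]   # bug: a short value is silently accepted
        if tag == 0x01:
            out["name"] = value.decode("utf-8")        # bug: arbitrary bytes -> UnicodeDecodeError
        elif tag == 0x02:
            out["count"] = (value[0] << 8) | value[1]  # bug: assumes length >= 2
        i += 2 + length
    return out


def mutations(seed: bytes, rounds: int, rng: random.Random):
    """Yield test cases: every truncation of the seed first (deterministic coverage
    of the length-handling paths), then `rounds` random mutations of the seed."""
    for n in range(len(seed)):
        yield seed[:n]
    for _ in range(rounds):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            choice = rng.randrange(3)
            pos = rng.randrange(len(data))
            if choice == 0:                       # flip one bit
                data[pos] ^= 1 << rng.randrange(8)
            elif choice == 1:                     # insert a random byte
                data.insert(pos, rng.randrange(256))
            else:                                 # overwrite with a boundary value
                data[pos] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
        yield bytes(data)


def fuzz(target, seed: bytes, rounds: int = 300, rng_seed: int = 1) -> dict[str, bytes]:
    """Run target on each case; keep the smallest reproducer per crash bucket.
    A bucket is (exception type, line number in the target that raised)."""
    rng = random.Random(rng_seed)
    reproducers: dict[str, bytes] = {}
    for case in mutations(seed, rounds, rng):
        try:
            target(case)
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            bucket = f"{type(exc).__name__}@line{frame.lineno}"
            if bucket not in reproducers or len(case) < len(reproducers[bucket]):
                reproducers[bucket] = case
    return reproducers


# Constructed valid seed: name="hello", count=42.
SEED = b"\x01\x05hello\x02\x02\x00\x2a"


if __name__ == "__main__":
    for bucket, case in sorted(fuzz(parse_records, SEED).items()):
        print(f"{bucket:28s} {case!r}")
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback so that mutations which reach new code are kept as new seeds; the bucketing by crash site shown here is the same idea they use to de-duplicate thousands of crashing inputs into a handful of distinct bugs.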
QUESTION 27
Which type of malware can change its own code, making it harder to detect with antivirus software?
A. Stealth virus
B. Polymorphic virus
C. Trojan horse
D. Logic bomb
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
What is derived from a passphrase?
A. A personal password
B. A virtual password
C. A user ID
D. A valid password
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Which access control model is user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
Which item is not part of a Kerberos authentication implementation?
A. A message authentication code
B. A ticket-granting ticket
C. Authentication service
D. Users, programs, and services
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
In discretionary access control, who/what has delegation authority to grant access to data?
A. A user
B. A security officer
C. A security policy
D. An owner
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
Remote access security using a token one-time password generation is an example of which of the following?
A. Something you have
B. Something you know
C. Something you are
D. Two-factor authentication
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
What is a crossover error rate (CER)?
A. A rating used as a performance metric for a biometric system
B. The number of Type I errors
C. The number of Type II errors
D. The number reached when Type I errors exceed the number of Type II errors
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
What does a retina scan biometric system do?
A. Examines the pattern, color, and shading of the area around the cornea
B. Examines the patterns and records the similarities between an individual’s eyes
C. Examines the pattern of blood vessels at the back of the eye
D. Examines the geometry of the eyeball
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
If you are using a synchronous token device, what does this mean?
A. The device synchronizes with the authentication service by using internal time or events.
B. The device synchronizes with the user’s workstation to ensure the credentials it sends to the authentication service are correct.
C. The device synchronizes with the token to ensure the timestamp is valid and correct.
D. The device synchronizes by using a challenge-response method with the authentication service.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
What is a clipping level?
A. The threshold for an activity
B. The size of a control zone
C. Explicit rules of authorization
D. A physical security mechanism
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
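A clipping level applied to authentication failures, as an added example for question 37. The idea is that a few failed logons are normal noise (typos, expired passwords) and are not worth an analyst's time; the clipping level is the count, within a window, above which the activity is reported. The log lines and their syslog-like format are constructed for this example and are not from the exam guide or any real product.

```python
"""Clipping level over authentication failures (added example with constructed logs)."""

from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in an assumed sshd-like format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:20 auth sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:01:00 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:01:02 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:01:04 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:01:06 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:01:08 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T09:01:10 auth sshd: Failed password for root from 203.0.113.7
2024-03-01T10:30:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T11:45:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T13:00:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T14:15:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T15:30:00 auth sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def clipping_level_alerts(log_text: str, threshold: int = 5, window_minutes: int = 10) -> list[dict]:
    """Return one alert per (user, source) whose failure count reaches `threshold`
    inside a sliding window of `window_minutes`. Counts below the threshold are
    the clipping level: ignored on purpose. A successful logon resets the count."""
    window = timedelta(minutes=window_minutes)
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    alerted: set[tuple[str, str]] = set()
    alerts: list[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped, never counted
        key = (m["user"], m["src"])
        ts = datetime.fromisoformat(m["ts"])
        if m["result"] == "Accepted":
            failures.pop(key, None)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        recent.append(ts)
        failures[key] = recent
        if len(recent) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "src": key[1], "count": len(recent),
                           "first": recent[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in clipping_level_alerts(SAMPLE_LOG):
        print(a)  # only the burst against root crosses the 10-minute clipping level
    for a in clipping_level_alerts(SAMPLE_LOG, window_minutes=24 * 60):
        print(a)  # with a day-long window, bob's slow guessing is caught as well
```

The constructed "bob" entries show the caveat a practitioner should keep in mind: a clipping level is a trade-off against analyst time, and an attacker who stays under it (low-and-slow guessing spread over hours) is invisible to this rule unless the window is widened or a second, longer-window rule is run alongside it.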
QUESTION 38
Which intrusion detection system would monitor user and network behavior?
A. Statistical/anomaly-based
B. Signature-based
C. Static
D. Host-based
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
When should a Class C fire extinguisher be used instead of a Class A?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
How does halon suppress fires?
A. It reduces the fire’s fuel intake.
B. It reduces the temperature of the area.
C. It disrupts the chemical reactions of a fire.
D. It reduces the oxygen in the area.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
What is the problem with high humidity in a data processing environment?
A. Corrosion
B. Fault tolerance
C. Static electricity
D. Contaminants
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
What is the definition of a power fault?
A. Prolonged loss of power
B. Momentary low voltage
C. Prolonged high voltage
D. Momentary power outage
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
Who has the primary responsibility of determining the classification level for information?
A. The functional manager
B. Middle management
C. The owner
D. The user
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
Which best describes the purpose of the ALE calculation?
A. It quantifies the security level of the environment.
B. It estimates the loss potential from a threat.
C. It quantifies the cost/benefit result.
D. It estimates the loss potential from a threat in a one-year time span.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency
D. (Threats × vulnerability × asset value) × control gap
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
What is the Delphi method?
A. A way of calculating the cost/benefit ratio for safeguards
B. A way of allowing individuals to express their opinions anonymously
C. A way of allowing groups to discuss and collaborate on the best security approaches
D. A way of performing a quantitative risk analysis
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
What are the necessary components of a smurf attack?
A. Web server, attacker, and fragment offset
B. Fragment offset, amplifying network, and victim
C. Victim, amplifying network, and attacker
D. DNS server, attacker, and web server
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
What do the reference monitor and security kernel do in an operating system?
A. Intercept and mediate a subject attempting to access objects
B. Point virtual memory addresses to real memory addresses
C. House and protect the security kernel
D. Monitor privileged memory usage by applications
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Chapter 2 - Information Security Governance and Risk Management
QUESTION 1
Who has the primary responsibility of determining the classification level for information?
A. The functional manager
B. Senior management
C. The owner
D. The user
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A company can have one specific data owner or different data owners who
have been delegated the responsibility of protecting specific sets of data. One
of the responsibilities that goes into protecting this information is properly
classifying it.
QUESTION 2
If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
If data is going to be available to a wide range of people, more granular
security should be implemented to ensure that only the necessary people access
the data and that the operations they carry out are controlled. The security
implemented can come in the form of authentication and authorization
technologies, encryption, and specific access control mechanisms.
QUESTION 3
What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The best answer to this question is B, because to properly classify data,
the data owner must evaluate the availability, integrity, and confidentiality
requirements of the data. Once this evaluation is done, it will dictate which
employees, contractors, and users can access the data, which is expressed in
answer A. This assessment will also help determine the controls that should
be put into place.
QUESTION 4
Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The key to this question is the use of the word “ultimately.” Though
management can delegate tasks to others, it is ultimately responsible for
everything that takes place within a company. Therefore, it must continually
ensure that data and resources are being properly protected.
QUESTION 5
Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Without senior management’s support, a security program will not receive
the necessary attention, funds, resources, and enforcement capabilities.
QUESTION 6
When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Companies may decide to live with specific risks they are faced with if the
cost of trying to protect themselves would be greater than the potential loss
if the threat were to become real. Countermeasures are usually complex to a
degree, and there are almost always political issues surrounding different risks,
but these are not reasons to not implement a countermeasure.
QUESTION 7
Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Although the other answers may seem correct, B is the best answer here.
This is because a risk analysis is performed to identify risks and come up with
suggested countermeasures. The ALE tells the company how much it could
lose if a specific threat became real. The ALE value will go into the cost/benefit
analysis, but the ALE does not address the cost of the countermeasure and the
benefit of a countermeasure. All the data captured in answers A, C, and D are
inserted into a cost/benefit analysis.
QUESTION 8
Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The ALE calculation estimates the potential loss that can affect one asset
from a specific threat within a one-year time span. This value is used to figure
out the amount of money that should be earmarked to protect this asset from
this threat.
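The quantitative figures from the chapter 1 fire scenario (questions 12 to 14), carried through to the cost/benefit decision of chapter 2, questions 6 to 8, as an added worked example. The facility value, exposure factor and recurrence interval are the page's; the two candidate controls, their annual costs and the exposure factors they leave behind are assumptions invented for the illustration, not figures from the exam guide.

```python
"""SLE, ARO, ALE and the annual value of a safeguard (added example)."""

from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float         # AV, in dollars
    exposure_factor: float     # EF, fraction of the asset lost in one incident (0..1)
    years_per_incident: float  # historical recurrence interval

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence: incidents per year."""
        return 1.0 / self.years_per_incident

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # purchase amortized over its life, plus upkeep, per year
    new_exposure_factor: float  # EF after the control is in place


def safeguard_value(before: RiskScenario, control: Safeguard) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of control.
    Positive: the control pays for itself. Negative: accept the risk (chapter 2,
    question 6) or find a cheaper control; spending more than the exposure is
    worth is the textbook reason not to act on a risk."""
    after = RiskScenario(before.asset_value, control.new_exposure_factor,
                         before.years_per_incident)
    return before.ale - after.ale - control.annual_cost


def compare(before: RiskScenario, controls: list[Safeguard]) -> list[tuple[str, float]]:
    """Rank candidate controls by net annual value, highest first."""
    ranked = [(c.name, safeguard_value(before, c)) for c in controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Figures from the chapter 1 scenario (questions 12-14).
FACILITY_FIRE = RiskScenario(asset_value=800_000, exposure_factor=0.60, years_per_incident=10)

# Constructed candidate controls; costs and residual exposure are assumptions.
SPRINKLERS = Safeguard("wet-pipe sprinklers", annual_cost=12_000, new_exposure_factor=0.15)
GAS_SUPPRESSION = Safeguard("clean-agent gas suppression", annual_cost=45_000, new_exposure_factor=0.05)


if __name__ == "__main__":
    f = FACILITY_FIRE
    print(f"SLE = ${f.sle:,.0f}  ARO = {f.aro}  ALE = ${f.ale:,.0f}")  # 480,000 / 0.1 / 48,000
    for name, value in compare(f, [SPRINKLERS, GAS_SUPPRESSION]):
        print(f"{name:32s} net annual value ${value:,.0f}")
```

Under the assumed figures the sprinklers return a positive value (ALE drops from $48,000 to $12,000 for $12,000 a year) while the gas system, although it reduces the loss further, costs more per year than the exposure it removes and would be rejected on cost/benefit grounds alone.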
QUESTION 9
The security functionality defines the expected activities of a security mechanism, and assurance defines which of the following?
A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. The cost/benefit relationship
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The functionality describes how a mechanism will work and behave. This
may have nothing to do with the actual protection it provides. Assurance
is the level of confidence in the protection level a mechanism will provide.
When systems and mechanisms are evaluated, their functionality and
assurance should be examined and tested individually.
QUESTION 10
How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The equation is more conceptual than practical. It is hard to assign a
number to an individual vulnerability or threat. This equation enables you to
look at the potential loss of a specific asset, as well as the controls gap (what
the specific countermeasure cannot protect against). What remains is the
residual risk, which is what is left over after a countermeasure is implemented.
QUESTION 11
Why should the team that will perform and review the risk analysis information be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as
possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An analysis is only as good as the data that go into it. Data pertaining to
risks the company faces should be extracted from the people who understand
best the business functions and environment of the company. Each department
understands its own threats and resources, and may have possible solutions to
specific threats that affect its part of the company.
QUESTION 12
Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A quantitative risk analysis assigns monetary values and percentages to
the different components within the assessment. A qualitative analysis uses
opinions of individuals and a rating system to gauge the severity level of
different threats and the benefits of specific countermeasures.
QUESTION 13
Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
During a risk analysis, the team is trying to properly predict the future and
all the risks that future may bring. It is somewhat of a subjective exercise and
requires educated guessing. It is very hard to properly predict that a flood will
take place once in ten years and cost a company up to $40,000 in damages,
but this is what a quantitative analysis tries to accomplish.
QUESTION 14
What is CobiT and where does it fit into the development of information security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Control Objectives for Information and related Technology (CobiT)
is a framework developed by the Information Systems Audit and Control
Association (ISACA) and the IT Governance Institute (ITGI). It defines goals
for the controls that should be used to properly manage IT and ensure IT
maps to business needs.
QUESTION 15
What are the four domains that make up CobiT?
A. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
C. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
D. Acquire and Implement, Deliver and Support, and Monitor and Evaluate
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
CobiT has four domains: Plan and Organize, Acquire and Implement,
Deliver and Support, and Monitor and Evaluate. Each category drills down
into subcategories. For example, Acquire and Implement contains the
following subcategories:
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Develop and Maintain Procedures
• Install and Accredit Systems
• Manage Changes
QUESTION 16
What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST 800-60
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 27799 is titled "Health informatics: Information security management in
health using ISO/IEC 27002". Its purpose is to provide guidance to health
organizations and other holders of personal health information on how to
protect such information by implementing the controls of ISO/IEC 27002.
QUESTION 17
CobiT was developed from the COSO framework. What are COSO’s main objectives and purpose?
A. COSO is a risk management approach that pertains to control objectives and IT business processes.
B. Prevention of a corporate environment that allows for and promotes financial fraud.
C. COSO addresses corporate culture and policy development.
D. COSO is risk management system used for the protection of federal systems.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
COSO deals more at the strategic level, while CobiT focuses more at the
operational level. CobiT is a way to meet many of the COSO objectives,
but only from the IT perspective. COSO deals with non-IT items also, as
in company culture, financial accounting principles, board of director
responsibility, and internal communication structures. Its main purpose
is to help ensure fraudulent financial reporting cannot take place in an
organization.
QUESTION 18
OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences
between these methods?
A. NIST 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST 800-30 are assurance based.
D. NIST 800-30 and AS/NZS are corporate based, while OCTAVE is international.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
NIST 800-30 Risk Management Guide for Information Technology
Systems is a U.S. federal standard that is focused on IT risks. OCTAVE is a
methodology to set up a risk management program within an organizational
structure. AS/NZS 4360 takes a much broader approach to risk management.
This methodology can be used to understand a company’s financial, capital,
human safety, and business decisions risks. Although it can be used to analyze
security risks, it was not created specifically for this purpose.
QUESTION 19
Use the following scenario to answer Questions 19–21. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company
A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important
servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign.
They have also hardened the server’s configuration and employed strict operating system access controls.
The fact that the server has been in an unlocked room marked “Room 1” for the last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Security through obscurity is not implementing true security controls,
but rather attempting to hide the fact that an asset is vulnerable in the hope
that an attacker will not notice. Security through obscurity is an approach to
try and fool a potential attacker, which is a poor way of practicing security.
Vulnerabilities should be identified and fixed, not hidden.
QUESTION 20
Use the following scenario to answer Questions 19–21. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company
A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important
servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign.
They have also hardened the server’s configuration and employed strict operating system access controls.
The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Physical controls are security mechanisms in the physical world, as in locks,
fences, doors, computer cages, etc. There are three main control types, which
are administrative, technical, and physical.
QUESTION 21
Use the following scenario to answer Questions 19–21. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company
A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important
servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign.
They have also hardened the server’s configuration and employed strict operating system access controls.
The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Logical (or technical) controls are security mechanisms, as in firewalls,
encryption, software permissions, and authentication devices. They are
commonly used in tandem with physical and administrative controls to
provide a defense-in-depth approach to security.
QUESTION 22
Use the following scenario to answer Questions 22–24. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current
circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new
annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.
How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
$62,000 is the correct answer. The firewall reduced the annualized loss
expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The
formula for ALE is single loss expectancy × annualized rate of occurrence
= ALE. Subtracting the ALE value after the firewall is implemented from the
value before it was implemented results in the potential loss savings this type
of control provides.
QUESTION 23
Use the following scenario to answer Questions 22–24. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current
circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new
annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.
What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. –$62,000
D. –$3,000
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
–$3,000 is the correct answer. The firewall saves $62,000 in expected losses, but costs
$65,000 per year. 62,000 – 65,000 = –3,000. The control costs the company more
each year than the loss it prevents, and thus its value to the company is a
negative number. The formula for this calculation is (ALE before
the control is implemented) – (ALE after the control is implemented) –
(annual cost of control) = value of control.
QUESTION 24
Use the following scenario to answer Questions 22–24. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current
circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new
annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.
Which of the following describes the company’s approach to risk management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Risk mitigation involves employing controls in an attempt to reduce
either the likelihood or the damage associated with an incident, or both. The four
ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A
firewall is a countermeasure installed to reduce the risk of a threat. Note that
the approach is still mitigation even though, as Question 23 shows, this particular
control has a negative value and would not be a sound purchase.
QUESTION 25
Use the following scenario to answer Questions 25–27. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a
fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current
circumstances and with the current detective and preventative controls in place.
What is the Single Loss Expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
$480,000 is the correct answer. The formula for single loss expectancy (SLE)
is asset value × exposure factor (EF) = SLE. In this situation the formula would
work out as asset value ($800,000) × exposure factor (60%) = $480,000. This
means that the company has a potential loss value of $480,000 pertaining to
this one asset (facility) and this one threat type (fire).
QUESTION 26
Use the following scenario to answer Questions 25–27. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a
fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current
circumstances and with the current detective and preventative controls in place.
What is the Annualized Rate of Occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The annualized rate of occurrence (ARO) is the frequency with which a threat is
expected to occur within a 12-month period. A fire expected once every ten
years gives an ARO of 1/10 = 0.1. It is a value used in the ALE
formula, which is SLE × ARO = ALE.
QUESTION 27
Use the following scenario to answer Questions 25–27. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a
fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current
circumstances and with the current detective and preventative controls in place.
What is the Annualized Loss Expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
$48,000 is the correct answer. The annualized loss expectancy formula (SLE
× ARO = ALE) is used to calculate the loss potential for one asset experiencing
one threat in a 12-month period. The resulting ALE value helps to determine
the amount that can reasonably be spent in the protection of that asset. In
this situation, the company should not spend over $48,000 on protecting this
asset from the threat of fire. ALE values help organizations rank the severity
level of the risks they face so they know which ones to deal with first and how
much to spend on each.
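The quantitative formulas behind Questions 22 through 27 (SLE = AV × EF, ALE = SLE × ARO, and value of control = ALE before – ALE after – annual cost) are worked through below in one small script. This is an added example and not code from the exam guide; it uses the figures from the two scenarios above and adds one constructed, hypothetical alternative control (a managed WAF service with made-up cost and residual ALE) purely to show how ALE values are used to rank competing controls, as the explanation says organizations do.

```python
"""Quantitative risk analysis worked through in code (added example).

Formulas: SLE = AV x EF, ARO = events per year, ALE = SLE x ARO,
value of control = ALE_before - ALE_after - annual cost of control.
Figures are from the remote-office fire and e-commerce firewall scenarios;
the "managed WAF service" control is a constructed, hypothetical alternative.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exposure:
    """One asset facing one threat type."""
    asset: str
    threat: str
    asset_value: float           # AV, in currency units
    exposure_factor: float       # EF, fraction of AV lost per occurrence (0..1)
    years_between_events: float  # 10.0 means "once every ten years"

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence: expected events per 12-month period."""
        return 1.0 / self.years_between_events

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ale_after: float  # ALE with this control in place


def loss_savings(ale_before: float, control: Control) -> float:
    """How much expected loss the control removes each year."""
    return ale_before - control.ale_after


def control_value(ale_before: float, control: Control) -> float:
    """(ALE before) - (ALE after) - (annual cost); negative means it costs more than it saves."""
    return loss_savings(ale_before, control) - control.annual_cost


def rank_controls(ale_before: float, controls: List[Control]) -> List[Control]:
    """Best value first, so the first entry is the one worth funding (if its value is positive)."""
    return sorted(controls, key=lambda c: control_value(ale_before, c), reverse=True)


# Questions 25-27: remote office worth $800,000, fire once per ten years destroying 60%.
OFFICE_FIRE = Exposure("remote office", "fire", 800_000, 0.60, 10.0)

# Questions 22-24: the scenario states ALE before and after the firewall directly.
WEBSITE_ALE_BEFORE = 92_000
APP_FIREWALL = Control("application-layer firewall", annual_cost=65_000, ale_after=30_000)
# Constructed alternative (hypothetical figures, not from the exam guide).
WAF_MANAGED = Control("managed WAF service (hypothetical)", annual_cost=40_000, ale_after=45_000)


if __name__ == "__main__":
    print(f"{OFFICE_FIRE.asset}/{OFFICE_FIRE.threat}: "
          f"SLE={OFFICE_FIRE.sle:,.0f} ARO={OFFICE_FIRE.aro:.2f} ALE={OFFICE_FIRE.ale:,.0f}")
    for c in rank_controls(WEBSITE_ALE_BEFORE, [APP_FIREWALL, WAF_MANAGED]):
        print(f"{c.name}: saves {loss_savings(WEBSITE_ALE_BEFORE, c):,.0f}/yr, "
              f"value {control_value(WEBSITE_ALE_BEFORE, c):,.0f}/yr")
```

Running it reproduces the answers to Questions 22, 23, 25, 26 and 27, and ranks the hypothetical alternative above the firewall from the scenario because its net value is positive while the firewall's is –$3,000.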
QUESTION 28
The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain
information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces.
Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect
mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Unfortunately, you will run into questions on the CISSP exam that will be
this confusing, so you need to be ready for them. The proper mappings for the
ISO/IEC standards are as follows:
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security management
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management
measurement and metrics framework
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidance for bodies providing audit and certification of
information security management systems
QUESTION 29
The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but
can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so
that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into
place if an organization wants to integrate a way to improve its security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and
security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. Capability Maturity Model should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The best process improvement approaches provided in this list are Six
Sigma and the Capability Maturity Model. The following outlines the
definitions for all items in this question:
• TOGAF Model and methodology for the development of enterprise
architectures developed by The Open Group
• ITIL Processes to allow for IT service management developed by the
United Kingdom’s Office of Government Commerce
• Six Sigma Business management strategy that can be used to carry out
process improvement
• Capability Maturity Model Integration (CMMI) Organizational
development for process improvement developed by Carnegie Mellon
QUESTION 30
Use the following scenario to answer Questions 30–32.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows
that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has
determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that
some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank’s
personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open
the bank vault.
Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the
funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent
investigation activity?
A. Separation of duties
B. Rotation of duties
C. Mandatory vacations
D. Split knowledge
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Mandatory vacation is an administrative detective control that allows for an
organization to investigate an employee’s daily business activities to uncover
any potential fraud that may be taking place. The employee should be forced
to be away from the organization for a two-week period and another person
put into that role. The idea is that the person who was rotated into that
position may be able to detect suspicious activities.
QUESTION 31
Use the following scenario to answer Questions 30–32.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows
that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has
determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that
some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank’s
personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open
the bank vault.
If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
A. Separation of duties
B. Rotation of duties
C. Social engineering
D. Split knowledge
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Separation of duties is an administrative control that is put into place to
ensure that one person cannot carry out a critical task by himself. If a person
were able to carry out a critical task alone, this could put the organization
at risk. Collusion is when two or more people come together to carry out
fraud. So if a task was split between two people, they would have to carry out
collusion (working together) to complete that one task and carry out fraud.
QUESTION 32
Use the following scenario to answer Questions 30–32.
Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows
that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has
determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that
some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank’s
personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open
the bank vault.
Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those
situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing
in this scenario and what those specific controls provide?
A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventative
protection for Todd’s organization.
B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides
detective capabilities.
C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Dual control is an administrative preventative control. It ensures that
two people must carry out a task at the same time, as in two people having
separate keys when opening the vault. It is not a detective control. Notice
that the question asks what Todd is not doing. Remember that on the exam
you need to choose the best answer. In many situations you will not like
the question or the corresponding answers on the CISSP exam, so prepare
yourself. The questions can be tricky, which is one reason why the exam itself
is so difficult.
QUESTION 33
Use the following scenario to answer Questions 33–35.
Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with
ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification
scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The
company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he
finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.
Which of the following best describes what Sam should address first in this situation?
A. Integrate data protection roles and responsibilities within the security awareness training and require everyone to attend it within the next 15 days.
B. Review the current classification policies to ensure that they properly address the company’s risks.
C. Meet with senior management and get permission to enforce data owner tasks for each business unit manager.
D. Audit all of the current data protection controls in place to get a firm understanding of what vulnerabilities reside in the environment.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
While each answer is a good thing for Sam to carry out, the first thing
that needs to be done is to ensure that the policies properly address data
classification and protection requirements for the company. Policies provide
direction, and all other documents (standards, procedures, guidelines) and
security controls are derived from the policies and support them.
QUESTION 34
Use the following scenario to answer Questions 33–35.
Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with
ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification
scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The
company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he
finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.
Sam needs to get senior management to assign the responsibility of protecting specific data sets to the individual business unit managers, thus making them data
owners. Which of the following would be the most important in the criteria the managers would follow in the process of actually classifying data once this
responsibility has been assigned to them?
A. Usefulness of the data
B. Age of the data
C. Value of the data
D. Compliance requirements of the data
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Data is one of the most critical assets to any organization. The value of the
asset must be understood so that the organization knows which assets require
the most protection. There are many components that go into calculating the
value of an asset: cost of replacement, revenue generated from asset, amount
adversaries would pay for the asset, cost that went into the development of
the asset, productivity costs if asset was absent or destroyed, and liability costs
of not properly protecting the asset. So the data owners need to be able to
determine the value of the data to the organization for proper classification
purposes.
QUESTION 35
Use the following scenario to answer Questions 33–35.
Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with
ensuring that the company is better protected.
The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification
scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The
company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he
finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data.
From this scenario, what has the company accomplished so far?
A. Implementation of administrative controls
B. Implementation of operational controls
C. Implementation of physical controls
D. Implementation of logical controls
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The company has developed a data classification policy, which is an
administrative control.
QUESTION 36
Use the following scenario to answer Questions 36–38.
Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security
measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization?
A. Dual control
B. Redundancy
C. Training
D. Baselines
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The operations staff needs to know what minimum level of security is
required per system within the network. This minimum level of security is
referred to as a baseline. Once a baseline is set per system, the staff has
something to compare each system against, so that configuration changes that
were not made properly, and could leave the system vulnerable, can be detected.
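What "comparing the system against the baseline" looks like in practice, as an added example that is not part of the exam guide: a baseline is written down as the minimum required settings, the live configuration is parsed, and every deviation (a wrong value or a missing directive) is reported as drift. The baseline values and the sshd_config text below are constructed for illustration and are not a recommended hardening standard.

```python
"""Checking a system configuration against a security baseline (added example).

The baseline lists the minimum required settings for a system class. The
current configuration is parsed from a constructed sshd_config-style text
and each deviation is reported so operations staff can see where the
system has drifted from the approved baseline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None means the directive is absent (daemon default applies)


# Constructed baseline for this example (not a recommended standard).
SSH_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed sample of a drifted system's sshd_config.
SAMPLE_CONFIG = """
# sshd_config on host web-07 (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# X11Forwarding is commented out, so the daemon default applies
#X11Forwarding no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective value of each directive.

    Blank lines and comments are skipped; "Key value" and "Key=value" are
    accepted; the first occurrence of a key wins, which is how sshd itself
    resolves repeated directives.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            continue  # malformed line; ignore rather than guess
        key, value = parts[0], parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_against_baseline(current: Dict[str, str], baseline: Dict[str, str]) -> List[Finding]:
    """One Finding per baseline setting that is missing or has a different value."""
    findings: List[Finding] = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual))
    return findings


def is_compliant(config_text: str, baseline: Dict[str, str] = SSH_BASELINE) -> bool:
    return not check_against_baseline(parse_sshd_config(config_text), baseline)


if __name__ == "__main__":
    for f in check_against_baseline(parse_sshd_config(SAMPLE_CONFIG), SSH_BASELINE):
        print(f"DRIFT {f.key}: expected {f.expected!r}, found {f.actual!r}")
```

The important design point is that an absent directive is reported as drift rather than silently passing: a baseline check that only inspects keys present in the file would miss exactly the case where someone commented a setting out.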
QUESTION 37
Use the following scenario to answer Questions 36–38.
Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security
measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
Which of the following is the best way to illustrate to her boss the dangers of the current configuration issues?
A. Map the configurations to the compliance requirements.
B. Compromise a system to illustrate its vulnerability.
C. Audit the systems.
D. Carry out a risk assessment.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Susan needs to illustrate these vulnerabilities (misconfigured systems) in
the context of risk to her boss. This means she needs to identify the specific
vulnerabilities, associate threats to those vulnerabilities, and calculate their
risks. This will allow her boss to understand how critical these issues are and
what type of action needs to take place.
QUESTION 38
Use the following scenario to answer Questions 36–38.
Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security
measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not.
Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation.
Which of the following is one of the most likely solutions that Susan will come up with and present to her boss?
A. Development of standards
B. Development of training
C. Development of monitoring
D. Development of testing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Standards need to be developed that outline proper configuration
management processes and approved baseline configuration settings. Once
these standards are developed and put into place, then employees can be
trained on these issues and how to implement and maintain what is outlined
in the standards. Systems can be tested against what is laid out in the standards,
and systems can be monitored to detect if there are configurations that do not
meet the requirements outlined in the standards. You will find that some CISSP
questions seem subjective and their answers hard to pin down. Questions that
ask what is “best” or “more likely” are common.
Chapter 3 - Access Control
QUESTION 1
Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Compared with the other available authentication mechanisms, biometric
methods provide the highest level of protection and are the most expensive.
QUESTION 2
Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Passwords provide the least amount of protection, but are the cheapest
because they do not require extra readers (as with smart cards and memory
cards), do not require devices (as do biometrics), and do not require a lot of
overhead in processing (as in cryptography). Passwords are the most common
type of authentication method used today.
QUESTION 3
How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user’s password against a database of stored credentials.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
An asynchronous token device is based on challenge/response mechanisms.
The authentication service sends the user a challenge value, which the user
enters into the token. The token encrypts or hashes this value, and the user
uses this as her one-time password.
QUESTION 4
Which access control method is considered user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The DAC model allows users, or data owners, the discretion of letting other
users access their resources. DAC is implemented by ACLs, which the data
owner can configure.
QUESTION 5
Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Message authentication code (MAC) is a cryptographic function and is
not a key component of Kerberos. Kerberos is made up of a KDC, a realm
of principals (users, services, applications, and devices), an authentication
service, tickets, and a ticket granting service.
QUESTION 6
If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
It is easier on the administrator if she only has to create one role, assign
all of the necessary rights and permissions to that role, and plug a user into
that role when needed. Otherwise, she would need to assign and extract
permissions and rights on all systems as each individual came and left the
company.
QUESTION 7
The process of mutual authentication involves _______________.
A. A user authenticating to a system and the system authenticating to the user
B. A user authenticating to two systems at the same time
C. A user authenticating to a server and then to a process
D. A user authenticating, receiving a ticket, and then authenticating to a service
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Mutual authentication means it is happening in both directions. Instead
of just the user having to authenticate to the server, the server also must
authenticate to the user.
QUESTION 8
In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security officer
C. Security policy
D. Owner
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
This question may seem a little confusing if you were stuck between user
and owner. Only the data owner can decide who can access the resources
she owns. She may be a user and she may not. A user is not necessarily the
owner of the resource. Only the actual owner of the resource can dictate what
subjects can actually access the resource.
QUESTION 9
Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User’s workstation
C. Logon credentials
D. RADIUS
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
In a single sign-on technology, all users are authenticating to one source. If
that source goes down, authentication requests cannot be processed.
QUESTION 10
What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Biometrics is a technology that validates an individual’s identity by reading
a physical attribute. In some cases, biometrics can be used for identification,
but that was not listed as an answer choice.
QUESTION 11
What determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The security policy sets the tone for the whole security program. It dictates
the level of risk that management and the company are willing to accept. This
in turn dictates the type of controls and mechanisms to put in place to ensure
this level of risk is not exceeded.
QUESTION 12
Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An administrator does not need to revoke and reassign permissions to
individual users as they change jobs. Instead, the administrator assigns
permissions and rights to a role, and users are plugged into those roles.
QUESTION 13
Which of the following is the best description of directories that are used in identity management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDA.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Most enterprises have some type of directory that contains information
pertaining to the company’s network resources and users. Most directories
follow a hierarchical database format, based on the X.500 standard, and a
type of protocol, as in Lightweight Directory Access Protocol (LDAP), that
allows subjects and applications to interact with the directory. Applications
can request information about a particular user by making an LDAP request
to the directory, and users can request information about a specific resource
by using a similar request.
QUESTION 14
Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
User provisioning refers to the creation, maintenance, and deactivation of
user objects and attributes as they exist in one or more systems, directories,
or applications, in response to business processes. User provisioning software
may include one or more of the following components: change propagation,
self-service workflow, consolidated user administration, delegated user
administration, and federated change control. User objects may represent
employees, contractors, vendors, partners, customers, or other recipients of
a service. Services may include electronic mail, access to a database, access
to a file server or mainframe, and so on.
QUESTION 15
What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Password synchronization technologies can allow a user to maintain just
one password across multiple systems. The product will synchronize the
password to other systems and applications, which happens transparently
to the user.
QUESTION 16
Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly–based
B. Protocol anomaly–based
C. Temporal anomaly–based
D. Traffic anomaly–based
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An anomaly-based IDS is a behavioral-based system that learns the “normal”
activities of an environment. The three types are listed next:
• Statistical anomaly–based: Creates a profile of “normal” and compares
activities to this profile
• Protocol anomaly–based: Identifies protocols used outside of their
common bounds
• Traffic anomaly–based: Identifies unusual activity in network traffic
QUESTION 17
The next graphic covers which of the following:
A. Crossover error rate
B. Identity verification
C. Authorization rates
D. Authentication error rates
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
These steps are taken to convert the biometric input for identity verification:
i. A software application identifies specific points of data as match points.
ii. An algorithm is used to process the match points and translate that
information into a numeric value.
iii. Authentication is approved or denied when the database value is
compared with the end user input entered into the scanner.
QUESTION 18
The diagram shown next explains which of the following concepts:
A. Crossover error rate.
B. Type III errors.
C. FAR equals FRR in systems that have a high crossover error rate.
D. Biometrics is a high acceptance technology.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
This rating is stated as a percentage and represents the point at which the
false rejection rate equals the false acceptance rate. This rating is the most
important measurement when determining a biometric system’s accuracy.
• False Reject Rate (FRR), Type I error: rejects an authorized individual
• False Acceptance Rate (FAR), Type II error: accepts an impostor
QUESTION 19
The graphic shown here illustrates how which of the following works:
A. Rainbow tables
B. Dictionary attack
C. One-time password
D. Strong authentication
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Different types of one-time passwords are used for authentication. This
graphic illustrates a synchronous token device, which synchronizes with the
authentication service by using time or a counter as the core piece of the
authentication process.
QUESTION 20
Which of the following has the correct definition mapping?
i. Brute force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user’s password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The list has all the correct terms to definition mappings.
QUESTION 21
George is responsible for setting and tuning the thresholds for his company’s behavior-based IDS. Which of the following outlines the possibilities of not doing this
activity properly?
A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not
identified (false negatives).
B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not
identified (false positives).
C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not
identified (false negatives).
D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not
identified (false negatives).
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not
identified (false negatives).
QUESTION 22
Use the following scenario to answer Questions 22–24.
Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place.
The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon
obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control
components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords
for internal employees.
Which of the following changes would be best for Tom’s team to implement?
A. Move from namespaces to distinguished names.
B. Move from meta-directories to virtual directories.
C. Move from RADIUS to TACACS+.
D. Move from a centralized to a decentralized control model.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A meta-directory within an IDM physically contains the identity
information within an identity store. It allows identity information to be
pulled from various locations and be stored in one local system (identity
store). The data within the identity store are updated through a replication
process, which may take place weekly, daily, or hourly depending upon
configuration. Virtual directories use pointers to where the identity data reside
on the original system; thus, no replication processes are necessary. Virtual
directories usually provide the most up-to-date identity information since
they point to the original source of the data.
QUESTION 23
Use the following scenario to answer Questions 22–24.
Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place.
The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon
obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control
components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords
for internal employees.
Which of the following components should Tom make sure his team puts into place?
A. Single sign-on module
B. LDAP directory service synchronization
C. Web access management
D. X.500 database
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Web access management (WAM) is a component of most IDM products
that allows for identity management of web-based activities to be integrated
and managed centrally.
QUESTION 24
Use the following scenario to answer Questions 22–24.
Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place.
The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon
obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control
components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords
for internal employees.
Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company’s help-desk budgetary
issues?
A. Self-service password support
B. RADIUS implementation
C. Reduction of authoritative IdM sources
D. Implement a role-based access control model
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
If help-desk staff is spending too much time with password resetting, then
a technology should be implemented to reduce the amount of time paid
staff is spending on this task. The more tasks that can be automated through
technology, the less of the budget that has to be spent on staff. The following
are password management functionalities that are included in most IDM
products:
• Password Synchronization: Reduces the complexity of keeping up with
different passwords for different systems.
• Self-Service Password Reset: Reduces help-desk call volumes by allowing
users to reset their own passwords.
• Assisted Password Reset: Reduces the resolution process for password
issues for the help desk. This may include authentication with other types
of authentication mechanisms (biometrics, tokens).
QUESTION 25
Use the following scenario to answer Questions 25–27.
Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its
partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage
inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from
Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a
high-profile entity constantly dealing with zero-day attacks.
Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company’s need?
A. LDAP directories for authoritative sources
B. Digital identity provisioning
C. Active Directory
D. Federated identity
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Federated identification allows the company and its partners to share
customer authentication information. When a customer authenticates to a
partner web site, that authentication information can be passed to the retail
company, so when the customer visits the retail company’s web site, she
has less user profile information to submit, and the authentication steps
she has to go through during the purchase process could potentially be
reduced. If the companies have a set trust model and share the same or
similar federated identity management software and settings, this type of
structure and functionality is possible.
QUESTION 26
Use the following scenario to answer Questions 25–27.
Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its
partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage
inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from
Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a
high-profile entity constantly dealing with zero-day attacks.
Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of
the following best describes the two items that Lenny needs to be prepared to discuss with this team?
A. Service Provisioning Markup Language and the eXtensible Access Control Markup Language
B. Standard Generalized Markup Language and the Generalized Markup Language
C. Extensible Markup Language and the HyperText Markup Language
D. Service Provisioning Markup Language and the Generalized Markup Language
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Service Provisioning Markup Language (SPML) allows company
interfaces to pass service requests, and the receiving company provisions
(allows) access to these services. Both the sending and receiving companies
need to be following the XML standard, which will allow this type of
interoperability to take place. When using the eXtensible Access Control
Markup Language (XACML), application security policies can be shared
with other applications to ensure that both are following the same security
rules. The developers need to integrate both of these language types to allow
their partner employees to interact with their inventory systems without
having to conduct a second authentication step. The use of the languages can
reduce the complexity of inventory control between the different companies.
QUESTION 27
Use the following scenario to answer Questions 25–27.
Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its
partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage
inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from
Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a
high-profile entity constantly dealing with zero-day attacks.
Pertaining to the CEO’s security concerns, what should Lenny suggest the company put into place?
A. Security event management software, intrusion prevention system, and behavior-based intrusion detection
B. Security information and event management software, intrusion detection system, and signature-based protection
C. Intrusion prevention system, security event management software, and malware protection
D. Intrusion prevention system, security event management software, and war dialing protection
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Security event management software allows for network traffic to be viewed
holistically by gathering log data centrally and analyzing them. The intrusion
prevention system allows for proactive measures to be put into place to help
in stopping malicious traffic from entering the network. Behavior-based
intrusion detection can identify new types of attack (zero day) compared to
signature-based intrusion detection.
QUESTION 28
Use the following scenario to answer Questions 28–29.
Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able
to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP
telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain
access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the
CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.
Which of the following is the best remote access technology for this situation?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Diameter protocol extends the RADIUS protocol to allow for various
types of authentication to take place with a variety of different technologies
(PPP, VoIP, Ethernet, etc.). It has extensive flexibility and allows for the
centralized administration of access control.
QUESTION 29
Use the following scenario to answer Questions 28–29.
Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able
to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP
telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain
access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the
CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.
What are the two main security concerns Robbie is most likely being asked to identify and mitigate?
A. Social engineering and spear-phishing
B. War dialing and pharming
C. Spear-phishing and war dialing
D. Pharming and spear-phishing
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Spear-phishing is a targeted social engineering attack, which is what the
CIO’s secretary is most likely experiencing. War dialing is a brute force attack
against devices that use phone numbers, as in modems. If the modems can be
removed, the risk of war dialing attacks decreases.
QUESTION 30
Use the following scenario to answer Questions 30–32.
Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized
server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access
control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better
protect the data that have been classified and deemed critical to the company’s missions.
Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key
infrastructure.
Which of the following best describes what is currently in place?
A. Capability-based access system
B. Synchronous tokens that generate one-time passwords
C. RADIUS
D. Kerberos
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A capability-based access control system means that the subject (user)
has to present something which outlines what it can access. The item can
be a ticket, token, or key. A capability is tied to the subject for access control
purposes. A synchronous token is not being used, because the scenario
specifically states that a challenge/response mechanism is being used, which
indicates an asynchronous token.
QUESTION 31
Use the following scenario to answer Questions 30–32.
Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized
server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access
control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better
protect the data that have been classified and deemed critical to the company’s missions.
Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key
infrastructure.
Which of the following is one of the easiest and best items Tanya can look into for proper data protection?
A. Implementation of mandatory access control
B. Implementation of access control lists
C. Implementation of digital signatures
D. Implementation of multilevel security
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Systems that provide mandatory access control (MAC) and multilevel
security are very specialized, require extensive administration, are expensive,
and reduce user functionality. Implementing these types of systems is not
the easiest approach out of the list. Since there is no budget for a PKI, digital
signatures cannot be used because they require a PKI. In most environments
access control lists (ACLs) are in place and can be modified to provide tighter
access control. ACLs are bound to objects and outline what operations specific
subjects can carry out on them.
QUESTION 32
Use the following scenario to answer Questions 30–32.
Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized
server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access
control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better
protect the data that have been classified and deemed critical to the company’s missions.
Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key
infrastructure.
Which of the following is the best single sign-on technology for this situation?
A. SESAME
B. Kerberos
C. RADIUS
D. TACACS+
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
SESAME is a single sign-on technology that is based upon public key
cryptography; thus, it requires a PKI. Kerberos is based upon symmetric
cryptography; thus, it does not need a PKI. RADIUS and TACACS+ are remote
centralized access control protocols.
QUESTION 33
Use the following scenario to answer Questions 33–35.
Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal
employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship
management, inventory control, e-mail, and help-desk ticketing capabilities.
His team needs to allow different users access to these different services in a secure manner.
Which of the following best describes the type of environment Harry’s team needs to set up?
A. RADIUS
B. Service oriented architecture
C. Public key infrastructure
D. Web services
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A service oriented architecture will allow Harry’s team to create a centralized
web portal and offer the various services needed by internal and external
entities.
QUESTION 34
Use the following scenario to answer Questions 33–35.
Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal
employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship
management, inventory control, e-mail, and help-desk ticketing capabilities.
His team needs to allow different users access to these different services in a secure manner.
Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?
A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language
B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language
C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol
D. Service Provisioning Markup Language, Security Association Markup Language
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The most appropriate languages and protocols for the purpose laid out
in the scenario are Extensible Access Control Markup Language, Security
Assertion Markup Language, and Simple Object Access Protocol. Harry’s group
is not necessarily overseeing account provisioning, so the Service Provisioning
Markup Language is not necessary, and there is no language called “Security
Association Markup Language.”
QUESTION 35
Use the following scenario to answer Questions 33–35.
Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal
employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship
management, inventory control, e-mail, and help-desk ticketing capabilities.
His team needs to allow different users access to these different services in a secure manner.
The company’s partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company
boundaries. Which of the following will deal with this issue?
A. Service Provisioning Markup Language
B. Simple Object Access Protocol
C. Extensible Access Control Markup Language
D. Security Assertion Markup Language
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Security Assertion Markup Language allows the exchange of authentication
and authorization data to be shared between security domains. It is one of the
most used approaches to allow for single sign-on capabilities within a web-based
environment.
Chapter 4 - Security Architecture and Design
QUESTION 1
What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Certification is a technical review of a product, and accreditation is
management’s formal approval of the findings of the certification process.
This question asked you which step was the final step in authorizing a system
before it is used in an environment, and that is what accreditation is all about.
QUESTION 2
What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Maintenance hooks get around the system’s or application’s security and
access control checks by allowing whoever knows the key sequence to
access the application and most likely its code. Maintenance hooks should be
removed from any code before it gets into production.
QUESTION 3
If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The state machine model dictates that a system should start up securely,
carry out secure state transitions, and even fail securely. This means that if the
system encounters something it deems unsafe, it should change to a more
secure state for self-preservation and protection.
QUESTION 4
Which is the first level of the Orange Book that requires classification labeling of data?
A. B3
B. B2
C. B1
D. C2
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
These assurance ratings are from the Orange Book. B levels on up require
security labels be used, but the question asks which is the first level to require
this. B1 comes before B2 and B3, so it is the correct answer.
QUESTION 5
The Information Technology Security Evaluation Criteria was developed for which of the following?
A. International use
B. U.S. use
C. European use
D. Global use
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In ITSEC, the I does not stand for international; it stands for information.
This set of criteria was developed to be used by European countries to evaluate
and rate their products.
QUESTION 6
A guard is commonly used with a classified system. What is the main purpose of implementing and using a guard?
A. To ensure that less trusted systems only receive acknowledgments and not messages
B. To ensure proper information flow
C. To ensure that less trusted and more trusted systems have open architectures and interoperability
D. To allow multilevel and dedicated mode systems to communicate
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The guard accepts requests from the less trusted entity, reviews the request
to make sure it is allowed, and then submits the request on behalf of the less
trusted system. The goal is to ensure that information does not flow from a
high security level to a low security level in an unauthorized manner.
QUESTION 7
The trusted computing base (TCB) contains which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The TCB contains and controls all protection mechanisms within the
system, whether they are software, hardware, or firmware.
QUESTION 8
What is the imaginary boundary that separates components that maintain security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The security perimeter is a boundary between items that are within the TCB
and items that are outside the TCB. It is just a mark of delineation between
these two groups of items.
QUESTION 9
Which model deals only with confidentiality?
A. Bell-LaPadula
B. Clark-Wilson
C. Biba
D. Reference monitor
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Bell-LaPadula model was developed for the U.S. government with
the main goal of keeping sensitive data unreachable to those who were not
authorized to access and view it. This was the first mathematical model of a
multilevel security policy used to define the concepts of a security state and
mode of access and to outline rules of access. The Biba and Clark-Wilson
models do not deal with confidentiality, but with integrity instead.
QUESTION 10
What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The security kernel is a portion of the operating system’s kernel and
enforces the rules outlined in the reference monitor. It is the enforcer of the
rules and is invoked each time a subject makes a request to access an object.
QUESTION 11
In secure computing systems, why is there a logical form of separation used between processes?
A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only access protection levels above them.
C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.
D. The separation is hardware and not logical in nature.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Processes are assigned their own variables, system resources, and memory
segments, which make up their domain. This is done so they do not corrupt
each other’s data or processing activities.
QUESTION 12
What type of attack is taking place when a higher-level subject writes data to a storage area and a lower-level subject reads it?
A. TOC/TOU
B. Covert storage attack
C. Covert timing attack
D. Buffer overflow
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A covert channel is being used when something is using a resource for
communication purposes, and that is not the reason this resource was created.
A process can write to some type of shared media or storage place that
another process will be able to access. The first process writes to this media,
and the second process reads it. This action goes against the security policy of
the system.
QUESTION 13
What type of rating is used within the Common Criteria framework?
A. PP
B. EPL
C. EAL
D. A–D
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Common Criteria uses a different assurance rating system than the
previously used criteria. It has packages of specifications that must be met for a
product to obtain the corresponding rating. These ratings and packages are called
Evaluation Assurance Levels (EALs). Once a product achieves any type of rating,
customers can view this information on an Evaluated Products List (EPL).
QUESTION 14
Which best describes the *-integrity axiom?
A. No write up in the Biba model
B. No read down in the Biba model
C. No write down in the Bell-LaPadula model
D. No read up in the Bell-LaPadula model
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The *-integrity axiom (or star integrity axiom) indicates that a subject of a
lower integrity level cannot write to an object of a higher integrity level. This
rule is put into place to protect the integrity of the data that resides at the
higher level.
QUESTION 15
Which best describes the simple security rule?
A. No write up in the Biba model
B. No read down in the Biba model
C. No write down in the Bell-LaPadula model
D. No read up in the Bell-LaPadula model
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The simple security rule is implemented to ensure that any subject at a
lower security level cannot view data that resides at a higher level. The reason
this type of rule is put into place is to protect the confidentiality of the data
that resides at the higher level. This rule is used in the Bell-LaPadula model.
Remember that if you see “simple” in a rule, it pertains to reading, while * or
“star” pertains to writing.
QUESTION 16
Which of the following was the first mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access, and to
outline rules of access?
A. Biba
B. Bell-LaPadula
C. Clark-Wilson
D. State machine
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
This is a formal definition of the Bell-LaPadula model, which was
created and implemented to protect confidential government and military
information.
QUESTION 17
Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses.
Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses.
Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses.
Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses.
Absolute addresses are based on a known address and an offset value.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The physical memory addresses that the CPU uses are called absolute
addresses. The indexed memory addresses that software uses are referred to as
logical addresses. A relative address is a logical address which incorporates the
correct offset value.
QUESTION 18
Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has
several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous
environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an
effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software
development team starts to implement so that various business needs can be met?
A. ISO/IEC 42010:2007
B. Common Criteria
C. ISO/IEC 43010:2007
D. ISO/IEC 15408
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 42010:2007 is an international standard that outlines
specifications for system architecture frameworks and architecture languages.
It allows for systems to be developed in a manner that addresses all of the
stakeholders’ concerns.
QUESTION 19
Which of the following is an incorrect description pertaining to the common components that make up computer systems?
i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process characteristic data as in condition bits.
ii. A processor sends a memory address and a “read” request down an address bus and a memory address and “write” request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process.
A. i
B. i, ii
C. ii, iii
D. ii, iv
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A processor sends a memory address and a “read” request down an
address bus. The system reads data from that memory address and puts the
requested data on the data bus. A CPU uses a program counter to keep track
of the memory addresses containing the instruction sets it needs to process
in sequence. A stack pointer is a component used within memory stack
communication processes. An I/O bus is used by a peripheral device.
QUESTION 20
Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has
several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a
smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most
important aspects of the products Mark needs to purchase for these purposes?
A. Systems must provide symmetric multiprocessing capabilities and virtualized environments.
B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments.
C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments.
D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
When systems provide asymmetric multiprocessing, this means multiple
CPUs can be used for processing. Asymmetric indicates the capability of
assigning specific applications to one CPU so that they do not have to share
computing capabilities with other competing processes, which increases
performance. Since a smaller number of computers can fit in the new
location, virtualization should be deployed to allow for several different
systems to share the same physical computer platforms.
QUESTION 21
Use the following scenario to answer Questions 21–23. Tom is a new security manager who is responsible for reviewing the current software that the company has
developed internally.
He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program
stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform
more slowly, but by rebooting the systems this issue goes away. He also notices that the identification, authentication, and authorization steps built into one software
package are carried out by individual and distinct software procedures.
Which of the following best describes a characteristic of the software that may be causing issues?
A. Cooperative multitasking
B. Preemptive multitasking
C. Maskable interrupt use
D. Nonmaskable interrupt use
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Cooperative multitasking means that a developer of an application has to
properly code his software to release system resources when the application
is finished using them, or the other software running on the system could be
negatively affected. In this type of situation an application could be poorly
coded and not release system resources, which would negatively affect other
software running on the system. In a preemptive multitasking environment,
the operating system would have more control of system resource allocation
and provide more protection for these types of situations.
QUESTION 22
Use the following scenario to answer Questions 21–23. Tom is a new security manager who is responsible for reviewing the current software that the company has
developed internally.
He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program
stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform
more slowly, but by rebooting the systems this issue goes away. He also notices that the identification, authentication, and authorization steps built into one software
package are carried out by individual and distinct software procedures.
Which of the following best describes why rebooting helps with system performance in the situation described in this scenario?
A. Software is not using cache memory properly.
B. Software is carrying out too many mode transitions.
C. Software is working in ring 0.
D. Software is not releasing unused memory.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
When software is poorly written, it could be allocating memory and not
properly releasing it. This can affect the performance of the whole system,
since all software processes have to share a limited supply of memory. When
a system is rebooted, the memory allocation constructs are reset.
QUESTION 23
Use the following scenario to answer Questions 21–23. Tom is a new security manager who is responsible for reviewing the current software that the company has
developed internally.
He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program
stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform
more slowly, but by rebooting the systems this issue goes away. He also notices that the identification, authentication, and authorization steps built into one software
package are carried out by individual and distinct software procedures.
What security issue is Tom most likely concerned with in this situation?
A. Time of check\time of use
B. Maintenance hooks
C. Input validation errors
D. Unauthorized loaded kernel modules
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A time-of-check\time-of-use attack takes place when an attacker is able to
change an important parameter while the software is carrying out a sequence
of steps. If an attacker could manipulate the authentication steps, she could
potentially gain access to resources in an unauthorized manner before being
properly identified and authenticated.
QUESTION 24
Use the following scenario to answer Questions 24–27. Sarah’s team must build a new operating system for her company’s internal functionality requirements. The
system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to
their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that
the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.
Which of the following is a required characteristic of the system Sarah’s team must build?
A. Multilevel security
B. Dedicated mode capability
C. Simple security rule
D. Clark-Wilson constructs
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A multilevel security system allows for data at different classification levels
to be processed and allows users with different clearance levels to interact
with the system securely.
QUESTION 25
Use the following scenario to answer Questions 24–27. Sarah’s team must build a new operating system for her company’s internal functionality requirements. The
system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to
their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that
the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.
Which of the following reasons best describes her boss’s suggestion on the kernel design of the new system?
A. Hardware layer abstraction for portability capability
B. Layered functionality structure
C. Reduced mode transition requirements
D. Central location of all critical operating system processes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A hybrid microkernel architecture means that all kernel processes work
within kernel mode, which reduces the amount of mode transitions. The
reduction of mode transitions reduces performance issues because the CPU
does not have to change from user mode to kernel mode as many times
during its operation.
QUESTION 26
Use the following scenario to answer Questions 24–27. Sarah’s team must build a new operating system for her company’s internal functionality requirements. The
system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to
their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that
the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.
Which of the following is a characteristic that this new system will need to implement?
A. Multiprogramming
B. Simple integrity axiom
C. Mandatory access control
D. Formal verification
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Since the new system must achieve a rating of EAL 6, it must implement
mandatory access control capabilities. This is an access control model that
allows users with different clearances to be able to interact with a system that
processes data of different classification levels in a secure manner. The rating
of EAL 6 requires semiformally verified design and testing, whereas EAL 7
requires verified design and testing.
QUESTION 27
Use the following scenario to answer Questions 24–27. Sarah’s team must build a new operating system for her company’s internal functionality requirements. The
system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to
their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that
the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process.
Which of the following best describes one of the system requirements outlined in this scenario and how it should be implemented?
A. Data hiding should be implemented through memory deallocation.
B. Data hiding should be implemented through properly developed interfaces.
C. Data hiding should be implemented through a monolithic architecture.
D. Data hiding should be implemented through multiprogramming.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Data hiding means that certain functionality and/or data is “hidden,” or
not available to specific processes. For processes to be able to interact with
other processes and system services, they need to be developed with the
necessary interfaces that restrict communication flows between processes.
Data hiding is a protection mechanism that segregates trusted and untrusted
processes from each other through the use of strict software interface design.
QUESTION 28
Use the following scenario to answer Questions 28–30. Steve has found out that the software product that his team submitted for evaluation did not achieve the
actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being
deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the
software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout
randomization and data execution protection.
Which of the following best describes Steve’s confusion?
A. Certification must happen first before the evaluation process can begin.
B. Accreditation is the acceptance from management, which must take place before the evaluation process.
C. Evaluation, certification, and accreditation are carried out by different groups with different purposes.
D. Evaluation requirements include certification and accreditation components.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Evaluation, certification, and accreditation are carried out by different
groups with different purposes. Evaluations are carried out by qualified
third parties who use specific evaluation criteria (Orange Book, ITSEC,
Common Criteria) to assign an assurance rating to a tested product. A
certification process is a technical review commonly carried out internally to
an organization, and accreditation is management’s formal acceptance that is
carried out after the certification process. A system can be certified internally
by a company and not pass an evaluation testing process because they are
completely different things.
QUESTION 29
Use the following scenario to answer Questions 28–30. Steve has found out that the software product that his team submitted for evaluation did not achieve the
actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being
deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the
software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout
randomization and data execution protection.
Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized
manner?
A. Improved security kernel processes
B. Improved security perimeter processes
C. Improved application programming interface processes
D. Improved garbage collection processes
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
If device drivers can be loaded improperly, then either the access control
rules outlined within the reference monitor need to be improved upon
or the current rules need to be better enforced through the security kernel
processes. Only authorized subjects should be able to install sensitive software
components that run within ring 0 of a system.
QUESTION 30
Use the following scenario to answer Questions 28–30. Steve has found out that the software product that his team submitted for evaluation did not achieve the
actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being
deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the
software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout
randomization and data execution protection.
Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product?
A. Non-protected ROM sections
B. Vulnerabilities that allowed malicious code to execute in protected memory sections
C. Lack of a predefined and implemented trusted computing base
D. Lack of a predefined and implemented security kernel
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
If testers suggested to the team that address space layout randomization
and data execution protection should be integrated, this is most likely because
the system allows for malicious code to easily execute in memory sections
that would be dangerous to the system. These are both memory protection
approaches.
QUESTION 31
John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser
inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this
type of issue?
A. Application is written in the C programming language.
B. Application is not carrying out enforcement of the trusted computing base.
C. Application is running in ring 3 of a ring-based architecture.
D. Application is not interacting with the memory manager properly.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The C language is susceptible to buffer overflow attacks because it allows
for direct pointer manipulations to take place. Specific commands can provide
access to low-level memory addresses without carrying out bounds checking.
Chapter 5 - Physical and Environmental Security
QUESTION 1
What is the first step that should be taken when a fire has been detected?
A. Turn off the HVAC system and activate fire door releases.
B. Determine which type of fire it is.
C. Advise individuals within the building to leave.
D. Activate the fire suppression system.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Human life takes precedence. Although the other answers are important
steps in this type of situation, the first step is to warn others and save as many
lives as possible.
QUESTION 2
A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The depth of field refers to the portion of the environment that is in focus
when shown on the monitor. The depth of field varies depending upon the
size of the lens opening, the distance of the object being focused on, and the
focal length of the lens. The depth of field increases as the size of the lens
opening decreases, the subject distance increases, or the focal length of the
lens decreases. So if you want to cover a large area and not focus on specific
items, it is best to use a wide-angle lens and a small lens opening.
QUESTION 3
When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A Class C fire is an electrical fire. Thus, an extinguisher with the proper
suppression agent should be used. The following table shows the fire types,
their attributes, and suppression methods:
QUESTION 4
Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses will carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Manual iris lenses have a ring around the CCTV lens that can be manually
turned and controlled. A lens that has a manual iris would be used in an area
that has fixed lighting, since the iris cannot self-adjust to changes of light. An
auto iris lens should be used in environments where the light changes, such
as an outdoor setting. As the environment brightens, this is sensed by the
iris, which automatically adjusts itself. Security personnel will configure the
CCTV to have a specific fixed exposure value, which the iris is responsible for
maintaining. The other answers are true.
QUESTION 5
How does halon fight fires?
A. It reduces the fire’s fuel intake.
B. It reduces the temperature of the area and cools the fire out.
C. It disrupts the chemical reactions of a fire.
D. It reduces the oxygen in the area.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Halon is a type of gas used to interfere with the chemical reactions between
the elements of a fire. A fire requires fuel, oxygen, high temperatures, and
chemical reactions to burn properly. Different suppressant agents have been
developed to attack each aspect of a fire: CO2 displaces the oxygen, water
reduces the temperature, and soda acid removes the fuel.
QUESTION 6
What is a mantrap?
A. A trusted security domain
B. A logical access control mechanism
C. A double-door room used for physical access control
D. A fire suppression device
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A mantrap is a small room with two doors. The first door is locked; a person
is identified and authenticated by a security guard, biometric system, smart
card reader, or swipe card reader. Once the person is authenticated and access
is authorized, the first door opens and allows the person into the mantrap. The
first door locks and the person is trapped. The person must be authenticated
again before the second door unlocks and allows him into the facility.
QUESTION 7
What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A transponder is a type of physical access control device that does not
require the user to slide a card through a reader. The reader and card
communicate directly. The card and reader have a receiver, transmitter, and
battery. The reader sends signals to the card to request information. The card
sends the reader an access code.
QUESTION 8
When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Although many effective physical security mechanisms are on the market
today, none can look at a situation, make a judgment about it, and decide what
the next step should be. A security guard is employed when a company needs to
have a countermeasure that can think and make decisions in different scenarios.
QUESTION 9
Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
An electrostatic IDS creates an electrostatic field, which is just an electric
field associated with static electric charges. The IDS creates a balanced
electrostatic field between itself and the object being monitored. If an intruder
comes within a certain range of the monitored object, there is capacitance
change. The IDS can detect this change and sound an alarm.
QUESTION 10
What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
This type of system is sensitive to sounds and vibrations and detects the
changes in the noise level of an area it is placed within. This level of sensitivity
can cause many false alarms. These devices do not emit any waves; they only
listen for sounds within an area and are considered passive devices.
QUESTION 11
Which of the following is an example of glare protection?
A. Using automated iris lenses with short focal lengths
B. Using standby lighting, which is produced by a CCTV camera
C. Directing light toward entry points and away from a security force post
D. Ensuring that the lighting system uses positive pressure
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
When lighting is installed, it should be directed toward areas where
potential intruders would most likely be coming from, and directed away
from the security force posts. For example, lighting should be pointed at gates
or exterior access points, and the guard locations should be in the shadows, or
under a lower amount of illumination. This is referred to as “glare protection”
for the security force.
QUESTION 12
Which of the following is not a main component of CPTED?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Target hardening
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Natural access control is the use of the environment to control access to
entry points, such as using landscaping and bollards. An example of natural
surveillance is the construction of pedestrian walkways so there is a clear line
of sight of all the activities in the surroundings. Territorial reinforcement gives
people a sense of ownership of a property, giving them a greater tendency to
protect it. These concepts are all parts of CPTED. Target hardening has to do
with implementing locks, security guards, and proximity devices.
QUESTION 13
Which problems may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes corrosion, and low humidity causes static electricity.
C. High humidity causes power fluctuations, and low humidity causes static electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
High humidity can cause corrosion, and low humidity can cause excessive
static electricity. Static electricity can short-out devices or cause loss of
information.
QUESTION 14
What does positive pressurization pertaining to ventilation mean?
A. When a door opens, the air comes in.
B. When a fire takes place, the power supply is disabled.
C. When a fire takes place, the smoke is diverted to one room.
D. When a door opens, the air goes out.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Positive pressurization means that when someone opens a door, the air
goes out, and outside air does not come in. If a facility were on fire and the
doors were opened, positive pressure would cause the smoke to go out instead
of being pushed back into the building.
QUESTION 15
Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The categories of controls that should make up any physical security
program are deterrence, delaying, detection, assessment, and response.
Lighting is a control itself, not a category of controls.
QUESTION 16
Which is not an administrative control pertaining to emergency procedures?
A. Intrusion detection systems
B. Awareness and training
C. Drills and inspections
D. Delegation of duties
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Awareness and training, drills and inspections, and delegation of duties are
all items that have a direct correlation to proper emergency procedures. It is
management’s responsibility to ensure that these items are in place, properly
tested, and carried out. Intrusion detection systems are technical or physical
controls—not administrative.
QUESTION 17
If an access control has a fail-safe characteristic but not a fail-secure characteristic, what does that mean?
A. It defaults to no access.
B. It defaults to being unlocked.
C. It defaults to being locked.
D. It defaults to sounding a remote alarm instead of a local alarm.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A fail-safe setting means that if a power disruption were to affect the
automated locking system, the doors would default to being unlocked. A fail-secure
configuration means a door would default to being locked if there were
any problems with the power.
QUESTION 18
Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Every physical security program should have delaying mechanisms, which have
the purpose of slowing down an intruder so security personnel can be alerted and
arrive at the scene. A warning sign is a deterrence control, not a delaying control.
QUESTION 19
What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A user-activated system requires the user to do something: swipe the card
through the reader and/or enter a code. A system sensing device recognizes
the presence of the card and communicates with it without the user needing
to carry out any activity.
QUESTION 20
Which of the following answers best describes the relationship between a risk analysis, acceptable risk level, baselines, countermeasures, and metrics?
A. The risk analysis output is used to determine the proper countermeasures required. Baselines are derived to measure these countermeasures. Metrics are used
to track countermeasure performance to ensure baselines are being met.
B. The risk analysis output is used to help management understand and set an acceptable risk level. Baselines are derived from this level. Metrics are used to
track countermeasure performance to ensure baselines are being met.
C. The risk analysis output is used to help management understand and set baselines. An acceptable risk level is derived from these baselines. Metrics are used to
track countermeasure performance to ensure baselines are being met.
D. The risk analysis output is used to help management understand and set an acceptable risk level. Baselines are derived from the metrics. Metrics are used to
track countermeasure performance to ensure baselines are being met.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The physical security team needs to carry out a risk analysis, which will
identify the organization’s vulnerabilities, threats, and business impacts. The
team should present these findings to management and work with them to
define an acceptable risk level for the physical security program. From there,
the team should develop baselines (minimum levels of security) and metrics
to properly evaluate and determine whether the baselines are being met by the
implemented countermeasures. Once the team identifies and implements the
countermeasures, the countermeasures’ performance should be continually
evaluated and expressed in the previously created metrics. These performance
values are compared against the set baselines. If the baselines are continually
maintained, then the security program is successful because the company’s
acceptable risk level is not being exceeded.
QUESTION 21
Most of today’s CCTV systems use charged-coupled devices. Which of the following is not a characteristic of these devices?
A. Receives input through the lenses and converts it into an electronic signal
B. Captures signals in the infrared range
C. Provides better-quality images
D. Records data on hard drives instead of tapes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The CCD is an electrical circuit that receives input light from the lens and
converts it into an electronic signal, which is then displayed on the monitor.
Images are focused through a lens onto the CCD chip surface, which forms
the electrical representation of the optical image. This technology allows the
capture of extraordinary details of objects and precise representation because
it has sensors that work in the infrared range, which extends beyond human
perception. The CCD sensor picks up this extra “data” and integrates it into
the images shown on the monitor, to allow for better granularity and quality
in the video. CCD does not record data.
QUESTION 22
Which is not a drawback to installing intrusion detection and monitoring systems?
A. It’s expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It’s subject to false alarms.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Monitoring and intrusion detection systems are expensive, require someone
to respond when they set off an alarm, and, because of their level of sensitivity,
can cause several false alarms. Like any other type of technology or device, they
have their own vulnerabilities that can be exploited and penetrated.
QUESTION 23
What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Cipher locks, also known as programmable locks, use keypads to control
access into an area or facility. The lock can require a swipe card and a specific
combination that’s entered into the keypad.
QUESTION 24
If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A security guard would want to be alerted when a door has been open for
an extended period. It may be an indication that something is taking place
other than a person entering or exiting the door. A security system can have
a threshold set so that if the door is open past the defined time period, an
alarm sounds.
QUESTION 25
Which of the following best describes the difference between a warded lock and a tumbler lock?
A. A tumbler lock is more simplistic and easier to circumvent than a warded lock.
B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders.
C. A tumbler lock has more components than a warded lock.
D. A warded lock is mainly used externally, and a tumbler lock is used internally.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The tumbler lock has more pieces and parts than a warded lock. The key
fits into a cylinder, which raises the lock metal pieces to the correct height so
the bolt can slide to the locked or unlocked position. A warded lock is easier
to circumvent than a tumbler lock.
QUESTION 26
During the construction of her company’s facility, Mary has been told that light frame construction material has been used to build the internal walls. Which of the
following best describes why Mary is concerned about this issue?
i. It provides the least amount of protection against fire.
ii. It provides the least amount of protection against forcible entry attempts.
iii. It is noncombustible.
iv. It provides the least amount of protection for mounting walls and windows.
A. i, iii
B. i, ii
C. ii, iii
D. ii, iii, iv
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Light frame construction material provides the least amount of protection
against fire and forcible entry attempts. It is composed of untreated lumber
that would be combustible during a fire. Light frame construction material is
usually used to build homes, primarily because it is cheap, but also because
homes typically are not under the same types of fire and intrusion threats that
office buildings are.
QUESTION 27
Which of the following is not true pertaining to facility construction characteristics?
i. Calculations of approximate penetration times for different types of explosives and attacks are based on the thickness of the concrete walls and the gauge of
rebar used.
ii. Using thicker rebar and properly placing it within the concrete provides increased protection.
iii. Reinforced walls, rebar, and the use of double walls can be used as delaying mechanisms.
iv. Steel rods encased in concrete are referred to as rebar.
A. All of them
B. None of them
C. iii
D. i, ii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Calculations of approximate penetration times for different types of
explosives and attacks are based on the thickness of the concrete walls and
the gauge of rebar used. (Rebar refers to the steel rods encased within the
concrete.) So even if the concrete were damaged, it would take longer to
actually cut or break through the rebar. Using thicker rebar and properly
placing it within the concrete provides even more protection. Reinforced
walls, rebar, and the use of double walls can be used as delaying mechanisms.
The idea is that it will take the bad guy longer to get through two reinforced
walls, which gives the response force sufficient time to arrive at the scene and
stop the attacker.
QUESTION 28
It is important to choose the correct type of windows when building a facility. Each type of window provides a different level of protection. Which of the following is a
correct description of window glass types?
i. Standard glass is made by heating the glass and then suddenly cooling it.
ii. Tempered glass windows are commonly used in residential homes and are easily broken.
iii. Acrylic glass has two sheets of glass with a plastic film in between.
iv. Laminated glass can be made out of polycarbonate acrylic, which is stronger than standard glass but produces toxic fumes if burned.
A. ii, iii
B. ii, iii, iv
C. None of them
D. All of them
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Standard glass windows are commonly used in residential homes and are
easily broken. Tempered glass is made by heating the glass and then suddenly
cooling it. This increases its mechanical strength, which means it can handle
more stress and is harder to break. It is usually five to seven times stronger
than standard glass. Acrylic glass can be made out of polycarbonate acrylic,
which is stronger than standard glass but produces toxic fumes if burned.
Laminated glass has two sheets of glass with a plastic film in between. This
added plastic makes it much more difficult to break the window.
QUESTION 29
Sandy needs to implement the right type of fencing in an area where there is no foot traffic or observation capabilities. Sandy has decided to implement a Perimeter
Intrusion Detection and Assessment System. Which of the following is not a characteristic of this type of fence?
i. It has sensors located on the wire mesh and at the base of the fence.
ii. It cannot detect if someone attempts to cut or climb the fence.
iii. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected.
iv. It can cause many false alarms.
A. i
B. ii
C. iii, iv
D. i, ii, iv
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of
fencing that has sensors located on the wire mesh and at the base of the fence.
It is used to detect if someone attempts to cut or climb the fence. It has a
passive cable vibration sensor that sets off an alarm if an intrusion is detected.
PIDAS is very sensitive and can cause many false alarms.
QUESTION 30
CCTV lenses have irises, which control the amount of light that enters the lens. Which of the following has an incorrect characteristic of the types of CCTV irises
that are available?
i. Automated iris lenses have a ring around the CCTV lens that can be manually turned and controlled.
ii. A lens with a manual iris would be used in areas that have fixed lighting, since the iris cannot self-adjust to changes of light.
iii. An auto iris lens should be used in environments where the light changes, as in an outdoor setting.
iv. As the environment brightens, this is sensed by the manual iris, which automatically adjusts itself.
A. i, iv
B. i, ii, iii
C. i, ii
D. i, ii, iv
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
CCTV lenses have irises, which control the amount of light that enters
the lens. Manual iris lenses have a ring around the CCTV lens that can be
manually turned and controlled. A lens with a manual iris would be used
in areas that have fixed lighting, since the iris cannot self-adjust to changes
of light. An auto iris lens should be used in environments where the light
changes, as in an outdoor setting. As the environment brightens, this is
sensed by the iris, which automatically adjusts itself. Security personnel will
configure the CCTV to have a specific fixed exposure value, which the iris is
responsible for maintaining. On a sunny day, the iris lens closes to reduce the
amount of light entering the camera, while at night, the iris opens to capture
more light—just like our eyes.
Chapter 6 - Telecommunications and Network Security
QUESTION 1
What does it mean if someone says they were a victim of a Bluejacking attack?
A. An unsolicited message was sent.
B. A cell phone was cloned.
C. An IM channel introduced a worm.
D. Traffic was analyzed.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Bluejacking occurs when someone sends an unsolicited message to a device
that is Bluetooth-enabled. Bluejackers look for a receiving device (phone,
PDA, tablet PC, laptop) and then send a message to it. Often, the Bluejacker
is trying to send someone else their business card, which will be added to the
victim’s contact list in their address book.
QUESTION 2
How does TKIP provide more protection for WLAN environments?
A. It uses the AES algorithm.
B. It decreases the IV size and uses the AES algorithm.
C. It adds more keying material.
D. It uses MAC and IP filtering.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The TKIP protocol actually works with WEP by feeding it keying material,
which is data to be used for generating random keystreams. TKIP increases
the IV size, ensures it is random for each packet, and adds the sender’s MAC
address to the keying material.
QUESTION 3
Which of the following is not a characteristic of the IEEE 802.11a standard?
A. It works in the 5GHz range.
B. It uses the OFDM spread spectrum technology.
C. It provides 52 Mbps in bandwidth.
D. It covers a smaller distance than 802.11b.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The IEEE standard 802.11a uses the OFDM spread spectrum technology,
works in the 5GHz frequency band, and provides bandwidth of up to 54
Mbps. The operating range is smaller because it works at a higher frequency.
QUESTION 4
Why are switched infrastructures safer environments than routed networks?
A. It is more difficult to sniff traffic since the computers have virtual private connections.
B. They are just as unsafe as nonswitched environments.
C. The data link encryption does not permit wiretapping.
D. Switches are more intelligent than bridges and implement security mechanisms.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Switched environments use switches to allow different network segments
and/or systems to communicate. When this communication takes place, a
virtual connection is set up between the communicating devices. Since it is a
dedicated connection, broadcast and collision data are not available to other
systems, as in an environment that uses purely bridges and routers.
QUESTION 5
Which of the following protocols is considered connection-oriented?
A. IP
B. ICMP
C. UDP
D. TCP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
TCP is the only connection-oriented protocol listed. A connection-oriented
protocol provides reliable connectivity and data transmission, while
a connectionless protocol provides unreliable connections and does not
promise or ensure data transmission.
QUESTION 6
Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the
data link layer?
A. Open relay manipulation
B. VLAN hopping attack
C. Hypervisor denial-of-service attack
D. Smurf attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
VLAN hopping attacks allow attackers to gain access to traffic in various
VLAN segments. An attacker can have a system act as though it is a switch.
The system understands the tagging values being used in the network and
the trunking protocols, and can insert itself between other VLAN devices and
gain access to the traffic going back and forth. Attackers can also insert tagging
values to manipulate the control of traffic at this data link layer.
QUESTION 7
Which of the following proxies cannot make access decisions based upon protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Application and circuit are the only types of proxy-based firewall solutions
listed here. The others do not use proxies. Circuit-based proxy firewalls
make decisions based on header information, not the protocol’s command
structure. Application-based proxies are the only ones that understand this
level of granularity about the individual protocols.
QUESTION 8
Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor
component?
A. Orthogonal frequency division
B. Unified threat management modem
C. Virtual firewall
D. Internet Security Association and Key Management Protocol
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Virtual firewalls can be bridge-mode products, which monitor individual
traffic links between virtual machines, or they can be integrated within the
hypervisor. The hypervisor is the software component that carries out virtual
machine management and oversees guest system software execution. If the
firewall is embedded within the hypervisor, then it can “see” and monitor all
the activities taking place within the one system.
QUESTION 9
Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?
A. Data link, session, application, transport, and network
B. Data link, transport, application, session, and network
C. Network, session, application, network, and transport
D. Network, transport, application, session, and presentation
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The OSI model is made up of seven layers: application (layer 7), presentation
(layer 6), session (layer 5), transport (layer 4), network (layer 3), data link (layer
2), and physical (layer 1).
QUESTION 10
Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined
processes?
A. Network convergence
B. Security as a service
C. Unified Threat Management
D. Integrated convergence management
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
It has become very challenging to manage the long laundry list of security
solutions almost every network needs to have in place. The list includes, but
is not limited to, firewalls, antimalware, antispam, IDS\IPS, content filtering,
data leak prevention, VPN capabilities, and continuous monitoring and
reporting. Unified Threat Management (UTM) appliance products have been
developed that provide all (or many) of these functionalities into a single
network appliance. The goals of UTM are simplicity, streamlined installation
and maintenance, centralized control, and the ability to understand a
network’s security from a holistic point of view.
QUESTION 11
Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best
describes these network infrastructure layers?
A. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a core network. The metro layer is the
metropolitan area network. The core connects different metro networks.
B. The access layer connects the customer’s equipment to a service provider’s core network. Aggregation occurs on a distribution network at the core.
The metro layer is the metropolitan area network.
C. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer
is the metropolitan area network. The core connects different access layers.
D. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer
is the metropolitan area network. The core connects different metro networks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The access layer connects the customer’s equipment to a service provider’s
aggregation network. Aggregation occurs on a distribution network. The metro
layer is the metropolitan area network. The core connects different metro
networks.
QUESTION 12
Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?
A. Authentication header protocol provides data integrity, data origin authentication, and protection from replay attacks.
B. Encapsulating security payloads protocol provides confidentiality, data origin authentication, and data integrity.
C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.
D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Authentication header protocol provides data integrity, data origin
authentication, and protection from replay attacks. Encapsulating security
payloads protocol provides confidentiality, data origin authentication, and
data integrity. Internet Security Association and Key Management Protocol
provides a framework for security association creation and key exchange.
Internet Key Exchange provides authenticated keying material for use with
the Internet Security Association and Key Management Protocol.
QUESTION 13
Systems that are built on the OSI framework are considered open systems.
What does this mean?
A. They do not have authentication mechanisms configured by default.
B. They have interoperability issues.
C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems.
D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An open system is a system that has been developed based on standardized
protocols and interfaces. Following these standards allows the systems to
interoperate more effectively with other systems that follow the same standards.
QUESTION 14
Which of the following protocols work in the following layers: application, data link, network, and transport?
A. FTP, ARP, TCP, and UDP
B. FTP, ICMP, IP, and UDP
C. TFTP, ARP, IP, and UDP
D. TFTP, RARP, IP, and ICMP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Different protocols have different functionalities. The OSI model is an
attempt to describe conceptually where these different functionalities take
place in a networking stack. The model attempts to draw boxes around
reality to help people better understand the stack. Each layer has a specific
functionality and has several different protocols that can live at that layer
and carry out that specific functionality. These listed protocols work at these
associated layers: TFTP (application), ARP (data link), IP (network), and UDP
(transport).
QUESTION 15
Which of the following allows for the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the
needs of dynamic computing workloads?
A. Software as a Service
B. Network convergence
C. IEEE 802.1x
D. RAID
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Network convergence means the combining of server, storage, and network
capabilities into a single framework. This helps to decrease the costs and
complexity of running data centers and has accelerated the evolution of cloud
computing. Converged infrastructures provide the ability to pool resources,
automate resource provisioning, and increase and decrease processing
capacity quickly to meet the needs of dynamic computing workloads.
QUESTION 16
What takes place at the data link layer?
A. End-to-end connection
B. Dialog control
C. Framing
D. Data syntax
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The data link layer, in most cases, is the only layer that understands the
environment in which the system is working, whether it be Ethernet, Token
Ring, wireless, or a connection to a WAN link. This layer adds the necessary
headers and trailers to the frame. Other systems on the same type of network
using the same technology understand only the specific header and trailer
format used in their data link technology.
QUESTION 17
What takes place at the session layer?
A. Dialog control
B. Routing
C. Packet sequencing
D. Addressing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The session layer is responsible for controlling how applications
communicate, not how computers communicate. Not all applications use
protocols that work at the session layer, so this layer is not always used in
networking functions. A session layer protocol will set up the connection to
the other application logically and control the dialog going back and forth.
Session layer protocols allow applications to keep track of the dialog.
QUESTION 18
Which best describes the IP protocol?
A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction
B. A connectionless protocol that deals with the addressing and routing of packets
C. A connection-oriented protocol that deals with the addressing and routing of packets
D. A connection-oriented protocol that deals with sequencing, error detection, and flow control
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The IP protocol is connectionless and works at the network layer. It adds
source and destination addresses to a packet as it goes through its data
encapsulation process. IP can also make routing decisions based on the
destination address.
QUESTION 19
Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?
A. Authentication protocol used in wireless networks and point-to-point connections
B. Designed to provide authentication for 802.11 WLANs
C. Designed to support 802.1X port access control and transport layer security
D. Designed to support password-protected connections
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
PEAP (Protected Extensible Authentication Protocol) is a version of EAP
and is an authentication protocol used in wireless networks and point-to-point
connections. PEAP is designed to provide authentication for 802.11
WLANs, which support 802.1X port access control and TLS. It is a protocol
that encapsulates EAP within a potentially encrypted and authenticated TLS
tunnel.
QUESTION 20
The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP.
A. Session Initiation Protocol
B. Real-time Transport Protocol
C. SS7
D. VoIP
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Session Initiation Protocol (SIP) is an IETF-defined signaling protocol,
widely used for controlling multimedia communication sessions such as voice
and video calls over IP. The protocol can be used for creating, modifying, and
terminating two-party (unicast) or multiparty (multicast) sessions consisting
of one or several media streams.
QUESTION 21
Which of the following is not one of the stages of the DHCP lease process?
i. Discover
ii. Offer
iii. Request
iv. Acknowledgment
A. All of them
B. None of them
C. i, ii
D. ii, iii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The four-step DHCP lease process (often abbreviated DORA) is:
• DHCPDISCOVER: the client broadcasts this message to request an IP address lease from any DHCP server on the segment.
• DHCPOFFER: one or more DHCP servers respond to the DISCOVER with an offered address and lease parameters.
• DHCPREQUEST: the client broadcasts a request naming the server whose offer it accepts (option 54), which also tells the other servers to withdraw their offers.
• DHCPACK: the selected server acknowledges the request and assigns the lease; only now may the client use the address.
QUESTION 22
An effective method to shield networks from unauthenticated DHCP clients is through the use of _______________ on network switches.
A. DHCP snooping
B. DHCP protection
C. DHCP shielding
D. DHCP caching
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DHCP snooping is a switch feature that marks ports as trusted (uplinks toward
the legitimate DHCP servers) or untrusted (access ports). DHCP server messages
(OFFER, ACK, NAK) arriving on untrusted ports are dropped, so a rogue host
cannot hand out addresses, and the switch records each completed lease in a
binding table of MAC address, IP address, VLAN, and port. Advanced switches use
that table to direct clients toward legitimate DHCP servers and, through IP
source guard and dynamic ARP inspection, to restrict hosts to the addresses
they were actually leased.
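The four-step lease from Question 21 and the trusted/untrusted port check from Question 22, run through a small model of a switch. This is an added example, not code from the exam guide or from any vendor's switch software; the message layout, port numbers, MAC and IP addresses are constructed for the illustration.

```python
"""Added example (not from the exam guide): the four-step DHCP lease run
through a small model of a switch's DHCP snooping feature."""
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types (RFC 2132)
SERVER_MESSAGES = {OFFER, ACK}               # only a DHCP server may send these


@dataclass
class Dhcp:
    kind: int             # option 53 message type
    client_mac: str       # chaddr of the requesting client
    yiaddr: str = ""      # address offered/assigned (OFFER and ACK only)
    server_id: str = ""   # option 54, identifies the answering server


@dataclass
class SnoopingSwitch:
    trusted_ports: set                            # uplinks toward legitimate servers
    pending: dict = field(default_factory=dict)   # client MAC -> access port
    bindings: dict = field(default_factory=dict)  # client MAC -> (leased IP, port)
    decisions: list = field(default_factory=list)

    def process(self, port: int, msg: Dhcp) -> str:
        """Apply DHCP snooping to one message and return 'forward' or 'drop'."""
        if msg.kind in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                # A server message on an access port means a rogue DHCP server.
                decision = "drop"
            else:
                decision = "forward"
                if msg.kind == ACK and msg.client_mac in self.pending:
                    # Lease confirmed: record MAC -> (IP, client port) in the binding table.
                    client_port = self.pending.pop(msg.client_mac)
                    self.bindings[msg.client_mac] = (msg.yiaddr, client_port)
        else:
            # DISCOVER/REQUEST from a client: remember which access port it is on.
            if port not in self.trusted_ports:
                self.pending[msg.client_mac] = port
            decision = "forward"
        self.decisions.append(decision)
        return decision

    def check_source(self, port: int, mac: str, ip: str) -> bool:
        """IP source guard: a host may only send from the IP it was leased, on its own port."""
        return self.bindings.get(mac) == (ip, port)


def run_lease() -> SnoopingSwitch:
    """Constructed DORA exchange: one real server (port 1), one rogue server (port 5)."""
    sw = SnoopingSwitch(trusted_ports={1})
    client = "00:11:22:33:44:55"
    exchange = [
        (3, Dhcp(DISCOVER, client)),                             # client broadcasts
        (1, Dhcp(OFFER, client, "10.0.0.50", "10.0.0.1")),       # real server offers
        (5, Dhcp(OFFER, client, "10.0.0.99", "10.0.0.66")),      # rogue offer: dropped
        (3, Dhcp(REQUEST, client, server_id="10.0.0.1")),        # client picks the real one
        (1, Dhcp(ACK, client, "10.0.0.50", "10.0.0.1")),         # lease assigned, binding made
    ]
    for port, msg in exchange:
        sw.process(port, msg)
    return sw


if __name__ == "__main__":
    sw = run_lease()
    print(sw.decisions, sw.bindings)
```

The rogue OFFER on port 5 is discarded before any client sees it, and the binding built from the ACK is what lets the switch later refuse traffic from a host that changes its address by hand.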
QUESTION 23
Use the following scenario to answer Questions 23–25. Don is a security manager of a large medical institution. One of his groups develops proprietary software
that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been
experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for
masquerading attacks to take place.
What type of client ports should Don make sure the institution’s software is using when client-to-server communication needs to take place?
A. Well known
B. Registered
C. Dynamic
D. Free
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Well-known ports (0–1,023) are mapped to commonly used services (HTTP, FTP,
etc.). Registered ports (1,024–49,151) are registered by vendors to map to their
proprietary software. Dynamic ports (private ports, 49,152–65,535) are available
for use by any application and are the ephemeral ports a client should use for
its side of a connection to a server.
QUESTION 24
Which of the following is a cost-effective countermeasure that Don’s team should implement?
A. Stateful firewall
B. Network address translation
C. SYN proxy
D. IPv6
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A half-open attack is a type of DoS also referred to as a SYN flood: the
attacker sends a stream of TCP SYN segments, usually from spoofed sources, and
never completes the three-way handshake, so the victim's connection backlog fills
with half-open entries and legitimate clients are refused. A SYN proxy is a piece
of software that sits between the sender and receiver, answers the SYN-ACK
itself (typically with SYN cookies rather than stored state), and only forwards
the connection to the protected server once the client's final ACK completes
the handshake, so abandoned half-open connections never reach it.
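An added example of the SYN-proxy idea described above (not code from the exam guide or from any firewall product): the proxy answers every SYN with a SYN cookie instead of allocating a half-open entry, and only a client that echoes that cookie in its ACK is passed on to the server. The secret, addresses, ports and clock are assumptions for the illustration.

```python
"""Added example (not from the exam guide): a SYN proxy that answers SYNs with
a SYN cookie instead of allocating a half-open connection, and only contacts
the protected server once the client's final ACK proves the handshake completed."""
import hashlib
import hmac
import time


class SynProxy:
    def __init__(self, secret: bytes, clock=None):
        self.secret = secret
        # Coarse time counter (64-second windows) so cookies expire; injectable for tests.
        self.clock = clock or (lambda: int(time.time()) // 64)
        self.established = []   # flows handed to the backend after a full handshake

    def _mac(self, src, sport, dst, dport, t) -> int:
        msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")          # 24-bit keyed tag

    def _cookie(self, src, sport, dst, dport, t) -> int:
        # 32-bit ISN: top 8 bits carry the time counter, low 24 bits the MAC.
        return ((t & 0xFF) << 24) | self._mac(src, sport, dst, dport, t)

    def on_syn(self, src, sport, dst, dport) -> int:
        """Return the ISN for the SYN-ACK. No state is stored, so a flood costs nothing."""
        return self._cookie(src, sport, dst, dport, self.clock())

    def on_ack(self, src, sport, dst, dport, ack_num) -> bool:
        """Validate the handshake's final ACK; only a genuine client can echo the cookie."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        now = self.clock()
        for t in (now, now - 1):                      # accept current and previous window
            if (t & 0xFF) != isn >> 24:
                continue
            if (isn & 0xFFFFFF) == self._mac(src, sport, dst, dport, t):
                # Handshake complete: now the proxy opens its own connection to the server.
                self.established.append((src, sport, dst, dport))
                return True
        return False


def demo(clock=lambda: 1000):
    """Constructed traffic: a burst of spoofed SYNs, then one legitimate client."""
    proxy = SynProxy(secret=b"rotate-me-regularly", clock=clock)
    for i in range(10_000):                            # SYN flood from spoofed sources
        proxy.on_syn(f"198.51.100.{i % 250}", 1024 + i, "10.0.0.10", 443)
    flood_state = len(proxy.established)              # still zero: nothing was allocated
    isn = proxy.on_syn("203.0.113.5", 40000, "10.0.0.10", 443)
    genuine = proxy.on_ack("203.0.113.5", 40000, "10.0.0.10", 443, (isn + 1) & 0xFFFFFFFF)
    forged = proxy.on_ack("203.0.113.5", 40000, "10.0.0.10", 443, 0x12345678)
    return flood_state, genuine, forged, len(proxy.established)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the proxy must then splice the two connections, so sequence numbers toward the server are offset by the difference between the cookie and the server's own ISN; that translation is omitted here because the point is that the flood leaves no state behind.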
QUESTION 25
What should Don’s team put into place to stop the masquerading attacks that have been taking place?
A. Dynamic packet filter firewall
B. ARP spoofing protection
C. Disable unnecessary ICMP traffic at edge routers
D. SRPC
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Basic RPC does not have authentication capabilities, which allow for
masquerading attacks to take place. Secure RPC (SRPC) can be implemented,
which requires authentication to take place before remote systems can
communicate with each other. Authentication can take place using shared
secrets, public keys, or Kerberos tickets.
QUESTION 26
Use the following scenario to answer Questions 26–28. Grace is a security administrator for a medical institution and is responsible for many different teams. One
team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide
redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training
medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next.
One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends
excessive ICMP ECHO REQUEST packets to all the hosts on a specific subnet, which is aimed at one specific server.
Which of the following is most likely the issue that Grace’s team experienced when their systems went offline?
A. Three critical systems were connected to a dual-attached station.
B. Three critical systems were connected to a single-attached station.
C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems.
D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A single-attachment station (SAS) is attached to only one ring (the primary)
through a concentrator. If the primary goes down, it is not connected to the
backup secondary ring. A dual-attachment station (DAS) has two ports and
each port provides a connection for both the primary and the secondary rings.
QUESTION 27
Which of the following is the best type of fiber that should be implemented in this scenario?
A. Single mode
B. Multimode
C. Optical carrier
D. SONET
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Single-mode fiber uses a very small glass core that carries a single light path;
it has the lowest attenuation and dispersion and is used for high-speed
transmission over long distances. Multimode fiber uses a larger core that carries
many light paths at once; modal dispersion and higher attenuation limit it to
shorter runs, but its transceivers and terminations are cheaper. This scenario
specifies campus building-to-building connections, which are usually short
distances, so multimode is the appropriate choice.
QUESTION 28
Which of the following is the best and most cost-effective countermeasure for Grace’s team to put into place?
A. Network address translation
B. Disallowing unnecessary ICMP traffic coming from untrusted networks
C. Application-based proxy firewall
D. Screened subnet using two firewalls from two different vendors
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The attack described is a Smurf attack. The attacker sends ICMP Echo Request
packets whose source address is spoofed to the victim's address to the directed
broadcast address of an intermediary subnet. Every host on that subnet receives
the request and replies with an ICMP Echo Reply to the spoofed source, so all of
the replies converge on the victim, which is overwhelmed by traffic it never
asked for; each request is amplified by the number of hosts on the subnet.
Filtering out unnecessary ICMP traffic at the edge is the cheapest solution;
disabling the forwarding of directed broadcasts on routers and configuring hosts
to ignore broadcast echo requests removes the amplifier itself.
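Added detection logic for the Smurf pattern just described, run over a constructed packet capture; this is not code from the exam guide, and the subnets, addresses and thresholds are assumptions for the illustration. It flags both halves of the attack: echo requests aimed at a directed-broadcast address (the amplifier being triggered) and a burst of echo replies from many distinct hosts converging on one destination (the victim being flooded).

```python
"""Added example (not from the exam guide): detection logic for a Smurf attack
run over constructed ICMP packet records (timestamp, src, dst, icmp_type)."""
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Subnets whose directed-broadcast addresses an attacker could use as amplifiers.
LOCAL_SUBNETS = [ipaddress.ip_network(s) for s in ("10.1.0.0/24", "10.2.0.0/24")]


def is_directed_broadcast(dst: str) -> bool:
    d = ipaddress.ip_address(dst)
    return any(d == n.broadcast_address for n in LOCAL_SUBNETS)


def detect_smurf(packets, reply_threshold=20, window=1.0):
    """Return alerts for (a) echo requests aimed at a broadcast address and
    (b) bursts of echo replies from many hosts converging on one victim."""
    alerts = []
    replies = defaultdict(list)                      # victim -> [(ts, replier)]
    for ts, src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST and is_directed_broadcast(dst):
            alert = ("broadcast-echo-request", src, dst)   # src is the spoofed victim
            if alert not in alerts:
                alerts.append(alert)
        elif icmp_type == ECHO_REPLY:
            replies[dst].append((ts, src))
    for victim, events in replies.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [s for t, s in events[i:] if t - t0 <= window]
            # Many replies from many distinct hosts in one window = amplification.
            if len(in_window) >= reply_threshold and len(set(in_window)) >= reply_threshold // 2:
                alerts.append(("echo-reply-flood", victim, len(in_window)))
                break
    return alerts


def sample_packets():
    """Constructed capture: a normal ping, then a Smurf run against 10.1.0.50."""
    victim, amplifier_bcast = "10.1.0.50", "10.2.0.255"
    pkts = [(0.0, "10.1.0.7", "10.2.0.9", ECHO_REQUEST),
            (0.01, "10.2.0.9", "10.1.0.7", ECHO_REPLY)]
    for k in range(3):                                   # attacker spoofs the victim's address
        pkts.append((1.0 + k * 0.1, victim, amplifier_bcast, ECHO_REQUEST))
    for k in range(3):
        for host in range(1, 31):                        # 30 hosts answer each request
            pkts.append((1.0 + k * 0.1 + host * 0.001, f"10.2.0.{host}", victim, ECHO_REPLY))
    return pkts


if __name__ == "__main__":
    for alert in detect_smurf(sample_packets()):
        print(alert)
```

The first alert names the victim even though it appears as the packet's source, which is the tell for a spoofed Smurf trigger; the distinct-source check on replies keeps an ordinary fast ping from one host from tripping the flood rule.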
QUESTION 29
Use the following scenario to answer Questions 29–31. John is the manager of the security team within his company. He has learned that attackers have installed
sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication
restrictions put into place and the servers have been caching suspicious name resolution data.
Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic?
A. SNMP v3
B. L2TP
C. CHAP
D. Dynamic packet filtering firewall
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
SNMP versions 1 and 2c send their community strings (in effect, passwords) and
all management data in cleartext, so a sniffer captures them directly. Version 3
adds cryptographic functionality: with the authPriv security level each message
is authenticated (HMAC with SHA or MD5) and encrypted (AES or DES), providing
encryption, message integrity, and authentication. The sniffers installed on
the network still see the packets but cannot read or forge the SNMP traffic.
Deploy v3 in authPriv mode; the authNoPriv level still exposes the payload.
QUESTION 30
Which of the following unauthorized activities have most likely been taking place in this situation?
A. Domain kiting
B. Phishing
C. Fraggle
D. Zone transfer
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The primary and secondary DNS servers synchronize their information
through a zone transfer (AXFR, or IXFR for incremental changes). After changes
take place on the primary DNS server, those changes must be replicated to the
secondary DNS server. It is important to configure the DNS server to allow zone
transfers only to the specific secondary servers, ideally authenticated with
TSIG keys. Attackers request zone transfers to pull a complete list of a
victim's hostnames and addresses, which is very useful for mapping the network.
Unauthorized zone transfers can take place if the DNS servers are not properly
configured to restrict this type of activity.
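As an added configuration example (not from the exam guide), this is what the restriction looks like in BIND's named.conf; the zone name, file name, key name and secondary address are assumptions. The first block is the permissive form that allows the attack described above, the second the restricted form.

```conf
// Before: any host that can reach port 53 can pull the whole zone with AXFR.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };
};

// After: only a secondary holding the TSIG key may transfer the zone.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "...base64 key material...";
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
};
```

The check a practitioner runs after the change is an AXFR request from a host that is not the secondary (for example `dig @ns1.example.com example.com AXFR`); it should be refused rather than return the zone.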
QUESTION 31
Which of the following is the best countermeasure that John’s team should implement to protect from improper caching issues?
A. PKI
B. DHCP snooping
C. ARP protection
D. DNSSEC
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
When a DNS server accepts an improper (potentially malicious) name resolution
response, it caches it and serves it to every host it resolves for until the
record's TTL expires; this is cache poisoning. With DNSSEC, zone data is signed
with the zone's private key, and a validating server checks the RRSIG on each
response against the zone's DNSKEY, chained through DS records up to a trust
anchor, before accepting the information, so a forged record fails validation
and is never cached. DNSSEC provides origin authentication and integrity for
the data, not confidentiality, and it only protects zones that are signed and
resolvers that validate.
QUESTION 32
Use the following scenario to answer Questions 32–34. Sean is the new security administrator for a large financial institution. There are several issues that Sean is
made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured
firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively
large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also
found out that some team members want to implement tarpits on some of the most commonly attacked systems.
Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers?
A. TCP sequence hijacking is taking place.
B. Source routing is not restricted.
C. Fragment attacks are underway.
D. Attacker is tunneling communication through PPP.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Source routing means the sender, not the routers between the source and
destination, decides the path a packet takes: the IPv4 header carries a loose
(LSRR) or strict (SSRR) source route option listing the hops. An attacker can
use it to steer packets around a firewall or to reach an internal host through
a trusted intermediate address, and replies follow the reversed route back to
the attacker. Because almost no legitimate traffic uses it, many firewalls are
configured to check for source routing information within the packet header
and deny the packet if it is present.
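An added example of that header check (not code from the exam guide or from any firewall): a small IPv4 options walker that a packet filter can use to drop packets carrying the LSRR (type 131) or SSRR (type 137) option, with a constructed header builder to exercise it. Addresses are assumptions; the checksum is left zero because only option parsing matters here.

```python
"""Added example (not from the exam guide): an IPv4 option walker that lets a
packet filter drop source-routed packets (LSRR option type 131, SSRR type 137)."""
import socket
import struct

EOOL, NOP, LSRR, SSRR = 0, 1, 131, 137


def ipv4_options(pkt: bytes):
    """Yield (option_type, option_data) for every option in an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    i = 20
    while i < ihl:
        kind = pkt[i]
        if kind == EOOL:
            return
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option truncated")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")      # classic parser crash vector
        yield kind, pkt[i + 2:i + length]
        i += length


def firewall_decision(pkt: bytes) -> str:
    """Deny source-routed or malformed headers; everything else passes to later rules."""
    try:
        if any(kind in (LSRR, SSRR) for kind, _ in ipv4_options(pkt)):
            return "drop: source-routed"
    except ValueError:
        return "drop: malformed"
    return "accept"


def build_header(src: str, dst: str, route=None) -> bytes:
    """Constructed IPv4 header (checksum left zero), optionally with an LSRR option."""
    opts = b""
    if route:
        hops = b"".join(socket.inet_aton(a) for a in route)
        opts = bytes([LSRR, 3 + len(hops), 4]) + hops     # type, length, pointer, hops
        opts += b"\x00" * (-len(opts) % 4)                # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + opts


if __name__ == "__main__":
    print(firewall_decision(build_header("10.0.0.1", "10.0.0.2")))
    print(firewall_decision(build_header("10.0.0.1", "10.0.0.2", ["192.0.2.1", "198.51.100.1"])))
```

Malformed option lengths are treated as a drop rather than an exception, since an option walker that trusts the length byte is itself a common way to crash or confuse a filter.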
QUESTION 33
Which of the following best describes the firewall configuration issues Sean’s team member is describing?
A. Clean-up rule, stealth rule
B. Stealth rule, silent rule
C. Silent rule, negate rule
D. Stealth rule, silent rule
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The following describes the different firewall rule types:
• Silent rule: drops "noisy" traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
• Stealth rule: disallows access to the firewall software itself from unauthorized systems.
• Cleanup rule: the last rule in the rule base, which drops and logs any traffic that does not match the preceding rules.
• Negate rule: used instead of the broad and permissive "any" rules. Negate rules provide tighter permission rights by specifying what system can be accessed and how.
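An added example (not from the exam guide or any firewall product) that puts the four rule types into one first-match rule base and evaluates constructed packets against it. The addresses, ports and rule names are assumptions; what matters is the ordering and which rules log.

```python
"""Added example (not from the exam guide): a first-match rule base showing
how silent, stealth, negate and cleanup rules fit together, evaluated over
constructed packets. Addresses are assumptions for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
FIREWALL = ipaddress.ip_network("10.0.0.1/32")      # the firewall's own address
MGMT_HOST = ipaddress.ip_network("10.0.0.5/32")     # the only host allowed to manage it
WEB_SERVER = ipaddress.ip_network("10.0.0.80/32")
BROADCAST = ipaddress.ip_network("10.0.0.255/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    action: str                 # "accept" or "drop"
    log: bool

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


# Order matters: first match wins, so the specific management exception precedes the
# stealth rule, and the cleanup rule is last to catch whatever nothing else named.
RULEBASE = [
    Rule("silent-netbios", ANY, BROADCAST, "udp", 137, "drop", log=False),   # noise, unlogged
    Rule("mgmt-ssh", MGMT_HOST, FIREWALL, "tcp", 22, "accept", log=True),
    Rule("stealth", ANY, FIREWALL, None, None, "drop", log=True),            # protect the firewall
    Rule("negate-web", ANY, WEB_SERVER, "tcp", 443, "accept", log=True),     # instead of any-any
    Rule("cleanup", ANY, ANY, None, None, "drop", log=True),
]


def evaluate(pkt: dict, rulebase=RULEBASE):
    """Return (rule name, action, logged) for the first matching rule."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.name, rule.action, rule.log
    raise RuntimeError("rule base lacks a cleanup rule")


if __name__ == "__main__":
    sample = {"src": "10.0.0.99", "dst": "10.0.0.1", "proto": "tcp", "dport": 22}
    print(evaluate(sample))
```

Swapping the `mgmt-ssh` and `stealth` rules would lock the administrator out, and removing the cleanup rule leaves the behaviour of unmatched traffic undefined; both are the kinds of ordering mistakes a rule-base review looks for.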
QUESTION 34
Which of the following best describes why Sean’s team wants to put in the mentioned countermeasure for the most commonly attacked systems?
A. Prevent production system hijacking
B. Reduce DoS attack effects
C. Gather statistics during the process of an attack
D. Increase forensic capabilities
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A tarpit is commonly a piece of software configured to emulate a
vulnerable, running service. Once the attackers start to send packets to this
“service,” the connection to the victim system seems to be live and ongoing,
but the response from the victim system is slow and the connection may
time out. Most attacks and scanning activities take place through automated
tools that require quick responses from their victim systems. If the victim
systems do not reply or are very slow to reply, the automated tools may not
be successful because the protocol connection times out. This can reduce the
effects of a DoS attack.
QUESTION 35
Use the following scenario to answer Questions 35–37. Tom’s company has been experiencing many issues with unauthorized sniffers being installed on the
network. One reason is because employees can plug their laptops, smart phones, and other mobile devices into the network, which may be infected and have
running sniffers that the owners are not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific
VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom’s team is dealing with is how to secure internal
wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each
wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom’s boss has also told him that the company needs to move
from a landline metropolitan area network solution to a wireless solution.
What should Tom’s team implement to provide source authentication and data encryption at the data link level?
A. IEEE 802.1AR
B. IEEE 802.1AE
C. IEEE 802.1AF
D. IEEE 802.1X
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
IEEE 802.1AR provides a unique device identity (DevID). IEEE 802.1AE (MACsec)
provides data encryption, integrity, and origin authentication at the data
link layer, which is what the question asks for; IEEE 802.1X by itself is
port-based access control and does not encrypt frames. IEEE 802.1AF carries out
key agreement for the session keys used for data encryption. Each of these
standards provides specific parameters to work within an IEEE 802.1X EAP-TLS
framework. The 802.1X-2010 revision integrated IEEE 802.1AE and IEEE 802.1AR
to support service identification and optional point-to-point encryption.
QUESTION 36
Which of the following solutions is best to meet the company’s need to protect wireless traffic?
A. EAP-TLS
B. EAP-PEAP
C. LEAP
D. EAP-TTLS
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol
that extends TLS. EAP-TTLS is designed to provide authentication that is as
strong as EAP-TLS, but it does not require that each wireless device be issued a
certificate. Instead, only the authentication servers are issued certificates. User
authentication is performed by password, but the password credentials are
transported in a securely encrypted tunnel established based upon the server
certificates.
QUESTION 37
Which of the following is the best solution to meet the company’s need for broadband wireless connectivity?
A. WiMAX
B. IEEE 802.12
C. WPA2
D. IEEE 802.15
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
IEEE 802.16 is a MAN wireless standard that allows for wireless traffic
to cover a wide geographical area. This technology is also referred to as
broadband wireless access. The commercial name for 802.16 is WiMAX.
QUESTION 38
Use the following scenario to answer Questions 38–40. Lance has been brought in as a new security officer for a large medical equipment company. He has been
told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of
the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into
problems with the network’s NAT device.
Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. Lance has also identified that extra
authentication is necessary for current LDAP requests, but the current technology only provides password- based authentication options.
Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling?
A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device.
B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device.
C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device.
D. IPv6 should be disabled on all systems.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Teredo encapsulates IPv6 packets within UDP datagrams with IPv4
addressing. IPv6-aware systems behind the NAT device can be used as Teredo
tunnel end-points even if they do not have a dedicated public IPv4 address.
QUESTION 39
Use the scenario given in Question 38 to answer this question.
Which of the following is the best countermeasure for the attack type addressed in the scenario?
A. DNSSEC
B. IPSec
C. Split server configurations
D. Disabling zone transfers
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DNSSEC adds digital signatures to DNS record sets so that a validating resolver
can detect forged DNS information, which is exactly what a DNS cache poisoning
attack injects. When the zone is signed and the resolver validates, every
response is checked against a chain of signatures back to a trust anchor, so an
attacker cannot feed the cache bogus records that point the victim to a
malicious web site. DNSSEC provides authenticity and integrity of DNS data, not
confidentiality.
QUESTION 40
Use the scenario given in Question 38 to answer this question.
Which of the following technologies should Lance’s team investigate for increased authentication efforts?
A. Challenge handshake protocol
B. Simple Authentication and Security Layer
C. IEEE 802.2 AB
D. EAP-SSL
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Simple Authentication and Security Layer is a protocol-independent
authentication framework. This means that any protocol that knows how to
interact with SASL can use its various authentication mechanisms without
having to actually embed the authentication mechanisms within its code.
QUESTION 41
Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11
standard. Which of the following provides the correct characteristics of Wi-Fi Protected Access 2 (WPA2)?
A. IEEE 802.1X, WEP, MAC
B. IEEE 802.1X, EAP, TKIP
C. IEEE 802.1X, EAP, WEP
D. IEEE 802.1X, EAP, CCMP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access
control, EAP or preshared keys for authentication, and AES in Counter-Mode/
CBC-MAC Protocol (CCMP) for encryption.
Chapter 7 - Cryptography
QUESTION 1
What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Cryptanalysis is the process of trying to reverse-engineer a cryptosystem,
with the possible goal of uncovering the key used. Once this key is uncovered,
all other messages encrypted with this key can be accessed. Cryptanalysis is
carried out by attackers, but also by researchers and defenders who use it to
test the strength of an algorithm before relying on it.
QUESTION 2
The frequency of successful brute force attacks has increased because
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A brute force attack is resource-intensive. It tries all values until the correct
one is obtained. As computers have more powerful processors added to them,
attackers can carry out more powerful brute force attacks.
QUESTION 3
Which of the following is not a property or characteristic of a one-way hash function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the corresponding message.
C. It should be impossible or rare to derive the same digest from two different messages.
D. It converts a message of fixed length to an arbitrary length value.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A hashing algorithm takes a message of variable length, which can be any size,
and computes a fixed-length value, the message digest. The MD family (MD5)
produces a 128-bit digest, SHA-1 produces 160 bits, and the SHA-2 family
produces 224 to 512 bits. MD5 and SHA-1 are no longer considered collision
resistant and should not be used in new designs.
QUESTION 4
What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Hashing algorithms generate message digests to detect whether modification
has taken place. The sender computes a digest of the message, the receiver
independently recomputes it, and if the two values differ the receiver knows
the message has been altered. A bare digest only catches accidental changes,
though: an attacker who can modify the message can recompute the digest as
well, so protection against deliberate tampering requires a keyed digest (an
HMAC) or a digital signature.
QUESTION 5
Which of the following is a U.S. federal government algorithm developed for creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
SHA was created to generate secure message digests. Digital Signature
Standard (DSS) is the standard to create digital signatures, which dictates that
SHA must be used. DSS also outlines the digital signature algorithms that can
be used with SHA: RSA, DSA, and ECDSA.
QUESTION 6
Which of the following best describes the difference between HMAC and CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In an HMAC operation, a symmetric key is combined with the message and the
result is put through a hashing algorithm. Strictly, HMAC nests two hash
computations with padded copies of the key (an inner and an outer pass), which
is what protects it against the length-extension attacks that break a naive
hash(key || message) construction with Merkle-Damgård hashes such as MD5,
SHA-1 and SHA-256. This provides integrity and data origin authentication.
CBC-MAC runs a block cipher in CBC mode with a zero IV and takes the last block
of ciphertext as the MAC; basic CBC-MAC is secure only for messages of a fixed
length, which is why variants such as CMAC are used for variable-length data.
QUESTION 7
What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
RSA can be used for data encryption, key exchange, and digital signatures.
DSA can be used only for digital signatures.
QUESTION 8
Many countries restrict the use or exportation of cryptographic systems. What is the reason given when these types of restrictions are put into place?
A. Without standards, there would be many interoperability issues when trying to employ different algorithms in different programs.
B. The systems can be used by some countries against their local people.
C. Criminals could use encryption to avoid detection and prosecution.
D. Laws are way behind, so adding different types of encryption would confuse the laws more.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The U.S. government has greatly reduced its restrictions on cryptography
exportation, but there are still some restrictions in place. Products that use
encryption cannot be sold to any country the United States has declared is
supporting terrorism. The fear is that the enemies of the country would use
encryption to hide their communication, and the government would be
unable to break this encryption and spy on their data transfers.
QUESTION 9
What is used to create a digital signature?
A. The receiver’s private key
B. The sender’s public key
C. The sender’s private key
D. The receiver’s public key
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A digital signature is a message digest that has been transformed with the
sender's private key (for RSA this looks like encrypting the digest; DSA and
ECDSA use a dedicated signing operation, but likewise require the private
key). Only the signer holds that key, which is what makes the signature
attributable. A sender, or anyone else, should never have access to the
receiver's private key.
QUESTION 10
Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of a message
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A digital signature provides authentication (knowing who really sent
the message), integrity (because a hashing algorithm is involved), and
nonrepudiation (the sender cannot deny sending the message).
QUESTION 11
How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DES has a key size of 64 bits, but 8 bits are used for parity, so the true
key size is 56 bits. Remember that DEA is the algorithm used for the DES
standard, so DEA also has a true key size of 56 bits, because we are actually
talking about the same algorithm here. DES is really the standard, and DEA
is the algorithm. We just call it DES in the industry because it is easier.
QUESTION 12
Why would a certificate authority revoke a certificate?
A. If the user's public key has become compromised
B. If the user changed over to using the PEM model that uses a web of trust
C. If the user's private key has become compromised
D. If the user moved to a new location
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The reason a certificate is revoked is to warn others who use that person’s
public key that they should no longer trust the public key because, for some
reason, that public key is no longer bound to that particular individual’s
identity. This could be because an employee left the company, or changed his
name and needed a new certificate, but most likely it is because the person’s
private key was compromised.
QUESTION 13
What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Data Encryption Standard was adopted in 1977 by the U.S. National Bureau
of Standards (now NIST), based on IBM's Lucifer cipher and reviewed by the
NSA, to encrypt sensitive but unclassified government data.
QUESTION 14
Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A registration authority (RA) accepts a person’s request for a certificate and
verifies that person’s identity. Then the RA sends this request to a certificate
authority (CA), which generates and maintains the certificate.
QUESTION 15
What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
DEA is the algorithm that fulfilled the DES standard. So DEA has all of the
attributes of DES: a symmetric block cipher that uses 64-bit blocks, 16 rounds,
and a 56-bit key.
QUESTION 16
Who was involved in developing the first public key algorithm?
A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The first released public key cryptography algorithm was developed by
Whitfield Diffie and Martin Hellman.
QUESTION 17
What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
After a session key has been created, it must be exchanged securely. In most
cryptosystems, an asymmetric key (the receiver’s public key) is used to encrypt
this session key, and it is sent to the receiver.
QUESTION 18
DES performs how many rounds of permutation and substitution?
A. 16
B. 32
C. 64
D. 56
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DES carries out 16 rounds of mathematical computation on each 64-bit
block of data it is responsible for encrypting. A round is a set of mathematical
formulas used for encryption and decryption processes.
QUESTION 19
Which of the following is a true statement pertaining to data encryption when it is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Data encryption always requires careful key management. Most algorithms
are so strong today it is much easier to go after key management rather than
to launch a brute force attack. Hashing algorithms are used for data integrity,
encryption does require a good amount of resources, and keys do not have to
be escrowed for encryption.
QUESTION 20
If different keys generate the same ciphertext for the same message, what is this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Message A was encrypted with key A and the result is ciphertext Y. If that
same message A were encrypted with key B, the result should not be ciphertext
Y. The ciphertext should be different since a different key was used. But if the
ciphertext is the same, this occurrence is referred to as key clustering.
QUESTION 21
What is the definition of an algorithm’s work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The work factor of a cryptosystem is the amount of time and resources
necessary to break the cryptosystem or its encryption process. The goal is
to make the work factor so high that an attacker could not be successful in
breaking the algorithm or cryptosystem.
QUESTION 22
What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Passwords are usually run through a one-way hashing algorithm so that the
actual password is not transmitted across the network or stored on a system
in plaintext. This greatly reduces the risk of an attacker who obtains the
password database recovering the actual passwords. Because an attacker can
still guess candidate passwords and hash them, the function should be salted
(so identical passwords do not produce identical hashes and precomputed
tables are useless) and deliberately slow, as in PBKDF2, bcrypt, scrypt or
Argon2.
QUESTION 23
Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The RSA algorithm’s security is based on the difficulty of factoring large
numbers into their original prime numbers. This is a one-way function. It is
easier to calculate the product than it is to identify the prime numbers used to
generate that product.
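As an added example (not from the exam guide) tying Questions 9, 17 and 23 together, the following Python script runs textbook RSA on two tiny primes: it signs a digest with the sender's private key, wraps a random session key under the receiver's public key, and then recovers a private key by factoring the modulus, which is instant at this size and infeasible at 2048 bits. The primes, key names and sample message are constructed for the demo; there is no padding, so this is a teaching toy and not a usable cryptosystem.

```python
"""Textbook RSA on tiny primes (added example, not from the exam guide).

Shows signing with the sender's private key, wrapping a symmetric session key
with the receiver's public key, and why security rests on factoring. The
primes are deliberately tiny and there is no padding: a teaching toy only.
"""
import hashlib
import math
import secrets


def rsa_keygen(p: int, q: int, e: int = 17):
    """Return (public, private) as ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)               # modular inverse: e*d = 1 (mod phi)
    return (e, n), (d, n)


def rsa_apply(value: int, key) -> int:
    """One modular exponentiation; the same operation encrypts, decrypts,
    signs and verifies depending on which key is supplied."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Real RSA pads the digest (PKCS#1 v1.5 or PSS); here it is reduced mod n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: hash the message, apply the sender's private key."""
    return rsa_apply(_digest_mod_n(message, private_key[1]), private_key)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    return rsa_apply(signature, public_key) == _digest_mod_n(message, public_key[1])


def wrap_session_key(session_key: int, receiver_public) -> int:
    """Key exchange step: encrypt a symmetric session key under the receiver's public key."""
    return rsa_apply(session_key, receiver_public)


def unwrap_session_key(wrapped: int, receiver_private) -> int:
    return rsa_apply(wrapped, receiver_private)


def factor_modulus(n: int) -> tuple:
    """Trial division: instant for a toy modulus, infeasible for 2048-bit n.
    Recovering p and q lets an attacker rebuild the private key."""
    for candidate in range(2, math.isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """What factoring buys the attacker: the private exponent from the public key."""
    e, n = public_key
    p, q = factor_modulus(n)
    return rsa_keygen(p, q, e)[1]


if __name__ == "__main__":
    sender_pub, sender_priv = rsa_keygen(61, 53)       # constructed toy key pair
    receiver_pub, receiver_priv = rsa_keygen(67, 71)   # constructed toy key pair
    msg = b"wire 100 to bob"                           # constructed sample message
    sig = sign(msg, sender_priv)
    print("signature verifies:", verify(msg, sig, sender_pub))
    print("tampered message verifies:", verify(msg + b"0", sig, sender_pub))
    session_key = secrets.randbelow(receiver_pub[1])
    wrapped = wrap_session_key(session_key, receiver_pub)
    print("session key recovered:", unwrap_session_key(wrapped, receiver_priv) == session_key)
    print("private key recovered by factoring:", recover_private_key(receiver_pub) == receiver_priv)
```

With p=61 and q=53 the script reproduces the classic small-number example (n=3233, e=17, d=2753); change the primes to anything larger and watch factor_modulus become the bottleneck.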
QUESTION 24
Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
DES is a symmetric algorithm that uses a single shared secret key to encrypt
bulk data. RSA is an asymmetric algorithm that uses a public/private key pair
and is used for key exchange, digital signatures, and encrypting small values
such as session keys.
QUESTION 25
Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
When an HMAC function is used, a symmetric key is combined with the
message, and then that result is put though a hashing algorithm. The result is
an HMAC value. HMAC provides data origin authentication and data integrity.
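The following Python script is an added example (not part of the exam guide) illustrating the point of Questions 4, 6 and 25: an unkeyed digest cannot stop an active attacker, because the attacker simply recomputes it after tampering, while an HMAC tag cannot be recomputed without the shared key. The key, the transfer message and the tampering step are constructed for the demo.

```python
"""Integrity check with a plain digest versus an HMAC (added example).

Constructed sample message and key; nothing here comes from the exam guide.
"""
import hashlib
import hmac

# Constructed shared secret, known to sender and receiver but not the attacker.
SHARED_KEY = b"example-shared-key-not-for-production"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: keyed, so only a key holder can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def attacker_tampers(message: bytes, digest: bytes, tag: bytes):
    """Active attacker on the wire: changes the amount and recomputes the
    unkeyed digest. Without SHARED_KEY the attacker cannot recompute the HMAC,
    so the old tag is forwarded unchanged."""
    forged = message.replace(b"amount=100", b"amount=9999")
    return forged, plain_digest(forged), tag


def demo() -> dict:
    original = b"transfer: from=alice to=bob amount=100"   # constructed sample
    digest = plain_digest(original)
    tag = hmac_tag(SHARED_KEY, original)

    forged, forged_digest, forwarded_tag = attacker_tampers(original, digest, tag)
    return {
        "plain_digest_accepts_forgery": verify_plain(forged, forged_digest),
        "hmac_accepts_forgery": verify_hmac(SHARED_KEY, forged, forwarded_tag),
        "hmac_accepts_original": verify_hmac(SHARED_KEY, original, tag),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The plain digest check passes on the forged transfer; the HMAC check fails on it and passes only on the untouched original, which is the data origin authentication the explanation refers to.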
QUESTION 26
Key Derivation Functions (KDFs) derive one or more cryptographic keys from an initial secret such as a master key or a password. Which of the following values is not commonly used as input to this key derivation
process?
A. Hashing values
B. Asymmetric values
C. Salts
D. Passwords
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A KDF takes a secret input (a master key or a password), usually combined with
a salt and sometimes other context values, and runs it through a hash-based
function for a defined number of rounds to produce key material. Hash values,
passwords and salts are therefore all standard KDF inputs; asymmetric key
values are not.
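As an added example (not from the exam guide) for Questions 22 and 26, this Python script stores passwords with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) and contrasts it with a bare SHA-256 that a short dictionary loop cracks immediately. The iteration count, record format, wordlist and sample passwords are constructed for the demo.

```python
"""Salted, iterated password storage with PBKDF2 (added example).

Contrasts an unsalted SHA-256 of the password, which a dictionary loop cracks
at once, with a salted, deliberately slow KDF that must be recomputed per user.
Iteration count, record format and sample passwords are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 210_000     # tune so one derivation costs ~100 ms on the target hardware
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """Fast and unsalted: identical passwords hash identically, and a single
    precomputed table serves every user in the database."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: hash, password and salt iterated many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_record(password: str) -> str:
    """Stored form: algorithm$iterations$salt$key, so parameters can change later."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derive(password, salt).hex()}"


def check_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = derive(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Against an unsalted fast hash, guessing is one cheap hash per word."""
    for word in wordlist:
        if naive_hash(word) == target:
            return word
    return None


def demo() -> dict:
    wordlist = ["123456", "password", "letmein", "qwerty"]   # constructed wordlist
    record_a = make_record("letmein")
    record_b = make_record("letmein")
    return {
        "naive_hash_cracked_as": dictionary_attack(naive_hash("letmein"), wordlist),
        "salted_records_differ": record_a.split("$")[3] != record_b.split("$")[3],
        "correct_password_accepted": check_password("letmein", record_a),
        "wrong_password_accepted": check_password("letmeout", record_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two records for the same password differ because each carries its own salt, so an attacker must rerun the full PBKDF2 cost for every user; a precomputed table is useless. Storing the algorithm and iteration count in the record lets the cost be raised later without invalidating old entries.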
QUESTION 27
Use the following scenario to answer Questions 27–29. Tim is a new manager for the software development team at his company. There are different types of data
that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software
also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between
the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenticated before being allowed access, and
once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection.
Which of the following symmetric block encryption mode(s) should be enabled in this company’s software? (Choose two.)
A. Electronic Code Book (ECB)
B. Cipher Block Chaining (CBC)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
A and B. The Electronic Code Book (ECB) mode is suggested for credit card
PIN values, because each PIN fits within a single block and ECB has no
chaining dependency, and the Cipher Block Chaining (CBC) mode should be
used to encrypt documents. Keep in mind that ECB encrypts every block
independently, so two customers with the same PIN produce identical
ciphertext blocks; this is why ECB is acceptable only for very short data,
and why modern designs prefer a randomized or authenticated mode (CBC with a
fresh IV, or an AEAD mode such as AES-GCM) even for small values.
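To make the ECB caveat concrete, here is an added example (not from the exam guide) that encrypts a small table of PINs under ECB and under CBC with a random IV and counts repeated ciphertext blocks. Because the Python standard library has no AES, the block cipher is a small HMAC-based Feistel network constructed for this demo; it is a stand-in, not a secure cipher, and the mode logic is the point. The key and PIN values are constructed.

```python
"""ECB versus CBC on a toy block cipher (added example, not from the exam guide).

The cipher is a 4-round Feistel network built from HMAC-SHA256, chosen only so
the script runs with the standard library; it is a teaching stand-in, not AES
and not secure. The mode logic (ECB, CBC with a random IV) is the real point.
Key, IV and the PIN records are constructed for the demo.
"""
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes):
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(ROUNDS)]


def _f(half: bytes, round_key: bytes) -> bytes:
    # Round function: keyed PRF truncated to half a block.
    return hmac.new(round_key, half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rk in _round_keys(key):
        left, right = right, _xor(left, _f(right, rk))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rk in reversed(_round_keys(key)):       # undo the rounds in reverse order
        left, right = _xor(right, _f(left, rk)), left
    return left + right


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ciphertext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block (the IV for the first) before encryption.
    prev, out = iv, []
    for b in _blocks(plaintext):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)          # the IV is sent along in the clear


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for c in _blocks(body):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes, skip_iv: bool = False) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)[1:] if skip_iv else _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def pin_records(pins) -> bytes:
    # One 16-byte block per PIN, zero padded: constructed sample data.
    return b"".join(p.encode().ljust(BLOCK, b"\0") for p in pins)


KEY = b"demo-key-0123456789abcdef"            # constructed; any length works for HMAC
PINS = ["1234", "9876", "1234", "0000"]       # two customers share a PIN


if __name__ == "__main__":
    pt = pin_records(PINS)
    ecb = ecb_encrypt(KEY, pt)
    cbc = cbc_encrypt(KEY, os.urandom(BLOCK), pt)
    print("ECB repeated blocks:", repeated_blocks(ecb))              # the shared PIN shows
    print("CBC repeated blocks:", repeated_blocks(cbc, skip_iv=True))
    print("round trips ok:", ecb_decrypt(KEY, ecb) == pt and cbc_decrypt(KEY, cbc) == pt)
```

Running it reports one repeated block for ECB (the two customers with PIN 1234) and none for CBC. Neither mode authenticates the data; in production, pair the cipher with a MAC or use an AEAD mode.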
QUESTION 28
Use the scenario given in Question 27 to answer this question.
Which of the following would be best to implement for this company’s connections?
A. End-to-end encryption
B. Link encryption
C. Trusted Platform Modules
D. Advanced Encryption Standard
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Since the data is transmitted over dedicated WAN links, link encryptors can be
implemented to encrypt the sensitive data, headers included, as it moves from
branch to branch; the traffic is decrypted at each link endpoint.
QUESTION 29
Use the scenario given in Question 27 to answer this question.
Which of the following is the best way for users to authenticate to this company’s proprietary software?
A. Kerberos
B. RADIUS
C. Public Key Infrastructure
D. IPSec
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The users can be authenticated by presenting digital certificates to the
software within a PKI environment. This is the best authentication approach
here, since SSL/TLS already depends on certificates on the server side;
issuing client certificates gives mutual authentication through the same
infrastructure.
QUESTION 30
Use the following scenario to answer Questions 30–32. Sean is a security administrator for a financial company and has an array of security responsibilities. He
needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be
visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated
systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each
employee sends is sent from an authenticated individual.
Which of the following best describes the software settings that need to be implemented for internal and external traffic?
A. IPSec with ESP enabled for internal traffic and IPSec with AH enabled for external traffic
B. IPSec with AH enabled for internal traffic and IPSec with ESP enabled for external traffic
C. IPSec with AH enabled for internal traffic and IPSec with AH and ESP enabled for external traffic
D. IPSec with AH and ESP enabled for internal traffic and IPSec with ESP enabled for external traffic
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
IPSec can be configured with the Authentication Header (AH) protocol, which
authenticates the packet (including immutable IP header fields) and provides
integrity but no encryption, so the IDS sensors can still inspect the payload.
IPSec can also be configured with the Encapsulating Security Payload (ESP)
protocol, which encrypts the payload and can provide integrity and
authentication as well. Note that AH does not pass through NAT, because
address translation breaks its header integrity check.
QUESTION 31
Use the scenario given in Question 30 to answer this question.
When Sean purchases laptops for his company, what does he need to ensure is provided by the laptop vendor?
A. Public key cryptography
B. Cryptography, hashing, and message authentication
C. BIOS password protection
D. Trusted Platform Module
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A Trusted Platform Module (TPM) is a microchip on the motherboard of newer
systems that provides cryptographic functions for full disk encryption. The
disk encryption key is wrapped (sealed) by the TPM and released only when the
measured boot state matches the values recorded when the key was sealed, so
the key cannot be read off the drive or used on another machine.
QUESTION 32
Use the scenario given in Question 30 to answer this question.
What type of e-mail functionality is required for this type of scenario?
A. Digital signature
B. Hashing
C. Cryptography
D. Message authentication code
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A digital signature is a hash value that has been encrypted with the sender’s
private key. A message can be digitally signed, which provides authentication,
nonrepudiation, and integrity. When e-mail clients have this type of
functionality, each sender is authenticated through digital certificates.
Chapter 8 - Business Continuity and Disaster Recovery
QUESTION 1
What action should take place to restore a system and its data files after a system failure?
A. Restore from storage media backup.
B. Perform a parallel test.
C. Implement recovery procedures.
D. Perform a walk-through test.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In this and similar situations, the documented recovery procedures should be
followed, which most likely include recovering data from the backup media.
Recovery procedures can include the steps for rebuilding a system from
scratch, applying the necessary patches and configurations, and verifying
that productivity is not affected once the system is back in service. Some
type of redundant system may also need to be put into place.
QUESTION 2
What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A business impact analysis includes identifying critical systems and
functions of a company and interviewing representatives from each
department. Once management’s support is solidified, a business impact
analysis needs to be performed to identify the threats the company faces and
the potential costs of these threats.
QUESTION 3
How often should a business continuity plan be tested?
A. At least every ten years
B. Only when the infrastructure or environment changes
C. At least every two years
D. Whenever there are significant changes in the organization and annually
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The plans should be tested if there have been substantial changes to the
company or the environment. They should also be tested at least once a year.
QUESTION 4
During a recovery procedure test, one important step is to maintain records of important events that happen during the test. What other step is just as important?
A. Schedule another test to address issues that were identified during that procedure.
B. Make sure someone is prepared to talk to the media with the appropriate responses.
C. Report the events to management.
D. Identify essential business functions.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
When recovery procedures are carried out, the outcome of those procedures
should be reported to the individuals who are responsible for this type of
activity, which is usually some level of management. If the procedures worked
properly, management should know it, and if problems were encountered,
management should definitely be made aware of them. Members of
management are the ones who are responsible overall for fixing the recovery
system and will be the ones to delegate this work and provide the necessary
funding and resources.
QUESTION 5
Which of the following actions is least important when quantifying risks associated with a potential disaster?
A. Gathering information from agencies that report the probability of certain natural disasters taking place in that area
B. Identifying the company's key functions and business requirements
C. Identifying critical systems that support the company's operations
D. Estimating the potential loss and impact the company would face based on how long the outage lasted
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The question asked you about quantifying the risks, which means
to calculate the potential business impact of specific disasters. The core
components of a business impact analysis are
• Identifying the company’s key functions and business requirements
• Identifying critical systems that support the company’s operations
• Estimating the potential loss and impact the company would face based on
how long the outage lasted
Gathering information from agencies that report the probability of certain
natural disasters taking place in that area is an important piece in determining
the probability of these threats, but it is considered least necessary when
quantifying the potential damage that could be experienced.
QUESTION 6
The purpose of initiating emergency procedures right after a disaster takes place is to prevent loss of life and injuries, and to _______________.
A. Secure the area to ensure that no looting or fraud takes place
B. Mitigate further damage
C. Protect evidence and clues
D. Investigate the extent of the damages
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The main goal of disaster recovery and business continuity plans is
to mitigate all risks that could be experienced by a company. Emergency
procedures first need to be carried out to protect human life, and then other
procedures need to be executed to reduce the damage from further threats.
QUESTION 7
Which of the following is the best way to ensure that the company’s backup tapes can be restored and used at a warm site?
A. Retrieve the tapes from the offsite facility, and verify that the equipment at the original site can read them.
B. Ask the offsite vendor to test them, and label the ones that were properly read.
C. Test them on the vendor’s machine, which won’t be used during an emergency.
D. Inventory each tape kept at the vendor’s site twice a month.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A warm site is a facility that will not be fully equipped with the company’s
main systems. The goal of using a warm site is that, if a disaster takes place,
the company will bring its systems with it to the warm site. If the company
cannot bring the systems with it because they are damaged, the company
must purchase new systems that are exactly like the original systems. So, to
properly test backups, the company needs to test them by recovering the data
on its original systems at its main site.
QUESTION 8
Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the company’s parking lot
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A hot site is a facility that is fully equipped and properly configured
so that it can be up and running within hours to get a company back
into production. Answer B gives the best definition of a fully functional
environment.
QUESTION 9
Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Remote journaling is a technology used to transmit data to an offsite
facility, but this usually only includes moving the journal or transaction
logs to the offsite facility, not the actual files.
QUESTION 10
Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within 10 to 15 minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
This question addresses a facility that is used to store backed-up data; it
is not talking about an offsite facility used for disaster recovery purposes.
The facility should not be only 10 to 15 minutes away, because some types
of disasters could destroy both the company’s main facility and this facility
if they are that close together, in which case the company would lose all of
its information. The facility should have the same security standards as the
company’s security, including protection against unauthorized access.
QUESTION 11
Which item will a business impact analysis not identify?
A. Whether the company is best suited for a parallel or full-interrupt test
B. What areas would suffer the greatest operational and financial loss in the event of a particular disaster or disruption
C. What systems are critical for the company and must be highly protected
D. What amount of outage time a company can endure before it is permanently crippled
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
All the other answers address the main components of a business impact
analysis. Determining the best type of exercise or drill to carry out is not
covered under this type of analysis.
QUESTION 12
Which areas of a company are recovery plans recommended for?
A. The most important operational and financial areas
B. The areas that house the critical systems
C. All areas
D. The areas that the company cannot survive without
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
It is best if every department within the company has its own contingency
plan and procedures in place. These individual plans would “roll up” into the
overall enterprise BCP.
QUESTION 13
Who has the final approval of the business continuity plan?
A. The planning committee
B. Each representative of each department
C. Management
D. External authority
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Management really has the final approval over everything within a
company, including these plans.
QUESTION 14
Which is the proper sequence of steps followed in business continuity management?
A. Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance
B. Strategy development, project initiation, business impact analysis, plan development, implementation, testing, and maintenance
C. Implementation and testing, project initiation, strategy development, business impact analysis, and plan development
D. Plan development, project initiation, strategy development, business impact analysis, implementation, testing, and maintenance
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
These steps outline the processes that should take place in the correct order
from beginning to end in business continuity management.
QUESTION 15
What is the most crucial requirement in developing a business continuity plan?
A. Business impact analysis
B. Implementation, testing, and following through
C. Participation from each and every department
D. Management support
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Management’s support is the first thing to obtain before putting any real
effort into developing these plans. Without management’s support, the effort
will not receive the necessary attention, resources, funds, or enforcement.
QUESTION 16
During development, testing, and maintenance of the continuity plan, a high degree of interaction and communications is crucial to the process. Why?
A. This is a regulatory requirement of the process.
B. The more people who talk about it and are involved, the more awareness will increase.
C. This is not crucial to the plan and should not be interactive because it will most likely affect operations.
D. Management will more likely support it.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Communication not only spreads awareness of these plans and their
contents, but also allows more people to discuss the possible threats and
solutions, which may lead to ideas that the original team did not consider.
QUESTION 17
To get proper management support and approval of the plan, a business case must be made. Which of the following is least important to this business case?
A. Regulatory and legal requirements
B. Company vulnerabilities to disasters and disruptions
C. How other companies are dealing with these issues
D. The impact the company can endure if a disaster hits
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The other three answers are key components when building a business case.
Although it is a good idea to investigate and learn about how other companies
are dealing with similar issues, it is the least important of the four items listed.
QUESTION 18
Which of the following describes a parallel test?
A. It is performed to ensure that operations performed at the alternate site also give the same results as at the primary site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and go through the test collectively.
D. Normal operations are shut down.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
In a parallel test, some systems are run at the alternate site, and the results
are compared with how processing takes place at the primary site. This is to
ensure that the systems work in that area and productivity is not affected. This
also extends the previous test and allows the team to walk through the steps
of setting up and configuring systems at the offsite facility.
QUESTION 19
Which of the following describes a structured walk-through test?
A. It is performed to ensure that critical systems will run at the alternate site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and review the steps of the test collectively without actually performing those steps.
D. Normal operations are shut down.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
During a structured walk-through test, functional representatives review
the plan to ensure its accuracy and that it correctly and accurately reflects the
company’s recovery strategy.
QUESTION 20
When is the emergency actually over for a company?
A. When all people are safe and accounted for
B. When all operations and people are moved back into the primary site
C. When operations are safely moved to the offsite facility
D. When a civil official declares that all is safe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The emergency is not actually over until the company moves back into its
primary site. The company is still vulnerable and at risk while it is operating
in an altered or crippled state. This state of vulnerability is not over until the
company is operating in the way it was prior to the disaster. Of course, this
may mean that the primary site has to be totally rebuilt if it was destroyed.
QUESTION 21
Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A reciprocal agreement is not enforceable, meaning that the company that
agreed to let the damaged company work out of its facility can decide not to
allow this to take place. A reciprocal agreement is a better secondary backup
option if the original plan falls through.
QUESTION 22
Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A cold site only provides environmental measures—wiring, air
conditioning, raised floors—basically a shell of a building and no more.
QUESTION 23
Which of the following best describes what a disaster recovery plan should contain?
A. Hardware, software, people, emergency procedures, recovery procedures
B. People, hardware, offsite facility
C. Software, media interaction, people, hardware, management issues
D. Hardware, emergency procedures, software, identified risk
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The recovery plan should contain information about how to deal with
people, hardware, software, emergency procedures, recovery procedures,
facility issues, and supplies.
QUESTION 24
Which of the following is not an advantage of a hot site?
A. Offers many hardware and software choices.
B. Is readily available.
C. Can be up and running in hours.
D. Annual testing is available.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Because hot sites are fully equipped, they do not allow for a lot of different
hardware and software choices. The subscription service offers basic software and
hardware products, and does not usually offer a wide range of proprietary items.
QUESTION 25
Disaster recovery plans can stay updated by doing any of the following except:
A. Making disaster recovery a part of every business decision
B. Making sure it is part of employees’ job descriptions
C. Performing regular drills that use the plan
D. Making copies of the plan and storing them in an offsite facility
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The plan should be part of normal business activities. A lot of time and
resources go into creating disaster recovery plans, after which they are usually
stored away and forgotten. They need to be updated continuously as the
environment changes to ensure that the company can properly react to any
type of disaster or disruption.
QUESTION 26
What is the second step that is missing in the following graphic?
A. Business impact analysis
B. NIST standard
C. Management approval and resource allocation
D. Change control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The missing step is the BIA. The steps of the BIA are as follows:
• Identify the company’s critical business functions.
• Decide on information-gathering techniques: interviews, surveys,
qualitative or quantitative questionnaires.
• Identify resources these functions depend upon.
• Calculate how long these functions can be without these resources.
• Identify vulnerabilities and threats to these functions.
• Calculate the risk for each different business function.
• Develop backup solutions for resources based on tolerable outage times.
• Develop recovery solutions for the company’s individual departments and
for the company as a whole.
QUESTION 27
What would the items in the following graphic best be collectively called?
A. Business impact values
B. Activation phase values
C. Maximum tolerable downtime values
D. Reconstitution impact times and values
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Maximum tolerable downtime values. This is the timeframe between
an unplanned interruption of business operations and the resumption
of business at a reduced level of service. The BIA identifies which of the
company’s critical systems are needed for survival and estimates the outage
time that can be tolerated by the company as a result of various unfortunate
events. The outage time that can be endured by a company is referred to as the
maximum tolerable downtime.
http://www.gratisexam.com/
QUESTION 28
Business continuity planning needs to provide several types of functionalities and protection types for an organization. Which of the following is not one of these
items?
i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business conflicts
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get “up and running” quickly after a disaster
A. ii, iii, vii
B. ii, iii, v, vi
C. iii
D. i, ii
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Preplanned procedures allow an organization to
i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business impact
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get “up and running” quickly after a disaster
QUESTION 29
Which of the following have incorrect definition mapping when it comes to disaster recovery steps?
i. Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the
necessary roles to carry out these tasks.
ii. Conduct the BIA. Identify critical functions and systems, and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and
calculate risks.
iii. Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an
economical manner.
iv. Develop recovery strategies. Write procedures and guidelines for how the organization can still stay functional in a crippled state.
v. Develop the contingency plan. Formulate methods to ensure systems and critical functions can be brought online quickly.
vi. Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP, and conduct training to properly prepare individuals on their
expected tasks.
vii. Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.
A. iii, iv, v
B. ii, vii
C. iv, v
D. iii, iv, v
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The correct disaster recovery steps and their associated definition mappings
are laid out as follows:
i. Develop the continuity planning policy statement. Write a policy that
provides the guidance necessary to develop a BCP and that assigns
authority to the necessary roles to carry out these tasks.
ii. Conduct the BIA. Identify critical functions and systems, and allow the
organization to prioritize them based on necessity. Identify vulnerabilities
and threats, and calculate risks.
iii. Identify preventive controls. Once threats are recognized, identify and
implement controls and countermeasures to reduce the organization’s risk
level in an economical manner.
iv. Develop recovery strategies. Formulate methods to ensure systems and
critical functions can be brought online quickly.
v. Develop the contingency plan. Write procedures and guidelines for how
the organization can still stay functional in a crippled state.
vi. Test the plan and conduct training and exercises. Test the plan to identify
deficiencies in the BCP, and conduct training to properly prepare
individuals on their expected tasks.
vii. Maintain the plan. Put in place steps to ensure the BCP is a living
document that is updated regularly.
QUESTION 30
Sam is a manager who is responsible for overseeing the development and the approval of the business continuity plan. He needs to make sure that his team is
creating correct and all-inclusive loss criteria when it comes to potential business impacts. Which of the following is not a negative characteristic or value that is
commonly included in the criteria?
i. Loss in reputation and public confidence
ii. Loss of competitive advantages
iii. Decrease in operational expenses
iv. Violations of contract agreements
v. Violations of legal and regulatory requirements
vi. Delayed income costs
vii. Loss in revenue
viii. Loss in productivity
A. i, vii, viii
B. iii, v, vi
C. iii
D. vi
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Loss criteria must be applied to the individual threats that were identified.
The criteria should include at least the following:
• Loss in reputation and public confidence
• Loss of competitive advantages
• Increase in operational expenses
• Violations of contract agreements
• Violations of legal and regulatory requirements
• Delayed income costs
• Loss in revenue
• Loss in productivity
QUESTION 31
Which of the following best describes the relationship between high-availability and disaster recovery techniques and technologies?
A. High-availability technologies and processes are commonly put into place so that if a disaster does take place, either availability of the critical functions
continues or the delay of getting them back online and running is low.
B. High availability deals with asynchronous replication and recovery time objective requirements, which increases disaster recovery performance.
C. High availability deals with synchronous replication and recovery point objective requirements, which increases disaster recovery performance.
D. Disaster recovery technologies and processes are put into place to provide high-availability service levels.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
High availability and disaster recovery are not the same, but they have a
relationship. High-availability technologies and processes are commonly put
into place so that if a disaster does take place, either availability of the critical
functions continues or the delay of getting them back online and running is low.
QUESTION 32
Susan is the new BCM coordinator and needs to identify various preventive and recovery solutions her company should implement for BCP/DRP efforts. She and
her team have carried out an impact analysis and found out that the company’s order processing functionality cannot be out of operation for more than 15 hours.
She has calculated that the order processing systems and applications must be brought back online within eight hours after a disruption. The analysis efforts have
also indicated that the data that are restored cannot be older than five minutes of current real-time data. Which of the following best describes the metrics and their
corresponding values that Susan’s team has derived?
A. MTD of the order processing functionality is 15 hours. RPO value is 8 hours. WRT value is 7 hours. RTO value is 5 minutes.
B. MTD of the order processing functionality is 15 hours. RTO value is 8 hours. WRT value is 7 hours. RPO value is 5 minutes.
C. MTD of the order processing functionality is 15 hours. RTO value is 7 hours. WRT value is 8 hours. RPO value is 5 minutes.
D. MTD of the order processing functionality is 8 hours. RTO value is 15 hours. WRT value is 7 hours. RPO value is 5 minutes.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The order processing functionality as a whole has to be up and running
within 15 hours, which is the maximum tolerable downtime (MTD). The
systems and applications have to be up and running in eight hours, which is
the Recovery Time Objective (RTO). RTO deals with technology, but we still
need processes and people in place to run the technology. Work Recovery
Time (WRT) is the remainder of the overall MTD value. RTO usually deals
with getting the infrastructure and systems back up and running, and WRT
deals with restoring data, testing processes, and then making everything “live”
for production purposes. The data that are restored for this function can only
be five minutes old; thus, the Recovery Point Objective (RPO) has the value
of five minutes.
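The relationship among MTD, RTO, WRT and RPO in the explanation above, carried through as an added example (not from the exam guide): the objectives from Susan's analysis (MTD 15 hours, RTO 8 hours, RPO 5 minutes) are encoded, WRT is derived as the remainder of the MTD after the RTO, and two constructed candidate recovery designs are checked against them. `RecoveryObjectives`, `RecoveryDesign` and `evaluate` are this example's own names; the design figures are assumptions chosen to show one design that meets the objectives and one that does not.

```python
"""Check a candidate recovery design against BCP metrics (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjectives:
    mtd_hours: float     # maximum tolerable downtime of the business function
    rto_hours: float     # time by which systems/applications must be back up
    rpo_minutes: float   # maximum age of the restored data

    def __post_init__(self) -> None:
        # An RTO longer than the MTD leaves no time for work recovery at all.
        if self.rto_hours > self.mtd_hours:
            raise ValueError("RTO cannot exceed MTD")

    @property
    def wrt_hours(self) -> float:
        # WRT is the remainder of the MTD once the RTO has been spent on
        # bringing infrastructure and systems back (as the explanation states).
        return self.mtd_hours - self.rto_hours


@dataclass(frozen=True)
class RecoveryDesign:
    replication_interval_minutes: float   # gap between data copies (bounds data age)
    infrastructure_rebuild_hours: float   # rebuild systems at the alternate site
    data_restore_and_test_hours: float    # restore data, test processes, go live


def susan_objectives() -> RecoveryObjectives:
    """The values derived in the question: MTD 15 h, RTO 8 h, RPO 5 min."""
    return RecoveryObjectives(mtd_hours=15, rto_hours=8, rpo_minutes=5)


# Constructed candidate designs (assumptions for illustration, not from the guide).
NIGHTLY_TAPE_DESIGN = RecoveryDesign(
    replication_interval_minutes=24 * 60,   # one backup per day
    infrastructure_rebuild_hours=6,
    data_restore_and_test_hours=9,
)
LOG_SHIPPING_DESIGN = RecoveryDesign(
    replication_interval_minutes=5,         # transaction logs shipped every 5 min
    infrastructure_rebuild_hours=6,
    data_restore_and_test_hours=5,
)


def evaluate(objectives: RecoveryObjectives, design: RecoveryDesign) -> dict:
    """Return which objectives the design satisfies.

    RTO covers the technology rebuild, WRT covers data restore and testing,
    and the MTD is met only if both phases fit inside their windows. RPO is met
    when the replication interval never lets restored data get older than allowed.
    """
    rto_met = design.infrastructure_rebuild_hours <= objectives.rto_hours
    wrt_met = design.data_restore_and_test_hours <= objectives.wrt_hours
    rpo_met = design.replication_interval_minutes <= objectives.rpo_minutes
    return {
        "rto_met": rto_met,
        "wrt_met": wrt_met,
        "rpo_met": rpo_met,
        "mtd_met": rto_met and wrt_met,
        "total_recovery_hours": design.infrastructure_rebuild_hours
        + design.data_restore_and_test_hours,
    }


if __name__ == "__main__":
    objectives = susan_objectives()
    print(f"WRT = MTD - RTO = {objectives.wrt_hours} h")
    for name, design in (("nightly tape", NIGHTLY_TAPE_DESIGN),
                         ("log shipping", LOG_SHIPPING_DESIGN)):
        print(name, evaluate(objectives, design))
```

Running the block shows the nightly-tape design failing both the RPO (data could be a day old) and the WRT (restore and testing overrun the 7-hour window), while the log-shipping design meets every objective with 11 hours of the 15-hour MTD used.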
Chapter 9 - Legal, Regulations, Investigations and Compliance
QUESTION 1
Which of the following does the Internet Architecture Board consider unethical?
A. Creating a computer virus
B. Entering information into a web page
C. Performing a penetration test on a host on the Internet
D. Disrupting Internet communications
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Internet Architecture Board (IAB) is a committee for Internet design,
engineering, and management. It considers the use of the Internet to be a
privilege that should be treated as such. The IAB considers the following acts
unethical and unacceptable behavior:
• Purposely seeking to gain unauthorized access to Internet resources
• Disrupting the intended use of the Internet
• Wasting resources (people, capacity, and computers) through purposeful
actions
• Destroying the integrity of computer-based information
• Compromising the privacy of others
• Negligence in the conduct of Internet-wide experiments
QUESTION 2
What is the study of computers and surrounding technologies and how they relate to crime?
A. Computer forensics
B. Computer vulnerability analysis
C. Incident handling
D. Computer information criteria
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Computer forensics is a field that specializes in understanding and properly
extracting evidence from computers and peripheral devices for the purpose
of prosecution. Collecting this type of evidence requires a skill set and
understanding of several relevant laws.
QUESTION 3
Which of the following does the Internet Architecture Board consider unethical behavior?
A. Internet users who conceal unauthorized accesses
B. Internet users who waste computer resources
C. Internet users who write viruses
D. Internet users who monitor traffic
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
This question is similar to Question 1. The IAB has declared wasting
computer resources through purposeful activities unethical because it sees
these resources as assets that are to be available for the computing society.
QUESTION 4
After a computer forensics investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container.
B. Dust the evidence for fingerprints.
C. Make an image copy of the disks.
D. Lock the evidence in the safe.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Several steps need to be followed when gathering and extracting evidence
from a scene. Once a computer has been confiscated, the first thing the
computer forensics team should do is make an image of the hard drive. The
team will work from this image instead of the original hard drive so it stays in
a pristine state and the evidence on the drive is not accidentally corrupted or
modified.
QUESTION 5
A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that
could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)2
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A CISSP candidate and a CISSP holder should never discuss with others
what was on the exam. This degrades the usefulness of the exam to be used
as a tool to test someone’s true security knowledge. If this type of activity is
uncovered, the person could be stripped of their CISSP certification.
QUESTION 6
If your company gives you a new PC and you find residual information about confidential company issues, what should you do based on the (ISC)2 Code of Ethics?
A. Contact the owner of the file and inform him about it. Copy it to a disk, give it to him, and delete your copy.
B. Delete the document because it was not meant for you.
C. Inform management of your findings so it can make sure this type of thing does not happen again.
D. E-mail it to both the author and management so everyone is aware of what is going on.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
When dealing with the possible compromise of confidential company
information or intellectual property, management should be informed and
be involved as soon as possible. Management members are the ones who
are ultimately responsible for this data and who understand the damage its
leakage can cause. An employee should not attempt to address and deal with
these issues on his own.
QUESTION 7
Why is it difficult to investigate computer crime and track down the criminal?
A. Privacy laws are written to protect people from being investigated for these types of crimes.
B. Special equipment and tools are necessary to detect these types of criminals.
C. Criminals can hide their identity and hop from one network to the next.
D. The police have no jurisdiction over the Internet.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Spoofing one’s identity and being able to traverse anonymously through
different networks and the Internet increase the complexity and difficulty
of tracking down criminals who carry out computer crimes. It is very easy to
commit many damaging crimes from across the country or world, and this
type of activity can be difficult for law enforcement to track down.
QUESTION 8
Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
A. The rule of best evidence
B. Hearsay
C. Evidence safety
D. Chain of custody
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Properly following the chain of custody for evidence is crucial for it to be
admissible in court. A chain of custody is a history that shows how evidence
was collected, analyzed, transported, and preserved in order to establish that
it is sufficiently trustworthy to be presented as evidence in court. Because
electronic evidence can be easily modified, a clearly defined chain of custody
demonstrates that the evidence is trustworthy.
QUESTION 9
If an investigator needs to communicate with another investigator but does not want the criminal to be able to eavesdrop on this conversation, what type of
communication should be used?
A. Digitally signed messages
B. Out-of-band messages
C. Forensics frequency
D. Authentication and access control
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Out-of-band communication means to communicate through some other
type of communication channel. For example, if law enforcement agents
are investigating a crime on a network, they should not share information
through e-mail that passes along this network. The criminal may still have
sniffers installed and thus be able to access this data.
QUESTION 10
Why is it challenging to collect and identify computer evidence to be used in a court of law?
A. The evidence is mostly intangible.
B. The evidence is mostly corrupted.
C. The evidence is mostly encrypted.
D. The evidence is mostly tangible.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The evidence in computer crimes usually comes straight from computers
themselves. This means the data are held as electronic voltages, which are
represented as binary bits. Some data can be held on hard drives and peripheral
devices, and some data may be held in the memory of the system itself. This
type of evidence is intangible in that it is not made up of objects one can hold,
see, and easily understand. Other types of crimes usually have evidence that is
more tangible in nature, and that is easier to handle and control.
QUESTION 11
The chain of custody of evidence describes who obtained the evidence and __________.
A. Who secured it and stole it
B. Who controlled it and broke it
C. Who secured it and validated it
D. Who controlled it and duplicated it
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The chain of custody outlines a process to ensure that under no circumstance
was there a possibility for the evidence to be tampered with. If the chain of
custody is broken, there is a high probability that the evidence will not be
admissible in court. If it is admitted, it will not carry as much weight.
QUESTION 12
Why is computer-generated documentation usually considered unreliable evidence?
A. It is primary evidence.
B. It is too difficult to detect prior modifications.
C. It is corroborative evidence.
D. It is not covered under criminal law, but it is covered under civil law.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
It can be very difficult to determine if computer-generated material has
been modified before it is presented in court. Since this type of evidence can
be altered without being detected, the court cannot put a lot of weight on this
evidence. Many times, computer-generated evidence is considered hearsay in
that there is no firsthand proof backing it up.
QUESTION 13
Which of the following is a necessary characteristic of evidence for it to be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
For evidence to be admissible, it must be sufficient, reliable, and relevant to
the case. For evidence to be reliable, it must be consistent with fact and must
not be based on opinion or be circumstantial.
QUESTION 14
If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be
called?
A. Incident recovery response
B. Entrapment
C. Illegal
D. Enticement
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Companies need to be very careful about the items they use to entice
intruders and attackers, because this may be seen as entrapment by the court.
It is best to get the legal department involved before implementing these
items. Putting a honeypot in place is usually seen as the use of enticement
tools.
QUESTION 15
If an employee is suspected of wrongdoing in a computer crime, what department must be involved?
A. Human resources
B. Legal
C. Audit
D. Payroll
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
It is imperative that the company gets human resources involved if an
employee is considered a suspect in a computer crime. This department knows
the laws and regulations pertaining to employee treatment and can work to
protect the employee and the company at the same time.
QUESTION 16
When would an investigator’s notebook be admissible in court?
A. When he uses it to refresh memory
B. When he cannot be present for testimony
C. When requested by the judge to learn the original issues of the investigations
D. When no other physical evidence is available
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Notes that are taken by an investigator will, in most cases, not be
admissible in court as evidence. This is not seen as reliable information and
can only be used by the investigator to help him remember activities during
the investigation.
QUESTION 17
Disks and other media that are copies of the original evidence are considered what?
A. Primary evidence
B. Reliable and sufficient evidence
C. Hearsay evidence
D. Conclusive evidence
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In most cases, computer-related evidence falls under the hearsay category,
because it is seen as copies of the original data that are held in the computer
itself and can be modified without any indication. Evidence is considered
hearsay when there is no firsthand proof in place to validate it.
QUESTION 18
If a company does not inform employees that they may be monitored and does not have a policy stating how monitoring should take place, what should a company
do?
A. Don’t monitor employees in any fashion.
B. Monitor during off-hours and slow times.
C. Obtain a search warrant before monitoring an employee.
D. Monitor anyway; they are covered by two laws allowing them to do this.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Before a company can monitor its employees, it is supposed to inform
them that this type of activity can take place. If a company monitors an
employee without telling him, this could be seen as an invasion of privacy.
The employee had an expected level of privacy that was invaded. The
company should implement monitoring capabilities into its security policy
and employee security-awareness programs.
QUESTION 19
What is one reason why successfully prosecuting computer crimes is so challenging?
A. There is no way to capture electrical data reliably.
B. The evidence in computer cases does not follow best evidence directives.
C. These crimes do not always fall into the traditional criminal activity categories.
D. Wiretapping is hard to do legally.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
We have an infrastructure set up to investigate and prosecute crimes:
law enforcement, laws, lawyers, courts, juries, judges, and so on. This
infrastructure has a long history of prosecuting “traditional” crimes. Only in
the last ten years or so have computer crimes been prosecuted more regularly;
thus, these types of crimes are not fully rooted in the legal system with all of
the necessary and useful precedents.
QUESTION 20
When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Executives are held to a certain standard and are expected to act
responsibly when running and protecting a company. These standards and
expectations equate to the due care concept under the law. Due care means
to carry out activities that a reasonable person would be expected to carry out
in the same situation. If an executive acts irresponsibly in any way, she can be
seen as not practicing due care and be held negligent.
QUESTION 21
To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Many times, what is corrupted, compromised, or taken from a computer
is data, so current laws have been updated to include the protection of
intangible assets, as in data. Over the years, data and information have
become many companies’ most valuable asset, which must be protected by
the laws.
QUESTION 22
Many privacy laws dictate which of the following rules?
A. Individuals have a right to remove any data they do not want others to know.
B. Agencies do not need to ensure that the data are accurate.
C. Agencies need to allow all government agencies access to the data.
D. Agencies cannot use collected data for a purpose different from what they were collected for.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Federal Privacy Act of 1974 and the European Union Principles
on Privacy were created to protect citizens from government agencies that
collect personal data. These acts have many stipulations, including that the
information can only be used for the reason for which it was collected.
QUESTION 23
Which of the following is not true about dumpster diving?
A. It is legal.
B. It is illegal.
C. It is a breach of physical security.
D. It is gathering data from places people would not expect to be raided.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Dumpster diving is the act of going through someone’s trash with the hope
of uncovering useful information. Dumpster diving is legal if it does not
involve trespassing, but it is unethical.
QUESTION 24
Use the following scenario to answer Questions 24–26. Ron is a new security manager and needs to help ensure that his company can easily work with
international entities in the case of cybercrime activities. His company is expanding its offerings to include cloud computing for its customers, who are located all
over the world. Ron knows that several of its partners in Europe would like to take advantage of his company’s cloud computing offerings.
Which of the following should Ron ensure that his company’s legal team is aware of pertaining to cybercrime issues?
A. Business exemption rule of evidence
B. Council of Europe (CoE) Convention on Cybercrime
C. Digital Millennium Copyright Act
D. Personal Information Protection and Electronic Documents Act
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Council of Europe (CoE) Convention on Cybercrime is the first
international treaty seeking to address computer crimes by coordinating
national laws and improving investigative techniques and international
cooperation.
QUESTION 25
Use the following scenario to answer Questions 24–26. Ron is a new security manager and needs to help ensure that his company can easily work with
international entities in the case of cybercrime activities. His company is expanding its offerings to include cloud computing for its customers, who are located all
over the world. Ron knows that several of its partners in Europe would like to take advantage of his company’s cloud computing offerings.
Ron needs to make sure the executives of his company are aware of issues pertaining to transmitting privacy data over international boundaries. Which of the
following should Ron be prepared to brief his bosses on pertaining to this issue?
A. OECD Guidelines
B. Exigent circumstances
C. Australian Computer Emergency Response Team’s General Guidelines
D. International Organization on Computer Evidence
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Global organizations that move data across other countries’ boundaries
must be aware of and follow the Organisation for Economic Co-operation
and Development (OECD) Guidelines, which deal with the protection of
privacy and transborder flows of personal data.
QUESTION 26
Use the following scenario to answer Questions 24–26. Ron is a new security manager and needs to help ensure that his company can easily work with
international entities in the case of cybercrime activities. His company is expanding its offerings to include cloud computing for its customers, who are located all
over the world. Ron knows that several of its partners in Europe would like to take advantage of his company’s cloud computing offerings.
What does Ron need to ensure that the company follows to allow its European partners to use its cloud computing offering?
A. Personal Information Protection and Electronic Documents Act
B. Business exemption rule of evidence
C. International Organization on Computer Evidence
D. Safe Harbor requirements
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
If a non-European organization wants to do business with a European
entity, it will need to adhere to the Safe Harbor requirements if certain types
of data will be passed back and forth during business processes.
QUESTION 27
Use the following scenario to answer Questions 27–29. Jan’s company develops software that provides cryptographic functionality. The software products provide
functionality that allows companies to comply with the privacy regulations and laws that apply to them.
Which of the following issues does Jan’s team need to be aware of as it pertains to selling its products to companies that reside in different parts of the world?
A. Convergent technologies advancements
B. Wassenaar Arrangement
C. Digital Millennium Copyright Act
D. Trademark laws
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Wassenaar Arrangement implements export controls for “Conventional
Arms and Dual-Use Goods and Technologies.” The main goal of this
arrangement is to prevent the buildup of military capabilities that could
threaten regional and international security and stability. Cryptography is a
technology that is considered a dual-use good under these export rules.
QUESTION 28
Use the following scenario to answer Questions 27–29. Jan’s company develops software that provides cryptographic functionality. The software products provide
functionality that allows companies to comply with the privacy regulations and laws that apply to them.
Which of the following groups should Jan suggest that her company join for software piracy issues?
A. Software Protection Association
B. Federation Against Software Theft
C. Business Software Association
D. Piracy International Group
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Software Protection Association (SPA) was formed by major
companies to enforce proprietary rights of software. The association was
created to protect the founding companies’ software developments, but it also
helps others ensure that their software is properly licensed. These are huge
issues for companies that develop and produce software, because a majority of
their revenue comes from licensing fees.
QUESTION 29
Use the following scenario to answer Questions 27–29. Jan’s company develops software that provides cryptographic functionality. The software products provide
functionality that allows companies to comply with the privacy regulations and laws that apply to them.
Which of the following is the most important functionality the software should provide to meet its customers’ needs?
A. Provide Safe Harbor protection
B. Protect personally identifiable information
C. Provide transborder flow protection
D. Provide live forensics capabilities
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Personally identifiable information (PII) is data that can be used to
uniquely identify, contact, or locate a single person or can be used with other
sources to uniquely identify a single individual. This type of data commonly
falls under privacy laws and regulation protection requirements.
QUESTION 30
Which of the following has an incorrect definition mapping?
i. Best evidence is the primary evidence used in a trial because it provides the most reliability.
ii. Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence.
iii. Conclusive evidence is refutable and cannot be contradicted.
iv. Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.
v. Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability.
A. i
B. ii
C. iii
D. v
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The following has the proper definition mappings:
i. Best evidence is the primary evidence used in a trial because it provides the
most reliability.
ii. Secondary evidence is not viewed as reliable and strong in proving
innocence or guilt (or liability in civil cases) when compared to best
evidence.
iii. Conclusive evidence is irrefutable and cannot be contradicted.
iv. Circumstantial evidence can prove an intermediate fact that can then be
used to deduce or assume the existence of another fact.
v. Hearsay evidence pertains to oral or written evidence presented in court
that is secondhand and has no firsthand proof of accuracy or reliability.
QUESTION 31
Which of the following has an incorrect definition mapping?
i. Civil (code) law - Based on previous interpretations of laws
ii. Common law - Rule-based law, not precedence-based
iii. Customary law - Deals mainly with personal conduct and patterns of behavior
iv. Religious law - Based on religious beliefs of the region
A. i, iii
B. i, ii, iii
C. i, ii
D. iv
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The following has the proper definition mappings:
i. Civil (code) law - Rule-based law, not precedence-based
ii. Common law - Based on previous interpretations of laws
iii. Customary law - Deals mainly with personal conduct and patterns of behavior
iv. Religious law - Based on religious beliefs of the region
Chapter 10 - Software Development Security
QUESTION 1
An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login
data and sending them to another party. This application is best described as which of the following?
A. A virus
B. A Trojan horse
C. A worm
D. A logic bomb
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A Trojan horse looks like an innocent and helpful program, but in the
background it is carrying out some type of malicious activity unknown to the
user. The Trojan horse could be corrupting files, sending the user’s password
to an attacker, or attacking another computer.
QUESTION 2
What is the importance of inference in an expert system?
A. The knowledge base contains facts, but must also be able to combine facts to derive new information and solutions.
B. The inference machine is important to fight against multipart viruses.
C. The knowledge base must work in units to mimic neurons in the brain.
D. The access must be controlled to prevent unauthorized access.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The whole purpose of an expert system is to look at the data it has to work
with and what the user presents to it and to come up with new or different
solutions. It basically performs data-mining activities, identifies patterns and
relationships the user can’t see, and provides solutions. This is the same reason
you would go to a human expert. You would give her your information, and
she would combine it with the information she knows and give you a solution
or advice, which is not necessarily the same data you gave her.
QUESTION 3
A system has been patched many times and has recently become infected with a dangerous virus. If antivirus software indicates that disinfecting a file may damage
it, what is the correct action?
A. Disinfect the file and contact the vendor.
B. Back up the data and disinfect the file.
C. Replace the file with the file saved the day before.
D. Restore an uninfected version of the patched file from backup media.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Some files cannot be properly sanitized by the antivirus software without
destroying them or affecting their functionality. So, the administrator must
replace such a file with a known uninfected file. Plus, the administrator
needs to make sure he has the patched version of the file, or else he could
be introducing other problems. Answer C is not the best answer because the
administrator may not know the file was clean yesterday, so just restoring
yesterday’s file may put him right back in the same boat.
QUESTION 4
What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Instantiation is what happens when an object is created from a class.
Polyinstantiation is when more than one object is made and the other copy is
modified to have different attributes. This can be done for several reasons. The
example given in the chapter was a way to use polyinstantiation for security
purposes to ensure that a lower-level subject could not access an object at a
higher level.
QUESTION 5
Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A database view is put into place to prevent certain users from viewing
specific data. This is a preventive measure, because the administrator is
preventing the users from seeing data not meant for them. This is one control
to prevent inference attacks.
QUESTION 6
Which of the following is used to deter database inference attacks?
A. Partitioning, cell suppression, and noise and perturbation
B. Controlling access to the data dictionary
C. Partitioning, cell suppression, and small query sets
D. Partitioning, noise and perturbation, and small query sets
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Partitioning means to logically split the database into parts. Views then
dictate which users can see each part. Cell suppression means that
specific cells are not viewable by certain users. And noise and perturbation is
when bogus information is inserted into the database to try to give potential
attackers incorrect information.
QUESTION 7
When should security first be addressed in a project?
A. During requirements development
B. During integration testing
C. During design specifications
D. During implementation
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The trick to this question, and any one like it, is that security should be
implemented at the first possible phase of a project. Requirements are gathered
and developed at the beginning of a project, which is project initiation.
The other answers are steps that follow this phase, and security should be
integrated right from the beginning instead of in the middle or at the end.
QUESTION 8
Online application systems that detect an invalid transaction should do which of the following?
A. Roll back and rewrite over original data.
B. Terminate all transactions until properly addressed.
C. Write a report to be reviewed.
D. Checkpoint each data entry.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
This can seem like a tricky question. It is asking you if the system detected
an invalid transaction, which is most likely a user error. This error should
be logged so it can be reviewed. After the review, the supervisor, or whoever
makes this type of decision, will decide whether or not it was a mistake and
investigate it as needed. If the system had a glitch, power fluctuation, hang-up,
or any other software- or hardware-related error, it would not be an invalid
transaction, and in that case the system would carry out a rollback function.
QUESTION 9
Which of the following are rows and columns within relational databases?
A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
In a relational database, a row is referred to as a tuple, whereas a column is
referred to as an attribute.
QUESTION 10
Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce
many integrity threats, so the database software should implement the characteristics of what’s known as the ACID test. Which of the following are incorrect
characteristics of the ACID test?
i. Atomicity - Divides transactions into units of work and ensures that all modifications take effect or none take effect.
ii. Consistency - A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
iii. Isolation - Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability - Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.
A. i, ii
B. ii, iii
C. ii, iv
D. iv
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The following are correct characteristics of the ACID test:
• Atomicity - Divides transactions into units of work and ensures that
all modifications take effect or none take effect. Either the changes are
committed or the database is rolled back.
• Consistency - A transaction must follow the integrity policy developed for
that particular database and ensure all data are consistent in the different
databases.
• Isolation - Transactions execute in isolation until completed without
interacting with other transactions. The results of the modification are not
available until the transaction is completed.
• Durability - Once the transaction is verified as accurate on all systems, it is
committed and the databases cannot be rolled back.
QUESTION 11
The software development life cycle has several phases. Which of the following lists these phases in the correct order?
A. Project initiation, system design specifications, functional design analysis and planning, software development, installation/implementation, operational/
maintenance, disposal
B. Project initiation, functional design analysis and planning, system design specifications, software development, installation/implementation, operational/
maintenance, disposal
C. Project initiation, functional design analysis and planning, software development, system design specifications, installation/implementation, operational/
maintenance, disposal
D. Project initiation, system design specifications, functional design analysis and planning, software development, operational/maintenance
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The following outlines the common phases of the software development
life cycle:
1. Project initiation
2. Functional design analysis and planning
3. System design specifications
4. Software development
5. Testing
6. Installation/implementation
7. Operational/maintenance
8. Disposal
QUESTION 12
John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types
and at the right times of the development stages. Which of the following have the best descriptions of the types of software testing that should be carried out?
i. Unit testing - Individual component is in a controlled environment where programmers validate data structure, logic, and boundary conditions.
ii. Integration testing - Verifying that components work together as outlined in design specifications.
iii. Acceptance testing - Ensuring that the code meets customer requirements.
iv. Regression testing - After a change to a system takes place, retesting to ensure functionality, performance, and protection.
A. i, ii
B. ii, iii
C. i, ii, iv
D. i, ii, iii, iv
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
There are different types of tests the software should go through because
there are different potential flaws we will be looking for. The following are
some of the most common testing approaches:
• Unit testing - Individual component is in a controlled environment where
programmers validate data structure, logic, and boundary conditions.
• Integration testing - Verifying that components work together as outlined
in design specifications.
• Acceptance testing - Ensuring that the code meets customer requirements.
• Regression testing - After a change to a system takes place, retesting to
ensure functionality, performance, and protection.
QUESTION 13
Tim is a software developer for a financial institution. He develops middleware software code that carries out his company’s business logic functions. One of the
applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over a period of time. Which of the
following best describes what Tim should implement to rid this software of this type of problem?
A. Bounds checking
B. Garbage collector
C. Parameter checking
D. Compiling
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Garbage collection is an automated way for software to carry out part of its
memory management tasks. A garbage collector identifies blocks of memory
that were once allocated but are no longer in use and deallocates the blocks
and marks them as free. It also gathers scattered blocks of free memory and
combines them into larger blocks. It helps provide a more stable environment
and does not waste precious memory. Some programming languages, such
as Java, perform automatic garbage collection; others, such as C, require the
developer to perform it manually, thus leaving opportunity for error.
QUESTION 14
Marge has to choose a software development model that her team should follow. The application that her team is responsible for developing is a critical application
that can have little to no errors. Which of the following best describes the type of model her team should follow?
A. Cleanroom
B. Joint Analysis Development (JAD)
C. Rapid Application Development (RAD)
D. Reuse Model
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The software development models and their definitions are as follows:
• Joint Analysis Development (JAD) - A method that uses a team approach
in application development in a workshop-oriented environment.
• Rapid Application Development (RAD) - A method of determining user
requirements and developing systems quickly to satisfy immediate needs.
• Reuse Model - A model that approaches software development by using
progressively developed models. Reusable programs are evolved by
gradually modifying pre-existing prototypes to customer specifications.
Since the Reuse model does not require programs to be built from scratch,
it drastically reduces both development cost and time.
• Cleanroom - An approach that attempts to prevent errors or mistakes by
following structured and formal methods of developing and testing. This
approach is used for high-quality and critical applications that will be put
through a strict certification process.
QUESTION 15
__________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Fuzz testing or fuzzing is a software testing technique that provides invalid,
unexpected, or random data to the input interfaces of a program. If the program
fails (for example, by crashing or failing built-in code assertions), the defects
can be noted.
QUESTION 16
Which of the following is the second level of the Capability Maturity Model Integration?
A. Repeatable
B. Defined
C. Managed
D. Optimizing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The five levels of the Capability Maturity Model Integration are:
• Initial - Development process is ad hoc or even chaotic. The company does
not use effective management procedures and plans. There is no assurance
of consistency, and quality is unpredictable.
• Repeatable - A formal management structure, change control, and quality
assurance are in place. The company can properly repeat processes
throughout each project. The company does not have formal process
models defined.
• Defined - Formal procedures are in place that outline and define processes
carried out in each project. The organization has a way to allow for
quantitative process improvement.
• Managed - The company has formal processes in place to collect and
analyze quantitative data, and metrics are defined and fed into the
process-improvement program.
• Optimizing - The company has budgeted and integrated plans for
continuous process improvement.
QUESTION 17
One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic?
A. Autonomous objects, cooperation through exchanges of messages.
B. The internal components of an object can be redefined without changing other parts of the system.
C. Refining classes through inheritance.
D. Object-oriented analysis, design, and modeling map to business needs and solutions.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The characteristics and their associated definitions are listed as follows:
• Modularity Autonomous objects, cooperation through exchanges of
messages.
• Deferred commitment The internal components of an object can be
redefined without changing other parts of the system.
• Reusability Other programs using the same objects.
• Naturalness Object-oriented analysis, design, and modeling map to
business needs and solutions.
QUESTION 18
Which of the following attack types best describes what commonly takes place to overwrite a return pointer memory segment?
A. Traversal attack
B. UNICODE attack
C. URL encoding attack
D. Buffer overflow attack
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The buffer overflow is probably the most notorious of input validation
mistakes. A buffer is an area reserved by an application to store something
in it, such as some user input. After the application receives the input, an
instruction pointer points the application to do something with the input
that’s been put in the buffer. A buffer overflow occurs when an application
erroneously allows an invalid amount of input to be written into the buffer
area, overwriting the instruction pointer in the code that tells the program
what to do with the input. Once the instruction pointer is overwritten,
whatever code has been placed in the buffer can then be executed, all under
the security context of the application.
QUESTION 19
Which of the following has an incorrect attack-to-definition mapping?
A. EBJ XSS: Content processing stages performed by the client, typically in client-side Java
B. Nonpersistent XSS attack: Improper sanitation of response from a web client
C. Persistent XSS attack: Data provided by attackers are saved on the server
D. DOM-based XSS attack: Content processing stages performed by the client, typically in client-side JavaScript
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The nonpersistent cross-site scripting vulnerability is when the data
provided by a web client, most commonly in HTTP query parameters or
in HTML form submissions, are used immediately by server-side scripts
to generate a page of results for that user without properly sanitizing the
response. The persistent XSS vulnerability occurs when the data provided
by the attacker are saved by the server and then permanently displayed on
“normal” pages returned to other users in the course of regular browsing
without proper HTML escaping. DOM-based vulnerabilities occur in the
content processing stages performed by the client, typically in client-side
JavaScript.
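The following Python block is an added example, not code from the exam guide, that makes the nonpersistent and persistent cases concrete: a search page that echoes a query parameter straight into HTML (reflected), and a comment list that renders text previously saved on the server (stored), each shown beside the version that HTML-escapes the data before it reaches the page. The page layout, the in-memory comment list and the probe string are constructed for the example. The DOM-based case is not shown because it happens in client-side JavaScript rather than in server code.

```python
"""Reflected and stored XSS: unescaped rendering beside escaped rendering (added example)."""
import html
from urllib.parse import parse_qs

# Constructed probe string: harmless markup used only to show whether user-supplied
# text reaches the page as live HTML or as inert, escaped text.
PROBE = "<script>alert(1)</script>"


def query_param(query_string: str, name: str) -> str:
    """Return the (percent-decoded) value of one query-string parameter, or ''."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_search_unsafe(query_string: str) -> str:
    """Nonpersistent (reflected) XSS: the q parameter from the client's request is
    written into the response page without sanitizing it."""
    return f"<p>Results for: {query_param(query_string, 'q')}</p>"


def render_search_safe(query_string: str) -> str:
    """Same page, but the value is HTML-escaped so <, >, &, and quotes become
    character references and cannot start a tag or attribute."""
    return f"<p>Results for: {html.escape(query_param(query_string, 'q'), quote=True)}</p>"


def render_comments_unsafe(comments: list) -> str:
    """Persistent (stored) XSS: text saved on the server earlier is shown to every
    later visitor exactly as it was saved."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments: list) -> str:
    """Escaping at output time protects every reader, whatever was stored."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def markup_survives(rendered: str, probe: str = PROBE) -> bool:
    """True if the probe appears in the rendered page as raw markup."""
    return probe in rendered


if __name__ == "__main__":
    # Constructed request and stored data for the demonstration.
    request = "q=%3Cscript%3Ealert(1)%3C/script%3E"
    stored_comments = ["Nice post", PROBE]
    print("reflected, unsafe:", render_search_unsafe(request))
    print("reflected, safe:  ", render_search_safe(request))
    print("stored, unsafe:   ", render_comments_unsafe(stored_comments))
    print("stored, safe:     ", render_comments_safe(stored_comments))
```

Escaping is applied at the point where data is written into HTML, not at the point where it was received: the stored case shows why, since the text was already on the server before any response was built.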
QUESTION 20
John is reviewing database products. He needs a product that can manipulate a standard set of data for his company’s business logic needs. Which of the following
should the necessary product implement?
A. Relational database
B. Object-relational database
C. Network database
D. Dynamic-static
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
An object-relational database (ORD) or object-relational database
management system (ORDBMS) is a relational database with a software
front end that is written in an object-oriented programming language.
Different companies will have different business logic that needs to be carried
out on the stored data. Allowing programmers to develop this front-end
software piece allows the business logic procedures to be used by requesting
applications and the data within the database.
QUESTION 21
ActiveX Data Objects (ADO) is an API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of
data sources through accessible objects. Which of the following are incorrect characteristics of ADO?
i. It’s a low-level data access programming interface to an underlying data access technology (such as OLE DB).
ii. It’s a set of COM objects for accessing data sources, not just database access.
iii. It allows a developer to write programs that access data without knowing how the database is implemented.
iv. SQL commands are required to access a database when using ADO.
A. i, iv
B. ii, iii
C. i, ii, iii
D. i, ii, iii, iv
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The following are correct characteristics of ADO:
• It’s a high-level data access programming interface to an underlying data
access technology (such as OLE DB).
• It’s a set of COM objects for accessing data sources, not just database access.
• It allows a developer to write programs that access data without knowing
how the database is implemented.
• SQL commands are not required to access a database when using ADO.
QUESTION 22
Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these
services?
i. A semantic integrity mechanism makes sure structural and semantic rules are enforced.
ii. A database has referential integrity if all foreign keys reference existing primary keys.
iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.
A. ii
B. ii, iii
C. i, ii, iii
D. i, ii
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A semantic integrity mechanism makes sure structural and semantic rules
are enforced. These rules pertain to data types, logical values, uniqueness
constraints, and operations that could adversely affect the structure of the
database. A database has referential integrity if all foreign keys reference
existing primary keys. There should be a mechanism in place that ensures
no foreign key contains a reference to a primary key of a nonexisting record,
or a null value. Entity integrity guarantees that the tuples are uniquely
identified by primary key values. For the sake of entity integrity, every tuple
must contain one primary key. If it does not have a primary key, it cannot be
referenced by the database.
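To show the three integrity services being enforced by a real database engine, here is an added Python example (not from the exam guide) using the standard library's SQLite binding. The two-table schema, the sample rows and the helper functions are constructed for the example; one SQLite-specific caveat is built in, namely that foreign-key enforcement is off by default and must be switched on per connection, which is exactly the kind of "mechanism in place" the explanation calls for.

```python
"""Semantic, referential and entity integrity enforced by SQLite (added example)."""
import sqlite3

# Constructed schema: each constraint is labelled with the integrity service it provides.
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,      -- entity integrity: every tuple has a unique key
    name    TEXT NOT NULL UNIQUE      -- semantic integrity: uniqueness rule on a value
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,      -- entity integrity
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL CHECK (salary > 0),              -- semantic integrity: logical value rule
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)   -- referential integrity: FK must exist
);
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and one department row."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this pragma is enabled on the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department (dept_id, name) VALUES (1, 'Security')")
    conn.commit()
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple):
    """Run one INSERT; return None on success or the integrity error message."""
    try:
        with conn:  # commits on success, rolls back the failed statement on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def integrity_checks(conn: sqlite3.Connection) -> dict:
    """Attempt one valid insert and four that each violate a different rule."""
    emp = "INSERT INTO employee (name, salary, dept_id) VALUES (?, ?, ?)"
    dept = "INSERT INTO department (dept_id, name) VALUES (?, ?)"
    return {
        "valid":      try_insert(conn, emp, ("Ann", 5000, 1)),
        "orphan_fk":  try_insert(conn, emp, ("Bob", 5000, 99)),   # no department 99
        "null_fk":    try_insert(conn, emp, ("Cid", 5000, None)), # FK may not be null
        "bad_salary": try_insert(conn, emp, ("Dee", -1, 1)),      # fails CHECK rule
        "dup_pk":     try_insert(conn, dept, (1, "Ops")),         # key 1 already used
    }


def orphan_check(conn: sqlite3.Connection) -> list:
    """Audit existing rows for dangling foreign keys (empty list means none)."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


if __name__ == "__main__":
    db = open_db()
    for case, outcome in integrity_checks(db).items():
        print(f"{case:11s}: {'ok' if outcome is None else outcome}")
    print("dangling references:", orphan_check(db))
```

The audit query at the end is worth keeping as a routine check: if enforcement was ever disabled (for a bulk load, say), it reports any rows whose foreign keys no longer point at an existing primary key.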
QUESTION 23
Which of the following is a field of study that focuses on ways of understanding and analyzing data in databases, with concentration on automation advancements?
A. Artificial intelligence
B. Knowledge discovery in databases
C. Expert system development
D. Artificial neural networking
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Knowledge discovery in databases (KDD) is a field of study that works with
metadata and attempts to put standards and conventions in place on the way
that data are analyzed and interpreted. KDD is used to identify patterns and
relationships between data. It is also called data mining.
QUESTION 24
Use the following scenario to answer Questions 24–26. Sandy has just started as the manager of software development at a new company. There are a few things
that Sandy is finding out as she interviews her new team members that may need to be approached differently. Programmers currently develop software code and
upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product
contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker
Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined
several open API functionalities within a business-oriented software package.
Which of the following is the best technology for Sandy’s team to implement as it pertains to the previous scenario?
A. Computer-aided software engineering tools
B. Software configuration management
C. Software development life-cycle management
D. Software engineering best practices
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Software Configuration Management (SCM) identifies the attributes of
software at various points in time, and performs a methodical control of
changes for the purpose of maintaining software integrity and traceability
throughout the software development life cycle. It defines the need to track
changes and provides the ability to verify that the final delivered software has
all of the approved changes that are supposed to be included in the release.
QUESTION 25
Use the following scenario to answer Questions 24–26. Sandy has just started as the manager of software development at a new company. There are a few things
that Sandy is finding out as she interviews her new team members that may need to be approached differently. Programmers currently develop software code and
upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product
contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker
Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined
several open API functionalities within a business-oriented software package.
Which is the best software architecture that Sandy should introduce her team to for effective business application use?
A. Distributed component object architecture
B. Simple Object Access Protocol architecture
C. Enterprise JavaBeans architecture
D. Service-oriented architecture
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A service-oriented architecture (SOA) provides standardized access to
the most needed services to many different applications at one time. This
approach allows for different business applications to access the current web
services available within the environment.
QUESTION 26
Use the following scenario to answer Questions 24–26. Sandy has just started as the manager of software development at a new company. There are a few things
that Sandy is finding out as she interviews her new team members that may need to be approached differently. Programmers currently develop software code and
upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product
contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker
Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined
several open API functionalities within a business-oriented software package.
Which best describes the approach Sandy’s team member took when creating the business-oriented software package mentioned within the scenario?
A. Software as a Service
B. Cloud computing
C. Web services
D. Mashup
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A mashup is the combination of functionality, data, and presentation
capabilities of two or more sources to provide some type of new service or
functionality. Open APIs and data sources are commonly aggregated and
combined to provide a more useful and powerful resource.
QUESTION 27
Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies.
Which of the following best describes the components that need to be in place and what their roles are?
A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service’s specifications. The Web
Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the
exchange of messages between a requester and provider of a web service.
B. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications.
Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol
allows for the exchange of messages between a requester and provider of a web service.
C. Web service provides the application functionality. The Web Services Description Language describes the web service’s specifications. Simple Object Access
Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of
messages between a requester and provider of a web service.
D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service’s specifications. Universal Description,
Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the
exchange of messages between a requester and provider of a web service.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Web service provides the application functionality. The Web Services
Description Language describes the web service’s specifications. Universal
Description, Discovery, and Integration provides the mechanisms for web
services to be posted and discovered. The Simple Object Access Protocol
allows for the exchange of messages between a requester and provider of a
web service.
QUESTION 28
Use the following scenario to answer Questions 28–30. Brad is a new security administrator within a retail company. He is discovering several issues that his
security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the
following characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their
web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end
database.
Which of the following best describes attacks that could be taking place against this organization?
A. Cross-site scripting and certification stealing
B. URL encoding and directory traversal attacks
C. Parameter validation manipulation and session management attacks
D. Replay and password brute force attacks
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The characters “%20” are encoding values that attackers commonly use in
URL encoding attacks. These encoding values can be used to bypass web server
filtering rules and can result in the attacker being able to gain unauthorized
access to components of the web server. The characters “../” can be used by
attackers in similar web server requests, which instruct the web server software
to traverse directories that should be inaccessible. This is commonly referred
to as a path or directory traversal attack.
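Brad's review of the web server logs can be automated. The Python block below is an added example, not part of the exam guide, that reads constructed log lines in the common log format, percent-decodes each request target repeatedly so that double-encoded sequences are unmasked, and reports requests whose decoded path contains a ".." segment or needed more than one decoding round. The log lines, the client addresses and the paths are all constructed for the example; the regular expression assumes the standard request-line layout `"METHOD target HTTP/x.y"`.

```python
"""Flag URL-encoding and directory-traversal patterns in web server logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format); none of these are real requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /images/../../conf/app.cfg HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/conf/app.cfg HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=my%20report HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /a/%252e%252e/b HTTP/1.1" 200 88
"""

# Assumed request-line layout: "METHOD target HTTP/version".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(target: str, max_rounds: int = 3):
    """Percent-decode until the string stops changing; return (decoded, rounds).

    A normal request decodes once. A request that still changes on the second
    round was double-encoded, which is a way to slip past filters that decode
    only once before checking the path.
    """
    decoded, rounds = target, 0
    while rounds < max_rounds:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    return decoded, rounds


def analyse_request(target: str) -> dict:
    """Classify one request target after decoding it."""
    decoded, rounds = fully_decode(target)
    path = decoded.split("?", 1)[0]                 # ignore the query string for path checks
    segments = path.replace("\\", "/").split("/")  # treat backslash as a separator too
    return {
        "target": target,
        "decoded": decoded,
        "encoded": rounds >= 1,
        "double_encoded": rounds >= 2,
        "traversal": ".." in segments,
    }


def suspicious_requests(log_text: str) -> list:
    """Return the analysed requests that show traversal or double encoding."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        info = analyse_request(match.group("target"))
        if info["traversal"] or info["double_encoded"]:
            info["client"] = line.split()[0]
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(f"{finding['client']}: {finding['target']} -> {finding['decoded']} "
              f"(traversal={finding['traversal']}, double_encoded={finding['double_encoded']})")
```

A plain single-encoded space such as `%20` in a query string is recorded as encoded but not reported on its own, since it is how browsers legitimately send spaces; the analyst can widen the filter if the environment warrants it. The same decode-then-check order is what the web server's own filtering should follow, so that a rule written against `../` also catches its encoded forms.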
QUESTION 29
Use the following scenario to answer Questions 28–30. Brad is a new security administrator within a retail company. He is discovering several issues that his
security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the
following characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their
web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end
database.
The web server software is currently carrying out which of the following functions and what is an associated security concern Brad should address?
A. Client-side validation: The web server should carry out a secondary set of input validation rules on the presented data before processing them.
B. Server-side includes validation: The web server should carry out a secondary set of input validation rules on the presented data before processing them.
C. Data Source Name logical naming access: The web server should be carrying out a second set of reference integrity rules.
D. Data Source Name logical naming access: The web server should carry out a secondary set of input validation rules on the presented data before processing them.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Client-side validation is being carried out. This procedure ensures that the
data that are inserted into the form contain valid values before being sent to
the web server for processing. The web server should not just rely upon client-side
validation, but should also carry out a second set of procedures to ensure
that the input values are not illegal and potentially malicious.
QUESTION 30
Use the following scenario to answer Questions 28–30. Brad is a new security administrator within a retail company. He is discovering several issues that his
security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the
following characters “%20” and “../”. The web server software ensures that users input the correct information within the forms that are presented to them via their
web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end
database.
Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with?
A. Parameter validation attack
B. Injection attack
C. Cross-site scripting
D. Database connector attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The current architecture allows for web server software to directly
communicate with a back-end database. Brad should ensure that proper
database access authentication is taking place so that SQL injection attacks
cannot be carried out. In a SQL injection attack the attacker sends over
input values that the database carries out as commands and can allow
authentication to be successfully bypassed.
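Questions 29 and 30 describe two halves of one fix: the server must validate input itself rather than trust the browser's form checks, and the web tier must not let input values become database commands. The Python block below is an added example that is not from the exam guide; it shows a login check built by splicing user input into SQL text, beside a hardened version that validates the form server-side, binds parameters so the database treats input strictly as data, and compares credentials in constant time. The table, the user record, the validation rules and the unsalted password hash are constructed for the example (production code would store a per-user salted, slow hash; that is outside the point being shown here).

```python
"""Server-side validation and parameterized queries against SQL injection (added example)."""
import hashlib
import hmac
import re
import sqlite3

# Constructed rule: usernames are 1-32 characters from a small safe alphabet.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def hash_password(password: str) -> str:
    """Constructed for the example: unsalted SHA-256 keeps the focus on injection.
    Production code uses a per-user salt and a slow KDF (PBKDF2, scrypt, argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct-horse-battery")))
    conn.commit()
    return conn


def validate_login_form(form: dict) -> dict:
    """Server-side validation: returns a dict of field -> problem (empty when valid).
    This runs regardless of whatever checks the browser performed."""
    errors = {}
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        errors["username"] = "1-32 characters from [A-Za-z0-9_.-]"
    if not 8 <= len(form.get("password", "")) <= 128:
        errors["password"] = "8-128 characters"
    return errors


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before': input is spliced into the SQL text, so a quote in the username
    ends the string literal and the rest of the input is executed as SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{hash_password(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, form: dict) -> bool:
    """'After': reject malformed input, bind the parameter, verify in Python."""
    if validate_login_form(form):
        return False
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (form["username"],)).fetchone()
    if row is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(row[0], hash_password(form["password"]))


if __name__ == "__main__":
    db = setup_db()
    good = {"username": "alice", "password": "correct-horse-battery"}
    # Constructed malformed username: a quote followed by an always-true condition.
    bad = {"username": "' OR '1'='1' --", "password": "anything"}
    print("vulnerable, valid creds:", login_vulnerable(db, good["username"], good["password"]))
    print("vulnerable, injected:   ", login_vulnerable(db, bad["username"], bad["password"]))
    print("hardened, valid creds:  ", login_hardened(db, good))
    print("hardened, injected:     ", login_hardened(db, bad), validate_login_form(bad))
```

The two defences are independent: even an input that passed validation cannot alter the hardened query, because the bound parameter is never parsed as SQL. Pairing this with a database account that holds only the privileges the application needs limits what any remaining flaw in the web tier can reach.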
Chapter 11 - Security Operations
QUESTION 1
Which of the following best describes operations security?
A. Continual vigilance about hacker activity and possible vulnerabilities
B. Enforcing access control and physical security
C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection
D. Doing strategy planning to develop a secure environment and then implementing it properly
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
All of these are necessary security activities and procedures—they just
don’t all fall under the operations umbrella. Operations is about keeping
production up and running in a healthy and secure manner. Operations
is not usually the entity that carries out strategic planning. It works at an
operational, day-to-day level, not at the higher strategic level.
QUESTION 2
Which of the following describes why operations security is important?
A. An environment continually changes and has the potential of lowering its level of protection.
B. It helps an environment be functionally sound and productive.
C. It ensures there will be no unauthorized access to the facility or its resources.
D. It continually raises a company’s level of protection.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
This is the best answer because operations has the goal of keeping
everything running smoothly each and every day. Operations implements
new software and hardware and carries out the necessary security tasks passed
down to it. As the environment changes and security is kept in the loop with
these changes, there is a smaller likelihood of opening up vulnerabilities.
QUESTION 3
What is the difference between due care and due diligence?
A. Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations.
B. Due care and due diligence are in contrast to the “prudent person” concept.
C. They mean the same thing.
D. Due diligence involves investigating the risks, while due care involves carrying out the necessary steps to mitigate these risks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Due care and due diligence are legal terms that do not just pertain to
security. Due diligence involves going through the necessary steps to know
what a company’s or individual’s actual risks are, while due care involves
carrying out responsible actions to reduce those risks. These concepts
correspond with the “prudent person” concept.
QUESTION 4
Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure the employee does not get burnt out.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Many times, employees who are carrying out fraudulent activities do not
take the vacation they have earned because they do not want anyone to find
out what they have been doing. Forcing employees to take vacations means
that someone else has to do that person’s job and can possibly uncover any
misdeeds.
QUESTION 5
Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot
perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person
knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the company’s resources.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Rotation of duties enables a company to have more than one person trained
in a position and can uncover fraudulent activities. Separation of duties is put
into place to ensure that one entity cannot carry out a critical task alone.
QUESTION 6
If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
This is just one of several examples of separation of duties. A system must
be set up for proper code maintenance to take place when necessary, instead
of allowing a programmer to make changes arbitrarily. These types of changes
should go through a change control process and should have more entities
involved than just one programmer.
QUESTION 7
Why is it important to control and audit input and output values?
A. Incorrect values can cause mistakes in data processing and be evidence of fraud.
B. Incorrect values can be the fault of the programmer and do not comply with the due care clause.
C. Incorrect values can be caused by brute force attacks.
D. Incorrect values are not security issues.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
There should be controls in place to make sure the data input into a system
and the results generated are in the proper format and have expected values.
Improper data being put into an application or system could cause bad
output and security issues, such as buffer overflows.
QUESTION 8
What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she
has a need to know.
D. They are two different terms for the same issue.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Users should be able to access only the resources they need to fulfill the
duties of their positions. They also should only have the level of permissions
and rights for those resources that are required to carry out the exact operations
they need for their jobs, and no more. This second concept is more granular
than the first, but they have a symbiotic relationship.
QUESTION 9
Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Documentation is very important for data processing and networked
environments. This task often gets pushed to the back burner or is totally
ignored. If things are not properly documented, employees will forget
what actually took place with each device. If the environment needs to be
rebuilt, for example, it may be done incorrectly if the procedure was poorly
or improperly documented. When new changes need to be implemented,
the current infrastructure may not be totally understood. Continually
documenting when virus signatures are updated would be overkill. The
other answers contain events that certainly require documentation.
QUESTION 10
If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data?
A. Degaussing
B. Erasing
C. Purging
D. Physical destruction
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
One cannot properly erase data held on a CD-ROM. If the data are
sensitive and you need to ensure no one has access to the same, the media
should be physically destroyed.
QUESTION 11
If SSL is being used to encrypt messages that are transmitted over the network, what is a major concern of the security professional?
A. The network segments have systems that use different versions of SSL.
B. The user may have encrypted the message with an application-layer product that is incompatible with SSL.
C. Network tapping and wiretapping.
D. The networks that the message will travel that the company does not control.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
This is not a great question, but could be something that you run into on
the exam. Let’s look at the answers. Different SSL versions are usually not a
concern, because the two communicating systems will negotiate and agree
upon the necessary version. There is no security violation issue here. SSL
works at the transport layer; thus, it will not be affected by what the user does,
as stated in answer B. SSL protects against network tapping and wiretapping.
Answer D talks about the network segments the company does not own.
You do not know at what point the other company will decrypt the SSL
connection because you do not have control of that environment. Your data
could be traveling unencrypted and unprotected on another network.
QUESTION 12
What is the purpose of SMTP?
A. To enable users to decrypt mail messages from a server
B. To enable users to view and modify mail messages from a server
C. To transmit mail messages from the client to the mail server
D. To encrypt mail messages before being transmitted
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Simple Mail Transfer Protocol (SMTP) is the protocol used to allow clients
to send e-mail messages to each other. It lets different mail servers exchange
messages.
QUESTION 13
If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem?
A. The internal mail server has been compromised by an internal hacker.
B. The mail server in the DMZ has private and public resource records.
C. The mail server has e-mail relaying misconfigured.
D. The mail server has SMTP enabled.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Spammers will identify the mail servers on the Internet that have relaying
enabled and are “wide open,” meaning the servers will forward any e-mail
messages they receive. These servers can be put on a black list, which means
other mail servers will not accept mail from them.
QUESTION 14
Which of the following is not a reason fax servers are used in many companies?
A. They save money by not needing individual fax devices and the constant use of fax paper.
B. They provide a secure way of faxing instead of having faxed papers sitting in bins waiting to be picked up.
C. Faxes can be routed to employees’ electronic mailboxes.
D. They increase the need for other communication security mechanisms.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The other three answers provide reasons why fax servers would be used
instead of individual fax machines: ease of use, they provide more protection,
and their supplies may be cheaper.
QUESTION 15
If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms?
A. PGP and MIME
B. PEM and TSL
C. Data link encryption or fax encryptor
D. Data link encryption and MIME
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
This is the best answer for this question. The other components could
provide different levels of protection, but a fax encryptor (which is a data
link encryptor) provides a higher level of protection across the board because
everything is encrypted. Even if a user does not choose to encrypt something,
it will be encrypted anyway before it is sent out the fax server.
QUESTION 16
What is the purpose of TCP wrappers?
A. To monitor requests for certain ports and control access to sensitive files
B. To monitor requests for certain services and control access to password files
C. To monitor requests for certain services and control access to those services
D. To monitor requests to system files and ensure they are not modified
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
This is a technology that wraps the different services available on a system.
What this means is that if a remote user makes a request to access a service,
this product will intercept this request and determine whether it is valid and
legal before allowing the interaction to take place.
QUESTION 17
How do network sniffers work?
A. They probe systems on a network segment.
B. They listen for ARP requests and ICMP packets.
C. They require an extra NIC to be installed and configured.
D. They put the NIC into promiscuous mode.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A sniffer is a device or software component that puts the NIC in promiscuous
mode, meaning the NIC will pick up all frames it “sees” instead of just the
frames addressed to that individual computer. The sniffer then shows the output
to the user. It can have capture and filtering capabilities.
QUESTION 18
Which of the following is not an attack against operations?
A. Brute force
B. Denial-of-service
C. Buffer overflow
D. ICMP sting
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The first three choices are attacks that can directly affect security
operations. There is no such attack as an ICMP sting.
QUESTION 19
Why should user IDs be included in data captured by auditing procedures?
A. They show what files were attacked.
B. They establish individual accountability.
C. They are needed to detect a denial-of-service attack.
D. They activate corrective measures.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
For auditing purposes, the procedure should capture the user ID, time of
event, type of event, and the source workstation. Capturing the user ID allows
the company to hold individuals accountable for their actions.
QUESTION 20
Which of the following controls requires separate entities, operating together, to complete a task?
A. Least privilege
B. Data hiding
C. Dual control
D. Administrative
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Dual control requires two or more entities working together to complete a
task. An example is key recovery. If a key must be recovered, and key recovery
requires two or more people to authenticate to a system, the act of them
coming together and carrying out these activities is known as dual control.
This reduces the possibility of fraud.
QUESTION 21
Which of the following would not be considered an operations media control task?
A. Compressing and decompressing storage materials
B. Erasing data when its retention period is over
C. Storing backup information in a protected area
D. Controlling access to media and logging activities
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The last three tasks fall under the job functions of an individual or
department responsible for controlling access to media. Compressing and
decompressing data does not.
QUESTION 22
How is the use of clipping levels a way to track violations?
A. They set a baseline for normal user errors, and any violations that exceed that threshold should be recorded and reviewed to understand why they are happening.
B. They enable the administrator to view all reduction levels that have been made to user codes and that have incurred violations.
C. They disallow the administrator to customize the audit trail to record only those violations deemed security related.
D. They enable the administrator to customize the audit trail to capture only access violations and denial-of-service attacks.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Clipping levels are thresholds of acceptable user errors and suspicious
activities. If the threshold is exceeded, it should be logged and the
administrator should decide if malicious activities are taking place or if the
user needs more training.
QUESTION 23
Tape library management is an example of operations security through which of the following?
A. Archival retention
B. The review of clipping levels
C. Resource protection
D. Change management
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The reason to have tape library management is to have a centralized and
standard way of protecting how media is stored, accessed, and destroyed.
QUESTION 24
A device that generates coercive magnetic force for the purpose of reducing magnetic flux density to zero on media is called
A. Magnetic saturation
B. Magnetic field
C. Physical destruction
D. Degausser
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A degausser is a device that generates a magnetic field (coercive magnetic
force) that changes the orientation of the bits held on the media (reducing
magnetic flux density to zero).
QUESTION 25
Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access?
A. Limiting the local access of operations personnel
B. Enforcing auditing
C. Enforcing job rotation
D. Limiting control of management personnel
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
If operations personnel are limited in what they can access, they would
need to collude with someone who actually has access to the resource. This
question is not very clear, but it is very close to the way many CISSP exam
questions are formatted.
QUESTION 26
What does the following graphic represent and what is the technology’s importance?
A. Hierarchical storage management
B. Storage access network
C. Network redundancy
D. Single point of failure
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Network redundancy is duplicated network equipment that can provide
a backup in case of network failures. This technology protects the company
from single points of failure.
Comprehensive Questions
QUESTION 1
Based upon this scenario, what is most likely the biggest risk Josh’s company needs to be concerned with?
A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh’s company.
B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet.
C. Impact on reputation if the customer base finds out about the attack.
D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
While they are all issues to be concerned with, risk is a combination of
probability and business impact. The largest business impact out of this list and
in this situation is the fact that intellectual property for product development
has been lost. If a competitor can produce the product and bring it to market
quickly, this can have a long-lasting financial impact on the company.
QUESTION 2
The attackers in this situation would be seen as which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Threat agent
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The attackers are the entities that have exploited a vulnerability; thus, they
are the threat agent.
QUESTION 3
If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively?
A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data.
B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened.
C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data.
D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In this situation the e-mail server most likely is misconfigured or has a
programming flaw that can be exploited. Either of these would be considered
a vulnerability. The threat is that someone would find out about this
vulnerability and exploit it. In this scenario since the server is compromised,
it is the item that is providing exposure to the company. This exposure is
allowing sensitive data to be accessed in an unauthorized manner.
QUESTION 4
Aaron is a security manager who needs to develop a solution to allow his company’s mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement?
A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Diameter is a protocol that has been developed to build upon the
functionality of RADIUS and to overcome many of its limitations. Diameter
is an AAA protocol that provides the same type of functionality as RADIUS
and TACACS+ but also provides more flexibility and capabilities, including
working with EAP. RADIUS uses UDP and cannot effectively deal with
remote access, IP mobility, and policy control.
QUESTION 5
Terry is a security manager for a credit card processing organization. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by their service provider. Terry has found out that attackers have been able to manipulate several DNS server caches, which point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
DNSSEC (DNS security, which is part of many current implementations
of DNS server software) works within a PKI and uses digital signatures, which
allows DNS servers to validate the origin of a message to ensure that it is not
spoofed and potentially malicious. If DNSSEC were enabled on server A, then
server A would, upon receiving a response, validate the digital signature on
the message before accepting the information to make sure that the response
is from an authorized DNS server. So even if an attacker sent a message to a
DNS server, the DNS server would discard it because the message would not
contain a valid digital signature. DNSSEC allows DNS servers to send and
receive only authenticated and authorized messages between themselves,
and thwarts the attacker’s goal of poisoning a DNS cache table.
QUESTION 6
It is important to deal with the issue of “reasonable expectation of privacy” (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by _____________________.
A. Federal Privacy Act
B. PATRIOT Act
C. The Fourth Amendment of the Constitution
D. The Bill of Rights
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
It is important to deal with the issue of “reasonable expectation of privacy”
(REP) when it comes to employee monitoring. In the U.S. legal system
the expectation of privacy is used when defining the scope of the privacy
protections provided by the Fourth Amendment of the Constitution. If it is not specifically explained to an employee that monitoring is possible and/or probable, when the monitoring takes place he could claim that his privacy rights have been violated and launch a civil suit against a company.
QUESTION 7
Jane is suspicious that an employee is sending sensitive data to one of the company’s competitors. The employee has to use these data for daily activities, thus it is difficult to properly restrict the employee’s access rights. In this scenario, which best describes the company’s vulnerability, threat, risk, and necessary control?
A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring.
B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user monitoring.
C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication.
D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A vulnerability is a lack or weakness of a control. In this situation the access
control may be weak in nature, thus exploitable. The vulnerability is that the
user, who must be given access to the sensitive data, is not properly monitored
to deter and detect a willful breach of security. The threat is that any internal
entity might misuse given access. The risk is the business impact of losing
sensitive data. One control that could be put into place is monitoring so that
access activities can be closely watched.
QUESTION 8
Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces an enterprise-wide security policy, standards, and guidelines.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
An administrator does not need to revoke and reassign permissions to
individual users as they change jobs. Instead, the administrator assigns
permissions and rights to a role, and users are plugged into those roles.
QUESTION 9
Mark needs to ensure that the physical security program he develops for his company increases performance, decreases risk in a cost-effective manner, and allows management to make informed decisions. Which of the following best describes what he needs to put into place?
A. Performance-based program
B. Defense-in-depth program
C. Layered program
D. Security through obscurity
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
It is possible to determine how beneficial and effective your physical
security program is only if it is monitored through a performance-based
approach. This means you should devise measurements and metrics to
gauge the effectiveness of your countermeasures. This enables management
to make informed business decisions when investing in the protection of
the organization’s physical security. The goal is to increase the performance
of the physical security program and decrease the risk to the company in a
cost-effective manner. You should establish a baseline of performance and
thereafter continually evaluate performance to make sure that the company’s
protection objectives are being met.
QUESTION 10
A software development company released a product that committed several errors that were not expected once deployed in their customers’ environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted?
A. Unit
B. Compiled
C. Integration
D. Regression
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Regression testing should take place after a change to a system takes place,
retesting to ensure functionality, performance, and protection.
QUESTION 11
It is important to choose the right risk analysis methodology to meet the goals of the organization’s needs. Which of the following best describes when the risk management standard AS/NZS 4360 should be used?
A. When there is a need to assess items of an organization that are directly related to information security.
B. When there is a need to assess items of an organization that are not just restricted to information security.
C. When a qualitative method is needed to prove the compliance levels as they pertain to regulations.
D. When a qualitative method is needed to prove the compliance levels as they pertain to laws.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
AS/NZS 4360 takes a much broader approach to risk management than just
information security. This Australian and New Zealand methodology can be
used to understand a company’s financial, capital, human safety, and business
decision risks. Although it can be used to analyze security risks, it was not
created specifically for this purpose. This risk management standard is more
focused on the health of a company from a business point of view, not security.
QUESTION 12
Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?
A. Evaluation, accreditation, certification
B. Evaluation, certification, accreditation
C. Certification, evaluation, accreditation
D. Certification, accreditation, evaluation
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The first step is evaluation. Evaluation involves reviewing the product’s
protection functionality and assurance ratings. The next phase is certification.
Certification involves testing the newly purchased product within the company’s
environment. The final stage is accreditation, which is management’s formal
approval.
QUESTION 13
Use the following scenario to answer Questions 13–15.
Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization’s current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers’ and partners’ confidence.
Which of the following approaches has been implemented in this scenario?
A. Defense-in-depth
B. Security through obscurity
C. Information security management system
D. BS 17799
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Security through obscurity means relying upon complexity or secrecy as
a protection method. Some organizations feel that since their proprietary
code is not standards based, outsiders will not know how to compromise its
components. This is an insecure approach. Defense-in-depth is a better approach
with the assumption that anyone can figure out how something works.
QUESTION 14
Which ISO/IEC standard would be best for Jack to follow to meet his goals?
A. ISO/IEC 27002
B. ISO/IEC 27004
C. ISO/IEC 27005
D. ISO/IEC 27006
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 27005 is the international standard for risk assessments and
analysis.
QUESTION 15
Which standard should Jack suggest to his boss for compliance?
A. BS 17799
B. ISO/IEC 27004
C. ISO/IEC 27799
D. BS 7799:2011
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 27799 is a guideline for information security management in
health organizations. It deals with how organizations that store and process
sensitive medical information should protect it.
QUESTION 16
An operating system maintains several processes in memory at the same time. The processes can only interact with the CPU during its assigned time slice since there is only one CPU and many processes. Each process is assigned an interrupt value to allow for this type of time slicing to take place. Which of the following best describes the difference between maskable and nonmaskable interrupts?
A. A maskable interrupt is assigned to a critical process, and a nonmaskable interrupt is assigned to a noncritical process.
B. A maskable interrupt is assigned to a process in ring 0, and a nonmaskable interrupt is assigned to a process in ring 3.
C. A maskable interrupt is assigned to a process in ring 3, and a nonmaskable interrupt is assigned to a process in ring 4.
D. A maskable interrupt is assigned to a noncritical process, and a nonmaskable interrupt is assigned to a critical process.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A maskable interrupt is assigned to an event that may not be overly
important, and the programmer can indicate that if that interrupt calls, the
program does not stop what it is doing. This means the interrupt is ignored.
Nonmaskable interrupts can never be overridden by an application because
the event that has this type of interrupt assigned to it is critical.
QUESTION 17
Cable telecommunication networks used to provide a security risk in that neighbors could commonly access each other’s Internet-based traffic because the traffic was not encrypted and protected. Which of the following is an international telecommunications standard that addresses these issues?
A. Safe Harbor Encryption Requirements
B. Data-Over-Cable Service Interface Specifications
C. Privacy Service Requirements
D. Telecommunication Privacy Protection Standard
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Most cable providers comply with Data-Over-Cable Service Interface
Specifications (DOCSIS), which is an international telecommunications
standard that allows for the addition of high-speed data transfer to an existing
cable TV (CATV) system. DOCSIS includes MAC-layer security services in its
Baseline Privacy Interface/Security (BPI/SEC) specifications. This protects
individual user traffic by encrypting the data as they travel over the provider’s
infrastructure. Sharing the same medium brings up a slew of security
concerns, because users with network sniffers can easily view their neighbors’
traffic and data as both travel to and from the Internet. Many cable companies
are now encrypting the data that go back and forth over shared lines through
a type of data link encryption.
QUESTION 18
There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?
A. Best evidence
B. Corroborative evidence
C. Conclusive evidence
D. Direct evidence
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Corroborative evidence cannot stand alone, but instead is used as supporting
information in a trial. It is often testimony indirectly related to the case but
offers enough correlation to supplement the lawyer’s argument. The other
choices are all types of evidence that can stand alone.
QUESTION 19
_____________ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.
A. Anti-spoofing
B. CAPTCHA
C. Spam anti-spoofing
D. CAPCHAT
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A CAPTCHA is a skewed representation of characteristics a person must
enter to prove that the subject is a human and not an automated tool, as in
a software robot. It is the graphical representation of data.
QUESTION 20
Mark has been asked to interview individuals to fulfill a new position in his company. The position is a chief privacy officer (CPO). What is the function of this type of position?
A. Ensuring that company financial information is correct and secure
B. Ensuring that customer, company, and employee data are protected
C. Ensuring that security policies are defined and enforced
D. Ensuring that partner information is kept safe
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The CPO is a newer position, created mainly because of the increasing
demands on organizations to protect a long laundry list of different types
of data. This role is responsible for ensuring that customer, company, and
employee data are secure and kept secret, which keeps the company out of
criminal and civil courts and hopefully out of the headlines.
QUESTION 21
A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed?
i. Developed a risk management team
ii. Calculated the value of each asset
iii. Identified the vulnerabilities and threats that can affect the identified assets
iv. Identified company assets to be assessed
A. i, iii, ii, iv
B. ii, i, iv, iii
C. iii, i, iv, ii
D. i, iv, ii, iii
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The correct steps for setting up a risk management program are as follows:
1. Develop a risk management team
2. Identify company assets to be assessed
3. Calculate the value of each asset
4. Identify the vulnerabilities and threats that can affect the identified assets
QUESTION 22
Jack needs to develop a security program for a medical organization. He has been instructed by the security steering committee to follow the ISO/IEC international standards when constructing and implementing this program so that certification can be accomplished. Which of the following best describes the phases Jack should follow?
A. “Plan” by defining scope and policy. “Do” by managing identified risks. “Check” by carrying out monitoring procedures and audits. “Act” by implementing corrective actions.
B. “Plan” by defining scope and policy. “Do” by creating an implementation risk mitigation plan and implementing controls. “Check” by carrying out monitoring procedures and audits. “Act” by implementing corrective actions.
C. “Plan” by identifying controls. “Do” by creating an implementation risk mitigation plan. “Check” by carrying out monitoring procedures and audits. “Act” by implementing corrective actions.
D. “Plan” by defining scope and policy. “Do” by creating an implementation risk mitigation plan and implementing controls. “Check” by carrying out monitoring procedures and audits. “Act” by implementing risk management.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
When building an information security management system (ISMS)
based upon the ISO/IEC standard, it is best to follow the Plan-Do-Check-Act
approach. ISO/IEC 27001 defines the components of this approach as the
following:
1. Plan: Establish ISMS policy, objectives, processes, and procedures relevant
to managing risk and improving information security to deliver results in
accordance with an organization’s overall policies and objectives.
2. Do: Implement and operate the ISMS policy, controls, processes, and
procedures.
3. Check: Assess and, where applicable, measure process performance against
ISMS policy, objectives, and practical experience and report the results to
management for review.
4. Act: Take corrective and preventive actions, based on the results of
the internal ISMS audit and management review or other relevant
information, to achieve continual improvement of the ISMS.
QUESTION 23
Which of the following best describes the core reasons the Department of Defense Architecture Framework and the British Ministry of Defense Architecture Framework were developed?
A. Data need to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and accurate decisions.
B. Modern warfare is complex and insecure. Data need to be properly secured against enemy efforts to ensure decision makers can have access to it.
C. Critical infrastructures are constantly under attack in warfare situations. These frameworks are used to secure these types of environments.
D. Weapon systems are computerized and must be hardened and secured in a standardized manner.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Modern warfare is complex, and activities happen fast, which requires
personnel and systems to be more adaptable than ever before. Data need to be
captured and properly presented so that decision makers understand complex
issues quickly, which allows for fast and accurate decisions.
QUESTION 24
George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of their customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation?
A. Web servers were compromised through cross-scripting attacks.
B. SSL connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with Trojan horses that installed keyloggers.
D. Web servers were compromised and masquerading attacks were carried out.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
While all of these situations could have taken place, the most likely attack
type in this scenario is the use of a keylogger. Attackers commonly compromise
personal computers by tricking the users into installing Trojan horses that have
the capability to install keystroke loggers. The keystroke logger can capture
authentication data that the attacker can use to authenticate as a legitimate
user and carry out malicious activities.
QUESTION 25
Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
IPSec is a protocol used to provide VPNs that use strong encryption and
authentication functionality. It can work in two different modes: tunnel mode
(payload and headers are protected) or transport mode (payload protection
only). IPSec works at the network layer, not the data link layer.
QUESTION 26
A typical PKI infrastructure would have which of the following transactions?
1. Receiver decrypts and obtains session key.
2. Sender requests receiver’s public key.
3. Public key is sent from a public directory.
4. Sender sends a session key encrypted with receiver’s public key.
A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The sender would need to first obtain the receiver’s public key, which could
be from the receiver or a public directory. The sender needs to protect the
symmetric session key as it is being sent, so she encrypts it with the receiver’s
public key. The receiver decrypts the session key with his private key.
QUESTION 27
Use the following scenario to answer Questions 27–28. Tim is the CISO for a large distributed
financial investment organization. The company’s network is made up of different
network devices and software applications, which generate their own proprietary logs
and audit data. Tim and his security team have become overwhelmed with trying to
review all of the log files when attempting to identify if anything suspicious is taking
place within the network. Another issue Tim’s team needs to deal with is that many of
the network devices have automated IPv6-to-IPv4 tunneling enabled by default.
Which of the following is the best solution for this company to implement as it pertains to the first issue addressed in the scenario?
A. Event correlation tools
B. Intrusion detection systems
C. Security information and event management
D. Security event correlation management tools
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Today, more organizations are implementing security event management
(SEM) systems, also called security information and event management
(SIEM) systems. These products gather logs from various devices (servers,
firewalls, routers, etc.) and attempt to correlate the log data and provide
analysis capabilities. We also have different types of systems on a network
(routers, firewalls, IDS, IPS, servers, gateways, proxies) collecting logs in
various proprietary formats, which requires centralization, standardization,
and normalization. Log formats are different per product type and vendor.
QUESTION 28
Use the following scenario to answer Questions 27–28. Tim is the CISO for a large distributed
financial investment organization. The company’s network is made up of different
network devices and software applications, which generate their own proprietary logs
and audit data. Tim and his security team have become overwhelmed with trying to
review all of the log files when attempting to identify if anything suspicious is taking
place within the network. Another issue Tim’s team needs to deal with is that many of
the network devices have automated IPv6-to-IPv4 tunneling enabled by default.
Which of the following best describes why Tim should be concerned about the second issue addressed in the scenario?
A. Software and devices that are scanning traffic for suspicious activity may only be configured to evaluate one system type.
B. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate one service type.
C. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate two protocol types.
D. Software and devices that are monitoring traffic for suspicious activity may only be configured to evaluate one traffic type.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
While many of these automatic tunneling techniques reduce
administration overhead because network administrators do not have to
configure each and every system and network device with two different IP
addresses, there are security risks that need to be understood. Many times
users and network administrators do not know that automatic tunneling
capabilities are enabled, thus they do not ensure that these different tunnels
are secured and/or are being monitored. If you are an administrator of a
network and have IDS, IPS, and firewalls that are only configured to monitor
and restrict IPv4 traffic, then all IPv6 traffic could be traversing your network
insecurely. Attackers use these protocol tunnels and misconfigurations to
get past these types of security devices so that malicious activities can take
place unnoticed. Products and software may need to be updated to address
both traffic types, proxies may need to be deployed to manage traffic
communication securely, IPv6 should be disabled if not needed, and security
appliances need to be configured to monitor all traffic types.
QUESTION 29
Which of the following is not a characteristic of the Sherwood Applied Business Security Architecture framework?
A. Model and methodology for the development of information security enterprise architectures
B. Layered model, with its first layer defining business requirements from a security perspective
C. Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework
D. Enterprise architecture framework used to define and understand a business environment
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Zachman framework is an enterprise architecture framework developed
by John Zachman used to define and understand a business environment.
QUESTION 30
What type of rating system is used within the Common Criteria structure?
A. PP
B. EPL
C. EAL
D. A–D
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Common Criteria uses a different assurance rating system than the
previously used criteria. It has packages of specifications that must be met for a
product to obtain the corresponding rating. These ratings and packages are called
Evaluation Assurance Levels (EALs). Once a product achieves any type of rating,
customers can view this information on an Evaluated Products List (EPL).
QUESTION 31
___________________ a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.
_________________ is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information between
cooperating organizations.
A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML)
B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML)
C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML)
D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Extensible Access Control Markup Language (XACML), a declarative access
control policy language implemented in XML and a processing model,
describes how to interpret security policies. Service Provisioning Markup
Language (SPML) is an XML-based framework being developed by OASIS
for exchanging user, resource, and service provisioning information between
cooperating organizations.
QUESTION 32
Doors configured in fail-safe mode assume what position in the event of a power failure?
A. Open and locked
B. Closed and locked
C. Closed and unlocked
D. Open
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A company must decide how to handle physical access control in the event
of a power failure. In fail-safe mode, doorways are automatically unlocked. This
is usually dictated by fire codes to ensure that people do not get stuck inside of
a burning building. Fail-secure means that the door will default to lock.
QUESTION 33
Packet-filtering firewalls have limited capabilities. Which of the following is
not a common characteristic of these firewall types?
i. They cannot prevent attacks that employ application-specific vulnerabilities or functions.
ii. The logging functionality present in packet-filtering firewalls is limited.
iii. Most packet-filtering firewalls do not support advanced user
authentication schemes.
iv. Many packet-filtering firewalls can detect spoofed addresses.
v. May not be able to detect packet fragmentation attacks.
A. ii
B. iii
C. iv
D. v
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Some of the weaknesses and characteristics of packet-filtering firewalls are
as follows:
• They cannot prevent attacks that employ application-specific vulnerabilities
or functions.
• The logging functionality present in packet-filtering firewalls is limited.
• Most packet-filtering firewalls do not support advanced user authentication
schemes.
• Many packet-filtering firewalls cannot detect spoofed addresses.
• They may not be able to detect packet fragmentation attacks.
QUESTION 34
BS 25999 is the BSI (British Standards Institute’s) standard for Business Continuity Management (BCM). The BS standard has two main parts. Which of the
following properly defines one of these parts correctly?
A. BS 25999-1:2006 Business Continuity Management Code of Practice— General guidance that provides principles, processes, and requirements for BCM.
B. BS 25999-2:2007 Specification for Business Continuity Management— Specifies objective, regulatory requirements for executing, operating, and enhancing a
BCM system.
C. BS 25999-1:2006 Business Continuity Management Code of Practice— General specifications that provide principles, deadlines, and terminology for BCM.
D. BS 25999-2:2007 Specification for Business Continuity Management— Specifies objective, auditable requirements for executing, operating, and enhancing a
BCM system.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The BS standard has two parts: BS 25999-1:2006 Business Continuity
Management Code of Practice—General guidance that provides principles,
processes, and terminology for BCM. BS 25999-2:2007 Specification
for Business Continuity Management—Specifies objective, auditable
requirements for executing, operating, and enhancing a BCM system.
QUESTION 35
Use the following scenario to answer Questions 35–36. Zack is a security consultant who
has been hired to help an accounting company improve some of their current e-mail
security practices. The company wants to ensure that when their clients send the company
accounting files and data, the clients cannot later deny sending these messages.
The company also wants to integrate a more granular and secure authentication method
for their current mail server and clients.
Which of the following best describes how client messages can be dealt with and addresses the first issue outlined in the scenario?
A. Company needs to integrate a public key infrastructure and the Diameter protocol.
B. Clients must encrypt messages with their public key before sending them to the accounting company.
C. Company needs to have all clients sign a formal document outlining nonrepudiation requirements.
D. Client must digitally sign messages that contain financial information.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
When clients digitally sign messages this is ensuring nonrepudiation. Since
the client should be the only person who has his private key and only his public
key can decrypt it, the e-mail must have been sent from the client. Digital
signatures provide nonrepudiation protection, which is what this company needs.
QUESTION 36
Use the following scenario to answer Questions 35–36. Zack is a security consultant who
has been hired to help an accounting company improve some of their current e-mail
security practices. The company wants to ensure that when their clients send the company
accounting files and data, the clients cannot later deny sending these messages.
The company also wants to integrate a more granular and secure authentication method
for their current mail server and clients.
Which of the following would be the best solution to integrate to meet the authentication requirements outlined in the scenario?
A. TLS
B. IPSec
C. 802.1x
D. SASL
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Simple Authentication and Security Layer (SASL) is a protocol-independent
authentication framework. It is a framework for authentication and data
security in Internet protocols. It decouples authentication mechanisms from
application protocols, with the goal of allowing any authentication mechanism
supported by SASL to be used in any application protocol that uses SASL.
SASL’s design is intended to allow new protocols to reuse existing mechanisms
without requiring redesign of the mechanisms, and allows existing protocols to
make use of new mechanisms without redesign of protocols.
QUESTION 37
Rennie needs to ensure that the BCP project will be successful. His manager has asked him to carry out a SWOT analysis to ensure that the defined objectives
within the scope can be accomplished and to identify issues that could impede upon the necessary success and productivity required of the project as a whole.
Which of the following is not considered to be a basic tenet of a SWOT analysis?
A. Strengths: characteristics of the project team that give it an advantage over others
B. Weaknesses: characteristics that place the team at a disadvantage relative to others
C. Opportunities: elements that could contribute to the project’s success
D. Trends: elements that could contribute to the project’s failure
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The individual objectives of a project must be analyzed to ensure that each
is actually attainable. A part of scope analysis that may prove useful is SWOT
analysis. SWOT stands for Strengths/Weaknesses/Opportunities/Threats, and
its basic tenets are as follows:
• Strengths: characteristics of the project team that give it an advantage over
others.
• Weaknesses: characteristics that place the team at a disadvantage relative to
others.
• Opportunities: elements that could contribute to the project’s success.
• Threats: elements that could contribute to the project’s failure.
QUESTION 38
A ___________________ is the amount of time it should take to recover from a disaster, and a ____________________ is the amount of data, measured in time,
that can be lost and be tolerable from that same event.
A. Recovery time objective, recovery point objective
B. Recovery point objective, recovery time objective
C. Maximum tolerable downtime, work recovery time
D. Work recovery time, maximum tolerable downtime
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A recovery time objective (RTO) is the amount of time it takes to recover
from a disaster, and a recovery point objective (RPO) is the amount of data,
measured in time, that can be lost from that same event. The RPO is the
acceptable amount of data loss measured in time. This value represents the
earliest point in time by which data must be recovered. The higher the value
of data, the more funds or other resources that can be put into place to ensure
a smaller amount of data is lost in the event of a disaster. RTO is the earliest
time period and a service level within which a business process must be
restored after a disaster to avoid unacceptable consequences associated
with a break in business continuity.
QUESTION 39
Mary is playing around on her computer late at night and discovers a way to hack into a small company’s personnel files. She decides to take a look around, but
does not steal any information. Is she still committing a crime even if she does not steal any of the information?
A. No, since she does not steal any information, she is not committing a crime.
B. Yes, she has gained unauthorized access.
C. No, the system was easily hacked; therefore, entry is allowed.
D. Yes, she could jeopardize the system without knowing it.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Computer crime can broadly be defined as criminal activity involving
an information technology infrastructure, including illegal access, illegal
interception, data interference, systems interference, misuse of devices, forgery,
and electronic fraud.
QUESTION 40
In the structure of Extensible Access Control Markup Language (XACML) a Subject element is the ______________, a Resource element is the ___________, and
an Action element is the ___________.
A. Requesting entity, requested entity, types of access
B. Requested entity, requesting entity, types of access
C. Requesting entity, requested entity, access control
D. Requested entity, requesting entity, access control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
XACML uses a Subject element (requesting entity), a Resource element
(requested entity), and an Action element (types of access). XACML defines
a declarative access control policy language implemented in XML.
QUESTION 41
The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its ______________ disregarding its
current location in the Internet. While away from its home network, a mobile node is associated with a ___________.
A. Prime address, care-of address
B. Home address, care-of address
C. Home address, secondary address
D. Prime address, secondary address
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Mobile IP protocol allows location-independent routing of IP packets
on web-based environments. Each mobile device is identified by its home
address. While away from its home network, a mobile node is associated with
a care-of address, which identifies its current location, and its home address
is associated with the local endpoint of a tunnel to its home agent. Mobile
IP specifies how a mobile device registers with its home agent and how the
home agent routes packets to the mobile device.
QUESTION 42
Instead of managing and maintaining many different types of security products and solutions, Joan wants to purchase a product that combines many technologies
into one appliance. She would like to have centralized control, streamlined maintenance, and a reduction in stovepipe security solutions. Which of the following
would best fit Joan’s needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS/IPS integration
D. Unified threat management
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The list of security solutions most companies need includes, but is not
limited to, firewalls, antimalware, antispam, IDS/IPS, content filtering, data
leak prevention, VPN capabilities, continuous monitoring, and reporting.
Unified Threat Management (UTM) appliance products have been developed
that provide all (or many) of these functionalities into a single network
appliance. The goals of UTM are simplicity, streamlined installation and
maintenance, centralized control, and the ability to understand a network’s
security from a holistic point of view.
QUESTION 43
Why is it important to have a clearly defined incident-handling process in place?
A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and confusing manner
B. In order to provide a quick reaction to a threat so that a company can return to normal operations as soon as possible
C. In order to provide a uniform approach with certain expectations of the results
D. All of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A clearly defined incident-handling process can be more cost-effective,
enable recovery to happen more quickly, and provide a uniform approach
with certain expectations of the results. Incident handling should be closely
related to disaster recovery planning and should be part of the company’s
disaster recovery plan.
QUESTION 44
Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges
of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules?
A. Council of Global Convention on Cybercrime
B. Council of Europe Convention on Cybercrime
C. Organisation for Economic Co-operation and Development
D. Organisation for Cybercrime Co-operation and Development
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Global organizations that move data across other country boundaries
must be aware of and follow the Organisation for Economic Co-operation
and Development (OECD), which provides guidelines on the Protection of
Privacy and Transborder Flows of Personal Data rules. Since most countries
have a different set of laws pertaining to the definition of private data and
how they should be protected, international trade and business get more
convoluted and can negatively affect the economy of nations. The OECD is
an international organization that helps different governments come together
and tackle the economic, social, and governance challenges of a globalized
economy. Because of this, the OECD came up with guidelines for the various
countries to follow so that data are properly protected and everyone follows
the same type of rules.
QUESTION 45
System ports allow different computers to communicate with each other’s services and protocols. Internet Corporation for Assigned Names and Numbers has
assigned registered ports to be ____________________ and dynamic ports to be ____________.
A. 0–1024, 49152–65535
B. 1024–49151, 49152–65535
C. 1024–49152, 49153–65535
D. 0–1024, 1025–49151
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Registered ports are 1024–49151, which can be registered with the Internet
Corporation for Assigned Names and Numbers (ICANN) for a particular use.
Vendors register specific ports to map to their proprietary software. Dynamic
ports are 49152–65535 and are available to be used by any application on an
“as needed” basis.
QUESTION 46
When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the
following provides the correct formula to understand the value of a safeguard?
A. (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
B. (ALE before implementing safeguard) – (ALE during implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
C. (ALE before implementing safeguard) – (ALE while implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
D. (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of asset) = value of safeguard to the company
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The correct formula for cost/benefit analysis is (ALE before implementing
safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
= value of safeguard to the company.
QUESTION 47
Patty is giving a presentation next week to the executive staff of her company.
She wants to illustrate the benefits of the company using specific cloud
computing solutions. Which of the following does not properly describe
one of these benefits or advantages?
i. Organizations have more flexibility and agility in IT growth and
functionality.
ii. Cost of computing can be increased since it is a shared delivery model.
iii. Location independence can be achieved because the computing is not
centralized and tied to a physical data center.
iv. Applications and functionality can be more easily migrated from one
physical server to another because environments are virtualized.
v. Scalability and elasticity of resources can be accomplished in near real-time
through automation.
vi. Performance can increase as processing is shifted to available systems
during peak loads.
A. i
B. ii
C. iii
D. v
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Each of the listed items is a correct benefit or characteristic of cloud
computing except “Cost of computing can be increased since it is a shared
delivery model.” The correct statement would be “Cost of computing can be
decreased since it is a shared delivery model.”
QUESTION 48
Use the following scenario to answer Questions 48–49. Frank is the new manager over in-house
software designers and programmers. He has been telling his team that before
design and programming on a new product begins, a formal architecture needs to be
developed. He also needs this team to understand security issues as they pertain to
software design. Frank has shown the team how to follow a systematic approach, which
allows them to understand how different compromises could take place with the software
products they develop.
Which of the following best describes what an architecture is in the context of this scenario?
A. Tool used to conceptually understand the structure and behavior of a complex entity through different views
B. Formal description and representation of a system and the components that make it up
C. Framework used to create individual architectures with specific views
D. Framework that is necessary to identify needs and meet all of the stakeholder requirements
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
An architecture is a tool used to conceptually understand the structure and
behavior of a complex entity through different views. An architecture provides
different views of the system, based upon the needs of the stakeholders of that
system.
QUESTION 49
Use the following scenario to answer Questions 48–49. Frank is the new manager over in-house
software designers and programmers. He has been telling his team that before
design and programming on a new product begins, a formal architecture needs to be
developed. He also needs this team to understand security issues as they pertain to
software design. Frank has shown the team how to follow a systematic approach, which
allows them to understand how different compromises could take place with the software
products they develop.
Which of the following best describes the approach Frank has shown his team as outlined in the scenario?
A. Attack surface analysis
B. Threat modeling
C. Penetration testing
D. Double-blind penetration testing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Threat modeling is a systematic approach used to understand how different
threats could be realized and how a successful compromise could take place.
A threat model is a description of a set of security aspects that can help define
a threat and a set of possible attacks to consider. It may be useful to define
different threat models for one software product. Each model defines a
narrow set of possible attacks to focus on. A threat model can help to assess
the probability, the potential harm, and the priority of attacks, and thus help
to minimize or eradicate the threats.
QUESTION 50
Barry was told that the IDS product that is being used on the network has heuristic capabilities. Which of the following best describes this functionality?
A. Gathers packets and reassembles the fragments before assigning anomaly values
B. Gathers data to calculate the probability of an attack taking place
C. Gathers packets and compares their payload values to a signature engine
D. Gathers packet headers to determine if something suspicious is taking place within the network traffic
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
IDS and some antimalware products are said to have “heuristic”
capabilities. The term heuristic means to create new information from
different data sources. The IDS gathers different “clues” from the network
or system and calculates the probability an attack is taking place. If the
probability hits a set threshold, then the alarm sounds.
QUESTION 51
System assurance evaluations have gone through many phases. First, TCSEC was used, but it was considered too narrow. Next, ITSEC was developed to be
flexible, but in the process became extremely complicated. Now, products are evaluated through the use of a new list of requirements. What is this list of
requirements called?
A. International Evaluation Criteria System
B. Universal Evaluation Standards
C. Common Criteria
D. National Security Standards
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Common Criteria was created by several organizations in different
countries as a way of combining the best parts of TCSEC and ITSEC and other
criteria into a more useful measure. The Common Criteria has been accepted
globally.
QUESTION 52
Don is a senior manager of an architectural firm. He has just found out that a key contract was renewed, allowing the company to continue developing an operating
system that was idle for several months. Excited to get started, Don begins work on the operating system privately, but cannot tell his staff until the news is
announced publicly in a few days. However, as Don begins making changes in the software, various staff members notice changes in their connected systems,
even though they work in a lower security level. What kind of model could be used to ensure this does not happen?
A. Biba
B. Bell-LaPadula
C. Noninterference
D. Clark-Wilson
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
In this example, lower-ranked staffers could have deduced that the contract
had been renewed by paying attention to the changes in their systems. The
noninterference model addresses this specifically by dictating that no action
or state in higher levels can impact or be visible to lower levels. In this
example, the staff could learn something indirectly or infer something that
they do not have a right to know yet.
QUESTION 53
Betty has received several e-mail messages from unknown sources that try and entice her to click a specific link using a “Click Here” approach. Which of the
following best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bidirectional injection attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
HTML documents and e-mails allow users to attach or embed hyperlinks
in any given text, such as the “Click Here” links you commonly see in e-mail
messages or webpages. Attackers misuse hyperlinks to deceive unsuspecting
users into clicking rogue links. The most common approach is known as URL
hiding.
QUESTION 54
Rebecca is the network administrator of a large retail company. The company has Ethernet-based distributed networks throughout the northwest region of the
United States. Her company would like to move to an Ethernet-based multipoint communication architecture that can run over their service provider’s IP/MPLS
network. Which of the following would be the best solution for these requirements?
A. Metro-Ethernet
B. L2TP/IPSec
C. Virtual Private LAN Services
D. SONET
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Virtual Private LAN Services (VPLS) is a multipoint layer 2 virtual private
network that connects two or more customer devices using Ethernet bridging
techniques. In other words, VPLS emulates a LAN over a managed IP/MPLS
network. VPLS is a way to provide Ethernet-based multipoint-to-multipoint
communication over IP/MPLS networks.
QUESTION 55
Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much
time each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing
http://www.gratisexam.com/
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Statistical time-division multiplexing (STDM) transmits several types of
data simultaneously across a single transmission line. STDM technologies
analyze statistics related to the typical workload of each input device and
make real-time decisions on how much time each device should be allocated
for data transmission.
QUESTION 56
In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols?
A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control information to provide feedback on QoS levels.
B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels.
C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide feedback on QoS levels.
D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control information to provide feedback on QoS levels.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The actual voice stream is carried on media protocols such as the Real-time Transport Protocol (RTP). RTP provides a standardized packet format for delivering audio and video over IP networks. RTP is a session layer protocol that carries data in media stream format, as in audio and video, and is used extensively in VoIP, telephony, video conferencing, and other multimedia streaming technologies. It provides end-to-end delivery services and is commonly run over the transport layer protocol UDP. RTP Control Protocol (RTCP) is used in conjunction with RTP and is also considered a session layer protocol. It provides out-of-band statistics and control information to provide feedback on QoS levels of individual streaming multimedia sessions.
QUESTION 57
ISO/IEC 27031:2011 is an international standard for business continuity that organizations can follow. Which of the following is a correct characteristic of this standard?
A. Guidelines for information and communications technology readiness for business continuity
B. ISO/IEC standard that is a component of the overall BS 7999 series
C. Standard that was developed by NIST and evolved to be an international standard
D. Component of the Safe Harbor requirements
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 27031:2011 is a set of guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard is a component of the overall ISO/IEC 27000 series.
QUESTION 58
Fran is the CSO of a new grocery and retail store. Her company paid for a physical security consultant to assess their current controls and security program that is in place to ensure that the company is carrying out due care efforts. The security consultant told Fran that the areas in front of the stores need to have two foot-candle illumination. Which of the following best describes the consultant’s advice?
A. Lights must be placed two feet apart.
B. The area being lit must be illuminated two feet high and two feet out.
C. This is an illumination metric used for lighting.
D. Each lit area must be within two feet of the next lit area.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, which is a unit that represents the illumination power of an individual light.
QUESTION 59
IPSec’s main protocols are AH and ESP. Which of the following services does AH provide?
A. Confidentiality and authentication
B. Confidentiality and availability
C. Integrity and accessibility
D. Integrity and authentication
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
IPSec is made up of two main protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides system authentication and integrity, but not confidentiality or availability. ESP provides system authentication, integrity, and confidentiality, but not availability. Nothing within IPSec can ensure the availability of the system it is residing on.
QUESTION 60
When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for?
A. Availability, confidentiality, integrity, durability
B. Availability, consistency, integrity, durability
C. Atomicity, confidentiality, isolation, durability
D. Atomicity, consistency, isolation, durability
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The ACID test concept should be incorporated into the software of a database. ACID stands for:
• Atomicity Divides transactions into units of work and ensures that either all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
• Consistency A transaction must follow the integrity policy developed for that particular database and ensure that all data are consistent in the different databases.
• Isolation Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
• Durability Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
QUESTION 61
Use the following scenario to answer Questions 61–62. Jim works for a power plant, and senior management just conducted a meeting with Jim’s team explaining that the upgrades that will be made to the surrounding power grid and its components will allow for better self-healing, resistance to physical and cyberattacks, increased efficiency, and better integration of renewable energy sources. The senior management also expressed concerns about the security of these changes.
Which of the following best describes the changes the organization in the scenario will be moving forward with?
A. Integrating natural gas production with their current coal activities
B. Integrating a smart grid
C. Integrating the power grid with the existing SONET rings
D. Integrating authentication technologies into power metering devices
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Many parts of the world are moving to smart grids, which means that there is a lot more computing software and technology embedded into the grids to optimize and automate these functions. Some of the goals of a smart grid are self-healing, resistance to physical and cyberattacks, bidirectional communication capabilities, increased efficiency, and better integration of renewable energy sources. We want our grids to be more reliable, resilient, flexible, and efficient.
QUESTION 62
Use the following scenario to answer Questions 61–62. Jim works for a power plant, and senior management just conducted a meeting with Jim’s team explaining that the upgrades that will be made to the surrounding power grid and its components will allow for better self-healing, resistance to physical and cyberattacks, increased efficiency, and better integration of renewable energy sources. The senior management also expressed concerns about the security of these changes.
Which of the following best describes the security concerns addressed in this scenario?
A. Allows for direct attacks through Ethernet over Power
B. Increased embedded software and computing capabilities
C. Does not have proper protection against common web-based attacks
D. Power fluctuation and outages directly affect computing systems
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
We are moving to smart grids, which means that there is a lot more computing software and technology embedded into the grids to optimize and automate these functions. This means that almost every component of the new power grid has to be computerized in some manner; thus, it can be vulnerable to digital-based attacks.
QUESTION 63
Henry is the team leader of a group of software designers. They are at a stage in their software development project where they need to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Which of the following best describes the first step they need to carry out to accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The aim of an attack surface analysis is to identify and reduce the amount of code accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Attack surface analysis is generally carried out through specialized tools to enumerate different parts of a product and aggregate their findings into a numerical value. Attack surface analyzers scrutinize files, registry keys, memory data, session information, processes, and services details.
QUESTION 64
Jenny needs to engage a new software development company to create her company’s internal banking software. It will need to be created specifically for her company’s environment, so it must be proprietary in nature. Which of the following would be useful for Jenny to use as a gauge to determine how advanced and mature the various software development companies are in their processes?
A. SAS 70
B. Capability Maturity Model Integration level
C. Auditing results
D. Key performance metrics
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The Capability Maturity Model Integration (CMMI) model outlines the necessary characteristics of an organization’s security engineering process. It addresses the different phases of a secure software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance, and what should happen in each phase. It can be used to evaluate security engineering practices and identify ways to improve them. It can also be used by customers in the evaluation process of a software vendor. In the best of both worlds, software vendors would use the model to help improve their processes and customers would use the model to assess the vendor’s practices.
QUESTION 65
Which of the following is a representation of the logical relationship between elements of data and dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements?
A. Data element
B. Array
C. Secular component
D. Data structure
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A data structure is a representation of the logical relationship between elements of data. It dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements. The structure can be simple in nature, like the scalar item, which represents a single element that can be addressed by an identifier and accessed by a single address in storage. The scalar items can be grouped in arrays, which provide access by indexes. Other data structures include hierarchical structures by using multilinked lists that contain scalar items, vectors, and possibly arrays. The hierarchical structure provides categorization and association.
QUESTION 66
Kerberos is a commonly used access control and authentication technology. It is important to understand what the technology can and cannot do and its potential downfalls. Which of the following is not a potential security issue that must be addressed when using Kerberos?
i. The KDC can be a single point of failure.
ii. The KDC must be scalable.
iii. Secret keys are temporarily stored on the users’ workstations.
iv. Kerberos is vulnerable to password guessing.
A. i, iv
B. iii
C. All of them
D. None of them
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
These are all issues that are directly related to Kerberos. These items are as follows:
• The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC.
• The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
• Secret keys are temporarily stored on the users’ workstations, which means it is possible for an intruder to obtain these cryptographic keys.
• Session keys are decrypted and reside on the users’ workstations, either in a cache or in a key table. Again, an intruder can capture these keys.
• Kerberos is vulnerable to password guessing. The KDC does not know if a dictionary attack is taking place.
QUESTION 67
If the ALE for a specific asset is $100,000, and after implementation of the control the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. It depends on the ARO
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Yes, the company should implement the control, as the value would be $25,000.
QUESTION 68
ISO/IEC 27000 is a growing family of ISO/IEC Information Security Management Systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002 Code of practice for information security management.
B. ISO/IEC 27003 Guideline for ISMS implementation.
C. ISO/IEC 27004 Guideline for information security management measurement and metrics framework.
D. ISO/IEC 27005 Guideline for bodies providing audit and certification of information security management systems.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The correct mappings for the individual standards are as follows:
• ISO/IEC 27002 Code of practice for information security management.
• ISO/IEC 27003 Guideline for ISMS implementation.
• ISO/IEC 27004 Guideline for information security management measurement and metrics framework.
• ISO/IEC 27005 Guideline for information security risk management.
• ISO/IEC 27006 Guideline for bodies providing audit and certification of information security management systems.
QUESTION 69
When a CPU is passed an instruction set and data to be processed and the program status word (PSW) register contains a value indicating that execution should take place in privileged mode, which of the following would be considered true?
A. Operating system is executing in supervisory mode
B. Request came from a trusted process
C. Functionality that is available in user mode is not available
D. An untrusted process submitted the execution request
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
If the PSW has a bit value that indicates the instructions to be executed should be carried out in privileged mode, this means a trusted process (e.g., an operating system process) made the request and can have access to the functionality that is not available in user mode.
QUESTION 70
Encryption and decryption can take place at different layers of an operating system, application, and network stack. End-to-end encryption happens within the _______. SSL encryption takes place at the _________ layer. PPTP encryption takes place at the ______ layer. Link encryption takes place at the _________ and ___________ layers.
A. Applications, network, data link, data link and physical
B. Applications, transport, network, data link and physical
C. Applications, transport, data link, data link and physical
D. Network, transport, data link, data link and physical
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
End-to-end encryption happens within the applications. SSL encryption takes place at the transport layer. PPTP encryption takes place at the data link layer. Link encryption takes place at the data link and physical layers.
QUESTION 71
Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. A storage area network (SAN) is made up of several storage systems that are connected together to form a single backup network.
QUESTION 72
The Anticybersquatting Consumer Protection Act (ACPA) was enacted to protect which type of intellectual property?
A. Trade secrets
B. Copyrights
C. Trademarks
D. Patents
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The ACPA was enacted to give trademark owners legal recourse against the illegal registration of their domain names. It is only relevant under the following categories: the domain name registrant has the intent to profit from registering the trademark domain name; the registrant registers or uses a domain name that at the time of registration is identical or confusingly similar to an existing distinctive mark, or is identical or confusingly similar to a famous mark; or is a trademark, word, or name protected by certain sections of the U.S. Code.
QUESTION 73
The International Organization on Computer Evidence (IOCE) was appointed to draw up international principles for procedures relating to what type of evidence?
A. Information evidence
B. Digital evidence
C. Conclusive evidence
D. Real evidence
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
In March 1998, the IOCE was appointed to draw up international principles for the procedures relating to digital evidence to ensure the harmonization of methods and practices among nations, and to guarantee the ability to use digital evidence collected by one national state in the courts of another state.
QUESTION 74
A fraud analyst with a national insurance company uses database tools every day to help identify violations and identify relationships between the captured data through the use of rule discovery. These tools help identify relationships among a wide variety of information types. What kind of knowledge discovery in database (KDD) is this considered?
A. Probability
B. Statistical
C. Classification
D. Behavioral
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Data mining is also known as knowledge discovery in database (KDD), which is a technique used to identify valid and useful patterns. Different types of data can have various interrelationships, and the method used depends on the type of data and patterns that are sought. The following are three approaches used in KDD systems to uncover these patterns:
• Classification Data are grouped together according to shared similarities.
• Probabilistic Data interdependencies are identified and probabilities are applied to their relationships.
• Statistical Identifies relationships between data elements and uses rule discovery.
QUESTION 75
Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
What if we need programs running on different operating systems and written in different programming languages to communicate over web-based communication methods? We would use Simple Object Access Protocol (SOAP). SOAP is an XML-based protocol that encodes messages in a web service environment. SOAP actually defines an XML schema or a structure of how communication is going to take place. The SOAP XML schema defines how objects communicate directly.
QUESTION 76
Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Team-oriented approach that assesses organizational and IT risks through facilitated workshops.
ii. AS/NZS 4360 Australia and New Zealand business risk management assessment approach.
iii. ISO/IEC 27005 International standard for the implementation of a risk management program that integrates into an information security management system (ISMS).
iv. Failure Modes and Effect Analysis Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.
v. Fault tree analysis Approach to map specific flaws to root causes in complex systems.
A. None of them
B. ii
C. iii, iv
D. v
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Each answer lists the correct definition mapping.
QUESTION 77
For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed?
i. Strategic alignment
ii. Process enhancement
iii. Business enablement
iv. Security effectiveness
A. i, ii
B. ii, iii
C. i, ii, iii, iv
D. iii, iv
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed: strategic alignment, process enhancement, business enablement, and security effectiveness.
QUESTION 78
Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)?
A. An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
C. An international organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy.
D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Thus, the OECD came up with guidelines for the various countries to follow so data are properly protected and everyone follows the same type of rules.
QUESTION 79
There are many enterprise architecture models that have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architecture types and the associated definitions?
A. Zachman framework Model and methodology for the development of information security enterprise architectures.
B. TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group.
C. DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.
D. MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Zachman model is for business enterprise architectures, not security enterprises. The proper definition mappings are as follows:
• Zachman framework Model for the development of enterprise architectures developed by John Zachman.
• TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group.
• DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.
• MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence.
• SABSA model Model and methodology for the development of information security enterprise architectures.
QUESTION 80
Which of the following best describes the difference between the role of the ISO/IEC 27000 series and CobiT?
A. The CobiT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while CobiT provides the objectives of the individual security controls.
C. CobiT is process oriented, and the ISO/IEC standard is solution oriented.
D. The ISO/IEC standard is process oriented, and CobiT is solution oriented.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The ISO/IEC 27000 series provides a high-level overview of security program requirements, while CobiT provides the objectives of the individual security controls. CobiT provides the objectives that the real-world implementations (controls) you choose to put into place need to meet.
QUESTION 81
The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model?
A. A model that provides a pathway for how incremental improvement can take place.
B. Provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes.
C. It was created for process improvement and developed by Carnegie Mellon.
D. It was built upon the SABSA model.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
This model was not built upon the SABSA model. All other characteristics are true.
QUESTION 82
If Joe wanted to use a risk assessment methodology that allows the various business owners to identify risks and know how to deal with them, what methodology would he use?
A. Qualitative
B. COSO
C. FRAP
D. OCTAVE
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. This places the people who work inside the organization in the position of being able to make decisions regarding the best approach for evaluating the security of their organization.
QUESTION 83
Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based upon a formal architecture framework. Which of the following best describes what a formal architecture framework is and why it would be used?
A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection.
B. Conceptual model that is organized into multiple views addressing each of the stakeholder’s concerns.
C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner.
D. Enterprise framework that allows for proper security governance.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A formal architecture framework is a conceptual model in which an architecture description is organized into multiple architecture views, where each view addresses specific concerns originating with the specific stakeholders. Individual stakeholders have a variety of system concerns, which the architecture must address. To express these concerns, each view applies the conventions of its architecture viewpoint.
QUESTION 84
Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Fault tree analysis follows this general process. First, an undesired effect is taken as the root, or top, event of a tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. Fault trees are then labeled with actual numbers pertaining to failure probabilities.
QUESTION 85
Several models and frameworks have been developed by different organizations over the years to help businesses carry out processes in a more efficient and effective manner. Which of the following provides the correct definition mapping of one of these items?
i. COSO A framework and methodology for Enterprise Security Architecture and Service Management.
ii. ITIL Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce.
iii. Six Sigma Business management strategy that can be used to carry out process improvement.
iv. Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon.
A. i
B. i, iii
C. ii, iv
D. ii, iii, iv
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Each of the listed answers in ii., iii., and iv. has the correct definition mapping. Answer i. is incorrect. COSO is an organization that provides leadership in the areas of organizational governance, internal control, enterprise risk management, fraud, business ethics, and financial reporting.
QUESTION 86
It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts?
A. Service level agreement
B. Return on investment
C. Balanced scorecard system
D. Provisioning system
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how well the current security solutions, and the architecture as a whole, are performing.
QUESTION 87
Capability Maturity Model Integration (CMMI) is a process improvement
approach that is used to help organizations improve their performance. The
CMMI model may also be used as a framework for appraising the process
maturity of the organization. Which of the following is an incorrect mapping
of the levels that may be assigned to an organization based upon this model?
i. Maturity Level 2 – Managed
ii. Maturity Level 3 – Defined
iii. Maturity Level 4 – Quantitatively Managed
iv. Maturity Level 5 – Optimizing
A. i
B. i, ii
C. All of them
D. None of them
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Each answer provides the correct definition of the four levels that can be
assigned to an organization during its evaluation against the CMMI model.
This model can be used to determine how well the organization’s processes
compare to CMMI best practices, and to identify areas where improvement
can be made. Maturity Level 1 is Initial.
QUESTION 88
An organization’s information risk management policy should address many
items to provide clear direction and structure. Which of the following is not a
core item that should be covered in this type of policy?
i. The objectives of the IRM team
ii. The level of risk the organization will accept and what is considered an
acceptable level of risk
iii. Formal processes of risk identification
iv. The connection between the IRM policy and the organization’s strategic
planning processes
v. Responsibilities that fall under IRM and the roles to fulfill them
vi. The mapping of risk to specific physical controls
vii. The approach toward changing staff behaviors and resource allocation in
response to risk analysis
viii. The mapping of risks to performance targets and budgets
ix. Key indicators to monitor the effectiveness of controls
A. ii, v, ix
B. vi
C. v
D. vii, ix
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The information risk management (IRM) policy should map to all of the
items listed except specific physical controls. Policies should not specify any
type of controls, whether they are administrative, physical, or technical.
QUESTION 89
More organizations are outsourcing business functions to allow them to
focus on their core business functions. Companies use hosting companies
to maintain websites and e-mail servers, service providers for various
telecommunication connections, disaster recovery companies for co-location
capabilities, cloud computing providers for infrastructure or application
services, developers for software creation, and security companies to carry out
vulnerability management. Which of the following items should be included
during the analysis of an outsourced partner or vendor?
i. Conduct onsite inspection and interviews
ii. Review contracts to ensure security and protection levels are agreed upon
iii. Ensure service level agreements are in place
iv. Review internal and external audit reports and third-party reviews
v. Review references and communicate with former and existing customers
vi. Review Better Business Bureau reports
A. ii, iii, iv
B. iv, v, vi
C. All of them
D. i, ii, iii
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Each of these items should be considered before committing to an
outsource partner or vendor.
QUESTION 90
Privacy has become a very important component of information security over
the last few years. Organizations should carry out security and privacy impact
assessments to evaluate their processes. Which of the following contains an
incorrect characteristic or definition of a privacy impact assessment?
i. An analysis of how information is handled to ensure handling conforms
to applicable legal, regulatory, and policy requirements regarding privacy.
ii. An analysis of how information is handled to determine the risks and
effects of collecting, maintaining, and disseminating information in
identifiable form in an electronic information system.
iii. An analysis of how information is handled to examine and evaluate
protections and alternative processes for handling information to increase
potential privacy risks.
A. None of them
B. ii, iii
C. i, ii
D. iii
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Privacy impact assessment (PIA) is an analysis of how information is
handled: (i) to ensure handling conforms to applicable legal, regulatory, and
policy requirements regarding privacy; (ii) to determine the risks and effects
of collecting, maintaining, and disseminating information in identifiable
form in an electronic information system; and (iii) to examine and evaluate
protections and alternative processes for handling information to mitigate
potential privacy risks.
QUESTION 91
A financial institution has developed their internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be
developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of
guidance and functionality?
A. ISO/IEC 27002
B. ISO/IEC 27003
C. ISO/IEC 27004
D. ISO/IEC 27005
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
ISO/IEC 27004:2009 is used to assess the effectiveness of an ISMS
and the controls that make up the security program as outlined in ISO/IEC
27001. ISO/IEC 27004 is the guideline for the information security management
measurement and metrics framework.
QUESTION 92
Which of the following is not a requirement for a database based on the X.500 standard?
A. The directory has a tree structure to organize the entries using a parent-child configuration.
B. Each entry has the same name made up of attributes of a specific object.
C. The attributes used in the directory are dictated by the defined schema.
D. The unique identifiers are called distinguished names.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The following are rules for object organization within a database based on
the X.500 standard:
• The directory has a tree structure to organize the entries using a parent-child configuration.
• Each entry has a unique name.
• The attributes used in the directory are dictated by the defined schema.
• The unique identifiers are called distinguished names.
QUESTION 93
Sue has been asked to install a web access management (WAM) product for her company’s environment. What is the best description for what WAMs are
commonly used for?
A. Control external entities requesting access to internal objects
B. Control internal entities requesting access to external objects
C. Control external entities requesting access through X.500 databases
D. Control internal entities requesting access through X.500 databases
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A WAM product allows an administrator to configure and control access
to internal resources. This type of access control is commonly put in place to
control external entities requesting access. The product may work on a single
web server or a server farm.
QUESTION 94
A user’s digital identity is commonly made up of more than just a user name. Which of the following is not a common item that makes up a user’s identity?
A. Entitlements
B. Traits
C. Figures
D. Attributes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A user’s identity is commonly a collection of her attributes (department,
role in company, shift time, clearance, and others), her entitlements (resources
available to her, authoritative rights in the company, and so on), and her traits
(biometric information, height, sex, and so forth).
QUESTION 95
Which of the following is a true statement pertaining to markup languages?
A. HyperText Markup Language (HTML) came from Generalized Markup Language (GML), which came from the Standard Generalized Markup Language
(SGML).
B. HyperText Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language
(GML).
C. Standard Generalized Markup Language (SGML) came from the HyperText Markup Language (HTML), which came from the Generalized Markup Language
(GML).
D. Standard Generalized Markup Language (SGML) came from the Generalized Markup Language (GML), which came from the HyperText Markup Language
(HTML).
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
HTML came from Standard Generalized Markup Language (SGML), which
came from the Generalized Markup Language (GML). A markup language is
a way to structure text and how it will be presented. You can control how the
text looks and some of the actual functionality the page provides.
QUESTION 96
What is Extensible Markup Language (XML) and why was it created?
A. A specification that is used to create various types of markup languages for specific industry requirements
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Extensible Markup Language (XML) was created as a specification to create
various markup languages. From this specification, more specific markup
language standards were created to be able to provide individual industries
with the functions they required. Individual industries use markup languages
to meet different needs, but there is an interoperability issue in that the
industries still need to be able to communicate with each other.
QUESTION 97
Which access control policy is enforced in an environment that uses containers and implicit permission inheritance using a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Roles work as containers for users. The administrator or security professional
creates the roles and assigns rights to them and then assigns users to the
container. The users then inherit the permissions and rights from the
containers (roles), which is how implicit permissions are obtained.
QUESTION 98
Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP,
and had users connecting via wireless and wired transmissions?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Diameter is a more diverse centralized access control administration
technique than RADIUS and TACACS+ because it supports a wide range of
protocols that often accompany wireless technologies. RADIUS supports
PPP, SLIP, and traditional network connections. TACACS+ is a RADIUS-like
protocol that is Cisco-proprietary. Kerberos is a single sign-on technology, not
a centralized access control administration protocol that supports all stated
technologies.
QUESTION 99
Jay is the security administrator at a credit card processing company. The company has many identity stores, which are not properly synchronized. Jay is going to
oversee the process of centralizing and synchronizing the identity data within the company. He has determined that the data in the HR database will be considered
the most up-to-date data, which cannot be overwritten by the software in other identity stores during their synchronization processes. Which of the following best
describes the role of this database in the identity management structure of the company?
A. Authoritative system of record
B. Infrastructure source server
C. Primary identity store
D. Hierarchical database primary
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
An “Authoritative System of Record” (ASOR) is a hierarchical tree-like
structure system that tracks subjects and their authorization chains. The
authoritative source is the “system of record,” or the location where identity
information originates and is maintained. It should have the most up-to-date
and reliable identity information.
QUESTION 100
Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to
business processes.
B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in
response to compliance processes.
C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.
D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business
processes.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
User provisioning refers to the creation, maintenance, and deactivation of
user objects and attributes as they exist in one or more systems, directories, or
applications in response to business processes.
QUESTION 101
A user’s identity can be a collection of her _________ (department, role in company, shift time, clearance); her __________ (resources available to her,
authoritative rights in the company); and her ________ (biometric information, height, sex).
A. Attributes, access, traits
B. Attributes, entitlements, access
C. Attributes, characteristics, traits
D. Attributes, entitlements, traits
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
A user’s identity can be a collection of her attributes (department, role
in company, shift time, clearance, and others), her entitlements (resources
available to her, authoritative rights in the company, and so on), and her traits
(biometric information, height, sex, and so forth).
QUESTION 102
John needs to ensure that his company’s application can accept provisioning data from their partner’s application in a standardized method. Which of the following
best describes the technology that John should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Service Provisioning Markup Language (SPML) allows for the exchange of
provisioning data between applications, which could reside in one organization
or many. SPML allows for the automation of user management (account
creation, amendments, revocation) and access entitlement configuration related
to electronically published services across multiple provisioning systems.
This markup language allows for the integration and interoperation of service
provisioning requests across various platforms.
QUESTION 103
Lynn logs into a website and purchases an airline ticket for her upcoming trip. The website also offers her pricing and package deals for hotel rooms and rental cars
while she is completing her purchase. The airline, hotel, and rental companies are all separate and individual companies. Lynn decides to purchase her hotel room
through the same website at the same time. The website is using Security Assertion Markup Language to allow for this type of federated identity management
functionality. In this example which entity is the principal, which entity is the identity provider, and which entity is the service provider?
A. Portal, Lynn, hotel company
B. Lynn, airline company, hotel company
C. Lynn, hotel company, airline company
D. Portal, Lynn, airline company
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
In this scenario, Lynn is considered the principal, the airline company
would be considered the identity provider, and the hotel company that
receives the user’s authentication information from the airline company web
server is considered the service provider. Security Assertion Markup Language
(SAML) provides the authentication pieces to federated identity management
systems to allow business-to-business (B2B) and business-to-consumer (B2C)
transactions.
QUESTION 104
John is the new director of software development within his company. Several proprietary applications offer individual services to the employees, but the employees
have to log into each and every application independently to gain access to these discrete services. John would like to provide a way that allows each of the
services provided by the various applications to be centrally accessed and controlled. Which of the following best describes the architecture that John should
deploy?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The use of web services in this manner allows organizations to
provide service-oriented architecture (SOA) environments. SOA is a way to provide
independent services residing on different systems in different business
domains in one consistent manner. This architecture is a set of principles
and methodologies for designing and developing software in the form of
interoperable services.
QUESTION 105
Which security model enforces the principle that the security levels of an object should never change and is known as the “strong tranquility” property?
A. Biba
B. Bell-LaPadula
C. Brewer-Nash
D. Noninterference
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Bell-LaPadula models have rigid security policies that are built to ensure
confidentiality. The “strong tranquility” property is an inflexible mechanism
that enforces the consistent security classification of an object.
QUESTION 106
In the system design phase, system requirement specifications are gathered and a modeling language is used. Which of the following best describes what a
modeling language is and what it is used for?
A. A modeling language is commonly mathematical to allow for the verification of the system components. It is used to understand what the components need to
accomplish individually and when they work together.
B. A modeling language is commonly graphical to allow for threat modeling to be accomplished through the understanding of system components.
It is used to understand what the components need to accomplish individually and when they work together.
C. A modeling language is commonly graphical to allow for a system architecture to be built.
D. A modeling language is commonly graphical to allow for visualization of the system components. It is used to understand what the components need to
accomplish individually and when they work together.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
In the system design phase we gather system requirement specifications
and use modeling languages to establish how the system will accomplish
design goals, such as required functionality, compatibility, fault tolerance,
extensibility, security, usability, and maintainability. The modeling language
is commonly graphical so that we can visualize the system from a static
structural view and a dynamic behavioral view. We can understand what the
components within the system need to accomplish individually and how they
work together to accomplish the larger established architectural goals.
QUESTION 107
There is a specific terminology taxonomy used in the discipline of formal
architecture framework development and implementation. Which of the
following terms has an incorrect definition?
i. Architecture – Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.
ii. Architectural description (AD) – Representation of a whole system from the perspective of a related set of concerns.
iii. Stakeholder – Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.
iv. View – Collection of document types to convey an architecture in a formal manner.
v. Viewpoint – A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.
A. i, iii
B. ii, iv
C. iv, v
D. ii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Formal enterprise architecture frameworks use the following terms:
• Architecture – Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.
• Architectural description (AD) – Collection of document types to convey an architecture in a formal manner.
• Stakeholder – Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.
• View – Representation of a whole system from the perspective of a related set of concerns.
• Viewpoint – A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.
QUESTION 108
Operating systems may not work on systems with specific processors. Which of the following best describes why one operating system may work on a Pentium Pro
processor but not on an AMD processor?
A. The operating system was not developed to work within the architecture of a specific processor and cannot use that specific processor instruction set.
B. The operating system was developed before the new processor architecture was released, thus it is not backwards compatible.
C. The operating system is programmed to use a different instruction set.
D. The operating system is platform dependent, thus it can only work on one specific processor family.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Each CPU type has a specific architecture and set of instructions that it can
carry out. The operating system must be designed to work within this CPU
architecture. This is why one operating system may work on a Pentium Pro
processor (CISC) but not on an AMD processor (RISC).
QUESTION 109
Which of the following best describes how an address and a data bus are used for instruction execution?
A. CPU sends a “fetch” request on the data bus, and the data residing at the requested address are returned on the address bus.
B. CPU sends a “get” request on the address bus, and the data residing at the requested address are returned on the data bus.
C. CPU sends a “fetch” request on the address bus, and the data residing at the requested address are returned on the data bus.
D. CPU sends a “get” request on the data bus, and the data residing at the requested address are returned on the address bus.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
If the CPU needs to access some data, either from memory or from an
I/O device, it sends a “fetch” request on the address bus. The fetch request
contains the address of where the needed data are located. The circuitry
associated with the memory or I/O device recognizes the address the CPU
sent down the address bus and instructs the memory or device to read the
requested data and put it on the data bus. So the address bus is used by the
CPU to indicate the location of the needed information, and the memory or
I/O device responds by sending the information that resides at that memory
location through the data bus.
QUESTION 110
An operating system has many different constructs to keep all of the different execution components in the necessary synchronization. One construct the operating
system maintains is a process table. Which of the following best describes the role of a process table within an operating system?
A. The table contains information about each process that the CPU uses during the execution of the individual processes’ instructions.
B. The table contains memory boundary addresses to ensure that processes do not corrupt each other’s data.
C. The table contains condition bits that the CPU uses during state transitions.
D. The table contains I/O and memory addresses.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The operating system keeps a process table, which has one entry per
process. The table contains each individual process’s state, stack pointer,
memory allocation, program counter, and status of open files in use. The
reason the operating system documents all of this status information is that
the CPU needs all of it loaded into its registers when it needs to interact with,
for example, process 1. The CPU uses this information during the execution
activities for specific processes.
QUESTION 111
Hanna is a security manager of a company that relies heavily on one specific operating system. The operating system is used in the employee workstations and is
embedded within devices that support the automated production line software. She has uncovered that the operating system has a vulnerability that could allow an
attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability introduces?
A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Attackers have identified programming errors in operating systems that
allow them to “starve” the system of its own memory. This means the
attackers exploit a software vulnerability that ensures that processes do not
properly release their memory resources. Memory is continually committed
and not released, and the system is depleted of this resource until it can no
longer function. This is an example of a denial-of-service attack.
QUESTION 112
Which of the following architecture frameworks has a focus on command, control, communications, computers, intelligence, surveillance, and reconnaissance
systems and processes?
A. DoDAF
B. TOGAF
C. CMMI
D. MODAF
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Department of Defense Architecture Framework (DoDAF) has a focus
on command, control, communications, computers, intelligence, surveillance,
and reconnaissance systems and processes. When the U.S. DoD purchases
technology products and weapon systems, enterprise architecture documents
must be created based upon DoDAF standards to illustrate how they will
properly integrate into the current infrastructures.
QUESTION 113
Many operating systems implement address space layout randomization (ASLR). Which of the following best describes this type of technology?
A. Randomly arranging memory address values
B. Restricting the types of processes that can execute instructions in privileged mode
C. Running privileged instructions in virtual machines
D. Randomizing return pointer values
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Address space layout randomization (ASLR) is a control that involves
randomly arranging processes’ address space and other memory segments.
ASLR makes it more difficult for an attacker to predict target addresses for
specific memory attacks.
QUESTION 114
A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The depth of field refers to the portion of the environment that is in focus
when shown on the monitor. The depth of field varies, depending upon the
size of the lens opening, the distance of the object being focused on, and the
focal length of the lens. The depth of field increases as the size of the lens
opening decreases, the subject distance increases, or the focal length of the
lens decreases. So if you want to cover a large area and not focus on specific
items, it is best to use a wide-angle lens and a small lens opening.
QUESTION 115
What is the name of a water sprinkler system that keeps pipes empty and doesn’t release water until a certain temperature is met and a “delay mechanism” is
instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A link must melt before the water will pass through the sprinkler heads,
which creates the delay in water release. This type of suppression system is
best in data-processing environments because it allows time to deactivate the
system if there is a false alarm.
QUESTION 116
There are different types of fire suppression systems. Which of the following answers best describes the difference between a deluge and a preaction system?
A. A deluge system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by
other means. A preaction system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by
other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
C. A dry pipe system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by
other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
D. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by
other means. A deluge system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A preaction system has a link that must be burned through before water
is released. This is the mechanism that provides the delay in water release. A
deluge system has wide open sprinkler heads that allow a lot of water to be
released quickly. It does not have a delaying component.
QUESTION 117
Which of the following best describes why a Crime Prevention Through Environmental Design (CPTED) would integrate block parties and civic meetings?
A. These activities are designed to get people to work together to increase the overall crime and criminal behavior in the area.
B. These activities are designed to get corporations to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
C. These activities are designed to get people to work together to increase the three strategies of this design model.
D. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
CPTED encourages activity support, which is planned activities for the
areas to be protected. These activities are designed to get people to work
together to increase the overall awareness of acceptable and unacceptable
activities in the area. The activities could be neighborhood watch groups,
company barbeques, block parties, or civic meetings. This strategy is
sometimes the reason for particular placement of basketball courts, soccer
fields, or baseball fields in open parks. The increased activity will hopefully
keep the bad guys from milling around doing things the community does not
welcome.
QUESTION 118
Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give a
holistic understanding of the enterprise?
A. SABSA
B. TOGAF
C. CMMI
D. Zachman
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Zachman framework is a two-dimensional model that uses six basic
communication interrogatives (What, How, Where, Who, When, and Why)
intersecting with different viewpoints (Planner, Owner, Designer, Builder,
Implementer, and Worker) to give a holistic understanding of the enterprise.
This framework was developed in the 1980s and is based on the principles of
classical business architecture that contain rules that govern an ordered set of
relationships.
QUESTION 119
Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer?
A. End-to-end data transmission
B. Application client/server communication mechanism in a distributed environment
C. Application-to-computer physical communication
D. Provides application with the proper syntax for transmission
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The communication between two pieces of the same software product that
reside on different computers needs to be controlled, which is why session
layer protocols even exist. Session layer protocols take on the functionality
of middleware, which allows software on two different computers to
communicate.
QUESTION 120
What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The data link layer has two sublayers: the Logical Link Control (LLC) and
Media Access Control (MAC) layers. The LLC provides a standard interface for
whatever network protocol is being used. This provides an abstraction layer so
that the network protocol does not need to be programmed to communicate
with all of the possible MAC level protocols (Ethernet, Token Ring, WLAN,
FDDI, etc.).
QUESTION 121
Which of the following best describes why classless interdomain routing (CIDR) was created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization’s need
D. To allow IPv6 to tunnel IPSec traffic
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A Class B address range is usually too large for most companies, and a
class C address range is too small, so CIDR provides the flexibility to increase
or decrease the class sizes as necessary. CIDR is the method to specify more
flexible IP address classes.
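To make the sizing point in the explanation concrete, the following is an added example (not from the exam guide) that uses Python's standard `ipaddress` module to pick the smallest CIDR block for a given host count and to show how far the fixed class B and class C sizes miss that target. The host count of 1,000 and the base address 10.20.0.0 are constructed values.

```python
import ipaddress

# Constructed example, not from the exam guide: classful block sizes versus a
# CIDR block sized to an organization's actual host count.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 host addresses in a block, excluding network and broadcast."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    if prefix_len >= 31:
        # /31 (point-to-point, RFC 3021) and /32 reserve no network/broadcast pair
        return 2 ** (32 - prefix_len)
    return 2 ** (32 - prefix_len) - 2


def prefix_for_hosts(required_hosts: int) -> int:
    """Longest prefix (smallest block) whose usable host count still covers required_hosts."""
    if required_hosts < 1:
        raise ValueError("need at least one host")
    for prefix_len in range(30, 7, -1):  # try /30 down to /8
        if usable_hosts(prefix_len) >= required_hosts:
            return prefix_len
    raise ValueError("more hosts than a single /8 can hold")


def allocate(base: str, required_hosts: int) -> ipaddress.IPv4Network:
    """Return the CIDR block at base that fits required_hosts, snapped to its own boundary."""
    prefix_len = prefix_for_hosts(required_hosts)
    # strict=False lets ipaddress align the base address to the block boundary
    return ipaddress.ip_network(f"{base}/{prefix_len}", strict=False)


def classful_waste(required_hosts: int) -> dict:
    """Per class: positive = addresses left unused, negative = shortfall versus the requirement."""
    return {cls: usable_hosts(p) - required_hosts for cls, p in CLASSFUL_PREFIX.items()}


if __name__ == "__main__":
    need = 1000  # constructed: an organization with about 1,000 hosts
    block = allocate("10.20.0.0", need)
    print(f"{need} hosts -> {block} ({usable_hosts(block.prefixlen)} usable)")
    print("classful over/under-provisioning:", classful_waste(need))
```

For 1,000 hosts a class C (/24) falls 746 addresses short while a class B (/16) leaves more than 64,000 unused; the /22 that CIDR allows fits with 22 spare.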
QUESTION 122
John is a security engineer at a company that develops highly confidential products for various government agencies. While his company has VPNs set up to
protect traffic that travels over the Internet and other nontrusted networks, he knows that internal traffic should also be protected. Which of the following is the best
type of approach John’s company should take?
A. Implement a data link technology that provides 802.1AE security functionality.
B. Implement a network-level technology that provides 802.1AE security functionality.
C. Implement SSL over L2TP.
D. Implement IPSec over L2TP.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
802.1AE is the IEEE MAC Security standard (MACSec), which defines a
security infrastructure to provide connectionless data confidentiality, data
integrity, and data origin authentication for media access–independent
protocols. Where a VPN connection provides protection at the higher
networking layers, MACSec provides hop-by-hop protection at layer 2.
QUESTION 123
IEEE ________ provides a unique ID for a device. IEEE _________ provides data encryption, integrity, and origin authentication functionality. IEEE ________
carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE
________ framework.
A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS
B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL
C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL
D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
802.1AR provides a unique ID for a device. 802.1AE provides data
encryption, integrity, and origin authentication functionality. 802.1AF carries
out key agreement functions for the session keys used for data encryption.
Each of these standards provides specific parameters to work within an
802.1X EAP-TLS framework.
QUESTION 124
Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going
to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is
most likely taking place?
A. Attacker is modifying the switch SNMP MIB.
B. Attacker is carrying out a selective DoS attack.
C. Attacker is manipulating the ARP cache.
D. Attacker is carrying out an injection attack.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
If an attacker can uncover the read-write string she could change values
held within the MIB, which could reconfigure the device. The usual default
read-only community string is “public” and the read-write string is “private.”
Many companies do not change these, so anyone who can connect to port 161
can read the status information of a device and potentially reconfigure it. The
SNMP ports (161 and 162) should not be open to untrusted networks, like
the Internet, and if needed they should be filtered to ensure only authorized
individuals can connect to them.
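The explanation's advice is that ports 161 and 162 should only be reachable from authorized sources. The following added example (not from the exam guide) shows what Bob's check looks like when automated: it scans NetFlow-style records for UDP traffic to the SNMP ports whose source lies outside an explicit list of management networks. The flow lines, the management network 10.1.0.0/16, and the CSV layout are all constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed flow records (NetFlow-style CSV); not captured from any real network.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2024-05-01T10:00:01Z,10.1.1.5,50123,10.1.1.1,161,udp
2024-05-01T10:00:05Z,198.51.100.7,43210,10.1.1.1,161,udp
2024-05-01T10:00:09Z,203.0.113.9,55555,10.1.1.1,443,tcp
2024-05-01T10:00:12Z,203.0.113.9,55556,10.1.1.1,162,udp
2024-05-01T10:00:15Z,172.16.4.20,40000,10.1.1.1,161,udp
"""

# Assumed: the only networks from which SNMP management of the switches is permitted.
# An explicit allowlist is used rather than a "private address" test, because an
# internal host that is not a management station should be flagged as well.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SNMP_PORTS = {161, 162}  # agent (get/set) port and trap port


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_untrusted_snmp(flow_csv: str) -> list:
    """Rows where UDP traffic to an SNMP port originates outside the management networks."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue
        if int(row["dst_port"]) not in SNMP_PORTS:
            continue
        if is_trusted(row["src_ip"]):
            continue
        hits.append(row)
    return hits


def summarize(hits: list) -> dict:
    """Count offending flows per source address so the noisiest origin stands out."""
    counts = {}
    for row in hits:
        counts[row["src_ip"]] = counts.get(row["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_untrusted_snmp(SAMPLE_FLOWS):
        print(f"{row['ts']} {row['src_ip']} -> {row['dst_ip']}:{row['dst_port']}/udp "
              "SNMP from untrusted source")
    print(summarize(find_untrusted_snmp(SAMPLE_FLOWS)))
```

A hit on port 161 from outside the allowlist is exactly the traffic the question describes; a hit on 162 means something is sending traps toward the device and deserves the same scrutiny. The filter that produces these hits is the same rule that should exist on the border firewall.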
QUESTION 125
Larry is a seasoned security professional and knows the potential dangers associated with using an ISP’s DNS server for Internet connectivity. When Larry stays at
a hotel or uses his laptop in any type of environment he does not fully trust, he updates values in his HOSTS file. Which of the following best describes why Larry
carries out this type of task?
A. Reduces the risk of an attacker sending his system a corrupt ARP address which points his system to a malicious website.
B. Ensures his host-based IDS is properly updated.
C. Reduces the risk of an attacker sending his system an incorrect IP address to host mapping that points his system to a malicious website.
D. Ensures his network-based IDS is properly synchronized with his host-based IDS.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The HOSTS file resides on the local computer and can contain static
hostname-to-IP mapping information. If you do not want your system to
query a DNS server, you can add the necessary data in the HOSTS file, and
your system will first check its contents before reaching out to a DNS server.
Some people use these files to reduce the risk of an attacker sending their
system a bogus IP address that points them to a malicious website.
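As an added illustration of the lookup order described above (this is example code, not from the exam guide), the following Python parses HOSTS-file text in the usual format (address, one or more names, optional `#` comment) and resolves a name by consulting that table before falling back to a resolver. The file contents and the `fake_dns` stand-in are constructed; on a real system the fallback would be a DNS query.

```python
import ipaddress

# Constructed HOSTS file content; the format is the same on Windows and Unix-like systems.
SAMPLE_HOSTS = """\
# static name-to-address mappings, consulted before any DNS query
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.test   intranet   # constructed example
192.0.2.20      mail.example.test
"""


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to the list of addresses declared for it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])  # skip malformed entries
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(str(addr))
    return table


def resolve(name: str, hosts: dict, dns_lookup) -> tuple:
    """Return (address, source): a HOSTS entry wins; only names absent from it reach dns_lookup."""
    entries = hosts.get(name.lower())
    if entries:
        return entries[0], "hosts"
    return dns_lookup(name), "dns"


def fake_dns(name: str) -> str:
    """Stand-in for a resolver; a real client would query the configured DNS server here."""
    return "203.0.113.5"  # constructed answer


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("intranet.example.test", "Intranet", "www.example.test"):
        print(n, "->", resolve(n, hosts, fake_dns))
```

The same precedence cuts both ways: because a HOSTS entry is trusted over any DNS answer, a HOSTS file that an attacker can write to redirects the system just as effectively as a poisoned resolver, so the file's permissions and integrity deserve the same attention Larry gives its contents.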
QUESTION 126
John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag
values. Which of the following best describes the type of attack that has most likely been taking place?
A. DHCP snooping
B. VLAN hopping
C. Network traffic shaping
D. Network traffic hopping
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
An attacker can have a system act as though it is a switch. The system
understands the tagging values being used in the network and the trunking
protocols, and can insert itself between other VLAN devices and gain access
to the traffic going back and forth. Attackers can also insert tagging values to
manipulate the control of traffic at the data link layer.
QUESTION 127
Frank is a new security manager for a large financial institution. He has been told that the organization needs to reduce the total cost of ownership for many
components of the network and infrastructure. The organization currently maintains many distributed networks, software packages, and applications. Which of the
following best describes the cloud services that are most likely provided by service providers for Frank to choose from?
A. Infrastructure as a Service provides an environment similar to an operating system, Platform as a Service provides operating systems and other major
processing platforms, and Software as a Service provides specific application-based functionality.
B. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides operating systems and other major processing
platforms, and Software as a Service provides specific application-based functionality.
C. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides application-based functionality, and Software as a
Service provides specific operating system functionality.
D. Infrastructure as a Service provides an environment similar to a database, Platform as a Service provides operating systems and other major processing
platforms, and Software as a Service provides specific application-based functionality.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The most common cloud service models are:
• Infrastructure as a Service (IaaS) Cloud providers offer the infrastructure
environment of a traditional data center in an on-demand delivery method.
• Platform as a Service (PaaS) Cloud providers deliver a computing
platform, which can include an operating system, database, and web server
as a holistic execution environment.
• Software as a Service (SaaS) Provider gives users access to specific
application software (CRM, e-mail, games).
QUESTION 128
Terry is told by his boss that he needs to implement a networked-switched infrastructure that allows several systems to be connected to any storage device. What
does Terry need to roll out?
A. Electronic vaulting
B. Hierarchical storage management
C. Storage area network
D. Remote journaling
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
A storage area network (SAN) is made up of several storage systems that are
connected together to form a single backup network. A SAN is a networked
infrastructure that allows several systems to be connected to any storage
device. This is usually provided by using switches to create a switching fabric.
The switching fabric allows several devices to communicate with backend
storage devices and provides redundancy and fault tolerance by not
depending upon one specific line or connection. Private channels or storage
controllers are implemented so hosts can access the different storage devices
transparently.
QUESTION 129
On a Tuesday morning, Jami is summoned to the office of the security director where she finds six of her peers from other departments. The security director gives
them instructions about an event that will be taking place in two weeks. Each of the individuals will be responsible for removing specific systems from the facility,
bringing them to the offsite facility, and implementing them. Each individual will need to test the installed systems and ensure the configurations are correct for
production activities. What event is Jami about to take part in?
A. Parallel test
B. Full-interruption test
C. Simulation test
D. Structured walk-through test
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Parallel tests are similar to simulation tests, except that parallel tests
include moving some of the systems to the offsite facility. Simulation tests
stop just short of the move. Parallel tests are effective because they ensure that
specific systems work at the new location, but the test itself does not interfere
with business operations at the main facility.
QUESTION 130
While DRP and BCP are directed at the development of “plans,” ______________ is the holistic management process that should cover both of them. It provides a
framework for integrating resilience with the capability for effective responses that protects the interests of the organization’s key stakeholders.
A. Continuity of operations
B. Business continuity management
C. Risk management
D. Enterprise management architecture
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
While DRP and BCP are directed at the development of “plans,” business
continuity management (BCM) is the holistic management process that
should cover both of them. BCM provides a framework for integrating
resilience with the capability for effective responses that protects the interests
of the organization’s key stakeholders. The main objective of BCM is to allow
the executive staff to continue to manage business operations under various
conditions. BCM is the overarching approach to managing all aspects of BCP
and DRP.
QUESTION 131
The “Safe Harbor” privacy framework was created to:
A. Ensure that personal information should be collected only for a stated purpose by lawful and fair means and with the knowledge or consent of the subject
B. Provide a streamlined means for U.S. organizations to comply with European privacy laws
C. Require the federal government to release to citizens the procedures for how records are collected, maintained, used, and distributed
D. None of the above
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The U.S. approach to privacy protection relies on industry-specific
legislation, regulation, and self-regulation, whereas the European Union
relies on comprehensive privacy regulation. In order to bridge these different
privacy approaches, the U.S. Department of Commerce and the European
Commission developed a “Safe Harbor” framework.
QUESTION 132
The European Union’s Directive on Data Protection forbids the transfer of individually identifiable information to a country outside the EU, unless:
A. The receiving country grants individuals adequate privacy protection.
B. The receiving country pays a fee to the EU.
C. There are no exceptions; no information is ever transferred.
D. The receiving country is a member of the Fair Trade Organization.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The European Union has restrictions on “transborder data flows” that
would allow private data to flow to countries whose laws would not protect
that data. The “Safe Harbor” privacy framework was developed between
the United States and the EU to provide a streamlined means for U.S.
organizations to comply with the European privacy laws.
QUESTION 133
The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability.
How does this relate to technology?
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Wassenaar Arrangement implements export controls for “Conventional
Arms and Dual-Use Goods and Technologies.” The main goal of this
arrangement is to prevent the buildup of military capabilities that could
threaten regional and international security and stability. So everyone is
keeping an eye on each other to make sure no one country’s weapons can take
everyone else out. One item the agreement deals with is cryptography, which
is seen as a dual-use good. It can be used for military and civilian uses. It is
seen to be dangerous to export products with cryptographic functionality to
countries that are in the “offensive” column, meaning that they are thought
to have friendly ties with terrorist organizations and/or want to take over the
world through the use of weapons of mass destruction.
QUESTION 134
Which world legal system of law is used in continental European countries, such as France and Spain, and is rule-based law, not precedent-based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The civil (code) law system is used in continental European countries
such as France and Spain. It is a different legal system from the common law
system used in the United Kingdom and United States. A civil law system
is rule-based law, not precedent-based. For the most part, a civil law
system is focused on codified law—or written laws.
QUESTION 135
Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method?
A. Determining functions and identifying functional failures
B. Assessing the causes of failure and their failure effects through a structured process
C. Structured process carried out by an identified team to address high-level security compromises
D. Identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Failure Modes and Effect Analysis (FMEA) is a method for determining
functions, identifying functional failures, and assessing the causes of failure
and their failure effects through a structured process. It is commonly used in
product development and operational environments. The goal is to identify
where something is most likely going to break and either fix the flaws that
could cause this issue or implement controls to reduce the impact of the break.
QUESTION 136
A risk analysis can be carried out through qualitative or quantitative means. It
is important to choose the right approach to meet the organization’s goals. In
a quantitative analysis, which of the following items would not be assigned a
numeric value?
i. Asset value
ii. Threat frequency
iii. Severity of vulnerability
iv. Impact damage
v. Safeguard costs
vi. Safeguard effectiveness
vii. Probability
A. All of them
B. None of them
C. ii
D. vii
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Each of these items would be assigned a numeric value in a quantitative
risk analysis. Each element is quantified and entered into equations to
determine total and residual risks. It is more of a scientific or mathematical
approach to risk analysis compared to qualitative.
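To show the "equations" the explanation refers to, here is an added example (not from the exam guide) that carries the seven listed items through the standard quantitative formulas: single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence, and the net value of a safeguard as the ALE reduction minus the safeguard's annual cost. Those formulas are the standard ones for quantitative risk analysis; the asset value, exposure factor, frequency, and safeguard figures in the scenario are constructed.

```python
from dataclasses import dataclass

# Standard quantitative risk formulas (SLE = AV x EF, ALE = SLE x ARO).
# The scenario numbers used below are constructed, not taken from the exam guide.


@dataclass
class Scenario:
    asset_value: float              # i.   asset value, in currency units
    exposure_factor: float          # iii/iv. severity/impact: fraction of the asset lost per incident (0..1)
    threat_frequency: float         # ii/vii. annualized rate of occurrence (ARO), i.e. expected incidents per year
    safeguard_cost: float           # v.   annual cost of the control
    safeguard_effectiveness: float  # vi.  fraction of incidents the control prevents (0..1)

    def __post_init__(self):
        for name in ("exposure_factor", "safeguard_effectiveness"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1")
        if min(self.asset_value, self.threat_frequency, self.safeguard_cost) < 0:
            raise ValueError("values must be non-negative")


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: monetary loss from a single occurrence."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario, with_safeguard: bool = False) -> float:
    """ALE: expected yearly loss; the safeguard scales the occurrence rate down."""
    aro = s.threat_frequency * ((1.0 - s.safeguard_effectiveness) if with_safeguard else 1.0)
    return single_loss_expectancy(s) * aro


def safeguard_value(s: Scenario) -> float:
    """Net annual benefit of the control: risk reduction minus its cost (negative = not worth buying)."""
    before = annualized_loss_expectancy(s)
    after = annualized_loss_expectancy(s, with_safeguard=True)
    return before - after - s.safeguard_cost


if __name__ == "__main__":
    s = Scenario(asset_value=100_000, exposure_factor=0.25, threat_frequency=2.0,
                 safeguard_cost=20_000, safeguard_effectiveness=0.75)
    print("SLE:", single_loss_expectancy(s))
    print("ALE before safeguard:", annualized_loss_expectancy(s))
    print("ALE with safeguard:", annualized_loss_expectancy(s, with_safeguard=True))
    print("net safeguard value:", safeguard_value(s))
```

Every input is a number, which is the point of the question: an item that could not be given a value (say, a severity only ranked "high") would have no place in these equations and would push the analysis toward the qualitative approach instead.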
QUESTION 137
Uncovering restricted information by using permissible data is referred to as __________.
A. Inference
B. Data mining
C. Perturbation
D. Cell suppression
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Aggregation and inference go hand in hand. For example, a user who uses
data from a public database in order to figure out classified information
is exercising aggregation (the collection of data) and can then infer the
relationship between that data and the data he does not have access to.
This is called an inference attack.
QUESTION 138
Tim wants to deploy a server-side scripting language on his company’s web server that will allow him to provide common code that will be used throughout the site
in a uniform manner. Which of the following best describes this type of technology?
A. Sandbox
B. Server-side includes
C. Cross-site scripting
D. Java applets
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Server-side includes (SSI) is an interpreted server-side scripting language
used mainly on web servers. It allows web developers to reuse content by
inserting the same content into multiple web documents. This typically
involves use of an include statement in the code and a file (.inc) that is
to be included.
QUESTION 139
An attacker can modify the client-side JavaScript that provides structured layout and HTML representation. This commonly takes place through form fields within
compromised web servers. Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
DOM (Document Object Model)–based XSS vulnerability is also referred
to as local cross-site scripting. DOM is the standard structure layout to
represent HTML and XML documents in the browser. In such attacks the
document components such as form fields and cookies can be referenced
through JavaScript. The attacker uses the DOM environment to modify the
original client-side JavaScript. This causes the victim’s browser to execute the
resulting abusive JavaScript code.
QUESTION 140
CobiT and COSO can be used together, but have different goals and focuses.
Which of the following is incorrect as it pertains to these two models?
i. COSO is a model for corporate governance, and CobiT is a model for IT governance.
ii. COSO deals more at the strategic level, while CobiT focuses more at the operational level.
iii. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective.
iv. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.
A. None
B. All
C. i, ii
D. ii, iii
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
They are all correct.
QUESTION 141
Use the following scenario to answer Questions 141–142. Ron is in charge of updating his
company’s business continuity and disaster recovery plans and processes. After a business
impact analysis his team has told him that if the company’s e-commerce payment
gateway was unable to process payments for 24 hours or more, this could drastically
affect the survivability of the company. The analysis indicates that after an outage the
payment gateway and payment processing should be restored within 13 hours. Ron’s
team needs to integrate solutions that provide redundancy, fault tolerance, and failover
capability.
In the scenario, what does the 24-hour time period represent and what does the 13-hour time period represent?
A. Maximum tolerable downtime, recovery time objective
B. Recovery time objective, maximum tolerable downtime
C. Maximum tolerable downtime, recovery data period
D. Recovery time objective, data recovery period
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
RTO is an allowable amount of downtime, and the MTD is a time period
that represents the inability to recover. The RTO value is smaller than the MTD
value, because the MTD value represents the time after which an inability
to recover significant operations will mean severe and perhaps irreparable
damage to the organization’s reputation or bottom line. The RTO assumes
that there is a period of acceptable downtime. This means that a company can
be out of production for a certain period of time (RTO) and still get back on
its feet. But if the company cannot get production up and running within the
MTD window, the company is sinking too fast to properly recover.
QUESTION 142
Use the following scenario to answer Questions 141–142. Ron is in charge of updating his
company’s business continuity and disaster recovery plans and processes. After a business
impact analysis his team has told him that if the company’s e-commerce payment
gateway was unable to process payments for 24 hours or more, this could drastically
affect the survivability of the company. The analysis indicates that after an outage the
payment gateway and payment processing should be restored within 13 hours. Ron’s
team needs to integrate solutions that provide redundancy, fault tolerance, and failover
capability.
Which of the following best describes the type of solution Ron’s team needs to implement?
A. RAID and clustering
B. Storage area networks
C. High availability
D. Grid computing and clustering
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
High availability (HA) is a combination of technologies and processes that
work together to ensure that critical functions are always up and running at
the necessary level. To provide this level of high availability, a company has to
have a long list of technologies and processes that provide redundancy, fault
tolerance, and failover capabilities.