CISSP Study Quiz 2

By Skofft2134 (Community Contributor) | Questions: 200
1. Which of the following is the FIRST step in protecting data's confidentiality?

Explanation

It is important to identify the data that must be classified prior to implementing security mechanisms to avoid implementing the same level of security for both critical and normal data.

About This Quiz

CISSP Study Quiz 2 assesses knowledge of key cybersecurity concepts, including biometric systems, access control models, and authentication mechanisms. It prepares learners for CISSP certification, focusing on practical security solutions and attack prevention.

2. Which of the following is the WEAKEST authentication mechanism?

Explanation

Passwords are considered one of the weakest security mechanisms available, because users generally select passwords that are easy to guess.

3. Behavioral-based systems are also known as?

Explanation

Behavioral-based systems are also known as Profile-based systems because they rely on creating profiles or baselines of normal behavior for users, systems, or networks. These systems analyze and compare current behavior against these profiles to detect any anomalies or deviations that may indicate potential threats or attacks. By understanding the typical behavior of users or systems, profile-based systems can effectively identify abnormal activities and trigger alerts or preventive actions to mitigate risks.

4. A company outsources payroll services to a third-party company. Which of the following roles most likely applies to the third-party payroll company?

Explanation

The third-party payroll company most likely fills the role of a data processor. As a data processor, it handles and processes the payroll data on behalf of the company outsourcing the services, and is responsible for the accuracy and security of that data while performing payroll calculations and generating payslips. It does not own or control the data; its actions are governed by a data processing agreement with the outsourcing company.

5. This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario?

Explanation

Privilege is a term used to describe what a user can do on a computer or system. It covers rights, access and permissions. A user who has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill is said to have ‘excessive privileges’.

6. Which of the following groups represents the leading source of computer crime losses?

Explanation

Employees represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands.

7. What can be done to ensure that software meets the customer's requirements?

Explanation

Acceptance testing is designed to ensure the software meets the customer's operational requirements.

Integration testing examines multiple software components as they are combined into a working system.
Installation testing examines software as it is installed and first operated.
Unit testing is a low-level test of software components, such as functions, procedures, or objects.

8. What method destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field?

Explanation

Degaussing is the method that destroys the integrity of magnetic media by exposing them to a strong magnetic field. This process effectively erases the data stored on the tapes or disk drives by neutralizing the magnetic particles. It is commonly used to ensure that sensitive information cannot be recovered from the media. Degaussing is a reliable and secure method for data destruction on magnetic media.

9. How would nonrepudiation best be classified?

Explanation

Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

For example, if a user sends a message and then later claims he did not send it, this is an act of repudiation. When a cryptography mechanism provides nonrepudiation, the sender cannot later deny he sent the message (well, he can try to deny it, but the cryptosystem proves otherwise). It’s a way of keeping the sender honest.

Nonrepudiation is a preventive control: it prevents someone from having the ability to deny something.

10. What is the number of columns in a table called?

Explanation

The number of columns in a database table (relation) is referred to as the degree.

11. At what layer of the OSI/ISO model does the Point-to-Point Tunneling Protocol (PPTP) work?

Explanation

PPTP works at the data link layer.

12. According to private sector data classification levels, how would salary levels and medical information be classified?

Explanation

Data such as salary levels and medical information would be classified as confidential according to private sector data classification levels.

The following shows the common levels of sensitivity, from highest to lowest, for a commercial business (private sector):

Confidential
Private
Sensitive
Public

13. What access control method weighs additional factors, such as time of attempted access, before granting access?

Explanation

Context-dependent access control is an access control method that takes into consideration additional factors, such as the time of attempted access, before granting access. This means that access is granted based on the specific context or situation in which the access request is made. This method allows for more granular control over access permissions, as it considers various contextual factors to determine whether access should be granted or denied.

14. Organizations should consider which of the following first before allowing external access to their LANs via the Internet?

Explanation

Before allowing external access to their LANs via the Internet, organizations should first consider planning for proper authentication options. This is important to ensure that only authorized users are granted access to the network, reducing the risk of unauthorized access and potential security breaches. Implementing strong authentication methods such as two-factor authentication or biometric authentication can help strengthen the security of the network and protect sensitive information from being accessed by unauthorized individuals.

15. Tim's day-to-day responsibilities include monitoring the health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and to authenticate the source of the packets?

Explanation

SNMP versions 1 and 2 send their community string values in cleartext. SNMP version 3 adds cryptographic functionality that provides encryption, message integrity, and authentication, so sniffers installed on the network cannot read the SNMP traffic.

16. What type of testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective?

Explanation

Acceptance testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective.

Integration testing tests multiple software components as they are combined into a working system.
Regression testing tests software after updates, modifications, or patches.
Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.

17. What is the main problem of the renewal of a root CA certificate?

Explanation

Every entity (user, computer, application, network device) that has a certificate from a PKI trusts other entities with certificates issued by the same PKI because they all trust the root Certificate Authority (CA). This trust is ensured because every entity has a copy of the root CA's public certificate.

If you want to change or renew the root CA certificate, to maintain the trust, the new certificate must be distributed to every entity that has a certificate from the PKI.

18. What protocol is a common open protocol for interfacing with and querying directory service information provided by network operating systems, using port 389 via TCP or UDP?

Explanation

LDAP = Lightweight Directory Access Protocol, an open protocol for interfacing with and querying directory service information from network operating systems, using port 389 over TCP or UDP.

CHAP, PAP, & RADIUS are authentication protocols:

CHAP = Challenge-Handshake Authentication Protocol
PAP = Password Authentication Protocol
RADIUS = Remote Authentication Dial-In User Service

19. Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?

Explanation

The IP address 192.168.42.5 is in the private Class C IP address range.

The private IP address ranges are:

* 10.0.0.0–10.255.255.255 (Class A network)
* 172.16.0.0–172.31.255.255 (Class B networks)
* 192.168.0.0–192.168.255.255 (Class C networks)

20. When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used. What is the proper term for a single unit of TCP data at the transport layer?

Explanation

In the OSI model, layer 4 is the transport layer. In the TCP/IP model, Application Layer data is encapsulated in a Layer 4 TCP segment. That TCP segment is encapsulated in a Layer 3 IP packet. Data, segments, and packets are examples of Protocol Data Units (PDUs).

21. Who developed one of the first mathematical models of a multilevel-security computer system?

Explanation

The Bell-LaPadula model was the first mathematical model of a multilevel security policy. It was used to define the concept of a secure state machine and modes of access, and it outlined rules of access.

22. Ensuring least privilege does not require:

Explanation

Ensuring that the user alone does not have sufficient rights to subvert an important process is not a requirement for least privilege. This is an example of separation of duties where it would take collusion between two or more people to subvert the process.

23. Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of ______________, ____________, __________ for Evaluated Assurance Levels (EALs) to certify a product or system.

Explanation

Under the Common Criteria model, an evaluation is carried out on a product and it is assigned an Evaluation Assurance Level (EAL). The testing becomes more thorough, stringent, and detail-oriented as the assurance level increases. The Common Criteria has seven assurance levels, ranging from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is formally verified.

The Common Criteria process is based on two key elements: protection profiles and security targets. Protection profiles (PPs) specify, for a product that is to be evaluated (the target of evaluation, or TOE), the security requirements and protections; they are considered the security desires, or the "I want", from a customer. Security targets (STs) specify the claims of security from the vendor that are built into a TOE; they are considered the implemented security measures, or the "I will provide", from the vendor. In addition to offering security targets, vendors may offer packages of additional security features. A package is an intermediate grouping of security requirement components that can be added to or removed from a TOE (like the option packages when purchasing a new vehicle).

24. Which of the following protocols does not operate at the data link layer (layer 2)?

Explanation

ICMP works at the network layer of the OSI model.

25. What service is known as cloud identity, which allows organizations to leverage cloud service for identity management?

Explanation

IDaaS = Identity as a Service

IaaS = Infrastructure as a Service
PaaS = Platform as a Service
SaaS = Software as a Service

26. Which of the following is NOT an asymmetric key algorithm?

Explanation

Data Encryption Standard (DES) is not an asymmetric key algorithm; it is a symmetric key algorithm.

DES is a symmetric block encryption algorithm: 64-bit blocks of plaintext go in, and 64-bit blocks of ciphertext come out. Being symmetric, the same key is used for encryption and decryption. It uses a 64-bit key, of which 56 bits make up the true key and 8 bits are used for parity. When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. Each block is put through 16 rounds of transposition and substitution functions; the order and type of those functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext.

27. Which approach to a security program ensures people responsible for protecting the company's assets are DRIVING the program?

Explanation

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management, work their way through middle management, and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies.

28. What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?

Explanation

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used.

29. What is an XML-based framework for exchanging security information, including authentication data?

Explanation

SAML is an XML-based framework for exchanging security information, including authentication data.

Kerberos is a third-party authentication service that may be used to support single sign-on.
OpenID is a framework for exchanging authentication data, but it is not XML-based.
SESAME = Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environments.

30. A criminal deduces that an organization is holding an offsite meeting and there are few people in the building, based on the low traffic volume to and from the parking lot. The criminal uses the opportunity to break into the building to steal laptops. What type of attack has been launched?

Explanation

Inference requires an attacker to “fill in the blanks” and deduce sensitive information from public information.

31. You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services. During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?

Explanation

Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. The client must be notified immediately, as incident handling is not the penetration tester's responsibility.

32. Which security and audit framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?

Explanation

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO also deals with non-IT items, such as company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

There have been laws in place since the 1970s that basically state that it is illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes-Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, can send executives to jail if it is discovered that their company submitted fraudulent accounting findings to the Securities and Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

33. With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance?

Explanation

An object-oriented database (OODB) is more dynamic than a relational database as it stores data as objects. It allows object-oriented programming (OOP) code, including classes, to manipulate the objects. This also makes the reusing of code possible.

34. Which of the following characteristics pertaining to databases is not true?

Explanation

Data normalization is the process of reducing data to its canonical form. Database normalization is the process of organizing the fields and tables of a relational database to minimize redundancy and dependency. Justification is not a term that is used for normalized data.

35. Which level of RAID does NOT provide additional reliability?

Explanation

RAID 0 provides only striping and is used simply for performance purposes. It offers no additional data redundancy or resiliency.

RAID 1: Mirrored Set
RAID 3: Striped set w/ parity (allows for failure of 1 drive)
RAID 5: Striped set w/ distributed parity (allows for failure of 1 drive)

36. What describes a more agile development and support model, where developers directly support operations?

Explanation

DevOps is a more agile development and support model, where developers directly support operations.

Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.

37. Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. What is the ARO?

Explanation

ARO = Annualized Rate of Occurrence; the number of losses suffered per year.

38. Which of these terms is MOST closely related to confidentiality?

Explanation

Confidentiality refers to the protection of sensitive information from unauthorized access. The term "need-to-know" is closely related to confidentiality as it emphasizes that only individuals with a legitimate need should have access to confidential information. This principle ensures that information is disclosed on a strictly need-to-know basis, reducing the risk of unauthorized disclosure and maintaining confidentiality.

39. Maximum Tolerable Downtime (MTD) is comprised of which two metrics?

Explanation

The Recovery Time Objective (RTO, the time it takes to bring a failed system back online) and Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime: RTO + WRT = MTD.

Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.

40. In the SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?

Explanation

SSL and TLS both support server authentication (mandatory) and client authentication (optional).

41. In the early days of biometric identification systems, it soon became apparent that truly positive identification could only be based on a person's physical attributes. This raised the need to answer two questions:

Explanation

The correct answer is "What part of the body is to be used, and how to accomplish identification that is viable". These are the two questions raised in the context of biometric identification systems: which part of the body should be used for identification, and how a viable identification process can be achieved. The other options, such as determining a person's age and income level or tone of voice and habits, do not address the main concerns of biometric identification systems.

42. You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services. You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?

Explanation

Fuzzing is a black-box testing method that does not require access to source code.

43. Within the OSI model, at what layer are some of the SLIP, CSLIP, and PPP control functions provided?

Explanation

PPP (Point-to-Point Protocol) is a data link protocol used to establish a direct connection between two nodes. PPP has replaced the older SLIP and CSLIP protocols.

44. In SQL relational databases, where is the actual data stored?

Explanation

In a relational database, the actual data is stored in tables that consist of tuples (rows) and attributes (columns).

45. Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. Is the DoS mitigation service a good investment?

Explanation

TCO = Total Cost of Ownership; $10,000 per month, or $120,000 per year.
ALE = Annualized Loss Expectancy; Single Loss Expectancy, or SLE (40% of $20,000 = $8,000), multiplied by the Annualized Rate of Occurrence, or ARO (7 times per year) = $56,000.
The TCO ($120,000) is greater than the ALE ($56,000), so this would be a bad investment.

46. RADIUS incorporates which of the following services?

Explanation

A central authentication service for dial-up users is the standard Remote Authentication Dial-In User Service (RADIUS). RADIUS incorporates an authentication server and dynamic passwords. The RADIUS protocol is an open, lightweight, UDP-based protocol that can be modified to work with a variety of security systems. It provides authentication, authorization, and accounting services to routers, modem servers, and wireless applications. RADIUS is described in RFC 2865.

47. What is the access protection system that limits connections by calling back the number of a previously authorized location called?

Explanation

Callback is when the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection.

48. When considering all the reasons that buffer overflow vulnerabilities exist, what is the real reason?

Explanation

The human error in this answer is poor programming by the software developer.

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed.

When a programmer writes a piece of software that will accept data, this data and its associated instructions will be stored in the buffers that make up a stack. The buffers need to be the right size to accept the inputted data. So if the input is supposed to be one character, the buffer should be one byte in size. If a programmer does not ensure that only one byte of data is being inserted into the software, then someone can input several characters at once and thus overflow that specific buffer.

49. In discretionary access environments, which of the following entities is authorized to grant information access to other people?

Explanation

The data owner is authorized to grant information access to other people in discretionary access environments. As the owner of the data, they have the authority to determine who can access the information and to what extent. They are responsible for ensuring that access is granted based on the appropriate permissions and security requirements. The system administrator, data custodian, and security manager may have roles in managing and securing the data, but it is ultimately the data owner who has the authority to grant access.

50. Which of the following is NOT a security characteristic we need to consider while choosing a biometric identification system?

Explanation

Cost is not a security concern.

51. Which access control model would a lattice-based access control model be an example of?

Explanation

A lattice-based access control model, which is a type of label-based mandatory access control model, is used to define the levels of security that an object may have and that a subject may have access to.

52. What is the most secure type of EAP?

Explanation

EAP-TLS = Extensible Authentication Protocol-Transport Layer Security (uses PKI, establishes TLS tunnel)

EAP-TTLS = Extensible Authentication Protocol-Tunneled Transport Layer Security (establishes TLS tunnel without PKI)
LEAP = Lightweight Extensible Authentication Protocol (Cisco proprietary, insecure)
PEAP = Protected Extensible Authentication Protocol (Cisco, Microsoft, RSA version of EAP-TTLS)

53. What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?

Explanation

An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.

54. Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access Control System (TACACS) for communication between clients and servers?

Explanation

The original TACACS was developed during the days of ARPANET, which is the basis for the Internet. TACACS uses UDP as its communication protocol; TACACS+ uses TCP.

55. Which of the following is an advantage of prototyping?

Explanation

A sample of software code or a model (prototype) can be developed to explore a specific approach to a problem before investing expensive time and resources. A team can identify the usability and design problems while working with a prototype and adjust their approach as necessary. Within the software development industry three main prototype models have been invented and used. These are the rapid prototype, evolutionary prototype, and operational prototype.

56. In biometrics, a "one-to-many" search against a database of stored biometric images is done in:

Explanation

A biometric system executes a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown user in identification mode. If the comparison of the biometric sample to a template in the database falls within a threshold previously set, identifying the individual will succeed.

57. Which of the following is true for digital signatures?

Explanation

To digitally sign a message, the sender hashes the plaintext and then encrypts the hash with his or her private key. The recipient decrypts the signature with the sender's public key and compares the result with a fresh hash of the received message; a match proves that the message is unchanged and that it came from the holder of the private key.
58. What metric describes how long it will take to recover a failed system?

Explanation

The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for

Minimum Operating Requirements describe the minimum environmental and connectivity requirements needed to operate computer equipment.
Mean Time Between Failures (MTBF) quantifies how long a new or repaired system is expected to run before failing.
The Recovery Point Objective (RPO) is the point in time to which data must be restored after a disruption, that is, the maximum amount of data loss, measured in time, that the business can tolerate. The Recovery Time Objective (RTO), by contrast, is the time within which the system must be back in service.
59. The best technique to authenticate to a system is to:

Explanation

This is a tricky question. Biometrics is often offered as the strongest single authentication factor, but a biometric on its own is still only one factor, and you would not establish biometric access through a secured server or Web site. Therefore the answer must be "Ensure the person is authenticated by something he knows and something he has", which is two-factor authentication.
60. Which software development model is actually a meta-model that incorporates a number of the software development models?

Explanation

The spiral model is a risk-driven process model generator for software projects. Thus, the incremental, waterfall, prototyping, and other process models are special cases of the spiral model that fit the risk patterns of certain projects.

61. A network-based vulnerability assessment is a type of test also referred to as:

Explanation

A vulnerability assessment is typically described as a two-step process. The first step is host-based and passive: procedures inspect a system's configuration files to detect inadvisable settings, its password files to detect weak passwords, and other system areas to detect policy violations.

The second step is network-based and is considered the active component: mechanisms are set in place to re-enact known methods of attack against the target and to record how the system responds. A network-based vulnerability assessment is therefore also referred to as an active test. Because the probes themselves can disrupt fragile services, such tests should be scoped and scheduled with the system owners.
62. Which of the following security controls is intended to bring an environment back to regular operation?

Explanation

Security controls are classified by the function they perform: preventive, detective, corrective, deterrent, recovery and compensating. The six control functionalities are as follows:

Deterrent Intended to discourage a potential attacker

Preventive Intended to avoid an incident from occurring

Corrective Fixes components or systems after an incident has occurred

Recovery Intended to bring the environment back to regular operations

Detective Helps identify an incident’s activities and potentially an intruder

Compensating Controls that provide an alternative measure of control

63. There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

Explanation

Public key infrastructure describes a system that uses certificates, or the underlying public key cryptography on which the certificates are based.

In the traditional public key model, clients are issued credentials, or "certificates", by a Certificate Authority (CA), which acts as a trusted third party. A public key certificate contains the user's name, the user's public key, the expiration date of the certificate and similar fields; the most common certificate format is X.509. Public key credentials in the form of certificates and public-private key pairs can provide a strong distributed authentication system.

The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key certificate: both are issued by a trusted third party (the KDC and the CA respectively) and are presented to gain access to resources. However, Kerberos tickets usually have lifetimes measured in hours or days rather than months or years, and they are protected with symmetric keys shared with the KDC rather than with a CA signature.
64. Which of the following are additional access control objectives?

Explanation

Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and availability.

Confidentiality assures that the information is not disclosed to unauthorized persons or processes. Integrity assures that data is not modified in an unauthorized or undetected way and so remains consistent.

Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility.

65. Who should measure the effectiveness of Information System security related controls in an organization?

Explanation

The function of the auditor is to check periodically that the organization is doing what it is supposed to be doing: that the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and with the applicable laws and regulations. Organizations can have internal auditors and/or external auditors; external auditors commonly work on behalf of a regulatory body to confirm that compliance is being met.

COBIT is a model that most information security auditors follow when evaluating a security program. Control Objectives for Information and related Technology (COBIT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to manage IT properly and to ensure that IT maps to business needs.
66. What is the primary goal of setting up a honey pot?

Explanation

A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit. Some honeypot systems have services emulated, meaning the actual service is not running but software that acts like those services is available. Honeypot systems can get an attacker's attention by advertising themselves as easy targets to compromise. They are configured to look like regular company systems so that attackers will be drawn to them like bears are to honey.

Organizations use these systems to identify, quantify, and qualify specific traffic types to help determine their danger levels. The systems can gather network traffic statistics and return them to a centralized location for better analysis. So as the systems are being attacked, they gather intelligence information that can help the network staff better understand what is taking place within their environment.
67. What is the most secure type of firewall?

Explanation

Application-layer (proxy) firewalls are the most secure of the four because they understand the application protocol and can filter on OSI layers 3 through 7, including the content of requests. The price is higher latency and the need for a separate proxy for each protocol.

Packet filter = filters on the basis of a single packet's headers; no concept of "state"
Stateful firewall = uses a state table to compare current packets with earlier ones in the same connection
Circuit-level firewall = operates at layer 5 (session) and cannot filter based on application-layer data
68. Two objects with the same name have different data.  What OOP concept does this illustrate?

Explanation

Polyinstantiation means "many instances": two objects with the same name that hold different data. In a database the same idea lets users at different clearance levels see different rows for the same key, so that a lower-cleared user cannot infer that a higher-classified row exists.

Delegation allows an object to hand off (delegate) a message to another object.
Inheritance means an object inherits attributes and methods from its parent class.
Polymorphism allows objects of different classes to respond to the same message (method name or operator) in a way appropriate to their own class.
69. Debbie from finance called to tell you that she downloaded and installed a free wallpaper program that sets the wallpaper on her computer to match the current weather outside but now her computer runs slowly and the disk drive activity light is always on. You take a closer look and when you do a simple port scan to see which ports are open on her computer, you notice that TCP/80 is open. You point a web browser at her computer's IP Address and port and see a site selling prescription drugs. Apart from the wallpaper changing software, what did Debbie install without her knowledge?

Explanation

A Trojan horse is code that is disguised as a useful application but contains code with a malicious or harmful purpose embedded in it. Once installed, the Trojan horse can set up a back door, install keystroke loggers, implement rootkits, upload files from the victim's system, install bot software, and perform many other types of malicious acts. Here the open TCP/80 listener serving a pharmacy site is the hidden payload: Debbie's machine has been turned into a web host for someone else's spam operation.
70. What type of memory stores bits in small capacitors (like small batteries)?

Explanation

DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM; each bit is a charge on a tiny capacitor that leaks and must be refreshed continually)

EPROM = Erasable Programmable Read Only Memory (erased with ultraviolet light and reprogrammed; the electrically erasable variant is EEPROM, the basis of flash memory)
SRAM = Static Random Access Memory (fast and expensive; each bit is held in a flip-flop built from transistors and needs no refresh)
SSD = Solid State Drive (persistent storage built from flash memory, not volatile RAM)
71. Which of the following security controls is intended to avoid an incident from occurring?

Explanation

Preventive controls stop actions from taking place. They apply restrictions to what a user can do, whether that user is authorized or unauthorized.
72. Operations Security seeks to primarily protect against which of the following?

Explanation

Operations security is concerned with maintaining networks, computer systems, applications and environments in a secure and protected manner. It consists of ensuring that users, applications and servers have access privileges only to the resources they are permitted to use, and that oversight is implemented through monitoring, auditing and reporting controls.
73. A 'Pseudo flaw' is which of the following?

Explanation

A pseudo flaw appears to be a vulnerability in an operating system program but is in fact a trap for intruders who attempt to exploit it, the same idea as a honeypot applied to a single program.
74. The description of the database is called a schema. The schema is defined by which of the following?

Explanation

The description of the database is called a schema, and the schema is defined by a Data Definition Language (DDL). DDL is similar to a computer programming language and is used for defining data structures, such as database schemas.

75. What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?

Explanation

Decreasing the number of minutiae points the scanner compares lowers the accuracy of the system: fewer genuine users are rejected (lower FRR), but more impostors are accepted (higher FAR). Lowering the match threshold has the same effect. The two error rates always move in opposite directions, and the point at which they are equal is the crossover error rate (CER) used to compare systems.

Enrollment time and throughput time are not directly connected to FAR and FRR.
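The FAR/FRR trade-off from questions 56 and 75, as an added example that is not part of the quiz. The match scores are constructed for the example, not taken from a real sensor: genuine attempts (same finger) tend to score high, impostor attempts low, with some overlap. Moving the accept threshold down is equivalent to comparing fewer minutiae: it lowers FRR and raises FAR.

```python
# Added example (not from the quiz): FAR and FRR as a function of the accept
# threshold, on constructed match scores. Scores in [0, 1]; higher = better match.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.63, 0.58, 0.55, 0.49]
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.36, 0.42, 0.47, 0.53, 0.59, 0.66]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for a given accept threshold.

    FAR = impostor attempts accepted / impostor attempts (Type II error)
    FRR = genuine attempts rejected / genuine attempts (Type I error)
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest, and the rates there (the CER/EER)."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)

    best = min(candidates, key=gap)
    return best, error_rates(best, genuine, impostor)


if __name__ == "__main__":
    # A strict threshold rejects half the genuine users but admits no impostor;
    # a lax one admits 30% of impostors but rejects only one genuine user.
    for t in (0.7, 0.6, 0.5):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("CER at threshold", *crossover_error_rate())
```

Which threshold is right depends on the use: a data-centre door wants a low FAR and tolerates re-tries, while a consumer phone unlock is tuned for a low FRR.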
76. The authenticator within Kerberos provides a requested service to the client after validating which of the following?

Explanation

In Kerberos implementations where the use of an authenticator is configured, the user sends their identification information and a timestamp and sequence number encrypted with the shared session key to the requested service, which then decrypts this information and compares it with the identification data the KDC sent to it about this requesting user. If the data matches, the user is allowed access to the requested service.

77. Another example of Computer Incident Response Team (CIRT) activities is:

Explanation

The network logs contain information which can give clues on computer incidents that have occurred. This information must be collected, saved for future use (retained), reviewed, and analyzed. These activities related to handling incidents are the responsibility of the Computer Incident Response Team.

78. Which of the following are WELL KNOWN PORTS assigned by the IANA?

Explanation

Ports 0 to 1023 are the well-known ports assigned by the Internet Assigned Numbers Authority (IANA). They are reserved for widely used services such as FTP (21), SSH (22), HTTP (80) and HTTPS (443). The other two ranges are the registered ports (1024 to 49151) and the dynamic or private ports (49152 to 65535). A well-known number is a convention, not a guarantee: nothing stops a service, or malware, from listening on any port, which is why question 69's pharmacy site on TCP/80 was a surprise and not an impossibility.
79. SQL commands do not include which of the following?

Explanation

There is no ADD command in the Structured Query Language (SQL); the INSERT command is used to add new rows to a table.

There is also no RELIST command in SQL.
80. Which security model introduces access to objects only through programs?

Explanation

With the Clark–Wilson model, users cannot modify critical data, the constrained data items (CDIs), directly. A user is authenticated to a piece of software, and well-formed transformation procedures (TPs) carry out the operations on the CDIs on the user's behalf; what the model authorizes is the access triple (user, TP, CDI).
81. Which of the following authentication mechanisms creates a problem for mobile users?

Explanation

Mechanisms based on IP addresses create a problem for mobile users because mobile devices often change their IP addresses as they move between different networks. This means that if an authentication mechanism relies on a specific IP address to verify a user's identity, the user may be denied access or face difficulties in authenticating when their IP address changes. Therefore, mechanisms based on IP addresses are not suitable for mobile users who frequently switch networks.

82. Which canon of The (ISC)2 Code of Ethics should be considered the most important?

Explanation

The canons are applied in the order listed, and "Protect society, the commonwealth, and the infrastructure" is the first canon.
83. Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.What is the ALE of lost iPod sales due to the DoS attacks?

Explanation

ALE = Annualized Loss Expectancy = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

SLE = amount lost per occurrence (asset value × exposure factor)
ARO = number of occurrences per year

The ALE is then compared with the annual cost of the countermeasure: a control is only cost-justified when the ALE it removes exceeds what it costs per year.
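The quiz's numbers carried through the ALE formula and on to the cost/benefit decision, as an added example that is not part of the quiz. One assumption the question leaves open is made explicit here: a DoS attack is taken to depress sales for one full week, so the SLE is 40% of one week's profit.

```python
# Added example (not from the quiz): ALE and safeguard value for the DoS scenario.
# Assumption: one attack costs 40% of one week's profit (the question does not
# say how long an attack lasts).
WEEKLY_PROFIT = 20_000          # dollars, from the question
SALES_DROP = 0.40               # exposure factor per attack
ATTACKS_PER_YEAR = 7            # ARO
SERVICE_MONTHLY_FEE = 10_000    # mitigation subscription


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the loss from one occurrence."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def control_value(ale_before, ale_after, annual_control_cost):
    """Value of a safeguard = ALE before - ALE after - annual cost of the control.
    Positive means the control pays for itself; negative means it costs more
    than the risk it removes."""
    return ale_before - ale_after - annual_control_cost


def dos_case():
    """Return (SLE, ALE, safeguard value) for the scenario in question 83."""
    sle = single_loss_expectancy(WEEKLY_PROFIT, SALES_DROP)
    ale = annualized_loss_expectancy(sle, ATTACKS_PER_YEAR)
    # The question says the service is believed to mitigate the attacks fully,
    # so the residual ALE is taken as 0.
    value = control_value(ale, 0, SERVICE_MONTHLY_FEE * 12)
    return sle, ale, value


if __name__ == "__main__":
    sle, ale, value = dos_case()
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}  safeguard value ${value:,.0f}")
```

Under that assumption the annual subscription costs more than the expected annual loss, which is the kind of result that sends a risk analyst back to look at cheaper options or at whether the one-week assumption is too optimistic.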
84. Why would a database be denormalized?

Explanation

The purpose of denormalization is to improve the read performance and processing efficiency of a database by adding redundant data or by grouping data.

85. In computing, what is the name of a non-self-replicating type of malware that appears to have some useful purpose but contains code with a malicious or harmful purpose embedded in it, and which, when executed, carries out actions unknown to the person installing it, typically causing loss or theft of data and possibly system harm?

Explanation

A Trojan horse is any code that appears to have some useful purpose but contains code with a malicious or harmful purpose embedded in it. It is non-self-replicating malware that often includes a trapdoor (back door) as a means of gaining access to a computer system while bypassing security controls.
86. Which plan details the steps required to restore normal business operations after recovering from a disruptive event?

Explanation

Resumption planning details the steps required to restore normal business operations after recovering from a disruptive event.

Business continuity planning develops a long-term plan to ensure the continuity of business operations.
The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster.
The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.
87. What is the BEST answer pertaining to the difference between the Session and Transport layers of the OSI model?

Explanation

The transport layer provides host-to-host (for example, computer-to-computer) communication services.

The session layer provides the mechanism for opening, closing and managing a session between end-user application processes.

88. Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following database type?

Explanation

An object-oriented database (OODB) has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.

89. During an IS audit, one of your auditors has observed that some of the critical servers in your organization can be accessed ONLY by using a shared/common user name and password. What should the auditor's PRIMARY concern be with this approach?

Explanation

Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time.

Audit trails list the actions performed by the user account used to perform the actions. However, if all the users are using the same user account, you have no way of knowing which person performed which action. Therefore, you have no “accountability”.

90. Kerberos can prevent which one of the following attacks?

Explanation

In a Kerberos implementation that is configured to use an authenticator, the user sends to the server her identification information, a timestamp, and a sequence number, encrypted with the session key that they share. The server then decrypts this information and compares it with the identification data the KDC sent to it regarding this requesting user. The server will allow the user access if the data is the same. The timestamp is used to help fight against replay attacks.
91. The fact that a network-based IDS reviews packets payload and headers enables which of the following?

Explanation

An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or host audit logs in order to determine whether any violations of an organization's security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall, or that are occurring within the local area network behind the firewall. A network-based IDS usually provides reliable, real-time information without consuming host resources, and it is passive while it acquires data. Because a network-based IDS reviews packet payloads and headers, it can also detect denial-of-service attacks. Furthermore, because it is monitoring an attack in real time, it can respond to an attack in progress (for example by resetting the connection) to limit the damage.
92. Which of the following is true about Kerberos?

Explanation

Kerberos is a network authentication protocol that relies on symmetric key cryptography. It uses a trusted third-party server, known as the Key Distribution Center (KDC), to authenticate users and provide them with tickets to access network resources. These tickets are encrypted using symmetric ciphers, which means that the same secret key is used for both encryption and decryption. This ensures secure communication between the client and the server. Therefore, the statement "it depends upon symmetric ciphers" is true about Kerberos.

93. In IPSec, if the communication is to be gateway-to-gateway or host-to-gateway:

Explanation

In IPsec tunnel mode, the entire original IP packet, header included, is encrypted and/or authenticated and then encapsulated in a new IP packet with a new IP header addressed to the far gateway. Tunnel mode is what virtual private networks use for network-to-network communication (for example between routers linking two sites) and host-to-network communication (remote user access). Transport mode, which protects only the payload and keeps the original IP header, is the usual choice for host-to-host communication, although tunnel mode can be used there as well.
94. Which of the following is one of the oldest and most common problems in software development that is still very prevalent today?

Explanation

Buffer overflows live in the source code of applications and operating systems, and they have been around since programmers started developing software. Because the defect is in the vendor's code, an end user cannot identify or fix it. When a buffer overflow is identified, the vendor usually sends out a patch, so keeping systems current on updates, hotfixes and patches is usually the best countermeasure available to the user; for the developer, the countermeasures are bounds checking, memory-safe languages and compiler and OS mitigations.

A buffer overflow takes place when more data is accepted as input to a process than the buffer, an allocated segment of memory, can hold. A buffer can be overflowed with arbitrary data, but for the overflow to be of any use to an attacker, the data written into the buffer must be of a specific length and laid out so that it overwrites a control value (such as a return address) with something the attacker chooses, followed by the instructions the attacker wants executed. So the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into memory until the process crashes, or to accomplish a specific task, by pushing into memory a carefully crafted set of data that will, for example, open a command shell with administrative privileges or execute malicious code.
95. Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?

Explanation

The data link layer provides node-to-node data transfer -- a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It, among other things, defines the protocol to establish and terminate a connection between two physically connected devices. It also defines the protocol for flow control between them.

The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC, defined in the IEEE 802.2 specification, communicates with the protocol immediately above it, the network layer. The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer.

The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. So when you see a reference to an IEEE standard, such as 802.11, 802.16, or 802.3, it refers to the protocol working at the MAC sublayer of the data link layer of a protocol stack.

96. Which of the following statements pertaining to IPSec is incorrect?

Explanation

IPSec works at the network layer, not at the transport layer

97. Which of the following translates source code one command at a time for execution on a computer?

Explanation

Interpreters translate one command at a time during run-time or execution time.

98. Which of the following risk handling techniques involves being proactive so that the risk in question is not realized?

Explanation

If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance.

By being proactive and removing the vulnerability causing the risk, we are avoiding the risk.

99. Which of the following would provide the BEST stress testing environment taking under consideration and avoiding possible data exposure and leaks of sensitive data?

Explanation

You should perform stress tests in a test environment, never against production. A workload derived from live data makes the test most realistic, but the data must be sanitized (masked or anonymized) first so that sensitive records are not exposed in the less-protected test environment or leaked through test logs and reports.

Stress testing (sometimes called torture testing) is a form of deliberately intense or thorough testing used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results.
100. What is the difference between Access Control Lists (ACLs) and Capability Tables?

Explanation

A capability table stipulates the access rights that a specified subject has in relation to detailed objects.

Access control lists defines subjects that are authorized to access a specific object, and includes the level of authorization that subjects are granted.

Therefore, the difference between the two is that the subject is bound to the capability table, while the object is bound to the ACL.

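The access control matrix of question 53 and its two projections from question 100, as an added example that is not part of the quiz. One matrix is stored as a mapping from (subject, object) to a set of rights; reading a column gives an object's ACL, reading a row gives a subject's capability list. Subject and object names are made up.

```python
# Added example (not from the quiz): one access control matrix, viewed as
# ACLs (per object) and as capability lists (per subject).
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.doc"): {"read"},
    ("bob",   "payroll.db"): {"read"},
    ("carol", "report.doc"): {"read", "write", "execute"},
}


def acl(matrix, obj):
    """Column view, bound to the object: which subjects may do what to it."""
    return {s: rights for (s, o), rights in matrix.items() if o == obj}


def capabilities(matrix, subject):
    """Row view, bound to the subject: what it may do to each object."""
    return {o: rights for (s, o), rights in matrix.items() if s == subject}


def is_allowed(matrix, subject, obj, action):
    """The reference monitor's question; both views answer it identically."""
    return action in matrix.get((subject, obj), set())


def revoke_object(matrix, obj):
    """Revoking all access to one object is a single column update in an ACL
    system; in a capability system every subject's row must be visited."""
    return {k: v for k, v in matrix.items() if k[1] != obj}


def revoke_subject(matrix, subject):
    """The mirror case: removing a subject is one row in a capability system,
    but touches every object's ACL."""
    return {k: v for k, v in matrix.items() if k[0] != subject}


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("Capabilities of alice:", capabilities(MATRIX, "alice"))
    print("bob write payroll.db?", is_allowed(MATRIX, "bob", "payroll.db", "write"))
```

The two revocation helpers show why the distinction matters operationally: which side the rights are attached to decides which kind of revocation is cheap.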
101. Which one of these statements about the key elements of a good configuration process is NOT true?

Explanation

The statement “Control modifications to system hardware in order to prevent resource changes” is not a key element of a good configuration process. Modifications to system hardware should be controlled by a change control procedure.

102. The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following?

Explanation

An object-oriented database has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.

103. Which of the following protocols offers native encryption?

Explanation

IPsec: Encapsulating Security Payload (ESP) provides encryption (network layer); the Authentication Header (AH) provides integrity only
SSH: supports several encryption algorithms (application layer)
SSL: asymmetric cryptography for key exchange, symmetric ciphers for the data (transport layer); all versions are deprecated in favour of TLS
TLS: supports several encryption algorithms (transport layer)

PPTP: no native encryption; Microsoft's implementation relies on MPPE, which is itself weak (data link layer)
MPLS: converged protocol, no encryption
L2F: authentication and tunneling only, no encryption (data link layer)
L2TP: no native encryption; relies on IPsec for encryption (data link layer)
TFTP: no encryption (application layer)
104. You wish to make use of "port knocking" technologies. How can you BEST explain this?

Explanation

Port knocking is an access control method used by network administrators to hide services on computers or other network devices behind a firewall. It takes advantage of firewall rules to allow a client who knows the "secret knock" to reach a particular port by first performing a sequence of connection attempts to other, closed ports (the knock sequence). The correct knock sequence for any given port is created for specific IP addresses by the network administrator. A small program, a daemon, monitors the firewall log files for connection requests and determines whether the client seeking the network is on the list of approved IP addresses and has performed the correct knock sequence. If so, it opens the associated port for that client and allows access. Of course, if unauthorized personnel discover the knock sequence, then they, too, can gain access; because the knocks travel in the clear, anyone who can sniff the path can learn it. Port knocking therefore reduces exposure of a service but is not a substitute for the authentication the service itself performs.
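The daemon described above, simulated as an added example that is not part of the quiz. It consumes (source address, destination port) events of the kind a firewall log would yield, tracks each source's progress through the knock sequence, and marks the protected port open only for an approved source that sends the exact sequence, in order, with no more than a fixed number of seconds between knocks. The sequence, the timeout and the addresses (from the TEST-NET-3 documentation range) are made up.

```python
# Added example (not from the quiz): a port-knock daemon's state machine.
import time

KNOCK_SEQUENCE = (7000, 8000, 9000)   # the secret knock, in order
PROTECTED_PORT = 22                   # opened only after a correct knock
KNOCK_TIMEOUT = 10.0                  # max seconds between successive knocks
ALLOWED_SOURCES = {"203.0.113.5", "203.0.113.9"}


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 allowed=ALLOWED_SOURCES):
        self.sequence = sequence
        self.timeout = timeout
        self.allowed = allowed
        self.progress = {}   # src_ip -> (index of next expected knock, time of last knock)
        self.opened = {}     # src_ip -> set of ports opened for it

    def observe(self, src_ip, dst_port, now=None):
        """Feed one logged connection attempt.

        Returns True only when this event completes the knock sequence."""
        now = time.time() if now is None else now
        if src_ip not in self.allowed:
            return False                       # not on the approved list: ignore
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > self.timeout:
            idx = 0                            # too slow: start the sequence over
        if dst_port == self.sequence[idx]:
            idx += 1                           # correct next knock
        else:
            # wrong port resets; a correct first knock still counts as a restart
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.setdefault(src_ip, set()).add(PROTECTED_PORT)
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def is_open(self, src_ip, port=PROTECTED_PORT):
        return port in self.opened.get(src_ip, set())


if __name__ == "__main__":
    d = KnockDaemon()
    for port in KNOCK_SEQUENCE:
        d.observe("203.0.113.5", port)
    print("22 open for 203.0.113.5:", d.is_open("203.0.113.5"))
```

A real implementation would also close the port again after a while and rate-limit sources, otherwise an attacker who sees the three knocks on the wire gets the same result as the legitimate client, which is the weakness the explanation ends on.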
105. Which of the following is true about link encryption?

Explanation

With Link Encryption each entity has keys in common with its two neighboring nodes in the transmission chain. Thus, a node receives the encrypted message from its predecessor (the neighboring node), decrypts it, and then re-encrypts it with another key that is common to the successor node. Then, the encrypted message is sent on to the successor node where the process is repeated until the final destination is reached. Obviously, this mode does not provide protection if the nodes along the transmission path can be compromised.

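The hop-by-hop behaviour described above, simulated as an added example that is not part of the quiz, with end-to-end encryption beside it for contrast. Each link has its own key shared only by the two nodes at its ends; a node decrypts what it receives and re-encrypts for the next link, so every intermediate node holds the plaintext. The "cipher" is a toy XOR keystream derived from SHA-256, used only so the example runs with the standard library; it is not a real cipher. Node names and keys are made up.

```python
# Added example (not from the quiz): link encryption versus end-to-end encryption.
import hashlib


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived keystream. NOT a real cipher; it is
    symmetric, so applying it twice with the same key restores the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt

PATH = ["sender", "router1", "router2", "receiver"]
# One key per link, known only to the two nodes on that link.
LINK_KEYS = {
    ("sender", "router1"): b"k-sender-r1",
    ("router1", "router2"): b"k-r1-r2",
    ("router2", "receiver"): b"k-r2-receiver",
}


def send_link_encrypted(message: bytes, path=PATH, keys=LINK_KEYS):
    """Forward message along path with link encryption.

    Returns (what the receiver gets, {node: bytes that node held in memory})."""
    seen = {path[0]: message}
    payload = message
    for a, b in zip(path, path[1:]):
        on_the_wire = toy_encrypt(keys[(a, b)], payload)   # protected on this link only
        payload = toy_decrypt(keys[(a, b)], on_the_wire)   # node b recovers the plaintext
        seen[b] = payload
    return payload, seen


def send_end_to_end(message: bytes, e2e_key: bytes, path=PATH):
    """Contrast: one key shared only by the endpoints; intermediates relay ciphertext."""
    payload = toy_encrypt(e2e_key, message)
    seen = {path[0]: message}
    for node in path[1:-1]:
        seen[node] = payload                 # ciphertext only
    delivered = toy_decrypt(e2e_key, payload)
    seen[path[-1]] = delivered
    return delivered, seen


if __name__ == "__main__":
    msg = b"wire transfer 10000 to account 42"
    _, link_seen = send_link_encrypted(msg)
    _, e2e_seen = send_end_to_end(msg, b"k-end-to-end")
    for node in PATH:
        print(f"{node:9s} link: {'plaintext' if link_seen[node] == msg else 'ciphertext'}"
              f"   e2e: {'plaintext' if e2e_seen[node] == msg else 'ciphertext'}")
```

The trade-off the explanation points at is visible in the two `seen` maps: link encryption hides everything, headers included, from an eavesdropper on the cable but trusts every router; end-to-end encryption trusts no router but has to leave the headers readable so the packet can be routed.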
106. Kerberos is vulnerable to replay in which of the following circumstances?

Explanation

Kerberos addresses the confidentiality and integrity of authentication information. It does not directly address availability or attacks such as frequency analysis. Furthermore, because all the secret keys are held by, and authentication is performed on, the Kerberos ticket-granting server (TGS) and authentication server (AS), those servers are vulnerable to both physical attacks and attacks from malicious code. Replay can be accomplished on Kerberos if captured tickets and authenticators are reused within the allotted time window: the service accepts an authenticator whose timestamp is within the permitted clock skew (five minutes by default) unless its replay cache has already seen it. Because the client's password is used to derive the key for the initial Kerberos request, password guessing can be used to impersonate a client.
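The service-side checks behind questions 76, 90 and 106, as an added example that is not part of the quiz: the authenticator is modelled as it looks after decryption with the shared session key (the encryption step is left out so the example runs with the standard library alone), and the service checks the principal against the ticket, the timestamp against its clock-skew window, and a replay cache. Principal names are made up; the five-minute skew limit is the conventional Kerberos default.

```python
# Added example (not from the quiz): how a Kerberized service validates an
# authenticator and why replay only works inside the skew window.
from dataclasses import dataclass

MAX_SKEW = 300  # seconds; the conventional Kerberos clock-skew limit


@dataclass(frozen=True)
class Ticket:
    """What the KDC told the service about the client, carried in the service ticket."""
    client: str
    session_key_id: str


@dataclass(frozen=True)
class Authenticator:
    """What the client sends with the ticket, encrypted under the session key."""
    client: str
    timestamp: int   # client's clock, in seconds
    seq: int


class ReplayCache:
    """Remembers authenticators for as long as they could still pass the skew check."""

    def __init__(self):
        self.seen = {}   # (client, timestamp, seq) -> timestamp

    def first_use(self, auth: Authenticator, now: int) -> bool:
        # Anything older than the window would fail the skew check anyway, so forget it.
        self.seen = {k: ts for k, ts in self.seen.items() if now - ts <= MAX_SKEW}
        key = (auth.client, auth.timestamp, auth.seq)
        if key in self.seen:
            return False
        self.seen[key] = auth.timestamp
        return True


def validate(ticket: Ticket, auth: Authenticator, now: int, cache: ReplayCache):
    """The service's checks, in order. Returns (accepted, reason)."""
    if auth.client != ticket.client:
        return False, "principal in authenticator does not match ticket"
    if abs(now - auth.timestamp) > MAX_SKEW:
        return False, "timestamp outside clock-skew window"
    if not cache.first_use(auth, now):
        return False, "replay: authenticator already seen"
    return True, "ok"


if __name__ == "__main__":
    ticket = Ticket("alice@EXAMPLE.COM", "sk-1")
    cache = ReplayCache()
    auth = Authenticator("alice@EXAMPLE.COM", timestamp=1000, seq=1)
    print(validate(ticket, auth, now=1010, cache=cache))   # fresh: accepted
    print(validate(ticket, auth, now=1020, cache=cache))   # same bytes again: replay
    print(validate(ticket, auth, now=1500, cache=cache))   # too old: skew check
```

The ordering matters: a service that checked the cache but not the clock would need to remember authenticators forever, and one that checked the clock but kept no cache would accept any capture replayed within five minutes, which is exactly the window question 106 describes.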
107. Which of the following is not an element of a relational database model?

Explanation

Referential integrity is an element of the relational model: every foreign key value must reference an existing primary key, so there are no dangling references between tables. "Security structures called referential validation within tables" is not an element of the relational model; referential validation is not a security structure within a table.
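The three SQL points from questions 74, 79 and 107 in one runnable script, as an added example that is not part of the quiz: a DDL script defines the schema, DML (INSERT, since there is no ADD) puts rows in, and a FOREIGN KEY constraint enforces referential integrity by rejecting a row that points at a department that does not exist. It uses Python's built-in sqlite3 module; the tables and rows are made up.

```python
# Added example (not from the quiz): DDL, DML and referential integrity in SQLite.
import sqlite3

SCHEMA_DDL = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)   -- foreign key
);
"""


def build_db():
    """Create the schema with DDL and load a few rows with DML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA_DDL)
    conn.executemany("INSERT INTO department (dept_id, name) VALUES (?, ?)",
                     [(10, "finance"), (20, "security")])
    conn.execute("INSERT INTO employee (name, dept_id) VALUES (?, ?)", ("debbie", 10))
    conn.commit()
    return conn


def insert_employee(conn, name, dept_id):
    """True if the row was accepted, False if it violated referential integrity."""
    try:
        with conn:   # transaction: rolled back on error
            conn.execute("INSERT INTO employee (name, dept_id) VALUES (?, ?)",
                         (name, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def has_add_statement(conn):
    """SQL has no ADD statement for rows; the parser rejects it."""
    try:
        conn.execute("ADD INTO employee VALUES (99, 'x', 10)")
        return True
    except sqlite3.OperationalError:
        return False


def employees_by_department(conn):
    return conn.execute(
        "SELECT d.name, COUNT(e.emp_id) FROM department d "
        "LEFT JOIN employee e USING (dept_id) GROUP BY d.name ORDER BY d.name"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("bob -> security:", insert_employee(db, "bob", 20))
    print("mallory -> dept 99:", insert_employee(db, "mallory", 99))
    print("ADD accepted?", has_add_statement(db))
    print(employees_by_department(db))
```

The PRAGMA line is the practitioner detail worth remembering: in SQLite the foreign-key constraints in the DDL are parsed but not enforced unless the connection turns enforcement on, so a schema can look correct while silently accepting orphan rows.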
108. The Clipper Chip utilizes which concept in public key cryptography?

Explanation

The Clipper chip was a chipset developed and promoted by the United States National Security Agency (NSA) as an encryption device with a built-in backdoor, intended to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct.

The Clipper chip used a data encryption algorithm called Skipjack to protect the conversation and the Diffie-Hellman key exchange algorithm to establish session keys between the peers. At the heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a cryptographic key that would then be provided to the government in escrow, split between two agencies. If government agencies "established their authority" to listen to a communication, the key halves would be released to them and they could then decrypt all data transmitted by that particular telephone. The newly formed Electronic Frontier Foundation preferred the term "key surrender" to emphasize what they alleged was really occurring. In 1994 Matt Blaze also showed that the escrow field the chip attached to each conversation could be forged, so the backdoor could be disabled by a user while the weakened design remained.
109. Which of the following is not a property of the Rijndael block cipher algorithm?

Explanation

Rijndael supports block sizes of 128, 192 and 256 bits (and key sizes of 128, 192 and 256 bits), so any other block size named in the options is not a property of the algorithm. Note that the AES standard (FIPS 197) adopted only the 128-bit block size, keeping the three key sizes.
110. What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?

Explanation

Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.

Dynamic testing examines code while executing it.
Misuse case testing formally models how security would be impacted by an adversary abusing the application.
Static testing examines the code passively; the code is not running. This form of testing includes walkthroughs, syntax checking, and code reviews.

111. Java is not:

Explanation

Java was developed so that the same program could be executed on multiple hardware and operating system platforms: source is compiled to bytecode that runs on a Java Virtual Machine. It is therefore not architecture specific.
112. Cryptography does NOT help in:

Explanation

Cryptography can prevent unauthorized users from reading the data and can detect unauthorized modification of it. It cannot prevent someone from deleting or destroying the encrypted data; that is an availability problem addressed by backups and access controls, not by encryption.

Modern cryptography concerns itself with the following four objectives:

1) Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2) Integrity (the information cannot be altered in storage or in transit between sender and intended receiver without the alteration being detected)
3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4) Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)

113. Under which type of cloud service level would Linux hosting be offered?

Explanation

IaaS = Infrastructure as a Service: the provider supplies virtualized compute, storage and networking, and the customer installs and configures everything from the operating system up. A Linux virtual machine that the customer administers is therefore IaaS.

114. What is NOT true with pre shared key authentication within IKE / IPsec protocol?

Explanation

A pre-shared key is a secret configured on both peers out of band; during IKE authentication each side proves possession of it, so no Public Key Infrastructure (certificates or certificate authorities) is required. As a point of architecture, most IPsec implementations consist of an IKE daemon that runs in user space and negotiates the security associations, and an IPsec stack in the kernel that processes the actual IP packets.

115. What is the primary purpose of using redundant array of inexpensive disks (RAID) level zero?

Explanation

RAID level 0 (disk striping) spreads data across several disks purely for performance; it offers no fault tolerance, and the failure of any one disk loses the whole array.

116. The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of:

Explanation

In addition to the accuracy of the biometric systems, there are other factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a system. Acceptable throughput rates are in the range of 10 subjects per minute.

117. Which managerial role is responsible for the actual computers that house data, including the security of hardware and software components?

Explanation

The correct answer is system owner. The system owner is responsible for the actual computers that house data, including the security of hardware and software components. They ensure that the system is maintained, updated, and protected from any potential threats or vulnerabilities. The system owner also oversees the overall functioning and performance of the system to ensure that it meets the organization's needs and objectives.

118. Which of the following technologies has been developed to support TCP/IP networking over low speed serial interfaces?

Explanation

Serial Line Internet Protocol (SLIP) is an older technology developed to carry TCP/IP over asynchronous serial connections, such as serial cables or modem dial-up.

119. Which ISO/OSI layer establishes the communications link between individual devices over a physical link or channel?

Explanation

The data link layer establishes the link between directly connected devices, frames the data, and handles addressing and error detection on that link. Converting the frames into signals (electrical voltages, light or radio) is the job of the physical layer beneath it.

120. Which of the following is addressed by Kerberos?

Explanation

Kerberos is a trusted third-party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is the three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to the other entities on a network from which the client requires services.

Kerberos addresses the confidentiality and integrity of information. It does not directly address availability and attacks such as frequency analysis.

121. In a known plaintext attack, the cryptanalyst has knowledge of which of the following?

Explanation

Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at “cracking” the cipher is also known as an attack.

In a Known Plaintext attack, the attacker has both the plaintext and the associated ciphertext of several messages.
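
The attack described above, as an added example that is not part of the quiz: a toy repeating-key XOR cipher is broken from one plaintext/ciphertext pair, and the recovered key is then used to read a second message. The key and both messages are constructed for the example.

```python
# Added example (not from the quiz): a known-plaintext attack on a toy
# repeating-key XOR cipher. The key and both messages below are constructed.


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Core of the attack: with a plaintext/ciphertext pair the keystream
    is simply k_i = p_i XOR c_i, no key guessing required."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must be the same length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def shortest_period(stream: bytes) -> bytes:
    """The analyst does not know the key length; the repetition in the
    recovered keystream reveals it. Returns the shortest repeating unit."""
    for n in range(1, len(stream) + 1):
        unit = stream[:n]
        if all(stream[i] == unit[i % n] for i in range(len(stream))):
            return unit
    return stream


def known_plaintext_attack(known_pt: bytes, known_ct: bytes, target_ct: bytes):
    """Recover the key from one known pair, then decrypt a second message
    encrypted under the same key. If the known plaintext is shorter than
    the key, only a prefix of the key is recovered and the result is wrong:
    the attack needs at least one full key period of known plaintext."""
    key = shortest_period(recover_keystream(known_pt, known_ct))
    return key, xor_cipher(target_ct, key)


# Constructed demo data: the victim reuses one key for two messages.
KEY = b"S3cr3t"
KNOWN_PT = b"MEET AT THE NORTH GATE AT DAWN"      # the attacker knows this
TARGET_PT = b"ABORT MISSION, WE ARE BLOWN"        # the attacker wants this
KNOWN_CT = xor_cipher(KNOWN_PT, KEY)
TARGET_CT = xor_cipher(TARGET_PT, KEY)


def demo():
    """Run the attack as the analyst would: only KNOWN_PT, KNOWN_CT and
    TARGET_CT are inputs; KEY and TARGET_PT exist only to check the result."""
    return known_plaintext_attack(KNOWN_PT, KNOWN_CT, TARGET_CT)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("decrypted    :", plaintext)
```

The same idea scales to real ciphers: a known plaintext does not hand over the key directly, but it gives the analyst a test that rejects wrong key guesses, which is what makes brute force and differential attacks workable.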

122. What type of relatively expensive and fast memory uses small latches called "flip-flops" to store bits?

Explanation

SRAM = Static Random Access Memory (fast and expensive; each bit is held in a flip-flop and needs no refresh)

DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM; each bit is a charge on a capacitor that must be refreshed)
EPROM = Erasable Programmable Read Only Memory (non-volatile; erased with ultraviolet light and reprogrammed, unlike EEPROM and flash, which are erased electrically)
SSD = Solid State Drive (flash-based persistent storage, not main memory)

123. How many layers are defined within the US Department of Defense (DoD) TCP/IP Model?

Explanation

The TCP/IP (DoD) model has four layers: application, host-to-host (transport), internet, and network access.

124. Which of the following biometrics devices has the highest Crossover Error Rate (CER)?

Explanation

There are three main performance measures in biometrics. These measures are as follows:

False Rejection Rate (FRR) or Type I Error. The percentage of valid subjects that are falsely rejected.

False Acceptance Rate (FAR) or Type II Error. The percentage of invalid subjects that are falsely accepted.

Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.

Voice pattern biometrics have the highest Crossover Error Rate (CER). This is because voice patterns tend to change with the individual’s mood and health. The common cold or flu, for instance, would alter the tone and pitch of a person’s voice.

125. A database contains an entry with an empty primary key. What database concept has been violated?

Explanation

Entity integrity means each tuple has a unique primary key that is not null.

Normalization seeks to make the data in a database table logically concise, organized, and consistent.
Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken.
Semantic integrity means each attribute (column) value is consistent with the attribute data type.
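
The four integrity concepts above, as an added example that is not part of the quiz: a small schema declares each constraint and the violating inserts are rejected by the database itself. It uses Python's built-in sqlite3 module; the table and column names are invented for the example.

```python
# Added example (not from the quiz): the integrity concepts enforced by a
# relational schema, demonstrated with Python's built-in sqlite3 module.
# Table and column names are invented for the example.
import sqlite3

SCHEMA = """
CREATE TABLE department (
    -- entity integrity: every row has a unique, non-null primary key.
    -- SQLite is lax here: a non-INTEGER PRIMARY KEY column accepts NULL
    -- unless NOT NULL is declared explicitly, so always declare it.
    dept_code TEXT NOT NULL PRIMARY KEY,
    name      TEXT NOT NULL
);
CREATE TABLE employee (
    badge     TEXT NOT NULL PRIMARY KEY,
    name      TEXT NOT NULL,
    -- semantic integrity: the value must fit the attribute's domain.
    salary    INTEGER CHECK (salary >= 0),
    -- referential integrity: the foreign key must match a parent row.
    dept_code TEXT NOT NULL REFERENCES department(dept_code)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Foreign keys are NOT enforced by SQLite unless this pragma is set on
    # every connection; forgetting it silently disables the check.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES ('SEC', 'Security')")
    conn.commit()
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple):
    """Return None if the row was accepted, else the constraint that failed."""
    try:
        with conn:                      # commits, or rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def run_checks() -> dict:
    conn = open_db()
    ins = "INSERT INTO employee (badge, name, salary, dept_code) VALUES (?, ?, ?, ?)"
    results = {
        "valid":            try_insert(conn, ins, ("B-100", "Ada", 5000, "SEC")),
        # empty primary key: the violation the question asks about
        "entity_null":      try_insert(conn, ins, (None, "Bob", 4000, "SEC")),
        "entity_duplicate": try_insert(conn, ins, ("B-100", "Eve", 4000, "SEC")),
        "referential":      try_insert(conn, ins, ("B-101", "Cy", 4000, "HR")),
        "semantic":         try_insert(conn, ins, ("B-102", "Dee", -1, "SEC")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check:17s} -> {outcome or 'accepted'}")
```

Two practitioner caveats are baked into the schema: SQLite only rejects a NULL primary key on a non-INTEGER column when NOT NULL is spelled out, and it ignores foreign keys entirely until the pragma is switched on, so a schema that looks right can still accept rows that break entity or referential integrity.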

126. A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is:

Explanation

The optical unit must be positioned so that the sun does not shine into the aperture. Direct sunlight interferes with the infrared imaging of the iris and produces false readings or failed captures, so the scanner must be installed where it is shielded from direct sunlight.

127. What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?

Explanation

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

128. Unshielded Twisted Pair cabling is a:

Explanation

Unshielded Twisted Pair cabling consists of an outer jacket and four pairs of twisted wire medium.

129. Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

Explanation

Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

130. Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented?

Explanation

Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs).

131. Which of the following is the most reliable authentication method for remote access?

Explanation

A synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered within the acceptable time frame.

132. Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS Record Protocol and the:

Explanation

The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.

133. Accessing an IPv6 network via an IPv4 network is called what?

Explanation

Tunneling: the IPv6 packets are encapsulated inside IPv4 packets (IP protocol number 41 for 6in4) and carried across the IPv4 network, which creates a virtual link between the IPv6 endpoints and lets them communicate over infrastructure that only understands IPv4.

134. Which of the following is less likely to be included in the change control sub-phase of the maintenance phase of a software product?

Explanation

To determine the user interface would not be part of the change control phase. This would be done in an earlier phase.

The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerability, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity.

135. Which of the following represents the best programming?

Explanation

Cohesion reflects how many different types of tasks a module can carry out. If a module carries out only one task (i.e., subtraction) or several tasks that are very similar (i.e., subtract, add, multiply), it is described as having high cohesion, which is a good thing. The higher the cohesion, the easier it is to update or modify and not affect other modules that interact with it. This also means the module is easier to reuse and maintain because it is more straightforward when compared to a module with low cohesion.

Coupling is a measurement that indicates how much interaction one module requires to carry out its tasks. If a module has low (loose) coupling, the module does not need to communicate with many other modules to carry out its job. High (tight) coupling means a module depends upon many other modules to carry out its tasks. Low coupling is more desirable because the modules are easier to understand, easier to reuse, and changes can take place without affecting many modules around them. Low coupling indicates that the programmer created a well-structured module.

136. Virus scanning and content inspection of SMIME encrypted e-mail without doing any further processing is:

Explanation

E-mail encryption solutions such as S/MIME have been available for a long time. These encryption solutions have seen varying degrees of adoption in organizations of different types. However, such solutions present some challenges:

Inability to apply messaging policies: Organizations also face compliance requirements that require inspection of messaging content to make sure it adheres to messaging policies. However, messages encrypted with most client-based encryption solutions, including S/MIME, prevent content inspection on the server. Without content inspection, an organization can't validate that all messages sent or received by its users comply with messaging policies.

Decreased security: Antivirus software is unable to scan encrypted message content, further exposing an organization to risk from malicious content such as viruses and worms. Encrypted messages are generally considered to be trusted by most users, thereby increasing the likelihood of a virus spreading throughout your organization.

137. In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected?

Explanation

An online transaction processing system works with a database to commit transactions in real time. The database must maintain its integrity, meaning the data must be accurate at all times. Therefore a transaction must either complete correctly or not at all: an erroneous or invalid transaction is rolled back so that no inaccurate data enters the database.

138. Which of the following is the MOST important aspect relating to employee termination?

Explanation

To ensure that the termination procedures are carried out properly, you need to ensure that the appropriate people (the people who will carry out the procedures) are notified about the termination.

139. Which of the following biometric parameters are better suited for authentication use over a long period of time?

Explanation

Of the answers given, the iris is the least likely to change over a long period of time, which makes the iris pattern better suited for authentication over many years. The iris is the colored portion of the eye that surrounds the pupil. It has unique patterns, rifts, colors, rings, coronas and furrows, which are captured by a camera and compared with the template gathered during enrollment. Of the biometric systems, iris scans are among the most accurate, and the iris remains constant through adulthood, which reduces the errors that can occur during authentication.

140. External consistency ensures that the data stored in the database is:

Explanation

External consistency stipulates that the data should match physical reality.

141. Which of the following statements pertaining to PPTP (Point-to-Point Tunneling Protocol) is incorrect?

Explanation

L2TP is a hybrid of L2F and PPTP, so L2TP is derived from PPTP, not vice versa.

142. The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram?

Explanation

The IP header protocol field value for ICMP is 1.

143. Which of the following choices is a valid Public Key Cryptography Standard (PKCS) addressing RSA?

Explanation

In cryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations.

144. What is NOT an authentication method within IKE and IPsec?

Explanation

CHAP is not an IKE authentication method. IKE authenticates peers using a pre-shared key (shared secret), digital signatures with certificates, or public key encryption.

145. What does "System Integrity" mean?

Explanation

System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly.

146. Restricting Bluetooth device discovery relies on the secrecy of what?

Explanation

Restricting Bluetooth device discovery relies on the secrecy of the 48-bit Bluetooth MAC address.

147. In what way could Java applets pose a security threat?

Explanation

Attackers have written applets that escape the Java sandbox and reach the hard drive and other resources the Java security model is supposed to protect. Such code can be malicious and cause damage to the user and her system.

148. Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?

Explanation

A session key is a single-use symmetric key that is used to encrypt messages between two users during a communication session.

If Tanya has a symmetric key she uses to always encrypt messages between Lance and herself, then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However, using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If, on the other hand, a new symmetric key were generated each time Lance and Tanya wanted to communicate, it would be used only during their one dialogue and then destroyed. If they wanted to communicate an hour later, a new session key would be created and shared.

A session key provides more protection than static symmetric keys because it is valid for only one session between two computers. If an attacker were able to capture the session key, she would have a very small window of time to use it to try to decrypt messages being passed back and forth.

149. In regards to the query function of relational database operations, which of the following represent implementation procedures that correspond to each of the low-level operations in the query?

Explanation

A query plan (or query execution plan) is an ordered set of steps used to access data in a SQL relational database management system. This is a specific case of the relational model concept of access plans.

Since SQL is declarative, there are typically a large number of alternative ways to execute a given query, with widely varying performance. When a query is submitted to the database, the query optimizer evaluates some of the different, correct possible plans for executing the query and returns what it considers the best option.

150. What protocol is used on the Local Area Network (LAN) to obtain an IP address from its known MAC address?

Explanation

RARP translates a MAC address into an IP address.

151. Which of the following is a symmetric encryption algorithm?

Explanation

RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

RC5 has a variety of parameters it can use for block size, key size and the number of rounds. It was created by Ron Rivest and analyzed by RSA Data Security, Inc. The block size is 32, 64 or 128 bits, the key may be anything from 0 up to 2,040 bits (255 bytes), and the number of rounds is variable, from 0 up to 255.

152. A code, as it pertains to cryptography:

Explanation

Historically, a code refers to a cryptosystem that deals with linguistic units: words, phrases, sentences, and so forth. For example, the word “OCELOT” might be the ciphertext for the entire phrase “TURN LEFT 90 DEGREES,” the word “LOLLIPOP” might be the ciphertext for “TURN RIGHT 90 DEGREES”.

Codes are only useful for specialized circumstances where the message to transmit has an already defined equivalent ciphertext word.

153. Most access violations are:

Explanation

In security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure.

A common accidental access violation is a user discovering a feature of an application that they should not be accessing.

154. Like the Kerberos protocol, SESAME is also subject to which of the following?

Explanation

Just like Kerberos, SESAME depends on the initial user authentication. For that reason, SESAME has the same weakness to attacks on the user’s password as Kerberos does.

155. What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity?

Explanation

Aggregation is the act of combining information from separate sources. The combination of the data forms new information, which the subject does not have the necessary rights to access. The combined information has a sensitivity that is greater than that of the individual parts.

156. In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network?

Explanation

Class C was defined with the 3 high-order bits set to 1, 1, and 0, and designating the next 21 bits to number the networks. This translates to the IP address range of a class C network of 192.0.0.0 to 223.255.255.255.

157. Which of the following offers security to wireless communications?

Explanation

Wireless Transport Layer Security (WTLS) provides security connectivity services similar to those of SSL or TLS.

158. Which of the following can be classified as objects?

Explanation

Object = any passive data within the system

Subject = an active entity on a data system

159. The Widget Company decided to take their company public and while they were in the process of doing so had an external auditor come and look at their company. As part of the external audit they brought in a technology expert, who incidentally was a new CISSP. The auditor's expert asked to see their last risk analysis from the technology manager. The technology manager did not get back to him for a few days and then the Chief Financial Officer gave the auditors a 2 page risk assessment that was signed by both the Chief Financial Officer and the Technology Manager.  While reviewing it, the auditor noticed that only parts of their financial data were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. Who owns the risk with regards to the data that is being backed up and where it is stored?

Explanation

The chief financial officer (CFO) is a senior executive who, together with the board, sets the organization's strategy and risk appetite (how much risk the company should take on).

In this question, the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. The Chief Financial Officer therefore owns the risk.

160. Which of the following is the primary security feature of a proxy server?

Explanation

A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. The application-level proxy understands the packet as a whole and can make access decisions based on the content of the packets.

161. Which of the following is most appropriate to notify an internal user that session monitoring is being conducted?

Explanation

In this question the user is an internal user. There is another version of this question where the user is an external user, so read the question carefully.

With an internal user, as opposed to an external user, you will be able to meet the user face-to face. Therefore, you can ask the user to sign a written agreement to acknowledge that the user has been informed that session monitoring is being conducted.

162. EMI such as crosstalk primarily impact which aspect of security?

Explanation

The most common impact of crosstalk is on availability: the signal induced on neighbouring conductors corrupts frames, causing retransmissions or loss of the link.

163. Which of the following is NOT a property of the Rijndael block cipher algorithm?

Explanation

The maximum key size is 256 bits, not 512 bits.

Rijndael is a symmetric block cipher that was chosen to fulfill the Advanced Encryption Standard.

As standardized in AES it uses a 128-bit block size and key lengths of 128, 192 or 256 bits.

The Rijndael specification itself allows block and key sizes that are any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits.

164. Which of the following is best practice to employ in order to reduce the risk of collusion?

Explanation

For fraud of this kind to take place, collusion is needed, meaning more than one person has to be involved in the fraudulent activity. Job rotation is a system where employees work at several jobs in a business, performing each for a relatively short period of time. Moving people between roles breaks up the stable partnership and position a collusive scheme depends on, and the next person in the role is likely to notice irregularities, which reduces the risk of collusion.

165. In which phase of the System Development Lifecycle (SDLC) is Security Accreditation obtained?

Explanation

Within the SDLC framework Security Accreditation is obtained during the Implementation Phase, more specifically during Testing and evaluation control.

166. Which of the following is the correct set of assurance requirements for EAL 5?

Explanation

The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Target of Evaluations for high-risk situations.

167. What metric describes the moment in time in which data must be recovered and made available to users in order to resume business operations?

Explanation

The Recovery Point Objective (RPO) is the point in time to which data must be recovered in order to resume business operations, in other words the maximum amount of data loss, measured in time, that the organization can tolerate.

Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
Mean Time to Repair describes how long it will take to recover a failed system.
Recovery Time Objective describes the maximum time allowed to recover business or IT systems.

168. To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:

Explanation

Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.

169. Which of the following best allows risk management results to be used knowledgeably?

Explanation

Risk management often must rely on speculation, best guesses, incomplete data, and many unproven assumptions. The uncertainty analysis attempts to document this so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of confidence or precision in the risk management model or methodology and (2) a lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

170. When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:

Explanation

Ports 0 through 1023 are the well-known ports, reserved for server-side services. The sending system chooses a dynamic port higher than 1023 when it sets up a connection with another entity. The dynamic packet-filtering firewall records that outgoing request and creates a temporary Access Control List (ACL) entry that allows the external entity's reply to reach the internal system on that port.
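
The behaviour described above, as an added example that is not part of the quiz: a minimal dynamic packet filter keeps a state table keyed on the connection's addresses and ports, admits only replies that mirror a tracked outbound request, and expires stale entries. The inside network, addresses, ports and timeout are constructed assumptions of the example.

```python
# Added example (not from the quiz): a minimal dynamic (stateful) packet
# filter. An outbound request from a port above 1023 creates a temporary
# rule that admits only the matching reply. Addresses, ports, the inside
# network and the timeout are constructed for the example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class DynamicPacketFilter:
    WELL_KNOWN_MAX = 1023              # ports 0-1023 are reserved for services

    def __init__(self, inside_network: str, state_timeout: float = 60.0):
        self.inside = ipaddress.ip_network(inside_network)
        self.state_timeout = state_timeout
        # the dynamically created ACL: connection 5-tuple -> expiry time
        self.state: dict = {}

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def filter(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is permitted through the perimeter."""
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        inbound = self._is_inside(pkt.dst) and not self._is_inside(pkt.src)

        if outbound:
            if pkt.sport <= self.WELL_KNOWN_MAX:
                return False           # clients must use a dynamic source port
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            self.state[key] = now + self.state_timeout   # create the ACL entry
            return True

        if inbound:
            # Only a reply whose addresses and ports mirror a tracked request
            # gets through; anything unsolicited is dropped.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            expiry = self.state.get(key)
            if expiry is None:
                return False
            if now > expiry:
                del self.state[key]    # stale entry: the temporary rule has expired
                return False
            return True

        return False                   # not crossing the perimeter at all


def run_scenario() -> dict:
    fw = DynamicPacketFilter("10.0.0.0/24", state_timeout=60.0)
    request = Packet("10.0.0.5", 51515, "203.0.113.10", 443)
    return {
        "request":      fw.filter(request, now=0.0),
        "reply":        fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 51515), now=1.0),
        "unsolicited":  fw.filter(Packet("203.0.113.99", 443, "10.0.0.5", 51515), now=1.0),
        "wrong_port":   fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 51516), now=1.0),
        "low_src_port": fw.filter(Packet("10.0.0.5", 80, "203.0.113.10", 443), now=1.0),
        "late_reply":   fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 51515), now=120.0),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:13s} {'PERMIT' if allowed else 'DENY'}")
```

The state table is what distinguishes this from a static packet filter, which would have to leave every port above 1023 permanently open inbound to let replies through.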

171. Which of the following statements is NOT true of IPSec Transport mode?

Explanation

Tunnel mode, not transport mode, is required for gateway services.

172. In a SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session?

Explanation

HTTP Secure (HTTPS) is HTTP running over SSL/TLS. In the RSA key exchange the client generates the pre-master secret and sends it encrypted with the server's public key; both sides then derive the master secret from the pre-master secret and the two hello random values, and the master secret is the seed from which the session's symmetric keys are generated.
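
The derivation described above, and the per-session key idea from question 148, as an added example that is not part of the quiz: the TLS 1.2 pseudo-random function (RFC 5246, section 5, with SHA-256) turns the client-generated pre-master secret and the two hello randoms into the 48-byte master secret and then into the session keys. The RSA encryption of the pre-master secret is left as a comment, and the random values are constructed.

```python
# Added example (not from the quiz): how the SSL/TLS master secret and the
# per-session keys are derived once the client has produced the pre-master
# secret. Follows the TLS 1.2 PRF (RFC 5246, section 5) with SHA-256. The
# RSA transport of the pre-master secret is represented only by a comment,
# and the random values are constructed for the example.
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed                 # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; both peers compute it from the same inputs."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block for AES-128-CBC with HMAC-SHA256 (note: server_random first)."""
    block = prf(master, b"key expansion", server_random + client_random, 2 * 32 + 2 * 16)
    return {
        "client_write_mac_key": block[0:32],
        "server_write_mac_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }


def new_pre_master_secret() -> bytes:
    """Generated by the client, fresh for every session: this is what makes
    the derived keys session keys rather than a long-lived static key."""
    return b"\x03\x03" + os.urandom(46)       # protocol version + 46 random bytes


def handshake(client_random: bytes, server_random: bytes, pre_master: bytes) -> dict:
    """Both ends of the exchange, so their results can be compared."""
    # Client: owns pre_master and sends it RSA-encrypted under the server's
    # public key (encryption omitted here); then derives.
    client_master = master_secret(pre_master, client_random, server_random)
    # Server: recovers pre_master with its private key; then derives the same way.
    server_master = master_secret(pre_master, client_random, server_random)
    return {
        "client_master": client_master,
        "server_master": server_master,
        "client_keys": session_keys(client_master, client_random, server_random),
        "server_keys": session_keys(server_master, client_random, server_random),
    }


if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)
    result = handshake(cr, sr, new_pre_master_secret())
    print("master secret:", result["client_master"].hex())
    print("both sides agree:", result["client_master"] == result["server_master"])
```

Because the randoms and the pre-master secret change every handshake, capturing one session's keys gives an attacker nothing for the next session, which is the protection against brute force that question 148 describes.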

173. The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained within the IP datagram?

Explanation

The IP header protocol field value for IGMP is 2.
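
The protocol field from this question and question 142, plus the 6in4 encapsulation from question 133, as an added example that is not part of the quiz: the code assembles minimal IPv4 packets, then parses the fixed header back out, verifies the header checksum and names the protocol. Addresses and payloads are constructed; the protocol numbers are the IANA assignments.

```python
# Added example (not from the quiz): building and parsing an IPv4 header to
# read the 8-bit protocol field. Addresses and payloads are constructed; the
# protocol numbers are the IANA-assigned values.
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"       # 20-byte fixed header, no options
PROTOCOL_NAMES = {
    1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP",
    41: "IPv6 encapsulation (6in4 tunnel)", 50: "ESP", 51: "AH",
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Run over a header whose
    checksum field is already filled in, a correct header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(protocol: int, src: str, dst: str, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet with a valid header checksum."""
    ihl = 5
    header = struct.pack(
        IPV4_HEADER,
        (4 << 4) | ihl,            # version 4, header length 5 words
        0,                         # DSCP/ECN
        ihl * 4 + len(payload),    # total length
        0x1234,                    # identification (constructed)
        0x4000,                    # flags: don't fragment, offset 0
        ttl,
        protocol,                  # the field the question asks about
        0,                         # checksum placeholder
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header, verify the checksum and name the protocol."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _dscp, total_len, _ident, _flags_frag,
     ttl, protocol, _csum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    header_len = ihl * 4
    if ihl < 5 or len(packet) < header_len or total_len > len(packet):
        raise ValueError("inconsistent header length fields")
    return {
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "unassigned/other (%d)" % protocol),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "payload": packet[header_len:total_len],
    }


if __name__ == "__main__":
    echo = build_ipv4(1, "192.0.2.1", "192.0.2.2", b"\x08\x00\x00\x00")   # ICMP (constructed)
    print(parse_ipv4(echo)["protocol_name"])
    tunnel = build_ipv4(41, "192.0.2.1", "198.51.100.7", b"\x60" + b"\x00" * 39)
    print(parse_ipv4(tunnel)["protocol_name"])      # inner packet starts with version 6
```

The length and checksum checks matter in practice: a filter that trusts the protocol byte without verifying the header can be steered into the wrong parser by a crafted packet.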

174. A Differential backup process will:

Explanation

When a file is modified or created, the file system sets the archive bit to 1. A differential backup process backs up the files that have been modified since the last full backup, but does not change the archive bit value.
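
The archive-bit behaviour above, as an added example that is not part of the quiz: a toy volume tracks the bit per file, and the three backup types are run over the same week of changes to show which files each captures and how many backup sets a restore needs. The file names and change schedule are constructed.

```python
# Added example (not from the quiz): simulating the archive bit to show how
# full, incremental and differential backups differ. File names and the
# change schedule are constructed.


class Volume:
    """A toy file system: name -> [content, archive_bit]."""

    def __init__(self):
        self.files = {}

    def write(self, name: str, content: str):
        self.files[name] = [content, True]          # create/modify sets the bit

    def snapshot(self, only_changed: bool) -> dict:
        return {n: c for n, (c, bit) in self.files.items() if bit or not only_changed}

    def clear_bits(self, names):
        for n in names:
            self.files[n][1] = False

    def contents(self) -> dict:
        return {n: c for n, (c, _) in self.files.items()}


def full_backup(vol: Volume) -> dict:
    snap = vol.snapshot(only_changed=False)       # everything
    vol.clear_bits(snap)                          # all bits reset
    return snap


def incremental_backup(vol: Volume) -> dict:
    snap = vol.snapshot(only_changed=True)        # changed since the last backup of any type
    vol.clear_bits(snap)                          # bits reset, so the next run starts clean
    return snap


def differential_backup(vol: Volume) -> dict:
    return vol.snapshot(only_changed=True)        # changed since the last FULL; bits untouched


def simulate(partial_backup) -> tuple:
    """Monday full backup, then one change per day followed by the given
    partial backup. Returns the captured sets and the final volume contents."""
    vol = Volume()
    for name in ("payroll.db", "ledger.db", "policy.doc"):
        vol.write(name, "v1")
    captured = [full_backup(vol)]                                  # Monday
    for day, name in enumerate(("payroll.db", "ledger.db", "payroll.db"), start=2):
        vol.write(name, f"v{day}")                                 # Tue, Wed, Thu
        captured.append(partial_backup(vol))
    return captured, vol.contents()


def restore(strategy: str, captured: list) -> tuple:
    """Full + latest differential, versus full + every incremental in order.
    Returns the rebuilt contents and the number of backup sets touched."""
    needed = [captured[0], captured[-1]] if strategy == "differential" else captured
    state = {}
    for snap in needed:
        state.update(snap)
    return state, len(needed)


if __name__ == "__main__":
    for label, fn in (("differential", differential_backup), ("incremental", incremental_backup)):
        caps, final = simulate(fn)
        print(label, [sorted(c) for c in caps])
        print("  restore needs", restore(label, caps)[1], "sets; correct:", restore(label, caps)[0] == final)
```

The trade-off falls straight out of the bit handling: differential sets grow through the week because the bit is never cleared, but a restore needs only two sets; incremental sets stay small, but a restore must replay every one of them in order, and losing any one of them breaks the chain.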

175. A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:

Explanation

Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network.

176. What can be defined as: It confirms that users' needs have been met by the supplied solution?

Explanation

Acceptance testing is used to ensure that the code meets customer requirements. If this testing is passed the user's needs have been met.

177. Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the bulk of the data being sent over the session and it uses asymmetric or public key cryptography for:

Explanation

Peer authentication is an integral part of the SSL protocol. Peer authentication relies on the availability of trust anchors and authentication keys.

178. Which of the following is true about link encryption?

Explanation

Link encryption is an approach to communications security that encrypts and decrypts all traffic at each end of a communications link, including headers and routing information. Because the traffic is decrypted at every node along the path, the mode is vulnerable to a third party who has access to a node in the transmission path.

179. Which of the following cable types is limited in length to 185 meters?

Explanation

RG-58 was once widely used in "thin" Ethernet (10BASE2), where it provides a maximum segment length of 185 meters.

180. When a station communicates on the network for the first time, which of the following protocol would search for and find the Internet Protocol (IP) address that matches with a known Ethernet address?

Explanation

The RARP protocol translates MAC (Ethernet) Address to IP addresses.

The ARP protocol translates IP addresses to MAC (Ethernet) addresses.

181. Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?

Explanation

Verification is the process of determining whether the product accurately represents and meets the design specifications given to the developers.

182. Which of the following was designed to support multiple network types over the same serial link?

Explanation

Point-to-Point Protocol (PPP) is a full-duplex protocol used for the transmission of TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. PPP permits multiple network layer protocols to operate on the same communication link.

183. Which of the following is a LAN transmission method?

Explanation

Broadcast, unicast and multicast are all LAN transmission methods.

184. Which of the following services is provided by S-RPC?

Explanation

Secure Remote Procedure Call (S- RPC) is an authentication service and is simply a means to prevent unauthorized execution of code on remote systems.

185. Which of the following is NOT a known type of Message Authentication Code (MAC)?

Explanation

Signature-based MAC (SMAC) is not a known type of Message Authentication Code (MAC).

A message authentication code is a cryptographic function that uses a hashing algorithm or cipher together with a symmetric key to provide data integrity and origin authentication.

A keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key.

A cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block.

A message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message.

186. What level of assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database?

Explanation

Users can obtain certificates with various levels of assurance.

Level 1/Class 1 certificates verify electronic mail addresses. This is done through the use of a personal information number that a user would supply when asked to register. This level of certificate may also provide a name as well as an electronic mail address; however, it may or may not be a genuine name (i.e., it could be an alias). This proves that a human being will reply back if you send an email to that name or email address.

Class 2/Level 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database.

Class 3/Level 3 certificates are available to companies. This level of certificate provides photo identification to accompany the other items of information provided by a level 2 certificate.

187. Which vulnerability allows a third party to redirect static content within the security context of a trusted site?

Explanation

Cross-site request forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site.

XSS is a third-party execution of web scripting languages, such as JavaScript, within the security context of a trusted site. XSS is similar to CSRF; the difference is that XSS uses active code.
PHP RFI alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code.
SQL injection manipulates a back-end SQL server via a front-end web server.

188. Which of the following is the most secure firewall implementation?

Explanation

A screened-subnet architecture is the most secure solution, as it adds another layer of security to the screened-host architecture, which in turn is more secure than both dual-homed host firewalls and packet-filtering firewalls.

189. Which of the following activities would not be included in the contingency planning process phase?

Explanation

When an incident strikes, more is required than simply knowing how to restore data from backups. Also necessary are the detailed procedures that outline the activities to keep the critical systems available and ensure that operations and processing are not interrupted. Contingency management defines what should take place during and after an incident. Actions that are required to take place for emergency response, continuity of operations, and dealing with major outages must be documented and readily available to the operations staff.

Development of test procedures is not part of contingency planning. This has nothing to do with recovering from an incident.

190. What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?

Explanation

An access control list defines the subjects that are authorized to access a specific object and includes the level of authorization that each subject is granted.

191. Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?

Explanation

Both the system owner and the information owner (data owner) are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.

192. In Mandatory Access Control, sensitivity labels attached to an object contain what information?

Explanation

In Mandatory Access Control, sensitivity labels attached to an object contain the item's classification and category set. This means that the labels not only indicate the item's classification (such as confidential, secret, or top secret), but also specify the category to which the item belongs. The category set helps in further defining the access control policies and determining which users or groups are authorized to access the object based on their security clearances and need-to-know information.

193. Password management falls into which control category?

Explanation

Preventive controls are put in place to inhibit harmful occurrences. Access control is an example of a preventive control. Passwords are used in access control; therefore, password control is a preventive control.

Preventive controls can be administrative, physical or technical.

Preventive technical controls include:
passwords, biometrics, smart cards, encryption, secure protocols, call-back systems, database views, constrained user interfaces, anti-malware software, access control lists, firewalls, and intrusion prevention systems.

194. Which of the following methods of providing telecommunications continuity involves the use of an alternative media?

Explanation

Alternative routing provides two different cables from the local exchange to your site, so you are protected against a cable failure because your service will be maintained on the alternative route.

195. Which of the following best ensures accountability of users for the actions taken within a system or domain?

Explanation

To "ensure" accountability, the user must prove that they are who they say they are. This is the function of authentication. Therefore, authentication best ensures accountability of users for the actions taken within a system or domain.

196. Which of the following best describes the Secure Electronic Transaction (SET) protocol?

Explanation

Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transactions than what was otherwise available. With SET, each entity verifies the digital signature of the sender and digitally signs the information before it is sent to the next entity involved in the process.

197. What kind of encryption is realized in the S/MIME-standard?

Explanation

S/MIME follows the Public Key Cryptography Standards (PKCS). S/MIME uses a hybrid message encryption system, which means it uses both symmetric and asymmetric algorithms.

198. Which of the following statements about the differences between PPTP and L2TP is NOT true?

Explanation

The statement "L2TP is not compatible with NAT" is the one that is not true.

199. Many approaches to Knowledge Discovery in Databases (KDD) are used to identify valid and useful patterns in data. This is an evolving field of study that includes a variety of automated analysis solutions such as Data Mining. Which of the following is not an approach used by KDD?

Explanation

Oriented is not a KDD approach.

The following are three approaches used in KDD systems to uncover these patterns:

Classification - Data are grouped together according to shared similarities.

Probabilistic - Data interdependencies are identified and probabilities are applied to their relationships.

Statistical - Identifies relationships between data elements and uses rule discovery.

A fourth data mining technique is deviation detection: finding the record(s) that differ most from the other records, i.e., finding all outliers. These may be discarded as noise or may turn out to be the "interesting" ones.

200. Which of the following would be the best reason for separating the test and development environments?

Explanation

You should always separate test and development environments.

When testing a system, you need to isolate it to ensure the test system is controlled and stable. This ensures the system is tested in a realistic environment that mirrors the live environment as closely as possible.

Access control methods can be used to easily separate the test and development environments.

Quiz Review Timeline (Updated): Mar 21, 2023 +

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 03, 2017
    Quiz Created by
    Skofft2134