CISSP Study Quiz 2

By Skofft2134, Community Contributor

Questions and Answers
  • 1. 

    A potential problem related to the physical installation of an iris scanner, with regard to the use of the iris pattern within a biometric system, is:

    • A.

      Concern that the laser beam may cause eye damage

    • B.

      The iris pattern changes as a person grows older

    • C.

      There is a relatively high rate of false accepts

    • D.

      The optical unit must be positioned so that the sun does not shine into the aperture

    Correct Answer
    D. The optical unit must be positioned so that the sun does not shine into the aperture
    Explanation
    The physical-installation problem is that the optical unit must be positioned so that the sun does not shine into the aperture. Direct sunlight interferes with the accuracy of iris recognition and can produce false readings or errors, so the scanner should be installed where it is not exposed to direct sunlight in order to keep the system reliable and effective.

  • 2. 

    In Mandatory Access Control, sensitivity labels attached to an object contain what information?

    • A.

      The item's classification

    • B.

      The item's classification and category set

    • C.

      The item's category

    • D.

      The item's need to know

    Correct Answer
    B. The item's classification and category set
    Explanation
    In Mandatory Access Control, sensitivity labels attached to an object contain the item's classification and category set. This means that the labels not only indicate the item's classification (such as confidential, secret, or top secret), but also specify the category to which the item belongs. The category set helps in further defining the access control policies and determining which users or groups are authorized to access the object based on their security clearances and need-to-know information.

  • 3. 

    Which of the following is true about Kerberos?

    • A.

      It utilizes public key cryptography

    • B.

      It encrypts data after a ticket is granted, but passwords are exchanged in plain text.

    • C.

      It depends upon symmetric ciphers

    • D.

      It is a second party authentication system

    Correct Answer
    C. It depends upon symmetric ciphers
    Explanation
    Kerberos is a network authentication protocol that relies on symmetric key cryptography. It uses a trusted third-party server, known as the Key Distribution Center (KDC), to authenticate users and provide them with tickets to access network resources. These tickets are encrypted using symmetric ciphers, which means that the same secret key is used for both encryption and decryption. This ensures secure communication between the client and the server. Therefore, the statement "it depends upon symmetric ciphers" is true about Kerberos.

  • 4. 

    Which of the following authentication mechanisms creates a problem for mobile users?

    • A.

      Mechanisms based on IP addresses

    • B.

      Mechanism with reusable passwords

    • C.

      One-time password mechanism

    • D.

      Challenge response mechanism

    Correct Answer
    A. Mechanisms based on IP addresses
    Explanation
    Mechanisms based on IP addresses create a problem for mobile users because mobile devices often change their IP addresses as they move between different networks. This means that if an authentication mechanism relies on a specific IP address to verify a user's identity, the user may be denied access or face difficulties in authenticating when their IP address changes. Therefore, mechanisms based on IP addresses are not suitable for mobile users who frequently switch networks.

  • 5. 

    Organizations should consider which of the following first before allowing external access to their LANs via the Internet?

    • A.

      Plan for implementing workstation locking mechanisms

    • B.

      Plan for protecting the modem pool

    • C.

      Plan for providing the user with his account usage information

    • D.

      Plan for considering proper authentication options

    Correct Answer
    D. Plan for considering proper authentication options
    Explanation
    Before allowing external access to their LANs via the Internet, organizations should first consider planning for proper authentication options. This is important to ensure that only authorized users are granted access to the network, reducing the risk of unauthorized access and potential security breaches. Implementing strong authentication methods such as two-factor authentication or biometric authentication can help strengthen the security of the network and protect sensitive information from being accessed by unauthorized individuals.

  • 6. 

    Kerberos can prevent which one of the following attacks?

    • A.

      Tunneling attack

    • B.

      Playback (replay attack)

    • C.

      Destructive attack

    • D.

      Process attack

    Correct Answer
    B. Playback (replay attack)
    Explanation
    In a Kerberos implementation that is configured to use an authenticator, the user sends to the server her identification information, a timestamp, and a sequence number, all encrypted with the session key that they share. The server then decrypts this information and compares it with the identification data the KDC sent to it regarding this requesting user. The server will allow the user access if the data is the same. The timestamp is used to help fight against replay attacks.

  • 7. 

    In discretionary access environments, which of the following entities is authorized to grant information access to other people?

    • A.

      System Administrator

    • B.

      Data Custodian

    • C.

      Security Manager

    • D.

      Data Owner

    Correct Answer
    D. Data Owner
    Explanation
    The data owner is authorized to grant information access to other people in discretionary access environments. As the owner of the data, they have the authority to determine who can access the information and to what extent. They are responsible for ensuring that access is granted based on the appropriate permissions and security requirements. The system administrator, data custodian, and security manager may have roles in managing and securing the data, but it is ultimately the data owner who has the authority to grant access.

  • 8. 

    Who developed one of the first mathematical models of a multilevel-security computer system?

    • A.

      Diffie and Hellman

    • B.

      Clark and Wilson

    • C.

      Bell and LaPadula

    • D.

      Gasser and Lipner

    Correct Answer
    C. Bell and LaPadula
    Explanation
    The Bell-LaPadula model was the first mathematical model of a multilevel security policy. It was used to define the concept of a secure state machine and modes of access, and it outlined rules of access.

  • 9. 

    Which of the following is the most reliable authentication method for remote access?

    • A.

      Variable callback system

    • B.

      Synchronous token

    • C.

      Fixed callback system

    • D.

      Combination of callback and caller ID

    Correct Answer
    B. Synchronous token
    Explanation
    A synchronous token generates a one-time password that is valid only for a short period of time. Once the password is used it is no longer valid, and it expires if not entered within the acceptable time frame.

  • 10. 

    There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

    • A.

      Public keys

    • B.

      Private keys

    • C.

      Public-key certificates

    • D.

      Private-key certificates

    Correct Answer
    C. Public-key certificates
    Explanation
    "Public key" describes a system that uses certificates or the underlying public key cryptography on which the system is based.

    In the traditional public key model, clients are issued credentials or "certificates" by a Certificate Authority (CA). The CA is a trusted third party. Public key certificates contain the user's name, the expiration date of the certificate, etc. The most common certificate format is X.509. Public key credentials in the form of certificates and public-private key pairs can provide a strong distributed authentication system.

    The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key certificate (a Kerberos ticket is supplied to provide access to resources). However, Kerberos tickets usually have lifetimes measured in days or hours rather than months or years.

  • 11. 

    A company outsources payroll services to a third-party company. Which of the following roles most likely applies to the third-party payroll company?

    • A.

      Data controller

    • B.

      Data handler

    • C.

      Data owner

    • D.

      Data processor

    Correct Answer
    D. Data processor
    Explanation
    The third-party payroll company most likely applies to the role of a data processor. As a data processor, they handle and process the payroll data on behalf of the company outsourcing the services. They are responsible for ensuring the accuracy and security of the data while performing the necessary payroll calculations and generating payslips for the employees. However, they do not have ownership or control over the data, and their actions are governed by a data processing agreement with the company.

  • 12. 

    Which managerial role is responsible for the actual computers that house data, including the security of hardware and software components?

    • A.

      Custodian

    • B.

      Data owner

    • C.

      Mission owner

    • D.

      System owner

    Correct Answer
    D. System owner
    Explanation
    The correct answer is system owner. The system owner is responsible for the actual computers that house data, including the security of hardware and software components. They ensure that the system is maintained, updated, and protected from any potential threats or vulnerabilities. The system owner also oversees the overall functioning and performance of the system to ensure that it meets the organization's needs and objectives.

  • 13. 

    What method destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field?

    • A.

      Bit-level overwrite

    • B.

      Degaussing

    • C.

      Destruction

    • D.

      Shredding

    Correct Answer
    B. Degaussing
    Explanation
    Degaussing is the method that destroys the integrity of magnetic media by exposing them to a strong magnetic field. This process effectively erases the data stored on the tapes or disk drives by neutralizing the magnetic particles. It is commonly used to ensure that sensitive information cannot be recovered from the media. Degaussing is a reliable and secure method for data destruction on magnetic media.

  • 14. 

    What type of relatively expensive and fast memory uses small latches called "flip-flops" to store bits?

    • A.

      DRAM

    • B.

      EPROM

    • C.

      SRAM

    • D.

      SSD

    Correct Answer
    C. SRAM
    Explanation
    SRAM = Static Random Access Memory (fast and expensive, contains switches)

    DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, contains capacitors)
    EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
    SSD = Solid State Drive

  • 15. 

    What type of memory stores bits in small capacitors (like small batteries)?

    • A.

      DRAM

    • B.

      EPROM

    • C.

      SRAM

    • D.

      SSD

    Correct Answer
    A. DRAM
    Explanation
    DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, uses capacitors)

    EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
    SRAM = Static Random Access Memory (fast and expensive, uses switches)
    SSD = Solid State Drive

  • 16. 

    Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. What is the ARO?

    • A.

      $20,000

    • B.

      40%

    • C.

      7

    • D.

      $10,000

    Correct Answer
    C. 7
    Explanation
    ARO = Annual Rate of Occurrence; number of losses suffered per year

  • 17. 

    Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. What is the ALE of lost iPod sales due to the DoS attacks?

    • A.

      $20,000

    • B.

      $8000

    • C.

      $84,000

    • D.

      $56,000

    Correct Answer
    D. $56,000
    Explanation
    ALE = Annualized Loss Expectancy; Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

    SLE = amount lost per occurrence
    ARO = number of occurrences per year

  • 18. 

    Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. Is the DoS mitigation service a good investment?

    • A.

      Yes, it will pay for itself

    • B.

      Yes, $10,000 is less than the $56,000 ALE

    • C.

      No, the annual TCO is higher than the ALE

    • D.

      No, the annual TCO is lower than the ALE

    Correct Answer
    C. No, the annual TCO is higher than the ALE
    Explanation
    TCO = Total Cost of Ownership; $10,000 per month, or $120,000 per year
    ALE = Annualized Loss Expectancy; Single Loss Expectancy, or SLE (40% of $20,000 = $8,000), * Annualized Rate of Occurrence, or ARO (7 times per year), = $56,000
    The TCO ($120,000) is greater than the ALE ($56,000), so this would be a bad investment.

  • 19. 

    Which canon of The (ISC)2 Code of Ethics should be considered the most important?

    • A.

      Protect society, the commonwealth, and the infrastructure

    • B.

      Advance and protect the profession

    • C.

      Act honorably, honestly, justly, responsibly, and legally

    • D.

      Provide diligent and competent service to principals

    Correct Answer
    A. Protect society, the commonwealth, and the infrastructure
    Explanation
    The canons are applied in order, and "Protect society, the commonwealth, and the infrastructure" is the first canon listed.

  • 20. 

    Which of the following can be classified as objects?

    • A.

      Readme.txt file

    • B.

      Database table

    • C.

      Running login process

    • D.

      Authenticated user

    • E.

      1099 Tax Form

    Correct Answer(s)
    A. Readme.txt file
    B. Database table
    E. 1099 Tax Form
    Explanation
    Object = any passive data within the system

    Subject = an active entity on a data system

  • 21. 

    Which of the following is true for digital signatures?

    • A.

      The sender encrypts the hash with a public key

    • B.

      The sender encrypts the hash with a private key

    • C.

      The sender encrypts the plaintext with a public key

    • D.

      The sender encrypts the plaintext with a private key

    Correct Answer
    B. The sender encrypts the hash with a private key
    Explanation
    To digitally sign a message, the sender hashes the plaintext and then encrypts the hash with his or her private key.

  • 22. 

    Under which type of cloud service level would Linux hosting be offered?

    • A.

      IaaS

    • B.

      IDaaS

    • C.

      PaaS

    • D.

      SaaS

    Correct Answer
    A. IaaS
    Explanation
    IaaS = Infrastructure as a Service; provides an entire virtualized operating system, which the customer configures from the OS on up.

  • 23. 

    A criminal deduces that an organization is holding an offsite meeting and there are few people in the building, based on the low traffic volume to and from the parking lot. The criminal uses the opportunity to break into the building to steal laptops. What type of attack has been launched?

    • A.

      Aggregation

    • B.

      Emanations

    • C.

      Inference

    • D.

      Maintenance Hook

    Correct Answer
    C. Inference
    Explanation
    Inference requires an attacker to “fill in the blanks” and deduce sensitive information from public information.

  • 24. 

    EMI such as crosstalk primarily impact which aspect of security?

    • A.

      Confidentiality

    • B.

      Integrity

    • C.

      Availability

    • D.

      Authentication

    Correct Answer
    B. Integrity
    Explanation
    The most common impact of crosstalk is on availability.

  • 25. 

    Restricting Bluetooth device discovery relies on the secrecy of what?

    • A.

      MAC address

    • B.

      Symmetric key

    • C.

      Private key

    • D.

      Public key

    Correct Answer
    A. MAC address
    Explanation
    Restricting Bluetooth device discovery relies on the secrecy of the 48-bit Bluetooth MAC address.

  • 26. 

    What is the most secure type of EAP?

    • A.

      EAP-TLS

    • B.

      EAP-TTLS

    • C.

      LEAP

    • D.

      PEAP

    Correct Answer
    A. EAP-TLS
    Explanation
    EAP-TLS = Extensible Authentication Protocol-Transport Layer Security (uses PKI, establishes TLS tunnel)

    EAP-TTLS = Extensible Authentication Protocol-Tunneled Transport Layer Security (establishes TLS tunnel without PKI)
    LEAP = Lightweight Extensible Authentication Protocol (Cisco proprietary, insecure)
    PEAP = Protected Extensible Authentication Protocol (Cisco, Microsoft, RSA version of EAP-TTLS)

  • 27. 

    What is the most secure type of firewall?

    • A.

      Packet filter

    • B.

      Stateful firewall

    • C.

      Circuit-level proxy firewall

    • D.

      Application-layer proxy firewall

    Correct Answer
    D. Application-layer proxy firewall
    Explanation
    Application-layer firewalls are the most secure because they can filter on the basis of OSI Layers 3-7.

    Packet filter = filters traffic on the basis of a single packet; no concept of "state"
    Stateful firewall = uses a state table to compare current packets to previous ones
    Circuit-level firewall = operates at Layer 5 and cannot filter based on application-layer data

  • 28. 

    Accessing an IPv6 network via an IPv4 network is called what?

    • A.

      CIDR

    • B.

      NAT

    • C.

      Translation

    • D.

      Tunneling

    Correct Answer
    D. Tunneling
    Explanation
    Tunneling is the correct answer because it refers to the process of encapsulating IPv6 packets within IPv4 packets, allowing them to be transmitted over an IPv4 network. This enables communication between an IPv6 network and an IPv4 network by creating a virtual tunnel between them.

  • 29. 

    What access control method weighs additional factors, such as time of attempted access, before granting access?

    • A.

      Content-dependent access control

    • B.

      Context-dependent access control

    • C.

      Role-based access control

    • D.

      Task-based access control

    Correct Answer
    B. Context-dependent access control
    Explanation
    Context-dependent access control is an access control method that takes into consideration additional factors, such as the time of attempted access, before granting access. This means that access is granted based on the specific context or situation in which the access request is made. This method allows for more granular control over access permissions, as it considers various contextual factors to determine whether access should be granted or denied.

  • 30. 

    What service is known as cloud identity, which allows organizations to leverage cloud service for identity management?

    • A.

      IaaS

    • B.

      IDaaS

    • C.

      PaaS

    • D.

      SaaS

    Correct Answer
    B. IDaaS
    Explanation
    IDaaS = Identity as a Service

    IaaS = Infrastructure as a Service
    PaaS = Platform as a Service
    SaaS = Software as a Service

  • 31. 

    What is an XML-based framework for exchanging security information, including authentication data?

    • A.

      Kerberos

    • B.

      OpenID

    • C.

      SAML

    • D.

      SESAME

    Correct Answer
    C. SAML
    Explanation
    SAML is an XML-based framework for exchanging security information, including authentication data.

    Kerberos is a third-party authentication service that may be used to support single sign-on.
    OpenID is a framework for exchanging authentication data, but it is not XML-based.
    SESAME = Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environments

  • 32. 

    What protocol is a common open protocol for interfacing with and querying directory service information provided by network operating systems, using port 389 via TCP or UDP?

    • A.

      CHAP

    • B.

      LDAP

    • C.

      PAP

    • D.

      RADIUS

    Correct Answer
    B. LDAP
    Explanation
    LDAP = Lightweight Directory Access Protocol, an open protocol for interfacing with and querying directory service information from network operating systems, using port 389 TCP or UDP.

    CHAP, PAP, & RADIUS are authentication protocols:

    CHAP = Challenge-Handshake Authentication Protocol
    PAP = Password Authentication Protocol
    RADIUS = Remote Authentication Dial-In User Service

  • 33. 

    What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?

    • A.

      Decrease the amount of minutiae that is verified

    • B.

      Increase the amount of minutiae that is verified

    • C.

      Lengthen the enrollment time

    • D.

      Lower the throughput time

    Correct Answer
    A. Decrease the amount of minutiae that is verified
    Explanation
    Decreasing the amount of minutiae verified makes the system less accurate, which lowers false rejects but raises false accepts.

    Enrollment time and throughput time are not directly connected to FAR and FRR.

  • 34. 

    What can be done to ensure that software meets the customer's requirements?

    • A.

      Integration testing

    • B.

      Installation testing

    • C.

      Acceptance testing

    • D.

      Unit testing

    Correct Answer
    C. Acceptance testing
    Explanation
    Acceptance testing is designed to ensure the software meets the customer's operational requirements.

    Integration testing examines multiple software components as they are combined into a working system.
    Installation testing examines software as it is installed and first operated
    Unit testing is a low-level test of software components, such as functions, procedures, or objects

  • 35. 

    What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?

    • A.

      Combinatorial software testing

    • B.

      Dynamic testing

    • C.

      Misuse case testing

    • D.

      Static testing

    Correct Answer
    A. Combinatorial software testing
    Explanation
    Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.

    Dynamic testing examines code while executing it.
    Misuse case testing formally models how security would be impacted by an adversary abusing the application.
    Static testing examines the code passively; the code is not running. This form of testing includes walkthroughs, syntax checking, and code reviews.

  • 36. 

    You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services. Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?

    • A.

      Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data.

    • B.

      Instruct the penetration testing team to download financial data, redact it, and report accordingly.

    • C.

      Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.

    • D.

      Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.

    Correct Answer
    D. Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.
    Explanation
    A flag is a dummy file containing no regulated or sensitive data. It is placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.

  • 37. 

    You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services. You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?

    • A.

      Secure compiler warnings

    • B.

      Fuzzing

    • C.

      Static testing

    • D.

      White-box testing

    Correct Answer
    B. Fuzzing
    Explanation
    Fuzzing is a black-box testing method that does not require access to source code.

  • 38. 

    You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services. During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?

    • A.

      Attempt to contain and eradicate the malicious activity

    • B.

      Continue the test

    • C.

      Quietly end the test, immediately call the operational IT contact, and escalate the issue

    • D.

      Shut the server down

    Correct Answer
    C. Quietly end the test, immediately call the operational IT contact, and escalate the issue
    Explanation
    Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. The client must be notified immediately, as incident handling is not the penetration tester's responsibility.


  • 39. 

    Which plan details the steps required to restore normal business operations after recovering from a disruptive event?

    • A.

      Business Continuity Plan (BCP)

    • B.

      Business Resumption Plan (BRP)

    • C.

      Continuity of Operations Plan (COOP)

    • D.

      Occupant Emergency Plan (OEP)

    Correct Answer
    B. Business Resumption Plan (BRP)
    Explanation
    Resumption Planning details the steps required to restore normal business operations after recovering from a disruptive event.

    Business Continuity Planning develops a long-term plan to ensure the continuity of business operations.
    The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster.
    The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.


  • 40. 

    What metric describes how long it will take to recover a failed system?

    • A.

      Minimum Operating Requirements (MOR)

    • B.

      Mean Time Between Failures (MTBF)

    • C.

      Mean Time to Repair (MTTR)

    • D.

      Recovery Point Objective (RPO)

    Correct Answer
    C. Mean Time to Repair (MTTR)
    Explanation
    The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for

    Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment.
    Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
    The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.


  • 41. 

    What metric describes the moment in time in which data must be recovered and made available to users in order to resume business operations?

    • A.

      Mean Time Between Failures (MTBF)

    • B.

      The Mean Time to Repair (MTTR)

    • C.

      Recovery Point Objective (RPO)

    • D.

      Recovery Time Objective (RTO)

    Correct Answer
    C. Recovery Point Objective (RPO)
    Explanation
    The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.

    Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
    Mean Time to Repair describes how long it will take to recover a failed system.
    Recovery Time Objective describes the maximum time allowed to recover business or IT systems.


  • 42. 

    Maximum Tolerable Downtime (MTD) is comprised of which two metrics?

    • A.

      Recovery Point Objective (RPO) and Work Recovery Time (WRT)

    • B.

      Recovery Point Objective (RPO) and Mean Time to Repair (MTTR)

    • C.

      Recovery Time Objective (RTO) and Work Recovery Time (WRT)

    • D.

      Recovery Time Objective (RTO) and Mean Time to Repair (MTTR)

    Correct Answer
    C. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
    Explanation
    The Recovery Time Objective (RTO, the time it takes to bring a failed system back online) and Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime. RTO + WRT = MTD.

    Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.


  • 43. 

    Which level of RAID does NOT provide additional reliability?

    • A.

      RAID 1

    • B.

      RAID 5

    • C.

      RAID 0

    • D.

      RAID 3

    Correct Answer
    C. RAID 0
    Explanation
    RAID 0 provides only striping and is used simply for performance purposes. It offers no additional data redundancy or resiliency.

    RAID 1: Mirrored Set
    RAID 3: Striped set w/ parity (allows for failure of 1 drive)
    RAID 5: Striped set w/ distributed parity (allows for failure of 1 drive)


  • 44. 

    What describes a more agile development and support model, where developers directly support operations?

    • A.

      DevOps

    • B.

      Sashimi

    • C.

      Spiral

    • D.

      Waterfall

    Correct Answer
    A. DevOps
    Explanation
    DevOps is a more agile development and support model, where developers directly support operations.

    Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.


  • 45. 

    Two objects with the same name have different data. What OOP concept does this illustrate?

    • A.

      Delegation

    • B.

      Inheritance

    • C.

      Polyinstantiation

    • D.

      Polymorphism

    Correct Answer
    C. Polyinstantiation
    Explanation
    Polyinstantiation means “many instances,” such as two objects with the same names that have different data.

    Delegation allows objects to delegate messages to other objects.
    Inheritance means an object inherits capabilities from its parent class.
    Polymorphism allows the ability to overload operators, performing different methods depending on the context of the input message.


  • 46. 

    What type of testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective?

    • A.

      Acceptance testing

    • B.

      Integration testing

    • C.

      Regression testing

    • D.

      Unit testing

    Correct Answer
    A. Acceptance testing
    Explanation
    Acceptance testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective.

    Integration testing tests multiple software components as they are combined into a working system.
    Regression testing tests software after updates, modifications, or patches.
    Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.


  • 47. 

    A database contains an entry with an empty primary key. What database concept has been violated?

    • A.

      Entity integrity

    • B.

      Normalization

    • C.

      Referential Integrity

    • D.

      Semantic Integrity

    Correct Answer
    A. Entity integrity
    Explanation
    Entity integrity means each tuple has a unique primary key that is not null.

    Normalization seeks to make the data in a database table logically concise, organized, and consistent.
    Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken.
    Semantic integrity means each attribute (column) value is consistent with the attribute data type.


  • 48. 

    Which vulnerability allows a third party to redirect static content within the security context of a trusted site?

    • A.

      Cross-site request forgery (CSRF)

    • B.

      Cross-site scripting (XSS)

    • C.

      PHP remote file inclusion (RFI)

    • D.

      SQL injection

    Correct Answer
    A. Cross-site request forgery (CSRF)
    Explanation
    Cross-site request forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site.

    XSS is a third-party execution of web scripting languages, such as JavaScript, within the security context of a trusted site. XSS is similar to CSRF; the difference is that XSS uses active code.
    PHP RFI alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code.
    SQL injection manipulates a back-end SQL server via a front-end web server.


  • 49. 

    Which of the following security controls is intended to prevent an incident from occurring?

    • A.

      Deterrent

    • B.

      Preventative

    • C.

      Corrective

    • D.

      Recovery

    Correct Answer
    B. Preventative
    Explanation
    Preventive controls stop actions from taking place. They apply restrictions to what a possible user can do, whether the user is authorized or unauthorized.


  • 50. 

    Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

    • A.

      SESAME

    • B.

      RADIUS

    • C.

      KryptoKnight

    • D.

      TACACS+

    Correct Answer
    A. SESAME
    Explanation
    Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.


Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 03, 2017
    Quiz Created by
    Skofft2134