CISSP Study Quiz 2
- 1.
A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is:
- A.
Concern that the laser beam may cause eye damage
- B.
The iris pattern changes as a person grows older
- C.
There is a relatively high rate of false accepts
- D.
The optical unit must be positioned so that the sun does not shine into the aperature
Correct Answer
D. The optical unit must be positioned so that the sun does not shine into the aperatureExplanation
The potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is that the optical unit must be positioned so that the sun does not shine into the aperture. This is important because direct sunlight can interfere with the accuracy of the iris recognition process and may result in false readings or errors. Therefore, it is necessary to ensure that the scanner is installed in a location where it is not exposed to direct sunlight to maintain the reliability and effectiveness of the iris scanning technology.Rate this question:
-
- 2.
In Mandatory Access Control, sensitivity labels attached to an object contain what information?
- A.
The item's classification
- B.
The item's classification and category set
- C.
The item's category
- D.
The item's need to know
Correct Answer
B. The item's classification and category setExplanation
In Mandatory Access Control, sensitivity labels attached to an object contain the item's classification and category set. This means that the labels not only indicate the item's classification (such as confidential, secret, or top secret), but also specify the category to which the item belongs. The category set helps in further defining the access control policies and determining which users or groups are authorized to access the object based on their security clearances and need-to-know information.Rate this question:
-
- 3.
Which of the following is true about Kerberos?
- A.
It utilizes public key cryptography
- B.
It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
- C.
It depends upon symmetric ciphers
- D.
It is a second party authentication system
Correct Answer
C. It depends upon symmetric ciphersExplanation
Kerberos is a network authentication protocol that relies on symmetric key cryptography. It uses a trusted third-party server, known as the Key Distribution Center (KDC), to authenticate users and provide them with tickets to access network resources. These tickets are encrypted using symmetric ciphers, which means that the same secret key is used for both encryption and decryption. This ensures secure communication between the client and the server. Therefore, the statement "it depends upon symmetric ciphers" is true about Kerberos.Rate this question:
-
- 4.
Which of the following authentication mechanisms creates a problem for mobile users?
- A.
Mechanisms based on IP addresses
- B.
Mechanism with reusable passwords
- C.
One-time password mechanism
- D.
Challenge response mechanism
Correct Answer
A. Mechanisms based on IP addressesExplanation
Mechanisms based on IP addresses create a problem for mobile users because mobile devices often change their IP addresses as they move between different networks. This means that if an authentication mechanism relies on a specific IP address to verify a user's identity, the user may be denied access or face difficulties in authenticating when their IP address changes. Therefore, mechanisms based on IP addresses are not suitable for mobile users who frequently switch networks.Rate this question:
-
- 5.
Organizations should consider which of the following first before allowing external access to their LANs via the Internet?
- A.
Plan for implementing workstation locking mechanisms
- B.
Plan for protecting the modem pool
- C.
Plan for providing the user with his account usage information
- D.
Plan for considering proper authentication options
Correct Answer
D. Plan for considering proper authentication optionsExplanation
Before allowing external access to their LANs via the Internet, organizations should first consider planning for proper authentication options. This is important to ensure that only authorized users are granted access to the network, reducing the risk of unauthorized access and potential security breaches. Implementing strong authentication methods such as two-factor authentication or biometric authentication can help strengthen the security of the network and protect sensitive information from being accessed by unauthorized individuals.Rate this question:
-
- 6.
Kerberos can prevent which one of the following attacks?
- A.
Tunneling attack
- B.
Playback (replay attack)
- C.
Destructive attack
- D.
Process attack
Correct Answer
B. Playback (replay attack)Explanation
In a Kerberos implementation that is configured to use an authenticator, the user sends to the
server her identification information, a timestamp, as well as sequence number encrypted with the
session key that they share. The server then decrypts this information and compares it with the
identification data the KDC sent to it regarding this requesting user. The server will allow the user
access if the data is the same. The timestamp is used to help fight against replay attacks.Rate this question:
-
- 7.
In discretionary access environments, which of the following entities is authorized to grant information access to other people?
- A.
System Administrator
- B.
Data Custodian
- C.
Security Manager
- D.
Data Owner
Correct Answer
D. Data OwnerExplanation
The data owner is authorized to grant information access to other people in discretionary access environments. As the owner of the data, they have the authority to determine who can access the information and to what extent. They are responsible for ensuring that access is granted based on the appropriate permissions and security requirements. The system administrator, data custodian, and security manager may have roles in managing and securing the data, but it is ultimately the data owner who has the authority to grant access.Rate this question:
-
- 8.
Who developed one of the first mathematical models of a multilevel-security computer system?
- A.
Diffie and Hellman
- B.
Clark and Wilson
- C.
Bell and LaPadula
- D.
Gasser and Lipner
Correct Answer
C. Bell and LaPadulaExplanation
The Bell-LaPadula model was the first mathematical model of a multilevel security policy used to
define the concept of a secure state machine and modes of access, and outlined rules of access.Rate this question:
-
- 9.
Which of the following is the most reliable authentication method for remote access?
- A.
Variable callback system
- B.
Synchronous token
- C.
Fixed callback system
- D.
Combination of callback and caller ID
Correct Answer
B. Synchronous tokenExplanation
A Synchronous token generates a one-time password that is only valid for a short period of time.
Once the password is used it is no longer valid, and it expires if not entered in the acceptable time
frame.Rate this question:
-
- 10.
There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?
- A.
Public keys
- B.
Private keys
- C.
Public-key certificates
- D.
Private-key certificates
Correct Answer
C. Public-key certificatesExplanation
Public Key describes a system that uses certificates or the underlying public key cryptography on
which the system is based.
In the traditional public key model, clients are issued credentials or "certificates" by a Certificate
Authority (CA). The CA is a trusted third party. Public key certificates contain the user's name, the
expiration date of the certificate etc. The most common certificate format is X.509. Public key
credentials in the form of certificates and public-private key pairs can provide a strong distributed
authentication system.
The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a
public key certificate (a Kerberos ticket is supplied to provide access to resources). However,
Kerberos tickets usually have lifetimes measured in days or hours rather than months or years.Rate this question:
-
- 11.
A company outsources payroll services to a third party company. Which of the following roles most likely applies to the third-party payroll company?
- A.
Data controller
- B.
Data handler
- C.
Data owner
- D.
Data processor
Correct Answer
D. Data processorExplanation
The third-party payroll company most likely applies to the role of a data processor. As a data processor, they handle and process the payroll data on behalf of the company outsourcing the services. They are responsible for ensuring the accuracy and security of the data while performing the necessary payroll calculations and generating payslips for the employees. However, they do not have ownership or control over the data, and their actions are governed by a data processing agreement with the company.Rate this question:
-
- 12.
Which managerial role is responsible for the actual computers that house data, including the security of hardware and software components?
- A.
Custodian
- B.
Data owner
- C.
Mission owner
- D.
System owner
Correct Answer
D. System ownerExplanation
The correct answer is system owner. The system owner is responsible for the actual computers that house data, including the security of hardware and software components. They ensure that the system is maintained, updated, and protected from any potential threats or vulnerabilities. The system owner also oversees the overall functioning and performance of the system to ensure that it meets the organization's needs and objectives.Rate this question:
-
- 13.
What method destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field?
- A.
Bit-level overwrite
- B.
Degaussing
- C.
Destruction
- D.
Shredding
Correct Answer
B. DegaussingExplanation
Degaussing is the method that destroys the integrity of magnetic media by exposing them to a strong magnetic field. This process effectively erases the data stored on the tapes or disk drives by neutralizing the magnetic particles. It is commonly used to ensure that sensitive information cannot be recovered from the media. Degaussing is a reliable and secure method for data destruction on magnetic media.Rate this question:
-
- 14.
What type of relatively expensive and fast memory uses small latches called "flip-flops" to store bits?
- A.
DRAM
- B.
EPROM
- C.
SRAM
- D.
SSD
Correct Answer
C. SRAMExplanation
SRAM = Static Random Access Memory (fast and expensive, contains switches)
DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, contains capacitors)
EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
SSD = Solid State DriveRate this question:
-
- 15.
What type of memory stores bits in small capacitors (like small batteries)?
- A.
DRAM
- B.
EPROM
- C.
SRAM
- D.
SSD
Correct Answer
A. DRAMExplanation
DRAM = Dynamic Random Access Memory (slower and cheaper than SRAM, uses capacitors)
EPROM = Erasable Programmable Read Only Memory (can be flashed and written to multiple times)
SRAM = Static Random Access Memory (fast and expensive, uses switches)
SSD = Solid State DriveRate this question:
-
- 16.
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. What is the ARO?
- A.
$20,000
- B.
40%
- C.
7
- D.
$10,000
Correct Answer
C. 7Explanation
ARO = Annual Rate of Occurrence; number of losses suffered per yearRate this question:
-
- 17.
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.What is the ALE of lost iPod sales due to the DoS attacks?
- A.
$20,000
- B.
$8000
- C.
$84,000
- D.
$56,000
Correct Answer
D. $56,000Explanation
ALE = Annualized Loss Expectancy; Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
SLE = amount lost per occurrence
ARO = number of occurrences per yearRate this question:
-
- 18.
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.Is the DoS mitigation service a good investment?
- A.
Yes, it will pay for itself
- B.
Yes, $10,000 is less than the $56,000 ALE
- C.
No, the annual TCO is higher than the ALE
- D.
No, the annual TCO is lower than the ALE
Correct Answer
C. No, the annual TCO is higher than the ALEExplanation
TCO = Total Cost of ownership; $10,000 per month or $120,000 per year
ALE = Annualized Loss Expectancy; Single Loss Expectancy or SLE (40% of $20,000 = $8000) * Annualized Rate of Occurrence or ARO (7 times per year) = $56,000
TCO ($120,000) is greater than ARO ($56,000) so this would be a bad investmentRate this question:
-
- 19.
Which canon of The (ISC)2 Code of Ethics should be considered the most important?
- A.
Protect society, the commonwealth, and the infrastructure
- B.
Advance and protect the profession
- C.
Act honorably, honestly, justly, responsibly, and legally
- D.
Provide diligent and competent service to principals
Correct Answer
A. Protect society, the commonwealth, and the infrastructureExplanation
The canons are applied in order, and Protect society, the commonwealth, and the infrastructure is the first canon listedRate this question:
-
- 20.
Which of the following can be classified as objects?
- A.
Readme.txt file
- B.
Database table
- C.
Running login process
- D.
Authenticated user
- E.
1099 Tax Form
Correct Answer(s)
A. Readme.txt file
B. Database table
E. 1099 Tax FormExplanation
Object = any passive data within the system
Subject = an active entity on a data systemRate this question:
-
- 21.
Which of the following is true for digital signatures?
- A.
The sender encrypts the hash with a public key
- B.
The sender encrypts the hash with a private key
- C.
The sender encrypts the plaintext with a public key
- D.
The sender encrypts the plaintext with a private key
Correct Answer
B. The sender encrypts the hash with a private keyExplanation
To digitally sign a message the sender hashes the plaintext then encrypts the hash with his/her private keyRate this question:
-
- 22.
Under which type of cloud service level would Linux hosting be offered?
- A.
IaaS
- B.
IDaaS
- C.
PaaS
- D.
SaaS
Correct Answer
A. IaaSExplanation
IaaS = Infrastructure as a service; provides an entire virtualized operating systems, which the customer configures from the OS on up.Rate this question:
-
- 23.
A criminal deduces that an organization is holding an offsite meeting and there are few people in the building, based on the low traffic volume to and from the parking lot. The criminal uses the opportunity to break into the building to steal laptops. What type of attack has been launched?
- A.
Aggregation
- B.
Emanations
- C.
Inference
- D.
Maintenance Hook
Correct Answer
C. InferenceExplanation
Inference requires an attacker to “fill in the blanks” and deduce sensitive information from public information.Rate this question:
-
- 24.
EMI such as crosstalk primarily impact which aspect of security?
- A.
Confidentiality
- B.
Integrity
- C.
Availability
- D.
Authentication
Correct Answer
B. IntegrityExplanation
Most common impact of crosstalk is availabilityRate this question:
-
- 25.
Restricting Bluetooth device discovery relies on the secrecy of what?
- A.
MAC address
- B.
Symmetric key
- C.
Private key
- D.
Public key
Correct Answer
A. MAC addressExplanation
Restricting Bluetooth device discovery relies on the secrecy of the 48-bit Bluetooth MAC address.Rate this question:
-
- 26.
What is the most secure type of EAP?
- A.
EAP-TLS
- B.
EAP-TTLS
- C.
LEAP
- D.
PEAP
Correct Answer
A. EAP-TLSExplanation
EAP-TLS = Extensible Authentication Protocol-Transport Layer Security (uses PKI, establishes TLS tunnel)
EAP-TTLS = Extensible Authentication Protocol-Tunneled Transport Layer Security (establishes TLS tunnel without PKI)
LEAP = Lightweight Extensible Authentication Protocol (Cisco proprietary, insecure)
PEAP = Protected Extensible Authentication Protocol (Cisco, Microsoft, RSA version of EAP-TTLS)Rate this question:
-
- 27.
What is the most secure type of firewall?
- A.
Packet filter
- B.
Stateful firewall
- C.
Circuit-level proxy firewall
- D.
Application-layer proxy firewall
Correct Answer
D. Application-layer proxy firewallExplanation
Application-layer firewalls are most secure, they have ability to filter based on OSI Layers 3-7
Packet filter = filters traffic on basis of single packet; no concept of "state"
Stateful firewall = uses state table to compare current packets to previous ones
Circuit-layer firewall = operates at layer 5 and cannot filter based on application-layer dataRate this question:
-
- 28.
Accessing an IPv6 network via an IPv4 network is called what?
- A.
CIDR
- B.
NAT
- C.
Translation
- D.
Tunneling
Correct Answer
D. TunnelingExplanation
Tunneling is the correct answer because it refers to the process of encapsulating IPv6 packets within IPv4 packets, allowing them to be transmitted over an IPv4 network. This enables communication between an IPv6 network and an IPv4 network by creating a virtual tunnel between them.Rate this question:
-
- 29.
What access control method weighs additional factors, such as time of attempted access, before granting access?
- A.
Content-dependent access control
- B.
Context-dependent access control
- C.
Role-based access control
- D.
Task-based access control
Correct Answer
B. Context-dependent access controlExplanation
Context-dependent access control is an access control method that takes into consideration additional factors, such as the time of attempted access, before granting access. This means that access is granted based on the specific context or situation in which the access request is made. This method allows for more granular control over access permissions, as it considers various contextual factors to determine whether access should be granted or denied.Rate this question:
-
- 30.
What service is known as cloud identity, which allows organizations to leverage cloud service for identity management?
- A.
IaaS
- B.
IDaas
- C.
PaaS
- D.
SaaS
Correct Answer
B. IDaasExplanation
IDaaS = Identity as a Service
IaaS = Infrastructure as a Service
PaaS = Platform as a Service
SaaS = Software as a ServiceRate this question:
-
- 31.
What is an XML-based framework for exchanging security information, including authentication data?
- A.
Kerberos
- B.
OpenID
- C.
SAML
- D.
SESAME
Correct Answer
C. SAMLExplanation
SAML is an XML-based framework for exchanging security information, including authentication data.
Kerberos is a third-party authentication service that may be used to support single sign-on.
OpenID is a framework for exchanging authentication data, but it is not XML-based.
SESAME = Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environmentsRate this question:
-
- 32.
What protocol is a common open protocol for interfacing and querying directory service information provided network operating systems using port 389 via TCP or UDP?
- A.
CHAP
- B.
LDAP
- C.
PAP
- D.
RADIUS
Correct Answer
B. LDAPExplanation
LDAP = Lightweight directory access protocol is an open protocol for interfacing and querying directory service information from network operating systems using port 389 TCP or UDP.
CHAP, PAP, & RADIUS are authentication protocols:
CHAP = Challenge-Handshake Authentication Protocol
PAP = Password Authentication Protocol
RADIUS = Remote Authentication Dial-In User ServiceRate this question:
-
- 33.
What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?
- A.
Decrease the amount of minutiae that is verified
- B.
Increase the amount of minutiae that is verified
- C.
Lengthen the enrollment time
- D.
Lower the throughput time
Correct Answer
A. Decrease the amount of minutiae that is verifiedExplanation
Decreasing the amount of minutiae will make the accuracy of the system lower, which lower false rejects but raises false accepts.
Enrollment and Throughput time are not directly connected to FAR and FRRRate this question:
-
- 34.
What can be done to ensure that software meets the customer's requirements?
- A.
Integration testing
- B.
Installation testing
- C.
Acceptance testing
- D.
Unit testing
Correct Answer
C. Acceptance testingExplanation
Acceptance testing is designed to ensure the software meets the customer's operational requirements
Integration testing examines multiple software components as they are combined into a working system.
Installation testing examines software as it is installed and first operated
Unit testing is a low-level test of software components, such as functions, procedures, or objectsRate this question:
-
- 35.
What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?
- A.
Combinatorial software testing
- B.
Dynamic testing
- C.
Misuse case testing
- D.
Static testing
Correct Answer
A. Combinatorial software testingExplanation
Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.
Dynamic testing examines code while executing it.
Misuse case testing formally models how security would be impacted by an adversary abusing the application.
Static testing examines the code passively; the code is not running. This form of testing includes walkthroughs, syntax checking, and code reviews.Rate this question:
-
- 36.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?
- A.
Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data.
- B.
Instruct the penetration testing team to download financial data, redact it, and report accordingly.
- C.
Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.
- D.
Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.
Correct Answer
D. Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.Explanation
A flag is a dummy file containing no regulated or sensitive data. It is placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.Rate this question:
-
- 37.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible.Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?
- A.
Secure compiler warnings
- B.
Fuzzing
- C.
Static testing
- D.
White-box testing
Correct Answer
B. FuzzingExplanation
Fuzzing is a black-box testing method that does not require access to source code.Rate this question:
-
- 38.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible.Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?
- A.
Attempt to contain and eradicate the malicious activity
- B.
Continue the test
- C.
Quietly end the test, immediately call the operational IT contact, and escalate the issue
- D.
Shut the server down
Correct Answer
C. Quietly end the test, immediately call the operational IT contact, and escalate the issueExplanation
Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. The client must be notified immediately, as incident handling is not the penetration tester's responsibility.Rate this question:
-
- 39.
Which plan details the steps required to restore normal business operations after recovering from a disruptive event?
- A.
Business Continuity Plan (BCP)
- B.
Business Resumption Plan (BRP)
- C.
Continuity of Operations Plan (COOP)
- D.
Occupant Emergency Plan (OEP)
Correct Answer
B. Business Resumption Plan (BRP)Explanation
Resumption Planning details the steps required to restore normal business operations after a recovering from a disruptive event.
Business Continuity Planning develops a long-term plan to ensure the continuity of business operations.
The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster.
The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.Rate this question:
-
- 40.
What metric describes how long it will take to recover a failed system?
- A.
Minimum Operating Requirements (MOR)
- B.
Mean Time Between Failures (MTBF)
- C.
Mean Time to Repair (MTTR)
- D.
Recovery Point Objective (RPO)
Correct Answer
C. Mean Time to Repair (MTTR)Explanation
The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for
Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment.
Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.Rate this question:
-
- 41.
What metric describes the moment in time in which data must be recovered and made available to users in order to resume business operations?
- A.
Mean Time Between Failures (MTBF)
- B.
The Mean Time to Repair (MTTR)
- C.
Recovery Point Objective (RPO)
- D.
Recovery Time Objective (RTO)
Correct Answer
C. Recovery Point Objective (RPO)Explanation
The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.
Mean Time Between Failures quantifies how long a new or repaired system will run before failing.
Mean Time to Repair describes how long it will take to recover a failed system.
Recovery Time Objective describes the maximum time allowed to recover business or IT systems.Rate this question:
-
- 42.
Maximum Tolerable Downtime (MTD) is comprised of which two metrics?
- A.
Recovery Point Objective (RPO) and Work Recovery Time (WRT)
- B.
Recovery Point Objective (RPO) and Mean Time to Repair (MTTR)
- C.
Recovery Time Objective (RTO) and Work Recovery Time (WRT)
- D.
Recovery Time Objective (RTO) and Mean Time to Repair (MTTR)
Correct Answer
C. Recovery Time Objective (RTO) and Work Recovery Time (WRT)Explanation
The Recovery Time Objective (RTO, the time it takes bring a failed system back online) and Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime. RTO + WRT = MTD.
Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.Rate this question:
-
- 43.
Which level of RAID does NOT provide additional reliability?
- A.
RAID 1
- B.
RAID 5
- C.
RAID 0
- D.
RAID 3
Correct Answer
C. RAID 0Explanation
RAID 0 provides only striping and is used simply for performance purposes. It offers no additional data redundancy or resiliency.
RAID 1: Mirrored Set
RAID 3: Striped set w/ parity (allows for failure of 1 drive)
RAID 5: Striped set w/ distributed parity (allows for failure of 1 drive)Rate this question:
-
- 44.
What describes a more agile development and support model, where developers directly support operations?
- A.
DevOps
- B.
Sashimi
- C.
Spiral
- D.
Waterfall
Correct Answer
A. DevOpsExplanation
DevOps is a more agile development and support model, where developers directly support operations.
Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.Rate this question:
-
- 45.
Two objects with the same name have different data. What OOP concept does this illustrate?
- A.
Delegation
- B.
Inheritance
- C.
Polyinstantiation
- D.
Polymorphism
Correct Answer
C. PolyinstantiationExplanation
Polyinstantiation means “many instances,” such as two objects with the same names that have different data.
Delegation allows objects to delegate messages to other objects.
Inheritance means an object inherits capabilities from its parent class.
Polymorphism allows the ability to overload operators, performing different methods depending on the context of the input message.Rate this question:
-
- 46.
What type of testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective?
- A.
Acceptance testing
- B.
Integration testing
- C.
Regression testing
- D.
Unit testing
Correct Answer
A. Acceptance testingExplanation
acceptance testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective.
Integration testing tests multiple software components as they are combined into a working system.
Regression testing tests software after updates, modifications, or patches.
Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.Rate this question:
-
- 47.
A database contains an entry with an empty primary key. What database concept has been violated?
- A.
Entity integrity
- B.
Normalization
- C.
Referential Integrity
- D.
Semantic Integrity
Correct Answer
A. Entity integrityExplanation
Entity integrity means each tuple has a unique primary key that is not null.
Normalization seeks to make the data in a database table logically concise, organized, and consistent.
Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table; if this is not true, referential integrity has been broken.
Semantic integrity means each attribute (column) value is consistent with the attribute data type.Rate this question:
-
- 48.
Which vulnerability allows a third party to redirect static content within the security context of a trusted site?
- A.
Cross-site request forgery (CSRF)
- B.
Cross-site scripting (XSS)
- C.
PHP remote file inclusion (RFI)
- D.
SQL injection
Correct Answer
A. Cross-site request forgery (CSRF)Explanation
Cross-site request forgery (CSRF) allows a third party to redirect static content within the security context of a trusted site.
XSS is a third-party execution of web scripting languages, such as Javascript, within the security context of a trusted site. XSS is similar to CSRF; the difference is XSS uses active code.
PHP RFI alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code.
SQL injection manipulates a back-end SQL server via a front-end web server.Rate this question:
-
- 49.
Which of the following security controls is intended to avoid and incident from occurring?
- A.
Deterrent
- B.
Preventative
- C.
Corrective
- D.
Recovery
Correct Answer
B. PreventativeExplanation
Preventive controls stop actions from taking place. It applies restrictions to what a possible user can do, whether the user is authorized or unauthorized.Rate this question:
-
- 50.
Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?
- A.
SESAME
- B.
RADIUS
- C.
KryptoKnight
- D.
TACACS+
Correct Answer
A. SESAMEExplanation
Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 21, 2023Quiz Edited by
ProProfs Editorial Team -
Apr 03, 2017Quiz Created by
Skofft2134
Back to top