Answers to Practice Exam I

1. C

2. A 1

2. B 1

2. C 2

2. D 3

3. C

4. D

5. D

6. B

7. B

8. B

9. B

10. D

11. D

12. C

13. D

14. A

15. B

16. B

17. A

18. B

19. B

20. C

21. B

22. D

23. A

24. C

25. C

26. A

27. B

28. C

29. B

30. D

31. B

32. B

33. D

34. D

35. A

36. B

37. C

38. D

39. A

40. D

41. C

42. B

43. A

44. A

45. D

46. B

47. D

48. D

49. A

50. C

51. D

52. B

53. A

54. A

55. B

56. B

57. D

58. B

59. B

60. D

Question 1

The correct answer is C. A mandatory access control (MAC) model is static and based on clearances on subjects and labels on objects. Therefore, in a MAC-based system, access is determined by the system rather than the user. One feature of this model is security labels. Answer A is incorrect because there is no access control model known as restricted access control. Answer B is incorrect because discretionary access control (DAC) leaves access control up to the owner’s discretion. Answer D is incorrect because role-based access control models are used extensively by banks and other organizations that have very defined roles. Chapter 8

Question 2

The correct answer is shown in the table below. Information security models are a key topic that you can expect to be questioned on. While there are more than the four shown in this question, these are some of the most commonly tested. Both Biba and Clark-Wilson are integrity models (note that both have an “i” in their name). Bell-LaPadula is an example of a confidentiality model, whereas the primary purpose of Brewer-Nash is to prevent conflicts of interest. Chapter 5

[Table image not reproduced]

Question 3

The correct answer is C. Iris recognition functions by analyzing the features that exist in the colored tissue surrounding the pupil to confirm a match. These systems can analyze more than 200 points for comparison. Answer A is incorrect because retina scanning analyzes the layer of blood vessels in the eye. The retina is also more prone to change than the iris. Answer B is incorrect because there is no cornea scan. Answer D is incorrect because there is no optic nerve scan. Chapter 8

Question 4

The correct answer is D. The crossover error rate is defined as a percentage in which a lower number indicates a better biometric system. It is the most important measurement when attempting to determine the accuracy of the system. Answer A is incorrect because there is no crossover acceptance rate. Answer B is incorrect because higher numbers are less accurate. Answer C is incorrect because, again, there is no crossover acceptance rate. Chapter 8

Question 5

The correct answer is D. A biometric system that examines too much of the detail in an object becomes prone to false rejections (Type I errors). Answers A, B, and C are incorrect because Type I errors occur when legitimate users are improperly denied access. If, however, a system examines too little information about an object, it becomes prone to false accepts (Type II errors), which occur when unauthorized individuals are granted access to resources and devices they should not have. Fingerprints are fairly static metrics, and some fingerprint systems are very accurate. Exam candidates should know the difference between Type I and Type II errors and how the CER is used. Chapter 8

Question 6

The correct answer is B. A 3- to 4-foot fence will deter only casual trespassers. Answers A, C, and D do not correctly address the question: Fences 2 to 3 feet high can be easily crossed and would not be considered a deterrent. Fences that are 5–7 feet high are considered more difficult to climb than a shorter fence. Fences that are 8 feet high should be used to deter a determined intruder. Chapter 3

Question 7

The correct answer is B. The data owner, who is typically a member of senior management, is responsible for protecting company assets and data. Answer A is incorrect because the user is the individual who uses the documentation. Answer C is incorrect because the data custodian is responsible for maintaining and protecting the company’s assets and data. Answer D is incorrect because the auditor makes periodic reviews of the documentation, verifies that it is complete, and ensures that users are following its guidelines. Chapter 10

Question 8

The correct answer is B. A vulnerability is a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage. Answer A is incorrect because a risk is the potential harm that can arise from an event. Answer C is incorrect because exposure is the amount of damage that could result from the vulnerability. Answer D is incorrect because a threat is a natural or manmade event that could have some type of negative impact on the organization. Chapter 4

Question 9

The correct answer is B. The correct formula to determine single loss expectancy is Single loss expectancy = Asset value × Exposure factor. Answers A, C, and D are incorrect because none is the correct formula. Items to consider when calculating the SLE include the physical destruction or theft of assets, the loss of data, the theft of information, and threats that might cause a delay in processing. Chapter 4

Question 10

The correct answer is D. Quantitative assessment deals with numbers and dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis. To complete the assessment, first estimate potential losses, then conduct a threat analysis, and finally determine annual loss expectancy. Answers A, B, and C do not detail the steps needed to perform a quantitative assessment. Chapter 4

Question 11

The correct answer is D. The Delphi Technique is an example of a qualitative assessment technique. It is not used for quantitative assessment, DRP, or BCP; therefore, answers A, B, and C are incorrect. Chapter 4

Question 12

The correct answer is C, which properly defines the formula for total risk: Total risk = Threat × Vulnerability × Asset value. Answers A, B, and D are incorrect because they do not properly define the formula. Chapter 4

Question 13

The correct answer is D. Risk acceptance means that the risk has been analyzed and the individuals responsible have decided that they will accept such risk. Answer A is incorrect because risk reduction occurs when a countermeasure is implemented to alter or reduce the risk. Answer B is incorrect because risk rejection means that the responsible party has decided to ignore the risk. Answer C is incorrect because risk transference transfers the risk to a third party. Chapter 4

Question 14

The correct answer is A. Ring 0 is the most trusted ring. The security kernel resides at ring 0, and protection rings support the security of the system. Answers B, C, and D are incorrect because the security kernel is not located at the respective rings. Chapter 5

Question 15

The correct answer is B. Answers A, C, and D would all work; the question asks which would not work. Authentication Header (AH) checks the integrity of an IP address and is intrinsically incompatible with Network Address Translation (NAT). Chapter 7

Question 16

The correct answer is B. Registers are considered the temporary storage units within the CPU. CPUs consist of registers, arithmetic/logic unit (ALU), and control circuitry. Answers A, C, and D are incorrect because the I/O buffers, control circuitry, and the ALU are not considered temporary storage units in the CPU. Chapter 5

Question 17

The correct answer is A. The Biba model, which was published in 1977, was the first model developed to address the concerns of integrity. It looks at preventing unauthorized users from making changes to the system and addresses only one goal of integrity (outsiders). Answer B is incorrect because although the Clark-Wilson model is based on integrity, it was not the first model. Answer C is incorrect because the Brewer-Nash model is based on confidentiality. Answer D is incorrect because the Chinese Wall is another name for the Brewer-Nash model. Chapter 5

Question 18

The correct answer is B. Bell-LaPadula was the first model to address the concerns of confidentiality. It was developed in the 1970s and was considered groundbreaking because it supported multilevel security. Although it is well suited for the DoD and government, it is not well suited for modern commercial entities. Answer A is incorrect because the Biba model is an integrity model. Answer C is incorrect because the Graham-Denning model was not the first model to be developed on integrity. Answer D is incorrect because the Clark-Wilson model is another example of an integrity model. Chapter 5

Question 19

The correct answer is B. TCSEC (or the Orange Book) was developed to evaluate the integrity of standalone systems. Answer A is incorrect because the ITSEC is an international standard developed in Europe. Answer C is incorrect because Common Criteria is a global standard that built on TCSEC, ITSEC, and the CTCPEC. Answer D is incorrect because the CTCPEC is the Canadian version of the Orange Book. Chapter 5

Question 20

The correct answer is C. Compartment security mode requires all subjects to have a clearance for the most restricted information and a valid need to know. Answer A is incorrect because dedicated security mode requires a clearance for all information, whereas this question requires a clearance for most, not all, information. Answer B is incorrect because system high security mode requires a clearance for all information and a valid need to know for some information, whereas this scenario requires a clearance for most restricted information and a valid need to know. Answer D is incorrect because in multilevel mode some subjects do not have a clearance for all information, and each subject has a need to know for all the information they will access. CISSP candidates must know the four security modes of operation. Chapter 5

Question 21

The correct answer is B. During the actual exam expect to see some enhanced questions that feature figures or diagrams. There are two methods by which PKI revocation can be handled. The first is a CRL. A CRL is generated and published periodically or after a certificate has been revoked. The second method is the OCSP. OCSP does not mandate encryption, discloses that a particular network host used a specific certificate, and generally places less of a burden on client resources. It does not contain more information. Chapter 6

Question 22

The correct answer is D. The foreign key is correct because it refers to an attribute in one table whose value matches the primary key in another table. Answer A is incorrect because a field is the smallest unit of data within a database. Answer B is incorrect because aggregation refers to the process of combining several low-sensitivity items such that together they produce a higher-sensitivity data item. Answer C is incorrect because a composite key is two or more columns that are together designated as the table’s primary key. Chapter 11

Question 23

The correct answer is A. Bluetooth uses frequency-hopping spread spectrum (FHSS). FHSS functions by modulating the data with a narrowband carrier signal that hops in a random but predictable sequence from frequency to frequency. Bluetooth can be susceptible to bluejacking and other forms of attack. Answer B is incorrect because 802.11a uses orthogonal frequency-division multiplexing. Answer C is incorrect because 802.11b uses direct sequence spread spectrum (DSSS) technology. Answer D is incorrect because 802.11g also uses orthogonal frequency-division multiplexing. Chapter 7

Question 24

The correct answer is C. Pulse code modulation (PCM) is the original technique used to digitize voice with 8 bits of sampling 8,000 times per second, which yields 64Kbps for one voice channel. Answer A is incorrect because DAT is digital audio tape and is an analog voice-transmission method. Answers B and D are incorrect because CDMA and GSM are methods for cellular phone transmission. Chapter 7

Question 25

The correct answer is C. Twenty-four DS0 lines are bundled to make one T1. A T1 line has a composite rate of 1.544 Mbps. Answers A, B, and D are incorrect because 18, 21, and 32 DS0 line bundles do not exist. Chapter 7

Question 26

The correct answer is A. The Synchronous Data Link Control (SDLC) protocol was developed in the mid-1970s for use in Systems Network Architecture (SNA) environments. SDLC is unique in that it was the first synchronous, link layer, bit-oriented protocol. The ISO modified SDLC to create the High-Level Data Link Control (HDLC) protocol and release it as a standard. Answer B is incorrect because ISDN is an end-to-end telephone service that is digital in nature. Answer C is incorrect because Link Access Procedure-Balanced (LAP-B) is a subset of HDLC and is not used by SNA. Answer D is incorrect because X.25 is an efficient protocol developed in the 1970s for packet-switched networks. Chapter 7

Question 27

The correct answer is B. Transaction persistence means that the state of the database security is the same after a transaction has occurred. In addition, there is no risk of integrity problems. Answer A is incorrect because it does not define transaction persistence. Answer C is wrong because transaction persistence does not state that the database should be the same before and after a transaction. Answer D is incorrect because even though databases should be available to multiple users at the same time without endangering the integrity of the data, that fact is not a definition of transaction persistence. Chapter 11

Question 28

The correct answer is C. Aggregation is the capability to combine data from separate sources to gain information. Answer A is incorrect because metadata is data about data. Answer B is incorrect because inference attacks occur when authorized users infer information by analyzing the data they have access to. Answer D is incorrect because deadlocking is a database stalemate. Chapter 11

Question 29

The correct answer is B. A TOC/TOU attack can occur when the contents of a file have changed between the time the system security functions checked the contents of the variables, and the time the variables are actually used or accessed. This is a form of asynchronous attack. Answer A is incorrect because the description describes an asynchronous attack. Answer C is incorrect because the example does not describe a DCOM attack. Answer D is incorrect because although the network might be vulnerable to a Smurf attack, the subsequent lock would not change the status of such an attack. Chapter 5

Question 30

The correct answer is D. Hearsay evidence is not based on personal knowledge, but is information that was told to a witness by another person. It is inadmissible in a court of law. Answer A is incorrect because best evidence is the preferred type of evidence. Answer B is incorrect because secondary evidence is admissible and is usually a copy of original evidence. Answer C is incorrect because conclusive evidence is also admissible. Chapter 9

Question 31

The correct answer is B. Cipher block chaining (CBC) builds a dependency between the blocks of data. To recover the plaintext of a particular block, you need the key, the ciphertext of that block, and the ciphertext of the previous block. This feature makes CBC unique. Answer A is incorrect because electronic codebook (ECB) is fast but is neither chained nor secure. Answer C is incorrect because cipher feedback (CFB) can be used to emulate a stream cipher and features a feedback function. Answer D is incorrect because output feedback (OFB) can also emulate a stream cipher and can pregenerate the key stream independently of the data. Chapter 6
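As an added illustration of the chaining described above (this is example code written for this answer key, not part of the original book), the following Python builds ECB and CBC on top of a toy 16-byte Feistel block cipher constructed here purely so the modes have something invertible to run on; it is not a real cipher. It shows that decrypting block i needs only the key, C_i and C_(i−1), that identical plaintext blocks repeat under ECB but not under CBC, and, going slightly beyond the answer, that one corrupted ciphertext block damages only two plaintext blocks.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher below


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function for the toy Feistel network (constructed for this demo,
    # NOT a real cipher; it only gives us an invertible keyed block permutation).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def blocks(data: bytes) -> list:
    # Inputs in this demo are whole blocks; padding is deliberately out of scope.
    assert len(data) % BLOCK == 0, "demo expects whole blocks"
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted independently, so equal plaintext blocks
    # yield equal ciphertext blocks (the "not chained" property in the answer).
    return b"".join(toy_encrypt_block(key, p) for p in blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: C_i = E_k(P_i XOR C_(i-1)), with C_0 = IV.
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_block(key: bytes, prev_ct: bytes, ct: bytes) -> bytes:
    # P_i = D_k(C_i) XOR C_(i-1): exactly the three inputs the answer lists
    # (key, this ciphertext block, previous ciphertext block); nothing else.
    return _xor(toy_decrypt_block(key, ct), prev_ct)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    cts = blocks(ciphertext)
    return b"".join(cbc_decrypt_block(key, prev, ct) for prev, ct in zip([iv] + cts[:-1], cts))


# Constructed sample input: the same 16-byte block repeated three times.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"ATTACK AT DAWN!!" * 3


def mode_comparison() -> dict:
    ecb_blocks = blocks(ecb_encrypt(KEY, PLAINTEXT))
    cbc_blocks = blocks(cbc_encrypt(KEY, IV, PLAINTEXT))
    return {
        "ecb_blocks_identical": len(set(ecb_blocks)) == 1,  # True: the repetition leaks
        "cbc_blocks_identical": len(set(cbc_blocks)) == 1,  # False: chaining hides it
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc_encrypt(KEY, IV, PLAINTEXT)) == PLAINTEXT,
    }


def cbc_error_propagation() -> list:
    # Flip one bit in C_1 and check which plaintext blocks survive decryption:
    # P_1 is garbled, P_2 gets one flipped bit, P_3 is untouched.
    ct = bytearray(cbc_encrypt(KEY, IV, PLAINTEXT))
    ct[0] ^= 0x01
    recovered = blocks(cbc_decrypt(KEY, IV, bytes(ct)))
    return [r == p for r, p in zip(recovered, blocks(PLAINTEXT))]  # [False, False, True]


if __name__ == "__main__":
    print(mode_comparison())
    print(cbc_error_propagation())
```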

Question 32

The correct answer is B. 2DES or double DES is no more secure than single DES and is susceptible to a meet-in-the-middle attack. Answers A, C, and D are incorrect because none is susceptible to a meet-in-the-middle attack. Chapter 6

Question 33

The correct answer is D. Elliptic curve cryptography (ECC) is an asymmetric cryptosystem created in the 1980s to create and store digital signatures in a small amount of memory. Answer A is incorrect because DES is a symmetric algorithm. Answer B is incorrect because SHA-1 is a hashing algorithm. Answer C is incorrect because Diffie-Hellman is used for key exchange. Chapter 6

Question 34

The correct answer is D. The red team’s purpose is to penetrate security. Red teams are sometimes called tiger teams or penetration testers. Answers A, B, and C are incorrect because individuals from all those groups should be involved in the contingency-planning process. Chapter 12

Question 35

The correct answer is A. Attackers can attack ARP by flooding the switch and other devices with bogus MAC addresses or by ARP poisoning. Answer B is incorrect because although spanning tree is a valid attack, it is typically used for DoS. Answer C is incorrect because name server poisoning is another type of DNS attack. Answer D is incorrect because a reverse lookup is a term associated with DNS, not ARP. Chapter 7

Question 36

The correct answer is B. EAP is a strong form of authentication that uses more advanced methods of authentication besides passwords. Answers A, C, and D are incorrect because none of these methods use more advanced forms of authentication, such as digital certificates. Chapter 8

Question 37

The correct answer is C. RFC 1918 specifies the addresses that are to be used for private address schemes. Addresses 172.16.0.0 to 172.63.255.255 are not part of the specified range; therefore, answer C is the correct choice. Answers A, B, and D are incorrect because RFC 1918 specifies 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Chapter 7
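To make the distractor in this question concrete (this is example code added to the answer key, not from the book), the following Python encodes the three RFC 1918 blocks exactly as listed above and checks addresses and ranges against them; the constructed rule list and the helper names are assumptions for the demo. It shows that 172.16.0.0/12 ends at 172.31.255.255, so a range running to 172.63.255.255 spills into public space.

```python
import ipaddress

# The three RFC 1918 private blocks, as listed in the answer above.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0    - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0  - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
)


def rfc1918_block(addr: str):
    """Return the RFC 1918 block (as CIDR text) containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_BLOCKS:
        if ip in net:
            return str(net)
    return None


def block_bounds() -> dict:
    """First and last address of each block, so the /12 vs. 172.63 confusion is visible."""
    return {str(n): (str(n.network_address), str(n.broadcast_address)) for n in RFC1918_BLOCKS}


def range_is_rfc1918(first: str, last: str) -> bool:
    """True only if every address from first to last lies inside one RFC 1918 block."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    # Each block is contiguous, so containing both ends means containing the whole range.
    return any(lo in net and hi in net for net in RFC1918_BLOCKS)


def cidr_blocks(first: str, last: str) -> list:
    """CIDR blocks that exactly cover a range; shows which part of a bad range is public."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def public_sources(rules: list) -> list:
    """Audit helper (hypothetical): given (name, source) rules that are supposed to admit
    only internal hosts, return the names whose source is outside RFC 1918 space."""
    return [name for name, src in rules if rfc1918_block(src) is None]


# Constructed sample rule set for the audit helper (not real infrastructure).
SAMPLE_RULES = [
    ("lan-mgmt", "10.20.30.40"),
    ("branch-b", "172.31.255.254"),
    ("branch-c", "172.32.0.1"),  # looks private but sits outside 172.16.0.0/12
    ("wifi", "192.168.4.7"),
]

if __name__ == "__main__":
    print(block_bounds())
    print(range_is_rfc1918("172.16.0.0", "172.63.255.255"))   # False
    print(cidr_blocks("172.16.0.0", "172.63.255.255"))        # ['172.16.0.0/12', '172.32.0.0/11']
    print(public_sources(SAMPLE_RULES))                        # ['branch-c']
```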

Question 38

The correct answer is D. Stealing email is not difficult because it is clear text and easily sniffed. Email is one of the most popular Internet applications and deserves protection. Although answers B and C are incorrect, they both outline potential vulnerabilities in standard email. Answer A is incorrect because encryption is not difficult. Chapter 10

Question 39

The correct answer is A. Instant messaging (IM) has the capability for scripting, which is one reason it is dangerous for the organization. Answers B, C, and D do not properly answer the question because they are all reasons why IM is vulnerable. IM can bypass corporate firewalls, most versions lack encryption, and IM uses insecure password management. Chapter 10

Question 40

The correct answer is D. The Distributed Component Object Model (DCOM) allows applications to be divided into pieces and objects to be run remotely over the network. Potential vulnerabilities exist because of the way ActiveX is integrated with DCOM. Answers A and B are incorrect because CORBA is a set of standards that addresses the need for interoperability between hardware and software. Answer C is incorrect because Enterprise JavaBeans (EJB) is designed for enterprise networks. Chapter 11

Question 41

The correct answer is C. Pretty Good Privacy (PGP) uses a web-like model because there are no certificate authorities; there are only end users. Anyone who uses PGP must determine whom they trust: without a certificate authority, there is no centralized or governing agency to control and validate other users. Answer A is incorrect because PKI does not use a web of trust. Answer B is incorrect because IGMP is used for multicast router group management. Answer D is incorrect because Privacy Enhanced Mail (PEM) is an email-security protocol. Chapter 7

Question 42

The correct answer is B. Entrapment is considered the act of tricking a person to commit a crime in order to bring criminal charges against him or her. Although entrapment might be seen as illegal behavior, enticement usually is not. Answer A is incorrect because inducement is the act of bringing about the desired result. Answer C is incorrect because a honeypot is a trap set to detect or slow attempts at unauthorized use of information systems. Answer D is incorrect because enticement is the act of influencing by exciting hope or desire. Chapter 9

Question 43

The correct answer is A. The G8 is a group of economically advanced nations that have agreed to work together to solve economic problems. The G8 has now grown to 20 members and is also known as the G20. Answer B is incorrect because Mutual Legal Assistance Treaties (MLATs) are agreements that United States law-enforcement agencies have with law-enforcement agencies in other nations to fight computer crime and terrorism. MLATs are relatively recent developments created to improve the effectiveness of judicial assistance and to regularize and facilitate cooperation. Answer C is incorrect because SWAT is a term used for Special Weapons and Tactics police teams. Answer D is incorrect because UN Resolution 1154 deals with weapons inspections in Iraq. Chapter 10

Question 44

The correct answer is A. The five main types of BCP testing strategies include checklist, structured walk-through, simulation, parallel, and full interruption. Therefore, answers B, C, and D are incorrect because the question asked which is not a valid type. Answer A describes a partial interruption, which is not one of the five valid types. Chapter 12

Question 45

The correct answer is D. Business, facility and supply, user, technical, and data are the five primary categories. Answers A, B, and C are incorrect because they do not describe the five categories. Chapter 12

Question 46

The correct answer is B. The Java script is used by the Java interpreter and is not one of the three layers. Answers A, C, and D do not successfully answer the question, but they do make up the three layers used by the Java interpreter. These include the Java language, which interprets code downloaded from a website; Java libraries, which prevent undesired access to resources and help implement a security policy; and the Java interpreter, which converts the code into native machine code. Chapter 11

Question 47

The correct answer is D. Internet Group Management Protocol (IGMP) is used by hosts to report multicast group memberships to neighboring multicast routers. Security problems exist with IGMP because anyone can start a multicast group or join an existing one. Answer A is incorrect because ICMP is used for logical errors and diagnostics. Answer B is incorrect because the Routing Information Protocol (RIP) is a broadcast-based routing protocol. Answer C is incorrect because although 224.0.0.1 is a multicast address, it is not a protocol used for multicast management. Chapter 7

Question 48

The correct answer is D. VoIP is very time sensitive and, as such, should be based on an isochronous design. This means that the entire system must be engineered to deliver output with exactly the same timing as the input. FireWire is another example of a device that contains an isochronous interface. Answer A is incorrect because VoIP does not use time-division multiplexing. Answer B is incorrect because VoIP uses UDP for the voice portion of the call, not TCP. Some implementations of VoIP can use TCP for setup and call control. Answer C is incorrect because VLANs are not used for timing and delay problems, but are used to separate the VoIP from general traffic to make it more secure from sniffing. Chapter 7

Question 49

The correct answer is A. ATM creates a fixed channel, or route, between two points whenever data transfer begins, and packages the data into 53-byte fixed-length cells. ATM can be used in LANs, WANs, and MANs. It supports high-bandwidth data needs. Answer B is incorrect because ISDN provides a completely end-to-end digital connection. Answer C is incorrect because Switched Multimegabit Data Service (SMDS) is a low-market-share service used to interconnect LANs. Answer D is incorrect because Frame Relay does not package data into 53-byte fixed-length cells. Chapter 7

Question 50

The correct answer is C. One issue with WEP is the initialization vector (IV); it is 24 bits, not 20. Answers A, B, and D detail some of the vulnerabilities of WEP. For example, WEP uses a single shared key among all clients, which means that you are authenticating groups, not devices or single users. Also, RC4 is the correct encryption type and can be implemented in a 40- or 104-bit configuration, but WEP does not properly initialize it. This means that the key values roll over and are predictable. Finally, a 24-bit IV is too short, and a 40-bit key is weak. Chapter 7

Question 51

The correct answer is D. The formula for the annual loss expectancy is:

ALE = ARO × SLE, or 0.95 × $720 = $684

Annual rate of occurrence is 95%, or 0.95

Single loss expectancy is ($9 per hour × 8 hours per employee) × 10 employees = $720

Therefore, the nonprofit could expect to lose $684 by not using antivirus software. Chapter 4

Question 52

The correct answer is B. An evaluation that is carried out and meets an evaluation assurance level (EAL) 2 specifies that the design has been structurally tested. Answers A, C, and D are incorrect because EAL 1 = functionally tested; EAL 4 = methodically designed, tested, and reviewed; and EAL 5 = semi-formally designed and tested. Chapter 5

Question 53

The correct answer is A. The Red Book lists the following ratings: B2 Good, C2 Fair, C1 Minimum, and None. Therefore, answers B, C, and D are incorrect because the question asked which is not a valid rating. Chapter 5

Question 54

The correct answer is A. The star * property rule states that someone at one security level cannot write information to a lower security level. Answer B is incorrect because the simple security rule states that someone cannot read information at a higher security level. Answer C is incorrect because the simple integrity property deals with the Biba model, not Bell-LaPadula. Answer D is incorrect because it states that read and write privileges are valid only at the level at which the user resides. Chapter 5

Question 55

The correct answer is B. Annual loss expectancy is calculated this way:

ALE = ARO × SLE, or 0.95 × $720 = $684

The annual savings is the ALE minus the cost of the deterrent, or $684 – $399 = $285. Therefore, answers A, C, and D are incorrect. Chapter 4

Question 56

The correct answer is B. Physical security is considered the first line of defense against human behavior. Items such as gates, guards, locks, and cameras can be used for physical defense. Answer A is incorrect because cryptography is best used to protect the integrity and confidentiality of data. Answer C is incorrect because business continuity planning should be used to prevent critical outages. Answer D is incorrect because policies are an administrative control. Chapter 3

Question 57

The correct answer is D. HVAC should be a closed-loop system with positive pressurization. Closed loop means that the air inside the building is filtered and continually reused. Positive pressurization should be used to ensure that inside air is pushed out. This is a big safety feature in case the building catches fire. Answers A, B, and C are incorrect because they do not contain both closed-loop systems and positive pressurization. Chapter 3

Question 58

The correct answer is B. Heat-activated sensors can be either rate-of-rise or fixed-temperature sensors. Answer A is incorrect because flame-activated sensors respond to the infrared energy that emanates from a fire. Answer C is incorrect because smoke-activated sensors use a photoelectric device. Answer D is incorrect because there is no category of fire detector known as ion-activated. Chapter 3

Question 59

The correct answer is B. Electrical fires are considered Class C fires. All other answers are incorrect because Class A fires consist of wood and paper products, Class B fires consist of liquids such as petroleum, and Class D fires result from combustible metals. Chapter 3

Question 60

The correct answer is D. A dry pipe system is the preferred fire suppression method for locations that are unheated or subject to freezing. Dry pipe systems are unique in that they use pressurized air or nitrogen. In the event of a fire, the sprinkler head opens and releases the pressurized air. Although these systems do typically use a clapper valve, the term is used here because it might be unfamiliar to many readers. The exam might also use terms that you are not familiar with. All other answers are incorrect because deluge systems release a large amount of water in a very short period of time, wet pipe systems hold water in the pipe, and preaction systems release water into the pipe only when a specified temperature or separate detection device triggers its release. Chapter 3
