Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for the CISSP exam. For more information on (ISC)2, see the next section.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

  • Maintain the Common Body of Knowledge (CBK) for the field of information systems security.
  • Provide certification for information systems security professionals and practitioners.
  • Conduct certification training and administer the certification exams.
  • Oversee the ongoing accreditation of qualified certification candidates through continued education.

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. You can obtain more information about (ISC)2 from its website at www.isc2.org.

CISSP and SSCP

(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. The Certified Information Systems Security Professional credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. The Systems Security Certified Practitioner (SSCP) is a credential for security professionals responsible for implementing or operating a security infrastructure in an organization.

The CISSP certification covers material from the 10 CBK domains:

  • Access Control
  • Telecommunications and Network Security
  • Information Security Governance and Risk Management
  • Application Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations, and Compliance
  • Physical (Environmental) Security

The SSCP certification covers material from seven CBK domains:

  • Access Controls
  • Administration
  • Audit and Monitoring
  • Cryptography
  • Data Communications
  • Malicious Code/Malware
  • Risk, Response, and Recovery

The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)2 has defined several qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.

(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone who does not yet have the experience required to qualify as a CISSP to take the CISSP exam anyway and then obtain the experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a resume, can the individual be awarded CISSP certification.

To sign up, visit the (ISC)2 website, and follow the instructions listed there for registering to take the CISSP exam (the link reads “Register Now for CISSP Certification Exams”). You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a confirmation email with all the details you’ll need to find the testing center and take the exam.

Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you have six hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad, but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain in the CBK but not necessarily be a master of each domain.

You’ll need to register for the exam through the (ISC)2 website at www.isc2.org.

(ISC)2 administers the exam itself. In most cases, the exams are held in large conference rooms at hotels. Existing CISSP holders are recruited to serve as proctors or administrators for these exams. Be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6-hour window for taking the test will begin.

CISSP Exam Question Types

Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

1. What is the most important goal and top priority of a security solution?

A. Preventing disclosure

B. Maintaining integrity

C. Maintaining human safety

D. Sustaining availability

You must select the one correct or best answer and mark it on your answer sheet. In some cases, the correct answer will be very obvious to you. In other cases, several answers may seem correct. In these instances, you must choose the best answer for the question asked. Watch for general, specific, universal, superset, and subset answer selections. In other cases, none of the answers will seem correct. In these instances, you’ll need to select the least incorrect answer.

By the way, the correct answer for this sample question is C. Protecting human safety is always your first priority.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With six hours to complete a 250-question exam, you have just under 90 seconds for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet.

You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling each answer you select before you mark it on your answer sheet.

To maximize your test-taking activities, here are some general guidelines:

  • Answer easy questions first.
  • Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.
  • Eliminate wrong answers before selecting the correct one.
  • Watch for double negatives.
  • Be sure you understand what the question is asking.

Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work.

Be very careful to mark your answers on the correct question number on the answer sheet. The most common cause of failure is making a transfer mistake from the test booklet to the answer sheet.

Be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, a manual sharpener, and an eraser.

If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport.

Occasionally, small changes are made to the exam or exam objectives. When that happens, Sybex will post updates to its web site. Visit www.sybex.com/go/cissp5thedition before you sit for the exam to make sure you have the latest information.

Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

  • Take one or two evenings to read each chapter in this book and work through its review material.
  • Take all the practice exams provided in the book and on the CD. Complete the written labs from each chapter, and use the review questions for each chapter to help guide you to topics where more study or time spent working through key concepts and strategies might be beneficial.
  • Review the (ISC)2’s study guide from www.isc2.org.
  • Use the flashcards found on the CD to reinforce your understanding of concepts.

We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams. Students have reported that the more time they spent taking practice exams, the better they retained test topics. You might also consider visiting resources such as www.cccure.org, www.cissp.com, and other CISSP-focused websites.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP exam, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone familiar with your work history to sign and submit an endorsement form on your behalf. The endorsement form is sent to you as an attachment to the email notifying you of your achievement in passing the exam. Simply send the form to a CISSP in good standing along with your resume. The endorser must review your resume, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2 via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 90 days after receiving the confirmation of passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via post mail.

If you happen to fail the exam, you may take the exam a second time as soon as you can find another open slot in a testing location. However, you will need to pay full price for your second attempt. In the unlikely case you need to test a third time, (ISC)2 requires that you wait six months.

Post-CISSP Concentrations

(ISC)2 has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

Information Systems Security Architecture Professional (ISSAP) Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures.

Information Systems Security Management Professional (ISSMP) Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide system development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery planning, and continuity of operations planning. This is a credential for those professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture.

Information Systems Security Engineering Professional (ISSEP) Aimed at those who focus on the design and engineering of secure hardware and software information systems, components, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and U.S. government information assurance rules and regulations. Most ISSEPs work for the U.S. government or for a government contractor that manages government security clearances.

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first nine domains are each covered by two chapters, and the final domain (Physical Security) is covered in Chapter 19. The domain/chapter breakdown is as follows:

Chapters 1 and 2 Access Control

Chapters 3 and 4 Telecommunications and Network Security

Chapters 5 and 6 Information Security Governance and Risk Management

Chapters 7 and 8 Application Development Security

Chapters 9 and 10 Cryptography

Chapters 11 and 12 Security Architecture and Design

Chapters 13 and 14 Operations Security

Chapters 15 and 16 Business Continuity and Disaster Recovery Planning

Chapters 17 and 18 Legal, Regulations, Investigations, and Compliance

Chapter 19 Physical (Environmental) Security

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here’s a description of some of those elements:

Key Terms and Glossary In every chapter, we’ve identified key terms, which are important for you to know. You’ll also find these key terms and their definitions in the Glossary. Note that the Glossary is included as a PDF on the Companion CD.

Summaries The summary is a brief review of the chapter to sum up what was covered.

Exam Essentials The Exam Essentials highlight topics that could appear on one or both of the exams in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the body of knowledge area and the test specs for the CISSP exam.

Chapter Review Questions Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying that topic. The answers to the practice questions can be found at the end of the chapter.

Written Labs Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions.

Real World Scenarios As you work through each chapter, you’ll find at least two descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guidelines, or practices should or may be applied to the workplace.

What’s on the CD?

We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

The Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book, plus additional bonus exams that appear exclusively on the CD. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.

Electronic Flashcards

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

CISSP Study Guide in PDF

Sybex offers the CISSP Study Guide in PDF format on the CD so you can read the book on your PC or laptop. This is convenient if you travel and don’t want to carry a book, or if you just like to read from the computer screen. Adobe Acrobat is also included on the CD.

Bonus Exams

Sybex includes bonus exams on the CD, each comprising questions meant to survey your understanding of key elements in the CISSP CBK.

How to Use This Book and CD

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing at the beginning of each chapter the CISSP body of knowledge domain topics covered in the chapter and by ensuring that each topic is fully discussed within the chapter. The practice questions at the end of each chapter and the practice exams on the CD are designed to test your retention of the material you’ve read to make you aware of areas in which you should spend additional study time. Here are some suggestions for using this book and CD:

  • Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time as well as those areas in which you may just need a brief refresher.
  • Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.
  • Download the flashcards to your handheld device, and review them when you have a few minutes during the day.
  • Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus exams on the CD. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.

Assessment Test

1. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

A. Preventive

B. Deterrent

C. Detective

D. Corrective

2. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.

A. Difficult to guess or unpredictable

B. Meet minimum length requirements

C. Meet specific complexity requirements

D. All of the above

3. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS

B. Network-based IDS

C. Vulnerability scanner

D. Penetration testing

4. Which of the following is considered a denial-of-service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password

B. While surfing the Web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU

C. Intercepting network traffic by copying the packets as they pass through a specific subnet

D. Sending message packets to a recipient who did not request them simply to be annoying

5. At which layer of the OSI model does a router operate?

A. Network layer

B. Layer 1

C. Transport layer

D. Layer 5

6. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?

A. Static packet filtering

B. Application-level gateway

C. Stateful inspection

D. Dynamic packet filtering

7. A VPN can be established over which of the following?

A. Wireless LAN connection

B. Remote access dial-up connection

C. WAN link

D. All of the above

8. Email is the most common delivery vehicle for which of the following?

A. Viruses

B. Worms

C. Trojan horse

D. All of the above

9. The CIA Triad comprises what elements?

A. Contiguousness, interoperable, arranged

B. Authentication, authorization, accountability

C. Capable, available, integral

D. Availability, confidentiality, integrity

10. Which of the following is not a required component in the support of accountability?

A. Auditing

B. Privacy

C. Authentication

D. Authorization

11. Which of the following is not a defense against collusion?

A. Separation of duties

B. Restricted job responsibilities

C. Group user accounts

D. Job rotation

12. A data custodian is responsible for securing resources after ______________ has assigned the resource a security label.

A. Senior management

B. Data owner

C. Auditor

D. Security staff

13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process?

A. Repeatable

B. Defined

C. Managed

D. Optimizing

14. Which one of the following is a layer of the ring protection scheme that is not normally implemented in practice?

A. Layer 0

B. Layer 1

C. Layer 3

D. Layer 4

15. What is the last phase of the TCP/IP three-way handshake sequence?

A. SYN packet

B. ACK packet

C. NAK packet

D. SYN/ACK packet

16. Which one of the following vulnerabilities would best be countered by adequate parameter checking?

A. Time-of-check-to-time-of-use

B. Buffer overflow

C. SYN flood

D. Distributed denial of service

17. What is the value of the logical operation shown here?

    X:      0 1 1 0 1 0
    Y:      0 0 1 1 0 1
    ___________________
    X ∨ Y:  ?

A. 0 1 1 1 1 1

B. 0 1 1 0 1 0

C. 0 0 1 0 0 0

D. 0 0 1 1 0 1

18. In what type of cipher are the letters of the plain-text message rearranged to form the cipher text?

A. Substitution cipher

B. Block cipher

C. Transposition cipher

D. One-time pad

19. What is the length of a message digest produced by the MD5 algorithm?

A. 64 bits

B. 128 bits

C. 256 bits

D. 384 bits

20. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?

A. Renee’s public key

B. Renee’s private key

C. Mike’s public key

D. Mike’s private key

21. Which of the following statements is true?

A. The less complex a system, the more vulnerabilities it has.

B. The more complex a system, the less assurance it provides.

C. The less complex a system, the less trust it provides.

D. The more complex a system, the less attack surface it generates.

22. Ring 0, from the design architecture security mechanism known as protection rings, can also be referred to as all but which of the following:

A. Privileged mode

B. Supervisory mode

C. System mode

D. User mode

23. Which of the following is not a composition theory related to security models?

A. Cascading

B. Feedback

C. Iterative

D. Hookup

24. The collection of components in the TCB that work together to implement reference monitor functions is called the ______________.

A. Security perimeter

B. Security kernel

C. Access matrix

D. Constrained interface

25. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?

A. Directive controls

B. Preventive controls

C. Detective controls

D. Corrective controls

26. System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria?

A. Quality assurance

B. Operational assurance

C. Life cycle assurance

D. Quantity assurance

27. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?

A. Logging usage data

B. War dialing

C. Penetration testing

D. Deploying secured desktop workstations

28. Auditing is a required factor to sustain and enforce what?

A. Accountability

B. Confidentiality

C. Accessibility

D. Redundancy

29. What is the formula used to compute the ALE?

A. ALE = AV * EF * ARO

B. ALE = ARO * EF

C. ALE = AV * ARO

D. ALE = EF * ARO

30. What is the first step of the business impact assessment process?

A. Identification of priorities

B. Likelihood assessment

C. Risk identification

D. Resource prioritization

31. Which of the following represent natural events that can pose a threat or risk to an organization?

A. Earthquake

B. Flood

C. Tornado

D. All of the above

32. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately upon failure of the primary facility?

A. Hot site

B. Warm site

C. Cold site

D. All of the above

33. What form of intellectual property is used to protect words, slogans, and logos?

A. Patent

B. Copyright

C. Trademark

D. Trade secret

34. What type of evidence refers to written documents that are brought into court to prove a fact?

A. Best evidence

B. Payroll evidence

C. Documentary evidence

D. Testimonial evidence

35. Why are military and intelligence attacks among the most serious computer crimes?

A. The use of information obtained can have far-reaching detrimental strategic effects on national interests in an enemy’s hands.

B. Military information is stored on secure machines, so a successful attack can be embarrassing.

C. The long-term political use of classified information can impact a country’s leadership.

D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe.

36. What type of detected incident allows the most time for an investigation?

A. Compromise

B. Denial of service

C. Malicious code

D. Scanning

37. If you want to restrict access into or out of a facility, which would you choose?

A. Gate

B. Turnstile

C. Fence

D. Mantrap

38. What is the point of a secondary verification system?

A. To verify the identity of a user

B. To verify the activities of a user

C. To verify the completeness of a system

D. To verify the correctness of a system

Answers to Assessment Test

1. C. Detective access controls are used to discover (and document) unwanted or unauthorized activity. For more information, please see Chapter 1.

2. D. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and utilize all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear. For more information, please see Chapter 1.

3. B. Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool. For more information, please see Chapter 2.

4. B. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks. For more information, please see Chapter 2.

5. A. Network hardware devices, including routers, function at layer 3, the Network layer. For more information, please see Chapter 3.

6. D. Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content. For more information, please see Chapter 3.

7. D. A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an Internet connection used by a client for access to the office LAN. For more information, please see Chapter 4.

8. D. Email is the most common delivery mechanism for viruses, worms, Trojan horses, documents with destructive macros, and other malicious code. For more information, please see Chapter 4.

9. D. The components of the CIA Triad are confidentiality, availability, and integrity. For more information, please see Chapter 5.

10. B. Privacy is not necessary to provide accountability. For more information, please see Chapter 5.

11. C. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability. For more information, please see Chapter 6.

12. B. The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. For more information, please see Chapter 6.

13. C. The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management. For more information, please see Chapter 7.

14. B. Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist. For more information, please see Chapter 7.

15. B. The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet, and the connection is then established. For more information, please see Chapter 8.

16. B. Parameter checking is used to prevent the possibility of buffer-overflow attacks. For more information, please see Chapter 8.

17. A. The ∨ symbol represents the OR function, which is true when one or both of the input bits are true. For more information, please see Chapter 9.

18. C. Transposition ciphers use an encryption algorithm to rearrange the letters of the plain-text message to form a cipher-text message. For more information, please see Chapter 9.

19. B. The MD5 algorithm produces a 128-bit message digest for any input. For more information, please see Chapter 10.

20. C. Any recipient can use Mike’s public key to verify the authenticity of the digital signature. For more information, please see Chapter 10.

21. B. The more complex a system, the less assurance it provides. More complexity means more areas in which vulnerabilities can exist and more areas that must be secured against threats. More vulnerabilities and more threats mean that the security provided by the system is less trustworthy. For more information, please see Chapter 11.

22. D. Ring 0 has direct access to the most resources; thus, user mode is not an appropriate label, because user mode requires restrictions that limit access to resources. For more information, please see Chapter 11.

23. C. Iterative is not one of the composition theories related to security models. Cascading, feedback, and hookup are the three composition theories. For more information, please see Chapter 12.

24. B. The collection of components in the TCB that work together to implement reference monitor functions is called the security kernel. For more information, please see Chapter 12.

25. C. Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs. For more information, please see Chapter 13.

26. B. Assurance is the degree of confidence you can place in a computer, network, solution, and so on satisfying its security needs. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security. For more information, please see Chapter 13.

27. C. Penetration testing is the attempt to bypass security controls to test overall system security. For more information, please see Chapter 14.

28. A. Auditing is a required factor to sustain and enforce accountability. For more information, please see Chapter 14.

29. A. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE * ARO. The other formulas displayed here do not accurately reflect this calculation. For more information, please see Chapter 15.

30. A. Identification of priorities is the first step of the business impact assessment process. For more information, please see Chapter 15.

31. D. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornadoes, wildfires, and other acts of nature as well. Thus options A, B, and C are correct because they are natural and not man-made. For more information, please see Chapter 16.

32. A. Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company. For more information, please see Chapter 16.

33. C. Trademarks are used to protect the words, slogans, and logos that represent a company and its products or services. For more information, please see Chapter 17.

34. C. Written documents brought into court to prove the facts of a case are referred to as documentary evidence. For more information, please see Chapter 17.

35. A. The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very difficult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage. For more information, please see Chapter 18.

36. D. Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early. For more information, please see Chapter 18.

37. B. A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement to one direction. It is used to gain entry but not exit, or vice versa. For more information, please see Chapter 19.

38. D. Secondary verification mechanisms are set in place to establish a means of verifying the correctness of detection systems and sensors. This often means combining several types of sensors or systems (CCTV, heat and motion sensors, and so on) to provide a more complete picture of detected events. For more information, please see Chapter 19.
