Answers to Practice Exam II

1. D

2. D

3. B

4. A

5. D

6. B

7. C

8. A

9. A

10. B

11. B

12. D

13. B

14. C

15. B

16. A

17. D

18. B

19. B

20. C

21. C

22. D

23. C

24. B

25. C

26. D

27. C

28. D

29. C

30. B

31. B

32. D

33. A

34. C

35. A

36. B

37. C

38. B

39. B

40. C

41. A

42. A

43. C

44. B

45. D

46. A

47. B

48. D

49. B

50. D

51. A

52. A

53. C

54. C

55. C

56. D

57. D

58. B

59. B

60. A

Question 1

The correct answer is D. A fence will not prevent a determined intruder. Although fences can deter an intruder, a determined individual could drive through the fence, cut the fence, blow up the fence, or find another way through. The best design to deter a determined intruder is 8 feet high with three strands of barbed/razor wire. See Chapter 6.

Question 2

The correct answer is D. Class D fires result from combustible metals. All other answers are incorrect: Class A fires consist of wood and paper products, Class B fires consist of liquids such as petroleum, and Class C fires are electrical fires. See Chapter 8.

Question 3

The correct answer is B. Defense in depth can be presented in many ways. It can be layers of the same control or different controls. The outer layer is physical/preventive/deterrent, the second layer is technical/preventive/detective, and the third layer is administrative/preventive. When facing this type of question, always identify which type of control you are dealing with: physical, administrative, or technical. Then determine the purpose of the control: detective, preventive, corrective, and so on. See Chapter 3.

Question 4

The correct answer is A. Magnetic strip card keys contain rows of copper strips. Answers B, C, and D are incorrect: Electronic circuit card keys have embedded electronic circuits, magnetic stripe card keys have stripes of magnetic material, and active electronic cards can transmit data. See Chapter 6.

Question 5

The correct answer is D. Hard-drive encryption offers the best defense against the loss of confidentiality. Answer A is incorrect because integrity programs validate the integrity of installed software but do not validate its confidentiality. Answer B is incorrect; reward labels might or might not encourage someone to return equipment, but they definitely will not protect data confidentiality. Answer C is incorrect because locking cables might prevent someone from removing a laptop but won’t prevent someone from accessing data on the device. See Chapter 2.

Question 6

The correct answer is B. If halon is deployed in concentrations greater than 10% and in temperatures of 900°F or more, it degrades into hydrogen fluoride, hydrogen bromide, and bromine. This toxic brew can be deadly. Answers A, C, and D are incorrect because concentrations must be 10% or greater, and temperatures must reach 900°F. See Chapter 8.

Question 7

The correct answer is C. The NIST standard for perimeter protection using lighting specifies that critical areas should be illuminated with 2 foot-candles of illuminance at a height of 8 feet. Answers A, B, and D do not match the NIST standards. See Chapter 6.

Question 8

The correct answer is A. A Type I error occurs when a biometric system denies an authorized individual access. Answer B is incorrect because a Type II error occurs when an unauthorized individual is granted access. Answers C and D are incorrect because Type III and IV errors do not exist. See Chapter 6.

Question 9

The correct answer is A. When comparing biometric systems, the most important item to consider is the crossover error rate (CER). The CER is the point at which the false acceptance rate meets the false rejection rate. The CER indicates the accuracy of the biometric system. Answers B, C, and D are incorrect because there are no biometric measurements known as error acceptance rate, crossover acceptance rate, or failure acceptance rate. See Chapter 6.

Question 10

The correct answer is B. RSA’s SecurID is an example of synchronous authentication. An RSA SecurID device or token uses a one-time password and a clock that synchronizes the authenticator to the authentication server during the authentication process. Each individual passcode is valid for only a very short period—normally 60 seconds or less—and is used with a username and password for two-factor authentication. Answer A is incorrect because RSA’s SecurID might be part of an SSO system, but this is not an accurate answer. Answer C is incorrect because although the RSA SecurID fob might be considered a token, it is not the best answer available out of the four. Answer D is incorrect because asynchronous authentication devices are not synchronized to the authentication server; rather, these devices use a challenge-response mechanism. See Chapter 6.

Question 11

The correct answer is B. LEAP is considered a weak version of EAP. It makes use of a modified version of CHAP and therefore does not adequately protect the authentication process. Answers A (EAP-FAST), C (PEAP), and D (EAP-TLS) are all strong versions of EAP. See Chapter 5.

Question 12

The correct answer is D. A breach of single sign-on (SSO) can enable an attacker who has authenticated only once to access the many systems that are tied to SSO. Answer A is incorrect because SSO does not involve a lot of maintenance and overhead. Answer B is incorrect because although SSO systems such as Kerberos do require clock synchronization, this is not the overriding security issue. Answer C is incorrect because every system has some type of flaw or drawback. See Chapter 6.

Question 13

The correct answer is B. Snort started as a signature-based IDS. Today, Snort has grown to include behavior-based features. A signature-based system examines data to check for malicious content. When data is found that matches a known signature, it can be flagged to initiate further action. Answer A is incorrect because Snort is not a behavior-based IPS. Answer C is incorrect because Snort is not a behavior-based IDS. Answer D is incorrect because although Snort is signature based, it is considered an IDS, not an IPS. IPSs are unlike IDSs in that IPSs have much greater response capabilities and allow administrators to initiate action upon being alerted. See Chapter 6.

Question 14

The correct answer is C. Asynchronous attacks are sometimes called race conditions because the attacker is racing to make a change to an object before it is used by the system. Asynchronous attacks typically target timing. The objective is to exploit the delay between the time of check (TOC) and the time of use (TOU). Answers A, B, and D are incorrect because they do not adequately describe a race condition. See Chapter 4.

Question 15

The correct answer is B. Rings of protection run from layer 0 to layer 3. Layer 2 is the location of I/O drivers and utilities. Answers A, C, and D are incorrect because layer 1 contains parts of the OS that do not reside in the kernel, layer 3 contains applications and programs, and layer 0 is the location of the security kernel. See Chapter 4.

Question 16

The correct answer is A. Multiprogramming CPUs can interleave two or more programs for execution at any one time. Answer B is incorrect because multitasking CPUs have the capability to perform one or more tasks or subtasks at a time. Answer C is incorrect because there is no type of processor known as multiapp. Answer D is incorrect because the term multiprocessor refers to systems that have the capability to support more than one CPU. See Chapter 4.

Question 17

The correct answer is D. The ALU portion of the CPU performs arithmetic and logical operations on the binary data. Answers A, B, and C are incorrect because I/O buffers, registers, and the control circuits do not perform arithmetic and logical operations. See Chapter 4.

Question 18

The correct answer is B. The Biba model is integrity based and does not allow a subject to write to a higher security level or read from a lower security level. Answer A is incorrect because the Bell-LaPadula model is based on confidentiality. Answer C is incorrect because the state machine model seeks to determine whether one state is valid before moving to another. Answer D is incorrect because the Clark-Wilson model is an integrity model and is designed to address integrity. See Chapter 4.

Question 19

The correct answer is B. The Lockheed Martin Cyber Kill Chain framework has seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions. Therefore, answers A, C, and D are incorrect. See Chapter 7.

Question 20

The correct answer is C. Containerization has become a major trend in software development as an alternative or companion to virtualization. Containerization involves encapsulating or packaging software code and all its dependencies so that it can run uniformly and consistently on any infrastructure. Answers A, B, and D are incorrect. Microservices architecture enables rapid, frequent, and reliable delivery of large, complex applications. Serverless defines apps deployed in containers that automatically launch on demand when called. An embedded system is a combination of a computer processor, computer memory, and input/output that has a dedicated function within a larger mechanism, such as IoT or SCADA. See Chapter 5.

Question 21

The correct answer is C. The trusted computing base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, software, processes, and some interprocess communications. These items are responsible for enforcing security. Answer A is incorrect because rings of protection are designed to protect the operating system. Answer B is incorrect because the security kernel is the most trusted portion of the operating system. Answer D is incorrect because although resource isolation is an important part of implementing security, it is not the totality of protection mechanisms. See Chapter 4.

Question 22

The correct answer is D. Session Initiation Protocol (SIP) is an application-layer request/response protocol used for VoIP. SIP is transported by UDP, makes use of TCP, and is vulnerable to sniffing attacks. More details can be found in RFC 2543. Answer A is incorrect because there is no protocol called SKYP; the proprietary product Skype offers encryption and is used for a peer-to-peer Internet phone service. Answer B is incorrect because SLIP is used by ISPs for dialup connections. Answer C is incorrect because S/MIME is used to secure email. See Chapter 5.

Question 23

The correct answer is C. 802.11b uses direct-sequence spread spectrum (DSSS) technology. DSSS is a transmission method that transmits the data along with a chipping bit to increase the signal’s resistance to interference. Answer A is incorrect because Bluetooth uses frequency-hopping spread spectrum. Answer B is incorrect because 802.11a uses orthogonal frequency-division multiplexing. Answer D is incorrect because 802.11ac uses MIMO-OFDM. See Chapter 5.

Question 24

The correct answer is B. A rogue AP is an unauthorized AP attached to a corporate network. Rogue APs are some of the biggest threats to a secure network. Answer A is incorrect because a connection to an unauthorized modem is not a valid answer. Answer C is incorrect because a rogue AP is not a modem. Answer D is incorrect because a connection to an unsecured network is not a rogue AP but might be considered an act of war driving. See Chapter 5.

Question 25

The correct answer is C. A Fagan inspection is a formal code review that makes sure all the documentation is correct, clearly understandable, and created to standard. Usually the inspection team checks test cases, specifications, and code. Answers A, B, and D are incorrect because fuzzing is associated with misuse testing, synthetic transactions are used for stress testing, and RASP is designed to detect attacks in real time and functions to monitor the execution of the application. See Chapter 7.

Question 26

The correct answer is D. T1s use time division to break the individual DS0s into 24 separate channels. Time division is the allotment of available bandwidth based on time. It allows a T1 to carry both voice and data at the same time. Answer A is incorrect because there is no system known as channel division. Answer B is incorrect because FHSS is used by mobile devices. Answer C is incorrect because T1s do not use frequency division. See Chapter 5.

Question 27

The correct answer is C. A disaster recovery plan (DRP) focuses on how to repair and restore a data center and the information at an original or new primary site. Answer A is incorrect because a business continuity plan (BCP) is focused on the continuation of critical services. Answer B is incorrect because business continuity management (BCM) is about building a framework for a capable response. Answer D is incorrect because a business impact analysis (BIA) is a functional analysis used to identify the potential impact of an outage. See Chapter 8.

Question 28

The correct answer is D. Software escrow agreements are used to provide protection for source code in the event that the manufacturer declares bankruptcy or goes broke. The three items that are most critical in this type of agreement are where the code will be deposited, under what conditions the code will be released, and the terms of use of the source code upon its release to the user. Answer A is incorrect because government access to keys deals with the government’s desire to maintain cryptographic keys used by industry. Answer B is incorrect because mutually assured destruction (MAD) is a term not associated with software protection. Answer C is incorrect because electronic vaulting is a term that describes the bulk transfer of data. See Chapter 8.

Question 29

The correct answer is C. The Safe Harbor Act is a cooperative effort between the United States and Europe to exchange information about European citizens between European firms and North American parent corporations. It was enacted because a large number of individuals had been victims of identity theft and to deal with the increasing misuse of personal information under existing laws and agreements. Answer A is incorrect because although SB 168 deals with privacy, it is a state law that took effect in 2002, preventing businesses from using California residents’ Social Security numbers as unique identifiers. Answer B is incorrect because there is no law known as the Demar Act. Answer D is incorrect because the name of the act is not Safety Shield. See Chapter 3.

Question 30

The correct answer is B. A bit copy, or physical copy, captures all the data on the copied medium and produces an exact copy that includes hidden and residual data, slack space, swap contents, deleted files, and other data remnants. It allows an examiner to perform an analysis of the copy and store the original. Answer A is incorrect because a logical copy does not completely duplicate the structure of the original media. Answer C is incorrect because Microsoft Backup is not an approved product for forensic analysis. Answer D is incorrect because although Xcopy can duplicate files, it does not provide a bit-level copy of the original medium. See Chapter 8.

Question 31

The correct answer is B. Secure Electronic Transaction (SET) was developed by MasterCard and Visa to be used on the Internet for credit card transactions. It uses digital signatures. Answer A is incorrect because SET is not used for digital signatures. Answer C is incorrect because SET is not used for key exchange, and Victor Miller and Neal Koblitz are the creators of ECC. Answer D is incorrect because SET does not use SSL. See Chapter 5.

Question 32

The correct answer is D. Knowledge discovery in databases is an artificial intelligence method used to identify useful patterns in data; it provides a type of automatic analysis. Answer A is incorrect because polyinstantiation is a technique used to prevent inference violations. Answer B is incorrect because known signature scanning is a method used to detect computer viruses. Answer C is incorrect because an application programming interface (API) is not associated with artificial intelligence. See Chapter 9.

Question 33

The correct answer is A. Although RFC 1035 does allow DNS lookups over TCP, this service is provided only when lookups are greater than 512 bytes; typically UDP port 53 is used. Answers B, C, and D are incorrect because UDP port 69 is used for TFTP, TCP port 53 is used for zone transfers, and UDP port 161 is used for SNMP. See Chapter 5.

Question 34

The correct answer is C. Running the md5sum hashing algorithm would be the best way for Bob to verify the program. Answer A is incorrect because AES is a symmetric algorithm and will not help Bob verify the program. Answer B is incorrect because the size and date might match the information found on the developer’s website, but the program still might have been altered. Answer D is incorrect because a digital signature will not verify the integrity of the program. See Chapter 6.

Question 35

The correct answer is A. IMAP is associated with email, but it is not an email security standard; it is a protocol to receive email and excels compared to POP3 when working with mail on multiple devices/clients. It also leaves a copy on the server. Answers B, C, and D are all incorrect as they specify valid email security standards: MIME Object Security Services (MOSS), Pretty Good Privacy (PGP), and Privacy Enhanced Email (PEM). See Chapter 5.

Question 36

The correct answer is B. With link encryption, the message is decrypted and re-encrypted as it passes through each successive node, using a key common to the two nodes. Answers A, C, and D are incorrect because they all describe end-to-end encryption. See Chapter 5.

Question 37

The correct answer is C. Diameter uses RADIUS as a base and is considered the next generation of authentication, authorization, and accounting services for the Internet, with over 16 million attribute/variable pair (AVP) tags for negotiation. Answer A is incorrect because TACACS is not considered a base for Diameter. Answer B is incorrect because TACACS+ is a Cisco protocol that is widely used. Answer D is incorrect because Kerberos is not associated with Diameter but is considered a single sign-on technology. See Chapter 6.

Question 38

The correct answer is B. Programmers involved in database management talk about the ACID test when discussing whether a database management system has been properly designed to handle transactions. The ACID test addresses atomicity, consistency, isolation, and durability. Answer A is incorrect because the ACID test does not deal with behavior-based IDSs. Answer C is incorrect because ACID is not related to signature-based IDSs. Answer D is incorrect because the ACID test is not related to the strength of a cryptographic function. See Chapter 9.

Question 39

The correct answer is B. Redundant array of inexpensive tape (RAIT) is used to back up systems by means of a tape array that stripes the data across the tape. Answer A is incorrect because RAID is not typically used for backup. Answer C is incorrect because JBOD (just a bunch of disks) offers no backup or fault tolerance. Answer D is incorrect because SOAR (Security Orchestration, Automation, and Response) is not a type of tape backup but is used to respond to security events through playbooks and requires little to no human intervention. See Chapter 8.

Question 40

The correct answer is C. RC4 is a stream cipher. It has been implemented in products such as SSL and WEP. Answer A is incorrect because DES is a block cipher with a 56-bit key size. Answer B is incorrect because Camellia is a block cipher developed by Mitsubishi with a default 128-bit block size. Answer D is incorrect because Twofish is a 256-bit key size block cipher. See Chapter 4.

Question 41

The correct answer is A. Electronic Code Book (ECB) is fast and simple but is also the weakest mode of DES. Answer B is incorrect because Cipher Block Chaining (CBC) is not the weakest mode of DES. Answer C is incorrect because Cipher Feedback (CFB) is more secure than ECB and OFB. Answer D is incorrect because Output Feedback (OFB) is not the weakest, but it can’t detect integrity errors as well as CFB. See Chapter 4.

Question 42

The correct answer is A. The statement “access and use of the Internet is a privilege and should be treated as such by all users” is part of RFC 1087, which is titled “Ethics and the Internet.” Answer B is incorrect because the statement is not part of the (ISC)2 Code of Ethics. Answer C is incorrect because the statement is not part of the Ten Commandments of Computer Ethics. Answer D is incorrect because RFC 1109 addresses network management, not ethics. See Chapter 7.

Question 43

The correct answer is C. The waterfall method is the oldest and one of the most well-known methods for developing software systems. It was developed in the 1970s and is divided into phases, each of which involves a list of activities that must be performed before the next phase can begin. Answer A is incorrect because the spiral model is a combination of the waterfall and prototyping methods. Answer B is incorrect because the clean room software development method focuses on ways to prevent defects rather than ways to remove them. Answer D is incorrect because the V-shaped waterfall model is an extension to the original waterfall model. See Chapter 9.

Question 44

The correct answer is B. Multipartite malware is not one of the techniques used by fileless malware. Answers A, C, and D are incorrect because all three are techniques used by fileless malware. A fileless infector can execute in one of several ways, including Windows registry manipulation, memory code injection, and script-based techniques. See Chapter 9.

Question 45

The correct answer is D. HTTPS uses TCP and port 443. Answer A is incorrect because port 80 is used for HTTP, answer B is incorrect because port 110 is used for POP3, and answer C is incorrect because port 111 is for Network File Service. See Chapter 5.

Question 46

The correct answer is A. Hierarchical databases link records in a tree structure so that each record type has only one owner. Hierarchical databases date from the information management systems of the 1950s and 1960s. Answer B is incorrect because network databases were not the first. Answer C is incorrect because although relational databases are the most widely used, they were not the first. Answer D is incorrect because object-oriented databases were not the first; they were designed to overcome some of the limitations of relational databases. See Chapter 9.

Question 47

The correct answer is B. The IEEE divides the OSI data link layer into sublayers. The upper half is the Logical Link Control (LLC) layer, and the lower half is the Media Access Control (MAC) layer. The LLC layer is based on HDLC; the MAC layer is where 802.3 addressing is performed. Answers A, C, and D are incorrect because none of these are sublayers of the data link layer. See Chapter 5.

Question 48

The correct answer is D. An access control matrix is used to associate the relationships and rights of subjects and objects. Answer A is incorrect because MAC uses security labels on objects and clearances for subjects. Answer B is incorrect because RBAC would be based on roles and containers, not users. Answer C is incorrect because LBAC is based on the interaction between any combination of objects and subjects. LBAC provides upper and lower limits for a user. See Chapter 6.

Question 49

The correct answer is B. Subjects are the active entities, and objects are the passive entities. A subject does not have to be a person; it can be an application. However, in this scenario, the subject—the active entity—is the list of names. Answers A, C, and D are incorrect. Subjects are active, objects are passive, and the mode of access is read or write. See Chapter 6.

Question 50

The correct answer is D. A service set ID (SSID) is used to identify an 802.11 network. An SSID is a 32-bit character string that acts as a shared identifier and that some describe as a very weak password. The SSID is used to differentiate one WLAN from another. Answer A is incorrect because a security ID (SID) is an identifier used in conjunction with Microsoft domains. Answer B is incorrect because a broadcast name is not a means of identifying a WLAN. Answer C is incorrect because Kismet is a Linux software program used to sniff wireless traffic. See Chapter 5.

Question 51

The correct answer is A. Threat intelligence leverages threat history and includes threat feeds, indicators of compromise (IoCs), and other evidence of threat actor activity that security analysts analyze and enrich. This information is used to look for persistent threats and zero-day exploits. Answers B, C, and D are incorrect because IDP, SIEM, and UEBA use machine learning, algorithms, and statistical analyses to detect deviations from established patterns. These anomalies may indicate potential or real threats. See Chapter 9.

Question 52

The correct answer is A. An evaluation that is carried out and meets evaluation assurance level (EAL) 1 specifies that the design has been functionality tested. Answers B, C, and D are incorrect because EAL 2 = structurally tested; EAL 4 = methodically designed, tested, and reviewed; and EAL 5 = semi-formally designed and tested. See Chapter 4.

Question 53

The correct answer is C. Clark-Wilson does not provide for the confidentiality of information; Clark-Wilson deals with integrity. Answers A, B, and D are all incorrect because the question asks which aspect Clark-Wilson does not address. See Chapter 4.

Question 54

The correct answer is C. A data custodian is responsible for maintaining and protecting a company’s assets and data at a macro level. Answer A is incorrect because the user is the individual who uses the documentation. Answer B is incorrect because the data owner is responsible for protecting the data. Answer D is incorrect because the auditor makes periodic reviews of the documentation and verifies that it is complete and that users are following its guidelines. See Chapter 2.

Question 55

The correct answer is C. Single loss expectancy (SLE) × Annualized rate of occurrence (ARO) is the formula used to determine ALE. Answers A, B, and D are incorrect because these formulas are not used to calculate ALE. See Chapter 3.

Question 56

The correct answer is D. A qualitative assessment ranks the seriousness of threats and sensitivity of assets into grades or classes, such as low, medium, and high. It is performed by experts or external consultants and is based on risk scenarios. Although purely quantitative risk assessment is not possible, purely qualitative risk analysis is. Answers A, B, and C are incorrect because they do not adequately describe qualitative risk assessment. See Chapter 3.

Question 57

The correct answer is D. Facilitated Risk Analysis Process (FRAP) is an example of a qualitative assessment technique. It is not used for BCP, quantitative assessment, or DRP; therefore, answers A, B, and C are incorrect. See Chapter 3.

Question 58

The correct answer is B. The U.S. Department of Defense data classification standard classifies data as unclassified, sensitive, confidential, secret, and top secret. Answer A is incorrect because ISO 17799 is an international security standard policy. Answer C is incorrect because RFC 2196 is the Site Security Handbook and does not address data classification standards. Answer D is incorrect because there is no CDCS standard. See Chapter 2.

Question 59

The correct answer is B. Risk rejection is the least prudent course of action because it means that individuals have decided that risk does not exist and are ignoring it. Answer A is incorrect because risk reduction occurs when a countermeasure is implemented to alter or reduce the risk. Answer C is incorrect because risk transference involves transferring risk to a third party. Answer D is incorrect because risk acceptance means that risk is analyzed, but the responsible individuals have decided that they will accept the risk. See Chapter 4.

Question 60

The correct answer is A. Risk management requires that vulnerabilities be examined, that loss expectancy be calculated, that a probability of occurrence be determined, and that the costs of countermeasures be estimated. Only then can it be determined whether the value of an asset outweighs the cost of protection. Answer B is incorrect because typically you would not spend more on the countermeasure than the value of the asset. Answer C is incorrect because you would not typically implement a countermeasure regardless of the price. Answer D is incorrect because the risk must be evaluated before you can assess whether insurance should or should not be used, and because it is possible for the cost of protection to outweigh the value of an asset. See Chapter 3.
