Answers to Practice Exam I

1. C

2. A 1

B 1

C 2

D 3

3. C

4. D

5. D

6. B

7. B

8. B

9. B

10. D

11. D

12. C

13. D

14. A

15. B

16. B

17. A

18. B

19. B

20. C

21. B

22. D

23. A

24. C

25. C

26. A

27. B

28. C

29. B

30. D

31. B

32. B

33. D

34. D

35. A

36. B

37. C

38. D

39. A

40. D

41. C

42. B

43. A

44. A

45. D

46. B

47. D

48. D

49. A

50. C

51. D

52. B

53. A

54. A

55. B

56. B

57. D

58. B

59. B

60. D

Question 1

The correct answer is C. Attribute-based access control (ABAC) evaluates attributes of the subject, the object, the requested action, and the environment (such as time of day or device posture) against a policy; a policy decision point makes the decision, and a policy enforcement point applies it. Answer A is incorrect because mandatory access control (MAC) uses fixed labels (classifications and clearances). Answer B is incorrect because discretionary access control (DAC) leaves access control up to the owner’s discretion. Answer D is incorrect because role-based access control (RBAC) grants permissions through roles and is used extensively by banks and other organizations that have very defined roles. See Chapter 6.

Question 2

The correct answer is shown in the table below. Information security models are a key topic that you can expect to be questioned on. While there are more than the four shown in this question, these are some of the most commonly tested models. Both Biba and Clark-Wilson are integrity models (which you can remember based on the fact that each has an i in its name). Bell-LaPadula is an example of a confidentiality model, and the primary purpose of Brewer and Nash is to prevent conflicts of interest. See Chapter 4.

Model              Category
Biba               Integrity (1)
Clark-Wilson       Integrity (1)
Bell-LaPadula      Confidentiality (2)
Brewer and Nash    Conflict of Interest (3)

Question 3

The correct answer is C. Iris recognition functions by analyzing the features that exist in the colored tissue surrounding the pupil to confirm a match. These systems can analyze more than 200 points for comparison. Answer A is incorrect because retina scanning analyzes the layer of blood vessels in the eye. The retina is also more prone to change than the iris. Answer B is incorrect because cornea scanning does not exist. Answer D is incorrect because optic nerve scanning does not exist. See Chapter 6.

Question 4

The correct answer is D. The crossover error rate (CER), also called the equal error rate, is the point at which the false rejection rate and the false acceptance rate are equal. It is expressed as a percentage, and a lower number indicates a more accurate biometric system. It is the most important single measurement when comparing the accuracy of biometric systems, because it does not depend on where a vendor happens to set the decision threshold. Answers A and C are incorrect because there is no crossover acceptance rate. Answer B is incorrect because higher numbers indicate less accurate systems. See Chapter 6.

Question 5

The correct answer is D. If a biometric system examines too much detail in a sample, it becomes prone to false rejection (Type I) errors, in which legitimate users are improperly denied access; that is why answers A, B, and C are incorrect. If the system does not examine enough detail, it is instead prone to false acceptance (Type II) errors, in which unauthorized individuals are granted access to resources and devices they should not have. Fingerprints are fairly static characteristics, and some fingerprint systems are very accurate. You should know the difference between Type I and Type II errors and how CER is used. See Chapter 6.
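To make the trade-off in Questions 4 and 5 concrete, the following Python example (added here; it is not part of the book's answer key) sweeps a matcher's decision threshold over constructed genuine and impostor similarity scores, computes the false rejection rate (Type I) and false acceptance rate (Type II) at each threshold, and locates the crossover. The score lists are made up for the demonstration; a real system would use thousands of samples.

```python
# Constructed similarity scores (0-100): higher means a closer match to the
# enrolled template. Genuine attempts cluster high, impostors cluster low,
# but the two overlap, which is why the threshold matters.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 71, 68, 65, 61, 58]
IMPOSTOR_SCORES = [22, 28, 33, 38, 42, 46, 50, 54, 57, 60, 64, 69]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for the rule 'accept if score >= threshold'.
    FRR: fraction of legitimate users rejected (Type I error).
    FAR: fraction of impostors accepted (Type II error)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold; return (threshold, CER) where FRR and FAR meet.
    A lower CER means a more accurate system."""
    best_t, best_gap, best_cer = None, None, None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (frr + far) / 2
    return best_t, best_cer


def threshold_for(goal, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Tuning away from the crossover buys one error type with the other:
    'security' takes the lowest threshold that admits no impostor (FAR = 0),
    'convenience' the highest threshold that rejects no genuine user (FRR = 0)."""
    if goal == "security":
        return min(t for t in range(101) if error_rates(t, genuine, impostor)[1] == 0.0)
    if goal == "convenience":
        return max(t for t in range(101) if error_rates(t, genuine, impostor)[0] == 0.0)
    raise ValueError(goal)


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"CER {cer:.3f} at threshold {t}")
    for goal in ("security", "convenience"):
        th = threshold_for(goal)
        print(goal, th, error_rates(th))
```

With these scores the crossover sits at threshold 62 with a CER of about 16.7 percent; moving to 70 drives FAR to zero at the price of rejecting a third of genuine users, which is exactly the Type I inflation the question describes.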

Question 6

The correct answer is B. A 3- to 4-foot fence will deter casual trespassers. Answers A, C, and D do not correctly address the question: Fences 2 to 3 feet high can be easily crossed and would not be considered deterrents. Fences that are 5–7 feet high are more difficult to climb than shorter fences. Fences that are 8 feet high should be used to deter a determined intruder. See Chapter 6.

Question 7

The correct answer is B. The data owner, who is typically a member of senior management, is ultimately accountable for protecting company assets and data, including classifying the data and deciding who may access it. Answer A is incorrect because the user is the individual who uses the documentation. Answer C is incorrect because the data custodian carries out the owner’s decisions day to day, maintaining the assets and implementing the controls, but does not hold ultimate responsibility for them. Answer D is incorrect because an auditor makes periodic reviews of the documentation, verifies that it is complete, and ensures that users are following its guidelines. See Chapter 8.

Question 8

The correct answer is B. A vulnerability is a flaw, a loophole, an oversight, or an error that makes an organization susceptible to attack or damage. Answer A is incorrect because a risk is the potential for harm arising from a threat exploiting a vulnerability. Answer C is incorrect because exposure describes the extent to which an asset is open to loss through a vulnerability. Answer D is incorrect because a threat is a natural or human-caused event that could have some type of negative impact on an organization. See Chapter 3.

Question 9

The correct answer is B. The correct formula for determining single loss expectancy is Single loss expectancy = Asset value × Exposure factor. Answers A, C, and D are incorrect because none of them shows the correct formula. Factors to consider when calculating SLE include physical destruction or theft of assets, loss of data, theft of information, and threats that might cause delays in processing. See Chapter 3.

Question 10

The correct answer is D. Quantitative assessment deals with numbers and dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis. To complete the assessment, first estimate potential losses, then conduct a threat analysis, and finally determine annual loss expectancy. Answers A, B, and C do not list the steps needed to perform a quantitative assessment. See Chapter 3.

Question 11

The correct answer is D. The Delphi technique is an example of a qualitative assessment technique. It is not used for quantitative assessment, DRP, or BCP; therefore, answers A, B, and C are incorrect. See Chapter 3.

Question 12

The correct answer is C. The formula for total risk is Threat × Vulnerability × Asset value. Answers A, B, and D are incorrect because they do not show how to find total risk. See Chapter 3.

Question 13

The correct answer is D. Risk acceptance means that the risk has been analyzed, and the individuals responsible have decided that they will accept this risk. Answer A is incorrect because risk reduction involves implementing a countermeasure to alter or reduce the risk. Answer B is incorrect because risk rejection means that the responsible party has decided to ignore the risk. Answer C is incorrect because risk transference involves transferring the risk to a third party, such as an insurer. See Chapter 3.

Question 14

The correct answer is A. Protection rings support the security of a system. Layer 0 is the most trusted ring, and the security kernel resides at layer 0. Answers B, C, and D are incorrect because the security kernel is not located in layer 1, layer 2, or layer 4. See Chapter 4.

Question 15

The correct answer is B. Answers A, C, and D would all work; the question asks which would not work. Authentication Header (AH) computes its integrity check value over the whole IP packet, including the immutable fields of the IP header such as the source and destination addresses, so any device that rewrites those addresses, which is exactly what Network Address Translation (NAT) does, invalidates the check. AH is therefore intrinsically incompatible with NAT. See Chapter 5.
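The following Python example (added here, not from the book) is a simplified model of the AH and NAT conflict. It builds a minimal IPv4 header, computes an integrity check value (ICV) over the header with the mutable fields zeroed plus the payload, and then shows that a hop that only decrements the TTL still verifies while a NAT rewrite of the source address does not. Real AH follows the packet layout in RFC 4302 and zeroes more mutable fields than shown; the HMAC-SHA256 truncated to 96 bits and the key are stand-ins constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed integrity key, as if negotiated by IKE (constructed value).
KEY = b"constructed-demo-key"


def ipv4_header(src, dst, ttl=64, proto=51, length=60):
    """Minimal 20-byte IPv4 header, no options. proto 51 = AH."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, length, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def ah_icv(header, payload):
    """ICV over the header with mutable fields zeroed, plus the payload.
    Only TTL and the header checksum are treated as mutable here; the
    addresses stay in the covered data, which is the whole point."""
    h = bytearray(header)
    h[8] = 0                 # TTL changes at every hop
    h[10:12] = b"\x00\x00"   # checksum is recomputed at every hop
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def verify(header, payload, icv):
    return hmac.compare_digest(ah_icv(header, payload), icv)


def router_hop(header):
    """A plain router: decrement TTL only."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_rewrite(header, new_src):
    """A NAT device: decrement TTL and replace the source address."""
    h = bytearray(router_hop(header))
    h[12:16] = ipaddress.ip_address(new_src).packed
    return bytes(h)


def demo():
    payload = b"hello"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5")  # sender computes the ICV
    icv = ah_icv(hdr, payload)
    return {
        "original": verify(hdr, payload, icv),
        "after_hop": verify(router_hop(hdr), payload, icv),
        "after_nat": verify(nat_rewrite(hdr, "198.51.100.7"), payload, icv),
    }


if __name__ == "__main__":
    print(demo())
```

ESP, by contrast, does not cover the outer IP header, which is why ESP survives NAT and why NAT traversal (UDP encapsulation of ESP, RFC 3948) exists for it and not for AH.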

Question 16

The correct answer is B. Registers are considered temporary storage units within a CPU. A CPU consists of registers, an arithmetic/logic unit (ALU), and control circuitry. Answers A, C, and D are incorrect because the I/O buffers, control circuitry, and the ALU are not considered temporary storage units in the CPU. See Chapter 4.

Question 17

The correct answer is A. The Biba model, which was published in 1977, was the first model developed to address integrity. Its goal is to prevent unauthorized users from making changes to the system; it addresses only that one integrity goal (keeping outsiders from modifying data). Answer B is incorrect because, although the Clark-Wilson model is based on integrity, it was not the first such model. Answer C is incorrect because the Brewer and Nash model addresses conflicts of interest, not integrity. Answer D is incorrect because the Chinese Wall is another name for the Brewer and Nash model. See Chapter 4.

Question 18

The correct answer is B. Bell-LaPadula was the first model to address confidentiality. It was developed in the 1970s and was considered groundbreaking because it supported multilevel security. Although it is well suited for the DoD and government, it is not well suited for modern commercial entities. Answer A is incorrect because the Biba model is an integrity model. Answer C is incorrect because the Graham-Denning model was not the first confidentiality-focused model to be developed. Answer D is incorrect because the Clark-Wilson model is another example of an integrity model. See Chapter 4.

Question 19

The correct answer is B. Dynamic application security testing (DAST) is a black-box testing technique that involves inspecting an application at runtime for vulnerabilities. Answer A is incorrect because interactive application security testing (IAST) involves placing an agent within an application and performing all its analysis in the app in real time, at any point in the development process. Answer C is incorrect because runtime application self-protection (RASP) works inside an application but is a protective control rather than a testing technique; RASP is designed to monitor and control an application’s execution. Answer D is incorrect because static application security testing (SAST) is considered white-box testing and helps developers find security vulnerabilities in the application source code earlier in the software development lifecycle. See Chapter 4.

Question 20

The correct answer is C. Compartmented security mode requires all subjects to have a clearance for most restricted information and a valid need to know. Answer A is not correct because a dedicated security mode would require a clearance for all information; this question requires a security clearance for most, not all, information. Answer B is not correct because a system high security mode must have a clearance for all information and a valid need to know for some information. This scenario requires a clearance for most restricted information and a valid need to know. Answer D is not correct because with a multilevel mode, some subjects do not have clearance for all information, and each subject has a need to know for all information he or she will access. CISSP candidates must know the four different security modes of operation. See Chapter 4.

Question 21

The correct answer is B. During the actual exam, expect to see some enhanced questions that feature figures or diagrams. There are two methods by which PKI revocation can be handled. The first is a certificate revocation list (CRL), which the CA signs and publishes periodically or after a certificate has been revoked; the client downloads the whole list. The second is the Online Certificate Status Protocol (OCSP), in which the client asks an OCSP responder about one certificate at a time. OCSP responses are signed but not encrypted, the query discloses to the responder which certificate a particular host is checking, and OCSP generally places less burden on client resources than fetching a full CRL. An OCSP response does not contain more information than a CRL entry. See Chapter 4.

Question 22

The correct answer is D. A foreign key is an attribute in one table whose value matches the primary key in another table. Answer A is incorrect because a field is the smallest unit of data within a database. Answer B is incorrect because aggregation refers to the process of combining several low-sensitivity items such that the result is a higher-sensitivity data item. Answer C is incorrect because a composite key is two or more columns that together serve as a table’s primary key. See Chapter 9.

Question 23

The correct answer is A. Bluetooth uses frequency-hopping spread spectrum (FHSS). FHSS functions by modulating the data onto a narrowband carrier signal that hops from frequency to frequency in a pseudorandom sequence known to both endpoints, so the hopping looks random to an outside observer but is predictable to the paired devices. Bluetooth can be susceptible to Bluejacking and other forms of attack. Answer B is incorrect because 802.11a uses orthogonal frequency-division multiplexing (OFDM). Answer C is incorrect because 802.11b uses direct-sequence spread spectrum (DSSS) technology. Answer D is incorrect because LiFi uses light to transmit data and position information between devices. See Chapter 5.

Question 24

The correct answer is C. Virtual Extensible LAN (VXLAN) is a technology designed to provide the same Ethernet Layer 2 network services as a VLAN but with greater extensibility and flexibility. VXLAN supports the virtualization of a data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale. Answer A is incorrect because a virtual LAN (VLAN) is any broadcast domain that is partitioned from one or more existing LANs. A virtual LAN is administered like a physical LAN. Answers B and D are incorrect because a trunk is simply a link between two switches that carries the data of more than one VLAN and CDMA is a method for cellular phone transmission. See Chapter 5.

Question 25

The correct answer is C. Twenty-four DS0 lines are bundled to make one T1. A T1 line has a composite rate of 1.544 Mbps. Answers A, B, and D are incorrect because 18-, 21-, and 32-DS0 line bundles do not exist. See Chapter 5.

Question 26

The correct answer is A. Microsegmentation is a security technique that breaks data centers and cloud environments into segments down to the individual workload level. Answer B is incorrect because, although firewalls were the original segmentation model, placing them between every workload would not allow for efficient network operations. Answer C is incorrect because zero trust is a design principle, maintaining strict access controls and trusting no one by default regardless of whether they are outside or already inside the network perimeter, rather than a segmentation technique. Answer D is incorrect because a software-defined WAN (SD-WAN) applies software-defined networking to the links between sites and service providers and is programmable by the user to deliver bandwidth on demand; it does not segment workloads. See Chapter 5.

Question 27

The correct answer is B. Transaction persistence means that a completed transaction’s results are durable and that the database’s security and integrity state is consistent both before and after the transaction, so there is no risk of integrity problems. Answer A is incorrect because it does not define transaction persistence. Answer C is incorrect because transaction persistence does not mean the data itself is unchanged by a transaction; it means the committed change survives and the database remains in a consistent state. Answer D is incorrect because, even though databases should be available to multiple users at the same time without endangering the integrity of the data, that describes concurrency, not transaction persistence. See Chapter 9.

Question 28

The correct answer is C. Aggregation is the capability to combine data from separate sources to gain information. Answer A is incorrect because metadata is data about data. Answer B is incorrect because inference attacks occur when authorized users infer information by analyzing the data they have access to. Answer D is incorrect because deadlocking is a database stalemate. See Chapter 9.
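The following Python example (added here; it is not from the book) uses the standard sqlite3 module to show, on one constructed schema, the foreign key and composite key from Question 22 and the aggregation and inference problems from Question 28: a user who is only allowed aggregate queries over a department still recovers one employee's salary by subtracting two permitted sums, and a query-set-size control blocks that particular trick. Note that SQLite enforces foreign keys only after PRAGMA foreign_keys is turned on, which is a common integrity gotcha. The tables, names, and salaries are made up.

```python
import sqlite3


def build_db():
    """Constructed schema: departments, employees (foreign key to dept),
    and assignments with a composite primary key."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless this is set
    con.executescript("""
        CREATE TABLE dept (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            dept_id INTEGER NOT NULL REFERENCES dept(dept_id),
            name    TEXT NOT NULL,
            salary  INTEGER NOT NULL);
        CREATE TABLE assignment (
            emp_id  INTEGER NOT NULL REFERENCES employee(emp_id),
            project TEXT NOT NULL,
            PRIMARY KEY (emp_id, project));     -- composite primary key
        INSERT INTO dept VALUES (1, 'Engineering'), (2, 'Security');
        INSERT INTO employee VALUES
            (1, 1, 'Ada', 120000), (2, 1, 'Bob', 90000),
            (3, 1, 'Cy', 95000), (4, 2, 'Dee', 130000);
        INSERT INTO assignment VALUES (1, 'alpha');
    """)
    return con


def _rejected(con, sql, params=()):
    try:
        con.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_rejected(con):
    """Employee in department 9, which does not exist: foreign key violation."""
    return _rejected(con, "INSERT INTO employee VALUES (5, 9, 'Eve', 1)")


def duplicate_assignment_rejected(con):
    """(1, 'alpha') already exists: composite primary key violation."""
    return _rejected(con, "INSERT INTO assignment VALUES (1, 'alpha')")


def infer_salary(con, dept_id, target_name):
    """Policy allows only aggregates over a department, never a single row.
    Two permitted SUMs still isolate one person: SUM(all) - SUM(all but target)."""
    total = con.execute("SELECT SUM(salary) FROM employee WHERE dept_id = ?",
                        (dept_id,)).fetchone()[0]
    rest = con.execute("SELECT SUM(salary) FROM employee WHERE dept_id = ? AND name <> ?",
                       (dept_id, target_name)).fetchone()[0]
    return total - rest


def guarded_sum(con, dept_id, exclude_name=None, k=3):
    """Query-set-size control: refuse any aggregate over fewer than k rows.
    This blocks the subtraction above (and a one-person department), though
    not every tracker attack; the SQL fragment is fixed, not user-supplied."""
    sql = "SELECT COUNT(*), SUM(salary) FROM employee WHERE dept_id = ?"
    params = [dept_id]
    if exclude_name is not None:
        sql += " AND name <> ?"
        params.append(exclude_name)
    count, total = con.execute(sql, params).fetchone()
    return total if count >= k else None


if __name__ == "__main__":
    con = build_db()
    print("orphan rejected:", orphan_rejected(con))
    print("duplicate key rejected:", duplicate_assignment_rejected(con))
    print("inferred salary for Ada:", infer_salary(con, 1, "Ada"))
    print("guarded sums:", guarded_sum(con, 1), guarded_sum(con, 1, "Ada"), guarded_sum(con, 2))
```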

Question 29

The correct answer is B. A time-of-check/time-of-use (TOC/TOU) attack can occur when the contents of a file or variable change between the time the system’s security functions check them and the time they are actually used or accessed. It is a form of asynchronous attack that exploits that window. Answer A is incorrect because the scenario specifically describes a TOC/TOU race rather than the broader category. Answer C is incorrect because the example does not describe a DCOM attack. Answer D is incorrect because a pass-the-hash attack is one in which an attacker authenticates to a remote server or service by using the underlying NTLM or LAN Manager hash of a user’s password rather than the password itself. See Chapter 4.
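The following Python example (added here, not part of the book) reproduces a check-then-use race on a file and its fix. vulnerable_read() validates the path name (the check), then opens the name again (the use); an attacker who replaces the file with a symbolic link in between makes the program read something it should not. To make the race deterministic, the attacker's swap is injected as a callback that runs inside the window. safe_read() opens first with O_NOFOLLOW and then validates the descriptor it actually holds with fstat, so there is no window at all. The file names and contents are constructed; the example needs a POSIX system.

```python
import os
import stat
import tempfile


def _is_plain_owned_file(st):
    """Policy: only regular files owned by the current user may be read."""
    return stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()


def vulnerable_read(path, between_check_and_use=lambda: None):
    """Check the name, then open the name: the classic TOC/TOU pattern."""
    st = os.lstat(path)                      # time of check
    if not _is_plain_owned_file(st):
        raise PermissionError("not a regular file we own")
    between_check_and_use()                  # race window (attacker's hook in the demo)
    with open(path, "rb") as f:              # time of use: the name is resolved again
        return f.read()


def safe_read(path):
    """Open first, refusing to follow symlinks, then check the object we hold."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not _is_plain_owned_file(os.fstat(fd)):
            raise PermissionError("not a regular file we own")
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)


def demo():
    """Returns what the vulnerable reader leaked, what safe_read returned
    before the swap, and whether safe_read refused after the swap."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")   # stands in for a file the program must not read
        target = os.path.join(d, "target")   # the file the program was asked to read
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(target, "wb") as f:
            f.write(b"harmless")

        safe_before = safe_read(target)

        def attacker_wins_race():
            os.unlink(target)
            os.symlink(secret, target)       # now 'target' points at the secret

        leaked = vulnerable_read(target, attacker_wins_race)
        try:
            safe_read(target)
            refused = False
        except OSError:                      # ELOOP from O_NOFOLLOW, or PermissionError
            refused = True
        return {"leaked": leaked, "safe_before": safe_before,
                "safe_after_swap_refused": refused}


if __name__ == "__main__":
    print(demo())
```

In the demo the secret is just another file the same user owns; in a real attack the program runs with privileges the attacker lacks and the link points at something like /etc/shadow. The fix is the same either way: make decisions about the object you opened, not about a name that can change under you.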

Question 30

The correct answer is D. Hearsay evidence is not based on personal knowledge but is information that was told to a witness by another person. It is generally inadmissible in a court of law, subject to limited exceptions such as business records. Answer A is incorrect because best evidence is the preferred type of evidence. Answer B is incorrect because secondary evidence is admissible and is usually a copy of original evidence. Answer C is incorrect because conclusive evidence is also admissible. See Chapter 8.

Question 31

The correct answer is B. Cipher Block Chaining (CBC) builds a dependency between the blocks of data. To find the plaintext of a particular block, you need to know the ciphertext, the key, and the ciphertext for the previous block. This feature makes CBC unique. Answer A is incorrect because electronic code book is fast but not chained or secure. Answer C is incorrect because Cipher Feedback (CFB) can be used to emulate a stream cipher and features a feedback function. Answer D is incorrect because Output Feedback (OFB) can also emulate a stream cipher and can pregenerate the key stream, independently of the data. See Chapter 4.

Question 32

The correct answer is B. 2DES, or Double DES, is no more secure than single DES and is susceptible to meet-in-the-middle attacks. Answers A, C, and D are incorrect because none of these forms of DES are susceptible to meet-in-the-middle attacks. See Chapter 6.
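The following Python example (added here; it is not from the book) runs a meet-in-the-middle attack against double encryption on a toy 16-bit block cipher with 12-bit keys, so that the full attack finishes in well under a second. The point is the work factor: brute-forcing both keys costs 2^24 trials, but encrypting the known plaintext under every k1 and decrypting the ciphertext under every k2 costs 2 times 2^12, at the price of a table with 2^12 entries. The same arithmetic with 56-bit keys is why 2DES offers roughly 57 bits of security rather than 112. The cipher, keys, and plaintexts are constructed for the demonstration; the cipher is deliberately simple and not secure.

```python
MASK = 0xFFFF
KEY_BITS = 12


def _round_keys(key):
    # Distinct 12-bit keys give distinct round keys (0x9E3 is odd, so the
    # multiplication is a bijection modulo 2^16).
    return [(key * 0x9E3 + r * 0x3D71) & MASK for r in range(4)]


def toy_encrypt(key, block):
    """Four add-rotate-xor rounds on a 16-bit block. Invertible, not secure."""
    x = block & MASK
    for rk in _round_keys(key):
        x = (x + rk) & MASK
        x = ((x << 5) | (x >> 11)) & MASK     # rotate left 5
        x ^= rk
    return x


def toy_decrypt(key, block):
    x = block & MASK
    for rk in reversed(_round_keys(key)):
        x ^= rk
        x = ((x >> 5) | (x << 11)) & MASK     # rotate right 5
        x = (x - rk) & MASK
    return x


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) under the same unknown (k1, k2).
    Returns (candidate key pairs, single-block cipher operations used
    for the two sweeps; the few verification encryptions are not counted)."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):            # forward sweep: E_k1(p0)
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    work = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):            # backward sweep: D_k2(c0)
        work += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # a match on one pair is not proof: confirm on the remaining pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, work


def demo(k1=0x3A7, k2=0xC15):
    """Attacker's view: four known plaintext/ciphertext pairs, keys unknown."""
    plaintexts = [0x1234, 0xBEEF, 0x0000, 0xFFFF]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    found, work = meet_in_the_middle(pairs)
    brute_force_work = (1 << KEY_BITS) ** 2
    return found, work, brute_force_work


if __name__ == "__main__":
    found, work, brute = demo()
    print(f"recovered {[(hex(a), hex(b)) for a, b in found]} with {work} ops vs {brute} by brute force")
```

The multi-pair confirmation step matters: with a 16-bit block and 24 bits of key, about 2^8 wrong key pairs collide on any single plaintext/ciphertext pair, and a real attacker needs enough known pairs to discard them. 3DES with three keys is immune to this particular shortcut because the attacker must still sweep two keys on one side.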

Question 33

The correct answer is D. Elliptic curve cryptography (ECC) is an asymmetric cryptosystem proposed in the mid-1980s; it provides security comparable to RSA with much smaller keys, which makes it suited to creating and storing digital signatures and keys in a small amount of memory, such as on smart cards. Answer A is incorrect because DES is a symmetric algorithm. Answer B is incorrect because SHA-1 is a hashing algorithm. Answer C is incorrect because Diffie-Hellman is used for key exchange, not for digital signatures. See Chapter 4.

Question 34

The correct answer is D. The purpose of the red team is to penetrate security. Red teams are sometimes called tiger teams or penetration testers. Answers A, B, and C are incorrect because individuals from all those groups should be involved in the contingency planning process. See Chapter 9.

Question 35

The correct answer is A. Attackers can attack ARP by flooding a switch and other devices with bogus MAC addresses or through ARP poisoning. Answer B is incorrect because although spanning tree is a valid attack, it is typically used for DoS. Answer C is incorrect because name server poisoning is another type of DNS attack. Answer D is incorrect because a reverse lookup is a term associated with DNS, not ARP. See Chapter 5.

Question 36

The correct answer is B. The Extensible Authentication Protocol (EAP) is a framework that supports stronger authentication methods than a simple password, such as digital certificates in EAP-TLS. Its strength depends on the EAP method chosen, since weak methods such as EAP-MD5 also exist. Answers A, C, and D are incorrect because none of those methods supports such advanced forms of authentication. See Chapter 5.

Question 37

The correct answer is C. RFC 1918 specifies the addresses that are to be used for private address schemes. Addresses 172.16.0.0 to 172.63.255.255 are not part of the specified range; therefore, answer C is the correct choice. Answers A, B, and D are incorrect because RFC 1918 specifies 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. See Chapter 5.

Question 38

The correct answer is D. Stealing email is not difficult because it is plaintext and easily sniffed. Email is one of the most popular Internet applications and deserves protection. Although answers B and C are incorrect, they describe potential vulnerabilities in standard email. Answer A is incorrect because encryption is not difficult. See Chapter 5.

Question 39

The correct answer is A. Instant messaging (IM) has the capability for scripting, which is one reason it is dangerous for an organization. Answers B, C, and D do not properly answer the question because they are all reasons IM is vulnerable. IM can bypass corporate firewalls, most versions lack encryption, and IM uses insecure password management. See Chapter 8.

Question 40

The correct answer is D. The Distributed Component Object Model (DCOM) allows applications to be divided into pieces and objects to be run remotely over the network. Potential vulnerabilities exist because of the way ActiveX is integrated with DCOM. Answer A is incorrect because Java is not associated with DCOM and is primarily used as a simple, efficient, general-purpose language. Answer B is incorrect because CORBA is a set of standards that addresses the need for interoperability between hardware and software. Answer C is incorrect because Enterprise JavaBeans (EJB) is designed for enterprise networks. See Chapter 9.

Question 41

The correct answer is C. Pretty Good Privacy (PGP) uses a web-like model because there are no certificate authorities (CAs); there are only end users. Anyone who uses PGP must determine whom to trust because, without a CA, there is no centralized or governing agency to control and validate other users. Answer A is incorrect because PKI does not use a web of trust. Answer B is incorrect because IGMP is used for multicast router group management. Answer D is incorrect because Domain Keys Identified Mail (DKIM) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of the domain. See Chapter 5.

Question 42

The correct answer is B. Entrapment is the act of inducing a person to commit a crime he or she was not otherwise predisposed to commit, in order to bring criminal charges. Entrapment is an improper law-enforcement practice that gives the accused a defense, whereas enticement, such as a honeypot that offers an intruder an opportunity to continue acts he or she has already chosen to commit, usually is legal. Answer A is incorrect because inducement is the act of bringing about a desired result. Answer C is incorrect because a honeypot is a trap set to detect or slow attempts at unauthorized use of information systems. Answer D is incorrect because enticement is the act of influencing by exciting hope or desire. See Chapter 7.

Question 43

The correct answer is A. The G8 is a group of economically advanced nations that have agreed to work together on economic and security problems; the G20 is a separate, larger forum of major economies that pursues similar cooperation. Answer B is incorrect because mutual legal assistance treaties (MLATs) are agreements that U.S. law-enforcement agencies have with law-enforcement agencies in other nations to fight computer crime and terrorism. MLATs are created to improve the effectiveness of judicial assistance and to regularize and facilitate cooperation. Answer C is incorrect because SWAT is a term used for special weapons and tactics police teams. Answer D is incorrect because UN Resolution 1154 deals with weapons inspections in Iraq. See Chapter 8.

Question 44

The correct answer is A. The five main types of BCP testing strategies are checklist, structured walkthrough, simulation, parallel, and full interruption. Therefore, answers B, C, and D are incorrect because the question asked which is not a valid type. Answer A is correct because partial interruption is not one of the five valid types. See Chapter 8.

Question 45

The correct answer is D. Business, facility and supply, user, technical, and data are the five primary categories in a business continuity plan. Answers A, B, and C are incorrect because they do not describe the five categories. See Chapter 7.

Question 46

The correct answer is B. APIs give developers the ability to bypass traditional web pages and interact directly with the underlying service. Answer A is incorrect because SOAP does not by itself allow direct access to the underlying service; SOAP is a messaging protocol that allows communication via the Internet between two programs on the same or different platforms. Answer C is incorrect because OAuth is an authorization framework for delegated access, not a way to interact with a service. Answer D is incorrect because REST is a software architectural style that uses a subset of HTTP. See Chapter 9.

Question 47

The correct answer is D. Hosts use Internet Group Management Protocol (IGMP) to report multicast group memberships to neighboring multicast routers. Security problems exist with IGMP because anyone can start a multicast group or join an existing one. Answer A is incorrect because ICMP is used for error reporting and diagnostics. Answer B is incorrect because Routing Information Protocol (RIP) is a distance-vector routing protocol that advertises routes by broadcast (RIPv1) or multicast (RIPv2); it does not manage group membership. Answer C is incorrect because although 224.0.0.1 is a multicast address (all hosts on the local subnet), it is an address, not a protocol used for multicast management. See Chapter 5.

Question 48

The correct answer is D. VoIP is very time sensitive and, as such, should be based on an isochronous design. This means that the entire system must be engineered to deliver output with exactly the same timing as the input. Answer A is incorrect because VoIP does not use time-division multiplexing. Answer B is incorrect because VoIP uses UDP, not TCP, for the voice portion of a call. Some implementations of VoIP can use TCP for setup and call control. Answer C is incorrect because VLANs are not used for timing and delay problems, but are used to separate VoIP traffic from general traffic to make it more secure from sniffing. See Chapter 5.

Question 49

The correct answer is A. ATM creates a fixed channel, or route, between two points whenever data transfer begins, and it packages the data into 53-byte fixed-length cells. ATM can be used in LANs, WANs, and MANs. It supports high-bandwidth data needs. Answer B is incorrect because ISDN provides a completely end-to-end digital connection. Answer C is incorrect because Switched Multimegabit Data Service (SMDS) is a low-market-share service used to interconnect LANs. Answer D is incorrect because microsegmentation is a method of creating zones in data centers and cloud environments to isolate workloads and secure them individually. See Chapter 5.

Question 50

The correct answer is C. One issue with WEP is the initialization vector (IV), which is 24 bits, not 20. Answers A, B, and D list real vulnerabilities of WEP. WEP uses a single shared key among all clients, which means it authenticates groups, not devices or single users. RC4 is the correct cipher, implemented with a 40- or 104-bit key, but WEP seeds it by simply prepending the 24-bit IV to the shared key. The IV space is exhausted quickly on a busy network, so keystreams repeat, and the weak-key structure of IV || key lets an attacker recover the shared key from captured traffic. A 24-bit IV is too short, and a 40-bit key is weak. See Chapter 5.
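The following Python example (added here, not from the book) shows what a repeated 24-bit IV actually costs. WEP seeds RC4 with IV || shared key, so two frames carrying the same IV are encrypted with the same keystream; XORing the two ciphertexts cancels the keystream and leaves P1 XOR P2, and knowing or guessing one plaintext reveals the other. The example also computes the birthday bound for random IVs. RC4 below is the standard KSA/PRGA; the key and the frame contents are constructed.

```python
import math


def rc4_keystream(key, n):
    """Standard RC4: key-scheduling algorithm, then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP per-packet key = 3-byte IV || 40- or 104-bit shared key; the IV
    travels in the clear in front of the ciphertext (CRC-32 ICV omitted)."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_attack(frame1, frame2):
    """If both frames carry the same IV, C1 XOR C2 equals P1 XOR P2."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    return xor_bytes(c1, c2)


def frames_until_iv_collision(p, iv_bits=24):
    """Approximate number of random-IV frames before the probability of at
    least one repeated IV reaches p (birthday bound)."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p)))


def demo():
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                     # the same IV reused by a second frame
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    xored = keystream_reuse_attack(f1, f2)
    recovered = xor_bytes(xored, p1)         # a known/guessed p1 yields p2 outright
    return xored == xor_bytes(p1, p2), recovered


if __name__ == "__main__":
    print(demo())
    print(f"50% chance of an IV repeat after about {frames_until_iv_collision(0.5):.0f} random-IV frames")
```

A 50 percent chance of a repeat arrives after roughly 4,800 random IVs, far below the 16.7 million a sequential counter would take to wrap, which is why even a lightly loaded WEP network hands an attacker colliding keystreams within minutes.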

Question 51

The correct answer is D. Work from single loss expectancy to annual loss expectancy:

Single loss expectancy (SLE) = ($9 per hour × 8 hours per employee) × 10 employees = $720

Annual rate of occurrence (ARO) = 95%, or 0.95

ALE = SLE × ARO, or $720 × 0.95 = $684

Therefore, the nonprofit could expect to lose $684 per year by not using antivirus software. See Chapter 3.

Question 52

The correct answer is B. An evaluation that is carried out and meets evaluation assurance level (EAL) 2 specifies that the design has been structurally tested. Answers A, C, and D are incorrect because EAL 1 = functionality tested; EAL 4 = methodically designed, tested, and reviewed; and EAL 5 = semi-formally designed and tested. See Chapter 4.

Question 53

The correct answer is A. Microsegmentation is a countermeasure that can be used to mitigate lateral movement. It involves breaking data centers and cloud environments into individual workload-level segments so that a compromised workload cannot freely reach its neighbors. Answer B is incorrect because zero trust is based on the concept that organizations should not automatically trust anything inside or outside their perimeter; it is a principle that microsegmentation helps implement, not the specific countermeasure. Answer C is incorrect because port mirroring is used on a network switch to send a copy of network packets seen on one switch port to another. Answer D is incorrect because enforced governance compliance would not specifically prevent lateral movement. See Chapter 5.

Question 54

The correct answer is A. The star (*) property rule states that someone at one security level cannot write information to a lower security level. Answer B is incorrect because the simple security rule states that someone cannot read information at a higher security level. Answer C is incorrect because the simple integrity property deals with the Biba model, not Bell-LaPadula. Answer D is incorrect because the strong star rule states that read and write privileges are valid only at the level at which the user resides. See Chapter 4.
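The following Python example (added here; it is not from the book) is a small reference monitor that encodes the Bell-LaPadula rules from Question 54 (simple security: no read up; star property: no write down; strong star: write only at the subject's own level) and, for contrast with Questions 2, 17 and 18, the Biba rules (simple integrity: no read down; integrity star: no write up). The four level names are constructed; under Biba the same names stand for integrity levels rather than classifications.

```python
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
_RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_allows(subject, obj, op, strong_star=False):
    """Bell-LaPadula (confidentiality): labels are clearance/classification."""
    s, o = _RANK[subject], _RANK[obj]
    if op == "read":
        return s >= o            # simple security property: no read up
    if op == "write":
        if strong_star:
            return s == o        # strong star: write only at the subject's own level
        return s <= o            # star property: no write down (writing up is allowed)
    raise ValueError(op)


def biba_allows(subject, obj, op):
    """Biba (integrity): labels are integrity levels; the arrows flip."""
    s, o = _RANK[subject], _RANK[obj]
    if op == "read":
        return s <= o            # simple integrity property: no read down
    if op == "write":
        return s >= o            # integrity star property: no write up
    raise ValueError(op)


def decisions(policy, **kwargs):
    """Full access matrix for a policy: {(subject, object, op): allowed}."""
    return {(s, o, op): policy(s, o, op, **kwargs)
            for s in LEVELS for o in LEVELS for op in ("read", "write")}


def count_allowed(policy, **kwargs):
    return sum(decisions(policy, **kwargs).values())


def print_matrix(policy, **kwargs):
    """Render the matrix the way the exam tends to ask about it."""
    d = decisions(policy, **kwargs)
    for s in LEVELS:
        row = []
        for o in LEVELS:
            r = "r" if d[(s, o, "read")] else "-"
            w = "w" if d[(s, o, "write")] else "-"
            row.append(r + w)
        print(f"{s:>13}: " + "  ".join(row))


if __name__ == "__main__":
    print("Bell-LaPadula (rows: subject, columns: object)")
    print_matrix(blp_allows)
    print("Biba")
    print_matrix(biba_allows)
```

Reading the two matrices side by side shows why the models cannot simply be combined: a SECRET subject may write a TOP SECRET object under Bell-LaPadula but not under Biba, and may read a CONFIDENTIAL object under Bell-LaPadula but not under Biba. Systems that need both, such as Lipner's, pair the lattices rather than reuse one set of labels.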

Question 55

The correct answer is B. Annual loss expectancy is calculated this way:

ALE = ARO × SLE, or 0.95 × 720 = $684

The annual savings is the ALE minus the annual cost of the deterrent, or $684 − $399 = $285. Therefore, answers A, C, and D are incorrect. See Chapter 3.

Question 56

The correct answer is B. Physical security is considered the first line of defense against human attack. Items such as gates, guards, locks, and cameras can be used for physical defense. Answer A is incorrect because cryptography is best used to protect the integrity and confidentiality of data. Answer C is incorrect because business continuity planning should be used to prevent critical outages. Answer D is incorrect because policies are an administrative control. See Chapter 6.

Question 57

The correct answer is D. HVAC should be a closed-loop system with positive pressurization. Closed loop means that the air inside the building is filtered and continually reused. Positive pressurization should be used to ensure that inside air is pushed out. This is an important safety feature in the event that the building catches fire. Answers A, B, and C are incorrect because they do not specify both closed-loop system and positive pressurization. See Chapter 6.

Question 58

The correct answer is B. Heat-activated sensors can be either rate-of-rise or fixed-temperature sensors. Answer A is incorrect because flame-activated sensors respond to the infrared energy that emanates from a fire. Answer C is incorrect because smoke-activated sensors use a photoelectric device. Answer D is incorrect because there is no category of fire detector known as ion activated. See Chapter 8.

Question 59

The correct answer is B. Electrical fires are considered Class C fires. All other answers are incorrect. Class A fires consist of wood and paper products, Class B fires consist of liquids such as petroleum, and Class D fires result from combustible metals. See Chapter 8.

Question 60

The correct answer is D. A dry-pipe system is the preferred fire suppression method for locations that are unheated or subject to freezing. Dry-pipe systems are unique in that the pipes hold pressurized air or nitrogen rather than water; when a sprinkler head opens, the pressure is released, a clapper valve opens, and only then does water flow into the pipes. The question uses the term clapper valve because it might be unfamiliar to many readers; the exam might likewise use terms that you are not familiar with. All other answers are incorrect: deluge systems release large amounts of water in a very short period of time, wet-pipe systems hold water in the pipes at all times, and pre-action systems release water into the pipe only when a specified temperature or a separate detection device triggers its release. See Chapter 8.
