Appendix: Answers to Review Questions

Chapter 1: Security and Risk Management (Domain 1)

  1. D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement proposed countermeasure(s).
  2. A. Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.
  3. C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
  4. A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing, or transmitting data on EU or Swiss citizens.
  5. D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.
  6. A. Most state data breach notification laws are modeled after California’s law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.
  7. C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
  8. D. A fingerprint scan is an example of a “something you are” factor, which would be appropriate for pairing with a “something you know” password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both “something you know,” which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.
  9. D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.
  10. A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
  11. A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
  12. D. The export of encryption software to certain countries is regulated under US export control laws.
  13. D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
  14. D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
  15. B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
  16. D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.
  17. D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.
  18. C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
  19. C. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
  20. B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.
  21. A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case.
  22. B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
  23. C. After developing a list of assets, the business impact analysis team should assign values to each asset.
  24. C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.
  25. D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.
  26. A. Access control lists are used for determining a user’s authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.
  27. D. Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace.
  28. A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack.
  29. B. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.
  30. A. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.
  31. D. Strategic plans have a long-term planning horizon of up to five years in most cases. Operational and tactical plans have shorter horizons of a year or less.
  32. A. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.
  33. B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
  34. B. The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.
  35. B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.
  36. A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
  37. B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.
  38. C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
  39. D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
  40. B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position and would be the strongest advocate at the executive level.
  41. A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
  42. D. The Service Organizations Control audit program includes business continuity controls in a Type 2, but not Type 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.
  43. A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.
  44. A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.
  45. A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a non-disclosure agreement (NDA).
  46. A. Trademarks protect words and images that represent a product or service and would not protect computer software.
  47. B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office’s server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.
  48. C. Redundant Array of Inexpensive Disks (RAID) uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
  49. A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.
  50. B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded the interpretation of the Fourth Amendment to include protections against other invasions of privacy.
  51. A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
  52. D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will hopefully disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.
  53. C. Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.
  54. C. Denial of service (DoS) and distributed denial of service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.
  55. B. Baselines provide the minimum level of security that every system throughout the organization must meet.
  56. C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.
  57. C. If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.
  58. D. The Computer Security Act of 1987 gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws upon the technical advice and assistance of the National Security Agency where appropriate.
  59. B. There is no requirement that patents be for inventions made by American citizens. Patentable inventions must, on the other hand, be new, nonobvious, and useful.
  60. A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.
  61. A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.
  62. A. The fourth step of the NIST risk management framework is assessing security controls.
  63. D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse.
  64. C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.
  65. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
  66. B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.
  67. D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.
  68. D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.
  69. A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.
  70. C. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.
  71. B. ISO 27002 is an international standard focused on information security and titled “Information technology – Security techniques – Code of practice for information security management.” The IT Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
  72. B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
  73. B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.
  74. C. Non-disclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements (SLAs) specify service uptime and other performance measures. Non-compete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.
  75. D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.
  76. C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.
  77. D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
  78. C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.
  79. D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.
  80. B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
  81. A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.
  82. D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.
  83. D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.
  84. A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
  85. D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.
  86. D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.
  87. C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
  88. D. The Sarbanes-Oxley Act (SOX) governs the financial reporting of publicly traded companies and includes requirements for security controls that ensure the integrity of that information.
  89. D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.
  90. C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.
  91. B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
  92. A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.
  93. B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.
  94. D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
  95. C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.
  96. C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.
  97. B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.
  98. A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.
  99. C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.
  100. B. Non-disclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.
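
The quantitative risk formulas used in answers 1, 85, 96, 97, and 98 (exposure factor, single loss expectancy, annualized rate of occurrence, annualized loss expectancy, and the closing cost/benefit step) chained together as one small Python module. This is an added example, not code from the book; the `RiskScenario` class, `exposure_factor`, and `countermeasure_net_benefit` are names chosen here, and the countermeasure figures (residual EF of 0.1 at $15,000 per year) are constructed for illustration.

```python
"""Quantitative risk analysis helpers (added example; not from the book)."""
from __future__ import annotations

from dataclasses import dataclass


def exposure_factor(damage: float, asset_value: float) -> float:
    """EF = expected damage / asset value, as a fraction of the asset lost per event."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return damage / asset_value


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pairing expressed with the standard quantitative terms."""
    asset_value: float            # AV, in dollars
    exposure_factor: float        # EF, fraction of AV lost per event (0.0 to 1.0)
    years_between_events: float   # e.g. 200 for a "200-year" tornado

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence: ARO = 1 / years between events."""
        return 1.0 / self.years_between_events

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


def countermeasure_net_benefit(before: RiskScenario, residual_ef: float,
                               annual_cost: float) -> float:
    """Final step of a quantitative analysis (answer 1): cost/benefit of a safeguard.

    Net benefit = (ALE before) - (ALE after) - (annual cost of the countermeasure).
    A positive value means the safeguard pays for itself; the threat frequency is
    unchanged, only the damage per event (EF) is reduced.
    """
    after = RiskScenario(before.asset_value, residual_ef, before.years_between_events)
    return before.ale - after.ale - annual_cost


def should_implement(before: RiskScenario, residual_ef: float, annual_cost: float) -> bool:
    """True when the countermeasure's net benefit is positive."""
    return countermeasure_net_benefit(before, residual_ef, annual_cost) > 0


if __name__ == "__main__":
    # Figures from answers 96-98: $10M facility, $5M expected damage, tornado every 200 years.
    ef = exposure_factor(5_000_000, 10_000_000)
    tornado = RiskScenario(asset_value=10_000_000, exposure_factor=ef, years_between_events=200)
    print(f"EF={ef:.2f} SLE=${tornado.sle:,.0f} ARO={tornado.aro} ALE=${tornado.ale:,.0f}")
    # Constructed countermeasure (not from the book): cuts EF to 0.1 for $15,000/year.
    print("net benefit:", countermeasure_net_benefit(tornado, 0.1, 15_000))
    print("implement?", should_implement(tornado, 0.1, 15_000))
```

Keeping AV, EF, and ARO as separate fields makes it easy to see which term a proposed control actually changes: a storm shutter lowers EF, relocating out of the flood plain lowers ARO, and the cost/benefit comparison only makes sense when the "after" scenario is built from the same asset value.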
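
Answer 49 states that hashing lets you verify computationally that a file has not changed between hash evaluations. The following added example (not from the book) shows the defender's side of that: build a baseline of SHA-256 digests for a directory, re-hash later, and report files that were modified, removed, or added. The sample files are constructed inside a temporary directory, and `build_baseline`, `compare_baselines`, and `demo` are names chosen here.

```python
"""File-integrity baseline check using SHA-256 (added example; not from the book)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two baselines.

    Only content changes count as 'modified'; a touched timestamp with identical
    bytes produces the same digest and is correctly ignored.
    """
    return {
        "modified": [n for n in baseline if n in current and baseline[n] != current[n]],
        "missing": [n for n in baseline if n not in current],
        "added": [n for n in current if n not in baseline],
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, change one file, add another, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("debug=false\n")          # constructed sample file
        (root / "index.html").write_text("<h1>hello</h1>\n")       # constructed sample file
        baseline = build_baseline(root)

        (root / "index.html").write_text("<h1>hello world</h1>\n")  # content change
        (root / "config.ini").touch()                               # timestamp only
        (root / "notes.txt").write_text("new file\n")               # new file
        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())  # modified: index.html; added: notes.txt; missing: none
```

The baseline itself must be stored somewhere the party who could tamper with the files cannot also rewrite, otherwise the check only proves that the files and the manifest were changed together; that is the gap answer 49 notes ACLs and read-only attributes cannot close on their own.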

Chapter 2: Asset Security (Domain 2)

  1. C. Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.
  2. A. Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are required to perform specific actions under regulations like the EU DPD. Finally, in many organizations, data stewards are internal roles that oversee how data is used.
  3. B. A baseline is used to ensure a minimum security standard. A policy is the foundation that a standard may point to for authority, and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isn’t the term you’re looking for here.
  4. B. Media is typically labeled with the highest classification level of data it contains. This prevents the data from being handled or accessible at a lower classification level. Data integrity requirements may be part of a classification process but don’t independently drive labeling in a classification scheme.
  5. A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn’t a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.
  6. A. A data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.
  7. D. Custodians are delegated the role of handling day-to-day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.
  8. D. Safe Harbor compliance helps US companies meet the EU Data Protection Directive. Yearly assessments may be useful, but they aren’t required. HIPAA is a US law that applies specifically to healthcare and related organizations, and encrypting all data all the time is impossible (at least if you want to use the data!).
  9. C. Security baselines provide a starting point to scope and tailor security controls to your organization’s needs. They aren’t always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, nor do they prevent liability.
  10. A. Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that’s completed, the media can be reused. Erasing is the deletion of files or media. Purging is a more intensive form of clearing for reuse in lower security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
  11. C. The US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data could cause serious damage. Classified is not a level in the US government classification scheme.
  12. D. Spare sectors, bad sectors, and space provided for wear leveling on SSDs (overprovisioned space) may all contain data that was written to the space that will not be cleared when the drive is wiped. Most wiping utilities only deal with currently addressable space on the drive. SSDs cannot be degaussed, and wear leveling space cannot be reliably used to hide data. These spaces are still addressable by the drive, although they may not be seen by the operating system.
  13. B. Data remanence is a term used to describe data left after attempts to erase or remove data. Slack space describes unused space in a disk cluster, zero fill is a wiping methodology that replaces all data bits with zeroes, and residual bytes is a made-up term.
  14. C. Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.
  15. C. A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.
  16. B. AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.
  17. A. Data loss prevention (DLP) systems can use labels on data to determine the appropriate controls to apply to the data. DLP systems won’t modify labels in real time and typically don’t work directly with firewalls to stop traffic. Deleting unlabeled data would cause big problems for organizations that haven’t labeled every piece of data!
  18. B. The value of the data contained on media often exceeds the cost of the media, making more expensive media that may have a longer life span or additional capabilities like encryption support a good choice. While expensive media may be less likely to fail, the reason it makes sense is the value of the data, not just that it is less likely to fail. In general, the cost of the media doesn’t have anything to do with the ease of encryption, and data integrity isn’t ensured by better media.
  19. C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don’t make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution due to the cost involved.
  20. A. The US government’s classification levels from least to most sensitive are Confidential, Secret, and Top Secret.
  21. C. Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.
  22. C. PCI DSS, the Payment Card Industry Data Security Standard, provides the set of requirements for credit card processing systems. The Microsoft, NSA, and CIS baseline are all useful for building a Windows 10 security standard, but they aren’t as good of an answer as the PCI DSS standard itself.
  23. D. The CIS benchmarks are an example of a security baseline. A risk assessment would help identify which controls were needed, and proper system ownership is an important part of making sure baselines are implemented and maintained. Data labeling can help ensure that controls are applied to the right systems and data.
  24. B. Scoping involves selecting only the controls from a baseline that apply to your IT systems, while tailoring modifies those controls so that they fit your organization’s mission and environment. Baselining is the process of configuring a system or software to match a baseline, or building a baseline itself. Selection isn’t a technical term used for any of these processes.
  25. B. The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and of course, applying the same controls everywhere is expensive and may not meet business needs or be a responsible use of resources.
  26. B. FTP and Telnet do not provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.
  27. B. Many organizations require the destruction of media that contains data at higher levels of classification. Often the cost of the media is lower than the potential costs of data exposure, and it is difficult to guarantee that reused media doesn’t contain remnant data. Tapes can be erased by degaussing, but degaussing is not always fully effective. Bitrot describes the slow loss of data on aging media, while data permanence is a term sometimes used to describe the life span of data and media.
  28. A. NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a made-up term.
  29. B. The biggest threat to data at rest is typically a data breach. Data at rest with a high level of sensitivity is often encrypted to help prevent this. Decryption is not as significant of a threat if strong encryption is used and encryption keys are well secured. Data integrity issues could occur, but proper backups can help prevent this, and of course data could be improperly classified, but this is not the primary threat to the data.
  30. B. Full disk encryption only protects data at rest. Since it encrypts the full disk, it does not distinguish between labeled and unlabeled data.
  31. B. One way to use an IPsec VPN is to create a private, encrypted network (or tunnel) via a public network, allowing users to be a virtual part of their employer’s internal network. IPsec is distinct from TLS, provides encryption for confidentiality and integrity, and of course, in this scenario Sue is connecting to her employer’s network rather than the employer connecting to hers.
  32. D. Classification identifies the value of data to an organization. This can often help drive IT expenditure prioritization and could help with rough cost estimates if a breach occurred, but that’s not the primary purpose. Finally, most breach laws call out specific data types for notification rather than requiring organizations to classify data themselves.
  33. B. Downgrading systems and media is rare due to the difficulty of ensuring that sanitization is complete. The need to completely wipe (or destroy) the media that systems use means that the cost of reuse is often significant and may exceed the cost of purchasing a new system or media. The goal of purging is to ensure that no data remains, so commingling data should not be a concern, nor should the exposure of the data; only staff with the proper clearance should handle the systems! Finally, a DLP system should flag data based on labels, not on the system it comes from.
  34. A. Classification should be conducted based on the value of the data to the organization, its sensitivity, and the amount of harm that could result from exposure of the data. Cost should be considered when implementing controls and is weighed against the damage that exposure would create.
  35. C. Erasing, which describes a typical deletion process in many operating systems, typically removes only the link to the file, and leaves the data that makes up the file itself. The data will remain in place but not indexed until the space is needed and it is overwritten. Degaussing works only on magnetic media, but it can be quite effective on it. Purging and clearing both describe more elaborate removal processes.
  36. D. Safe Harbor is a framework intended to bridge the different privacy protection laws between the United States and the European Union and is run by the US Department of Commerce. At the time of this writing, Safe Harbor had been declared “invalid” by the European Court of Justice, although the US Department of Commerce has stated that it will continue the Safe Harbor program.
    At the time of this writing, both the GDPR and the NIS Directive were still pending EU legislation, and there is no EU CyberSafe Act.
  37. C. TLS is a modern encryption method used to encrypt and protect data in transit. AES256 is a symmetric cipher often used to protect data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.
  38. C. Private data is typically defined as data whose exposure could cause serious damage. Loss of confidential data, one level higher, is normally classified as able to cause exceptionally grave damage, while exposure of sensitive data could cause damage. As you’d expect, public data exposure won’t cause damage.
  39. A. A data loss prevention (DLP) system or software is designed to identify labeled data or data that fits specific patterns and descriptions to help prevent it from leaving the organization. An IDS is designed to identify intrusions. Although some IDS systems can detect specific types of sensitive data using pattern matching, they have no ability to stop traffic (that is the job of an IPS). A firewall uses rules to permit or deny traffic, while UDP is a network protocol.
  40. A. When data is stored in a mixed classification environment, it is typically classified based on the highest classification of data included. In this case, the US government’s highest classification is Top Secret. Mixed classification is not a valid classification in this scheme.
  41. B. A non-disclosure agreement, or NDA, is a legal agreement that prevents employees from sharing proprietary data with their new employers. Purging is used on media, while classification is used on data. Encryption can help secure data, but it doesn’t stop employees who can decrypt or copy the data from sharing it.
  42. C. By default, BitLocker and Microsoft’s Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.
  43. B. Group Policy provides the ability to monitor and apply settings in a security baseline. Manual checks by users or using startup scripts provide fewer reviews and may be prone to failure, while periodic review of the baseline won’t result in compliance being checked.
  44. B. A baseline is a set of security configurations that can be adopted and modified to fit an organization’s security needs. A security policy is written to describe an organization’s approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP-800 series of documents address computer security in a variety of areas.
  45. C. Record retention policies describe how long an organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, while availability and audit policies may be created for specific purposes.
  46. A. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack helped force the move away from SSL 3.0 to TLS. SSL 3.0’s CBC mode checks only the padding-length byte and never inspects the padding bytes themselves, so an attacker who can trigger repeated requests and tamper with the ciphertext can use the server’s accept/reject behavior as an oracle and recover encrypted data such as session cookies one byte at a time. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL/TLS.
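    To make the mechanism behind answer 46 concrete, the following Python script is an added example (it is not part of the original answer key) that models SSL 3.0 CBC record processing and runs the POODLE byte-recovery loop against it. The 8-byte block cipher is a stand-in Feistel construction built on SHA-256 so the script needs only the standard library; the keys, the secret value, and the attacker’s control over the prefix and suffix lengths (a URL path and request body, in the real attack) are all constructed for the demo.

```python
import hashlib
import hmac
import random

BLOCK = 8        # SSL 3.0 with an 8-byte block cipher such as 3DES
MAC_LEN = 16
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 64-bit block cipher (Feistel network, SHA-256 round function). It stands
# in for 3DES only so that the example runs without third-party libraries.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def ssl3_pad(msg: bytes) -> bytes:
    """SSL 3.0 padding: arbitrary bytes followed by a length byte. A message that
    is already block-aligned gets a full block of padding (length byte 7)."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes(n - 1) + bytes([n - 1])


def encrypt_record(enc_key: bytes, mac_key: bytes, data: bytes, rng: random.Random) -> bytes:
    """Client side: MAC, then pad, then CBC-encrypt with a fresh IV per record."""
    mac = hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    plaintext = ssl3_pad(data + mac)
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(enc_key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def server_accepts(enc_key: bytes, mac_key: bytes, record: bytes) -> bool:
    """Server side, i.e. the oracle. Only the padding-length byte is checked;
    the padding bytes themselves are never inspected (the SSL 3.0 flaw)."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    plaintext = b"".join(xor(block_decrypt(enc_key, cur), prev)
                         for prev, cur in zip(blocks, blocks[1:]))
    pad_len = plaintext[-1]
    if pad_len >= BLOCK:
        return False
    body = plaintext[:len(plaintext) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN])


def make_client(enc_key: bytes, mac_key: bytes, secret: bytes, rng: random.Random):
    """The victim: re-sends prefix || secret || suffix whenever asked. The attacker
    chooses only the two lengths, never the secret."""
    def client_send(prefix_len: int, suffix_len: int) -> bytes:
        return encrypt_record(enc_key, mac_key, b"/" * prefix_len + secret + b"&" * suffix_len, rng)
    return client_send


def poodle_recover(secret_len: int, client_send, oracle, max_tries: int = 50_000) -> bytes:
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (-(j + 1)) % BLOCK                            # secret[j] lands on the last byte of a block
        target = (prefix_len + j + 1) // BLOCK                      # index of that ciphertext block (IV is index 0)
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK  # force a full block of padding at the end
        for _ in range(max_tries):
            rec = client_send(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = b"".join(blocks[:-1] + [blocks[target]])     # copy the target block into the padding slot
            if oracle(forged):
                # Accepted only when D(C_target)[7] ^ C_{n-1}[7] == 7, and
                # P_target[7] = D(C_target)[7] ^ C_{target-1}[7], so:
                recovered.append(7 ^ blocks[-2][-1] ^ blocks[target - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; check the record layout")
    return bytes(recovered)
```

    Each byte costs about 256 re-sent requests on average, which is why the real attack needs a way to make the browser repeat the request (JavaScript injected into a cleartext page) and why the fix was to stop negotiating SSL 3.0 at all, rather than to patch the padding check.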
  47. D. Using strong encryption, like AES256, can help ensure that loss of removable media like tapes doesn’t result in a data breach. Security labels may help with handling processes, but they won’t help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won’t increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.
  48. D. Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code (21 CFR Part 11) are intended to ensure that electronic records are “trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” An electronic signature in this sense is not encryption and provides no confidentiality, it does not by itself guarantee the integrity of the record (a cryptographic digital signature would), and it doesn’t ensure that someone has actually reviewed the data.
  49. D. Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.
  50. B. Degaussing uses strong magnetic fields to erase magnetic media. Magwipe is a made-up term. Sanitization is a combination of processes used to remove data from a system or media to ensure that it cannot be recovered. Purging is a form of clearing used on media that will be reused in a lower classification or lower security environment.
  51. D. Personnel retention deals with the knowledge that employees gain while employed. Issues related to the knowledge they may leave with and share are often handled with non-disclosure agreements. Knowledge gained after employment, as well as how soon (or how late) employees leave the organization, is not central to this issue.
  52. C. One of the most important parts of labeling the data is ensuring that it receives a mark or label that provides the classification of the data. Digital rights management (DRM) tools provide ways to control how data is used, while encrypting it can help maintain the confidentiality and integrity of the data. Classifying the data is necessary to label it, but it doesn’t automatically place a label on the data.
  53. D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.
  54. D. Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. Encrypting your storage media before it is transported is a good practice, but transporting media isn’t the type of transit that is meant by the phrase.
  55. C. The data owner has ultimate responsibility for data belonging to an organization and is typically the CEO, president, or another senior employee. Business and mission owners typically own processes or programs. System owners own a system that processes sensitive data.
  56. A. The Federal Trade Commission, or FTC, is the US government agency that enforces Safe Harbor: a company that self-certifies and then fails to honor its commitments faces FTC action for deceptive practices. The Department of Commerce administers the self-certification program but does not enforce it, and the Food and Drug Administration and Department of Defense have no role in Safe Harbor.
  57. A. Chris is most likely to be responsible for classifying the data that he owns as well as assisting with or advising the system owners on security requirements and control selection. In an organization with multiple data owners, Chris is unlikely to set criteria for classifying data on his own. As a data owner, Chris will also not typically have direct responsibility for scoping, tailoring, applying, or enforcing those controls.
  58. B. The system administrators are acting in the roles of data administrators who grant access and will also act as custodians who are tasked with the day-to-day application of security controls. They are not acting as data owners who own the data itself. Typically, system administrators are delegated authority by system owners, such as a department head, and of course they are tasked with providing access to users.
  59. C. According to the European Union’s Data Protection Directive, third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with would act in the role of the business or mission owners, and others within Chris’s organization would have the role of data administrators, granting access as needed to the data based on their operational procedures and data classification.
  60. B. The seven principles of the US Safe Harbor framework, which was built to satisfy the European Data Protection Directive’s requirements for US companies, are:
    • Notice
    • Choice
    • Onward transfer
    • Security
    • Data integrity
    • Access
    • Enforcement

    Reason is not included in this list.

  61. B. Under the EU’s DPD, data processors like the third-party company in this question bear responsibility for ensuring that the data is not used for anything other than the purpose for which it is intended. Ben’s company is the data controller, and the third party is the data processor.
  62. D. The US government specifies Secret as the classification level for information that, if disclosed, could cause serious harm to national security. Top Secret is reserved for information that could cause exceptionally grave harm, while confidential data could be expected to cause less harm. Unclassified is not an actual classification but only indicates that the data may be released to individuals without a clearance. Organizations may still restrict access to unclassified information.
  63. A. Sanitization is the combination of processes used to remove data from a system or media. When a PC is disposed of, sanitization includes the removal or destruction of drives, media, and any other storage devices it may have. Purging, destruction, and declassification are all other handling methods.
  64. D. Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.
  65. C. Requiring all media to have a label means that when unlabeled media is found, it should immediately be considered suspicious. This helps to prevent mistakes that might leave sensitive data unlabeled. Prelabeled media is not necessarily cheaper (nor may it make sense to buy!), while reusing public media simply means that it must be classified based on the data it now contains. HIPAA does not have specific media labeling requirements.
  66. B. Data in use is data that is in a temporary storage location while an application or process is using it. Thus, data in memory is best described as data in use or ephemeral data. Data at rest is in storage, while data in transit is traveling over a network or other channel. Data at large is a made-up term.
  67. C. Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence. A form like this one helps to ensure that each device has been checked and that it was properly wiped, purged, or sanitized. This can allow reuse, does not prevent destruction, and does not help with attribution, which is a concept used with encryption to prove who created or sent a file.
  68. C. Ensuring that data cannot be recovered is difficult, and the time and effort required to securely and completely wipe media as part of declassification can exceed the cost of new media. Sanitization, purging, and clearing may be part of declassification, but they are not reasons that it is not frequently chosen as an option for organizations with data security concerns.
  69. B. In the NIST SP 800-60 diagram, the process determines appropriate categorization levels resulting in security categorization and then uses that as an input to determine controls. Standard selection would occur at an organizational level, while baselining occurs when systems are configured to meet a baseline. Sanitization would require the intentional removal of data from machines or media.
  70. C. A and E can both be expected to have data at rest. C, the Internet, is an unknown, and the data can’t be guaranteed to be at rest. B, D, and F are all data in transit across network links.
  71. C. B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion. AES256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.
  72. B. Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.
  73. D. Destruction is the final stage in the life cycle of media and can be done via disintegration, incineration, or a variety of other methods that result in the media and data being nonrecoverable. Sanitization is a combination of processes used when data is being removed from a system or media. Purging is an intense form of clearing, and degaussing uses strong magnetic fields to wipe data from magnetic media.
  74. B. The Data Protection Directive’s principles do not address data retention time periods. The seven principles are notice, purpose, consent, security, disclosure, access, and accountability.
  75. D. Visual indicators like a distinctive screen background can help employees remember what level of classification they are dealing with and thus the handling requirements that they are expected to follow.
  76. C. If an organization allows media to be downgraded, the purging process should be followed, and then the media should be relabeled. Degaussing may be used for magnetic media but won’t handle all types of media. Pulverizing would destroy the media, preventing reuse, while relabeling first could lead to mistakes that result in media that hasn’t been purged entering use.
  77. B. The data owner sets the rules for use and protection of data. The remaining options all describe tasks for the system owner, including implementation of security controls.
  78. C. Encrypting and labeling sensitive email will ensure that it remains confidential and can be identified. Performing these actions only on sensitive email will reduce the cost and effort of encrypting all email, allowing only sensitive email to be the focus of the organization’s efforts. Only encrypting highly sensitive email not only skips labeling but might expose other classifications of email that shouldn’t be exposed.
  79. D. Scoping is performed when you match baseline controls to the IT system you’re working to secure. Creation of standards is part of the configuration process and may involve the use of baselines. Baselining can mean the process of creating a security baseline or configuring systems to meet the baseline. CIS, the Center for Internet Security, provides a variety of security baselines.
  80. C. Systems used to process data are data processors. Data owners are typically CEOs or other very senior staff, custodians are granted rights to perform day-to-day tasks when handling data, and mission owners are typically program or information system owners.
  81. A. The EU GDPR replaces the EU DPD; it was adopted in April 2016 and became enforceable on May 25, 2018. NIST standards and special publications apply to the United States, while COBIT is an IT management framework. There is no EU Personal Data Protection Regulation.
  82. B. Protected health information, or PHI, includes a variety of data in multiple formats, including oral and recorded data, such as that created or received by healthcare providers, employers, and life insurance providers. PHI must be protected by HIPAA. PII is personally identifiable information. SHI and HPHI are both made-up acronyms.
  83. C. AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.
  84. B. The principle of data integrity states that data should be reliable and that information should not be used for purposes other than those that users are made aware of by notice and that they have accepted through choice.
    Enforcement is aimed at ensuring that compliance with principles is assured. Access allows individuals to correct, change, or delete their information, while onward transfer limits transfers to other organizations that comply with the principles of notice and choice.
  85. C. Due to problems with remnant data, the US National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process. Zero fill wipes a drive by replacing data with zeros, degaussing uses magnets to wipe magnetic media, and clearing is the process of preparing media for reuse.
  86. A. The data owner bears responsibility for categorizing information systems and delegates selection of controls to system owners, while custodians implement the controls. Users don’t perform any of these actions, while business owners are tasked with ensuring that systems are fulfilling their business purpose.
  87. B. PCI DSS provides a set of required security controls and standards. Step 2 would be guided by the requirements of PCI DSS. PCI DSS will not greatly influence step 1 because all of the systems handle credit card information, making PCI DSS apply to all systems covered. Steps 3 and 4 will be conducted after PCI DSS has guided the decisions in step 2.
  88. C. Custodians are tasked with the day-to-day monitoring of the integrity and security of data. Step 5 requires monitoring, which is a custodial task. A data owner may grant rights to custodians but will not be responsible for conducting monitoring. Data processors process data on behalf of the data controller, and a user simply uses the data via a computing system.
  89. B. Susan’s organization is limiting its risk by sending drives that have been sanitized before they are destroyed. This limits the possibility of a data breach if drives are mishandled by the third party, allowing them to be stolen, resold, or simply copied. The destruction of the drives will handle any issues with data remanence, while classification mistakes are not important if the drives have been destroyed. Data permanence and the life span of the data are not important on a destroyed drive.
  90. C. A digital watermark is used to identify the owner of a file or to otherwise label it. A copyright notice provides information about the copyright asserted on the file, while data loss prevention (DLP) is a solution designed to prevent data loss. Steganography is the science of hiding information, often in images or files.
  91. D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a non-information-security-related process for maintaining physical assets.
  92. C. The cost of the data is not directly included in the classification process. Instead, the impact to the organization if the data were exposed or breached is considered. Who can access the data and what regulatory or compliance requirements cover the data are also important considerations.
  93. B. Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for one-time password.
  94. D. Administrators have the rights to assign permissions to access and handle data. Custodians are trusted to handle day-to-day data handling tasks. Business owners are typically system or project owners, and data processors are systems used to process data.
  95. B. The California Online Privacy Protection Act (CalOPPA, not to be confused with the federal Children’s Online Privacy Protection Act, COPPA) requires that operators of commercial websites and services post a prominently displayed privacy policy if they collect personal information on California residents.
    The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law, while California Civil Code 1798.82 is part of the set of California codes that requires breach notification. The California Online Web Privacy Act does not exist.
  96. A. Tapes are frequently exposed due to theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization’s classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes or encrypting them may create extra work that isn’t required by the classification level of the tapes.
  97. A. The correct answer is the tape that is being shipped to a storage facility. You might think that the tape in shipment is “in motion,” but the key concept is that the data is not being accessed and is instead in storage. Data in a TCP packet or in an e-commerce transaction is in motion, and data in local RAM is in use; none of these is at rest.
  98. D. When the value of data changes due to legal, compliance, or business reasons, reviewing classifications and reclassifying the data is an appropriate response. Once the review is complete, data can be reclassified and handled according to its classification level. Simply relabeling the data avoids the classification process and may not result in the data being handled appropriately. Similarly, selecting a new baseline or simply encrypting the data may not handle all of the needs that the changes affecting the data create.
  99. C. PGP, or Pretty Good Privacy (or its open-source alternative, GPG) provide strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.
  100. A. While many non-government organizations create their own classification schemes, a common model with levels that align with the U.S. government’s classification labels is shown below. In the given options, B and D do not match the US government’s Top Secret, Secret, Confidential scheme, and C incorrectly matches business proprietary data with confidential data as well as Top Secret data with business sensitive data. Business internal is often another term for business sensitive, meaning that it is used to match two classifications!

Chapter 3: Security Engineering (Domain 3)

  1. D. The Brewer-Nash model allows access controls to change dynamically based upon a user’s actions. It is often used in environments like Matthew’s to implement a “Chinese wall” between data belonging to different clients.
  2. A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.
  3. A. Closed circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.
  4. B. In an m of n control system, at least m of n possible escrow agents must collaborate to retrieve an encryption key from the escrow database.
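    As an added example (not from the original answer key), the following Python code implements the m of n control described in answer 4 with Shamir’s secret sharing, the construction HSMs and key-management tools typically use for split knowledge. The secret is treated as an integer below the Mersenne prime 2^127 − 1, which is an assumption of this demo: a 16-byte key with its top bit clear fits, and larger keys would be split in chunks or over a larger prime.

```python
import secrets

# All arithmetic is in GF(P). P = 2^127 - 1 is prime, so every nonzero element
# has an inverse and Lagrange interpolation is exact.
P = (1 << 127) - 1


def _eval_poly(coeffs, x: int) -> int:
    """Horner's rule; coeffs[0] is the constant term, i.e. the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y) so that any m of them recover it.

    A random polynomial of degree m-1 with the secret as constant term is
    evaluated at x = 1..n. Fewer than m points leave the constant term
    completely undetermined, so m-1 escrow agents learn nothing."""
    if not 0 <= secret < P or not 1 <= m <= n < P:
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P).

    Any m distinct shares return the secret. Fewer than m shares do not raise
    an error; they simply return some other field element, which is why the
    escrow database must record m and validate the reconstructed key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return total
```

    In an escrow deployment each (x, y) pair goes to a different agent, the shares themselves are protected like keys, and the reconstruction runs inside the HSM or escrow system so that the assembled key is never exposed to the agents.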
  5. A. This is an example of a vendor offering a fully functional application as a web-based service. Therefore, it fits under the definition of Software as a Service (SaaS). In Infrastructure as a Service (IaaS), Compute as a Service (CaaS), and Platform as a Service (PaaS) approaches, the customer provides their own software. In this example, the vendor is providing the email software, so none of those choices are appropriate.
  6. B. The Digital Signature Standard approves three encryption algorithms for use in digital signatures: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; and the Elliptic Curve DSA (ECDSA) algorithm. HAVAL is a hash function, not an encryption algorithm. While hash functions are used as part of the digital signature process, they do not provide encryption.
  7. A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Harry is requesting resource access and is, therefore, the subject.
  8. C. Michael should conduct his investigation, but there is a pressing business need to bring the website back online. The most reasonable course of action would be to take a snapshot of the compromised system and use the snapshot for the investigation, restoring the website to operation as quickly as possible while using the results of the investigation to improve the security of the site.
  9. C. The use of a sandbox is an example of confinement, where the system restricts the access of a particular process to limit its ability to affect other processes running on the same system.
  10. D. Assurance is the degree of confidence that an organization has that its security controls are correctly implemented. It must be continually monitored and re-verified.
  11. A. Maintenance hooks, otherwise known as backdoors, provide developers with easy access to a system, bypassing normal security controls. If not removed prior to finalizing code, they pose a significant security vulnerability if an attacker discovers the maintenance hook.
  12. B. The Simple Integrity Property, part of the Biba model, states that a subject may not read an object at a lower integrity level than the subject’s own (“no read down”). This keeps low-integrity data from contaminating higher-integrity work.
  13. B. Supervisory control and data acquisition (SCADA) systems are used to control and gather data from industrial processes. They are commonly found in power plants and other industrial environments.
  14. B. The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing an encrypted drive by installing it in another computer.
  15. B. Running DES three times produces a stronger encryption standard known as Triple DES, or 3DES. In order for this to provide additional security, DES must also be run using at least two different keys. NIST recommends use of three independent keys for the strongest version. Note that NIST has since deprecated 3DES (SP 800-131A Rev. 2), so it should not be chosen for new systems.
  16. C. In an asymmetric cryptosystem, the sender of a message always encrypts the message using the recipient’s public key.
  17. D. When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one who holds his private key, he is the only one who can read the message.
  18. B. Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.
  19. B. Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice’s public key.
  20. B. The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use precomputed hash values, such as rainbow tables.
  21. A. Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.
  22. D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.
  23. B. The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks.
  24. D. The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.
  25. C. The exclusive or (XOR) operation is true when one and only one of the input values is true.
  26. A. DES uses a 64-bit encryption key but only 56 of those bits are actually used as keying material in the encryption operation. The remaining 8 bits are used to detect tampering or corruption of the key.
  27. C. The *-Security Property states that an individual may not write to a file at a lower classification level than that of the individual. This is also known as the confinement property.
  28. B. The Diffie-Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.
  29. C. Protection Profiles (PPs) specify the security requirements and protections that must be in place for a product to be accepted under the Common Criteria.
  30. A. Hash functions must be able to work on any variable-length input and produce a fixed-length output from that input, regardless of the length of the input.
  31. C. Binary keyspaces contain a number of keys equal to two raised to the power of the number of bits. Two to the fifth power is 32, so a 5-bit keyspace contains 32 possible keys.
  32. B. Kerckhoffs’s principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
  33. A. Mantraps use a double set of doors to prevent piggybacking by allowing only a single individual to enter a facility at a time.
  34. A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.
  35. D. The *-Integrity Property states that a subject cannot modify an object at a higher security level than that possessed by the subject.
  36. C. Companies with BYOD environments often require nonintrusive security controls, such as remote wiping capability, device passcodes, and full device encryption. They do not normally use application control to restrict applications because users object to the use of this technology on personally owned devices.
  37. B. In the Fair Cryptosystem approach to key escrow, the secret keys used in communications are divided into two or more pieces, each of which is given to an independent third party.
  38. A. The Ready state is used when a process is prepared to execute but the CPU is not available. The Running state is used when a process is executing on the CPU. The Waiting state is used when a process is blocked waiting for an external event. The Stopped state is used when a process terminates.
  39. A. EAL1 assurance applies when the system in question has been functionally tested. It is the lowest level of assurance under the Common Criteria.
  40. A. Administrators and processes may attach security labels to objects that provide information on an object’s attributes. Labels are commonly used to apply classifications in a mandatory access control system.
  41. B. Open-source software exposes the source code to public inspection and modification. The open-source community includes major software packages, including the Linux operating system.
  42. A. Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.
  43. C. Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.
  44. A. Kernel mode, supervisory mode, and system mode are all terms used to describe privileged modes of system operation. User mode is an unprivileged mode.
  45. D. Multistate systems are certified to handle data from different security classifications simultaneously by implementing protection mechanisms that segregate data appropriately.
  46. C. For systems running in System High mode, the user must have a valid security clearance for all information processed by the system, access approval for all information processed by the system, and a valid need to know for some, but not necessarily all, information processed by the system.
  47. B. Steganography is the art of using cryptographic techniques to embed secret messages within other content. Some steganographic algorithms work by making alterations to the least significant bits of the many bits that make up image files.
  48. C. The Caesar cipher is a shift cipher that works on a stream of text and is also a substitution cipher. It is not a block cipher or a transposition cipher. It is extremely weak as a cryptographic algorithm.
  49. A. The kernel lies within the central ring, Ring 0. Conceptually, Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0 through 2 run in privileged mode while Ring 3 runs in user mode. It is important to note that many modern operating systems do not fully implement this model.
  50. D. In an Infrastructure as a Service environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer’s responsibility to validate that the vendor’s sanitization procedures meet their requirements prior to utilizing the vendor’s storage services.
  51. B. The major difference between a code and a cipher is that ciphers alter messages at the character or bit level, not at the word level. DES, shift ciphers, and word scrambles all work at the character or bit level and are ciphers. “One if by land; two if by sea” is a message with hidden meaning in the words and is an example of a code.
  52. C. The verification process is similar to the certification process in that it validates security controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations. Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.
  53. B. When a process is confined within certain access bounds, that process runs in isolation. Isolation protects the operating environment, the operating system kernel, and other processes running on the system.
  54. B. The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.
  55. A. Class A fire extinguishers are useful only against common combustible materials. They use water or soda acid as their suppressant. Class B extinguishers are for liquid fires. Class C extinguishers are for flammable gases, and Class D fire extinguishers are for combustible metals.
  56. A. Mobile Device Management (MDM) products provide a consistent, centralized interface for applying security configuration settings to mobile devices.
  57. C. Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.
  58. A. The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology.
  59. D. The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.
  60. B. The Trusted Computing Base (TCB) is a small subset of the system contained within the kernel that carries out critical system activities.
  61. A. The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.
  62. B. Encrypting data on SSD drives does protect against wear leveling. Disk formatting does not effectively remove data from any device. Degaussing is only effective for magnetic media. Physically destroying the drive would not permit reuse.
  63. C. In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.
  64. B. In a Time of Check/Time of Use (TOCTOU) attack, the attacker exploits the difference in time between when a security control is verified and the data protected by the control is actually used.
  65. A. The X.509 standard, developed by the International Telecommunications Union, contains the specification for digital certificates.
  66. D. Fences designed to deter more than the casual intruder should be at least 6 feet high. If a physical security system is designed to deter even determined intruders, it should be at least 8 feet high and topped with three strands of barbed wire.
  67. C. In an aggregation attack, individual(s) use their access to specific pieces of information to piece together a larger picture that they are not authorized to access.
  68. D. While all of the controls mentioned protect against unwanted electromagnetic emanations, only white noise is an active control. White noise generates false emanations that effectively “jam” the true emanations from electronic equipment.
  69. B. In a Software as a Service environment, the customer has no access to any underlying infrastructure, so firewall management is a vendor responsibility under the cloud computing shared responsibility model.
  70. C. The grant rule allows a subject to grant rights that it possesses on an object to another subject.
  71. A. In a phlashing attack, the attacker introduces a custom, malicious BIOS that grants the attacker some level of control over the attacked system.
  72. D. Multithreading permits multiple tasks to execute concurrently within a single process. These tasks are known as threads and may be alternated between without switching processes.
  73. C. This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language.
  74. D. The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute force manner to identify the encryption key in approximately double the time of a brute force attack against the basic DES algorithm.
  75. A. The blacklisting approach to application control allows users to install any software they wish except for packages specifically identified by the administrator as prohibited. This would be an appropriate approach in a scenario where users should be able to install any nonmalicious software they wish to use.
  76. A. Heartbeat sensors send periodic status messages from the alarm system to the monitoring center. The monitoring center triggers an alarm if it does not receive a status message for a prolonged period of time, indicating that communications were disrupted.
  77. B. In a zero-knowledge proof, one individual demonstrates to another that they can achieve a result that requires sensitive information without actually disclosing the sensitive information.
  78. A. Blowfish allows the user to select any key length between 32 and 448 bits.
  79. B. Soda acid and other dry powder extinguishers work to remove the fuel supply. Water suppresses temperature, while halon and carbon dioxide remove the oxygen supply from a fire.
  80. A. Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.
  81. C. The Open Web Application Security Project (OWASP) produces an annual list of the top ten web application security issues that developers and security professionals around the world rely upon for education and training purposes. The OWASP vulnerabilities form the basis for many web application security testing products.
  82. A. The information flow model applies state machines to the flow of information. The Bell-LaPadula model applies the information flow model to confidentiality while the Biba model applies it to integrity.
  83. D. Each process that runs on a system is assigned certain physical or logical bounds for resource access, such as memory.
  84. C. Capacitance motion detectors monitor the electromagnetic field in a monitored area, sensing disturbances that correspond to motion.
  85. D. Halon fire suppression systems use a chlorofluorocarbon (CFC) suppressant material that was banned in the Montreal Protocol because it depletes the ozone layer.
  86. D. The Biba model focuses only on protecting integrity and does not provide protection against confidentiality or availability threats. It also does not provide protection against covert channel attacks. The Biba model focuses on external threats and assumes that internal threats are addressed programmatically.
  87. A. In TLS, both the server and the client first communicate using an ephemeral symmetric session key. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography.
  88. B. A Faraday cage is a metal skin that prevents electromagnetic emanations from exiting. It is a rarely used technology because it is unwieldy and expensive, but it is quite effective at blocking unwanted radiation.
  89. B. The hypervisor is responsible for coordinating access to physical hardware and enforcing isolation between different virtual machines running on the same physical platform.
  90. B. Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of Platform as a Service (PaaS) computing.
  91. B. The feedback model of composition theory occurs when one system provides input for a second system and then the second system provides input for the first system. This is a specialized case of the cascading model, so the feedback model is the most appropriate answer.
  92. B. UPSes are designed to protect against short-term power losses, such as power faults. When they conduct power conditioning, they are also able to protect against sags and noise. UPSes have limited-life batteries and are not able to maintain continuous operation during a sustained blackout.
  93. D. Data center humidity should be maintained between 40% and 60%. Values below this range increase the risk of static electricity, while values above this range may generate moisture that damages equipment.
  94. C. Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys.
  95. B. Accreditation is the formal approval by a DAA that an IT system may operate in a described risk environment.
  96. B. Abstraction uses a black box approach to hide the implementation details of an object from the users of that object.
  97. A. The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.
  98. A. The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA’s digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.
  99. C. Covert channels use surreptitious communication paths. Covert timing channels alter the use of a resource in a measurable fashion to exfiltrate information. If a user types using a specific rhythm of Morse code, this is an example of a covert timing channel. Someone watching or listening to the keystrokes could receive a secret message with no trace of the message left in logs.
  100. C. Self-signed digital certificates should only be used for internal-facing applications, where the user base trusts the internally generated digital certificate.

Chapter 4: Communication and Network Security (Domain 4)

  1. A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet-switching technology that provides a Committed Information Rate (CIR), which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider-supplied DCE, which transmits the data over the network.
  2. B. LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.
  3. C. Ben is using ad hoc mode, which directly connects two clients. It can be easy to confuse this with stand-alone mode, which connects clients using a wireless access point, but not to wired resources like a central network. Infrastructure mode connects endpoints to a central network, not directly to each other. Finally, wired extension mode uses a wireless access point to link wireless clients to a wired network.
  4. C. A collision domain is the set of systems that could cause a collision if they transmitted at the same time. Systems outside of a collision domain cannot cause a collision if they send at the same time. This is important, as the number of systems in a collision domain increases the likelihood of network congestion due to an increase in collisions. A broadcast domain is the set of systems that can receive a broadcast from each other. A subnet is a logical division of a network, while a supernet is made up of two or more networks.
  5. D. The RST flag is used to reset or disconnect a session. It can be resumed by restarting the connection via a new three-way handshake.
  6. C. He should choose 802.11n, which supports 200+ Mbps in the 2.4 GHz or the 5 GHz frequency range. 802.11a and 802.11ac are both 5 GHz only, while 802.11g is only capable of 54 Mbps.
  7. C. These common ports are important to know, although some of the protocols are becoming less common. TCP 23 is used for Telnet; TCP 25 is used for SMTP (the Simple Mail Transfer Protocol); 143 is used for IMAP, the Internet Message Access Protocol; and 515 is associated with LPD, the Line Printer Daemon protocol used to send print jobs to printers.
    POP3 operates on TCP 110, SSH operates on TCP 22 (and SFTP operates over SSH), and X Windows operates on a range of ports between 6000 and 6063.
  8. A. The File Transfer Protocol (FTP) operates on TCP ports 20 and 21. UDP port 69 is used for the Trivial File Transfer Protocol, or TFTP, while UDP port 21 is not used for any common file transfer protocol.
  9. B. Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM) all use spread spectrum techniques to transmit on more than one frequency at the same time. Neither FHSS nor DSSS uses orthogonal modulation, while multiplexing describes combining multiple signals over a shared medium of any sort. Wi-Fi may receive interference from FHSS systems but doesn’t use it.
  10. B. The Challenge-Handshake Authentication Protocol, or CHAP, is used by PPP servers to authenticate remote clients. It encrypts both the username and password and performs periodic reauthentication while connected using techniques to prevent replay attacks. LEAP provides reauthentication but was designed for WEP, while PAP sends passwords unencrypted. EAP is extensible and was used for PPP connections, but it doesn’t directly address the listed items.
  11. C. SSID broadcast is typically disabled for secure networks. While this won’t stop a determined attacker, it will stop casual attempts to connect. Separating the network from other wired networks, turning on the highest level of encryption supported (like WPA2), and using MAC filtering for small groups of clients that can reasonably be managed by hand are all common best practices for wireless networks.
  12. A. A ring connects all systems like points on a circle. A ring topology was used with Token Ring networks, and a token was passed between systems around the ring to allow each system to communicate. More modern networks may be described as a ring but are only physically a ring and not logically using a ring topology.
  13. B. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.
  14. D. Remote PCs that connect to a protected network need to comply with security settings and standards that match those required for the internal network. The VPN concentrator logically places remote users in the protected zone behind the firewall, but that means that user workstations (and users) must be trusted in the same way that local workstations are.
  15. C. An intrusion protection system can scan traffic and stop both known and unknown attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at location C would only protect from attacks via the organization’s VPN, which should only be used by trusted users. A firewall typically won’t have the ability to identify and stop cross-site scripting attacks, and IDS systems only monitor and don’t stop attacks.
  16. D. Distance-vector protocols use metrics including the direction and distance in hops to remote networks to make decisions. A link-state routing protocol considers the shortest distance to a remote network. Destination metric and link-distance protocols don’t exist.
  17. B. Disabling SSID broadcast can help prevent unauthorized personnel from attempting to connect to the network. Since the SSID is still active, it can be discovered by using a wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used to broadcast the SSID, and it is possible to have multiple networks with the same SSID.
  18. B. A proxy is a form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems. A router connects networks, while a firewall uses rules to limit traffic permitted through it. A gateway translates between protocols.
  19. B. DNS poisoning occurs when an attacker changes the domain name to IP address mappings of a system to redirect traffic to alternate systems. DNS spoofing occurs when an attacker sends false replies to a requesting system, beating valid replies from the actual DNS server. ARP spoofing provides a false hardware address in response to queries about an IP, and Cain & Abel is a powerful Windows hacking tool, but a Cain attack is not a specific type of attack.
  20. B. Screen scrapers copy the actual screen displayed and display it at a remote location. RDP provides terminal sessions without doing screen scraping, remote node operation is the same as dial-up access, and remote control is a means of controlling a remote system (screen scraping is a specialized subset of remote control).
  21. A. S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS, or MIME Object Security Services, and PEM can also both provide authentication, confidentiality, integrity, and nonrepudiation, while DKIM, or Domain Keys Identified Mail, is a domain validation tool.
  22. A. Multilayer protocols like DNP3 allow SCADA and other systems to use TCP/IP-based networks to communicate. Many SCADA devices were never designed to be exposed to a network, and adding them to a potentially insecure network can create significant risks. TLS or other encryption can be used on TCP packets, meaning that even serial data can be protected. Serial data can be carried via TCP packets because TCP packets don’t care about their content; it is simply another payload. Finally, TCP/IP does not have a specific throughput as designed, so issues with throughput are device-level issues.
  23. C. WEP has a very weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.
  24. B. A denial of service attack is an attack that causes a service to fail or to be unavailable. Exhausting a system’s resources to cause a service to fail is a common form of denial of service attack. A worm is a self-replicating form of malware that propagates via a network, a virus is a type of malware that can copy itself to spread, and a Smurf attack is a distributed denial of service attack (DDoS) that spoofs a victim’s IP address to systems using an IP broadcast, resulting in traffic from all of those systems to the target.
  25. C. 802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4 and 5 GHz frequency range. 802.11g operates at 54 Mbps using the 2.4 GHz frequency range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both outdated and are unlikely to be encountered in modern network installations.
  26. B. ARP and RARP operate at the Data Link layer, the second layer of the OSI model. Both protocols deal with physical hardware addresses, which are used above the Physical layer (layer 1) and below the Network layer (layer 3), thus falling at the Data Link layer.
  27. D. iSCSI is a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel. VoIP is Voice over IP, SDN is Software-defined networking, and MPLS is Multiprotocol Label Switching, a technology that uses path labels instead of network addresses.
  28. A. A repeater or concentrator will amplify the signal, ensuring that the 100-meter distance limitation of 1000Base-T is not an issue. A gateway would be useful if network protocols were changing, while Cat7 cable is appropriate for a 10Gbps network at much shorter distances. STP cable is limited to 155 Mbps and 100 meters, which would leave Chris with network problems.
  29. B. TCP 80 is typically HTTP.
  30. C. HTTP traffic is typically sent via TCP 80. Unencrypted HTTP traffic can be easily captured at any point between A and B, meaning that the instant messaging solution chosen does not provide confidentiality for the organization’s corporate communications.
  31. B. If a business need requires instant messaging, using a local instant messaging server is the best option. This prevents traffic from traveling to a third-party server and can offer additional benefits such as logging, archiving, and control of security options like the use of encryption.
  32. B. Multilayer protocols create three primary concerns for security practitioners: They can conceal covert channels (and thus covert channels are allowed), filters can be bypassed by traffic concealed in layered protocols, and the logical boundaries put in place by network segments can be bypassed under some circumstances. Multilayer protocols allow encryption at various layers and support a range of protocols at higher layers.
  33. C. A bus can be linear or tree-shaped and connects each system to trunk or backbone cable. Ethernet networks operate on a bus topology.
  34. B. When a workstation or other device is connected simultaneously to both a secure and a nonsecure network like the Internet, it may act as a bridge, bypassing the security protections located at the edge of a corporate network. It is unlikely that traffic will be routed improperly leading to the exposure of sensitive data, as traffic headed to internal systems and networks is unlikely to be routed to the external network. Reflected DDoS attacks are used to hide identities rather than to connect through to an internal network, and security administrators of managed systems should be able to determine both the local and wireless IP addresses their systems use.
  35. A. Wardriving and warwalking are both processes used to locate wireless networks, but are not typically as detailed and thorough as a site survey, and design map is a made-up term.
  36. C. The DARPA TCP/IP model was used to create the OSI model, and the designers of the OSI model made sure to map the OSI model layers to it. The Application layer of the TCP model maps to the Application, Presentation, and Session layers, while the TCP and OSI models both have a distinct Transport layer.
  37. B. ARP cache poisoning occurs when false ARP data is inserted into a system’s ARP cache, allowing the attacker to modify its behavior. RARP flooding, denial of ARP attacks, and ARP buffer blasting are all made-up terms.
  38. C. The process of using a fake MAC (Media Access Control) address is called spoofing, and spoofing a MAC address already in use on the network can lead to an address collision, preventing traffic from reaching one or both systems. Tokens are used in token ring networks, which are outdated, and EUI refers to an Extended Unique Identifier, another term for MAC address, but token loss is still not the key issue. A broadcast domain refers to the set of machines a host can send traffic to via a broadcast message.
  39. D. Direct Inward System Access uses access codes assigned to users to add a control layer for external access and control of the PBX. If the codes are compromised, attackers can make calls through the PBX or even control it. Not updating a PBX can lead to a range of issues, but this question is looking for a DISA issue. Allowing only local calls and using unpublished numbers are both security controls and might help keep the PBX more secure.
  40. D. Application-specific protocols are handled at layer 7, the Application layer of the OSI model.
  41. D. Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system. Lauren simply needs to filter out ICMP to not see her pings.
  42. D. 802.1X provides port-based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.
  43. D. 1000Base-T is capable of a 100 meter run according to its specifications. For longer distances, a fiber-optic cable is typically used in modern networks.
  44. C. PRI, or Primary Rate Interface, can use between 2 and 23 64-Kbps channels, with a maximum potential bandwidth of 1.544 Mbps. Actual speeds will be lower due to the D channel, which can’t be used for actual data transmission, but PRI beats BRI’s two B channels paired with a D channel for 144 Kbps of bandwidth.
  45. C. SPIT stands for Spam over Internet Telephony and targets VoIP systems.
  46. D. Bluesnarfing targets the data or information on Bluetooth-enabled devices. Bluejacking occurs when attackers send unsolicited messages via Bluetooth.
  47. C. Layer 6, the Presentation layer, transforms data from the Application layer into formats that other systems can understand by formatting and standardizing the data. That means that standards like JPEG, ASCII, and MIDI are used at the Presentation layer for data. TCP, UDP, and TLS are used at the Transport layer; NFS, SQL, and RPC operate at the Session layer; and HTTP, FTP, and SMTP are Application layer protocols.
  48. D. Fully connected mesh networks provide each system with a direct physical link to every other system in the mesh. This is very expensive but can provide performance advantages for specific types of computational work.
  49. C. PPTP, L2F, L2TP, and IPsec are the most common VPN protocols. TLS is also used for an increasingly large percentage of VPN connections and may appear at some point in the CISSP exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP is the Shiva Password Authentication Protocol sometimes used with PPTP.
  50. C. FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions. It can bypass broken segments by dropping the broken point and using the second, unbroken ring to continue to function. Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol for sending multiple optical streams over fiber, and a ring topology is a design, not a technology.
  51. C. The Physical Layer includes electrical specifications, protocols, and standards that allow control of throughput, handling line noise, and a variety of other electrical interface and signaling requirements. The OSI layer doesn’t have a Device layer. The Transport layer connects the Network and Session layers, and the Data Link layer packages packets from the network layer for transmission and receipt by devices operating on the Physical layer.
  52. A. WPA2, the replacement for WPA, does not suffer from the security issues that WEP, the original wireless security protocol, and WPA, its successor, both suffer from. AES is used in WPA2 but is not specifically a wireless security standard.
  53. A. User awareness is one of the most important tools when dealing with attachments. Attachments are often used as a vector for malware, and aware users can help prevent successful attacks by not opening the attachments. Anti-malware tools, including antivirus software, can help detect known threats before users even see the attachments. Encryption, including tools like S/MIME, won’t help prevent attachment-based security problems, and removing ZIP file attachments will only stop malware that is sent via those ZIP files.
  54. A. The Transport layer provides logical connections between devices, including end-to-end transport services to ensure that data is delivered. Transport layer protocols include TCP, UDP, SSL, and TLS.
  55. B. Media Access Control (MAC) addresses are the hardware addresses the machine uses for layer 2 communications. The MAC address includes an organizationally unique identifier (OUI), which identifies the manufacturer. MAC addresses can be changed, so this is not a guarantee of accuracy, but under normal circumstances you can tell what manufacturer made the device by using the MAC address.
  56. D. PEAP provides encryption for EAP methods and can provide authentication. It does not implement CCMP, which was included in the WPA2 standard. LEAP is dangerously insecure and should not be used due to attack tools that have been available since the early 2000s.
  57. C. Double NATing isn’t possible with the same IP range; the same IP addresses cannot appear inside and outside of a NAT router. RFC 1918 addresses are reserved, but only so they are not used and routable on the Internet, and changing to PAT would not fix the issue.
  58. B. A Class B network holds 2^16 systems, and its default network mask is 255.255.0.0.
  59. C. Traditional private branch exchange (PBX) systems are vulnerable to eavesdropping because voice communications are carried directly over copper wires. Since standard telephones don’t provide encryption (and you’re unlikely to add encrypted phones unless you’re the NSA), physically securing access to the lines and central connection points is the best strategy available.
  60. A. Most cordless phones don’t use encryption, and even modern phones that use DECT (which does provide encryption) have already been cracked. This means that a determined attacker can almost always eavesdrop on cordless phones, and makes them a security risk if they’re used for confidential communication.
  61. A. VLAN hopping between the voice and computer VLANs can be accomplished when devices share the same switch infrastructure. Using physically separate switches can prevent this attack. Encryption won’t help with VLAN hopping because it relies on header data that the switch needs to read (and this is unencrypted), while Caller ID spoofing is an inherent problem with VoIP systems. A denial of service is always a possibility, but it isn’t specifically a VoIP issue and a firewall may not stop the problem if it’s on a port that must be allowed through.
  62. A. A static packet filtering firewall is only aware of the information contained in the message header of packets: the source, destination, and port it is sent from and headed to. This means that they’re not particularly smart, unlike Application layer firewalls that proxy traffic based on the service they support or stateful inspection firewalls (also known as dynamic packet inspection firewalls) that understand the relationship between systems and their communications.
  63. A. Black boxes are designed to steal long-distance service by manipulating line voltages. Red boxes simulate tones of coins being deposited into payphones; blue boxes were tone generators used to simulate the tones used for telephone networks; and white boxes included a dual tone, multifrequency generator to control phone systems.
  64. A. Data streams are associated with the Application, Presentation, and Session layers. Once they reach the Transport layer, they become segments (TCP) or datagrams (UDP). From there, they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.
  65. C. A three-tier design separates three distinct protected zones and can be accomplished with a single firewall that has multiple interfaces. Single- and two-tier designs don’t support the number of protected networks needed in this scenario, while a four-tier design would provide a tier that isn’t needed.
  66. C. Software-defined networking provides a network architecture that can be defined and configured as code or software. This will allow Lauren’s team to quickly change the network based on organizational requirements. The 5-4-3 rule is an old design rule for networks that relied on repeaters or hubs. A converged network carries multiple types of traffic like voice, video, and data. A hypervisor-based network may be software defined, but it could also use traditional network devices running as virtual machines.
  67. B. Sensitive information contained in faxes should not be left in a public area. Disabling automatic printing will help prevent unintended viewing of the faxes. Purging local memory after the faxes are printed will ensure that unauthorized individuals can’t make additional copies of faxes. Encryption would help keep the fax secure during transmission but won’t help with the public location and accessibility of the fax machine itself, and of course, enabling automatic printing will only make casual access easier.
  68. B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.
  69. A. A single-tier firewall deployment is very simple and does not offer useful design options like a DMZ or separate transaction subnets.
  70. D. Network segmentation can reduce issues with performance as well as diminish the chance of broadcast storms by limiting the number of systems in a segment. This decreases broadcast traffic visible to each system and can reduce congestion. Segmentation can also help provide security by separating functional groups who don’t need to be able to access each other’s systems. Installing a firewall at the border would only help with inbound and outbound traffic, not cross-network traffic. Spanning tree loop prevention helps prevent loops in Ethernet networks (for example, when you plug a switch into a switch via two ports on each), but it won’t solve broadcast storms that aren’t caused by a loop or security issues. Encryption might help prevent some problems between functional groups, but it won’t stop them from scanning other systems, and it definitely won’t stop a broadcast storm!
  71. C. ICMP, RIP, and network address translation all occur at layer 3, the Network layer.
  72. C. One of the visibility risks of virtualization is that communication between servers and systems using virtual interfaces can occur “inside” of the virtual environment. This means that visibility into traffic in the virtualization environment has to be purpose built as part of its design. Option D is correct but incomplete because inter-hypervisor traffic isn’t the only traffic the IDS will see.
  73. B. Cut and paste between virtual machines can bypass normal network-based data loss prevention tools and monitoring tools like an IDS or IPS. Thus, it can act as a covert channel, allowing the transport of data between security zones. So far, cut and paste has not been used as a method for malware spread in virtual environments and has not been associated with denial of service attacks. Cut and paste requires users to be logged in and does not bypass authentication requirements.
  74. A. While virtual machine escape has only been demonstrated in laboratory environments, the threat is best dealt with by limiting what a successful attacker can gain from access to the underlying hypervisor. Segmenting by data types or access levels can limit the potential impact of a hypervisor compromise. If attackers can access the underlying system, restricting the breach to only similar data types or systems will limit the impact. Escape detection tools are not available on the market, restoring machines to their original snapshots will not prevent the exploit from occurring again, and Tripwire detects file changes and is unlikely to catch exploits that escape the virtual machines themselves.
  75. C. WPA2’s CCMP encryption scheme is based on AES. As of the writing of this book, there have not been any practical real-world attacks against WPA2. DES has been successfully broken, and neither 3DES nor TLS is used for WPA2.
  76. B. Ethernet networks use Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) technology. When a collision is detected and a jam signal is sent, hosts wait a random period of time before attempting retransmission.
  77. C. IPX, AppleTalk, and NetBEUI are all examples of non-IP protocols. TCP and UDP are both IP protocols, while routing protocols are used to send information about how traffic should be routed through networks.
  78. C. A T3 (DS-3) line is capable of 44.736 Mbps. This is often referred to as 45 Mbps. A T1 is 1.544 Mbps, ATM is 155 Mbps, and ISDN is often 64 or 128 Kbps.
  79. B. A two-tier firewall uses a firewall with multiple interfaces or multiple firewalls in series. This image shows a firewall with two protected interfaces, with one used for a DMZ and one used for a protected network. This allows traffic to be filtered between each of the zones (Internet, DMZ, and private network).
  80. B. Endpoint security solutions face challenges due to the sheer volume of data that they can create. When each workstation is generating data about events, this can be a massive amount of data. Endpoint security solutions should reduce the number of compromises when properly implemented, and they can also help by monitoring traffic after it is decrypted on the local host. Finally, non-TCP protocols are relatively uncommon on modern networks, making this a relatively rare concern for endpoint security system implementations.
  81. D. The IP address 127.0.0.1 is a loopback address and will resolve to the local machine. Public addresses are non-RFC 1918, non-reserved addresses. RFC 1918 addresses are reserved and include ranges like 10.x.x.x. An APIPA address is a self-assigned address used when a DHCP server cannot be found.
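The address categories named in the explanation for question 81 (loopback, RFC 1918, APIPA, public) and the classful default mask from question 58 can be checked with the Python standard library. The following classifier is an added example, not material from the book; the ranges are the well-known ones (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) and the classful split follows the first-octet rule.

```python
import ipaddress

# Well-known IPv4 ranges behind the categories used in the answer explanation.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when no DHCP server answers


def classify_ipv4(addr: str) -> str:
    """Return 'loopback', 'rfc1918', 'apipa' or 'public' for a dotted-quad IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"expected an IPv4 address, got {addr!r}")
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in APIPA:
        return "apipa"
    return "public"


def classful_info(addr: str) -> dict:
    """Classful view of an address: class letter, default mask and address count.

    Classes A/B/C are derived from the first octet (0-127, 128-191, 192-223);
    D (multicast) and E (reserved) have no default mask.
    """
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        cls, prefix = "A", 8
    elif first_octet < 192:
        cls, prefix = "B", 16
    elif first_octet < 224:
        cls, prefix = "C", 24
    elif first_octet < 240:
        cls, prefix = "D", None
    else:
        cls, prefix = "E", None
    if prefix is None:
        return {"class": cls, "mask": None, "addresses": None}
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return {"class": cls, "mask": str(net.netmask), "addresses": net.num_addresses}


if __name__ == "__main__":
    for sample in ("127.0.0.1", "10.1.2.3", "172.31.255.1", "172.32.0.1", "169.254.10.20", "8.8.8.8"):
        print(sample, classify_ipv4(sample), classful_info(sample))
```

Note that 172.32.0.1 is public even though it "looks" private: the RFC 1918 block is 172.16.0.0/12, which ends at 172.31.255.255. A Class B address such as 172.16.5.9 yields the 255.255.0.0 mask and 2^16 addresses from question 58.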
  82. B. Since Bluetooth doesn’t provide strong encryption, it should only be used for activities that are not confidential. Bluetooth PINs are four-digit codes that often default to 0000. Turning it off and ensuring that your devices are not in discovery mode can help prevent Bluetooth attacks.
  83. B. Application-level gateway firewalls are known as second-generation firewalls. Static packet filtering firewalls are known as first-generation firewalls, and stateful packet inspection firewalls are known as third-generation firewalls. UTM, or Unified Threat Management, is a concept used in next-generation firewalls.
  84. B. Fibre Channel over Ethernet allows Fibre Channel communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids the cost of a custom cable plant for a Fibre Channel implementation. MPLS, or Multiprotocol Label Switching, is used for high-performance networking; VoIP is Voice over IP; and SDN is Software-Defined Networking.
  85. D. A modem (MOdulator/DEModulator) modulates between an analog carrier like a phone line and digital communications like those used between computers. While modems aren’t in heavy use in most areas, they are still in place for system control and remote system contact and in areas where phone lines are available but other forms of communication are too expensive or not available.
  86. D. The OSI layers in order are Application, Presentation, Session, Transport, Network, Data Link, and Physical.
  87. B. A teardrop attack uses fragmented packets to target a flaw in how the TCP stack on a system handles fragment reassembly. If the attack is successful, the TCP stack fails, resulting in a denial of service. Christmas tree attacks set all of the possible TCP flags on a packet, thus “lighting it up like a Christmas tree.” Stack killer and frag grenade attacks are made-up answers.
  88. D. The Point-to-Point Protocol (PPP) is used for dial-up connections for modems, ISDN, Frame Relay, and other technologies. It replaced SLIP in almost all cases. PPTP is the Point-to-Point Tunneling Protocol used for VPNs, and SLAP is not a protocol at all!
  89. B. While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern networks, they can present a challenge because many firewalls are not capable of filtering them. This can create risks when they are necessary for an application or system’s function because they may have to be passed without any inspection. Christmas tree attacks set all of the possible flags on a TCP packet (and are thus related to an IP protocol), IPX is not an IP-based protocol, and while these protocols are outdated, there are ways to make even modern PCs understand them.
  90. C. Of the three answers, PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption. LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice.
  91. A. L2TP can use IPsec to provide encryption of traffic, ensuring confidentiality of the traffic carried via an L2TP VPN. PPTP sends the initial packets of a session in plaintext, potentially including usernames and hashed passwords. PPTP does support EAP and was designed to encapsulate PPP packets. All VPNs are point to point, and multipoint issues are not a VPN problem.
  92. C. A full mesh topology directly connects each machine to every other machine on the network. For five systems, this means four connections per system.
  93. D. Ethernet uses a bus topology. While devices may be physically connected to a switch in a physical topology that looks like a star, systems using Ethernet can all transmit on the bus simultaneously, possibly leading to collisions.
  94. D. ARP spoofing is often done to replace a target’s cache entry for a destination IP, allowing the attacker to conduct a man-in-the-middle attack. A denial of service attack would be aimed at disrupting services rather than spoofing an ARP response, a replay attack will involve existing sessions, and a Trojan is malware that is disguised in a way that makes it look harmless.
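Two points from this domain lend themselves to a small defensive script: question 55 (the OUI in a MAC address identifies the vendor, but the address can be changed) and questions 37 and 94 (ARP cache poisoning replaces a target's cache entry for an IP). The example below is added here and is not from the book; the OUI table and ARP snapshots are constructed stand-ins for the IEEE registry and for periodic dumps of a host's ARP cache. It extracts the OUI, reads the locally-administered bit (a hint that the address was set in software), and flags IP-to-MAC changes across snapshots.

```python
import re
from collections import defaultdict

# Constructed OUI table standing in for the IEEE registry; vendor names are placeholders.
OUI_TABLE = {
    "00:11:22": "Example Vendor A (constructed)",
    "aa:bb:cc": "Example Vendor B (constructed)",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_info(mac: str) -> dict:
    """OUI, vendor lookup and the two flag bits carried in the first octet."""
    m = normalize_mac(mac)
    first_octet = int(m[0:2], 16)
    return {
        "oui": m[0:8],
        "vendor": OUI_TABLE.get(m[0:8], "unknown"),
        # Bit 1 of the first octet is set for locally administered addresses, i.e. ones
        # assigned in software rather than burned in, so the vendor lookup may be meaningless.
        "locally_administered": bool(first_octet & 0x02),
        # Bit 0 is the individual/group bit (set for multicast destinations).
        "multicast": bool(first_octet & 0x01),
    }


# Constructed ARP cache snapshots: "<time> <ip> <mac>", one row per cached entry.
# At 10:10:01 the gateway's entry (.1) suddenly carries the MAC of host .20.
ARP_LOG = """\
10:00:01 192.168.1.1 00:11:22:33:44:55
10:00:01 192.168.1.20 aa:bb:cc:00:00:20
10:05:01 192.168.1.1 00:11:22:33:44:55
10:10:01 192.168.1.1 aa:bb:cc:00:00:20
10:10:01 192.168.1.20 aa:bb:cc:00:00:20
"""


def detect_arp_changes(log: str) -> list:
    """Alert whenever an IP's cached MAC differs from the one seen for it previously."""
    last_seen = {}
    alerts = []
    for line in log.strip().splitlines():
        ts, ip, mac = line.split()
        mac = normalize_mac(mac)
        if ip in last_seen and last_seen[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old": last_seen[ip], "new": mac})
        last_seen[ip] = mac
    return alerts


def macs_claiming_multiple_ips(log: str) -> dict:
    """Map each MAC that appears for more than one IP to the set of IPs it claims."""
    ips_by_mac = defaultdict(set)
    for line in log.strip().splitlines():
        _, ip, mac = line.split()
        ips_by_mac[normalize_mac(mac)].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print(mac_info("00-11-22-33-44-55"))
    for alert in detect_arp_changes(ARP_LOG):
        print("ARP change:", alert)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(ARP_LOG))
```

A single change is not proof of poisoning (a gateway NIC replacement looks the same), so in practice the alert is correlated with a vendor change in the OUI and with the same MAC answering for several IPs at once, which the second function surfaces.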
  95. B. Category 3 UTP cable is primarily used for phone cables and was also used for early Ethernet networks where it provided 10 Mbps of throughput. Cat 5 cable provides 100 Mbps (and 1000 Mbps if it is Cat 5e). Cat 6 cable can also provide 1000 Mbps.
  96. B. Crosstalk occurs when data transmitted on one set of wires is picked up on another set of wires. Interference like this is electromagnetic rather than simply magnetic, transmission absorption is a made-up term, and amplitude modulation is how AM radio works.
  97. B. WEP’s implementation of RC4 is weakened by its use of a static common key and a limited number of initialization vectors. It does not use asymmetric encryption, and clients do not select encryption algorithms.
  98. B. VLANs can be used to logically separate groups of network ports while still providing access to an uplink. Per-room VPNs would create significant overhead for support as well as create additional expenses. Port security is used to limit what systems can connect to ports, but it doesn’t provide network security between systems. Finally, while firewalls might work, they would add additional expense and complexity without adding any benefits over a VLAN solution.
  99. D. MAC addresses and their organizationally unique identifiers are used at the Data Link layer to identify systems on a network. The Application and Session layers don’t care about physical addresses, while the Physical layer involves electrical connectivity and handling physical interfaces rather than addressing.
  100. C. Domain Keys Identified Mail, or DKIM, is designed to allow assertions of domain identity to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication, integrity, nonrepudiation, and confidentiality, depending on how they are used.

Chapter 5: Identity and Access Management (Domain 5)

  1. C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.
  2. B. Since Jim’s organization is using a cloud-based Identity as a Service solution, a third-party, on-premises identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log into third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.
  3. C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.
  4. C. Voice pattern recognition is “something you are,” a Type 3 authentication factor. Type 1 factors are “something you know,” and Type 2 factors are “something you have.” Type 4 is made up and is not a valid type of authentication factor.
  5. B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.
  6. B. Menus, shells, and database views are all commonly used for constrained interfaces. A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.
  7. C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.
  8. D. The Common Criteria defines trusted paths as a way to protect data between users and a security component. This includes attacks like replacing login windows for systems and is the reason Windows uses Ctrl+Alt+Del as a login sequence. Man-in-the-middle attacks can be prevented by using a trusted channel, which is often implemented with encryption and certificates. Brute force and dictionary attacks are often discouraged by using a back-off algorithm to slow down or prevent attacks.
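Questions 7 and 8 both turn on what password guessing looks like from the defender's side: a burst of failures against one account in the authentication log, and a back-off algorithm that slows each further attempt. The script below is an added example, not the book's; the log format (`time user=… result=… src=…`) and the entries are constructed, and the threshold, window and back-off constants are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: six rapid failures for bob, one failure then success
# for alice, and two failures for carol spread twenty minutes apart.
AUTH_LOG = """\
2024-01-01T10:00:00 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:02 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:04 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:06 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:08 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:10 user=bob result=FAIL src=203.0.113.7
2024-01-01T10:00:30 user=alice result=FAIL src=198.51.100.9
2024-01-01T10:00:45 user=alice result=OK src=198.51.100.9
2024-01-01T10:20:00 user=carol result=FAIL src=192.0.2.4
2024-01-01T10:40:00 user=carol result=FAIL src=192.0.2.4
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def parse_auth_log(log: str) -> list:
    """Turn log lines into (timestamp, user, result, source) tuples; malformed lines are skipped."""
    events = []
    for line in log.strip().splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, user, result, src = match.groups()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events


def flag_guessing(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return one alert per account that reaches `threshold` failures inside a sliding `window`."""
    recent_failures = defaultdict(deque)
    alerts = {}
    for ts, user, result, src in sorted(events):
        if result == "OK":
            recent_failures[user].clear()  # a success ends the current failure run
            continue
        failures = recent_failures[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= threshold and user not in alerts:
            alerts[user] = {"first": failures[0], "last": ts, "count": len(failures), "src": src}
    return alerts


def backoff_delay(consecutive_failures: int, base: float = 1.0, cap: float = 300.0) -> float:
    """Seconds to wait before accepting the next attempt: doubles per failure, capped at `cap`."""
    if consecutive_failures <= 0:
        return 0.0
    return min(base * 2 ** (consecutive_failures - 1), cap)


if __name__ == "__main__":
    for user, alert in flag_guessing(parse_auth_log(AUTH_LOG)).items():
        print(f"{user}: {alert['count']} failures from {alert['src']} between {alert['first']} and {alert['last']}")
    print([backoff_delay(n) for n in range(1, 12)])
```

Carol never trips the detector because her two failures are farther apart than the window, which is exactly the gap a slow, low-volume guessing campaign exploits; pairing the window-based alert with the per-account back-off (which keeps counting regardless of elapsed time until a success resets it) covers both the fast and the slow case.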
  9. B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.
  10. B. A callback to a home phone number is an example of a “somewhere you are” factor. This could potentially be spoofed by call forwarding or using a VoIP system. Type 1 factors are “something you know,” Type 3 factors are biometric, and geographic factors are typically based on IP addresses or access to a GPS.
  11. D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a non-transitive trust between AD domains in separate forests.
  12. B. TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.
  13. D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single-sign on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.
  14. C. Interface restrictions based on user privileges is an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.
  15. D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Non-discretionary access controls apply a fixed set of rules to an environment to manage access. Non-discretionary access controls include rule-, role-, and lattice-based access controls.
  16. D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.
  17. D. The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.
  18. C. The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.
  19. B. The client needs to install the TGT for use until it expires, and must also decrypt the symmetric key using a hash of the user’s password.
  20. A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.
  21. C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.
  22. C. Dictionary, brute force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial of service attack.
  23. A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.
  24. B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.
  25. A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.
  26. C. RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.
  27. A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based Infrastructure as a Service environments. The lack of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.
  28. C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.
  29. D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.
  30. D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.
  31. C. Privilege creep occurs when users retain rights from roles they held previously that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.
  32. B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.
  33. B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!
  34. C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would either use system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.
  35. C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between them.
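The DN rules in the explanation for question 35 (comma-separated RDNs, plus-joined values within one RDN, no trailing semicolon) can be turned into a small parser. This is an added example and not code from the book; it also honours backslash escaping of separators as in the LDAP string representation (RFC 4514), and the explicit rejection of a trailing semicolon follows the explanation rather than that RFC's grammar.

```python
import re

# Attribute types are either descriptors (cn, ou, dc, ...) or dotted OIDs (2.5.4.3).
ATTR_TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")


def _split_unescaped(text: str, sep: str) -> list:
    """Split on `sep`, but leave a backslash-escaped separator inside its field."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> list:
    """Return the DN as a list of RDNs, each a list of (attribute, value) pairs.

    An empty string is the (valid) empty DN. Raises ValueError on malformed input.
    """
    if dn == "":
        return []
    if dn.endswith(";") and not dn.endswith("\\;"):
        raise ValueError("a DN does not end with a semicolon")
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn_text = rdn_text.strip()
        if not rdn_text:
            raise ValueError("empty RDN (consecutive or leading/trailing commas)")
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"missing '=' in {ava!r}")
            attr, value = ava.split("=", 1)
            attr, value = attr.strip(), value.strip()
            if not ATTR_TYPE_RE.fullmatch(attr):
                raise ValueError(f"bad attribute type {attr!r}")
            if not value:
                raise ValueError(f"empty value for {attr!r}")
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("cn=ben,ou=example,dc=example,dc=com", "cn=ben+uid=12345,ou=people",
                   "cn=ben,ou=example;", "cn=Smith\\, John,ou=people", ""):
        print(f"{sample!r}: valid={is_valid_dn(sample)} -> {parse_dn(sample) if is_valid_dn(sample) else None}")
```

Parsing a DN this way, rather than splitting on every comma, matters for access decisions: an unescaped-comma split would turn `cn=Smith\, John` into two RDNs and could match the wrong entry when a DN is compared against an ACL.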
  36. B. The process of a subject claiming or professing an identity is known as identification. Authentication verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authentication, and token presentation is a type of authentication.
  37. D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus none are recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.
  38. B. Password complexity is driven by length, and a longer password will be more effective against brute force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute force attacks.
  39. A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers are common terms used for biometric systems.
  40. A. Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.
  41. B. The complexity of brute forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute force on average.
  42. B. Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.
  43. C. TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide authentication.
  44. B. Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, host files don’t help with availability issues with services other than DNS.
  45. A. While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally only works for locally hosted sites, and using a third-party service requires offsite redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.
  46. B. Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.
  47. C. While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.
  48. C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.
  49. C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.
  50. B. Google’s federation with other applications and organizations allows single-sign on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single-sign on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.
  51. D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term, and thus is not an issue here.
  52. B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.
  53. A. Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.
  54. D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.
  55. B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.
  56. C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.
  57. A. By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.
  58. C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.
  59. B. Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that pass through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.
  60. C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.
  61. C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).
  62. D. Kerberos is an authentication protocol that uses tickets, and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.
  63. D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization’s own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.
  64. A. When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server and the SS is a service server, neither of which can be sent.
  65. C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
  66. D. Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.
  67. C. When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider’s servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.
  68. B. The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.
  69. A. Knowledge-based authentication relies on preset questions like “What is your pet’s name?” and their answers. It can be susceptible to attacks due to the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows, which can be used to create questions they can answer on an as-needed basis (for example, a previous address or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge based.
  70. C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.
  71. C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.
  72. C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.
  73. B. OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.
  74. B. Since physical access to the workstations is part of the problem, setting application time-outs and password-protected screensavers with relatively short inactivity time-outs can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.
  75. C. Firewalls, routers, and passwords are all examples of technical access controls and are software or hardware systems used to manage and protect access. RAID-5 is an example of a recovery control. If you’re questioning why routers are a technical access control, remember that router access control lists (ACLs) are quite often used to control network access or traffic flows.
  76. A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.
  77. C. The US government’s Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.
  78. C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.
  79. C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret. Despite the fact that it is unclassified, Unclassified data remains a different label, and Jim may not be authorized to access it.
  80. B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.
  81. C. A Type 3 authentication factor is “something you are,” like a biometric identifier. A Type 1 authentication factor is “something you know.” A Type 2 factor is “something you have,” like a smart card or hardware token. There is not a Type 4 authentication factor.
  82. B. Policy is a subset of the administrative layer of access controls. Administrative, technical, and physical access controls all play an important role in security.
  83. C. Google Authenticator’s constantly changing codes are part of a synchronous token that uses a time-based algorithm to generate codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
  84. A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.
  85. C. The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.
  86. A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.
  87. B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.
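The FAR/FRR trade-off and the crossover error rate discussed in answers 40 and 85 through 87, worked through in code. This is an added example, not material from the book; the match scores for "device A" and "device B" are constructed for illustration and do not come from any real biometric product.

```python
"""Added example: FAR, FRR and the crossover error rate (CER) of a biometric matcher."""
from typing import Dict, List, Tuple

# Constructed match scores (0-100, higher means a closer match). These are invented
# for illustration, not output from any real biometric device.
DEVICE_A = {
    "genuine": [59, 64, 67, 71, 75, 78, 80, 81, 82, 84, 86, 87, 88, 89, 90, 91, 92, 93, 95, 97],
    "impostor": [22, 26, 29, 30, 33, 35, 37, 38, 41, 42, 44, 47, 49, 52, 55, 58, 61, 63, 66, 70],
}
# A second constructed device whose genuine and impostor scores overlap far more.
DEVICE_B = {
    "genuine": [45, 50, 55, 58, 60, 62, 65, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92],
    "impostor": [20, 25, 30, 35, 40, 45, 48, 52, 56, 60, 63, 66, 69, 72, 75, 78, 81, 84, 87, 90],
}


def error_rates(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """FAR: share of impostor attempts accepted (score >= threshold).
    FRR: share of genuine attempts rejected (score < threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, CER) where FAR and FRR are closest.
    The CER is the single figure used to compare devices against each other."""
    best = None  # (gap between FAR and FRR, threshold, cer)
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def threshold_for_far_at_most(max_far: float, genuine: List[int],
                              impostor: List[int]) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with the FAR and FRR it yields.
    Forcing FAR toward zero (the strict policy in answer 40) shows the FRR it costs."""
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def lowest_cer_device(devices: Dict[str, Dict[str, List[int]]]) -> str:
    """Name of the device with the lowest CER, i.e. the most accurate one overall."""
    return min(
        devices,
        key=lambda name: crossover_error_rate(devices[name]["genuine"], devices[name]["impostor"])[1],
    )


if __name__ == "__main__":
    for name, scores in (("A", DEVICE_A), ("B", DEVICE_B)):
        t, cer = crossover_error_rate(scores["genuine"], scores["impostor"])
        print(f"device {name}: CER {cer:.2f} at threshold {t}")
    t, far, frr = threshold_for_far_at_most(0.0, DEVICE_A["genuine"], DEVICE_A["impostor"])
    print(f"device A with FAR forced to zero: threshold {t}, FRR {frr:.2f}")
    print("device with the lowest CER:", lowest_cer_device({"A": DEVICE_A, "B": DEVICE_B}))
```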
  88. B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.
  89. C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
  90. B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.
  91. A. IDaaS, or Identity as a Service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but it can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.
  92. B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.
  93. D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.
  94. D. Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality. RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.
  95. A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.
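A small distinguished-name parser, added here to make the DN rules in answers 35 and 95 concrete; it is an added example, not code from the book. It follows the RFC 4514 string form: comma-separated RDNs ordered most specific to broadest, plus-sign multi-valued RDNs, backslash escapes, and rejection of unescaped special characters such as the trailing semicolon in cn=ben,ou=example;.

```python
"""Added example: parse and validate LDAP distinguished names (RFC 4514 string form)."""
import re
from typing import List, Tuple

# One RDN is a list of (attribute, value) pairs; a multi-valued RDN has more than one.
RDN = List[Tuple[str, str]]

ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")  # descriptor or dotted OID
MUST_ESCAPE = set('",+;<>\\')  # characters that must be backslash-escaped inside a value


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, but keep backslash-escaped separators inside a component."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    parts.append("".join(buf))
    return parts


def _check_value(value: str) -> None:
    """Reject empty values and special characters that were not escaped."""
    if value == "":
        raise ValueError("empty attribute value")
    escaped = last_escaped = False
    for ch in value:
        last_escaped = escaped
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in MUST_ESCAPE:
            raise ValueError(f"unescaped special character {ch!r} in value {value!r}")
    # A leading space or '#', and a trailing space, must be escaped as well.
    if value[0] in " #" or (value[-1] == " " and not last_escaped):
        raise ValueError(f"value {value!r} has an unescaped leading/trailing character")


def parse_dn(dn: str) -> List[RDN]:
    """Return the DN's RDNs in string order (most specific first); raise on malformed input."""
    if dn == "":
        return []  # the empty DN names the directory root
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            if "=" not in ava_text:
                raise ValueError(f"RDN component {ava_text!r} is not attribute=value")
            attr, value = ava_text.split("=", 1)
            attr = attr.strip()
            if not ATTR_TYPE.fullmatch(attr):
                raise ValueError(f"bad attribute type {attr!r}")
            _check_value(value)
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True if dn parses cleanly under the rules above."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def parent_dn(dn: str) -> str:
    """Drop the leftmost (most specific) RDN, giving the entry's parent in the tree."""
    rdns = parse_dn(dn)
    if not rdns:
        raise ValueError("the root DN has no parent")
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns[1:])


if __name__ == "__main__":
    for candidate in ("uid=ben,ou=sales,dc=example,dc=com", "cn=ben,ou=example;",
                      "cn=ben+mail=ben@example.com,dc=example"):
        print(f"{candidate!r}: valid={is_valid_dn(candidate)}")
    print("parent of uid=ben,ou=sales,dc=example,dc=com:",
          parent_dn("uid=ben,ou=sales,dc=example,dc=com"))
```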
  96. D. Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than 5 minutes out of sync, otherwise valid TGTs will be invalid and the system won’t receive any new tickets.
  97. A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.
  98. B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don’t control the actions of subjects.
  99. B. Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.
  100. C. The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389, and unsecure global directory services use 3268.

Chapter 6: Security Assessment and Testing (Domain 6)

  1. B. TCP and UDP ports 137-139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services.
  2. D. Mutation testing modifies a program in small ways, and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
  3. B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.
  4. A. Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made-up terms.
  5. C. Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code, and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.
  6. B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.
  7. B. An IPS is an example of a mechanism like a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system that involves people, and an individual is one or more people applying specifications, mechanisms, or activities.
  8. C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.
  9. A. A vulnerability scanner that has a test (sometimes called a signature or plugin) that provides a detection method for CVE-2014-0160, also known as the Heartbleed bug, a vulnerability in OpenSSL, will detect and report on the issue on any system it can connect to. Port scanners do not determine whether services are vulnerable, and Heartbleed was not a vulnerability in the Apache web server—but even without knowing this, the CVE number is a better indicator of whether the issue will be found than a generic detect for a service.
  10. C. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type 1 report only covers a point in time, so Susan needs an SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.
  11. B. WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lock-out. WPA2 encryption will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.
  12. C. SOC 3 reports are intended to be shared with a broad community, often with a website seal, and support the organization’s claims about their ability to provide integrity, availability, and confidentiality. SOC 1 reports report on controls over financial reporting, whereas SOC 2 reports cover security, availability, integrity, and privacy for business partners, regulators, and other similar organizations in detail that would not typically be provided to a broad audience.
  13. C. Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.
  14. B. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests, neighbors, or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.
  15. C. Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametric nor derivative is a term used to describe types of fuzzers.
  16. B. Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
  17. D. The IP addresses that his clients have provided are RFC 1918 non-routable IP addresses, and Jim will not be able to scan them from offsite. To succeed in his penetration test, he will either have to first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.
  18. B. Karen can’t use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.
  19. B. Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won’t catch changes made between audits, and local policies can drift due to local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won’t ensure consistent logging of events.
  20. B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.
  21. B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SNAP is an industry term.
  22. A. When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used. TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets. A UDP scan will miss most services that are provided via TCP, and an ICMP scan is merely a ping sweep of systems that respond to pings and won’t identify services at all.
  23. B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.
  24. D. Black box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray box test provides some information, whereas a white or crystal box test provides significant or full detail.
  25. A. A test coverage analysis is often used to provide insight into how well testing covered the set of use cases that an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.
  26. C. Testing how a system could be misused, or misuse testing, focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application. Use case testing is used to verify whether a desired functionality works. Dynamic testing is used to determine how code handles variables that change over time, whereas manual testing is just what it implies: testing code by hand.
  27. B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors. Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.
  28. C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.
  29. C. Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerabilities and Exposures information, that is, vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch levels and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.
  30. B. Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.
  31. B. Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface. The other answers are all made up—synthetic monitoring uses simulated behavior, but synthetic user monitoring is not a testing method. Similarly, passive monitoring monitors actual traffic, but passive user recording is not an industry term or technique. Client/server testing merely describes one possible architecture.
  32. B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information, and may flag patched versions if the software provider does not update the information they see. Uninstalling and reinstalling the patch will not change this. Changing the version information may not change all of the details that are being flagged by the scanner, and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.
  33. B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying network and file input to applications. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.
  34. C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.
  35. A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
    Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.
  36. D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth-enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.
  37. D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see if a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.
  38. D. Nmap, Nessus, and Nikto all have OS fingerprinting or other operating system identification capabilities. sqlmap is designed to perform automated detection and testing of SQL injection flaws, and does not provide OS detection.
  39. C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.
  40. C. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic, and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.
  41. B. Getting authorization is the most critical element in the planning phase. Permission, and the “get out of jail free card” that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.
  42. C. Discovery can include both active and passive discovery. Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase, and john, a password cracker, can be used to recover passwords during the exploitation phase.
  43. B. Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical. Problems with off-limits targets are more likely to result in issues during the vulnerability assessment and exploitation phase, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.
  44. B. Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.
  45. B. Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.
  46. D. Unique user IDs provide accountability when paired with auditable logs to prove that a specific user took any given action. Confidentiality, availability, and integrity can be provided through other means like encryption, systems design, and digital signatures.
  47. B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.
  48. C. The Security Content Automation Protocol (SCAP) is a community-sourced specification for security flaw and security configuration information and is defined in NIST SP 800-126. SVML, VSCAP, and VML are not information security–related terms.
  49. B. Security vulnerabilities can be created by misconfiguration, logical or functional design or implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.
  50. C. Simply updating the version that an application provides may stop the vulnerability scanner from flagging it, but it won’t fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.
  51. C. Saria’s social-engineering attack succeeded in persuading a staff member at the help desk to change a password for someone whom they not only couldn’t see but also couldn’t verify actually needed their password reset. Black box and zero knowledge are both terms describing penetration tests without information about the organization or system, and help desk spoofing is not an industry term.
  52. D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine if needed information may not be logged.
  53. C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.
  54. B. NIST SP 800-53A is titled “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” and covers methods for assessing and measuring controls.
    NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the “Guide to Integrating Forensic Techniques into Incident Response.”
  55. C. TCP SYN scans only open a connection halfway; they do not complete the TCP connection with an ACK, thus leaving the connection open. TCP Connect scans complete the connection, whereas TCP ACK scans attempt to appear like an open connection. Xmas, or Christmas tree, scans set the FIN, PSH, and URG flags, thereby “lighting up” the TCP packet.
  56. C. SOC 1 reports are prepared according to the Statement on Standards for Attestation Engagements, or SSAE number 16 (typically shortened to SSAE-16). A SOC 1 Type I report validates policies and procedures at a point in time, whereas SOC 1 Type II reports cover a period of time of at least six months. SOC 1 reports replaced SAS 70 reports in 2011, meaning that a current report should be an SSAE-16 SOC 1 report.
  57. B. Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built-in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose-built buffer overflow testing tool, and of course testing systems for zero-day exploits doesn’t work unless they have been released.
  58. C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.
  59. C. ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management, and is not typically used for auditing. COBIT, or the Control Objectives for Information and Related Technology, ISO 27002, and SSAE-16, or the Statement on Standards for Attestation Engagements number 16, are all used for auditing.
  60. A. NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report describes an incident response plan, and the others do not match the NIST process.
  61. B. Lauren’s team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.
  62. C. Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections, and software walkthroughs are all human-centric methods for reviewing code.
  63. A. In order to fully test code, a white box test is required. Without full visibility of the code, error conditions or other code could be missed, making a gray box or black box test an inappropriate solution. Using dynamic testing that runs against live code could also result in some conditions being missed due to sections of code not being exposed to typical usage.
  64. A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.
  65. C. The changes from a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions. Bounds checking, input validation, and pointer manipulation are all related to coding issues rather than environmental issues and are more likely to be discoverable in a test environment.
  66. D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.
  67. B. Fagan testing is a detailed code review that steps through planning, overview, preparation, inspection, rework, and follow-up phases. Dynamic tests test the code in a real runtime environment, whereas fuzzing is a type of dynamic testing that feeds invalid inputs to software to test its exception-handling capabilities. Roth-Parker reviews were made up for this question.
  68. D. The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users’ unique requirements. NVD is the National Vulnerability Database, CSV is short for Comma-Separated Values, and VSS is a made-up term.
  69. D. Network-enabled printers often provide services via TCP 515 and 9100, and have both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not typically provide service on the LPR and LPD ports (515 and 9100).
  70. A. Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper capabilities than vulnerability scanners.
  71. B. Nmap reports one of three statuses: Open, which means that the port is open and that an application responds; Closed, which means that the port is accessible but there is no application response; and Filtered, which means that a firewall is not allowing nmap to determine if the port is open or closed.
  72. C. User session monitoring is not a means of conducting synthetic performance monitoring. Synthetic performance monitoring uses scripted or recorded data, not actual user sessions. Traffic capture, database performance monitoring, and website performance monitoring can all be used during synthetic performance monitoring efforts.
  73. D. Susan is conducting interface testing. Interface testing involves testing system or application components to ensure that they work properly together. Misuse case testing focuses on how an attacker might misuse the application and would not test normal cases. Fuzzing attempts to send unexpected input and might be involved in interface testing, but it won’t cover the full set of concerns. Regression testing is conducted when testing changes and is used to ensure that the application or system functions as it did before the update or change.
  74. B. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can’t capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze the data.
  75. C. Jim should ask for a code coverage report, which provides information on the functions, statements, branches, and conditions or other elements that were covered in the testing. Use cases are used as part of a test coverage calculation that divides the tested use cases by the total use cases, but use cases may not cover all possible functions or branches. A code review report would be generated if the organization was manually reviewing the application’s source code.
  76. C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.
  77. C. Inconsistent timestamps are a common problem, often caused by improperly set time zones or due to differences in how system clocks are set. In this case, a consistent time difference often indicates that one system uses local time, and the other is using Greenwich Mean Time (GMT). Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats can create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.
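The consistent time difference described in answer 77 (and the time-sequencing problem NTP solves in answer 21), as an added example that is not the book's own code: the script pairs records from two constructed log sources by session id, checks whether their timestamps disagree by one constant offset that is a whole multiple of 15 minutes (a zone misconfiguration rather than drift), and rewrites the zone-less source into UTC, the GMT of the answer. The log formats, field names and session ids are assumptions made for the demonstration.

```python
"""Detecting a consistent clock offset between two log sources and
normalizing both to UTC (added example, not from the book). The lines
below are constructed: a firewall that logs in UTC with an explicit 'Z'
and a web server that logs naive local time with no zone marker. Records
for the same session id should line up once both are expressed in UTC."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

FIREWALL_LOG = [  # constructed sample; UTC with explicit zone marker
    "2024-03-01T14:02:10Z ALLOW src=198.51.100.7 dst=10.0.0.5:443 session=a1",
    "2024-03-01T14:05:33Z ALLOW src=198.51.100.9 dst=10.0.0.5:443 session=b2",
    "2024-03-01T14:09:01Z ALLOW src=198.51.100.7 dst=10.0.0.5:443 session=c3",
]
WEB_LOG = [  # constructed sample; local time, no zone marker
    "2024-03-01 09:02:11 GET /login 200 session=a1",
    "2024-03-01 09:05:34 GET /login 200 session=b2",
    "2024-03-01 09:09:02 GET /login 302 session=c3",
]
SESSION = re.compile(r"session=(\w+)")


def parse_firewall(line):
    """Firewall timestamps carry a 'Z', so they are unambiguous UTC."""
    ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def parse_web(line):
    """Web server timestamps have no zone: return a naive datetime."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def session_of(line):
    match = SESSION.search(line)
    return match.group(1) if match else None


def estimate_offset(firewall_lines, web_lines):
    """Pair records by session id and compute (web - firewall) for each
    pair. Returns the common offset as a timedelta when every pair agrees
    to the minute, or None when the deltas disagree (then it is not a
    simple zone error and the logs need closer inspection)."""
    utc_by_session = {session_of(l): parse_firewall(l) for l in firewall_lines}
    deltas = []
    for line in web_lines:
        sid = session_of(line)
        if sid in utc_by_session:
            web_as_if_utc = parse_web(line).replace(tzinfo=timezone.utc)
            deltas.append(web_as_if_utc - utc_by_session[sid])
    if not deltas:
        return None
    # Round to whole minutes: a second or two of real latency between the
    # firewall and web events must not hide the much larger zone error.
    votes = Counter(round(d.total_seconds() / 60) for d in deltas)
    minutes, count = votes.most_common(1)[0]
    return timedelta(minutes=minutes) if count == len(deltas) else None


def looks_like_zone_error(offset):
    """Zone offsets are exact multiples of 15 minutes; clock drift is not."""
    seconds = abs(offset.total_seconds())
    return seconds > 0 and seconds % 900 == 0


def web_to_utc(line, offset):
    """local = utc + offset, so utc = local - offset."""
    return (parse_web(line) - offset).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    offset = estimate_offset(FIREWALL_LOG, WEB_LOG)
    verdict = "zone error" if looks_like_zone_error(offset) else "not a zone error"
    print("web server clock is", offset, "relative to UTC:", verdict)
    for line in WEB_LOG:
        print(web_to_utc(line, offset).isoformat(), line[20:])
```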
  78. A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.
    Microsoft’s STRIDE threat assessment model places threats into one of six categories:
    • Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications
    • Tampering—threats that involve the malicious modification of data
    • Repudiation—threats that cause actions to occur that cannot be denied by a user
    • Information disclosure—threats that involve exposure of data to unauthorized individuals
    • Denial of service—threats that deny service to legitimate users
    • Elevation of privilege—threats that provide higher privileges to unauthorized users
  79. B. Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won’t prevent it, and data type, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.
  80. D. Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.
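The repudiation problem in answer 80, as an added example that is not the book's own code: with one HMAC key shared by every server, a valid tag matches all of them, so the verifier cannot say which server sent the transaction; with per-server keys the tag narrows to one server. Server names, keys and the transaction text are constructed for the demonstration.

```python
"""Why a shared symmetric key creates a repudiation gap (added example,
not from the book). Several application servers authenticate their
transactions with an HMAC. With one key shared by all of them, any
server could have produced a valid tag, so a tag cannot attribute a
transaction to a particular server. Per-server keys let the verifier
attribute a tag, but anyone holding those keys, including the verifier,
could still forge one; only a digital signature made with a private key
held by a single server closes that gap. Keys and the transaction text
below are constructed for the demonstration."""
import hashlib
import hmac

SERVERS = ("app-1", "app-2", "app-3")
TRANSACTION = b"transfer id=42 from=acct-17 to=acct-88 amount=1500.00"

# Constructed keys; real deployments draw these from a key management system.
SHARED_KEY = b"constructed-shared-key-for-all-servers"
SHARED_KEYS = {name: SHARED_KEY for name in SERVERS}
PER_SERVER_KEYS = {
    name: hashlib.sha256(b"constructed-key-" + name.encode()).digest()
    for name in SERVERS
}


def make_tag(key: bytes, transaction: bytes) -> str:
    """HMAC-SHA256 tag a server attaches to a transaction."""
    return hmac.new(key, transaction, hashlib.sha256).hexdigest()


def attribute(transaction: bytes, tag_hex: str, keys_by_server: dict) -> list:
    """Return every server whose key validates the tag. One name means the
    tag is attributable; several mean any of them could have sent it; none
    means the transaction or the tag was altered in transit."""
    return [
        name
        for name, key in keys_by_server.items()
        if hmac.compare_digest(make_tag(key, transaction), tag_hex)
    ]


def demo():
    """app-2 tags the same transaction under both key arrangements."""
    shared_tag = make_tag(SHARED_KEYS["app-2"], TRANSACTION)
    own_tag = make_tag(PER_SERVER_KEYS["app-2"], TRANSACTION)
    return (
        attribute(TRANSACTION, shared_tag, SHARED_KEYS),
        attribute(TRANSACTION, own_tag, PER_SERVER_KEYS),
    )


if __name__ == "__main__":
    shared, own = demo()
    print("shared key, candidate senders:", shared)    # every server
    print("per-server key, candidate senders:", own)   # exactly one server
```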
  81. C. Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.
  82. A. NIST SP 800-137 is titled “Information Security Continuous Monitoring (ISCM) for Federal Systems and Organizations” and describes the process of building and maintaining an ISCM. NIST SP 800-145 defines cloud computing, whereas NIST SP 800-53A covers assessing security and privacy controls for federal systems and organizations. NIST SP 800-50 focuses on information security awareness programs.
  83. B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors, but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.
  84. C. Security audits are security assessments performed by third parties and are intended to evaluate the effectiveness of security controls. Security assessments are conducted by internal staff, and security tests are used to verify that a control is functioning effectively. Penetration tests can be conducted by internal or external staff and test systems by using actual exploitation techniques.
  85. C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will perform many of the same activities that connecting via a web server will, and will typically be more useful than trying to manually test for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.
  86. B. The system is likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices. This system is also very poorly secured; many of the services running on it should not be exposed in a modern secure network.
  87. D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won’t cover more ports but would have provided a best guess of the OS running on the scanned system.
  88. C. Static analysis is the process of reviewing code without running it. It relies on techniques like data flow analysis to review what the code does if it was run with a given set of inputs. Black and gray box analyses are not types of code review, although black box and gray box both describe types of penetration testing. Fuzzing provides unexpected or invalid data inputs to test how software responds.
  89. C. A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but won’t take the intent of the programmers into account.
  90. C. Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don’t use specialized languages like threatens and mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.
  91. C. The most important first step for a penetration test is getting permission. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.
  92. D. SSAE-16 is based on ISAE 3402, the International Standard on Assurance Engagements. It differs in a number of ways, including how it handles purposeful acts by service organization personnel as well as anomalies, but the two share many elements. SAS-70 has been replaced by SSAE-16, whereas ISO27001 is a formal specification for an information security management system (ISMS). SOX is the Sarbanes–Oxley Act, a U.S. law that impacts accounting and investor protection.
  93. C. A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to “light up like a Christmas tree” with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.
  94. D. Nmap is a very popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network, and its name stands for Network Mapper, it is not a network design tool.
  95. C. Vulnerability scanners cannot detect vulnerabilities for which they do not have a test, plug-in, or signature. Signatures often include version numbers, service fingerprints, or configuration data. They can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course, they can detect service vulnerabilities.
  96. C. The Common Vulnerabilities and Exposures (CVE) dictionary provides a central repository of security vulnerabilities and issues. Patching information for applications and software versions are sometimes managed using central patch management tools, but a single central database is not available for free or public use. Costs versus effort is also not what CVE stands for.
  97. D. In many cases when an exploit is initially reported, there are no prebuilt signatures or detections for vulnerability scanners, and the CVE database may not have information about the attack immediately. Jacob’s best option is to quickly gather information and review potentially vulnerable servers based on their current configuration. As more information becomes available, signatures and CVE information are likely to be published. Unfortunately for Jacob, IDS and IPS signatures will only detect attacks, and won’t detect whether systems are vulnerable unless he sees the systems being exploited.
  98. D. Privilege escalation occurs during the attack phase of a penetration test. Host and service information gathering, as well as activities like dumpster diving that can provide information about the organization, its systems, and security, are all part of the discovery phase.
  99. B. Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.
  100. B. Penetration testing reports often do not include the specific data captured during the assessment, as the readers of the report may not be authorized to access all of the data, and exposure of the report could result in additional problems for the organization. A listing of the issues discovered, risk ratings, and remediation guidance are all common parts of a penetration test report.

Chapter 7: Security Operations (Domain 7)

  1. A. The illustration shows an example of a failover cluster, where DB1 and DB2 are both configured as database servers. At any given time, only one will function as the active database server, while the other remains ready to assume responsibility if the first one fails. While the environment may use UPS, tape backup, and cold sites as disaster recovery and business continuity controls, they are not shown in the diagram.
  2. D. The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read-only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
  3. C. While most organizations would want to log attempts to log in to a workstation, this is not considered a privileged administrative activity and would go through normal logging processes.
  4. C. Regulatory investigations attempt to uncover whether an individual or organization has violated administrative law. These investigations are almost always conducted by government agents.
  5. D. Real evidence consists of things that may actually be brought into a courtroom as evidence. For example, real evidence includes hard disks, weapons, and items containing fingerprints. Documentary evidence consists of written items that may or may not be in tangible form. Testimonial evidence is verbal testimony given by witnesses with relevant information. The parol evidence rule says that when an agreement is put into written form, the written document is assumed to contain all the terms of the agreement.
  6. A. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.
  7. B. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A warning banner is a legal tool used to notify intruders that they are not authorized to access a system.
  8. B. Social media is commonly used as a command-and-control system for botnet activity. The most likely scenario here is that Toni’s computer was infected with malware and joined to a botnet. This accounts for both the unusual social media traffic and the slow system activity.
  9. D. Software-defined networking separates the control plane from the data plane. Network devices then do not contain complex logic themselves but receive instructions from the SDN.
  10. A. Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. Authentication logs and RFC logs would not have records of any network traffic.
  11. B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.
  12. A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.
  13. B. Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user’s credentials, such as a password or biometric scan.
  14. D. Gary should follow the principle of two-person control by requiring simultaneous action by two separate authorized individuals to gain access to the encryption keys. He should also apply the principles of least privilege and defense in depth, but these principles apply to all operations and are not specific to sensitive operations. Gary should avoid the security through obscurity principle, the reliance upon the secrecy of security mechanisms to provide security for a system or process.
  15. D. Privileged access reviews are one of the most critical components of an organization’s security program because they ensure that only authorized users have access to perform the most sensitive operations. They should take place whenever a user with privileged access leaves the organization or changes roles as well as on a regular, recurring basis.
  16. D. Hotfixes, updates, and security fixes are all synonyms for single patches designed to correct a single problem. Service packs are collections of many different updates that serve as a major update to an operating system or application.
  17. C. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.
  18. A. Lydia is following the need to know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.
  19. D. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker.
  20. C. Job rotation and mandatory vacations deter fraud by increasing the likelihood that it will be detected. Two-person control deters fraud by requiring collusion between two employees. Incident response does not normally serve as a deterrent mechanism.
  21. D. The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.
  22. A. The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.
  23. D. In a Software as a Service solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.
  24. D. The Common Vulnerabilities and Exposures (CVE) dictionary contains standardized information on many different security issues. The Open Web Application Security Project (OWASP) contains general guidance on web application security issues but does not track specific vulnerabilities or go beyond web applications. The Bugtraq mailing list and Microsoft Security Bulletins are good sources of vulnerability information but are not comprehensive databases of known issues.
  25. D. A disaster is any event that can disrupt normal IT operations and can be either natural or manmade. Hacking and terrorism are examples of manmade disasters, while flooding and fire are examples of natural disasters.
  26. D. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
  27. B. The Grandfather/Father/Son, Tower of Hanoi, and Six Cartridge Weekly schemes are all different approaches to rotating backup media that balance reuse of media with data retention concerns. Meet-in-the-middle is a cryptographic attack against 2DES encryption.
  28. B. In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control.
  29. C. Evidence provided in court must be relevant to determining a fact in question, material to the case at hand, and competently obtained. Evidence does not need to be tangible. Witness testimony is an example of intangible evidence that may be offered in court.
  30. A. In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the shared tenancy model.
  31. D. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.
  32. C. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. The differential backup on Wednesday will then copy all files modified since the last full backup. These include files 1, 2, 3, 5, and 6: a total of five files.
  33. C. Intrusion detection systems (IDSs) provide only passive responses, such as alerting administrators to a suspected attack. Intrusion prevention systems and firewalls, on the other hand, may take action to block an attack attempt. Antivirus software also may engage in active response by quarantining suspect files.
  34. D. The hypervisor runs within the virtualization platform and serves as the moderator between virtual resources and physical resources.
  35. D. Entitlement refers to the privileges granted to users when an account is first provisioned.
  36. A. The service-level agreement (SLA) is between a service provider and a customer and documents in a formal manner expectations around availability, performance, and other parameters. An MOU may cover the same items but is not as formal a document. An OLA is between internal service organizations and does not involve customers. An SOW is an addendum to a contract describing work to be performed.
  37. A. The IT Infrastructure Library (ITIL) framework focuses on IT service management. The Project Management Body of Knowledge (PMBOK) provides a common core of project management expertise. The Payment Card Industry Data Security Standard (PCI DSS) contains regulations for credit card security. The Open Group Architecture Framework (TOGAF) focuses on IT architecture issues.
  38. D. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.
  39. A. Steganography is a technique used to hide information in an otherwise innocuous-seeming file. The suspect may have used this technique to embed hidden information in the image file. Watermarking also manipulates images but does so in an attempt to protect intellectual property. Clipping and sampling are techniques used to reduce a large set of data to a small quantity that may be used for analysis.
  40. D. A transformer failure is a failure of a manmade electrical component. Flooding, mudslides, and hurricanes are all examples of natural disasters.
  41. C. The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.
  42. B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.
  43. D. There is no need to conduct forensic imaging as a preventative measure. Rather, forensic imaging should be used during the incident response process. Maintaining patch levels, implementing intrusion detection/prevention, and removing unnecessary services and accounts are all basic preventative measures.
  44. B. The scrutiny of hard drives for forensic purposes is an example of media analysis. Embedded device analysis looks at the computers included in other large systems, such as automobiles or security systems. Software analysis analyzes applications and their logs. Network analysis looks at network traffic and logs.
  45. C. Security incidents negatively affect the confidentiality, integrity, or availability of information or assets and/or violate a security policy. The unauthorized vulnerability scan of a server does violate security policy and may negatively affect the security of that system, so it qualifies as a security incident. The completion of a backup schedule, logging of system access, and update of antivirus signatures are all routine actions that do not violate policy or jeopardize security, so they are all events rather than incidents.
  46. C. Radio Frequency Identification (RFID) technology is a cost-effective way to track items around a facility. While Wi-Fi could be used for the same purpose, it would be much more expensive to implement.
  47. C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.
  48. A. In a SYN flood attack, the attacker sends a large number of SYN packets to a system but does not respond to the SYN/ACK packets, attempting to overwhelm the attacked system’s connection state table with half-open connections.
  49. B. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.
  50. C. Zero-day attacks are those that are previously unknown to the security community and, therefore, have no available patch. These are especially dangerous attacks because they may be highly effective until a solution becomes available.
  51. B. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
  52. A. Interviews occur when investigators meet with an individual who may have information relevant to their investigation but is not a suspect. If the individual is a suspect, then the meeting is an interrogation.
  53. B. Beth should choose a cold site. This type of facility meets her requirements for environmental controls and power but does not have the equipment or data found in a warm site, hot site, or service bureau. However, it does have the lowest cost of the four options.
  54. D. The image clearly contains the watermark of the US Geological Survey (USGS), which ensures that anyone seeing the image knows its origin. It is not possible to tell from looking at the image whether steganography was used. Sampling and clipping are data analysis techniques and are not used to protect images.
  55. D. The annualized rate of occurrence (ARO) is the expected number of times an incident will occur each year. In the case of a 200-year flood plain, planners should expect a flood once every 200 years. This is equivalent to a 1/200 chance of a flood in any given year, or 0.005 floods per year.
  56. B. While all hackers with malicious intent pose a risk to the organization, the malicious insider poses the greatest risk to security because they likely have legitimate access to sensitive systems that may be used as a launching point for an attack. Other attackers do not begin with this advantage.
  57. C. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
  58. B. Hilda’s design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change; those actions should be divided between two users.
  59. D. An audit kickoff meeting should clearly describe the scope and purpose of the audit as well as the expected timeframe. Auditors should never approach an audit with any expectations about what they will discover because the findings should only be developed based upon the results of audit examinations.
  60. C. The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All of the other actions listed may take place during the disaster recovery process but the process is not complete until the organization is once again functioning normally in its primary facilities.
  61. C. A host-based intrusion detection system (HIDS) may be able to detect unauthorized processes running on a system. The other controls mentioned, network intrusion detection systems (NIDSs), firewalls, and DLP systems, are network-based and may not notice rogue processes.
  62. B. The scenario describes a privilege escalation attack where a malicious insider with authorized access to a system misused that access to gain privileged credentials.
  63. B. Carla’s account has experienced aggregation, where privileges accumulated over time. This condition is also known as privilege creep and likely constitutes a violation of the least privilege principle.
  64. C. The Mitigation phase of incident response focuses on actions that can contain the damage incurred during an incident. This includes limiting the scope and/or effectiveness of the incident.
  65. C. At this point in the process, Ann has no reason to believe that any actual security compromise or policy violation took place, so this situation does not meet the criteria for a security incident or intrusion. Rather, the alert generated by the intrusion detection system is simply a security event requiring further investigation. Security occurrence is not a term commonly used in incident handling.
  66. A. DNS traffic commonly uses port 53 for both TCP and UDP communications. SSH and SCP use TCP port 22. SSL and TLS do not have ports assigned to them but are commonly used for HTTPS traffic on port 443. Unencrypted web traffic over HTTP often uses port 80.
  67. D. The attack described in this scenario has all of the hallmarks of a denial of service attack. More specifically, Ann’s organization is likely experiencing a DNS amplification attack where an attacker sends false requests to third-party DNS servers with a forged source IP address belonging to the targeted system. Because the attack uses UDP requests, there is no three-way handshake. The attack packets are carefully crafted to elicit a lengthy response from a short query. The purpose of these queries is to generate responses headed to the target system that are sufficiently large and numerous enough to overwhelm the targeted network or system.
  68. B. Now that Ann suspects an attack against her organization, she has sufficient evidence to declare a security incident. The attack underway seems to have undermined the availability of her network, meeting one of the criteria for a security incident. This is an escalation beyond a security event but does not reach the level of an intrusion because there is no evidence that the attacker has even attempted to gain access to systems on Ann’s network. Security occurrence is not a term commonly used in incident handling.
  69. D. To be admissible, evidence must be relevant, material, and competent. The laptop in this case is clearly material because it contains logs related to the crime in question. It is also relevant because it provides evidence that ties the hacker to the crime. It is not competent because the evidence was not legally obtained.
  70. C. Gordon may conduct his investigation as he wishes and use any information that is legally available to him, including information and systems belonging to his employer. There is no obligation to contact law enforcement. However, Gordon may not perform “hack back” activities because those may constitute violations of the law and/or the (ISC)2 Code of Ethics.
  71. B. Software escrow agreements place a copy of the source code for a software package in the hands of an independent third party who will turn the code over to the customer if the vendor ceases business operations. Service-level agreements, mutual assistance agreements, and compliance agreements all lose some or all of their effectiveness if the vendor goes out of business.
  72. C. Most security professionals recommend at least one, and preferably two, weeks of vacation to deter fraud. The idea is that fraudulent schemes will be uncovered during the time that the employee is away and does not have the access required to perpetuate a cover-up.
  73. D. Any attempt to undermine the security of an organization or violation of a security policy is a security incident. Each of the events described meets this definition and should be treated as an incident.
  74. D. Egress filtering scans outbound traffic for potential security policy violations. This includes traffic with a private IP address as the destination, traffic with a broadcast address as the destination, and traffic that has a falsified source address not belonging to the organization.
  75. C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.
  76. B. Netflow data contains information on the source, destination, and size of all network communications and is routinely saved as a matter of normal activity. Packet capture data would provide relevant information, but it must be captured during the suspicious activity and cannot be re-created after the fact unless the organization is already conducting 100 percent packet capture, which is very rare. Additionally, the use of encryption limits the effectiveness of packet capture. Intrusion detection system logs would not likely contain relevant information because the encrypted traffic would probably not match intrusion signatures. Centralized authentication records would not contain information about network traffic.
  77. C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization’s security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.
  78. B. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
  79. C. Both the receipt of alerts and the verification of their accuracy occur during the Detection phase of the incident response process.
  80. A. Virtual machines run full guest operating systems on top of a host platform known as the hypervisor.
  81. B. RAID level 1 is also known as disk mirroring. RAID-0 is called disk striping. RAID-5 is called disk striping with parity. RAID-10 is known as a stripe of mirrors.
  82. C. SSH uses TCP port 22, so this attack is likely an attempt to scan for open or weakly secured SSH servers. FTP uses ports 20 and 21. Telnet uses port 23, and HTTP uses port 80.
  83. C. The ping of death attack placed more data than allowed by the specification in the payload of an ICMP echo request packet. This is similar to the modern-day buffer overflow attack, where attackers attempt to place more data in a targeted system’s memory than the space allocated for that data can hold.
  84. C. In an Infrastructure as a Service environment, the vendor is responsible for hardware- and network-related responsibilities. These include configuring network firewalls, maintaining the hypervisor, and managing physical equipment. The customer retains responsibility for patching operating systems on its virtual machine instances.
  85. B. Sandboxing is a technique where application developers (or the recipients of an untrusted application) may test the code in a virtualized environment that is isolated from production systems. White box testing, black box testing, and penetration testing are all common software testing techniques but do not require the use of an isolated system.
  86. B. Fraggle attacks use a distributed attack approach to send UDP traffic at a targeted system from many different source addresses on ports 7 and 9. The most effective way to block this attack would be to block inbound UDP traffic on those ports. Blocking the source addresses is not feasible because the attacker would likely simply change the source addresses. Blocking destination addresses would likely disrupt normal activity. The fraggle attack does not use ICMP, so blocking that traffic would have no effect.
  87. A. Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains.
  88. C. In a Platform as a Service solution, the customer supplies application code that the vendor then executes on its own infrastructure.
  89. A. Companies have an obligation to preserve evidence whenever they believe that the threat of litigation is imminent. The statement made by this customer that “we will have to take this matter to court” is a clear threat of litigation and should trigger the preservation of any related documents and records.
  90. B. The Fourth Amendment states, in part, that “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The First Amendment contains protections related to freedom of speech. The Fifth Amendment ensures that no person will be required to serve as a witness against themselves. The Fifteenth Amendment protects the voting rights of citizens.
  91. A. Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field. Direct evidence is when witnesses testify about their direct observations. Real evidence consists of tangible items brought into court as evidence. Documentary evidence consists of written records used as evidence in court.
  92. D. The standard methods for clearing magnetic tapes, according to the NIST Guidelines for Media Sanitization, are overwriting the tape with nonsensitive data, degaussing, and physical destruction via shredding or incineration. Reformatting a tape does not remove remnant data.
  93. B. RAID level 1, also known as disk mirroring, uses two disks that contain identical information. If one disk fails, the other contains the data needed for the system to continue operation.
  94. B. The analysis of application logs is one of the core tasks of software analysis because SQL injection attacks are application attacks.
  95. C. Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.
  96. C. Data loss prevention (DLP) systems may identify sensitive information stored on endpoint systems or in transit over a network. This is their primary purpose. Intrusion detection and prevention systems (IDS/IPS) may be used to identify some sensitive information using signatures built for that purpose, but this is not the primary role of those tools, and they would not be as effective as DLP systems at this task. TLS is a network encryption protocol that may be used to protect sensitive information, but it does not have any ability to identify sensitive information.
  97. D. If software is released into the public domain, anyone may use it for any purpose, without restriction. All other license types contain at least some level of restriction.
  98. A. In a man-in-the-middle attack, attackers manage to insert themselves into a connection between a user and a legitimate website, relaying traffic between the two parties while eavesdropping on the connection. Although similarly named, the meet-in-the-middle attack is a cryptographic attack that does not necessarily involve connection tampering. Fraggle is a network-based denial of service attack using UDP packets. Wardriving is a reconnaissance technique for discovering open or weakly secured wireless networks.
  99. C. The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.
  100. C. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. Uninterruptible power supplies (UPS) provide immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss. RAID and redundant servers are high availability controls but do not cover power loss scenarios.

Chapter 8: Software Development Security (Domain 8)

  1. B. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class. When you are developing an object-oriented model, it is desirable to have high cohesion and low coupling.
  2. D. Botnets are used for a wide variety of malicious purposes, including scanning the network for vulnerable systems, conducting brute-force attacks against other systems, and sending out spam messages.
  3. C. Code review takes place after code has been developed, which occurs after the design phase of the system’s development life cycle (SDLC). Code review may use a combination of manual and automated techniques, or rely solely on one or the other. It should be a peer-driven process that includes developers who did not write the code. Developers should expect to complete the review of around 300 lines per hour, on average.
  4. D. A social engineering attack may trick a user into revealing their password to the attacker. Other attacks that depend on guessing passwords, such as brute-force attacks, rainbow table attacks, and dictionary attacks, are unlikely to be successful in light of the organization’s strong password policy.
  5. C. One of the responsibilities of the release control process is ensuring that the process includes acceptance testing that confirms that any alterations to end-user work tasks are understood and functional prior to code release. The request control, change control, and configuration control processes do not include acceptance testing.
  6. B. Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests. SQL injection directly attacks a database through a web application. Cross-site scripting uses reflected input to trick a user’s browser into executing untrusted code from a trusted site.
  7. A. The SDLC consists of seven phases, in the following order: conceptual definition, functional requirements determination, control specifications development, design review, code review, system test review, and maintenance and change management.
  8. D. The error message shown in the figure is the infamous “Blue Screen of Death” that occurs when a Windows system experiences a dangerous failure and enters a fail secure state. If the system had “failed open,” it would have continued operation. The error described is a memory fault that is likely recoverable by rebooting the system. There is no indication that the system has run out of usable memory.
  9. D. Software threat modeling is designed to reduce the number of security-related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.
  10. C. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
  11. A. Primary storage is a technical term used to refer to the memory that is directly available to the CPU. Nonvolatile storage mechanisms, such as flash drives, DVDs, and hard drives, are classified as secondary storage.
  12. A. Dynamic testing of software typically occurs in a black box environment where the tester does not have access to the source code. Static testing, white box testing, and code review approaches all require access to the source code of the application.
  13. B. Inheritance occurs when a subclass (or child class) is able to use methods belonging to a superclass (or parent class). Polymorphism occurs when different subclasses may have different methods using the same interfaces that respond differently. Coupling is a description of the level of interaction between objects. Cohesion is the strength of the relationship between the purposes of methods within the same class.
  14. C. Aggregate functions (COUNT, SUM, AVG and the like) summarize large amounts of data and return only summary information. A carefully crafted series of aggregate queries, for example an average over a group that contains a single record, or the difference between two large sums, can nonetheless reveal individual values that the user is not authorized to see; this is the inference problem.
  15. B. The best protection against buffer overflow attacks is server-side input validation. This technique limits user input to approved ranges of values that fit within allocated buffers. While firewalls and intrusion prevention systems may contain controls that limit buffer overflows, it would be more effective to perform filtering on the application server. Encryption cannot protect against buffer overflow attacks.
  16. B. The log entries show the characteristic pattern of a port scan. The attacking system sends connection attempts to the target system against a series of commonly used ports.
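The pattern described in answer 16 (one source hitting many ports on one target in a short window) is easy to turn into detection logic. The following is an added example in Python, not part of the original answer key; the firewall log format and the log lines are constructed for the demonstration, and the thresholds (five distinct ports within ten seconds) are assumptions to tune against your own traffic.

```python
"""Detect port-scan patterns in firewall log lines (added example; log format is constructed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical "<timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>" format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 203.0.113.5:40001 -> 192.0.2.10:21
2024-03-01T10:00:01 DENY TCP 203.0.113.5:40002 -> 192.0.2.10:22
2024-03-01T10:00:01 DENY TCP 203.0.113.5:40003 -> 192.0.2.10:23
2024-03-01T10:00:02 DENY TCP 203.0.113.5:40004 -> 192.0.2.10:25
2024-03-01T10:00:02 ALLOW TCP 203.0.113.5:40005 -> 192.0.2.10:80
2024-03-01T10:00:02 DENY TCP 203.0.113.5:40006 -> 192.0.2.10:110
2024-03-01T10:00:03 DENY TCP 203.0.113.5:40007 -> 192.0.2.10:143
2024-03-01T10:00:03 ALLOW TCP 203.0.113.5:40008 -> 192.0.2.10:443
2024-03-01T10:00:03 DENY TCP 203.0.113.5:40009 -> 192.0.2.10:3389
2024-03-01T10:00:05 ALLOW TCP 198.51.100.7:51000 -> 192.0.2.10:443
2024-03-01T10:00:06 ALLOW TCP 198.51.100.7:51001 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "action": action,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
    }


def find_port_scans(log_text, min_ports=5, window_seconds=10):
    """Return {(src, dst): [distinct ports]} for every source/target pair that touched at least
    min_ports distinct destination ports inside any sliding window of window_seconds.
    Both allowed and denied connections count: a scan reveals open ports precisely via the allowed ones."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            events[(e["src"], e["dst"])].append((e["time"], e["dport"]))

    scans = {}
    for pair, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until the window spans at most window_seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            window_ports = {port for _, port in evs[lo:hi + 1]}
            if len(window_ports) >= min_ports:
                scans.setdefault(pair, set()).update(window_ports)
    return {pair: sorted(ports) for pair, ports in scans.items()}


if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan {src} -> {dst}: ports {ports}")
```

The second source in the sample (two connections to port 443) is ordinary traffic and is not reported; raising `min_ports` to 10 suppresses the first source as well, which is why the threshold has to be set from a baseline of the environment rather than chosen in the abstract.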
  17. C. Acme Widgets is clearly in the initial stage of the SW-CMM. This stage is characterized by the absence of formal process. The company may still produce working code, but they do so in a disorganized fashion.
  18. B. The Repeatable stage is the second stage in the SW-CMM, following the Initial stage. It should be the next milestone goal for Acme Widgets. The Repeatable stage is characterized by basic life-cycle management processes.
  19. A. The Defined stage (level 3) of the SW-CMM is marked by formal, documented software development processes that all projects follow. Its key process areas include Organization Process Focus, Organization Process Definition, Training Program, Integrated Software Management, Software Product Engineering, Intergroup Coordination, and Peer Reviews. Basic life-cycle management and organized code reuse, together with requirements management, software project planning, quality assurance, and configuration management practices, characterize the earlier Repeatable stage.
  20. D. The Managed stage is the fourth stage in the SW-CMM, following the Defined stage. It should be the next milestone goal for Beta Particles. The Managed stage is characterized by the use of quantitative software development measures.
  21. C. Referential integrity ensures that records exist in a secondary table when they are referenced with a foreign key from another table. Foreign keys are the mechanism used to enforce referential integrity.
  22. A. Macro viruses are most commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension. They are not commonly found in executable files with the .com or .exe extensions.
  23. C. The degree of a database table is the number of attributes in the table. Victor’s table has six attributes: the employee’s user ID, home telephone, office telephone, mobile telephone, office location, and job title.
  24. C. The string shown in the logs is characteristic of a directory traversal attack where the attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user, such as the password file. The series of “double dots” is indicative of a directory traversal attack because it is the character string used to reference the directory one level up in a hierarchy.
  25. C. Design reviews should take place after the development of functional and control specifications but before the creation of code. The code review, unit testing, and functional testing all take place after the creation of code and, therefore, after the design review.
  26. C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.
  27. D. Assurance, when it comes to software, is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner. It is a term typically used in military and defense environments.
  28. C. The change control process is responsible for providing an organized framework within which multiple developers can create and test a solution prior to rolling it out in a production environment. Request control provides a framework for user requests. Release control manages the deployment of code into production. Configuration control ensures that changes to software versions are made in accordance with the change and configuration management policies.
  29. D. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
  30. A. The two major classifications of covert channels are timing and storage. A covert timing channel conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner. A covert storage channel conveys information by writing data to a common storage area where another process can read it. There is no such thing as a covert firewall channel. Memory is a type of storage, so a memory-based covert channel would fit into the covert storage channel category.
  31. A. Black box testing begins with no prior knowledge of the system implementation, simulating a user perspective. White box and gray box testing provide full and partial knowledge of the system, respectively, in advance of the test. Blue boxes are a phone hacking tool and are not used in software testing.
  32. B. In this example, the two SQL commands are indeed bundled in a transaction, but it is not an error to issue an update command that does not match any rows. Therefore, the first command would “succeed” in updating zero rows and would not generate an error or cause the transaction to roll back. The second command would then execute, reducing the balance of the second account by $250.
  33. D. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
  34. C. A fail open configuration may be appropriate in this case. In this configuration, the firewall would continue to pass traffic without inspection while it is restarting. This would minimize downtime, and the traffic would still be protected by the other security controls described in the scenario. Failover devices and high availability clusters would indeed increase availability, but at potentially significant expense. Redundant disks would not help in this scenario because no disk failure is described.
  35. D. An inference problem occurs when an attacker can pull together pieces of less sensitive information and use them to derive information of greater sensitivity. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
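Answers 14, 29, and 35 describe aggregation and inference in words; the following added example (Python with the standard-library sqlite3 module, not code from the original answer key) shows both the attack and a query-size control, using a constructed employee table. The department names, salaries, and the minimum group size of three are all assumptions for the demonstration.

```python
"""Inference through aggregate queries, and why a minimum-group-size control alone is not enough."""
import sqlite3


def build_db():
    """Constructed statistical database: three engineers and a single legal employee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT PRIMARY KEY, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [
            ("alice", "eng", 120000),
            ("bob", "eng", 100000),
            ("carol", "eng", 110000),
            ("dave", "legal", 150000),  # sole member of 'legal'
        ],
    )
    return conn


def average_salary(conn, dept):
    """Naive aggregate interface: an average over a one-person group is that person's salary."""
    return conn.execute("SELECT AVG(salary) FROM employees WHERE dept = ?", (dept,)).fetchone()[0]


def average_salary_min_group(conn, dept, k=3):
    """Query-size control: refuse to answer when fewer than k rows contribute to the aggregate."""
    avg, n = conn.execute(
        "SELECT AVG(salary), COUNT(*) FROM employees WHERE dept = ?", (dept,)
    ).fetchone()
    return None if n < k else avg


def sum_salary_min_group(conn, exclude_dept=None, k=3):
    """The same control applied to SUM, with an optional 'everyone except department X' filter."""
    if exclude_dept is None:
        total, n = conn.execute("SELECT SUM(salary), COUNT(*) FROM employees").fetchone()
    else:
        total, n = conn.execute(
            "SELECT SUM(salary), COUNT(*) FROM employees WHERE dept != ?", (exclude_dept,)
        ).fetchone()
    return None if n < k else total


def infer_by_difference(conn):
    """Tracker attack: both sums are over groups large enough to be permitted (4 and 3 rows),
    yet their difference is exactly the one legal employee's salary."""
    return sum_salary_min_group(conn) - sum_salary_min_group(conn, exclude_dept="legal")


if __name__ == "__main__":
    db = build_db()
    print("AVG(legal) with no control:", average_salary(db, "legal"))
    print("AVG(legal) with min group of 3:", average_salary_min_group(db, "legal"))
    print("Inferred legal salary by difference:", infer_by_difference(db))
```

The minimum-group-size check blocks the obvious one-row average but not the difference of two overlapping, individually permitted sums. Practical defenses therefore layer controls: limit overlap between successive query sets, add noise to released statistics, or, where classification levels are involved, use polyinstantiation so that the absence of a record at a lower level reveals nothing.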
  36. B. Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assists them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection but do so by encrypting themselves with different keys on each device.
  37. A. The message forum is clearly susceptible to a cross-site scripting (XSS) attack. The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists. The website may also be vulnerable to cross-site request forgery, SQL injection, improper authentication, and other attacks, but there is no evidence of this provided in the scenario.
  38. A. The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.
  39. B. Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application. An intrusion detection system (IDS) may detect the attack but is unable to take action to prevent it. DLP and VPN solutions are unable to detect web application attacks.
  40. C. Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks. Bounds checking is a form of input validation, but it is used to ensure that numeric input falls within an acceptable range and is not applicable against cross-site scripting attacks. Peer review and OS patching are both good security practices but are unlikely to be effective against a cross-site scripting attack.
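Answers 37 through 40 describe the stored XSS probe, the WAF, and input validation in prose. The following added Python example, which is not from the original answer key, renders a forum post two ways and shows the two controls answer 40 contrasts: output encoding of untrusted text, and allow-list input validation for a field with a known shape. The probe string and the display-name rules are constructed for the demonstration.

```python
"""Stored XSS: unsafe rendering versus output encoding plus input validation (added example)."""
import html
import re
import urllib.parse

# Constructed attacker post: the alert() probe typically used to confirm an XSS flaw.
PROBE = "<script>alert('xss')</script>"


def render_post_unsafe(author, body):
    """VULNERABLE (deliberately): untrusted text is concatenated straight into the HTML."""
    return f"<div class='post'><b>{author}</b>: {body}</div>"


def render_post_safe(author, body):
    """Hardened: escape every untrusted value at the point it enters HTML text content."""
    return f"<div class='post'><b>{html.escape(author)}</b>: {html.escape(body)}</div>"


def safe_href(url):
    """Encoding is context dependent: 'javascript:alert(1)' contains no HTML metacharacters, so
    html.escape() alone would pass it straight into an href. Allow-list the scheme first,
    then escape for the attribute context (quote=True also escapes ' and ")."""
    if urllib.parse.urlparse(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def validate_display_name(name):
    """Input validation with an allow-list: letters, digits, '_' and '-', 3 to 20 characters (assumed rule)."""
    return re.fullmatch(r"[A-Za-z0-9_-]{3,20}", name) is not None


def contains_script_tag(rendered_html):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print(render_post_unsafe("linda", PROBE))
    print(render_post_safe("linda", PROBE))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

Bounds checking (answer 40's distractor) would not help here: the probe is well within any length limit. The escaped output still contains the attacker's text, now rendered literally, which is the correct outcome for a free-text field; the display name, whose legitimate shape is known, can be rejected outright.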
  41. C. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.
  42. D. JavaScript is an interpreted language that does not make use of a compiler to transform code into an executable state. Java, C, and C++ are all compiled languages.
  43. B. Multipartite viruses use multiple propagation mechanisms to defeat system security controls but do not necessarily include techniques designed to hide the malware from antivirus software. Stealth viruses tamper with the operating system to hide their existence. Polymorphic viruses alter their code on each system they infect to defeat signature detection. Encrypted viruses use a similar technique, employing encryption to alter their appearance and avoid signature detection mechanisms.
  44. C. User acceptance testing (UAT) is typically the last phase of the testing process. It verifies that the solution developed meets user requirements and validates it against use cases. Unit testing, integration testing, and system testing are all conducted earlier in the process leading up to UAT.
  45. D. Functional requirements specify the inputs, behavior, and outputs of software. Derived requirements are requirements developed from other requirement definitions. Structural and behavioral requirements focus on the overall structure of a system and the behaviors it displays.
  46. C. The Open Web Application Security Project (OWASP) is widely considered as the most authoritative source on web application security issues. They publish the OWASP Top Ten list that publicizes the most critical web application security issues.
  47. B. When one object wishes to interact with another object, it does so by invoking one of the second object’s methods, including required and, perhaps, optional arguments to that method.
  48. D. It is perfectly normal for packets with public IP addresses to enter the network from external locations. However, packets with internal addresses should never originate from the outside and should be blocked as spoofed traffic. Similarly, traffic leaving the network should have an internal source address. In no case should packets with private IP addresses cross the network border.
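The three rules in answer 48 (no internal source addresses arriving from outside, only internal source addresses leaving, and no private addresses crossing the border at all) translate directly into ingress and egress filtering logic. The following added Python example is not from the original answer key; it assumes the organization's public block is 192.0.2.0/24 (a documentation range standing in for a real assignment) and uses the RFC 1918 ranges for "private". The packets are constructed.

```python
"""Border anti-spoofing decisions: ingress and egress filtering (added example)."""
import ipaddress

# RFC 1918 private ranges, which must never appear on either side of the border.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the organization's own public address block (documentation range used as a stand-in).
ORG_PUBLIC = [ipaddress.ip_network("192.0.2.0/24")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def border_decision(direction, src, dst):
    """Return 'allow' or 'drop: <reason>' for a packet seen at the border firewall.
    direction is 'inbound' (arriving from the Internet) or 'outbound' (leaving the network)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(s, RFC1918) or in_any(d, RFC1918):
        return "drop: private address at the border"
    if direction == "inbound":
        if in_any(s, ORG_PUBLIC):
            return "drop: spoofed internal source arriving from outside"
        return "allow"
    if direction == "outbound":
        if not in_any(s, ORG_PUBLIC):
            return "drop: egress filter, source is not one of our addresses"
        return "allow"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.9", "192.0.2.10"),     # normal external client
    ("inbound", "192.0.2.77", "192.0.2.10"),      # our own address arriving from outside: spoofed
    ("inbound", "10.1.2.3", "192.0.2.10"),        # private source at the border
    ("outbound", "192.0.2.10", "203.0.113.9"),    # normal outbound
    ("outbound", "198.51.100.4", "203.0.113.9"),  # foreign source leaving us: spoofed or misrouted
]


def decide_all(packets):
    return [(direction, src, dst, border_decision(direction, src, dst)) for direction, src, dst in packets]


if __name__ == "__main__":
    for direction, src, dst, verdict in decide_all(SAMPLE_PACKETS):
        print(f"{direction:8} {src:>14} -> {dst:<14} {verdict}")
```

Note that the `ipaddress` module's own `is_private` flag is deliberately not used: it also marks the documentation ranges as private, so the test would misfire on the stand-in addresses; an explicit list of the networks you consider internal is the dependable check on real equipment as well.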
  49. B. This is an example of a specific type of buffer overflow known as an off-by-one error. The first line of the code defines an array of 10 elements, which would be numbered 0 through 9. The second line of code tries to place a value in the 11th element of the array (remember, array counting begins at 0!), which would cause an overflow.
  50. C. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.
  51. A. Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials. Secure Sockets Layer (SSL) also encrypts traffic, but it is vulnerable to attacks against its encryption technology. Complex and expiring cookies are a good idea, but they are not sufficient protection against session hijacking.
  52. C. When a system uses shadowed passwords, the hashed password value is stored in /etc/shadow instead of /etc/passwd. The /etc/passwd file would not contain the password in plaintext or hashed form. Instead, it would contain an x to indicate that the password hash is in the shadow file. The * character is normally used to disable interactive logins to an account.
  53. B. Time of check to time of use (TOC/TOU) attacks target situations where there is a race condition, meaning that a dependence on the timing of actions allows impermissible actions to take place.
  54. C. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside of the SQL code’s input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.
  55. B. Client-side input validation is not an effective security control, because the attacker can bypass it simply by altering or disabling the code running in the browser; it improves usability, but the server must validate again. Escaping restricted characters prevents them from being interpreted as SQL syntax, and parameterization keeps user input out of the query text entirely. Limiting database permissions does not stop the injection itself but limits what an injected command can do.
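Answers 54 and 55 describe the single-quote telltale and the controls in prose. The following added Python example, which uses the standard-library sqlite3 module and is not code from the original answer key, runs the classic tautology payload against a concatenated query, a parameterized query, and an escaped query, and shows the syntax error a lone quote produces. The table and the payload are constructed.

```python
"""SQL injection via string concatenation, and the controls that stop it (added example)."""
import sqlite3

PAYLOAD = "' OR '1'='1"  # constructed classic tautology payload


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE (deliberately): the quote in the input closes the SQL string literal, and the
    rest of the input becomes part of the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """Hardened: the driver binds the value; it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def escape_sql_string(value):
    """Escaping the restricted character: a single quote inside a literal is written as two.
    Parameterization is preferred; this shows why escaping also neutralizes the payload."""
    return value.replace("'", "''")


def find_user_escaped(conn, username):
    sql = "SELECT username FROM users WHERE username = '" + escape_sql_string(username) + "'"
    return [row[0] for row in conn.execute(sql)]


def lone_quote_error(conn):
    """A single quote on its own breaks the vulnerable query's syntax; that database error
    surfacing in logs is the telltale sign. Returns the exception class name, or None."""
    try:
        find_user_vulnerable(conn, "'")
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))
    print("parameterized:", find_user_parameterized(db, PAYLOAD))
    print("escaped:", find_user_escaped(db, PAYLOAD))
    print("lone quote ->", lone_quote_error(db))
```

The vulnerable query returns every row because the WHERE clause has become `username = '' OR '1'='1'`; the other two return nothing, since the payload is compared as a literal string. A read-only database account would not have changed these results, but it would have turned a `'; DROP TABLE users; --` variant from a data loss into a permission error, which is the point of answer 55's last control.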
  56. B. PERT charts use nodes to represent milestones or deliverables and then show the estimated time to move between milestones. Gantt charts use a different format with a row for each task and lines showing the expected duration of the task. Work breakdown structures are an earlier deliverable that divides project work into achievable tasks. Wireframe diagrams are used in web design.
  57. D. Regression testing is performed after developers make changes to an application. It reruns a number of test cases and compares the results to baseline results. Orthogonal array testing is a method for generating test cases based on statistical analysis. Pattern testing uses records of past software bugs to inform the analysis. Matrix testing develops a matrix of all possible inputs and outputs to inform the test plan.
  58. B. Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web application where input provided by one user is displayed to another user. Input validation is a control used to prevent XSS attacks. XSS does not require an unpatched server or any firewall rules beyond those permitting access to the web application.
  59. A. In a white box test, the attacker has access to full implementation details of the system, including source code, prior to beginning the test. In gray box testing, the attacker has partial knowledge. In black box testing, the attacker has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.
  60. C. Heuristic-based anti-malware software has a higher likelihood of detecting a zero-day exploit than signature-based methods. Heuristic-based software does not require frequent signature updates because it does not rely upon monitoring systems for the presence of known malware. The trade-off with this approach is that it has a higher false positive rate than signature detection methods.
  61. D. One possibility for the clean scan results is that the virus is using stealth techniques, such as intercepting read requests from the antivirus software and returning a correct-looking version of the infected file. The system may also be the victim of a zero-day attack, using a virus that is not yet included in the signature definition files provided by the antivirus vendor.
  62. A. In standard URL encoding, the . character is %2E and the / character is %2F, so a traversal sequence of ../../ would appear as %2E%2E%2F%2E%2E%2F. The log entry instead shows %252E%252E%252F%252E%252E%252F: each percent sign has itself been encoded as %25. This double encoding is a technique for slipping past filters that decode a request only once; the first decoding yields %2E%2E%2F, which looks harmless to the filter, and a second decoding by the application yields ../ and the traversal succeeds.
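Answers 24 and 62 describe the traversal signature and its double-encoded form; the following added Python example, not from the original answer key, does what a log reviewer and a download handler each need: decode percent-encoding until it stops changing, then resolve the requested name against a document root and refuse anything that escapes it. The request lines and the document root /var/www/files are constructed for the demonstration.

```python
"""Directory traversal: full percent-decoding plus path containment (added example)."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/files"  # assumed document root for the download handler

# Constructed request lines: a normal download, a plain traversal, a single-encoded and a
# double-encoded traversal (the %252E form from answer 62).
SAMPLE_REQUESTS = [
    "GET /download?file=report.pdf HTTP/1.1",
    "GET /download?file=../../../etc/passwd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /download?file=%252E%252E%252F%252E%252E%252Fetc%252Fpasswd HTTP/1.1",
]


def fully_decode(value, max_rounds=5):
    """Apply percent-decoding until the string stops changing, so %252E (double encoded)
    becomes %2E and then '.'; refuse input that is still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("percent-encoding did not stabilize")


def safe_path(root, user_value):
    """Resolve user_value under root. Return the absolute path, or None if the decoded value
    would leave root (via '..', an absolute path, or a prefix trick such as root + '2')."""
    try:
        decoded = fully_decode(user_value).replace("\\", "/")
    except ValueError:
        return None
    root = root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal_requests(request_lines, root=DOC_ROOT):
    """Log review: return the request lines whose file parameter would not resolve under root."""
    flagged = []
    for line in request_lines:
        if "file=" not in line:
            continue
        value = line.split("file=", 1)[1].split()[0]
        if safe_path(root, value) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_traversal_requests(SAMPLE_REQUESTS):
        print("traversal attempt:", line)
```

Decode-until-stable is the right tool for inspecting logs, where the question is what the attacker was trying to express. In the application itself, decode exactly once (as the web framework already does) and rely on the path-containment check, which holds regardless of how the traversal was spelled.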
  63. C. Attacks where the malicious user tricks the victim’s web browser into executing a script through the use of a third-party site are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.
  64. C. The Agile Manifesto includes 12 principles for software development. Three of those are listed as answer choices: maximizing the amount of work not done is essential, build projects around motivated individuals, and welcome changing requirements throughout the development process. Agile does not, however, consider clear documentation the primary measure of progress. Instead, working software is the primary measure of progress.
  65. C. Unit testing works on individual system components, such as code modules. Regression testing is used to validate updates to code by comparing the output of the new version with previous versions. Samantha is developing new modules, so regression testing is not relevant. Integration and system testing require a broader scope than individual modules.
  66. D. Expert systems have two components: a knowledge bank that contains the collected wisdom of human experts and an inference engine that allows the expert systems to draw conclusions about new situations based on the information contained within the knowledge bank.
  67. D. A key-value store is an example of a NoSQL database that does not follow a relational or hierarchical model like traditional databases. A graph database is another example of a NoSQL database, but it uses nodes and edges to store data rather than keys and values.
  68. C. A database failure in the middle of a transaction causes the rollback of the entire transaction. In this scenario, the database would not execute either command.
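Answers 32 and 68 turn on two transaction behaviors: an UPDATE that matches no rows is not an error, and a failure partway through a transaction rolls back the statements that already ran (the atomicity and durability properties of answers 41 and 92). The following added Python example, using the standard-library sqlite3 module and not taken from the original answer key, reproduces both on a constructed accounts table, and shows the application-level check that turns the silent zero-row update into a failure. The balance cap of 1200 is an assumption chosen so that the second statement, not the first, is the one that fails.

```python
"""Transaction semantics: zero-row updates, mid-transaction failure and rollback (added example)."""
import sqlite3


def build_db():
    """Constructed accounts table. isolation_level=None gives explicit BEGIN/COMMIT control.
    The upper CHECK bound is artificial; it exists to make a credit fail after a debit succeeded."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0 AND balance <= 1200))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 1000), (2, 500)])
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn, src, dst, amount):
    """Two updates in one transaction, as in answer 32. Returns (rows_debited, rows_credited).
    A debit that matches no row is NOT an error: it updates zero rows and the credit still runs."""
    conn.execute("BEGIN")
    try:
        debited = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src)
        ).rowcount
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst)
        ).rowcount
        conn.execute("COMMIT")
        return debited, credited
    except Exception:
        conn.execute("ROLLBACK")  # answer 68: every statement in the transaction is undone
        raise


def transfer_checked(conn, src, dst, amount):
    """Hardened: treat any update that did not touch exactly one row as a failure, so money is
    never created by crediting an account from a debit that matched nothing."""
    conn.execute("BEGIN")
    try:
        debited = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src)
        ).rowcount
        if debited != 1:
            raise LookupError(f"source account {src} not found")
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst)
        ).rowcount
        if credited != 1:
            raise LookupError(f"destination account {dst} not found")
        conn.execute("COMMIT")
        return debited, credited
    except Exception:
        conn.execute("ROLLBACK")
        raise


def attempt(fn, *args):
    """Run a transfer and report ('ok', result) or ('error', ExceptionClassName)."""
    try:
        return ("ok", fn(*args))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = build_db()
    print(attempt(transfer, db, 99, 2, 250), balances(db))          # zero-row debit, credit applied
    print(attempt(transfer, db, 1, 2, 800), balances(db))           # credit fails, debit rolled back
    print(attempt(transfer_checked, db, 99, 2, 250), balances(db))  # rejected before any credit
```

The second call is the answer 68 case: the debit of account 1 succeeds, the credit of account 2 violates the constraint, and the IntegrityError causes the whole transaction to roll back, leaving account 1 untouched. Checking `rowcount` after each statement is what closes the answer 32 gap; the database itself cannot know that "zero rows matched" was a business error.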
  69. B. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
  70. B. Static testing performs code analysis in an offline fashion, without actually executing the code. Dynamic testing evaluates code in a runtime environment. Both static and dynamic testing may use automated tools, and both are important security testing techniques.
  71. D. The chart shown in the figure is a Gantt chart, showing the proposed start and end dates for different activities. It is developed based on the work breakdown structure (WBS), which is developed based on functional requirements. Program Evaluation Review Technique (PERT) charts show the project schedule as a series of numbered nodes.
  72. D. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.
  73. D. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.
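Answers 53 and 73 define a TOC/TOU race in prose. The following added Python example, which is not from the original answer key and assumes a POSIX filesystem with symlink support, makes the race deterministic by letting a simulated attacker retarget a symbolic link in the window between the check and the use, then shows the usual fix: open first and verify the already-open descriptor, so that nothing the attacker does afterwards can change which file is read. File names and contents are constructed in a temporary directory.

```python
"""Time-of-check to time-of-use on a symlink: check-then-open versus open-then-check (added example)."""
import os
import shutil
import tempfile


def read_check_then_use(link, allowed, attacker=None):
    """VULNERABLE (deliberately): the check (realpath) and the use (open) are separate steps,
    and the path is re-resolved by open(). 'attacker' stands in for a process that wins the race."""
    if os.path.realpath(link) != os.path.realpath(allowed):
        raise PermissionError("path not allowed")
    if attacker is not None:
        attacker()  # race window: the link is retargeted after the check passed
    with open(link) as f:
        return f.read()


def read_use_then_check(link, allowed, attacker=None):
    """Hardened: open first, then verify the open descriptor by (device, inode) against the
    allowed file. The descriptor stays bound to whatever was opened; later link changes are moot."""
    fd = os.open(link, os.O_RDONLY)
    try:
        if attacker is not None:
            attacker()  # too late: fd already refers to the file that was opened
        st, want = os.fstat(fd), os.stat(allowed)
        if (st.st_dev, st.st_ino) != (want.st_dev, want.st_ino):
            raise PermissionError("opened file is not the allowed file")
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)


def run_demo():
    """Build the scenario in a temp dir and return what each strategy ends up reading."""
    tmp = tempfile.mkdtemp()
    try:
        public = os.path.join(tmp, "public.txt")
        secret = os.path.join(tmp, "secret.txt")
        link = os.path.join(tmp, "link")
        with open(public, "w") as f:
            f.write("public data")
        with open(secret, "w") as f:
            f.write("secret data")
        os.symlink(public, link)

        def retarget():  # simulated attacker: repoint the link at the secret file
            os.remove(link)
            os.symlink(secret, link)

        def restore():
            os.remove(link)
            os.symlink(public, link)

        results = {}
        results["vulnerable_no_race"] = read_check_then_use(link, public)
        results["vulnerable_raced"] = read_check_then_use(link, public, attacker=retarget)
        restore()
        results["hardened_raced"] = read_use_then_check(link, public, attacker=retarget)
        # The link now points at the secret; a fresh hardened read must be refused outright.
        try:
            read_use_then_check(link, public)
            results["hardened_pre_swapped"] = "read"
        except PermissionError:
            results["hardened_pre_swapped"] = "denied"
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:22} -> {outcome}")
```

The inode comparison assumes the attacker cannot replace the allowed file itself; in a real service the same idea is applied with `openat()` relative to a trusted directory descriptor, or with `O_NOFOLLOW` where symlinks are never legitimate. Either way the rule is the one answer 73 implies: act on the object you checked, not on a path that can be re-resolved.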
  74. A. In the diagram, Account is the name of the class. Owner and Balance are attributes of that class. AddFunds and RemoveFunds are methods of the class.
  75. B. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. SQL injection is a web application security flaw, not a database concurrency problem.
  76. D. The fail closed approach prevents any activity from taking place during a system security failure and is the most conservative approach to failure management. Fail open takes the opposite philosophy, allowing all activity in the event of a security control failure. Fail clear and fail mitigation are not failure management approaches.
  77. D. The illustration shows the spiral model of software development. In this approach, developers use multiple iterations of a waterfall-style software development process. This becomes a “loop” of iterations through similar processes. The waterfall approach does not iterate through the entire process repeatedly but rather only allows movement backward and forward one stage. The agile approach to software development focuses on iterative improvement and does not follow a rigorous SDLC model. Lean is a process improvement methodology and not a software development model.
  78. B. Relational databases use the primary key to uniquely identify each of the rows in a table. The primary key is selected by the database designer from the set of candidate keys that are able to uniquely identify each row, but the RDBMS only uses the primary key for this purpose. Foreign keys are used to establish relationships between tables. Referential keys are not a type of database key.
  79. A. The request process begins with a user-initiated request for a feature. Change and release control are initiated by developers seeking to implement changes. Design review is a phase of the change approval process initiated by developers when they have a completed design.
  80. C. Polyinstantiation allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from inferring anything about the absence of information. Input validation, server-side validation, and parameterization are all techniques used to prevent web application attacks and are not effective against inference attacks.
  81. C. While Ursula may certainly use an object model, data dictionary, and primary key in her development effort, external developers cannot directly use them to access her code. An application programming interface (API) allows other developers to call Ursula’s code from within their own without knowing the details of Ursula’s implementation.
  82. C. In the Establishing phase of the IDEAL model, the organization takes the general recommendations from the Diagnosing phase and develops a specific plan of action that achieves those changes.
  83. D. Messages similar to the one shown in the figure are indicative of a ransomware attack. The attacker encrypts files on a user’s hard drive and then demands a ransom, normally paid in Bitcoin, for the decryption key required to restore access to the original content. Encrypted viruses, on the other hand, use encryption to hide themselves from antivirus mechanisms and do not alter other contents on the system.
  84. A. The bin2hex() function converts a string to a hexadecimal value that may then be passed to a database safely. The dechex() function performs a similar function but will not work for a string as it only functions on numeric values. The hex2bin() and hexdec() functions work in the reverse manner.
  85. D. Neural networks attempt to use complex computational techniques to model the behavior of the human mind. Knowledge banks are a component of expert systems, which are designed to capture and reapply human knowledge. Decision support systems are designed to provide advice to those carrying out standard procedures and are often driven by expert systems.
  86. B. In level 2, the Repeatable level of the SW-CMM, an organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins, and repeatable results are expected from similar projects. The key process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance, and Software Configuration Management.
  87. C. The key to this question is that Lucas suspects the tampering took place before the employee departed. This is the signature of a logic bomb: malicious code that lies dormant until certain conditions are met. The other attack types listed here: privilege escalation, SQL injection, and remote code execution would more likely take place in real time.
  88. A. The Agile approach to software development embraces four principles. It values individuals and interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, and responding to change over following a plan.
  89. C. API developers commonly use API keys to limit access to authorized users and applications. Encryption provides for confidentiality of information exchanged using an API but does not provide authentication. Input validation is an application security technique used to protect against malicious input. IP filters may be used to limit access to an API, but they are not commonly used because it is difficult to deploy an API with IP filters since the filters require constant modification and maintenance as endpoints change.
  90. C. Signature detection is extremely effective against known strains of malware because it uses a very reliable pattern matching technique to identify known malware. Signature detection is, therefore, the most reliable way to detect known malware. This technique is not, however, effective against the zero-day malware typically used by advanced persistent threats (APTs) that does not exploit vulnerabilities identified in security bulletins. While malware authors once almost exclusively targeted Windows systems, malware now exists for all major platforms.
  91. B. In the waterfall model, the software development process follows five sequential steps which are, in order: Requirements, Design, Coding, Testing, and Maintenance.
  92. A. Atomicity ensures that database transactions either execute completely or not at all. Consistency ensures that all transactions must begin operating in an environment that is consistent with all of the database’s rules. The isolation principle requires that transactions operate separately from each other. Durability ensures that database transactions, once committed, are permanent.
  93. D. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure the value remains within an expected range, but there was no range specified in this scenario. Fail open and fail secure are options when planning for possible system failures.
  94. A. Cookies are used to maintain authenticated sessions, even when IP addresses change. Therefore, Mal can use the stolen cookies to conduct a session hijacking attack, taking over an authorized user’s session with the website, potentially without the knowledge of the legitimate user.
  95. D. Penetration tests of web-based systems may detect any possible web application security flaw, including cross-site request forgery (XSRF), cross-site scripting (XSS), and SQL injection vulnerabilities.
  96. C. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a seamless approach that builds collaboration between the three disciplines.
  97. B. nessus is a vulnerability testing tool designed for use by security professionals but also available to attackers. nmap may also assist attackers, but it only shows open ports and has limited capability to identify vulnerabilities. ipconfig displays network configuration information about a system, whereas traceroute identifies the network path between two systems.
  98. D. Dirty reads occur when one transaction reads a value from a database that was written by another transaction that did not commit. Lost updates occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value. Incorrect summaries occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information. SQL injection is a web application security flaw, not a database concurrency problem.
  99. B. A master boot record (MBR) virus redirects the boot process to load malware during the operating system loading process. File infector viruses infect one or more normal files stored on the system. Polymorphic viruses alter themselves to avoid detection. Service injection viruses compromise trusted components of the operating system.
  100. C. Multipartite viruses use multiple propagation mechanisms to spread between systems. This improves their likelihood of successfully infecting a system because it provides alternative infection mechanisms that may be successful against systems that are not vulnerable to the primary infection mechanism.

Chapter 9: Practice Test 1

  1. C. NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.
  2. B. A Content Distribution Network (CDN) is designed to provide reliable, low-latency, geographically distributed content distribution. In this scenario, a CDN is an ideal solution. A P2P CDN like BitTorrent isn’t a typical choice for a commercial entity, whereas redundant servers or a hot site can provide high availability but won’t provide the remaining requirements.
  3. D. A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.
  4. B. RAID 1, disk mirroring, requires two physical disks that will contain copies of the same data.
  5. D. The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC) receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC.
  6. D. Asynchronous communications rely on a built-in stop and start flag or bit. This makes asynchronous communications less efficient than synchronous communications, but better suited to some types of communication.
  7. C. Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects.
  8. C. Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation, and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.
  9. B. A captive portal can require those who want to connect to and use Wi-Fi to provide an email address to connect. This allows Ben to provide easy-to-use wireless while meeting his business purposes. WPA2 PSK is the preshared key mode of WPA and won’t provide information about users who are given a key. Sharing a password doesn’t allow for data gathering either. Port security is designed to protect wired network ports based on MAC addresses.
  10. B. Many modern wireless routers can provide multiple SSIDs. Ben can create a private, secure network for his business operations, but he will need to make sure that the customer and business networks are firewalled or otherwise logically separated from each other. Running WPA2 on the same SSID isn’t possible without creating another wireless network and would cause confusion for customers (SSIDs aren’t required to be unique). Running a network in Enterprise mode isn’t used for open networks, and WEP is outdated and incredibly vulnerable.
  11. D. Unencrypted open networks broadcast traffic in the clear. This means that unencrypted sessions to websites can be easily captured with a packet sniffer. Some tools like FireSheep have been specifically designed to capture sessions from popular websites. Fortunately, many now use TLS by default, but other sites still send user session information in the clear. Shared passwords are not the cause of the vulnerability, ARP spoofing isn’t an issue with wireless networks, and a Trojan is designed to look like safe software, not to compromise a router.
  12. D. The DES modes of operation are Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). The Advanced Encryption Standard (AES) is a separate encryption algorithm.
  13. D. Clipping is an analysis technique that only reports alerts after they exceed a set threshold. It is a specific form of sampling, which is a more general term that describes any attempt to excerpt records for review. Thresholding is not a commonly used term. Administrators may choose to configure automatic or manual account lockout after failed login attempts but that is not described in the scenario.
  14. B. RADIUS is a common AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. OAuth is an authentication protocol used to allow applications to act on a user’s behalf without sharing the password, and is used for many web applications. While both TACACS and TACACS+ provide the functionality Sally is looking for, both are Cisco proprietary protocols.
  15. C. In an inference attack, the attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value.
  16. A. The take rule allows a subject to take the rights belonging to another object. If Alice has take rights on Bob, she can give herself the same permissions that Bob already possesses.
  17. B. Brute-force attacks try every possible password. In this attack, the password is changing by one letter at each attempt, which indicates that it is a brute-force attack. A dictionary attack would use dictionary words for the attack, whereas a man-in-the-middle or pass-the-hash attack would most likely not be visible in an authentication log except as a successful login.
  18. B. Isolation requires that transactions operate separately from each other. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Durability requires that once a transaction is committed to the database it must be preserved.
  19. B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
  20. C. In a teardrop attack, the attacker fragments traffic in such a way that the system is unable to reassemble them. Modern systems are not vulnerable to this attack if they run current operating systems, but the concept of this attack illustrates the danger of relying upon users following protocol specifications instead of performing proper exception handling.
  21. C. The TCP three-way handshake consists of initial contact via a SYN, or synchronize flagged packet, which receives a response with a SYN/ACK, or synchronize and acknowledge flagged packet, which is acknowledged by the original sender with an ACK, or acknowledge packet. RST is used in TCP to reset a connection, PSH is used to send data immediately, and FIN is used to end a connection.
  22. B. MDM products do not have the capability of assuming control of a device not currently managed by the organization. This would be equivalent to hacking into a device owned by someone else and might constitute a crime.
  23. A. Identity as a Service (IDaaS) provides an identity platform as a third-party service. This can provide benefits, including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.
  24. A. Gina’s actions harm the CISSP certification and information security community by undermining the integrity of the examination process. While Gina also is acting dishonestly, the harm to the profession is more of a direct violation of the code of ethics.
  25. A. The annualized loss expectancy is the amount of damage that the organization expects to occur each year as the result of a given risk.
  26. C. The whitelisting approach to application control allows users to install only those software packages specifically approved by administrators. This would be an appropriate approach in a scenario where application installation needs to be tightly controlled.
  27. A. This is a clear example of a denial-of-service attack—denying legitimate users authorized access to the system through the use of overwhelming traffic. It goes beyond a reconnaissance attack because the attacker is affecting the system, but it is not a compromise because the attacker did not attempt to gain access to the system. There is no reason to believe that a malicious insider was involved.
  28. A. The Company ID is likely unique for each row in the table, making it the best choice for a primary key. There may be multiple companies that share the same name or ZIP code. Similarly, a single sales representative likely serves more than one company, making those fields unsuitable for use as a unique identifier.
  29. C. Personally Identifiable Information (PII) includes data that can be used to distinguish or trace that person’s identity, and also includes information like their medical, educational, financial, and employment information. PHI is personal health information, EDI is electronic data interchange, and proprietary data is used to maintain an organization’s competitive advantage.
  30. D. 129.53.44.124 is a valid public IP address and a legitimate destination for traffic leaving Bob’s network. 12.8.195.15 is a public address on Bob’s network and should not be a destination address on a packet leaving the network. 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the Internet.
  31. D. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the sixth power is 64, so a 6-bit keyspace contains 64 possible keys. The number of viable keys is usually smaller in most algorithms due to the presence of parity bits and other algorithmic overhead or security issues that restrict the use of some key values.
  32. D. Research has shown that traditional methods of sanitizing files on SSDs were not reliable. SSDs remap data sectors as part of wear leveling, and erase commands are not consistently effective across multiple SSD brands. Zero fills can be performed on SSDs but may not be effective, much like erase commands. Degaussing doesn’t work on SSDs because they are flash media, rather than magnetic media. SSDs don’t have data remanence issues, but that doesn’t create the need to destroy them.
  33. A. Encrypting the files reduces the probability that the data will be successfully stolen, so it is an example of risk mitigation. Deleting the files would be risk avoidance. Purchasing insurance would be risk transference. Taking no action would be risk acceptance.
  34. C. Sampling should be done randomly to avoid human bias. Choosing a timeframe may miss historic issues or only account for the current administrator’s processes. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the userbase.
  35. B. The European Data Protection Directive’s seven primary tenets are:
    • Notice
    • Choice
    • Onward transfer
    • Security
    • Data integrity
    • Access
    • Enforcement
  36. D. In a white box test, the attacker has access to full implementation details of the system, including source code, prior to beginning the test. In gray box testing, the attacker has partial knowledge. In black box testing, the attacker has no knowledge of the system and tests it from a user perspective. Blue boxes are a phone hacking tool and are not used in software testing.
  37. C. The file clearly shows HTTP requests, as evidenced by the many GET commands. Therefore, this is an example of an application log from an HTTP server.
  38. C. A blue box was used to generate the 2600 Hz tones that trunking systems required. White boxes included a dual-tone, multifrequency generator to control phone systems. Black boxes were designed to steal long-distance service by manipulating line voltages, and red boxes simulated the tones of coins being deposited into payphones.
  39. B. Social engineering exploits humans to allow attacks to succeed. Since help desk employees are specifically tasked with being helpful, they may be targeted by attackers posing as legitimate employees. Trojans are a type of malware, whereas phishing is a targeted attack via electronic communication methods intended to capture passwords or other sensitive data. Whaling is a type of phishing aimed at high-profile or important targets.
  40. C. Identity proofing that relies on a type of verification outside of the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge–based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.
  41. A. The modulo function is the remainder value left over after an integer division operation takes place.
  42. C. A hybrid authentication service can provide authentication services in both the cloud and on-premise, ensuring that service outages due to interrupted links are minimized. An onsite service would continue to work during an Internet outage but would not allow the e-commerce website to authenticate. A cloud service would leave the corporate location offline. Outsourcing authentication does not indicate whether the solution is on or off-premise, and thus isn’t a useful answer.
  43. C. Federation links identity information between multiple organizations. Federating with a business partner can allow identification and authorization to occur between them, making integration much easier. Single sign-on would reduce the number of times a user has to log in but will not facilitate the sharing of identity information. Multifactor can help secure authentication, but again, doesn’t help integrate with a third party. Finally, an Identity as a Service provider might provide federation but doesn’t guarantee it.
  44. B. Security Assertion Markup Language (SAML) is frequently used to integrate cloud services and provides the ability to make authentication and authorization assertions. Active Directory integrations are possible but are less common for cloud service providers, and RADIUS is not typically used for integrations like this. Service Provisioning Markup Language (SPML) is used to provision users, resources, and services, not for authentication and authorization.
  45. B. Rainbow tables use precomputed password hashes to conduct cracking attacks against password files. They may be frustrated by the use of salting, which adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation. Password expiration policies, password complexity policies, and user education may all contribute to password security, but they are not direct defenses against the use of rainbow tables.
  46. C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudoflaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.
  47. C. The crossover error rate (CER) is the point where both the false acceptance rate and the false rejection rate cross. CER and EER, or equal error rate, mean the same thing and are used interchangeably.
  48. B. A Type 2 is something you have, like a smart card or hardware token. A Type 1 authentication factor is something you know. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.
  49. C. Steganography is the art of using cryptographic techniques to embed secret messages within other content. Steganographic algorithms work by making invisible alterations to files, such as modifying the least significant bits of the many bits that make up image files. VPNs may be used to obscure secret communications, but they provide protection in transit and can’t be used to embed information in an image. Watermarking does embed information in an image but with the intent of protecting intellectual property. A still image would not be used for a covert timing channel because it is a fixed file.
  50. A. JavaScript is an interpreted language so the code is not compiled prior to execution, allowing Roger to inspect the contents of the code. C, C++, and Java are all compiled languages—a compiler produces an executable file that is not human-readable.
  51. D. When a system is configured to use shadowed passwords, the /etc/passwd file contains only the character x in the place of a password. It would not contain any passwords, in either plaintext, encrypted, or hashed form.
  52. D. Internet Control Message Protocol (ICMP) is used for normal pings, as well as Pings of Death. Ping of Death describes attacks that were used to overflow poorly implemented ICMP handlers; Smurf attacks, which spoof broadcast pings to create huge amounts of traffic on a network; and ping floods, which are a type of denial-of-service attack.
  53. D. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
  54. B. ISDN, cable modems, DSL, and T1 and T3 lines are all examples of broadband technology that can support multiple simultaneous signals. They are analog, not digital, and are not broadcast technologies.
  55. C. Social engineering is the best answer, as it can be useful to penetration testers who are asked to assess whether staff members are applying security training and have absorbed the awareness messages the organization uses. Port and vulnerability scanning find technical issues that may be related to awareness or training issues but that are less likely to be directly related. Discovery can involve port scanning or other data-gathering efforts, but is also less likely to be directly related to training and awareness.
  56. B. RAID level 5 is also known as disk striping with parity. It uses three or more disks, with one disk containing parity information used to restore data to another disk in the event of failure. When used with three disks, RAID 5 is able to withstand the loss of a single disk.
  57. D. The Physical layer deals with the electrical impulses or optical pulses that are sent as bits to convey data.
  58. A. In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model. This includes managing OS security settings, maintaining host firewalls, and configuring server access control. The vendor would be responsible for all security mechanisms at the hypervisor layer and below.
  59. B. Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.
  60. D. Process isolation ensures that the operating system allocates a separate area of memory for each process, preventing processes from seeing each other’s data. This is a requirement for multilevel security systems.
  61. B. The use of an electromagnetic coil inside the card indicates that this is a proximity card.
  62. C. During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
  63. B. The Agile approach to software development embraces 12 core principles, found in the Agile Manifesto. One of these principles is that the best architecture, requirements, and designs emerge from self-organizing teams. Another is that teams should welcome changing requirements at any step in the process. A third is that simplicity is essential. The Agile approach emphasizes delivering software frequently, not infrequently.
  64. B. Hand geometry scanners assess the physical dimensions of an individual’s hand, but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR, and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.
  65. A. The maximum tolerable downtime (MTD) is the amount of time that a business may be without a service before irreparable harm occurs. This measure is sometimes also called maximum tolerable outage (MTO).
  66. D. Attacks that change a symlink between the time that rights are checked and the file is accessed, in order to access a file that the account does not have rights to, are time of check/time of use (TOC/TOU) attacks, a form of race condition. Unlinking removes names from a Linux filesystem, setuid allows a user to run an executable with the permissions of its owner, and tick/tock is not a type of attack or Linux command.
  67. A. Smart cards are a Type II authentication factor, and include both a microprocessor and at least one certificate. Since they are something you have, they’re not a Type I or III authentication factor. Tokens do not necessarily contain certificates.
  68. C. Masquerading (or impersonation) attacks use stolen or falsified credentials to bypass authentication mechanisms. Spoofing attacks rely on falsifying an identity like an IP address or hostname without credentials. Replay attacks are a more specific type of masquerading attack that relies on captured network traffic to reestablish authorized connections. Modification attacks occur when captured packets are modified and replayed to a system to attempt to perform an action.
  69. C. A T1 (DS1) line is rated at 1.544 Mbps. ISDN is often 64 or 128 Kbps, and T3 lines are 44.736 Mbps.
  70. C. This scenario describes separation of duties—not allowing the same person to hold two roles that, when combined, are sensitive. While two-person control is a similar concept, it does not apply in this case because the scenario does not say that either action requires the concurrence of two users.
  71. C. The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.
  72. A. Network Address Translation (NAT) translates an internal address to an external address. VLANs are used to logically divide networks, BGP is a routing protocol, and S/NAT is a made-up term.
  73. A. SSAE-16 does not assert specific controls. Instead it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.
  74. D. A constrained user interface restricts what users can see or do based on their privileges. This can result in grayed-out or missing menu items, or other interface changes. Activity-based controls are called context-dependent controls, whereas controls based on the content of an object are content-dependent controls. Preventing unauthorized users from logging in is a basic authentication function.
  75. B. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. Service-level agreements (SLAs) are written contracts that document service expectations.
  76. C. Class variables exist only once and share their value across all instances of that object class. Instance variables have different values for each instance. Member variables are the combination of class and instance variables associated with a particular class. Global variables do not exist in an object-oriented programming language.
  77. B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.
  78. D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event, and could also include the locks that are present on the doors.
  79. D. The seven principles that the International Safe Harbor Provisions spell out for handling personal information are notice, choice, onward transfer, access, security, data integrity, and enforcement.
  80. C. The DMCA provides safe harbor protection for the operators of Internet service providers who only handle information as a common carrier for transitory purposes.
  81. B. According to NIST SP 800-18, a system owner should update the system security plan when the system they are responsible for undergoes a significant change. Classification, selection of custodians, and designing ways to protect data confidentiality might occur if new data was added, but should have already been done otherwise.
  82. B. Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.
  83. C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can’t determine if he has excessive rights. Logging may or may not be enabled, but it isn’t possible to tell from the diagram or problem.
  84. C. When a user’s role changes, they should be provisioned based on their role and other access entitlements. De-provisioning and re-provisioning is time consuming and can lead to problems with changed IDs and how existing credentials work. Simply adding new rights leads to privilege creep, and matching another user’s rights can lead to excessive privileges due to privilege creep for that other user.
  85. B. EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.
  86. C. Before granting any user access to information, Adam should verify that the user has an appropriate security clearance as well as a business need to know the information in question.
  87. B. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
  88. D. Nessus, OpenVAS (the Open Vulnerability Assessment Scanner), and SAINT are all vulnerability scanning tools. All of them include port scanning capabilities, but they do far more than a simple port scanner: they identify the services behind open ports and test them against a database of known vulnerabilities.
  89. D. In the subject/object model, the object is the resource being requested by a subject. In this example, Harry would like access to the document, making the document the object of the request.
  90. C. The process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model is known as de-encapsulation. Encapsulation occurs when the header and/or footer are added. Payloads are part of a virus or malware package that are delivered to a target, and packet unwrapping is a made-up term.
  91. C. Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.
  92. C. Service Provisioning Markup Language (SPML) defines three roles: a Requesting Authority issues SPML requests to a Provisioning Service Provider, which carries them out against one or more Provisioning Service Targets. Targets are often user accounts, and the specification requires that the data a target manages be uniquely identifiable. SAML is used for security assertions, SAMPL is an algebraic modeling language, and XACML is an access control markup language used to describe and process access control policies in XML format.
  93. D. The use of a probability/impact matrix is the hallmark of a qualitative risk assessment. It uses subjective measures of probability and impact, such as “high” and “low,” in place of quantitative measures.
  94. B. Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
  95. C. RAID level 5 is also known as disk striping with parity. RAID 0 is called disk striping. RAID 1 is called disk mirroring. RAID 10 is known as a stripe of mirrors.
  96. B. Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is only rated to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.
  97. A. Developing a business impact assessment is an integral part of the business continuity planning effort. The selection of alternate facilities, activation of those facilities, and restoration of data from backup are all disaster recovery tasks.
  98. D. A Smurf attack is an amplified denial-of-service attack: the attacker sends ICMP echo requests to a network’s broadcast address with the victim’s address spoofed as the source, so every host on that network sends an echo reply to the victim. The most effective defense at the victim is to block inbound ICMP echo traffic. Blocking the reply source addresses is not feasible because the attacker can simply use a different amplifier network. Blocking destination addresses would disrupt normal activity. The Smurf attack does not use UDP (its UDP counterpart is the Fraggle attack), so blocking UDP traffic would have no effect.
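The detection side of the Smurf answer above, as an added example that is not part of the original answer key: a host that receives echo replies from many distinct sources without ever having sent an echo request is the victim of a reflected attack, and a stateful filter that only admits replies matching a prior request is the practical form of “block inbound ICMP.” The ICMP records below are constructed sample data; the threshold of 10 sources is an assumption.

```python
from collections import defaultdict

# Constructed sample ICMP records: (src, dst, icmp_type).
# Type 8 = echo request, type 0 = echo reply. Not taken from the original page.
SAMPLE_ICMP = [
    # A normal host pings one peer and gets exactly one reply back.
    ("203.0.113.20", "198.51.100.7", 8),
    ("198.51.100.7", "203.0.113.20", 0),
    # Victim 203.0.113.10 never sent a request, yet receives replies from a
    # whole amplifier network: the attacker spoofed the victim's address as
    # the source of an echo request aimed at that network's broadcast address.
] + [("192.0.2.%d" % i, "203.0.113.10", 0) for i in range(1, 41)]


def find_smurf_victims(records, min_sources=10):
    """Return {victim: number of unsolicited reply sources} for hosts that
    receive echo replies from at least `min_sources` distinct peers they
    never sent an echo request to."""
    requests_sent = defaultdict(set)   # host -> peers it sent echo requests to
    replies_from = defaultdict(set)    # host -> peers that sent it echo replies
    for src, dst, icmp_type in records:
        if icmp_type == 8:
            requests_sent[src].add(dst)
        elif icmp_type == 0:
            replies_from[dst].add(src)
    victims = {}
    for host, sources in replies_from.items():
        unsolicited = sources - requests_sent[host]
        if len(unsolicited) >= min_sources:
            victims[host] = len(unsolicited)
    return victims


def stateful_icmp_filter(records):
    """Mimic a stateful border filter: an echo request passes and records the
    reply we expect; an echo reply passes only if a matching request was seen.
    Everything else (including all reflected Smurf replies) is dropped."""
    pending = set()
    allowed, dropped = [], []
    for rec in records:
        src, dst, icmp_type = rec
        if icmp_type == 8:
            pending.add((dst, src))   # expect a reply from dst back to src
            allowed.append(rec)
        elif icmp_type == 0 and (src, dst) in pending:
            allowed.append(rec)
        else:
            dropped.append(rec)
    return allowed, dropped


if __name__ == "__main__":
    print("victims:", find_smurf_victims(SAMPLE_ICMP))
    kept, binned = stateful_icmp_filter(SAMPLE_ICMP)
    print("allowed %d, dropped %d" % (len(kept), len(binned)))
```

The filter keeps the legitimate request/reply pair and drops all forty reflected replies, which is why a stateful inbound ICMP rule works where blocking individual source addresses does not.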
  99. C. Static packet filtering firewalls are known as first-generation firewalls and do not track connection state. Stateful inspection, application proxying, and next-generation firewalls all add connection state tracking capability.
  100. A. TKIP is only used as a means to encrypt transmissions and is not used for data at rest. RSA, AES, and 3DES are all used on data at rest as well as data in transit.
  101. C. Generational fuzzing is also known as intelligent fuzzing because it relies on the development of data models using an understanding of how the data is used by the program. Zzuf is a fuzzing program. Mutation simply modifies the inputs each time, and code based is not a description used for a type of fuzzing.
  102. B. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission. Interference is electrical noise or other disruptions that corrupt the contents of packets.
  103. B. Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.
  104. B. Web applications communicate with web browsers via an interface, making interface testing the best answer here. Regression testing might be used as part of the interface test, but is too specific to be the best answer. Similarly, the test might be a white box, or full knowledge test, but interface testing better describes this specific example. Fuzzing is less likely as part of a browser compatibility test, as it tests unexpected inputs, rather than functionality.
  105. A. Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn’t something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.
  106. D. Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.
  107. D. Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company’s goals.
  108. D. The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML are industry terms.
  109. B. The three components of the DevOps model are software development, operations, and quality assurance.
  110. A. The Simple Security Property of the Bell-LaPadula model prevents a subject from reading information at a higher security level than their clearance allows. This is also known as the “no read up” rule. The *-Security Property says that subjects can’t write data to a lower security level than their own (“no write down”). The Discretionary Security Property uses an access matrix to determine discretionary permissions. The Simple Integrity Property belongs to the Biba model and says that a subject cannot read data at a lower integrity level than their own (“no read down”); the rule that a subject cannot write to a higher integrity level is Biba’s *-Integrity Property.
  111. B. The work breakdown structure (WBS) is an important project management tool that divides the work done for a large project into smaller components. It is not a project plan because it does not describe timing or resources. Test analyses are used during later phases of the development effort to report test results. Functional requirements may be included in a work breakdown structure, but they are not the full WBS.
  112. B. Network Access Control (NAC) systems can be used to authenticate users, and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security feature that can only restrict which systems or devices can connect to a given port.
  113. C. This scenario violates the least privilege principle because an application should never require full administrative rights to run. Gwen should update the service account to have only the privileges necessary to support the application.
  114. B. Trace coverage is not a type of structural coverage. Common types of structural coverage include statement, branch or decision coverage, loop coverage, path coverage, and data flow coverage.
  115. A. During the information gathering and discovery phase of a penetration test, testers will gather information about the target. Whois can provide information about an organization, including IP ranges, physical addresses, and staff contacts. Nessus would be useful during a vulnerability detection phase, and Metasploit would be useful during exploitation. zzuf is a fuzzing tool and is less likely to be used during a penetration test.
  116. C. Test directories often include scripts that may have poor protections or may have other data that can be misused. There is not a default test directory that allows administrative access to PHP. Test directories are not commonly used to store sensitive data, nor is the existence of a test directory a common indicator of compromise.
  117. A. Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design, or because the server was not properly configured at setup, rather than being a sign of attack.
  118. B. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods, and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.
  119. D. The contents of RAM are volatile, meaning that they are only available while power is applied to the memory chips. EPROM, EEPROM, and flash memory are all nonvolatile, meaning that they retain their contents even when powered off.
  120. C. Data loss prevention (DLP) systems specialize in the identification of sensitive information. In this case, Ursula would like to identify the presence of this information on endpoint devices, so she should choose an endpoint DLP control. Network-based DLP would not detect stored information unless the user transmits it over the network. Intrusion prevention systems (IPSs) are designed to detect and block attacks in progress, not necessarily the presence of sensitive information.
  121. B. In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model. The environment may be built by the company in its own data center or built by a vendor at a co-location site.
  122. D. Redundant Arrays of Inexpensive Disks (RAID) is designed to allow a system to continue operating without data loss in the event of a hard drive failure (with the exception of RAID 0, which stripes for performance and provides no redundancy). Load balancing is designed to spread work across multiple servers. Intrusion prevention systems (IPSs) monitor systems and/or networks for potential attacks. Dual power supplies protect against a power supply becoming a single point of failure.
  123. D. Integrity ensures that unauthorized changes are not made to data while stored or in transit.
  124. C. A star topology uses a central connection device. Ethernet networks wired through a hub may look like a star, but they are actually a logical bus topology (one shared collision domain) deployed in a physical star.
  125. C. Input validation ensures that the data provided to a program as input matches the expected parameters. Limit checks are a special form of input validation that ensure the value remains within an expected range, as is the case described in this scenario. Fail open and fail secure are options when planning for possible system failures. Buffer bounds are not a type of software control.
  126. B. NIST SP 800-18 describes system owner responsibilities that include helping to develop system security plans, maintaining the plan, ensuring training, and identifying, implementing, and assessing security controls. A data owner is more likely to delegate these tasks to the system owner. Custodians may be asked to enforce those controls, whereas a user will be directly affected by them.
  127. C. ESP’s Transport mode encrypts IP packet data but leaves the packet header unencrypted. Tunnel mode encrypts the entire packet and adds a new header to support transmission through the tunnel.
  128. B. In level 2, the Repeatable level of the SW-CMM, an organization introduces basic life-cycle management processes. Reuse of code in an organized fashion begins and repeatable results are expected from similar projects. The key process areas for this level include Requirements Management, Software Project Planning, Software Project Tracking and Oversight, Software Subcontract Management, Software Quality Assurance and Software Configuration Management. Software Quality Management is a process that occurs during level 4, the Managed stage of the SW-CMM.
  129. A. Key risk indicators (KRIs) are often used to monitor risk for organizations that establish an ongoing risk management program. Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information about how organizational risks are changing. KPIs are key performance indicators, which are used to assess how an organization is performing. Quantitative risk assessments are good for point-in-time views with detailed valuation and measurement-based risk assessments, whereas a penetration test would provide details of how well an organization’s security controls are working.
  130. D. The three-way handshake is SYN, SYN/ACK, ACK. System B should respond with “Synchronize and Acknowledge” to System A after it receives a SYN.
  131. A. Systems that respond to ping will show the time to live for packets that reach them. Since TTL is decremented at each hop, this can help build a rough network topology map. In addition, some firewalls respond differently to ping than a normal system, which means pinging a network can sometimes reveal the presence of firewalls that would otherwise be invisible. Hostnames are revealed by a DNS lookup, and ICMP types allowed through a firewall are not revealed by only performing a ping. ICMP can be used for router advertisements, but pinging won’t show them!
  132. C. Authorization defines what a subject can or can’t do. Identification occurs when a subject claims an identity, authentication occurs when that claimed identity is validated, and accountability is provided by the logs and audit trail that track what occurs on a system.
  133. A. The commercial classification scheme discussed by (ISC)2 includes four primary classification levels: confidential, private, sensitive, and public. Secret is a part of the military classification scheme.
  134. B. All of these are objects. Although some of these items can be subjects, files, databases, and storage media can’t be. Processes and programs aren’t file stores, and of course none of these are users.
  135. A. Testing for desired functionality is use case testing. Dynamic testing is used to determine how code handles variables that change over time. Misuse testing focuses on how code handles examples of misuse, and fuzzing feeds unexpected data as an input to see how the code responds.
  136. C. When the author of a work is known, copyright protects that work for 70 years after the death of the author. Works created by a corporate author are protected for 95 years from publication or 120 years from creation, whichever expires first.
  137. C. These are examples of private IP addresses. RFC 1918 reserves three blocks for use on internal networks: 10.0.0.0-10.255.255.255 (10.0.0.0/8), 172.16.0.0-172.31.255.255 (172.16.0.0/12), and 192.168.0.0-192.168.255.255 (192.168.0.0/16). These addresses should never be routed on the public Internet, and border routers should drop packets that carry them as a source or destination.
  138. B. A cognitive password authenticates users based on a series of facts or answers to questions that they know. Preset questions for cognitive passwords typically rely on common information about a user like their mother’s maiden name, or the name of their pet, and that information can frequently be found on the Internet. The best cognitive password systems let users make up their own questions.
  139. D. A transformation procedure (TP) is the only process authorized to modify constrained data items (CDIs) within the Clark-Wilson model.
  140. C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
  141. C. Protected Health Information (PHI) is specifically defined by HIPAA and includes information about an individual’s medical bills. PCI refers to the payment card industry’s security standard (PCI DSS), which applies only to payment card data. PII is the broadly defined term for personally identifiable information, and “personal billing data” is not a term in common industry use.
  142. D. Yagis, panel antennas, cantennas, and parabolic antennas are all types of directional antenna. Omnidirectional antennas radiate in all directions; directional antennas focus the signal in one direction rather than boosting its transmit power. Rubber duck antennas are a type of omnidirectional pole antenna.
  143. C. Function, statement, branch, and condition are all types of code coverage metrics. Penetration testing methodologies use phases like planning, discovery, scanning, exploit, and reporting. Fuzzing techniques focus on ways to provide unexpected inputs, whereas synthetic transactions are generated test data provided to validate applications and performance.
  144. B. Organizations should train at least two individuals on every business continuity plan task. This provides a backup in the event the primary responder is not available.
  145. B. In this scenario, all of the files on the server will be backed up on Monday evening during the full backup. Tuesday’s incremental backup will include all files changed since Monday’s full backup: files 1, 2, and 5. Wednesday’s incremental backup will then include all files modified since Tuesday’s incremental backup: files 3 and 6.
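The backup selection logic behind answer 145, as an added example that is not part of the original answer key: it simulates full, incremental, and differential backups using archive-bit semantics and computes the chain of backups a restore would need. The file names, days, and change sets are a constructed scenario (the same shape as the question: a Monday full backup, then files changed on Tuesday and Wednesday); the function names are my own.

```python
# Constructed scenario: six files, Monday full backup, changes on Tue and Wed.
FILES = {"file1", "file2", "file3", "file4", "file5", "file6"}

# Day -> files modified during that day, before the evening backup runs.
CHANGES = {
    "Mon": set(),                       # all files already exist; the full backup takes everything
    "Tue": {"file1", "file2", "file5"},
    "Wed": {"file3", "file6"},
}

INCREMENTAL_SCHEDULE = [("Mon", "full"), ("Tue", "incremental"), ("Wed", "incremental")]
DIFFERENTIAL_SCHEDULE = [("Mon", "full"), ("Tue", "differential"), ("Wed", "differential")]


def run_backups(files, changes, schedule):
    """Return {(day, kind): set of files written to that backup}.

    Archive-bit model: a modified file has its bit set. A full or incremental
    backup copies every flagged file and clears the bits; a differential copies
    the flagged files but leaves the bits set, so each differential grows until
    the next full backup resets them."""
    archive = {f: True for f in files}   # nothing backed up yet: every file is flagged
    sets = {}
    for day, kind in schedule:
        for f in changes.get(day, ()):
            archive[f] = True
        if kind == "full":
            selected = set(archive)
        elif kind in ("incremental", "differential"):
            selected = {f for f, flagged in archive.items() if flagged}
        else:
            raise ValueError("unknown backup kind: %s" % kind)
        if kind != "differential":
            for f in selected:
                archive[f] = False
        sets[(day, kind)] = selected
    return sets


def restore_chain(sets, upto):
    """Backups that must be restored, in order, to rebuild the state captured
    by backup `upto`: the most recent full backup, followed by either every
    incremental after it or only the latest differential."""
    keys = list(sets)                     # insertion order == schedule order
    idx = keys.index(upto)
    last_full = max(i for i in range(idx + 1) if keys[i][1] == "full")
    chain = [keys[last_full]]
    tail = keys[last_full + 1: idx + 1]
    if tail and tail[-1][1] == "differential":
        chain.append(tail[-1])
    else:
        chain.extend(k for k in tail if k[1] == "incremental")
    return chain


if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_SCHEDULE),
                           ("differential", DIFFERENTIAL_SCHEDULE)):
        sets = run_backups(FILES, CHANGES, schedule)
        for key, selected in sets.items():
            print(name, key, sorted(selected))
        print("restore:", restore_chain(sets, schedule[-1]))
```

The trade-off the simulation makes visible: incrementals write the least data each night but a restore must replay every one since the full backup, while differentials grow each night but a restore needs only the full plus the latest differential.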
  146. A. Susan is performing passive monitoring, which uses a network tap or span port to capture traffic to analyze it without impacting the network or devices that it is used to monitor. Synthetic, or active, monitoring uses recorded or generated traffic to test for performance and other issues. Signature based technologies include IDS, IPS, and antimalware systems.
  147. A. While the differences between rights, permissions, and roles can be confusing, typically permissions include both the access and actions that you can take on an object. Rights usually refer to the ability to take action on an object, and don’t include the access to it. Privileges combine rights and permissions, and roles describe sets of privileges based on job tasks or other organizational artifacts.
  148. C. One of the core capabilities of Infrastructure as a Service is providing servers on a vendor-managed virtualization platform. Web-based payroll and email systems are examples of Software as a Service. An application platform managed by a vendor that runs customer code is an example of Platform as a Service.
  149. D. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $750,000 in damage divided by the $2 million facility value, or 37.5%.
  150. C. The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen. In this case, the analysts expect fires will occur once every 50 years, or 0.02 times per year.
  151. A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $750,000 and the ARO is 0.02. Multiplying these numbers together gives you the ALE of $15,000.
  152. A. Congestion Window Reduced (CWR) and ECN-Echo (ECE) are the TCP flags used by Explicit Congestion Notification (ECN) to signal congestion on a link without dropping packets. They are only set when both endpoints negotiate ECN during the handshake, so they are seldom seen in typical captures.
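The three-way handshake from answer 130 and the CWR/ECE flag bits from answer 152 share one added example, which is not part of the original answer key: it decodes the TCP flags byte from a raw 20-byte header, then checks a captured handshake for the correct SYN, SYN/ACK, ACK sequence and acknowledgment numbers, noting when ECN was negotiated (SYN carrying ECE+CWR, SYN/ACK carrying ECE). The header bytes and segment lists are constructed; the function names are my own.

```python
import struct

# Bit positions of the TCP flags byte (header offset 13).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def decode_flags(byte):
    return {name for name, bit in FLAG_BITS.items() if byte & bit}


def encode_flags(names):
    return sum(FLAG_BITS[n] for n in names)


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header (options are ignored)."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": decode_flags(flags), "window": win}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a 20-byte header (checksum and urgent pointer left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                       encode_flags(flags), window, 0, 0)


def check_handshake(segments):
    """segments: list of (direction, flags, seq, ack) with direction 'A->B' or 'B->A'.
    Returns (True, 'ESTABLISHED[...]') or (False, reason)."""
    if len(segments) < 3:
        return (False, "fewer than three segments")
    (d1, f1, s1, a1), (d2, f2, s2, a2), (d3, f3, s3, a3) = segments[:3]
    if d1 != "A->B" or f1 & {"SYN", "ACK"} != {"SYN"}:
        return (False, "first segment must be a SYN from A")
    if d2 != "B->A" or not {"SYN", "ACK"} <= f2:
        return (False, "second segment must be a SYN/ACK from B")
    if a2 != (s1 + 1) & 0xFFFFFFFF:
        return (False, "SYN/ACK ack must equal A's seq + 1")
    if d3 != "A->B" or f3 & {"SYN", "ACK"} != {"ACK"}:
        return (False, "third segment must be an ACK from A")
    if a3 != (s2 + 1) & 0xFFFFFFFF:
        return (False, "final ACK must acknowledge B's seq + 1")
    ecn = {"ECE", "CWR"} <= f1 and "ECE" in f2
    return (True, "ESTABLISHED" + (" (ECN negotiated)" if ecn else ""))


# Constructed handshakes: a correct one with ECN negotiation, and one whose
# SYN/ACK acknowledges the wrong sequence number.
GOOD_HANDSHAKE = [
    ("A->B", {"SYN", "ECE", "CWR"}, 1000, 0),
    ("B->A", {"SYN", "ACK", "ECE"}, 5000, 1001),
    ("A->B", {"ACK"}, 1001, 5001),
]
BAD_HANDSHAKE = [
    ("A->B", {"SYN"}, 1000, 0),
    ("B->A", {"SYN", "ACK"}, 5000, 1000),
    ("A->B", {"ACK"}, 1001, 5001),
]

if __name__ == "__main__":
    hdr = parse_tcp_header(build_tcp_header(40000, 443, 1000, 0, {"SYN", "ECE", "CWR"}))
    print(hdr)
    print(check_handshake(GOOD_HANDSHAKE))
    print(check_handshake(BAD_HANDSHAKE))
```

The acknowledgment checks are the part worth keeping in mind: a SYN/ACK whose ack number is not the client’s sequence number plus one is either a broken stack or an injected segment, and a client that accepts it anyway is open to off-path spoofing.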
  153. B. The Tower of Hanoi; Grandfather, Father, Son; and First In, First Out backup rotation strategies are all used to rotate backup tapes and other media. Key rotation is a cryptographic concept not related to disaster recovery media.
  154. A. An application programming interface (API) allows external users to directly call routines within Fran’s code. They can embed API calls within scripts and other programs to automate interactions with Fran’s company. A web scraper or call center might facilitate the same tasks, but they do not do so in a direct integration. Data dictionaries might provide useful information but they also do not allow direct integration.
  155. A. A fault is a momentary loss of power. Blackouts are sustained complete losses of power. Sags and brownouts are not complete power disruptions but rather periods of low voltage conditions.
  156. A. Lauren’s team would benefit from a credential management system. Credential management systems offer features like password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher sensitivity systems.
  157. C. Windows systems will assign themselves an APIPA address between 169.254.0.1 and 169.254.255.254 if they cannot contact a DHCP server.
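The RFC 1918 ranges from answer 137 and the APIPA range from answer 157 share one added example, which is not part of the original answer key: a classifier that distinguishes the three RFC 1918 blocks, the 169.254.0.0/16 link-local block, and loopback from genuinely public space, then applies it as a bogon check to flow records seen on an Internet-facing interface. It deliberately does not rely on Python’s `ip.is_private`, which also returns True for loopback and link-local addresses and would blur the distinction the two answers make. The flow records are constructed; the function names are my own.

```python
import ipaddress

# Standard reserved blocks: RFC 1918 private space and the APIPA link-local block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(addr):
    """Return 'rfc1918', 'apipa', 'loopback', 'public' or 'ipv6' for an address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in APIPA:
        return "apipa"
    if ip.is_loopback:
        return "loopback"
    return "public"


# Constructed flow records observed on the WAN interface: (direction, src, dst).
FLOWS = [
    ("in", "198.51.100.7", "203.0.113.10"),    # ordinary Internet traffic
    ("in", "10.0.0.5", "203.0.113.10"),        # spoofed private source: bogon
    ("out", "203.0.113.10", "172.32.0.1"),     # 172.32/16 is outside 172.16/12: legitimate
    ("out", "203.0.113.10", "192.168.1.1"),    # private destination leaking out: misroute
    ("in", "169.254.4.4", "203.0.113.10"),     # APIPA address on the WAN side: misconfiguration
]


def bogon_violations(flows):
    """Return flows whose inbound source or outbound destination is an address
    that should never appear on the public Internet."""
    bad = []
    for direction, src, dst in flows:
        addr = src if direction == "in" else dst
        if classify(addr) in ("rfc1918", "apipa", "loopback"):
            bad.append((direction, src, dst))
    return bad


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.0.1",
              "196.168.0.1", "169.254.10.20", "127.0.0.1", "8.8.8.8"):
        print(a, classify(a))
    for v in bogon_violations(FLOWS):
        print("violation:", v)
```

Two of the sample addresses are the usual mistakes: 172.32.0.1 is public because the RFC 1918 block is 172.16.0.0/12, not all of 172.0.0.0/8, and 196.168.0.1 is public because only 192.168.0.0/16 is reserved.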
  158. A. Enrollment, or registration, is the initial creation of a user account in the provisioning process. Clearance verification and background checks are sometimes part of the process that ensures that the identity of the person being enrolled matches who they claim to be. Initialization is not used to describe the provisioning process.
  159. C. Repeated audit findings indicate a performance issue, making this a key performance indicator for Susan’s organization. Audit findings may demonstrate risk, but are not guaranteed to do so. Safeguard metrics and audit tracking metrics are not common industry terms.
  160. D. The business or mission owner’s role is responsible for making sure systems provide value. When controls decrease the value that an organization gets, the business owner bears responsibility for championing the issue to those involved. There is not a business manager or information security analyst role in the list of NIST-defined data security roles. A data processor is defined but acts as a third-party data handler, and would not have to represent this issue in Olivia’s organization.
  161. A. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. It prohibits the unauthorized monitoring of email and voicemail communications.
  162. D. The kernel lies within the central ring, Ring 0. Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0–2 run in privileged mode whereas Ring 3 runs in user mode.
  163. B. The Common Vulnerability Scoring System (CVSS) uses measures such as attack vector, complexity, exploit maturity, and how much user interaction is required as well as measures suited to local concerns. CVE is the Common Vulnerabilities and Exposures dictionary, CNA is the CVE Numbering Authority, and NVD is the National Vulnerability Database.
  164. C. An individual does not have a reasonable expectation of privacy when any communication takes place using employer-owned communications equipment or accounts.
  165. D. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
  166. C. OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.
  167. D. Risk acceptance occurs when an organization determines that the costs involved in pursuing other risk management strategies are not justified and they choose not to pursue any action.
  168. D. Fred should choose a fiber-optic cable. Copper cable types like 10Base2, 5, and 10BaseT, as well as 100Base-T and 1000BaseT, fall far short of the distance required, whereas fiber-optic cable can run for miles.
  169. C. Decentralized access control makes sense because it allows local control over access. When network connectivity to a central control point is a problem, or if rules and regulations may vary significantly from location to location, centralized control can be less desirable than decentralized control despite its challenges with consistency. Since the problem does not describe specific control needs, mandatory access control and rule-based access controls could fit the need but aren’t the best answer.
  170. B. The U.S. government classifies data that could reasonably be expected to cause serious damage to national security if disclosed, and for which the damage can be identified or described, as Secret. “Classified” is not one of the formal classification levels. Top Secret data could cause exceptionally grave damage, whereas Confidential data could be expected to cause damage.
  171. A. The purpose of a digital certificate is to provide the general public with an authenticated copy of the certificate subject’s public key.
  172. D. The last step of the certificate creation process is the digital signature. During this step, the certificate authority signs the certificate using its own private key.
  173. C. When an individual receives a copy of a digital certificate, he or she verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.
  174. A. Mike uses the public key that he extracted from Renee’s digital certificate to encrypt the message that he would like to send to Renee.
  175. C. Wireshark is a network monitoring tool that can capture and replay communications sent over a data network, including Voice over IP (VoIP) communications. Nmap, Nessus, and Nikto are all security tools that may identify security flaws in the network, but they do not directly undermine confidentiality because they do not have the ability to capture communications.
  176. B. Studies consistently show that users are more likely to write down passwords if they have more accounts. Central control of a single account is also easier to shut off if something does go wrong. Simply decreasing the number of accounts required for a subject doesn’t increase security by itself, and SSO does not guarantee individual system logging, although it should provide central logging of SSO activity. Since a SSO system was not specified, there is no way of determining whether a given SSO system provides better or worse encryption for authentication data.
  177. D. Nonrepudiation is only possible with an asymmetric encryption algorithm. RSA is an asymmetric algorithm. AES, DES, and Blowfish are all symmetric encryption algorithms that do not provide nonrepudiation.
  178. D. Modification of audit logs is a repudiation threat: once the logs can no longer be trusted, actions cannot be provably attributed, so the attacker can deny having performed them. The modification of the logs is also a direct example of tampering. It might initially be tempting to answer elevation of privileges and tampering, as the attacker changed files that should be protected, but whether privileges were escalated is unknown without more information. Similarly, the attacker may have read the files, resulting in information disclosure in addition to tampering, but again, this is not specified in the question. Finally, this did not cause a denial of service, so that answer can be eliminated.
  179. C. Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are all routing protocols and are associated with routers.
  180. B. The Temporal Key Integrity Protocol (TKIP) was used with WPA on existing WEP-era hardware as a replacement for WEP. TKIP has itself been deprecated since the 2012 revision of the 802.11 standard in favor of CCMP (AES-based); 802.1X is a port-based authentication framework, not a replacement cipher. PEAP and EAP are both authentication protocols. Transport Layer Security (TLS) is used to secure web transactions and other network communications.
  181. B. Each of the attributes linked to Ben’s access provides information for an attribute-based information control system. Attribute-based information controls like those described in NIST SP 800-162 can take many details about the user, actions, and objects into consideration before allowing access to occur. A role-based access control would simply consider Ben’s role, whereas both administrative and system discretionary access controls are not commonly used terms to describe access controls.
  182. A. LOIC (Low Orbit Ion Cannon) is a tool used to conduct distributed denial-of-service attacks. It coordinates many systems against a target, combining their bandwidth and making the attack difficult to shut down because of the number and variety of sources. Ionization and zombie horde attacks are both made-up answers. Teardrop attacks are an older denial-of-service technique that sends overlapping fragmented packets.
  183. C. Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.
  184. D. Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling. In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
  185. C. The Waiting state is used when a process is blocked waiting for an external event. The Running state is used when a process is executing on the CPU. The Ready state is used when a process is prepared to execute, but the CPU is not available. The Stopped state is used when a process terminates.
  186. B. Operational investigations are performed by internal teams to troubleshoot performance or other technical issues. They are not intended to produce evidence for use in court and, therefore, do not have the rigid collection standards of criminal, civil, or regulatory investigations.
  187. A. Non-disclosure agreements (NDAs) are designed to protect the confidentiality of an organization’s data, including trade secrets during and after the person’s employment. NDAs do not protect against deletion or availability issues, and non-compete agreements would be required to stop competition.
  188. C. Adding a second factor ensures that users who might be incorrectly accepted because of a higher than desired false acceptance rate (FAR) are still not given access. The CER is the crossover between the false acceptance rate and the false rejection rate (FRR), and is used as a way to measure the accuracy of biometric systems. Changing the sensitivity to lower the FRR may actually increase the FAR, and replacing a biometric system is time consuming and expensive.
  189. B. SOC 2 Type 2 reports typically cover six months of operations. A Type 1 report (whether SOC 1 or SOC 2) covers the design of controls at a single point in time rather than their operation over a period.
  190. D. Over-the-shoulder reviews require the original developer to explain her code to a peer while walking through it. Email pass-around code reviews are done by sending code for review to peers. Pair programming requires two developers, only one of whom writes code while both collaborate. IDE forcing is not a type of code review; an IDE is an integrated development environment.
  191. A. The Time of Check to Time of Use (TOC/TOU) attack exploits timing differences between when a system verifies authorization and software uses that authorization to perform an action. It is an example of a race condition attack. The other three attacks mentioned do not depend on precise timing.
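The following is an added example, not code from the book, showing the TOC/TOU window described above. A check-then-open routine is raced by an attacker who replaces the checked path with a symlink between the two system calls; the hardened version makes no separate check, opens with O_NOFOLLOW, and validates the descriptor it actually obtained. It assumes a POSIX system (Linux, macOS, BSD) and builds all files in a temporary directory; the `between_check_and_use` hook stands in for the racing attacker so the interleaving is deterministic.

```python
import os
import stat
import tempfile

# Added example (not from the book). Assumes os.O_NOFOLLOW is available
# (Linux, macOS, *BSD). Every file is constructed in a temporary directory.

def setup_files():
    """Create a readable public file and a secret file the program must not expose."""
    d = tempfile.mkdtemp()
    public = os.path.join(d, "public.txt")
    secret = os.path.join(d, "secret.txt")
    with open(public, "w") as f:
        f.write("public data\n")
    with open(secret, "w") as f:
        f.write("TOP SECRET\n")
    return public, secret

def attacker_swap(public, secret):
    """Stand-in for a racing attacker: once the check has passed, point the
    checked path at the secret through a symlink."""
    os.unlink(public)
    os.symlink(secret, public)

def vulnerable_read(path, between_check_and_use=lambda: None):
    """Check-then-use: the check and the open are separate system calls, so
    the object behind `path` can change in between (the TOC/TOU window)."""
    if os.path.islink(path) or not os.access(path, os.R_OK):
        raise PermissionError("check failed")
    between_check_and_use()             # attacker acts here
    with open(path) as f:               # opens whatever the path points at NOW
        return f.read()

def safe_read(path, between_check_and_use=lambda: None):
    """No separate check: open first (refusing to follow symlinks), then
    validate the descriptor that was actually obtained."""
    if not hasattr(os, "O_NOFOLLOW"):
        raise RuntimeError("this example needs os.O_NOFOLLOW")
    between_check_and_use()             # attacker acts here, but it no longer matters
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    except OSError as e:
        raise PermissionError(f"refused to open: {e.strerror}") from None
    try:
        st = os.fstat(fd)               # inspects the opened object, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r") as f:       # fdopen takes ownership of fd
        return f.read()

if __name__ == "__main__":
    pub, sec = setup_files()
    print("vulnerable:", vulnerable_read(pub, lambda: attacker_swap(pub, sec)).strip())
    pub, sec = setup_files()
    try:
        safe_read(pub, lambda: attacker_swap(pub, sec))
    except PermissionError as e:
        print("safe_read:", e)
```

The fix is not a faster check; it is removing the gap by deciding on the opened object (via `fstat` on the descriptor) rather than on the path name. The same pattern applies to any privileged program that validates a path and then acts on it.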
  192. B. Encapsulation is a process that adds a header and possibly a footer to data received at each layer before handoff to the next layer. TCP wrappers are a host-based network access control system, attribution is determining who or what performed an action or sent data, and data hiding is a term from object-oriented programming that is not relevant here.
  193. C. Salting adds random text to the password before hashing in an attempt to defeat automated password cracking attacks that use precomputed values. MD5 and SHA-1 are both common hashing algorithms, so using them does not add any security. Double-hashing would only be a minor inconvenience for an attacker and would not be as effective as the use of salting.
  194. A. Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.
  195. C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.
  196. C. Regression testing ensures proper functionality of an application or system after it has been changed. Unit testing focuses on testing each module of a program instead of against its previous functional state. White and black box testing both describe the amount of knowledge about a system or application, rather than a specific type or intent for testing.
  197. C. Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference.
  198. A. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
  199. C. A trust that allows one forest to access another’s resources without the reverse being possible is an example of a one-way trust. Since Jim doesn’t want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.
  200. B. Susan’s team is performing static analysis, which analyzes nonrunning code. Dynamic analysis uses running code, whereas gray box assessments are a type of assessment done without full knowledge. Fuzzing feeds unexpected inputs to a program as part of dynamic analysis.
  201. A. 201.19.7.45 is a public IP address. RFC 1918 addresses are in the ranges 10.0.0.0–10.255.255.255 (10.0.0.0/8), 172.16.0.0–172.31.255.255 (172.16.0.0/12), and 192.168.0.0–192.168.255.255 (192.168.0.0/16). APIPA (link-local) addresses are assigned from 169.254.0.0/16, and 127.0.0.1 is a loopback address (the entire 127.0.0.0/8 network is reserved for loopback).
  202. A. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case the missing patch is the vulnerability. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement.
  203. C. The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media). Degaussing is an example of a purging technique.
  204. A. Hot sites contain all of the hardware and data necessary to restore operations and may be activated very quickly.
  205. B. Syslog uses UDP port 514. Syslog over TLS (RFC 5425) uses TCP port 6514. The other ports may look familiar because they are commonly used TCP ports: 443 is HTTPS, 515 is the LPD print service, and 445 is used for Windows SMB.
  206. B. PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.
  207. B. Fagan inspection is a highly formalized review and testing process that uses planning, overview, preparation, inspection, rework, and follow-up steps. Static inspection looks at code without running it, dynamic inspection uses live programs, and interface testing tests where code modules interact.
  208. D. The system is set to overwrite the logs and will replace the oldest log entries with new log entries when the file reaches 20 MB. The system is not purging archived logs because it is not archiving logs. Since there can only be 20 MB of logs, this system will not have stored too much log data, and the question does not provide enough information to know if there will be an issue with not having the information needed.
  209. B. Encapsulating Security Payload (ESP) encrypts the payload and thus provides confidentiality, which is its defining service. When an integrity algorithm or an authenticated-encryption cipher is configured, ESP also provides integrity and data-origin authentication; the Authentication Header (AH) provides those without confidentiality. Neither IPsec protocol provides availability or nonrepudiation.
  210. A. Alejandro is in the first stage of the incident response process, detection. During this stage, the intrusion detection system provides the initial alert, and Alejandro performs preliminary triaging to determine if an intrusion is actually taking place and whether the scenario fits the criteria for activating further steps of the incident response process (which include response, mitigation, reporting, recovery, remediation, and lessons learned).
  211. C. After detection of a security incident, the next step in the process is response, which should follow the organization’s formal incident response procedure. The first step of this procedure is activating the appropriate teams, including the organization’s computer security incident response team (CSIRT).
  212. C. The root cause analysis examines the incident to determine what allowed it to happen and provides critical information for repairing systems so that the incident does not recur. This is a component of the remediation step of the incident response process because the root cause analysis output is necessary to fully remediate affected systems and processes.
  213. D. When using symmetric cryptography, the sender encrypts a message using a shared secret key and the recipient then decrypts the message with that same key. Only asymmetric cryptography uses the concept of public and private key pairs.
  214. A. Business logic errors are most likely to be missed by automated functional testing. If a complete coverage code test was conducted, runtime, input validation, and error handling issues are likely to have been discovered by automated testing. Any automated system is more likely to miss business logic errors, because humans are typically necessary to understand business logic issues.
  215. A. During the Lessons Learned phase, analysts close out an incident by conducting a review of the entire incident response process. This may include making recommendations for improvements to the process that will streamline the efficiency and effectiveness of future incident response efforts.
  216. B. The Digital Millennium Copyright Act (DMCA) prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.
  217. B. Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a very long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.
  218. B. Half-duplex communications allow only one side to send at a time. Full-duplex communications allow both parties to send simultaneously, whereas simplex communications describe one-way communications. A suplex would be a bad idea for most communications—it is a wrestling move!
  219. D. Gray box testing is a blend of crystal (or white) box testing that provides full information about a target, and black box testing, which provides little or no knowledge about the target.
  220. A. Test coverage is computed using the formula test coverage = number of use cases tested/total number of use cases. Code coverage is assessed by the other formulas, including function, conditional, and total code coverage.
  221. C. TCP, UDP, and other transport layer protocols like SSL and TLS operate at the Transport layer.
  222. C. Deterrence is the first functional goal of physical security mechanisms. If a physical security control presents a formidable challenge to a potential attacker, they may not attempt the attack in the first place.
  223. A. In an automated recovery, the system can recover itself against one or more failure types. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.
  224. A. Skip should use SCP—Secure Copy is a secure file transfer method. SSH is a secure command-line and login protocol, whereas HTTP is used for unencrypted web traffic. Telnet is an unencrypted command-line and login protocol.
  225. C. The California Online Privacy Protection Act requires that commercial websites that collect personal information from users in California conspicuously post a privacy policy. The Act does not require compliance with the EU DPD, nor does it use the DPD concepts of notice or choice, and it does not require encryption of all personal data.
  226. B. Callback disconnects a remote user after their initial connection, and then calls them back at a preauthorized number. CallerID can help with this but can be spoofed, making callback a better solution. CHAP is an authentication protocol, and PPP is a dial-up protocol. Neither will verify a phone number.
  227. A. The reference monitor is a component of the Trusted Computing Base (TCB) that validates access to resources.
  228. B. Iris scans have a longer useful life than many other types of biometric factors because they don’t change throughout a person’s lifespan (unless the eye itself is damaged). Iris scanners can be fooled in some cases by high-resolution images of an eye, and iris scanners are not significantly cheaper than other scanners.
  229. B. Personnel retention deals with what happens when employees leave and share proprietary data. A data breach occurs when data is stolen or lost, and data exfiltration occurs when attackers or insiders extract data from an organization. Finally, nonproprietary data sharing should result in very little harm.
  230. C. They need a key for every possible pair of users in the cryptosystem, or n(n - 1)/2 keys for n users. The first key would allow communication between Matthew and Richard. The second key would allow communication between Richard and Christopher. The third key would allow communication between Christopher and Matthew.
  231. A. The Gramm Leach Bliley Act is an example of civil law. The Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and Identity Theft and Assumption Deterrence Act are all examples of criminal law.
  232. C. The SMTP protocol does not guarantee confidentiality between servers, making TLS or SSL between the client and server only a partial measure. Encrypting the email content can provide confidentiality; digital signatures can provide nonrepudiation.
  233. D. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside of the SQL code’s input field, and the text following is used to directly manipulate the SQL command sent from the web application to the database.
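As an added example (not code from the book), the following shows why the single quotation mark is the telltale sign: the vulnerable login builds its query by string concatenation, so the quote closes the string literal and the rest of the input becomes SQL, while the parameterized version sends the same input as a bound value that can never become syntax. The `users` table and its rows are constructed for the demonstration.

```python
import sqlite3

# Added example (not from the book). The table and rows are constructed.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def render_vulnerable_sql(username, password):
    """Builds the query by string concatenation: input becomes SQL syntax."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    return conn.execute(render_vulnerable_sql(username, password)).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Placeholders: the driver passes values separately from the statement,
    so a quotation mark in the input is data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def suspicious_input(value):
    """Crude telltale check for logging or alerting on input fields.
    It is a detection aid, not a substitute for parameterization."""
    return "'" in value or "--" in value or ";" in value

if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"              # closes the string, comments out the password check
    print(render_vulnerable_sql(payload, "wrong"))
    print("vulnerable:    ", login_vulnerable(db, payload, "wrong"))
    print("parameterized: ", login_parameterized(db, payload, "wrong"))
```

Run it and the rendered statement reads `... WHERE username = 'alice' --' AND password = 'wrong'`: everything after `--` is a comment, so the password is never checked. The parameterized query looks for a user literally named `alice' --` and finds none.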
  234. C. Record retention policies describe how long the organization should retain data and may also specify how and when destruction should occur. Classification policies describe how and why classification should occur and who is responsible, whereas availability and audit policies may be created for specific purposes.
  235. A. The goal of the business continuity planning process is to ensure that your recovery time objectives are all less than your maximum tolerable downtimes.
  236. C. The Remediation phase of incident handling focuses on conducting a root cause analysis to identify the factors contributing to an incident and implementing new security controls, as needed.
  237. A. S/MIME uses the P7S format for digitally signed messages; encrypted (enveloped) messages use the P7M format. If the recipient does not have a mail reader that supports S/MIME, a signed message will appear with an attachment named smime.p7s.
  238. A. Aggregation is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. An inference problem occurs when an attacker can pull together pieces of less sensitive information from multiple sources and use them to derive information of greater sensitivity. In this case, only a single source was used. SQL injection is a web application exploit. Multilevel security is a system control that allows the simultaneous processing of information at different classification levels.
  239. B. Polyinstantiation allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from conducting aggregation or inference attacks. Kim could store incorrect location information in the database at lower classification levels to prevent the aggregation attack in this scenario. Input validation, server-side validation, and parameterization are all techniques used to prevent web application attacks and are not effective against inference attacks.
  240. B. The tail number is a database field because it is stored in the database. It is also a primary key because the question states that the database uniquely identifies aircraft using this field. Any primary key is, by definition, also a candidate key. There is no information provided that the tail number is a foreign key used to reference a different database table.
  241. B. Foreign keys are used to create relationships between tables in a database. The database enforces referential integrity by ensuring that the foreign key used in a table has a corresponding record with that value as the primary key in the referenced table.
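The following added example (not from the book) shows the database enforcing the referential integrity described above. It models the aircraft scenario from the previous question: `aircraft` uses the tail number as its primary key, `flights` references it through a foreign key, and the database rejects a flight for an unknown aircraft, a duplicate tail number, and the deletion of an aircraft that flights still reference. The schema and rows are constructed; note that SQLite does not enforce foreign keys unless the pragma is set on each connection.

```python
import sqlite3

# Added example (not from the book). Schema and data are constructed to
# mirror the aircraft/tail-number scenario.

def build_schema():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite; per connection
    conn.execute("""CREATE TABLE aircraft (
        tail_number TEXT PRIMARY KEY,          -- primary key, hence also a candidate key
        model       TEXT NOT NULL)""")
    conn.execute("""CREATE TABLE flights (
        flight_id   INTEGER PRIMARY KEY,
        tail_number TEXT NOT NULL REFERENCES aircraft(tail_number),  -- foreign key
        origin      TEXT NOT NULL,
        destination TEXT NOT NULL)""")
    conn.execute("INSERT INTO aircraft VALUES ('N12345', 'B737-800')")
    return conn

def add_aircraft(conn, tail, model):
    try:
        conn.execute("INSERT INTO aircraft VALUES (?, ?)", (tail, model))
        return True
    except sqlite3.IntegrityError:      # duplicate tail number violates the primary key
        return False

def add_flight(conn, tail, origin, destination):
    try:
        conn.execute("INSERT INTO flights (tail_number, origin, destination) "
                     "VALUES (?, ?, ?)", (tail, origin, destination))
        return True
    except sqlite3.IntegrityError:      # FOREIGN KEY constraint failed: no such aircraft
        return False

def delete_aircraft(conn, tail):
    try:
        cur = conn.execute("DELETE FROM aircraft WHERE tail_number = ?", (tail,))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:      # rows in flights still reference this aircraft
        return False

if __name__ == "__main__":
    db = build_schema()
    print("duplicate tail number accepted:", add_aircraft(db, "N12345", "A320"))
    print("flight for known aircraft:     ", add_flight(db, "N12345", "BOS", "SFO"))
    print("flight for unknown aircraft:   ", add_flight(db, "N99999", "BOS", "SFO"))
    print("delete referenced aircraft:    ", delete_aircraft(db, "N12345"))
```

Each `False` is the database refusing a change that would leave a foreign key pointing at a nonexistent primary key, which is exactly the guarantee referential integrity provides.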
  242. B. The waterfall model uses an approach that develops software sequentially, spending quite a bit of time up front on the development and documentation of requirements and design. The spiral and agile models focus on iterative development and are appropriate when requirements are not well understood or iterative development is preferred. DevOps is an approach to integrating development and operations activities and is not an SDLC model.
  243. A. The data owner is a senior manager who bears ultimate responsibility for data protection tasks. The data owner typically delegates this responsibility to one or more data custodians.
  244. C. A unique salt should be created for each user using a secure generation method and stored in that user’s record. Since attacks against hashes rely on building tables to compare the hashes against, unique salts for each user make building tables for an entire database essentially impossible—the work to recover a single user account may be feasible, but large scale recovery requires complete regeneration of the table each time. A single salt allows rainbow tables to be generated if the salt is stolen or can be guessed based on frequently used passwords. Creating a unique salt each time a user logs in does not allow a match against a known salted hashed password.
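The following added example (not code from the book) illustrates both salting answers above (193 and 244): an unsalted fast hash is matched instantly against a precomputed table, while a random per-user salt combined with a slow key derivation function (PBKDF2-HMAC-SHA256 here) gives two users with the same password different records and forces the attacker to redo the work for every account. The wordlist is constructed, and the iteration count is an assumption to tune for your hardware.

```python
import hashlib
import hmac
import os

# Added example (not from the book). Wordlist is constructed; ITERATIONS is
# an assumed work factor to be tuned for the deployment's hardware.

ITERATIONS = 600_000
WORDLIST = ["123456", "password", "hunter2", "letmein", "correct horse"]

def unsalted_md5(password):
    """What many breached databases still contain: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def precomputed_table(wordlist):
    """Built once by the attacker and reused against every unsalted hash."""
    return {unsalted_md5(w): w for w in wordlist}

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus a slow KDF; salt, cost and hash are stored together."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def crack_salted(record, wordlist):
    """No table helps: every guess is recomputed with this user's own salt and cost."""
    for w in wordlist:
        if verify_password(w, record):
            return w
    return None

if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted lookup:", table.get(unsalted_md5("hunter2")))
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("same password, different records:", alice["hash"] != bob["hash"])
    print("per-account guessing still required:", crack_salted(alice, WORDLIST))
```

Two points the explanation above makes are visible here: a single salt shared by all users would let the attacker build one table per salt, and a salt that is regenerated at each login would make `verify_password` fail for legitimate users, since the stored hash was computed with the original salt.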
  245. D. NIST SP 800-53A, the companion assessment guide to SP 800-53, describes three assessment methods:
    • Examination, which is reviewing or analyzing assessment objects like specifications, mechanisms, or activities
    • Interviews, which are conducted with individuals or groups of individuals
    • Testing, which involves evaluating activities or mechanisms for expected behavior when used or exercised

    Knowing the details of a given NIST document in depth can be challenging. To address a question like this, first eliminate responses that do not make sense; here, a mechanism cannot be interviewed, and test and assess both mean the same thing. This leaves only one correct answer.

  246. B. Anomaly-based intrusion detection systems may identify an attack exploiting a zero-day vulnerability because the activity deviates from normal patterns. Signature-based detection methods would not be effective because there are no signatures for zero-day exploits. Strong patch management would not be helpful because, by definition, zero-day vulnerabilities do not have patches available. Full-disk encryption would not detect an attack because it is not a detective control.
  247. B. Credential management systems provide features designed to make using and storing credentials secure and controllable. AAA systems are authentication, authorization, and accounting systems. Two-factor authentication is an authentication approach rather than a credential store, and Kerberos is an authentication protocol.
  248. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating disaster recovery sites.
  249. D. A mantrap uses two sets of doors, only one of which can open at a time. A mantrap is a type of preventive access control, although its implementation is a physical control.
  250. B. When following the separation-of-duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. It is related to, but distinct from, two-person control, which requires two individuals to act together to perform a single critical action.

Chapter 10: Practice Test 2

  1. D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.
  2. D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. Bridges join network segments at the data link layer and are used to connect similar networks, not very different ones. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.
  3. B. Crystal box penetration testing, which is also sometimes called white box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black and gray box testing can, and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
  4. D. The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.
  5. B. A class B network has 2^16 addresses (65,534 usable host addresses once the network and broadcast addresses are excluded), and its default network mask is 255.255.0.0.
  6. D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
  7. B. The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
  8. A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.
  9. C. While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
  10. C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content Distribution Network (CDN) is not a converged protocol, and FCoE is Fibre Channel over Ethernet, a converged protocol for storage.
  11. C. The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVDs are write-once (or read-only) optical media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.
  12. D. The five stages of the SW-CMM are, in order, Initial, Repeatable, Defined, Managed, and Optimizing. In the Optimizing stage, a process of continuous improvement occurs.
  13. A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
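The following added example (not code from the book) implements the egress rules in the answer above and the address classification from answer 201 earlier in the chapter: it classifies an address as RFC 1918, APIPA, loopback, or public, then decides whether an outbound packet may leave the edge. Angie's public block is assumed to be 203.0.113.0/24 (a documentation range); the sample packets are constructed.

```python
import ipaddress

# Added example (not from the book). OUR_PUBLIC_BLOCK is an assumed value
# (documentation range 203.0.113.0/24); SAMPLE_PACKETS are constructed.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
OUR_PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")

def classify(address):
    """Return 'loopback', 'apipa', 'rfc1918' or 'public' for an IPv4 address."""
    a = ipaddress.ip_address(address)
    if a.version != 4:
        raise ValueError("this example classifies IPv4 only")
    if a in LOOPBACK:
        return "loopback"
    if a in APIPA:
        return "apipa"
    if any(a in net for net in RFC1918):
        return "rfc1918"
    return "public"

def egress_decision(src, dst, our_block=OUR_PUBLIC_BLOCK):
    """(action, reason) for a packet about to leave the network edge."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if classify(src) != "public" or classify(dst) != "public":
        return "drop", "private, link-local or loopback address must never be routed to the Internet"
    if s not in our_block:
        return "drop", "source is not in our public block: spoofed"
    if d in our_block:
        return "drop", "destination is our own block: this packet should not be leaving"
    return "permit", "source is ours, destination is external"

def filter_packets(packets, our_block=OUR_PUBLIC_BLOCK):
    return [(src, dst) + egress_decision(src, dst, our_block) for src, dst in packets]

SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.1"),      # legitimate outbound traffic
    ("10.1.1.1", "192.0.2.1"),          # leaked private source
    ("198.51.100.7", "192.0.2.1"),      # spoofed: not our block
    ("203.0.113.10", "203.0.113.20"),   # destined for ourselves
    ("203.0.113.10", "192.168.1.1"),    # private destination on the Internet edge
]

if __name__ == "__main__":
    for src, dst, action, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {action:6} {reason}")
```

Only the first sample packet is permitted; every other row violates one of the rules in the answer, and the reason string names which one, which is the kind of log line an analyst wants from an egress filter.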
  14. D. Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwd file to the more restricted /etc/shadow file.
  15. A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
  16. A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.
  17. A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.
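As an added example (not from the book), the following models the three-way handshake with both endpoints' state and sequence numbers. Each side checks that the acknowledgment number it receives is its own sequence number plus one, which is what lets a client reject a stale or forged SYN/ACK; the 32-bit wraparound is handled explicitly. Segments are plain dictionaries rather than real packets, and the initial sequence numbers used in the demo are chosen for readability.

```python
import random

# Added example (not from the book): a state-machine model of the TCP
# three-way handshake. Segments are dicts, not real packets.

MOD = 2 ** 32

class Endpoint:
    def __init__(self, name, isn=None):
        self.name = name
        self.state = "CLOSED"
        self.seq = random.getrandbits(32) if isn is None else isn   # initial sequence number
        self.ack = None

def segment(flags, seq, ack=None):
    return {"flags": flags, "seq": seq, "ack": ack}

def send_syn(client):
    client.state = "SYN-SENT"
    return segment("SYN", client.seq)

def receive_syn(server, seg):
    if server.state != "LISTEN" or seg["flags"] != "SYN":
        raise ValueError("unexpected segment in state " + server.state)
    server.ack = (seg["seq"] + 1) % MOD        # acknowledge the client's ISN
    server.state = "SYN-RECEIVED"
    return segment("SYN/ACK", server.seq, server.ack)

def receive_synack(client, seg):
    if client.state != "SYN-SENT" or seg["flags"] != "SYN/ACK":
        raise ValueError("unexpected segment in state " + client.state)
    if seg["ack"] != (client.seq + 1) % MOD:   # must acknowledge OUR SYN, else stale/forged
        raise ValueError("SYN/ACK does not acknowledge our SYN")
    client.ack = (seg["seq"] + 1) % MOD        # acknowledge the server's ISN
    client.seq = (client.seq + 1) % MOD        # the SYN consumed one sequence number
    client.state = "ESTABLISHED"
    return segment("ACK", client.seq, client.ack)

def receive_ack(server, seg):
    if server.state != "SYN-RECEIVED" or seg["flags"] != "ACK":
        raise ValueError("unexpected segment in state " + server.state)
    if seg["ack"] != (server.seq + 1) % MOD:
        raise ValueError("ACK does not acknowledge our SYN")
    server.seq = (server.seq + 1) % MOD
    server.state = "ESTABLISHED"

def handshake(client, server):
    """Run SYN, SYN/ACK, ACK between the two endpoints and return the segments."""
    server.state = "LISTEN"
    syn = send_syn(client)
    synack = receive_syn(server, syn)
    ack = receive_synack(client, synack)
    receive_ack(server, ack)
    return [syn, synack, ack]

if __name__ == "__main__":
    a, b = Endpoint("System A", isn=1000), Endpoint("System B", isn=5000)
    for seg in handshake(a, b):
        print(seg)
    print(a.state, b.state)
```

With System A's ISN at 1000 and System B's at 5000, the trace is SYN(seq=1000), SYN/ACK(seq=5000, ack=1001), ACK(seq=1001, ack=5001). A SYN/ACK carrying any other acknowledgment number is rejected rather than advancing the client to ESTABLISHED.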
  18. B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
  19. C. Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
  20. C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
  21. B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20%.
  22. B. The annualized rate of occurrence is the number of times each year that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.
  23. B. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
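The three answers above are one calculation chain. The following added example (not from the book) carries it through with the numbers from the scenario and, going one step beyond the questions, uses the resulting ALE in the standard countermeasure cost/benefit formula (ALE before minus ALE after minus annual cost of the control). The countermeasure figures are assumed values for illustration.

```python
# Added example (not from the book). Facility figures follow the scenario
# ($100M facility, $20M damage, one flood per 200 years); the countermeasure
# cost and residual ALE in cost_benefit_case() are assumed for illustration.

def exposure_factor(expected_damage, asset_value):
    """EF: fraction of the asset's value lost if the risk materializes."""
    return expected_damage / asset_value

def single_loss_expectancy(asset_value, ef):
    """SLE = AV x EF: loss from one occurrence."""
    return asset_value * ef

def annualized_rate_of_occurrence(years_between_events):
    """ARO: expected occurrences per year (once per N years -> 1/N)."""
    return 1 / years_between_events

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro

def countermeasure_value(ale_before, ale_after, annual_cost):
    """Positive means the control is cost-justified."""
    return ale_before - ale_after - annual_cost

def facility_case():
    asset_value, damage = 100_000_000, 20_000_000
    ef = exposure_factor(damage, asset_value)
    sle = single_loss_expectancy(asset_value, ef)
    aro = annualized_rate_of_occurrence(200)
    ale = annualized_loss_expectancy(sle, aro)
    return {"EF": ef, "SLE": sle, "ARO": aro, "ALE": ale}

def cost_benefit_case():
    # Assumed: a flood barrier costing $30,000/year cuts expected damage to $5M.
    before = facility_case()
    sle_after = 5_000_000
    ale_after = annualized_loss_expectancy(sle_after, before["ARO"])
    return countermeasure_value(before["ALE"], ale_after, 30_000)

if __name__ == "__main__":
    for k, v in facility_case().items():
        print(f"{k:4} = {v:,}")
    print(f"countermeasure value = {cost_benefit_case():,.0f} per year")
```

The chain yields EF = 0.2, SLE = $20,000,000, ARO = 0.005 and ALE = $100,000. With the assumed control, the ALE drops to $25,000 at a cost of $30,000, a net $45,000 per year in the organization's favor; a negative result would argue for accepting or transferring the risk instead.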
  24. B. The most frequent target of account management reviews are highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.
  25. A. In an Infrastructure as a Service (IaaS) cloud computing model, the customer retains responsibility for managing operating system security while the vendor manages security at the hypervisor level and below.
  26. A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
  27. B. The Company ID is a field used to identify the corresponding record in another table. This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.
  28. B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.
  29. D. The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
  30. B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.
  31. B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
  32. A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of Infrastructure as a Service (IaaS).
  33. C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.
  34. A. The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that business people and developers must work together daily. It also states that the most efficient method of conveying information is face-to-face, not electronic.
  35. C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.
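The following added example (not from the book) is the control the answer describes: a file integrity baseline of SHA-256 digests, a comparison that reports modified, added and removed files, and an HMAC over the baseline so that an insider with write access to the data cannot quietly re-baseline as well. The accounting files, the tampering, and the signing key are constructed for the demonstration; in production the baseline and key are kept off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Added example (not from the book). Files are constructed in a temp dir and
# BASELINE_KEY is a placeholder; keep the real key and baseline off-host.

BASELINE_KEY = b"replace-with-a-key-stored-off-host"

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map of relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline

def sign_baseline(baseline, key=BASELINE_KEY):
    """Authenticate the baseline so it cannot be silently rewritten."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_baseline(baseline, tag, key=BASELINE_KEY):
    return hmac.compare_digest(sign_baseline(baseline, key), tag)

def compare(baseline, current):
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)

def demo():
    root = tempfile.mkdtemp()
    _write(root, "ledger.csv", "acct,balance\n1001,500.00\n")
    _write(root, "rates.txt", "prime=5.25\n")
    baseline = build_baseline(root)
    tag = sign_baseline(baseline)
    # An accountant with legitimate write access alters a balance, adds a
    # file and deletes another. Access control cannot stop this.
    _write(root, "ledger.csv", "acct,balance\n1001,50000.00\n")
    _write(root, "notes.txt", "nothing to see\n")
    os.remove(os.path.join(root, "rates.txt"))
    if not verify_baseline(baseline, tag):
        raise RuntimeError("baseline tampered with")
    return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names `ledger.csv` as modified, `notes.txt` as added and `rates.txt` as removed. Scheduling the comparison and alerting on any difference against a signed baseline is what turns an after-the-fact audit into a detective control.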
  36. C. Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires. Water-based extinguishers should never be used against electrical fires due to the risk of electrocution.
  37. A. Frame Relay supports multiple permanent virtual circuits (PVCs), unlike X.25. It is a packet switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network, and a provider supplied DCE which transmits the data over the network.
  38. B. SOC 2 reports are released under NDA to select partners or customers, and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.
  39. C. A SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operating effectiveness of the controls over a period of time. SOC 3 reports do not have types, and a SOC 2 Type 1 report covers only the design of the controls at a single point in time, without an opinion on whether they operated effectively.
  40. B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.
  41. C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star by placing a switch at the center of the star, but Ethernet still operates logically as a bus. Similarly, Token Ring deployments using a multistation access unit (MAU) were wired as physical stars but operated as rings.
  42. C. Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.
  43. D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.
  44. D. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of Protected Health Information (PHI). The SAFE Act deals with mortgages, the Gramm-Leach-Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.
  45. C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.
  46. D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.
  47. B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.
  48. B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.
  49. C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
  50. B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers who are not liable for the “transitory activities” of their customers.
  51. C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are US government–issued smart cards.
  52. B. A non-disclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
  53. A. Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.
  54. C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.
  55. C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
  56. D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
  57. D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
  58. C. She has put compensating controls in place. Compensating controls are used when primary controls, like the locks in this example, are not sufficient on their own. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an incident and are thus not recovery controls.
  59. A. Rainbow tables rely on databases of precomputed hashes to quickly search for matches to hashes acquired by an attacker. Making passwords longer greatly increases the size of the rainbow table required to find a matching hash, and adding a per-password salt makes it impractical for the attacker to precompute a table that will match unless they can acquire the salt value and build a table for each one. MD5 and SHA-1 are both poor choices for password hashing compared to purpose-built password hashes, which are deliberately slow and salted so that bulk precomputation and guessing are expensive. Rainbow tables are typically used against lists of hashes acquired through a breach rather than in over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply move the traditionally world-readable list of password hashes on Unix and Linux systems into a file readable only by root; this doesn’t prevent a rainbow table attack once the hashes are obtained.
  60. C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
  61. A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.
  62. B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
  63. A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.
  64. C. The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n-1))/2). With six users, you will need ((6*5)/2), or 15 keys.
  65. B. Patents have the shortest duration of the techniques listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely and trade secrets are protected as long as they remain secret.
  66. C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
  67. C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
  68. C. Password histories retain a list of previous passwords (or, preferably, a list of salted hashes of previous passwords) to ensure that users don’t reuse them. A longer minimum password age can help prevent users from changing their passwords and then immediately changing them back, but it won’t stop a determined user from eventually cycling back to an old password. Length requirements and complexity requirements tend to drive users to reuse passwords if they’re not paired with tools like single sign-on, password managers, or other tools that decrease the difficulty of password management.
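The two mechanisms above, salting plus a slow hash (answer 59) and a retained history of salted hashes (answer 68), fit together in one piece of code. The following is an added example written for this appendix, not code from the question bank: it builds a small rainbow table against an unsalted fast hash, shows that a salted PBKDF2 hash of the same password is not found in it, and enforces a reuse check against the stored salted hashes. The iteration count and the candidate password list are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count; a production deployment tunes this upward (assumed value for the example).
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Slow, salted hash. A fresh random salt per password means identical passwords
    produce different hashes, so one precomputed table cannot serve all users."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def unsalted_md5(password):
    """The kind of fast, unsalted hash that rainbow tables are built against."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_rainbow_table(candidates):
    """Attacker side: precompute hash -> plaintext once, reuse against any leaked list."""
    return {unsalted_md5(p): p for p in candidates}

def crack(table, leaked_hash):
    return table.get(leaked_hash)

class PasswordHistory:
    """Retain the last `depth` salted hashes so a user cannot cycle back to an old password."""
    def __init__(self, depth=5):
        self.depth = depth
        self.entries = []  # list of (salt, digest)

    def set_password(self, new_password):
        for salt, digest in self.entries:
            if verify_password(new_password, salt, digest):
                return False  # reuse of a retained password is rejected
        self.entries.append(hash_password(new_password))
        self.entries = self.entries[-self.depth:]
        return True
```

Note that the history check has to re-derive each stored hash with its own salt; that is the price of storing salted hashes rather than plaintext, and it is why a history depth of a handful of entries is the norm.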
  69. B. The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.
  70. B. Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.
  71. D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.
  72. B. Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. Service-oriented architecture (SOA) is not a markup language.
  73. D. RAM is a type of primary storage. Secondary storage includes hard drives, solid state disks, and optical drives.
  74. D. SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.
  75. D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size, and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.
  76. C. A Security Information and Event Management (SIEM) tool is designed to provide automated analysis and monitoring of logs and security events. A SIEM that receives the logs can detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs, but won’t help with analysis without additional tooling. Syslog is a log message format and transport protocol, not an analysis tool.
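Answers 46 and 76 both turn on what syslog does and does not do for you: the daemon can filter on the severity encoded in each message's PRI value, but detecting something like a purged log takes a content rule of the kind a SIEM applies. The following added example (written for this appendix, not part of the original text) decodes the PRI field into facility and severity, applies a severity threshold, and runs a simple purge-indicator rule over a handful of constructed log lines; the hostnames, PIDs, addresses and indicator patterns are all made up for the example.

```python
import re

# Syslog PRI decoding: PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (hostnames, PIDs and addresses are made up for this example).
SAMPLE_LOGS = [
    "<34>Oct 11 22:14:15 web01 sshd[1023]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "<13>Oct 11 22:14:16 web01 app[2201]: request served in 12ms",
    "<86>Oct 11 22:14:20 web01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/journalctl --vacuum-time=1s",
    "<0>Oct 11 22:14:21 web01 kernel: panic - not syncing",
    "<37>Oct 11 22:14:25 web01 auditd[400]: audit log cleared by uid=0",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility_name, severity_name, message) or None if the PRI is missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)

def should_forward(line, min_severity="warning"):
    """Apply a daemon-style severity threshold: keep messages at or above min_severity.
    Lower numeric severity is more urgent, so 'warning' (4) keeps levels 0..4."""
    parsed = parse_pri(line)
    if parsed is None:
        return True  # do not silently drop malformed input
    _, severity, _ = parsed
    return SEVERITIES.index(severity) <= SEVERITIES.index(min_severity)

# Indicators of log purging that a SIEM correlation rule might match (constructed list).
PURGE_PATTERNS = [r"audit log cleared", r"journalctl --vacuum", r"rm -rf /var/log", r"truncate .*/var/log"]

def detect_purge(lines):
    """Content-based rule: flag log-clearing activity regardless of its syslog severity."""
    return [line for line in lines if any(re.search(p, line) for p in PURGE_PATTERNS)]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_pri(line)[:2], "forward" if should_forward(line) else "drop")
    print("purge indicators:", detect_purge(SAMPLE_LOGS))
```

The point of the sample data is that both purge indicators arrive at severity notice or info, so a severity threshold of warning forwards the kernel panic and the SSH failure but discards exactly the lines a SIEM rule would need to see.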
  77. B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
  78. B. Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPSec is a security protocol suite, Software Defined Networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.
  79. C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
  80. C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPSec are all IP-only protocols.
  81. D. Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
  82. C. During a parallel test, the team activates the disaster recovery site for testing but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
  83. C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.
  84. C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.
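The back-off algorithm mentioned above for brute-force and dictionary attacks is easy to get wrong (a fixed lockout invites denial of service; no cap lets the delay grow unbounded). The following added example, written for this appendix and not taken from the question bank, implements a per-account exponential back-off with a cap and an injectable clock, and uses it to compute how long a serial online guessing attack must wait. The policy values (three free attempts, one-second base, five-minute cap) are assumptions chosen for the illustration.

```python
import time

class LoginThrottle:
    """Per-account exponential back-off for authentication attempts.

    The first `free_attempts` failures cost nothing; each further failure doubles the
    wait before another attempt is accepted, capped at `max_delay` seconds. A success
    clears the state. The clock is injectable so the behaviour can be tested offline."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0, clock=None):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock or time.monotonic
        self.state = {}  # key -> (failure_count, earliest_next_attempt)

    def allowed(self, key):
        """True if an attempt for `key` may be processed now."""
        _, not_before = self.state.get(key, (0, 0.0))
        return self.clock() >= not_before

    def record(self, key, success):
        """Update state after an attempt; returns the delay (seconds) now imposed on `key`."""
        if success:
            self.state.pop(key, None)
            return 0.0
        failures, _ = self.state.get(key, (0, 0.0))
        failures += 1
        excess = failures - self.free_attempts
        delay = 0.0 if excess <= 0 else min(self.max_delay, self.base_delay * 2 ** (excess - 1))
        self.state[key] = (failures, self.clock() + delay)
        return delay

def total_backoff(guesses, **policy):
    """Seconds a serial online attacker must wait to submit `guesses` wrong passwords
    against one account under the policy (simulated clock, so this runs instantly)."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    total = 0.0
    for _ in range(guesses):
        delay = throttle.record("victim", success=False)
        now[0] += delay
        total += delay
    return total
```

With the default policy, 100 wrong guesses against a single account cost the attacker roughly seven and a half hours of enforced waiting, while a legitimate user who mistypes twice is never delayed. Keying the state by account alone still leaves a distributed attacker free to spread guesses across many accounts, which is why real deployments throttle on source address as well.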
  85. D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
  86. A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
  87. C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
  88. D. Individuals with specific business continuity roles should receive training on at least an annual basis.
  89. B. Triple DES uses either two or three DES keys. If all three keys are identical, the encrypt-decrypt-encrypt structure cancels itself down to a single DES encryption, so the ciphertext is exactly as weak as DES; this keying option exists only for backward compatibility and provides no additional security.
  90. B. RFC 1918 addresses are in the ranges 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. APIPA addresses are assigned between 169.254.0.1 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.0.0.0/8 network is reserved for loopback). Public IP addresses are the rest of the addresses in the space.
  91. C. Since Lauren wants to monitor her production server she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.
  92. B. For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command, and validating it there would be far more difficult, if it is even possible. Validation in the client’s browser, such as JavaScript checks, may improve usability but cannot serve as a security control, because the user controls the browser and can remove or tamper with the validation code or bypass it entirely by sending requests directly.
  93. A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.
  94. D. The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.
  95. D. The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.
  96. D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.
  97. A. All of the techniques listed are hardening methods, but only patching the leaky roof is an example of physical infrastructure hardening.
  98. C. Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.
  99. C. The sender of a message encrypts the message using the public key of the message recipient.
  100. D. The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.
  101. D. Digital signatures enforce nonrepudiation. They prevent an individual from denying that he or she was the actual originator of the message.
  102. B. An individual creates a digital signature by encrypting the message digest with his or her own private key.
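Answers 99 through 102 describe which key is used for each operation. The following is an added teaching example written for this appendix, not code from the question bank: textbook RSA with deliberately tiny parameters so the arithmetic is visible, demonstrating encryption with the recipient's public key, decryption with the recipient's private key, signing a message digest with the signer's private key, and verification with the signer's public key. Real deployments use keys of at least 2048 bits and padding schemes (OAEP, PSS); the primes, exponent and message below are assumptions chosen for illustration only.

```python
import hashlib

# Toy RSA parameters, kept tiny so the arithmetic is visible. Real keys are 2048 bits or
# more and use OAEP/PSS padding; this illustrates which key does what, nothing more.
P, Q = 61, 53
N = P * Q                 # 3233: the modulus, part of both keys
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public exponent
D = pow(E, -1, PHI)       # private exponent, 2753 (E * D == 1 mod PHI)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)

def encrypt(m, recipient_public_key):
    """Answer 99: the sender encrypts with the recipient's public key."""
    e, n = recipient_public_key
    return pow(m, e, n)

def decrypt(c, own_private_key):
    """Answer 100: only the holder of the matching private key can recover the plaintext."""
    d, n = own_private_key
    return pow(c, d, n)

def digest(message, n):
    """Hash the message and reduce it into the toy modulus (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, own_private_key):
    """Answer 102: the signer applies the private key to the message digest."""
    d, n = own_private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, signer_public_key):
    """Answer 101: anyone with the public key checks the signature; a valid one ties the
    message to the private-key holder, which is what gives nonrepudiation."""
    e, n = signer_public_key
    return pow(signature, e, n) == digest(message, n)
```

The asymmetry is the whole lesson: `encrypt` and `verify` need only the public key, so anyone can perform them, while `decrypt` and `sign` need the private key, so only its holder can.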
  103. D. The comparison of a factor to validate an identity is known as authentication. Identification would occur when Jim presented his user ID. Tokenization is a process that converts a sensitive data element to a nonsensitive representation of that element. Hashing transforms a string of characters into a fixed-length value or key that represents the original string.
  104. B. Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.
  105. C. A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.
  106. C. Sally needs to provide nonrepudiation, the ability to provably associate a given email with a sender. Digital signatures can provide nonrepudiation and are her best option. IMAP is a mail protocol, encryption can provide confidentiality, and DKIM is a tool for identifying domains that send email.
  107. D. In most situations, employers may not access medical information due to healthcare privacy laws. Reference checks, criminal records checks, and credit history reports are all typically found during pre-employment background checks.
  108. C. In a land attack, the attacker sends a packet that has identical source and destination IP addresses in an attempt to crash systems that are not able to handle this out-of-specification traffic.
  109. A. An SSAE-16 Type I report covers controls and design of controls at the time of the report. A Type II report adds a historical element, covering controls over time. SAS-70 is outdated and should not be used.
  110. A. When a data stream is converted into a segment (TCP) or a datagram (UDP) it transitions from the Session layer to the Transport layer. This change from a message sent to an encoded segment allows it to then traverse the network layer.
  111. C. The user has successfully explained a valid need to know the data—completing the report requested by the CFO requires this access. However, the user has not yet demonstrated that he or she has appropriate clearance to access the information. A note from the CFO would meet this requirement.
  112. B. Kathleen’s needs point to a directory service, and the Lightweight Directory Access Protocol (LDAP) would meet her needs. LDAP is an open, industry standard and vendor-neutral protocol for directory services. Kerberos and RADIUS are both authentication protocols, and Active Directory is a Microsoft product and is not vendor neutral, although it does support a number of open standards.
  113. A. Application firewalls add Layer 7 functionality to other firewall solutions. This includes the ability to inspect application-layer details such as analyzing HTTP, DNS, FTP, and other application protocols.
  114. C. The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.
  115. A. Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.
  116. D. EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed, and tested.
  117. C. X.509 defines standards for public key certificates like those used with many smart cards. X.500 is a series of standards defining directory services. The Service Provisioning Markup Language (SPML) and the Security Assertion Markup Language (SAML) aren’t standards that Alex should expect to see when using a smart card to authenticate.
  118. C. The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.
  119. A. The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare information and is unlikely to apply in this situation. The Federal Information Security Management Act (FISMA) and Government Information Security Reform Act regulate the activities of all government agencies. The Homeland Security Act (HSA) created the US Department of Homeland Security, and more importantly for this question included the Cyber Security Enhancement Act of 2002 and the Critical Infrastructure Information Act of 2002. The Computer Fraud and Abuse Act (CFAA) provides specific protections for systems operated by government agencies.
  120. C. Turnstiles are unidirectional gates that prevent more than a single person from entering a facility at a time.
  121. C. Access control systems rely on identification and authentication to provide accountability. Effective authorization systems are desirable, but not required, since logs can provide information about who accessed what resources, even if access to those resources are not managed well. Of course, poor authorization management can create many other problems.
  122. B. EAP was originally intended to be used on physically isolated network channels and did not include encryption. Fortunately, it was designed to be extensible, and PEAP can provide TLS encryption. EAP isn’t limited to PEAP as an option as EAP-TLS also exists, providing an EAP TLS implementation, and the same extensibility allows a multitude of other authentication methods.
  123. C. The 192.168.0.0-192.168.255.255 address range is one of the ranges defined by RFC 1918 as private, non-routable IP ranges. Scott’s ISP (and any other organization with a properly configured router) will not route traffic from these addresses over the public Internet.
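Answers 90 and 123 both come down to recognizing which address ranges are private, link-local or loopback and therefore should never appear on the public Internet. The following added example, written for this appendix and not part of the original text, classifies IPv4 addresses using the standard library and applies the kind of border-router policy Scott's ISP enforces to a constructed list of flows; the flow endpoints are made-up documentation addresses.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def classify(addr):
    """Label an IPv4 address as loopback, apipa, rfc1918 or public."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def egress_filter(flows):
    """Border-router policy: a flow is forwarded to the Internet only if both endpoints
    are public. Returns (forwarded, dropped) lists of (src, dst) tuples."""
    forwarded, dropped = [], []
    for src, dst in flows:
        if classify(src) == "public" and classify(dst) == "public":
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped

# Constructed flows for the example (documentation-range addresses).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5"),  # private source that escaped without NAT
    ("198.51.100.7", "203.0.113.5"),  # public to public: forwarded
    ("169.254.3.9", "203.0.113.5"),   # APIPA source: link-local only
    ("198.51.100.7", "10.0.0.1"),     # private destination: unroutable on the Internet
]
```

Note the 172.16.0.0/12 boundary: 172.31.255.255 is private, 172.32.0.1 is public, which is a common mistake in hand-written rules that check only the first octet.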
  124. B. She should use a KPI (Key Performance Indicator). KPIs are used to measure success, typically in relation to an organization’s long-term goals. Metrics are measures, and although a KPI can be a metric, metrics are not all KPIs. SLAs are service-level agreements, and metrics can help determine whether they are being met. Objectives and key results (OKRs) are used to connect employee performance to results using subjective measures for objectives and quantitative measures for key results.
  125. A. A well-designed set of VLANs based on functional groupings will logically separate segments of the network, making it difficult to have data exposure issues between VLANs. Changing the subnet mask will only modify the broadcast domain and will not fix issues with packet sniffing. Gateways would be appropriate if network protocols were different on different segments. Port security is designed to limit which systems can connect to a given port.
  126. C. Captive portals are designed to show a page that can require actions like accepting an agreement or recording an email address before connecting clients to the Internet. NAC is designed to verify whether clients meet a security profile, which doesn’t match the needs of most coffee shops. A wireless gateway is a tool to access a cellular or other network, rather than a way to interact with users before they connect, and 802.11 is the family of IEEE wireless standards.
  127. A. Active monitoring is also known as synthetic monitoring and relies on prerecorded or generated traffic to test systems for performance and other issues. Passive monitoring uses span ports, network taps, or similar technologies to capture actual traffic for analysis. Reactive monitoring is not a commonly used industry term.
  128. B. TCP headers can be 20 to 60 bytes long depending on options that are set.
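The 20-to-60-byte range follows from the 4-bit Data Offset field, which counts 32-bit words. The following added example (written for this appendix, not taken from the question bank) parses a TCP header from raw bytes, derives the header length from that field, and refuses offsets outside the legal range or longer than the bytes actually present, which is the check a packet parser needs before trusting the field. The helper that builds sample segments and the port numbers used are constructed for the example.

```python
import struct

TCP_FLAGS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}

def parse_tcp_header(segment):
    """Parse the fixed 20-byte TCP header plus any options.

    The 4-bit Data Offset field counts 32-bit words, so the header is 20..60 bytes; anything
    outside that range, or longer than the bytes actually present, is rejected rather than
    trusted as a length."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > 60:
        raise ValueError("impossible data offset %d" % (off_flags >> 12))
    if header_len > len(segment):
        raise ValueError("data offset points past the end of the segment")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }

def build_tcp_header(src, dst, seq, ack, flags, options=b"", window=65535):
    """Constructed helper to produce sample segments; pads options to a 32-bit boundary
    and leaves the checksum zero, since no pseudo-header is available here."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0) + options
```

A SYN carrying a 4-byte MSS option parses to a 24-byte header; a segment whose offset nibble claims 16 bytes, or more bytes than were received, is rejected before any slicing happens.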
  129. A. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult, and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.
  130. D. Fred’s best option is to use an encrypted, trusted VPN service to tunnel all of his data usage. Trusted Wi-Fi networks are unlikely to exist at a hacker conference, normal usage is dangerous due to the proliferation of technology that allows fake towers to be set up, and discontinuing all usage won’t support Fred’s business needs.
  131. B. Remote wipe tools are a useful solution, but they only work if the phone can access either a cellular or Wi-Fi network. Remote wipe solutions are designed to wipe data from the phone regardless of whether it is in use or has a passcode. Providers unlock phones for use on other cellular networks rather than for wiping or other feature support.
  132. C. The goal of business continuity planning exercises is to reduce the amount of time required to restore operations. This is done by minimizing the recovery time objective (RTO).
  133. D. NIST Special Publication 800-53 describes assessments in terms of depth and coverage. Depth specifies the level of detail and rigor of an assessment; coverage measures its breadth, for example by using multiple assessment types and ensuring that every line of code is examined. If you encounter a question like this and are not familiar with the details of a standard like NIST SP 800-53, or don’t remember them, focus on the meanings of each word and the details of the question. Affirmation can be ruled out immediately, since it isn’t a measure. Suitability is a possibility, but depth fits the question better than either suitability or coverage.
  134. C. A structured walk-through uses only role-playing to test a disaster recovery plan. It does not involve the use of any technical controls. Simulation tests, parallel tests, and full interruption tests actually use some or all of the disaster recovery controls.
  135. C. Interference is electrical noise or other disruptions that corrupt the contents of packets. Latency is a delay in the delivery of packets from their source to their destination. Jitter is a variation in the latency for different packets. Packet loss is the disappearance of packets in transit that requires retransmission.
  136. A. Fagan inspections follow a rigorous, highly structured process to perform code review, using a planning, overview, preparation, inspection, rework, and follow-up cycle. Fuzzing feeds unexpected input to programs, while over-the-shoulder code review is simply a review by having another developer meet with them to review code using a walk-through. Pair programming uses a pair of developers, one of whom writes code while both talk through the coding and development process.
  137. B. Removing the <SCRIPT> tag from user input is not sufficient, as a user may easily evade this filter by encoding the tag with an XSS filter evasion technique. Frank was correct to perform validation on the server rather than at the client, but he should use validation that limits user input to allowed values, rather than filtering out one potentially malicious tag.
  138. C. Fortran is a functional programming language. Java, C++, and C# are all object-oriented languages, meaning that they use the object model and approach programming as describing the interactions between objects.
  139. C. HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).
  140. A. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
  141. D. Ed’s best option is to install an IPv6 to IPv4 gateway that can translate traffic between the networks. A bridge would be appropriate for different types of networks, whereas a router would make sense if the networks were similar. A modern switch might be able to carry both types of traffic but wouldn’t be much help translating between the two protocols.
  142. C. The Rijndael block cipher was selected as the winner and is the cryptographic algorithm underlying the Advanced Encryption Standard (AES).
  143. C. The International Safe Harbor Privacy Principles listed here are part of the Safe Harbor provisions intended to address the European Union’s Data Privacy Directive. The DPD provides seven slightly different key principles to ensure data security and privacy. The Children’s Online Privacy Act (COPA) does not contain these principles, the NY SAFE Act is not an information security or privacy law, and the Federal Information Security Modernization Act (FISMA) is a key part of the US federal government’s security posture.
  144. B. The EU Data Protection Directive does not require that organizations provide individuals with employee lists.
  145. B. Tammy should choose a warm site. This type of facility meets her requirements for a good balance between cost and recovery time. It is less expensive than a hot site but facilitates faster recovery than a cold site. A red site is not a type of disaster recovery facility.
  146. B. When data reaches the Transport layer, it is sent as segments (TCP) or datagrams (UDP). Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.
  147. D. The Advanced Encryption Standard supports encryption with 128-bit keys, 192-bit keys, and 256-bit keys.
  148. D. An application programming interface (API) allows developers to create a direct method for other users to interact with their systems through an abstraction that does not require knowledge of the implementation details. Access to object models, source code, and data dictionaries also indirectly facilitate interaction but do so in a manner that provides other developers with implementation details.
  149. D. The PGP email system, invented by Phil Zimmermann, uses the “web of trust” approach to secure email. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) encryption/decryption, and SHA hashing.
  150. B. The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.
  151. C. Detective access controls operate after the fact and are intended to detect or discover unwanted access or activity. Preventive access controls are designed to prevent the activity from occurring, whereas corrective controls return an environment to its original status after an issue occurs. Directive access controls limit or direct the actions of subjects to ensure compliance with policies.
  152. C. A honeypot is a decoy computer system used to bait intruders into attacking. A honeynet is a network of multiple honeypots that creates a more sophisticated environment for intruders to explore. A pseudo flaw is a false vulnerability in a system that may attract an attacker. A darknet is a segment of unused network address space that should have no network activity and, therefore, may be easily used to monitor for illicit activity.
  153. C. The CER is the point where FAR and FRR cross over, and it is a standard assessment used to compare the accuracy of biometric devices.
  154. A. At point B, the false acceptance rate (FAR) is quite high, whereas the false rejection rate (FRR) is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.
  155. B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.
  156. B. Personally Identifiable Information (PII) can be used to distinguish a person’s identity. Personal Health Information (PHI) includes data like medical history, lab results, insurance information, and other details about a patient. Personal Protected Data is a made-up term, and PID is an acronym for process ID, the number associated with a running program or process.
  157. D. The figure shows the waterfall model, developed by Winston Royce. The key characteristic of this model is a series of sequential steps that include a feedback loop that allows the process to return one step prior to the current step when necessary.
  158. B. Encapsulation creates both the benefits and potential issues with multilayer protocols. Bridging can use various protocols but does not rely on encapsulation. Hashing and storage protocols typically do not rely on encapsulation as a core part of their functionality.
  159. B. The five COBIT principles are meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
  160. A. The onward transfer principle requires that organizations only exchange personal information with other organizations bound by the EU Data Protection Directive’s privacy principles. The United Kingdom, Italy, and Germany, as EU member states, are all bound by those principles. The United States does not have a comprehensive privacy law codifying those principles, so the onward transfer requirement applies.
  161. C. The Domain Name System (DNS) provides human-friendly domain names that resolve to IP addresses, making it possible to easily remember websites and hostnames. ARP is used to resolve IP addresses into MAC addresses, whereas TCP is used to control the network traffic that travels between systems.
  162. B. Ben is assessing a specification. Specifications are document-based artifacts like policies or designs. Activities are actions that support an information system that involves people. Mechanisms are the hardware-, software-, or firmware-based controls or systems in an information system, and an individual is one or more people applying specifications, mechanisms, or activities.
  163. C. When done properly, a sanitization process fully ensures that data is not remnant on the system before it is reused. Clearing and erasing can both be failure prone, and of course destruction wouldn’t leave a machine or device to reuse.
  164. C. In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.
  165. D. The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a cohesive effort. It specifically attempts to eliminate the issue of “throwing problems over the fence” by building collaborative relationships between members of the IT team.
  166. B. A Security Information and Event Management (SIEM) tool is designed to centralize logs from many locations in many formats, and to ensure that logs are read and analyzed despite differences between different systems and devices. The Simple Network Management Protocol (SNMP) is used for some log messaging but is not a solution that solves all of these problems. Most non-Windows devices, including network devices among others, are not designed to use the Windows event log format, although using NTP for time synchronization is a good idea. Finally, local logging is useful, but setting clocks individually will result in drift over time and won’t solve the issue with many log sources.
  167. C. Mike should use overwriting to protect this device. While degaussing is a valid secure data removal technique, it would not be effective in this case, since degaussing only works on magnetic media. Physical destruction would prevent the reuse of the device. Reformatting is not a valid secure data removal technique.
  168. A. The single quotation mark in the input field is a telltale sign that this is a SQL injection attack. The quotation mark is used to escape outside the SQL code’s input field and the text that follows is used to directly manipulate the SQL command sent from the web application to the database.
  169. D. Procedures are formal, mandatory documents that provide detailed, step-by-step actions required from individuals performing a task.
  170. D. Durability requires that once a transaction is committed to the database it must be preserved. Atomicity ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred. Consistency ensures that all transactions are consistent with the logical rules of the database, such as having a primary key. Isolation requires that transactions operate separately from each other.
  171. D. Watermarking alters a digital object to embed information about the source, either in a visible or hidden form. Digital signatures may identify the source of a document but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.
  172. C. Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.
  173. A. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
  174. B. Criminal investigations have high stakes with severe punishment for the offender that may include incarceration. Therefore, they use the strictest standard of evidence of all investigations: beyond a reasonable doubt. Civil investigations use a preponderance of the evidence standard. Regulatory investigations may use whatever standard is appropriate for the venue where the evidence will be heard. This may include the beyond-a-reasonable-doubt standard, but it is not always used in regulatory investigations. Operational investigations do not use a standard of evidence.
  175. D. Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.
  176. B. Warm sites contain the hardware necessary to restore operations but do not have a current copy of data.
  177. C. A power spike is a momentary period of high voltage. A surge is a prolonged period of high voltage. Sags and brownouts are periods of low voltage.
  178. A. Subjects are active entities that can access a passive object to retrieve information from or about an object. Subjects can also make changes to objects when they are properly authorized. Users are often subjects, but not all subjects are users.
  179. A. OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.
  180. A. Machine languages are examples of first-generation programming languages. Second-generation languages include assembly languages. Third-generation languages include compiled languages. Fourth- and fifth-generation languages go beyond standard compiled languages to include natural languages and declarative approaches to programming.
  181. A. Tara first must achieve a system baseline. She does this by applying the most recent full backup to the new system. This is Sunday’s full backup. Once Tara establishes this baseline, she may then proceed to apply differential backups to bring the system back to a more recent state.
  182. B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Tuesday evening. Differential backups include all files that have changed since the most recent full backup, so the contents of Tuesday’s backup contain all of the data that would be contained in Monday’s backup, making the Monday backup irrelevant for this scenario.
  183. A. In this scenario, the differential backup was made at noon and the server failed at 3 p.m. Therefore, any data modified or created between noon and 3 p.m. will not be contained on any backup and will be irretrievably lost.
  184. D. By switching from differential to incremental backups, Tara’s weekday backups will only contain the information changed since the previous day. Therefore, she must apply all of the available incremental backups. She would begin by restoring the Sunday full backup and then apply the Monday, Tuesday, and Wednesday incremental backups.
  185. D. Each incremental backup contains only the information changed since the most recent full or incremental backup. If we assume that the same amount of information changes every day, each of the incremental backups would be roughly the same size.
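An added example (not from the answer key) that models the restore sequences and media sizes behind questions 181 through 185: it simulates a Sunday full backup followed by weekday differential or incremental backups over a constructed set of file changes, then works out which media a restore must apply. The file names, days and change sets are constructed for illustration.

```python
"""Differential vs. incremental backups: which media does a restore need?

Constructed example. Each Backup records file -> version (the day the file
was last changed) for the files captured on that medium.
"""
from dataclasses import dataclass, field


@dataclass
class Backup:
    day: str
    kind: str                              # "full", "differential" or "incremental"
    files: dict = field(default_factory=dict)   # file name -> version (day)


# Constructed change history: Sunday full backup of a, b, c, then daily edits.
CHANGES = [
    ("Sun", {"a", "b", "c"}),
    ("Mon", {"a"}),
    ("Tue", {"b"}),
    ("Wed", {"a", "c"}),
]


def take_backups(kind, daily_changes):
    """Simulate a full backup (first entry) followed by one backup per day.

    kind is "differential" or "incremental". A differential backup copies
    every file changed since the last full backup (the archive bit is left
    set), so each weekday medium grows. An incremental backup copies only
    files changed since the previous backup of any kind (archive bit reset).
    """
    backups = []
    since_full = {}                       # files changed since the full backup
    for i, (day, changed) in enumerate(daily_changes):
        versions = {name: day for name in changed}
        if i == 0:
            backups.append(Backup(day, "full", versions))
            continue
        since_full.update(versions)
        if kind == "differential":
            backups.append(Backup(day, "differential", dict(since_full)))
        elif kind == "incremental":
            backups.append(Backup(day, "incremental", versions))
        else:
            raise ValueError(f"unknown backup kind: {kind}")
    return backups


def restore_sequence(backups):
    """Return the ordered list of media needed to restore the latest state.

    Always start from the most recent full backup. With differentials only
    the latest differential is needed; with incrementals every incremental
    taken after the full backup must be applied, in order.
    """
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    chain = [backups[last_full]]
    later = backups[last_full + 1:]
    if not later:
        return chain
    if later[-1].kind == "differential":
        chain.append(later[-1])
    else:
        chain.extend(later)
    return chain


def restore(backups):
    """Apply the restore sequence; later media overwrite older file versions."""
    state = {}
    for backup in restore_sequence(backups):
        state.update(backup.files)
    return state


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        backups = take_backups(kind, CHANGES)
        print(kind, "media sizes:", [len(b.files) for b in backups])
        print(kind, "restore order:", [b.day for b in restore_sequence(backups)])
        print(kind, "restored state:", restore(backups))
```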
  186. A. Information that is modifiable between a client and a server also means that it is accessible, pointing to both tampering and information disclosure. Spoofing in STRIDE is aimed at credentials and authentication, and there is no mention of this in the question. Repudiation would require that proving who performed an action was important, and elevation of privilege would come into play if privilege levels were involved.
  187. B. Record retention ensures that data is kept and maintained as long as it is needed, and that it is purged when it is no longer necessary. Data remanence occurs when data is left behind after an attempt is made to remove it, whereas data redaction is not a technical term used to describe this effort. Finally, audit logging may be part of the records retained but doesn’t describe the life cycle of data.
  188. D. The Authentication Header provides authentication, integrity, and nonrepudiation for IPSec connections. The Encapsulating Security Payload provides encryption and thus provides confidentiality. It can also provide limited authentication. L2TP is an independent VPN protocol, and Encryption Security Header is a made-up term.
  189. B. The attack described in the scenario is a classic example of TCP scanning, a network reconnaissance technique that may precede other attacks. There is no evidence that the attack disrupted system availability, which would characterize a denial-of-service attack, that it was waged by a malicious insider, or that the attack resulted in the compromise of a system.
  190. C. Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.
  191. D. The kernel lies within the central ring, Ring 0. Ring 1 contains other operating system components. Ring 2 is used for drivers and protocols. User-level programs and applications run at Ring 3. Rings 0-2 run in privileged mode, whereas Ring 3 runs in user mode.
  192. A. RAID level 0 is also known as disk striping. RAID 1 is called disk mirroring. RAID 5 is called disk striping with parity. RAID 10 is known as a stripe of mirrors.
  193. A. This is an example of a time of check/time of use, or TOC/TOU attack. It exploits the difference between the times when a system checks for permission to perform an action and when the action is actually performed. Permissions creep would occur if the account had gained additional rights over time as the other’s role or job changed. Impersonation occurs when an attacker pretends to be a valid user, and link swap is not a type of attack.
  194. B. RAID 0, or disk striping, requires at least two disks to implement. It improves performance of the storage system but does not provide fault tolerance.
  195. B. Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.
  196. A. An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.
  197. C. Synchronous communications use a timing or clock mechanism to control the data stream. This can permit very fast communication.
  198. B. The maximum allowed length of a Cat 6 cable is 100 meters, or 328 feet. Long distances are typically handled by a fiber run or by using network devices like switches or repeaters.
  199. B. One of the main functions of a forensic drive controller is preventing any command sent to a device from modifying data stored on the device. For this reason, forensic drive controllers are also often referred to as write blockers.
  200. A. Setting the Secure cookie will only allow cookies to be sent via HTTPS TLS or SSL sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic: Cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain cookie. This allows only the originating server to access the cookie. Cookies without the Expires or Max-age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HTTPOnly attribute is a good idea, but it prevents scripting rather than requiring unencrypted HTTP sessions.
  201. D. Data remanence describes data that is still on media after an attempt has been made to remove it. Failed clearing and data pooling are not technical terms, and data permanence describes how long data lasts.
  202. B. Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.
  203. B. Identity as a Service (IDaaS) provides capabilities such as account provisioning, management, authentication, authorization, reporting, and monitoring. PaaS is Platform as a Service, IaaS is Infrastructure as a Service, and SaaS is Software as a Service.
  204. C. Eavesdropping, denial-of-service attacks, and caller ID spoofing are all common VoIP attacks. Blackboxing is a made-up answer, although various types of colored boxes were associated with phone phreaking.
  205. D. This broad access may indirectly violate all of the listed security principles, but it is most directly a violation of least privilege because it grants users privileges that they do not need for their job functions.
  206. C. The Secure File Transfer Protocol (SFTP) is specifically designed for encrypted file transfer. SSH is used for secure command-line access, whereas TCP is one of the bundles of Internet protocols commonly used to transmit data across a network. IPSec could be used to create a tunnel to transfer the data but is not specifically designed for file transfer.
  207. B. TACACS+ uses TCP, and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.
  208. C. The client sends its existing valid TGT to the KDC and requests access to the resource.
  209. A. The KDC must verify that the TGT is valid and whether the user has the right privileges to access the service it is requesting access to. If it does, it generates a service ticket and sends it to the client (step B).
  210. C. The server or service that is being accessed receives all of the data it needs in the service ticket. To do so, the client uses a client-to-server ticket received from the Ticket Granting Service.
  211. B. The service ticket in Kerberos authentication provides proof that a subject is authorized to access an object. Ticket granting services are provided by the TGS. Proof that a subject has authenticated and can request tickets to other objects is provided by ticket granting tickets, and authentication host is a made-up term.
  212. C. A series of questions that the user has previously provided the answers to, or which the user knows the answers to, like the questions listed, is known as a cognitive password. A passphrase consists of a phrase or series of words, whereas multifactor authentication consists of two or more authenticators, like a password and a biometric factor or a one-time token-based code.
  213. B. CDMA, GSM, and IDEN are all 2G technologies. EDGE, DECT, and UMTS are all examples of 3G technologies, whereas 4G technologies include WiMax, LTE, and IEEE 802.20 mobile broadband.
  214. A. Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Closed-head systems use pipes filled with water that may damage equipment if there is damage to a pipe.
  215. A. Protected Health Information (PHI) is defined by HIPAA to include health information used by healthcare providers, like medical treatment, history, and billing. Personally Identifiable Information is information that can be used to identify an individual, which may be included in the PHI but isn’t specifically this type of data. Protected Health Insurance and Individual Protected Data are both made-up terms.
  216. B. Manual testing uses human understanding of business logic to assess program flow and responses. Mutation or generational fuzzing will help determine how the program responds to expected inputs but does not test the business logic. Interface testing ensures that data exchange between modules works properly but does not focus on the logic of the program or application.
  217. A. A Type 1 authentication factor is something you know. A Type 2 is something you have, like a smart card or hardware token. A Type 3 authentication factor is something you are, like a biometric identifier. There is no such thing as a Type 4 authentication factor.
  218. B. System owners have to ensure that the systems they are responsible for are properly labeled based on the highest level of data that their system processes, and they have to ensure that appropriate security controls are in place on those systems. System owners also share responsibility for data protection with data owners. Administrators grant appropriate access, whereas data owners own the classification process.
  219. A. Jack is performing misuse case analysis, a process that tests code based on how it would perform if it was misused instead of used properly. Use case testing tests valid use cases, whereas static code analysis involves reviewing the code itself for flaws rather than testing the live software. Hacker use case testing isn’t an industry term for a type of testing.
  220. D. Vendors complete security targets (STs) to describe the controls that exist within their product. During the review process, reviewers compare those STs to the entity’s Protection Profile (PP) to determine whether the product meets the required security controls.
  221. C. Both TCP and UDP port numbers are 16-digit binary numbers, which means there can be 2^16 ports, or 65,536 ports, numbered from 0 to 65,535.
  222. A. MITRE’s Common Vulnerabilities and Exposures (CVE) dictionary and NIST’s National Vulnerability Database (NVD) both provide information about vulnerabilities.
  223. D. The military classification scheme contains three major levels. They are, in descending order of sensitivity: Top Secret, Secret, and Confidential. Unclassified is a default, and not a classification, whereas Sensitive But Unclassified (SBU) has been replaced with Controlled Unclassified Information (CUI).
  224. D. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.
  225. A. Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.
  226. C. Physically destroying the drive is the best way to ensure that there is no remnant data on the drive. SSDs are flash media, which means that you can’t degauss them, whereas both random pattern writes and the built-in erase commands have been shown to be problematic due to the wear leveling built into SSDs as well as differences in how they handle erase commands.
  227. A. Confidentiality ensures that data cannot be read by unauthorized individuals while stored or in transit.
  228. B. The recovery time objective (RTO) is the amount of time that a business believes it will take to restore a function in the event of a disruption.
  229. D. The United States Code (USC) contains the text of all federal criminal and civil laws passed by the legislative branch and signed by the President (or where the President’s veto was overruled by Congress).
  230. B. A post-admission philosophy allows or denies access based on user activity after connection. Since this doesn’t check the status of a machine before it connects, it can’t prevent the exploit of the system immediately after connection. This doesn’t preclude out-of-band or in-band monitoring, but it does mean that a strictly post-admission policy won’t handle system checks before the systems are admitted to the network.
  231. B. The principle of implicit denial states that any action that is not explicitly allowed is denied. This is an important concept for firewall rules and other access control systems. Implementing least privilege ensures that subjects have only the rights they need to accomplish their job. While explicit deny and final rule fall-through may sound like important access control concepts, neither is.
  232. B. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, web defacement is the risk. In this scenario, if the hacker attempts a SQL injection attack (threat) against the unpatched server (vulnerability), the result is website defacement (risk).
  233. A. The kernel of an operating system is the collection of components that work together to implement a secure, reliable operating system. The kernel contains both the Trusted Computing Base (TCB) and the reference monitor.
  234. A. Val can use statistical sampling techniques to choose a set of records for review that are representative of the entire day’s data. Clipping chooses only records that exceed a set threshold so it is not a representative sample. Choosing records based on the time they are recorded may not produce a representative sample because it may capture events that occur at the same time each day and miss many events that simply don’t occur during the chosen time period.
  235. D. Fiber-optic cable is more expensive and can be much harder to install than stranded copper cable or coaxial cable, but it isn’t susceptible to electromagnetic interference (EMI). That makes it a great solution for Jen’s problem, especially if she is deploying EMI-hardened systems to go with her EMI-resistant network cables.
  236. D. The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analyses, and developers can prioritize tasks.
  237. B. Change control provides an organized framework within which multiple developers can create and test solutions prior to rolling them out into a production environment.
  238. C. Release control ensures that any code inserted as a programming aid during the change process is removed before releasing the new software to production. It also includes acceptance testing to ensure that any alterations to end-user work tasks are understood and functional.
  239. A. Configuration control ensures that changes to software versions are made in accordance with the change control and configuration management process. Updates can be made only from authorized distributions in accordance with those policies.
  240. B. Ben is reusing his salt. When the same salt is used for each hash, all users with the same password will have the same hash, and the attacker can either attempt to steal the salt or may attempt to guess the salt by targeting the most frequent hash occurrences based on commonly used passwords. Short salts are an issue, but the salts used here are 32 bytes (256 bits) long. There is no salting algorithm used or mentioned here; salt is an added value for a hash, and plaintext salting is a made-up term.
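The point behind answer 240, shown as an added Python example that is not part of the book's text: with one shared salt, every account that picked the same password ends up with the same stored hash, so the most frequent hash value marks the largest cluster of users to attack; a fresh random salt per user makes every stored hash distinct. The account names and passwords are constructed, the 32-byte salt length matches the scenario, and PBKDF2-HMAC-SHA256 is an assumed choice of password hash (the question does not name one).

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Tuple

# Kept low so the example runs quickly; production deployments use far more iterations.
ITERATIONS = 10_000

# The flaw: one fixed 32-byte salt reused for every user (constructed value).
SHARED_SALT = bytes(32)

# Constructed sample accounts; three of them chose the same common password.
SAMPLE_USERS = {
    "alice": "Password123",
    "bob": "Password123",
    "carol": "Password123",
    "dave": "correct horse battery staple",
}

# Stored record per user: (salt, derived hash).
Table = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte hash of the password under the given salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_with_shared_salt(users: Dict[str, str]) -> Table:
    """Ben's mistake: every user is hashed with the same salt."""
    return {name: (SHARED_SALT, hash_password(pw, SHARED_SALT)) for name, pw in users.items()}


def store_with_unique_salt(users: Dict[str, str]) -> Table:
    """Corrected scheme: a fresh 32-byte random salt per user, stored beside the hash."""
    table: Table = {}
    for name, pw in users.items():
        salt = os.urandom(32)
        table[name] = (salt, hash_password(pw, salt))
    return table


def distinct_hashes(table: Table) -> int:
    """How many different hash values the table contains."""
    return len({digest for _, digest in table.values()})


def largest_cluster(table: Table) -> int:
    """Size of the biggest group of users sharing one hash value.

    With a shared salt this is the group an attacker would target first, because
    one guess of a common password cracks every account in the cluster at once.
    """
    counts = Counter(digest for _, digest in table.values())
    return max(counts.values())


def verify(table: Table, name: str, password: str) -> bool:
    """Login check: recompute the hash with the stored salt and compare in constant time."""
    salt, stored = table[name]
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    shared = store_with_shared_salt(SAMPLE_USERS)
    unique = store_with_unique_salt(SAMPLE_USERS)
    print("shared salt: distinct hashes =", distinct_hashes(shared),
          "largest cluster =", largest_cluster(shared))
    print("unique salt: distinct hashes =", distinct_hashes(unique),
          "largest cluster =", largest_cluster(unique))
    print("alice login ok:", verify(unique, "alice", "Password123"))
```

With the shared salt, the four sample accounts collapse to two hash values and a cluster of three identical hashes, which is exactly the frequency signal the answer describes; with per-user salts all four hashes differ while `verify` still works because the salt travels with the record.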
  241. B. Risk transference involves actions that shift risk from one party to another. Purchasing insurance is an example of risk transference because it moves risk from the insured to the insurance company.
  242. C. The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.
  243. D. Static code analysis uses techniques like control flow graphs, lexical analysis, and data flow analysis to assess code without running it. Dynamic code analysis runs code on a real or virtual processor and uses actual inputs for testing. Fuzzing provides unexpected or invalid input to test how programs handle input outside of the norm. Manual analysis is performed by reading code line by line to identify bugs or other issues.
  244. B. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections, nor does the fact that it works via network connections make it connection-oriented.
  245. A. The LDAP bind operation authenticates and specifies the LDAP protocol version. Auth, StartLDAP, and AuthDN operations do not exist in the LDAP protocol.
  246. C. The two most important elements of a qualitative risk assessment are determining the probability and impact of each risk upon the organization. Likelihood is another word for probability. Cost should be taken into account but is only one element of impact, which also includes reputational damage, operational disruption, and other ill effects.
  247. B. When a message reaches the Data Link layer, it is called a frame. Data streams exist at the application, presentation, and session layers, whereas segments and datagrams exist at the transport layer (for TCP and UDP, respectively).
  248. A. If the (ISC)² peer review board finds that a certified individual has violated the (ISC)² code of ethics, the board may revoke their certification. The board is not able to terminate an individual’s employment or assess financial penalties.
  249. D. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.
  250. A. The Bell-LaPadula model includes the Simple Security Property, which prevents an individual from reading information that is classified at a level higher than the individual’s security clearance.