Appendix B

Answers to Review Questions

Chapter 2

  1. C The definition of the principle of least privilege is granting users only the minimum privileges needed to accomplish assigned work tasks.
  2. B Separation of duties is the process of assigning groups of tasks to different users to prevent collusion and to avoid conflicts of interest. The principle of least privilege is assigning users the minimal amount of access required to accomplish their work tasks. Mandatory access control is a means to control access by using classifications of subjects and objects. Integrity assurance is the process that ensures the controls put in place to maintain data integrity are operating properly.
  3. B Job rotation isn't appropriate because one person is still in charge of a particular position. M of N control, multiple key pairs, and separation of duties should be used to prevent a single person from compromising an entire system.
  4. A The correct answer is to reduce or mitigate risk to an acceptable level. It's virtually impossible to remove all risks from an environment. It may be a goal of upper management in general to minimize security cost. Assigning responsibilities to job roles might be accomplished by the department heads.
  5. A A PIN provides authentication. It is something you know.
  6. C When nonrepudiation is used as a security technique, a sender cannot deny sending a message.
  7. B Although encryption is a security technique, it falls under the prevention security category.
  8. C User training is the best way to use nontechnical means to enforce security. The more the users know, the more secure the system will be.
  9. D Use of an alternate site after a disaster falls under the recovery primary security category.
  10. D Upon termination of any user, network access should immediately be prohibited by deactivating the user account.
  11. A No matter how hard you try, there is always some level of risk on everything that you attempt.
  12. A Vulnerabilities are weaknesses within a network. Mitigation reduces vulnerabilities and therefore risks. Risk is the probability that a threat will exploit a vulnerability. Controls are tools and techniques for mitigating vulnerabilities.
  13. B Availability is the correct answer. Admission, auditing, and administration are all distractors.
  14. B Remuneration is not one of the security categories.
  15. C The correct answer is C, time of day restriction. The other answers are similar but not correct.
  16. C Implicit deny is built into most routers and is the catchall that prohibits the passage of anything that has not been explicitly authorized. Explicit deny may be any one of dozens of router rules that the administrator creates to allow specific traffic. Deny any might be part of an explicit rule. Global deny is a distractor.
  17. B The correct answer is mandatory vacation, which in many security policies is stated as a mandatory one-week vacation once a year during which an investigation into ethics and job performance might occur. Ethical investigation is not the answer. Although we might like our company to send us on a mandatory cruise, that is not the correct answer either. M of N is a scheme requiring M number of people to agree to take action out of a possible universe of N number of people.
  18. C The correct answer is authentication, authorization, and accounting. It might be easy to picture this as a chain of access control steps. The first step is identification and then the authentication. It's important to get the words in the correct order. Option D is incorrect because the words administration and auditing are not part of the term. Option B is wrong because admission is not part of the term. Option A includes the correct words, but they are in the wrong order. Read the questions and options carefully.
  19. C The correct answer is time of day restriction. Time of week and time-based restrictions are similar, but they are distractors. Option A might be something out of a sci-fi movie.
  20. B Accounts that no longer belong to any active employees were called orphan accounts. Answer A, long-term accounts, and answer C, pseudo-active accounts, are obvious distractors. Answer D sounds plausible but is not the correct answer.

Chapter 3

  1. C The system is performing authentication. Option A is a distractor. Option B is incorrect because, in this case, the password is not used as identification. Option D is incorrect because the password does not provide authorization to the user.
  2. B The other answers are distractors.
  3. A Options B, C, and D are distractors.
  4. D Options A, B, and C are distractors.
  5. B Options A, C, and D are distractors.
  6. C The use of identification and authorization techniques best describes access control. Options A, B, and D are distractors.
  7. D Options A, B, and C are access controls, but they do not allow users to share files at their discretion.
  8. B Role-based access control (RBAC) permits authorization to be assigned according to an individual's role or title in the organization. Options A, C, and D are distractors.
  9. C Options A, B, and D are distractors.
  10. A Authentication is the method of verifying an individual's claim of identity. Options B, C, and D are distractors.
  11. D Options A, B, and C are distractors.
  12. B Options A, C, and D are distractors.
  13. B Privileged users are also known as super-users or administrators. Options A, C, and D are distractors.
  14. B Options A, C, and D are distractors.
  15. C Options A, B, and D are distractors.
  16. C Options A, B, and D refer to the same factor category, thus providing only one-factor authentication.
  17. D The CER is where the false rejection rate (FRR) and false acceptance rate (FAR) cross over.
  18. B Options A, B, and D are distractors.
  19. D Options A, B, and C are distractors.
  20. C Options A, B, and D are distractors.

Chapter 4

  1. C Proper security administration policies, controls, and procedures enforce the AIC triad objectives, which are availability, integrity, and confidentiality.
  2. B Risk is the probability or likelihood that a threat will exploit a vulnerability. Options A, C, and D are distractors.
  3. D A security policy must be in alignment with the mission, objectives, nature, and culture of a business. Organizational policies are not based on best practices.
  4. D A federation consists of third-party companies that share data based upon a one-time authentication of an individual.
  5. B A compensating control is a secondary control placed into use if the first or primary control is disabled or no longer usable. In this case, a hotel room door has a lock; the chain is a secondary or compensating control.
  6. C The policy will be doomed to failure if it does not have senior executive endorsement or a mandate from senior management. Options A, B, and D are distractors.
  7. C An acceptable use policy sets forth the acceptable behaviors that must be exhibited by all employees, contractors, and other personnel within the workplace or when accessing a network.
  8. A Acceptable behavior of individuals within any organization is put forth in the acceptable use policy. This includes the use of facilities and equipment as well as a large number of other behavioral considerations. The acceptable use policy is an administrative control.
  9. B An enforcement statement informs individuals of the potential penalties, fines, sanctions, or repercussions, which may result from the failure to abide by the policy.
  10. B Standards are the part of a policy that lists the criteria that must be met by the organization.
  11. A The organization's intranet is often the preferred method of communicating policy or policy changes. Social media and informal methods of communication, such as handouts and telephone calls, should not be used to announce policy directives or policy changes.
  12. D Provide competent and diligent service to principals is the third canon of the (ISC)2 Code of Ethics.
  13. D Service packs are issued by a manufacturer to correct many software or hardware deficiencies and to upgrade the product. They may combine a large number of patches.
  14. B A sandbox environment, which resembles a production environment, is a location where patches and service packs should be tested prior to distribution to a production network.
  15. C Business information classification schemes generally do not include top-secret.
  16. D Objects within the U.S. military or government agencies may be assigned the classification top secret.
  17. B Any device that terminates a network connection may be classified as an endpoint device. In this case, a computer printer is an endpoint device because nothing follows it on the network.
  18. C The recovery point objective (RPO) is part of a business continuity plan.
  19. C A disaster recovery plan documents the procedures required to restore equipment and facilities back to the condition they were in prior to the disaster.
  20. A The maximum tolerable downtime is the point in time after which the survivability of the organization is in jeopardy.

Chapter 5

  1. C Option A is incorrect because eliminating risk is only part of a primary goal of security. Options B and D are incorrect because they are not primary goals of security.
  2. A Option A is correct because risk reduction alters elements throughout the enterprise to minimize the ability of a threat to exploit a vulnerability. Option B is incorrect. It is impossible to remove all risks. Option C is incorrect because it is one of four potential treatments for risk. Option D is incorrect because the organization accepts all the possible risks.
  3. B Option B is correct because the most likely source of an asset being lost is internal theft. Options A and C are external threats. Option D is also an external threat that might cause a denial of service attack.
  4. D Options A, B, and C are correct statements. Option D is wrong because risk cannot be completely eliminated.
  5. D Option A is incorrect because a weakness is a vulnerability. Option B is incorrect because a threat is not a protective control. Option C is incorrect because a threat is not a multilayer control.
  6. B Option A is incorrect because a safeguard does not exploit a vulnerability. Option C is incorrect because weaknesses are defined as a vulnerability. Option D is incorrect because safeguards do not warn of an attack.
  7. B Option A refers to a threat exploiting a vulnerability. Option C is a distractor. Option D is incorrect because it is the definition of asset.
  8. B Option A is incorrect because the words quantitative and qualitative are switched. Option C is incorrect because high, medium, and low are subjective results in qualitative analysis. Option D is incorrect because quantitative risk analysis can be automated.
  9. D Options A and B and C are correct answers. Option D is incorrect because a corrective control stops an existing attack.
  10. A Option A is correct because it involves talking to people and allows for immediate improvement. Option B is incorrect because it is a distractor. Option C is incorrect because a qualitative analysis does not deal with hard cost numbers. D is incorrect because a qualitative analysis does not deal with specific measurements.
  11. C The correct answer is option C because interviewing terminated employees is not a common information-gathering technique for risk analysis. Options A, B, and D are common techniques.
  12. B Option A is incorrect because useful life has no relation to the classification. Options C and D are distractors.
  13. A Option B is incorrect because organizations cannot spend unlimited amounts of money to reduce all risks. Option C is incorrect; although it is a treatment method for handling a risk, it is not the prime objective. Option D is incorrect because few individuals are prosecuted.
  14. C Option A is incorrect because it describes an incident that could negatively impact the organization. Option B is incorrect because procedures are not assets. Option D is incorrect because compensation and retirement programs are not assets.
  15. C Option C is the correct answer because risk assessment is not the final result of a risk management methodology; it is the first action taken. Options A, B, and D are accurate regarding the process of risk assessment.
  16. C Option C is the correct answer because a prudent company will spend only as much as the value of the item being protected. Options A, B, and D are part of a safeguard selection.
  17. D Option A is incorrect because it is part of continuity management planning. Option B is incorrect because it is impossible to achieve. Option C is incorrect because it refers to two concepts, neither of which is a primary goal of risk mitigation.
  18. C Subjective monitoring is not a type of monitoring. Options A, B, and D are all types of monitoring used within an organization.
  19. B Option B is the correct answer because it is not a risk treatment technique. If the risk is ignored, it is by default accepted. Options A, C, and D are typical risk treatment techniques.
  20. C Although there are preventative controls, it is not one of the three major categories. Options A, B, and D are the three major control categories.

Chapter 6

  1. B CPU cache is the closest memory to the CPU and the most volatile. Options A and D are long-term storage and not referred to as volatile memory. Option C is volatile memory, but it's not as volatile as CPU cache.
  2. B Always follow the procedures in a plan. Options A, C, and D are incorrect, although they may be included as a procedure in a plan.
  3. C Option C describes planned activities that enable the critical business functions to return to normal operations. Some critical business functions may resume operations at a reduced capacity. Option A is incorrect because it describes a function of risk assessment. Option B is incorrect because activities that are performed when a security-related incident occurs are part of incident response. Option D describes a part of risk treatment.
  4. A This answer is very general and vague. Options B, C, and D are all commonly accepted definitions of a disaster.
  5. C Retaliation is not an acceptable incident response activity. Options A, B, and D are all part of an organization's incident handling response policy.
  6. B Stress reduction programs and other employee benefit programs are usually the responsibility of the human resources department. Options A, C, and D describe responsibilities of the person designated to manage the continuity planning process.
  7. B This plan is both cost effective and efficient. Option A is a very expensive test. Although they are types of tests, options C and D may be used to update information only.
  8. A A cold site does not have hardware. Options B, C, and D describe warm and hot sites.
  9. D Corrective controls stop an activity once it has begun. Options A, B, and C describe types of controls.
  10. D A full interruption test provides the most risk for the enterprise. Options A, B, and C are other types of test scenarios.
  11. C Hardware, software, and data must be installed in a cold site prior to it becoming operational. Options A, B, and D are other types of alternate recovery sites that include varying amounts of hardware and software.
  12. D A hot backup site may be brought online within minutes or hours. Options A, B, and C describe alternate sites, but they're not called hot backup sites.
  13. C Continuity is the act of keeping existing business functions operating. Options A, B, and D are distractors.
  14. B An incremental backup stores only the current day's data in a file. Options A, C, and D are backup techniques but are not defined as incremental backups.
  15. B The RPO is the location of the most accurate backup data prior to a disaster event. Options A, C, and D are distractors.
  16. B The functional incident response team should consist of a broad range of talents from across the organization. Options A, C, and D, although types of incident response teams, usually feature experts, dedicated personnel, or third-party contractors.
  17. B The chain of custody involves logging the location and handling of evidence. Options A, C, and D are items that may be used during investigation.
  18. C Data should be copied from a hard disk using bit-by-bit copy software. Options A, B, and D are distractors.
  19. B First responders should always follow the procedures as specified in the incident response plan. Options A, C, and D may be procedures included in an incident response plan but are incorrect because they might not be the correct procedures in this organization's incident response plan.
  20. C It is a level at which an operator is alerted. Options A, B, and D are distractors.

Chapter 7

  1. D The purpose of a hashing algorithm is to provide integrity. The message is hashed at each end of the transmission, and if the hash is equal, the message did not change. Options A, B, and C are incorrect because they have nothing to do with a hashing algorithm.
  2. B The only person who would have access to the sender's private key is the sender. Option A is incorrect. Anyone could encrypt a message using the sender's public key. Option C is incorrect; although anyone could encrypt a message using the receiver's public key, it would not provide proof of origin. Option D is incorrect because the only person who has access to the receiver's private key is the receiver.
  3. D Option D is correct because a set number of multiple persons (M) out of a group of persons (N) may be able to take the required action. Option A is incorrect because separation of duties has nothing to do with multiple-person key recovery. Option B is incorrect because there is no such thing as a multiple-man rule. Option C is incorrect because staged multiple interaction does not exist.
  4. A Symmetric keys are kept secret and are never publicly exchanged. Options B, C, and D are incorrect because they are all characteristics of a symmetric key.
  5. C Data encrypted with a user's public key can be decrypted only by the user's private key. This would not normally be in an organization's encryption policy. Options A, C, and D are all reasonable items to include in an organization's encryption policy.
  6. D Keys are never reused by different departments. Options A, B, and C are all activities that represent appropriate methods to manage keys.
  7. B Key clustering involves two different keys, resulting in the same ciphertext. Option A is incorrect because key clustering does not identify keys. Option C is incorrect because key clustering has nothing to do with timing. Option D is incorrect because key clustering has nothing to do with a keyed hash function.
  8. C A collision occurs when two plaintext documents result in the same hash value. Option A is incorrect. Symmetric keys do not corrupt plaintext documents. Option B is incorrect because collisions have nothing to do with ciphertext. Option D is incorrect. The decryption function has nothing to do with collisions.
  9. B Certificates always contain the owner's public key. Option A is incorrect because private keys are private. Option C is incorrect because certificates do not have anything to do with symmetric keys. D is incorrect because there is no such thing as a user's key.
  10. C The trust architecture does not include a certificate gateway. Options A, B, and D are part of the trust architecture.
  11. A The initialization vector adds to the power of a password or key so that the same text encrypted by the same key will not create the same ciphertext. Option B is incorrect. An initialization vector is not used with an owner's public key. Option C is incorrect. An initialization vector should create an environment where a code is not repetitive. Option D is incorrect because an initialization vector has nothing to do with speed.
  12. B Option B is the correct answer because a block cipher, by definition, encrypts one block at a time. Option A is incorrect because it describes a serial encryption. Option C is incorrect because it describes a serial encryption. Option D is incorrect because various types of keys may be utilized on a block cipher.
  13. C A hash function is a one-way function. Option A is incorrect because asymmetric functions are not one-way functions. Option B is incorrect because symmetric functions are not one-way functions. Option D is incorrect; a message authentication code may be decrypted using a symmetric key. It proves authentication because the sender possessed the same symmetric key as the receiver. Provided the receiver can decrypt the MAC with their symmetric key, the only other person who could have encrypted the message is the sender.
  14. D The Caesar cipher is a substitution cipher. Options A, B, and C are incorrect because they do not describe the encryption technique of a Caesar cipher.
  15. B Steganography is the method of hiding data in a picture file, audio file, or movie file. This is referred to as hiding in plain sight. Options A, C, and D have nothing to do with hiding information in plain sight.
  16. D The keys in the key pair work together. When one encrypts, the other can decrypt. Options A, B, and C are incorrect usages of the key pair.
  17. B The message digest or hash value is encrypted by the sender's private key. Therefore, options A, C, and D are incorrect.
  18. A RSA is a widely used asymmetric algorithm. Options B, C, and D are symmetric algorithms.
  19. C With a digital signature, a hash value has been encrypted using the sender's private key. Only the sender's public key could decrypt it. Options A, B, and D are incorrect because they are not used by the receiver to verify integrity of a digital signature.
  20. A All symmetric key algorithms are faster than asymmetric algorithms. Options B, C, and D are incorrect because they are characteristics of a symmetric key algorithm.

Chapter 8

  1. B Encapsulation is a method of surrounding one packet with another packet. This technique completely encases the packet data. The outer packet does not have to provide encryption services. The other options are distractors.
  2. B The OSI model is a seven-layer model, with each layer responding to the layer directly above and directly below it. The TCP/IP model is a four-layer model. The other options are distractors.
  3. A Single-mode optical cable has the smallest diameter glass core, which decreases the number of light reflections. This allows for greater transmission distances of up to 80 km.
  4. D The address space for IPv6 is 128 bits. The address space for IPv4 is 32 bits. The other options are distractors.
  5. C Switches operate at layer 2 of the OSI model and route physical addresses, referred to as media access control addresses, which are unique to each node on a network. The other options are distractors.
  6. A TCP is a connection-oriented protocol because it establishes, through a three-way handshake, a communication path between two entities. A TCP connection allows for the receiving entity to request that a packet be resent in the event of an error condition. The other options are distractors.
  7. C Mesh topologies are used where speed and redundancy are required, such as with fault-tolerant devices, load distribution server clustering, and storage area networks (SANs). The other options are distractors.
  8. B Centralized key management is more secure, or at least more desirable, in a private enterprise environment. In a public or individual environment, decentralized key management is more secure. Individual key management and distributed key management are nonstandard terms that could be used to refer to decentralized key management.
  9. C Carrier Sense Multiple Access/Collision Avoidance describes a technique used to announce that a device is wishing to transmit on the media. The device will transmit or broadcast a tone prior to transmission. The tone is referred to as a jamming signal and will be heard by all other devices connected to the media.
  10. C The convergence of network communications involves the transmission of multimedia and data on the same network.
  11. C Continuous monitoring involves the policy, process, and technology used to detect risk issues within an organization's IT infrastructure. This monitoring may be in response to regulatory or contractual compliance mandates.
  12. B Kerberos is an authentication, single sign-on protocol developed at MIT and is named after a mythical three-headed dog that stood at the gates of Hades. Kerberos allows single sign-on in a distributed environment.
  13. C The hosts in a VLAN are connected to a network switch. The switch is responsible for controlling the traffic that is destined for each host.
  14. B A federation is an association of nonrelated third-party organizations that share information based upon single sign-on and one-time authentication of a user.
  15. B The purpose of the firewall is to filter traffic based upon various rulesets. Although firewalls are often associated with outside traffic, they can be placed anywhere. For example, one internal network may be isolated from another with the use of a firewall.
  16. B A wireless intrusion prevention system (WIPS) is used to mitigate the possibility of rogue access points. These systems are typically implemented in an existing wireless LAN infrastructure and enforce wireless policies within an organization. Typically, they prevent unauthorized network access to local area networks through unauthorized access points.
  17. B Amendment i provides for security enhancements to the wireless standard, is referred to as WPA2, and uses the AES encryption algorithm.
  18. C Originally designed as low-power transmission media to replace wires and cables, Bluetooth has been expanded to a number of uses, including data synchronization between devices. Using a low-power, Class II transmitter, Bluetooth has a general range of approximately 10 meters, or 33 feet, and has a stated maximum range of 100 meters, or 333 feet.
  19. B A rogue Wi-Fi access point that appears to be legitimate is referred to as an evil twin.
  20. C The ideal antenna placement is within the center of the area served and is high enough to get around most obstacles.

Chapter 9

  1. B An advanced persistent threat is a type of cyber terrorism malware usually placed by a well-funded, country-sponsored cyber-attack group.
  2. D A hacktivist has a political, social, or personal agenda.
  3. C A virus always requires an outside action in order to replicate.
  4. D All of the other options describe a typical script kiddie.
  5. A A threat vector describes the path of an attack.
  6. B A member of a botnet is referred to as a bot or a zombie computer.
  7. B An APT is malware usually put in place by a nation state.
  8. B A retrovirus attacks anti-malware software and sometimes disables a signature library or simply turns off the detection mechanism.
  9. B A whaling attack targets a senior executive to get them to click a link in an email in order to infect their computer.
  10. D A zero-day attack refers to a type of attack in which the attacker uses a previously unknown attack technique or exploits a previously unknown vulnerability.
  11. C By design, Java always creates a sandbox in which to execute an applet on a client machine. This prohibits the applet from being able to attack either the host machine or an application.
  12. C The trusted platform module is a crypto processor that performs as a dedicated microprocessor of cryptographic algorithms.
  13. A A private key is owned by the author and is used to encrypt the message digest or hash value of the code. The hash value provides the integrity, and the private key provides a digital signature and nonrepudiation by the author. The author's public key, usually provided in a digital certificate, is the only key that will decrypt the hash value.
  14. D The cloud is a metering, measured service similar to a utility, sometimes referred to as a “pay as you go” model. At this point, cloud services are still fairly expensive compared to installing one more disk drive in an organization's server.
  15. B According to NIST Special Publication 800-145, “The NIST Definition of Cloud Computing,” a corporate cloud is not a cloud deployment model. Corporate cloud and private cloud refer to the same thing.
  16. A Help Desk as a Service is not one of the NIST-listed cloud service models, although it is a service that might be offered over the cloud.
  17. D The General Data Protection Regulation, which superseded Directive 95/46/EC, requires that all member states abide by the legal principles in the regulation and that these principles are not arbitrary.
  18. B eDiscovery is a legal tool used by opposing counsel to obtain requested information that may contain evidence or other useful information for a lawsuit. eDiscovery is not the information itself. It is the process of obtaining the information.
  19. C Security controls may be placed anywhere in a virtual environment. Security in depth is always the best practice when securing any environment.
  20. C Several big data processing models exist that illustrate how big data can be processed by parallel processors reaching into the thousands of servers.