Академический Документы
Профессиональный Документы
Культура Документы
Cover
Domain 1: Access Control
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 2: Telecommunications and Network Security
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 3: Information Security Governance and Risk Management
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 4: Software Development Security
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 5: Cryptography
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 6: Security Architecture and Design
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 7: Security Operations
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 8: Business Continuity and Disaster Recovery Planning
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 9: Legal, Regulations, Investigations, and Compliance
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Domain 10: Physical and Environmental Security
Traditional Questions, Answers, and Explanations
Scenario-Based Questions, Answers, and Explanations
Sources and References
Appendix A: CISSP Glossary 2012
Numbers and Letters
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Z
Sources and References
Appendix B: CISSP Acronyms and Abbreviations 2012
Numeric
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
W
XYZ
Sources and References
Copyright
Preface
How to Study for the CISSP Exam
Description of the CISSP Examination
Domain 1
Access Control
1. For intrusion detection and prevention system capabilities, stateful protoco
l analysis uses which of the following?
1.
2.
3.
4.
Blacklists
Whitelists
Threshold
Program code viewing
a. 1 and 2
b. 1, 2, and 3
c. 3 only
d. 1, 2, 3, and 4
1. d. Stateful protocol analysis (also known as deep packet inspection) is the p
rocess of comparing predetermined profiles of generally accepted definitions of
benign protocol activity for each protocol state against observed events to iden
tify deviations. Stateful protocol analysis uses blacklists, whitelists, thresho
lds, and program code viewing to provide various security capabilities.
A blacklist is a list of discrete entities, such as hosts or applications that h
ave been previously determined to be associated with malicious activity. A white
list is a list of discrete entities, such as hosts or applications known to be b
enign. Thresholds set the limits between normal and abnormal behavior of the int
rusion detection and prevention systems (IDPS). Program code viewing and editing
features are established to see the detection-related programming code in the I
DPS.
2. Electronic authentication begins with which of the following?
a.
b.
c.
d.
Token
Credential
Subscriber
Credential service provider
Subscriber
Registration authority
Applicant
Credential service provider
3. b. The RA performs the identity proofing after registering the applicant with
the CSP. An applicant becomes a subscriber of the CSP.
4. In electronic authentication, which of the following provides the authentica
ted information to the relying party for making access control decisions?
a.
b.
c.
d.
Claimant/subscriber
Applicant/subscriber
Verifier/claimant
Verifier/credential service provider
4. d. The relying party can use the authenticated information provided by the ve
rifier/CSP to make access control decisions or authorization decisions. The veri
fier verifies that the claimant is the subscriber/applicant through an authentic
ation protocol. The verifier passes on an assertion about the identity of the su
bscriber to the relying party. The verifier and the CSP may or may not belong to
the same identity.
5. In electronic authentication, an authenticated session is established betwee
n which of the following?
a.
b.
c.
d.
6. b. The use of digital certificates represents a logical link between the veri
fier and the CSP rather than a physical link. In some implementations, the verif
ier, relying party, and the CSP functions may be distributed and separated. The
verifier needs to directly communicate with the CSP only when there is a physica
l link between them. In other words, the verifier does not need to directly comm
unicate with the CSP for the other three choices.
7. In electronic authentication, who maintains the registration records to allo
w recovery of registration records?
a.
b.
c.
d.
7. a. The CSP maintains registration records for each subscriber to allow recove
ry of registration records. Other responsibilities of the CSP include the follow
ing:
The CSP is responsible for establishing suitable policies for renewal and reissu
ance of tokens and credentials. During renewal, the usage or validity period of
the token and credential is extended without changing the subscribers identity or
token. During reissuance, a new credential is created for a subscriber with a n
ew identity and/or a new token.
The CSP is responsible for maintaining the revocation status of credentials and
destroying the credential at the end of its life. For example, public key certif
icates are revoked using certificate revocation lists (CRLs) after the certifica
tes are distributed. The verifier and the CSP may or may not belong to the same
entity.
The CSP is responsible for mitigating threats to tokens and credentials and mana
ging their operations. Examples of threats include disclosure, tampering, unavai
lability, unauthorized renewal or reissuance, delayed revocation or destruction
of credentials, and token use after decommissioning.
The other three choices are incorrect because the (i) subscriber is a party who
has received a credential or token from a CSP, (ii) relying party is an entity t
hat relies upon the subscribers credentials or verifiers assertion of an identity,
and (iii) registration authority (RA) is a trusted entity that establishes and
vouches for the identity of a subscriber to a CSP. The RA may be an integral par
t of a CSP, or it may be independent of a CSP, but it has a relationship to the
CSP(s).
8. Which of the following is used in the unique identification of employees and
contractors?
a.
b.
c.
d.
sical artifact (e.g., identity card or smart card) issued to an individual that
contains stored identity credentials (e.g., photograph, cryptographic keys, or d
igitized fingerprint).
The other three choices are used in user authenticator management, not in user i
dentifier management. Examples of user authenticators include passwords, tokens,
cryptographic keys, personal identification numbers (PINs), biometrics, public
key infrastructure (PKI) certificates, and key cards. Examples of user identifie
rs include internal users, external users, contractors, guests, PIV cards, passw
ords, tokens, and biometrics.
9. In electronic authentication, which of the following produces an authenticat
or used in the authentication process?
a.
b.
c.
d.
9. b. The token may be a piece of hardware that contains a cryptographic key tha
t produces the authenticator used in the authentication process to authenticate
the claimant. The key is protected by encrypting it with a password.
The other three choices cannot produce an authenticator. A public key is the pub
lic part of an asymmetric key pair typically used to verify signatures or encryp
t data. A verifier is an entity that verifies a claimants identity. A private key
is the secret part of an asymmetric key pair typically used to digitally sign o
r decrypt data. A claimant is a party whose identity is to be verified using an
authentication protocol.
10. In electronic authentication, shared secrets are based on which of the foll
owing?
1.
2.
3.
4.
Asymmetric keys
Symmetric keys
Passwords
Public key pairs
a.
b.
c.
d.
1
1
2
3
only
or 4
or 3
or 4
10. c. Shared secrets are based on either symmetric keys or passwords. The asymm
etric keys are used in public key pairs. In a protocol sense, all shared secrets
are similar and can be used in similar authentication protocols.
11. For electronic authentication, which of the following is not an example of a
ssertions?
a.
b.
c.
d.
Cookies
Security assertions markup language
X.509 certificates
Kerberos tickets
a.
b.
c.
d.
12. b. Electronic credentials are digitally signed objects, in which case their
integrity is verified. When the directory or database server is trusted, unsigne
d credentials may be stored as unsigned data.
13. In electronic authentication, electronic credentials are stored as data in
a directory or database. Which of the following refers to when the directory or
database is untrusted?
a.
b.
c.
d.
Self-authenticating
Authentication to the relying party
Authentication to the verifier
Authentication to the credential service provider
ApplicantRegistration AuthoritySubscriberClaimant
Registration AuthorityApplicantClaimantSubscriber
SubscriberApplicantRegistration AuthorityClaimant
ClaimantSubscriberRegistration AuthorityApplicant
14. a. The correct flows and proper interactions between the various parties inv
olved in electronic authentication include the following:
An individual applicant applies to a registration authority (RA) through a regis
tration process to become a subscriber of a credential service provider (CSP)
The RA identity proofs that applicant
On successful identity proofing, the RA sends the CSP a registration confirmatio
n message
A secret token and a corresponding credential are established between the CSP an
d the new subscriber for use in subsequent authentication events
The party to be authenticated is called a claimant (subscriber) and the party ve
rifying that identity is called a verifier
The other three choices are incorrect because they do not represent the correct
flows and proper interactions.
15. In electronic authentication, which of the following represents the correct
order of passing information about assertions?
a.
b.
c.
d.
col to the relying party. The object created by the verifier to convey the resul
t of the authentication protocol is called an assertion. The credential service
provider and the registration authority are not part of the assertion process.
16. From an access control viewpoint, which of the following are restricted acc
ess control models?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
16. c. Both the Bell-LaPadula model and domain type enforcement model uses restr
icted access control models because they are employed in safety-critical systems
, such as military and airline systems. In a restricted model, the access contro
l policies are expressed only once by a trusted principal and fixed for the life
of the system. The identity-based and attribute-based access control policies a
re not based on restricted access control models but based on identities and att
ributes respectively.
17. Regarding password guessing and cracking threats, which of the following ca
n help mitigate such threats?
a.
b.
c.
d.
Passwords
Passwords
Passwords
Passwords
with
with
with
with
Token
Token
Token
Token
secret
secret
secret
secret
and
and
and
and
salt or challenge
seed or challenge
nonce or challenge
shim or challenge
18. c. The authenticator is generated through the use of a token. In the trivial
case, the authenticator may be the token secret itself where the token is a pas
sword. In the general case, an authenticator is generated by performing a mathem
atical function using the token secret and one or more optional token input valu
es such as a nonce or challenge.
19. b. Using one token to gain access to a second token is considered a single t
oken and a single factor scheme because all that is needed to gain access is the
initial token. Therefore, when this scheme is used, the compound solution is on
ly as strong as the token with the lowest assurance level. The other choices are
incorrect because they are not applicable to the situation here.
20. As a part of centralized password management solutions, which of the follow
ing statements are true about password synchronization?
1.
2.
3.
4.
No centralized directory
No authentication server
Easier to implement than single sign-on technology
Less expensive than single sign-on technology
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
4
4
3, and 4
20. d. A password synchronization solution takes a password from a user and chan
ges the passwords on other resources to be the same as that password. The user t
hen authenticates directly to each resource using that password. There is no cen
tralized directory or no authentication server performing authentication on beha
lf of the resources. The primary benefit of password synchronization is that it
reduces the number of passwords that users need to remember; this may permit use
rs to select stronger passwords and remember them more easily. Unlike single sig
n-on (SSO) technology, password synchronization does not reduce the number of ti
mes that users need to authenticate. Password synchronization solutions are typi
cally easier, less expensive, and less secure to implement than SSO technologies
.
21. As a part of centralized password management solutions, password synchroniz
ation becomes a single point-of-failure due to which of the following?
a. It uses the same password for many resources.
b. It can enable an attacker to compromise a low-security resource to gain acces
s to a high-security resource.
c. It uses the lowest common denominator approach to password strength.
d. It can lead passwords to become unsynchronized.
21. a. All four choices are problems with password synchronization solution. Bec
ause the same password is used for many resources, the compromise of any one ins
tance of the password compromises all the instances, therefore becoming a single
point-of-failure. Password synchronization forces the use of the lowest common
denominator approach to password strength, resulting in weaker passwords due to
character and length constraints. Passwords can become unsynchronized when a use
r changes a resource password directly with that resource instead of going throu
gh the password synchronization user interface. A password could also be changed
due to a resource failure that requires restoration of a backup.
22. RuBAC is rule-based access control; RAdAC is risk adaptive access control;
UDAC is user-directed access control; MAC is mandatory access control; ABAC is a
ttribute-based access control; RBAC is role-based access control; IBAC is identi
ty-based access control; and PBAC is policy-based access control. From an access
control viewpoint, separation of domains is achieved through which of the follo
wing?
a.
b.
c.
d.
RuBAC or RAdAC
UDAC or MAC
ABAC or RBAC
IBAC or PBAC
22. c. Access control policy may benefit from separating Web services into vario
us domains or compartments. This separation can be implemented in ABAC using res
ource attributes or through additional roles defined in RBAC. The other three ch
oices cannot handle separation of domains.
23. Regarding local administrator password selection, which of the following ca
n become a single point-of-failure?
a.
b.
c.
d.
23. a. Having a common password shared among all local administrator or root acc
ounts on all machines within a network simplifies system maintenance, but it is
a widespread security weakness, becoming a single point-of-failure. If a single
machine is compromised, an attacker may recover the password and use it to gain
access to all other machines that use the shared password. Therefore, it is good
to avoid using the same local administrator or root account passwords across ma
ny systems. The other three choices, although risky in their own way, do not yie
ld a single point-of-failure.
24. In electronic authentication, which of the following statements is not true
about a multistage token scheme?
a. An additional token is used for electronic transaction receipt.
b. Multistage scheme assurance is higher than the multitoken scheme assurance us
ing the same set of tokens.
c. An additional token is used as a confirmation mechanism.
d. Two tokens are used in two stages to raise the assurance level.
24. b. In a multistage token scheme, two tokens are used in two stages, and addi
tional tokens are used for transaction receipt and confirmation mechanism to ach
ieve the required assurance level. The level of assurance of the combination of
the two stages can be no higher than that possible through a multitoken authenti
cation scheme using the same set of tokens.
25. Online guessing is a threat to the tokens used for electronic authenticatio
n. Which of the following is a countermeasure to mitigate the online guessing th
reat?
a.
b.
c.
d.
Use
Use
Use
Use
25. a. Entropy is the uncertainty of a random variable. Tokens that generate hig
Use
Use
Use
Use
26. b. In token duplication, the subscribers token has been copied with or withou
t the subscribers knowledge. A countermeasure is to use hardware cryptographic to
kens that are difficult to duplicate. Physical security mechanisms can also be u
sed to protect a stolen token from duplication because they provide tamper evide
nce, detection, and response capabilities. The other three choices cannot handle
a duplicate tokens problem.
27. Eavesdropping is a threat to the tokens used for electronic authentication.
Which of the following is a countermeasure to mitigate the eavesdropping threat
?
a.
b.
c.
d.
Use
Use
Use
Use
Group accounts
Local user accounts
Guest accounts
Anonymous accounts
Use
Use
Use
Use
account credentials. It involves Internet fraudsters who send spam or pop-up mes
sages to lure personal information (e.g., credit card numbers, bank account info
rmation, social security numbers, passwords, or other sensitive information) fro
m unsuspecting victims. Pharming is misdirecting users to fraudulent websites or
proxy servers, typically through DNS hijacking or poisoning.
30. Theft is a threat to the tokens used for electronic authentication. Which o
f the following is a countermeasure to mitigate the theft threat?
a.
b.
c.
d.
Use
Use
Use
Use
Use
Use
Use
Use
a.
b.
c.
d.
1
1
1
2
only
and 3
and 4
and 4
33. b. Unencrypted password files and unsigned public key certificates are examp
les of weakly bound credentials. The association between the identity and the to
ken within a weakly bound credential can be readily undone, and a new associatio
a.
b.
c.
d.
1
1
1
2
only
and 3
and 4
and 4
34. d. Signed password files and signed public key certificates are examples of
strongly bound credentials. The association between the identity and the token w
ithin a strongly bound credential cannot be easily undone. For example a digital
signature binds the identity to the public key in a public key certificate; tam
pering of this signature can be easily detected through signature verification.
35. In electronic authentication, which of the following can be used to derive,
guess, or crack the value of the token secret or spoof the possession of the to
ken?
a.
b.
c.
d.
Private credentials
Public credentials
Paper credentials
Electronic credentials
Directive controls
Preventive controls
Detective controls
Corrective controls
36. b. Authorization controls such as access control matrices and capability tes
ts are a part of preventive controls because they block unauthorized access. Pre
ventive controls deter security incidents from happening in the first place.
Directive controls are broad-based controls to handle security incidents, and th
ey include managements policies, procedures, and directives. Detective controls e
nhance security by monitoring the effectiveness of preventive controls and by de
tecting security incidents where preventive controls were circumvented. Correcti
ve controls are procedures to react to security incidents and to take remedial a
ctions on a timely basis. Corrective controls require proper planning and prepar
ation as they rely more on human judgment.
Verifier
Relying party
Credential service provider
Registration authority
37. c. The credential service provider (CSP) is the only one responsible for mai
ntaining the credential in storage. The verifier and the CSP may or may not belo
ng to the same entity. The other three choices are incorrect because they are no
t applicable to the situation here.
38. Which of the following is the correct definition of privilege management?
a.
b.
c.
d.
Privilege
Privilege
Privilege
Privilege
management
management
management
management
=
=
=
=
Trust management
Privilege management
Policy language
Query language
39. a. The extensible access control markup language (XACML) is a standard for m
anaging access control policy and supports the enterprise-level privilege manage
ment. It includes a policy language and a query language. However, XACML does no
t define authority delegation and trust management.
40. For intrusion detection and prevention system (IDPS) security capabilities,
which of the following prevention actions should be performed first to reduce t
he risk of inadvertently blocking benign activity?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
40. d. Some intrusion detection and prevention system (IDPS) sensors have a lear
ning mode or simulation mode that suppresses all prevention actions and instead
indicates when a prevention action should have been performed. This ability enab
les administrators to monitor and fine-tune the configuration of the prevention
capabilities before enabling prevention actions, which reduces the risk of inadv
ertently blocking benign activity. Alerts can be enabled or disabled later.
43. a. In a cross site scripting (XSS) vulnerability, an attacker may use an ext
ensible markup language (XML) injection to perform the equivalent of an XSS, in
which requesters of a valid Web service have their requests transparently rerout
ed to an attacker-controlled Web service that performs malicious operations. To
prevent XSS vulnerabilities, the relying party should sanitize inputs from claim
ants or subscribers to ensure they are not executable, or at the very least not
malicious, before displaying them as content to the subscribers browser. The othe
r three choices are incorrect because they are not applicable to the situation h
ere.
44. In electronic authentication, which of the following controls is not effecti
ve against a cross site request forgery (CSRF) attack?
a.
b.
c.
d.
44. a. A cross site request forgery (CSRF) is a type of session hijacking attack
where a malicious website contains a link to the URL of the legitimate relying
party. Web applications, even those protected by secure sockets layer/transport
layer security (SSL/TLS), can still be vulnerable to the CSRF attack. One contro
l to protect the CSRF attack is by inserting random data, supplied by the relyin
g party, into any linked uniform resource locator with side effects and into a h
idden field within any form on the relying partys website. Generating a per-sessi
on shared secret is effective against a session hijacking problem. Sanitizing in
puts to make them nonexecutable is effective against cross site scripting (XSS)
attacks, not CSRF attacks.
45. In electronic authentication, which of the following can mitigate the threa
t of assertion manufacture and/or modification?
a.
b.
c.
d.
an unauthorized access.
authorized access.
an authorized access.
unauthorized access.
Proof-by-possession
Proof-by-knowledge
Proof-by-property
Proof-of-origin
Proof-by-possession
Proof-by-knowledge
Proof-by-property
Proof-of-origin
Disabling
Auditing
Notifying
Terminating
52. b. All the accounts mentioned in the question can be disabled, notified, or
terminated, but it is not effective. Auditing of account creation, modification,
notification, disabling, and termination (i.e., the entire account cycle) is ef
fective because it can identify anomalies in the account cycle process.
53. Regarding access enforcement, which of the following mechanisms should not b
e employed when an immediate response is necessary to ensure public and environm
ental safety?
a.
b.
c.
d.
Dual
Dual
Dual
Dual
cable
authorization
use certificate
backbone
54. a. Nondiscretionary access control policies have rules that are not establis
hed at the discretion of the user. These controls can be changed only through ad
ministrative action and not by users. An identity-based access control (IBAC) de
cision grants or denies a request based on the presence of an entity on an acces
s control list (ACL). IBAC and discretionary access control are considered equiv
alent and are not examples of nondiscretionary access controls.
The other three choices are examples of nondiscretionary access controls. Mandat
ory access control deals with rules, role-based access control deals with job ti
tles and functions, and temporal constraints deal with time-based restrictions a
nd control time-sensitive activities.
55. Encryption is used to reduce the probability of unauthorized disclosure and
changes to information when a system is in which of the following secure, non-o
perable system states?
a.
b.
c.
d.
Troubleshooting
Offline for maintenance
Boot-up
Shutdown
55. b. Secure, non-operable system states are states in which the information sy
stem is not performing business-related processing. These states include offline
for maintenance, troubleshooting, bootup, and shutdown. Offline data should be
stored with encryption in a secure location. Removing information from online st
orage to offline storage eliminates the possibility of individuals gaining unaut
horized access to that information via a network.
56. Bitmap objects and textual objects are part of which of the following secur
ity policy filters?
a.
b.
c.
d.
56. c. Unstructured data consists of two basic categories: bitmap objects (e.g.,
image, audio, and video files) and textual objects (e.g., e-mails and spreadshe
ets). Security policy filters include file type checking filters, dirty word fil
ters, structured and unstructured data filters, metadata content filters, and hi
dden content filters.
57. Information flow control enforcement employing rulesets to restrict informa
tion system services provides:
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
57. c. Packet filters are based on header information whereas message filters ar
e based on content using keyword searches. Both packet filters and message filte
rs use rulesets. Structured data filters and metadata content filters do not use
rulesets.
58. For information flow enforcement, what are explicit security attributes use
d to control?
a.
b.
c.
d.
58. a. Information flow enforcement using explicit security attributes are used
to control the release of certain types of information such as sensitive data. D
ata content, data structure, and source and destination objects are examples of
implicit security attributes.
59. What do policy enforcement mechanisms, used to transfer information between
different security domains prior to transfer, include?
1.
2.
3.
4.
Embedding rules
Release rules
Filtering rules
Sanitization rules
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Constrain
Constrain
Constrain
Constrain
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
file lengths
character sets
schemas
data structures
3
3
4
3, and 4
62. a. One-way flows are implemented using hardware mechanisms for controlling t
he flow of information within a system and between interconnected systems. As su
ch they cannot detect unsanctioned information.
The other three choices do detect unsanctioned information and prohibit the tran
sfer with actions such as checking all transferred information for malware, impl
ementing dirty word list searches on transferred information, and applying secur
ity attributes to metadata that are similar to information payloads.
63. Which of the following binds security attributes to information to facilita
te information flow policy enforcement?
a.
b.
c.
d.
Security labels
Resolution labels
Header labels
File labels
63. b. Means to bind and enforce the information flow include resolution labels
that distinguish between information systems and their specific components, and
between individuals involved in preparing, sending, receiving, or disseminating
information. The other three types of labels cannot bind security attributes to
information.
64. Which of the following access enforcement mechanisms provides increased inf
ormation security for an organization?
a.
b.
c.
d.
64. b. Normal access enforcement mechanisms include access control lists, access
control matrices, and cryptography. Increased information security is provided
at the application system level (i.e., accounting and marketing systems) due to
the use of password and PIN.
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
65. d. Specific architectural security solutions can reduce the potential for un
discovered vulnerabilities. These solutions include all four items mentioned.
66. From an access control point of view, separation of duty is of two types: s
tatic and dynamic. Which of the following are examples of static separation of d
uties?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
66. b. Separation of duty constraints require that two roles be mutually exclusi
ve because no user should have the privileges from both roles. Both role-based a
nd rule-based access controls are examples of static separation of duty.
Dynamic separation of duty is enforced at access time, and the decision to grant
access refers to the past access history. Examples of dynamic separation of dut
y include workflow policy and the Chinese Wall policy.
67. In biometrics-based identification and authentication techniques, which of
the following statements are true about biometric errors?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
2
and
and
and
and
3
4
3
4
2 only
2 and 3
2, 3, and 4
1, 2, 3, and 4
68. d. User-selected passwords generally contain less entropy, are easier for us
ers to remember, use weaker passwords, and at the same time are easier for attac
kers to guess or crack.
69. As a part of centralized password management solution, which of the followi
ng architectures for single sign-on technology becomes a single point-of-failure
?
a.
b.
c.
d.
Man-in-the-middle attack
Replay attack
Social engineering attack
Phishing attack
Two-person rule
History-based separation of duty
Design-time
Run-time
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
71. a. The two-person rule states that the first user can be any authorized user
, but the second user can be any authorized user different from the first. Histo
ry-based separation of duty regulates that the same subject (role or user) canno
t access the same object (program or device) for a variable number of times. Des
ign-time and run-time are used in the workflow policy.
72. From an access control point of view, the Chinese Wall policy focuses on wh
ich of the following?
a.
b.
c.
d.
Confidentiality
Integrity
Availability
Assurance
72. a. The Chinese Wall policy is used where company sensitive information (i.e.
, confidentiality) is divided into mutually disjointed conflict-of-interest cate
gories. The Biba model focuses on integrity. Availability, assurance, and integr
ity are other components of security principles that are not relevant to the Chi
nese Wall policy.
73. From an access control point of view, which of the following maintains cons
istency between the internal data and users expectations of that data?
a.
b.
c.
d.
Security policy
Workflow policy
Access control policy
Chinese Wall policy
73. b. The goal of workflow policy is to maintain consistency between the intern
al data and external (users) expectations of that data. This is because the workf
low is a process, consisting of tasks, documents, and data. The Chinese Wall pol
icy deals with dividing sensitive data into separate categories. The security po
licy and the access control policy are too general to be of any importance here.
74. From an access control point of view, separation of duty is not related to w
hich of the following?
a.
b.
c.
d.
Safety
Reliability
Fraud
Security
74. b. Computer systems must be designed and developed with security and safety
in mind because unsecure and unsafe systems can cause injury to people and damag
e to assets (e.g., military and airline systems). With separation of duty (SOD),
fraud can be minimized when sensitive tasks are separated from each other (e.g.
, signing a check from requesting a check). Reliability is more of an engineerin
g term in that a computer system is expected to perform with the required precis
ion on a consistent basis. On the other hand, SOD deals with people and their wo
rk-related actions, which are not precise and consistent.
75. Which of the following statements are true about access controls, safety, t
rust, and separation of duty?
1.
2.
3.
4.
No
No
No
No
a.
b.
c.
d.
1 only
2 only
1, 2, and 3
1, 2, 3, and 4
76. c. The separation of duty concept is not enforced by the access control matr
ix model because it is not safety configured and is based on an arbitrary constr
aint. The other three choices use restricted access control models with access c
onstraints that describe the safety requirements of any configuration.
77. Which of the following statements are true about access controls and safety
?
1. More complex safety policies need more flexible access controls.
2. Adding flexibility to restricted access control models increases safety probl
ems.
3. A trade-off exists between the expressive power of an access control model an
d the ease of safety enforcement.
4. In the implicit access constraints model, safety enforcement is relatively ea
sier than in the arbitrary constraints model.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
3
4
3, and 4
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
e deals with committing fraud or collusion when many users are involved in handl
ing a business transaction.
79. Role-based access control and the least privilege principle do not enable wh
ich of the following?
a.
b.
c.
d.
80. c. The extensible access control markup language (XACML) framework does not
provide support for representing the traditional access controls (e.g., RuBAC, M
AC, and DAC), but it does incorporate the role-based access control (RBAC) suppo
rt. The XACML specification describes building blocks from which an RBAC solutio
n is developed.
81. From an access control viewpoint, which of the following requires an audit
the most?
a.
b.
c.
d.
81. c. The goal is to limit exposure due to operating from within a privileged a
ccount or role. A change of role for a user or process should provide the same d
egree of assurance in the change of access authorizations for that user or proce
ss. The same degree of assurance is also needed when a change between a privileg
ed account and non-privileged account takes place. Auditing of privileged accoun
ts is required mostly to ensure that privileged account users use only the privi
leged accounts and that non-privileged account users use only the non-privileged
accounts. An audit is not required for public access accounts due to little or
no risk involved. Privileged accounts are riskier than nonpublic accounts.
82. From an information flow policy enforcement viewpoint, which of the followi
ng allows forensic reconstruction of events?
1.
2.
3.
4.
Security attributes
Security policies
Source points
Destination points
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
82. c. The ability to identify source and destination points for information flo
wing in an information system allows for forensic reconstruction of events and i
ncreases compliance to security policies. Security attributes are critical compo
nents of the operations security concept.
83. From an access control policy enforcement viewpoint, which of the following
should not be given a privileged user account to access security functions durin
g the course of normal operations?
1.
2.
3.
4.
a.
b.
c.
d.
1
3
4
3
and 2
only
only
and 4
management
management
management
management
86. b. Super user accounts are typically described as administrator or root acco
unts. Access to super user accounts should be limited to designated security and
system administration staff only, and not to the end-user accounts, guest accou
nts, anonymous accounts, or temporary accounts. Security and system administrati
on staff use the super user accounts to access key security/system parameters an
d commands.
87. Responses to unsuccessful login attempts and session locks are implemented
with which of the following?
a.
b.
c.
d.
87.c. Response to unsuccessful login attempts can be implemented at both the ope
rating system and the application system levels. The session lock is implemented
typically at the operating system level but may be at the application system le
vel. Hardware and firmware are not used for unsuccessful login attempts and sess
ion lock.
88. Which of the following statements is not true about a session lock in access
control?
a. A session
b. A session
c. A session
reen.
d. A session
.
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
89. c. Access to public websites and emergency situations are examples of user p
ermitted actions that don t require identification or authentication. Both unsuc
cessful login attempts and reestablishing a session lock require proper identifi
cation or authentication procedures. A session lock is retained until proper ide
ntification or authentication is submitted, accepted, and reestablished.
90. Which of the following circumstances require additional security protection
Security
Security
Security
Security
attributes
attributes
attributes
attributes
and
and
and
and
data structures
security policies
information objects
security labels
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
92. a. International standards for access control decisions do not use the U.S.based discretionary or mandatory access control policies. Instead, they use iden
tity-based and rule-based access control policies.
93. Which of the following is an example of less than secure networking protoco
ls for remote access sessions?
a.
b.
c.
d.
Secure shell-2
Virtual private network with blocking mode enabled
Bulk encryption
Peer-to-peer networking protocols
93. d. An organization must ensure that remote access sessions for accessing sec
urity functions employ security measures and that they are audited. Bulk encrypt
ion, session layer encryption, secure shell-2 (SSH-2), and virtual private netwo
rking (VPN) with blocking enabled are standard security measures. Bluetooth and
peer-to-peer (P2P) networking are examples of less than secure networking protoc
ols.
94. For wireless access, in which of the following ways does an organization co
nfine wireless communications to organization-controlled boundaries?
1. Reducing the power of the wireless transmission and controlling wireless eman
ations
2. Configuring the wireless access path such that it is point-to-point in nature
3. Using mutual authentication protocols
4. Scanning for unauthorized wireless access points and connections
a.
b.
c.
d.
1 only
3 only
2 and 4
1, 2, 3, and 4
Use
Use
Use
Use
of
of
of
of
96. d. When unclassified mobile devices are connected to classified systems cont
aining classified information, it is a risky situation because a security policy
is violated. This action should trigger an incident response handling process.
Connection of an unclassified mobile device to an unclassified system still requ
ires an approval; although, it is less risky. Use of internal or external modems
or wireless interfaces within the mobile device should be prohibited.
97. For least functionality, organizations utilize which of the following to id
entify and prevent the use of prohibited functions, ports, protocols, and servic
es?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
4
4
3, and 4
97. d. Organizations can utilize network scanning tools, intrusion detection and
prevention systems (IDPS), endpoint protections such as firewalls, and host-bas
ed intrusion detection systems to identify and prevent the use of prohibited fun
ctions, ports, protocols, and services.
98. An information system uses multifactor authentication mechanisms to minimiz
e potential risks for which of the following situations?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
Nonces
Challenges
Time synchronous authenticators
Challenge-response one-time authenticators
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Bidirectional authentication
Group authentication
Device-unique authentication
Individual authentication
Dynamic
Dynamic
Dynamic
Dynamic
102. a. For dynamic address allocation for devices, dynamic host configuration p
rotocol (DHCP)-enabled clients obtain leases for Internet Protocol (IP) addresse
s from DHCP servers. Therefore, the dynamic address allocation process for devic
es is standardized with DHCP. The other three choices do not have the capability
to obtain leases for IP addresses.
103. For identifier management, service-oriented architecture implementations d
o not reply on which of the following?
a.
b.
c.
d.
Dynamic identities
Dynamic attributes and privileges
Preregistered users
Pre-established trust relationships
Stored authenticators
Default authenticators
Reused authenticators
Refreshed authenticators
105. For authenticator management, use of which of the following is risky and l
eads to possible alternatives?
a.
b.
c.
d.
Deny-all, permit-by-exception
Allow-all, deny-by-exception
Allow-all, deny-by-default
Deny-all, accept-by-permission
Directive controls
Preventive controls
Detective controls
Corrective controls
108. b. Encryption prevents unauthorized access and protects data and programs w
hen they are in storage (at rest) or in transit. Preventive controls deter secur
ity incidents from happening in the first place.
Directive controls are broad-based controls to handle security incidents, and th
ey include managements policies, procedures, and directives. Detective controls e
nhance security by monitoring the effectiveness of preventive controls and by de
tecting security incidents where preventive controls were circumvented. Correcti
Deny-all, permit-by-exception
Allow-all, deny-by-exception
Allow-all, deny-by-default
Deny-all, accept-by-permission
Compensating controls
Close supervision
Team review of work
Peer review of work
a.
b.
c.
d.
1 only
2 only
1 and 2
1, 2, 3, and 4
110. d. When the enforcement of normal security policies, procedures, and rules
is difficult, it takes on a different dimension from that of requiring contracts
, separation of duties, and system access controls. Under these situations, comp
ensating controls in the form of close supervision, followed by peer and team re
view of quality of work are needed.
111. Which of the following is critical to understanding an access control poli
cy?
a.
b.
c.
d.
Reachable-state
Protection-state
User-state
System-state
112. a. DES is weak and should not be used because of several documented securit
y weaknesses. The other three choices can be used. AES can be used because it is
strong. RSA is used in key transport where the authentication server generates
the user symmetric key and sends the key to the client. DH is used in key agreem
ent between the authentication server and the client.
113. From an access control decision viewpoint, failures due to flaws in permis
sion-based systems tend to do which of the following?
a.
b.
c.
d.
113. b. When failures occur due to flaws in permission-based systems, they tend
to fail-safe with permission denied. There are two types of access control decis
ions: permission-based and exclusion-based.
114. Host and application system hardening procedures are a part of which of th
e following?
a.
b.
c.
d.
Directive controls
Preventive controls
Detective controls
Corrective controls
114. b. Host and application system hardening procedures are a part of preventiv
e controls, as they include antivirus software, firewalls, and user account mana
gement. Preventive controls deter security incidents from happening in the first
place.
Directive controls are broad-based controls to handle security incidents, and th
ey include managements policies, procedures, and directives. Detective controls e
nhance security by monitoring the effectiveness of preventive controls and by de
tecting security incidents where preventive controls were circumvented. Correcti
ve controls are procedures to react to security incidents and to take remedial a
ctions on a timely basis. Corrective controls require proper planning and prepar
ation as they rely more on human judgment.
115. From an access control decision viewpoint, fail-safe defaults operate on w
hich of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
2
4
only
only
and 3
only
115. c. Fail-safe defaults mean that access control decisions should be based on
permit and allow policy (i.e., permission rather than exclusion). This equates
to the condition in which lack of access is the default (i.e., no access, yes de
fault). Allow all and deny-by-default refers to yes-access, yes-default situations
.
116. For password management, automatically generated random passwords usually
provide which of the following?
1.
2.
3.
4.
Greater entropy
Passwords that are hard for attackers to guess
Stronger passwords
Passwords that are hard for users to remember
a.
b.
c.
d.
2 only
2 and 3
2, 3, and 4
1, 2, 3, and 4
117. c. The trick is balancing the trade-off between the false acceptance rate (
FAR) and false rejection rate (FRR). A high FAR means that security is unaccepta
bly weak.
A FAR is the probability that a biometric system can incorrectly identify an ind
ividual or fail to reject an imposter. The FAR given normally assumes passive im
poster attempts, and a low FAR is better. The FAR is stated as the ratio of the
number of false acceptances divided by the number of identification attempts.
An FRR is the probability that a biometric system will fail to identify an indiv
idual or verify the legitimate claimed identity of an individual. A low FRR is b
etter. The FRR is stated as the ratio of the number of false rejections divided
by the number of identification attempts.
118. In biometrics-based identification and authentication techniques, which of
the following indicates that technology used in a biometric system is not viable
?
a.
b.
c.
d.
118. d. A high false rejection rate (FRR) means that the technology is creating
a (PP) nuisance to falsely rejected users thereby undermining user acceptance an
d questioning the viability of the technology used. This could also mean that th
e technology is obsolete, inappropriate, and/or not meeting the users changing ne
eds.
A false acceptance rate (FAR) is the probability that a biometric system will in
correctly identify an individual or fail to reject an imposter. The FAR given no
rmally assumes passive imposter attempts, and a low FAR is better and a high FAR
is an indication of a poorly operating biometric system, not related to technol
ogy. The FAR is stated as the ratio of the number of false acceptances divided b
y the number of identification attempts.
A FRR is the probability that a biometric system will fail to identify an indivi
dual or verify the legitimate claimed identity of an individual. A low FRR is be
tter. The FRR is stated as the ratio of the number of false rejections divided b
y the number of identification attempts.
119. In biometrics-based identification and authentication techniques, what is
a countermeasure to mitigate the threat of identity spoofing?
a.
b.
c.
d.
Liveness detection
Digital signatures
Rejecting exact matches
Session lock
119. a. An adversary may present something other than his own biometric to trick
the system into verifying someone elses identity, known as spoofing. One type of
mitigation for an identity spoofing threat is liveness detection (e.g., pulse o
r lip reading). The other three choices cannot perform liveness detection.
120. In biometrics-based identification and authentication techniques, what is
a countermeasure to mitigate the threat of impersonation?
a.
b.
c.
d.
Liveness detection
Digital signatures
Rejecting exact matches
Session lock
120. b. Attackers can use residual data on the biometric reader or in memory to
impersonate someone who authenticated previously. Cryptographic methods such as
digital signatures can prevent attackers from inserting or swapping biometric da
ta without detection. The other three choices do not provide cryptographic measu
res to prevent impersonation attacks.
121. In biometrics-based identification and authentication techniques, what is
a countermeasure to mitigate the threat of replay attack?
a.
b.
c.
d.
Liveness detection
Digital signatures
Rejecting exact matches
Session lock
121. c. A replay attack occurs when someone can capture a valid users biometric d
ata and use it at a later time for unauthorized access. A potential solution is
to reject exact matches, thereby requiring the user to provide another biometric
sample. The other three choices do not provide exact matches.
122. In biometrics-based identification and authentication techniques, what is
a countermeasure to mitigate the threat of a security breach from unsuccessful a
uthentication attempts?
a.
b.
c.
d.
Liveness detection
Digital signatures
Rejecting exact matches
Session lock
122. d. It is good to limit the number of attempts any user can unsuccessfully a
ttempt to authenticate. A session lock should be placed where the system locks t
he user out and logs a security event whenever a user exceeds a certain amount o
f failed logon attempts within a specified timeframe.
The other three choices cannot stop unsuccessful authentication attempts. For ex
ample, if an adversary can repeatedly submit fake biometric data hoping for an e
xact match, it creates a security breach without a session lock. In addition, re
jecting exact matches creates ill will with the genuine user.
123. In the single sign-on technology, timestamps thwart which of the following
?
a.
b.
c.
d.
Man-in-the-middle attack
Replay attack
Social engineering attack
Phishing attack
ClaimantAuthentication ProtocolVerifier
ClaimantAuthenticatorVerifier
VerifierClaimantRelying Party
ClaimantVerifierRelying Party
124. d. The party to be authenticated is called a claimant and the party verifyi
ng that identity is called a verifier. When a claimant successfully demonstrates
possession and control of a token in an online authentication to a verifier thr
ough an authentication protocol, the verifier can verify that the claimant is th
e subscriber. The verifier passes on an assertion about the identity of the subs
criber to the relying party. The verifier must verify that the claimant has poss
ession and control of the token that verifies his identity. A claimant authentic
ates his identity to a verifier by the use of a token and an authentication prot
ocol, called proof-of-possession protocol.
The other three choices are incorrect as follows:
The flow of authentication process involving ClaimantAuthentication ProtocolVerifi
er: The authentication process establishes the identity of the claimant to the v
erifier with a certain degree of assurance. It is implemented through an authent
ication protocol message exchange, as well as management mechanisms at each end
that further constrain or secure the authentication activity. One or more of the
messages of the authentication protocol may need to be carried on a protected c
hannel.
The flow of tokens and credentials involving ClaimantAuthenticatorVerifier: Tokens
generally are something the claimant possesses and controls that may be used to
authenticate the claimants identity. In E-authentication, the claimant authentic
ates to a system or application over a network by proving that he has possession
of a token. The token produces an output called an authenticator and this outpu
t is used in the authentication process to prove that the claimant possesses and
controls the token.
The flow of assertions involving VerifierClaimantRelying Party: Assertions are sta
tements from a verifier to a relying party that contain information about a subs
criber (claimant). Assertions are used when the relying party and the verifier a
re not collocated (e.g., they are connected through a shared network). The relyi
ng party uses the information in the assertion to identify the claimant and make
authorization decisions about his access to resources controlled by the relying
party.
125. Which of the following authentication techniques is appropriate for access
ing nonsensitive IT assets with multiple uses of the same authentication factor?
a.
b.
c.
d.
Single-factor authentication
Two-factor authentication
Three-factor authentication
Multifactor authentication
125. a. Multiple uses of the same authentication factor (e.g., using the same pa
ssword more than once) is appropriate for accessing nonsensitive IT assets and i
s known as a single-factor authentication. The other three factors are not neede
d for authentication of low security risk and nonsensitive assets.
126. From an access control effectiveness viewpoint, which of the following rep
resents biometric verification when a user submits a combination of a personal i
dentification number (PIN) first and biometric sample next for authentication?
a.
b.
c.
d.
One-to-one matching
One-to-many matching
Many-to-one matching
Many-to-many matching
One-to-one matching
One-to-many matching
Many-to-one matching
Many-to-many matching
One-to-one matching
One-to-many matching
Many-to-one matching
Many-to-many matching
128. b. The biometric identification with one-to-many matching can result in slo
w system response times and can be more expensive depending on the size of the b
iometric database. That is, the larger the database size, the slower the system
response time. A personal identification number (PIN) is entered as a second aut
hentication factor, and the matching is slow.
129. During biometric verification, which of the following can result in faster
system response times and can be less expensive?
a.
b.
c.
d.
One-to-one matching
One-to-many matching
Many-to-one matching
Many-to-many matching
129. a. The biometric verification with one-to-one matching can result in faster
system response times and can be less expensive because the personal identifica
tion number (PIN) is entered as a first authenticator and the matching is quick.
130. From an access control effectiveness viewpoint, which of the following is
represented when a user submits a combination of hardware token and a personal i
dentification number (PIN) for authentication?
1.
2.
3.
4.
a. 1 only
b. 2 only
c. 1 and 3
d. 2 and 4
130. c. This combination represents something that you have (i.e., hardware toke
n) and something that you know (i.e., PIN). The hardware token can be lost or st
olen. Therefore, this is a weak form of two-factor authentication that can be us
ed to support unattended access controls for physical access only. Logical acces
s controls are software-based and as such do not support a hardware token.
131. From an access control effectiveness viewpoint, which of the following is
represented when a user submits a combination of public key infrastructure (PKI)
keys and a personal identification number (PIN) for authentication?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
1
2
only
only
and 3
and 4
131. d. This combination represents something that you have (i.e., PKI keys) and
something that you know (i.e., PIN). There is no hardware token to lose or stea
l. Therefore, this is a strong form of two-factor authentication that can be use
d to support logical access.
132. RuBAC is rule-based access control, ACL is access control list, IBAC is id
entity-based access control, DAC is discretionary access control, and MAC is man
datory access control. For identity management, which of the following equates t
he access control policies and decisions between the U.S. terminology and the in
ternational standards?
1.
2.
3.
4.
RuBAC = ACL
IBAC = ACL
IBAC = DAC
RuBAC = MAC
a.
b.
c.
d.
1
2
3
3
only
only
only
and 4
access control lists (ACLs). These lists may be individually administered, may b
e centrally administered and distributed to individual locations, or may reside
on one or more central servers. Attribute-based access control (ABAC) deals with
subjects and objects, rule-based (RuBAC) deals with rules, and role-based (RBAC
) deals with roles or job functions.
134. RBAC is role-based access control, MAC is mandatory access control, DAC is
discretionary access control, ABAC is attribute-based access control, PBAC is p
olicy-based access control, IBAC is identity-based access control, RuBAC is rule
-based access control, RAdAC is risk adaptive access control, and UDAC is user-d
irected access control. For identity management, RBAC policy is defined as which
of the following?
a.
b.
c.
d.
RBAC
RBAC
RBAC
RBAC
=
=
=
=
MAC + DAC
ABAC + PBAC
IBAC + RuBAC
RAdAC + UDAC
One-factor authentication
Two-factor authentication
Three-factor authentication
Four-factor authentication
135. b. This situation illustrates that multiple instances of the same factor (i
.e., something you have is used two times) results in one-factor authentication.
When this is combined with something you know, it results in a two-factor authe
ntication scheme.
136. Remote access controls are a part of which of the following?
a.
b.
c.
d.
Directive controls
Preventive controls
Detective controls
Corrective controls
136. b. Remote access controls are a part of preventive controls, as they includ
e Internet Protocol (IP) packet filtering by border routers and firewalls using
access control lists. Preventive controls deter security incidents from happenin
g in the first place.
Directive controls are broad-based controls to handle security incidents, and th
ey include managements policies, procedures, and directives. Detective controls e
nhance security by monitoring the effectiveness of preventive controls and by de
tecting security incidents where preventive controls were circumvented. Correcti
ve controls are procedures to react to security incidents and to take remedial a
ctions on a timely basis. Corrective controls require proper planning and prepar
ation as they rely more on human judgment.
137. What is using two different passwords for accessing two different systems
in the same session called?
a.
b.
c.
d.
One-factor authentication
Two-factor authentication
Three-factor authentication
Four-factor authentication
137. b. Requiring two different passwords for accessing two different systems in
the same session is more secure than requiring one password for two different s
ystems. This equates to two-factor authentication. Requiring multiple proofs of
authentication presents multiple barriers to entry access by intruders. On the o
ther hand, using the same password (one-factor) for accessing multiple systems i
n the same session is a one-factor authentication, because only one type (and th
e same type) of proof is used. The key point is whether the type of proof presen
ted is same or different.
138. What is using a personal identity card with attended access (e.g., a secur
ity guard) and a PIN called?
a.
b.
c.
d.
One-factor authentication
Two-factor authentication
Three-factor authentication
Four-factor authentication
One-factor authentication
Two-factor authentication
Three-factor authentication
Four-factor authentication
139. d. Tracking the drivers physical location (perhaps with GPS or wireless sens
or network) is an example of somewhere you are (proof of first factor). Showing
the employee a physical badge with photo ID is an example of something you have
(proof of second factor). Entering a password and PIN is an example of something
you know (proof of third factor). Taking a biometric sample of fingerprint is a
n example of something you are (proof of fourth factor). Therefore, this scenari
o represents a four-factor authentication. The key point is that it does not mat
ter whether the proof presented is one item or more items in the same category (
e.g, somewhere you are, something you have, something you know, and something yo
u are).
140. Which of the following is achieved when two authentication proofs of somet
hing that you have is implemented?
a.
b.
c.
d.
Least assurance
Increased assurance
Maximum assurance
Equivalent assurance
that you have (e.g., card, key, and mobile ID device) are implemented because th
e card and the key can be lost or stolen. Consequently, multiple uses of somethi
ng that you have offer lesser access control assurance than using a combination
of multifactor authentication techniques. Equivalent assurance is neutral and do
es not require any further action.
141. Which of the following is achieved when two authentication proofs of somet
hing that you know are implemented?
a.
b.
c.
d.
Least assurance
Increased assurance
Maximum assurance
Equivalent assurance
Least assurance
Increased assurance
Maximum assurance
Equivalent assurance
Tuning
Evasion
Blocking
Normalization
on authentication products?
a.
b.
c.
d.
Full-disk encryption
Volume encryption
Virtual disk encryption
File/folder encryption
Full-disk encryption
Volume encryption
Vi rtual disk encryption
File/folder encryption
A
A
A
A
trade-off
trade-off
trade-off
trade-off
between
between
between
between
a.
b.
c.
d.
User-to-host architecture
Peer-to-peer architecture
Client host-to-server architecture
Trusted third-party architecture
148. a. When a user logs onto a host computer or workstation, the user must be i
dentified and authenticated before access to the host or network is granted. Thi
s process requires a mechanism to authenticate a real person to a machine. The b
est methods of doing this involve multiple forms of authentication with multiple
factors, such as something you know (password), something you have (physical to
ken), and something you are (biometric verification). The other three choices do
not require multifactor authentication because they use different authenticatio
n methods.
Peer-to-peer architecture, sometimes referred to as mutual authentication protoc
ol, involves the direct communication of authentication information between the
communicating entities (e.g., peer-to-peer or client host-to-server).
The architecture for trusted third-party (TTP) authentication uses a third entit
y, trusted by all entities, to provide authentication information. The amount of
trust given the third entity must be evaluated. Methods to establish and mainta
in a level of trust in a TTP include certification practice statements (CPS) tha
t establishes rules, processes, and procedures that a certificate authority (CA)
uses to ensure the integrity of the authentication process and use of secure pr
otocols to interface with authentication servers. A TTP may provide authenticati
on information in each instance of authentication, in real-time, or as a precurs
or to an exchange with a CA.
149. For password management, which of the following ensures password strength?
a. Passwords with
passphrases
b. Passwords with
ex passphrases
c. Passwords with
e passphrases
d. Passwords with
plex passphrases
150. d. One way to ensure password strength is to add a password filter utility
program, which is specifically designed to verify that a password created by a u
ser complies with the password policy. Adding a password filter is a more rigoro
us and proactive solution, whereas the other three choices are less rigorous and
reactive solutions.
Firewalls
Robust authentication
Port protection devices
Encryption
It
It
It
It
152. a. Some applications use access control (typically enforced by the operatin
g system) to restrict access to certain types of information or application func
tions. This can be helpful to determine what a particular application user could
have done. Some applications record information related to access control, such
as failed attempts to perform sensitive actions or access restricted data.
153. What occurs in a man-in-the-middle (MitM) attack on an electronic authenti
cation protocol?
1.
2.
3.
4.
An
An
An
An
attacker
attacker
attacker
attacker
poses
poses
poses
poses
as
as
as
as
the
the
the
the
a.
b.
c.
d.
1
3
4
1
only
only
only
and 2
Firewalls
Auditing
System configuration
Intrusion detection system
Proof-by-knowledge
Proof-by-property
Proof-by-possession
Proof-of-concept
155. c. Smart cards are credit card-size plastic cards that host an embedded com
puter chip containing an operating system, programs, and data. Smart card authen
tication is perhaps the best-known example of proof-by-possession (e.g., key, ca
rd, or token). Passwords are an example of proof-by-knowledge. Fingerprints are
an example of proof-by-property. Proof-of-concept deals with testing a product p
rior to building an actual product.
156. For token threats in electronic authentication, countermeasures used for w
hich one of the following threats are different from the other three threats?
a.
b.
c.
d.
Online guessing
Eavesdropping
Phishing and pharming
Social engineering
Challenge-response protocol
Service provider
Resource manager
Driver for the smart card reader
157. a. The underlying mechanism used to authenticate users via smart cards reli
es on a challenge-response protocol between the device and the smart card. For e
xample, a personal digital assistant (PDA) challenges the smart card for an appr
opriate and correct response that can be used to verify that the card is the one
originally enrolled by the PDA device owner. The challenge-response protocol pr
ovides a security service. The three main software components that support a sma
rt card application include the service provider, a resource manager, and a driv
er for the smart card reader.
158. Which of the following is not a sophisticated technical attack against smar
t cards?
a.
b.
c.
d.
Reverse engineering
Fault injection
Signal leakage
Impersonating
Smart card
Password
Memory token
Communications signal
Honeypots
Inference cells
Padded cells
Vulnerability assessment tools
160.b. Honeypot systems, padded cell systems, and vulnerability assessment tools
complement IDS to enhance an organizations ability to detect intrusion. Inferenc
e cells do not complement IDS. A honeypot system is a host computer that is desi
gned to collect data on suspicious activity and has no authorized users other th
an security administrators and attackers. Inference cells lead to an inference a
ttack when a user or intruder is able to deduce privileged information from know
n information. In padded cell systems, an attacker is seamlessly transferred to
a special padded cell host. Vulnerability assessment tools determine when a netw
ork or host is vulnerable to known attacks.
161. Sniffing precedes which of the following?
a.
b.
c.
d.
Phishing
Spoofing
Snooping
Cracking
and
and
and
and
pharming
hijacking
scanning
scamming
Signature-based detection
Misuse detection
Anomaly-based detection
Stateful protocol analysis
165. d. IDPS technologies use many methodologies to detect incidents. The primar
y classes of detection methodologies include signature-based, anomaly-based, and
stateful protocol analysis, where the latter is the only one that analyzes both
network-based and host-based activity.
Signature-based detection is the process of comparing signatures against observe
d events to identify possible incidents. A signature is a pattern that correspon
ds to a known threat. It is sometimes incorrectly referred to as misuse detectio
n or stateful protocol analysis. Misuse detection refers to attacks from within
the organizations.
Anomaly-based detection is the process of comparing definitions of what activity
is considered normal against observed events to identify significant deviations
and abnormal behavior.
Stateful protocol analysis (also known as deep packet inspection) is the process
of comparing predetermined profiles of generally accepted definitions of benign
protocol activity for each protocol state against observed events to identify d
eviations. The stateful protocol is appropriate for analyzing both network-based
and host-based activity, whereas deep packet inspection is appropriate for netw
ork-based activity only. One network-based IDPS can listen on a network segment
or switch and can monitor the network traffic affecting multiple hosts that are
connected to the network segment. One host-based IDPS operates on information co
llected from within an individual computer system and determines which processes
and user accounts are involved in a particular attack.
166. The Clark-Wilson security model focuses on which of the following?
a.
b.
c.
d.
Confidentiality
Integrity
Availability
Accountability
166. b. The Clark-Wilson security model is an approach that provides data integr
ity for common commercial activities. It is a specific model addressing integrity
, which is one of five security objectives. The five objectives are: confidential
ity, integrity, availability, accountability, and assurance.
167. The Biba security model focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
167. b. The Biba security model is an integrity model in which no subject may de
pend on a less trusted object, including another subject. It is a specific model
addressing only one of the security objectives such as confidentiality, integri
ty, availability, and accountability.
168. The Take-Grant security model focuses on which of the following?
a.
b.
c.
d.
Confidentiality
Accountability
Availability
Access rights
168. d. The Take-Grant security model uses a directed graph to specify the right
s that a subject can transfer to an object or that a subject can take from anoth
er subject. It does not address the security objectives such as confidentiality,
integrity, availability, and accountability. Access rights are a part of access
control models.
169. Which of the following is based on precomputed password hashes?
a.
b.
c.
d.
169. c. Rainbow attacks are a form of a password cracking technique that employs
rainbow tables, which are lookup tables that contain pre-computed password hash
es. These tables enable an attacker to attempt to crack a password with minimal
time on the victim system and without constantly having to regenerate hashes if
the attacker attempts to crack multiple accounts. The other three choices are no
t based on pre-computed password hashes; although, they are all related to passw
ords.
A brute force attack is a form of a guessing attack in which the attacker uses a
ll possible combinations of characters from a given character set and for passwo
rds up to a given length.
A dictionary attack is a form of a guessing attack in which the attacker attempt
s to guess a password using a list of possible passwords that is not exhaustive.
A hybrid attack is a form of a guessing attack in which the attacker uses a dict
ionary that contains possible passwords and then uses variations through brute f
orce methods of the original passwords in the dictionary to create new potential
passwords.
170. For intrusion detection and prevention system capabilities, anomaly-based
detection uses which of the following?
1.
2.
3.
4.
Blacklists
Whitelists
Threshold
Program code viewing
a.
b.
c.
d.
1 and 2
1, 2, and 3
3 only
1, 2, 3, and 4
An anomaly-based detection does not use blacklists, whitelists, and program code
viewing. A blacklist is a list of discrete entities, such as hosts or applicati
ons that have been previously determined to be associated with malicious activit
y. A whitelist is a list of discrete entities, such as hosts or applications kno
wn to be benign. Program code viewing and editing features are established to se
e the detection-related programming code in the intrusion detection and preventi
on system (IDPS).
171. Which of the following security models addresses separation of duties concep
t?
a.
b.
c.
d.
Biba model
Clark-Wilson model
Bell-LaPadula model
Sutherland model
171. b. The Clark and Wilson security model addresses the separation of duties c
oncept along with well-formed transactions. Separation of duties attempts to ens
ure the external consistency of data objects. It also addresses the specific int
egrity goal of preventing authorized users from making improper modifications. T
he other three models do not address the separation of duties concept.
172. From a computer security viewpoint, the Chinese-Wall policy is related to
which of the following?
a.
b.
c.
d.
Aggregation problem
Data classification problem
Access control problem
Inference problem
Biba model
Clark-Wilson model
Bell-LaPadula model
Sutherland model
Firewalls
Firewalls
Firewalls
Firewalls
are
are
are
are
$ -property
@ -property
Star (*) -property
# -property
177. c. The key thing in shoulder surfing is to make sure that no one watches th
e user while his password is typed. Encryption does not help here because it is
applied after a password is entered, not before. Proper education and awareness
and using difficult-to-guess passwords can eliminate this problem.
178. What does the Bell-LaPadulas star.property (* -property) mean?
a.
b.
c.
d.
No
No
No
No
write-up is allowed.
write-down is allowed.
read-up is allowed.
read-down is allowed.
178. b. The star property means no write-down and yes to a write-up. A subject c
an write objects only at a security level that dominates the subjects level. This
means, a subject of one higher label cannot write to any object of a lower secu
rity label. This is also known as the confinement property. A subject is prevent
ed from copying data from one higher classification to a lower classification. I
n other words, a subject cannot write anything below that subjects level.
179. Which of the following security models covers integrity?
a. Bell-LaPadula model
b. Biba model
Bell-LaPadula model
Biba model
Information flow model
Take-grant model
What
What
What
What
the
the
the
the
user
user
user
user
knows
has
can do
is
181. c. What the user can do is defined in access rules or user profiles, which co
me after a successful authentication. The other three choices are part of an aut
hentication process. The authenticator factor knows means a password or PIN, has mea
ns key or card, and is means a biometric identity.
182. Which of the following models is used to protect the confidentiality of cl
assified information?
a.
b.
c.
d.
Prevent
Detect
Respond
Report
Mutation engine
Processing engine
State machine
Virtual machine
184. b. The processing engine is the heart of the intrusion detection system (ID
S). It consists of the instructions (language) for sorting information for relev
ance, identifying key intrusion evidence, mining databases for attack signatures
, and decision making about thresholds for alerts and initiation of response act
ivities.
For example, a mutation engine is used to obfuscate a virus, polymorphic or not,
to aid the proliferation of the said virus. A state machine is the basis for al
l computer systems because it is a model of computations involving inputs, outpu
ts, states, and state transition functions. A virtual machine is software that e
nables a single host computer to run using one or more guest operating systems.
185. From an access control decision viewpoint, failures due to flaws in exclus
ion-based systems tend to do which of the following?
a.
b.
c.
d.
185. d. When failures occur due to flaws in exclusion-based systems, they tend t
o grant unauthorized permissions. The two types of access control decisions are
permission-based and exclusion-based.
186. Which of the following is a major issue with implementation of intrusion d
etection systems?
a.
b.
c.
d.
False-negative notification
False-positive notification
True-negative notification
True-positive notification
186. b. One of the biggest single issues with intrusion detection system (IDS) i
mplementation is the handling of false-positive notification. An anomaly-based I
DS produces a large number of false alarms (false-positives) due to the unpredic
table nature of users and networks. Automated systems are prone to mistakes, and
human differentiation of possible attacks is resource-intensive.
187. Which of the following provides strong authentication for centralized auth
entication servers when used with firewalls?
a.
b.
c.
d.
User IDs
Passwords
Tokens
Account numbers
187. c. For basic authentication, user IDs, passwords, and account numbers are u
sed for internal authentication. Centralized authentication servers such as RADI
US and TACACS/TACACS+ can be integrated with token-based authentication to enhan
ce firewall administration security.
188. How is authorization different from authentication?
a. Authorization comes after authentication.
b. Authorization and authentication are the same.
c. Authorization is verifying the identity of a user.
Initial authentication
Pre-authentication
Post-authentication
Re-authentication
189. b. The simplest form of initial authentication uses a user ID and password,
which occurs on the client. The server has no knowledge of whether the authenti
cation was successful. The problem with this approach is that anyone can make a
request to the server asserting any identity, allowing an attacker to collect re
plies from the server and successfully launching a real attack on those replies.
In pre-authentication, the user sends some proof of his identity to the server a
s part of the initial authentication process. The client must authenticate prior
to the server issuing a credential (ticket) to the client. The proof of identit
y used in pre-authentication can be a smart card or token, which can be integrat
ed into the Kerberos initial authentication process. Here, post-authentication a
nd re-authentication processes do not apply because it is too late to be of any
use.
190. Which of the following statements is not true about discretionary access co
ntrol?
a.
b.
c.
d.
190. d. Discretionary access control (DAC) permits the granting and revoking of
access control privileges to be left to the discretion of individual users. A di
scretionary access control mechanism enables users to grant or revoke access to
any of the objects under the control. As such, users are said to be the owners o
f the objects under their control. It uses access control lists.
191. Which of the following does not provide robust authentication?
a.
b.
c.
d.
Kerberos
Secure remote procedure calls
Reusable passwords
Digital certificates
Kerberos
Kerberos
Kerberos
Kerberos
uses
uses
is a
uses
192. a. Kerberos uses symmetric key cryptography and a trusted third party. Kerb
eros users authenticate with one another using Kerberos credentials issued by a
trusted third party. The bit size of Kerberos is the same as that of DES, which
is 56 bits because Kerberos uses a symmetric key algorithm similar to DES.
193. Which of the following authentication types is most effective?
a.
b.
c.
d.
Static authentication
Robust authentication
Intermittent authentication
Continuous authentication
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
194. d. Intrusion detection and prevention system (IDPS) technologies cannot pro
vide completely accurate detection at all times. All four items are true stateme
nts. When an IDPS incorrectly identifies benign activity as being malicious, a f
alse positive has occurred. When an IDPS fails to identify malicious activity, a
false negative has occurred.
195. Which of the following authentication techniques is impossible to forge?
a.
b.
c.
d.
Auditing
Restore to secure state
Proof-of-wholeness
Intrusion detection tool
Unique identifiers
Access rules
Audit trails
Policies and procedures
Access password
Personal password
Valid password
Virtual password
a.
b.
c.
d.
Data administration
Information systems administration
Systems security
Information systems planning
Cards
Timestamps
Tokens
Keys
Memory tokens
Smart cards
Cryptography
Biometric systems
202. d. Biometric systems require the creation and storage of profiles or templa
tes of individuals wanting system access. This includes physiological attributes
such as fingerprints, hand geometry, or retina patterns, or behavioral attribut
es such as voice patterns and hand-written signatures.
Memory tokens and smart cards involve the creation and distribution of a token d
evice with a PIN, and data that tell the computer how to recognize valid tokens
or PINs. Cryptography requires the generation, distribution, storage, entry, use
, distribution, and archiving of cryptographic keys.
203. When security products cannot provide sufficient protection through encrypt
ion, system administrators should consider using which of the following to prote
ct intrusion detection and prevention system management communications?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
4
3
4
3, and 4
203. c. System administrators should ensure that all intrusion detection and pre
vention system (IDPS) management communications are protected either through phy
sical separation (management network) or logical separation (virtual network) or
through encryption using transport layer security (TLS). However, for security
products that do not provide sufficient protection through encryption, administr
ators should consider using a virtual private network (VPN) or other encrypted t
unneling method to protect the network traffic.
204. What is the objective of separation of duties?
a.
b.
c.
d.
204. a. The objective is to limit what people can do, especially in conflict sit
uations or incompatible functions, in such a way that no one person has complete
control over a transaction or an activity from start to finish. The goal is to
limit the possibility of hiding irregularities or fraud. The other three choices
are not related to separation of duties.
205. What names does an access control matrix place?
a.
b.
c.
d.
Users in
Programs
Users in
Subjects
Managing
Managing
Managing
Managing
206. a. Kerberos is a private key authentication system that uses a central data
base to keep a copy of all users private keys. The entire system can be compromis
ed due to the central database. Kerberos is used to manage centralized access ri
ghts, encryption keys, and access permissions.
207. Which of the following security control mechanisms is simplest to administ
er?
a.
b.
c.
d.
207. b. Mandatory access controls are the simplest to use because they can be us
ed to grant broad access to large sets of files and to broad categories of infor
mation.
Discretionary access controls are not simple to use due to their finer level of
granularity in the access control process. Both the access control list and logi
cal access control require a significant amount of administrative work because t
hey are based on the details of each individual user.
208. What implementation is an example of an access control policy for a bank t
eller?
a.
b.
c.
d.
Role-based policy
Identity-based policy
User-directed policy
Rule-based policy
208. a. With role-based access control, access decisions are based on the roles
that individual users have as part of an organization. Users take on assigned ro
les (such as doctor, nurse, bank teller, and manager). Access rights are grouped
by role name, and the use of resources is restricted to individuals authorized
to assume the associated role. The use of roles to control access can be an effe
ctive means for developing and enforcing enterprise-specific security policies a
nd for streamlining the security management process.
Identity-based and user-directed policies are incorrect because they are example
s of discretionary access control. Identity-based access control is based only o
n the identity of the subject and object. In user-directed access controls, a su
bject can alter the access rights with certain restrictions. Rule-based policy i
s incorrect because it is an example of a mandatory type of access control and i
s based on specific rules relating to the nature of the subject and object.
209. Which of the following access mechanisms creates a potential security prob
lem?
a.
b.
c.
d.
209. b. IP address-based access mechanisms use Internet Protocol (IP) source add
resses, which are not secure and subject to IP address spoofing attacks. The IP
address deals with identification only, not authentication.
Location-based access mechanism is incorrect because it deals with a physical ad
dress, not IP address. Token-based access mechanism is incorrect because it uses
tokens as a means of identification and authentication. Web-based access mechan
ism is incorrect because it uses secure protocols to accomplish authentication.
The other three choices accomplish both identification and authentication and do
not create a security problem as does the IP address-based access mechanism.
210. Rank the following authentication mechanisms providing most to least prote
ction against replay attacks?
a.
b.
c.
d.
one-time password
and password only
and password only
and password only
Recurring passwords
Nonrecurring passwords
Memory tokens
Smart tokens
211. a. Recurring passwords are static passwords with reuse and are considered t
o be a relatively weak security mechanism. Users tend to use easily guessed pass
words. Other weaknesses include spoofing users, users stealing passwords through
observing keystrokes, and users sharing passwords. The unauthorized use of pass
words by outsiders (hackers) or insiders is a primary concern and is considered
the least efficient and least effective security mechanism for re-authentication
.
Nonrecurring passwords are incorrect because they provide a strong form of re-au
thentication. Examples include a challenge-response protocol or a dynamic passwo
rd generator where a unique value is generated for each session. These values ar
e not repeated and are good for that session only.
Tokens can help in re-authenticating a user or transaction. Memory tokens store
but do not process information. Smart tokens expand the functionality of a memor
y token by incorporating one or more integrated circuits into the token itself.
In other words, smart tokens store and process information. Except for passwords
, all the other methods listed in the question are examples of advanced authenti
cation methods that can be applied to re-authentication.
212. Which of the following lists a pair of compatible functions within the IT
organization?
a.
b.
c.
d.
212. c. Separation of duties is the first line of defense against the prevention
, detection, and correction of errors, omissions, and irregularities. The object
ive is to ensure that no one person has complete control over a transaction thro
ughout its initiation, authorization, recording, processing, and reporting. If t
he total risk is acceptable, then two different jobs can be combined. If the ris
k is unacceptable, the two jobs should not be combined. Both quality assurance a
nd data security are staff functions and would not handle the day-to-day operati
ons tasks.
The other three choices are incorrect because they are examples of incompatible
functions. The rationale is to minimize such functions that are not conducive to
good internal control structure. For example, if a computer operator is also re
sponsible for production job scheduling, he could submit unauthorized production
jobs.
213. A security label, or access control mechanism, is supported by which of th
e following access control policies?
a.
b.
c.
d.
Role-based policy
Identity-based policy
User-directed policy
Mandatory access control policy
213. d. Mandatory access control is a type of access control that cannot be made
more permissive by subjects. They are based on information sensitivity such as
security labels for clearance and data classification. Rule-based and administra
tively directed policies are examples of mandatory access control policy.
Role-based policy is an example of nondiscretionary access controls. Access cont
rol decisions are based on the roles individual users are taking in an organizat
ion. This includes the specification of duties, responsibilities, obligations, a
nd qualifications (e.g., a teller or loan officer associated with a banking syst
em).
Both identity-based and user-directed policies are examples of discretionary acc
ess control. It is a type of access control that permits subjects to specify the
access controls with certain limitations. Identity-based access control is base
d only on the identity of the subject and object. User-directed control is a typ
e of access control in which subjects can alter the access rights with certain r
estrictions.
214. The principle of least privilege refers to the security objective of grant
ing users only those accesses they need to perform their job duties. Which of th
e following actions is inconsistent with the principle of least privilege?
a.
b.
c.
d.
Authorization creep
Re-authorization when employees change positions
Users have little access to systems
Users have significant access to systems
Auditing requirements
Password and user ID requirements
Identification controls
Authentication controls
215. b. Accountability means holding individual users responsible for their acti
ons. Due to several problems with passwords and user IDs, they are considered to
be the least effective in exacting accountability. These problems include easy
to guess passwords, easy to spoof users for passwords, easy to steal passwords,
and easy to share passwords. The most effective controls for exacting accountabi
lity include a policy, authorization scheme, identification and authentication c
ontrols, access controls, audit trails, and auditing.
216. Which of the following statement is not true in electronic authentication?
a. The registration authority and the credential service provider may be the sam
e entity
b. The verifier and the relying party may be the same entity
c. The verifier, credential service provider, and the relying party may be separ
ate entities
d. The verifier and the relying party may be separate entities
216. a. The relationship between the registration authority (RA) and the credent
ial service provider (CSP) is a complex one with ongoing relationship. In the si
mplest and perhaps the most common case, the RA and CSP are separate functions o
Static authentication
Intermittent authentication
Continuous authentication
Robust authentication
218. c. Authentication data needs to be stored securely, and its value lies in t
he datas confidentiality, integrity, and availability. If confidentiality is comp
romised, someone may use the information to masquerade as a legitimate user. If
system administrators can read the authentication file, they can masquerade as a
nother user. Many systems use encryption to hide the authentication data from th
e system administrators.
Masquerading by system administrators cannot be entirely prevented. If integrity
is compromised, authentication data can be added, or the system can be disrupte
d. If availability is compromised, the system cannot authenticate users, and the
users may not be able to work. Because audit controls would be out of the contr
ol of the administrator, controls can be set up so that improper actions by the
system administrators can be detected in audit records. Due to their broader res
ponsibilities, the system administrators access to the system cannot be limited.
System administrators can compromise a systems integrity; again their actions can
be detected in audit records.
It makes a big difference whether an organization has one or more than one syste
m administrator for separation of duties or for least privilege principle to work.
With several system administrators, a system administrator account could be set
up for one person to have the capability to add accounts. Another administrator
could have the authority to delete them. When there is only one system administ
Integrity
Availability
Reliability
Confidentiality
219. c. Computer-based access controls are called logical access controls. These
controls can prescribe not only who or what is to have access to a specific sys
tem resource but also the type of access permitted, usually in software. Reliabi
lity is more of a hardware issue.
Logical access controls can help protect (i) operating systems and other systems
software from unauthorized modification or manipulation (and thereby help ensur
e the systems integrity and availability); (ii) the integrity and availability of
information by restricting the number of users and processes with access; and (
iii) confidential information from being disclosed to unauthorized individuals.
220. Which of the following internal access control methods offers a strong for
m of access control and is a significant deterrent to its use?
a.
b.
c.
d.
Security labels
Passwords
Access control lists
Encryption
220. a. Security labels are a strong form of access control. Unlike access contr
ol lists, labels cannot ordinarily be changed. Because labels are permanently li
nked to specific information, data cannot be disclosed by a user copying informa
tion and changing the access to that file so that the information is more access
ible than the original owner intended. Security labels are well suited for consi
stently and uniformly enforcing access restrictions, although their administrati
on and inflexibility can be a significant deterrent to their use.
Passwords are a weak form of access control, although they are easy to use and a
dminister. Although encryption is a strong form of access control, it is not a d
eterrent to its use when compared to labels. In reality, the complexity and diff
iculty of encryption can be a deterrent to its use.
221. It is vital that access controls protecting a computer system work together
. Which of the following types of access controls should be most specific?
a.
b.
c.
d.
Physical
Application system
Operating system
Communication system
d. Utility programs
222. a. Most systems can be compromised if someone can physically access the CPU
machine or major components by, for example, restarting the system with differe
nt software. Logical access controls are, therefore, dependent on physical acces
s controls (with the exception of encryption, which can depend solely on the str
ength of the algorithm and the secrecy of the key).
Application systems, operating systems, and utility programs are heavily depende
nt on logical access controls to protect against unauthorized use.
223. A system mechanism and audit trails assist business managers to hold indiv
idual users accountable for their actions. To utilize these audit trails, which
of the following controls is a prerequisite for the mechanism to be effective?
a.
b.
c.
d.
Physical
Environmental
Management
Logical access
223. d. By advising users that they are personally accountable for their actions
, which are tracked by an audit trail that logs user activities, managers can he
lp promote proper user behavior. Users are less likely to attempt to circumvent
security policy if they know that their actions will be recorded in an audit log
. Audit trails work in concert with logical access controls, which restrict use
of system resources. Because logical access controls are enforced through softwa
re, audit trails are used to maintain an individuals accountability. The other th
ree choices collect some data in the form of an audit trail, and their use is li
mited due to the limitation of useful data collected.
224. Which of the following is the best place to put the Kerberos protocol?
a.
b.
c.
d.
Application layer
Transport layer
Network layer
All layers of the network
224. d. Placing the Kerberos protocol below the application layer and at all lay
ers of the network provides greatest security protection without the need to mod
ify applications.
225. An inherent risk is associated with logical access that is difficult to pr
event or mitigate but can be identified via a review of audit trails. Which of t
he following types of access is this risk most associated with?
a.
b.
c.
d.
Call-back confirmation
Encryption of communications
Smart tokens
Password and user ID
226. d. Many computer systems provide maintenance accounts. These special login
accounts are normally preconfigured at the factory with preset, widely known wea
k passwords. It is critical to change these passwords or otherwise disable the a
ccounts until they are needed. If the account is to be used remotely, authentica
tion of the maintenance provider can be performed using callback confirmation. T
his helps ensure that remote diagnostic activities actually originate from an es
tablished phone number at the vendors site. Other techniques can also help, inclu
ding encryption and decryption of diagnostic communications, strong identificati
on and authentication techniques, such as smart tokens, and remote disconnect ve
rification.
227. Below is a list of pairs, which are related to one another. Which pair of
items represents the integral reliance on the first item to enforce the second?
a.
b.
c.
d.
The
The
The
The
227. a. The separation of duties principle is related to the least privilege princ
iple; that is, users and processes in a system should have the least number of p
rivileges and for the minimal period of time necessary to perform their assigned
tasks. The authority and capacity to perform certain functions should be separa
ted and delegated to different individuals. This principle is often applied to s
plit the authority to write and approve monetary transactions between two people
. It can also be applied to separate the authority to add users to a system and
other system administrator duties from the authority to assign passwords, conduc
t audits, and perform other security administrator duties.
There is no relation between the parity check, which is hardware-based, and the
limit check, which is a software-based application. The parity check is a check
that tests whether the number of ones (1s) or zeros (0s) in an array of binary d
igits is odd or even. Odd parity is standard for synchronous transmission and ev
en parity for asynchronous transmission. In the limit check, a program tests the
specified data fields against defined high or low value limits for acceptabilit
y before further processing. The RSA algorithm is incorrect because it uses two
keys: private and public. The DES is incorrect because it uses only one key for
both encryption and decryption (secret or private key).
228. Which of the following is the most effective method for password creation?
a.
b.
c.
d.
228. b. Password advisors are computer programs that examine user choices for pa
sswords and inform the users if the passwords are weak. Passwords produced by pa
ssword generators are difficult to remember, whereas user selected passwords are
easy to guess. Users write the password down on a paper when it is assigned to
them.
229. Which one of the following items is a more reliable authentication device
than the others?
a.
b.
c.
d.
lity and can solve many authentication problems such as forgery and masquerading
. A smart token typically requires a user to provide something the user knows (i
.e., a PIN or password), which provides a stronger control than the smart token
alone. Smart cards do not require a callback because the codes used in the smart
card change frequently, which cannot be repeated.
Callback systems are used to authenticate a person. A fixed callback system call
s back to a known telephone associated with a known place. However, the called p
erson may not be known, and it is a problem with masquerading. It is not only in
secure but also inflexible because it is tied to a specific place. It is not app
licable if the caller moves around. A variable callback system is more flexible
than the fixed one but requires greater maintenance of the variable telephone nu
mbers and locations. These phone numbers can be recorded or decoded by a hacker.
230. What does an example of a drawback of smart cards include?
a.
b.
c.
d.
A
A
A
A
means
means
means
means
of
of
of
of
access control
storing user data
gaining unauthorized access
access control and data storage
230. c. Because valuable data is stored on a smart card, the card is useless if
lost, damaged, or forgotten. An unauthorized person can gain access to a compute
r system in the absence of other strong controls. A smart card is a credit cardsized device containing one or more integrated circuit chips, which performs the
functions of a microprocessor, memory, and an input/output interface.
Smart cards can be used (i) as a means of access control, (ii) as a medium for s
toring and carrying the appropriate data, and (iii) a combination of (1) and (2)
.
231. Which of the following is a more simple and basic login control?
a.
b.
c.
d.
231. a. Login controls specify the conditions users must meet for gaining access
to a computer system. In most simple and basic cases, access will be permitted
only when both a username and password are provided. More complex systems grant
or deny access based on the type of computer login; that is, local, dialup, remo
te, network, batch, or subprocess. The security system can restrict access based
on the type of the terminal, or the remote computers access will be granted only
when the user or program is located at a designated terminal or remote system.
Also, access can be defined by the time of day and the day of the week. As a fur
ther precaution, the more complex and sophisticated systems monitor unsuccessful
logins, send messages or alerts to the system operator, and disable accounts wh
en a break-in occurs.
232. There are trade-offs among controls. A security policy would be most usefu
l in which of the following areas?
1.
2.
3.
4.
a.
b.
c.
d.
1
3
2
2
and
and
and
and
2
4
3
4
233. c. Program library controls enable only assigned programs to run in product
ion and eliminate the problem of test programs accidentally entering the product
ion environment. They also separate production and testing data to ensure that n
o test data are used in normal production. This practice is based on the separati
on of duties principle.
File placement controls ensure that files reside on the proper direct access sto
rage device so that data sets do not go to a wrong device by accident. Data file
, program, and job naming conventions implement the separation of duties princip
le by uniquely identifying each production and test data file names, program nam
es, job names, and terminal usage.
234. Which of the following pairs of high-level system services provide control
led access to networks?
a.
b.
c.
d.
ity is who he claims to be. The threat to the network that the identification an
d authentication service must protect against is impersonation.
Access control list (ACL) and access privileges do not provide controlled access
to networks because ACL is a list of the subjects that are permitted to access
an object and the access rights (privileges) of each subject. This service comes
after initial identification and authentication service.
Certification and accreditation services do not provide controlled access to net
works because certification is the administrative act of approving a computer sy
stem for use in a particular application. Accreditation is the managements formal
acceptance of the adequacy of a computer systems security. Certification and acc
reditation are similar in concept. This service comes after initial identificati
on and authentication service.
Accreditation and assurance services do not provide controlled access to network
s because accreditation is the managements formal acceptance of the adequacy of a
computer systems security. Assurance is confidence that a computer system design
meets its requirements. Again, this service comes after initial identification
and authentication service.
235. Which of the following is not subjected to impersonation attacks?
a.
b.
c.
d.
Packet replay
Forgery
Relay
Interception
235. a. Packet replay is one of the most common security threats to network syst
ems, similar to impersonation and eavesdropping in terms of damage, but dissimil
ar in terms of functions. Packet replay refers to the recording and retransmissi
on of message packets in the network. It is a significant threat for programs th
at require authentication-sequences because an intruder could replay legitimate
authentication sequence messages to gain access to a system. Packet replay is fr
equently undetectable but can be prevented by using packet timestamping and pack
et-sequence counting.
Forgery is incorrect because it is one of the ways an impersonation attack is ac
hieved. Forgery is attempting to guess or otherwise fabricate the evidence that
the impersonator knows or possesses.
Relay is incorrect because it is one of the ways an impersonation attack is achi
eved. Relay is where one can eavesdrop upon anothers authentication exchange and
learn enough to impersonate a user.
Interception is incorrect because it is one of the ways an impersonation attack
is achieved. Interception is where one can slip in between the communications an
d hijack the communications channel.
236. Which of the following security features is not supported by the principle
of least privilege?
a.
b.
c.
d.
n on files.
The time bounding of privilege is incorrect because it is one of the security fe
atures supported by the principle of least privilege. The time bounding of privi
lege is related in that privileges required by an application or a process can b
e enabled and disabled as the application or process needs them.
Privilege inheritance is incorrect because it is one of the security features su
pported by the principle of least privilege. Privilege inheritance enables a pro
cess image to request that all, some, or none of its privileges get passed on to
the next process image. For example, application programs that execute other ut
ility programs need not pass on any privileges if the utility program does not r
equire them.
237. Authentication is a protection against fraudulent transactions. Authenticat
ion process does not assume which of the following?
a.
b.
c.
d.
237. c. Authentication assures that the data received comes from the supposed or
igin. It is not extended to include the integrity of the data or messages transm
itted. However, authentication is a protection against fraudulent transactions b
y establishing the validity of messages sent, validity of the workstations that
sent the message, and the validity of the message originators. Invalid messages
can come from a valid origin, and authentication cannot prevent it.
238. Passwords are used as a basic mechanism to identify and authenticate a syst
em user. Which of the following password-related factors cannot be tested with a
utomated vulnerability testing tools?
a.
b.
c.
d.
Password
Password
Password
Password
length
lifetime
secrecy
storage
238. c. No automated vulnerability-testing tool can ensure that system users hav
e not disclosed their passwords; thus secrecy cannot be guaranteed.
Password length can be tested to ensure that short passwords are not selected. P
assword lifetime can be tested to ensure that they have a limited lifetime. Pass
words should be changed regularly or whenever they may have been compromised. Pa
ssword storage can be tested to ensure that they are protected to prevent disclo
sure or unauthorized modification.
239. Use of login IDs and passwords is the most commonly used mechanism for whic
h of the following?
a.
b.
c.
d.
Providing
Providing
Providing
Batch and
239. b. By definition, a static verification takes place only once at the start
of each login session. Passwords may or may not be reusable.
Dynamic verification of a user takes place when a person types on a keyboard and
leaves an electronic signature in the form of keystroke latencies in the elapse
d time between keystrokes. For well-known, regular type strings, this signature
can be quite consistent. Here is how a dynamic verification mechanism works: Whe
n a person wants to access a computer resource, he is required to identify himse
lf by typing his name. The latency vector of the keystrokes of this name is comp
ared with the reference signature stored in the computer. If this claimants laten
cy vector and the reference signature are statistically similar, the user is gra
nted access to the system. The user is asked to type his name a number of times
Based
Based
Based
Based
on
on
on
on
job
job
job
job
enlargement concept
duties concept
enrichment concept
rotation concept
241. b. Users take on assigned roles such as doctor, nurse, teller, and manager.
With role-based access control mechanism, access decisions are based on the rol
es that individual users have as part of an organization, that is, job duties. J
ob enlargement means adding width to a job; job enrichment means adding depth to
a job; and job rotation makes a person well rounded.
242. What do the countermeasures against a rainbow attack resulting from a pass
word cracking threat include?
a.
b.
c.
d.
242. c. Salting is the inclusion of a random value in the password hashing proce
ss that greatly decreases the likelihood of identical passwords returning the sa
me hash. If two users choose the same password, salting can make it highly unlik
ely that their hashes are the same. Larger salts effectively make the use of rai
nbow tables infeasible. Stretching involves hashing each password and its salt t
housands of times. This makes the creation of the rainbow tables correspondingly
more time-consuming, while having little effect on the amount of effort needed
by the organizations systems to verify password authentication attempts.
Keyspace is the large number of possible key values (keys) created by the encryp
tion algorithm to use when transforming the message. Passphrase is a sequence of
characters transformed by a password system into a virtual password. Entropy is
a measure of the amount of uncertainty that an attacker faces to determine the
value of a secret.
243. Passwords can be stored safely in which of the following places?
a.
b.
c.
d.
Initialization file
Script file
Password file
Batch file
Password
Password
Password
Password
sharing
guessing
capturing
spoofing
244. d. Password spoofing is where intruders trick system security into permitti
ng normally disallowed network connections. The gained passwords allow them to c
rack security or to steal valuable information. For example, the vast majority o
f Internet traffic is unencrypted and therefore easily readable. Consequently, e
-mail, passwords, and file transfers can be obtained using readily available sof
tware. Password spoofing is not that common.
The other three choices are incorrect because they are the most commonly used me
thods to gain unauthorized access to computer systems. Password sharing allows a
n unauthorized user to have the system access and privileges of a legitimate use
r, with the legitimate users knowledge and acceptance. Password guessing occurs w
hen easy-to-use or easy-to-remember codes are used and when other users know abo
ut them (e.g., hobbies, sports, favorite stars, and social events). Password cap
turing is a process in which a legitimate user unknowingly reveals the users logi
n ID and password. This may be done through the use of a Trojan horse program th
at appears to the user as a legitimate login program; however, the Trojan horse
program is designed to capture passwords.
245. What are the Bell-LaPadula access control model and mandatory access contr
ol policy examples of?
a.
b.
c.
d.
245. d. The rule-based access control (RuBAC) is based on specific rules relatin
g to the nature of the subject and object. A RuBAC decision requires authorizati
on information and restriction information to compare before any access is grant
ed. Both Bell-LaPadula access control model and mandatory access control policy
deals with rules. The other three choices do not deal with rules.
246. Which of the following security solutions for access control is simple to
use and easy to administer?
a.
b.
c.
d.
Passwords
Cryptographic tokens
Hardware keys
Encrypted data files
246. c. Hardware keys are devices that do not require a complicated process of a
dministering user rights and access privileges. They are simple keys, similar to
door keys that can be plugged into the personal computer before a person can su
ccessfully log on to access controlled data files and programs. Each user gets a
set of keys for his personal use. Hardware keys are simple to use and easy to a
dminister.
247. a. The primary goal of Kerberos is to prevent system users from claiming th
e identity of other users in a distributed computing environment. The Kerberos a
uthentication system is based on secret key cryptography. The Kerberos protocol
provides strong authentication of users and host computer systems. Further, Kerb
eros uses a trusted third party to manage the cryptographic keying relationships
, which are critical to the authentication process. System users have a signific
ant degree of control over the workstations used to access network services, and
these workstations must therefore be considered not trusted.
Kerberos was developed to provide distributed network authentication services in
volving client/server systems. A primary threat in this type of client/server sy
stem is the possibility that one user claims the identity of another user (imper
sonation), thereby gaining access to system services without the proper authoriz
ation. To protect against this threat, Kerberos provides a trusted third party a
ccessible to network entities, which supports the services required for authenti
cation between these entities. This trusted third party is known as the Kerberos
key distribution server, which shares secret cryptographic keys with each clien
t and server within a particular realm. The Kerberos authentication model is bas
ed upon the presentation of cryptographic tickets to prove the identity of clien
ts requesting services from a host system or server.
The other three choices are incorrect because they cannot reduce the risk of imp
ersonation. For example: (i) passwords can be shared, guessed, or captured and (
ii) memory tokens and smart tokens can be lost or stolen. Also, these three choi
ces do not use a trusted third party to strengthen controls as Kerberos does.
248. What do the weaknesses of Kerberos include?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
makes intercepting and analyzing network traffic difficult. This is due to the u
se of encryption in Kerberos.
249. Less common ways to initiate impersonation attacks on the network include
the use of which of the following?
a.
b.
c.
d.
Firewalls
Passwords
Biometric
Passwords
249. c. Impersonation attacks involving the use of physical keys and biometric c
hecks are less likely due to the need for the network attacker to be physically
near the biometric equipment. Passwords and account names are incorrect because
they are the most common way to initiate impersonation attacks on the network. A
firewall is a mechanism to protect IT computing sites against Internet-borne at
tacks. Most digital certificates are password-protected and have an encrypted fi
le that contains identification information about its holder.
250. Which of the following security services can Kerberos best provide?
a.
b.
c.
d.
Authentication
Confidentiality
Integrity
Availability
Tunneling attack
Playback attack
Destructive attack
Process attack
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
Whitelists
Thresholds
Program code viewing
Blacklists
256. b. Administrators should check the intrusion detection and prevention syste
m (IDPS) thresholds and alert settings to determine whether they need to be adju
sted periodically to compensate for changes in the system environment and change
s in threats. The other three choices are incorrect because the anomaly-based de
tection does not use whitelists, blacklists, and program code viewing.
257. Intrusion detection systems cannot do which of the following?
a.
b.
c.
d.
257. c. An intrusion detection system (IDS) cannot act as a silver bullet, compens
ating for weak identification and authentication mechanisms, weaknesses in netwo
rk protocols, or lack of a security policy. IDS can do the other three choices,
such as recognizing and reporting alterations to data files, tracing user activi
ty from the point of entry to the point of exit or impact, and interpreting the
mass of information contained in operating system logs and audit trail logs.
258. Intrusion detection systems can do which of the following?
a.
b.
c.
d.
258. c. Intrusion detection systems (IDS) can recognize when a known type of att
ack is perpetrated on a system. However, IDS cannot do the following: (i) analyz
e all the traffic on a busy network, (ii) compensate for receiving faulty inform
ation from system sources, (iii) always deal with problems involving packet-leve
l attacks (e.g., an intruder using fabricated packets that elude detection to la
unch an attack or multiple packets to jam the IDS itself), and (iv) deal with hi
gh-speed asynchronous transfer mode networks that use packet fragmentation to op
timize bandwidth.
259. What is the most risky part of the primary nature of access control?
a.
b.
c.
d.
Configured or misconfigured
Enabled or disabled
Privileged or unprivileged
Encrypted or decrypted
259. b. Access control software can be enabled or disabled, meaning security fun
ction can be turned on or off. When disabled, the logging function does not work
. The other three choices are somewhat risky but not as much as enabled or disab
led.
260. Intrusion detection refers to the process of identifying attempts to penet
rate a computer system and gain unauthorized access. Which of the following assi
sts in intrusion detection?
a.
b.
c.
d.
Audit records
Access control lists
Security clearances
Host-based authentication
260. a. If audit records showing trails have been designed and implemented to re
cord appropriate information, they can assist in intrusion detection. Usually, a
udit records contain pertinent data (e.g., date, time, status of an action, user
IDs, and event ID), which can help in intrusion detection.
Access control lists refer to a register of users who have been given permission
to use a particular system resource and the types of access they have been perm
itted. Security clearances are associated with a subject (e.g., person and progr
am) to access an object (e.g., files, libraries, directories, and devices). Host
-based authentication grants access based upon the identity of the host originat
ing the request, instead of the identity of the user making the request. The oth
er three choices have no facilities to record access activity and therefore cann
ot assist in intrusion detection.
261. Which of the following is the technique used in anomaly detection in intru
sion detection systems where user and system behaviors are expressed in terms of
counts?
a.
b.
c.
d.
Parametric statistics
Threshold detection measures
Rule-based measures
Nonparametric statistics
Iris-detection technology
Voice technology
Hand technology
Fingerprint technology
262. a. An ATM customer can stand within three feet of a camera that automatical
ly locates and scans the iris in the eye. The scanned bar code is then compared
against previously stored code in the banks file. Iris-detection technology is fa
r superior for accuracy compared to the accuracy of voice, face, hand, and finge
rprint identification systems. Iris technology does not require a PIN.
263. Which of the following is true about biometrics?
a.
b.
c.
d.
263. c. Biometrics tends to be the most expensive and most secure. In general, p
asswords are the least expensive authentication technique and generally the leas
t secure. Memory tokens are less expensive than smart tokens but have less funct
ionality. Smart tokens with a human interface do not require reading equipment b
ut are more convenient to use.
264. Which of the following is preferable for environments at high risk of iden
tity spoofing?
a.
b.
c.
d.
Digital signature
One-time passwords
Digital certificate
Mutual authentication
265. c. Both users and the system can initiate session lock mechanisms. However,
a session lock is not a substitute for logging out of the information system be
cause it is done at the end of the workday. Previous logon notification occurs a
t the time of login. Concurrent session control deals with either allowing or no
t allowing multiple sessions at the same time. Session termination can occur whe
n there is a disconnection of the telecommunications link or other network opera
tional problems.
Freeware
Firmware
Spyware
Crippleware
Inline
Outline
Online
Offline
267. a. Network-based IPS performs packet sniffing and analyzes network traffic
to identify and stop suspicious activity. They are typically deployed inline, wh
ich means that the software acts like a network firewall. It receives packets, a
nalyzes them, and decides whether they should be permitted, and allows acceptabl
e packets to pass through. They detect some attacks on networks before they reac
h their intended targets. The other three choices are not relevant here.
268. Identity thieves can get personal information through which of the followi
ng means?
1.
2.
3.
4.
Dumpster diving
Skimming
Phishing
Pretexting
a.
b.
c.
d.
1 only
3 only
1 and 3
1, 2, 3, and 4
b. Proprietary authentication
c. Pass-through authentication
d. Host/user authentication
269. c. Pass-through authentication refers to passing operating system credentia
ls (e.g., username and password) unencrypted from the operating system to the ap
plication system. This is risky due to unencrypted credentials. Note that pass-t
hrough authentications can be encrypted or unencrypted.
External authentication is incorrect because it uses a directory server, which i
s not risky. Proprietary authentication is incorrect because username and passwo
rds are part of the application, not the operating system. This is less risky. H
ost/user authentication is incorrect because it is performed within a controlled
environment (e.g., managed workstations and servers within an organization). So
me applications may rely on previous authentication performed by the operating s
ystem. This is less risky.
270. Inference attacks are based on which of the following?
a.
b.
c.
d.
a.
b.
c.
d.
1
3
1
3
only
only
and 2
and 4
oss-cutting approach?
a.
b.
c.
d.
Access control
Audit and accountability
Awareness and training
Configuration management
Cryptography
Passwords
Tokens
Biometrics
Performance-based policy
Identity-based policy
Role-based policy
Rule-based policy
276. d. It is difficult to meet the security and safety requirements with flexib
le access control policies expressed in implicit constraints such as role-based
access control (RBAC) and rule-based access control (RuBAC). Static separation-o
f-duty constraints require that two roles of an individual must be mutually excl
usive, constraints must reduce the chances of collusion, and constraints must mi
nimize the conflict-of-interest in task assignments to employees.
277. Which of the following are compatible with each other in the pair in perfo
rming similar functions in information security?
a.
b.
c.
d.
277. a. A single sign-on (SSO) technology allows a user to authenticate once and
then access all the resources the user is authorized to use. A reduced sign-on
(RSO) technology allows a user to authenticate once and then access many, but no
t all, of the resources the user is authorized to use. Hence, SSO and RSO perfor
m similar functions.
The other three choices do not perform similar functions. Data encryption standa
rd (DES) is a symmetric cipher encryption algorithm. Domain name system (DNS) pr
ovides an Internet translation service that resolves domain names to Internet Pr
otocol (IP) addresses and vice versa. Address resolution protocol (ARP) is used
to obtain a nodes physical address. Point-to-point protocol (PPP) is a data-link
framing protocol used to frame data packets on point-to-point lines. Serial line
Internet protocol (SLIP) carries Internet Protocol (IP) over an asynchronous se
rial communication line. PPP replaced SLIP. Simple key management for Internet p
rotocol (SKIP) is designed to work with the IPsec and operates at the network la
yer of the TCP/IP protocol, and works very well with sessionless datagram protoc
ols.
278. How is identification different from authentication?
a.
b.
c.
d.
Identification
Identification
Identification
Identification
Identification
Availability
Authentication
Auditing
It
It
It
It
280. d. Mandatory access control is expensive and causes system overhead, result
ing in reduced system performance of the database. Mandatory access control uses
sensitivity levels and security labels. Discretionary access controls use tags.
281. What control is referred to when an auditor reviews access controls and lo
gs?
a.
b.
c.
d.
Directive control
Preventive control
Corrective control
Detective control
281. d. The purpose of auditors reviewing access controls and logs is to find ou
t whether employees follow security policies and access rules, and to detect any
violations and anomalies. The audit report helps management to improve access c
ontrols.
282. Logical access controls are a technical means of implementing security pol
icy decisions. It requires balancing the often-competing interests. Which of the
following trade-offs should receive the highest interest?
a.
b.
c.
d.
User-friendliness
Security principles
Operational requirements
Technical constraints
System-generated passwords
Encrypted passwords
Nonreusable passwords
Time-based passwords
Employee issues
Hardware issues
Operating systems software issues
Application software issues
284. a. The largest risk exposure remains with employees. Personnel security mea
sures are aimed at hiring honest, competent, and capable employees. Job requirem
ents need to be programmed into the logical access control software. Policy is a
lso closely linked to personnel issues. A deterrent effect arises among employee
s when they are aware that their misconduct (intentional or unintentional) may b
e detected. Selecting the right type and access level for employees, informing w
hich employees need access accounts and what type and level of access they requi
re, and informing changes to access requirements are also important. Accounts an
d accesses should not be granted or maintained for employees who should not have
them in the first place. The other three choices are distantly related to logic
al access controls when compared to employee issues.
285. Which of the following password methods are based on fact or opinion?
a.
b.
c.
d.
Static passwords
Dynamic passwords
Cognitive passwords
Conventional passwords
Passphrases
Passwords
Lockwords
Passcodes
Tool sets
Skill sets
Training sets
Data sets
a.
b.
c.
d.
Security
Security
Security
Security
tag
label
level
attribute
Permanent access
Guest access
Temporary access
Contractor access
289. c. The greatest problem with temporary access is that once temporary access
is given to an employee, it is not reverted back to the previous status after t
he project has been completed. This can be due to forgetfulness on both sides of
employee and employer or the lack of a formal system for change notification. T
here can be a formal system of change notification for permanent access, and gue
st or contractor accesses are removed after the project has been completed.
290. Which of the following deals with access control by group?
a.
b.
c.
d.
290. a. Discretionary access controls deal with the concept of control objective
s, or control over individual aspects of an enterprises processes or resources. T
hey are based on the identity of the users and of the objects they want to acces
s. Discretionary access controls are implemented by one user or the network/syst
em administrator to specify what levels of access other users are allowed to hav
e.
Mandatory access controls are implemented based on the users security clearance o
r trust level and the particular sensitivity designation of each file. The owner
of a file or object has no discretion as to who can access it.
An access control list is based on which user can access what objects. Logical a
ccess controls are based on a user-supplied identification number or code and pa
ssword. Discretionary access control is by group association whereas mandatory a
ccess control is by sensitivity level.
291. Which of the following provides a finer level of granularity (i.e., more r
estrictive security) in the access control process?
a.
b.
c.
d.
ne-tune those broad controls, override mandatory restrictions as needed, and acc
ommodate special circumstances.
292. For identity management, which of the following is supporting the determin
ation of an authentic identity?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
292. d. Several infrastructures are devoted to providing identities and the mean
s of authenticating those identities. Examples of these infrastructures include
the X.509 authentication framework, the Internet Engineering Task Forces PKI (IET
Fs PKI), the secure domain name system (DNS) initiatives, and the simple public k
ey infrastructure (SPKI).
293. Which one of the following methodologies or techniques provides the most ef
fective strategy for limiting access to individual sensitive files?
a. Access control list and both discretionary and mandatory access control
b. Mandatory access control and access control list
c. Discretionary access control and access control list
d. Physical access control to hardware and access control list with discretionar
y access control
293. a. The best control for protecting sensitive files is using mandatory acces
s controls supplemented by discretionary access controls and implemented through
the use of an access control list. A complementary mandatory access control mec
hanism can prevent the Trojan horse attack that can be allowed by the discretion
ary access control. The mandatory access control prevents the system from giving
sensitive information to any user who is not explicitly authorized to access a
resource.
294. Which of the following security control mechanisms is simplest to administ
er?
a.
b.
c.
d.
294. b. Mandatory access controls are the simplest to use because they can be us
ed to grant broad access to large sets of files and to broad categories of infor
mation. Discretionary access controls are not simple to use due to their finer l
evel of granularity in the access control process. Both the access control list
and logical access control require a significant amount of administrative work b
ecause they are based on the details of each individual user.
295. Which of the following use data by row to represent the access control mat
rix?
a.
b.
c.
d.
295. a. Capabilities and profiles are used to represent the access control matri
x data by row and connect accessible objects to the user. On the other hand, a p
rotection bit-based system and access control list represents the data by column
, connecting a list of users to an object.
296. The process of identifying users and objects is important to which of the
following?
a.
b.
c.
d.
297. d. The shadow password file is a hidden file that stores all users passwords
and is readable only by the root user. The password validation file uses the sh
adow password file before allowing the user to log in. The password-aging file c
ontains an expiration date, and the password reuse file prevents a user from reu
sing a previously used password. The files mentioned in the other three choices
are not hidden.
298. From an access control point of view, which of the following are examples
of task transactions and separation of conflicts-of-interests?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
Unique ID
Signed X.509 certificate
Password with access control list
Encryption
Shadow password
Encryption password
Power-on password
Network password
Risk assessment
Information flow enforcement
Access enforcement
Account management
Signature-based IDPS
Anomaly-based IDPS
Behavior-based IDPS
Statistical-based IDPS
302. a. There are two primary approaches to analyzing events to detect attacks:
signature detection and anomaly detection. Signature detection is the primary te
chnique used by most commercial systems; however, anomaly detection is the subje
ct of much research and is used in a limited form by a number of intrusion detec
tion and prevention systems (IDPS). Behavior and statistical based IDPS are part
of anomaly-based IDPS.
303. For electronic authentication, which of the following is an example of a p
assive attack?
a.
b.
c.
d.
Eavesdropping
Man-in-the-middle
Impersonation
Session hijacking
304. b. Token threats include masquerading, off-line attacks, and guessing passw
ords. Multiple factors raise the threshold for successful attacks. If an attacke
r needs to steal the cryptographic token and guess a password, the work factor m
ay be too high.
Physical security mechanisms are incorrect because they may be employed to prote
ct a stolen token from duplication. Physical security mechanisms can provide tam
per evidence, detection, and response.
Complex passwords are incorrect because they may reduce the likelihood of a succ
essful guessing attack. By requiring the use of long passwords that do not appea
r in common dictionaries, attackers may be forced to try every possible password
.
System and network security controls are incorrect because they may be employed
to prevent an attacker from gaining access to a system or installing malicious s
oftware (malware).
305. Which of the following is the correct description of roles between a regis
tration authority (RA) and a credential service provider (CSP) involved in ident
ity proofing?
a.
b.
c.
d.
The
The
The
The
RA
RA
RA
RA
may
may
may
may
be
be
be
be
305. c. The RA may be a part of the CSP, or it may be a separate and independent
entity; however a trusted relationship always exists between the RA and CSP. Ei
ther the RA or CSP must maintain records of the registration. The RA and CSP may
provide services on behalf of an organization or may provide services to the pu
blic.
306. What is spoofing?
a.
b.
c.
d.
Active attack
Passive attack
Surveillance attack
Exhaustive attack
nd checking for correctness. For a four-digit password, you might start with 000
0 and move to 0001 and 0002 until 9999.
307. Which of the following is an example of infrastructure threats related to
the registration process required in identity proofing?
a.
b.
c.
d.
Separation of duties
Record keeping
Impersonation
Independent audits
307. c. There are two general categories of threats to the registration process:
impersonation and either compromise or malfeasance of the infrastructure (RAs a
nd CSPs). Infrastructure threats are addressed by normal computer security contr
ols such as separation of duties, record keeping, and independent audits.
308. In electronic authentication, which of the following is not trustworthy?
a.
b.
c.
d.
Claimants
Registration authorities
Credentials services providers
Verifiers
309. c. Employees can come and go, but their roles do not change, such as a doct
or or nurse in a hospital. With role-based access control, access decisions are
based on the roles that individual users have as part of an organization. Employ
ee names may change but the roles does not. This access control is the best for
organizations experiencing excessive employee turnover.
Rule-based access control and mandatory access control are the same because they
are based on specific rules relating to the nature of the subject and object. D
iscretionary access control is a means to restrict access to objects based on th
e identity of subjects and/or groups to which they belong.
310. The principle of least privilege supports which of the following?
a.
b.
c.
d.
310. c. The principle of least privilege refers to granting users only those acc
esses required to perform their duties. Only the concept of appropriate privilege
is supported by the principle of least privilege.
311. What is password management an example of?
a. Directive control
b. Preventive control
c. Detective control
d. Corrective control
311. b. Password management is an example of preventive controls in that passwor
ds deter unauthorized users from accessing a system unless they know the passwor
d through some other means.
312. Which one of the following access control policy uses an access control ma
trix for its implementation?
a.
b.
c.
d.
312. a. A discretionary access control (DAC) model uses access control matrix wh
ere it places the name of users (subjects) in each row and the names of objects
(files or programs) in each column of a matrix. The other three choices do not u
se an access control matrix.
313. Access control mechanisms include which of the following?
a.
b.
c.
d.
314. b. Security labels and interfaces are used to determine access based on the
mandatory access control (MAC) policy. A security label is the means used to as
sociate a set of security attributes with a specific information object as part
of the data structure for that object. Labels could be designated as proprietary
data or public data. The other three choices do not use security labels.
315. Intrusion detection and prevention systems serve as which of the following
?
a.
b.
c.
d.
Barrier mechanism
Monitoring mechanism
Accountability mechanism
Penetration mechanism
Social implications
Legal implications
Technical implications
Psychological implications
317. b. The legal implications of using honeypot and padded cell systems are not
well defined. It is important to seek guidance from legal counsel before decidi
ng to use either of these systems.
318. From security and safety viewpoints, safety enforcement is tied to which o
f the following?
a.
b.
c.
d.
Job
Job
Job
Job
rotation
description
enlargement
enrichment
318. b. Safety is fundamental to ensuring that the most basic of access control
policies can be enforced. This enforcement is tied to the job description of an
individual employee through access authorizations (e.g., permissions and privile
ges). Job description lists job tasks, duties, roles, and responsibilities expec
ted of an employee, including safety and security requirements.
The other three choices do not provide safety enforcements. Job rotation makes a
n employee well-rounded because it broadens an employees work experience, job enl
argement adds width to a job, and job enrichment adds depth to a job.
319. Which of the following is the correct sequence of actions in access contro
l mechanisms?
a.
b.
c.
d.
Confidentiality
Integrity
Availability
Nonrepudiation
320. b. The principle of least privilege deals with access control authorization
mechanisms, and as such the principle ensures integrity of data and systems by
limiting access to data/information and information systems.
321. Which of the following is a major vulnerability with Kerberos model?
a. User
b. Server
c. Client
d. Key-distribution-server
321. d. A major vulnerability with the Kerberos model is that if the key distrib
ution server is attacked, every secret key used on the network is compromised. T
he principals involved in the Kerberos model include the user, the client, the k
ey-distribution-center, the ticket-granting-service, and the server providing th
e requested services.
322. For electronic authentication, identity proofing involves which of the fol
lowing?
a.
b.
c.
d.
CSP
RA
CSP and RA
CA and CRL
SAML assertions
X.509 public-key identity certificates
X.509 attribute certificates
Kerberos tickets
c. Detection
d. Correction
325. c. Making it more difficult to accomplish or increasing the likelihood of d
etection can deter registration fraud. The goal is to make impersonation more di
fficult.
326. Which one of the following access control policies treats users and owners
as the same?
a.
b.
c.
d.
Eavesdroppers
Subscriber impostors
Impostor verifiers
Hijackers
328. d. An attacker can send attack packets using a fake source IP address but a
rrange to wiretap the victims reply to the fake address. The attacker can do thi
s without having access to the computer at the fake address. This manipulation o
f IP addressing is called IP address spoofing.
A system scanning attack occurs when an attacker probes a target network or syst
em by sending different kinds of packets. Denial-of-service attacks attempt to s
low or shut down targeted network systems or services. System penetration attack
s involve the unauthorized acquisition and/or alteration of system privileges, r
esources, or data.
329. In-band attacks against electronic authentication protocols include which
of the following?
a.
b.
c.
d.
Password guessing
Impersonation
Password guessing and replay
Impersonation and man-in-the-middle
329. c. In an in-band attack, the attacker assumes the role of a claimant with a
genuine verifier. These include a password guessing attack and a replay attack.
In a password guessing attack, an impostor attempts to guess a password in repe
ated logon trials and succeeds when he can log onto a system. In a replay attack
, an attacker records and replays some part of a previous good protocol run to t
he verifier. In the verifier impersonation attack, the attacker impersonates the
verifier and induces the claimant to reveal his secret token. A man-in-the-midd
le attack is an attack on the authentication protocol run in which the attacker
positions himself between the claimant and verifier so that he can intercept and
alter data traveling between them.
330. Which of the following access control policies or models provides a straig
htforward way of granting or denying access for a specified user?
a.
b.
c.
d.
330. b. An access control list (ACL) is an object associated with a file and con
taining entries specifying the access that individual users or groups of users h
ave to the file. ACLs provide a straightforward way to grant or deny access for
a specified user or groups of users. Other choices are not that straightforward
in that they use labels, tags, and roles.
331. What is impersonating a user or system called?
a.
b.
c.
d.
Snooping
Spoofing
Sniffing
Spamming
attack
attack
attack
attack
d. Traffic analysis
333. c. Spoofing is using various techniques to subvert IP-based access control
by masquerading as another system by using its IP address. Attacks such as hidde
n code, inference, and traffic analysis are based on data and information.
334. Honeypot systems do not contain which of the following?
a.
b.
c.
d.
Event triggers
Sensitive monitors
Sensitive data
Event loggers
334. c. The honeypot system is instrumented with sensitive monitors, event trigg
ers, and event loggers that detect unauthorized accesses and collect information
about the attackers activities. These systems are filled with fabricated data de
signed to appear valuable.
335. Intrusion detection and prevention systems look at security policy violati
ons:
a.
b.
c.
d.
Statically
Dynamically
Linearly
Nonlinearly
335. b. Intrusion detection and prevention systems (IDPS) look for specific symp
toms of intrusions and security policy violations dynamically. IDPS are analogou
s to security monitoring cameras. Vulnerability analysis systems take a static v
iew of symptoms. Linearly and nonlinearly are not applicable here because they a
re mathematical concepts.
336. For biometric accuracy, which of the following defines the point at which
the false rejection rates and the false acceptance rates are equal?
a.
b.
c.
d.
Type I error
Type II error
Crossover error rate
Type I and II error
336. c. In biometrics, crossover error rate is defined as the point at which the
false rejection rates and the false acceptance rates are equal. Type I error, c
alled false rejection rate, is incorrect because genuine users are rejected as i
mposters. Type II error, called false acceptance rate, is incorrect because impo
sters are accepted as genuine users.
337. Which one of the following does not help in preventing fraud?
a.
b.
c.
d.
Separation of duties
Job enlargement
Job rotation
Mandatory vacations
337. b. Separation of duties, job rotation, and mandatory vacations are manageme
nt controls that can help in preventing fraud. Job enlargement and job enrichmen
t do not prevent fraud because they are not controls; their purpose is to expand
the scope of an employees work for a better experience and promotion.
338. Access triples used in the implementation of Clark-Wilson security model i
nclude which of the following?
a.
b.
c.
d.
338. c. The Clark-Wilson model partitions objects into programs and data for eac
h subject forming a subject/program/data access triple. The generic model for th
e access triples is <subject, rights, object>.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 9.
The KPT Company is analyzing authentication alternatives. The company has 10,000
users in 10 locations with five different databases of users. The current authe
ntication access controls are a mix of UNIX and Microsoft related tools. KPT pri
orities include security, cost, scalability, and transparency.
1. Symbolic link (symlink) attacks do not exist on which of the operating system
s?
a.
b.
c.
d.
UNIX
Windows
LINUX
MINIX
1. b. Symbolic links are links on UNIX, MINIX, and LINUX systems that point from
one file to another file. A symlink vulnerability is exploited by making a symb
olic link from a file to which an attacker does have access to a file to which t
he attacker does not have access. Symlinks do not exist on Windows systems, so s
ymlink attacks cannot be performed against programs or files on those systems. M
INIX is a variation of UNIX and is small in size. A major difference between MIN
IX and UNIX is the editor where the former is faster and the latter is slower.
2. Which one of the following is not an authentication mechanism?
a.
b.
c.
d.
What
What
What
What
the
the
the
the
user
user
user
user
knows
has
can do
is
2. c. What the user can do is defined in access rules or user profiles, which come
after a successful authentication. The other three choices are part of an authe
ntication process.
3. Which of the following provides strong authentication for centralized authen
tication servers when used with firewalls?
a.
b.
c.
d.
User IDs
Passwords
Tokens
Account numbers
3. c. For basic authentication, user IDs, passwords, and account numbers are use
d for internal authentication. Centralized authentication servers such as RADIUS
and TACACS/TACACS+ can be integrated with token-based authentication to enhance
firewall administration security.
4. Which of the following does not provide robust authentication?
a.
b.
c.
d.
Kerberos
Secure RPC
Reusable passwords
Digital certificates
a.
b.
c.
d.
Static authentication
Robust authentication
Intermittent authentication
Continuous authentication
Something
Something
Something
Something
you
you
you
you
Unique identifiers
Access rules
Audit trails
Policies and procedures
Memory tokens
Smart tokens
Cryptography
Biometric systems
c. Memory tokens
d. Smart tokens
9. a. Recurring passwords are static passwords with reuse and are considered to
be a relatively weak security mechanism. Users tend to use easily guessed passwo
rds. Other weaknesses include spoofing users, users stealing passwords through o
bserving keystrokes, and users sharing passwords. The unauthorized use of passwo
rds by outsiders (hackers) or insiders is a primary concern and is considered th
e least efficient and least effective security mechanism for re-authentication.
Nonrecurring passwords is incorrect because they provide a strong form of re-aut
hentication. Examples include a challenge-response protocol or a dynamic passwor
d generator where a unique value is generated for each session. These values are
not repeated and are good for that session only. Tokens can help in re-authenti
cating a user or transaction. Memory tokens store but do not process information
. Smart tokens expand the functionality of a memory token by incorporating one o
r more integrated circuits into the token itself. In other words, smart tokens s
tore and process information. Except for passwords, all the other methods listed
in the question are examples of advanced authentication methods that can be app
lied to re-authentication.
Sources and References
Access Control in Support of Information Systems, Security Technical Implementati
on Guide (DISA-STIG, Version 2 and Release 2), Defense Information Systems Agency
(DISA), U.S. Department of Defense (DOD), December 2008.
Assessment of Access Control Systems (NISTIR 7316), National Institute of Standard
s and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, Se
ptember 2006.
Electronic Authentication Guideline (NIST SP800-63R1), National Institute of Stand
ards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland,
December 2008.
Guide to Enterprise Password Management (NIST SP800-118 Draft), National Institute
of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg,
Maryland, April 2009.
Guide to Intrusion Detection and Prevention Systems (NIST SP800-94), National Inst
itute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersb
urg, Maryland, February 2007.
Guide to Storage Encryption Technologies (NIST SP 800-111), National Institute of
Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Mary
land, November 2007.
Interfaces for Personal Identity Verification (NIST SP 800-73R1), National Institu
te of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg
, Maryland, March 2006.
Privilege Management (NISTIR 7657 V0.4 Draft), National Institute of Standards and
Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, Novembe
r 2009.
Domain 2
Telecommunications and Network Security
Traditional Questions, Answers, and Explanations
1. If QoS is quality of service, QoP is quality of protection, QA is quality as
surance, QC is quality control, DoQ is denial of quality, and DoS is denial of s
ervice, which of the following affects a network systems performance?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
1 and 4
2 and 3
1, 2, 3, and 4
1. d. All four items affect a network system performance. QoS parameters include
reliability, delay, jitter, and bandwidth, where applications such as e-mail, f
ile transfer, Web access, remote login, and audio/video require different levels
of the parameters to operate at different quality levels (i.e., high, medium, o
r low levels).
QoP requires that overall performance of a system should be improved by prioriti
zing traffic and considering the rate of failure or average latency at the lower
layer protocols.
QA is the planned systematic activities necessary to ensure that a component, mo
dule, or system conforms to established technical requirements. QC is the preven
tion of defective components, modules, and systems. DoQ results from not impleme
nting the required QA methods and QC techniques for delivering messages, packets
, and services.
DoS is the prevention of authorized access to resources or the delaying of timecritical operations. DoS results from DoQ. QoS is related to QoP and DoS which,
in turn, relates to DoQ. Therefore, QoS, QoP, QA, QC, DoQ, and DoS are related t
o each other.
2. The first step toward securing the resources of a local-area network (LAN) i
s to verify the identities of system users. Organizations should consider which
of the following prior to connecting their LANs to outside networks, particularl
y the Internet?
a.
b.
c.
d.
Plan
Plan
Plan
Plan
for
for
for
for
2. c. The best thing is to consider all authentication options, not just using t
he traditional method of passwords. Proper password selection (striking a balanc
e between being easy to remember for the user but difficult to guess for everyon
e else) has always been an issue. Password-only mechanisms, especially those tha
t transmit the password in the clear (in an unencrypted form) are susceptible to
being monitored and captured. This can become a serious problem if the local-ar
ea network (LAN) has any uncontrolled connections to outside networks such as th
e Internet. Because of the vulnerabilities that still exist with the use of pass
word-only mechanisms, more robust mechanisms such as token-based authentication
and use of biometrics should be considered.
Locking mechanisms for LAN devices, workstations, or PCs that require user authe
ntication to unlock can be useful to users who must frequently leave their work
areas (for a short period of time). These locks enable users to remain logged in
to the LAN and leave their work areas without exposing an entry point into the L
AN.
Modems that provide users with LAN access may require additional protection. An
intruder that can access the modem may gain access by successfully guessing a us
er password. The availability of modem use to legitimate users may also become a
n issue if an intruder is allowed continual access to the modem. A modem pool is
a group of modems acting as a pool instead of individual modems on each worksta
tion. Modem pools provide greater security in denying access to unauthorized use
rs. Modem pools should not be configured for outgoing connections unless access
can be carefully controlled.
Security mechanisms that provide a user with his account usage information may a
lert the user that the account was used in an abnormal manner (e.g., multiple lo
gin failures). These mechanisms include notification such as date, time, and loc
ation of the last successful login and the number of previous login failures.
3. Which of the following attacks take advantage of dynamic system actions and
Active attacks
Passive attacks
Asynchronous attacks
Tunneling attacks
4. a. A sink tree shows the set of optimal routes from all sources to a given de
stination, rooted at the destination. A sink tree does not contain any loops, so
each packet is delivered within a finite and bounded number of hops. The goal o
f all routing algorithms is to identify and use the sink trees for all routers.
A spanning tree uses the sink tree for the router initiating the broadcast. A sp
anning tree is a subset of the subnet that includes all the routers but does not
contain any loops.
A finger table is used for node lookup in peer-to-peer (P2P) networks. Routers u
se routing tables to route messages and packets. A fault tree is used in analyzi
ng errors and problems in computer software. A decision tree is a graphical repr
esentation of the conditions, actions, and rules in making a decision with the u
se of probabilities in calculating outcomes. A decision table presents a tabular
representation of the conditions, actions, and rules in making a decision. A tr
uth table is used in specifying computer logic blocks by defining the values of
the outputs for each possible set of input values.
5. Enforcing effective data communications security requires other types of sec
urity such as physical security. Which of the following can easily compromise su
ch an objective?
a.
b.
c.
d.
re algorithm and given to the user for use at the time of login. Each password e
xpires after its initial use and is not repeated or stored anywhere. Last login
messages are incorrect because they alert unauthorized uses of a users password a
nd ID combination.
6. Which of the following refers to closed-loop control to handle network conge
stion problems?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
4
3
only
and 2
only
and 4
6. d. With the open-loop control, when the system is up and running, mid-course
corrections are not made, thus ignoring the current states of the network. On th
e other hand, the closed-loop control is based on the concept of feedback loop w
ith mid-course corrections allowed.
7. Which of the following security threats is not applicable to wireless localarea networks (WLANs)?
a.
b.
c.
d.
Message interception
System unavailability
System unreliability
Theft of equipment
8. b. In wireless LANs, the stronger node could block the weaker one, substitute
its own messages, and even acknowledge responses from other nodes. Similarly, t
heft of equipment is a major risk in wireless LANs due to their portability. Whe
n equipment moves around, things can easily become missing. Eavesdropping and ma
squerading are common to both the wired and wireless LANs. Eavesdropping is an u
nauthorized interception of information. Masquerading is an attempt to gain acce
ss to a computer system by posing as an authorized user.
9. The World Wide Web (WWW) can be protected against the risk of eavesdropping
in an economical and convenient manner through the use of which of the following
?
a. Link and document encryption
b. Secure sockets layer and secure HTTP
10. d. Important security features of WWW include (i) disabling automatic direct
ory listings for names and addresses, (ii) placing the standalone, stripped-down
WWW computer outside the firewall in the demilitarized zone (DMZ), and (iii) pr
oviding encryption when sensitive or personal information is transmitted or stor
ed. There is a potential risk posed by dependence on a limited number of third-p
arty providers in terms of performance and availability of service.
11. For Web services, which of the following uses binary tokens for authenticat
ion, digital signatures for integrity, and content-level encryption for confiden
tiality?
a.
b.
c.
d.
a.
b.
c.
d.
Defense-in-depth strategy
Defense-in-breadth strategy
Defense-in-time strategy
Defense-in-technology strategy
12. b. Radio frequency identification (RFID) technologies are used in supply cha
in systems which, in turn, use defense-in-breadth strategy for ensuring security
. Defense-in-depth strategy considers layered defenses to make security stronger
. Defense-in-time strategy considers different time zones in the world where inf
ormation systems operate. Defense-in-technology strategy deals with making techn
ology less complicated and more secure.
13. Which of the following is not an example of race condition attacks?
a
b.
c.
d.
Symbolic links
Object-oriented
Deadlock
Core-file manipulation
14. c. Remote maintenance ports enable the vendor to fix operating problems. The
legal contract with the vendor should specify that there be no trap doors and t
hat any maintenance ports should be approved by both parties. Modem pools consis
t of a group of modems connected to a server (e.g., host, communications, or ter
minal). This provides a single point of control. Attackers can target the modem
pool, so protect it by installing an application gateway-based firewall control.
Dial-back security controls over remote maintenance ports are not effective bec
ause they are actually authenticating a place, not a person. It is good practice
to disconnect unneeded connections to the outside world, but this makes it diff
icult for a maintenance contractor to access certain ports when needed in an eme
rgency.
15. Which of the following statements is not true about Internet firewalls?
a.
b.
c.
d.
A
A
A
A
firewall
firewall
firewall
firewall
can
can
can
can
15. d. Firewalls (also known as secure gateways) cannot keep personal computer v
iruses out of a network. There are simply too many types of viruses and too many
ways a virus can hide within data. The most practical way to address the virus
problem is through host-based virus-protection software and user education conce
rning the dangers of viruses and precautions to take against them. A firewall en
forces the sites security policy, enabling only approved services to pass through a
nd those only within the rules set up for them. Because all traffic passes throu
gh the firewall, the firewall provides a good place to collect information about
system and network use and misuse. As a single point of access, the firewall ca
n record what occurs between the protected network and the external network. A f
irewall can be used to keep one section of the sites network separate from anothe
r section, which also keeps problems in one section isolated from other sections
. This limits an organizations security exposure.
16. In a distributed computing environment, system security takes on an importa
nt role. Two types of network attacks exist: passive and active. Which of the fo
llowing is an example of a passive attack?
a.
b.
c.
d.
16. d. A passive attack is an attack where the threat merely watches information
move across the system. However, no attempt is made to introduce information to
exploit vulnerability. Sniffing a system password when the system user types it
is an example of a passive attack.
The other three choices are incorrect because they are examples of active attack
s. Active attacks occur when the threat makes an overt change or modification to
the system in an attempt to take advantage of vulnerability.
17. Use of preshared keys (PSKs) in a wireless local-area network (WLAN) config
uration leads to which of the following?
1.
2.
3.
4.
Dictionary attack
Rainbow attack
Online attack
Offline attack
a.
b.
c.
d.
1
1
2
2
and
and
and
and
2
3
3
4
17. a. Dictionary attack is a form of guessing attack in which the attacker atte
mpts to guess a password using a list of possible passwords that is not exhausti
ve. Rainbow attacks occur in two ways: utilizing rainbow tables, which are used
in password cracking, and using preshared keys (PSKs) in a WLAN configuration.
The use of PSK should be avoided. In PSK environments, a secret passphrase is sh
ared between stations and access points. The PSK is generated by combining the W
LANs name and service set identifier (SSID) with a passphrase and then hashing th
is multiple times. Keys derived from a passphrase shorter than approximately 20
characters provide relatively low levels of security and are subject to dictiona
ry and rainbow attacks. Changing the WLAN name or SSID will not improve the stre
ngth of the 256-bit PSK.
An online attack is an attack against an authentication protocol where the attac
ker either assumes the role of a claimant with a genuine verifier or actively al
ters the authentication channel. An offline attack is an attack where the attack
er obtains some data through eavesdropping that he can analyze in a system of hi
s own choosing. The goal of these attacks may be to gain authenticated access or
learn authentication secrets.
18. Which of the following extensible authentication protocols is not secure?
a.
b.
c.
d.
EAP-TLS
EAP-TTLS
MD5-Challenge
PEAP
Web bug
Blacklisting
RED
BLACK
19. b. Web content filtering software is a program that prevents access to undes
irable websites, typically by comparing a requested website address to a list of
known bad websites (i.e., blacklisting). Blacklisting is a hold placed against
IP addresses to prevent inappropriate or unauthorized use of Internet resources.
The other three choices are not related to the Web content filtering software. W
eb bug is a tiny image, invisible to a user, placed on Web pages in such a way t
o enable third parties to track use of Web servers and collect information about
the user, including IP addresses, host name, browser type and version, operatin
g system name and version, and cookies. The Web bug may contain malicious code.
RED refers to data/information or messages that contain sensitive or classified
information that is not encrypted, whereas BLACK refers to information that is e
ncrypted.
20. Which of the following identifies calls originating from nonexistent teleph
one extensions to detect voice-mail fraud?
a.
b.
c.
d.
Antihacker software
Call-accounting system
Antihacker hardware
Toll-fraud monitoring system
21. Which of the following voice-mail fraud prevention controls can be counterp
roductive and at the same time counterbalancing?
1.
2.
3.
4.
Turning off direct inward system access ports during nonworking hours
Separating internal and external call-forwarding privileges
Implementing call vectoring
Disconnecting dial-in maintenance ports
a.
b.
c.
d.
1
1
3
2
and
and
and
and
2
4
4
3
21. b. Direct inward system access (DISA) is used to enable an inward calling pe
rson access to an outbound line, which is a security weakness when not properly
secured. Because hackers work during nonworking hours (evenings and weekends), t
urning off DISA appears to be a preventive control. However, employees who must
make business phone calls during these hours cannot use these lines. They have t
o use their company/personal credit cards when the DISA is turned off. Similarly
, disconnecting dial-in maintenance ports appears to be a preventive control; al
though, hackers can get into the system through these ports.
Emergency problems cannot be handled when the maintenance ports are disabled. Tu
rning off direct inward system access (DISA) ports during nonworking hours and d
isconnecting dial-in maintenance ports are counterproductive and counterbalancin
g.
By separating internal and external call-forwarding privileges for internal line
s, an inbound call cannot be forwarded to an outside line unless authorized. Cal
l vectoring can be implemented by answering a call with a recorded message or no
thing at all, which may frustrate an attacker. Separating internal and external
call-forwarding privileges and implementing call vectoring are counterproductive
and balancing.
22. Regarding instant messaging (IM), which of the following is an effective cou
ntermeasure to ensure that the enclave users cannot connect to public messaging
systems?
a.
b.
c.
d.
22. c. Blocking ports at the enclave firewall ensures that enclave users cannot
connect to public messaging systems. Although a firewall can be effective at blo
cking incoming connections and rogue outgoing connections, it can be difficult t
o stop all instant messaging (IM) traffic connected to commonly allowed destinat
ion ports (e.g., HTTP, Telnet, FTP, and SMTP), thus resulting in a bypass of fir
ewalls. Therefore, domain names or IP addresses should be blocked in addition to
port blocking at a firewall.
IM also provides file-sharing capabilities, which is used to access files on rem
ote computers via a screen name which could be infected with a Trojan horse. To
launch malware and file-sharing attacks, an attacker may use the open IM ports b
ecause he does not need new ports. Therefore, the file-sharing feature should be
disabled on all IM clients.
Restricting IM chat announcements to only authorized users can limit attackers f
rom connecting to computers on the network and sending malicious code. IM is a p
otential carrier for malware because it provides the ability to transfer text me
ssages and files, thereby becoming an access point for a backdoor Trojan horse.
Installing antivirus software with plug-ins to IM clients and scanning files as
they are received can help control malware.
23. What do terminating network connections with internal and external communic
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
23. b. An information system should terminate the internal and external network
connection associated with a communications session at the end of the session or
after a period of inactivity. This is achieved through de-allocating addresses
and assignments at the operating system level and application system level.
24. In a wireless local-area network (WLAN) environment, what is a technique us
ed to ensure effective data security called?
a.
b.
c.
d.
File locks
Record locks
Semaphores
Security labels
25. d. Security labels deal with security and confidentiality of data, not with
file updates. A security label is a designation assigned to a system resource su
ch as a file, which cannot be changed except in emergency situations. File updat
es deal with the integrity of data. The unique concept of a local-area network (
LAN) file is its capability to be shared among several users. However, security
controls are needed to assure synchronization of file updates by more than one u
ser.
File locks, record locks, and semaphores are needed to synchronize file updates.
File locks provide a coarse security due to file-level locking. Record locking
can be done through logical or physical locks. The PC operating system ensures t
hat the protected records cannot be accessed on the hard disk. Logical locks wor
k by assigning a lock name to a record or a group of records. A semaphore is a f
lag that can be named, set, tested, changed, and cleared. Semaphores can be appl
ied to files, records, group of records, or any shareable network device, such a
s a printer or modem. Semaphores are similar to logical locks in concept and can
be used for advanced network control functions.
26. Which of the following is a byproduct of administering the security policy
for firewalls?
a.
b.
c.
d.
26. c. The role of site security policy is important for firewall administration
. A firewall should be viewed as an implementation of a policy; the policy shoul
d never be made by the firewall implementation. In other words, agreement on wha
t protocols to filter, what application gateways to use, how network connectivit
y will be made, and what the protocol filtering rules are all need to be codifie
d beforehand because ad hoc decisions will be difficult to defend and will event
ually complicate firewall administration.
27. Which of the following reduces the need to secure every user endpoint?
1.
2.
3.
4.
Diskless nodes
Thin client technology
Client honeypots
Thick client technology
a.
b.
c.
d.
1
1
3
3
only
and 2
only
and 4
28. b. Due to their design, fiber optic cables are relatively safer and more sec
ure than other types of computer links. A dial-up connection through a public te
lephone network is not secure unless a dial-back control is established. Direct
wiring of lines between the computer and the user workstation is relatively secu
re when compared to the public telephone network. Microwave transmissions or sat
ellites are subject to sabotage, electronic warfare, and wiretaps.
29. Which of the following is risky for transmission integrity and confidential
ity when a network commercial service provider is engaged to provide transmissio
n services?
a.
b.
c.
d.
Commodity service
Cryptographic mechanisms
Dedicated service
Physical measures
30. b. Application system controls include data editing and validation routines
to ensure integrity of the business-oriented application systems such as payroll
and accounts payable. It has nothing to do with the network security and integr
ity.
Logical access controls prevent unauthorized users from connecting to network no
des or gaining access to applications through computer terminals.
Hardware controls include controls over modem usage, the dial-in connection, and
the like. A public-switched network is used to dial into the internal network.
Modems enable the user to link to a network from a remote site through a dial-in
connection.
Procedural controls include (i) limiting the distribution of modem telephone num
bers on a need to know basis, (ii) turning the modem off when not in use, and (i
ii) frequent changes of modem telephone numbers.
31. Which of the following questions must be answered first when planning for se
cure telecommuting?
a.
b.
c.
d.
What
What
What
What
data is confidential?
systems and data do employees need to access?
type of access is needed?
is the sensitivity of systems and data?
Mesh topology
Star topology
Bus topology
Ring topology
32. a. The Internet uses the mesh topology with a high degree of fault tolerance
. Dial-up telephone services and PBX systems (switched networks) use the star to
pology, Ethernet mostly uses the bus topology, and FDDI uses the ring topology.
33. Phishing attacks can occur using which of the following?
1.
2.
3.
4.
Cell phones
Personal digital assistants
Traditional computers
Websites
a.
b.
c.
d.
3 only
4 only
1 and 2
1, 2, 3, and 4
33. d. Phishing attacks are not limited to traditional computers and websites; t
hey may also target mobile computing devices, such as cell phones and personal d
igital assistants. To perform a phishing attack, an attacker creates a website o
r e-mail that looks as if it is from a well-known organization, such as an onlin
e business, credit card company, or financial institution in the case of cell ph
ones; it is often the SMS/MMS attack vector or calls with spoofed caller-ID.
34. A sender in a transmission control protocol (TCP) network plans to transmit
message packets of sizes 1,024, 2,048, 4,096, and 8,192 bytes to a receiver. Th
e receivers granted window size is 16,384 bytes and the timeout size is set at 8,
192 bytes. What should be the senders congestion window size to avoid network bur
sts or congestion problems?
a.
b.
c.
d.
2,048 bytes
4,096 bytes
8,192 bytes
16,384 bytes
34. b. As long as the congestion window size remains at 4,096, which is less tha
n the timeout size, no bursts take place, regardless of the receivers granted win
dow size. Network bursts can occur at a transmission of 8,192 bytes or higher be
cause 8,192 bytes are the timeout limit. To be safe, the optimum size of the sen
ders congestion window must be set at less than the receivers granted window size
or the timeout size, whichever is smaller.
35. Which of the following network architectures is designed to provide data se
rvices using physical networks that are more reliable and offer greater bandwidt
h?
a.
b.
c.
d.
35. a. Integrated services digital network (ISDN) was designed to provide both v
oice and a wide variety of data services, initially using the existing phone net
work. Broadband ISDN was designed to provide a more sophisticated set of service
s using reliable high-speed networks that can be provided using optical fiber ph
ysical networks of higher bandwidth. Both the TCP/IP and OSI protocol suites are
designed to provide communications between heterogeneous systems. These two pla
tforms support applications, such as file transfer, e-mail, and virtual terminal
protocols. Interoperability between TCP/IP and OSI cannot be accomplished witho
ut building special software, or gateways, to translate between protocols. Howev
er, these architectures were designed to provide data services using physical ne
tworks that were not always reliable and offered limited bandwidth.
36. Which of the following is the most important aspect of a remote access?
a. User authentication
b. Media authentication
c. Device authentication
d. Server authentication
36. d. Server authentication is the most important for remote access methods whe
re a user is manually establishing the remote access connections, such as typing
a URL into a Web browser. A server is a host computer that provides one or more
services for other hosts over a network as a primary function. Hence, the serve
r, especially if it is a central server, provides a major entry point into the n
etwork. If the authentication method to the server is weak, it can affect the pe
rformance and security of the entire network negatively, and can become a single
point of failure, resulting in major security risks. In terms of sequence of ac
tions, the server authentication comes first, user authentication comes next or
at the same as the server, and media (e.g., disk) and device (e.g., Phone, PDA,
or PC) authentication comes last. Although the other choices are important in th
eir own way, they are not as important as the server authentication in terms of
potential security risks at the server.
37. Possible security threats inherent in a local-area network (LAN) environmen
t include passive and active threats. Which of the following is a passive threat
?
a.
b.
c.
d.
37. c. Passive threats do not alter any data in a system. They simply read infor
mation for the purpose of gaining some knowledge. Because there is no alteration
of data and consequently no audit trail exists, passive threats are difficult t
o detect. Examples of passive threats include traffic analysis. If an attacker c
an read the packet header, then the source and destination of the message is kno
wn, even when the message is encrypted. Through traffic analysis, the attacker k
nows the total volume in the network and the amount of traffic entering and leav
ing selected nodes. Although encryption can limit the reading of header informat
ion and messages, traffic padding is also needed to counteract the traffic analy
sis. Traffic padding requires generating a continuous stream of random data or c
ipher text and padding the communication link so that the attacker would find it
difficult to differentiate the useful data from the useless data. Padded data i
n traffic is useless.
The other three choices are incorrect because they are examples of active threat
s. Active threats generate or alter the data or control signals rather than to s
imply read the contents of those signals. A denial of message service results wh
en an attacker destroys or delays most or all messages. Masquerading is an attem
pt to gain access to a computer system by posing as an authorized client or host
. An attacker poses as an authentic host, switch, router, or similar device to c
ommunicate with a peer to acquire data or services. Modification of message serv
ice occurs when an attacker modifies, deletes, delays, reorders existing real me
ssages, and adds fake messages.
38. In which of the following remote access methods is a pinholing scheme used
to facilitate the network address translation (NAT) contact to occur with intern
al workstations?
a.
b.
c.
d.
Tunneling
Application portals
Remote desktop access
Direct application access
38. c. There are two major styles of remote desktop access: (i) direct between t
he telework client device (e.g., a consumer device such as a smartphone and PDA
or PC used for performing telework) and the internal workstation, and (ii) indir
ect through a trusted intermediate system. However, direct access is often not p
ossible because it is prevented by many firewalls. For example, if the internal
Multiplexers
Network interface cards
Concentrators
Front-end processors
Ingress filtering
Egress filtering
Deny-by-default rulesets for incoming traffic
Deny-by-default rulesets for outgoing traffic
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
40. d. Because network-based firewalls can restrict both incoming and outgoing t
raffic, they can also be used to stop certain worm infections within the organiz
ation from spreading to external systems. To prevent malware incidents, organiza
tions should implement deny-by-default rulesets, meaning that the firewalls deny
all incoming and outgoing traffic that is not expressly permitted. Organization
s should also ensure that their network firewalls perform egress and ingress fil
tering. Egress filtering is blocking outgoing packets that should not exit a net
work. Ingress filtering is blocking incoming packets that should not enter a net
work.
41. A website has been vandalized. Which of the following should be monitored c
losely?
a.
b.
c.
d.
Illegal
Illegal
Illegal
Illegal
logging
privilege usage
file access
Web server shutdown
41. c. Selecting the illegal file access addresses the vandalism issue because t
hat is what the attacker can benefit from the most. Files have critical data use
ful to an attacker. The other three choices are incidental.
42. The Voice over Internet Protocol (VoIP) technology can lead to which of the
following?
a.
b.
c.
d.
Converged network
Ad hoc network
Content delivery network
Wireless sensor network
42. a. The Voice over Internet Protocol (VoIP) technology can lead to a converge
d network, where the latter combines two different networks such as data and voi
ce networks, similar to the VoIP. Ad hoc network is a network of nodes near each
other. Content delivery network delivers the contents of music, movie, sports,
and/or news from a content owners website to end users. Wireless sensor network i
s used to provide security over buildings, machinery, vehicle operation, and env
ironmental changes in a building (e.g., humidity, voltage, and temperature).
43. Which of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
a.
b.
c.
d.
Twisted pair
Coaxial cable
Optical fiber
Microwave transmission
Productivity
Availability
Throughput
Responsiveness
44. b. Availability is the ratio of the total time a functional unit is capable
of being used during a given interval to the length of the interval. It is the t
ime during which a functional unit can be used. What good are productivity, thro
ughput, and response time if the system is shut down and not available? Therefor
e, system availability is the most important objective for a local-area network
Post wiring
Wiring on demand
Buildings with high ceilings
Cable conduits
45. d. Because the cost of wiring an existing building goes up with the height o
f the ceiling and rises even higher after the tenants have moved in, making the
right decisions as early as possible can significantly reduce future costs. Dang
ling cables can be a safety hazard. Therefore, proactive thinking such as prewir
ing and cable conduits during building construction should be planned carefully
to make future changes easier with less cost. Post-wiring and wiring on demand a
re reactive in nature, relatively expensive, and disruptive to work.
46. Which of the following is a disadvantage of satellite communications versus
a conventional communications method?
a.
b.
c.
d.
User-owned stations
Cost
Frequency bands
Broadcast ability
46. c. Frequency bands are of two types: low and high frequency. All the lower f
requency bands have become increasingly crowded, and developing higher frequenci
es is difficult and expensive. Also, transmission problems typically worsen at h
igher frequencies. In satellite systems, power must be increased at both the ori
ginal transmission site (uplink) on earth and on the satellite. Increased satell
ite power generally increases costs.
The other three choices are advantages. Users purchase their own sending and rec
eiving equipment. Satellites have a low-cost, point-to-multipoint broadcast capa
bility that is most expensive to duplicate with conventional techniques.
47. Host-based firewalls can have a serious negative effect on system usability
and user satisfaction with which of the following?
a.
b.
c.
d.
Deny-by-default
Deny-by-default
Deny-by-default
Deny-by-default
rulesets
rulesets
rulesets
rulesets
for
for
for
for
incoming traffic
outgoing traffic
servers
desktops
48. d. Limited network management for most remote control programs is a major di
sadvantage. Managing a large number of host workstations is difficult; each stat
ion must be managed individually. The remote control program that LAN access met
hod uses does not implicitly minimize telephone connect time; although, it is po
ssible to automate many operations using batch files or other programming mechan
isms. Manual connect and disconnect operations are often augmented by timeout op
tions not always found with other remote LAN access methods. Compatibility betwe
en the remote control programs and host applications is not guaranteed; often, c
ompatibility must be determined by trial and error.
49. What is a data communication switch that enables many computer terminals to
share a single modem and a line called?
a.
b.
c.
d.
Bypass switch
Fallback switch
Crossover switch
Matrix switch
49. a. Data communications switches are useful for routing data, online monitori
ng, fault diagnosis, and digital/analog testing. A switch is a mechanical, elect
romechanical, or electronic device for making, breaking, or changing the connect
ion in or among circuits. It is used to transfer a connection from one circuit t
o another.
There are four basic types of switches: bypass, fallback, crossover, and matrix.
A bypass switch enables many terminals to share a single modem and line. A fall
back switch turns network components from online to standby equipment when there
is a problem in the circuit. A crossover switch provides an easy method of inte
rchanging data flows between two pairs of communications components. With a matr
ix switch a user can interconnect any combination of a group of incoming interfa
ces to any combination of a group of outgoing interfaces.
50. An intranet can be found in an organizations internal network or shared betwe
en organizations over the Internet. Which of the following controls is least sui
ted to establish a secure intranet over the Internet?
a.
b.
c.
d.
50. d. Intranets are similar to the organizations own networks, providing interna
l interaction. You do not need to be connected to the Internet to create an intr
anet. The infrastructure includes placing policies, procedures, and standards do
cuments on an internal server. The intranet could be connected to the Internet,
or an intranet could be created by using a private Web server on the Internet. E
ffective controls include encryption and firewalls. Private tunnels can be creat
ed over the Internet through the use of encryption devices, encrypting firewalls
, or encrypting routers. Implementing password controls to the private Web serve
r for each user is a weak control because password administration would be a dif
ficult if not an impossible task. Group passwords would not be effective either.
51. Which of the following is an example of an asynchronous attack?
a.
b.
c.
d.
52. Security mechanisms implement security services. Which of the following sec
urity services is provided by a notarization security mechanism?
a.
b.
c.
d.
Confidentiality
Integrity
Authentication
Nonrepudiation
53. a. Legacy IEEE 802.11 wireless LANs (WLANs) operate in the physical layer an
d the data link layer of the ISO/OSI reference model because they define the phy
sical characteristics and access rules for the network. The physical layer addre
sses areas such as frequencies used and modulation techniques employed. The data
link layer deals with how the network is shared between nodes. It defines rules
such as who can talk on the network and how much they can say.
54. Which of the following security practices is supported by most remote contr
ol program (RCP) products when accessing a host workstation on a local-area netw
ork (LAN)?
a.
b.
c.
d.
54. a. Some remote control products provide minimal security support, whereas ot
hers provide varying degrees of support. Matching a user ID and name with a pass
word and callback modem support are handled by most products. Other security mec
hanisms, such as the ability to limit access to local drives and directories to
limit the use of host hardware (such as printer ports) and to control reboot opt
ions and file transfer rights are not widely supported.
55. When a nonremote user connection is established with a remote device using
a virtual private network (VPN), the configuration settings generally prevent wh
ich of the following?
a.
b.
c.
d.
Split
Split
Split
Split
knowledge
domain name service
tunneling
gateway
e users default gateway. Remote users normally use split tunneling to communicate
with the information system as an extension of that system and to communicate w
ith local resources such as a printer or file server. The remote device, when co
nnected by a nonremote connection, becomes an extension of the information syste
m, enabling a dual communications path (i.e., split tunneling), which, in effect
, enables unauthorized external connections into the system. Here the use of VPN
for nonremote connection generally prevents the split tunneling, depending on t
he configuration settings and traffic types.
56. Extrusion detection at the information system boundary does not include whic
h of the following?
a.
b.
c.
d.
56. c. Detecting internal actions that may pose a security threat to external in
formation systems is called extrusion detection. It is also referred to as data
loss prevention. Its scope includes the analysis of incoming and outgoing networ
k traffic looking for indications of an internal threat (not an external threat)
to the security of external systems.
57. Which of the following prevents the unauthorized exfiltration of information
across managed interfaces such as proxies and routers?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
1 and 2
2 and 4
1, 2, 3, and 4
57. d. All the four items are measures to prevent unauthorized exfiltration of i
nformation from the information system. Other preventive measures against exfilt
ration include disconnecting external network interfaces except when explicitly
needed and conducting traffic profile analysis to detect deviations from the vol
ume or types of traffic expected within the organization.
58. Which of the following devices can enforce strict adherence to protocol for
mats to prevent unauthorized exfiltration of information across managed interfac
es using boundary protection devices?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
1
3
only
and 2
and 3
and 4
r or transport layer. Routers operate at the network layer and bridges operate a
t the data link layer. In addition, XML gateways are used to prevent and detect
XML-based denial-of-service (DoS) attacks. Managed interfaces using boundary pro
tection devices include proxies, gateways, routers, firewalls, software/hardware
guards, and encrypted tunnels.
59. Network management, operations, and user support for a large distributed sys
tem together represent a complex undertaking. Which of the following issues most
increases the complexity of network management?
a.
b.
c.
d.
Multiple
Multiple
Multiple
Multiple
topologies
transmission media
protocols
accesses
Configuration
Configuration
Configuration
Configuration
identification
control
requirements tracing
status accounting
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
Virtualization technology
Service-oriented architecture
Web 2.0 services
Utility computing
ATM
ATM
ATM
ATM
networks
networks
networks
networks
can
can
use
can
64. c. There are two different kinds of fast packet-switching networks: ATM and
PTM. Asynchronous transfer mode (ATM) networks use short packets called cells that
are always the same length. Packet transfer mode (PTM) does not use short cells
but more additional packets that can be longer if necessary. Most packet-switch
ing networks use packets that can be long and vary in size depending on the data
being carried. The ATM network can carry data communications where packets are
broken into several ATM cells. After travelling through the network, the cells a
re reassembled into packets. It can also carry video communications where the di
gital video bits are put in cells and sent through the network. At the destinati
on, the bits are removed from the cells. The ATM also carries voice communicatio
ns, and the voice is handled in the same way as video.
65. Which of the following effectively facilitates telecommuting?
a.
b.
c.
d.
er multimedia applications?
a.
b.
c.
d.
Web server
Terminal server
Server farm
Redundant server
67. c. In a server farm, all servers are kept in a single, secure location, and
the chances of theft or damage to computer equipment are lower. Only those indiv
iduals who require physical access should be given a key. A redundant server con
cept is used in contingency planning and disaster recovery, which is kept away f
rom the server farm.
68. Which of the following performs application content filtering?
a.
b.
c.
d.
Sensors
Gateway
Proxy
Hardware/software guard
Authentication header
TCP wrappers
Encapsulating security payload
Security parameters index
69. b. Transmission control protocol (TCP) wrappers are a freely available appli
cation that functions similarly to a firewall. It can be used to restrict access
and configured in such a way that only specified user IDs or nodes can execute
specified server processes. An authentication header is one part of IPsecs two se
curity headers: (i) the authentication header and (ii) the encapsulating securit
y payload. The authentication header provides source authentication and integrit
y to the IP datagram, and the payload provides confidentiality. A security param
eter index consists of cryptographic keys and algorithms, and the authentication
header contains the index.
70. A major risk involving the use of packet-switching networking is that:
a. It is possible that some packets can arrive at their destinations out of sequ
ence.
b. It is not possible to vary the routing of packets depending on network condit
ions.
c. Terminals attached to a public data network may not have enough intelligence.
d. Terminals attached to a public data network may not have enough storage capac
ity.
70. a. Most packet-switching networks can vary the routing of packets depending
on network conditions. Because of this, it is possible that some packets can arr
ive at their destinations out of sequence while most packets can arrive at their
destination in normal sequence because they are reassembled at the receiver end
. The reason for some packets not reaching their destinations is that there is a
potential security risk in that a smart attacker can change the packet sequence
numbers in the middle of the stream and divert the packet to his own site for l
ater attack and then change the sequence numbers back to the original condition
or forget to do it in the right way thus breaking the sequence. Even worse yet,
a malicious attacker can insert fake sequence numbers so the packet would not re
ach its destination point. Here, the attackers goal is to steal valuable informat
ion from these packets for his own benefit.
Terminals attached directly to a public data network must have enough intelligen
ce and storage capacity to break large messages into packets and to reassemble t
hem into proper sequence. A packet assembly and disassembly (PAD) facility can h
elp accommodate intelligence and storage problems.
71. One of the goals of penetration testing security controls is to determine:
a. The time between
b. The time between
iation process
c. The time between
itation
d. The time between
eaknesses
ilestones.
72. The basic protocols would not address which of the following?
a.
b.
c.
d.
Network
Network
Network
Network
contingency plans
capacity planning
application system
performance monitoring
73. c. A network application system that collects traffic statistics and provide
s reports to alert the network management does not help in minimizing communicat
ion network failures.
The other three choices are important to minimize losses from a network failure.
Network contingency plans deal with redundant switching equipment, parallel phy
sical circuits, and standby power supplies to address network disasters. Network
capacity plans assist in forecasting computer resource requirements to ensure t
hat adequate capacity exists when needed. For example, the capacity studies may
call for higher bandwidth to accommodate newer technologies such as multimedia a
nd videoconferencing. Capacity planning activities use current system performanc
e data as a starting point to predict future resource needs. Network performance
monitoring involves analyzing the performance of a computer system to determine
how resources are currently utilized and how such utilization can be improved.
74. Conducting a periodic network monitoring to verify proper operations does no
t normally include:
a.
b.
c.
d.
Detecting
Detecting
Detecting
Detecting
network layers
line errors
terminal errors
modem errors
Block inbound and outbound traffic between instant messaging clients configur
by end users.
Block inbound and outbound traffic between instant messaging clients configur
by external providers.
Disconnect all unneeded collaborative computing devices physically.
Block inbound and outbound traffic between instant messaging clients configur
by the IT security.
75. d. Collaborative computing devices are networked white boards and cameras. I
t is a good security practice to block the inbound and outbound network traffic
configured by end users and external service providers, and not block the config
urations established by the IT security function.
76. For worldwide interoperability for microwave access (WiMAX) security, when
an adversary drains a client nodes battery by sending a constant series of manage
ment messages to the subscriber station/mobile subscriber (SS/MS), what is it ca
lled?
a.
b.
c.
d.
Man-in-the-middle attack
Water torture attack
Radio frequency jamming attack
Radio frequency scrambling attack
Replay attack
Denial-of-service attack
Eavesdropping attack
Man-in-the-middle attack
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
3
3, and 4
78. d. Lack of mutual authentication occurs between subscribers station (SS) and
base station (BS). This may enable a rogue BS operator to degrade performance or
steal information by conducting denial-of-service (DoS) or forgery attacks agai
nst client SSs. In unencrypted management messages, nonunicast messages open WiM
AX systems to DoS attacks. In the use of wireless as a communications medium, a
DoS attack can be executed by the introduction of a powerful radio frequency (RF
) source intended to overwhelm system radio spectrum.
79. For worldwide interoperability for microwave access (WiMAX) security, repla
y attacks occur due to which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
79. b. Replay attacks occur due to injection of reused traffic encryption key (T
EK) and unencrypted management messages. Integrity checks are added to unicast m
essages to prevent replay attacks. Nonunicast messages are open to DoS attacks.
80. For worldwide interoperability for microwave access (WiMAX) security, a cou
ntermeasure for man-in-the-middle (MitM) attack is:
a.
b.
c.
d.
DES-CBC
AES-CCM
AES only
VPN only
80. b. If a WiMAX system is not using the advanced encryption standard Counter w
ith CBC message authentication code (AES-CCM), it can open up the possibility of
a MitM attack. Data encryption standard-cipher block chaining (DES-CBC) is a we
ak algorithm that cannot ensure confidentiality of data and may lead to MitM att
ack. Virtual private network (VPN) is a mature technology and cannot defend agai
nst the MitM attacks. The advanced encryption standard (AES) is not as strong as
the AES-CCM.
81. Which of the following worldwide interoperability for microwave access (WiM
AX) operating topologies uses only the non-line-of-sight (NLOS) signal propagati
on?
a.
b.
c.
d.
Point-to-point
Point-to-multipoint
Multihop relay
Mobile
offices, and long-range wireless backhaul services for multiple sites. Last-mile
broadband access refers to communications technology that bridges the transmiss
ion distance between the broadband service provider and the customer premises eq
uipment.
A multihop relay topology, also referred to as mesh networking, is used to exten
d a BSs coverage area by permitting SSs or MSs to replay traffic by acting as a r
elay station.
82. Which of the following worldwide interoperability for microwave access (WiM
AX) operating topologies uses a concept of security zone?
a.
b.
c.
d.
Point-to-point
Point-to-multipoint
Multihop relay
Mobile
File backup
Contingency plan
Electronic surveillance
Locks and keys
84. b. Access logs along with user IDs and passwords provide a reasonable amount
of accountability in a local-area network (LAN) environment because user action
s are recorded.
Network monitoring tools are an example of a detective control used by network m
anagement. As such they do not show any accountability of the user. They watch t
he network traffic and develop trends.
Lock and key systems and card key systems are examples of preventive controls as
a part of physical security. Keys can be lost or stolen, and, therefore, accoun
tability is difficult to prove and control.
85. Attackers use which of the following to distribute their warez files?
a.
b.
c.
d.
85. a. A warez server is a file server used to distribute illegal content such a
s copies of copyrighted songs, movies, and pirated software. Attackers often exp
loit vulnerabilities in file transfer protocol (FTP) servers to gain unauthorize
d access so that they can use the server to distribute their warez files.
The socket security (SOCKS) server is a networking-proxy protocol that enables f
ull access across the SOCKS server from one host to another without requiring di
rect IP reachability. Web proxy servers are used to access external websites. Email servers can be used to do proper things such as sending normal messages and
sending malicious code.
86. Which of the following networks provides for movement of employees within a
n organization without the associated cabling costs?
a.
b.
c.
d.
86. c. Virtual LANs are a logical collection of individual LANs, because they li
nk local- and wide-area networks using routers, switches, and backbone equipment
and related software so that users at various locations have access to data res
iding on multiple systems and locations that they would not have otherwise. The
virtual network is transparent to users. Virtual LANs reassign users without cha
nging cables when users move from one location to another. Network maintenance c
osts are lower and equipment moves are done faster. Another benefit of virtual L
ANs is that all servers in a building can be physically protected in a data cent
er instead of spreading them throughout the building in the user departments.
Traditional (wired) LANs are incorrect because they require a change of cabling
when users and their equipment move around. Network maintenance costs are higher
and moves are slower. MANs and VANs are incorrect because they do not employ ca
bles as traditional LANs do.
87. Frame relay and X.25 networks are part of which of the following?
a.
b.
c.
d.
Circuit-switched services
Cell-switched services
Packet-switched services
Dedicated digital services
Are
Are
Use
Are
platform-dependent.
platform-independent.
layered communication protocols.
easy to set up.
89. c. A Bluetooth device operates under the ad-hoc network standard because it
has no fixed network infrastructure, such as base stations or access points as i
n the wired network or other wireless networks. Bluetooth devices maintain rando
m network configurations formed on-the-fly, relying on mobile routers connected
by wireless links that enable devices to communicate with each other. The other
three choices have a fixed network infrastructure.
90. All the following are examples of performance measures of quality-of-service
(QoS) for a communications network except:
a.
b.
c.
d.
Signal-to-noise ratio
Mean time between failures
Bit error ratio
Call blocking probability
90. b. Mean time between failures (MTBF) is an indicator of expected system reli
ability based on known failure rates, which are expressed in hours. MTBF is most
ly applied to equipment whereas QoS is applied to services.
The other three choices, along with message throughput rate, are examples of cha
nnel or system performance parameters, measuring QoS. Signal-to-noise ratio is t
he ratio of the amplitude of the peak signal to the amplitude of peak noise sign
als at a given point in time in a telecommunications system. Bit error ratio is
the number of erroneous bits divided by the total number of bits transmitted, re
ceived, or processed over some stipulated time period in a telecommunications sy
stem. Call blocking probability is the probability that an unwanted incoming cal
l would be blocked from going forward.
91. Which of the following is not a function of a Web server?
a.
b.
c.
d.
Handling requests
Supplying documents
Securing requests
Navigating information
91. d. The Web browser is the most common user interface for accessing an intran
et. A Web browser provides navigating information. At the heart of an intranet i
s the Web server. Because an intranet is based on a system of requests and respo
nses, the server controls and administers that flow of information through TCP/I
P. Web servers handle requests and return the information in the form of either
Web pages or other media types such as pictures, sound, and video. In addition t
o supplying documents, the Web server is also responsible for ensuring the secur
ity of requests from outside the organization or within.
92. What is the most important element of intranet security?
a.
b.
c.
d.
Monitoring
Encryption
Authentication
Filtering
92. a. The basic elements of intranet security tools are encryption, authenticat
ion, and filtering. For example, encryption may use pretty good privacy (PGP) fo
r encrypting e-mail, digital certificates for code signing, and site certificate
s for Secure Socket Layers securing of intranet servers. Authentication deals wi
th user and group-specific access. Firewalls act as filtering devices. In additi
on to the use of these tools, vigilant monitoring of all network connections is
required on a regular basis. Each time a new feature is added to a network, the
security implications should be reviewed. These three security tools are highly
technical and automated whereas monitoring is a human activity, which is better
than automation most of the time.
93. Security mechanisms implement security services. Which of the following secu
rity mechanisms do not implement the confidentiality security service?
a.
b.
c.
d.
Encryption
Access control
Traffic padding
Routing control
93. b. An access control security mechanism provides access control security ser
vice only. This mechanism controls access to authenticated entities to resources
. They may be based upon security labels (tags), the time of attempted access, t
he route of attempted access, and the duration of access.
Encryption is incorrect because it implements confidentiality security service.
Encryption refers to cryptographic technology using keys. Two classes of encrypt
ion exist: symmetric (using secret key) and asymmetric (using public key).
Traffic padding is incorrect because it provides confidentiality services. It is
the observation of traffic patterns, even when enciphered, which may yield info
rmation to an intruder. This mechanism may be used to confound the analysis of t
raffic patterns.
Routing control is incorrect because it provides confidentiality service. With r
outing control, routes can be chosen so as to use only secure links in the commu
nication line.
94. Which of the following is not an example of information system entry and exi
t points to protect from malicious code?
a.
b.
c.
d.
Firewalls
Electronic mail servers
Workstations
Web servers
Data
Data
Data
Data
gateways
gateways
gateways
gateways
96. b. Extensible markup language (XML) is used in creating a static Web documen
t. Dynamic Web documents (pages) are written in CGI, JSP, and ASP.
97. Which of the following is not a server-side script used in dynamic hypertext
markup language (HTML)?
a.
b.
c.
d.
Encryption protocols
Digital signatures
Firewalls
Certified authorities
a.
b.
c.
d.
1
2
1
2
and
and
and
and
2
3
3
4
98. c. Both encryption protocols and firewalls can provide a false sense of secu
rity. Encryption is used to provide confidentiality of data from the point of le
aving the end users software client to the point of being decrypted on the server
system. After the data is stored in the clear on the server, data confidentiality
is no longer ensured. Data confidentiality aside, encryption cannot prevent mal
icious attackers from breaking into the server systems and destroying data and t
ransaction records. Firewalls have been used to protect internal computer system
s from outside attacks and unauthorized inside users. The effectiveness of a fir
ewall is usually in providing a deterrent for would be attacks. However, the big
One-tier architecture
Two-tier architecture
Three-tier architecture
Four-tier architecture
101. a. Sliding window protocols, which are used to integrate error control and
flow, are classified in terms of the size of the senders window and the size of t
he receivers window. Sliding window protocols (e.g., SDLC, HDLC, and LAPB) are bi
t-oriented protocols and use flag bytes to delimit frames and bit stuffing to pr
event flag bytes from occurring in the data. Wavelength division multiple access
(WDMA) is an example of medium/media access control (MAC) sublayer protocol tha
t contains two channels for each station. A narrow channel is provided as a cont
rol channel to signal the station, and a wide channel is provided so that the st
ation can output data frames.
102. Data link layer VPN protocols such as the Cisco Layer 2 Forwarding (L2F) do
not provide which of the following services?
a. RADIUS
b. TACACS+
c. Encryption
103. b. The WLAN IEEE 802.11 and its related standards explicitly state that pro
tection of the communications between the access points and authentication serve
r is not available. Therefore, it is important to ensure that communications bet
ween each access point and its corresponding authentication servers are protecte
d sufficiently through cryptography. In addition, the authentication servers sho
uld be secured through operating system configuration, firewall rules, and other
security controls. The data confidentiality and integrity protocol, such as the
counter mode with cipher block chaining message authentication code protocol (C
CMP), protects communications between stations and access points. The extensible
authentication protocol (EAP) with transport layer security (TLS) is considered
the most secure EAP method because it enables strong mutual cryptographic authe
ntications of both stations and authentication servers using public key certific
ates.
104. Storing and hosting data on which of the following instant messaging (IM)
architectures increases the risk of information theft, unauthorized access, and
data tampering?
1.
2.
3.
4.
Private hosting
Public hosting
Client-to-client
Public-switched network
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
4
3
4
104. c. There are four possible architectural designs for IM systems: private ho
sting, public hosting, client-to-client, and public-switched network. The differ
ence between the four architectures is the location of the session data.
In the private hosting design (i.e., client-to-server), the data is located behi
nd a firewall for internal users, which is safe and secure.
In public hosting design, the data is placed on public servers out on the Intern
et, which is vulnerable to attacks.
Two types of client-to-client (peer-to-peer) designs include pure and hybrid, wh
ich should be prohibited because they bypass the security and auditing policies
within the enclave.
Because the data in public-switched network is not stored on a server, store and
forward is not a security issue. However, data in transit is vulnerable to manin-the-middle (MitM) attacks between the source and destination. The Internet ha
s private global switched networks that deliver IM communications where data is
not persistently stored on servers. In other words, the public-switched network
is secure in terms of data storage on its servers. It is the data stored on publ
ic servers and client-to-client that increases the risk of information theft, un
authorized access, and data tampering. To protect the IM data, IM systems should
implement client-to-server architecture (i.e., private hosting).
105. For instant messaging (IM) systems, a virtual (remote) meeting moderator s
hould configure which of the following properly to prevent potential exploits?
a.
b.
c.
d.
105. c. Some instant messaging (IM) systems enable two or more online users to c
ommunicate immediately over a network using shared applications (virtual meeting
s), presentations, white boards, and text messaging. Virtual meetings must have
user access controls and virtual data classifications, and be restricted to auth
orized users only. Virtual users will be granted access based on the need-to-kno
w principle established by the information owner and enforced by role-based acce
ss controls, and required by a password to participate in the meeting. Applicati
on sharing allows the virtual meeting participants to simultaneously run the sam
e application with the same capability as remote control software. To limit this
capability of application sharing and to prevent potential exploits, the meetin
g moderator should configure the application identifying so that users can use t
he application sharing feature.
106. The extensible authentication protocol (EAP) method with tunneled transport
layer security (EAP-TTLS) used in a robust security network (RSN) such as wirel
ess local-area network (WLAN) using the IEEE 802.11i standard does not prevent w
hich of the following?
a.
b.
c.
d.
Eavesdropping attack
Man-in-the-middle attack
Replay attack
Dictionary attack
106. b. The root certificate may not be delivered securely to every client to pr
event man-in-the-middle (MitM) attacks, thus not providing strong assurance agai
nst MitM attacks. Because passwords sent to the Web server are encrypted, EAP-TT
LS protects the eavesdropping attack. The TLS tunnel protects the inner applicat
ions from replay attacks and dictionary attacks.
107. Which of the following classes of attacks focus on breaking security prote
ction features?
a.
b.
c.
d.
Passive
Active
Close-in
Insider
1
1
3
3
only
and 2
only
and 4
108. d. Both WPA2 and WEP do not provide a defense-in-depth strategy because the
y are weak in security. An alternative method for WPA2 and WEP for achieving con
fidentiality and integrity protection is to use virtual private network (VPN) te
chnologies such as Internet Protocol security (IPsec) VPNs and secure sockets la
yer (SSL) VPNs. Because VPNs do not eliminate all risk from wireless networking,
it is good to place the WLAN traffic on a dedicated wired network or a virtual
local-area network (VLAN) as an option to VPN technologies. VLAN can also protec
t against denial-of-service (DoS) attacks. Therefore, IPsec VPNs, SSL VPNs, dedi
cated wired network, or a VLAN provides a defense-in-depth strategy.
109. Information systems security testing is a part of which of the following?
a.
b.
c.
d.
Directive controls
Preventive controls
Detective controls
Corrective controls
Compensating controls
Third-party audits
Threshold for alerts
Service contracts
Network-based firewalls
Host-based firewalls
Source-based IP address
Destination-based IP address
Honeynets
Pay-per-click feature
Botnets
Third parties
112. a. This question relates to click fraud. Honeynets are networks of honeypot
s, which are used to create fake production systems to attract attackers to stud
y their behaviors and actions with an information system. Honeynets are not used
in click fraud.
The other three choices are used to create a click fraud, which is a major probl
em at Internet service providers (ISPs) and other websites. The click fraud is p
erpetrated by a combination of individuals, specialized computer programs, bot n
etworks (botnets), and third parties who are hired for a fee to click because th
ey are paid on a per-click basis. (For example, the more clicks they do the more
money they make.) In all these situations, fraudulent clicks are made on an onl
ine advertisement with no intention of learning further about a product or purch
asing the product. The advertiser pays the website owners based on the number of
clicks made on its advertisement. Unethical website owners are creating a click
fraud to make easy money. Specialized computer programs are written to do the a
utomatic clicking.
113. The purpose of the packet filter is not based on which of the following?
a.
b.
c.
d.
IP addresses
Protocols
Port numbers
Applications
113. d. The purpose of the packet filter is to specify how each type of incoming
and outgoing traffic should be handledwhether the traffic should be permitted or
denied (usually based on IP addresses, protocols, and port numbers), and how pe
rmitted traffic should be protected. The type of application does not matter for
the packet filter.
114. As the packet filtering rules become more complex, they can lead to which
of the following?
a.
b.
c.
d.
Authentication errors
Cryptographic errors
Configuration errors
Performance errors
114. c. One caveat in the packet filter is that the more complex the packet filt
ering rules become, the more likely it is that a configuration error may occur,
which could permit traffic to traverse networks without sufficient controls.
115. The Internet Protocol security (IPsec) implementation typically supports w
hich of the following authentication methods?
1. Preshared keys
2. Digital signatures
3. Kerberos
4. TACACS and RADIUS
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
115. d. The endpoints of an IPsec connection use the same authentication method
to validate each other. IPsec implementations typically support preshared keys a
nd digital signatures, and in some implementations external authentication servi
ces, such as Kerberos. Some IPsec implementations also support the use of legacy
asymmetric authentication servers such as terminal access controller access con
trol system (TACACS) and remote authentication dial-in user service (RADIUS).
116. Which of the following does not require redundancy and fail-over capabiliti
es to provide a robust Internet Protocol security (IPsec) solution?
a.
b.
c.
d.
116. a. Redundancy and fail-over capabilities should be considered not only for
the core IPsec components, but also for supporting systems. IPsec client softwar
e may be broken by a new operating system update. This issue can be handled rath
er easily in a managed environment, but it can pose a major problem in a nonmana
ged environment. Therefore, the IPsec client software does not require redundanc
y and fail-over capabilities.
IPsec gateways are incorrect because two IPsec gateways can be configured so tha
t when one gateway fails, users automatically fail over to the other gateway. Au
thentication servers and directory servers are incorrect because they also need
redundancy due to their support role.
117. All the following can be disallowed at the voice gateway in Voice over Inte
rnet Protocol (VoIP) except:
a.
b.
c.
d.
117. a. The application level gateway or firewall control proxy is designed for
VoIP traffic to deny packets that are not part of a properly originated call or
track the state of connections, which should be allowed to function. The protoco
ls such as H.323, SIP, and MGCP, which are connections from the data network, sh
ould be disallowed at the voice gateway of the VoIP that interfaces with the pub
lic-switched telephone network (PSTN) because they are not secure.
H.323 gateway is a gateway protocol used in the Internet telephone systems, and
it speaks the H.323 protocol on the Internet side and the PSTN protocols on the
telephone side. The session initiation protocol (SIP) just handles setup, manage
ment, and session termination. The media gateway control protocol (MGCP) is used
in large deployment for gateway decomposition.
118. Which of the following factors should be considered during the placement o
f an Internet Protocol security (IPsec) gateway?
1.
2.
3.
4.
Device performance
Traffic examination
Gateway outages
Network address translation
a.
b.
c.
d.
2 only
3 only
4 only
1, 2, 3, and 4
White team
Red team
Tiger team
Blue team
119. a. The white team establishes the rules of engagement (ROE) prior to the st
art of penetration testing. ROE describes tools, techniques, and procedures that
both the red team and blue team should follow. The tiger team is same as the re
d team, which is an old name for the red team. Outsiders (i.e., contractors and
consultants) conduct both red team and blue team testing whereas white team memb
ers are employees of the testing organization. The white team does not conduct a
ny testing.
120. Which of the following is difficult to achieve during the Internet Protoco
l security (IPsec) implementation?
a.
b.
c.
d.
Applications layer
Transport layer
Network layer
Data link layer
121. d. Data link layer VPN protocols function below the network layer in the TC
P/IP model. This means that various network protocols, such as IP, IPX, and NetB
EUI, can usually be used with a data link layer VPN. Most VPN protocols includin
g IPsec support only IP, so data link layer VPN protocols may provide a viable o
ption for protecting networks running non-IP protocols. As the name implies, IPs
ec is designed to provide security for IP traffic only.
122. Data link layer VPN protocols, such as Layer 2 Tunneling Protocols (L2TP),
provide which of the following services?
1. RADIUS
2. TACACS+
3. Encryption
1 and 2
3 only
4 only
1, 2, 3, and 4
Availability
Confidentiality
Integrity
Replay protection
123. a. VPNs cannot provide or improve availability, which is the ability for au
thorized users to access systems as needed. Many VPN implementations tend to dec
rease availability somewhat because they add more components and services to the
existing network infrastructure. A VPN can provide several types of data protec
tion, including confidentiality, integrity, data origin authentication, replay p
rotection, and access control.
124. What is the best way to handle bot attacks in an organization?
a.
b.
c.
d.
124. d. A white team is an internal team that initiates action to respond to sec
urity incidents on an emergency basis. The scope of a white teams work includes d
iagnosing attacks, profiling attacks, notifying law enforcement authorities and
the Internet service provider (ISP), measuring the impact of the attack on custo
mer service, and developing application systems to filter the bogus incoming dat
a packets. There is no single preventive solution to handle the bot attack probl
ems because new bots are created all the time. The best method is to respond on
an after-the-fact basis with a white team supplemented by installing antivirus a
nd spyware software and updating software with patches and fixes.
125. Which of the following models is used for formally specifying and verifyin
g protocols?
a.
b.
c.
d.
Markov model
Finite state machine model
Protocol stack
Protocol data unit
125. b. The finite state machine (FSM) model is used for formally specifying and
verifying protocols. In the FSM model, mathematical techniques are used in spec
ifying and verifying the protocol correctness because it defines or implements t
he control structure of a system.
The other three choices do not deal with formally specifying and verifying proto
cols. The Markov model is used to model a system regarding its failure states to
evaluate the reliability, safety, and availability of the system. A protocol st
ack is a list of protocols used by a system (e.g., TCP/IP suite). A protocol dat
a unit is a unit of data specified in a protocol and includes user data and othe
r information.
126. Which of the following cannot provide effective security at the endpoints o
f a network?
a.
b.
c.
d.
Antimalware software
Personal firewalls
Strong password policies
Host-based intrusion detection and prevention system
126. c. Password policies, even if they are strong, are difficult to implement a
nd enforce at the personal computer and workstation levels due to unpredictable
behavior of end users. If password policies are implemented incorrectly or used
poorly, an attacker can undermine the best security configuration. The other thr
ee choices provide effective security at the endpoints of a network because they
are technical security controls and do not deal with end users.
127. Both Internet Protocol security (IPsec) and a virtual private network (VPN
) can be implemented with which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
127. d. VPNs can use both symmetric and asymmetric forms of cryptography. Symmet
ric cryptography uses the same key for both encryption and decryption, whereas a
symmetric cryptography uses separate keys for encryption and decryption, or to d
igitally sign and verify a signature. Most IPsec implementations use both symmet
ric and asymmetric cryptography. Asymmetric cryptography is used to authenticate
the identities of both parties, whereas symmetric encryption is used for protec
ting the actual data because of its relative efficiency.
128. Which of the following is used to encrypt the bulk of the data being sent
over a virtual private network (VPN)?
1.
2.
3.
4.
Symmetric cryptography
Private key cryptography
Asymmetric cryptography
Public key cryptography
a.
b.
c.
d.
1
3
4
1
only
only
only
and 2
130. c. The presence of network congestion problems means that the network load
is temporarily greater than the system resources can handle. Solutions include e
ither increasing the system resources or decreasing the network load. Having use
rs schedule their work at nonpeak times is a solution to decrease the network lo
ad, which may not go well with the good principles of customer service. The othe
r three choices are solutions to increase the system resources.
131. Which of the following does not cause false positives and false negatives?
a.
b.
c.
d.
Antivirus software
Spyware detection and removal utility software
Host-based intrusion detection systems
Firewalls
131. d. False positives occur when a tool reports a security weakness when no we
akness is present. False negatives occur when a tool does not report a security
weakness when one is present. Firewalls do not cause false positives and false n
egatives due to use of rulesets and the practice of deny-by-default privileges.
Antivirus software is incorrect because it has the capability to cause false pos
itives and false negatives due to use of heuristic techniques to detect new malw
are. Spyware detection and removal utility software is incorrect because it can
cause false positives and false negatives. Host-based intrusion detection system
s are incorrect because they can cause false positives and false negatives (fals
e warnings and alerts in the form of alarms) due to malfunctioning sensors and t
hat network activity is not visible to host-based sensors.
132. Which of the following are the primary security goals of a domain name sys
tem (DNS)?
1. Source authentication
2. Confidentiality
3. Integrity
4. Availability
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
3
4
Truncation
Little or no truncation
Higher overhead
Lower overhead
a.
b.
c.
d.
1
4
1
2
only
only
and 4
and 3
133. d. TCP is used when DNS queries result in little or no truncation, but it i
s subjected to higher overhead of resources. On the other hand, DNS requests usi
ng UDP result in truncation and utilizes a lower overhead of resources.
134. A peer-to-peer (P2P) networking is similar to which of the following?
a.
b.
c.
d.
134. c. Ad-hoc networks are similar to peer-to-peer (P2P) networking in that the
y both use decentralized networking, in which the information is maintained at t
he end user location rather than in a centralized database. The networks mention
ed in the other three choices use centralized networking with centralized databa
ses.
135. Which of the following is not a function of host-based scanners?
a.
b.
c.
d.
Identify
Identify
Identify
Identify
135. d. Network-based scanners identify open ports. The other three choices are
incorrect because they are functions of host-based scanners. Another tool is a p
ort scanner, which is a program that attempts to determine remotely which ports
on systems are open (i.e., whether systems enable connections through those port
s). Port scanners help attackers to identify potential targets.
136. Which of the following system security testing and information gathering t
ools can produce false positives?
a. Information scanning tool
b. Vulnerability scanning tool
ies users using two distinctive factors such as something they have (e.g., token
or smart card), something they know (e.g., password or PIN), or something they
are (e.g., a biometric sample). Requiring two forms of electronic identification
reduces the risk of fraud.
139. Which of the following extensible authentication protocol (EAP) methods doe
s not fully satisfy the security requirements for a robust security network (RSN
) such as wireless local-area network (WLAN) using the IEEE 802.11i standard?
a.
b.
c.
d.
Retransmission policy
Timeout determination policy
Out-of-order caching policy
Flow control policy
140. b. The timeout determination policy is a part of the transport layer securi
ty policies but not a part of the data link layer security policies. The other t
hree choices are the same between these two layers policies.
141. Which of the following protects the confidentiality of data in transit in
a file-sharing environment?
a.
b.
c.
d.
141. d. Secure FTP (SFTP) and Secure Copy (SCP) encrypt their network communicat
ions to protect the confidentiality of data in transit. Examples of commonly use
d client/server file sharing services are file transfer protocol (FTP), network
file sharing, Apple filing protocol, and server message block. These are standar
dized protocols without encryption that do not protect the confidentiality of th
e data in transit, including any supplied authentication credentials such as pas
swords.
142. Countermeasures against time-of-check to time-of-use (TOC-TOU) attacks inc
lude which of the following?
1.
2.
3.
4.
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 3
142. b. Time-of-check to time-of-use (TOC-TOU) attack is an example of asynchron
ous attacks where it takes advantage of timing differences between two events. A
pplying task sequence rules combined with encryption tools are effective against
such attacks. Traffic padding technique is effective against traffic analysis a
ttacks, and access controls are good against data inference attacks.
143. In a legacy wireless local-area network (WLAN) environment using wired equ
ivalent privacy (WEP) protocol (IEEE 802.11), a bit-flipping attack results in w
hich of the following?
a.
b.
c.
d.
Loss
Loss
Loss
Loss
of
of
of
of
confidentiality
integrity
availability
accountability
143. b. A bit-flipping attack occurs when an attacker knows which cyclic redunda
ncy check-32-bits (CRC-32 bits) can change when message bits are altered, result
ing in loss of integrity. A proposed countermeasure is encrypting the CRC-32 to
produce an integrity check value (ICV), but it did not work because of use of st
ream ciphers (WEPs RC4), meaning that the same bits flip whether encryption is us
ed. Therefore, WEP ICV offers no additional protection against bit flipping. Eav
esdropping attacks using sniffers result in loss of confidentiality. Packet floo
ding attacks and radio frequency signal jams result in loss of availability. Los
s of accountability is not applicable here because it deals with an individuals a
ctions.
144. Which of the following factors contribute to network congestion problems?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
4 only
1, 2, 3, and 4
144. d. Network congestion problems occur when too many packets are present in t
he subnet (i.e., too much traffic), thus degrading the network performance in te
rms of some lost packets or all packets undelivered. When a queue is built up fo
r packets and the CPU memory for computers is insufficient to hold all of them,
some packets will be lost. When there is an imbalance between the routers with m
ore memory and computers with less memory, duplicate packets are sent due to the
timeout feature. Also, routers with slow CPU processors and low bandwidth lines
can cause congestion problems.
145. Which of the following techniques to improve network quality-of-service (Q
oS) provides an easy and expensive solution?
a.
b.
c.
d.
Buffering
Over-provisioning
Traffic shaping
Packet scheduling
The other three choices do not incur costs the way over-provisioning does. Netwo
rk flows can be buffered on the receiving side before being delivered. Buffering
the flow does not affect the reliability, delay, or bandwidth, but it does smoo
th out the jitter often found in audio and video on demand applications. Traffic
shaping, also called traffic policing, is achieved through the use of a leaky b
ucket algorithm or token bucket algorithm to smooth traffic between routers and
to regulate the host output. Packet scheduling algorithms such as fair queuing a
nd weighted fair queuing are available to schedule the flow of packets through t
he router so that one flow does not dominate the other.
146. Which of the following might be unsuccessful at identifying infected hosts
running personal firewalls?
a.
b.
c.
d.
146. c. Personal firewalls can block the host scans, therefore making it unsucce
ssful in identifying the infected hosts. The other three choices are incorrect b
ecause they all can help to identify the possible infection on those hosts.
147. Which of the following is a mitigation technique to handle Internet relay
chat (IRC) vulnerability for lack of confidentiality due to messages sent in pla
intext throughout the IRC network?
a.
b.
c.
d.
147. a. The Internet relay chat (IRC) communication is inherently insecure becau
se it is a plaintext open protocol that uses transmission control protocol (TCP)
that is susceptible to sniffing and interception. The original IRC protocol doe
s not provide for any confidentiality, meaning that standard chat, nickname pass
words, channel passwords, and private messaging are sent in plaintext throughout
the IRC network. Confidentiality may be achieved by applying operating system l
evel VPNs or SSL/TLS within the IRC network. The IRC clients and servers use enc
ryption to protect information from unauthorized users. Furthermore, IPsec VPNs
with PKI certificates or tunneled through Secure Shell should be used to provide
further security for identification and authentication.
Timers are implemented to mitigate the IRC vulnerability of netsplits. A system
lockdown mode is implemented to combat denial-of-service (DoS) attacks on the IR
C network. The security administrator should block outright filtering requests b
ased on filename extensions to prevent direct client connection (DCC) vulnerabil
ity within IRC networks. DCCs are performed directly from one client application
to another, thus bypassing the IRC servers to form a client-to-client connectio
n. DCC vulnerabilities, if not controlled properly, lead to unauthorized file tr
ansfers between IRC clients, allow users to bypass server-based security, shorte
n the communication path, allow social engineering attacks, and compromise the u
sers application system.
148. Which of the following is the long-term solution as a core cryptographic a
lgorithm for the wireless local-area network (WLAN) using the IEEE 802.11i stand
ard to ensure a robust security network (RSN)?
a. Wired equivalent privacy (WEP)
b. Temporal key integrity protocol (TKIP)
c. Counter mode with cipher block chaining message authentication code protocol
(CCMP)
d. Wi-Fi protected access 2 (WPA2)
148. c. The counter mode with cipher block chaining message authentication code
protocol (CCMP) is considered the long-term solution for IEEE 802.11 WLANs becau
se it requires hardware updates and replaces pre-RSN equipment. Of all the four
choices, only CCMP uses the advanced encryption standard (AES) as the core crypt
ographic algorithm. For legacy IEEE 802.11 equipment that does not provide CCMP,
IPsec VPN can be used as auxiliary security protection. WEP is an original stan
dard as a data confidentiality and integrity protocol with several security prob
lems. Later, WPA2 was designed as the interim solution as an upgrade to existing
WEP-enabled equipment to provide a higher level of security, primarily through
the use of TKIP and MIC (message integrity code). TKIP is intended as an interim
solution along with WEP and WPA2. TKIP can be implemented through software upda
tes and does not require hardware replacement of access points and stations.
149. Which of the following provides stronger security in managing access point
(AP) configuration in a legacy wireless local-area network (WLAN) environment?
a.
b.
c.
d.
149. d. Simple network management protocol (SNMP) version 3 provides strong secu
rity feature enhancements to basic SNMP, including encryption and message authen
tication, and therefore should be used.
The earlier versions of SNMP, SNMPv1, and SNMPv2 should not be used because they
are fundamentally insecure as they support only trivial authentication based on
default plaintext community strings. The default SNMP community string that SNM
Pv1 and SNMPv2 agents commonly use is the word public with assigned read or read and
write privileges; using this string leaves devices vulnerable to attack. If an un
authorized user were to gain access and had read/write privileges, that user cou
ld write data to the AP, compromising its original configuration. Organizations
using SNMPv1 or SNMPv2 should change the community string as often as needed, ta
king into consideration that the string is transmitted in plaintext. For all ver
sions of SNMP, privileges should be set to the least required (e.g., read only).
150. Which of the following cannot defend the enclave boundary?
a.
b.
c.
d.
Firewalls
Switches and routers
Virtual private networks
Software/hardware guards
150. b. Switches and routers defend the networks and their infrastructures such
as LANs, campus area networks (CANs), MANs, and WANs. The other three choices de
fend the enclave boundary, which defines a clear separation between inside and o
utside of a network where local computing environment (LAN) is inside the enclav
e and connection to external networks and remote users (e.g., dial-up access, IS
P connection, and dedicated line) is outside the enclave. Boundary protection is
provided by software/hardware guards, firewalls, and other devices, which contr
ol access into the local computing environment (LAN). Remote access protection i
s provided by communications server, encryption, VPN, and others.
A single enclave may span a number of geographically separate locations with con
nectivity via commercially purchased point-to-point communications (e.g., T-1, T
-3, and ISDN) along with WAN connectivity such as the Internet. An enclave is a
collection of information systems connected by one or more internal networks und
er the control of a single organization and security policy. These systems may b
e structured by physical proximity or by function, independent of location. An e
nclave boundary is a point at which an enclaves internal network service layer co
nnects to an external networks service layer (i.e., to another enclave or to a wi
de-area network).
151. Which of the following virtual private network (VPN) architectures often r
eplaces costly private wide-area network (WAN) circuits?
a.
b.
c.
d.
Gateway-to-gateway
Host-to-gateway
Contractor-to-company
Host-to-host
Protocol converter
Protocol tunneling
Petri net model
Seeding model
153. c. Petri net model is used for formally specifying and verifying protocols.
Petri nets are a graphical technique used to model relevant aspects of the syst
em behavior and to assess and improve safety and operational requirements throug
h analysis and redesign.
The other three choices do not deal with formally specifying and verifying proto
cols. A protocol converter is a device that changes one type of coded data to an
other type of coded data for computer processing. Protocol tunneling is a method
to ensure confidentiality and integrity of data transmitted over the Internet.
A seeding model is used to indicate software reliability in terms of error detec
tion power of a set of test cases.
154. The penetration testing of security controls does not focus on which of the
following?
a.
b.
c.
d.
Technical controls
Physical controls
Management controls
Procedural controls
154. c. Security controls are of three types: management, technical, and operati
onal. Physical controls and procedural controls are part of operational controls
. Penetration testing does not focus on management controls, such as policies an
d directives. Instead, it focuses on technical and operational controls dealing
with ports, protocols, system services, and devices.
155. Which of the following is not used in creating static Web documents?
a.
b.
c.
d.
a.
b.
c.
d.
2
1
2
3
only
and 2
and 3
and 4
157. b. Open-loop control includes good design principles and preventive actions
whereas closed-loop control includes detective actions and corrective actions.
Tools for open-loop controls include deciding when to accept new traffic, decidi
ng when to discard packets and which ones, and making scheduling decisions at va
rious points in the network.
158. Which of the following configurations for private servers hosting instant
messaging (IM) data can lead to man-in-the middle (MitM) attack when it is not i
nstalled, installed incorrectly, or implemented improperly?
a.
b.
c.
d.
Enclave perimeter
Demilitarized zone
Encrypted communication channel
Server services
Gateway-to-gateway
Host-to-gateway
Contractor-to-company
Host-to-host
IPComp
AH
ESP
IKE protocol
Gateway-to-gateway
Host-to-gateway
Contractor-to-company
Host-to-host
161. d. Authentication header (AH) has two modes: tunnel and transport. In tunne
l mode, AH creates a new IP header for each packet. In transport mode, AH does n
ot create a new IP header. This is because transport mode cannot alter the origi
nal IP header or create a new IP header. Transport mode is generally used in hos
t-to-host architectures. AH is not used in the other three choices.
162. The encapsulating security payload (ESP) mode of Internet Protocol security
(IPsec) cannot be used to provide which of the following?
a. Only encryption
163. b. The authentication header (AH) of IPsec uses HMAC. ESP uses symmetric cr
yptography to provide encryption for IPsec packets. When an endpoint encrypts da
ta, it divides the data into small blocks and then performs multiple sets of cry
ptographic operations (known as rounds) using the data blocks and key. Encryptio
n algorithms that work in this way are known as block cipher algorithms. Example
s of encryption algorithms used by ESP are AES-CBC, AES-CTR, and 3DES.
164. Which of the following is the most important feature when evaluating Intern
et Protocol security (IPsec) client software for hosts?
a.
b.
c.
d.
Encryption
Authentication
Split tunneling
Compression
164. c. The most important Internet Protocol security (IPsec) client software fe
ature is the capability to prevent split tunneling. Split tunneling occurs when
an IPsec client on an external network is not configured to send all its traffic
to the organizations IPsec gateway. Requests with a destination on the organizat
ions network are sent to the IPsec gateway, and all other requests are sent direc
tly to their destination without going through the IPsec tunnel. Prohibiting spl
it tunneling can limit the potential impact of a compromise by preventing the at
tacker from taking advantage of the IPsec connection to enter the organizations n
etwork; the attacker could connect only to the compromised system when it is not
using IPsec. Hosts should be configured so that only the network interface used
for IPsec is enabled when IPsec is in use. Encryption, authentication, and comp
ression are important features but not as important as the split tunneling, due
to the risk it poses.
165. Which of the following Internet Protocol security (IPsec) components is co
mpatible with network address translation (NAT) implementations?
a.
b.
c.
d.
AH tunnel mode
ESP transport mode
ESP tunnel mode
AH transport mode
165. c. There are known incompatibilities between IPsec and NAT because NAT modi
fies the IP addresses in the packet, which directly violates the packet integrit
y-assurance provided by IPsec. In tunnel mode, ESP can provide encryption and in
tegrity protection for an encapsulated IP packet and authentication of the ESP h
eader. Therefore, ESP tunnel mode can be compatible with NAT. However, protocols
with embedded addresses (e.g., FTP, IRC, and SIP) can present additional compli
cations.
The AH tunnel mode and the AH transport mode are incorrect because AH is not com
patible with NAT implementations. This is because AH includes source and destina
tion IP addresses in its integrity protection calculations. The ESP transport mo
de is incorrect because it is not compatible with NAT. In transport mode, ESP ca
n provide encryption and integrity protection for the payload of an IP packet an
d integrity protection for the ESP header.
166. Which of the following is not a recommended solution to make network addres
s translation (NAT) compatible with Internet Protocol security (IPsec)?
a.
b.
c.
d.
L2TP only
L2TP with IPsec
PPTP only
L2F only
167. b. Layer 2 tunneling protocol (L2TP) with Internet Protocol security (IPsec
) is a viable option for providing confidentiality and integrity for dial-up com
munications, particularly for organizations that contract virtual private networ
k (VPN) services to an Internet service provider (ISP). L2TP and IPsec together
provide stronger security, and the IPsec makes up for the L2TP weaknesses. Point
-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 for
warding (L2F) protocol protects communications between two network devices, such
as an ISP network access server and VPN gateways. IPsec supersedes PPTP, wherea
s L2TP supersedes L2F.
168. Virtual private network (VPN) protocols are used in environments requiring
high physical security in which of the following TCP/IP layers?
a.
b.
c.
d.
Application layer
Transport layer
Network layer
Data link layer
168. d. Data link layer virtual private network (VPN) protocols are used in high
security environments to secure particular physical links, such as a dedicated
circuit between two buildings, when there is concern for unauthorized physical a
ccess to the links components. However, network performance should be considered.
169. Which of the following items are not synergistic in nature?
a.
b.
c.
d.
HTTPS
PGP
GPG
SSH
170. a. The transport layer security (TLS) proxy server provides transport layer
VPN services. The use of HTTPS makes the proxy server architecture fully compat
ible with NAT. HTTPS usage is permitted by firewall rulesets. The other three ch
oices are incorrect because PGP, GPG, and SSH are application layer VPN protocol
s. Pretty good privacy (PGP) provides security for e-mail encryption, disk encry
ption, and digital signatures for home and office use. GNU privacy guard (GPG) i
s the software for safe and encrypted e-mail communication, which is a free soft
ware alternative to the PGP.
171. Which one of the following items replaces the other three items?
a.
b.
c.
d.
telnet
SSH
rcp and rsh
FTP
171. b. A commonly used application layer protocol suite is secure shell (SSH),
which contains secure replacements for several unencrypted application protocols
, including telnet, rcp, rsh, and FTP. SSH tunnel-based VPNs are resource-intens
ive to set up and are most commonly used by small groups of IT administrators.
172. Which of the following cannot protect non-IP protocols?
a.
b.
c.
d.
IPsec
PPTP
L2TP
L2F
172. a. The Internet Protocol security (IPsec) can protect only IP-based communi
cations and protocols, which is one of its weaknesses. The other three choices a
re incorrect because PPTP, L2TP, and L2F can protect non-IP protocols. Point-topoint tunneling protocol (PPTP) hides information in IP packets. Layer 2 tunneli
ng protocol (L2TP) protects communications between an L2TP-enabled client and a
server. Layer 2 forwarding (L2F) protocol protects communications between two ne
twork devices, such as an ISP network access server and VPN gateways.
173. Internet Protocol security (IPsec) protocols uses which of the following m
odes?
a.
b.
c.
d.
173. d. The Internet Key Exchange (IKE) of IPsec protocol consists of two phases
: Phase 1 exchange includes main mode and aggressive mode. Phase 2 exchange incl
udes quick mode and information exchange mode. If Authentication Header (AH) or
Encapsulating Security Payload (ESP) is added to an IP packet following the exis
ting IP header, it is referred to as a transport mode. A tunnel mode requires in
serting an additional IP header to the packet but offers increased inflexibility
. State mode and user mode are not relevant here.
174. From a security configuration viewpoint, what is a managed or enterprise o
perational IT environment referred to as?
a.
b.
c.
d.
Inward-facing
Inward-dialing
Outward-facing
Outward-dialing
Thick client
Thin client
Internet client
Web server
175. b. A thin client is a software application that requires nothing more than
a browser and can be run only on the users computer (e.g., Microsoft Word). A thi
ck client is a software application that requires programs other than just the b
rowser on a users computer, that is, it requires code on both a client and server
computers (e.g., Microsoft Outlook).
The terms thin and thick refer to the amount of code that must be run on the client
computer. Thin clients are generally more secure than thick clients in the way e
ncryption keys are handled. The Internet client and Web server are incorrect bec
ause they are not needed for the thin client to work but are needed for the thic
k client to work.
176. Ethernet is a part of which of the following TCP/IP layers?
a.
b.
c.
d.
Application layer
Transport layer
Network layer
Data link layer
176. d. Ethernet is a part of the data link layer, along with address resolution
protocol (ARP), network interface card (NIC), and media/medium access control (
MAC). The data link layer handles communications on the physical network compone
nts.
The application layer is incorrect because it sends and receives data for partic
ular applications. The transport layer is incorrect because it provides connecti
on-oriented or connectionless services for transporting application layer servic
One-tier architecture
Two-tier architecture
Three-tier architecture
Four-tier architecture
179. b. Multicast and broadcast routing is performed using spanning tree algorit
hm, which makes excellent use of bandwidth where each router knows which of its
lines belong to the tree. The spanning tree algorithm is used to build plug-andplay bridges and Internet relay chat (IRC) servers. Each IRC server must have ex
actly one path to any other server. Therefore, routers, bridges, and IRC servers
use the spanning tree algorithm and the other three choices do not deal with th
e spanning tree algorithm.
180. The Internet Control Message Protocol (ICMP) does not do or does not have
which of the following?
1.
2.
3.
4.
Respond
Ports
Message types
Message codes
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
180. c. The Internet Control Message Protocol (ICMP) does not have ports and mos
t ICMP messages are not intended to elicit a response. ICMP has message types, w
hich indicate the purpose of each ICMP message. Some message types also have mes
sage codes, which can be thought of as subtypes.
181. Most hardware/software guard implementations use which of the following ap
proaches?
a.
b.
c.
d.
Private network
Dual network
Public network
Backbone network
Encryption algorithms
Key management processes
Cryptographic authentication
Data-separation methods
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
Session hijacking
Invalidated input
Ping of death
SYN flood
1.
2.
3.
4.
Timestamps
Sequence numbers
Digital signatures
Keyed hash integrity checks
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
Application layer
Transport layer
Network layer
Data link layer
185. a. In most cases, the application layer contains the actual activity of int
erestmost attacks are against vulnerabilities in applications, and nearly all mis
use involves misuse of applications. The transport layer, the network layer, and
the data link layer have fewer attacks compared to the application layer.
Hypertext transfer protocol (HTTP) is a function of the application layer, along
with DNS, SMTP, FTP, and SNMP. This layer sends and receives data for particula
r applications. The transport layer provides connection-oriented or connectionle
ss services for transporting application layer services between networks. The ne
twork layer routes packets across networks. The data link layer handles communic
ations on the physical network components.
186. Which of the following statements about media access control/medium access
control (MAC) address are true?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
4
3, and 4
186. d. Each frame of media access control/medium access control (MAC) contains
two MAC addresses, which indicate the MAC address of the NIC that just routed th
e frame and the MAC address of the next NIC that the frame is being sent to. Bes
ides the MAC addresses, each frames payload contains either Internet protocol (IP
) or address resolution protocol (ARP). When IP is used, each IP address maps to
a particular MAC address. Multiple IP addresses can map to a single MAC address
, so a MAC address does not uniquely identify an IP address. There have been cas
es in which manufacturers have accidentally created network interface cards (NIC
s) with duplicate MAC addresses, leading to networking problems and spoofing att
acks.
187. For network data analysis, a host computer can be identified by which of t
he following?
a.
b.
c.
d.
187. c. For events within a network, an analyst can map an Internet protocol (IP
) address (i.e., logical identifiers at the IP layer) to the media access contro
l/medium access control (MAC) address of a particular network interface card (NI
C) (i.e., physical identifier at the physical layer), thereby identifying a host
of interest. Analyzing physical components and reviewing logical aspects are a
partial approach. Mapping multiple IP addresses does not identify a host.
188. Regarding network data analysis, which of the following can tell a securit
y analyst which application was most likely used or targeted?
a.
b.
c.
d.
188. a. The combination of the Internet protocol (IP) number (IP layer field) an
d port numbers (transport layer fields) can tell an analyst which application wa
s most likely used or targeted.
Network interface card (NIC) is incorrect because it is a physical device and a
part of the data link layer; it cannot tell a security analyst which application
was most likely used or targeted.
Media access control/medium access control (MAC) address is incorrect because it
is a part of the data link layer and cannot tell a security analyst which appli
cation was most likely used or targeted.
Address resolution protocol (ARP) is incorrect because it is a part of the hardw
are layer (data link layer) and cannot tell a security analyst which application
was most likely used or targeted.
189. For network traffic data sources, firewalls and routers do not typically re
cord which of the following?
a.
b.
c.
d.
189. d. Firewalls and routers do not record the contents of packets. Instead, th
ey are usually configured to log basic information for most or all denied connec
tion attempts and connectionless packets; some log every packet. Information log
ged typically includes the date and time the packet was processed, the source an
d destination IP addresses, and the transport layer protocol (e.g., TCP, UDP, an
d ICMP) and basic protocol information (e.g., TCP or UDP port numbers and ICMP t
ype and code).
190. Packet sniffers are commonly used to capture network traffic data for whic
h of the following purposes?
1.
2.
3.
4.
Troubleshooting purposes
Investigative purposes
Marketing purposes
Strategic purposes
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
190. c. Packet sniffers are designed to monitor network traffic on wired or wire
less networks and capture packets. Packet sniffers are commonly used to capture
a particular type of traffic for troubleshooting (operational) or investigative
(legal) purposes, which are technical purposes. For example, if IDS alerts indic
ate unusual network activity between two hosts, a packet sniffer could record al
l the packets between the hosts, potentially providing additional information fo
r analysts. The marketing and strategic purposes are not relevant here because t
he question refers to the operational and legal purposes.
191. A network-based intrusion detection system (IDS) does not do or contain whi
ch of the following?
a.
b.
c.
d.
Perform
Analyze
Possess
Possess
packet sniffing
network traffic
correction capabilities
prevention capabilities
192. c. Because the remote access servers (RASs) have no understanding of the ap
plications functions, they usually do not record any application-specific data.
The other three choices are proper functions of RAS. The RASs are devices such a
s VPN gateways and modem servers that facilitate connections between networks. T
his often involves external systems connecting to internal systems through the R
AS but could also include internal systems connecting to external or internal sy
stems. Some RASs also provide packet-filtering functions; this typically involve
s logging similar to that for firewalls and routers.
193. Secure gateways block or filter access between two networks. Which of the f
ollowing benefits resulting from the use of secure gateways is not true?
a.
b.
c.
d.
Secure
Secure
Secure
Secure
gateways
gateways
gateways
gateways
Bandwidth usage
Payload size
Source and destination IP addresses
Ports for each packet
194. a. Some managed switches and other network devices offer basic network moni
toring capabilities, such as collecting statistics on bandwidth usage.
The other three choices are functions of network monitoring software, which coll
ects information such as the payload size and the source and destination IP addr
esses and ports for each packet. Network monitoring software is designed to obse
rve network traffic and gather statistics on it. Packet sniffers, protocol analy
zers, and intrusion detection system (IDS) software may also perform basic netwo
rk monitoring functions.
195. Which of the following is not an example of alternative access points to an
organizations IT resources?
a.
b.
c.
d.
Internet gateway
Workstations
Modems
Wireless access points
IDS sensors
Network-based firewalls
Host-based firewalls
System logs
Protocol filtering
Application gateways
Extended logging capability
Packet switching
livery technique in which small units of information (packets) are relayed throu
gh stations in a computer network along the best route currently available betwe
en the source and the destination. A packet-switching network handles informatio
n in small units, breaking long messages into multiple packets before routing. A
lthough each packet may travel along a different path, and the packets composing
a message may arrive at different times or out of sequence, the receiving compu
ter reassembles the original message. Packet-switching networks are considered t
o be fast and efficient. To manage the tasks of routing traffic and assembling o
r disassembling packets, such networks require some intelligence from the computer
s and software that control delivery.
Protocol filtering is incorrect because it is one of the primary components or a
spects of firewall systems. A firewall filters protocols and services that are e
ither not necessary or that cannot be adequately secured from exploitation. Appl
ication gateways are incorrect because they are one of the primary components or
aspects of firewall systems. A firewall requires inside or outside users to con
nect first to the firewall before connecting further, thereby filtering the prot
ocol. Extending logging capability is incorrect because it is one of the primary
components or aspects of firewall systems. A firewall can concentrate extended
logging of network traffic on one system.
198. Which of the following is a major risk in network traffic involving service
s running on unexpected port numbers?
a.
b.
c.
d.
Capturing
Monitoring
Analyzing
Detecting
Firewalls
IDS software
Proxy servers
Remote access servers
Application layer
Transport layer
Network layer
Data link layer
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
200. d. Not only does the intrusion detection system (IDS) software typically at
tempt to identify malicious network traffic at all TCP/IP layers, but it also lo
gs many data fields (and sometimes raw packets) that can be useful in validating
events and correlating them with other data sources.
201. Which of the following protocols are the most likely to be spoofed?
1.
2.
3.
4.
ICMP
UDP
TCP
Ethernet
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
201. c. Internet control message protocol (ICMP) and user datagram protocol (UDP
) are connectionless protocols, thus most likely to be spoofed. Transmission con
trol protocol (TCP) and Ethernet are incorrect because they are connection-orien
ted protocols, thus least likely to be spoofed. Many attacks use spoofed IP addr
esses. Spoofing is far more difficult to perform successfully for attacks that r
equire connections to be established because the attacker needs an insight into
sequence numbers and connection status.
202. Which of the following applications are used on local-area networks (LANs)
with user datagram protocol (UDP)?
1.
2.
3.
4.
X.25
SMDS
DHCP
SNMP
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
202. d. User datagram protocol (UDP) is used for applications that are willing t
o take responsibility for ensuring reliable delivery of data, such as DNS, and a
pplications that are intended for use only on LANs, such as Dynamic Host Configu
ration Protocol (DHCP) and Simple Network Management Protocol (SNMP). Like TCP,
each UDP packet contains a source port and a destination port. X.25 and SMDS are
incorrect because they are protocols used in a wide-area network (WAN).
X.25 is an international standard that defines the interface between a computing
device and a packet-switched data network. Switched multi-megabit data service
(SMDS) provides an effective vehicle for connecting LANs in a metropolitan or la
rger area.
203. Spoofing in a local-area network (LAN) occurs with which of the following?
1. Internet Protocol (IP) addresses
2. Media access control (MAC) addresses
3. Network address translation (NAT)
1
2
1
3
or
or
or
or
2
3
4
4
203. a. Dynamic host configuration protocol (DHCP) servers typically are configu
red to log each Internet Protocol (IP) address assignment and the associated med
ia access control (MAC) address, along with a timestamp. This information can be
helpful to analysts in identifying which host-performed activity uses a particu
lar IP address. However, information security analysts should be mindful of the
possibility that attackers on an organizations internal networks have falsified t
heir IP addresses or MAC addresses to create spoofing. This is possible in light
of manufacturers accidentally creating network interface cards (NICs) with dupl
icate MAC addresses. Network address translation (NAT) modifies the IP addresses
in a packet, which directly violates the packet integrity assurance provided by
IPsec. Spoofing MACs on a LAN can also occur by a malicious user trying to bypa
ss authentication or by a malicious program modifying the device MAC.
204. For network data analysis, which of the following is difficult when trying
to identify and validate the identity of a suspicious host involving the Intern
et Protocol (IP) address spoofing?
a.
b.
c.
d.
204. c. The Internet service providers (ISPs) assistance is needed when traffic pa
sses through several ISPs. ISPs generally require a court order before providing
any information to an organization on suspicious network activity.
The other three choices are incorrect because they are examples of other possibl
e ways of attempting to validate the identity of a suspicious host. A WHOIS quer
y mechanism can identify the organization or person that owns a particular IP ad
dress. Multiple IP addresses generating suspicious activity could have been regi
stered to the same owner. Analysts can look for previous suspicious activity ass
ociated with the same IP address or IP address block. Internet search engines an
d online incident databases can be useful. Application data packets related to a
n attack may contain clues to the attackers identity. Besides IP addresses, other
valuable information could include an e-mail address or an Internet relay chat
(IRC) nickname.
205. An information systems security analyst attempts to validate the identity o
f a suspicious host. Which of the following is not an acceptable approach?
a.
b.
c.
d.
205. a. The information systems security analyst should not contact the owner di
rectly. This is due primarily to concerns involving sharing information with ext
ernal organizations; also, the owner of an Internet Protocol (IP) address could
be the person attacking the organization.
The other three choices are incorrect because they are acceptable approaches. Th
e analyst should provide information on the owner to the management and legal ad
visors for the analysts organization. Seeking the Internet service provider (ISP)
assistance is generally only an option during the most serious external network
-based attacks; particularly those that involve IP address spoofing. Some ISPs m
ay have the ability to trace ongoing attacks back to their source, whether the I
DHCP servers
Remote access servers
Directory servers
Intermediary servers
207. d. Some attackers use anonymizers to validate the Internet Protocol (IP) ad
dress, which are intermediary servers that perform activity on a users behalf to
preserve the users privacy.
DHCP servers are incorrect because they typically can be configured to log each
IP address assignment and the associated MAC address, along with a timestamp. Re
mote access servers (RAS) are incorrect because they are devices such as VPN gat
eway and modem servers that facilitate connections between networks. Directory s
ervers are incorrect because they are used for external authentication services.
208. Commonly used protocols for audio and video communications include which o
f the following?
1.
2.
3.
4.
H.323 protocols
Session Initiation Protocol (SIP)
Internet relay chat (IRC) protocol
Wired Equivalent Privacy (WEP) protocol
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
208. c. Commonly used protocols for audio and video communications include H.323
and SIP. H.323 is a suite of different protocols. Technologies such as voice ov
er IP (VoIP) permit people to conduct telephone conversations over networks such
as the Internet. Video technologies can be used to hold teleconferences or have
video phone communications between two individuals. The most popular group chat p
rotocol, IRC is a standard protocol that uses relatively simple text-based commu
nications. IRC also provides a mechanism for users to send and receive files. WE
P is a security protocol that encrypts data sent to and from wireless devices wi
thin a network. WEP is not as strong as Wi-Fi protected access (WPA) protocol.
209. Which of the following are the primary software components of a domain nam
e system (DNS)?
1.
2.
3.
4.
Operating system
File system
Name server
Resolver
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
209. d. The domain name system (DNS) software primary components include the nam
e server and the resolver. The operating system, file system, and communication
stack are part of a DNS hosting environment.
210. Which of the following is the primary type of domain name system (DNS) dat
a?
a.
b.
c.
d.
Configuration file
Zone file
File system
Zone transfer
210. b. The primary type of domain name system (DNS) data is zone file, which co
ntains information about various resources in that zone. The information about e
ach resource is represented in a record called a Resource Record (RR). Logically
, a zone file is made up of several RR sets.
Configuration file is incorrect because it is a secondary type of DNS data. File
system is incorrect because it is a part of the DNS hosting environment. Zone t
ransfer is incorrect because it is a part of DNS transactions.
211. Which of the following configurations is not a good security practice for a
single domain name system (DNS) name server to perform?
a.
b.
c.
d.
Both
Both
Both
Both
212. Which of the following is the most common transaction in a domain name syst
em (DNS)?
a.
b.
c.
d.
DNS query/response
Zone transfer
Dynamic updates
DNS NOTIFY message
212. a. Domain name system (DNS) query/response is the most common transaction i
n DNS. The most common query is a search for a Resource Record (RR), based on it
s owner name or RR type. The response may consist of a single RR, an RRset, or a
n appropriate error message.
A zone transfer is incorrect because it refers to the way a secondary (slave) se
rver refreshes the entire contents of its zone file from the primary (master) na
me servers. The dynamic update facility is incorrect because it provides operati
ons for addition and deletion of RRs in the zone file. The DNS NOTIFY message is
incorrect because it signals a secondary DNS server to initiate a zone transfer
.
213. What does a domain name system (DNS) query originate from?
a.
b.
c.
d.
Truncation
Little or no truncation
Higher overhead
Lower overhead
a.
b.
c.
d.
1
4
1
2
only
only
and 4
and 3
214. c. Domain name system (DNS) queries are sent in a single UDP packet. The re
sponse usually is a single UDP packet as well, but data size may result in trunc
ation. UDP consumes lower overhead of resources. On the other hand, TCP packet r
esults in little or no truncation but consumes higher overhead of resources.
215. Which of the following is not an example of domain name system (DNS) host p
latform threats?
a.
b.
c.
d.
215. b. Zone drift error is a threat due to domain name system (DNS) data conten
ts, not from DNS host platform threats. Zone drift error results in incorrect zo
ne data at the secondary name servers when there is a mismatch of data between t
he primary and secondary name servers. A buffer overflow attack, a packet floodi
ng attack, and an Address Resolution Protocol (ARP) spoofing attack are examples
of DNS host platform threats.
216. All the following are best practice protection approaches for domain name
system (DNS) software except:
a.
b.
c.
d.
216. c. Developing the zone file integrity checker software is a DNS data conten
t control protection approach, not a DNS software protection approach. The other
three choices are incorrect because they are examples of DNS software protectio
n approaches.
217. In domain name system (DNS) transactions, which of the following is not a t
hreat against DNS query/response transactions?
a.
b.
c.
d.
Forged response
Removal of resource records in responses
Incorrect application of wildcard expansion rules
Denial-of-service
Unauthorized updates
Tampering of messages
Spurious notifications
Replay attacks
218. c. Spurious notifications are a threat against a DNS NOTIFY message transac
tion. The other three choices are incorrect because they are examples of threats
against dynamic update transactions.
219. Transaction signature (TSIG) is used in which of the following types of do
main name system (DNS) transactions?
1.
2.
3.
4.
DNS query/response
DNS NOTIFY message
Zone transfer
Dynamic update
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
219. d. Both zone transfer and dynamic update transactions use transaction signa
ture (TSIG). In TSIG, mutual identification of servers is based on a shared secr
et key.
A DNS query/response is incorrect because IETFs DNSSEC standard is used in a DNS
query/response transaction. A DNS NOTIFY message is incorrect because IETF speci
fies hosts from which messages can be received for DNS NOTIFY message transactio
ns.
220. Which of the following statements about red teams are not true?
1.
2.
3.
4.
They
They
They
They
a.
b.
c.
d.
1
1
3
2
and
and
and
and
221. b. The screened subnet firewall adds an extra layer of security by creating
a network where the bastion host resides. Often called a perimeter network, the
screened subnet firewall separates the internal network from the external. This
leads to stronger security.
222. Who should not be given access to firewalls?
a.
b.
c.
d.
222. b. Firewalls should not be used as general-purpose servers. The only access
accounts on the firewalls should be those of the primary and backup firewall ad
ministrators and the network service manager, where the latter manages both admi
nistrators. Functional users should not be given access to firewalls because the
y do not contain business-related application systems.
223. Most common attacks against wireless technologies include which of the fol
lowing?
a.
b.
c.
d.
of availability
of integrity
loss of confidentiality
of authenticity
223. c. Wireless technologies invite privacy and fraud violations more easily th
an wired technologies due to their broadcast nature. The privacy implications of
widespread use of mobile wireless technologies are potentially serious for both
individuals and businesses. There will be a continuing need to guard against ea
vesdropping and breaches of confidentiality, as hackers and scanners develop way
s to listen in and track wireless communications devices. For example, wired equ
ivalent privacy (WEP) protocol can be attacked, and Wi-Fi protected access (WPA)
and its version 2 (WPA2) can be attacked using rainbow tables. Attacks mentione
d in the other three choices are not that common, but they do happen.
224. Which of the following merits most protection in the use of wireless techno
logies?
1.
2.
3.
4.
Privacy
Privacy
Privacy
Privacy
a.
b.
c.
d.
1
1
3
2
and
and
and
and
of
of
of
of
location
equipment
transmission contents
third parties
2
3
4
3
224. b. There are two main types of information that merit most protection in th
e wireless context: the contents of a call or transmission and the location of t
he sender or recipient. Privacy of equipment and third parties are not relevant
here.
225. Which of the following involves a complicated technique that combines the
public-key encryption method with a hashing algorithm that prevents reconstructi
ng the original message?
a.
b.
c.
d.
Digital signature
Voice over Internet Protocol
Electronic signature
Firewalls
225. a. Two steps are involved in creating a digital signature. First, the encry
ption software uses a hashing algorithm to create a message digest from the file
being transmitted. Second, the software uses a senders private (secret) key to e
ncrypt the message digest. The result is a digital signature for that specific f
ile.
Voice over Internet Protocol (VoIP) is incorrect because it is a technology that
enables network managers to route phone calls and facsimile transmissions over
the same network they use for data. Electronic signature is incorrect because it
is an electronic sound, symbol, or process attached to or logically associated
with a contract or other record and executed or adopted by a person with the int
ent to sign the record. Firewalls are incorrect because a firewall is software w
hose purpose is to block access to computing resources.
226. Which of the following are more efficient and secure for use in wireless t
echnologies?
a.
b.
c.
d.
Spread spectrum
Radio spectrum
Radio signals
Radio carriers
226. a. New digital communications systems such as time division multiple access
(TDMA) or code division multiple access (CDMA) use spread spectrum much more ef
ficiently than analog cellular and other traditional radio systems. The spread s
pectrum technology uses a wide band of frequencies to send radio signals. The ot
her three choices are not relevant here.
227. Which of the following is inherently efficient and difficult to intercept
in the use of wireless technologies?
a.
b.
c.
d.
227. a. Code division multiple access (CDMA) is more efficient and secure than t
ime division multiple access (TDMA) because it uses spread spectrum technology m
ore efficiently. Instead of assigning a time slot on a single channel, CDMA uses
many different channels simultaneously. CDMA is also inherently more difficult
to crack because the coding scheme changes with each conversation and is given o
nly once at the beginning of the transmission.
228. Voice encryption in cell/mobile phones uses which of the following algorit
hms?
a.
b.
c.
d.
RSA
3DES
IDEA
DES
228. a. Voice encryption schemes are based on Rivest, Shamir, and Adelman (RSA)
algorithm to provide privacy protection over mobile or cellular phones. The main
constraints with encryption are the slow speed of processing and the lag that o
ccurs if signals take too long to pass through the system. The other three choic
es (i.e., 3DES, IDEA, and DES) are not used in voice encryption because they are
used in transaction encryption.
229. Which of the following network connectivity devices require in-band and ou
t-of-band management services such as administrative access to distributed local
-area networks (LANs)?
a.
b.
c.
d.
229. b. Switches and routers require in-band and out-of-band management services
. In in-band management, a secure shell (SSH) session is established with the co
nnectivity device (e.g., switches and routers) in a distributed local-area netwo
rk (LAN). This method is fast and convenient but less secure due to use of Telne
t, line sniffing, and interception of privileged passwords.
In out-of-band management, the communications device is accessed via a dial-up c
ircuit with a modem, directly connected terminal device, or LANs dedicated to ma
naging traffic. Whether in-band or out-of-band, network paths and sessions used
to access the device should be protected. The other three choices do not require
in-band and out-of-band management services such as administrative access becau
se they have their own access methods.
230. For information system monitoring, which of the following anomaly within an
information system is most risky?
a.
b.
c.
d.
230. c. Anomalies at selected interior points within a system (e.g., subnets and
subsystems) include large file transfers, unusual protocols and ports in use, l
ong-time persistent connections, and attempted communications with suspected ext
ernal addresses. Of these, the attempted communications with suspected (maliciou
s) external addresses is most risky. The other three choices are less risky.
231. Which of the following are especially needed to provide a trustworthy clou
d computing infrastructure?
1. ISO/IEC 27001 certification
2. AICPA/SAS 70 attestation
3. Security training
4. Risk management
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
231. d. Microsoft, for example, has achieved a trustworthy cloud computing infra
structure by earning the International Organization for Standardization/Internat
ional Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) certification
and American Institute of Certified Public Accountants/Statement on Auditing Sta
ndards (AICPA/SAS)70 Type I and Type II attestation. The Type I attestation repo
rt states that information systems at the service organizations for processing u
ser transactions are suitably designed with internal controls to achieve the rel
ated control objectives. The Type II attestation report states that internal con
trols at the service organizations are properly designed and operating effective
ly. These two accomplishments of certification and attestation were combined wit
h security training, adequate and effective security controls, continuous review
and management of risks, and rapid response to security incidents and legal req
uests.
232. Which of the following is the true purpose of ping in cellular wireless techn
ologies?
a.
b.
c.
d.
The
The
The
The
pinging
pinging
pinging
pinging
tells
tells
tells
tells
the
the
the
the
232. c. To monitor the state of the network and to respond quickly when calls ar
e made, the main cellular controlling switch periodically pings all cellular telep
hones. This pinging lets the switch know which users are in the area and where i
n the network the telephone is located. This information can be used to give a r
ough idea of the location of the phone user to help catch the fraud perpetrator.
Vehicle location service is an application of the ping technology. The other th
ree choices are not true.
233. Telecommuting from home requires special considerations to ensure integrity
and confidentiality of data stored and used at home. Which of the following is
not an effective control?
a.
b.
c.
d.
Employee accountability
Removable hard drives
Storage encryption
Communications encryption
b. DH
c. 3DES
d. IDEA
234. b. Secure remote procedure call (RPC) uses the Diffie-Hellman (DH) key gene
ration method. Under this method, each user has a private/public key pair. Secur
e RPC does not use the other three choices.
235. In secure remote procedure call (RPC), which of the following provides the
public and private keys to servers and clients?
a.
b.
c.
d.
Users
Clients
Servers
Authentication servers
235. d. The principals involved in the secure remote procedure call (RPC) authen
tication systems are the users, clients, servers, and authentication server. The
authentication server provides the public and private keys to servers and clien
ts.
236. The screened subnet firewall acts as which of the following?
a.
b.
c.
d.
238. d. Input overflow checks ensure that input is not lost during data entry or
processing and are good against input overflow attacks. These attacks can be av
oided by proper program design. Providing a secure channel between the user and
the system can defend login spoofing. A hardware-reset button on a personal comp
uter can be effective in removing password-based spoofing attacks. Cryptographic
authentication techniques can increase security but only for complex systems.
239. Which of the following can prevent both session hijacking and eavesdroppin
g attacks?
a.
b.
c.
d.
SET
PPP
FTP
SSL
239. d. The secure sockets layer (SSL) protocol is the technology used in most W
eb-based applications. When both the Web client and the Web server are authentic
ated with SSL, the entire session is encrypted providing protection against sess
ion hijacking and eavesdropping attacks.
The other three choices are incorrect because SET is a secure electronic transac
tion protocol, PPP is a point-to-point protocol, and FTP is a file transfer prot
ocol, and as such they cannot prevent session hijacking and eavesdropping attack
s.
240. Which of the following provides a security service in authenticating a rem
ote network access?
a.
b.
c.
d.
240. a. The remote access server (RAS) provides the following services: When a r
emote user dials in through a modem connection, the server hangs up and calls th
e remote user back at the known phone number. The other three servers mentioned
do not have this kind of dial-in and callback dual control mechanism.
241. Which one of the following firewalls is simple, inexpensive, and quick to
implement?
a.
b.
c.
d.
241. a. A static packet filtering firewall is the simplest and least expensive w
ay to stop messages with inappropriate network addresses. It does not take much
time to implement when compared to other types of firewalls.
242. Which of the following can prevent e-mail spoofing?
a.
b.
c.
d.
Firewalls
Intrusion detection systems
Virus checkers
Operating systems security features
Gateway
Bridge
Modem
Firewall
245. d. Firewalls monitor network traffic that enters and leaves a network. A fi
rewall controls broad access to all networks and resources that lie inside it. By
limiting access to host systems and services, firewalls provide a necessary line
of perimeter defense against attack; that is, they form a boundary control.
A gateway is incorrect because it is an interface between two networks. A bridge
is incorrect because it is a device used to link two or more homogeneous localarea networks (LANs). A modem is incorrect because it is a device that converts
analog signals to digital signals and vice versa. The devices mentioned in the t
hree incorrect choices do not have the ability to perform as a boundary access c
ontrol.
246. Which of the following is used for high-speed remote access with virtual p
rivate networks (VPNs)?
a.
b.
c.
d.
246. b. Modem pools, calling cards, and toll-free arrangements can be an expensi
ve alternative to cable modems and asymmetric digital subscriber line (ADSL). An
ISDN line is limited to 128 bits and is slow. Cable modems and ADSL technologie
s take advantage of the Internet and IPsec functioning at the network layer. The
247. a. The static packet filter firewall offers minimum-security provisions sui
table for a low-risk computing environment. The hybrid gateway firewall is good
for medium- to high-risk computing environment. Both stateful and dynamic packet
firewalls are appropriate for high-risk computing environments.
248. The Internet Protocol security (IPsec) is usually implemented in which of
the following?
a.
b.
c.
d.
Bridge
Gateway
Firewall
Backbone
X.25
TCP
Ethernet
WAN
WSP
WTP
WTLS
WDP
252. c. Because border gateway protocol (BGP) runs on transmission control proto
col/Internet protocol (TCP/IP), any TCP/IP attack can be applied to BGP. Route f
lapping is a situation in which BGP sessions are repeatedly dropped and restarte
d, normally as a result of router problems. Examples of countermeasures for rout
e flapping attacks include graceful restart and BGP route-flap damping method, n
ot TTL hack.
Route-flap damping is a method of reducing route flaps by implementing an algori
thm that ignores the router sending flapping updates for a configurable period o
f time. Each time a flapping event occurs, peer routers add a penalty value to a
total for the flapping router. As time passes, the penalty value decays gradual
ly; if no further flaps are seen, it reaches a reuse threshold, at which time th
e peer resumes receiving routes from the previously flapping router.
The other three choices use TTL hack. The Time To Live (TTL) or hop count is an
8-bit field in each IP packet that prevents packets from circulating endlessly i
n the Internet. TTL is based on the generalized TTL security mechanism (RFC 3682
), often referred to as the TTL hack, which is a simple but effective defense th
at takes advantage of TTL processing. At each network node, the TTL is decrement
ed by one and is discarded when it is reduced to zero without reaching its desti
nation point.
In peer spoofing attack, the goal is to insert false information into a BGP peers
routing tables. A special case of peer spoofing, called a reset attack, involve
s inserting TCP RESET messages into an ongoing session between two BGP peers. Ex
amples of countermeasures against peer spoofing and TCP resets include using str
ong sequence number randomization and TTL hack.
In a denial-of-service attack via resource exhaustion, routers use a large amoun
t of storage for path prefixes. These resources are exhausted if updates are rec
eived too rapidly or if there are too many path prefixes to store due to malicio
us prefixes. Examples of countermeasures against denial-of-service via resource
exhaustion attacks include using rate limit synchronization processing, increasi
ng queue length, route filtering, and TTL hack.
In a session hijacking attack, the attack is designed to achieve more than simpl
y bringing down a session between BGP peers. The objective is to change routes u
sed by the peer, to facilitate eavesdropping, blackholing, or traffic analysis.
Examples of countermeasures against session hijacking attacks include using stro
ng sequence number randomization, IPsec authentication, and TTL hack.
253. Which of the following is not one of the actions taken by a firewall on a p
acket?
a.
b.
c.
d.
Accept
Deny
Discard
Destroy
253. d. The firewall examines a packets source and destination addresses and port
s, and determines what protocol is in use. From there, it starts at the top of t
he rule base and works down through the rules until it finds a rule that permits
or denies the packet. It takes one of the three actions: (i) The firewall passe
s the packet through the firewall as requested (accept), (ii) the firewall drops
the packets, without passing it through the firewall (deny) or (iii) the firewa
ll not only drops the packet, but it does not return an error message to the sou
rce system (discard). Destroy is not one of the actions taken by a firewall.
254. Network address translation (NAT) protocol operates at what layer of the I
SO/OSI reference model?
a.
b.
c.
d.
Presentation Layer 6
Network Layer 3
Transport Layer 4
Session Layer 5
254. b. The network address translation (NAT) protocol operates at the Layer 3 (
network) of the ISO/OSI reference model.
255. All the following are countermeasures against software distribution attacks
on software guards except:
a.
b.
c.
d.
255. c. Distribution attacks can occur anytime during the transfer of a guards so
ftware or hardware. The software or hardware could be modified during developmen
t or before production. The software is also susceptible to malicious modificati
on during production or distribution.
Audit log is a countermeasure against insider attacks on hardware/software guard
s such as modification of data by insiders. Audit logs need to be generated and
diligent reviews must be conducted in a timely manner.
Countermeasures protecting the software guards include implementing strong softw
are development processes, performing continuous risk management, conducting thi
rd-party testing and evaluation of software, following trusted product evaluatio
n program and Common Criteria guidelines, high-assurance configuration control,
cryptographic signatures over tested software products, use of tamper detection
technologies during packaging, use of authorized couriers and approved carriers,
and use of blind-buy techniques.
256. Which of the following is not used to accomplish network address translatio
n (NAT)?
a.
b.
c.
d.
two primary differences. First, port address translation is not required to use
the IP address of the external firewall interface for all network traffic. Seco
nd, with port address translation, it is possible to place resources behind a fi
rewall system and still make them selectively accessible to external users.
257. Which of the following ensures that all Web network traffic dealing with a
firewall system is secured from an administration viewpoint?
a.
b.
c.
d.
DES
SSL
HTTP
SSH
257. b. There should be a policy stating that all firewall management functions
take place over secure links. For Web-based interfaces, the security should be i
mplemented through secure sockets layer (SSL) encryption, along with a user ID a
nd password. If neither internal encryption nor SSL are available, tunneling sol
utions such as the Secure Shell (SSH) are usually appropriate. HTTP and DES are
not appropriate here as they do not provide strong security.
258. All the following are applications of spanning tree concept except:
a.
b.
c.
d.
Multicast routing
Spanning port
Risk analysis
Bridges
258. b. A spanning port is a switch port that can see all network traffic going
through the switch. The spanning port has nothing to do with the spanning tree w
hereas the other three choices are applications of the spanning tree concept. Th
e spanning tree has several applications such as (i) multicast routing which mak
es excellent use of bandwidth where each router knows which of its lines belong
to the tree, (ii) conducting risk analysis, and (iii) building plug-and-play bri
dges.
259. Which of the following does not perform prefix filtering services?
a.
b.
c.
d.
259. b. Sensors (intrusion detection systems) are composed of monitors and scann
ers, and they do not perform prefix filtering services. Sensors identify and sto
p unauthorized use, misuse, and abuse of computer systems by both internal netwo
rk users and external attackers in near real time. Sensors do not perform permit
and deny actions as do the border gateway protocol (BGP), routers, and firewall
s. Prefix filtering services are provided by BGP, routers, and firewalls in that
they perform permit and deny actions. Prefix filtering is the most basic mechan
ism for protecting BGP routers from accidental or malicious disruption, thus lim
iting the damage to the routes. Filtering of both incoming prefixes (ingress fil
tering) and outgoing prefixes (egress filtering) is needed. Router filters are s
pecified using syntax similar to that for firewalls. Two options exist. One opti
on is to list ranges of IP prefixes that are to be denied and then permit all ot
hers. The other option is to specify a range of permitted prefixes, and the rest
are denied. The option of listing a range of permitted prefixes provides greate
r security.
260. Local-area networks (LANs) operate at what layer of the ISO/OSI reference
model?
a. Physical Layer 1
b. Data link Layer 2
c. Network Layer 3
d. Transport Layer 4
260. b. Layer 2 (data link) of the ISO/OSI reference model represents the layer
at which network traffic delivery on local-area networks (LANs) occurs.
261. Which of the following are examples of major problems associated with netwo
rk address translation (NAT)?
1.
2.
3.
4.
Cannot
Cannot
Cannot
Cannot
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
261. d. Major problems associated with network address translation (NAT) include
(i) it violates the architectural model of IP, which states that every IP addre
ss must uniquely identify a single computer worldwide, (ii) it will not locate t
he TCP source port correctly, (iii) it violates the rules of protocol layering i
n that a lower-level layer should not make any assumptions about the next higher
-level layer put into the payload field, and (iv) it needs to be patched every t
ime a new application is introduced because it cannot work with file transfer pr
otocol (FTP) or H.323 Internet Telephony Protocol. The FTP and H.323 protocols w
ill fail because NAT does not know the IP addresses and cannot replace them.
262. Hardware/software guards provide which of the following functions and prop
erties?
1.
2.
3.
4.
Data-filtering
Data-blocking
Data-sanitization
Data-regrading
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
4
3, and 4
c. 5
d. 10
263. d. The equation for the number of direct paths in a fully connected network
is n (n1)/2, where n is the number of nodes. Applying the equation results in 10 (
i.e., 5(51)/2). The answer 2 is obtained by using the equation as (n1)/2. The answ
er 3 is obtained by using the equation as (n+1)/2.
264. Which of the following networks is used to distribute music, games, movies
, and news using client caching, server replication, clients request redirection,
and a proxy server?
a.
b.
c.
d.
264. b. Content delivery networks are used to deliver the contents of music, gam
es, movies, and news from content owners website to end users quickly with the us
e of tools and techniques such as client caching, server replication, clients req
uest redirection, and a proxy content server to enhance the Web performance in t
erms of optimizing the disk space and preload time.
ATMs are good for voice traffic only. VoIP is the transmission of voice over pac
ket-switched IP networks and it takes a wide variety of forms, including traditi
onal telephone handsets, conferencing units, and mobile units. ISDN is an intern
ational communications standard for sending voice, video, and data over digital
or standard telephone wires. The ISDN security must begin with the user (i.e., m
ay be a person, an organizational entity, or a computer process).
265. Firewalls are the perfect complement to which of the following?
a.
b.
c.
d.
Bridges
Routers
Brouters
Gateways
265. b. Given that all routers support some type of access control functionality
, routers are the perfect complement to firewalls. The generally accepted design
philosophy is that boundary routers should protect firewall devices before the
firewall devices ever have to protect themselves. This principle ensures that th
e boundary router can compensate for any operating system or platform-specific v
ulnerabilities that might be present on the firewall platform. Brouters combine
the functionality of bridges and routers.
266. Which of the following is the best backup strategy for firewalls?
a.
b.
c.
d.
Incremental backup
Centralized backup
Day Zero backup
Differential backup
266. c. The conduct and maintenance of backups are key points to any firewall ad
ministration policy. It is critical that all firewalls are subject to a Day Zero
backup (full backup), i.e., all firewalls should be backed up immediately prior
to production release. As a general principle, all firewall backups should be f
ull backups, and there is no need for incremental, centralized, or differential
backups because the latter are less than full backups.
267. Which of the following needs to be protected for a failsafe performance?
a.
b.
c.
d.
Virus scanners
Firewalls
Blocking filters
Network ports
267. b. Network firewalls are devices or systems that control the flow of networ
k traffic between networks employing differing security postures. A failsafe is
the automatic termination and protection of programs when a hardware or software
failure is detected. Because firewalls provide a critical access control securi
ty service, multiple firewalls should be employed for failsafe performance. Depe
nding on a persons viewpoint, firewalls provide either the first line of defense
or the last line of defense in accessing a network.
Virus scanners look for common viruses and macro viruses. Blocking filters can b
lock Active-X and Java applets. Network ports provide access points to a network
. These are not that important when compared to the firewall to have a failsafe
performance.
268. Which of the following does not require network address translation service
s?
a.
b.
c.
d.
Internet
Internet
Internet
Internet
Protocol
Protocol
Protocol
Protocol
(IP)
(IP)
(IP)
(IP)
version
version
version
version
2
3
4
6
268. d. The network address translation (NAT) services are not needed in the Int
ernet Protocol (IP) version 6 but are needed in the IPv2, IPv3, and IPv4. IP add
resses are in a limited supply. NAT is the process of converting between IP addr
esses used within an intranet or other private network (called a stub domain) an
d the Internet IP addresses. This approach makes it possible to use a large numb
er of addresses within the stub domain without depleting the limited number of a
vailable numeric Internet IP addresses. In the IP version 6, the NAT services ar
e not needed because this version takes care of the problem of insufficient IP a
ddresses with automatically assigning the IP addresses to hosts.
269. Which of the following fills the gap left by firewalls in terms of not mon
itoring authorized users actions and not addressing internal threats?
a.
b.
c.
d.
Sensors
Switches
Bridges
Routers
269. a. Firewalls do not monitor authorized users actions of both internal and ex
ternal users, and do not address internal (insider) threats, leaving a gap. Sens
ors fill the gap left by firewalls with the use of monitors and scanners. A sens
or is an intrusion detection and prevention system (IDPS) component that monitor
s, scans, and analyzes network activity.
The other three choices cannot fill the gap left by firewalls. A switch is a mec
hanical, electromechanical, or electronic device for making, breaking, or changi
ng the connections in or among circuits. A bridge is a device that connects simi
lar or dissimilar two or more LANs together to form an extended LAN. A router co
nverts between different data link protocols and resegments transport level prot
ocol data units (PDUs) as necessary to accomplish this conversion and re-segment
ation.
270. In a domain name system (DNS) environment, which of the following is refer
red to when indicating security status among parent and child domains?
a.
b.
c.
d.
Chain
Chain
Chain
Chain
of
of
of
of
trust
custody
evidence
documents
n of a chain of trust among parent and child domains. An example means to indica
te the security status of child subspaces is through the use of delegation signe
r (DS) resource records in the DNS.
The other three choices are not related to the chain of trust but they are relat
ed to each other. Chain of custody refers to tracking the movement of evidence,
chain of evidence shows the sequencing of evidence, and chain of documents suppo
rts the chain of custody and the chain of evidence, and all are required in a co
urt of law.
271. Which of the following is not an example of centralized authentication prot
ocols?
a.
b.
c.
d.
RADIUS
TACACS
SSO
DIAMETER
Assurance
Authentication
Authorization
Accounting
Repeater
Server disk drives
Network cabling
Server software
274. c. Hardware failures are grouped as follows: network cabling (60 to 80 perc
ent), repeater (10 to 20 percent), and server disk drive (10 to 20 percent). Cab
les should be tested before their first use, rather than after a problem surface
s. Testing an installed cable is a tedious job, particularly when there are many
network connections (drops) and the organization is large. Failures result when
electrical conductors either break open, short together, or are exposed to elec
tromagnetic forces. Failures are also caused when cables are poorly routed. Cabl
ing, unlike other computer equipment, is not protected from heat, electrical cha
rges, physical abuse, or damage.
Repeaters, server disk drives, and server software are incorrect. A repeater rep
eats data packets or electrical signals between cable segments. It receives a me
ssage and then retransmits it, regenerating the signal at its original strength.
Server disk drives and server software are comparatively safe and trouble-free
devices compared with cabling.
275. Which of the following internetworking devices sends traffic addressed to
a remote location from a local-area network (LAN) over the wide-area network (WA
N) to the remote destination?
a.
b.
c.
d.
Bridge
Router
Brouter
Backbone
275. b. A router sends traffic addressed to a remote location from the local net
work over the wide area connection to the remote destination. The router connect
s to either an analog line or a digital line. Routers connect to analog lines vi
a modems or to digital lines via a channel-service unit or data-service units.
Bridge is incorrect because it is a device that connects similar or dissimilar L
ANs to form an extended LAN. Brouters are incorrect because they are routers tha
t can also bridge; they route one or more protocols and bridge all other network
traffic. Backbone is incorrect because it is the high-traffic-density connectiv
ity portion of any communications network.
276. Which of the following protocols use many network ports?
a.
b.
c.
d.
276. b. TCP and UDP protocols are part of the TCP/IP suite operating at the tran
sport layer of the ISO/OSI model. Network ports are used by TCP and UDP, each ha
ving 65,535 ports. Attackers can reconfigure these ports and listen in for valua
ble information about network systems and services prior to attack. SNMP and SMT
P are application layer protocols, which use few ports. ICMP and IGMP are networ
k layer protocols, which do not use any ports. ARP and RARP are data link layer
protocols, which do not use any ports.
Network ports 0 through 1,023 are assigned for service contact used by server pr
ocesses. The contact ports are sometimes called well-known ports. These service co
ntact ports are used by system (or root) processes or by programs executed by pr
ivileged users. Ports from 1,024 through 65,535 are called registered ports. All
incoming packets that communicate via ports higher than 1,023 are replies to co
nnections initiated by internal requests. For example, Telnet service operates a
t port #23 with TCP and X Windows operate at port #6,000 with TCP.
277. Which of the following is not compatible with the Internet Protocol (IP) ve
rsion 6?
a.
b.
c.
d.
IP version 4
TCP
UDP
BGP
277. a.
Pv4 but
ervices
and/or
278. Which of the following network connectivity devices use rules that could h
ave a substantial negative impact on the devices performance?
a.
b.
c.
d.
278. b. Rules or rulesets are used in routers and firewalls. Adding new rules to
a router or firewall could have a substantial negative impact on the devices per
formance, causing network slowdowns or even a denial-of-service (DoS). The infor
mation security management should carefully consider where filtering should be i
mplemented (e.g., border router, boundary router, and firewall). A boundary rout
er is located at the organizations boundary to an external network.
The other three choices do not use rules or rulesets. A sensor is an intrusion d
etection and prevention system (IDPS) component that monitors and analyzes netwo
rk activity. A switch is a mechanical, electromechanical, or electronic device f
or making, breaking, or changing the connections in or among circuits. A hardwar
e/software guard is designed to provide a secure information path for sharing da
ta between multiple system networks operating at different security levels. A ga
teway transfers information and converts it to a form compatible with the receiv
ing networks protocols. A connector is an electromechanical device on the ends of
cables that permit them to be connected with, and disconnected from, other cabl
es. A concentrator gathers together several lines in one central location.
279. Countermeasures against sniffers do not include which of the following?
a.
b.
c.
d.
279. c. Packet filters are good against flooding attacks. Using either recent ve
rsion of secure shell (e.g., SSHv2) or IPsec protocol, using end-to-end encrypti
on, and implementing robust authentication techniques are effective against snif
fing attacks.
280. Secure remote procedure call (RPC) provides which one of the following sec
urity services?
a.
b.
c.
d.
Authentication
Confidentiality
Integrity
Availability
280. a. Secure remote procedure call (RPC) provides authentication services only
. Confidentiality, integrity, and availability services must be provided by othe
r means.
281. Which of the following does not provide confidentiality protection for Web
services?
a.
b.
c.
d.
281. c. The advanced encryption standard (AES) does not provide confidentiality
protection for Web services. However, the AES is used for securing sensitive but
unclassified information.
The other three choices provide confidentiality protection for Web services beca
use most Web service data is stored in the form of extensible markup language (X
ML). Using XML encryption before storing data should provide confidentiality pro
Traffic
Traffic
Traffic
Traffic
entering a network
to and from the Internet
to host systems
leaving a network
282. b. Firewalls police network traffic that enters and leaves a network. Firew
alls can stop many penetrating attacks by disallowing many protocols that an att
acker could use to penetrate a network. By limiting access to host systems and s
ervices, firewalls provide a necessary line of perimeter defense against attack.
The new paradigm of transaction-based Internet services makes these perimeter def
enses less effective as their boundaries between friendly and unfriendly environ
ments blur.
283. Sources of legal rights and obligations for privacy over electronic mail do
not include which of the following?
a.
b.
c.
d.
284. a. The ISO/OSI standards give a choice where either a transport layer or ne
twork layer can be used to provide end system-level security. An assumption is m
ade that the end systems are trusted and that all underlying communication netwo
rks are not trusted.
285. A primary firewall has been compromised. What is the correct sequence of a
ction steps to be followed by a firewall administrator?
1.
2.
3.
4.
a.
b.
c.
d.
1,
2,
2,
4,
2,
3,
1,
1,
3,
4,
4,
2,
and
and
and
and
4
1
3
3
285. c. Internal computer systems should not be connected to the Internet withou
t a firewall. There should be at least two firewalls in place: primary and secon
dary. First, the attacked (primary) firewall should be brought down to contain t
he damage (i.e., damage control), and the backup (secondary) firewall should be
deployed immediately. After the primary firewall is reconfigured, it must be bro
ught back or restored to an operational state.
You should not deploy the secondary firewall first until the primary firewall is
completely brought down to contain the risk due to its compromised state and to
reduce the further damage. The elapsed time between these two actions can be ve
ry small.
286. Which of the following functions of Internet Control Message Protocol (ICM
P) of TCP/IP model is used to trick routers and hosts?
a.
b.
c.
d.
286. b. Internet Control Message Protocol (ICMP) redirect messages can be used t
o trick routers and hosts acting as routers into using false routes; these false r
outes aid in directing traffic to an attackers system instead of a legitimate, tr
usted system.
287. Which of the following functions of the Internet Control Message Protocol
(ICMP) of TCP/IP model cause a buffer overflow on the target machine?
a.
b.
c.
d.
287. c. The ping command is used to send an Internet Control Message Protocol (I
CMP) echo message for checking the status of a remote host. When large amounts o
f these messages are received from an intruder, they can cause a buffer overflow
on the target host machine, resulting in a system reboot or total system crash.
This is because the recipient host cannot handle the unexpected data and size i
n the packet, thereby possibly triggering a buffer overflow condition. The other
three choices do not cause a buffer overflow on the target machine.
288. The basic causes of a majority of security-related problems in Web servers
are due to which of the following?
a.
b.
c.
d.
Hardware
Software
Hardware
Software
288. b. A Web server is like a window to the world, and therefore it must be pro
tected to provide a controlled network access to both authorized and unauthorize
d individuals. Web servers contain large and complex programs that can contain s
ecurity weaknesses. These weaknesses are due to poor software design and configu
ration of the Web server. Hardware design and protocols provide better security
than software design.
289. In electronic auctions, which of the following auction models has a minima
l security mechanism that can lead to security breaches and fraud?
a.
b.
c.
d.
Business-to-business (B2B)
Government-to-business (G2B)
Consumer-to-consumer (C2C)
Consumer-to-business (C2B)
y and sell goods with other consumers through auction sites. The C2C auction mod
el has minimal security mechanism (i.e., no encryption and possibility of fraud
in shipping defective products). The B2B, G2B, and C2B auction models are reason
ably secure due to the use of private telephone lines (leased lines) and encrypt
ion.
290. Which of the following causes an increase in the attack surface of a publi
c cloud computing environment?
a.
b.
c.
d.
Paging
Hypervisor
Checkpointing
Migration of virtual machines
Agent-based technology
Windows-based technology
Hardware-based technology
Network-based technology
291. a. Agent-based technology can boost the performance of remote access softwa
re capability. It gives the users the ability to work offline on network tasks,
such as e-mail, and complete the task when the network connection is made. Agent
-based technology is software-driven. It can work with the Windows operating sys
tem.
292. From a security viewpoint, which of the following should be the goal for a
virtual private network (VPN)?
a.
b.
c.
d.
Make
Make
Make
Make
only
only
only
only
one
one
one
one
292. b. The goal for a virtual private network (VPN) should be to make it the on
ly entry point to an organizations network from the Internet. This requires block
ing all the organizations systems or making them inaccessible from the Internet u
nless outside users connect to the organizations network via its VPN.
293. In border gateway protocol (BGP), which of the following is physically pre
sent?
a.
b.
c.
d.
Routing/forwarding table
Adj-Routing Information Base (RIB)-In table
Loc-RIB table
Adj-RIB-Out table
BGP is used in updating routing tables, which are essential in assuring the corr
ect operation of networks, as it is a dynamic routing scheme. Routing informatio
n received from other BGP routers is accumulated in a routing table. These route
s are then installed in the routers forwarding table.
An eavesdropper could easily mount an attack by changing routing tables to redir
ect traffic through nodes that can be monitored. The attacker could thus monitor
the contents or source and destination of the redirected traffic or modify it m
aliciously.
The adj-RIB-In table routes after learning from the inbound update messages from
BGP peers. The loc-RIB table routes after selecting from the adj-RIB-In table.
The adj-RIB-Out table routes to its peers that the BGP router will advertise bas
ed on its local policy.
294. In Web services, which of the following can lead to a flooding-based denia
l-of-service (DoS) attack?
a.
b.
c.
d.
Source IP address
Network packet behavior
SOAP/XML messages
Business behavior
294. d. Flooding attacks most often involve copying valid service requests and r
e-sending them to a provider. The attacker may issue repetitive SOAP/XML message
s in an attempt to overload the Web service. The user behavior (business behavio
r) in using the Web service transactions may not be legitimate and is detected,
thus constituting a DoS attack. The other three choices may not be detected beca
use they are legitimate where the source IP address is valid, the network packet
behavior is valid, and the SOAP/XML message is well formed.
295. It has been said that no system is completely secure and can handle all dis
asters. Which one of the following items is needed most, even when all the other
three items are working properly, to ensure online operation and security?
a.
b.
c.
d.
296. c. In a Voice over Internet Protocol (VoIP) technology, voice and data are
combined in the same network. The other three choices cannot combine voice and d
ata. File transfer protocol (FTP) is used to copy files from one computer to ano
ther. Content streaming is a method for playing continuous pictures and voice fr
om multimedia files over the Internet. It enables users to browse large files in
real time. Instant messaging (IM) technology provides a way to send quick notes
or text messages from PC to PC over the Internet, so two people who are online
at the same time can communicate instantly.
297. The network address translation (NAT) changes which of the following from
Internet
Transmission control protocol (TCP)
Internet Protocol (IP)
Switched multimegabit data services (SMDS)
297. a. The network address translation (NAT) changes the Internet from a connec
tionless network to a connection-oriented network through its converting, mappin
g, and hiding of the Internet IP addresses. By design, the TCP is a connection-o
riented network and both IP and SMDS are connectionless networks, which are not
changed by the NAT.
298. Which of the following would be inherently in conflict with a traffic padd
ing security mechanism?
a.
b.
c.
d.
Session-less protocols
Datagram-based protocols
Session initiation protocol (SIP)
Simple Internet Protocol Plus (SIPP)
IPv6 runs on high-speed networks, those using asynchronous transfer mode (ATM)
and wireless networks. Simple Internet Protocol Plus (SIPP) is used in IPv6.
300. Which of the following border gateway protocol (BGP) attacks does not use m
essage digest 5 (MD5) authentication signature option as a countermeasure?
a.
b.
c.
d.
Peer spoofing
Link cutting attack
Malicious route injection
Unallocated route injection
Applications layer
Transport layer
Network layer
Data link layer
301. a. DNS is a function of the application layer, along with HTTP, SMTP, FTP,
and SNMP. This layer sends and receives data for particular applications.
The transport layer is incorrect because it provides connection-oriented or conn
ectionless services for transporting application layer services between networks
. The network layer is incorrect because it routes packets across networks. The
data link layer is incorrect because it handles communications on the physical n
etwork components.
302. Regarding Voice over Internet Protocol (VoIP), packets loss is not resultin
g from which of the following?
a.
b.
c.
d.
Latency
Jitter
Speed
Bandwidth congestion
Moores law
Zipfs law
Brookes law
Paretos law
303. b. The Zipfs law states that the most popular movie is seven times as popula
r as the number seven movie. It is assumed that most customers will order the mo
st popular movie more frequently. The other three choices are not related to vid
eo servers.
The Moores law states that the number of transistors per square inch on an integr
ated circuit chip doubles every 18 months or the performance of a computer doubl
es every 18 months. The Brookes law states that adding more people to a late syst
em development project (or to any project) makes the project even later. The Par
etos law, as it applied to IT, states that 80 percent of IT-related problems are
the result of 20 percent of IT-related causes.
304. Which of the following is not a security goal of a domain name system (DNS)
?
a.
b.
c.
d.
Source authentication
Confidentiality
Integrity
Availability
304. b. The DNS data provided by public DNS name servers is not deemed confident
ial. Therefore, confidentiality is not one of the security goals of DNS. Ensurin
g authenticity of information and maintaining the integrity of information in tr
ansit is critical for efficient functioning of the Internet, for which DNS provi
des the name resolution service. The DNS is expected to provide name resolution
information for any publicly available Internet resource.
305. Which of the following provides a dynamic mapping of an Internet Protocol
(IP) address to a physical hardware address?
a.
b.
c.
d.
PPP
ARP
SLIP
SKIP
Star
Bus
Token ring
Token bus
306. a. The star topology uses a central hub connecting workstations and servers
. The bus topology uses a single cable running from one end of the network to th
Twisted-pair wire
Coaxial cable
Fiber-optical cable
Copper-based cable wire
Internet
Local-area network
Virtual private network
Wide-area network
EAP
PPP
CHAP
PAP
309. a. The Internet Key Exchange (IKE) Version 2 of IPsec supports the extensib
le authentication protocol (EAP), which permits IPsec to use external authentica
tion services such as Kerberos and RADIUS.
The point-to-point protocol (PPP) standard specifies that password authenticatio
n protocol (PAP) and challenge handshake authentication protocol (CHAP) may be n
egotiated as authentication methods, but other methods can be added to the negot
iation and used as well.
310. Which of the following supports the secure sockets layer (SSL) to perform
client-to-server authentication process?
a.
b.
c.
d.
310. c. Transport layer security (TLS) protocol supports the SSL to perform clie
nt-to-server authentication process. The TLS protocol enables client/server appl
ication to communicate in a way that is designed to prevent eavesdropping, tampe
ring, or message forgery. The TLS protocol provides communication privacy and da
ta integrity over the Internet.
311. Challenge handshake authentication protocol (CHAP) requires which of the f
ollowing for remote users?
a.
b.
c.
d.
Initial authentication
Pre-authentication
Post-authentication
Re-authentication
311. d. CHAP supports re-authentication to make sure the users are still who the
y were at the beginning of the session. The other authentication methods mention
ed would not achieve this goal.
312. A major problem with Serial Line Internet Protocol (SLIP) is which of the f
ollowing?
a.
b.
c.
d.
The
The
The
The
protocol
protocol
protocol
protocol
312. d. SLIP is a protocol for sending IP packets over a serial line connection.
Because SLIP is used over slow lines (56kb), this makes error detection or corr
ection at that layer more expensive. Errors can be detected at a higher layer. T
he addresses are implicitly defined, which is not a major problem. Point-to-poin
t connections make it less vulnerable to eavesdropping, which is strength. SLIP
is a mechanism for attaching non-IP devices to an IP network, which is an advant
age.
313. A serious and strong attack on a network is just initiated. The best approa
ch against this type of attack is to:
a.
b.
c.
d.
313. d. On any attack, preventing network attacks from occurring is the first pr
iority. For serious and strong attacks, prevention should be combined with inter
vening techniques to minimize or eliminate negative consequences of attacks that
may occur. Intervening actions start right after full prevention and right befo
re full detection, correction, and recovery actions by installing decoy systems
(e.g., honeypot), vigilant network administrators, and alerts/triggers from cent
ral network monitoring centers. In other words, intervening actions face the att
acker head on right after the initial signs and symptoms of attack detection but
do not wait until the full detection to take place as in a normal case of detec
tion, thus halting the attacker to proceed further. These intervening actions st
op the attack right at the beginning by diverting or stalling the attacker.
For serious and strong attacks, normal detection alone is not enough, correction
alone or combined with detection is not enough, recovery alone or combined with
detection and correction is not enough because they may not contain the serious
and strong attacks quickly as they are too late to be of any significant use. H
owever, they are very useful in normal attacks. Intervening is pro-active and ac
tion-oriented, whereas detecting, correcting, and recovering are re-active and p
assive-oriented.
314. Major vulnerabilities stemming from the use of the World Wide Web (WWW) ar
e associated with which of the following?
a.
b.
c.
d.
314. b. Vulnerabilities stemming from the use of the Web are associated with bro
wser software and server software. Although browser software can introduce vulne
rabilities to an organization, these vulnerabilities are generally less severe t
han the threat posed by servers. Many organizations now support an external webs
ite describing their products and services. For security reasons, these servers
are usually posted outside the organizations firewall, thus creating more exposur
e. Web clients, also called Web browsers, enable a user to navigate through info
rmation by pointing and clicking. Web servers deliver hypertext markup language
(HTML) and other media to browsers through the hypertext transfer protocol (HTTP
). The browsers interpret, format, and present the documents to users. The end r
esult is a multimedia view of the Internet.
315. Which of the following is an inappropriate control over telecommunication
hardware?
a.
b.
c.
d.
316. b. Either MOA or MOU are initial documents prior to finalizing the SLA docu
ment. The rules of network connection can be informal and not binding. The SLA d
ocument is between a user (customer) organization and a service provider, so as
to satisfy specific customer application system requirements. The SLA should add
ress performance properties such as throughput (bandwidth), transit delay (laten
cy), error rates, packet priority, network security, packet loss, and packet jit
ter.
317. For network security threats, which of the following steals or makes an un
authorized use of a service?
a.
b.
c.
d.
Denial-of-service
Misappropriation
Message replay
Message modification
Wireless
Wireless
Wireless
Wireless
LANs
LANs
LANs
LANs
will
will
will
will
318. c. Wireless LANs augment and do not replace wired LANs. In some cases, wire
less LANs serve as a direct replacement for the wired LANs when starting from sc
ratch. In most cases, a wireless LAN complements a wired LAN and does not replac
e it. Due to poor performance and high-cost reasons, wireless LANs do not take o
ver the wired LANs. Wireless LANs do not substantially eliminate cabling because
bridges rely on cabling for interconnection. Wireless LANs provide unique advan
tages such as fast and easy installation, a high degree of user mobility, and eq
uipment portability.
319. Which of the following ISO/OSI layers does not provide confidentiality serv
ices?
a.
b.
c.
d.
Presentation layer
Transport layer
Network layer
Session layer
319. d. The session layer does not provide confidentiality service. It establish
es, manages, and terminates connections between applications and provides checkp
oint recovery services. It helps users interact with the system and other users.
The presentation layer is incorrect because it provides authentication and confi
dentiality services. It defines and transforms the format of data to make it use
ful to the receiving application. It provides a common means of representing a d
ata structure in transit from one end system to another.
The transport layer is incorrect because it provides confidentiality, authentica
tion, data integrity, and access control services. It ensures an error-free, insequence exchange of data between end points. It is responsible for transmitting
a message between one network user and another.
The network layer is incorrect because it provides confidentiality, authenticati
on, data integrity, and access control services. It is responsible for transmitt
ing a message from its source to the destination. It provides routing (path cont
rol) services to establish connections across communications networks.
320. User datagram protocol (UDP) is a part of which of the following TCP/IP la
yers?
a.
b.
c.
d.
Applications layer
Transport layer
Network layer
Data link layer
320. b. User datagram protocol (UDP) is a part of the transport layer, along wit
h TCP. This layer provides connection-oriented or connectionless services for tr
ansporting application layer services between networks.
The application layer is incorrect because it sends and receives data for partic
ular applications. The network layer is incorrect because it routes packets acro
ss networks. The data link layer is incorrect because it handles communications
on the physical network components.
321. Internet control message protocol (ICMP) is a part of which of the followi
ng TCP/IP layers?
a.
b.
c.
d.
Applications layer
Transport layer
Network layer
Data link layer
321. c. Internet control message protocol (ICMP) is a part of the network layer,
along with IP, RAS, and IGMP. The network layer routes packets across networks.
The application layer is incorrect because it sends and receives data for partic
ular applications. The transport layer is incorrect because it provides connecti
on-oriented or connectionless services for transporting application layer servic
es between networks. The data link layer is incorrect because it handles communi
cations on the physical network components.
322. Which of the following cannot log the details of encryption-protected hyper
text transfer protocol (HTTP) requests?
a.
b.
c.
d.
322. a. Hypertext transfer protocol (HTTP) is the mechanism for transferring dat
a between the Web browsers and Web servers. Through Web browsers, people access
Web servers that contain nearly any type of data imaginable. The richest source
of information for Web usage is the hosts running the Web browsers. Another good
source of Web usage information is Web servers, which keep logs of the requests
that they receive. Besides Web browser and servers, several other types of devi
ces and software might also log related information. For example, Web proxy serv
ers and application proxying firewalls might perform detailed logging of HTTP ac
tivity, with a similar level of detail to Web server logs. However, Web proxy se
rvers cannot log the details of SSL or TLS-protected HTTP requests because the r
equests and the corresponding responses pass through the proxy encrypted, which
conceals their contents.
Routers, nonproxying firewalls, and other network devices might log the basic as
pects of HTTP network connections, such as source and destination IP addresses a
nd ports.
323. In a domain name system (DNS) environment, who is responsible for the conf
iguration and operation of the name servers?
a.
b.
c.
d.
Security administrators
System administrators
Zone administrators
Database administrators
323. c. Zone administrators are also called DNS administrators, and they are res
ponsible for the configuration and operation of the name servers.
324. All the following services and application traffic should always be blocked
inbound by a firewall except:
a.
b.
c.
d.
RPC
NFS
FTP
SNMP
X9.63
X9.44
X9.17
X.25
Using firewalls
Disabling active-content
Using smart tokens
Using timestamps
Heartbeat solution
Network switches
Back-end system
Custom network interface
329. d. The firewall administrator must analyze and evaluate each new release of
the firewall software to determine whether an upgrade is required. Prior to upg
rade, the firewall administrator must verify with the vendor that an upgrade is
required. The most important step occurs after an upgrade; the firewall must be
tested to ensure proper functioning prior to making it fully operational.
330. A virtual private network (VPN) creates a secure, private network over the
Internet through all the following except:
a.
b.
c.
d.
Authentication
Encryption
Packet tunneling
Firewalls
Technical attack
Tunneling attack
NAK attack
Active attack
Nonpreventable
Preventable
Detectable
Correctable
a.
b.
c.
d.
1 only
3 only
1 and 3
2, 3, and 4
332. c. Data communication channels are often insecure, subjecting messages tran
smitted over the channels to passive and active threats or attacks. An active at
tack is where the threat makes an overt change or modification to the system in
an attempt to take advantage of vulnerability. Active attacks are nonpreventable
and detectable.
A passive attack occurs when the threat merely watches information move across t
he system and when information is siphoned off the network. Passive attacks are
preventable but difficult to detect because no modification is done to the infor
mation, and audit trails do not exist. All attacks are correctable with varying
degrees of effort and cost.
333. What is an attacker connecting a covert computer terminal to a data commun
ication line between the authorized terminal and the computer called?
a.
b.
c.
d.
Tunneling attack
Salami attack
Session hijacking attack
Asynchronous attack
333. c. The attacker waits until the authorized terminal is online but not in us
e and then switches control to the covert terminal. The computer thinks it is st
ill connected to the authorized user, and the attacker has access to the same fi
les as the authorized user. Because a session was hijacked in the middle, it is
called a session hijacking attack.
A tunneling attack is incorrect because it uses one data transfer method to carr
y data for another method. A salami attack is incorrect because it is an automat
ed form of abuse using the Trojan horse method or secretly executing an unauthor
ized program that causes the unnoticed or immaterial debiting of small amounts o
f financial assets from a large number of sources or accounts. An asynchronous a
ttack is incorrect because it takes advantage of the asynchronous functioning of
a computer operating system. This may include a programmer (i) penetrating the
job queue and modifying the data waiting to be processed or printed or (ii) disr
upting the entire system by changing commands so that data is lost or programs c
rash.
334. Which of the following ISO/OSI layers provide both confidentiality and dat
a integrity services?
a.
b.
c.
d.
334. c. The application layer is the only layer listed in the question that prov
es both confidentiality and data integrity services. The application layer provi
des services directly to users such as file transfer protocols. It consists of q
uery software where a person could request a piece of information and the system
display the answer.
The data link layer and physical layer are incorrect because they provide confid
entiality service only, not data integrity. The data link layer provides a relia
ble transfer of data across physical links, error flow control, link-level encry
ption and decryption, and synchronization. It handles the physical transmission
of frames over a single data link. The physical layer provides for the transmiss
ion of unstructured bit streams over the communications channel.
The presentation layer is incorrect because it provides authentication and confi
dentiality services but not data integrity and confidentiality. The presentation
layer defines and transforms the format of data to make it useful to the receiv
ing application.
335. Wireless local-area networks (WLANs) are connected to wired local-area net
works (LANs) through the use of which of the following?
a.
b.
c.
d.
Repeaters
Bridges
Brouters
Routers
335. b. Wireless LANs are often connected to wired LANs through a bridge, or the
y depend on a central hub to pass messages between nodes. These devices make goo
Callback
Static passwords
Firewalls
Dynamic passwords
336. c. Because intranets connect between customers, suppliers, and the organiza
tion, access to information is a vital concern. Firewalls and routers keep intru
ders out of the intranets.
A callback is incorrect because it is a security mechanism used mostly on mainfr
ame and mid-range computers. The static passwords are incorrect because they are
not changed often, and as such, they are ineffective security controls. The dyn
amic passwords are not correct because they change each time a user is logged on
to the system and are most effective security controls. All the other three cho
ices are incorrect because they are most widely used in a mainframe computer env
ironment. They are not used for intranets.
337. Which of the following ISO/OSI layers provide confidentiality, authenticat
ion, and data integrity services?
a.
b.
c.
d.
Network layer
Presentation layer
Session layer
Physical layer
337. a. The network layer is responsible for transmitting a message from the sou
rce to the destination. It provides routing (path control) services to establish
connections across communications networks. Therefore, it requires confidential
ity, authentication, and data integrity services to achieve this goal.
The presentation layer is incorrect because it provides authentication and confi
dentiality services but not data integrity. The presentation layer defines and t
ransforms the format of data to make it useful to the receiving application.
Session layer is incorrect because it does not provide any security-related serv
ices. It establishes, manages, and terminates connections between applications a
nd provides checkpoint recovery services. It helps users interact with the syste
m and other users.
The physical layer is incorrect because it provides confidentiality service only
. The physical layer provides for the transmission of unstructured bit streams o
ver the communications channel. It is the innermost software that handles the el
ectrical interface between a terminal and a modem.
338. Which of the following ISO/OSI layers provide nonrepudiation services?
a.
b.
c.
d.
Presentation layer
Application layer
Transport layer
Data link layer
338. b. The application layer provides nonrepudiation services, meaning that ent
ities involved in a communication cannot deny having participated. It is a techn
ique that assures genuine communication and that cannot subsequently be refuted.
The presentation layer is incorrect because it provides authentication and confi
dentiality services but not nonrepudiation. The presentation layer defines and t
PPP
SSH
PPTP
SKIP
1. c. In the past, protocols such as PPP, SSH, and SKIP were used in a VPN. Late
r, point-to-point tunneling protocol (PPTP) became popular due to its hiding cap
abilities and is useful to implement end-to-end secure VPNs.
2. Which of the following supersedes the point-to-point tunneling protocols (PP
TP) used in VPNs?
a.
b.
c.
d.
L2TP
L2F
IPsec
PPP
e following?
a.
b.
c.
d.
Bridge
Gateway
Firewall
Backbone
EAP
PPP
CHAP
PAP
5. a. The Internet Key Exchange (IKE) Version 2 of IPsec supports the extensible
authentication protocol (EAP), which permits IPsec to use external authenticati
on services such as Kerberos and RADIUS. The point-to-point protocol (PPP) stand
ard specifies that password authentication protocol (PAP) and challenge handshak
e authentication protocol (CHAP) may be negotiated as authentication methods, bu
t other methods can be added to the negotiation and used as well.
6. A VPN creates a secure, private network over the Internet through all the fol
lowing except:
a.
b.
c.
d.
Authentication
Encryption
Packet tunneling
Firewalls
Make
Make
Make
Make
only
only
only
only
one
one
one
one
7. b. The goal for a VPN should be to make it the only entry point to an organiz
ations network from the Internet. This requires blocking all the organizations sys
tems or making them inaccessible from the Internet unless outside users connect
to the organizations network via its VPN.
Sources and References
Border Gateway Protocol Security (NIST SP 800-54), National Institute of Standards
and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, Jun
e 2007.
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (NIST SP8
00-97), National Institute of Standards and Technology (NIST), U.S. Department of
Domain 3
Information Security Governance and Risk Management
Traditional Questions, Answers, and Explanations
1. For information systems security, a penetration is defined as which of the f
ollowing combinations?
a.
b.
c.
d.
Attack
Attack
Threat
Threat
plus
plus
plus
plus
breach
threat
breach
countermeasure
To
To
To
To
a.
b.
c.
d.
Attack
Threat
Threat
Attack
plus
plus
plus
plus
breach
vulnerability
attack
vulnerability
Reduces risks
Improves reputation
Increases confidence
Enhances trust from others
a.
b.
c.
d.
1 and
2 and
1, 2,
1, 2,
2
3
and 3
3, and 4
5. d. All four items are benefits of good information security. It can even impr
ove efficiency by avoiding wasted time and effort in recovering from a computer
security incident.
6. For risk mitigation, which of the following technical security controls are
pervasive and interrelated with other controls?
a.
b.
c.
d.
Supporting controls
Prevention controls
Detection controls
Recovery controls
Top-down process
Bottom-up process
Top-down and bottom-up
Bottom-up first, top-down next
trategy. Getting direction, support, and buy-in from top management sets the rig
ht stage or right tone for the entire organization.
8. Information security baselines for information assets vary depending on whic
h of the following?
a.
b.
c.
d.
Financial reporting
Inventory information
Trade secrets
Intellectual property
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
1
1
2
3
and
and
and
and
2
3
4
4
Prioritization of applications
Development of test procedures
Assessment of threat impact on the organization
Development of recovery scenarios
14. b. Test procedures are detailed instructions that usually are not considered
during a risk analysis exercise. Risk analysis is the initial phase of the cont
ingency planning process, whereas testing comes after developing and documenting
the plan. Application prioritization, assessment of impact on the organization
(exposures and implications), and recovery scenarios are part of the risk analys
is exercise. Risk analysis is a prerequisite to a complete and meaningful disast
er recoveryplanning program. It is the assessment of threats to resources and the
determination of the amount of protection necessary to adequately safeguard the
m.
15. Which of the following is not a key activity that facilitates the integratio
n of information security governance components?
a.
b.
c.
d.
Operational planning
Organizational structure
Roles and responsibilities
Enterprise architecture
a.
b.
c.
d.
Cryptographic technologies
Data encryption methods
Discretionary access controls
Escrowed encryption algorithms
16. c. Discretionary access controls (DAC) define access control security policy
. The other choices are examples of protected communications controls, which ens
ure the integrity, availability, and confidentiality of sensitive information wh
ile it is in transit.
Cryptographic technologies include data encryption standard (DES), Triple DES (3
DES), and secure hash standard. Data encryption methods include virtual private
networks (VPNs) and Internet Protocol security (IPsec). Escrowed encryption algo
rithms include Clipper.
17. For risk mitigation strategies, which of the following is not a proper and e
ffective action to take when a determined attackers potential or actual cost is t
oo great?
a.
b.
c.
d.
17. b. Usually, protection mechanisms to deter a normal and casual attacker are
applied to decrease an attackers motivation by increasing the attackers cost when
the attackers cost is less than the potential gain for the attacker. However, the
se protection mechanisms may not prevent a determined attacker because the attac
kers potential gain could be more than the cost or the attacker is seeking for a
strategic and competitive advantage with the attack.
The other three choices are proper and effective actions to take when the potent
ial or actual cost for an attacker is too great, whether the attacker is a norma
l, casual, or determined, because they are stronger protection mechanisms. Both
technical and nontechnical security controls can be used to limit the extent of
the attack.
18. Which of the following actions are required to manage residual risk when ne
w or enhanced security controls are implemented?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
d. Network monitoring
19. c. All four choices are examples of ongoing security monitoring activities.
Incident and event statistics are more valuable in determining the effectiveness
of security policies and procedures implementation. These statistics provide se
curity managers with further insight into the status of security programs under
their control and responsibility.
20. Which of the following pairs of security objectives, rules, principles, and
laws are in conflict with each other?
a.
b.
c.
d.
20. b. Least privilege is a security principle that requires that each subject b
e granted the most restrictive set of privileges needed for the performance of a
uthorized tasks. The application of this principle limits the damage resulting f
rom an accident, error, or unauthorized use. This is in great conflict with empl
oyee empowerment in which employees are given freedom to do a wide variety of ta
sks in a given time period. Much discretion is left to each employee to achieve
the stated goals.
The all-or-nothing access principle means access is either to all objects or non
e at all. The security perimeter rule uses increasingly strong defenses as one a
pproach the core information or resources sought. Both strengthen the security p
ractices.
File protection rules are designed to inhibit unauthorized access, modification,
and deletion of a file. The access granularity principle states that protection
at the data file level is considered coarse granularity, whereas protection at
the data field level is considered to be of a finer granularity. Both strengthen
the security practices.
The objectives of trans-border data flows and data privacy laws are to protect p
ersonal data from unauthorized disclosure, modification, and destruction. Transborder data flow is the transfer of data across national borders. Privacy refers
to the social balance between an individuals right to keep information confident
ial and the societal benefit derived from sharing information. Both strengthen t
he security practices.
21. Which of the following is not the major purpose of information system securi
ty plans?
a.
b.
c.
d.
21. a. The information security plan should reflect inputs from various managers
with responsibilities concerning the system. Major applications are described w
hen defining security boundaries of a system, meaning boundaries are established
within and around application systems.
The major purposes of the information system security plan are to (i) provide an
overview of the security requirements of the system, (ii) describe the security
controls in place or planned for meeting those requirements, (iii) delineate th
e roles and responsibilities, and (iv) define the expected behavior of all indiv
iduals who access the system.
22. The information system security plan is an important deliverable in which o
f the following processes?
a. Configuration management
b. System development life cycle
c. Network monitoring
d. Continuous assessment
22. b. The information system security plan is an important deliverable in the s
ystem development life cycle (SDLC) process. Those responsible for implementing
and managing information systems must participate in addressing security control
s to be applied to their systems. The other three choices are examples of ongoin
g information security program monitoring activities.
23. Which of the following approves the system security plan prior to the secur
ity certification and accreditation process?
a.
b.
c.
d.
23. c. Prior to the security certification and accreditation process, the inform
ation system security officer (the authorizing official, independent from the sy
stem owner) typically approves the security plan. In addition, some systems may
contain sensitive information after the storage media is removed. If there is a
doubt whether sensitive information remains on a system, the information system
security officer should be consulted before disposing of the system because the
officer deals with technical aspects of a system. The information system owner i
s also referred to as the program manager and business owner.
24. Which of the following is the key factor in the development of the security
assessment and authorization policy?
a.
b.
c.
d.
Risk management
Continuous monitoring
Testing the system
Evaluating the system
24. a. An organizations risk management strategy is the key factor in the develop
ment of the security assessment and authorization policy. The other three choice
s are part of the purpose of assessing the security controls in an information s
ystem.
25. Which of the following is a prerequisite for developing an information syst
em security plan?
1.
2.
3.
4.
Security
Analysis
Grouping
Labeling
a.
b.
c.
d.
1
2
1
3
and
and
and
and
categorization of a system
of impacts
of general support systems
of major application systems
4
3
2
4
25. c. Before the information system security plan can be developed, the informa
tion system and the data/information resident within that system must be categor
ized based on impact analysis (i.e., low, medium, or high impact). Then a determ
ination can be made as to which systems in the inventory can be logically groupe
d into general support systems or major application systems.
26. Which of the following defines security boundaries for an information syste
m?
1. Information
2. Personnel
3. Equipment
4. Funds
a.
b.
c.
d.
1 only
1 and 2
1 and 3
1, 2, 3, and 4
Security control
Management control
Operational control
Technical control
27. b. For new information systems, management control can be interpreted as hav
ing budgetary or programmatic authority and responsibility for developing and de
ploying the information systems. For current systems in the inventory, managemen
t control can be interpreted as having budgetary or operational authority for th
e day-to-day operation and maintenance of the information systems.
28. Which of the following actions should be implemented when a security functi
on is unable to execute automated self-tests for verification?
1.
2.
3.
4.
Compensating controls
System-specific controls
Common controls
Accept the risk
a.
b.
c.
d.
1 only
2 and 3
1, 2, and 3
1, 2, 3, and 4
28. d. For those security functions that are unable to execute automated self-te
sts, organizations should either implement compensating controls (i.e., manageme
nt, technical, and operational controls), system-specific controls, common contr
ols, or a combination of these controls. Otherwise, organizations management expl
icitly accepts the risk of not performing the verification process.
29. Compensating security controls for an information system should be used by
an organization only under which of the following conditions?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
3 only
1 and 3
1, 2, 3, and 4
cts the compensating controls from the security control catalog, (ii) the organi
zation provides a complete and convincing rationale and justification for how th
e compensating controls provide an equivalent security capability or level of pr
otection for the information system, and (iii) the organization assesses and for
mally accepts the risk associated with using the compensating controls in the in
formation system.
30. Common security controls can be applied to which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
1 and 2
1, 2, 3, and 4
30. d. Common security controls can apply to (i) all of an organizations informat
ion systems, (ii) a group of information systems at a specific site, or (iii) co
mmon information systems, subsystems, or applications, including hardware, softw
are, and firmware, deployed at multiple operational sites.
31. Which of the following should form the basis for management authorization t
o process information in a system or to operate an information system?
a.
b.
c.
d.
A plan of actions
Milestones
System security plan
Assessment report
System
System
System
System
a.
b.
c.
d.
1 and
3 and
1, 2,
1, 2,
status
scope
architecture
interconnections
2
4
and 3
3, and 4
System management
Legal issues
Quality assurance
Management controls
a.
b.
c.
d.
1 only
3 only
4 only
1, 2, 3, and 4
34. a. Common threat sources collect data on security threats, which include nat
ural threats, human threat sources, and environmental threat sources. In additio
n, intrusion detection tools collect data on security events, thereby improving
the ability to realistically assess threats to information.
35. Which of the following provides a 360-degree inspection of the system durin
g the vulnerability identification of a system in the risk assessment process?
a.
b.
c.
d.
36. a. When the ratings for threat likelihood (i.e., high, moderate, or low) and
impact levels (i.e., high, moderate, or low) have been determined through appro
priate analysis, the level of risk to the system and the organization can be der
ived by multiplying the ratings assigned for threat likelihood (e.g., probabilit
y) and threat impact level.
37. The effectiveness of recommended security controls is primarily related to
which of the following?
a.
b.
c.
d.
System
System
System
System
safety
reliability
complexity
regulations
o system complexity and compatibility. The level and type of security controls s
hould fit with the system complexity, meaning more controls are needed for compl
ex systems and fewer controls are needed for simple systems. At the same time, s
ecurity controls should match the system compatibility, meaning application-orie
nted controls are needed for application systems, and operating systemoriented co
ntrols are needed for operating systems. Other factors that should be considered
include legislation and regulations, the organizations policy, system impact, sy
stem safety, and system reliability.
38. Risk mitigation does not strive to do which of the following?
a.
b.
c.
d.
Control
Control
Control
Control
identification
prioritization
evaluation
implementation
38. a. Risk mitigation strives to prioritize, evaluate, and implement the approp
riate risk-reducing controls recommended from the risk assessment process. Contr
ol identification is performed in the risk assessment process, which comes befor
e risk mitigation.
39. Which one of the following items can be a part of other items?
a.
b.
c.
d.
Management controls
Operational controls
Technical controls
Preventive controls
39. d. System security controls selected are grouped into one of the three categ
ories of management, operational, or technical controls. Each one of these contr
ols can be preventive in nature.
40. Risk management activities are performed for periodic system re-authorizati
on in which of the following system development life cycle (SDLC) phases?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
Need
Need
Need
Need
a.
b.
c.
d.
1
1
2
3
and
and
and
and
for
for
for
for
2
3
4
4
41. a. Minimizing a negative impact on an organization and need a for sound basi
s in decision making are the fundamental reasons why organizations implement a r
isk management process for their IT systems. The risk management methodology is
the same regardless of the system development life cycle (SDLC) phase and it is
an iterative process that can be performed during each major phase of the SDLC.
42. From a risk management viewpoint, system migration is conducted in which of
the following system development life cycle (SDLC) phases?
a.
b.
c.
d.
Development/acquisition
Implementation
Operation/maintenance
Disposal
42. d. In the disposal phase of the SDLC process, system migration is conducted
in a secure and systematic manner.
43. For gathering information in the risk assessment process, proactive technic
al methods include which of the following?
a.
b.
c.
d.
Questionnaires
Onsite interviews
Document review
Network mapping tool
43. d. A network
can identify the
way of building
choices are not
44. Which of the
vulnerabilities?
a.
b.
c.
d.
44. b. Vulnerabilities (flaws and weaknesses) are exploited by the potential thr
eat sources such as employees, hackers, computer criminals, and terrorists. Thre
at source is a method targeted at the intentional exploitation of a vulnerabilit
y or a situation that may accidentally exploit a vulnerability.
Recommended approaches for identifying system vulnerabilities include the use of
vulnerability sources, the performance of system security testing, and the deve
lopment of a security-requirements checklist.
45. From a risk mitigation viewpoint, which of the following is not an example o
f system protection controls that are part of supporting technical security cont
rols?
a.
b.
c.
d.
Modularity
Layering
Need-to-know
Access controls
45. d. From a risk mitigation viewpoint, technical security controls are divided
into two categories: supporting controls and other controls (i.e., prevention,
detection, and recovery controls). Supporting controls must be in place in order
to implement other controls. Access controls are a part of preventive technical
security controls, whereas system protections are an example of supporting tech
nical security controls.
Some examples of system protections include modularity, layering, need-to-know,
and trust minimization (i.e., minimization of what needs to be trusted).
46. Which of the following controls is typically and primarily applied at the p
oint of transmission or reception of information?
a.
b.
c.
d.
Nonrepudiation services
Access controls
Authorization controls
Authentication controls
46. a. All these controls are examples of preventive technical security controls
. Nonrepudiation control ensures that senders cannot deny sending information an
d that receivers cannot deny receiving it. As a result, nonrepudiation control i
s typically applied at the point of transmission or reception of information. Ac
cess controls, authorization controls, and authentication controls support nonre
pudiation services.
47. Setting performance targets for which of the following information security
metrics is relatively easier than the others?
a.
b.
c.
d.
Implementation metrics
Effectiveness metrics
Efficiency metrics
Impact metrics
47. a. Setting performance targets for effectiveness, efficiency, and impact met
rics is much more complex than the implementation metrics because these aspects
of security operations do not assume a specific level of performance. Managers n
eed to apply both qualitative and subjective reasoning to set effectiveness, eff
iciency, and impact performance targets.
Implementation metrics measure the results of implementation of security policie
s, procedures, and controls (i.e., demonstrates progress in implementation effor
ts). Effectiveness/efficiency metrics measure the results of security services d
elivery (i.e., monitors the results of security controls implementation).
Impact metrics measure the results of business or mission impact of security act
ivities and events (i.e., provides the most direct insight into the value of sec
urity to the firm).
48. Which of the following is not an example of detective controls in informatio
n systems?
a.
b.
c.
d.
Audit trails
Encryption
Intrusion detection
Checksums
Assurance
Authorization
Authentication
Nonrepudiation
Threat-source analysis
Vulnerability analysis
Threat analysis
Risk analysis
Risk
Risk
Risk
Risk
assumption
avoidance
limitation
planning
Rules of engagement
Rules of behavior
Non-disclosure agreement
Acceptable use agreement
Service-level agreement
Rules of engagement
Background checks
Conflict-of-interest clauses
53. c. Due to higher turnover among vendors, consultants, and contractors and du
e to short timeframe work (e.g., a month or two), it is not cost effective or pr
actical to conduct background checks because they are applicable to regular full
-time employees. Vendors, consultants, and contractors must meet all the require
ments mentioned in the other three choices. Background checks include contacting
previous employers, verifying education with schools, and contacting friends an
d neighbors. However, for consultants and other non-employees, security clearanc
e cheeks (e.g., police, court, and criminal records) are made when they handle s
ensitive information at work.
54. For risk mitigation strategies, which of the following is not a proper actio
n to take when there is a likelihood that a vulnerability can be exploited?
a.
b.
c.
d.
54. a. Assurance is the grounds for confidence that the set of intended security
controls in an information system are effective in their application. Assurance
techniques include trustworthiness and predictable execution, which may not be
effective or timely.
The other three choices reflect proper actions to take when there is likelihood
55. c. Implementing the selected controls is the first step in the control imple
mentation approach. The other three choices precede the implementation of the se
lected controls. The risk remaining after the implementation of new or enhanced
security controls is the residual risk.
56. As part of security control assessment, which of the following must be in p
lace prior to the start of penetration testing work by outsiders?
a.
b.
c.
d.
Rules
Rules
Rules
Rules
of
of
of
of
behavior
negotiation
engagement
employment
56. c. Detailed rules of engagement must be agreed upon by all parties before th
e commencement of any penetration testing scenario by outsiders. These rules of
engagement contain tools, techniques, and procedures that are anticipated to be
used by threat-sources in carrying out attacks.
Rules of behavior and rules of employment apply to internal employees. Rules of
negotiation apply to both insiders and outsiders as a matter of work ethics.
57. Which of the following is not an example of supporting technical security co
ntrols used in mitigating risk?
a.
b.
c.
d.
Identification
Authentication
Cryptographic key management
Security administration
57. b. From a risk mitigation viewpoint, technical security controls are divided
into two categories: supporting controls and other controls (i.e., prevention,
detection, and recovery controls). This means supporting controls must be in pla
ce to implement other controls. Authentication is an example of preventive techn
ical controls.
The other three choices (i.e., identification, cryptographic key management, and
security administration) are examples of supporting technical security controls
.
58. Which of the following is not an example of system protections?
a.
b.
c.
d.
Least privilege
Process separation
Authorization
Object reuse
c. Function-by-function
d. System-by-system
59. d. Typically, components, subsystems, and functions are highly interrelated,
making separation by trustworthiness problematic with unpredictable results. He
nce, system-by-system trustworthiness is best because it is wholesome and inclus
ive of system components, subsystems, and functions.
60. Which of the following is an example of detective (detection) personnel sec
urity controls?
a.
b.
c.
d.
Separation of duties
Least privilege
User computer access registration
Rotation of duties
61. a. Conducting periodic review of security controls to ensure that the contro
ls are effective is an example of detection management security controls. The ot
her three choices are examples of preventive management security controls.
62. Which of the following characterizes information domains?
1.
2.
3.
4.
Partitioning information
Access control needs
Levels of protection required
Classifying information
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
62. d. The partitioning of information according to access control needs and lev
els of protection required yields categories of information. These categories ar
e often called information domains. Classifying information as secret, top-secre
t, and sensitive is also called information domains where information is compart
mentalized.
63. A failure of common security controls can increase which of the following?
a.
b.
c.
d.
System-specific risks
Site-specific risks
Subsystem-specific risks
Organization-wide risks
64. Which of the following is the first step in the risk management process?
a.
b.
c.
d.
System functionality
System design
Information system owner
System authorizing official
a.
b.
c.
d.
1 and
3 and
1, 2,
1, 2,
2
4
and 3
3, and 4
Purpose
Scope
Compliance
Responsibilities
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
ng?
1.
2.
3.
4.
Sharing information
Installing technical controls
Controlling virus infections
Administering day-to-day computer security
a.
b.
c.
d.
1
1
2
2
and
and
and
and
2
3
3
4
68. b. Organizations can develop expertise centrally and then share it, reducing
the need to contract out repeatedly for similar services. The central computer
security program can help facilitate information sharing. Similarly, controlling
virus infections from central location is efficient and economical. Options 2 a
nd 4 are examples of benefits of a system-level computer security program.
69. Which of the following are essential to improving IT security performance t
hrough metrics?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Risk assessment
Information flow enforcement
Access enforcement
Account management
70. a. An organization employs the concept of least privilege primarily for spec
ific duties and information systems, including specific ports, protocols, and se
rvices in accordance with risk assessments as necessary to adequately mitigate r
isk to the organizations operations, assets, and individuals. The other three cho
ices are specific components of access controls.
71. Results-based training does not focus on which of the following?
a.
b.
c.
d.
71. c. The results-based training focuses on job functions or roles and responsi
bilities, not job titles, and recognizes that individuals have unique background
s, and therefore, different levels of understanding.
72. Which of the following are essential to reach a higher rate of success in p
rotecting information?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
To
To
To
To
pinpoint problems
scope resources for remediation
track ownership of data
improve information security
74. a. If the residual risk has not been reduced to an acceptable level, the inf
ormation security manager must repeat the risk management cycle to identify a wa
y of lowering the residual risk to an acceptable level. The other three choices
are not strong enough actions to reduce the residual risk to an acceptable level
.
75. The level of protection for an IT system is determined by an evaluation of
which of the following elements?
1.
2.
3.
4.
Availability
Integrity
Sensitivity
Criticality
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
75. c. All IT systems and applications require some level of protection to ensur
e confidentiality, integrity, and availability, which is determined by an evalua
tion of the sensitivity and criticality of the information processed, the relati
on of the system to the organization mission, and the economic value of the syst
em components. Sensitivity and criticality are a part of the confidentiality goa
l.
76. Which of the following IT metrics types measure the results of security ser
vices delivery?
1.
2.
3.
4.
Implementation metrics
Effectiveness metrics
Efficiency metrics
Impact metrics
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
Security
Security
Security
Security
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
functionality
categorization
certification
assurance
2
4
4
3, and 4
Chain-of-custody
Chain-of-command
Chain-of-documents
Chain-of-trust
79. d. The external information system services documentation must include the s
ervice provider security role, end user security role, signed contract, memorand
um of agreement before the signed contract, and service-level agreement (most im
portant). The service-level agreement (SLA) defines the expectations of performa
nce for each required security control, describes measurable outcomes, and ident
ifies remedies and response requirements for any identified instance of noncompl
iance.
80. The results of information-security program assessment reviews can be used
to do which of the following?
1.
2.
3.
4.
To
To
To
To
support
support
prepare
improve
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
the
the
for
the
2
3
4
3, and 4
81. a. The rules of behavior should not be a complete copy of the security polic
y or procedures guide, but rather cover controls at a high level. Examples of co
ntrols contained in rules of behavior include controls for working at home and c
ontrols for dial-in access, use of copyrighted work, password usage, connections
to the Internet, searching databases, and divulging information. The security p
olicy may contain an acceptable use policy.
82. Which of the following represents the best definition and equation for a co
mprehensive and generic risk model?
a.
b.
c.
d.
Breach
Attack
Threat
Attack
x
+
x
+
Threat x Vulnerability
Threat + Impact
Vulnerability x Impact
Vulnerability + Impact
82. c. Risk is the potential for an unwanted outcome resulting from internal or
external factors, as determined from the likelihood of occurrence and the associ
ated consequences. In other words, risk is the product of interactions among thr
eats, vulnerabilities, and impacts. Threats deal with events and actions with po
tential to harm, vulnerabilities are weaknesses, and impacts are consequences.
The other three choices are incorrect because they do not have the required comp
onents in the correct equation for the risk.
83. Which of the following has been determined to be a reasonable level of risk
?
a.
b.
c.
d.
Minimum risk
Acceptable risk
Residual risk
Total risk
83. b. Acceptable risk is the level of residual risk that has been determined to
be a reasonable level of potential loss or disruption for a specific computer s
ystem.
Minimum risk is incorrect because it is the reduction in the total risk that res
ults from the impact of in-place safeguards or controls. Residual risk is incorr
ect because it results from the occurrence of an adverse event after adjusting f
or the impact of all safeguards in-place. Total risk is incorrect because it is
the potential for the occurrence of an adverse event if no mitigating action is
taken (i.e., the potential for any applicable threat to exploit system vulnerabi
lity).
84. When a contractor representing an organization uses an internal system to c
onnect with an external organizations system for data exchange, the contractor sh
ould comply with which of the following agreed-upon trust relationships?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
3 only
2 and 4
1, 2, 3, and 4
86. d. Two loss categories are usually identified, including (i) losses caused b
y threats with reasonably predictable occurrence rates, referred to as expected
losses expressed as dollars per year and are computed as the product of occurren
ce rate, loss potential, and vulnerability factor, and (ii) losses caused by thr
eats with a very low rate of occurrence (low-probability) that is difficult to e
stimate but the threat would cause a very high loss if it were to occur (high-co
nsequence risk), referred to as a single occurrence loss and is expressed as the
product of loss potential, vulnerability factor, and asset value. A catastrophi
c loss is referred to as a loss greater than its equity. An actual loss is the a
mount of assets or lives lost. Both catastrophic loss and actual loss do not ent
er into risk assessment because they are not estimable.
87. From a security accountability viewpoint, which of the following pose a sec
urity risk?
a.
b.
c.
d.
88. d. The safest and first thing to do is to (i) disable computer access immedi
ately, which should be a standard procedure, (ii) conduct an exit interview, and
(iii) take possession of access keys and cards. The employee can be sent to a c
areer counselor afterward (last thing).
89. Which of the following statements is true about data classification and app
lication categorization for sensitivity?
a. Data classification and application categorization is the same.
b. There are clear-cut views on data classification and application categorizati
on.
c. Data classification and application categorization must be organization-speci
fic.
d. It is easy to use simple data classification and application categorization s
chemes.
89. c. No two organizations are the same, and it is especially true in cross-ind
ustries. For example, what works for a governmental organization may not work fo
r a commercial organization. An example of data classification is critically sen
sitive, highly sensitive, sensitive, and nonsensitive.
90. What is the least effective technique for continually educating users in inf
ormation systems security?
a.
b.
c.
d.
a.
b.
c.
d.
1 only
3 only
4 only
1, 2, 3, and 4
91. d. Trustworthy information systems are those systems capable of being truste
d to operate within defined levels of risk despite the environmental disruptions
, human errors, and purposeful attacks expected to occur in the specified enviro
nments of operation.
92. Which of the following combinations of conditions can put the IT assets at
the most risk of loss?
a.
b.
c.
d.
System
System
System
System
interconnectivity
interconnectivity
interconnectivity
interconnectivity
and
and
and
and
92. a. Poor security management does not proactively and systematically assess r
isks, monitor the effectiveness of security controls, and respond to identified
problems. This situation can become much weaker with interconnected systems wher
e the risk is the greatest. The other three choices are the result of poor secur
ity management.
93. An IT security training program is a part of which of the following control
categories?
a.
b.
c.
d.
Application controls
General controls
Administrative controls
Technical controls
a.
b.
c.
d.
Verbal warning
Dismissal
Legal action
Written warning
94. c. When an insider violates security policy, the first step is a verbal warn
ing, followed by a written warning, dismissal, and the final step of legal actio
n.
95. Which of the following is referred to when data is transferred from high ne
twork users to low network users?
a.
b.
c.
d.
Data
Data
Data
Data
downgrade
regrade
upgrade
release
95. b. Data regrade is the term used when data is transferred from high network
users to low network users and from low network users to high network users.
Data downgrade is the change of a classification label to a lower label without
the changing the contents of the data. Data upgrade is the change of a classific
ation label to a higher label without the changing the contents of the data. Dat
a release is the process of returning all unused disk space to the system when a
dataset is closed at the end of processing.
96. Which of the following must be done first to protect computer systems?
a.
b.
c.
d.
Battling
Fighting
Reducing
Catching
information abusers
hackers
vulnerabilities
crackers
96. c. Reducing vulnerabilities decreases potential exposures and risks. The oth
er three choices follow the vulnerabilities.
97. Which of the following are major benefits of security awareness, training,
and education programs accruing to an organization?
a.
b.
c.
d.
Reducing fraud
Reducing unauthorized actions
Improving employee behavior
Reducing errors and omissions
97. c. Making computer system users aware of their security responsibilities and
teaching them correct practices help users change their behavior. It also suppo
rts individual accountability, which is one of the most important ways to improv
e computer security. Without knowing the necessary security measures and knowing
how to use them, users cannot be truly accountable for their actions. The other
three choices are examples of major purposes of security awareness.
98. In developing a data security program for an organization, who should be re
sponsible for defining security levels and access profiles for each data element
stored in the computer system?
a.
b.
c.
d.
Database administrator
Systems programmer
Data owner
Applications programmer
98. c. Usually, the data owner defines security levels such as confidential or h
ighly confidential and access profiles defining who can do what, such as add, ch
ange, or delete the data elements. It is the data owner who paid or sponsored th
e system for his department.
99. d. The data collection effort during the IT security metrics development pro
cess must be as nonintrusive as possible and of maximum usefulness to ensure tha
t available resources are primarily used to correct problems, not simply to coll
ect data for the sake of collecting. The collection of valid data is more import
ant than collecting more data.
100. System or network administrators will be interested in which of the follow
ing IT security metrics?
a.
b.
c.
d.
Implementation
Effectiveness
Efficiency
Impact
Due
Due
Due
Due
care
care
care
care
and
and
and
and
due
due
due
due
permissions
rights
diligence
privileges
101. c. The prudent man concept is related to due care and due diligence. Due ca
re is maintaining reasonable care, whereas due diligence requires organizations
to be vigilant and diligent. Good housekeeping in a data center is an example of
due diligence. The prudent man concept states that reasonable people always act
reasonably under the same conditions. Because people are infallible, courts and
law require that people use reasonable care all the time.
Courts will find computer owners responsible for their insecure systems. Courts
will not find liability every time a computer is hijacked. Rather, courts expect
organizations to become reasonably prudent computer owners taking due care (rea
sonable care) to ensure adequate security. Due care means having the right polic
ies and procedures, access controls, firewalls, and other reasonable security me
asures in place. Computer owners need not take super care, great care, or extrao
rdinary care.
102. What is the purpose of a system security plan?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
1 and 2
4 only
1, 2, 3, and 4
a.
b.
c.
d.
2 only
3 only
4 only
1, 2, 3, and 4
System
System
System
System
security
security
security
security
plan
plan
plan
plan
be
be
be
be
developed
analyzed
updated
accepted
104. a. Procedures should be in place outlining who reviews the security plan, k
eeps the plan current, and follows up on planned security controls. In addition,
procedures should require that system security plans be developed and reviewed
prior to proceeding with the security certification and accreditation process fo
r the system.
105. Which of the following individuals establishes the rules for appropriate u
se and protection of a systems data and information?
a.
b.
c.
d.
105. d. The information owner is responsible for establishing the rules for appr
opriate uses and protection of a systems data and information. He establishes con
Rules-of-behavior
Rules-of-access
Rules-of-use
Rules-of-information
Assessment of risk
Specific threat information
Cost-benefit analyses
Availability of compensating controls
a.
b.
c.
d.
1 only
1 and 2
1, 2, and 3
1, 2, 3, and 4
Technology-related considerations
Physical infrastructure-related considerations
Scalability-related considerations
Public accessrelated considerations
108. c. Scoping guidance provides an organization with specific terms and condit
ions on the applicability and implementation of individual security controls.
Scalability-related consideration addresses the breadth and depth of security co
ntrol implementation. Technology-related considerations deal with specific techn
ologies such as wireless, cryptography, and public key infrastructure. Physical
infrastructure-related considerations include locks and guards, and environmenta
l controls for temperature, humidity, lighting, fire, and power. Public access-r
elated considerations address whether identification and authentication, and per
sonnel security controls, are applicable to public access.
109. The major reason for using compensating security controls for an informati
on system is in lieu of which of the following?
a.
b.
c.
d.
Prescribed controls
Management controls
Operational controls
Technical controls
Access controls
Contingency planning controls
Incident response controls
Physical security controls
110. a. Access control, along with identification and authentication and audit a
nd accountability, is a part of technical control. Contingency planning controls
are incorrect because they are a part of operational controls. Incident respons
e controls are incorrect because they are a part of operational controls. Physic
al security controls are incorrect because they are a part of operational contro
ls.
111. The process of selecting the appropriate security controls and applying th
e system security scoping guidance is to achieve which of the following?
a.
b.
c.
d.
Reasonable security
Adequate security
Normal security
Advanced security
111. b. Adequate security is defined as security commensurate with the risk and
the magnitude of harm resulting from the loss, misuse, or unauthorized access to
or modification of information. The process of selecting the appropriate securi
ty controls and applying the scoping guidelines to achieve adequate security is
a multifaceted, risk-based activity involving management and operational personn
el within the organization. Note that the adequate security is more than the rea
sonable security and the normal security and less than the advanced security.
112. Which of the following is not an example of a common security control?
a.
b.
c.
d.
Access control
Management control
Operational control
Hybrid control
112. a. Security controls not designated as common controls are considered syste
m-specific controls and are the responsibility of the information system owner.
For example, access control is a part of technical control and is a system-speci
fic control. Many of the management and operational controls needed to protect a
n information system may be excellent candidates for common security control sta
tus. Common security controls reduce security costs when they are centrally mana
ged in terms of development, implementation, and assessment. Hybrid controls con
tain both common and system-specific controls.
113. Which of the following determines the adequacy of security in a software p
roduct?
1. How a product is tested?
2. How a product is evaluated?
3. How a product is applied related to other systems?
1 only
2 only
3 and 4
1, 2, 3, and 4
113. c. The way in which a software product is developed, integrated, and applie
d to other system components affects the adequacy of its security.
Even when a product successfully completes a formal security evaluation, it may
contain vulnerabilities (e.g., buffer overflow problems). Using a tested and eva
luated software product does not necessarily ensure a secure and adequate operat
ional environment.
114. Which of the following items is not a replacement for the other three items
?
a.
b.
c.
d.
114. b. Although conducted periodically, formal audits are useful, but are not a
replacement for day-to-day management of the security status of a system. Enabl
ing system logs and reviewing their contents manually or through automated repor
t summaries can sometimes be the best means of uncovering unauthorized behavior
of people and systems and detecting security problems. The critical point here i
s that day-to-day management is more timely and effective than periodic audits,
which could be too late.
115. Minimal functionality in an application system relates to which of the fol
lowing security principles?
a.
b.
c.
d.
Security
Security
Security
Security
116. d. Potential risks include all possible and probable risks. Countermeasures
cover some, but not all risks. Therefore, the residual risk is potential risks
minus covered risks.
117. Which of the following is the correct equation in risk management?
a. Risk management = Risk research + Risk analysis + Risk evaluation
It
It
It
It
can
can
can
can
be
be
be
be
either
either
either
either
assigned or accepted.
identified or evaluated.
reduced or calculated.
exposed or assessed.
118. a. Residual risk is the remaining risk after countermeasures (controls) cov
er the risk population. The residual risk is either assigned to a third party (e
.g., insurance company) or accepted by management as part of doing business. It
may not be cost-effective to further reduce residual risk.
119. Which of the following is not part of risk analysis?
a.
b.
c.
d.
Assets
Threats
Vulnerabilities
Countermeasures
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
120. a. Unacceptable risk is a situation where an attackers cost is less than gai
n and where loss anticipated by an organization is greater than its threshold le
vel. The organizations goals should be to increase an attackers cost and to reduce
an organizations loss.
121. Security safeguards and controls cannot do which of the following?
a.
b.
c.
d.
Risk
Risk
Risk
Risk
reduction
avoidance
transfer
analysis
121. d. Risk analysis identifies the risks to system security and determines the
probability of occurrence, the resulting impact, and the additional safeguards
that mitigate this impact. Risk analysis is a management exercise performed befo
re deciding on specific safeguards and controls. The other three choices are a p
art of risk mitigation, which results from applying the selected safeguards and
controls. Risk avoidance includes risk reduction and risk transfer is assigning
risk to a third party.
122. Selection and implementation of security controls refer to which of the fo
llowing?
a.
b.
c.
d.
Risk
Risk
Risk
Risk
analysis
mitigation
assessment
management
Risk
Risk
Risk
Risk
detection
prevention
tolerance
correction
Technological level
Acceptable level
Affordable level
Measurable level
124. b. Often, losses cannot be measured in monetary terms alone, such as loss o
f customer confidence and loyalty. Risk should be handled at an acceptable level
for an organization. Both affordable and technological levels vary with the typ
e of organization (e.g., small, medium, or large size and technology dependent o
r not).
125. In terms of information systems security, a risk is defined as which of th
e following combinations?
a.
b.
c.
d.
Attack
Threat
Threat
Threat
plus
plus
plus
plus
vulnerability
attack
vulnerability
breach
Risk
Risk
Risk
Risk
analysis data
assessment
mitigation
methodology
126. a. Risk management must often rely on speculation, best guesses, incomplete
data, and many unproven assumptions. The risk-based data are another source of
uncertainty and are an example of a secondary activity. Data for risk analysis n
ormally come from two sources: statistical data and expert analysis. Both have s
hortcomings; for example, the sample may be too small, or expert analysis may be
subjective based on assumptions made.
Risk assessment, the process of analyzing and interpreting risk, is composed of
three basic activities: (i) determining the assessments scope and methodology, (i
i) collecting and synthesizing data, and (iii) interpreting the risk. A risk ass
essment methodology should be a relatively simple process that could be adapted
to various organizational units and involves a mix of individuals with knowledge
of the business operations and technical aspects of the organizations systems an
d security controls.
Risk mitigation involves the selection and implementation of cost-effective secu
rity controls to reduce risk to a level acceptable to management, within applica
ble constraints. Risk methodology is a part of risk assessment. It can be formal
or informal, detailed or simplified, high or low level, quantitative (computati
onally based) or qualitative (based on descriptions or rankings), or a combinati
on of these. No single method is best for all users and all environments. The ot
her three choices are examples of primary activities.
127. From a risk management viewpoint, which of the following options is not acc
eptable?
a.
b.
c.
d.
127. d. Deferring risk means either ignoring the risk at hand or postponing the is
sue until further consideration. If the decision to defer the risk is a calculat
ed one, it is hoped that management had the necessary data.
Accept the risk is satisfactory when the exposure is small and the protection cost
is high. Assign the risk is used when it costs less to assign the risk to someone
else than to directly protect against it. Avoid the risk means placing necessary
measures so that a security incident will not occur at all or so that a security
event becomes less likely or costly.
128. What is an attacker repeatedly using multiple different attack vectors rep
eatedly to generate opportunities called?
a.
b.
c.
d.
Adverse action
Advanced threat
Threat agent
Threat source
Risk
Risk
Risk
Risk
acceptance
assignment
reduction
containment
Impact
Impact
Impact
Impact
130. a. Quantitative means of expressing both potential impact and estimated fre
quency of occurrence are necessary to perform a risk analysis. The essential ele
ments of a risk analysis are an assessment of the damage that can be caused by a
n unfavorable event and an estimate of how often such an event may happen in a p
eriod of time. Because the exact impact and frequency cannot be specified accura
tely, it is only possible to approximate the loss with an annual loss exposure,
which is the product of the estimated impact in dollars and the estimated freque
ncy of occurrence per year. The product of the impact and the frequency of occur
rence would be the statement of loss.
131. A risk analysis provides management of all the following except:
a.
b.
c.
d.
131. c. A risk analysis provides senior management with information to base deci
sions on, such as whether it is best to accept or prevent the occurrence of a ha
rmful event, to reduce the impact of such occurrences, or to simply recognize th
at a potential for loss exists.
The risk analysis should help managers compare the cost of the probable conseque
nces to the cost of effective safeguards. Ranking critical applications comes af
ter the risk analysis is completed. Critical applications are those without whic
h the organization could not function. Proper attention should be given to ensur
e that critical applications and software are sufficiently protected against los
s.
132. Which of the following methods for handling risk involves a third party?
a.
b.
c.
d.
Accepting risk
Eliminating risk
Reducing risk
Transferring risk
133. b. The Delphi method uses a group decision-making technique. The rationale
for using this technique is that it is sometimes difficult to get a consensus on
the cost or loss value and the probabilities of loss occurrence. Group members
do not meet face-to-face. Rather, each group member independently and anonymousl
y writes down suggestions and submits comments that are then centrally compiled.
This process of centrally compiling the results and comments is repeated until
full consensus is obtained.
Risk assessment audits are incorrect because these audits do not provide the sam
e consensus as the one reached by a group of experts in the Delphi method. Usual
ly, one or two individuals perform audits, not groups. Expert systems are incorr
ect because they are computer-based systems developed with the knowledge of huma
n experts. These systems do not reach a consensus as a group of people. Scenario
-based threats are incorrect because possible threats are identified based on sc
enarios by a group of people. However, this system does not have the same consen
sus reached as in the Delphi method. The process of submitting results and comme
nts makes the Delphi method more useful than the other methods.
134. The costs and benefits of security techniques should be measured in moneta
ry terms where possible. Which of the following is the most effective means to m
easure the cost of addressing relatively frequent threats?
a.
b.
c.
d.
Single-occurrence losses
Annualized loss expectancy
Fatal losses
Catastrophic losses
134. b. The annualized loss expectancy (ALE) is the estimated loss expressed in
monetary terms at an annual rate, for example, dollars per year. The ALE for a g
iven threat with respect to a given function or asset is equal to the product of
the estimates of occurrence rate, loss potential, and vulnerability factor.
Single-occurrence loss (SOL) is incorrect because it is the loss expected to res
ult from a single occurrence of a threat. It is determined for a given threat by
first calculating the product of the loss potential and vulnerability factor fo
r each function and asset for the threat being analyzed. Then the products are s
ummed to generate the SOL for the threat. Because the SOL does not depend on an
estimate of the threats occurrence rate, it is particularly useful for evaluating
rare but damaging threats. If a threats SOL estimate is unacceptably high; it is
prudent risk management to take security actions to reduce the SOL to an accept
able level.
Both fatal losses and catastrophic losses are big and rare. Fatal losses involve
loss of human life, and catastrophic loss incurs great financial loss. In short
, the ALE is useful for addressing relatively frequent threats, whereas SOL and
fatal or catastrophic losses address rare threats.
135. Surveys and statistics indicate that the greatest threat to any computer s
ystem is:
a. Untrained or negligent users
b. Vendors and contractors
c. Hackers and crackers
d. Employees
135. d. Employees of all categories are the greatest threat to any computer syst
em because they are trusted the most. They have access to the computer system, t
hey know the physical layout of the area, and they could misuse the power and au
thority. Most trusted employees have an opportunity to perpetrate fraud if the c
ontrols in the system are weak. The consequence of untrained or negligent users
is the creation of errors and other minor inconveniences.
Although vendors and contractors are a threat, they are not as great a threat as
employees are. With proper security controls, threats arising from hackers and
crackers can be minimized, if not completely eliminated. Hackers and crackers ar
e the same, and they access computer systems for fun and/or damage.
136. Risk management consists of risk assessment and risk mitigation. Which of t
he following is not an element of risk mitigation?
a.
b.
c.
d.
Measuring risk
Selecting appropriate safeguards
Implementing and test safeguards
Accepting residual risk
136. a. The term risk management is commonly used to define the process of deter
mining risk, applying controls to reduce the risk, and then determining if the r
esidual risk is acceptable. Risk management supports two goals: measuring risk (
risk assessment) and selecting appropriate controls that can reduce risk to an a
cceptable level (risk mitigation). Therefore, measuring risk is part of risk ass
essment.
The other three choices are incorrect because they are elements of risk mitigati
on. Risk mitigation involves three steps: determining those areas where risk is
unacceptable; selecting effective safeguards and evaluating the controls; and de
termining if the residual risk is acceptable.
137. The value of information is measured by its:
a.
b.
c.
d.
Negative
Value to
Value to
Value of
value
the owner
others
immediate access
137. c. The value of information is measured by what others want from the owner.
Negative value comes into play when there is a safety, security, or quality pro
blem with a product. For example, the negative value of a product affects custom
ers, manufacturers, vendors, and hackers, where the latter party can exploit an
unsafe or unsecure product. Value of immediate access is situational and persona
l.
138. Risk is the possibility of something adverse happening to an organization.
Which of the following steps is the most difficult one to accomplish in a risk
management process?
a.
b.
c.
d.
Risk
Risk
Risk
Risk
profile
assessment
mitigation
maintenance
138. b. Risk management is the process of assessing risk, taking steps to reduce
risk to an acceptable level, and maintaining that level of risk. Risk managemen
t includes two primary and one underlying activities. Risk assessment and risk m
itigation are the primary activities, and uncertainty analysis is the underlying
one.
Risk assessment, the process of analyzing and interpreting risk, is composed of
three basic activities: (i) determining the assessments scope and methodology, (i
i) collecting and synthesizing data, and (iii) interpreting the risk. A risk ass
essment can focus on many different areas of controls (including management, tec
hnical, and operational). These controls can designed into a new application and
incorporated into all areas of an organizations functions and operations (includ
ing telecommunication data centers, and business units). Because of the nature o
f the scope and the extent of risk assessment, it is the most difficult one to a
ccomplish.
Risk profile and risk maintenance are not the most difficult to accomplish becau
se they are the by-products of the risk assessment process. Risk profile for a c
omputer system or facility involves identifying threats and developing controls
and policies in order to manage risks.
Risk mitigation involves the selection and implementation of cost-effective secu
rity controls to reduce risk to a level acceptable to management, within applica
ble constraints. Again, risk mitigation comes after the completion of the risk a
ssessment process.
139. The focus of risk management is that risk must be:
a.
b.
c.
d.
Eliminated
Prevented
Avoided
Managed
Known-unknown
Unknown-unknown
Known-known
Unknown-known
Policies
Procedures
Standards
Guidelines
Unclassified
Unclassified but sensitive
Secret
Confidential
Customer lists
Supplier names
Technical specifications
Employee names
r advantage to the owner or his business. Trade secrets can include technical in
formation and customer and supplier lists. Employee names do not come under the
trade secret category because they are somewhat public information, requiring pr
otection from recruiters.
144. Which of the following covers system-specific policies and procedures?
a.
b.
c.
d.
Technical controls
Operational controls
Management controls
Development controls
144. c. Management controls are actions taken to manage the development, mainten
ance, and use of the system, including system-specific policies, procedures, and
rules of behavior, individual roles and responsibilities, individual accountabi
lity, and personnel security decisions.
Technical controls include hardware and software controls used to provide automa
ted protection to the computer system or applications. Technical controls operat
e within the technical systems and applications.
Operational controls are the day-to-day procedures and mechanisms used to protec
t operational systems and applications. Operational controls affect the system a
nd application environment.
Development controls include the process of assuring that adequate controls are
considered, evaluated, selected, designed, and built into the system during its
early planning and development stages, and that an ongoing process is establishe
d to ensure continued operation at an acceptable level of risk during the instal
lation, implementation, and operation stages.
145. Organizational electronic-mail policy is an example of which of the follow
ing?
a.
b.
c.
d.
Advisory policy
Regulatory policy
Specific policy
Informative policy
145. c. Advisory, regulatory, and informative policies are broad in nature and c
over many topics and areas of interest. E-mail policy is an example of specific
policy dealing with communication between and among individuals.
146. What should be done when an employee leaves an organization?
a.
b.
c.
d.
Review
Review
Review
Review
of
of
of
of
Accuracy
Authenticity
Completeness
Timeliness
a.
b.
c.
d.
Nonrepudiation
Secrecy
Privacy
Sensitivity
Confidentiality
Integrity
Availability
Accountability
149. c. Availability is for intended uses only and not for any other uses. Anoth
er definition of availability is ensuring timely and reliable access to and use
of system-related information by authorized entities. Confidentiality (C), integ
rity (I), and availability (A) are security goals and are often called the CIA t
riad. Confidentiality is preserving authorized restrictions on information acces
s and disclosure. Integrity is the property that protected and sensitive data ha
s not been modified or deleted in an unauthorized and undetected manner. Account
ability is tracing actions of an entity uniquely to that entity.
150. The advanced encryption standard (AES) is useful for securing which of the
following?
a.
b.
c.
d.
Private
Public
For internal use only
Secret
151. d. The data classification terms such as secret and top secret are mostly u
sed by government. The terms used in the other choices usually belong to busines
s data classification scheme.
152. Data containing trade secrets is an example of which of the following data
classification schemes?
a.
b.
c.
d.
Classified
Unclassified
Unclassified but sensitive
Confidential
Policy
Procedure
Standard
Guideline
Low-impact system
Moderate-impact system
High-impact system
No-impact system
Software/hardware guards
Automated processing
Automated blocking
Automated filtering
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
Certification
Education
Awareness
Training
156. c. Awareness, training, and education are important processes for helping s
taff members carry out their roles and responsibilities for information technolo
gy security, but they are not the same. Awareness programs are a prerequisite to
IT security training. Training is more formal and more active than awareness ac
tivities and is directed toward building knowledge and skills to facilitate job
performance.
Education integrates all the security skills and competencies of the various fun
ctional specialists and adds a multidisciplinary study of concepts, issues, and
principles. Normally, organizations seldom require evidence of qualification or
certification as a condition of appointment.
157. When developing information systems security policies, organizations shoul
d pay particular attention to which of the following?
a.
b.
c.
d.
User
User
User
User
education
awareness
behavior
training
159. b. Business managers (functional managers) should bear the primary responsi
bility for determining the level of protection needed for information systems re
sources that support business operations. Therefore, business managers should be
held accountable for managing the information security risks associated with th
eir operations, much as they would for any other type of business risk. Both the
information systems security analysts and managers can assist the business mana
ger, whereas the systems auditor can evaluate the level of protection available
in an information system.
The level of protection starts at the chief executive officer (CEO) level. This
means having a policy on managing threats, responsibilities, and obligations, wh
ich will be reflected in employee conduct, ethics, and procurement policies and
practices. Information security must be fully integrated into all relevant organ
izational policies, which can occur only when security consciousness exists at a
ll levels.
160. Which of the following is a better method to ensure that information syste
ms security issues have received appropriate attention by senior management of a
n organization?
a.
b.
c.
d.
Establish
Establish
Establish
Establish
a
a
a
a
technical-level committee
policy-level committee
control-level committee
senior-level committee
161. b. The two key characteristics that a security central group should include
(i) clearly defined information security responsibilities and (ii) dedicated st
aff resources to carry out these responsibilities.
162. To ensure that information systems security policies serve as the foundati
on of information systems security programs, organizations should link:
a.
b.
c.
d.
Policies
Policies
Policies
Policies
to
to
to
to
standards
business risks
procedures
controls
Low-impact
Moderate-impact
Potential impact
High-impact
164. c. Potential impact considers all three levels of impact such as (i) a limi
ted adverse effect representing a low impact, (ii) a serious adverse effect repr
Lack
Lack
Lack
Lack
of
of
of
of
awareness
a policy
a procedure
enforcement
165. d. If employees see that management is not serious about security policy en
forcement, they will not pay attention to security, thus minimizing its effectiv
eness. In addition to the lack of enforcement, inconsistent enforcement is a pro
blem.
166. Sensitivity criteria for a computer-based information system are not define
d in terms of which of the following?
a.
b.
c.
d.
The
The
The
The
166. b. Sensitivity criteria are largely defined in terms of the value of having
, or the cost of not having, an application system or needed information.
167. What is the first thing to do upon unfriendly termination of an employee?
a.
b.
c.
d.
167. c. Whether the termination is friendly or unfriendly, the best security pra
ctice is to disable the system access quickly, including login to systems. Out-p
rocessing often involves a sign-out form initialed by each functional manager wi
th an interest in the separation of the employee. The sign-out form is a type of
checklist. Sending the employee to the accounting and human resource department
s may be done later.
168. Which of the following have similar structures and complementary objective
s?
a.
b.
c.
d.
168. a. Training makes people learn new things and be aware of new issues and pr
ocedures. They have similar objectivesthat is, to learn a new skill or knowledge.
Hence, they complement each other.
A hacker is a person who attempts to compromise the security of an IT system, es
pecially whose intention is to cause disruption or obtain unauthorized access to
data. On the other hand, a user has the opposite objective, to use the system t
o fulfill his job duties. Hence, they conflict with each other.
Compliance means following the standards, rules, or regulations with no deviatio
ns allowed. On the other hand, common sense tells people to deviate when conditi
ons are not practical. Hence, they conflict with each other.
Need-to-know means a need for access to information to do a job. Threats are act
ions or events that, if realized, can result in waste, fraud, abuse, or disrupti
on of operations. Hence, they conflict with each other.
169. Establishing a data ownership program should be the responsibility of:
a.
b.
c.
d.
Functional users
Internal auditors
Data processors
External auditors
169. a. Functional users (business users) own the data in computer systems. Ther
efore, they have an undivided interest and responsibility in establishing a data
ownership program.
Internal/external auditors are incorrect because they have no responsibility in
establishing a data ownership program even though they recommend one. Data proce
ssors are incorrect because they are custodians of the users data.
170. When can the effectiveness of an information systems security policy be co
mpromised?
a.
b.
c.
d.
When
When
When
When
a policy is published
a policy is reexamined
a policy is tested
policy enforcement is predictable
170. d. Information systems security policies should be made public, but the act
ual enforcement procedures should be kept private. This is to prevent policies f
rom being compromised when enforcement is predictable. The surprise element make
s unpredictable enforcements more effective than predictable ones. Policies shou
ld be published so that all affected parties are informed. Policies should be ro
utinely reexamined for their workability. Policies should be tested to ensure th
e accuracy of assumptions.
171. There are many different ways to identify individuals or groups who need sp
ecialized or advanced training. Which of the following methods is least importan
t to consider when planning for such training?
a.
b.
c.
d.
Job categories
Job functions
Specific systems
Specific vendors
The
The
The
The
objective
objective
objective
objective
must
must
must
must
be
be
be
be
specific.
clear.
achievable.
well defined.
172. c. The first step in the management process is to define information system
s security objectives for the specific system. A security objective needs to be
more specific; it should be concrete and well defined. It also should be stated
so that it is clear and achievable. An example of an information systems securit
y objective is one in which only individuals in the accounting and personnel dep
artments are authorized to provide or modify information used in payroll process
ing. What good is a security objective if it is not achievable although it is sp
ecific, clear, and well defined?
173. In which of the following planning techniques are the information needs of
the organization defined?
a.
b.
c.
d.
Strategic planning
Tactical planning
Operational planning
Information systems planning
173. d. Four types of planning help organizations identify and manage IT resourc
es: strategic, tactical, operational, and information systems planning. IS plann
ing is a special planning structure designed to focus organizational computing r
esource plans on its business needs. IS planning provides a three-phased structu
red approach for an organization to systematically define, develop, and implemen
t all aspects of its near- and long-term information needs.
Strategic planning defines the organizations mission, goals, and objectives. It a
lso identifies the major computing resource activities the organization will und
ertake to accomplish these plans.
Tactical planning identifies schedules, manages, and controls the tasks necessar
y to accomplish individual computing resource activities, using a shorter planni
ng horizon than strategic planning. It involves planning projects, acquisitions,
and staffing.
Operational planning integrates tactical plans and support activities and define
s the short-term tasks that must be accomplished to achieve the desired results.
174. Which of the following is a somewhat stable document?
a.
b.
c.
d.
Information
Information
Information
Information
technology
technology
technology
technology
strategic plan
operational plan
security plan
training plan
174. a. The IT strategic plan sets the broad direction and goals for managing in
formation within the organization and supporting the delivery of services to cus
tomers. It should be derived from and relate to the organizations strategic plan.
The plan typically contains an IT mission statement, a vision describing the ta
rget IT environment of the future, an assessment of the current environment, and
broad strategies for moving into the future. The IT strategic plan is a somewha
t stable document. It does not require annual updates. However, an organization
should periodically review and update the IT strategic plan as necessary to refl
ect significant changes in the IT mission or direction. The strategies presented
in the IT strategic plan provide the basis for the IT operational plan, which i
ncludes security and training plans.
The IT operational plan describes how the organization will implement the strate
gic plan. The operational plan identifies logical steps for achieving the IT str
ategic vision. It may present an implementation schedule, identify key milestone
s, define project initiatives, and include resources (e.g., funding and personne
l) estimates. The operational plan should identify dependencies among the IT str
ategies and present a logical sequence of project initiatives to assure smooth i
mplementation.
The IT security plans and training plans are incorrect because they are componen
ts of the IT operational plan. Security plans should be developed for an organiz
ation or an individual system. These plans document the controls and safeguards
for maintaining information integrity and preventing malicious/accidental use, d
estruction, or modification of information resources within the organization. Tr
aining plans document the types of training the IT staff will require to effecti
vely perform their duties. The IT operational plans, security plans, and trainin
g plans are in a constant state of flux.
175. An information technology operational plan answers all the following questi
ons except:
a. How do we get there?
b. When will it be done?
c. What is our goal?
b. Project descriptions
c. Project resource estimates
d. Project implementation schedules
178. a. Risk assessment is part of the IT strategic plan along with mission, vis
ion, goals, environmental analysis, strategies, and critical success factors. Ty
pically a strategic plan covers a 5-year time span and is updated annually. IT o
perational planning begins when strategic planning ends. During operational plan
ning, an organization develops a realistic implementation approach for achieving
its vision based on its available resources.
The IT operational plan consists of three main parts: project descriptions, proj
ect resource estimates, and project implementation schedules. Depending upon its
size and the complexity of its projects, an organization may also include the f
ollowing types of documents as part of its operational plan: security plan summa
ry, information plans, and information technology plans.
179. The scope of the information technology tactical plan does not include:
a.
b.
c.
d.
Budget plans
Application system development and maintenance plans
Technical support plans
Service objectives
179. d. The scope of an IT tactical plan includes budget plans, application syst
em development and maintenance plans, and technical support plans, but not servi
ce objectives. This is because service objectives are part of the IT operational
plan along with performance objectives. Operational plans are based on the tact
ical plan but are more specific, providing a framework for daily activity. The f
ocus of operational plans is on achieving service objectives.
Effective plans focus attention on objectives, help anticipate change and potent
ial problems, serve as the basis for decision making, and facilitate control. IT
plans are based on the overall organizations plans. The IT strategic, tactical,
and operational plans provide direction and coordination of activities necessary
to support mission objectives, ensure that the IT meets user requirements, and
enable IT management to cope effectively with current and future changing requir
ements. Detailed plans move from abstract terms to closely controlled implementa
tion schedules.
Tactical plans span approximately 1 years time. Tactical plans address a detailed
view of IT activities and focus on how to achieve IT objectives. Tactical plans
include budgetary information detailing the allocation of resources or funds as
signed to IT components. Often, the budget is the basis for developing tactical
plans.
180. An important measure of success for any IT project is whether the:
a.
b.
c.
d.
Project
Project
Project
Project
related security issues and problems. Which of the following is the correct sequ
ence of steps involved in the staffing process?
1.
2.
3.
4.
a.
b.
c.
d.
1,
2,
2,
1,
2,
4,
4,
4,
3,
3,
1,
2,
and
and
and
and
4
1
3
3
181. c. Personnel issues are closely linked to logical access security controls.
Early in the process of defining a position, security issues should be identifi
ed and dealt with. After a job position and duties have been broadly defined, th
e responsible supervisor should determine the type of computer access levels (e.
g., add, modify, and delete) needed for that position or job.
Knowledge of the job duties and access levels that a particular position require
s is necessary for determining the sensitivity of the position (whether a securi
ty clearance is required). The responsible supervisor should correctly identify
position sensitivity levels and computer access levels so that appropriate, cost
-effective background checks and screening methods can be completed.
When a positions sensitivity has been determined, the position is ready to be sta
ffed. Background checks and screening methods help determine whether a particula
r individual is suitable for a given position. Computer access levels and positi
on sensitivity can also be determined in parallel.
182. Establishing an information system security function program within an org
anization should be the responsibility of:
a.
b.
c.
d.
182. a. Both information systems management and functional user management have
a joint and shared responsibility in establishing an information systems securit
y function within an organization. It is because the functional user is the data
owner and information systems management is the data custodian. Internal/extern
al auditors and compliance officers have no responsibility in actually establish
ing such a function; although, they make recommendations to management to establ
ish such a function.
183. Risk management is an aggregation of which of the following?
1.
2.
3.
4.
Risk assessment
Risk mitigation
Ongoing risk evaluation
Risk profile
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
4
and 3
184. Which of the following is not the major reason for conducting risk assessme
nt?
a.
b.
c.
d.
It
It
It
It
184. a. Risk assessment should be conducted and integrated into the system/softw
are development life cycle (SDLC) process for information systems, not because i
t is required by law or regulation, but because it is a good security practice a
nd supports the organizations business objectives or mission.
185. Which of the following is the first step in the risk assessment process?
a.
b.
c.
d.
Threat identification
Vulnerability identification
System characterization
Risk analysis
185. c. System characterization is the first step in the risk assessment process
. When characterizing the system, the mission criticality and sensitivity are de
scribed in sufficient terms to form a basis for the scope of the risk assessment
. Characterizing an information system establishes the scope of the risk assessm
ent effort, delineates the operational authorization or accreditation boundaries
, and provides information (e.g., hardware, software, system connectivity, and a
ssociated personnel). This step begins with identifying the system boundaries, r
esources, and information.
186. A low-impact system does not require which of the following to fully charac
terize the system?
a.
b.
c.
d.
Questionnaires
Hands-on security testing and evaluation
Interviews
Automated scanning tools
186. b. A systems impact can be defined in terms of low, moderate, or high. For e
xample, a system determined to be of low impact may not require hands-on securit
y testing and evaluation. Various techniques, such as questionnaires, interviews
, documentation reviews, and automated scanning tools can be used to collect the
information needed to fully characterize the system.
187. The level of effort and granularity of the risk assessment are based on wh
ich of the following?
a.
b.
c.
d.
Threat identification
Vulnerability identification
Risk analysis
Security categorization
187. d. The level of effort and the granularity (i.e., the level of depth at whi
ch the assessment investigates the security of the system) of the risk assessmen
t are based on security categorization.
188. Which of the following can be used to augment the vulnerability source rev
iews in the risk assessment process of identifying vulnerabilities?
a.
b.
c.
d.
Penetration testing
Previous risk assessments
Previous audit reports
Vulnerability lists
188. a. Penetration testing and system security testing methods (e.g., use of au
tomated vulnerability scanning tools and security, test, and evaluation methods)
can be used to augment the vulnerability source reviews and identify vulnerabil
ities that may not have been previously identified in other sources.
189. The risk analysis steps performed during the risk assessment process do not
include which of the following?
a.
b.
c.
d.
Control analysis
Likelihood determination
Vulnerability identification
Risk determination
189. c. Risk analysis includes four substeps: control analysis, likelihood deter
mination, impact analysis, and risk determination. Vulnerability identification
is performed prior to risk analysis. The control analysis results are used to st
rengthen the determination of the likelihood that a specific threat might succes
sfully exploit a particular vulnerability. Checklists and questionnaires are use
d in the control analysis exercise.
190. Regarding external service providers operating in external system environme
nts, which one of the following items is required when the other three items are
not present to provide sufficient confidence?
a.
b.
c.
d.
Level of trust
Compensating controls
Level of control
Chain of trust
Impact analysis
Risk mitigation
Risk analysis
Control analysis
191. b. Risk analysis, impact analysis, and control analysis are done prior to s
ecurity control recommendations. Therefore, security control recommendations are
essential input for the risk mitigation process.
192. Which of the following should reflect the results of the risk assessment p
rocess?
1.
2.
3.
4.
Control recommendations
Risk determinations
Plans of action and milestones
System security plans
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
192. d. Organizations should ensure that the risk assessment results are appropr
iately reflected in the systems plan of action and milestones and system security
plans. Control recommendations and risk determinations are done prior to docume
nting the results of the risk assessment.
193. System security categorization is used in which of the following ways?
1.
2.
3.
4.
To
To
To
To
a.
b.
c.
d.
1
1
2
3
2
3
4
4
193. a. The security categorization is used in two ways: (i) to determine which
baseline security controls are selected and (ii) to aid in estimating the level
of risk posed by a threat and vulnerability pair identified during the risk asse
ssment step. Items 3 and 4 are part of the risk mitigation step.
194. From an economies of scale viewpoint, the assessment, implementation, and m
onitoring activities of common security controls are not conducted at which of t
he following levels?
a.
b.
c.
d.
Organizational level
Individual system level
Multiple systems level
Functional level
194. b. Common security controls do not benefit at the individual system level b
ecause they benefit many systems and the principle of economies of scale is appl
icable here. Organizations can leverage controls used among multiple systems by
designating them as common controls where assessment, implementation, and monito
ring activities are conducted at an organizational level or by functional level
or areas of specific expertise (e.g., human resources and physical security).
195. Which of the following is not a goal of the risk management evaluation and
assessment process in ensuring that the system continues to operate in a safe an
d secure manner?
a.
b.
c.
d.
management program.
continuous basis.
vulnerabilities, and risks to the system.
control assessment process.
Security policies
Security procedures
Planned security features
White papers
198. c. The planned security features are described in the security design docum
entation, which occurs after identifying vulnerabilities. If the IT system has n
ot yet been designed, the search for vulnerabilities should focus on the organiz
ations security policies, security procedures, the system requirements definition
s, and the vendors or developers security product analyses (e.g., white papers).
199. Which of the following proactive technical methods is used to complement t
he security controls review?
a.
b.
c.
d.
199. d. Penetration testing tool can be used to complement the security controls
review and to ensure that different facets of the IT system are secured. The pe
netration testing occurs after the review of security controls, which includes t
he use of the automated information scanning tool, automated vulnerability scann
ing tool, and automated network scanning tool, and security test and evaluation.
The penetration testing uses the results obtained from the security controls re
view.
200. When an employee of an organization uses an internal system to connect wit
h an external organizations system for data exchange, the employee should comply
with which of the following agreed upon trust relationships?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
1, 3,
1, 2,
2
3
and 4
3, and 4
Authenticity
Sensitivity
Secrecy
Criticality
Confidentiality
Integrity
Aggregation
Availability
Strategic alignment
Information asset
Risk management
Resource management
Business strategy
Security requirements
Business processes
Risk assessments
204. b. Security requirements are the outputs of the risk management activity. I
nputs to the risk management and information security strategy include business
strategy, business processes, risk assessments, business input analysis, informa
tion resources, and regulatory requirements.
205. Which of the following is not a correct method of expressing information se
curity baselines?
a. Technical standards
b. Procedural standards
c. Vendor standards
d. Personnel standards
205. c. Information security baselines can be expressed as technical, procedural
, and personnel standards because they are internal to an organization. In addit
ion to the above standards, the baseline should consider laws, regulations, poli
cies, directives, and organizational mission/business/operational requirements,
which could identify security requirements.
Vendors are external to an organization and it would be difficult to accommodate
their standards into the baseline due to many vendors. In addition, vendor stan
dards could be unpredictable and unstable.
206. Regarding information security governance, which of the following does not
change, unlike others?
a.
b.
c.
d.
Programs
Assets
Mission
Practices
206. c. An organizations basic mission does not change because it is the guiding
principle to follow at all times. However, the organization may change its secur
ity practices and protection mechanisms over IT assets and computer programs. Ye
t, these changes must be made within the boundaries of the mission requirements
and guidelines. Note that the information security governance must follow the IT
governance and the corporate governance principles.
207. What is the most important objective of system security planning?
a.
b.
c.
d.
To
To
To
To
Program policies
Issue-specific policies
System-specific policies
Network policies
208. a. Program policy is usually broad in scope in that it does not require muc
h modification over time, whereas other types of policies are likely to require
more frequent revisions as changes in technology take place.
209. Which of the following is not a part of access agreements?
a.
b.
c.
d.
Nondisclosure agreements
Rules-of-behavior agreements
Employment agreements
Conflict-of-interest agreements
209. c. Employment agreements come before the access agreements. Access agreemen
ts include nondisclosure, acceptable use, rules-of-behavior, and conflict-of-int
erest for individuals requiring access to information and information system res
ources before authorizing access to such resources.
Security basics
Awareness
Security literacy
Education
a.
b.
c.
d.
Accuracy
Privacy
Non-repudiation
Accountability
Assurance
Integrity
Confidentiality
Availability
215. a. Assurance verifies that the security principles such as integrity, avail
ability, confidentiality, and accountability have been adequately met by a speci
fic implementation.
216. Regarding information security governance, which of the following should t
ake place for noncompliance?
a.
b.
c.
d.
Change in policies
Change in procedures
Change in practices
Periodic assessments
Confidentiality
Impact levels
Integrity
Availability
217. b. The impact levels (i.e., low, moderate, or high) must be considered when
the system boundaries are drawn and when selecting the initial set of security
controls (i.e., control baseline). Confidentiality, integrity, and availability
are security objectives for which potential impact is assessed.
Reproducibility
Utility
Integrity
Objectivity
Centralized governance
Decentralized governance
Hybrid governance
Virtual governance
219. a. The information security governance model should be aligned with the IT
governance model and the corporate governance model. A centralized approach to g
overnance requires strong, well-informed central leadership and provides consist
ency throughout the organization. Centralized governance structures also provide
less autonomy for subordinate (sector) organizations that are part of the paren
t organization. To achieve the centralized governance, interorganizational and i
ntra-organizational communication mechanisms are created.
Decentralized governance is the opposite of the centralized governance, hybrid g
overnance is a combination of centralized and decentralized governance, and virt
ual governance does not and should not exist.
220. Which of the following outcomes of information security governance, a part
of information technology (IT) governance, relates to investments in risk manag
ement?
a.
b.
c.
d.
Strategic alignment
Risk management processes
Risk management resources
Delivered value
220. d. The information security governance model should be aligned with the IT
governance model and the corporate governance model. Delivered value means optim
izing risk management investments in support of organizational objectives (i.e.,
demanding value from the investments).
Strategic alignment means risk management decisions made in business functions s
hould be consistent with organizational goals and objectives. Risk management pr
ocesses frame, assess, respond to, and monitor risk to organizational operations
and assets, individuals, and other organizations. Risk management resources dea
l with effective and efficient allocation of given resources.
221. Which of the following information security governance structures establis
h the appropriate policies, procedures, and processes dealing with risk manageme
nt and information security strategies at the cost of consistency throughout the
organization as a whole?
a.
b.
c.
d.
Centralized governance
Decentralized governance
Hybrid governance
Virtual governance
221. b. The information security governance model should be aligned with the IT
governance model and the corporate governance model. A decentralized approach ac
c. Knowledge
d. Insight
225. c. IT security training provides knowledge levels, awareness provides data
and information levels, and education provides insight levels.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 9.
Risk management is a major priority of the SPK Company. The following data has b
een collected for one asset in the company: Natural threats are realized once ev
ery five years. The total asset value is $1,000,000. Every time a threat causes
damage, it cost the company an average of $100,000. The company has the choice o
f getting insurance for $10,000 per year or moving to a new location that will b
e a onetime cost of $35,000. The SPK priorities in the risk management strategy
are accuracy and long-term repeatability of process.
1. What can be done with the residual risk?
a.
b.
c.
d.
It
It
It
It
can
can
can
can
be
be
be
be
either
either
either
either
assigned or accepted.
identified or evaluated.
reduced or calculated.
exposed or assessed.
Assets
Threats
Vulnerabilities
Countermeasures
Risk
Risk
Risk
Risk
reduction
avoidance
transfer
analysis
3. d. Risk analysis identifies the risks to system security and determines the p
robability of occurrence, the resulting impact, and the additional safeguards th
at mitigate this impact. Risk analysis is a management exercise performed before
deciding on specific safeguards and controls. Risk reduction, risk avoidance, a
nd risk transfer are part of risk mitigation, which results from applying the se
lected safeguards and controls.
4. Selection and implementation of security controls refer to which of the foll
owing?
a.
b.
c.
d.
Risks analysis
Risk mitigation
Risk assessment
Risk management
ssessment. Risk management includes both risk analysis and risk mitigation.
5. Which of the following is closely linked to risk acceptance?
a.
b.
c.
d.
Risk
Risk
Risk
Risk
detection
prevention
tolerance
correction
Technological level
Acceptable level
Affordable level
Measurable level
Accept risk
Share risk
Reduce risk
Transfer risk
Single-occurrence losses
Annual loss expectancy
Fatal losses
Catastrophic losses
Domain 4
Software Development Security
Traditional Questions, Answers, and Explanations
1. Which of the following is the correct sequence of steps to be followed in an
application-software change control process?
1.
2.
3.
4.
a.
b.
c.
d.
1,
2,
3,
4,
2,
1,
2,
3,
3,
3,
1,
1,
and
and
and
and
4
4
4
2
1. c. Any application software change must start with a change request from a fu
nctional user. An information technology (IT) person can plan, test, and release
the change after approved by the functional user.
2. To overcome resistance to a change, which of the following approaches provid
es the best solution?
a.
b.
c.
d.
The
The
The
The
change
change
change
change
is
is
is
is
well planned.
fully communicated.
implemented in a timely way.
fully institutionalized.
Authorization
Validation
Configuration
Error notification
e following questions?
a.
b.
c.
d.
Identification
Change control
Status accounting
Audit
Initiation
Development/acquisition
Implementation
Operation/maintenance
Proof-of-origin
Proof-of-delivery
Techniques
Metrics
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
9. d. System assurance is the grounds for confidence that the set of intended se
curity controls in an information system are effective in their application. Sys
tem assurance requires (i) techniques to achieve integrity, confidentiality, ava
ilability, and accountability and (ii) metrics to measure them. Proof-of-origin
and proof-of-delivery are required in nonrepudiation.
10. The initiation phase of the security certification and accreditation process
does not contain which of the following?
a.
b.
c.
d.
Preparation
Resource identification
Action plan and milestones
Security plan acceptance
10. c. The action plan and milestones document is a latter part of security cert
ification and accreditation phases, which describe the measures that have been i
mplemented or planned to correct any deficiencies noted during the assessment of
the security controls and to reduce or eliminate known system vulnerabilities.
The other three choices are part of the initiation phase, which is the first pha
se, where it is too early to develop the action plan and milestones.
11. Which of the following comes first in the security certification and accred
itation process of an information system?
a.
b.
c.
d.
Security
Security
Security
Security
certification
recertification
accreditation
reaccreditation
11. a. The security certification work comes first as it determines the extent t
o which the security controls in the information system are implemented correctl
y, operating as intended, and producing the desired system security posture. Thi
s assurance is achieved through system security assessments. The security accred
itation package documents the results of the security certification.
Recertification and reaccreditation occur periodically and sequentially whenever
there is a significant change to the system or its operational environment as p
art of ongoing monitoring of security controls.
12. Which of the following security accreditation authoritys decision scenarios
require justification for the decision?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
1, 2, or 3
1, 2, 3, or 4
12. c. The security accreditation authority has three major scenarios to work wi
th: (i) accredit the system fully, (ii) accredit the system with conditions, or
(iii) deny the system accreditation. In any case, supporting rationale (justific
ation) for the decision is needed. In some cases, the system accreditation can b
e deferred based on sudden changes in regulatory requirements or unexpected merg
er and acquisition activities in the company. Management can come back to the de
ferred decision later.
13. In the continuous monitoring phase of the security certification and accred
itation process, ongoing assessment of security controls is based on which of th
e following?
a.
b.
c.
d.
13. b. To determine what security controls to select for ongoing review, organiz
ations should first prioritize testing on action plan and milestones items that be
come closed. These newly implemented controls should be validated first.
The other three documents are part of the continuous monitoring phase and come i
nto play when there are major changes or modifications to the operational system
.
14. What is the major purpose of configuration management?
a.
b.
c.
d.
To
To
To
To
reduce risks
reduce risks
reduce risks
minimize the
Initiation
Acquisition/development
Implementation
Operation/maintenance
Initiation
Security certification
Security accreditation
Continuous monitoring
16. d. The fourth phase of the security certification and accreditation process,
continuous-monitoring, primarily deals with configuration management. Documenti
ng information system changes and assessing the potential impact those changes m
ay have on the security of the system is an essential part of continuous monitor
ing and maintaining the security accreditation.
17. Constant monitoring of an information system is performed with which of the
following?
1.
2.
3.
4.
Risk management
Security certification
Security accreditation
Configuration management processes
a.
b.
c.
d.
1 and
2 and
1, 2,
1, 2,
2
3
and 3
3, and 4
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
18. c. Conducting impact analysis of changes and notifying users of system chang
es are the responsibilities of the configuration manager, whereas discussing cha
nge requests and requesting funding to implement changes are the responsibilitie
s of the configuration control review board.
19. An impact analysis of changes is conducted in which of the following config
uration management process steps?
a.
b.
c.
d.
Identify changes.
Evaluate change request.
Implement decisions.
Implement approved change requests.
19. b. After initiating a change request, the effects that the change may have o
n a specific system or other interrelated systems must be evaluated. An impact a
nalysis of the change is conducted in the evaluate change request step. Evaluation
is the end result of identifying changes, deciding what changes to approve and
how to implement them, and actually implementing the approved changes.
20. Additional testing or analysis may be needed in which of the following oper
ational decision choices of the configuration management process?
a.
b.
c.
d.
Approve
Implement
Deny
Defer
20. d. In the defer choice, immediate decision is postponed until further notice.
In this situation, additional testing or analysis may be needed before a final d
ecision can be made later.
On the other hand, approve, implement, and deny choices do not require additiona
l testing and analysis because management is already satisfied with the testing
and analysis.
21. During the initiation phase of a system development life cycle (SDLC) proce
ss, which of the following tasks is not typically performed?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Disposal
22. b. Security controls are developed, designed, and implemented in the develop
ment/acquisition phase. Additional controls may be developed to support the cont
rols already in place or planned.
23. Product acquisition and integration costs are determined in which of the fo
llowing system development life cycle (SDLC) phases?
a. Initiation
b. Development/acquisition
c. Implementation
d. Disposal
23. b. Product acquisition and integration costs that can be attributed to infor
mation security over the life cycle of the system are determined in the developm
ent/acquisition phase. These costs include hardware, software, personnel, and tr
aining.
24. A formal authorization to operate an information system is obtained in whic
h of the following system development life cycle (SDLC) phases?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Disposal
24. c. In the implementation phase, the organization configures and enables syst
em security features, tests the functionality of these features, installs or imp
lements the system, and finally, obtains a formal authorization to operate the s
ystem.
25. Which of the following gives assurance as part of systems security and funct
ional requirements defined for an information system?
a.
b.
c.
d.
Access controls
Background checks for system developers
Awareness
Training
Unit testing
Subsystem testing
Full system testing
Acceptance testing
Initiation
Development/acquisition
Implementation
Operation/maintenance
27. d. Documenting information system changes and assessing the potential impact
of these changes on the security of a system is an essential part of continuous
monitoring and key to avoiding a lapse in the system security reaccreditation.
Periodic reaccreditation is done in the operation phase.
28. Which of the following tests is driven by system requirements?
a.
b.
c.
d.
Black-box testing
White-box testing
Gray-box testing
Integration testing
28. a. Black-box testing, also known as functional testing, executes part or all
the system to validate that the user requirement is satisfied.
White-box testing, also known as structural testing, examines the logic of the u
nits and may be used to support software requirements for test coverage, i.e., h
ow much of the program has been executed.
Gray-box testing can be looked at as anything that is not tested in white-box or
black-box. An integration testing is performed to examine how units interface a
nd interact with each other with the assumption that the units and the objects (
for example, data) they manipulate have all passed their unit tests.
29. System integration is performed in which of the following system developmen
t life cycle (SDLC) phases?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
Initiation
Development/acquisition
Implementation
Operation/maintenance
Initiation
Development/acquisition
Implementation
Operation/maintenance
a.
b.
c.
d.
33. c. System assessors or auditors do not develop security controls due to loss
of objectivity in thinking and loss of independence in appearance. Security con
trols should be built by system designers and developers prior to performing int
ernal control reviews, conducting penetration testing, or using security checkli
sts by system assessors or auditors. Internal control reviews, penetration testi
ng, and security checklists simply facilitate self-assessments or independent au
dits of an information system later.
34. In the needs-determination task of the system development life cycle (SDLC)
initiation phase, which of the following optimizes the organizations system need
s within budget constraints?
a.
b.
c.
d.
Fit-gap analysis
Risk analysis
Investment analysis
Sensitivity analysis
Place of data
Timeliness of data
Form of data
Quality of data
35. d. Integrity can be examined from several perspectives. From a users or appli
cation owners perspective, integrity is the quality of data that is based on attr
ibutes such as accuracy and completeness. The other three choices do not reflect
the attributes of integrity.
36. An in-depth study of the needs-determination for a new system under develop
ment is conducted in which of the following system development life cycle (SDLC)
phases?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
36. b. The requirements analysis task of the SDLC phase of development is an indepth study of the need for a new system. The requirements analysis draws on and
further develops the work performed during the initiation phase. The needs-dete
rmination activity is performed at a high-level x of functionality in the initia
tion phase.
37. Which of the following should be conducted before the approval of system de
sign specifications of a new system under development?
a.
b.
c.
d.
37. c. A formal security risk assessment should be conducted before the approval
of system design specifications. The other three choices are considered during
a formal security risk assessment process.
38. Which of the following is often overlooked when determining the cost of a n
ew systems acquisition or development?
a.
b.
c.
d.
Hardware
Software
Training
Security
38. d. The capital planning process determines how much the acquisition or devel
opment of a new system will cost over its life cycle. These costs include hardwa
re, software, personnel, and training. Another critical area often overlooked is
security.
39. Which of the following is required when an organization uncovers deficienci
es in the security controls employed to protect an information system?
a.
b.
c.
d.
39. b. Detailed plans of action and milestones (POA&M) schedules are required to
document the corrective measures needed to increase the effectiveness of the se
curity controls and to provide the requisite security for the information system
prior to security authorization. The other three choices are not corrective ste
ps requiring action plans and milestone schedules.
40. The security-planning document developed in the development/acquisition phas
e of a system development life cycle (SDLC) does not contain which of the follow
ing?
a.
b.
c.
d.
Transaction files
Configuration files
Work files
Temporary files
Unit testing
Subsystem testing
Full system testing
Integration and acceptance testing
42. d. Integration and acceptance testing occurs after delivery and installation
of the new information system. The unit, subsystem and full system testing are
not conducted for an acquired system but conducted for the in-house developed sy
stem. The integration and acceptance testing is conducted for an acquired system
.
43. Which of the following should be done prior to final system deployment for
operation?
a.
b.
c.
d.
Test-based decision
Risk-based decision
Evaluation-based decision
Results-based decision
Information preservation
Security accreditation
Configuration management and control
Continuous monitoring
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
45. d. Managing and controlling the configuration of the system and providing fo
r a process of continuous monitoring are the two key information security steps
of the operation/maintenance phase of an SDLC. Information preservation is an ac
tivity of the disposal phase, whereas security accreditation is an activity of t
he implementation phase of an SDLC.
46. Which of the following are ways to accomplish ongoing monitoring of securit
y control effectiveness?
1. Security reviews
2. Self-assessments
1 and
2 and
1 and
1, 2,
2
3
4
3, and 4
Verifying
Verifying
Verifying
Verifying
the
the
the
the
47. a. Organizations need periodic and continuous testing and evaluation of the
security controls in an information system to ensure that the controls are effec
tive in their application. Security-control monitoring means verifying the conti
nued effectiveness of those controls over time.
48. Which of the following statements is not true about a system development li
fe cycle (SDLC) process?
a.
b.
c.
d.
48. c. Usually, there is no definitive end to an SDLC process because the system
can become a legacy system for a long-time or it can eventually be replaced wit
h a new system. Systems evolve or transition to the next generation as follow-on
systems with changing requirements and technology. Security plans evolve with t
he system. Much of management and operational controls in the old, legacy system
are still relevant and useful in developing the security plan for the follow-on
system.
49. If there is a doubt as to whether sensitive information remains on a system
, which of the following should be consulted before disposing of the system?
a.
b.
c.
d.
49. b. Some systems may contain sensitive information after the storage media is
removed. If there is a doubt whether sensitive information remains on a system,
the information system security officer should be consulted before disposing of
the system because the officer deals with technical aspects of a system. The ot
her parties mentioned do not have a technical focus but instead have a business
focus.
50. Which of the following is similar to security certification and accreditati
on?
a.
b.
c.
d.
Quality assurance
Quality control
Operational control
Management control
Risk assessment
Security requirements
Security plans
Security controls
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
51. b. Both risk assessment and security plans are essential components of the s
ecurity certification and accreditation process. These two components accurately
reflect the security requirements and security controls through the system deve
lopment life cycle (SDLC) methodology. Security requirements and security contro
ls (planned or designed) drive the risk assessment process and security plans.
52. By accrediting an information system, an organizations management official d
oes which of the following?
a.
b.
c.
d.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
53. d. System assurance is the grounds for confidence that a system meets its se
curity expectations. Good understanding of the threat environment, evaluation of
system requirements sets, knowledge of hardware and software engineering princi
ples, and the availability of product and system evaluation results are required
for system assurance.
54. What should be in place prior to the security certification and accreditati
on process?
a.
b.
c.
d.
The
The
The
The
security
security
security
security
plan
plan
plan
plan
is
is
is
is
analyzed.
updated.
accepted.
developed.
54. d. During the security certification and accreditation process, the system s
ecurity plan is analyzed, updated, and accepted. For this to happen, the system
security plan must have been developed and in place.
55. Which of the following should occur prior to a significant change in the pr
ocessing of an information system?
a.
b.
c.
d.
System
System
System
System
recertification
reaccreditation
reauthorization
reassessment
Requirements analysis
Design
Coding
Testing
56. b. The design phase translates requirements into a representation of the sof
tware. The design is placed under configuration management control before coding
begins.
Requirements analysis is incorrect because it focuses on gathering requirements
to understand the nature of the programs to be built. The design must be transla
ted into code-readable form. The coding step performs this task. Code is verifie
d, for example, through the inspection process and put under configuration manag
ement control prior to the start of formal testing. After code is generated, pro
gram testing begins. The testing focuses on the logical internals of the softwar
e, ensuring that all statements have been tested, and on the functional external
s; that is, conducting tests to uncover errors to ensure that the defined input
can produce actual results that agree with required results.
57. The security-planning document developed in the development/acquisition phas
e of a system development life cycle (SDLC) does not contain which of the follow
ing?
a.
b.
c.
d.
57. c. The request for proposal development, evaluation, and acceptance are a pa
rt of other planning components in the development/acquisition phase of an SDLC.
It is a part of project management activities. The other three choices are part
of the security-planning document.
58. A worm has infected a system. What should be the first step in handling the
worm incident?
a.
b.
c.
d.
ystem, such as looking for administrative-level user accounts and groups that ma
y have been added by the worm. Ultimately, the analyst should gather enough info
rmation to identify the worms behavior in sufficient detail so that the incident
response team can act effectively to contain, eradicate, and recover from the in
cident.
59. A worm has infected a system. From a network traffic perspective, which of
the following contains more detailed information?
a.
b.
c.
d.
59. c. Host-based intrusion detection system (IDS) and firewall products running
on the infected system may contain more detailed information than network-based
IDS and firewall products. For example, host-based IDS can identify changes to
files or configuration settings on the host that were performed by a worm. This
information is helpful not only in planning containment, eradication, and recove
ry activities by determining how the worm has affected the host, but also in ide
ntifying which worm infected the system. However, because many worms disable hos
t-based security controls and destroy log entries, data from host-based IDS and
firewall software may be limited or missing. If the software was configured to f
orward copies of its logs to centralized log servers, then queries to those serv
ers may provide some useful information (assuming the host logs integrity is not
in doubt).
Network-based IDS is incorrect because it indicates which server was attacked an
d on what port number, which indicates which network service was targeted. Netwo
rk-based firewalls are typically configured to log blocked connection attempts,
which include the intended destination IP address and port number. Other perimet
er devices that the worm traffic may have passed through, such as routers, virtu
al private network (VPN) gateways, and remote access servers may record informat
ion similar to that logged by network-based firewalls.
60. Media sanitization activity is usually most intense during which of the fol
lowing phases of the system development life cycle (SDLC)?
a.
b.
c.
d.
Development/acquisition
Implementation
Operation/maintenance
Disposal
60. d. Media sanitization ensures that data is deleted, erased, and written over
as necessary. Media sanitization and information disposition activity is usuall
y most intense during the disposal phase of the system life cycle. However, thro
ughout the life of an information system, many types of data storage media will
be transferred outside positive control, and some will be reused during all phas
es of the SDLC. This media sanitization activity may be for maintenance reasons,
system upgrades, or during a configuration update.
61. The security certification assessor is involved with which of the following
activities?
a.
b.
c.
d.
System
System
System
System
development
controls
implementation
operations
es?
1.
2.
3.
4.
Trojan horse
Mobile code
Phishing
Virus hoaxes
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
3
4
62. d. Both phishing and virus hoaxes rely entirely on social engineering, which
is a general term for attackers trying to trick people into revealing sensitive
information or performing certain actions, such as downloading and executing fi
les that appear to be benign but are actually malicious. Phishing refers to usin
g deceptive computer-based means to trick individuals into disclosing sensitive
personal information. Virus hoaxes are false virus warnings. The majority of vir
us alerts that are sent via e-mail among users are actually hoaxes.
Trojan horse is incorrect because it is a nonreplicating program that appears to
be benign but actually has a hidden malicious purpose.
Mobile code is incorrect because it is software that is transmitted from a remot
e system to be executed on a local system, typically without the users explicit i
nstruction. Trojan horse and mobile code do not rely on social engineering.
63. Defining roles and responsibilities is important in identifying infected ho
sts with malware incidents before security incidents occur. Which of the followi
ng groups can primarily assist in analyzing routers?
a.
b.
c.
d.
Security administrators
System administrators
Network administrators
Desktop administrators
Parity checks
Cyclical redundancy checks
Failed security tests
Cryptographic hashes
b. Invalidated input
c. Broken authentication
d. Cross-site scripting flaws
65. a. When restrictions on what authenticated users are allowed to do are not p
roperly enforced, it leads to broken access control vulnerability in Web applica
tions. The other three choices do not deal with accessing user accounts, viewing
sensitive files, or using unauthorized functions.
66. What do you call an attacker who can embed malicious commands in applicatio
n parameters resulting in an external system executing those commands on behalf
of the Web application?
a.
b.
c.
d.
Buffer overflows
Injection flaws
Denial-of-service
Improper error handling
66. b. Web applications pass parameters when they access external systems or the
local operating system. Injection flaws occur when an attacker can embed malici
ous commands in these parameters; the external system may execute those commands
on behalf of the Web application. The other three choices do not apply here bec
ause they do not embed malicious commands.
67. Both black-box and white-box testing are performed during which of the foll
owing?
a.
b.
c.
d.
Unit testing
Integration testing
System testing
Acceptance testing
67. a. A unit test is a test of software elements at the lowest level of develop
ment. Black-box testing, also known as functional testing, executes part or all
the system to validate that the user requirement is satisfied. White-box testing
, also known as structural testing, examines the logic of the units and may be u
sed to support software requirements for test coverage, i.e., how much of the pr
ogram has been executed. Because the unit test is the first test conducted, its
scope should be comprehensive enough to include both types of testing, that is,
black box and white box.
Integration testing is incorrect because it comes after completion of unit tests
. An integration test is performed to examine how units interface and interact w
ith each other with the assumption that the units and the objects (for example,
data) they manipulate have all passed their unit tests. Software integration tes
ts check how the units interact with other software libraries and hardware.
System testing is incorrect because it comes after completion of the integration
tests. It tests the completely integrated system and validates that the softwar
e meets its requirements.
Acceptance testing is incorrect because it comes after completion of integration
tests. It is testing of user requirements in an operational mode conducted by e
nd users and computer operations staff.
68. If manual controls over program changes were weak, which of the following w
ould be effective?
a.
b.
c.
d.
Automated controls
Written policies
Written procedures
Written standards
g programs from production to test libraries and back. It minimizes human errors
in moving wrong programs or forgetting to move the right ones. Written policies
, procedures, and standards are equally necessary in manual and automated enviro
nments.
69. Which of the following defines a managements formal acceptance of the adequa
cy of an application systems security?
a.
b.
c.
d.
System certification
Security certification
System accreditation
Security accreditation
70. c. Macro viruses are nonresident viruses. A resident virus is one that loads
into memory, hooks one or more interrupts, and remains inactive in memory until
some trigger event. All boot viruses and most common file viruses are resident
viruses. Macro viruses are found in documents, not in disks.
71. Backdoors are which of the following?
a.
b.
c.
d.
They
They
They
They
are
are
are
are
71. a. Programmers frequently create entry points (backdoors) into a program for
debugging purposes and/or insertion of new program codes at a later date. The o
ther three choices do not apply here because they do not deal with entry points.
72. Most Trojan horses can be prevented and detected by which of the following?
a. Removing the damage
b. Assessing the damage
chan
into
to f
a co
73. b. The biggest vulnerable area is in the manual handling of data before it i
s entered into an application system or after it has been retrieved from the sys
tem in hard copy form. Because human intervention is significant here, the risk
is higher. Controls over internal and external computer processing and telecommu
nications and the network can be made stronger with automated controls.
74. Which of the following is most likely to be tampered or manipulated with?
a.
b.
c.
d.
Configuration file
Password file
Log file
System file
74. c. A log file is most likely to be tampered (manipulated) with either by ins
iders or outsiders because it contains unsuccessful login attempts or system usa
ge. A configuration file contains system parameters. A password file contains pa
sswords and user IDs, whereas a system file contains general information about c
omputer system hardware and software.
75. Which of the following software assurance processes is responsible for ensu
ring that any changes to software outputs during the system development process
are made in a controlled and complete manner?
a.
b.
c.
d.
Software
Software
Software
Software
75. a. The objectives of the software configuration management (SCM) process are
to track the different versions of the software and ensure that each version of
the software contains the exact software outputs generated and approved for tha
t version. SCM is responsible for ensuring that any changes to any software outp
uts during the development processes are made in a controlled and complete manne
r.
The objective of the project management process is to establish the organization
al structure of the project and assign responsibilities. This process uses the s
ystem requirements documentation and information about the purpose of the softwa
re, criticality of the software, required deliverables, and available time and r
esources to plan and manage the software development and software assurance proc
esses. It establishes or approves standards, monitoring and reporting practices,
and high-level policy for quality, and it cites policies and regulations.
The objectives of the software quality assurance process are to ensure that the
software development and software assurance processes comply with software assur
ance plans and standards, and to recommend process improvement. This process use
s the system requirements and information about the purpose and criticality of t
he software to evaluate the outputs of the software development and software ass
urance processes.
It
It
It
It
is
is
is
is
76. b. The Reference Monitor concept is independent of any particular access con
trol policy because it mediates all types of access to objects by subjects. Mand
atory access control policy is a means of restricting access to objects based on
the sensitivity of the information contained in the objects and the formal auth
orization of subjects to access information of such sensitivity. With role-based
access control policy, access decisions are based on the roles (for example, te
ller, analyst, and manager) that individual users have as part of an organizatio
n. Discretionary access control policy is a means of restricting access to objec
ts based on the identity of subjects.
77. Which of the following are essential activities of a comprehensive informat
ion security program for an organization on an ongoing basis?
1.
2.
3.
4.
Information preservation
Security test and evaluation
Security control monitoring
Security status reporting
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
4
4
Security accreditation
Management controls
Operational controls
Technical controls
a.
b.
c.
d.
To
To
To
To
System security
System security
Plan of actions
Security impact
plan
assessment report
and milestones
analyses
80. d. Security impact analyses are conducted in the continuous monitoring phase
whenever there are changes to the information system. The other three choices a
re part of the security accreditation phase, which comes before the continuous m
onitoring phase.
81. Which of the following is not a usual common error or vulnerability in infor
mation systems?
a.
b.
c.
d.
Encryption failures
Buffer overflows
Format string errors
Failing to check input for validity
81. a. Usually, encryption algorithms do not fail due to their extensive testing
, and the encryption key is getting longer making it more difficult to break int
o. Many errors reoccur, including buffer overflows, race conditions, format stri
ng errors, failing to check input for validity, and computer programs being give
n excessive access privileges.
82. Which of the following is not the responsibility of the configuration manage
r?
a.
b.
c.
d.
a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4
83. d. The configuration management (CM) process calls for continuous system mon
itoring to ensure that it is operating as intended and that implemented changes
do not adversely impact either the performance or security posture of the system
. Configuration verification tests, system audits, patch management, and risk ma
nagement activities are performed to achieve the CM goal.
84. Which of the following levels of the software capability maturity model (CM
M) is the most basic in establishing discipline and control in the software deve
lopment process?
a.
b.
c.
d.
Initial level
Defined level
Repeatable level
Managed level
Compatibility tests
Validity checks
Security label checks
Confidentiality tests
Fault-tolerant mechanisms
Availability
Scalability
Recoverability
87. a. Expert systems are aimed at problems that cannot always be solved using a
purely algorithmic approach. These problems are often characterized by irregula
r structure, incomplete or uncertain information, and considerable complexity.
88. In the context of expert systems, a heuristic is not a:
a.
b.
c.
d.
Rule of thumb
Known fact
Known procedure
Guaranteed procedure
Knowledge base
Computing environment
Inference engine
End user interface
Expert
Expert
Expert
Expert
system knowledge is
system computations
system knowledge is
systems can explain
represented declaratively.
are performed through symbolic reasoning.
combined into program control.
their own actions.
90. c. Expert system programs differ from conventional systems in four important
ways. First, knowledge is separated from program control; the knowledge base an
d inference engine are separate. Second, knowledge is represented declaratively.
Third, expert systems perform computation through symbolic reasoning. And final
ly, expert systems can explain their own actions.
91. Which of the following categories of problem-solving activity is best suite
d to expert systems?
a.
b.
c.
d.
Tasks
Tasks
Tasks
Tasks
91. a. The size of completed expert systems is often large, consisting of hundre
ds or thousands of rules. If the task is too broad, the development effort may t
ake an inordinate amount of time, or even be impossible. Two important guideline
s on evaluating the scope and size of the problem include the task must be narro
wly focused and the task should be decomposable. In other words, expert system t
asks should be based on a limited domain.
The other three choices are areas to avoid for expert system methods. These incl
ude (i) tasks based on common sense, (ii) tasks requiring perceptual (seeing or
touching) knowledge, and (iii) tasks requiring creativity. People, not expert sy
stems, are creative.
92. Which of the following statements is not true about artificial neural networ
ks (ANNs)?
a.
b.
c.
d.
92. a. The intention is not to replicate the workings of the human brain but to
use a simple model to see if some of the strengths of the human brain can be sho
wn by computers based on that model. An important goal is to develop computers t
hat can learn from experience. In the process of learning from experience, ANNs
show a capacity to generalize. That is, recognizing a new problem as being close t
o the one they know and offering the same solution. ANNs are not meant to replac
e or supersede the existing design of computers. They are meant to complement th
em.
93. Defining roles and responsibilities is important in identifying infected ho
sts with malware incidents. Which of the following groups can assist with host s
cans?
a.
b.
c.
d.
Security administrators
System administrators
Network administrators
Desktop administrators
Analyze
Analyze
Conduct
Perform
functional requirements.
assurance requirements.
system design reviews.
system tests.
a.
b.
c.
d.
1
2
2
3
and
and
and
and
2
3
4
4
94. d. System design reviews and system tests should be performed in the impleme
ntation phase before placing the system into production operation to ensure that
it meets all required security specifications. The results of the design review
s or system tests should be fully documented, updating as new reviews or tests a
re performed. Analysis of functional requirements and assurance requirements is
done in the development/acquisition phase, which is prior to the implementation
phase.
95. System performance is monitored in which of the following system developmen
t life cycle (SDLC) phases?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
Performance requirements
Assurance requirements
Supportability requirements
Functional requirements
96. b. System assurance is the grounds for confidence that the set of intended s
ecurity controls in an information system are effective in their application. In
formation security needs should address the appropriate level of assurance becau
se this is a significant cost driver. The higher the assurance level required, t
he higher the cost and vice versa. Usually, investment analysis is structured to
translate system needs and mission into high-level performance, assurance, func
tional, and supportability requirements. However, the assurance requirements are
the significant cost driver because it integrates all the other requirements at
the highest level.
97. The security-planning document created in the development/acquisition phase
of a system development life cycle (SDLC) does not contain which of the followin
g?
a.
b.
c.
d.
97. b. The development and execution of necessary contracting plans and processe
s are a part of other planning components in the development/acquisition phase o
f an SDLC. The other three choices are part of the security-planning document.
98. The security accreditation decision does not exclusively depend on which of
the following?
a.
b.
c.
d.
System
System
System
System
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
certification
accreditation
recertification
reaccreditation
2
3
4
3, and 4
Initiation
Acquisition/development
Implementation
Operation/maintenance
100. d. Configuration management change control and auditing takes place in the
operation/maintenance phase of the SDLC. The phases in the other three choices a
re too early for this activity to take place.
101. Security impact analyses are performed in which of the following configura
tion management processes?
a.
b.
c.
d.
Baseline configuration
Configuration change control
Monitoring configuration changes
Configuration settings
a. 1 and 2
b. 3 only
c. 1, 2, and 3
d. 1, 2, 3, and 4
102. d. The information system physically or logically separates the user functi
onality (including user interface services) from information storage and managem
ent services (for example, database management). Separation may be accomplished
through the use of different computers, different CPUs, different instances of t
he operating system, different network addresses, or a combination of these meth
ods.
103. Reconciliation routines in application systems are a part of which of the
following?
a.
b.
c.
d.
Authorization controls
Integrity or validation controls
Access controls
Audit trail mechanisms
Forensic identification
Active identification
Manual identification
Multiple identifications
Backdoors
Rootkits
Keystroke loggers
Tracking cookies
105. b. Malware categories include viruses, worms, Trojan horses, and malicious
mobile code, as well as combinations of these, known as blended attacks. Malware
also includes attacker tools such as backdoors, rootkits, keystroke loggers, an
d tracking cookies used as spyware. Of all the types of malware attacker tools,
rootkits are traditionally the hardest to detect because they often change the o
perating system at the kernel level, which allows them to be concealed from anti
virus software. Newer versions of rootkits can hide in the master boot record, a
s do some viruses.
106. Which of the following virus obfuscation techniques is difficult for antiv
irus software to overcome?
a.
b.
c.
d.
Self-encryption
Polymorphism
Metamorphism
Stealth
Armoring
Tunneling
Self-decryption
Metamorphism
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
108. d. Although some worms are intended mainly to waste system and network reso
urces, many worms damage systems by installing backdoors, perform distributed de
nial-of-service (DDoS) attacks against other hosts, or perform other malicious a
cts.
109. Which of the following statements are true about malicious mobile code?
1.
2.
3.
4.
It
It
It
It
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
109. d. Malicious mobile code differs significantly from viruses and worms in th
at it does not infect files or does not attempt to propagate itself. Instead of
exploiting particular vulnerabilities, it often affects systems by taking advant
age of the default privileges granted to mobile code. It uses popular languages
such as Java, ActiveX, JavaScript, and VBScript. Although mobile code is typical
ly benign, attackers have learned that malicious code can be an effective way of
attacking systems, as well as a good mechanism for transmitting viruses, worms,
and Trojan horses to users workstations.
110. Blended attacks use which of the following?
1.
2.
3.
4.
Multiple
Multiple
Multiple
Multiple
infection methods
transmission methods
transmission methods simultaneously
infection methods in sequence
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
Source port
Destination port
TCP port
UDP port
a.
b.
c.
d.
1
2
1
3
only
only
or 2
or 4
111. d. Backdoor is a general term for a malicious program that listens for comm
ands on a certain TCP or UDP port. Most backdoors consist of a client component
and a server component. The client resides on the intruders remote computer, and
the server resides on the infected system. When a connection between client and
server is established, the remote intruder has some degree of control over the i
nfected computer. Both source port and destination port are incorrect because th
ey are too generic to be of any use here.
112. A proactive role to protect an organization from computer-related failures
, malfunctions, or disasters is to:
a.
b.
c.
d.
a.
b.
c.
d.
1
2
3
3
only
only
only
and 4
Viruses
Worms
Phishing
Virus hoaxes
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
3
4
114. d. There are two forms of nonmalware threats that are often associated with
malware. The first is phishing attacks, which frequently place malware or other
attacker tools onto systems. The second is virus hoaxes, which are false warnin
gs of new malware threats. Viruses and worms are true forms of malware threats.
115. Which of the following is not an example of a vulnerability mitigation tech
nique for malware?
a.
b.
c.
d.
Patch management
Antivirus software
Least privilege
Host hardening measures
Filtering spam
Filtering website content
Restricting macro use
Blocking Web browser pop-up windows
116. c. Applications such as word processors and spreadsheets often contain macr
o languages; macro viruses take advantage of this. Most common applications with
macro capabilities offer macro security features that permit macros only from t
rusted locations or prompt the user to approve or reject each attempt to run a m
acro. Restricting macro use cannot stop phishing and spyware delivery.
Filtering spam is incorrect because spam is often used for phishing and spyware
delivery (for example, Web bugs often are contained within spam), and it sometim
es contains other types of malware. Using spam-filtering software on e-mail serv
ers or clients or on network-based appliances can significantly reduce the amoun
t of spam that reaches users, leading to a corresponding decline in spam-trigger
ed malware incidents.
Filtering website content is incorrect because website content-filtering softwar
e contains lists of phishing websites and other sites that are known as hostile
(i.e., attempting to distribute malware to visitors). The software can also bloc
k undesired file types, such as by file extension.
Blocking Web browser pop-up windows is incorrect because some pop-up windows are
crafted to look like legitimate system message boxes or websites and can trick
users into going to phony websites, including sites used for phishing, or author
izing changes to their systems, among other malicious actions. Most Web browsers
can block pop-up windows; other can do so by adding a third-party pop-up blocke
r to the Web browser.
117. Which of the following is not a secondary source for malware incident detec
tion?
a.
b.
c.
d.
Antivirus software
Firewall log files
Network-based IPS sensors
Capture files from packet sniffers
117. a. Antivirus software is the primary source of data for malware incident de
tection. Examples of secondary sources include (i) firewall and router log files
, which might show blocked connection attempts, (ii) log files from e-mail serve
rs and network-based IPS sensors, which might record e-mail headers or attachmen
t names, (iii) packet capture files from packet sniffers, network-based IPS sens
ors, and network forensic analysis tools, which might contain a recording of mal
ware-related network traffic. Host-based IPS is also a secondary source.
118. In the application security environment, system or network transparency is
achieved through which of the following security principles?
a.
b.
c.
d.
120. a. Malware test systems and environments are helpful not only for analyzing
current malware threats without the risk of inadvertently causing additional da
mage to the organization, but also for training staff in malware incident handli
ng. An infected production system or a disk image of an infected production syst
em could also be placed into an isolated test environment. Physical separation m
ay not be possible at all times; although, logical separation might be possible.
Both physical and logical separation are important but not as important as usin
g an isolated test system.
121. Which of the following is not part of malware incident detection and analys
is phase?
a.
b.
c.
d.
121. b. Acquiring tools and resources is a part of the preparation phase. These
tools and resources may include packet sniffers and protocol analyzers. The othe
r three choices are incorrect because they are a part of the detection phase. Th
e malware incident response life cycle has four phases, including (i) preparatio
n, (ii) detection and analysis, (iii) containment, eradication, and recovery, an
d (iv) post-incident activity.
122. Which of the following statements is true about application software testi
ng?
a.
b.
c.
d.
Basic testing
Comprehensive
Basic testing
Comprehensive
122. a. Basic testing is a test methodology that assumes no knowledge of the int
ernal structure and implementation details of the assessment object. Basic testi
ng is also known as black-box testing.
Comprehensive testing is a test methodology that assumes explicit and substantia
l knowledge of the internal structure and implementation detail of the assessmen
t object. Comprehensive testing is also known as white- box testing.
Focused testing is a test methodology that assumes some knowledge of the interna
l structure and implementation detail of the assessment object. Focused testing
is also known as gray-box testing.
123. Which of the following cannot handle the complete workload of a malware inc
ident and cannot ensure a defense-in-depth strategy?
a.
b.
c.
d.
Antivirus software
E-mail filtering
Network-based intrusion prevention system software
Host-based IPS software
Security administrators
System administrators
Network administrators
Desktop administrators
It
It
It
It
is easy to detect.
is a resident virus.
can reveal file size increases.
doesnt need to be active to show stealth qualities.
Antivirus software
Spam-filtering software
Spyware detection and removal utility software
Patch management software
1 only
2 and 3
3 and 4
1, 2, 3, and 4
a.
b.
c.
d.
1 and 2
3 only
1, 2, and 3
1, 2, 3, and 4
128. d. Rebuild each affected system by reinstalling and reconfiguring its opera
ting system and applications, securing the operating system and applications, an
d restoring the data from known good backups.
129. Lessons learned from major malware incidents improve which of the followin
g?
1.
2.
3.
4.
Security policy
Software configurations
Malware prevention software deployments
Malware detection software deployments
a.
b.
c.
d.
1 only
1 and 2
3 and 4
1, 2, 3, and 4
129. d. Capturing the lessons following the handling of a malware incident shoul
d help an organization improve its incident handling capability and malware defe
nses, including needed changes to security policy, software configurations, and
malware detection and prevention software deployments.
130. Which of the following is the correct tool and technology deployment seque
nce for containing malware incidents, especially when a worm attacks the network
service?
1.
2.
3.
4.
a. 1, 2, 4, and 3
b. 2, 3, 1, and 4
c. 3, 4, 2, and 1
d. 4, 2, 1, and 3
130. c. When organizations develop strategies for malware incident containment,
they should consider developing tools to assist incident handlers in selecting a
nd implementing containment strategies quickly when a serious incident occurs.
Network- and host-based antivirus software does detect and stop the worm, and id
entify and clean the infected systems.
Host-based firewalls do block worm activity from entering or exiting hosts, reco
nfigure the host-based firewall itself to prevent exploitation by the worm, and
update the host-based firewall software so that it is no longer exploitable.
Network-based firewalls do detect and stop the worm from entering or exiting net
works and subnets.
Internet border and internal routers do detect and stop the worm from entering o
r exiting networks and subnets if the volume of traffic is too high for network
firewalls to handle or if certain subnets need greater protection.
The incorrect sequences listed in the other three choices does not contain malwa
re incidents because their combined effect is not as strong and effective as the
correct sequence.
131. All the following are characteristics of a managed environment dealing with
malware prevention and handling except:
a.
b.
c.
d.
Technical controls
Administrative controls
Behavioral controls
Physical controls
a.
b.
c.
d.
Application access
Administrative access
Privileged access
Root access
$280,000
$500,000
$560,000
$600,000
To
To
To
To
It
It
It
It
is
is
is
is
a
a
a
a
136. a. The Reference Monitor concept is an access control concept that refers t
o an abstract computer mediating all accesses to objects by subjects. It is usef
ul to any system providing multilevel secure computing facilities and controls.
137. Which of the following is a malicious code that replicates using a host pr
ogram?
a. Boot sector virus
b. Worm
c. Multi-partite virus
d. Common virus
137. d. A common virus is a code that plants a version of itself in any program
it can modify. It is a self-replicating code segment attached to a host executab
le.
The boot-sector virus works during computer booting, where the master boot secto
r and boot sector code are read and executed. A worm is a self-replicating progr
am that is self-contained and does not require a host program. A multi-partite v
irus combines both sector and file-infector viruses.
138. Which of the following is not an example of built-in security features?
a. Authentication controls were designed during a system development process.
b. Fail-soft security features were installed.
c. Least-privilege principles were installed during the post-implementation peri
od.
d. Fail-safe security features were implemented.
138. c. Built-in security means that security features are designed into the sys
tem during its development, not after. Any feature that is installed during post
-implementation of a system is an example of built-on security, not built-in. Se
curity and control features must be built in from a cost-benefit perspective.
139. An effective defense against new computer viruses does not include which of
the following?
a.
b.
c.
d.
139. b. Computer virus defenses are expensive to use, ineffective over time, and
ineffective against serious attackers. Virus scanning programs are effective ag
ainst viruses that have been reported and ineffective against new viruses or vir
uses written to attack a specific organization. Program change controls limit th
e introduction of unauthorized changes such as viruses. Redundancy can often be
used to facilitate integrity. Integrity checking with cryptographic checksums in
integrity shells is important to defend against viruses. System or equipment is
olation to limit the spread of viruses is good, too.
140. Which of the following fully characterizes an information systems security?
a.
b.
c.
d.
Confidentiality
Integrity
Assurance
Availability
140. c. System assurance is the basis for confidence that the security measures,
both technical and operational, work as intended to protect the system and the
data and information it processes. For example, software assurance achieves trus
tworthiness and predictable execution.
The three well-accepted and basic-level security objectives are confidentiality,
integrity, and availability, and assurance can be considered an advanced-level
security objective because the former culminates into the latter. What good is a
n information system that cannot provide full assurance with regards to its secu
rity?
141. Which of the following is an example of both preventive and detective cont
rol?
a.
b.
c.
d.
Audit trails
Antivirus software
Policies and procedures
Contingency plans
System
System
System
System
initiation phase
development phase
implementation phase
operation phase
143. b. During the system development phase, the system is designed, purchased,
programmed, developed, or otherwise constructed. During this phase, functional u
sers and system/security administrators develop system controls and audit trails
used during the operational phase.
144. Which of the following levels of the software capability maturity model de
al with security requirements?
a.
b.
c.
d.
Initial level
Repeatable level
Defined level
Optimizing level
145. Which of the following is not a direct method to conduct data leakage attac
ks?
a.
b.
c.
d.
Trojan horse
Asynchronous attacks
Logic bombs
Scavenging methods
145. b. Data leakage is removal of data from a system by covert means, and it mi
ght be conducted directly through the use of Trojan horse, logic bomb, or scaven
ging methods. Asynchronous attacks are indirect attacks on a computer program th
at act by altering legitimate data or codes at a time when the program is idle a
nd then causing the changes to be added to the target program at later execution
.
146. Which of the following infects both boot-sectors and file-infectors?
a.
b.
c.
d.
Worm
Link virus
Multi-partite
Macro
a.
b.
c.
d.
1
2
3
1
and
and
and
and
2
3
4
4
147. c. Hidden code attacks are based on data and information. Using layered pro
tections and disabling active-content code (for example, ActiveX and JavaScript)
from the Web browser are effective controls against such attacks. War dialing s
oftware is good at detecting trapdoors (backdoor modems) and not good against tr
apdoor attacks. Firewalls are effective against spoofing attacks.
148. The scope of a functional configuration audit does not include which of the
following?
a.
b.
c.
d.
Evaluation
Testing of
Tracing of
Evaluation
of change control
software product
system requirements
of test approach and results
ally planned and executed as part of the physical configuration audit include ev
aluation of product composition and structure, product functionality, and change
control.
The functional configuration audit provides an independent evaluation of configu
ration items to determine whether actual functionality and performance are consi
stent with the requirements specifications. Specifically, this audit is conducte
d prior to the software delivery to verify that all requirements specified in th
e requirements document have been met. Activities typically planned and executed
as part of a functional configuration audit include testing of software product
s, tracing of system requirements from their initial specification through syste
m testing, evaluation of the test approach and results attained, and evaluating
the consistency between the baselined product elements.
149. Which of the following statements is not true about applets?
a.
b.
c.
d.
Applets
Applets
Applets
Applets
are
are
are
are
149. a. Applets are small application programs mostly written in Java programmin
g language that are automatically downloaded and executed by applet-enabled Web
browsers.
150. The contingency processes should be tested in which of the following phase
s of system development life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
150. c. The contingency processes should be tested and maintained during the imp
lementation phase of the SDLC. The capability to recover and reconstitute data s
hould be considered during the initiation phase. Recovery strategies should be c
onsidered during the development phase. The contingency plan should be exercised
and maintained during the operation/maintenance phase.
151. Programmers frequently create entry points into a program for debugging pu
rposes and/or insertion of new program codes at a later date. What are these ent
ry points called?
a.
b.
c.
d.
Logic bombs
Worms
Backdoors
Trojan horses
151. c. Backdoors are also called hooks and trapdoors. Logic bomb is incorrect b
ecause it is a program that triggers an unauthorized, malicious act when some pr
edefined condition occurs. Worms are incorrect because they search the network f
or idle computing resources and use them to execute the program in small segment
s. Trojan horses are incorrect because a Trojan horse is a production program th
at has access to otherwise unavailable files and is changed by adding extra, una
uthorized instructions. It disguises computer viruses.
152. Software vendors and contractors can install a backdoor entry into their o
wn products or clients computer systems. Which of the following are major risks a
rising from such installation?
a.
b.
c.
d.
152. a. Some vendors can install a backdoor or a trapdoor entry for remote monit
oring and maintenance purposes. The good news is that the backdoor is a convenie
nt approach to solve operational problems. The bad news is that the backdoor is
wide open for hackers. Also, the vendor can modify the software at will without
the users knowledge or permission. An unhappy vendor can disconnect a user from a
ccessing the software as a penalty for nonpayment or disputes in payment. Access
codes should be required for remote monitoring and maintenance.
153. A macro virus is most difficult to:
a.
b.
c.
d.
Prevent
Detect
Correct
Attach
153. b. A macro virus is associated with a word processing file, which can damag
e the computer system. Macro viruses pass through the firewall with ease because
they are usually passed on as either an e-mail message or simply downloaded as
a text document. The macro virus represents a significant threat because it is d
ifficult to detect. A macro virus consists of instructions in Word Basic, Visual
Basic for applications, or some other macro languages, and resides in documents
. Any application that supports macros that automatically execute is a potential
platform for macro viruses. Now, documents are more widely shared through netwo
rks and the Internet than via disks.
154. Which of the following is most vulnerable to Trojan horse attacks?
a.
b.
c.
d.
154. a. Because the discretionary access control system restricts access based o
n identity, it carries with it an inherent flaw that makes it vulnerable to Troj
an horse attacks. Most programs that run on behalf of a user inherit the discret
ionary access control rights of that user.
155. Which of the following is the best place to check for computer viruses?
a.
b.
c.
d.
Each computer
Each workstation
The e-mail server
Each network
155. c. Virus checkers monitor computers and look for malicious code. A problem
is that virus-checking programs need to be installed at each computer, workstati
on, or network, thus duplicating the software at extra cost. The best place to u
se the virus-checking programs is to scan e-mail attachments at the e-mail serve
r. This way, the majority of viruses are stopped before ever reaching the users.
156. What do you call attacks that can disclose the end users session token and
attack the local machine?
a.
b.
c.
d.
156. d. In cross-site scripting (XSS) flaws, the Web application can be used as
a mechanism to transport an attack to an end users browser. A successful attack c
an disclose the end users session token, attack the local machine, or spoof conte
nt to fool the user.
157. A polymorphic virus uses which of the following?
a.
b.
c.
d.
Inference engine
Heuristic engine
Mutation engine
Search engine
157. c. Virus writers use a mutation engine to transform simple viruses into pol
ymorphic ones for proliferation purposes and to evade detection. The other three
choices do not deal with the transformation process.
158. All the following techniques can help in achieving process isolation securi
ty principle except:
a.
b.
c.
d.
Encapsulation
Naming distinctions
Virtual mapping
Security kernel
Security administrators
System administrators
Network administrators
Desktop administrators
Integrity checkers
Software patching
Host firewalls
Stateful firewalls
Access controls
Audit trails
Passwords
Least privilege principle
162. c. Passwords are administrative controls; although, access controls are tec
hnical controls. Access controls include discretionary access controls and manda
tory access controls. An audit trail is the collection of data that provides a t
race of user actions, so security events can be traced to the actions of a speci
fic individual. To fully implement an audit trails program, audit reduction and
analysis tools are also required. Least privilege is a concept that deals with l
imiting damage through the enforcement of separation of duties. It refers to the
principle that users and processes should operate with no more privileges than
those needed to perform the duties of the role they are currently assuming.
163. Which of the following security principle balances various variables such
as cost, benefit, effort, value, time, tools, techniques, gain, loss, risks, and
opportunities involved in a successful compromise of security features?
a.
b.
c.
d.
Compromise recording
Work factor
Psychological acceptability
Least common mechanism
163. b. The goal of work factor principle is to increase an attackers work factor
in breaking an information system or a networks security features. The amount of
work required for an attacker to break the system or network (work factor) shou
ld exceed the value that the attacker would gain from a successful compromise. V
arious variables such as cost and benefit; effort; value (negative and positive)
; time; tools and techniques; gains and losses; knowledge, skills, and abilities
(KSAs); and risks and opportunities involved in a successful compromise of secu
rity features must be balanced.
The principle of compromise recording means computer or manual records and logs
should be maintained so that if a compromise does occur, evidence of the attack
is available. The recorded information can be used to better secure the host or
network in the future and can assist in identifying and prosecuting attackers.
The principle of psychological acceptability encourages the routine and correct
use of protection mechanisms by making them easy to use, thus giving users no re
ason to attempt to circumvent them. The security mechanisms must match the users
own image of protection goals.
The principle of least common mechanism requires the minimal sharing of mechanis
ms either common to multiple users or depended upon by all users. Sharing repres
ents possible communications paths between subjects used to circumvent security
policy.
164. Certification and accreditation needs must be considered in all the followi
ng phases of system development life cycle except:
a. Initiation
b. Development/acquisition
c. Implementation
d. Operation/maintenance
164. d. Certifications performed on applications under development are interleav
ed with the system development process. Certification and accreditation needs mu
st be considered in the validation, verification, and testing phases employed th
roughout the system development process (i.e., development and implementation).
It does not address the operation/maintenance phase.
165. A security evaluation report and an accreditation statement are produced i
n which of the following phases of the system development life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Operation/maintenance
Implementation
165. d. The major outputs from the implementation (testing) phase include the se
curity evaluation report and accreditation statement. The purpose of the testing
phase is to perform various tests (unit, integration, system, and acceptance).
Security features are tested to see if they work and are then certified.
166. Which of the following phases of a system development life cycle (SDLC) sho
uld not be compressed so much for the proper development of a prototype?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
167. a. Managers still need to define what they want from the system, some asses
sment of costs/benefits is still needed, and a plan to proceed with individual r
esponsibilities is still required. The difference may be in the way activities a
re accomplished. The tools, techniques, methods, and approaches used in the prot
otype development project and traditional system development project are differe
nt.
168. A general testing strategy for conducting an application software regressi
on testing includes which of the following sequence of tasks?
a.
b.
c.
d.
168. c. Each test program involves preparing the executable program, executing i
t, and deleting it. This saves space on mass storage and generates a complete lo
g. This approach is recommended for debugging and validating purposes. Read, ins
ert, and delete include the transfer of all rows from Table A to Table B in that
a table is read, inserted, and deleted. A source program is precompiled, linked
, and compiled to become an object or executable program. A source program is te
sted (errors discovered), debugged (errors removed), and logged for review and f
urther action.
169. Which of the following tests would be conducted when an application system
in an organization exchanges data with external application systems?
a.
b.
c.
d.
Unit test
Integration test
End-to-end test
System acceptance test
169. c. The purpose of end-to-end testing is to verify that a defined set of int
errelated systems, which collectively support an organizational core business ar
ea or function, interoperate as intended in an operational environment. These in
terrelated systems include not only those owned and managed by the organization,
but also the external systems with which they interface.
Unit test is incorrect because its purpose is to verify that the smallest define
d module of software (i.e., individual subprograms, subroutines, or procedures)
works as intended. These modules are internal to an organization. Integration te
st is incorrect because its purpose is to verify that units of software, when co
mbined, work together as intended. Typically, a number of software units are int
egrated or linked together to form an application. Again, this test is performed
internally in an organization. System acceptance test is incorrect because its
purpose is to verify that the complete system satisfies specified requirements a
nd is acceptable to end users.
170. Which of the following can give a false sense of security?
a.
b.
c.
d.
A
A
A
A
test
test
test
test
tool
tool
tool
tool
that
that
that
that
requires
produces
requires
requires
planning.
error-free software.
time and effort.
experience to use
171. c. Errors are made in several places and times: (i) when source code is dev
eloped, (ii) when modules are initially written, (iii) when an enhancement is be
ing added to a module, (iv) when another error is fixed, and (v) when code is be
ing moved from one module to another. Software configuration management products
have a backtracking feature to correct these types of errors. The product shoul
d list the exact source code changes that make up each build. Then, these change
s are examined to identify which one can create the new error. The concept of ch
eck-in/check-out software enables multiple developers to work on a project witho
ut overwriting one anothers work. It is a fundamental method of preventing errors
from being included or reintroduced into software modules.
172. Which of the following requires a higher level of security protection in t
erms of security controls?
a.
b.
c.
d.
Test
Test
Test
Test
procedures
cases
repository
plans
172. c. The test repository consists of test plans, test cases, test procedures,
test requirements, and test objectives maintained by the software test manager.
Because of the concentrated work products, the test repository needs a higher l
evel of security protection from unauthorized changes. Test procedures, test cas
es, and test plans are part of test repository.
173. From a security viewpoint, which of the following pose a severe security p
roblem?
a.
b.
c.
d.
Unattended
Unattended
Unattended
Unattended
computer operations
computer terminal
software testing
facsimile machine
174. c. Fan-in and fan-out are based on program coupling. Fan-in is a count of t
he number of modules that call a given module, and fan-out is a count of the num
ber of modules that are called by a given module. Both fan-in and fan-out measur
e program complexity. Check-in and check-out are program change controls where d
ocuments or data/program files will have a check-in or check-out indicator in sy
stem libraries to prevent their concurrent use by programmers and computer progr
ams.
175. Which of the following application software libraries can raise questions
about data ownership rights?
a.
b.
c.
d.
Test library
Quality assurance library
Reusable library
Production library
175. c. A reusable library can improve software productivity and quality by incr
easing the efficient reuse of error-free code for both new and modified applicat
ion software. Who owns the reusable code? is a legal question that requires a care
ful answer due to difficulty in tracing to the original author of the software.
A test library is incorrect because it is where the new software is developed or
the existing software is modified. A quality assurance library is incorrect bec
ause it is a staging area where final quality reviews and production setup proce
dures take place. A production library is incorrect because it is the official p
lace where operational programs reside and execute to process data. Data ownersh
ip rights in these three libraries (test, quality assurance, and production) are
clear and traceable to the author(s).
176. Which of the following application software testing approaches does not req
uire stubs or drivers?
a.
b.
c.
d.
Top-down approach
Bottom-up approach
Sandwich approach
Big-bang approach
176. d. The big-bang approach puts all the units or modules together at once, wi
th no stubs or drivers. In it, all the program units are compiled and tested at
once.
Top-down approach is incorrect because it uses stubs. The actual code for lower
level units is replaced by a stub, which is a throwaway code that takes the plac
e of the actual code. Bottom-up approach is incorrect because it uses drivers. U
nits at higher levels are replaced by drivers that emulate the procedure calls.
Drivers are also a form of throwaway code. Sandwich approach is incorrect becaus
e it uses a combination of top-down (stubs) and bottom-up (drivers) approaches.
177. Which of the following is a less-formal review technique?
a.
b.
c.
d.
Inspections
Traceability analysis
Reviews
Walkthroughs
Inspections
Code reading
Testing
Tracing
179. c. Dynamic analysis techniques involve the execution of a product and analy
sis of its response to sets of input data to determine its validity and to detec
t errors. The behavioral properties of the program are also observed. The most c
ommon type of dynamic analysis technique is testing. Testing of software is usua
lly conducted on individual components (for example, subroutines and modules) as
they are developed, on software subsystems when they are integrated with one an
other or with other system components, and on the complete system. Another type
of testing is acceptance testing performed before the user accepts the product.
Inspections, code reading, and tracing are examples of static analysis. Static a
nalysis is the analysis of requirements, design, code, or other items either man
ually or automatically, without executing the subject of the analysis to determi
ne its lexical and syntactic properties as opposed to its behavioral properties.
180. Decision tables are used in which of the following phases of a system deve
lopment life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
180. a. The purpose of decision tables is to provide a clear and coherent analys
is of complex logical combinations and relationships. This method uses two-dimen
sional tables to concisely describe logical relationships between Boolean progra
m variables (for example, AND and OR). Advantages of decision tables include (i)
their conciseness and tabular nature enables the analysis of complex logical co
mbinations expressed in code and (ii) they are potentially executable if used as
specifications. Disadvantages include that they require tedious effort. The req
uirements analysis, which is a part of initiation phase, is the best place to us
e the decision table.
181. Data-flow diagrams are used in which of the following phases of a system d
evelopment life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
181. a. Data-flow diagrams are used to describe the data flow through a program
in a diagrammatic form. They show how data input is transformed to output, with
each stage representing a distinct transformation. The diagrams use three types
of components:
1. Annotated bubbles represent transformation centers, and the annotation specif
ies the transformation.
2. Annotated arrows represent the data flow in and out of the transformation cen
Initiation
Development/acquisition
Implementation
Operation/maintenance
Initiation
Development/acquisition
Implementation
Operation/maintenance
Initiation
Development/acquisition
Implementation
Operation/maintenance
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
Requirements
Design
Implementation
Maintenance
Initiation
Development/acquisition
Implementation
Operation/maintenance
188. a. The purpose of formal methods is to check whether software fulfills its
intended function. It involves the use of theoretical and mathematical models to
prove the correctness of a program without executing it. The requirements shoul
d be written in a formal specification language (for example, VDM and Z) so that
these requirements can then be verified using a proof of correctness. Using thi
s method, the program is represented by a theorem and is proved with first-order
Prototyping
Reviews
Simulation
Walkthroughs
Initiation
Development/acquisition
Implementation
Operation/maintenance
a.
b.
c.
d.
Regression testing
Interoperability testing
Load testing
Security testing
Functional testing
Performance testing
Resiliency testing
Recovery testing
After
After
After
After
completion
completion
completion
completion
of
of
of
of
integration testing
unit testing
systems testing
acceptance testing
193. a. Integration testing is the cutoff point for the development project, and
, after integration, it is labeled the back end. Integration is the development
phase in which various parts and components are integrated to form the entire so
ftware product, and, usually after integration, the product is under formal chan
ge control. Specifically, after integration testing, every change of the softwar
e must have a specific reason and must be documented and tracked. It is too earl
y to have a formal change control mechanism during unit testing because of const
ant changes to program code. It is too late to have a formal change control mech
anism after completing system and acceptance testing.
194. What is the correct sequence of application software testing?
a. Integration test, unit test, systems test, acceptance test
b. Unit test, systems test, integration test, acceptance test
195. c. Activity logs contain a record of all the test cases executed. Incident
reports show a priority assigned to test problems during test execution. All inc
idents logged should be resolved within a reasonable time. Software versioning c
ontrols the program source versions to ensure that there is no duplication or co
nfusion between multiple versions.
Test cases and test documentation are incorrect because test cases contain a lis
ting of all possible tests to be executed with their associated data and test do
cumentation includes test plans, test objectives, and approaches.
Test summaries and test execution reports are incorrect because test summary is
a brief description of what is changing. Key words are used so that project pers
onnel reading the log can scan for items that may affect their work. Test execut
ion reports show a status of software testing execution to management with summa
ry information.
Test cases rejected and test cases accepted are incorrect because they simply li
st what test cases were rejected or accepted. The documents such as test cases,
test documentation, test summaries, test execution reports, and test cases rejec
ted and accepted do not have the same monitoring and controlling effect as do th
e documents such as activity logs, incident reports, and software versioning.
196. Which of the following software testing levels is least understood by softw
are developers and end users?
a.
b.
c.
d.
Integration testing
Unit testing
System testing
Module testing
196. a. Integration testing is conducted when software units are integrated with
other software units or with system components. Its objective is to test the in
terfaces among separately tested program units. Software integration tests check
how the units interact with other software (for example, libraries) and hardwar
e. Integration testing is in the middle; it is neither unit testing nor system t
esting. The approach to integration testing varies such as top-down, bottom-up,
a combination of top-down and bottom-up (sandwich), or all-at-once (big-bang) ap
proaches. Due to a variety of ways, integration testing can be conducted and bec
ause there is no base document such as specifications to rely upon for testing c
reates difficulty in understanding the objectives of integration testing clearly
.
Unit testing and module testing are incorrect because they are best understood o
f all. Unit testing is the same as module testing. Unit/module test cases are de
rived from the detailed design documentation of the unit. Each unit or module ha
s a defined beginning and ending and deals with specific inputs and outputs. Bou
ndaries are also well defined.
System testing is incorrect because it is better understood than integration tes
ting. End users know what they expect from the system because it is based on fun
ctional instead of structural knowledge. System test cases are derived from the
requirements specification document.
197. Which of the following system development approaches is best when system re
quirements are fully understood by either the end user or the software developer
?
a.
b.
c.
d.
Waterfall model
Incremental development model
Evolutionary development model
Rapid prototyping model
197. a. Functional decomposition works best when the system requirements are com
pletely understood by the software developer or the end user. The waterfall mode
l works with the functional decomposition principle. It assumes that system requ
irements can be defined thoroughly, and that end users know exactly what they wa
nted from the system.
Incremental and evolutionary development models are incorrect because successive
versions of the system are developed reflecting constrained technology or resou
rces. Requirements are added in a layered manner.
Rapid prototyping model is incorrect because it is quite opposite to the waterfa
ll model. That is, it is good when requirements are not fully understood by both
parties. Due to the iterative process, the specification-to-customer feedback c
ycle time is reduced, thus producing early versions of the system.
198. Which of the following is the least beneficial of an application software t
est log?
a.
b.
c.
d.
198. c. An application software test log has several benefits. Reporting problem
s for the sake of reporting/compliance to a policy or a procedure is the least b
eneficial. What is done with the report is more important than just reporting. T
he other three choices are incorrect because they are the most important benefit
s. The log shows a record of all problems encountered during testing so events c
an be traced for verification. The log can also be used as a training tool for n
ew testers because the log shows what happened in the past. Most of all, the log
indicates what the tester did or did not do during testing. It forces testers t
o document the actions or decisions taken place during testing.
199. The application software test objective of verifying boundary conditions o
f a program is achieved in which of the following types of software testing appr
oaches?
a.
b.
c.
d.
Stress testing
Conversion testing
Performance testing
Regression testing
199. a. Stress testing involves the response of the system to extreme conditions
(for example, with an exceptionally high workload over a short span of time) to
identify vulnerable points within the software and to show that the system can
withstand normal workloads. Examples of testing conditions that can be applied d
uring stress testing include the following: (i) if the size of the database play
s an important role, then increase it beyond normal conditions, (ii) increase th
e input changes or demands per time unit beyond normal conditions, (iii) tune in
fluential factors to their maximum or minimal speed, and (iv) for the most extre
me cases, put all influential factors to the boundary conditions at the same tim
e.
Waterfall model
Object-oriented model
Prototype model
Spiral model
200. b. The notion of software component reuse has been developed with the inven
tion of object-oriented development approach. After the design model has been cr
eated, the software developer browses a library, or repository, that contains ex
isting program components to determine if any of the components can be used in t
he design at hand. If reusable components are found, they are used as building b
locks to construct a prototype of the software.
The waterfall model is incorrect because it takes a linear, sequential view of t
he software engineering process. The waterfall method is another name for the cl
assic software development life cycle.
The prototype model is incorrect because it is a process that enables the develo
per to create a model of the software built in an evolutionary manner.
The spiral model is incorrect because it is another type of evolutionary model.
It has been developed to provide the best feature of both the classic life cycle
approach and prototyping. None of these three choices provide for software reus
e.
201. Security categorization is performed in which of the following phases of a
n application system development life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operations/maintenance
Initiation
Development/acquisition
Implementation
Operations/maintenance
b. Development/acquisition
c. Implementation
d. Operations/maintenance
203. d. Continuous monitoring ensures that controls continue to be effective in
their application through periodic testing and evaluation. It is a task performe
d in the operation/maintenance phase.
204. Which of the following are examples of local threats in Windows Extreme Pr
ogramming (XP) systems?
a.
b.
c.
d.
205. b. According to the open Web application security project, information from
Web requests is not validated before being used by a Web application leading to
vulnerability from invalidated input.
206. What do you call it when attacks consume Web application resources to a po
int where other legitimate users can no longer access or use the application?
a.
b.
c.
d.
Buffer overflows
Injection flaws
Denial-of-service
Improper error handling
b. Injection flaws
c. Denial-of-service
d. Improper error handling
207. d. Improper error handling means error conditions that occur during normal
operation are not handled properly. If an attacker can cause errors to occur tha
t the Web application does not handle, they can gain detailed system information
, deny service, cause security mechanisms to fail, or crash the server.
208. The information systems security analysts participation in which of the fol
lowing system development life cycle (SDLC) phases provides maximum benefit to t
he organization?
a.
b.
c.
d.
208. a. It is during the system requirements definition phase that the project t
eam identifies the required controls needed for the system. The identified contr
ols are then incorporated into the system during the design phase. When there is
a choice between the system requirements definition phase and the design phase,
the auditor would benefit most by participating in the former phase. The analys
t does not need to participate in the program development or testing phase.
209. What is a malicious unauthorized act that is triggered upon initiation of
a predefined event or condition and resides within a computer program known as?
a.
b.
c.
d.
Logic bomb
Computer virus
Worm
NAK attack
209. a. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set
to trigger at a particular time, whereas the logic bomb is set to trigger at a
particular condition, event, or command. The logic bomb could be a computer prog
ram or a code fragment.
Computer virus is incorrect because it reproduces by making copies of it and inser
ting them into other programs. Worm is incorrect because it searches the network
for idle computing resources and uses them to execute the program in small segm
ents. NAK (negative acknowledgment character) attack is incorrect because it is
a penetration technique capitalizing on a potential weakness in an operating sys
tem that does not handle asynchronous interrupts properly, thus leaving the syst
em in an unprotected state during such interrupts. NAK uses binary synchronous c
ommunications where a transmission control character is sent as a negative respo
nse to data received. Here, negative response means data was not received correc
tly or that a command was incorrect or unacceptable.
210. What is the name of the malicious act of a computer program looking normal
but containing harmful code?
a.
b.
c.
d.
Trapdoor
Trojan horse
Worm
Time bomb
210. b. A Trojan horse fits the description. It is a program that performs a use
ful function and an unexpected action as well as a form of virus.
Trapdoor is incorrect because it is an entry point built into a program created
by programmers for debugging purposes. Worm is incorrect because it searches the
network for idle computing resources and uses them to execute a program in smal
l segments. Time bomb is incorrect because it is a part of a logic bomb, where a
damaging act triggers at some period of time after the bomb is set.
Managed level
Optimizing level
Defined level
Repeatable level
Functional test
Performance test
Stress test
Security test
212. d. The purpose of security testing is to assess the robustness of the syste
ms security capabilities (for example, physical facilities, procedures, hardware,
software, and communications) and to identify security vulnerabilities. All the
tests listed in the question are part of system acceptance tests where the purp
ose is to verify that the complete system satisfies specified requirements and i
s acceptable to end users.
Functional test is incorrect because the purpose of functional or black-box test
ing is to verify that the system correctly performs specified functions. Perform
ance test is incorrect because the purpose of performance testing is to assess h
ow well a system meets specified performance requirements. Examples include spec
ified system response times under normal workloads (for example, defined transac
tion volumes) and specified levels of system availability and mean-times-to-repa
ir. Stress test is incorrect because the purpose of stress testing is to analyze
system behavior under increasingly heavy workloads (for example, higher transac
tion rates), severe operating conditions (for example, higher error rates, lower
component availability rates), and, in particular, to identify points of system
failure.
213. When does a major risk in application software prototyping occur?
a.
b.
c.
d.
213. a. The application software prototype becoming the finished system is a maj
or risk in prototyping unless this is a conscious decision, as in evolutionary p
rototyping where a pilot system is built, thrown away, another system is built,
and so on. Inflated user expectations is a risk that can be managed with proper
education and training. Paying attention to cosmetic details is not bad except t
hat it wastes valuable time. The prototype model is supposed to be iterated many
times because that is the best way to define and redefine user requirements and
security features until satisfied.
214. Security planning is performed in which of the following phases of a syste
m development life cycle (SDLC)?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operations/maintenance
Initiation
Development/acquisition
Implementation
Operations/maintenance
215. c. Security certification ensures that the controls are effectively impleme
nted through established verification techniques and procedures and gives an org
anization confidence that the appropriate safeguards and countermeasures are in
place to protect the organizations information systems. Security accreditation pr
ovides the necessary security authorization of an information system to process,
store, or transmit information that is required. Both security certification an
d accreditation tasks are performed in the implementation phase.
216. Which of the following actions is performed in the detailed design phase o
f a system development life cycle (SDLC) project?
a.
b.
c.
d.
Defining control,
Developing screen
Identifying major
Developing system
216. b. A detailed design occurs after the general design is completed where kno
wn tasks are described and identified in a much more detailed fashion and are re
ady for program design and coding. This includes developing screen/program flows
with specifications, input and output file specifications, and report specifica
tions.
The other three choices are incorrect because, by definition, they are examples
of activities taking place in the general design phase. System requirements are
the input to the general design where the system is viewed from top-down and whe
re higher-level design issues are addressed. This includes (i) identifying the p
urpose and major functions of the system and its subsystems, (ii) defining contr
ol, security, and audit requirements, and (iii) developing system justification
for the approval of analysis of alternative design choices.
217. When attackers compromise passwords, keys, and session cookies, it can lea
d to which of the following flaws?
a.
b.
c.
d.
217. c. Broken authentication means account credentials and session tokens are n
ot properly protected. Attackers that can compromise passwords, keys, session co
okies, or other tokens can defeat authentication restrictions and assume other u
sers identities.
218. Attackers use which of the following to corrupt a Web application executio
n stack?
a.
b.
c.
d.
Buffer overflows
Injection flaws
Denial-of-service
Improper error handling
218. a. Buffer overflows occur when web application components (for example, com
mon gateway interface, libraries, drivers, and Web application servers) that do
not properly validate input can be crashed and, in some cases, used to take cont
rol of a process.
219. When Web applications use cryptographic factors that were proven difficult
to code properly, it can lead to which of the following?
a.
b.
c.
d.
Insecure storage
Improper error handling
Injection flaws
Insecure configuration management
220. a. Layering, abstraction, and data hiding are part of security design archi
tecture. The other three choices deal with security control architecture. Layeri
ng uses multiple, overlapping protection mechanisms to address the people, techn
ology, and operational aspects of IT. Abstraction is related to stepwise refinem
ent and modularity of computer programs. Data hiding is closely related to modul
arity and abstraction and, subsequently, to program maintainability.
221. Which of the following best defines adequate information security?
1.
2.
3.
4.
Security commensurate
Operating systems and
Operating systems and
Operating systems and
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
221. d. Adequate information security means (i) security commensurate with the r
isk and the magnitude of harm resulting from the loss, misuse, or unauthorized a
ccess to or modification of information, (ii) operating systems and applications
operate effectively, (iii) operating systems and applications provide appropria
te confidentiality (C), integrity (I), and availability (A), known as CIA securi
ty objectives, and (iv) security objectives use cost-effective management, opera
tional, and technical controls (security controls).
222. Computer viruses continue to pose a threat to the following computer servic
es except:
a.
b.
c.
d.
Integrity
Availability
Confidentiality
Usability
of computer services, and end users may not use the system due to loss of files
or disruption of services.
223. Which of the following should have extremely limited access in a client/se
rver environment?
a.
b.
c.
d.
Source code
Object code
Executable code
Machine code
223. a. Access to source code can provide tremendous assistance to any criminal
wishing to penetrate a systems security. Without the source code, an intruder has
to probe through a system to find its flaws. Access to the source code helps th
e intruder to identify gaps or flaws in security. It is important to ensure that
adequate security is provided for the systems source code. It is not good to all
ow source code to reside on client machines or on the server. It should be locat
ed only on a workstation belonging to the configuration management group. The wo
rkstation should have extremely limited access. If the workstation can be discon
nected from the network most of the time, that would provide additional security
for the source code. Moreover, the source code is in human-readable format whil
e the other three types of codes listed are not.
224. In the context of a reference monitor concept, a reference validation mech
anism doesn t need to meet which one of the following design requirements?
a.
b.
c.
d.
The
The
The
The
reference
reference
reference
reference
validation
validation
validation
validation
mechanism
mechanism
mechanism
mechanism
must
must
must
must
be tamperproof.
be large.
not be bypassed.
always be invoked.
Waterfall model
Incremental development model
Evolutionary development model
Rapid prototyping model
225. d. Due to its iterative process and end-user involvement, the rapid prototy
pe model brings the operational viewpoint to the requirements specification phas
e. Requirements are defined, refined, tested, and changed until the end user can
not change it any more. Later, these requirements will become input to the desig
n work.
Waterfall model is incorrect because it will not bring the operational viewpoint
to the requirements phase until the system is completely implemented. Although
the incremental development model and the evolutionary development models are be
tter than the waterfall model, they are not as good as rapid prototyping in term
s of bringing the operational viewpoint to the requirements specification.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 11.
The RGO Company is undertaking a new business process that represents a 15 perce
nt increase in volume and a 10 percent increase in the number of employees. The
business is dependent on software to run remote processing. The new process need
Initiation
Development/acquisition
Implementation
Operations/maintenance
Initiation
Development/acquisition
Implementation
Operations/maintenance
Initiation
Development/acquisition
Implementation
Operations/maintenance
Initiation
Development/acquisition
Implementation
Operations/maintenance
c. Implementation
d. Operations/maintenance
5. d. Continuous monitoring ensures that controls continue to be effective in th
eir application through periodic testing and evaluation. It is a task performed
in the operation/maintenance phase.
6. Media sanitization is performed in which of the following phases of an SDLC?
a.
b.
c.
d.
Development/acquisition
Implementation
Operations/maintenance
Disposition
6. d. Media sanitization ensures that data is deleted, erased, and written over
as necessary. It is a task performed in the disposition phase.
7. Security controls and audit trails should be built into computer systems in
which of the following SDLC phases?
a.
b.
c.
d.
System
System
System
System
initiation phase
development phase
implementation phase
operation phase
is designed, purchased, pr
this phase, functional use
controls and audit trails
statement are produced in
8. d. Major outputs from the testing phase include the security evaluation repor
t and accreditation statement. The purpose of the testing phase is to perform va
rious tests (unit, integration, system, and acceptance). Security is tested to s
ee if it works and is then certified.
9. Which of the following phases of a system development life cycle (SDLC) shou
ld not be compressed so much for the proper development of a prototype?
a.
b.
c.
d.
Initiation
Development/acquisition
Implementation
Operation/maintenance
11. c. Each test program involves preparing the executable program, executing it
, and deleting it. This saves space on mass storage and generates a complete log
. This approach is recommended for debugging and validating purposes. Read, inse
rt, and delete include the transfer of all rows from Table A to Table B in that
a table is read, inserted, and deleted. A source program is precompiled, linked,
and compiled to become an object or executable program.
Sources and References
Capability Maturity Model for Software, Version 1.1, Technical Report, CMU/SEI-93TR-024, Software Engineering Institute (SEI), Carnegie Mellon University (CMU),
Pittsburg, Pennsylvania, February 1993. (www.sei.cum.edu/publications/documents/
93.reports/93.tr.024.html).
The Case for Using Layered Defenses to Stop Worms (NSA Report# C43-002R-2004), Nat
ional Security Agency (NSA), Fort Meade, Maryland, June 2004.
Guide for the Security Certification and Accreditation of Federal Information Sys
tems (NIST SP800-37), National Institute of Standards and Technology (NIST), U.S.
Department of Commerce, Gaithersburg, Maryland, May 2004.
Guide to Securing Microsoft Windows XP Systems for IT Professionals (NIST SP800-6
8R1), National Institute of Standards and Technology (NIST), U.S. Department of C
ommerce, Gaithersburg, Maryland, October 2008.
Guidelines on Active Content and Mobile Code (NIST SP800-28 V2 Draft), National In
stitute of Standards and Technology (NIST), U.S. Department of Commerce, Gaither
sburg, Maryland, August 2007.
Information Security Handbook: A Guide for Managers (NIST SP800-100 Draft), Chapte
r 3, System Development Life Cycle, National Institute of Standards and Technolo
gy (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2006.
Information Security Handbook: A Guide for Managers (NIST SP800-100 Draft), Chapte
r 11, Certification, Accreditation, and Security Assessments, National Institute
of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg,
Maryland, June 2006.
Information Security Handbook: A Guide for Managers (NIST SP800-100 Draft), Chapte
r 14, Configuration Management, National Institute of Standards and Technology (
NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2006.
An Introduction to Computer Security: The NIST Handbook (NIST SP800-12), National
Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaith
ersburg, Maryland, October 1995.
The Open Web Application Security Project, (www.owasp.org), January 2004.
Security Considerations in the Information Systems Development Lifecycle (NIST SP
800-64R1), National Institute of Standards and Technology (NIST), U.S. Department
of Commerce, Gaithersburg, Maryland, October 2003.
Security Requirements for Cryptographic Modules (NIST FIPS PUB 140-3 Draft), Natio
nal Institute of Standards and Technology (NIST), U.S. Department of Commerce, G
aithersburg, Maryland, July 2007.
Source Code Security Analysis Tool Functional Specification (NIST SP500-268 V1), N
ational Institute of Standards and Technology (NIST), U.S. Department of Commerc
e, Gaithersburg, Maryland, May 2007.
Domain 5
Cryptography
Traditional Questions, Answers, and Explanations
1. For security protection mechanisms for cryptographic data in storage, backup
, and archives, the storage of keying material is a part of which of the followi
ng cryptographic services?
a.
b.
c.
d.
Confidentiality
Availability
Integrity
Labels
1. b. The availability service for data in storage deals with backup and archive
storages. During a keys crypto-period, keying material (i.e., keys and initializ
ation vectors) should be stored in both normal operational storage and in backup
storage. After the end of a keys crypto-period, keying material should be placed
in archive storage. The other three choices do not deal with backup and archive
storages.
2. Which of the following is referred to when two cryptographic key component h
olders manage the process of handling the two components of a cryptographic key?
a.
b.
c.
d.
Key
Key
Key
Key
list
escrow
loader
exchange
DNSSEC-aware resolver
Key rollover
Zone signing key
Key signing key
4. b. Key rollover is the process of generating and using a new key (symmetric o
r asymmetric key pair) to replace one already in use. Rollover is done because a
key has been compromised as a result of usage and age.
The DNSSEC-aware resolver is incorrect because it is an entity that sends DNS qu
eries, receives DNS responses, and understands the DNSSEC specification, even if
it is incapable of performing validation. A zone-signing key is incorrect becau
se it is an authentication key that corresponds to a private key used to sign a
zone. A key signing key is incorrect because it is an authentication key that co
rresponds to a private key used to sign one or more other authentication keys fo
r a given zone.
5. Which of the following protocols is used to encrypt individual messages?
a.
b.
c.
d.
Max-entropy
Min-entropy
Guessing entropy
Min-Max entropy
Change keys
Increase key length
Change protocol
Change algorithm
a.
b.
c.
d.
1
2
3
1
and
and
and
and
2
3
4
3
7. a. Changing cryptographic keys frequently and increasing the key length can f
ight against the brute force attacks on keys. Changing protocols and algorithms
cannot fight against the brute force attacks because the changed protocols and a
lgorithms could be subjected to the same attacks or different attacks.
8. For cryptography, what is nonce?
a.
b.
c.
d.
DES
RSA-512 bit key
AES-128 bit key
RC2
a.
b.
c.
d.
a.
b.
c.
d.
1
2
1
3
or
or
or
or
2
3
3
4
12. b. Most commonly, the certificate revocation lists (CRLs) are distributed vi
a lightweight directory access protocol (LDAP) directories or Web servers. The c
ertificate management protocol (CMP) and HTTP uniform resource locators (HTTP UR
Ls) are not used to distribute CRLs. Both the LDAP and HTTP URLs are used to spe
cify the location of CRLs. Both certification authority (CA) and registration au
thority (RA) software support the use of a certificate management protocol (CMP)
. An LDAP is a centralized directory that becomes a major focal point as a tool
for access control.
13. Which of the following is generally the most difficult method of attacking
a computer system?
a.
b.
c.
d.
Password cracking
Packet sniffing
Encryption key breaking
Sendmail
15. b. The transport layer security (TLS) and secure socket layer (SSL) protocol
s are the primary end-to-end security protocols used to protect information on t
he Internet. TLS is an enhanced version of SSL; these protocols are similar but
not identical. TLS is a robust protocol that is used to protect various links, s
uch as authentication server to a wireless access point, the electronic mail lin
k between client and server, or dedicated network infrastructure applications pr
imarily involving machines with no human user involvement.
16. Which of the following are examples of mandatory-to-implement cryptographic
algorithms that do not provide adequate security over computer networks?
a.
b.
c.
d.
AES or 3-TDEA
RSA or ECDSA
DES or RC2
DH or ECDH
DH key agreement
RSA key transport
Ephemeral DH key
Static-to-static DH key agreement
a.
b.
c.
d.
Key
Key
Key
Key
transport
update
wrapping
bundle
18. c. A key used for key wrapping is known as a key encrypting key, which is us
ed to encrypt a symmetric key using another symmetric key. Key wrapping provides
both confidentiality and integrity protection using a symmetric key.
The other three choices are not used in key wrapping. Key transport is a key est
ablishment procedure whereby one party (sender) selects and encrypts the keying
material and then distributes the material to another party (the receiver). Key
update is a function performed on a cryptographic key to compute a new but relat
ed key. Key bundle is a set of keys used during one operation, typically a TDEA
operation.
19. Which of the following represents the correct order of nodes (from highest
to lowest) in a cryptographic key management infrastructure?
1.
2.
3.
4.
Client node
User entities
Key processing facility
Service agent
a.
b.
c.
d.
4,
3,
3,
2,
2,
4,
4,
4,
3,
1,
2,
1,
and
and
and
and
1
2
1
3
hy, each user independently generates two mathematically related keys. One is ty
pically made public, so it is referred to as the public key. The other is kept p
rivate, so it is referred to as the users private key. The public key becomes in
effect part of the users identity and should be made well known as necessary, lik
e a phone number. Conversely, the private key should be known only to the user b
ecause it can be used to prove ownership of the public key and thus the users ide
ntity. It is computationally infeasible to derive a users private key from the co
rresponding public key, so free distribution of the public key poses no threat t
o the secrecy of the private key.
The private key component of the public key cryptography is used to create the d
igital signatures. Similar to a written signature, a digital signature is unique
to the signer except that it can be verified electronically. This is made possi
ble by the fact that in public key crypto-systems, digital signatures are genera
ted with the private key component of the public/private key pair. The correspon
ding public key is used to verify the signature. Because a given users private ke
y does not need to be shared with other parties, there is a strong association b
etween the users identity and possession of the private key.
Key escrow cryptographic techniques are used in electronic surveillance of telec
ommunications by law enforcement officials. A definition of a key escrow system
is that an encryption key or a document is delivered to a third person to be giv
en to the grantee only upon the fulfillment of a condition. A key escrow system
is one that entrusts the two components comprising a cryptographic key (for exam
ple, a device unique key) to two key component holders (also called escrow agents)
.
The key component holders provide the components of a key to a grantee (for exampl
e, a law enforcement official) only upon fulfillment of the condition that the g
rantee has properly demonstrated legal authorization to conduct electronic surve
illance of telecommunications encrypted using the specific device whose device u
nique key is being requested. The key components obtained through this process a
re then used by the grantee to reconstruct the device unique key and obtain the
session key that is then used to decrypt the telecommunications that are encrypt
ed with that session key. The digital signature does not use the key escrow cryp
tography.
The primary feature distinguishing secret key algorithms is the use of a single
secret key for cryptographic processing. The use of advanced encryption standard
(AES) is an example of secret key cryptography. The AES algorithm can be implem
ented with reasonable efficiency in the firmware of a smart token. Electronic si
gnatures can use either secret key or public key cryptography. The digital signa
ture is not using the secret key cryptography due to sharing of a secret key by
two parties. Hybrid approaches are possible, where public key cryptography is us
ed to distribute keys for use by secret key algorithms. However, the digital sig
nature is not using the hybrid approaches.
22. Effective controls to detect attempts to replay an earlier successful authen
tication exchange do not include:
a.
b.
c.
d.
A timestamp
A sequence number
An unpredictable value
A statistical random value
1 and
1 and
3 and
1, 2,
2
4
4
3, and 4
23. d. All four items are examples of procedural security controls for recognizi
ng trusted CA and RA roles. The CA is a trusted third party that generates, issu
es, signs, and revokes public key certificates. The CA can delegate responsibili
ty for the verification of the subjects identity to an RA. The RA is a trusted en
tity that establishes and vouches for the identity of a subscriber to a credenti
als service provider (CSP).
24. Which of the following need not be subject to maintenance of special account
ing records for cryptographic keying materials?
a.
b.
c.
d.
Ephemeral keys
Encrypted keys
Decrypted keys
Key encrypting keys
24. a. Ephemeral keys are cryptographic keys that are generated for each executi
on of a key establishment process and that meet other requirements of the key (f
or example, unique to each message or session and short-lived). It may not be pr
actical or necessary to maintain accounting records for relatively short-lived k
eys such as ephemeral keys. This is because user devices (for example, user enti
ties at client nodes) generate ephemeral keys, and they are intended for use wit
hin the client node.
The other three choices need accounting records. Encrypted keys are encrypted wi
th a key encrypting key to disguise the value of the underlying plaintext key. T
he key encrypting key is used for the encryption or decryption of other keys.
25. For the willful or negligent mishandling of cryptographic keying materials,
the consequences of policy violation should be commensurate with which of the f
ollowing?
a.
b.
c.
d.
Actual harm
Known harm
Potential harm
Guaranteed harm
Key destruction
Notification of users of compromised keys
Emergency key revocation
Replacement of the compromised keys
27. d. The AES-128 bit key in counter mode with CBC-MAC provides both encryption
and integrity protection. The AES-128 bit in CBC mode and the AES-128 bit in co
unter mode provide only encryption whereas the HMAC SHA1-96 bit provides only in
tegrity protection. The encrypted ESP should not be used without integrity prote
ction because the ESP needs both encryption and integrity protection.
28. Within the Internet Protocol security (IPsec) protocol suite, which of the f
ollowing should not be used because it introduces unnecessary complexity in proc
essing?
a.
b.
c.
d.
28. a. The authentication header (AH) protects the Internet Protocol (IP) header
and the data following the IP header. However, the AH processing introduces unn
ecessary complexity. Because the encapsulating security protocol (ESP) can provi
de equivalent functionality as the AH, the use of AH is not recommended due to i
ts complexity in processing. Moreover, the ESP protects the source and destinati
on addresses in the IP header in both transport and tunnel modes. Hence, the ESP
is better than the AH.
29. The security of which of the following cryptographic algorithms confidentiali
ty mechanism is not compromised?
a.
b.
c.
d.
29. c. The counter value in the AES-GCM or AES-GMAC is used for more than one pa
cket with the same key. Therefore, the security of these algorithms confidentiali
ty mechanism is compromised. The DES-CBC mode is susceptible to compromise. Also
, the AES-GCM and AES-GMAC should not be used with manually distributed keys. Au
tomated keying using the Internet key exchange (IKE) establishes secret keys for
the two peers within each security association (SA) with low probability of dup
licate keys.
30. The transport layer security (TLS) protocol does not provide which of the fo
llowing cryptographic services?
a.
b.
c.
d.
Authentication
Integrity
Nonrepudiation
Encryption
30. c. After completion of the handshake sequence, the transport layer security
(TLS) protocol provides a secure communication channel between the server and cl
ient for the duration of a communication session. All cipher suites provide auth
entication and integrity protection for transferred data, and most TLS cipher su
ites also provide encryption. If encryption is provided, data is encrypted when
sent and decrypted when received. TLS does not, however, provide a cryptographic
nonrepudiation service to allow a validation of the session data or authenticat
ion after the communication session has been ended by a third party.
31. In secure/multipurpose Internet mail extension (S/MIME), TDEA in CBC mode o
r AES-128 bit in CBC mode is used to provide which of the following?
a.
b.
c.
d.
Digital signatures
Hash values
Key transport
Encryption
32. d. An end user is the individual using a client to access the system. Even w
ithin a centrally managed environment, end users may find that they have a signi
ficant amount of control over some of the security features within an S/MIME imp
lementation. End users should not send the same message both encrypted and in pl
aintext. The end users can do the other three choices.
33. The RSA-1024-bit key or the DSA-1024 bit key is used to provide which of th
e following?
a.
b.
c.
d.
Digital signatures
Hash values
Key agreement
Encryption
33. a. Either the Rivest, Shamir, and Adelman (RSA) or digital signature algorit
hm (DSA) with key sizes greater than or equal to 1024 bits is used to provide di
gital signatures. They are not used for hash values and key agreement, although
less than 1024-bit keys are used for encryption.
34. The Diffie-Hellman (DH) algorithm is used to provide which of the following
?
a. Digital signatures
b. Hash values
c. Key agreement
d. Encryption
34. c. The Diffie-Hellman (DH) algorithm is used to provide key agreement. The D
H algorithm cannot provide digital signatures, hash values, and encryption.
35. The owner of a cryptographic key pair demonstrates proof-of-possession by u
sing:
a.
b.
c.
d.
Private key
Public key
Ephemeral key
Encrypted key
a.
b.
c.
d.
1 and
2 and
1, 3,
1, 2,
4
3
and 4
3, and 4
Trust anchors
Root certificate store
Trust list
Trust keys
38. c. Cryptographic hash algorithms (hash functions) do not require keys. The h
ash functions generate a relatively small digest (hash value) from a large input
that is difficult to reverse. However, in some instances such as in the generat
ion of hashed message authentication codes (HMAC), keyed hash functions are used
.
Symmetric key algorithms (known as secret/private) transform data that is diffic
ult to undo without knowledge of a secret key. Asymmetric key algorithms (known
as public) use two related keys to perform their functions (i.e., a public key a
nd a private key forming a key pair).
39. Which of the following is a noncryptographic technique that provides messag
e integrity and creates insecurity?
a.
b.
c.
d.
40. a. Key wrapping is the encryption of a key by a key encrypting key using a s
ymmetric algorithm. Key wrapping provides both confidentiality and integrity ser
vices to the wrapped material and does not provide services listed in the other
three choices.
41. Countermeasures against man-in-the-middle attacks include which of the foll
owing?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
3
1
and
and
and
and
2
3
4
4
Confidentiality
Authentication
Integrity
Nonrepudiation
.
43. The transport layer security (TLS) protocol does not provide which of the fo
llowing?
a.
b.
c.
d.
Integrity
Error recovery
Authentication
Encrypted payload
43. b. The transport layer security (TLS) protocol is protected by strong crypto
graphic integrity, an authentication mechanism, and encrypted payload. The TLS c
an detect any attack or noise event but cannot recover from errors. If an error
is detected, the protocol run is simply terminated. Hence, the TLS needs to work
with the TCP (transport control protocol) to recover from errors.
44. Which of the following statements is true about digital signatures using th
e digital signature algorithm?
a.
b.
c.
.
d.
The length of the digital signature is one-time the length of the key size.
The length of the digital signature is two-times the length of the key size.
The length of the digital signature is three-times the length of the key size
The length of the digital signature is four-times the length of the key size.
44. b. The digital signature algorithm (DSA) produces digital signatures of 320,
448, or 512 bits using the key size of 160, 224, or 256 respectively. Hence, th
e length of the digital signature is two-times the length of the key size.
45. Cryptographic key establishment schemes use which of the following?
a.
b.
c.
d.
Key
Key
Key
Key
45. a. Cryptographic key establishment schemes are used to set up keys to be use
d between communicating entities. The scheme uses key transport and key agreemen
t. The key transport is the distribution of a key from one entity to another ent
ity. The key agreement is the participation by both entities in the creation of
shared keying material (for example, keys and initialization vectors). The key e
stablishment scheme does not deal with the other three choices.
46. Network communication channels contain unintentional errors due to transmiss
ion media and create network congestion, leading to lost packets. Which of the f
ollowing statements is incorrect about forward error-correcting codes?
a. Forward error-correcting
b. Forward error-correction
c. Forward error-correcting
retransmission.
d. Forward error-correction
a.
b.
c.
d.
47. a. Shared secrets are generated during a key establishment process. Intermed
iate results of cryptographic operations are generated using secret information.
Therefore, both shared secrets and intermediate results should not exist outsid
e the cryptographic boundary of the crypto-module due to their sensitivity and c
riticality. The other three choices either do not exist outside the cryptographi
c boundary or they are less sensitive and critical.
48. What describes the crypto-period of a symmetric key?
a.
b.
c.
d.
48. c. The crypto-period of a symmetric key is the period of time from the begin
ning of the originator usage period to the end of the recipient usage period.
49. Which of the following should be destroyed immediately after use?
a.
b.
c.
d.
49. a. Both random number generator (RNG) seeds and intermediate results should
be destroyed after use due to their sensitivity. Domain parameters remain in eff
ect until changed. Shared secrets and initialization vectors should be destroyed
as soon as they are no longer needed. A nonce should not be retained longer tha
n needed for cryptographic processing.
50. Which of the following provides the weakest cryptographic algorithms?
1.
2.
3.
4.
A
A
A
A
160-bit
256-bit
256-bit
256-bit
a.
b.
c.
d.
1
1
2
2
only
and 3
and 3
and 4
Shared secrets
Domain parameters
Initialization vectors
Random number generator seeds
52. a. A shared secret is a secret value that has been computed using a key agre
ement scheme and is used as input to a key derivation function. Hence, shared se
crets should not be distributed while the other three choices can be safely dist
ributed most of the time. Because the initialization vectors are often stored wi
th the data that they protect, a determined attacker (not a normal attacker) cou
ld take advantage of them for hacking.
53. Which of the following need not be backed up?
a.
b.
c.
d.
53. d. The private signature key need not be backed up because nonrepudiation wo
uld be in question. This is because proof-of-origin and proof-of-delivery are ne
eded for a successful nonrepudiation using private signature key by the originat
or (i.e., the signatory). Therefore, the private signature key should be protect
ed in a safe and secure location. The other three choices can be backed up witho
ut any question.
54. What is the major advantage of a checksum program?
a.
b.
c.
d.
55. a. An archive for keying material (i.e., keys and initialization vectors) sh
ould provide both integrity and access control. When archived, keying material s
hould be archived prior to the end of the crypto-period of the key. When no long
er required, the keying material should be destroyed. Private signature key need
not be archived because it is private but should be protected in a safe and sec
ure location.
Both symmetric and public authentication keys should be archived until no longer
Hash function
Digital certificate
Handwritten signature
Certificate authority
Domain parameters
Shared secrets
Random number generator seeds
Intermediate results
57. a. Domain parameters should be archived until all keying material, signature
s, and signed data using the domain parameters are removed from the archive. The
other three choices should not be archived due to their secrecy and because the
y are temporary in nature. One exception is that a shared secret is sometimes pe
rmanent as in a preshared key (PSK) for a site-to-site IPsec VPN.
58. If cryptographic key materials are compromised, the compromise recovery pro
cess can be relatively simple and inexpensive for which of the following?
a.
b.
c.
d.
58. a. Where symmetric keys or private asymmetric keys are used to protect only
a single users local information in communications between a single pair of users
, the compromise recovery process can be relatively simple and inexpensive. The
damage assessment and mitigation measures are often local matters. On the other
hand, damage assessment can be complex and expensive where (i) a key is shared b
y or affects a large number of users, (ii) certification authoritys (CAs) private
key is replaced, (iii) transport keys are widely used, (iv) keys are used by man
y users of large distributed databases, and (v) a key is used to protect a large
number of stored keys.
59. The strength of all cryptographically based mechanisms lies in large part i
n which of the following?
a.
b.
c.
d.
The
The
The
The
59. b. For all cryptographically based mechanisms, the strength of the mechanism
lies partly in the strength of the cryptographic algorithm (including key size)
61. b. Reliable delivery of data implies that all messages presented to the send
ing TCP/IP stack are delivered in proper sequence by the receiving TCP/IP stack.
These messages may be broken up into packets and fragmented or segmented as the
y are sent and routed through any arrangement of local-area, wide-area, or metro
politan-area networks. During routing through networks, data are augmented with
cyclical redundancy checks or forward error correction techniques to help ensure
that the delivered messages are identical to the transmitted messages. Reliable
delivery means that the messages are properly reassembled and presented in prop
er sequence to the peer protocol TLS entity. Here, the TLS relies on the communi
cations functionality of the OSI/ISO lower layer protocols.
62. The transport layer security (TLS) protocol version 1.1 mandates the use of
which of the following cipher suites?
a.
b.
c.
d.
TLS
TLS
TLS
TLS
and
and
and
and
62. d. The TLS version 1.1 mandates the use of the TLS and RSA with 3DES-EDE-CBC
and SHA-1 cipher suite, and is more commonly used. The DES with RC4-40, RC2-CBC
-40, and DES-40 cannot be combined with TLS because the algorithm is deprecated.
The TLS and DHE-DSA with 3DES-EDE-CBCand SHA-1 is not often used. The TLS versi
on 1.0 uses the TLS and DHE-DSS with 3DES-EDE-CBC and SHA-1.
63. The transport layer security (TLS) protocols security specification for ensu
ring confidentiality goal is:
a. Rivest, Shamir, and Adelman (RSA)
b. Digital signature algorithm (DSA)
c. Triple-data encryption standard (3DES) using encryption-decryption-encryption
A password-protected file
An encrypted file
A password-protected and encrypted file
A password-protected and modem-protected file
Tamper-evident envelope
Attribute certificate
Public key certificate
Basic certificate content
65. b. The ISO/ITU-T X.509 standard defines two types of certificates: the X.509
public key certificate and the X.509 attribute certificate. Most commonly, an X
.509 certificate refers to the X.509 public key certificate. The public key cert
ificate contains three nested elements: (i) the tamper-evident envelope (digital
ly signed by the source), (ii) the basic certificate content (for example, ident
ifying information and public key), and (iii) extensions that contain optional c
ertificate information. The X.509 attribute certificate is less commonly used.
66. Which of the following features of Secure Hypertext Transfer Protocol (S-HT
TP) achieves higher levels of protection?
a.
b.
c.
d.
Freshness feature
Algorithm independence feature
Syntax compatibility feature
Recursive feature
66. d. In the recursive feature, the message is parsed one protection at a time
until it yields a standard HTTP content type. Here, protections are applied in l
ayers, one layer after another to achieve higher levels of protection. S-HTTP us
es a simple challenge-response to ensure that data being returned to the server
is fresh. Algorithm independence means new cryptographic methods can be easily imp
lemented. Syntax compatibility means that the standard HTTP messages are syntact
ically the same as secure HTTP messages.
67. The Secure Sockets Layer (SSL) transport protocol provides all the following
services except:
a.
b.
c.
d.
Mutual authentication
Message privacy
Message integrity
Mutual handshake
67. d. The
t provides
integrity.
68. Which
?
a.
b.
c.
d.
Passwords
Smart tokens
Encryption
Memory tokens
Encryption algorithms
Hashing algorithms
File seals
File labels
69. d. File labels are used in computer job runs to process application systems
data to ensure that the right file is used. Encryption algorithms, due to their
encryption and decryption mechanisms and by keeping the encryption keys secure,
provide integrity to the message transmitted or stored. Hashing algorithms are a
form of authentication that provides data integrity. File seal is adding a sepa
rate signature to software and partly works with virus checking software. When t
he file seal and virus checking software signatures do not match, it is an indic
ation that data integrity has been compromised.
70. During the design of data communication networks, a functional capability o
f providing link encryption and end-to-end encryption is addressed by which of t
he following?
a.
b.
c.
d.
Administrative control
Access control
Cost control
Technical control
Traffic
Message
Message
Message
analysis
modification
delay
deletion
71. a. Passive wiretapping includes not only information release but also traffi
c analysis (using addresses, other header data, message length, and message freq
uency). Security measures such as traffic padding can be used to prevent traffic
analysis attacks. Active wiretapping includes message stream modifications, inc
luding delay, duplication, deletion, or counterfeiting.
72. What is a hash-based message authentication code (HMAC) based on?
a.
b.
c.
d.
Asymmetric key
Public key
Symmetric key
Private key
Recovery
Prevention
Detection
Correction
Encrypt data
Decrypt data
Generate signatures
Verify signatures
a.
b.
c.
d.
1
2
1
2
only
only
or 4
or 3
74. c. The public key is the public part of an asymmetric key pair that is typic
ally used to encrypt data or verify signatures. The private key is the secret pa
rt of an asymmetric key pair that is typically used to decrypt data and to digit
ally sign (i.e., generate signatures).
75. Approved hash functions must satisfy which of the following properties?
1.
2.
3.
4.
One-way
Collision resistant
Resistant to offline attacks
Resistant to online attacks
a.
b.
c.
d.
1
3
4
1
only
only
only
and 2
75. d. A hash function maps a bit string of arbitrary length to a fixed length b
it string. Approved hash functions must satisfy the following two properties: on
e-way and collision resistant. It is computationally infeasible to find any inpu
t that map to any prespecified output or two distinct inputs that map to the sam
e output.
Offline attack is an attack where the attacker obtains some data through eavesdr
opping that he can analyze in a system of his own choosing. Online attack is an
attack against an authentication protocol where the attacker either assumes the
role of a claimant with a genuine verifier or actively alters the authentication
channel. The goal of the attack may be to gain authenticated access or learn au
thentication secrets.
76. Which of the following is a measure of the amount of uncertainty that an at
tacker faces to determine the value of a secret?
a.
b.
c.
d.
Entropy
Random number
Nonce
Pseudonym
Salt
Shared secret
Min-entropy
Guessing entropy
a.
b.
c.
d.
Digital
Digital
Digital
Digital
libraries
signals
watermarks
signatures
78. c. Digital watermarks are used to prove proprietary rights. It is the proces
s of irreversibly embedding information into a digital signal. An example is emb
edding copyright information about the copyright owner.
Digital libraries are storage places for data and programs. Digital signals are
electronic switches in computers and are represented as binary digits called bit
s. Digital signatures are a security authorization method to prove that a messag
e was not modified.
79. Which of the following specifically deals with hiding messages and obscurin
g senders and receivers?
a.
b.
c.
d.
Quantum cryptography
Steganography
Cryptology
Cryptography
79. b. Steganography is a part of cryptology that deals with hiding messages and
obscuring who is sending or receiving them. Message traffic is padded to reduce
the signals that otherwise would come from the sudden beginning of messages. Qu
antum cryptography is based on quantum-mechanics principles where eavesdroppers
alter the quantum state of the system.
Cryptology is the science and study of writing, sending, receiving, and decipher
ing secret messages. It includes authentication, digital signatures, steganograp
hy, and cryptanalysis. Cryptology includes both cryptography and cryptanalysis.
Cryptology is the science that deals with hidden communications. Cryptography in
volves the principles, means, and methods used to render information unintelligi
ble and for restoring encrypted information to intelligible form.
80. What is an encryption algorithm that encrypts and decrypts arbitrarily size
d messages called?
a.
b.
c.
d.
Link encryption
Bulk encryption
End-to-end encryption
Stream encryption
80. d. The cipher block chaining method is used to convert a block encryption sc
heme with a variable length key into a stream encryption of arbitrarily sized me
ssages.
In link encryption, all information passing over the link is encrypted in its en
tirety. Link encryption is also called an online encryption. Simultaneous encryp
tion of all channels of a multichannel telecommunications trunk is called a bulk
encryption.
In end-to-end encryption, the information is encrypted at its origin and decrypt
ed at its intended destination without any intermediate decryption. End-to-end e
ncryption is also called an offline encryption. In link encryption, bulk encrypt
ion, and end-to-end encryption, the algorithm takes a fixed-length block of mess
age (for example, 64 bits in the case of both DES and IDEA).
81. What is a message authentication code?
a.
b.
c.
d.
Data checksum
Cryptographic checksum
Digital signature
Cyclic redundancy check
81. b. A checksum is digits or bits summed according to arbitrary rules and used
to verify the integrity of data. All forms of checksums have the same objective
, that is, to ensure that the conveyed information has not been changed in trans
it from sender to recipient. The difference between these checksums is how stron
g the protective mechanism is for changing the information, that is, how hard it
will be to attack for a knowledgeable attacker, not for a natural source. A mes
sage authentication code is a cryptographic checksum with the highest form of se
curity against attacks. The public key is used to encrypt the message prior to t
ransmission, and knowledge of a private (secret) key is needed to decode or decr
ypt the received message.
A data checksum is incorrect because it catches errors that are the result of no
ise or other more natural or nonintentional sources. For example, most of these
errors are due to human errors.
A digital signature is incorrect because it is a form of authenticator. It is de
crypted using the secret decryption key and sent to the receiver. The receiver m
ay encrypt, using the public key, and may verify the signature, but the signatur
e cannot be forged because only the sender knows the secret decryption key. Nonp
ublic key algorithms can also be used for digital signatures. The basic differen
ce between the message authentication code and the digital signature is that alt
hough message authentication codes require a secret (private) key to verify, dig
ital signatures are verifiable with a public key, that is, a published value. Me
ssage authentication codes are used to exchange information between two parties,
where both have knowledge of the secret key. A digital signature does not requi
re any secret key to be verified.
A cyclic redundancy check (CRC) is incorrect because it uses an algorithm for ge
nerating error detection bits, and the receiving station performs the same calcu
lation as the transmitting station. If the results differ, then one or more bits
are in error. Both message authentication codes and digital signatures operate
with keys (whether public or private), are based on cryptography, and are hard t
o attack by intruders. On the other hand, data checksums and cyclic redundancy c
hecks operate on algorithms, are not based on cryptography, and are easily attac
ked by intruders.
82. For security protection mechanisms for cryptographic data in storage, the en
cryption mechanism should not be easier to recover the key encrypting key than i
t is to recover the key being encrypted is a part of which of the following cryp
tographic service?
a.
b.
c.
d.
Confidentiality
Availability
Integrity
Labels
. The intent is that someone cannot re-create the code with the same input unles
s that person also knows the secret key (password). A digital signature is a mes
sage digest encrypted with someones private key to certify the contents. Digital
signatures perform three important functions: integrity, authentication, and non
repudiation. A message digest is a hash code produced by a mathematical function
. It takes variable length input and reduces it to a small value, and a small ch
ange in the input results in a significant change in the output.
Secure hash algorithms create a short message digest. The message digest is then
used, with the senders private key and the algorithm specified in digital signat
ure standard, to produce a message-specific signature. Verifying the digital sig
nature standard involves a mathematical operation on the signature and message d
igest, using the senders public key and the hash standard.
84. What is password hashing?
a.
b.
c.
d.
84. a. Password hashing requires storing a password in its hash form, which is b
etter than storing an unencrypted password. When a password is supplied, it comp
utes the passwords hash and compares it with the stored value. If they match, the
password is correct. An attacker cannot derive the password from the hashes. It
is good to hide the hashed password list.
The other three incorrect choices are weak forms of handling a password. Encrypt
ing passwords leads to judgmental errors. A password can be easily guessed if th
e user selects the password from a word dictionary. An exhaustive search may the
n crack the password.
85. Which of the following statements is true about message padding?
a.
b.
c.
d.
It
It
It
It
is
is
is
is
85. c. Message padding adds bits to a message to make it a desired lengthfor inst
ance, an integral number of bytes. Traffic padding involves adding bogus traffic
into the channel to prevent traffic analysis, which is a passive attack. Data c
hecksums are digits or bits summed according to arbitrary rules and used to veri
fy the integrity of data. The one-time pad contains a random number for each cha
racter in the original message. The pad is destroyed after its initial use.
86. What is a public key cryptographic algorithm that does both encryption and
digital signature?
a.
b.
c.
d.
86. a. RSAs technique can be used for document encryption as well as creating dig
ital signatures. DSS is a public key cryptographic system for computing digital
signatures only, but not for encryption. Both RSA and DSS appear to be similar.
DES is a secret key cryptographic scheme. IDEA is also a secret key cryptographi
c scheme gaining popularity. Both DES and IDEA use secret (private) key algorith
ms, whereas DSS and RSA use public key algorithms.
87. What is a digital signature?
a. A form of authenticator
b. An actual signature written on the computer
c. The same as the checksum
Certificate authority
Internet addresses
Message digest
Digital signature
88. b. A major drawback of digital certificates is that they do not identify ind
ividuals, only Internet addresses. A different person could use the same compute
r with bad intent and be seen as the legitimate owner of the digital certificate
. The certificate authority, the message digest, and the digital signatures are
the strengths of digital certificates.
89. Which of the following methods can prevent eavesdropping?
a.
b.
c.
d.
Authentication
Access controls
Encryption
Intrusion detection
89. c. Encryption can be used to prevent eavesdroppers from obtaining data trave
ling over unsecured networks. The items mentioned in the other three choices do
not have the same features as encryption.
Authentication is the act of verifying the identity of a user and the users eligi
bility to access computerized information. Access controls determine what users
can do in a computer system. Intrusion detection systems are software or hardwar
e systems that detect unauthorized use of, or attack upon, a computer or network
.
90. Which of the following is more secure?
a.
b.
c.
d.
90. b. The public key system is more secure because transmission involves the pu
blic key only; the private key is never transmitted and is kept secret by its ho
lder. On the other hand, in a private key system, both the sender and the recipi
ent know the secret key and thus it can be less secure. Authentication and encry
ption key systems are incorrect because they can be either public (more secure)
or private (less secure) key systems.
91. For security protection mechanisms for cryptographic data in transit, side
channel attacks are possible in which of the following cryptographic services?
a.
b.
c.
d.
Confidentiality
Availability
Integrity
Labels
91. c. Improper error handling during a transmission between a sender and a rece
iver can result in side channel attacks, which can result in integrity failures.
A security policy should define the response to such a failure. Remedies for in
Are faster
Do not use
Are slower
Do not use
92. c. Public key methods are much slower than private methods and cause overhea
d, which are their main disadvantages. The public key contains alphanumeric char
acters. The public key systems use digital signatures for authentication.
93. Which of the following is not a common route to data interception?
a.
b.
c.
d.
Direct observation
Data encryption
Interception of data transmission
Electromagnetic interception
93. b. There are three routes of data interception: direct observation, intercep
tion of data transmission, and electromagnetic interception. Data encryption can
be a solution to data interception.
94. The combination of XEX tweakable block cipher with ciphertext stealing and
advanced encryption standard (XTS-AES) algorithm was designed to provide which o
f the following?
1.
2
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
94. c. The XTS-AES mode was designed for the cryptographic protection of data on
storage devices that use fixed length data units, and it was not designed for e
ncryption of data in transit. This mode also provides confidentiality for the pr
otected data but not authentication of data or access control.
95. Which of the following is not used for public key infrastructure-based (PKIbased) authentication of system users?
a. Validates certificates by constructing a certification path to an accepted tr
ust anchor
b. Establishes user control of the corresponding private key
c. Maps the authenticated identity to the user account
d. Uses a radius server with extensible authentication protocol and transport la
yer security authentication
95. d. A radius server with extensible authentication protocol (EAP) and transpo
rt layer security (TLS) authentication is used to identify and authenticate devi
ces on LANs and/or WANs. It is not used for authenticating system users. The oth
96. b. The message authentication code (MAC) provides data authentication and in
tegrity. A MAC is a cryptographic checksum on the data that is used to provide a
ssurance that the data has not changed and that the MAC was computed by the expe
cted entity. It cannot provide other security services.
97. Which of the following are countermeasures against traffic analysis attacks
?
1.
2.
3.
4.
Traffic
Traffic
Traffic
Traffic
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
4
4
RED
BLACK
Black core
Striped core
a.
b.
c.
d.
99. c. Digital signature generation should provide security strength of 112 bits
or more. Digital signature verification should provide security strength of 80
bits or more. Less than 80 bits or a range between 80 and 112 bits are not accep
table for the digital signature generation.
100. Which of the following is not true about a digital signature?
a.
b.
c.
d.
Interoperable
Scalable
Mobile
Portable
102. b. Scalability means the system can be made to have more or less computatio
SHA-1
SHA-224
SHA-256
SHA-384
103. a. Secure hash algorithm -1 (SHA-1), which is 160 bits, provides less secur
ity than SHA-224, SHA-256, and SHA-384. Cryptographic hash functions that comput
e a fixed size message digest (MD) from arbitrary size messages are widely used
for many purposes in cryptography, including digital signatures. A hash function
produces a short representation of a longer message. A good hash function is a
one-way function: It is easy to compute the hash value from a particular input;
however, backing up the process from the hash value back to the input is extreme
ly difficult. With a good hash function, it is also extremely difficult to find
two specific inputs that produce the same hash value. Because of these character
istics, hash functions are often used to determine whether data has changed.
Researchers discovered a way to break a number of hash algorithms, including MD4,
MD5, HAVAL-128, RIPEMD, and SHA-0. New attacks on SHA-1 have indicated that SHA1 provides less security than originally thought. Therefore, the use of SHA-1 is
not recommended for generating digital signatures in new systems. New systems s
hould use one of the larger and better hash functions, such as SHA-224, SHA-256,
SHA-384, and SHA-512.
104. In symmetric cryptography, if there are four entities using encryption, ho
w many keys are required for each relationship?
a.
b.
c.
d.
4
6
8
12
104. b. In symmetric cryptography, the same key is used for both encryption and
decryption. If there are four entities such as A, B, C, and D, there are six pos
sible relationships such as A-B, A-C, A-D, B-C, B-D, and C-D. Therefore, six key
s are required. It uses the formula (n)(n1)/2 where n equals the number of entities
.
105. Which of the following key combinations is highly recommended to use in th
e triple data encryption algorithm (TDEA)?
a.
b.
c.
d.
Independent
Independent
Independent
Independent
key
key
key
key
1,
1,
1,
2,
Independent
Independent
Independent
Independent
key
key
key
key
2,
2,
2,
3,
Independent
Independent
Independent
Independent
key
key
key
key
3
1
2
3
d third keys are identical and the second key is distinctly different, is highly
discouraged. Other configurations of keys in the key bundle shall not be used.
106. For a cryptographic module, which of the following presents the correct re
lationships for sensitive security parameters?
a.
b.
c.
d.
40
56
75
90
bits
bits
bits
bits
107. a. Encryption using keys of 40 or fewer bits is only acceptable for use beh
ind the firewall. Leading cryptographers recommend businesses use key lengths of
at least 75 bits, with 90 bits being preferable. The Data Encryption Standard (
DES) uses 56 keys, which is still acceptable for near term use.
108. Which of the following should be considered during configuration of crypto
graphic controls in the implementation phase of a system development life cycle
(SDLC) as it applies to selecting cryptographic mechanisms?
1.
2.
3.
4.
a.
b.
c.
d.
2 only
3 only
1, 2, and 3
1, 2, 3, and 4
108. d. In the implementation phase, the focus is on configuring the system for
use in the operational environment. This includes configuring the cryptographic
controls. After the system has been configured, certification testing is perform
ed to ensure that the system functions as specified and that the security contro
ls are operating effectively. The security provided by a cryptographic control d
epends on the mathematical soundness of the algorithm, the length of the cryptog
raphic keys, key management, and mode of operation. A weakness in any one of the
se components may result in a weakness or compromise to the security of the cryp
tographic control. A weakness may be introduced at any phase of the system life
cycle.
109. Audit trails should be considered as part of which of the following securi
ty controls during the security design, implementation, and use of a cryptograph
ic module?
a.
b.
c.
d.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
111. a. Configuration management (CM) is needed most for high-risk areas such as
hardware and firmware and system software maintenance and update. CM ensures th
e integrity of managing system and security features through controlling changes
made to a systems hardware, firmware, software, and documentation. The documenta
tion may include user guidance, test scripts, test data, and test results. The h
ardware and firmware maintenance scope covers adding new capabilities, expanding
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Domain parameters
Passwords
Audit information
Random number generator seed
113. d. The keying material backup on an independent, secure storage medium prov
ides a source for key recovery. Keying material maintained in backup should rema
in in storage for at least as long as the same keying material is maintained in
storage for normal operational use. Not all keys need be backed up. For example,
random number generator (RNG) seed need not be backed up because it is a secret
value that is used to initialize a deterministic random bit generator. In addit
ion, storing the RNG seed would actually decrease the security of the keys by in
creasing the risk of the material being used to reverse-engineer the keys.
Domain parameters are incorrect because they can be backed up. It is a parameter
used with some public key algorithm to generate key pairs, to create digital si
gnatures, or to establish keying material. Passwords are incorrect because they
can be backed up. A password is a string of characters (for example, letters, nu
mbers, and other symbols) that are used to authenticate an identity or to verify
access authorization. Audit information is incorrect because it can be backed u
p and can be used to trace events and actions.
114. During the post-operational phase of cryptography, which of the following k
eying material does not require archive storage?
a.
b.
c.
d.
Initialization vector
Audit information
Passwords
Domain parameters
tional use, but access to the keying material may still be possible. A key manag
ement archive is a repository containing keying material and other related infor
mation of historical interest. Not all keying material needs to be archived. For
example, passwords which often change need not be archived because storing pass
words for the keys can increase the risk of disclosure.
Initialization vector is incorrect because it can be archived. It can be retaine
d until its no longer needed to process the protected data. An initialization vec
tor is a vector used in defining the starting point of a cryptographic process.
Audit information can be archived and can be retained until no longer needed. Do
main parameters are incorrect because they can be archived. These parameters can
be retained until all keying material, signatures, and signed data using the do
main parameters are removed from the archive.
115. Regarding cryptographic key management systems, which of the following req
uire frequent audits?
a.
b.
c.
d.
Security plans
Security procedures
Human actions
Protective mechanisms
115. c. On a more frequent basis, the actions of the humans who use, operate, an
d maintain the system should be reviewed to verify that they continue to follow
established security procedures. Strong cryptographic systems can be compromised
by lax and inappropriate human actions. Highly unusual events should be noted a
nd reviewed as possible indicators of attempted attacks on the system.
Security plans, security procedures, and protective mechanisms are incorrect bec
ause they are considered as part of the human actions audit and they continue to
support the cryptographic key management policy.
116. Regarding cryptographic key management system survivability, which of the
following keys need to be backed up to decrypt stored enciphered information?
1.
2.
3.
4.
Master keys
Key encrypting key
Public signature verification keys
Authorization keys
a.
b.
c.
d.
1 only
3 only
4 only
1, 2, 3, and 4
116. d. Without access to the cryptographic keys that are needed to decrypt info
rmation, organizations risk losing their access to that information. Consequentl
y, it is prudent to retain backup copies of the keys necessary to decrypt stored
enciphered information, including master keys, key encrypting keys, public sign
ature verification keys, and authorization keys. These items should be stored un
til there is no longer any requirement for access to the underlying plain text i
nformation.
117. Which of the following is not a critical component of cryptographic key man
agement system?
a.
b.
c.
d.
Point-to-point environment
Key distribution center environment
Key translation center environment
Key disclosure center environment
117. d. A cryptographic key management system must have three components to oper
ate: a point-to-point environment, a key distribution center environment, and a
key translation center environment. A key disclosure center environment is not r
elevant here.
118. Which of the following is not used to obtain nonrepudiation service?
a.
b.
c.
d.
Digital signatures
Digital message receipts
Integrity checks
Timestamps
Key
Key
Key
Key
recovery
regeneration
destruction
correction
120. c. Binding an individuals identity to the public key corresponds to the prot
ection afforded to the individuals private signature key. Digital certificates ar
e used in this process.
121. Public key technology and digital certificates do not provide which of the
following security services?
a.
b.
c.
d.
Authentication
Nonrepudiation
Availability
Data integrity
121. c. Public key technology and digital certificates can be used to support au
thentication, encryption, nonrepudiation, and data integrity, but not availabili
ty.
122. Quantum cryptography could be a possible replacement for public key algori
thms used in which of the following computing environments?
a.
b.
c.
d.
Utility computing
On-demand computing
Quantum computing
Virtual computing
gorithms would be threatened. This would be a major negative result for many cry
ptographic key management systems that rely on these algorithms for the establis
hment of cryptographic keys. Lattice-based public-key cryptography would be resi
stant to quantum computing threats.
Utility computing means allowing users to access technology-based services witho
ut much technical knowledge. On-demand computing deals with providing network ac
cess for self-services. Virtual computing uses virtual machine with software tha
t allows a single host to run one or more guest operating systems. Utility compu
ting, on-demand computing, and virtual computing are part of cloud computing.
123. Which of the following is good practice for organizations issuing digital
certificates?
a.
b.
c.
d.
Develop
Develop
Develop
Develop
a consulting agreement.
an employment agreement.
a subscriber agreement.
a security agreement.
The
The
The
The
application
application
application
application
must
must
must
must
be PKI-enabled.
be PKI-aware.
use X.509 Version 3.
use PKI-vendor plug-ins.
124. c. Using the X.509 Version 3 standard helps application programs in accepti
ng digital certificates from multiple vendor CAs, assuming that the certificates
conform to consistent Certificate Profiles. Application programs either have to
be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509
Version 3 standard. Version 3 is more interoperable so that an application prog
ram can accept digital certificates from multiple vendor certification authoriti
es. Version 3 standard for digital certificates provides specific bits that can
be set in a certificate to ensure that the certificate is used only for specific
services such as digital signature, authentication, and encryption.
125. Which of the following is primarily required for continued functioning of
a public key infrastructure (PKI)?
a.
b.
c.
d.
a.
b.
c.
d.
126. b. Public key cryptography verifies integrity by using public key signature
s and secure hashes. A secure hash algorithm (SHA) is used to create a message d
igest (hash). The hash can change if the message is modified. The hash is then s
igned with a private key. The hash may be stored or transmitted with the data. W
hen the integrity of the data is to be verified, the hash is recalculated, and t
he corresponding public key is used to verify the integrity of the message.
127. Which of the following mitigate threats to nonrepudiation?
a.
b.
c.
d.
Secure hashes
Message digest 4
Message digest 5
Digital signatures and certificates
Data
Data
Data
Data
at
in
in
to
rest
transit
use
recover
128. d. The data sanitization practices have serious implications for security a
nd data recovery in the cloud computing environment and are most affected. Sanit
ization is the removal of sensitive data from a storage device such as (i) when
a storage device is removed from service or moved elsewhere to be stored, (ii) w
hen residual data remains upon termination of service, and (iii) when backup cop
ies are made for recovery and restoration of service. Data sanitization matters
can get complicated when data from one subscriber is physically commingled with
the data of other subscribers. It is also possible to recover data from failed d
rives (for example, hard drives and flash drives) that are not disposed of prope
rly by cloud providers.
Procedures for protecting data at rest are not as well standardized in a cloud c
omputing environment. Cryptography can be used to protect data in transit. Trust
mechanisms such as requiring service contracts and performing risk assessments
can protect data in use because this is an emerging area of cryptography.
129. Which of the following provides a unique user ID for a digital certificate
?
a.
b.
c.
d.
User
User
User
User
name
organization
e-mail
message digest
129. d. The digital certificate contains information about the users identity (fo
r example, name, organization, and e-mail), but this information may not necessa
rily be unique. A one-way (hash) function can be used to construct a fingerprint
(message digest) unique to a given certificate using the users public key.
130. Which of the following is not included in the digital signature standard (D
SS)?
a.
b.
c.
d.
130. b. DSA, RSA, and ECDSA are included in the DSS that specifies a digital sig
nature used in computing and verifying digital signatures. DES is a symmetric al
gorithm and is not included in the DSS. DES is a block cipher and uses a 56-bit
key.
DES has been replaced by advanced encryption standard (AES) where the latter is
preferred as an encryption algorithm for new products. The AES is a symmetric ke
y encryption algorithm to protect electronic data as it is fast and strong due t
o its Key-Block-Round combination. The strength of DES is no longer sufficient.
131. What keys are used to create digital signatures?
a.
b.
c.
d.
Public-key cryptography
Private-key cryptography
Hybrid-key cryptography
Primary-key cryptography
Asymmetric algorithms
Symmetric algorithms
Public-key systems
Private-key systems
a.
b.
c.
d.
2
1
2
1
and
and
and
and
3
3
4
4
Encryption
Access control
Integrity
Authentication
133. d. Data encryption standard (DES) provides encryption, access control, inte
grity, and key management standards. It cannot provide authentication services.
The DES is a cryptographic algorithm designed for access to and protection of un
classified data. Because the original single DES is insecure, the Triple DES shoul
d be used instead.
134. The elliptic curve system uses which of the following to create digital si
gnatures?
a. Hash algorithm
b. Prime algorithm
c. Inversion algorithm
d. Linear algorithm
134. a. The elliptic curve systems are used to create digital signatures with a
hash algorithm such as SHA-1 (160-bit key). The SHA-1 is used to generate a cond
ensed representation of a message called a message digest. SHA-1 is a technical
revision of SHA. A secure hash algorithm (SHA) is used to generate a condensed m
essage representation called a message digest. SHA is used by PGP or GNU PGP to
generate digital signatures.
135. Which of the following clearly defines end-to-end encryption?
1.
2.
3.
4.
Encryption at origin
Decryption at destination
Visible routing information
No intermediate decryption
a.
b.
c.
d.
1 and
3 and
1, 2,
1, 2,
2
4
and 3
3, and 4
136. a. A cyclic redundancy check (CRC) can be used to verify the integrity of d
ata transmitted over a communications line. Passwords, PINs, and biometrics can
be used to authenticate user identity. Digitized signatures do not provide data
integrity because they are simply created by scanning a handwritten signature.
137. Symmetric key algorithms are ideally suited for which of the following?
a.
b.
c.
d.
Authentication
Integrity
Confidentiality
Nonrepudiation
Using
Using
Using
Using
138. c. As part of controls, all encrypted messages must contain some redundancy
as part of the message but have no meaning to the message, such as cryptographi
c hash or a Hamming code, to do error detection or correction to make the attack
er work harder. The redundancy should not be in the form of n zeros at the start o
r end of a message because they yield predictable results to the attacker. Hammi
ng code is based on Hamming distance, which is the number of bit positions in wh
ich two codewords differ. The codeword contains both data and check bits. The go
al is to keep the Hamming distance shorter.
The cyclic redundancy code (CRC) is also known as the polynomial code, which is
based on treating bit strings as representations of polynomials with coefficient
s of 0 and 1 only. Checksums based on CRC are not effective in detecting errors
because it yields undetected errors due to the lack of random bits in the checks
ums. The CRC uses an algorithm for generating error detection bits in a data lin
k protocol. The receiving station performs the same calculation as done by the t
ransmitting station. If the results differ, then one or more bits are in error.
CRC is not a cryptographically secure mechanism unlike a cryptographic hash or m
essage authentication code (MAC). Hence, CRC is least effective in verifying aga
inst malicious tampering of data.
The parity bit code is not as effective as the Hamming code because the former i
s used to detect single errors whereas the latter is used to detect both single
and burst errors. Hence, the Hamming code is the most efficient way of detecting
transmission errors.
139. For large volumes of data, asymmetric-key cryptography is not efficient to
support which of the following?
a.
b.
c.
d.
Authentication
Confidentiality
Integrity
Nonrepudiation
Data integrity
Confidentiality
Authentication
Nonrepudiation
140. a. The secure hash algorithm (SHA) and hash-based message authentication co
de (HMAC) provide the basis for data integrity in electronic communications. The
y do not provide confidentiality and are a weak tool for authentication or nonre
pudiation.
141. Which of the following is not part of public key infrastructure (PKI) data
structures?
a.
b.
c.
d.
141. d. Two basic data structures are used in PKIs. These are the public key cer
tificates and the certificate revocation lists (CRLs). A third data structure, t
he attribute certificate, may be used as an addendum. The certificate authority
(CA) issues a public key certificate for each identity confirming that the ident
ity has the appropriate credentials. CAs must also issue and process CRLs, which
are lists of certificates that have been revoked. The X.509 attribute certifica
te binds attributes to an attribute certificate holder. This definition is being
profiled for use in Internet applications. Subject certificate is meaningless h
ere.
142. Which of the following is an example of asymmetric encryption algorithm?
a.
b.
c.
d.
DH
DES
3DES
IDEA
SHA
DES
MD5
DAC
and
and
and
and
3DES
CBC
SHA-1
MAC
143. c. Both message digests 4 and 5 (MD4 and MD5) are examples of hashing algor
ithms. They are effective when they work with SHA-1 algorithms. Cryptographic ha
sh functions such as MD5 and SHA-1 execute much faster and use less system resou
rces than typical encryption algorithms. The other three choices are not relevan
t here.
144. Which of the following statement is true about hash functions?
a.
b.
c.
d.
They
They
They
They
produce
produce
produce
produce
144. b. Hash functions produce a much smaller message digest than the original m
essage. Encrypting them saves time and effort and improves performance.
145. Which of the following is the best technique to detect duplicate transactio
ns?
a.
b.
c.
d.
ECDSA
ECDSA
ECDSA
ECDSA
and
and
and
and
SHA
SHA-1
MID
MD5
145. c. When the elliptic curve digital signature algorithm (ECDSA) is used with
a message identifier (MID), it provides the capability of detecting duplicate t
ransactions. The MID operates on checking the sequence number of transactions.
146. Countermeasures against replay attacks do not include which of the followin
g?
a.
b.
c.
d.
Time-stamps
Protocols
Nonces
Kerberos
146. b. The term protocols is too generic to be of any use. A replay attack refers
to the recording and retransmission of message packets in the network. Nonces a
re random numbers that are unique and fresh each time of use. Kerberos and times
tamps go hand-in-hand.
Algorithm level
Module level
Application level
Product level
147. c. The highest level of testing occurs at the application or system level.
This level is also called certification testing. Algorithm level and module leve
l are incorrect because they provide low-level testing. Product level is incorre
ct because it is the next higher level above algorithm and module level testing.
148. For message digests to be effectively used in digital certificates, what m
ust they be?
a.
b.
c.
d.
Access-resistant
Authorization-resistant
Collision-resistant
Attack-resistant
One-to-one function
One-to-many function
Many-to-one function
Many-to-many function
SSL
Regular MIME
SHA
S/MIME
PPTP
HTTP
IPsec
PPP
Symmetric
Asymmetric
Semi-symmetric
Semi-asymmetric
152. b. Asymmetric keys (public keys) by definition are slow and suitable for en
crypting and distributing keys and for providing authentication. On the other ha
nd, symmetric (private keys) are faster and suitable for encrypting files and co
mmunication channels.
153. Most cryptographic attacks focus on which of the following?
a.
b.
c.
d.
Cryptographic
Cryptographic
Cryptographic
Cryptographic
keys
passwords
parameters
PINs
ECB
CBC
CBC-MAC
CFB
154. c. In the Advanced Encryption Standard (AES), there are five modes that can
provide data confidentiality and one mode that can provide data authentication.
The confidentiality modes are the Electronic Codebook (ECB), Cipher Block Chain
ing (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) modes
. The authentication mode is the Cipher Block Chaining-Message Authentication Co
de (CBC-MAC) mode.
155. Hash-based message authentication code (HMAC) is heavily used in which of
the following?
a.
b.
c.
d.
PPP operations
SET operations
IPsec operations
PPTP operations
Message
Message
Message
Message
confidentiality
integrity
availability
identity
157. b. Secure hash algorithms (for example, SHA-224, 256,384, and 512) are used
to hash a message. These algorithms enable the determination of a messages integ
rity; meaning any change to the message results in a different message digest. S
HA and SHA-1 should not be used because they are not secure. Message identity is
a field (for example a sequence number) that may be used to identify a message.
158. Which of the following is not usually seen on a digital certificate?
a.
b.
c.
d.
Owner name
Public key
Effective dates for keys
Insurance company name
It
It
It
It
must
must
must
must
be independent.
have a proper contract.
be trusted.
have a good reputation.
159. c. A public key certificate is a credential that binds a key pair and the i
dentity of the owner of the key (i.e., to a legal person). The necessary trust m
ay come from several sources such as the role and independence of the certificat
ion authority, reputation, contract, management integrity, and other legal oblig
ations.
160. Which of the following statements is true about elliptic curve cryptograph
y?
a.
b.
c.
d.
It
It
It
It
160. a. The elliptic curve is well suited for low bandwidth systems and uses an
asymmetric-key algorithm for encryption. The Rivest, Shamir, and Adelman (RSA) a
nd elliptic curve algorithms are used for encryption, where the latter is a new
one with shorter key lengths and is less computationally intensive. The Whitfiel
d-Diffie algorithm is used for secure key exchange. The digital signature algori
thm is used only for digital signatures. Both Whitfield and digital signatures d
o not compete with elliptic curve.
161. What is the best way to encrypt data?
a.
b.
c.
d.
Bulk encryption
Link encryption
Transaction encryption
End-to-end encryption
Encrypt-decrypt-encrypt
Decrypt-encrypt-decrypt
Encrypt-encrypt-encrypt
Decrypt-decrypt-decrypt
Certification authorities
Registration authorities
Trusted third parties
Subscribers
163. c. Trusted third parties, who are independent of the certification and regi
stration authorities and subscribers and who are employed by independent audit o
r consulting organizations are good candidates to conduct security evaluations (
for example, reviews and audits) of the PKI systems and procedures. A written re
port is published after the security evaluation. A certification authority is a
person or institution that is trusted and can vouch for the authenticity of a pu
blic key. The authority can be a principal or a government agency that is author
ized to issue a certificate. A registration authority manages the certificate li
fe cycle in terms of maintenance and revocation. Subscribers include both indivi
duals and business organizations that use the certificate in their businesses.
164. Which of the following statements is not true about Secure Sockets Layer (S
SL)?
a.
b.
c.
d.
It
It
It
It
164. c. Secure sockets layer (SSL) uses a combination of symmetric and asymmetri
c key cryptography to perform authentication and encryption services. It is a se
ssion-oriented protocol used to establish a secure connection between the client
and the server for a particular session. SSL is not a point-to-point protocol.
165. The two protocol algorithms used in cryptographic applications for compres
sing data are which of the following?
a.
b.
c.
d.
165. a. The secure hash algorithm (SHA1) produces a 160-bit hash of the message
contents. Message digest 5 (MD5) produces a 128-bit hash of the message contents
. Many cryptographic applications generate and process both SHA1 and MD5. These
are faster and take less space to store data. The algorithms mentioned in the ot
her three choices do not have the ability to compress data. 3DES uses a 168-bit
key.
166. Which of the following statements is not true about asymmetric-key cryptogr
aphy?
a.
b.
c.
d.
It
It
It
It
To
To
To
To
167. d. Digital certificates are used as a means of user and device authenticati
on. Entities can prove their possession of the private key by digitally signing
known data or by demonstrating knowledge of a secret exchanged using public-key
cryptographic methods.
168. For integrity protection, most Internet Protocol security (IPsec) implemen
tations use which of the following algorithms?
1.
2.
3.
4.
SHA-1
MD5
HMAC-SHA-1
HMAC-MD5
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
168. d. Both HMAC-SHA-1 and HMAC-MD5 algorithms are stronger than SHA-1 or MD5,
either alone or together, because they use hash-based message authentication cod
es (HMACs). Both the SHA-1 and MD5 algorithms are weaker by themselves.
169. Which of the following methods provide the highest level of security to pr
otect data access from unauthorized people?
a.
b.
c.
d.
Encryption
Callback or dial-back systems
Magnetic cards with personal identification number
User ID and password
169. a. Encryption provides the highest level of security to protect data access
from unauthorized people. It is the process of transforming data to an unintell
igible form in such a way that the original data either cannot be obtained (oneway encryption) or cannot be obtained without using the inverse decryption proce
ss (two-way encryption). It is difficult to break the encryption algorithm and t
he keys used in that process.
Callback or dial-back systems and magnetic cards with personal identification nu
mbers provide medium protection, whereas user identification numbers and passwor
ds provide minimum protection. Callback systems can be negated through the use o
f call forwarding features in a telephone system. Magnetic cards can be lost, st
olen, or counterfeited. User IDs and passwords can be shared with others or gues
sed by others, a control weakness.
170. To achieve effective security over transmission, what is the best area whe
re stronger encryption can be applied the most?
a.
b.
c.
d.
Packet level
Record level
File level
Field level
170. d. Encryption can protect anything from one message field to an entire mess
age packet in the transmission over network lines. Because the message field is
the lowest level element and an important element in terms of message content an
d value, security is effective and enhanced. Here, encryption is focused on wher
e it matters the most. Note that the field-level encryption is stronger than fil
e-, record-, and packet-level encryption although encryption can be applied at e
ach of these levels.
171. What is the least powerful method of protecting confidential data or progra
m files?
a.
b.
c.
d.
171. d. Use of passwords and other identification codes is not powerful due to t
heir sharing and guessable nature. Scrambling, encoding, and decoding are crypto
graphic methods used in data transmission. Encryption is used in scrambling, enc
oding (encrypting), and decoding (decrypting) of data. Encryption is the process
of transforming data to an unintelligible form in such a way that the original
data either cannot be obtained (one way encryption) or cannot be obtained withou
t using the inverse decryption process (two-way encryption). Authorized users of
encrypted computer data must have the key that was used to encrypt the data to
decrypt it. The unique key chosen for use in a particular application makes the
results of encrypting data using the algorithm unique. Using a different key cau
ses different results. The cryptographic security of the data depends on the sec
urity provided for the keys used to encrypt and decrypt the data.
172. What is the best technique to thwart network masquerading?
a.
b.
c.
d.
Dial-back technique
Dial-forward technique
File encryption only
Dial-back combined with data encryption
172. d. Personal computers (PCs) are in increasing use as computer terminal devi
ces are connected to larger host systems and when two or more PCs are connected
to networks. Information transmitted over unprotected telecommunications lines c
an be intercepted by someone masquerading as an authorized user, thereby activel
y receiving sensitive information.
Encryption can be adapted as a means of remote user authorization. A user key, e
ntered at the keyboard, authenticates the user. A second encryption key can be s
tored in encrypted form in the calling system firmware that authenticates the ca
lling system as an approved communications endpoint. When dial-back is used with
two-key encryption, data access can be restricted to authorized users (with the
user key) with authorized systems (those whose modems have the correct second k
ey), located at authorized locations (those with phone numbers listed in the ans
wering systems phone directory).
Dial-back technique alone cannot guarantee protection against masquerading becau
se hackers can use the dial-forward technique to reroute calls and spoof the con
nection. File encryption only may not be adequate because an intruder may have a
n opportunity to intercept the key while it is in transit. Managing the encrypti
on key is critical.
173. Which of the following describes message authentication correctly?
a. A process of guaranteeing that the message was sent as received by the party
identified in the header of the message.
b. A process of guaranteeing that the message was sent as received by the party
identified in the footer of the message.
c. A process of guaranteeing that the message sent was received at the same time
regardless of the location.
d. A process of guaranteeing that all delivered and undelivered messages are rec
onciled immediately.
173. a. Message authentication is a process for detecting unauthorized changes m
ade to data transmitted between users or machines or to data retrieved from stor
age. Message authentication keys should receive greater protection. It is the me
ssage header not the footer that identifies the receiving party of the message.
There will be some delay for the messages to be transmitted and received, especi
ally to remote, foreign destinations. Undelivered message reports may be produce
d at specific time intervals, not immediately.
174. What is the control technique that best achieves confidentiality of data in
transfer?
a.
b.
c.
d.
Line encryption
One-time password
File encryption
End-to-end encryption
174. a. Here, the communication link from a user site to a CPU computer is encry
pted to provide confidentiality. Line encryption protects data in a transfer.
One-time password is incorrect because it ensures that a particular password is
used only once, in connection with a specific transaction. It is similar to the
one-time key used in the encryption process. The one-time password protects data
in process.
File encryption is incorrect because it protects only the file in storage, not t
he entire communication line where the data transfer is taking place. File encry
ption protects data in storage.
The end-to-end encryption is incorrect because it is applied to messages on the
communication line twice, once by hardware and once by software techniques.
175. Which of the following provides both integrity and confidentiality service
s for data and messages?
a.
b.
c.
d.
Digital signatures
Encryption
Cryptographic checksums
Granular access control
178. d. Any encryption scheme can be made more secure through multiple encryptio
ns with different keys. Similarly, a triple encryption is stronger than a double
or single encryption. However, costs and overhead increase as the number of enc
ryptions increase. Also, system performance degrades as the number of encryption
s increase.
For example, 2DES encryption with two keys is no more secure than a 1DES encrypt
ion due to the possibility of the meet-in-the middle attack. Therefore, 3DES (tr
iple DES) should be considered.
179. Which of the following technologies are required to ensure reliable and se
cure telecommunications networks?
a.
b.
c.
d.
s,
179. d. Secure and reliable telecommunications networks must have effective ways
for authenticating information and assuring the confidentiality of information.
There is no single technology or technique that can produce the needed security
and reliability of networks. A range of technologies, including cryptography, i
mproved identification and authentication technologies, and firewalls will be re
quired, along with trusted encryption keys and security management infrastructur
es.
180. Which of the following should not be subject to review during a periodic re
view of a cryptographic system?
a.
b.
c.
d.
Parameters
Operations
Keys
Controls
Masquerade
Replay attacks
Password compromise
Denial-of-service
Both
Both
Both
Both
signatures
signatures
signatures
signatures
It
It
It
It
is assumed that the public knows about public keys. Private keys are never share
d. Anyone can verify the signature of a user by employing that users public key.
Only the possessor of the users private key can perform signature generation. Bec
ause of this, nonrepudiation of a message is achieved. This means that the parti
es to an electronic communication could not dispute having participated in the c
ommunication, or it can prove to a third party that data was actually signed by
the generator of the signature.
The DSS can be implemented in hardware, software, and/or firmware and is subject
to U.S. Commerce Department export controls. The DSS technique is intended for
use in electronic mail, electronic funds transfer, electronic data interchange,
software distribution, data storage, and other applications that require data in
tegrity assurance and origin authentication.
A digital signature system requires a means for associating pairs of public and
private keys with the corresponding users. A mutually trusted third party such a
s a certifying authority can bind a users identity and his public key. The certif
ying authority could issue a certificate by signing credentials containing a users
identity and public key. Hence, a third-party certificate is needed.
184. Pretty good privacy (PGP) and privacy enhanced mail (PEM) are electronic-ma
il security programs. Which of the following statements is not true about PGP an
d PEM?
a.
b.
c.
d.
They
They
They
They
184. c. Both pretty good privacy (PGP) and privacy enhanced mail (PEM) encrypt m
essages and sign messages based on public-key cryptography. However, they operat
e on different philosophies. PGP is based on a distributed network of individual
s. PEM is based on the concept of a hierarchical organization. PGP is suited for
individuals communicating on the Internet, whereas PEM might be more suited for
application systems in all organizations. PGP is a product, not a standard. It
does not interoperate with any other security product, either PEM or non-PEM. PG
P is portable to a wide variety of hardware platforms.
185. It is particularly important to protect audit trail data against modificat
ion during communication between parties. Which of the following security contro
l techniques would protect against such modifications?
a.
b.
c.
d.
a.
b.
c.
d.
1
2
1
3
and
and
and
and
4
3
2
4
187. b. The Rivest, Shamir, and Adelman (RSA) scheme uses a public key encryptio
n algorithm and is an asymmetric cipher system. The data encryption standard (DE
S) uses a secret key encryption algorithm and is a symmetric cipher system. RSA
uses two keys (private and public), whereas DES uses one key (private).
188. What is the most common attack against cryptographic algorithms?
a.
b.
c.
d.
Ciphertext-only attack
Birthday attack
Chosen plain text attack
Adaptive chosen plain text attack
a.
b.
c.
d.
2
2
3
1
and
and
and
and
4
3
4
4
190. b. One-time pad is unbreakable given infinite resources. Each random key in
the one-time pad is used exactly once, for only one message, and for only a lim
ited time period. The algorithm for a one-time pad requires the generation of ma
ny sets of matching encryption keypads. Each pad consists of a number of random
key characters, not generated by a cryptographic key generator. Each key charact
er in the pad is used to encrypt one and only one plain text character; then the
key character is never used again. The number of random keypads that need to be
generated must be at least equal to the volume of plain text messages to be enc
rypted. Due to the number of random keypads to be generated, this approach is no
t practical for high-speed communication systems. This is the reason the one-tim
e pad is absolutely unbreakable.
Brute force attack is possible with the data encryption standard (DES) and inter
national data encryption algorithm (IDEA). The key length in Rivest cipher 2 and
4 (RC2 and RC4) is variable, and details of their algorithms are unknown becaus
e they are new proprietary algorithms. IDEA is a new algorithm and works as a do
uble-DES (2DES). DES is in the public domain so that anyone can use it. IDEA is
patented and requires a license for commercial use. RC2 and RC4 are unpatented b
ut are trade secrets.
191. Which of the following statements is true about one-way hash function and
encryption algorithm?
a.
b.
c.
d.
They
They
They
They
both
both
both
both
a.
b.
c.
d.
192. b. A message integrity code uses a secret key to produce a fixed length has
h code that is sent with the message. Integrity codes are used to protect the in
tegrity of large interbank electronic funds transfers. A message authentication
code is a hashed representation of a message and is computed by the message orig
inator as a function of the message being transmitted and the secret key. If the
message authentication code computed by the recipient matches the authenticatio
n code appended to the message, the recipient is assured that the message was no
t modified. Both integrity codes and authentication codes are cryptographic chec
ksums, which are stronger than non-cryptographic checksums.
Cryptography can effectively detect both intentional and unintentional modificat
ion; however, cryptography does not protect files from being modified. Both secr
et key and public key cryptography can be used to ensure integrity. When secret
key cryptography is used, a message authentication code is calculated and append
ed to the data. To verify that the data has not been modified at a later time, a
ny party with access to the correct secret key can recalculate the authenticatio
n code. The new authentication code is compared with the original authentication
code. If they are identical, the verifier has confidence that an unauthorized p
arty has not modified the data.
Data checksums are digits or bits summed according to arbitrary rules and used t
o verify the integrity of data. A cyclic redundancy code (CRC) uses an algorithm
for generating error detection bits in a data link protocol. The receiving stat
ion performs the same calculation as done by the transmitting station. If the re
sults differ, then one or more bits are in error. Both data checksums and CRC ar
e not based on cryptographic checksums. Instead, they are based on algorithms.
193. Which of the following statements about secret key and message digest algor
ithms are not true?
1.
2.
3.
4.
The drive for message digest algorithms starts with public key cryptography.
Message digest algorithms make the RSA much more useful.
Secret key algorithm is designed to be irreversible.
Message digest algorithm is designed to be reversible.
a.
b.
c.
d.
1
3
1
2
and
and
and
and
2
4
3
4
193. b. The significant difference between a secret key algorithm and a message
digest algorithm is that a secret key algorithm is designed to be reversible and
a message digest algorithm is designed to be impossible to reverse. It is true
that the drive for a message digest algorithm started with public key cryptograp
hy. Rivest, Shamir, and Adelman (RSA) is used to perform digital signatures on m
essages. A cryptographically secure message digest function with high performanc
e would make RSA much more useful. This is because a long message is compressed
into a small size by first performing a message digest and then computing an RSA
signature on the digest.
194. When compared to the Rivest, Shamir, and Adelman (RSA) algorithm, the Digit
al Signature Standard (DSS) does not provide:
a.
b.
c.
d.
Digital signature
Authentication
Encryption
Data integrity
194. c. Both RSA and DSS provide digital signature, authentication, and data int
egrity capabilities. RSA provides encryption; DSS does not. The digital signatur
e algorithm (DSA) is specified in the DSS. The DSS contains the DSA to create si
gnatures as well as the secure hash algorithm (SHA) to provide data integrity. S
HA is used in electronic mail and electronic funds transfer applications.
195. Which of the following attacks are made on block ciphers?
a.
b.
c.
d.
Meet-in-the-middle attacks
Codebook attacks
Man-in-the-middle attacks
Bucket brigade attacks
195. a. Meet-in-the-middle (MIM) attacks occur when one end is encrypted and the
other end is decrypted, and the results are matched in the middle. MIM attacks
are made on block ciphers. A block cipher algorithm is a (i) symmetric key crypt
ographic algorithm that transforms a block of information at a time using a cryp
tographic key and (ii) a family of functions and their inverse functions that is
parameterized by a cryptographic key; the functions map bit strings of a fixed
length to bit strings of the same length. This means, the length of the input bl
ock is the same as the length of the output block.
The other three choices are incorrect because they do not use block ciphers. Cod
ebook attacks are a type of attack where the intruder attempts to create a codeb
ook of all possible transformations between plaintext and ciphertext under a sin
gle key. Man-in-the-middle (MitM) attacks are a type of attack that takes advant
age of the store-and-forward mechanism used by insecure networks, such as the In
ternet. MitM attacks are also called bucket brigade attacks.
196. Which of the following statements about digital signatures is not true?
a.
b.
c.
d.
It
It
It
It
enhances authentication.
makes repudiation by the sender possible.
prevents nonrepudiation by the receiver.
makes repudiation by the sender impossible.
196. b. Digital signatures use Rivest, Shamir, and Adelman (RSA), a public-key (
two-key) cryptographic algorithm. RSA enhances authentication and confidentialit
y due to the use of a two-key system; one key is public and the other one is pri
vate. The use of RSA in digital signatures prevents repudiation by the sender as
well as by the receiver. Nonrepudiation means the sender cannot say that he nev
er sent the message, and the receiver cannot say that he never received the mess
age. Nonrepudiation is possible due to the use of a two-key system where the pri
vate key of the sender and the receiver is kept secret while their public key is
known only to each party. Both the sender and the receiver cannot deny having p
articipated in the message transmission.
197. Which of the following statements is true? Rivest, Shamir, and Adelman (RS
A) algorithm has a:
a.
b.
c.
d.
Slower
Slower
Faster
Faster
signature
signature
signature
signature
generation
generation
generation
generation
and
and
and
and
slower
faster
faster
slower
verification
verification
verification
verification
than
than
than
than
DSA
DSA
DSA
DSA
197. b. It has been tested and proven that the RSA algorithm has a slower signat
ure generation capability and faster verification than the digital signature alg
orithm (DSA). On the other hand, the DSA has faster signature generation and slo
wer verification than the RSA.
RSA is much slower to compute than popular secret key algorithms like data encry
ption standard (DES) and international data encryption algorithm (IDEA). RSA alg
orithm uses a variable length public keya long key for enhanced security or a sho
rt key for efficiency.
Authentication
Confidentiality
Integrity
Availability
S-box
P-box
Product ciphers
Sandbox
199. d. Sandbox is not related to S-box, P-box, and product ciphers. Sandbox is
a system that allows an untrusted application to run in a highly controlled envi
ronment where the applications permissions are restricted to an essential set of
computer permissions. In particular, an application in a sandbox (for example, J
avaApplet) is usually restricted from accessing the file system or the network.
The other three choices are related to each other. S-box is a nonlinear substitu
tion table box used in several byte substitution transformations and in the key
expansion routine to perform a one-for-one substitution of a byte value. This su
bstitution, which is implemented with simple electrical circuits, is done so fas
t in that it does not require any computation, just signal propagation.
P-box is a permutation box used to effect a transposition on an 8-bit input in a
product cipher. This transposition, which is implemented with simple electrical
circuits, is done so fast in that it does not require any computation, just sig
nal propagation.
Product ciphers are a whole series of combination of S-boxes and P-boxes cascade
d. In each iteration or round, first there is an S-box followed by a P-box. In a
ddition, there is one P-box at the beginning and one P-box at the end of each ro
und. Common product ciphers operate on k-bit inputs to product k-bit outputs.
200. Which of the following key algorithms decrypt data with the same key used
for encryption?
a.
b.
c.
d.
201. c. Symmetric cryptography uses the same key for both encryption and decrypt
ion, whereas asymmetric cryptography uses separate keys for encryption and decry
ption, or to digitally sign and verify a signature. RSA is an example of asymmet
ric cryptography. DES, 3DES, and AES are examples of symmetric cryptography.
202. Which of the following are examples of block cipher algorithms for encrypt
ion and decryption?
a.
b.
c.
d.
202.
cted
text
The
yption standard (AES) and the triple data encryption algorithms (TDEA). Each of
these algorithms operates on blocks (chunks) of data during an encryption or dec
ryption operation. For this reason, these algorithms are commonly referred to as
block cipher algorithms.
RAS is remote access server, which is not a block cipher, and DES is data encryp
tion standard, which is a block cipher.
Message authentication code (MAC) is incorrect because it is not a block cipher
because it provides an assurance of authenticity and integrity. HMAC is a MAC th
at uses a cryptographic hash function in combination with a secret key. Both MAC
and HMAC are based on hash functions, which are used by (i) keyed hash message
authentication coded algorithms, (ii) digital signature algorithms, (iii) key de
rivation functions for key agreement, and (iv) random number generators. Typical
ly, MACs are used to detect data modifications that occur between the initial ge
neration of the MAC and the verification of the received MAC. They do not detect
errors that occur before the MAC is originally generated.
203. Cross-certification is not allowed in which of the following public key inf
rastructure (PKI) architectures?
a.
b.
c.
d.
203. a. There are four architectures used to link certificate authorities (CAs),
including hierarchical, mesh, bridge, and complex. In a hierarchical PKI model,
authorities are arranged hierarchically under a root CA that issues certificates
to subordinate CAs. A CA delegates when it certifies a subordinate CA. Trust del
egation starts at a root CA that is trusted by every node in the infrastructure.
Therefore, cross-certification is not allowed in the hierarchical PKI model.
Mesh (network) PKI model is incorrect because trust is established between any t
wo CAs in peer relationships (cross-certification), thus allowing the possibilit
y of multiple trust paths between any two CAs. Independent CAs cross-certify eac
h other resulting in a general mesh of trust relationships between peer CAs. The
bridge PKI model was designed to connect enterprise PKIs regardless of the arch
itecture; enterprises can link their own PKIs to those of their business partner
s. The complex PKI model is a combination of hierarchical PKI model and mesh PKI
model because they are not mutually exclusive.
204. Which of the following should not be archived during the disposition phase
of a system development life cycle (SDLC) because it applies to selecting crypto
graphic mechanisms?
a.
b.
c.
d.
204. c. When a system is shut down or transitioned to a new system, one of the p
rimary responsibilities is ensuring that cryptographic keys are properly destroy
ed or archived. Long-term symmetric keys may need to be archived to ensure that
they are available in the future to decrypt data. Signing keys used by tradition
al and non-traditional CAs may also need to be maintained for signature verifica
tion.
An individuals signing keys should not be archived due to constant changes and em
ployee turnover.
205. Which of the following provides the level of trust required for the digital
certificates to reliably complete a transaction?
a. Certificate policy
b. Certification practices statement
c. Identity proofing
d. Outsourcing
205. c. A level of trust is required for an organization to complete the digital c
ertificate transaction reliably. This includes determining the level of identity
proofing required for a subscriber to get a certificate, the strength of the ke
y lengths and algorithms employed, and how the corresponding private key is prot
ected. The Certificate Authority (CA) operates under a Certificate Policy (CP) a
nd Certification Practices Statement (CPS) that collectively describe the CAs res
ponsibilities and duties to its customers and trading partners. Organizations ca
n operate their own certification authority duties or outsource that function.
206. A birthday attack is targeted at which of the following?
a.
b.
c.
d.
MD5
SSL
SLIP
SET
207. b. One of the fundamental principles for protecting keys is the practice of
split knowledge and dual control. These are used to protect the centrally store
d secret keys and root private keys and secure the distribution of user tokens.
Zeroization is a method of erasing electronically stored data by altering the co
ntents of the data storage so as to prevent the recovery of data. Zero-knowledge
proof is where one party proving something to another without revealing any add
itional information. Total knowledge, single control, triple control, and formal
proof are not relevant here.
208. The primary goal of a public key infrastructure (PKI) is to create which o
f the following?
a.
b.
c.
d.
Closed environment
Trusted environment
Open environment
Bounded environment
208. b. Use of electronic processes provides benefits such as time savings, enha
nced services, cost-savings, and improved data quality and integrity. Public key
technology can create a trusted environment that promotes the use and growth of
all electronic processes, not just digital signatures.
209. In a public key infrastructure (PKI), which one of the following certifica
te authorities (CA) is subordinate to another CA and has a CA subordinate to it?
a.
b.
c.
d.
Root CA
Superior CA
Intermediate CA
Subordinate CA
Authentication
Availability
Nonrepudiation
Integrity
Symmetric-key algorithms
Asymmetric-key algorithms
Hybrid-key algorithms
Hash-key algorithms
212. a. In symmetric key algorithms, parties share a single, secret key. Establi
shing that shared key is called key management, and it is a difficult problem. I
n asymmetric key algorithms, there are two keys (public and private) for each pa
rty. The public and private keys are generated at the same time, and data encryp
ted with one key can be decrypted with the other key. Hybrid key algorithms comb
ine the best features of public and private key systems. Hash key algorithms is
meaningless here.
213. Which of the following should be used to prevent an eavesdropping attack f
rom remote access to firewalls?
a.
b.
c.
d.
File encryption
Bulk encryption
Session encryption
Stream encryption
213. c. Session encryption is used to encrypt data between application and end u
sers. This provides strong authentication. File encryption protects data in stor
age. Bulk encryption is simultaneous encryption of all channels of a multichanne
l telecommunications trunk. Stream encryption encrypts and decrypts arbitrarily
sized messagesnot a strong authentication.
214. Common encryption algorithms that implement symmetric cryptography do not i
nclude which of the following?
a. Elliptic curve DSA (ECDSA)
b. Hash message authentication code (HMAC)
c. Message digest 5 (MD5)
Rekeying
Key update
Entity deregistration
Key derivation
Client authenticates the gateway and then uses that channel to authenticate t
client.
Authenticating the server to the client.
Authenticating the client to the server.
Authenticating each endpoint to other.
217. a. Zero-knowledge proof requires that one party proves something to another
without revealing any additional information. This proof has applications in pu
blic-key encryption process.
Zeroization process is a method of erasing electronically stored data by alterin
g the contents of the data storage so as to prevent the recovery of data. Degaus
sing operation is a process whereby the magnetic media is erased, that is, retur
ned to its original state. Data remanence operation is the residual physical rep
resentation of data that has been in some way erased.
218. Which of the following is not part of cryptographic key management process?
a.
b.
c.
d.
Key
Key
Key
Key
layering
distribution
storage
generation
218. a. Key management provides the foundation for the secure generation, storag
e, distribution, and translation of cryptographic keys. Key layering is a meanin
gless term here.
219. An original cryptographic key is split into n multiple key components using
split knowledge procedure. If knowledge of k components is required to construct t
he original key, knowledge of which of the following provides no information abo
ut the original key?
a.
b.
c.
d.
n
k
k
n
1
1
n
k
key
key
key
key
components
components
components
components
Message
Message
Message
Message
authentication code
identifier
header
trailer
220. a. When private (secret) key cryptography is used, a data (message) authent
ication code is generated. Typically, a code is stored or transmitted with data.
When data integrity is to be verified, the code is generated on the current dat
a and compared with the previously generated code. If the two values are equal,
the integrity (i.e., authenticity) of the data is verified. Message identifier i
s a field that may be used to identify a message, usually a sequence number. Mes
sage header and trailer contain information about the message. The other three c
hoices do not have the code generation and verification capabilities.
221. In a public key infrastructure (PKI) environment, finding which of the fol
lowing is a major challenge in the public-key certificates path discovery?
a.
b.
c.
d.
Root certificate
Trust anchor
Cross certificate
Intermediate certificate
221. d. All certification paths begin with a trust anchor, include zero or more
intermediate certificates, and end with the certificate that contains the users p
ublic key. This can be an iterative process, and finding the appropriate interme
diate certificates is one of PKIs challenges in path discovery, especially when t
here is more than one intermediary involved. A certificate authority (CA) genera
lly issues a self-signed certificate called a root certificate or trust anchor;
this is used by applications and protocols to validate the certificates issued b
y a CA. Note that CAs issue cross certificates that bind another issuers name to
that issuers public key.
222. Public-key cryptographic systems are not suitable for which of the followin
g?
a.
b.
c.
d.
Link encryption
End-to-end encryption
Bulk encryption
Session encryption
222. c. Public-key cryptographic systems have low bandwidth and hence are not su
itable for bulk encryption, where the latter requires a lot of bandwidth. The ot
MAC
DES
RSA
RSA
and
and
and
and
DAC
3DES
IDEA
DSS
224. b. Side channel attacks result from the physical implementation of a crypto
system through the leakage of information by monitoring sound from computations
to reveal cryptographic key-related information. Side-channel attacks are based
on stealing valuable information whereas the other three choices deal with decei
ving people.
Social engineering attacks focus on coercing people to divulge passwords and oth
er valuable information. Phishing attack involves tricking individuals into disc
losing sensitive personal information through deceptive computer-based means. Ph
ishing is a digital form of social engineering that uses authentic-lookingbut bo
guse-mails to request information from users or direct them to a fake website th
at requests valuable personal information. Shoulder surfing attack is similar to
social engineering where the attacker uses direct observation techniques such a
s looking over someones shoulder to obtain passwords, PINs, and other valuable co
des.
225. A cryptographic key may pass through several states between its generation
and its distribution. A cryptographic key may not enter the compromised state fr
om which of the following states?
a.
b.
c.
d.
Pre-activation state
Destroyed state
Active state
Deactivated state
225. b. A cryptographic key may pass through several states between its generati
on and its destruction. Six key-states include pre-activation state, active stat
e, deactivated state, destroyed state, compromised state, and destroyed compromi
sed state. In general, keys are compromised when they are released to or determi
ned by an unauthorized entity. If the integrity or secrecy of the key is suspect
, the compromised key is revoked. A cryptographic key may enter the compromised
state from all states except the destroyed state and destroyed compromised state
s. A compromised key is not used to apply cryptographic protection to informatio
n. Even though the key no longer exists in the destroyed state, certain key attr
ibutes such as key name, key type, and crypto-period may be retained, which is r
isky.
The other three choices are not risky. In the pre-activation state, the key has
been generated but is not yet authorized for use. In this state the key may be u
sed only to perform proof-of-possession or key confirmation. In the active state
, a key may be used to cryptographically protect information or to cryptographic
ally process previously protected information (for example, decrypt ciphertext o
r verify a digital signature) or both. When a key is active, it may be designate
d to protect only, process only, or both protect and process. In the deactivated
state, a keys crypto-period has expired, but it is still needed to perform crypt
ographic processing until it is destroyed.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 7.
The ARK Company just discovered that its mail server was used for phishing by an
outside attacker. To protect its reputation and reduce future impersonation att
acks, the company wants to implement reasonable, cost-effective, public key infr
astructure (PKI) tools.
1. Which of the following is required to accept digital certificates from multi
ple vendor certification authorities?
a.
b.
c.
d.
The
The
The
The
application
application
application
application
must
must
must
must
be PKI-enabled.
be PKI-aware.
use X.509 Version 3.
use PKI-vendor plug-ins.
1.c. Using the X.509 Version 3 standard helps application programs in accepting
digital certificates from multiple vendor CAs, assuming that the certificates co
nform to a consistent Certificate Profiles. Application programs either have to
be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509
Version 3 standard. Version 3 is more interoperable so that an application progr
am can accept digital certificates from multiple vendor certification authoritie
s. Version 3 standard for digital certificates provides specific bits that can b
e set in a certificate to ensure that the certificate is used only for specific
services such as digital signature, authentication, and encryption.
2. Which of the following provides a unique user ID for a digital certificate?
a.
b.
c.
d.
Username
User organization
User e-mail
User message digest
2. d. The digital certificate contains information about the users identity (for
example, name, organization, and e-mail), but this information may not necessari
ly be unique. A one-way (hash) function can be used to construct a fingerprint (
message digest) unique to a given certificate using the users public key.
3. Which of the following is not included in the digital signature standard (DSS
)?
a.
b.
c.
d.
3. b. DSA, RSA, and ECDSA are included in the DSS that specifies a digital signa
ture used in computing and verifying digital signatures. DES is a symmetric algo
rithm and is not relevant here. DES is a block cipher and uses a 56-bit key.
4. Digital signatures are not used for which of the following?
a.
b.
c.
d.
Authentication
Availability
Nonrepudiation
Integrity
Public-key cryptography
Private-key cryptography
Hybrid-key cryptography
Primary-key cryptography
Owner name
Public key
Effective dates for keys
Insurance company name
6. d. The information on the digital certificate includes the owner name, the pu
blic key, and start and end dates of its validity. The certificate should not co
ntain any owner information that changes frequently (for example, the insurance
company name).
7. What is the major purpose of a digital certificate?
a.
b.
c.
d.
To
To
To
To
Domain 6
Security Architecture and Design
Traditional Questions, Answers, and Explanations
1. A trusted channel will not allow which of the following attacks?
1.
2.
3.
4.
Man-in-the-middle attack
Eavesdropping
Replay attack
Physical and logical tampering
a.
b.
c.
d.
1 and
1 and
1, 2,
1, 2,
2
3
and 3
3, and 4
Desktop computers
Local-area networks
Servers
Websites
Security-by-rules
Security-by-obscurity
Deny-by-default
Data-by-hiding
Trusted
Trusted
Trusted
Trusted
computer system
platform module chip
computing base
operating system
4. b. The trusted platform module (TPM) chip, through its key cache management,
offers a format for protecting keys used in encrypted file system (EFS). The TPM
chip, which is a specification, provides secure storage of keys on computers. T
he other three choices do not provide key cache management.
5. In the encrypted file system (EFS) environment, which of the following is us
ed to secure the storage of key encryption keys on the hard drive?
a.
b.
c.
d.
Trusted
Trusted
Trusted
Trusted
computer system
platform module chip
computing base
operating system
5. b. Using the trusted platform module (TPM) chip, the key encryption keys are
securely stored on the TPM chip. This key is also used to decrypt each file encr
yption key. The other three choices do not provide secure storage of the key enc
ryption key.
6. Which of the following provides additional security for storing symmetric ke
ys used in file encryption to prevent offline exhaustion attacks?
a.
b.
c.
d.
a strong password.
computer itself or on the hardware token.
key component on the computer itself.
other key component on the hardware token.
6. a. When a key is split between the hardware token and the computer, an attack
er needs to recover both pieces of hardware to recover (decrypt) the key. Additi
onal security is provided by encrypting the key splits using a strong password t
o prevent offline exhaustion attacks.
7. Which of the following storage methods for file encryption system (FES) is t
he least expensive solution?
a.
b.
c.
d.
7. a. The file encryption system (FES) uses a single symmetric key to encrypt ev
ery file on the system. This single key is generated using the public key crypto
graphy standard (PKCS) from a users password; hence it is the least expensive sol
ution. Key encryption key is relatively a new technology where keys are stored o
n the same computer as the file. It utilizes per-file encryption keys, which are
stored on the hard disk, encrypted by a key encryption key. The asymmetric user
owned private key utilizes per-file encryption keys, which are encrypted under
the file owners asymmetric private key. It requires either a user password or a u
ser token.
8. Which of the following storage methods for file encryption system (FES) is le
ss secure?
a.
b.
c.
d.
8. a. The public key cryptography standard (PKCS) is less secure because the sec
urity is dependent only on the strength of the password used. Key encryption key
is relatively a new technology where keys are stored on the same computer as th
e file. It utilizes per-file encryption keys, which are stored on the hard disk,
encrypted by a key encryption key. The asymmetric user owned private key utiliz
es per-file encryption keys, which are encrypted under the file owners asymmetric
private key. It requires either a user password or a user token.
9. Which of the following storage methods for file encryption system (FES) is m
ore expensive?
a.
b.
c.
d.
9. c. The file encryption system (FES) uses per-file encryption keys that are sp
lit into two components that will be an Exclusive-Or operation (XORed) to re-cre
ate the key, with one key component stored on hardware token and the other key c
omponent derived from a password using the public key cryptography standard (PKC
S) to derive the key. Because of the key split, hardware tokens are more expensi
ve.
The public key cryptography standard (PKCS) generates a single key from a users p
assword. Key encryption key is relatively a new technology where keys are stored
on the same computer as the file. It utilizes per-file encryption keys, which a
re stored on the hard disk, encrypted by a key encryption key. The asymmetric us
er owned private key utilizes per-file encryption keys, which are encrypted unde
r the file owners asymmetric private key. It requires either a user password or a
user token.
10. Which of the following storage methods for file encryption system (FES) is
highly secure?
a.
b.
c.
d.
10. c. Because of the key split, hardware tokens are highly secure if implemente
d correctly. The other three choices are not highly secure. The public key crypt
ography standard (PKCS) generates a single key from a users password. Key encrypt
ion key is relatively a new technology where keys are stored on the same compute
r as the file. It utilizes per-file encryption keys, which are stored on the har
d disk, encrypted by a key encryption key. The asymmetric user owned private key
utilizes per-file encryption keys, which are encrypted under the file owners asy
mmetric private key. It requires either a user password or a user token.
11. Which of the following can limit the number of network access points to an
information system that enables monitoring of inbound and outbound network traff
ic?
a.
b.
c.
d.
Trusted
Trusted
Trusted
Trusted
path
computer system
computing base
Internet connection
Information availability
Hardware availability
Software availability
System availability
Proof-of-wholeness
Proof-of-origin
Proof-of-correspondence
Proof-of-correctness
13. c. The proof-of-correspondence deals with verifying the design between a for
mal model and the functional specifications. A proof-of-wholeness is having all
of an objects parts or components include both the sense of unimpaired condition
(i.e., soundness) and being complete and undivided (i.e., completeness). It appl
ies to preserving the integrity of objects in that different layers of abstracti
on for objects cannot be penetrated, and their internal mechanisms cannot be mod
ified or destroyed. A proof-of-origin is the basis to prove an assertion. For ex
ample, a private signature key is used to generate digital signatures as a proof
-of-origin. A proof-of-correctness applies mathematical proofs-of-correctness to
demonstrate that a computer program conforms exactly to its specifications and
to prove that the functions of the computer programs are correct.
14. Regarding cryptographic modules, the implementation of a trusted channel pr
otects which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
16. c. It is not good to assume that an unknown state is safe until proven becau
se it is risky. The other three choices are examples of acceptable situations be
cause of little or no risk.
17. Memory protection is achieved through which of the following?
1.
2.
3.
4.
System partitioning
Nonmodifiable executable programs
Resource isolation
Domain separation
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
4
4
3, and 4
17. d. Memory protection is achieved through the use of system partitioning, non
modifiable executable programs, resource isolation, and domain separation. Inade
quate protection of memory leads to many security breaches through the operating
system and applications.
18. Organizations should not design which of the following?
a.
b.
c.
d.
Operating systems
Business application systems
Computer memory chips
Hardware circuits
d. 1, 2, 3, and 4
20. d. A trusted channel can be realized as follows: It is a communication pathw
ay between the cryptographic module and endpoints that is entirely local, direct
ly attached to the cryptographic module, and has no intervening systems. It is a
mechanism that cryptographically protects SSPs during entry and output. It does
not allow misuse of any transitory SSPs.
21. Usually, a trusted path is not employed for which of the following?
a.
b.
c.
d.
To
To
To
To
provide
provide
protect
protect
authentication
reauthentication
cryptographic keys
user login
21. c. A trusted path is employed for high confidence connections between the se
curity functions of the information system (i.e., authentication and reauthentic
ation) and the user (e.g., for login). A trusted path cannot protect cryptograph
ic keys. On the other hand, a trusted platform module (TPM) chip is used to prot
ect small amounts of sensitive information (e.g., passwords and cryptographic ke
ys).
22. Distributed system security services can be no stronger than the underlying
:
a.
b.
c.
d.
Hardware components
Firmware components
Operating system
Application system
22. c. The operating system security services underlie all distributed services.
Therefore, distributed system security can be no stronger than the underlying o
perating system.
23. Which of the following statement is not true about operating system security
services as a part of multilayer distributed system security services?
a.
b.
c.
d.
Security services do not exist at any one level of the OSI model.
Security services are logically distributed across layers.
Each layer is supported by higher layers.
Security services are physically distributed across network.
Flexibility
Domain parameters
Tailored protections
Domain inter-relationships
24. b. Domain parameters are used with cryptographic algorithms that are usually
common to a domain of users (e.g., DSA or ECDSA). Security domains can be physi
cal or logical and hence domain parameters are not applicable. Security domain i
s a system or subsystem that is under the authority of a single trusted authorit
y. These domains may be organized (e.g., hierarchically) to form larger domains.
Memory channel
Exploitable channel
Communications channel
Security-compliant channel
Physical security
Network monitors
Software testing
Quality assurance
Remote server
Web server
Firewall
Secure shell program
28. a. Increasing the bandwidth can make a covert channel noisy as one of the go
als is to reduce its bandwidth. Covert channels are not only difficult to find,
but also difficult to block. Normal information cannot be reliably sent through
covert channels.
The other three choices can send normal information reliably because they use an
error correcting code (e.g., hamming code) or introducing page faults at random
Cross-domain systems
Multilevel secure systems
Multilayer systems
Multiple security level systems
Floating label
Low bandwidth
Fixed label
Absence of application software
30. c. A fixed label contains a subjects maximum security label, which dominates
that of the floating label. Hence, a fixed label does not favor acceptability of
a covert channel. The other three choices favor a covert channel.
31. From an information security viewpoint, a Security-in-Depth strategy means
which of the following?
a.
b.
c.
d.
Memory channel
Communications channel
Covert channel
Exploitable channel
Evaluation scheme
Evaluation methodology
Evaluation base
Certification processes
Trusted channel
Overt channel
Security-compliant channel
Exploitable channel
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
35. d. Control zones and white noise are countermeasures against emanation attac
ks. A control zone is the space surrounding equipment processing sensitive infor
mation that is under sufficient physical and technical control to prevent an una
uthorized entry or compromise. White noise is a distribution of uniform spectrum
of random electrical signals so that an intruder cannot decipher real data from
random (noise) data due to use of constant bandwidth.
A high watermark policy is used to maintain an upper bound on fused data. An inf
ormation label results from a floating label. The high watermark policy, informa
tion label, and floating label are part of a covert channel.
36. Which of the following can increase emanation attacks?
a.
b.
c.
d.
36. c. The trend toward wireless local-area network (WLAN) connections can incre
ase the likelihood of successful interception leading to emanation attack. The o
ther three choices decrease the emanation attacks.
37. In the trust hierarchy of a computer system, which of the following is least
trusted?
a.
b.
c.
d.
Operating system
System user
Hardware/firmware
Application system
37. c. In a computer system, trust is built from the bottom layer up, with each
layer trusting all its underlying layers to perform the expected services in a r
eliable and trustworthy manner. The hardware/firmware layer is at the bottom of
the trust hierarchy and is the least trusted. The system user layer is at the to
p of the trust hierarchy and is the most trusted. For example, the users trust t
he application system to behave in the manner they expect of it. The layers from
the top to the bottom include system user, application system, operating system
, and hardware/firmware.
38. In organizations, isolating the information system security functions from
nonsecurity functions is achieved through:
1.
2.
3.
4.
Hardware separation
Independent modules
Layered structure
Minimal interactions
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Compromise
Compromise
Compromise
Compromise
from
from
from
from
above
within
below
cross domains
39. a. The compromise resulting from the execution of a Trojan horse that misuse
s the discretionary access control (DAC) mechanism is an example of compromise f
rom above.
The other three choices do not allow such an examination. Compromise from within
occurs when a privileged user or process misuses the allocated privileges. Comp
romise from below occurs as a result of accidental failure of an underlying trus
ted component. Compromise from cross domains is not relevant here.
40. All of the following are the most simplest and practical approaches to contr
olling active content documents and mobile code except:
a.
b.
c.
d.
Isolation
Isolation
Isolation
Isolation
40. b.
ulting
ion at
l (low
at
at
at
at
the
the
the
the
system level
physical level
program level
logical level
sical level means being close to the PC/workstations hardware, circuits, and moth
erboards, which is not practical with remote computing. This means physical isol
ation is not always possible due to location variables.
Regarding system level isolation, a production computer system that is unable to
receive active content documents cannot be affected by malicious hidden code in
sertions. Logical level isolation consists of using router settings or firewall
rulesets. Program level isolation means isolating tightly bounded, proprietary p
rogram components. By integrating products from different manufacturers, you can
effectively isolate program components from not using the standard documented i
nterfaces.
41. Which of the following assumes that control over all or most resources is p
ossible?
a.
b.
c.
d.
41. c. Security and survivability requirements are based on the bounded system c
oncept, which assumes that control over all resources is possible. Security and
survivability must be part of the initial design to achieve the greatest level o
f effectiveness. Security should not be something added on later to improve qual
ity, reliability, availability, integrity, or durability or when budget permits
or after an attack has already occurred.
42. Which of the following eliminates single point-of-failure?
a.
b.
c.
d.
SCSI
PATA
RAID
SATA
42. c. Redundant arrays of independent disks (RAID) protect from single points-o
f-failure. RAID technology provides greater data reliability through redundancyda
ta can be stored on multiple hard drives across an array, thus eliminating singl
e points-of-failure and decreasing the risk of data loss significantly. RAID sys
tems often dramatically increase throughput of both reading and writing as well
as overall capacity by distributing information across multiple drives. Initiall
y, RAID controllers were based on using small computer systems interface (SCSI),
but currently all common forms of drives are supported, including parallel-ATA
(PATA), serial-ATA (SATA), and SCSI.
43. In an end user computing environment, what is the least important concern fo
r the information security analyst?
a.
b.
c.
d.
Data
Data
Data
Data
mining
integrity
availability
usefulness
43. a. Data mining is a concept where the data is warehoused for future retrieva
l and use. Data mining takes on an important role in the mainframe environment a
s opposed to the personal computer (end user) environment. Management at all lev
els relies on the information generated by end user computer systems. Therefore,
data security, integrity, availability, and usefulness should be considered wit
hin the overall business plans, requirements, and objectives. Data security prot
ects confidentiality to ensure that data is disclosed to authorized individuals
only.
Data integrity addresses properties such as accuracy, authorization, consistency
, timeliness, and completeness. Data availability ensures that data is available
anywhere and anytime to authorized parties. Data usefulness ensures that data i
s used in making decisions or running business operations.
44. In the trusted computing base (TCB) environment, which of the following is n
ot a sufficient design consideration for implementing domain separation?
a.
b.
c.
d.
Memory mapping
Multistate hardware
Multistate software
Multistate compiler
Consistency
Efficiency
Reliability
Effectiveness
46. c. For a trusted computing base (TCB) to enforce the security policy, the TC
B must be both tamperproof and uncompromisable. The other three choices are not
strong.
47. In the trusted computing base (TCB) environment, resource isolation does not
mean which of the following?
a.
b.
c.
d.
47. c. The trusted computing base (TCB) imposes discretionary access controls (D
ACs) and not mandatory access controls (MACs). The other three choices, along wi
th discretionary access controls, provide resource isolation.
48. Which of the following can lead to a single point-of-failure?
a.
b.
c.
d.
Quarantine server
Proxy server
Centralized authentication server
Database server
49. c. A single sign-on (SSO) solution usually includes one or more centralized
authentication servers containing authentication credentials for many users. Suc
h a server becomes a single point-of-failure for authentication to many resource
s, so the availability of the server affects the availability of all the resourc
es that they rely on the server for authentication services. Also, any compromis
e of the server can compromise authentication credentials for many resources. Th
e servers in the other three choices do not contain authentication credentials.
50. Which of the following provides a centralized approach to enforcing identit
y and security management aspects of service-oriented architecture (SOA) impleme
ntation using Web services?
a.
b.
c.
d.
Firewall
Public key infrastructure
Digital signature
Encryption
51. a. An XML gateway-based SOAs security features include public key infrastruct
ure (PKI), digital signatures, encryption, XML schema validation, antivirus, and
pattern recognition. It does not contain a firewall feature; although, it opera
tes like a firewall at the network perimeter.
52. The accountability security objective does not need which of the following s
ecurity services?
a.
b.
c.
d.
Audit
Nonrepudiation
Access control enforcement
Transaction privacy
b. Authorization
c. Access control enforcement
d. Proof-of-wholeness
53. a. Audit security service is needed for the assurance security objective but
not to the availability security objective. The other three choices are common
to availability and the assurance security objective.
54. Restricting the use of dynamic port allocation routines is a part of which
of the following to secure multi-user and multiplatform environments?
a.
b.
c.
d.
Management controls
Technical controls
Physical controls
Procedural controls
Demilitarized zones
Screened subnet firewalls
Electronic mail gateways
Proxy servers
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
55. a. System isolation means separating system modules or components from each
other so that damage is eliminated or reduced. Layers of security services and m
echanisms include demilitarized zones (DMZs) and screened subnet firewalls. E-ma
il gateways and proxy servers are examples of logical access perimeter security
controls.
56. In which of the following security operating models is the minimum user clea
rance not cleared and the maximum data sensitivity not classified?
a.
b.
c.
d.
56. b. Security policies define security modes. A security mode is a mode of ope
ration in which management accredits a computer system to operate. One such mode
is the limited access mode, in which the minimum user clearance is not cleared
and the maximum data sensitivity is not classified but sensitive.
Dedicated security mode is incorrect. It is the mode of operation in which the s
ystem is specifically and exclusively dedicated to and controlled for the proces
sing of one particular type or classification of information, either for full-ti
me operation or for a specified period of time.
System high-security mode is incorrect. It is the mode of operation in which sys
tem hardware or software is trusted to provide only need-to-know protection betw
een users. In this mode, the entire system, to include all components electrical
ly and/or physically connected, must operate with security measures commensurate
with the highest classification and sensitivity of the information being proces
sed and/or stored. All system users in this environment must possess clearances
and authorizations for all information contained in the system, and all system o
utput must be clearly marked with the highest classification and all system cave
ats, until the information has been reviewed manually by an authorized individua
l to ensure appropriate classifications and caveats have been affixed.
Partitioned mode is incorrect. It is a mode of operation in which all persons ha
ve the clearance, but not necessarily the need-to-know and formal access approva
l, for all data handled by a computer system.
57. Which of the following is not like active content?
a.
b.
c.
d.
Character documents
Trigger actions automatically
Portable instructions
Interpretable content
57. a. Broadly speaking, active content refers to electronic documents that, unl
ike past character documents based on ASCII, can carry out or trigger actions au
tomatically without an individual directly or knowingly invoking the actions.
Active content technologies allow code, in the form of a script, macro, or other
kind of portable instruction representation, to execute when the document is re
ndered. Examples of active content include PostScript documents, Web pages conta
ining Java applets and JavaScript instructions, proprietary desktop-application
formatted files containing macros, spreadsheet formulas, or other interpretable
content, and interpreted electronic mail formats having embedded code or bearing
executable attachments. Electronic mail and Web pages accessed through the Inte
rnet provide efficient means for conveying active content, but they are not the
only ones. Active content technologies span a broad range of products and servic
es, and involve various computational environments including those of the deskto
p, workstations, servers, and gateway devices.
58. Which of the following creates a covert channel?
a.
b.
c.
d.
Use
Use
Use
Use
of
of
of
of
fixed labels
variable labels
floating labels
nonfloating labels
58. c. The covert channel problem resulting from the use of floating labels can
lead to erroneous information labels but cannot be used to violate the access co
ntrol policy enforced by the fixed labels. A fixed label contains a sensitivity le
vel and is the only label used for access control. The floating label contains a
n information level that consists of a second sensitivity level and additional sec
urity markings.
59. Attackers installing spyware and connecting the computing platform to a bot
net are examples of which of the following?
a.
b.
c.
d.
Browser-oriented attacks
Server-oriented attacks
Network-oriented attacks
User-oriented attacks
a.
b.
c.
d.
Policy
Procedure
Standard
Control
60. a. A security policy is applied to all aspects of the system design or secur
ity solution. The policy identifies security goals (i.e., confidentiality, integ
rity, and availability) the system should support and theses goals guide the pro
cedures, standards, and controls used in the IT security architecture design.
61. A system employs sufficient hardware and software integrity measures to all
ow its use for processing simultaneously a range of sensitive or classified info
rmation. Which of the following fits this description?
a.
b.
c.
d.
Boundary system
Trusted system
Open system
Closed system
61. b. A trusted system employs sufficient hardware and software integrity measu
res to allow its use for processing simultaneously a range of sensitive or class
ified information.
A boundary system can establish external boundaries and internal boundaries to m
onitor and control communications between systems. A boundary system employs bou
ndary protection devices (e.g., proxies, gateways, routers, firewalls, hardware/
software guards, and encrypted tunnels) at managed interfaces. An open system is
a vendor-independent system designed to readily connect with other vendors produ
cts. A closed system is the opposite of an open system in that it uses a vendordependent system.
62. A flaw in a computer system is exploitable. Which of the following provides
the best remedy?
a.
b.
c.
d.
Hire more IT
Hire more IT
Install more
Hire more IT
security analysts.
system auditors.
IT layered protections.
security contractors.
63. c. The encryption of transmission of cardholder data across open, public net
works meets a different control objective of protecting cardholder data, not the
control objective of building and maintaining a secure network. The other three
choices meet the objective of building and maintaining a secure network.
64. For the payment card industry data security standard (PCI-DSS), which of the
following security controls cannot meet the control objective of maintaining a
vulnerability management program?
a. Regularly update antivirus software.
b. Protect stored cardholder data.
Integrity issue
Privacy issue
Connectivity issue
Accountability issue
65. b. Cookies were invented to enable websites to remember its users from visit
to visit. Because cookies collect personal information about the Web user, it r
aises privacy issues such as what information is collected and how it is used. C
ookies do not raise integrity, connectivity, or accountability issues.
66. Which of the following is not a risk by itself for a Structured Query Langua
ge (SQL) server?
a.
b.
c.
d.
Concurrent transactions
Deadlock
Denial-of-service
Loss of data integrity
66. a. The concurrent transaction is not a risk by itself. The SQL server must e
nsure orderly access to data when concurrent transactions attempt to access and
modify the same data. The SQL server must provide appropriate transaction manage
ment features to ensure that tables and elements within the tables are synchroni
zed. The other three choices are risks resulting from handling concurrent transa
ctions.
67. System assurance cannot be increased by which of the following?
a.
b.
c.
d.
67. a. System assurance is grounds for confidence that an entity meets its secur
ity objectives as well as system characteristics that enable confidence that the
system fulfills its intended purpose. Applying more complex technical solutions
can create more complexity in implementing security controls. Simple solutions
are better. The other three choices can increase system assurance.
68. Which of the following security services are applicable to the confidential
ity security objective?
a.
b.
c.
d.
Prevention services
Detection services
Correction services
Recovery services
68. a. Only the prevention services are needed to maintain the confidentiality s
ecurity objective. When lost, confidentiality cannot be restored. The other thre
e choices do not apply to the confidentiality security objective.
69. The security services that provide for availability security objectives als
o provide for which of the following security objectives?
a. Integrity
b. Confidentiality
c. Accountability
d. Assurance
69. a. Examples of common security services between availability and integrity o
bjectives include access authorization and access control enforcement.
The primary availability services are those that directly impact the ability of
the system to maintain operational effectiveness. One aspect of maintaining oper
ational effectiveness is protection from unauthorized changes or deletions by de
fining authorized access and enforcing access controls. Operational effectivenes
s is also maintained by detecting intrusions, detecting loss of wholeness, and p
roviding the means of returning to a secure state.
The services that provide for availability also provide for integrity. This is b
ecause maintaining or restoring system integrity is an essential part of maintai
ning system availability.
By definition, integrity is the property that protected and sensitive data has n
ot been modified or deleted in an unauthorized and undetected manner. By definit
ion, availability means ensuring timely and reliable access to and use of data a
nd information by authorized users. How is the data available to authorized user
s if it was deleted or destroyed?
The security services provided to fulfill the security objectives of availabilit
y, confidentiality, accountability, and assurance together have nothing in commo
n.
70. Web spoofing using the man-in-the-middle attack is an example of which of t
he following?
a.
b.
c.
d.
Browser-oriented attacks
Server-oriented attacks
Network-oriented attacks
User-oriented attacks
Filters
Incident response handling
Security policy
Risk analysis
71. a. Filters can examine program code at points of entry and block or disable
it if deemed harmful. Examples of filters include ingress filtering, egress filt
ering, and intrusion detection systems. The other three choices are examples of
management and operational safeguards (controls).
72. To mitigate the risks of using active content, which of the following is an
example of a technical safeguard?
a.
b.
c.
d.
Security audit
Evaluated technology
Application settings
Software cages
Version control
Digital signatures
Patch management
System isolation
73. b. Digital signatures can prevent a program code execution unless it is digi
tally signed by a trusted source (a technical safeguard). The other three choice
s are examples of management and operational safeguards.
74. To mitigate the risks of using active content, which of the following is an
example of a technical safeguard?
a.
b.
c.
d.
Virtualization
Isolate proprietary program components
Proof carrying code
Isolate tightly bounded programs
74. c. Proof carrying code (a technical safeguard) contains the safety propertie
s of the program code. The code and the proof are sent together to the code cons
umer (user) where the safety properties can be verified before the code is execu
ted. The other three choices are examples of management and operational safeguar
ds.
75. Which of the following statements are true about the operation of a trusted
platform module (TPM) chip?
1. TPM
2. TPM
3. TPM
.
4. TPM
ion.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
4
4
3, and 4
75. b. Each trusted platform module (TPM) chip requires an owner password to pro
tect data confidentiality. Hence, the selected passwords should be strong. Eithe
r the owner password or the data on the TPM should be backed up to an alternativ
e secure location. The TPM chip cannot be circumvented even after it is shut off
by someone with physical access to the system because the chip is residing on t
he computer motherboard. If the owner password is lost, stolen, or forgotten, th
e chip can be reset by clearing the TPM, but this action also clears all data st
ored on the TPM.
76. A trusted platform module (TPM) chip can protect which of the following?
1.
2.
3.
4.
Digital signatures
Digital certificates
Passwords
Cryptographic keys
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
4
4
3, and 4
Cryptography
Physical security controls
Locked storage container
Procedural security controls
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
77. a. Both digital and nondigital media should be protected with cryptography (
encryption) and physical security controls when they are at rest on selected sec
ondary storage devices. Locked storage containers and procedural security contro
ls are not appropriate for media at rest.
78. Polyinstantiation approaches are designed to solve which of the following p
roblems in databases?
a.
b.
c.
d.
Lack
Lack
Lack
Lack
of
of
of
of
tranquility
reflexivity
transitivity
duality
78. a. Lack of tranquility exposes what has been called the multiple update confl
ict problem. Polyinstantiation approaches are the best solution to this problem.
Tranquility is a property applied to a set of controlled entities saying that th
eir security level may not change. The principle behind tranquility is that chan
ges to an objects access control attributes are prohibited as long as any subject
has access to the object. Reflexivity and transitivity are two basic informatio
n flow properties. Duality is a relationship between nondisclosure and integrity
.
79. Which of the following strategies is used to protect against risks and vuln
erabilities at every stage of system, network, and product life cycles?
a.
b.
c.
d.
Defense-in-breadth
Defense-in-depth
Defense-in-technology
Defense-in-time
3. It is language-independent.
4. It is not platform-specific.
a.
b.
c.
d.
1
2
3
1
and
and
and
and
2
3
4
4
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
systems
level systems
by lower layers on the functionality of higher layers
between layers of the design
3
4
4
3, and 4
82. c. Hybrid safeguards combine more than one control. Combining software cages
and digital signatures is an example of hybrid technical safeguard. The other t
hree choices are examples of management and operational safeguards.
83. To mitigate the risks of using active content, which of the following is an
example of hybrid technical safeguards?
a.
b.
c.
d.
83. a. Hybrid technical safeguards combine more than one control. Blending the p
roof carrying code and filters is an example of hybrid technical safeguard. The
blending of proof carrying code and software cage is known as model-carrying cod
e. The other three choices are examples of management and operational safeguards
.
84. Which of the following IT platforms face a single point-of-failure situatio
n?
a.
b.
c.
d.
Wide-area networks
Distributed systems
Mainframe systems
Websites
Sandbox
S-box
Dynamic sandbox
Behavioral sandbox
85. b. S-box is a nonlinear substitution table box used in several byte substitu
tion transformations in the cryptographic key expansion routine to perform a one
-for-one substitution of a byte value. S-box is not related to the three choices
. An application in a sandbox is usually restricted from accessing the file syst
em or the network (e.g., JavaApplet). Extended technologies of a sandbox include
dynamic sandbox or runtime monitor (i.e., behavioral sandbox), which are used i
n software cages and proof carrying code to protect against active content and f
or controlling the behavior of mobile code.
86. For information assurance vulnerabilities, what is independent validation o
f an information system conducted through?:
a.
b.
c.
d.
Penetration testing
Conformance testing
Red team testing
Blue team testing
Distributed
Subject-oriented
Time-variant
Static in nature
87. a. Databases can be distributed, but not the data warehouse. A distributed d
ata warehouse can have all the security problems faced by a distributed database
. From a security viewpoint, data warehousing provides the ability to centrally
manage access to an organizations data regardless of a specific location. A data
warehouse is subject-oriented, time-variant, and static in nature.
88. Database application systems have similarities and differences from traditio
nal flat file application systems. Database systems differ most in which of the
Referential integrity
Access controls
Data editing and validation routines
Data recovery
88. a. Referential integrity means that no record may contain a reference to the
primary key of a nonexisting record. Cascading of deletes, one of the features
of referential integrity checking, occurs when a record is deleted and all other
referenced records are automatically deleted. This is a special feature of data
base applications.
The other three choices are incorrect because they are the same for flat file an
d database systems. They both need access controls to prevent unauthorized users
accessing the system, they both need data editing and validation controls to en
sure data integrity, and they both need data recovery techniques to recover from
a damaged or lost file.
89. Software re-engineering is where:
a.
b.
c.
d.
Rollback
Roll-forward
Commit
Savepoint
91. The structured query language (SQL) server enables many users to access the
same database simultaneously. Which of the following locks is held until the en
d of the transaction?
a.
b.
c.
d.
Exclusive lock
Page lock
Table lock
Read lock
Perimeter barriers
Property insurance
Separation of duties
Integrity verification software
93. c. Penetration testing (e.g., blue team or red team testing) against circumv
enting the security features of a computer system is an example of the second li
ne-of-defense.
The other three choices are examples of the first line-of-defense mechanisms. Pe
netration testing follows vulnerability scanning and network scanning, where the
latter are first line-of-defenses. Penetration testing either proves or disprov
es the vulnerabilities identified in vulnerability/network scanning.
The line-of-defenses are security mechanisms for limiting and controlling access
to and use of computer system resources. They exercise a directing or restraini
ng influence over the behavior of individuals and the content of computer system
s. The line-of-defenses form a core part of defense-in-depth strategy or securit
y-in-depth strategy.
94. Which of the following is an example of last line-of-defense?
a.
b.
c.
d.
Quality assurance
System administrators
Physical security controls
Employee bond coverage
e security mechanisms for limiting and controlling access to and use of computer
system resources. They exercise a directing or restraining influence over the b
ehavior of individuals and the content of computer systems.
95. In a public cloud computing environment, which of the following provides se
rver-side protection?
a.
b.
c.
d.
95. d. Virtual firewalls can be used to isolate groups of virtual machines from
other hosted groups, such as the production system from the development system o
r the development system from other cloud-resident systems. Hardening of the ope
rating system and applications should occur to produce virtual machine images fo
r deployment. Carefully managing virtual machine images is also important to avo
id accidentally deploying images under development or containing vulnerabilities
.
Plug-ins, add-ons, backdoor Trojan viruses, and keystroke loggers are examples o
f client-side risks or threats to be protected from. Encrypted network exchanges
provide client-side protection.
96. Which of the following is not a core part of defense-in-depth strategy?
a.
b.
c.
d.
Least functionality
Layered protections
System partitioning
Line-of-defenses
Encrypted cookies
Session cookies
Persistent cookies
Tracking cookies
pyware detection and removal utility software specifically looks for tracking co
okies on systems.
Encrypted cookies are incorrect because they protect the data from unauthorized
access. Session cookies are incorrect because they are temporary cookies that ar
e valid only for a single website session. Persistent cookies are incorrect beca
use they are stored on a computer indefinitely so that a website can identify th
e user during subsequent visits.
98. A system is in a failure state when it is not in a:
1.
2.
3.
4.
Protection-state
Reachable-state
System-state
Initial-state
a.
b.
c.
d.
1 or 2
1 and 3
3 and 4
1, 2, 3, and 4
Browser-oriented
User-oriented
Server-oriented
Network-oriented
tify the systems components and their interrelationships and create representatio
ns of the system in another form or at a higher level of abstraction. Some shrin
k-wrap agreements contain an express prohibition on reverse engineering, decompi
lation, or disassembly. The correct answer does not hurt the software copyright
owner, and it is legal. The other three choices are based on bad intentions on t
he part of the user and hence can be illegal.
101. When the requirements of the ISOs Information Security Management Systems (
ISO/IEC 27001) framework are applied to any computing environment, measure and im
prove controls belong to which of the following PDCA cycle steps?
a.
b.
c.
d.
Plan
Do
Check
Act
Repeatability
Objectivity
Judgment
Knowledge
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
Reducing risks
Protecting assets
Objective elements
Subjective elements
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
103. d. Evaluation should lead to objective and repeatable results that can be c
ited as evidence, even if there is no totally objective scale for representing t
he results of a security evaluation. As the application of criteria contains obj
ective and subjective elements, precise and universal ratings for IT security ar
e infeasible. Reducing risks and protecting assets are the outcomes of a target
of evaluation (TOE).
104. Regarding Common Criteria (CC), how should a Security Target (ST) be used?
1.
2.
3.
4.
Before evaluation
After evaluation
Detailed specification
Complete specification
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
104. c. A typical security target (ST) fulfills two roles such as before and dur
ing the evaluation and after the evaluation. Two roles that an ST should not ful
fill include a detailed specification and a complete specification.
105. For Common Criteria (CC), how should a Protection Profile (PP) be used?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
Objective results
Repeatable results
Defensible results
Evidential results
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
106. d. The target of evaluation (TOE) in the Common Criteria (CC) leads to obje
ctive and repeatable results that are defensible and can be cited as evidence.
107. Regarding Common Criteria (CC), reference monitor concept is applied to en
force which of the following?
a.
b.
c.
d.
Communication channel
Covert channel
Exploitable channel
Overt channel
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
SOAP attacks.
SOAs are dynamic and can seldom be fully constrained to the physical boundaries
of a single network.
110. Which of the following cannot protect simple object access protocol (SOAP)
messages in a service-oriented architecture (SOA) providing Web services?
a.
b.
c.
d.
XML
XML
XML
XML
encryption
gateway
signature
parser
Chain
Chain
Chain
Chain
of
of
of
of
auctioneers
providers
intermediaries
consumers
Mesh topology
Star topology
Bus topology
Tree topology
113. a. A mesh topology is a network in which there are at least two nodes with
two or more paths between them. If one path fails, the network reroutes traffic
over an alternative path thus providing a high degree of fault tolerance mechani
sm. Thus, mesh topology is not vulnerable to a single point-of-failure.
The other three choices are subjected to a single point-of-failure. The single c
entral hub in star and tree topology and the single cable in bus topology are vu
lnerable to a single point-of-failure.
114. Which of the following describes one process signaling information to anot
her by modulating its own use of system resources in such a way that this manipu
lation affects the real response time observed by the second process?
a.
b.
c.
d.
A communication channel
A covert storage channel
A covert timing channel
An exploitable channel
114. c. The statement fits the description of a covert timing channel. A communi
cation channel is the physical media and device that provides the means for tran
smitting information from one component of a network to other components. An exp
loitable channel is any channel usable or detectable by subjects external to the
Trusted Computing Base (TCB).
115. Which of the following is not vulnerable to a single point-of-failure?
a.
b.
c.
d.
Internet
Converged network
Password synchronization
Domain name system server
115. a. Despite its security weaknesses, the Internet is not vulnerable to a sin
gle point-of-failure because it uses a point-to-point protocol (PPP) as the prim
ary data link layer protocol over point-to-point lines. PPP handles error detect
ion, supports multiple framing mechanisms, performs data compression and reliabl
e transmission, enables IP addresses to be negotiated at connection time, and pe
rmits authentication. If one path or point fails, the Internet switches to anoth
er path or point therefore providing a solid connection.
The other three choices are vulnerable to a single point-of-failure. A converged
network combines both data and voice, and as such it is vulnerable. Password sy
nchronization can be a single point-of-failure because it uses the same password
for many resources. The domain name system (DNS) server can become a single poi
nt-of-failure if there are no fault-tolerant and redundant mechanisms.
116. It is best to assume that external computer systems are:
a.
b.
c.
d.
Simple
Secure
Insecure
Complex
System partitioning
Nonmodifiable executable programs
Resource isolation
Domain separation
Communication channel
Security-compliant channel
Trusted channel
Memory channel
Exploitable channel
Communications channel
Security-compliant channel
Memory channel
119. c. A security-compliant channel enforces the network policy and depends onl
y upon characteristics of the channel either included in the evaluation or assum
ed as an installation constraint.
120. The use of which of the following can lead to the existence of a covert ch
annel?
a.
b.
c.
d.
Data label
Dual label
Floating label
Fixed label
120. c. The covert channel problem resulting from the use of floating labels can
lead to erroneous information labels. A fixed label is a part of a dual label.
121. Which of the following is needed for the correct operation of other securi
ty mechanisms?
a.
b.
c.
d.
Compromise
Compromise
Compromise
Compromise
from
from
from
from
above
within
below
cross domains
Sequencing plan
System lifecycle
Technical architecture
Logical architecture
Collection of data
Management of data
Use of data
Archiving of data
127. c. The action item Base security on open standards for portability and inter
operability is a part of the ease-of-use security principle. The other three choi
ces are part of the reduce vulnerabilities security principle.
128. Which of the following security controls are needed to protect digital and
nondigital media during their transport?
1.
2.
3.
4.
Cryptography
Physical security controls
Locked storage container
Procedural security controls
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
128. d. Both digital and nondigital media during transport should be protected w
ith cryptography (encryption), physical security controls, locked storage contai
ners, and procedural security controls.
129. Information system partitioning is a part of which of the following protec
tion strategies?
a.
b.
c.
d.
Defense-in-breadth
Defense-in-depth
Defense-in-technology
Defense-in-time
nse-in-time considers different time zones in the world to operate global inform
ation systems.
130. Which of the following creates several independent demilitarized zones (DM
Zs) on a network?
a.
b.
c.
d.
First line-of-defense
Second line-of-defense
Last line-of-defense
Multiple lines-of-defense
Functional
Technical
Physical
Mechanical
Cloud computing
Smart grid computing
Utility computing
Quantum computing
mart grid is essential because it improves power reliability, quality, and resil
ience. The goal is to build a safe and secure smart grid that is interoperable,
end-to-end. Smart grid computing needs cyber security measures because it uses c
yber computing.
Utility computing means allowing functional users (end-users) to access technolo
gy-based services to perform specific and simple tasks (for example, to run a st
orage backup program and a disk/file recovery program) without requiring much of
the technical knowledge. Quantum computing deals with computers with large word
sizes.
134. In a public cloud computing environment, which of the following provides cl
ient-side protection?
a.
b.
c.
d.
Create
Create
Create
Create
encrypted cookies
session cookies
persistent cookies
tracking cookies
135. a. A cookie is a small data file that holds information about the use of a
particular website. Cookies often store data in plain text, which could allow an
unauthorized party that accesses a cookie to use or alter the data stored in it
. Some websites create encrypted cookies, which protect the data from unauthoriz
ed access during a users Web browsing session.
Session cookies are incorrect because they are temporary cookies that are valid
only for a single website session. Persistent cookies are incorrect because they
are stored on a computer indefinitely so that a website can identify the user d
uring subsequent visits. These cookies can help websites serve their users more
effectively. Unfortunately, persistent cookies also can be misused as spyware to
track a users Web browsing activities for questionable reasons without the users
knowledge or consent. Tracking cookies are incorrect because they are placed on
a users computer to track the users activity on different websites, creating a det
ailed profile of the users behavior.
136. The detect-and-respond infrastructure for information assurance requires w
hich of the following?
1.
2.
3.
4.
Intrusion detection
Cryptographic key management infrastructure
Monitoring software
Public key infrastructure
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
Principles
Practices
Avoidance
Harm reduction
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
137. d. Two main approaches to mitigate the risks in using active content includ
e avoidance, which is staying completely clear of known and potential vulnerabil
ities and harm reduction, which is applying measures to limit the potential loss
due to exposure. The other three choices are incorrect because principles and p
ractices are a part of security policy, which is a part of safeguards or control
s.
138. Implementing layered and diverse defenses to an information system means:
1.
2.
3.
4.
Attacks
Attacks
Placing
Placing
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
4
3, and 4
It
It
It
It
is
is
is
is
a
a
a
a
central
central
central
central
catalog
catalog
catalog
catalog
of
of
of
of
programs.
processes.
data.
objects.
140. c. A data dictionary is a tool to help organizations control their data ass
ets by providing a central catalog of data. The data dictionary requires securit
y protection.
141. What is a database relation containing multiple rows with the same primary
key called?
a.
b.
c.
d.
Polyinstantiation
Polymorphism
Inference
Aggregation
Raw data
Massaged data
Source data
Transaction data
142. b. A database contains raw data whereas a data warehouse contains massaged
data (i.e., summarized data or correlated data). Source data and transaction dat
a are the same as raw data.
143. Which of the following tools is most useful in detecting security intrusion
s?
a.
b.
c.
d.
Data
Data
Data
Data
mining tools
optimization tools
reorganization tools
access tools
143. a. Data mining is a set of automated tools that convert the data in the dat
a warehouse to some useful information. It selects and reports information deeme
d significant from a data warehouse or database. Data mining techniques can also
be used for intrusion detection, fraud detection, and auditing the databases. Y
ou can apply data mining tools to detect abnormal patterns in data, which can pr
ovide clues to fraud.
Data optimization tools improve database performance. Data reorganization tools
help relocate the data to facilitate faster access. Data access tools help in re
aching the desired data.
144. Which of the following can be most easily exploited when executing behind f
irewalls?
a.
b.
c.
d.
Electronic mail
Web requests
Active-X controls
File transfer protocol
Active-X controls
Java Applets
JavaScripts
E-mail attachments
145. b. Java Applets have a sound security model to prevent malicious code behav
ior when compared to Active-X controls, JavaScripts, and e-mail attachments. Jav
a applets use a technology-oriented policy called the sandbox concept. The Java
Sandbox prevents Java applets from using sensitive system services. With all oth
er forms of active content, the security policy is trust-based. That is, the use
r must trust the source of the active content and assume the risk in case the ac
tive content causes harm, whether through malicious intention or through inadver
tent flaws in the code.
Although most malicious file attachments have suspicious file extensions, such a
s .bat, .cmd, .exe, .pif, .vbs, and .scr, the use of once-benign file extensions
, such as .zip, has become more prevalent for malicious file attachments.
146. Which one of the following security features and mechanisms is specified b
y the structured query language (SQL) standards?
a.
b.
c.
d.
146. b. The database language SQL is a standard interface for accessing and mani
pulating relational databases. Many critical security features are not specified
by SQL; others are specified in one version of SQL but omitted from earlier ver
sions. A database may be in a consistent or inconsistent state. A consistent sta
te implies that all tables (or rows) reflect some real-world change. An inconsis
tent state implies that some tables (or rows) have been updated but others still
reflect the old world. Transaction management mechanisms are applied to ensure
that a database remains in a consistent state at all times. These mechanisms ena
ble the database to return to the previous consistent state if an error occurs.
Identification and authentication mechanisms are not specified in SQL. However,
they are required implicitly. In the simplest case, the user authenticates his i
dentity to the system at logon. That information is maintained throughout the se
ssion. The information is passed to the DBMS when the DBMS is accessed. The stre
ngth of authentication varies with the type, implementation, and management of t
he authentication mechanisms. The SQL specification does not include auditing re
quirements, but SQL products may include some auditing functionality. Warning me
chanisms are closely related to auditing requirements. If the SQL processor incl
udes auditing, the operating system must have sufficient access controls to prev
ent modification of, or access to, the audit trail. Fault tolerance is not requi
red by any SQL specification but is a feature of certain SQL implementations. Fa
ult-tolerant systems address system failure; disk array technology can be used t
o address storage media failure.
147. Which of the following characterizes the relational database technology?
a.
b.
c.
d.
147. a. Relational database technology deals with tables, rows, and columns. A h
ierarchical data model (tree structure) consists of nodes and branches and paren
ts and children. The highest node is called a root. The node types are called se
gment-types. The root node type is called the root-segment-type. Blocks and arro
ws can be found in the network data model.
148. In a relational database management system, which one of the following typ
es of security locking mechanisms best achieves the concept of fine-grain lockin
g?
a.
b.
c.
d.
Row-level locking
Table-level locking
Block-level locking
File-level locking
Autonomy
Reliability
Flexibility
Data backup
149. d. Distributed database management systems are complex to develop and maint
ain and mission critical data may need to be placed centrally to use backup faci
lities typically available at a central location. These are some disadvantages o
f being distributed.
The other three choices are incorrect. Autonomy and better control are provided
to local management. Reliability is increased; that is, if one server goes down,
most of the data remains accessible. Flexibility is provided; that is, users te
nd to request locally created and maintained data more frequently than data from
other locations. These are advantages of being distributed.
150. Which one of the following data models is suitable for predetermined data
relationships?
a.
b.
c.
d.
150. a. The hierarchical data structures are suitable for predetermined data rel
ationships, so frequently found, that have a superior/inferior connotation, as p
arents to child, manager to subordinate, whole to parts, and so on. Despite this
naturalism, this model requires the user to understand fairly complex arrangeme
nts when a large, diverse database is assembled with it. Depending on the DBMS i
mplementation, this model can be efficient in saving storage and in processing h
igh volume, routine transactions while accessing records one at a time. It has p
roven also to be an effective model for query techniques that operate on sets of
records.
The network model provides somewhat more general structures than the hierarchica
l, for relating diversified data with concern for saving storage. The resulting
database may be complex, and the user, normally a programmer, must carefully tra
ck the current reference position among the data occurrences. For this reason, t
he network structure is said to induce a navigational approach in processing tra
nsactions. The network model is capable of high efficiency in performance and st
orage use. Query facilities, although available, are less developed for this mod
el than for the other models.
The relational model is widely accepted as the most suitable for end users becau
se its basic formulation is easily understood, and its tabular data structure is
obvious and appealing to laymen. Query language innovations are most pronounced
for this model over others.
The distributed model can be thought of as having many network nodes and access
paths between the central and local computers and within the local computer site
s. Database security becomes a major issue in a truly distributed environment, w
here data itself is distributed and there are many access paths to the data from
far-flung locations.
151. A restart and recovery mechanism for a database management system (DBMS) wo
uld not include which of the following?
a.
b.
c.
d.
Rollback approach
Reorganization
Shadowing approach
Versioning facility
ems.
d. A data dictionary can exist only with a database system.
152. b. In the case of an active data dictionary, there is no option, meaning th
at the data dictionary and the database management system go together; they need
each other to function effectively.
The other three choices are not correct because (i) both active and passive data
dictionaries are useful, (ii) a passive data dictionary may or may not require
a check for currency of data descriptions before a program is executed, and (iii
) nondatabase systems can have data dictionaries.
153. Deadly embraces or deadlock situations in a database can best be handled t
hrough which of the following?
a.
b.
c.
d.
Prevention
Detection
Correction
Ignoring
153. a. There are two general methods of handling deadlocks. The preferred metho
d involves detecting the probability of deadlock and preventing its occurrence.
The other method involves detecting the deadlock when it occurs and doing someth
ing to correct it. Deadlocks can be prevented through good database design, espe
cially with physical design efforts. Deadlock situations are too common to ignor
e. Consistent use of the database can minimize the chances of deadlock.
154. Which of the following is not an example of a first line-of-defense?
a.
b.
c.
d.
154. c. Audit trails and logs provide after-the-fact information to detect anoma
lies and therefore cannot provide the first line-of-defenses in terms of prevent
ing an anomaly. Audit trails and logs provide second line-of-defenses, whereas a
ll the other three choices provide first line-of-defense mechanisms.
155. Which of the following is an example of last line-of-defense?
a.
b.
c.
d.
Employee vigilance
Program change controls
Fault-tolerant techniques
Exterior protection
155. a. People can detect abnormalities that machines cannot through their commo
n sense; therefore, employee vigilance is the last line-of-defense against anyth
ing that has escaped the first and/or second line-of-defense mechanisms. Exterio
r protection, such as walls and ceilings designed to prevent unauthorized entry,
are examples of second line-of-defense, whereas the other three choices are exa
mples of the first line-of-defense mechanisms.
The line-of-defenses are security mechanisms for limiting and controlling access
to and use of computer system resources. They exercise a directing or restraini
ng influence over the behavior of individuals and the content of computer system
s. The line-of-defenses form a core part of defense-in-depth strategy or securit
y-in-depth strategy.
156. The principal aspects of the defense-in-depth strategy to achieve an effect
ive information-assurance posture do not include which of the following?
a.
b.
c.
d.
People
Processes
Technology
Operations
a.
b.
c.
d.
1 and
2 and
1, 2,
1, 2,
2
3
and 3
3, and 4
HTTP cookies
CGI scripts
PGP cookie cutter program
Applets
160. c. The full name of a cookie is a Persistent Client State HTTP Cookie, whic
h can be an intrusion into the privacy of a Web user. A cookie is a basic text f
ile, transferred between the Web server and the Web client (browser) that tracks
where a user went on the website, how long the user stayed in each area, and so
on. The collection of this information behind the scenes can be seen as an intr
usion into privacy. Access to hypertext transfer protocol (HTTP) cookies can be
denied. The pretty good privacy (PGP) cookie cutter program can prevent informat
ion about a user from being captured.
A common gateway interface (CGI) script is a small program to execute a single t
ask on a Web server. These scripts are useful for filling out and submitting Web
forms and hold information about the server on which they run. This information
is also useful to an attacker, which makes its risky. The script can be attacke
d while running. Applets enable a small computer program to be downloaded along
with a Web page.
Applets have both good and bad features. Making a Web page look richer in featur
es is a good aspect. Siphoning off files and erasing a hard drive are some examp
les of bad aspects.
161. What is the least effective way to handle the Common Gateway Interface (CGI
) scripts?
a.
b.
c.
d.
Avoid them.
Delete them.
Execute them.
Move them away.
161. c. Some hypertext transfer protocol (HTTP) servers come with a default dire
ctory of CGI scripts. The best thing is to delete or avoid these programs, or mo
ve them away to another location. The CGI scripts are dangerous because they are
vulnerable to attack while executing.
162. Which of the following action items is not a part of the security principle
of increase resilience?
a.
b.
c.
d.
162. b. The action item Use common languages in developing security requirements i
s a part of ease-of-use security principle. The other three choices are part of
the increase resilience security principle.
163. Which of the following is not the common security approach taken by Java an
d Active-X?
a.
b.
c.
d.
Hardware
Software
Human judgment
Digital signature
163. a. Active-X technology relies on human judgment and the use of digital sign
atures. Java relies more on software. They are not dependent on hardware.
164. What is the most effective control against Active-X programs?
a.
b.
c.
d.
164. d. The problem with Active-X programs is that users may download a program
signed by someone with whom the user is unfamiliar. A policy statement about who
can be trusted is difficult to implement. The most effective control is to proh
ibit all Active-X programs.
165. Which of the following represents a single point-of-failure?
a. Network server
b. Database server
c. Firewall
d. Router
165. c. A firewall tends to concentrate security in a single point, which can le
ad to the potential of compromising the entire network through a single point. I
f the firewall fails, the entire network could be attacked. The other three choi
ces are not examples of single point-of-failure.
166. Which of the following is an example of second line-of-defense?
a.
b.
c.
d.
It
It
It
It
167. b. The system protection profile (PP) format of Common Criteria (CC) can be
used for presenting the results of the needs determination and requirements ana
lysis. Further, a system PP acts as a record of the security analysis performed
during this specification generation process. The PP provides all the things men
tioned in the other three choices. Therefore, a system PP should be viewed as an
evolving document that is not simply the result of the initial security analysis,
but is also the full record of the security analysis performed during the cours
e of the specification generation process.
168. Which of the following actions is not a part of the increase resilience sec
urity principle?
a. Operate an IT system to limit damage and to be resilient in response.
b. Do not implement unnecessary security mechanisms.
c. Isolate public access systems from mission-critical resources.
d. Implement audit mechanisms to detect unauthorized use and to support incident
investigations.
168. b. The action item Do not implement unnecessary security mechanisms is a part
of the reduce vulnerabilities. security principle. The other three choices are
part of the increase resilience security principle.
169. Which of the following is required for a distributed information system to
support migration to new technology or upgrade of new features?
1.
2.
3.
4.
Modular design
Common language
Interoperability
Portability
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
4
3, and 4
169. d. The security design should be modular so that individual parts of the se
curity design can be upgraded without the requirement to modify the entire syste
m. The use of a common language (e.g., the Common Criteria) during the developme
nt of security requirements permits organizations to evaluate and compare securi
ty products and features. This evaluation can be made in a common test environme
nt. For distributed information systems to be effective, security program design
ers should make every effort to incorporate interoperability and portability int
o all security measures, including hardware and software, and implementation pra
ctices.
170. From a relative risk viewpoint, the need for layered security protection i
s most important for which of the following systems in order to protect against
sophisticated attacks?
a.
b.
c.
d.
170. b. The need for layered security protection is most important when commerci
al off-the-shelf products are used from software vendors. Practical experience h
as shown that the current state-of-the-art for security quality in vendors commer
cial system products does not provide a high degree of protection against sophis
ticated attacks. Additional security controls are needed to provide a layered se
curity protection because the vendor product is a generic product with minimal s
ecurity controls for all customers use.
The systems in the other three choices are internal systems to an organization t
hat are developed with a specific business purpose and with adequate security co
ntrols. General support system is an interconnected set of information resources
under the same direct management control that share common functionality, inclu
ding hardware, software, data/information, applications, communications, and peo
ple. An information system is classified as a major system when its development,
maintenance, and operating cost are high and when it has a significant role in
the overall operations of an organization.
171. Which of the following are required for an information system to become re
silient?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
3
3, and 4
a.
b.
c.
d.
Passwords
Disk mirroring
Audit trails
Redundant array of independent disk
Perimeter-based security
Network-based computing environment
Host-based computing environment
Host-based security
173. c. Detect and respond actions effectively mitigate the effects of attacks t
hat penetrate and compromise the network. The host-based computing environment i
s the last (final) line-of-defense for the defense-in-depth strategy. The protec
tion approach must take into account some facts such as workstations and servers
can be vulnerable to attacks through poor security postures, misconfigurations,
software flaws, or end-user misuse.
Perimeter-based security is incorrect because it is a technique of securing a ne
twork by controlling accesses to all entry and exit points of the network. Netwo
rk-based computing environment is incorrect because it focuses on effective cont
rol and monitoring of data flow into and out of the enclave, which consists of m
ultiple LANs, ISDNs, and WANs connected to the Internet. It provides a first lin
e-of-defense. Host-based security is incorrect because it is a technique of secu
ring an individual system from attacks.
The line-of-defenses are security mechanisms for limiting and controlling access
to and use of computer system resources. They exercise a directing or restraini
ng influence over the behavior of individuals and the content of computer system
s. The line-of-defenses form a core part of defense-in-depth strategy or securit
y-in-depth strategy.
174. What do fundamental goals of the defense-in-depth include?
a.
b.
c.
d.
175. a. Passwords and user identification are the first line-of-defense against
a breach to a networks security. Several restrictions can be placed on passwords
to improve their effectiveness. These restrictions may include minimum length an
d format and forced periodic password changes.
Software testing is the last line-of-defense to ensure data integrity and securi
ty. Therefore, the software must be tested thoroughly by end users, information
systems staff, and computer operations staff.
Switched ports (not Cisco switches) are among the most vulnerable security point
s on a network. These allow dial in and dial out access. They are security risks
because they allow users with telephone terminals to access systems. Although c
allback or dial-back is a potential control as a first line-of-defense, it is no
t necessarily the most effective because of the call forwarding capability of te
lephone circuits.
For online applications, the logging of all transactions processed or reflected
by input programs provides a complete audit trail of actual and attempted entrie
s, thus providing a last line-of-defense. The log can be stored on tape or disk
files for subsequent analysis. The logging control should include the date, time
, user ID and password used, the location, and number of unsuccessful attempts m
ade.
The line-of-defenses are security mechanisms for limiting and controlling access
to and use of computer system resources. They exercise a directing or restraini
ng influence over the behavior of individuals and the content of computer system
s. The line-of-defenses form a core part of defense-in-depth strategy or securit
y-in-depth strategy.
176. Which of the following enables adequate user authentication of mobile hand
-held devices?
a.
b.
c.
d.
First line-of-defense
Second line-of-defense
Third line-of-defense
Last line-of-defense
Abstraction
Data hiding
Layering
Encryption
b. 60 percent
c. 70 percent
d. 91 percent
178. d. Controls work in an additive way, meaning that their combined effect is
far greater than the sum of each individual effect. In combination, both control
s should miss only 9 percent (i.e., 0.3 x 0.3) of attacks. This means 91 percent
(i.e., 100 percent 9 percent) of attacks should be caught. Forty percent is inc
orrect because it adds 30 percent and 30 percent and subtracts the result from 1
00%. Sixty percent is incorrect because it simply adds 30 percent for Control A
and B. Seventy percent is incorrect because it subtracts 30 percent from 100 per
cent, resulting in 70 percent.
179. Pharming attacks are an example of which of the following?
a.
b.
c.
d.
Browser-oriented attacks
Server-oriented attacks
Network-oriented attacks
User-oriented attacks
179. c. An attacker may modify the domain name system (DNS) mechanism to direct
it to a false website. These techniques are often used to perform pharming attac
ks, where users may divulge sensitive information. Note that pharming attacks ca
n also be initiated by subverting the victims host computer files.
180. Which of the following is an example of a single point-of-failure?
a.
b.
c.
d.
Security administration
Single sign-on
Multiple passwords
Network changes
Firewall
Attack detection software
Password
Internal controls
a.
b.
c.
d.
182. c. The perimeter barriers such as gates and guards, which are located at an
outer edge of a property, provide a first line-of-defense. Exterior walls, ceil
ings, roofs, and floors of a building themselves provide a second line-of-defens
e. Interior areas within a building such as doors and windows provide a third li
ne-of-defense. All these examples are physical security mechanisms. The first li
ne-of-defense is always better than the other lines-of-defenses due to cost, tim
e, and effectiveness factors.
The line-of-defenses are security mechanisms for limiting and controlling access
to and use of computer system resources. They exercise a directing or restraini
ng influence over the behavior of individuals and the content of computer system
s. The line-of-defenses form a core part of defense-in-depth strategy or securit
y-in-depth strategy.
183. Which of the following is the correct approach for an information system t
o separate user functionality from management functionality?
a.
b.
c.
d.
Application partitioning
Boundary protection
Security parameters
Controlled interfaces
Hardware
Software
Architecture
Vendor
d. Domain separation
185. b. A nonmodifiable executable program is the one that loads and executes th
e operating environment and application system from hardware-enforced and read-o
nly media (e.g., CD-R/DVD-R disk drives). The term operating environment is defi
ned as the code upon which application systems are hosted (e.g., a monitor, exec
utive, operating system, or application system running directly on the hardware
platform). Use of nonmodifiable storage ensures the integrity of the software pr
ogram from the point of creation of the read-only image. It can eliminate the po
ssibility of malicious code insertion via persistent, writeable storage.
System partitioning means breaking the system into components to reside in separ
ate physical domains or environments as deemed necessary. Resource isolation is
the containment of subjects and objects in a system in such a way that they are
separated from one another. Domain separation relates to the mechanisms that pro
tect objects in the system.
186. Which of the following provides organizations with the ability to disguise
information systems and to reduce the likelihood of successful attacks without
the cost of having multiple platforms?
a.
b.
c.
d.
Virtual computing
Virtual machine software
Virtualization technologies
Virtualized networking
b. Scripts
c. Document formats
d. Active-X controls
187. d. On the browser (client) side, unnecessary plug-ins, add-ons, or Active-X
controls should be removed. It is also recommended to substitute programs with
lesser functionality in lieu of fully capable helper applications or plug-ins.
The other three choices are risks from the server side. On the server side, any
unnecessary software not needed in providing Web services should be removed as w
ell, particularly any software development tools that could be used to further a
n attack if an intruder should gain an initial foothold. Ideally, server-side sc
ripts should constrain users to a small set of well-defined functionality and va
lidate the size and values of input parameters so that an attacker cannot overru
n memory boundaries or piggyback arbitrary commands for execution. Scripts shoul
d be run only with minimal privileges (i.e., nonadministrator) to avoid compromi
sing the entire website in case the scripts have security flaws. Potential secur
ity weaknesses can be exploited even when Web applications run with low privileg
e settings. For example, a subverted script could have enough privileges to mail
out the system password file, examine the network information maps, or launch a
login to a high numbered port.
Whenever possible, content providers and site operators should provide material
encoded in less harmful document formats. For example, if document distillers ar
e not available to convert textual documents into portable document format (PDF)
, an alternative is to make available a version in .rtf (rich text format), rath
er than a proprietary word processing format.
188. Which of the following is an issue when dealing with information cross-dom
ains?
a.
b.
c.
d.
Authentication policy
Level of trust
Common infrastructure
Shared infrastructure
Physical isolation
Demilitarized zones
Screened subnets
Security policies and procedures
a.
b.
c.
d.
1 and
2 and
1 and
1, 2,
2
3
4
3, and 4
s may include using network architecture designs such as demilitarized zones (DM
Z) and screened subnets. Finally, system designers and administrators should enf
orce organizational security policies and procedures regarding use of public-acc
ess systems.
190. Enclave boundary for information assurance is defined as which of the foll
owing?
1.
2.
3.
4.
The
The
The
The
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
4
4
3, and 4
190. d. The enclave boundary is the point at which information enters or leaves
the enclave or organization. Due to multiple entry and exit points, a layer of p
rotection is needed to ensure that the information entering does not affect the
organizations operation or resources, and that the information leaving is authori
zed. Information assets exist in physical and logical locations and boundaries e
xist between these locations.
191. Operations, one of the principal aspects of the defense-in-depth strategy d
oes not include which of the following?
a.
b.
c.
d.
Readiness assessments
Security management
Cryptographic key management
Physical security
191. d. Physical security is a part of the people principal, whereas all the oth
er three choices are part of the operations principal.
192. Border routers, firewalls, and software/hardware guards provide which of t
he following?
a.
b.
c.
d.
First line-of-defense
Second line-of-defense
Last-of-defense
Multiple lines-of-defense
Because
Because
Because
Because
it
it
it
it
is interpreted.
gives root access.
accepts checked input.
can be precompiled.
193. a. The common gateway interface (CGI) scripts are interpreted, not precompi
led. As such, there is a risk that a script can be modified in transit and not p
erform its original actions. CGI scripts should not accept unchecked input.
194. Which of the following form the basic component technology of the Active-X
framework?
a.
b.
c.
d.
Active-X
Active-X
Active-X
Active-X
controls
containers
documents
scripts
195. c. The first place to focus on security improvements is at the database lev
el. One advantage is that security imposed at the database level will be consist
ent across all applications in a client/server system.
196. Poorly implemented session-tracking may provide an avenue for which of the
following?
a.
b.
c.
d.
Browser-oriented attacks
Server-oriented attacks
Network-oriented attacks
User-oriented attacks
1 and
1 and
2 and
1, 2,
2
4
3
3, and 4
197. b. Management should recognize the uniqueness of each system to allow for a
layered security strategy. This is achieved by implementing lower assurance sol
utions with lower costs to protect less critical systems and higher assurance so
lutions only at the most critical areas of a system. It is not practical or cost
-effective to implement all management, operational, technical, compensating, an
d common controls for all systems.
198. Which of the following consists of a layered security approach to protect
against a specific threat or to reduce vulnerability?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
3
3, and 4
Compromise
Compromise
Compromise
Compromise
from
from
from
from
above
within
below
cross domains
199. c. Compromise from below results when a failure occurs due to modification
to the hardware. This is because the hardware is located at the bottom of the hi
erarchy. Compromise from above occurs when an unprivileged user can write untrus
ted code that exploits vulnerability. Compromise from within occurs when a privi
leged user or process misuses the allocated privileges. Compromise from cross do
mains is not relevant here.
200. Which of the following is the most important property of well-designed dist
ributed systems?
a.
b.
c.
d.
TOE is incorrect because it is a product that has been installed and is being op
erated according to its guidance. ST is incorrect because it is an implementatio
n-dependent statement of security needs for a specific identified TOE. EAL is in
correct because it is an assurance package, consisting of assurance requirements
, representing a point on the CC predefined assurance scale.
202. Which of the following contains a security kernel, some trusted-code facil
ities, hardware, and some communication channels?
a.
b.
c.
d.
Security
Security
Security
Security
domain
model
perimeter
parameters
Browser-oriented attacks
Server-oriented attacks
Network-oriented attacks
User-oriented attacks
203. d. In a phishing attack, attackers try to trick users into accessing a fake
website and divulging personal information. Social engineering methods are empl
oyed in phishing attacks. Note that some phishing attacks can be a blended attac
k targeting the browser.
204. In which of the following security operating modes is the system access se
cured to at least the top level?
a.
b.
c.
d.
204. c. Compartmented security mode is the mode of operation that allows the sys
tem to process two or more types of compartmented information (information requi
ring a special authorization) or any one type of compartmented information with
other than compartmented information. In this mode, system access is secured to
at least the top-secret level, but all system users do not necessarily need to b
e formally authorized to access all types of compartmented information being pro
cessed and/or stored in the system.
Multilevel security mode is incorrect. It is the mode of operation that allows t
wo or more classification levels of information to be processed simultaneously w
ithin the same system when some users are not cleared for all levels of informat
ion present.
Dedicated security mode is incorrect. It is the mode of operation in which the s
ystem is specifically and exclusively dedicated to and controlled for the proces
sing of one particular type or classification of information, either for full-ti
me operation or for a specified period of time.
Controlled mode is incorrect. It is a type of multilevel security in which a mor
e limited amount of trust is placed in the hardware/software base of the system,
with resultant restrictions on the classification levels and clearance levels t
hat may be supported.
205. According to the Common Criteria (CC), security functional requirements do
not include which of the following?
a.
b.
c.
d.
Privacy
Development
Tests
Vulnerability assessment
206. a. According to the Common Criteria (CC), privacy is part of security funct
ional requirements, not a security assurance requirement. The other three choice
s are part of the security assurance requirements.
207. A factor favoring acceptability of a covert channel is which of the follow
ing?
a.
b.
c.
d.
High bandwidth
Low bandwidth
Narrow bandwidth
Broad bandwidth
No
No
No
No
single
single
single
single
point
point
point
point
of
of
of
of
access
use
responsibility
vulnerability
208. d. Good IT principles provide a foundation for better IT security. For exam
ple, a sound security policy provides a strong foundation for system design. Sim
ilarly, implementing a layered security approach ensures no single point of vuln
erability in a computer system. The concern here is that if the single point-offailure occurs because vulnerability is exploited, then the entire system can be
compromised, which is risky.
209. What is the best time to implement a data dictionary system?
a.
b.
c.
d.
During
During
During
During
the
the
the
the
Management controls
Technical controls
Physical controls
Procedural controls
210. a. Management controls deal with policies and directives. Mapping informati
on security needs to business data is a management policy. Technical controls de
al with technology and systems. Physical controls and procedural controls are pa
rt of operational controls, which are day-to-day procedures.
211. Which of the following is not an example of the basic components of a gener
ic Web browser?
a.
b.
c.
d.
Java
Active-X
CGI
Plug-ins
211. c. The common gateway interface (CGI) is an industry standard for communica
ting between a Web server and another program. It is a part of a generic Web ser
ver. Java, Active X, and plug-ins are incorrect because they are a part of a gen
eric Web browser.
212. Masquerading is an example of which of the following threat categories tha
t apply to systems on the Internet?
a.
b.
c.
d.
Browser-oriented
Software-oriented
Server-oriented
Network-oriented
212. a. Internet-related threats are broken down into three categories: browseroriented, server-oriented, and network-oriented. Software-oriented is a generic
category useful to the other categories. Software-oriented threats may result fr
om software complexity, configuration, and quality. Web servers can launch attac
ks against Web browser components and technologies. Because browsers can support
multiple associations with different Web servers as separate windowed contexts,
the mobile code of one context can also target another context. Unauthorized ac
cess may occur simply through a lack of adequate access control mechanisms or we
ak identification and authentication controls, which allow untrusted code to act
or masquerade as a trusted component. After access is gained, information resid
ing at the platform can be disclosed or altered.
213. Which of the following is required to ensure a foolproof security over a m
obile code?
a.
b.
c.
d.
Firewalls
Antivirus software
Intrusion detection and prevention systems
Cascaded defense-in-depth measures
Usability
Comparability
Scalability
Reliability
214. b. The Common Criteria (CC) permits comparability between the results of in
Development
Evaluation
Procurement
Implementation
215. d. The CC is useful as a guide for the development, evaluation, and/or proc
urement of products with IT security functionality. The CC is not useful in impl
ementation because implementation scenarios can vary from organization to organi
zation.
216. The Common Criteria (CC) addresses which of the following in an uncommon w
ay?
a.
b.
c.
d.
Confidentiality
Risks
Integrity
Availability
216. b. The Common Criteria (CC) addresses information protection from unauthori
zed disclosure (confidentiality), modification (integrity), or loss of use (avai
lability), which is a common way. The CC is also applicable to risks arising fro
m human activities (malicious or otherwise) and to risks arising from nonhuman a
ctivities, which is an uncommon way.
217. The scope of Common Criteria (CC) covers which of the following?
a.
b.
c.
d.
Physical protection
Administrative security
Electromagnetic emanation control
Quality of cryptographic algorithm
217. a. In particular, the Common Criteria (CC) addresses some aspects of physic
al protection. CC does not contain security evaluation criteria pertaining to ad
ministrative security measures not related directly to the IT security functiona
lity. CC does not cover the evaluation of technical physical aspects of IT secur
ity such as electromagnetic emanation control. CC does not cover the inherent qu
alities of cryptographic algorithms.
218. Which of the following requires that all users must have formal access app
roval?
a.
b.
c.
d.
218. b. The system-high security mode requires that if the system processes spec
ial access information, all users must have formal access approval.
Management controls
Technical controls
Physical controls
Procedural controls
219. c. Physical controls and procedural controls are part of operational contro
ls, which are day-to-day procedures. Physical security controls (e.g., locked ro
oms and closets) are used to protect interconnectivity communication devices. Ma
nagement controls deal with policies and directives. Technical controls deal wit
h technology and systems.
220. Which of the following is not a broad-based security objective for ensuring
information systems protection?
a.
b.
c.
d.
220. b. Breach and damage are narrow-based security objectives because they sign
ify the occurrence of a security incident and recovery from its damage. The scop
e of prepare and prevent includes minimizing the possibility of a significant at
tack on critical information assets and networks. Detect and respond includes id
entifying and assessing an attack in a timely manner. Build and grow is building
organizations and facilities, hiring and training people, and establishing poli
cies and procedures.
221. The totality of protection mechanisms used for enforcing a security policy
is which of the following?
a.
b.
c.
d.
Trusted
Trusted
Trusted
Trusted
computing base
path
software
subject
221. a. The trusted computing base (TCB) is the totality of protection mechanism
s within a computer system, including hardware, firmware, and software, the comb
ination of which is responsible for enforcing a security policy. The other three
choices are part of the TCB.
222. Requiring signed conflict-of-interest and nondisclosure statements are a p
art of which of the following to secure multi-user and multiplatform environment
s?
a.
b.
c.
d.
Management controls
Technical controls
Physical controls
Procedural controls
222. d. Physical controls and procedural controls are part of operational contro
ls, which are day-to-day procedures. Requiring signed conflict of interest and n
ondisclosure statements are a part of procedural controls. Management controls d
eal with policies and directives. Technical controls deal with technology and sy
stems.
223. Taken to its extreme, what does active content become?
a.
b.
c.
d.
223. b. Taken to its extreme, active content becomes, in effect, a delivery mech
anism for mobile code. Active content involves a host of new technologies such a
s built-in macro processing, scripting language, and virtual machine.
224. A denial-of-service attack is an example of which of the following threat
categories that apply to systems on the Internet?
a.
b.
c.
d.
Browser-oriented
User-oriented
Server-oriented
Network-oriented
224. d. Attacks can be launched against the network infrastructure used to commu
nicate between the browser and server. An attacker can gain information by masqu
erading as a Web server using a man-in-the middle attack, whereby requests and r
esponses are conveyed via the impostor as a watchful intermediary. Such a Web sp
oofing attack allows the impostor to shadow not only a single targeted server, b
ut also every subsequent server accessed. Other obvious attack methods lie outsi
de the browser-server framework and involve targeting either the communications
or the supporting platforms. Denial-of-service (DoS) attacks through available n
etwork interfaces are another possibility, as are exploits involving any existin
g platform vulnerability.
225. In the trusted computing base (TCB) environment, which of the following is
referred to when a security administrator accidentally or intentionally configu
res the access tables incorrectly?
a.
b.
c.
d.
Compromise
Compromise
Compromise
Compromise
from
from
from
from
above
within
below
cross domains
Usability
Comparability
Scalability
Reliability
2. b. The Common Criteria (CC) permits comparability between the results of inde
pendent security evaluations. The evaluation process establishes a level of conf
idence that the security functionality of IT products and the assurance measures
applied to these IT products meet a common set of requirements. The CC is appli
cable to IT security functionality implemented in hardware, firmware, or softwar
e. Usability is incorrect because it means easy to learn and remember, productiv
ity enhancing, error resistant, and friendly. Scalability is incorrect because i
t means the system can be made to have more or less computational power by confi
guring it with a larger or smaller number of processors, amount of memory, inter
connection bandwidth, input/output bandwidth, and amount of mass storage. Reliab
ility is incorrect because it means the system can be counted upon to perform as
expected.
3. The Common Criteria (CC) is not useful as a guide for which of the following
when evaluating the security functionality of IT products?
a.
b.
c.
d.
Development
Evaluation
Procurement
Implementation
3. d. The Common Criteria (CC) is useful as a guide for the development, evaluat
ion, and/or procurement of products with IT security functionality. Implementati
on scenarios can vary from organization to organization.
4. The Common Criteria (CC) addresses which of the following in an uncommon way
?
a.
b.
c.
d.
Confidentiality
Risks
Integrity
Availability
Physical protection
Administrative security
Electromagnetic emanation control
Quality of cryptographic algorithm
a.
b.
c.
d.
Security designers
Consumers
Developers
Evaluators
6. a. There are three groups with a general interest in evaluating the security
properties of target of evaluations (TOEs): consumers, developers, and evaluator
s. Additional interest groups that can benefit from information contained in the
Common Criteria (CC) are system custodians, system security officers, auditors,
security architects, and security designers.
7. Regarding the Common Criteria (CC), which of the following alone is not suff
icient for use in common evaluation methodology?
1.
2.
3.
4.
Repeatability
Objectivity
Judgment
Knowledge
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
Reducing risks
Protecting assets
Objective elements
Subjective elements
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
8. d. Evaluation should lead to objective and repeatable results that can be cit
ed as evidence, even if there is no totally objective scale for representing the
results of a security evaluation. As the application of criteria contains objec
tive and subjective elements, precise and universal ratings for IT security are
infeasible. Reducing risks and protecting assets are the outcomes of a target of
evaluation (TOE).
9. Regarding the Common Criteria (CC), how should a Security Target (ST) be use
d?
1.
2.
3.
4.
Before evaluation
After evaluation
Detailed specification
Complete specification
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
9. c. A typical ST fulfills two roles, such as before and during the evaluation
and after the evaluation. Two roles that a security target (ST) should not fulfi
ll include a detailed specification and a complete specification.
10. Regarding the Common Criteria (CC), how should a Protection Profile (PP) be
used?
1.
2.
3.
4.
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
Objective results
Repeatable results
Defensible results
Evidential results
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
11. d. The TOE leads to objective and repeatable results that are defensible and
can be cited as evidence.
12. Regarding the Common Criteria (CC), which of the following is not an exampl
e of mitigating the effects of a threat?
a. Restricting the ability of a threat agent in accessing IT assets to perform a
dverse actions
b. Making frequent backup copies of IT assets
c. Obtaining extra copies or spare parts of IT assets
d. Insuring IT assets
12. a. Examples of threats include (i) a hacker remotely copying confidential fi
les from a company network, (ii) a worm seriously degrading the performance of a
wide-area network, (iii) a virus sending out stored confidential e-mail to rand
om recipients, (iv) a system administrator violating user privacy, and (v) a mal
icious TOE developer-employee modifying the source code. Restricting the ability
of a threat agent to perform adverse actions is an example of diminishing a thr
eat, not mitigating the effects of a threat with security controls.
The other three choices are incorrect because they are examples of mitigating th
e effects of a threat with security controls (e.g., backup, spare parts, and ins
urance). Threat agents are entities that can adversely act on assets. Examples o
f threat agents are hackers, users, computer processes, TOE development personne
l, and accidents.
Sources and References
Common Criteria for Information Technology Security Evaluation Part 1: Introduct
ion and General Model, Version 3.1 and Revision 1, Common Criteria Portal, Septem
ber 2006. (www.commoncriteriaportal.org/files/ccfiles).
Engineering Principles for Information Technology Security (NIST SP800-27Revision
A), National Institute of Standards and Technology (NIST), U.S. Department of Co
mmerce, Gaithersburg, Maryland, June 2004.
Guidelines on Active Content and Mobile Code (NIST SP800-28V2 Draft), National Ins
titute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithers
burg, Maryland, August 2007.
Guidelines to Federal Organizations on Security Assurance and Acquisition, Use of
Tested, Evaluated Products (NIST SP 800-23), National Institute of Standards and
Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August
2000.
Information Assurance Technical Framework (IATF), Release 3.1, National Security A
gency (NSA), Fort Meade, Maryland, September 2002.
Information Technology Security Evaluation Criteria (ITSEC), Harmonized Criteria
of France Germany, the Netherlands, the United Kingdom, Commission of the Europea
n Communities Directorate XIII/F SOG-IS, June 1991. (www.iwar.org.uk/comsec/reso
urces/standards/itsec.htm).
Service Component-Based Architectures, Version 2.0, CIO Council, June 2004 (www.ci
o.gov).
Underlying Technical Models for Information Technology Security (NIST SP800-33), N
ational Institute of Standards and Technology (NIST), U.S. Department of Commerc
e, Gaithersburg, Maryland, December 2001.
Domain 7
Security Operations
Traditional Questions, Answers, and Explanations
1. Regarding media sanitization, which of the following is the correct order fo
r fully and physically destroying hand-held devices, such as cell phones?
1.
2.
3.
4.
Incinerate
Disintegrate
Pulverize
Shred
a.
b.
c.
d.
3,
4,
1,
1,
2,
2,
4,
2,
1,
3,
3,
4,
and
and
and
and
4
1
2
3
1. b. The correct order for fully and physically destroying hand-held devices su
ch as cell phones is shred, disintegrate, pulverize, and incinerate. This is the
best recommended practice for both public and private sector organizations.
Shredding is a method of sanitizing media and is the act of cutting or tearing i
nto small particles. Here, the shredding step comes first to make the cell phone
inoperable quickly. Disintegration is a method of sanitizing media and is the a
ct of separating the equipment into component parts. Disintegration cannot be th
e first step because some determined attacker can assemble these parts and can m
ake the cell phone work. Pulverization is a method of sanitizing media and is th
e act of grinding to a powder or dust. Incineration is a method of sanitizing me
dia and is the act of burning completely to ashes done in a licensed incinerator
. Note that one does not need to complete all these methods, but can stop after
any specific method and after reaching the final goal based on the sensitivity a
a.
b.
c.
d.
2 only
2 and 3
3 and 4
1, 2, 3, and 4
a.
b.
c.
d.
1 only
3 only
2 and 4
1, 2, 3, and 4
a.
b.
c.
d.
2 only
3 only
4 only
1, 2, 3, and 4
a.
b.
c.
d.
To
To
To
To
Patch-and-patch
Penetrate-and-patch
Patch-and-penetrate
Penetrate-and-penetrate
6. b. Crackers and hackers attempt to break into computer systems by finding fla
ws in software, and then system administrators apply patches sent by vendors to
fix the flaws. In this scenario of penetrate-and-patch, patches are applied afte
r penetration has occurred, which is an example of a reactive approach. The scen
ario of patch-and patch is good because one is always patching, which is a proac
tive approach. The scenario of patch-and-penetrate is a proactive approach in wh
ich organizations apply vendor patches in a timely manner. There is not much dam
age done when crackers and hackers penetrate (break) into the computer system be
cause all known flaws are fixed. In this scenario, patches are applied before pe
netration occurs. The scenario of penetrate-and-penetrate is bad because patches
are not applied at all or are not effective.
7. Regarding a patch management program, which of the following is an example o
f vulnerability?
a.
b.
c.
d.
Misconfigurations
Rootkits
Trojan horses
Exploits
Restart
Shutdown
Startup
Abort
d. Restore
9. b. A rollback is restoring a database from one point in time to an earlier po
int. A roll forward is restoring the database from a point in time when it is kn
own to be correct to a later time. A restart is the resumption of the execution
of a computer system using the data recorded at a checkpoint. A restore is the p
rocess of retrieving a dataset migrated to offline storage and restoring it to o
nline storage.
10. Which of the following updates the applications software and the systems so
ftware with patches and new versions?
a.
b.
c.
d.
Preventive maintenance
Component maintenance
Hardware maintenance
Periodic maintenance
Router rules
Access control lists
Filter rules
Software libraries
11. d. Software libraries are part of access restrictions for change so changes
are controlled. Dynamic reconfiguration (i.e., changes on-the-fly) can include c
hanges to router rules, access control lists, intrusion detection and prevention
systems (IDPS) parameters, and filter rules for firewalls and gateways.
12. Prior to initiating maintenance work by maintenance vendor personnel who do
not have the needed security clearances and access authorization to classified
information, adequate controls include:
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
2, 3, and 4
1, 2, 3, and 4
12. d. All four items are adequate controls to reduce the risk resulting from ma
intenance vendor personnels access to classified information. For handling classi
fied information, maintenance personnel should possess security clearance levels
equal to the highest level of security required for an information system.
13. A security configuration checklist is referred to as which of the following
?
1.
2.
3.
4.
Lockdown guide
Hardening guide
Security guide
Benchmark guide
a.
b.
c.
d.
1 and
1 and
2 and
1, 2,
2
3
3
3, and 4
a.
b.
c.
d.
1,
3,
2,
2,
2,
4,
1,
3,
3,
2,
3,
4,
and
and
and
and
4
1
4
1
14. d. The correct order of alternative actions is notify the system administrat
or, shut down the system, restart the system, and report the results of security
function verification.
15. The audit log does not include which of the following?
a.
b.
c.
d.
Timestamp
Users identity
Objects identity
The results of action taken
15. d. The audit log includes a timestamp, users identity, objects identity, and t
ype of action taken, but not the results from the action taken. The person revie
wing the audit log needs to verify that the results of the action taken were app
ropriate.
16. Which of the following fault tolerance metrics are most applicable to the p
roper functioning of redundant array of disks (RAID) systems?
1.
2.
3.
4.
Mean
Mean
Mean
Mean
a.
b.
c.
d.
1
1
2
3
and
and
and
and
time
time
time
time
2
3
3
4
16. c. Rapid replacement of RAIDs failed drives or disks and rebuilding them quic
kly is important, which is facilitated specifically and mostly through applying
MTTDL and MTTR metrics. The MTTDL metric measures the average time before a loss
of data occurred in a given disk array. The MTTR metric measures the amount of
time it takes to resume normal operation, and includes the time to replace a fai
led disk and the time to rebuild the disk array. Thus, MTTDL and MTTR metrics pr
Fast Ethernet
Fiber distributed data interface
Normal Ethernet
Synchronous optical network
17. c. Normal Ethernet does not have a built-in redundancy. Fast Ethernet has bu
ilt-in redundancy with redundant cabling for file servers and network switches.
Fiber distributed data interface (FDDI) offers an optional bypass switch at each
node for addressing failures. Synchronous optical network (SONET) is inherently
redundant and fault tolerant by design.
18. Which of the following go hand-in-hand?
a.
b.
c.
d.
Zero-day
Zero-day
Zero-day
Zero-day
warez
warez
warez
warez
and
and
and
and
18. a. Zero-day warez (negative day or zero-day) refers to software, games, musi
c, or movies (media) unlawfully released or obtained on the day of public releas
e. An internal employee of a content delivery company or an external hacker obta
ins illegal copies on the day of the official release. Content delivery networks
distribute such media from the content owner. The other three networks do not d
istribute such media.
Bluetooth mobile devices use ad-hoc networks, wireless sensor networks monitor s
ecurity of a building perimeter and environmental status in a building (temperat
ure and humidity), and converged networks combine two different networks such as
voice and data.
19. Which of the following provides total independence?
a.
b.
c.
d.
Single-person control
Dual-person control
Two physical keys
Two hardware tokens
19. a. Single-person control means total independence because there is only one
person performing a task or activity. In the other three choices, two individual
s or two devices (for example, keys and tokens) work together, which is difficul
t to bypass unless collusion is involved.
20. The use of a no-trespassing warning banner at a computer systems initial log
on screen is an example of which of the following?
a.
b.
c.
d.
Correction tactic
Detection tactic
Compensating tactic
Deterrence tactic
1.
2.
3.
4.
a.
b.
c.
d.
1 only
2 only
3 only
1, 2, 3, and 4
Controls
Controls
Controls
Controls
that
that
that
that
are
are
are
are
22. d. Controls that are available in a computer system, but not implemented, pr
ovide no protection.
23. A computer system is clogged in which of the following attacks?
a.
b.
c.
d.
24. a. Backing up the audit records is a passive and detective action, and hence
not effective in protecting integrity. In general, backups provide availability
of data, not integrity of data, and they are there when needed. The other three
choices, which are active and preventive, use cryptographic mechanisms (for exa
mple, keys and hashes), and therefore are effective in protecting the integrity
of audit-related information.
25. Regarding a patch management program, which of the following should not be d
one to a compromised system?
a. Reformatting
b. Reinstalling
c. Restoring
d. Remigrating
25. d. In most cases a compromised system should be reformatted and reinstalled
or restored from a known safe and trusted backup. Remigrating deals with switchi
ng between using automated and manual patching tools and methods should not be p
erformed on a compromised system.
26. Which of the following is the most malicious Internet-based attack?
a.
b.
c.
d.
Spoofing attack
Denial-of-service attack
Spamming attack
Locking attack
Redundancy
Isolation
Policies
Procedures
27. a. Redundancy in data and/or equipment can be designed so that service canno
t be removed or denied. Isolation is just the opposite of redundancy. Policies a
nd procedures are not effective against denial-of-service (DoS) attacks because
they are examples of management controls. DoS requires technical controls such a
s redundancy.
28. Which of the following denial-of-service attacks in networks is least common
in occurrence?
a.
b.
c.
d.
Service overloading
Message flooding
Connection clogging
Signal grounding
29. b. Smurf attacks use a network that accepts broadcast ping packets to flood
the target computer with ping reply packets. The goal of a smurf attack is to de
ny service.
Internet Protocol (IP) address spoofing attack and transmission control protocol
(TCP) sequence number attack are examples of session hijacking attacks. The IP
address spoofing is falsifying the identity of a computer system. In a redirect
attack, a hacker redirects the TCP stream through the hackers computer. The TCP s
equence number attack is a prediction of the sequence number needed to carry out
an unauthorized handshake.
30. The demand for reliable computing is increasing. Reliable computing has whi
ch of the following desired elements in computer systems?
a.
b.
c.
d.
30. a. Data integrity and availability are two important elements of reliable co
mputing. Data integrity is the concept of ensuring that data can be maintained i
n an unimpaired condition and is not subject to unauthorized modification, wheth
er intentional or inadvertent. Products such as backup software, antivirus softw
are, and disk repair utility programs help protect data integrity in personal co
mputers (PCs) and workstations. Availability is the property that a given resour
ce will be usable during a given time period. PCs and servers are becoming an in
tegral part of complex networks with thousands of hardware and software componen
ts (for example, hubs, routers, bridges, databases, and directory services) and
the complex nature of client/server networks drives the demand for availability.
System availability is increased when system downtime or outages are decreased
and when fault tolerance hardware and software are used.
Data security, privacy, and confidentiality are incorrect because they deal with
ensuring that data is disclosed only to authorized individuals and have nothing
to do with reliable computing. Modularity deals with the breaking down of a lar
ge system into small modules. Portability deals with the ability of application
software source code and data to be transported without significant modification
to more than one type of computer platform or more than one type of operating s
ystem. Portability has nothing to do with reliable computing. Feasibility deals
with the degree to which the requirements can be implemented under existing cons
traints.
31. Which of the following is not a part of implementation of incident response
support resources in an organization?
a.
b.
c.
d.
Help desk
Assistance group
Forensics services
Simulated events
ources in an organization.
32. Software flaw remediation is best when it is incorporated into which of the
following?
a.
b.
c.
d.
Confidentiality
Integrity
Accountability
Availability
Training
Deterrence
Detection
Prosecution
34. a. Audit trails are useful in detecting unauthorized and illegal activities.
They also act as a deterrent and aid in prosecution of transgressors. They are
least useful in training because audit trails are recorded after the fact. They
show what was done, when, and by whom.
35. In terms of audit records, which of the following information is most useful
?
1.
2.
3.
4.
Timestamps
Source and destination address
Privileged commands
Group account users
a.
b.
c.
d.
1 only
1 and 2
3 and 4
1, 2, 3, and 4
35. c. Audit records contain minimum information such as timestamps, source and
destination addresses, and outcome of the event (i.e., success or failure). But
the most useful information is recording of privileged commands and the individu
al identities of group account users.
36. Which of the following is an example of improper separation of duties?
a.
b.
c.
.
d.
36. a. A natural tension often exists between computer security and computer ope
rations functions. Some organizations embed a computer security program in compu
ter operations to resolve this tension. The typical result of this organizationa
l strategy is a computer security program that lacks independence, has minimal a
uthority, receives little management attention, and has few resources to work wi
th. The other three choices are examples of proper separation of duties.
37. What are labels used on internal data structures called?
a.
b.
c.
d.
Automated marking
Automated labeling
Hard-copy labeling
Output labeling
37. b. Automated labeling refers to labels used on internal data structures such
as records and files within the information system. Automated marking refers to
labels used on external media such as hard-copy documents and output from the i
nformation system (for example, reports).
38. Which of the following is not allowed when an information system cannot be s
anitized due to a system failure?
a.
b.
c.
d.
Periodic maintenance
Remote maintenance
Preventive maintenance
Detective maintenance
38. b. Media sanitization (scrubbing) means removing information from media such
that information recovery is not possible. Specifically, it removes all labels,
markings, and activity logs. An organization approves, controls, and monitors r
emotely executed maintenance and diagnostic activities. If the information syste
m cannot be sanitized due to a system failure, remote maintenance is not allowed
because it is a high-risk situation. The other three types of maintenance are l
ow risk situations.
39. Regarding configuration change management, organizations should analyze new
software in which of the following libraries before installation?
a.
b.
c.
d.
Development library
Test library
Quarantine library
Operational library
39. b. Organizations should analyze new software in a separate test library befo
re installation in an operational environment. They should look for security imp
acts due to software flaws, security weaknesses, data incompatibility, or intent
ional malice in the test library. The development library is used solely for new
development work or maintenance work. Some organizations use a quarantine libra
ry, as an intermediate library, before moving the software into operational libr
ary. The operational library is where the new software resides for day-to-day us
e.
40. Current operating systems are far more resistant to which of the following
types of denial-of-service attacks and have become less of a threat?
a. Reflector attack
b. Amplified attack
c. Distributed attack
d. SYNflood attack
40. d. Synchronized flood (SYNflood) attacks often target an application and dae
mon, like a Web server, and not the operating system (OS) itself; although the O
S may get impacted due to resources used by the attack. It is good to know that
current operating systems are far more resistant to SYNflood attacks, and many f
irewalls now offer protections against such attacks, so they have become less of
a threat. Still, SYNfloods can occur if attackers initiate many thousands of tr
ansmission control protocol (TCP) connections in a short time.
The other three types of attacks are more of a threat. In a reflector attack, a
host sends many requests with a spoofed source address to a service on an interm
ediate host. Like a reflector attack, an amplified attack involves sending reque
sts with a spoofed source address to an intermediate host. However, an amplified
attack does not use a single intermediate host; instead, its goal is to use a w
hole network of intermediate hosts. Distributed attacks coordinate attacks among
many computers (i.e., zombies).
41. Which of the following is the correct sequence of solutions for containing
a denial-of-service incident?
1.
2.
3.
4.
a.
b.
c.
d.
2,
2,
3,
4,
3,
4,
4,
3,
1,
3,
2,
1,
and
and
and
and
4
1
1
2
t threats and controls recommended by incident handling staff provides users wit
h information more specifically directed to their current needs. Using the incid
ent data in enhancing the risk assessment process is the best answer when compar
ed to enhancing the training and awareness program.
43. Automatic file restoration requires which of the following?
a.
b.
c.
d.
43. a. Automatic file restoration requires log file and checkpoint information t
o recover from a system crash. A backup file is different from a log file in tha
t it can be a simple copy of the original file whereas a log file contains speci
fic and limited information. The other three choices do not have the log file ca
pabilities.
44. Which of the following is the most common type of redundancy?
a.
b.
c.
d.
Cable backup
Server backup
Router backup
Data backup
Reliability
Availability
Redundancy
Serviceability
Disks
Processors
Electrical power
Controllers
46. c. Redundant electric power and cooling is an important but often overlooked
part of a contingency plan. Network administrators usually plan for backup disk
s, processors, controllers, and system boards.
47. Network availability is increased with which of the following?
a.
b.
c.
d.
Data redundancy
Link redundancy
Software redundancy
Power redundancy
fails. The other three redundancies are good in their own way, but they do not
increase network availability. In other words, there are two paths: a main path
and an alternative path.
48. What does an effective backup method for handling large volumes of data in
a local-area-network environment include?
a.
b.
c.
d.
48. b. Backing up at the file server is effective for a local-area network due t
o its greater storage capacity. Backing up at the workstation lacks storage capa
city, and redundant array of independent disks (RAID) technology is mostly used
for the mainframe. Using faster network connection increases the speed but not b
ackup.
49. Network reliability is increased most with which of the following?
a.
b.
c.
d.
Alternative
Alternative
Alternative
Alternative
cable
network carrier
supplies
controllers
Cables
Servers
Power supplies
Hubs
50. d. Many physical problems in local-area networks (LANs) are related to cable
s because they can be broken or twisted. Servers can be physically damaged due t
o disk head crash or power irregularities such as over or under voltage conditio
ns. An uninterruptible power supply provides power redundancy and protection to
servers and workstations. Servers can be disk duplexed for redundancy. Redundant
topologies such as star, mesh, or ring can provide a duplicate path should a ma
in cable link fail. Hubs require physical controls such as lock and key because
they are stored in wiring closets; although, they can also benefit from redundan
cy, which can be expensive. Given the choices, it is preferable to have redundan
t facilities for cables, servers, and power supplies.
51. System reliability controls for hardware include which of the following?
a. Mechanisms to decrease mean time to repair and to increase mean time between
failures
b. Redundant computer hardware
c. Backup computer facilities
d. Contingency plans
51. a. Mean time to repair (MTTR) is the amount of time it takes to resume norma
l operation. It is expressed in minutes or hours taken to repair computer equipm
ent. The smaller the MTTR for hardware, the more reliable it is. Mean time betwe
en failures (MTBF) is the average length of time the hardware is functional. MTB
F is expressed as the average number of hours or days between failures. The larg
er the MTBF for hardware, the more reliable it is.
Redundant computer hardware and backup computer facilities are incorrect because
they are examples of system availability controls. They also address contingenc
ies in case of a computer disaster.
52. Fail-soft control is an example of which of the following?
a.
b.
c.
d.
Continuity controls
Accuracy controls
Completeness controls
Consistency controls
53. b. Storage media has nothing to do with information availability. Data will
be stored somewhere on some media. It is not a decision criterion. Managements go
al is to gather useful information and to make it available to authorized users.
System backup and recovery procedures and alternative computer equipment and fa
cilities help ensure that the recovery is as timely as possible. Both physical a
nd logical access controls become important. System failures and other interrupt
ions are common.
54. From an operations viewpoint, the first step in contingency planning is to p
erform a(n):
a.
b.
c.
d.
54. d. Hardware backup is the first step in contingency planning. All computer i
nstallations must include formal arrangements for alternative processing capabil
ity in the event their data center or any portion of the work environment become
s disabled. These plans can take several forms and involve the use of another da
ta center. In addition, hardware manufacturers and software vendors can be helpf
ul in locating an alternative processing site and in some cases provide backup e
quipment under emergency conditions. The more common plans are service bureaus,
reciprocal arrangements, and hot sites.
After hardware is backed up, operating systems software is backed up next, follo
wed by applications software backup and documentation.
55. The primary contingency strategy for application systems and data is regular
backup and secure offsite storage. From an operations viewpoint, which of the f
ollowing decisions is least important to address?
a.
b.
c.
d.
How
How
How
How
often
often
often
often
is
is
is
is
the
the
the
the
backup
backup
backup
backup
performed?
stored offsite?
used?
transported?
55. c. Normally, the primary contingency strategy for applications and data is r
Detection
Prevention
Correction
Recovery
56. b. Prevention is totally impossible because of its high cost and technical l
imitations. Under these conditions, detection becomes more important, which coul
d be cheaper than prevention; although, not all attacks can be detected in time.
Both correction and recovery come after prevention or detection.
57. The return on investment on quality is highest in which of the following so
ftware defect prevention activities?
a.
b.
c.
d.
Code inspection
Reviews with users
Design reviews
Unit test
57. b. It is possible to quantify the return on investment (ROI) for various qua
lity improvement activities. Studies have shown that quality ROI is highest when
software products are reviewed with user customers. This is followed by code in
spection by programmers, design reviews with the project team, and unit testing
by programmers.
58. The IT operations management of KPT Corporation is concerned about the reli
ability and availability data for its four major, mission-critical information s
ystems that are used by business end-users. The KPT corporate managements goal is
to improve the reliability and availability of these four systems in order to i
ncrease customer satisfaction both internally and externally. The IT operations
management collected the following data on percent reliability. Assume 365 opera
ting days per year and 24 hours per day for all these systems. The IT operations
management thinks that system reliability is important in providing quality of
service to end-users.
System
Reliability
1
99.50
97.50
3
98.25
4
95.25
Which of the following systems has the highest downtime in a year expressed in
hours and rounded up?
a.
b.
c.
d.
System
System
System
System
1
2
3
4
58. d. The system 4 has the highest downtime in hours. Theoretically speaking, t
he higher the reliability of a system, the lower its downtime (including schedul
ed maintenance), and higher the availability of that system, and vice versa. In
fact, this question does not require any calculations to perform because one can
find out the correct answer just by looking at the reliability data given in th
at the lower the reliability, the higher the downtime, and vice versa.
Calculations for System 1 are shown below and calculations for other systems fol
low the System 1 calculations.
Downtime = (Total hours) [(100 Reliability%)/100] = 8,760 0.005 = 44 hours
Availability for System 1 = [(Total time Downtime)/Total time] 100 = [(8,760 44)
/8,760] 100 = 99.50%
Check: Availability for System 1 = [Uptime/(Uptime + Downtime)] 100 = (8,716/8,7
60) 100 = 99.50%
59. Which of the following is the most important requirement for a software qual
ity program to work effectively?
a.
b.
c.
d.
Quality metrics
Process improvement
Software reengineering
Commitment from all parties
59. d. A software quality program should reduce defects, cut service costs, incr
ease customer satisfaction, and increase productivity and revenues. To achieve t
hese goals, commitment by all parties involved is the most important factor. The
other three factors such as quality metrics, process improvement, and software
reengineering have some merit, but none is sufficient on its own.
60. As the information system changes over time, which of the following is requ
ired to maintain the baseline configuration?
a.
b.
c.
d.
Enterprise architecture
New baselines
Operating system
Network topology
Defect levels
Customer satisfaction
Timetodesign
Continuous process improvement
61. c. Quality is more than just defect levels. It should include customer satis
faction, timetomarket, and a culture committed to continuous process improveme
nt. Timetodesign is not a complete answer because it is a part of timetomark
et, where the latter is defined as the total time required for planning, designi
ng, developing, and delivering a product. It is the total time from concept to d
elivery. These software quality values lead to quality education, process assess
ments, and customer satisfaction.
62. Which of the following responds to security incidents on an emergency basis
?
a.
b.
c.
d.
Tiger team
White team
Red team
Blue team
62. b. A white team is an internal team that initiates actions to respond to sec
urity incidents on an emergency basis. Both the red team and blue team perform p
enetration testing of a system, and the tiger team is an old name for the red te
am.
63. Which of the following is the most important function of software inventory
tools in maintaining a consistent baseline configuration?
a.
b.
c.
d.
and internal audit departments. This is because these auditing activities can ha
ve legal and audit implications.
Consultants and contractors should not be contacted at all. It is too early to t
alk to the public affairs or media relations within the organization. External l
aw enforcement authorities should be contacted only after the session auditing w
ork is completed and only after there is a discovery of highrisk incidents.
65. Regarding access restrictions associated with changes to information system
s, which of the following makes it easy to discover unauthorized changes?
a.
b.
c.
d.
65. c. Change windows mean changes occur only during specified times, and making
unauthorized changes outside the window are easy to discover. The other three c
hoices are also examples of access restrictions, but changes are not easy to dis
cover in them.
66. Which of the following is an example of software reliability metrics?
a.
b.
c.
d.
66. d. Software quality can be expressed in two ways: defect rate and reliabilit
y. Software quality means conformance to requirements. If the software contains
too many functional defects, the basic requirement of providing the desired func
tion is not met. Defect rate is the number of defects per million lines of sourc
e code or per function point. Reliability is expressed as number of failures per
n hours of operation, meantimeto failure, or the probability of failurefree op
eration in a specified time. Reliability metrics deal with probabilities and tim
eframes.
67. From a CleanRoom software engineering viewpoint, software quality is certif
ied in terms of:
a.
b.
c.
d.
67. b. CleanRoom operations are carried out by small independent development and
certification (test) teams. In CleanRoom, all testing is based on anticipated c
ustomer usage. Test cases are designed to practice the more frequently used func
tions. Therefore, errors that are likely to cause frequent failures to the users
are found first. For measurement, software quality is certified in terms of mea
ntimeto failure (MTTF). MTTF is most often used with safetycritical systems s
uch as airline traffic control systems because it measures the time taken for a
system to fail for the first time.
Meantime between failures (MTBF) is incorrect because it is the average length
of time a system is functional. Meantimetorepair (MTTR) is incorrect because
it is the total corrective maintenance time divided by the total number of corre
ctive maintenance actions during a given period of time. Meantimebetween outag
es (MTBO) is incorrect because it is the mean time between equipment failures th
at result in loss of system continuity or unacceptable degradation.
68. In redundant array of independent disks (RAID) technology, which of the foll
owing RAID level does not require a hot spare drive or disk?
a. RAID3
b. RAID4
c. RAID5
d. RAID6
68. d. A hot spare drive is a physical drive resident on the disk array which is
active and connected but inactive until an active drive fails. Then the system
automatically replaces the failed drive with the spare drive and rebuilds the di
sk array. A hot spare is a hot standby providing a failover mechanism.
The RAID levels from 3 to 5 have only one disk of redundancy and because of this
a second failure would cause complete failure of the disk array. On the other h
and, the RAID6 level has two disks of redundancy, providing a greater protection
against simultaneous failures. Hence, RAID6 level does not need a hot spare dri
ve whereas the RAID 3 to 5 levels need a shot spare drive.
The RAID6 level without a spare uses the same number of drives (i.e., 4 + 0 spar
e) as RAID3 to RAID 5 levels with a hot spare (i.e., 3 + 1 spare) thus protectin
g data against simultaneous failures. Note that a hot spare can be shared by mul
tiple RAID sets. On the other hand, a cold spare drive or disk is not resident o
n the disk array and not connected with the system. A cold spare requires a hot
swap, which is a physical (manual) replacement of the failed disk with a new dis
k done by the computer operator.
69. An example of illdefined software metrics is which of the following?
a.
b.
c.
d.
Number
Number
Number
Number
of
of
of
of
of code
software product
to the size of the product
per user month
69. c. Software defects relate to source code instructions, and problems encount
ered by users relate to usage of the product. If the numerator and denominator a
re mixed up, poor metrics result. An example of an illdefined metric is the met
ric relating total customer problems to the size of the product, where size is m
easured in millions of shipped source instructions. This metric has no meaningfu
l relation. On the other hand, the other three choices are examples of meaningfu
l metrics. To improve customer satisfaction, you need to reduce defects and over
all problems.
70. Which of the following information system component inventory is difficult
to monitor?
a.
b.
c.
d.
Hardware specifications
Software license information
Virtual machines
Network devices
70. c. Virtual machines can be difficult to monitor because they are not visible
to the network when not in use. The other three choices are easy to monitor.
71. Regarding incident handling, which of the following deceptive measures is u
sed during incidents to represent a honeypot?
a.
b.
c.
d.
False
False
False
False
data flows
status measures
state indicators
production systems
71. d. Honeypot is a fake (false) production system and acts as a decoy to study
how attackers do their work. The other three choices are also acceptable decept
ive measures, but they do not use honeypots. False data flows include made up (f
ake) data, not real data. Systemstatus measures include active or inactive para
meters. Systemstate indicators include startup, restart, shutdown, and abort.
72. For large software development projects, which of the following models prov
ides greater satisfactory results on software reliability?
a.
b.
c.
d.
Software
Software
Software
Software
73. a. The goals of software quality assurance management include (i) software q
uality assurance activities are planned, (ii) adherence of software products and
activities to the applicable standards, procedures, and requirements is verifie
d objectively, and (iii) noncompliance issues that cannot be resolved are addres
sed by higher levels of management.
The objectives of software configuration management are to establish and maintai
n the integrity of products of the software project throughout the projects softw
are life cycle. The objectives of software requirements management are to establ
ish a common understanding between the customer and the software project require
ments that will be addressed by the software project. The objectives of software
project management are to establish reasonable plans for performing the softwar
e engineering activities and for managing the software development project.
74. Which of the following identifies required functionality to protect against
or mitigate failure of the application software?
a.
b.
c.
d.
Software
Software
Software
Software
safety analysis
hazard analysis
fault tree analysis
sneak circuit analysis
Software safety
Completing the project on schedule
Spending less than budgeted
Documenting all critical work
77. a. Software safety is important compared to the other three choices because
lack of safety considerations in a computerbased application system can cause d
anger or injury to people and damage to equipment and property.
78. A software product has the least impact on:
a.
b.
c.
d.
Loss
Loss
Loss
Loss
of
of
of
of
life
property
physical attributes
quality
It
It
It
It
System administrator
Security administrator
Computer operator
System programmer
Local maintenance
Scheduled maintenance
Nonlocal maintenance
Unscheduled maintenance
ms. Based on a storage management consultants report, the RDS management is plann
ing to install redundant array of independent disks 6 (RAID6), which is a block
level striping with double distributed parity system to meet this growth. If fou
r disks are arranged in RAID6 where each disk has a storage capacity of 250GB, a
nd if space efficiency is computed as [1(2/n)] where n is the number of disks, ho
w much of this capacity is available for data storage purposes?
a.
b.
c.
d.
125GB
250GB
375GB
500GB
82. d. The RAID6 storage system can provide a total of 500GB of usable space for
data storage purposes. Space efficiency represents the fraction of the sum of t
he disks capacities that is available for use.
Space efficiency = [1(2/n)] = [1(2/4)] = 10.5= 0.5
Total available space for data storage = 0.5 4 250 = 500GB
83. In redundant array of independent disks (RAID) technology, when two drives
or disks have a logical joining, it is called:
a.
b.
c.
d.
Disk
Disk
Disk
Disk
concatenation
striping
mirroring
replication
84. c. Information system components, when not operational, can result in increa
sed risk to organizations because the security functionality intended by that co
mponent is not being provided. Examples of securitycritical components include
firewalls, hardware/software guards, gateways, intrusion detection and preventio
n systems, audit repositories, and authentication servers. The organizations nee
d to have a maintenance vendor servicelevel agreement, stock spare parts invent
ory, and a delivery service agreement with a commercial transportation courier t
o deliver the required parts on time to reduce the risk of running out of compon
ents and parts.
Helpdesk staff, whether they are internal or external, are not needed for all t
ypes of maintenance work, whether it is scheduled or unscheduled, or whether it
is normal or emergency. Their job is to help system users on routine matters (pr
oblems and issues) and escalate them to the right party when they cannot resolve
these matters.
85. Which of the following is the basis for ensuring software reliability?
a. Testing
b. Debugging
c. Design
d. Programming
85. c. The basis for software reliability is design, not testing, debugging, or
programming. For example, using the topdown design and development techniques a
nd employing modular design principles, software can be made more reliable than
otherwise. Reliability is the degree of confidence that a system will successful
ly function in a certain environment during a specified time period.
Testing is incorrect because its purpose is to validate that the software meets
its stated requirements. Debugging is incorrect because its purpose is to detect
, locate, and correct faults in a computer program. Programming is incorrect bec
ause its purpose is to convert the design specifications into program instructio
ns that the computer can understand.
86. In software configuration management, changes to software should be subject
ed to which of the following types of testing prior to software release and dist
ribution?
a.
b.
c.
d.
Blackbox testing
Regression testing
Whitebox testing
Graybox testing
86. b. Regression testing is a method to ensure that changes to one part of the
software system do not adversely impact other parts. The other three choices do
not have such capabilities. Blackbox testing is a functional analysis of a syst
em, and known as generalized testing. Whitebox testing is a structural analysis
of a system, and known as detailed testing or logic testing. Graybox testing a
ssumes some knowledge of the internal structures and implementation details of t
he assessment object, and known as focused testing.
87. Which of the following software quality characteristics is difficult to def
ine and test?
a.
b.
c.
d.
Functionality
Reliability
Usability
Efficiency
87. c. Usability is a set of attributes that bear on the effort needed for use,
and on the individual assessment of such use, by a stated or implied set of user
s. In a way, usability means understandability and ease of use. Because of its s
ubjective nature, varying from person to person, it is hard to define and test.
Functionality is incorrect because it can easily be defined and tested. It is a
set of attributes that bear on the existence of a set of functions and their spe
cified properties. The functions are those that satisfy stated or implied needs.
Reliability is incorrect because it can easily be defined and tested. It is the
ability of a component to perform its required functions under stated condition
s for a specified period of time. Efficiency is incorrect because it can easily
be defined and tested. It is the degree to which a component performs its design
ated functions with minimum consumption of resources.
88. Portable and removable storage devices should be sanitized to prevent the e
ntry of malicious code to launch:
a.
b.
c.
d.
Maninthemiddle attack
Meetinthemiddle attack
Zeroday attack
Spoofing attack
Forward tracing
Backward tracing
Cross tracing
Ad hoc tracing
RAID3
RAID4
RAID5
RAID6
90. d. RAID6 is used for highavailability systems due to its high tolerance for
failure. Each RAID level (i.e., RAID0 to RAID6) provides a different balance be
tween increased data reliability through redundancy and increased input/output p
erformance. For example, in levels from RAID3 to RAID5, a minimum of three disks
is required and only one disk provides a fault tolerance mechanism. In the RAID
6 level, a minimum of four disks is required and two disks provide fault toleran
ce mechanisms.
In the single disk fault tolerance mechanism, the failure of that single disk wi
ll result in reduced performance of the entire system until the failed disk has
been replaced and rebuilt. On the other hand, the double parity (two disks) faul
t tolerance mechanism gives time to rebuild the array without the data being at
risk if a single disk fails before the rebuild is complete. Hence, RAID6 is suit
able for highavailability systems due to high fault tolerance mechanisms.
91. Which of the following makes a computer system more reliable?
a.
b.
c.
d.
Nversion programming
Structured programming
Defensive programming
GOTOless programming
91. c. Defensive or robust programming has several attributes that makes a compu
ter system more reliable. The major attribute is expected exception domain (i.e.
, errors and failures); when discovered, it makes the system reliable.
Nversion programming is based on design or version diversity, meaning different
versions of the software are developed independently with the thinking that the
se versions are independent in their failure behavior. Structured programming an
d GOTOless programming are part of robust programming techniques to make progra
ms more readable and executable.
92. Which of the following is an example of a static quality attribute of a sof
tware product?
a.
b.
c.
d.
Meantimebetweenfailure
Simplicity in functions
Meantimetorepair
Resource utilization statistics
When
When
When
When
93. b. Auditing an information system is not reliable when performed by the syst
em to which the user being audited has privileged access. This is because the pr
ivileged user can inhibit the auditing activity or modify the audit records. The
other three choices are control enhancements that reduce the risk of audit comp
romises by the privileged user.
94. Software quality is based on user needs. Which of the following software qu
ality factors address the users need for performance?
a.
b.
c.
d.
ly managed? Expandability and flexibility are incorrect because they are a part o
f the changes needed. Expandability asks, How easy is it to expand? whereas flexib
ility asks, How easy is it to change?
95. Developing safe software is crucial to prevent loss of life, property damage
, or liability. Which of the following practices is least useful to ensuring a s
afe software product?
a.
b.
c.
d.
Use high coupling between critical functions and data from noncritical ones.
Use low data coupling between critical units.
Implement a failsafe recovery system.
Specify and test for unsafe conditions.
Multiversion software
Proofofcorrectness
Software fault tree analysis
Software reliability models
Meantimetorepair (MTTR)
Meantimetofailure (MTTF)
Meantime between failures (MTBF)
Meantime between outages (MTBO)
97. b. MTTF focuses on the potential failure of specific components of the infor
mation system that provide security capability. MTTF is the amount of meantime
to the next failure. MTTR is the amount of time it takes to resume normal operat
ion. MTBF is the average length of time the system is functional. MTBO is the me
an time between equipment failures that result in a loss of system continuity or
unacceptable degradation.
98. Regarding software installation, All software is checked against a list appr
oved by the organization refers to which of the following?
a.
b.
c.
d.
Blacklisting
Blackbox testing
Whitebox testing
Whitelisting
Documented standards
CleanRoom processes
Formal technical reviews
Documentation standards
99. c. Formal technical reviews (for example, inspections and walkthroughs) are
used for defect detection, not prevention. If properly conducted, formal technic
al reviews are the most effective way to uncover and correct errors, especially
early in the life cycle, where they are relatively easy and inexpensive to corre
ct.
Documented standards are incorrect because they are just one example of defect p
revention methods. Documented standards should be succinct and possibly placed i
nto a checklist format as a ready application reference. A documented standard a
lso permits audits for adherence and compliance with the approved method.
CleanRoom processes are incorrect because they are just one example of defect pr
evention methods. The CleanRoom process consists of (i) defining a set of softwa
re increments that combine to form the required system, (ii) using rigorous meth
ods for specification, development, and certification of each increment, (iii) a
pplying strict statistical quality control during the testing process, and (iv)
enforcing a strict separation of the specification and design tasks from testing
activities.
Documentation standards are incorrect because they are just one example of defec
t prevention methods. Standard methods can be applied to the development of requ
irements and design documents.
100. The scope of formal technical reviews conducted for software defect removal
would not include:
a.
b.
c.
d.
100. a. The formal technical review is a software quality assurance activity tha
t is performed by software developers. The objectives of these reviews are to (i
) uncover errors in function and logic, (ii) verify that software under review m
eets its requirements, (iii) ensure that software represents the predefined stan
dards. Configuration management specifications are a part of project planning do
cuments, not technical documents. The purpose is to establish the processes that
the project uses to manage the configuration items and changes to them. Program
development, quality, and configuration management plans are subject to review
but are not directly germane to the subject of defect removal.
The other three choices are incorrect because they are part of technical documen
ts. The subject matter for formal technical reviews includes requirements specif
ications, detailed design, and code and test specifications. The objectives of r
eviewing the technical documents are to verify that (i) the work reviewed is tra
ceable to the requirements set forth by the predecessors tasks, (ii) the work is
complete, (iii) the work has been completed to standards, and (iv) the work is c
orrect.
101. Patch management is a part of which of the following?
a.
b.
c.
d.
Directive controls
Preventive controls
Detective controls
Corrective controls
Denialofservice
Degradationofservice
Destructionofservice
Distributionofservice
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
3
3
4
Disposal
Clearing
Purging
Destroying
a.
b.
c.
d.
1,
2,
3,
4,
2,
3,
4,
3,
3,
4,
1,
2,
and
and
and
and
4
1
2
1
Ad hoc backup
Full backup
Incremental backup
Differential backup
105. a. Ad hoc means when needed and irregular. Ad hoc backup is not a wellthou
ghtout strategy because there is no systematic way of backing up required data
and programs. Full (normal) backup archives all selected files and marks each as
having been backed up. Incremental backup archives only those files created or
changed since the last normal backup and marks each file. Differential backup ar
chives only those files that have been created or changed since the last normal
backup. It does not mark the files as backed up. The backups mentioned in other
three choices have a systematic procedure.
106. Regarding a patch management program, which of the following is not a metho
d of patch remediation?
a.
b.
c.
d.
Damaged media
Nondamaged media
Rewriteable media
Nonrewriteable media
a.
b.
c.
d.
1
4
1
2
only
only
or 4
or 3
107. c. Overwriting cannot be used for media that are damaged or not rewriteable
. The media type and size may also influence whether overwriting is a suitable s
anitization method.
108. Regarding media sanitization, which of the following is the correct sequen
ce of fully and physically destroying magnetic disks, such as hard drives?
1.
2.
3.
4.
Incinerate
Disintegrate
Pulverize
Shred
a.
b.
c.
d.
4,
3,
1,
2,
1,
4,
4,
4,
2,
2,
3,
3,
and
and
and
and
3
1
2
1
108. d. The correct sequence of fully and physically destroying magnetic disks s
uch as hard drives (for example, advanced technology attachment (ATA) and serial
ATA (SATA) hard drives), is disintegrate, shred, pulverize, and incinerate. Thi
s is the best recommended practice for both public and private sector organizati
ons.
Disintegration is a method of sanitizing media and is the act of separating the
equipment into component parts. Here, the disintegration step comes first to mak
e the hard drive inoperable quickly. Shredding is a method of sanitizing media a
nd is the act of cutting or tearing into small particles. Shredding cannot be th
e first step because it is not practical to do for many companies. Pulverization
is a method of sanitizing media and is the act of grinding to a powder or dust.
Incineration is a method of sanitizing media and is the act of burning complete
ly to ashes done in a licensed incinerator.
Note that one does not need to complete all these methods, but can stop after an
y specific method and after reaching the final goal based on the sensitivity and
criticality of data on the disk.
109. Who initiates audit trails in computer systems?
a.
b.
c.
d.
Functional users
System auditors
System administrators
Security administrators
109. a. Functional users have the utmost responsibility in initiating audit trai
ls in their computer systems for tracing and accountability purposes. Systems an
d security administrators help in designing and developing these audit trails. S
ystem auditors review the adequacy and completeness of audit trails and issue an
opinion whether they are effectively working. Auditors do not initiate, design,
or develop audit trails due to their independence in attitude and appearance as
dictated by their Professional Standards.
110. The automatic termination and protection of programs when a failure is det
ected in a computer system are called a:
a.
b.
c.
d.
Failsafe
Failsoft
Failover
Failopen
Firewalls
Intrusion detection
Audit trails
Access controls
111. c. Audit trails provide one of the best and most inexpensive means for trac
king possible hacker attacks, not only after attack, but also during the attack.
You can learn what the attacker did to enter a computer system, and what he did
after entering the system. Audit trails also detect unauthorized but abusive us
er activity. Firewalls, intrusion detection systems, and access controls are exp
ensive when compared to audit trails.
112. What is the residual physical representation of data that has been in some
way erased called?
a.
b.
c.
d.
Clearing
Purging
Data remanence
Destruction
112. c. Data remanence is the residual physical representation of data that has
been in some way erased. After storage media is erased, there may be some physic
al characteristics that allow the data to be reconstructed, which represents a s
ecurity threat. Clearing, purging, and destruction are all risks involved in sto
rage media. In clearing and purging, data is removed, but the media can be reuse
d. The need for destruction arises when the media reaches the end of its useful
life.
113. Which of the following methods used to safeguard against disclosure of sen
sitive information is effective?
a.
b.
c.
d.
Degaussing
Overwriting
Encryption
Destruction
113. c. Encryption makes the data unreadable without the proper decryption key.
Degaussing is a process whereby the magnetic media is erased, i.e., returned to
its initial virgin state. Overwriting is a process whereby unclassified data are
written to storage locations that previously held sensitive data. The need for
destruction arises when the media reaches the end of its useful life.
114. Magnetic storage media sanitization is important to protect sensitive infor
mation. Which of the following is not a general method of purging magnetic stora
ge media?
a.
b.
c.
d.
Overwriting
Clearing
Degaussing
Destruction
114. b. The removal of information from a storage medium such as a hard disk or
tape is called sanitization. Different kinds of sanitization provide different l
evels of protection. Clearing information means rendering it unrecoverable by ke
yboard attack, with the data remaining on the storage media. There are three gen
eral methods of purging magnetic storage media: overwriting, degaussing, and des
truction. Overwriting means obliterating recorded data by writing different data
on the same storage surface. Degaussing means applying a variable, alternating
current fields for the purpose of demagnetizing magnetic recording media, usuall
y tapes. Destruction means damaging the contents of magnetic media through shred
ding, burning, or applying chemicals.
115. Which of the following redundant array of independent disks (RAID) technol
ogy classifications increases disk overhead?
a.
b.
c.
d.
RAID1
RAID2
RAID3
RAID4
115. a. Disk array technology uses several disks in a single logical subsystem.
To reduce or eliminate downtime from disk failure, database servers may employ d
isk shadowing or data mirroring. A disk shadowing, or RAID1, subsystem includes
two physical disks. User data is written to both disks at once. If one disk fai
ls, all the data is immediately available from the other disk. Disk shadowing in
curs some performance overhead (during write operations) and increases the cost
of the disk subsystem because two disks are required. RAID levels 2 through 4 ar
e more complicated than RAID1. Each involves storage of data and error correcti
on code information, rather than a shadow copy. Because the error correction dat
a requires less space than the data, the subsystems have lower disk overhead.
116. Indicate the correct sequence of degaussing procedures for magnetic disk f
iles.
1.
2.
3.
4.
Write
Write
Write
Write
zeros
a special character
ones
nines
a.
b.
c.
d.
1,
3,
2,
1,
and 2
4, and 2
4, and 3
3, and 4
3,
1,
1,
2,
116. a. Disk files can be demagnetized by overwriting three times with zeros, on
es, and a special character, in that order, so that sensitive information is com
pletely deleted.
117. Which of the following is the best control to prevent a new user from acces
sing unauthorized file contents when a newly recorded file is shorter than those
previously written to a computer tape?
a.
b.
c.
d.
Degaussing
Cleaning
Certifying
Overflowing
117. a. If the new file is shorter than the old file, the new user could have op
en access to the existing file. Degaussing is best used under these conditions a
nd is considered a sound and safe practice. Tape cleaning functions are to clean
and then to properly wind and create tension in the computer magnetic tape. Rec
orded tapes are normally not erased during the cleaning process. Tape certificat
ion is performed to detect, count, and locate tape errors and then, if possible,
repair the underlying defects so that the tape can be placed back into active s
tatus. Overflowing has nothing to do with computer tape contents. Overflowing is
a memory or file size issue where contents could be lost due to size limitation
s.
118. Which of the following data integrity problems can be caused by multiple s
ources?
a.
b.
c.
d.
Disk failure
File corruption
Power failure
Memory failure
118. b. Hardware malfunction, network failures, human error, logical errors, and
other disasters are possible threats to ensuring data integrity. Files can be c
orrupted as a result of some physical (hardware) or network problems. Files can
also become corrupted by some flaw in an application programs logic. Users can co
ntribute to this problem due to inexperience, accidents, or missed communication
s. Therefore, most data integrity problems are caused by file corruption.
Disk failure is a hardware malfunction caused by physical wear and tear. Power f
ailure is a hardware malfunction that can be minimized by installing power condi
tioning equipment and battery backup systems. Memory failure is an example of ha
rdware malfunction due to exposure to strong electromagnetic fields. File corrup
tion has many problem sources to consider.
119. Which of the following provides network redundancy in a localareanetwork
(LAN) environment?
a.
b.
c.
d.
Mirroring
Shadowing
Dual backbones
Journaling
119. c. A backbone is the high traffic density connectivity portion of any commu
nications network. Backbones are used to connect servers and other service provi
ding machines on the network. The use of dual backbones means that if the primar
y network goes down, the secondary network will carry the traffic.
In packet switched networks, a backbone consists of switches and interswitch tru
nks. Switched networks can be managed with a network management console. Network
component failures can be identified on the console and responded to quickly. M
any switching devices are built modularly with hot swappable circuit boards. If
a chip fails on a board in the device, it can be replaced relatively quickly jus
t by removing the failed card and sliding in a new one. If switching devices hav
e dual power supplies and battery backups, network uptime can be increased as we
ll.
Mirroring, shadowing, and duplexing provide application system redundancy, not n
etwork redundancy. Mirroring refers to copying data as it is written from one de
vice or machine to another. Shadowing is where information is written in two pla
ces, one shadowing the other, for extra protection. Any changes made will be ref
lected in both places. Journaling is a chronological description of transactions
that have taken place, either locally, centrally, or remotely.
120. Which of the following controls prevents a loss of data integrity in a loc
alareanetwork (LAN) environment?
a.
b.
c.
d.
Data
Data
Data
Data
120. a. Data mirroring refers to copying data as it is written from one device o
r machine to another. It prevents data loss. Data archiving is where files are r
emoved from network online storage by copying them to longterm storage media su
ch as optical disks, tapes, or cartridges. It prevents accidental deletion of fi
les.
Data correction is incorrect because it is an example of a corrective control wh
ere bad data is fixed. Data vaulting is incorrect because it is an example of co
rrective control.
ally or manually.
e control where a
121. In general,
a.
b.
c.
d.
It is a way
Data backup
compromised
a failover
Corrective control
Preventive control
Recovery control
Detective control
121. c. Failover mechanism is a backup concept in that when the primary system
fails, the backup system is activated. This helps in recovering the system from
a failure or disaster.
122. Which of the following does not trigger zeroday attacks?
a.
b.
c.
d.
Malware
Web browsers
Zombie programs
Email attachments
To
To
To
To
detect
detect
detect
detect
electromagnetic disclosures
electronic dependencies
electronic destructions
electromagnetic emanations
123. d. TEMPEST is a short name, and not an acronym. It is the study and control
of spurious electronic signals emitted by electrical equipment. It is the uncla
ssified name for the studies and investigations of compromising electromagnetic
emanations from equipment. It is suggested that TEMPEST shielded equipment is us
ed to prevent compromising emanations.
124. Which of the following is an example of directive controls?
a.
b.
c.
d.
c. Technical controls
d. Management controls
125. d. Management controls are actions taken to manage the development, mainten
ance, and use of the system, including systemspecific policies, procedures, and
rules of behavior, individual roles and responsibilities, individual accountabi
lity, and personnel security decisions.
Administrative controls include personnel practices, assignment of responsibilit
ies, and supervision and are part of management controls. Operational controls a
re the daytoday procedures and mechanisms used to protect operational systems
and applications. Operational controls affect the system and application environ
ment. Technical controls are hardware and software controls used to provide auto
mated protection for the IT system or application. Technical controls operate wi
thin the technical system and applications.
126. A successful incident handling capability should serve which of the follow
ing?
a.
b.
c.
d.
126. d. The focus of a computer security incident handling capability may be ext
ernal as well as internal. An incident that affects an organization may also aff
ect its trading partners, contractors, or clients. In addition, an organizations
computer security incident handling capability may help other organizations and,
therefore, help protect the industry as a whole.
127. Which of the following encourages compliance with IT security policies?
a.
b.
c.
d.
Use
Results
Monitoring
Reporting
Preventive maintenance
Remedial maintenance
Hardware maintenance
Software maintenance
129. b. Remedial maintenance corrects faults and returns the system to operation
in the event of hardware or software component fails. Preventive maintenance is
Reflector attack
Amplifier attack
Distributed attack
SYNflood attack
132. a. Because the intermediate host unwittingly performs the attack, that host
is known as reflector. During a reflector attack, a denialofservice (DoS) cou
ld occur to the host at the spoofed address, the reflector itself, or both hosts
. The amplifier attack does not use a single intermediate host, like the reflect
or attack, but uses a whole network of intermediate hosts. The distributed attac
k coordinates attacks among several computers. A synchronous (SYN) flood attack
is a stealth attack because the attacker spoofs the source address of the SYN pa
cket, thus making it difficult to identify the perpetrator.
133. Sometimes a combination of controls works better than a single category of
133. c. Edit and limit checks are an example of preventive or detective control,
file recovery is an example of corrective control, and access controls are an e
xample of preventive control. A combination of controls is stronger than a singl
e type of control.
Edit and limit checks, digital signatures, and access controls are incorrect bec
ause they are an example of a preventive control. Preventive controls keep undes
irable events from occurring. In a computing environment, preventive controls ar
e accomplished by implementing automated procedures to prohibit unauthorized sys
tem access and to force appropriate and consistent action by users.
Error reversals, automated error correction, and file recovery are incorrect bec
ause they are an example of a corrective control. Corrective controls cause or e
ncourage a desirable event or corrective action to occur after an undesirable ev
ent has been detected. This type of control takes effect after the undesirable e
vent has occurred and attempts to reverse the error or correct the mistake.
Edit and limit checks, reconciliation, and exception reports are incorrect becau
se they are an example of a detective control. Detective controls identify error
s or events that were not prevented and identify undesirable events after they h
ave occurred. Detective controls should identify expected error types, as well a
s those that are not expected to occur.
134. What is an attack in which someone compels system users or administrators
into revealing information that can be used to gain access to the system for per
sonal gain called?
a.
b.
c.
d.
Social engineering
Electronic trashing
Electronic piggybacking
Electronic harassment
a. 1, 2, 3, and 4
b. 3, 4, 2, and 1
c. 2, 4, 1, and 3
d. 4, 3, 1, and 2
135. d. The question is asking for the correct sequence of activities that shoul
d take place when reviewing for fraud. The organization should have something of
value to others. Detection of fraud is least important; prevention is most impo
rtant.
136. Which of the following zeroday attack protection mechanisms is not suitabl
e to computing environments with a large number of users?
a.
b.
c.
d.
Port knocking
Access control lists
Local serverbased firewalls
Hardwarebased firewalls
136. a. The use of port knocking or single packet authorization daemons can prov
ide effective protection against zeroday attacks for a small number of users. H
owever, these techniques are not suitable for computing environments with a larg
e number of users. The other three choices are effective protection mechanisms b
ecause they are a part of multiple layer security, providing the first lineofd
efense. These include implementing access control lists (one layer), restricting
network access via local server firewalling (i.e., IP tables) as another layer,
and protecting the entire network with a hardwarebased firewall (another layer
). All three of these layers provide redundant protection in case a compromise i
n any one of them is discovered.
137. A computer fraud occurred using an online accounts receivable database appl
ication system. Which of the following logs is most useful in detecting which da
ta files were accessed from which terminals?
a.
b.
c.
d.
Database log
Access control security log
Telecommunications log
Application transaction log
137. b. Access control security logs are detective controls. Access logs show wh
o accessed what data files, when, and from what terminal, including the nature o
f the security violation. The other three choices are incorrect because database
logs, telecommunication logs, and application transaction logs do not show who
accessed what data files, when, and from what terminal, including the nature of
the security violation.
138. Audit trails should be reviewed. Which of the following methods is not the
best way to perform a query to generate reports of selected information?
a.
b.
c.
d.
By
By
By
By
a
a
a
a
known
known
known
known
damage or occurrence
user identification
terminal identification
application system name
Data diddling
Salami technique
Scavenging
Piggybacking
Preventive control
Detective control
Corrective control
Directive control
Log
Hash totals
Batch totals
Checkdigit control
143. d. In fraud situations, the auditor should proceed with caution. When certa
in about a fraud, he should report it to company management, not to external org
anizations. The auditor should not talk to the employee suspected of fraud. When
the auditor is not certain about fraud, he should talk to the audit management.
144. An effective relationship between risk level and internal control level is
which of the following?
a.
b.
c.
d.
144. d. There is a direct relationship between the risk level and the control le
vel. That is, highrisk situations require stronger controls, lowrisk situation
s require weaker controls, and mediumrisk situations require medium controls. A
control is defined as the policies, practices, and organizational structure des
igned to provide reasonable assurance that business objectives will be achieved
and that undesired events would be prevented or detected and corrected. Controls
should facilitate accomplishment of an organizations objectives.
145. Incident handling is not closely related to which of the following?
a.
b.
c.
d.
Contingency planning
System support
System operations
Strategic planning
145. d. Strategic planning involves longterm and major issues such as managemen
t of the computer security program and the management of risks within the organi
zation and is not closely related to the incident handling, which is a minor iss
ue.
Incident handling is closely related to contingency planning, system support, an
d system operations. An incident handling capability may be viewed as a componen
t of contingency planning because it provides the ability to react quickly and e
fficiently to disruptions in normal processing. Broadly speaking, contingency pl
anning addresses events with the potential to interrupt system operations. Incid
ent handling can be considered that portion of contingency planning that respond
s to malicious technical threats.
146. In which of the following areas do the objectives of systems auditors and
information systems security officers overlap the most?
a.
b.
c.
d.
147. d. Keystroke monitoring is the process used to view or record both the keys
trokes entered by a computer user and the computers response during an interactiv
e session. It is usually considered a special case of audit trails. Keystroke mo
nitoring is conducted in an effort to protect systems and data from intruders wh
o access the systems without authority or in excess of their assigned authority.
Monitoring keystrokes typed by intruders can help administrators assess and rep
air any damage they may cause.
Access control lists refer to a register of users who have been given permission
to use a particular system resource and the types of access they have been perm
itted. Hostbased authentication grants access based upon the identity of the ho
st originating the request, instead of the identity of the user making the reque
st. Centralized security administration allows control over information because
the ability to make changes resides with few individuals, as opposed to many in
a decentralized environment. The other three choices do not protect computer sys
tems from intruders, as does the keystroke monitoring.
148. Which of the following is not essential to ensure operational assurance of
a computer system?
a.
b.
c.
d.
System audits
System changes
Policies and procedures
System monitoring
148. b. Security is not perfect when a system is implemented. Changes in the sys
tem or the environment can create new vulnerabilities. Strict adherence to proce
dures is rare over time, and procedures become outdated. Thinking risk is minima
l, users may tend to bypass security measures and procedures. Operational assura
nce is the process of reviewing an operational system to see that security contr
ols, both automated and manual, are functioning correctly and effectively.
To maintain operational assurance, organizations use three basic methods: system
audits, policies and procedures, and system monitoring. A system audit is a one
time or periodic event to evaluate security. Monitoring refers to an ongoing ac
tivity that examines either the system or the users. In general, the more real t
ime an activity is, the more it falls into the category of monitoring. Policies
and procedures are the backbone for both auditing and monitoring.
System changes drive new requirements for changes. In response to various events
such as user complaints, availability of new features and services, or the disc
overy of new threats and vulnerabilities, system managers and users modify the s
ystem and incorporate new features, new procedures, and software updates. System
changes by themselves do not assure that controls are working properly.
149. What is an example of a security policy that can be legally monitored?
a.
b.
c.
d.
Keystroke monitoring
Electronic mail monitoring
Web browser monitoring
Password monitoring
149. d. Keystroke monitoring, email monitoring, and Web browser monitoring are
controversial and intrusive. These kinds of efforts could waste time and other r
esources due to their legal problems. On the other hand, examples of effective s
ecurity policy statements include (i) passwords shall not be shared under any ci
rcumstances and (ii) password usage and composition will be monitored.
150. What is a common security problem?
a.
b.
c.
d.
150. a. Here, the keyword is common, and it is relative. Discarded storage media
, such as CDs/DVDs, paper documents, and reports, is a major and common problem
in every organization. Telephone wiretapping and electronic bugs require experti
se. Intelligent consultants gather a companys proprietary data and business infor
mation and government trade strategies.
151. When controlling access to information, an audit log provides which of the
following?
a.
b.
c.
d.
151. d. An audit log must be kept and protected so that any actions impacting se
curity can be traced. Accountability can be established with the audit log. The
audit log also helps in verifying the other three choices indirectly.
152. What is a detective control in a computer operations area?
a.
b.
c.
d.
Policy
Log
Procedure
Standard
152. b. Logs, whether manual or automated, capture relevant data for further ana
lysis and tracing. Policy, procedure, and standard are directive controls and ar
e part of management controls because they regulate human behavior.
153. In terms of security functionality verification, which of the following is
the correct order of information systems transitional states?
1.
2.
3.
4.
Startup
Restart
Shutdown
Abort
a.
b.
c.
d.
1,
1,
3,
4,
2,
3,
2,
3,
3,
2,
1,
2,
and
and
and
and
4
4
4
1
Keystroke monitoring
Penetration testing
Audit trails
Telephone wiretap
155. b. Intrusion detection tools detect computer attacks in several ways: (i) o
Batchmode analysis
Realtime audit analysis
Audit trail review after an event
Periodic review of audit trail data
156. b. Audit trail data can be used to review what occurred after an event, for
periodic reviews, and for realtime analysis. Audit analysis tools can be used
in a realtime, or near realtime, fashion. Manual review of audit records in re
al time is not feasible on large multiuser systems due to the large volume of r
ecords generated. However, it might be possible to view all records associated w
ith a particular user or application and view them in real time.
Batchmode analysis is incorrect because it is a traditional method of analyzing
audit trails. The audit trail data are reviewed periodically. Audit records are
archived during that interval for later analysis. The three incorrect choices d
o not provide the convenience of displaying or reporting all records associated
with a user or application, as do the realtime audit analysis.
157. Many errors were discovered during application system filemaintenance work
. What is the best control?
a.
b.
c.
d.
File labels
Journaling
Runtorun control
Before and after image reporting
157. d. Before and after image reporting ensures data integrity by reporting dat
a field values both before and after the changes so that functional users can de
tect data entry and update errors.
File labels are incorrect because they verify internal file labels for tapes to
ensure that the correct data file is used in the processing. Journaling is incor
rect because it captures system transactions on a journal file so that recovery
can be made should a system failure occur. Runtorun control is incorrect becau
se it verifies control totals resulting from one process or cycle to the subsequ
ent process or cycle to ensure their accuracy.
158. Which of the following is not an example of denialofservice attacks?
a.
b.
c.
d.
Flawbased attacks
Information attacks
Flooding attacks
Distributed attacks
c. Access controls
d. Data validation controls
159. b. Assignment of security responsibility is a part of management controls.
Screening of personnel is another example of management controls. The other thre
e choices are part of technical controls.
160. Which of the following individuals or items cause the highest economic los
s to organizations using computerbased information systems?
a.
b.
c.
d.
Dishonest employees
Disgruntled employees
Errors and omissions
Outsiders
160. c. Users, data entry clerks, system operators, and programmers frequently m
ake errors that contribute directly or indirectly to security problems. In some
cases, the error is the threat, such as a data entry error or a programming erro
r that crashes a system. In other cases, the errors create vulnerabilities. Erro
rs can occur during all phases of the system life cycle. Many studies indicate t
hat 65 percent of losses to organizations are the result of errors and omissions
followed by dishonest employees (13%), disgruntled employees (6%), and outsider
s/hackers (3%).
161. Which one of the following situations renders backing up program and data
files ineffective?
a.
b.
c.
d.
When
When
When
When
161. c. Computer viruses that are timed to activate at a later date can be copie
d onto the backup media thereby infecting backup copies as well. This makes the
backup copy ineffective, unusable, or risky. Backups are useful and effective (i
) in the event of a catastrophic accident, (ii) in case of disruption to the net
work, and (iii) when they are performed automatically. Human error is eliminated
.
162. What does an ineffective localareanetwork backup strategy include?
a.
b.
c.
d.
c. Redirected restores
d. Group file restores
163. a. Full restores are used to recover from catastrophic events or when perfo
rming system upgrades and system reorganizations and consolidations. All the dat
a on media is fully restored.
Individual file restores, by their name, restore the last version of a file that
was written to media because it was deleted by accident or ruined. Redirected r
estores store files on a different location or system than the one they were cop
ied from during the backup operations. Group file restores handle two or more fi
les at a time.
164. Which of the following file backup strategies is preferred when a full sna
pshot of a server is required prior to upgrading it?
a.
b.
c.
d.
Full backups
Incremental backups
Differential backups
Ondemand backups
164. d. Ondemand backups refer to the operations that are done outside of the r
egular backup schedule. This backup method is most useful when backing up a few
files/directories or when taking a full snapshot of a server prior to upgrading
it. Ondemand backups can act as a backup for regular backup schedules.
Full backups are incorrect because they copy all data files and programs. It is
a brute force method providing a peace of mind at the expense of valuable time.
Incremental backups are incorrect because they are an inefficient method and cop
y only those files that have changed since the last backup. Differential backups
are incorrect because they copy all data files that have changed since the last
full backup. Only two files are needed to restore the entire system: the last f
ull backup and the last differential backup.
165. Which one of the following database backup strategies is executed when a d
atabase is running in a localareanetwork environment?
a.
b.
c.
d.
Cold backup
Hot backup
Logical backup
Offline backup
165. b. Hot backups are taken when the database is running and updates are being
written to it. They depend heavily on the ability of log files to stack up tran
saction instructions without actually writing any data values into database reco
rds. While these transactions are stacking up, the database tables are not being
updated, and therefore can be backed up with integrity. One major problem is th
at if the system crashes in the middle of the backup, all the transactions stack
ing up in the log file are lost.
The idea of cold backup is to shut down the database and back it up while no end
users are working on the system. This is the best approach where data integrity
is concerned, but it does not service the customer (end user) well.
Logical backups use software techniques to extract data from the database and wr
ite the results to an export file, which is an image file. The logical backup ap
proach is good for incremental backups. Offline backup is another term for cold
backup.
166. Contrary to best practices, information systems security training is usually
not given to which of the following parties?
a.
b.
c.
d.
Computer
Trickery
Computer
Computer
fraud
or coercion techniques
theft
sabotage
168. d. A fault tolerant design should make a system resistant to failure and ab
le to operate continuously. Many ways exist to develop fault tolerance in a syst
em, including using two or more components to duplicate functionality, duplicati
ng systems in separate locations, or using modular components in which failed co
mponents can be replaced with new ones. It does not include providing backup pow
er supplies because it is a part of preventive maintenance, which should be used
with fault tolerant design. Preventive maintenance measures reduce the likeliho
od of significant impairment to components.
169. The process of degaussing involves which of the following?
a.
b.
c.
d.
171. a. Many types of tools have been developed to help reduce the amount of inf
ormation contained in audit records, as well as to distill useful information fr
om the raw data. Especially on larger systems, audit trail software can create l
arge files, which can be extremely difficult to analyze manually. The use of aut
omated tools is likely to be the difference between unused audit trail data and
a robust program. Trend analysis and variance detection tools look for anomalies
in user or system behavior.
Audit data reduction tools are preprocessors designed to reduce the volume of au
dit records to facilitate manual review. These tools generally remove records ge
nerated by specified classes of events, such as records generated by nightly bac
kups.
Attack signature detection tools look for an attack signature, which is a specif
ic sequence of events indicative of an unauthorized access attempt. A simple exa
mple is repeated failed login attempts. Audit datacollection tools simply gath
er data for analysis later.
172. Regarding a patch management program, which of the following helps system a
dministrators most in terms of monitoring and remediating IT resources?
1.
2.
3.
4.
Supported equipment
Supported applications software
Unsupported hardware
Unsupported operating systems
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
172. d. Here, supported and unsupported means whether a company management has a
pproved the acquisition, installation, and operation of hardware and software; a
pproved in the former case and not approved in the latter case. System administr
ators should be taught how to independently monitor and remediate unsupported ha
rdware, operating systems, and applications software because unsupported resourc
es are vulnerable to exploitation. This is because noncompliant employees could
have purchased and installed the unsupported hardware and software on their per
sonal computers, which is riskier than the supported ones. A potential risk is t
hat the unsupported systems could be incompatible with the supported systems and
Clearing
Purging
Destroying
Disposal
Avoiding
Avoiding
Avoiding
Avoiding
a.
b.
c.
d.
1
2
1
3
an unstable website
an unusable website
a security incident
unplanned downtime
only
only
and 2
and 4
Number
Number
Number
Number
a.
b.
c.
d.
1
2
1
3
of
of
of
of
patches needed
vulnerabilities found
vulnerabilities per computer
unapplied patches per computer
only
only
and 2
and 4
175. d. Ratios, not absolute numbers, should be used when comparing the effectiv
eness of the security programs of multiple systems. Ratios reveal better informa
tion than absolute numbers. In addition, ratios allow effective comparison betwe
en systems. Number of patches needed and number of vulnerabilities found are inc
orrect because they deal with absolute numbers.
176. All the following are examples of denialofservice attacks except:
a.
b.
c.
d.
IP address spoofing
Smurf attack
SYNflood attack
Sendmail attack
Keyboard attack
Stream attack
Piggyback attack
Buffer overflow attack
Integrity
Availability
Confidentiality
Reliability
b. Detection
c. Recovery
d. Remediation
179. c. Of all the malware incidentresponse lifecycle phases, recovery phase i
s the most complex. Recovery involves containment, restore, and eradication. Con
tainment addresses how to control an incident before it spreads to avoid consumi
ng excessive resources and increasing damage caused by the incident. Restore add
resses bringing systems to normal operations and hardening systems to prevent si
milar incidents. Eradication addresses eliminating the affected components of th
e incident from the overall system to minimize further damage to it.
More tools and technologies are relevant to the recovery phase than to any other
phase; more technologies mean more complexity. The technologies involved and th
e speed of malware spreading make it more difficult to recover.
The other three phases such as preparation, detection, and remediation are less
complex. The scope of preparation and prevention phase covers establishing plans
, policies, and procedures. The scope of detection phase covers identifying clas
ses of incidents and defining appropriate actions to take. The scope of remediat
ion phase covers tracking and documenting security incidents on an ongoing basis
to help in forensics analysis and in establishing trends.
180. Which of the following determines the system availability rate for a compu
terbased application system?
a.
b.
c.
d.
d. Safety requirements
182. a. There are a number of startup costs and funding issues to consider when
planning an incident handling capability. Because the success of an incident ha
ndling capability relies so heavily on the users perceptions of its worth and whe
ther they use it, it is important that the capability meets users requirements. T
wo important funding issues are personnel and education and training.
183. Which of the following is not a primary benefit of an incident handling cap
ability?
a.
b.
c.
d.
Helpdesk function
System backup schedules
System development activity
Risk management process
Electronic mail
Physical bulletin board
Terminal and modem
Electronic bulletin board
a.
b.
c.
d.
Preparation
Detection
Recovery
Reporting
186. b. Detection, for many organizations, is the most challenging aspect of the
incident response process. Actually detecting and assessing possible incidents
is difficult. Determining whether an incident has occurred and, if so, the type,
extent, and magnitude of the problem is not an easy task.
The other three phases such as preparation, recovery, and reporting are not that
challenging. The scope of preparation and prevention phase covers establishing
plans, policies, and procedures. The scope of recovery phase includes containmen
t, restore, and eradication. The scope of reporting phase involves understanding
the internal and external reporting requirements in terms of the content and ti
meliness of the reports.
187. Regarding incident response data, nonperformance of which one of the follo
wing items makes the other items less important?
a.
b.
c.
d.
Quality of data
Review of data
Standard format for data
Actionable data
187. b. If the incident response data is not reviewed regularly, the effectivene
ss of detection and analysis of incidents is questionable. It does not matter wh
ether the data is of high quality with standard format for data, or actionable d
ata. Proper and efficient reviews of incidentrelated data require people with e
xtensive specialized technical knowledge and experience.
188. Which of the following statements about incident management and response is
not true?
a.
b.
c.
d.
189. b. The correct sequence of events taking place in the incident response lif
e cycle is detection, response, reporting, recovery, and remediation. Although t
he correct sequence is started with detection, there are some underlying activit
ies that should be in place prior to detection. These prior activities include p
reparation and prevention, addressing the plans, policies, procedures, resources
, support, metrics, patch management processes, host hardening measures, and pro
perly configuring the network perimeter.
Detection involves the use of automated detection capabilities (for example, log
analyzers) and manual detection capabilities (for example, user reports) to ide
ntify incidents. Response involves security staff offering advice and assistance
to system users for the handling and reporting of security incidents (for examp
le, held desk or forensic services). Reporting involves understanding the intern
al and external reporting requirements in terms of the content and timeliness of
the reports. Recovery involves containment, restore, and eradication. Containme
nt addresses how to control an incident before it spreads to avoid consuming exc
essive resources and increasing damage caused by the incident. Restore addresses
bringing systems to normal operations and hardening systems to prevent similar
incidents. Eradication addresses eliminating the affected components of the inci
dent from the overall system to minimize further damage to the overall system. R
emediation involves tracking and documenting security incidents on an ongoing ba
sis.
190. Which of the following is not a recovery action after a computer security i
ncident was contained?
a.
b.
c.
d.
190. c. Preserving the evidence is a containment strategy, whereas all the other
choices are part of recovery actions. Preserving the evidence is a legal matter
, not a recovery action, and is a part of the containment strategy. In recovery
action, administrators restore systems to normal operation and harden systems to
prevent similar incidents, including the actions taken in the other three choic
es.
191. Contrary to best practices, which of the following parties is usually not n
otified at all or is notified last when a computer security incident occurs?
a.
b.
c.
d.
System administrator
Legal counsel
Disaster recovery coordinator
Hardware and software vendors
Audit logs
Keyboard monitoring
Network sniffing
Online monitoring
193. a. Audit logs collect data passively on computer journals or files for late
r review and analysis followed by action. The other three choices are examples o
f active surveillance techniques where electronic (online) monitoring is done fo
Systems software
Applications software
Training and awareness program
Help desk
Internet security
Residual data security
Network security
Application system security
195. b. System users seldom consider residual data security as part of their job
duties because they think it is the job of computer operations or information s
ecurity staff. Residual data security means data remanence where corporate spies
can scavenge discarded magnetic or paper media to gain access to valuable data.
Both system users and system managers usually consider the measures mentioned i
n the other three choices.
196. Which of the following is not a special privileged user?
a.
b.
c.
d.
System administrator
Business enduser
Security administrator
Computer operator
Division of responsibilities
Handling incidents at multiple locations
Current and future quality of work
Lack of organizationspecific knowledge
198. The incident response team should work with which of the following when at
tempting to contain, eradicate, and recover from largescale incidents?
a.
b.
c.
d.
198. d. Patch management staff work is separate from that of the incident respon
se staff. Effective communication channels between the patch management team and
the incident response team are likely to improve the success of a patch managem
ent program when containing, eradicating, and recovering from largescale incide
nts. The activities listed in the other choices are the responsibility of the in
cident response team.
199. Which of the following is the foundation of the incident response program?
a.
b.
c.
d.
Incident
Incident
Incident
Incident
response
response
response
response
policies
procedures
standards
guidelines
199. a. The incident response policies are the foundation of the incident respon
se program. They define which events are considered as incidents, establish the
organizational structure for the incident response program, define roles and res
ponsibilities, and list the requirements for reporting incidents.
200. All the following can increase an information systems resilience except:
a. A system achieves a secure initial state.
b. A system reaches a secure failure state after failure.
c. A systems recovery procedures take the system to a known secure state after fa
ilure.
d. All of a systems identified vulnerabilities are fixed.
200. d. There are vulnerabilities in a system that cannot be fixed, those that h
ave not yet been fixed, those that are not known, and those that are not practic
al to fix due to operational constraints. Therefore, a statement that all of a sy
stems identified vulnerabilities are fixed is not correct. The other three choices
can increase a systems resilience.
201. Media sanitization ensures which of the following?
a.
b.
c.
d.
Data
Data
Data
Data
integrity
confidentiality
availability
accountability
201. b. Media sanitization refers to the general process of removing data from s
torage media, such that there is reasonable assurance, in proportion to the conf
identiality of the data, that the data may not be retrieved and reconstructed. T
he other three choices are not relevant here.
202. Regarding media sanitization, degaussing is the same as:
a.
b.
c.
d.
Incinerating
Melting
Demagnetizing
Smelting
202. c. Degaussing reduces the magnetic flux to virtual zero by applying a rever
se magnetizing field. It is also called demagnetizing.
203. Regarding media sanitization, what is residual information remaining on st
orage media after clearing called?
a.
b.
c.
d.
Residue
Remanence
Leftover data
Leftover information
To
To
To
To
replace
replace
replace
replace
204. c. The security goal of the overwriting process is to replace written data
with random data. The process may include overwriting not only the logical stora
ge of a file (for example, file allocation table) but also may include all addre
ssable locations.
205. Which of the following protects the confidentiality of information against
a laboratory attack?
a.
b.
c.
d.
Disposal
Clearing
Purging
Disinfecting
205. c. A laboratory attack is a data scavenging method through the aid of what
could be precise or elaborate and powerful equipment. This attack involves using
signalprocessing equipment and specially trained personnel. Purging informatio
n is a media sanitization process that protects the confidentiality of informati
on against a laboratory attack and renders the sanitized data unrecoverable. Thi
s is accomplished through the removal of obsolete data by erasure, by overwritin
g of storage, or by resetting registers.
The other three choices are incorrect. Disposal is the act of discarding media b
y giving up control in a manner short of destruction, and is not a strong protec
tion. Clearing is the overwriting of classified information such that the media
may be reused. Clearing media would not suffice for purging. Disinfecting is a p
rocess of removing malware within a file.
206. Computer fraud is increased when:
a.
b.
c.
d.
206. c. Audit trails indicate what actions are taken by the system. Because the
system has adequate and clear audit trails deters fraud perpetrators due to fear
of getting caught. For example, the fact that employees are trained, documentat
ion is available, and employee performance appraisals are given (preventive meas
ures) does not necessarily mean that employees act with due diligence at all tim
es. Hence, the need for the availability of audit trails (detection measures) is
very important because they provide a concrete evidence of actions and inaction
s.
207. Which of the following is not a prerequisite for system monitoring?
a.
b.
c.
d.
207. c. Exception reports are the result of a system monitoring activity. Deviat
ions from standards or policies will be shown in exception reports. The other th
ree choices are needed before the monitoring process starts.
208. What is the selective termination of affected nonessential processing when
a failure is detected in a computer system called?
a.
b.
c.
d.
Failsafe
Failsoft
Failover
Failunder
Recovery control
Corrective control
Preventive control
Detective control
209. d. Audit trails show an attackers actions after detection; hence they are an
example of detective controls. Recovery controls facilitate the recovery of los
t or damaged files. Corrective controls fix a problem or an error. Preventive co
ntrols do not detect or correct an error; they simply stop it if possible.
210. From a best security practices viewpoint, which of the following falls und
er the ounceofprevention category?
a.
b.
c.
d.
210. a. It has been said that An ounce of prevention equals a pound of cure. Patch
and vulnerability management is the ounce of prevention compared to the pound of c
ure in the incident response, in that timely patches to software reduce the chanc
es of computer incidents.
Symmetric cryptography uses the same key for both encryption and decryption, whe
reas asymmetric cryptography uses separate keys for encryption and decryption, o
r to digitally sign and verify a signature. Key rollover is the process of gener
ating and using a new key (symmetric or asymmetric key pair) to replace one alre
ady in use.
211. Which of the following must be manually keyed into an automated IT resourc
es inventory tool used in patch management to respond quickly and effectively?
a.
b.
c.
d.
211. b. Although most information can be taken automatically from the system dat
a, the physical location of an IT resource must be manually entered. Connected n
etwork port numbers can be taken automatically from the system data. Software an
Exploit scripts
Worms
Software flaws
Viruses
Disable
Uninstall
Enable
Install
Nonmagnetic media
Damaged media
Media with large storage capacity
Quickly purging diskettes
Disposal
Clearing
Purging
Destroying
215. d. Media destruction is the ultimate form of sanitization. After media are
destroyed, they cannot be reused as originally intended, and that information is
virtually impossible to recover or prohibitively expensive from that media. Phy
sical destruction can be accomplished using a variety of methods, including disi
ntegration, incineration, pulverization, shredding, melting, sanding, and chemic
al treatment.
216. Organizations that outsource media sanitization work should exercise:
a. Due process
b. Due law
c. Due care
d. Due diligence
216. d. Organizations can outsource media sanitization and destruction if busine
ss and security management decide this would be the most reasonable option for m
aintaining confidentiality while optimizing available resources. When choosing t
his option, organizations exercise due diligence when entering into a contract w
ith another party engaged in media sanitization. Due diligence requires organiza
tions to develop and implement an effective security program to prevent and dete
ct violation of policies and laws.
Due process means each person is given an equal and a fair chance of being repre
sented or heard and that everybody goes through the same process for considerati
on and approval. It means all are equal in the eyes of the law. Due law covers d
ue process and due care. Due care means reasonable care in promoting the common
good and maintaining the minimal and customary practices.
217. Redundant arrays of independent disks (RAID) provide which of the followin
g security services most?
a.
b.
c.
d.
Data
Data
Data
Data
confidentiality
reliability
availability
integrity
218. a. Pressure includes financial and nonfinancial types, and it could be real
or perceived. Opportunity includes real or perceived categories in terms of tim
e and place. Rationalization means the illegal actions are consistent with the p
erpetrators personal code of conduct or state of mind.
219. When a system preserves a secure state, during and after a failure is call
ed a:
a.
b.
c.
d.
System failure
Failsecure
Failaccess
System fault
219. b. In failsecure, the system preserves a secure condition during and after
an identified failure. System failure and fault are generic and do not preserve
a secure condition like failsecure. Failaccess is a meaningless term here.
220. Faulttolerance systems provide which of the following security services?
a.
b.
c.
d.
220. b. The goal of faulttolerance systems is to detect and correct a fault and
to maintain the availability of a computer system. Faulttolerance systems play
an important role in maintaining high data and system integrity and in ensuring
highavailability of systems. Examples include disk mirroring and server mirror
ing techniques.
221. What do faulttolerant hardware control devices include?
a.
b.
c.
d.
221. a. Disk duplexing means that the disk controller is duplicated. When one di
sk controller fails, the other one is ready to operate. Disk mirroring means the
file server contains duplicate disks, and that all information is written to bo
th disks simultaneously. Server consolidation, localarea network (LAN) consolid
ation, and disk distribution are meaningless to fault tolerance; although, they
may have their own uses.
222. Performing automated deployment of patches is difficult for which of the f
ollowing?
a.
b.
c.
d.
222. b. Manual patching is useful and necessary for many legacy and specialized
systems due to their nature. Automated patching tools allow an administrator to
update hundreds or even thousands of systems from a single console. Deployment i
s fairly simple when there are homogeneous computing platforms, with standardize
d desktop systems, and similarly configured servers.
223. Regarding media sanitization, degaussing is an acceptable method for which
of the following?
a.
b.
c.
d.
Disposal
Clearing
Purging
Disinfecting
224. c. Before performing the remediation, the system administrator may want to
conduct a full backup of the system to be patched. This allows for a timely syst
em restoration to its previous state if the patch has an unintended or unexpecte
d impact on the host. The other three choices are part of the patch remediation
testing procedures.
225. Regarding a patch management program, an experienced administrator or secu
rity officer should perform which of the following?
a.
b.
c.
d.
Functional users
System auditors
System administrators
Security administrators
Firewalls
Intrusion detection
Audit trails
Access controls
2. c. Audit trails provide one of the best and most inexpensive means for tracki
ng possible hacker attacks, not only after attack, but also during the attack. O
ne can learn what the attacker did to enter a computer system, and what he did a
fter entering the system. Audit trails also detect unauthorized but abusive user
activity. Firewalls, intrusion detection systems, and access controls are expen
sive when compared to audit trails.
3. What is an audit trail an example of?
a.
b.
c.
d.
Recovery control
Corrective control
Preventive control
Detective control
3. d. Audit trails show an attackers actions after detection; hence they are an e
xample of detective controls. Recovery controls facilitate the recovery of lost
By
By
By
By
a
a
a
a
known
known
known
known
damage or occurrence
user identification
terminal identification
application system name
Batchmode analysis
Realtime audit analysis
Audit trail review after an event
Periodic review of audit trail data
6. b. Audit trail data can be used to review what occurred after an event, for p
eriodic reviews, and for realtime analysis. Audit analysis tools can be used in
a realtime, or near realtime, fashion. A manual review of audit records in re
al time is not feasible on large multiuser systems due to the large volume of r
ecords generated. However, it might be possible to view all records associated w
The
The
The
The
8. a. Many types of tools have been developed to help reduce the amount of infor
mation contained in audit records, as well as to distill useful information from
the raw data. Especially on larger systems, audit trail software can create lar
ge files, which can be extremely difficult to analyze manually. The use of autom
ated tools is likely to be the difference between unused audit trail data and a
robust program. Trend analysis and variance detection tools look for anomalies i
n user or system behavior.
Audit datareduction tools are preprocessors designed to reduce the volume of au
dit records to facilitate manual review. These tools generally remove records ge
nerated by specified classes of events, such as records generated by nightly bac
kups. Attack signaturedetection tools look for an attack signature, which is a
specific sequence of events indicative of an unauthorized access attempt. A simp
le example is repeated failed login attempts. Audit datacollection tools simpl
y gather data for analysis later.
Sources and References
Creating a Patch and Vulnerability Management Program (NIST SP80040V2), National
Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gait
hersburg, Maryland, November 2005.
Engineering Principles for IT Security (NIST SP80027 Revision A), National Instit
ute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersbur
g, Maryland, June 2004.
Guide to Malware Incident Prevention and Handling (NIST SP80083), National Instit
ute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersbur
g, Maryland, November 2005.
Guide to Storage Encryption Technologies for End User Devices (NIST SP800111Draf
t), National Institute of Standards and Technology (NIST), U.S. Department of Com
merce, Gaithersburg, Maryland, August 2007.
Guidelines for Media Sanitization (NIST SP80088 Revision 1), National Institute o
f Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Ma
ryland, September 2006.
Walden, Bob. Data Storage Management. An NSS Groups White Paper, 19912001.
Domain 8
Business Continuity and Disaster Recovery Planning
Traditional Questions, Answers, and Explanations
1. Which of the following information technology (IT) contingency solution for
servers minimizes the recovery time window?
a.
b.
c.
d.
Electronic vaulting
Remote journaling
Load balancing
Disk replication
1. d. With disk replication, recovery windows are minimized because data is writ
ten to two different disks to ensure that two valid copies of the data are alway
s available. The two disks are called the protected server (the main server) and
the replicating server (the backup server). Electronic vaulting and remote jour
naling are similar technologies that provide additional data backup capabilities
, with backups made to remote tape or disk drives over communication links. Load
balancing increases server and application system availability.
2. Which of the following IT contingency solutions for servers provides high av
ailability?
a.
b.
c.
d.
Networkattached storage
System backups
Redundant array of independent disks
Electronic vaulting
Desktop computers
Servers
Distributed systems
Widearea networks
Mainframe systems
Distributed systems
Desktop computers
Websites
Synchronous mirroring
Asynchronous shadowing
Single location disk replication
Multiple location disk replication
System
Downtime, hours
Uptime, hours
1
200
8,560
2
150
8,610
3
250
8,510
4
100
8,660
Which of the following systems has the highest availability in a year expressed
in percentages and rounded up?
a. System 1
b. System 2
c. System 3
d. System 4
7. d. System 4 has the highest availability percentage. Theoretically speaking,
the lower the downtime for a system, the higher the availability of that system,
and higher the reliability of that system, and vice versa. In fact, this questi
on does not require any calculations to perform because one can find out the cor
rect answer just by looking at the downtime and uptime data given in that the lo
wer the downtime hours, the higher the uptime hours, and the higher the availabi
lity of the system, and vice versa.
System
Availability, percent
Reliability, percent
1
97.7
97.7
2
98.3
98.3
3
97.1
97.1
98.9
98.9
Calculations for System 1 are shown below and calculations for other systems fol
low the System 1 calculations.
Availability for System 1 =
[Uptime/(Uptime + Downtime)] 100 = [(8,560/8,760)] 100 = 97.7%
Reliability for System 1 =
[1 (Downtime/Downtime + Uptime)] 100 = [1 (200/8,760)] 100 = 97.7%
Check: Reliability for System 1 =
100 (100 Availability percent) = 100 (100 97.7) = 97.7%
This goes to say that the availability and reliability goals are intrinsically r
elated to each other, where the former is a component of the latter.
8. Regarding BCP and DRP, redundant array of independent disk (RAID) does not do
which of the following?
a.
b.
c.
d.
8.
cy
r,
9.
he
b. Redundant array of independent disk (RAID) does not provide power redundan
and should be acquired through an uninterruptible power supply system. Howeve
RAID provides the other three choices.
Redundant array of independent disk (RAID) technology does not use which of t
following?
a.
b.
c.
d.
Electronic vaulting
Mirroring
Parity
Striping
9. a. Redundant array of independent disk (RAID) technology uses three data redu
ndancy techniques such as mirroring, parity, and striping, not electronic vaulti
ng. Electronic vaulting is located offsite, whereas RAID is placed at local serv
ers where the former may use the latter.
10. Regarding BCP and DRP, the board of directors of an organization is not requ
ired to follow which of the following?
a.
b.
c.
d.
Duty
Duty
Duty
Duty
of
of
of
of
due care
absolute care
loyalty
obedience
10. b. Duty of absolute care is not needed because reasonable and normal care is
expected of the board of directors because no one can anticipate or protect fro
m all disasters. However, the directors need to follow the other three duties of
due care, loyalty, and obedience.
11. Which of the following tasks is not a part of business continuity plan (BCP)
?
a.
b.
c.
d.
Project scoping
Impact assessment
Disaster recovery procedures
Disaster recovery strategies
11. c. Tasks are different between a business continuity plan (BCP) and disaster
recovery planning (DRP) because of timing of those tasks. For example, disaster
recovery procedures come into play only during disaster, which is a part of DRP
.
12. Which of the following tasks is not a part of disaster recovery planning (DR
P)?
a.
b.
c.
d.
Restoration procedures
Procuring the needed equipment
Relocating to a primary processing site
Selecting an alternate processing site
12. d. Tasks are different between business continuity plan (BCP) and disaster r
ecovery planning (DRP) because of timing of those tasks. For example, selecting
an alternative processing site should be planned out prior to a disaster, which
is a part of a BCP. The other three choices are a part of DRP. Note that DRP is
associated with data processing and BCP refers to actions that keep the business
running in the event of a disruption, even if it is with pencil and paper.
13. Regarding BCP and DRP, critical measurements in business impact analysis (B
IA) include which of the following?
a.
b.
c.
d.
13. c. Two critical measurements in business impact analysis (BIA) include recov
ery time objectives (RTOs) and recovery point objectives (RPOs). Usually, system
s are classified as general support systems (for example, networks, servers, com
puters, gateways, and programs) and major application systems (for example, bill
ing, payroll, inventory, and personnel system). Uninterruptible power supply (UP
S) system is an auxiliary system supporting general systems and application syst
ems. Regardless of the nature and type of a system, they all need to fulfill the
RTOs and RPOs to determine their impact on business operations.
14. Regarding BCP and DRP, which of the following establishes an information sy
stems recovery time objective (RTO)?
a.
b.
c.
d.
Cost of
Maximum
Cost of
Cost of
14. b. The balancing point between the maximum allowable outage (MAO) and the co
st to recover establishes an information systems recovery time objective (RTO). R
ecovery strategies must be created to meet the RTO. The maximum allowable outage
is also called maximum tolerable downtime (MTD). The other three choices are in
correct because they do not deal with time and cost dimensions together.
15. Regarding BCP and DRP, which of the following determines the recovery cost
balancing?
a.
b.
c.
d.
Cost of
Maximum
Cost of
Cost of
unavailable. The other three choices are incorrect because they do not deal with
the recovery cost balancing principle.
16. Regarding contingency planning, which of the following actions are performe
d when malicious attacks compromise the confidentiality or integrity of an infor
mation system?
1.
2.
3.
4.
Graceful degradation
System shutdown
Fallback to manual mode
Alternate information flows
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
16. d. The actions to perform during malicious attacks compromise the confidenti
ality or integrity of the information system include graceful degradation, infor
mation system shutdown, fallback to a manual mode, alternative information flows
, or operating in a mode that is reserved solely for when the system is under at
tack.
17. In transactionbased systems, which of the following are mechanisms support
ing transaction recovery?
1.
2.
3.
4.
Transaction rollback
Transaction journaling
Router tables
Compilers
a.
b.
c.
d.
1 only
1 and 2
3 and 4
1, 2, 3, and 4
a.
b.
c.
d.
1
2
3
1
and 2
and 3
only
and 4
18. a. Both alternative storage site and alternative processing site are suscept
ible to potential accessibility problems in the event of an areawide disruption
or disaster. Explicit mitigation actions are needed to handle this problem. Tel
ecommunication services (ISPs and network service providers) and remote redundan
t secondary systems are located far away from the local area, hence not suscepti
ble to potential accessibility problems.
19. Which of the following ensures the successful completion of tasks in the de
velopment of business continuity and disaster recovery plans?
a.
b.
c.
d.
Both
Both
Both
Both
sites
sites
sites
sites
a.
b.
c.
d.
1 and
1, 2,
1, 2,
1, 2,
2
and 3
and 4
3, and 4
20. a. It is important to ensure that both sites (i.e., alternative storage site
and primary storage site) are not susceptible to the same hazards, are not colo
cated in the same area, have the same recovery time objectives (RTOs), and have
the same recovery point objectives (RPOs).
21. Regarding BCP and DRP, if MAO is maximum allowable outage, BIA is business
impact analysis, RTO is recovery time objective, MTBF is meantimebetweenfailu
res, RPO is recovery point objective, MTTR is meantimetorepair, and UPS is un
interruptible power supply, which one of the following is related to and compati
ble with each other within the same choice?
a.
b.
c.
d.
MAO,
BIA,
MAO,
MAO,
Passwords
Digital signatures
Encryption
Cryptographic hashes
22. a. Backups are performed at the userlevel and systemlevel where the latter
contains an operating system, application software, and software licenses. Only
userlevel information backups require passwords. Systemlevel information back
ups require controls such as digital signatures, encryption, and cryptographic h
ashes to protect their integrity.
23. Which of the following is an operational control and is a prerequisite to d
eveloping a disaster recovery plan?
a.
b.
c.
d.
System backups
Business impact analysis
Costbenefit analysis
Risk analysis
23. a. System backups provide the necessary data files and programs to recover f
rom a disaster and to reconstruct a database from the point of failure. System b
ackups are operational controls, whereas the items mentioned in the other choice
s come under management controls and analytical in nature.
24. Which of the following is a critical benefit of implementing an electronic
vaulting program?
a. It supports unattended computer center operations or automation.
b. During a crisis situation, an electronic vault can make the difference betwee
n an organizations survival and failure.
c. It reduces required backup storage space.
d. It provides faster storage data retrieval.
24. b. For some organizations, time becomes money. Increased system reliability
improves the likelihood that all the information required is available at the el
ectronic vault. If data can be retrieved immediately from the offsite storage,
less is required in the computer center. It reduces retrieval time from hours to
minutes. Because electronic vaulting eliminates tapes, which are a hindrance to
automated operations, electronic vaulting supports automation.
25. Regarding contingency planning, information system backups require which of
the following?
1. Both the primary storage site and alternative storage site do
susceptible to the same hazards.
2. Both operational system and redundant secondary system do not
cated in the same area.
3. Both primary storage site and alternative storage site do not
e same recovery time objectives.
4. Both operational system and redundant secondary system do not
e same recovery point objectives.
a.
b.
c.
d.
1 and
1, 2,
1, 2,
1, 2,
not need to be
need to be colo
need to have th
need to have th
2
and 3
and 4
3, and 4
2. Disruption impacts
3. Allowable outage times
4. Interdependent systems
a.
b.
c.
d.
I only
1 and 2
1, 2, and 3
1, 2, 3, and 4
26. d. A disaster recovery strategy must be in place to recover and restore data
and system operations within the recovery time objective (RTO) period. The stra
tegies should address disruption impacts and allowable outage times identified i
n the business impact analysis (BIA). The chosen strategy must also be coordinat
ed with the IT contingency plans of interdependent systems. Several alternatives
should be considered when developing the strategy, including cost, allowable ou
tage times, security, and integration into organizationlevel contingency plans.
27. The final consideration in the disaster recovery strategy must be which of
the following?
a.
b.
c.
d.
27. c. The final consideration in the disaster recovery strategy must be final c
osts and benefits; although, cost and benefit data is considered initially. No p
rudent manager or executive would want to spend ten dollars to obtain a one doll
ar benefit. When costs exceed benefits, some managers accept the risk and some d
o not. Note that it is a human tendency to understate costs and overstate benefi
ts. Some examples of costs include loss of income from loss of sales, cost of no
t meeting legal and regulatory requirements, cost of not meeting contractual and
financial obligations, and cost of loss of reputation. Some examples of benefit
s include assurance of continuity of business operations, ability to make sales
and profits, providing gainful employment, and satisfying internal and external
customers and other stakeholders.
The recovery strategy must meet criticality and availability of data and systems
and recovery time objective (RTO) requirements while remaining within the cost
and benefit guidelines.
28. Regarding BCP and DRP, which of the following does not prevent potential dat
a loss?
a.
b.
c.
d.
Disk mirroring
Offsite storage of backup media
Redundant array of independent disk
Load balancing
d. The LAN server must be recovered fully to distribute payroll checks on Friday
to all employees.
29. c. The LAN server must be recovered within 8 hours to avoid a delay in time s
heet processing is an example of BIAs recovery time objective (RTO). Time and atten
dance reporting may require the use of a LAN server and other resources is an exa
mple of BIAs critical resource. LAN disruption for 8 hours may create a delay in t
ime sheet processing is an example of BIAs resource impact. The LAN server must be
recovered fully to distribute payroll checks on Friday to all employees is an exa
mple of BIAs recovery point objective (RPO).
30. Which of the following are closely connected to each other when conducting
business impact analysis (BIA) as a part of the IT contingency planning process?
1.
2.
3.
4.
Systems
Systems
Systems
Systems
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
components
interdependencies
critical resources
downtime impacts
2
3
4
3, and 4
Internal audits
Selfassessments
External audits
Thirdparty audits
unctional and IT management, thus saving their audit time, resulting in reductio
n in audit costs. However, auditors will conduct their own independent tests to
validate the answers given in the assessments. The audit process validates compl
iance with disaster recovery standards, reviews recovery problems and solutions,
verifies the appropriateness of recovery test exercises, and reviews the criter
ia for updating and maintaining a BCP.
Here, the major point is that selfassessments should be performed in an indepen
dent and objective manner without the company managements undue influence on the
results. Another proactive thinking is sharing these selfassessments with audit
ors earlier to get their approval prior to actually using them in the company to
ensure that right questions are asked and right areas are addressed.
32. A companys vital records program must meet which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1 only
1 and 2
1, 3, and 4
1, 2, 3, and 4
32. d. Vital records support the continuity of business operations and present t
he necessary legal evidence in a court of law. Vital records should be retained
to meet the requirements of functional departments of a company (for example, ac
counting, marketing, production, and human resources) to run daytoday business
operations (current and future). In addition, companies that are heavily regula
ted (for example, banking and insurance) require certain vital records to be ret
ained for a specified amount of time. Also, internal auditors, external auditors
, and thirdparty auditors (for example, regulatory auditors and banking/insuran
ce industry auditors) require certain vital records to be retained to support th
eir audit work. Periodically, these auditors review compliance with the record r
etention requirements either as a separate audit or as a part of their scheduled
audit. Moreover, vital records are needed during recovery from a disaster. In o
ther words, vital records are so vital for the longrun success of a company.
First, a company management with the coordination of corporate legal counsel mus
t take an inventory of all records used in a company, classify what records are
vital, and identify what vital records support the continuity of business operat
ions, legal evidence, disaster recovery work, and audit work; knowing that not a
ll records and documents that a company handles everyday are vital records.
Some records are on paper media while other records are on electronic media. An
outcome of inventorying and classifying records is developing a list of record re
tention showing each document with its retention requirements in terms of years.
Then, a systematic method is needed to preserve and store these vital records on
site and offsite with rotation procedures between the onsite and offsite locatio
ns.
Corporate legal counsel plays an important role in defining retention requiremen
ts for both business (common) records and legal records. IT management plays a s
imilar role in backing up, archiving, and restoring the electronic records for f
uture retrieval and use. The goal is to ensure that the current version of the v
ital records is available and that outdated backup copies are deleted or destroy
ed in a timely manner.
Examples of vital records follow:
Legal records: General contracts; executive employment contracts; bank loan docu
ments; business agreements with third parties, partners, and joint ventures; and
regulatory compliance forms and reports.
Accounting/finance records: Payroll, accounts payable, and accounts receivable r
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Memorandum of agreement
Maximum allowable outage
Servicelevel agreement
Cost to recover
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
3
4
4
3, and 4
34. b. The balancing point between the maximum allowable outage (MAO) for a reso
urce and the cost to recover that resource establishes the information systems re
covery time objective (RTO). Memorandum of agreement is another name for develop
ing a servicelevel agreement (SLA).
35. Contingency planning integrates the results of which of the following?
a.
b.
c.
d.
35. b. Contingency planning integrates and acts on the results of the business i
mpact analysis. The output of this process is a business continuity plan consist
ing of a set of contingency planswith a single plan for each core business proces
s and infrastructure component. Each contingency plan should provide a descripti
on of the resources, staff roles, procedures, and timetables needed for its impl
ementation.
36. Which of the following must be defined to implement each contingency plan?
a.
b.
c.
d.
Triggers
Risks
Costs
Benefits
Fullscale testing
Pilot testing
Parallel testing
Endtoend testing
37. d. The purpose of endtoend testing is to verify that a defined set of inte
rrelated systems, which collectively support an organizational core business are
a or function, interoperate as intended in an operational environment. Generally
, endtoend testing is conducted when one major system in the endtoend chain
is modified or replaced, and attention is rightfully focused on the changed or n
ew system. The boundaries on endtoend tests are not fixed or predetermined but
rather vary depending on a given business areas system dependencies (internal an
d external) and the criticality to the mission of the organization.
Fullscale testing is costly and disruptive, whereas endtoend testing is least
costly. Pilot testing is testing one system or one department before testing ot
her systems or departments. Parallel testing is testing two systems or two depar
tments at the same time.
38. Organizations practice contingency plans because it makes good business sen
se. Which of the following is the correct sequence of steps involved in the cont
ingency planning process?
1.
2.
3.
4.
a.
b.
c.
d.
1,
1,
2,
2,
2,
3,
1,
4,
3,
2,
4,
1,
and
and
and
and
4
4
3
3
38. d. Contingency planning involves more than planning for a move offsite after
a disaster destroys a data center. It also addresses how to keep an organizatio
ns critical functions operating in the event of disruptions, both large and small
. This broader perspective on contingency planning is based on the distribution
of computer support throughout an organization. The correct sequence of steps is
as follows:
Identify the mission or business or critical functions.
Identify the resources that support the critical functions.
Anticipate potential contingencies or disasters.
Select contingency planning strategies.
39. A contingency planning strategy consists of the following four parts. Which
Incident response
Remote computing
Backup operations
Recovery plans
a. 1, 2, 3, and 4
b. 3, 2, 1, and 4
c. 4, 1, 3, and 2
d. 4, 2, 1, and 3
41. c. The health and safety of employees and general public should be the first
concern during a disaster situation. The second concern should be to minimize t
he disasters economic impact on the organization in terms of revenues and sales.
The third concern should be to limit or contain the disaster. The fourth concern
should be to reduce physical damage to property, equipment, and data.
42. Rank the following benefits to be realized from a comprehensive disaster rec
overy plan (DRP) from most to least important:
1.
2.
3.
4.
a.
b.
c.
d.
1,
3,
3,
4,
2,
2,
4,
2,
3,
1,
2,
3,
and
and
and
and
4
4
1
1
43. a. Because there are many types of disasters that can occur, it is not pract
ical to consider all such disasters. Doing so is costprohibitive. Hence, disast
er recovery planning exercises should focus on major types of disasters that occ
ur frequently. One approach is to perform risk analysis to determine the annual
loss expectancy (ALE), which is calculated from the frequency of occurrence of a
possible loss multiplied by the expected dollar loss per occurrence.
44. Which of the following items is usually not considered when a new applicatio
n system is brought into the production environment?
a.
b.
c.
d.
Mitigation
Preparedness
Response
Recovery
A
A
A
A
basic policy
broad policy
special allrisk policy
policy commensurate with risks
47. d. Because insurance reduces or eliminates risk, the best insurance is the o
ne commensurate with the most common types of risks to which a company is expose
d.
The other three choices are incorrect. A basic policy covers specific named peri
ls including fire, lightning, and windstorm. A broad policy covers additional pe
rils such as roof collapse and volcanic action. A special allrisk policy covers
everything except specific exclusions named in the policy.
48. Which of the following IT contingency solutions increases a servers performa
nce and availability?
a.
b.
c.
d.
Electronic vaulting
Remote journaling
Load balancing
Disk replication
48. c. Load balancing systems monitor each server to determine the best path to
route traffic to increase performance and availability so that one server is not
overwhelmed with traffic. Electronic vaulting and remote journaling are similar
technologies that provide additional data backup capabilities, with backups mad
e to remote tape or disk drives over communication links. Disk replication can b
e implemented locally or between different locations.
49. Which of the following can be called the disaster recovery plan of last res
ort?
a.
b.
c.
d.
50. b. The last step is establishing priorities for recovery based on critical n
eeds. The following describes the sequence of steps in a risk assessment process
:
1. Possible threats include natural (for example, fires, floods, and earthquakes
), technical (for example, hardware/software failure, power disruption, and comm
unications interference), and human (for example, riots, strikes, disgruntled em
ployees, and sabotage).
2. Assess impacts from loss of information and services from both internal and e
xternal sources. This includes financial condition, competitive position, custom
er confidence, legal/regulatory requirements, and cost analysis to minimize expo
sure.
3. Evaluate critical needs. This evaluation also should consider timeframes in w
hich a specific function becomes critical. This includes functional operations,
key personnel, information, processing systems, documentation, vital records, an
d policies and procedures.
4. Establish priorities for recovery based on critical needs.
51. For business continuity planning/disaster recovery planning (BCP/DRP), busi
ness impact analysis (BIA) primarily identifies which of the following?
a.
b.
c.
d.
eir own way, they do not directly address the retrieval of electronic records. E
xamples of physical security controls include keys and locks, sensors, alarms, s
prinklers, and surveillance cameras. Examples of environmental controls include
humidity, air conditioning, and heat levels. Rotating vital records between onsi
te and offsite is needed to purge the obsolete records and keep the current reco
rds only.
53. What is the purpose of a business continuity plan (BCP)?
a.
b.
c.
d.
To
To
To
To
53. a. Continuity planning involves more than planning for a move offsite after
a disaster destroys a data center. It also addresses how to keep an organizations
critical functions operating in the event of disruptions, both large and small.
This broader perspective on continuity planning is based on the distribution of
computer use and support throughout an organization. The goal is to sustain bus
iness operations.
54. The main body of a contingency or disaster recovery plan document should not
address which of the following?
a.
b.
c.
d.
What?
When?
How?
Who?
54. c. The plan document contains only the why, what, when, where, and who, not
how. The how deals with detailed procedures and information required to carry ou
t the actions identified and assigned to a specific recovery team. This informat
ion should not be in the formal plan because it is too detailed and should be in
cluded in the detail reference materials as an appendix to the plan. The why des
cribes the need for recovery, the what describes the critical processes and reso
urce requirements, the when deals with critical time frames, the where describes
recovery strategy, and the who indicates the recovery team members and support
organizations. Keeping the how information in the plan document confuses people,
making it hard to understand and creating a maintenance nightmare.
55. Which of the following contingency plan test results is most meaningful?
a. Tests met all planned
b. Tests met all planned
systems software.
c. Tests met all planned
d. Tests met all planned
systems software.
a.
b.
c.
d.
1
1
2
2
and
and
and
and
2
3
3
4
57. b. The frequency of information system backups and the transfer rate of back
up information to alternative storage sites should be consistent with the organi
zations recovery time objective (RTO) and recovery point objective (RPO). Recover
y strategies must be created to meet the RTO and RPO. Meantimetofailure (MTTF
) is most often used with safetycritical systems such as airline traffic contro
l systems (radar control services) to measure time between failures. Meantimeb
etweenoutages (MTBO) is the mean time between equipment failures that result in
loss of system continuity or unacceptable degradation. MTTF deals with software
issues, whereas MTBO measures hardware problems.
58. All the following are misconceptions about a disaster recovery plan except:
a.
b.
c.
d.
It
It
It
It
59. c. Management is interested to find out what worked (successful) and what di
d not (unsuccessful) after a recovery from a disaster. The idea is to learn from
experience.
61. d. In the case of contingency planning, a test should be used to improve the
plan. If organizations do not use this approach, flaws in the plan may remain h
idden or uncorrected. Although the other three choices are important in their ow
n way, the most important outcome is to learn from the test results in order to
improve the plan next time, which is the real benefit.
62. A major risk in the use of cellular radio and telephone networks during a d
isaster include:
a.
b.
c.
d.
62. a. The airwaves are not secure and a mobile telephone switching office can b
e lost during a disaster. The cellular company may need to divert a route from t
he cell site to another mobile switching office. User organizations can take car
e of the other three choices because they are mostly applicable to them, and not
to the telephone company.
63. Regarding BCP and DRP, which of the following is not an element of risk?
a.
b.
c.
d.
Threats
Assets
Costs
Mitigating factors
63. c. Whether it is BCP/DRP or not, the three elements of risk include threats,
assets, and mitigating factors.
Risks result from events and their surroundings with or without prior warnings,
and include facilities risk, physical and logical security risk, reputation risk
, network risk, supplychain risk, compliance risk, and technology risk.
Threat sources include natural (for example, fires and floods), manmade attacks
(for example, social engineering), technologybased attacks (DoS and DDoS), and
intentional attacks (for example, sabotage).
Assets include people, facilities, equipment (hardware), software, and technolog
ies.
Controls in the form of physical protection, logical protection, and asset prote
ction are needed to avoid or mitigate the effects of risks. Some examples of pre
ventive controls include passwords, smoke detectors, and firewalls and some exam
ples of reactive/recovery controls include hot sites and cold sites.
Costs are the outcomes or byproducts of and derived from threats, assets, and mi
tigating factors, which should be analyzed and justified along with benefits pri
or to the investment in controls.
64. Physical disaster prevention and preparedness begins when a:
a.
b.
c.
d.
64. a. The data center should be constructed in such a way as to minimize exposu
re to fire, water damage, heat, or smoke from adjoining areas. Other considerati
ons include raised floors, sprinklers, or fire detection and extinguishing syste
ms and furniture made of noncombustible materials. All these considerations shou
ld be taken into account in a costeffective manner at the time the data (comput
er) center is originally built. Addons will not only be disruptive but also cos
tly.
65. Disaster notification fees are part of which of the following cost categori
es associated with alternative computer processing support?
a.
b.
c.
d.
Initial costs
Recurring operating costs
Activation costs
Development costs
65. c. There are three basic cost elements associated with alternate processing
support: initial costs, recurring operating costs, and activation costs. The fir
st two components are incurred whether the backup facility is put into operation
; the last cost component is incurred only when the facility is activated.
The initial costs include the cost of initial setup, including membership, const
ruction or other fees. Recurring operating costs include costs for maintaining a
nd operating the facility, including rent, utilities, repair, and ongoing backup
operations. Activation costs include costs involved in the actual use of the ba
ckup capability. This includes disaster notification fees, facility usage charge
s, overtime, transportation, and other costs.
66. When comparing alternative computer processing facilities, the major objecti
ve is to select the alternative with the:
a.
b.
c.
d.
66. d. The major objective is to select the best alternative facility that meets
the organizations recovery needs. An annualized cost is obtained by multiplying
the annual frequency with the expected dollar amount of cost. The product should
be a small figure.
67. Which of the following statements is not true about contracts and agreements
associated with computer backup facilities?
a.
b.
c.
d.
67. a. All vendors, regardless of their size, need written contracts for all cus
tomers, whether commercial or governmental. Nothing should be taken for granted,
Employees
Customers
Suppliers
Public relations officers
68. d. A public relations (PR) officer is a companys spokesperson and uses the me
dia as a vehicle to consistently communicate and report to the public, including
all stakeholders, during precrisis, interim, and postcrisis periods. Hence, t
he PR officer is a reporter, not a stakeholder. Examples of various media used f
or crisis notification include print, radio, television, telephone (voice mail a
nd text messages), post office (regular mail), the Internet (for example, electr
onic mail and blogs), and press releases or conferences.
The other stakeholders (for example, employees, customers, suppliers, vendors, l
abor unions, investors, creditors, and regulators) have a vested interest in the
positive and negative effects and outcomes, and are affected by a crisis situat
ion, resulting from the disaster recovery process.
69. Which of the following is the most important consideration in locating an al
ternative computing facility during the development of a disaster recovery plan?
a.
b.
y
c.
d.
69. b. There are several considerations that should be reflected in the backup s
ite location. The optimum facility location is (i) close enough to allow the bac
kup function to become operational quickly, (ii) unlikely to be affected by the
same contingency, (iii) close enough to serve its users, and (iv) convenient to
airports, major highways, or train stations when located out of town.
70. Which of the following alternative computing backup facilities is intended
to serve an organization that has sustained total destruction from a disaster?
a.
b.
c.
d.
Service bureaus
Hot sites
Cold sites
Reciprocal agreements
70. b. Hot sites are fully equipped computer centers. Some have fire protection
and warning devices, telecommunications lines, intrusion detection systems, and
physical security. These centers are equipped with computer hardware that is com
patible with that of a large number of subscribing organizations. This type of f
acility is intended to serve an organization that has sustained total destructio
n and cannot defer computer services. The other three choices do not have this k
ind of support.
71. A fullscale testing of application systems cannot be accomplished in which
of the following alternative computing backup facilities?
a.
b.
c.
d.
71. d. The question is asking about the two alternative computing facilities tha
t can perform fullscale testing. Cold sites do not have equipment, so fullscal
e testing cannot be done until the equipment is installed. Adequate time may not
be allowed in reciprocal agreements due to time pressures and scheduling confli
cts between the two parties.
Fullscale testing is possible with shared contingency centers and hot sites bec
ause they have the needed equipment to conduct tests. Shared contingency centers
are essentially the same as dedicated contingency centers. The difference lies
in the fact that membership is formed by a group of similar organizations which
use, or could use, identical hardware.
72. Which of the following computing backup facilities has a cost advantage?
a.
b.
c.
d.
Computer operations
Safety
Human resources
Accounting
73. c. Human resource policies and procedures impact employees involved in the r
esponse to a disaster. Specifically, it includes extended work hours, overtime p
ay, compensatory time, living costs, employee evacuation, medical treatment, not
ifying families of injured or missing employees, emergency food, and cash during
recovery. The scope covers the predisaster plan, emergency response during rec
overy, and postrecovery issues. The major reason for ignoring the human resourc
e issues is that they encompass many items requiring extensive planning and coor
dination, which take a significant amount of time and effort.
74. Which of the following is the best organizational structure and management s
tyle during a disaster?
a.
b.
c.
d.
Peopleoriented
Productionoriented
Democraticoriented
Participativeoriented
74. b. During the creation of a disaster recovery and restoration plan, the mana
gement styles indicated in the other three choices are acceptable due to the inv
olvement and input required of all people affected by a disaster. However, the s
ituation during a disaster is entirely different requiring execution, not planni
ng. The commandandcontrol structure, which is a productionoriented management
style, is the best approach to orchestrate the recovery, unify all resources, a
nd provide solid direction with a single voice to recover from the disaster. Thi
s is not the time to plan and discuss various approaches and their merits. The o
ther three choices are not suitable during a disaster.
75. The primary objective of emergency planning is to:
a.
b.
c.
d.
75. b. Emergency planning provides the policies and procedures to cope with disa
sters and to ensure the continuity of vital data center services. The primary ob
jective of emergency planning is personnel safety, security, and welfare; second
ary objectives include (i) minimizing loss of assets, (ii) minimizing business i
nterruption, (iii) providing backup facilities and services, and (iv) providing
trained personnel to conduct emergency and recovery operations.
76. Which of the following is most important in developing contingency plans for
information systems and their facilities?
a.
b.
c.
d.
Criteria
Criteria
Criteria
Criteria
for
for
for
for
content
format
usefulness
procedures
76. c. The only reason for creating a contingency plan is to provide a document
and procedure that will be useful in time of emergency. If the plan is not desig
ned to be useful, it is not satisfactory. Suggestions for the plan content and f
ormat can be described, but no two contingency plans will or should be the same.
77. All the following are objectives of emergency response procedures except:
a.
b.
c.
d.
Protect life
Control losses
Protect property
Maximize profits
What happened?
What should have happened?
What should happen next?
Who caused it?
78. d. The postincident review after a disaster has occurred should focus on wh
at happened, what should have happened, and what should happen next, but not on
who caused it. Blaming people will not solve the problem.
79. An effective element of damage control after a disaster occurs is to:
a.
b.
c.
d.
Maintain silence.
Hold press conferences.
Consult lawyers.
Maintain secrecy.
Direct costs
Opportunity costs
Hidden costs
Variable costs
81. c. Hidden costs are not insurable expenses and include (i) unemployment comp
ensation premiums resulting from layoffs in the work force, (ii) increases in ad
vertising expenditures necessary to rebuild the volume of business, (iii) cost o
f training new and old employees, and (iv) increased cost of production due to d
ecline in overall operational efficiency. Generally, traditional accounting syst
ems are not set up to accumulate and report the hidden costs. Opportunity costs
are not insurable expenses. They are costs of foregone choices, and accounting s
ystems do not capture these types of costs. Both direct and variable costs are i
nsurable expenses and are captured by accounting systems.
82. Which of the following disasterrecovery alternative facilities eliminates
the possibility of competition for time and space with other businesses?
a.
b.
c.
d.
Hot sites
Cold sites
Mirrored sites
Warm sites
82. c. A dedicated second site eliminates the threat of competition for time and
space with other businesses. These benefits coupled with the evergrowing deman
ds of todays data and telecommunications networks have paved the way for a new br
eed of mirrored sites (intelligent sites) that can serve as both primary and con
tingency site locations. These mirrored sites employ triple disaster avoidance s
ystems covering power, telecommunications, life support (water and sanitation),
and 24hour security systems. Mirrored sites are fully redundant facilities with
automated realtime information mirroring. A mirrored site (redundant site) is
equipped and configured exactly like the primary site in all technical respects.
Some organizations plan on having partial redundancy for a disaster recovery pu
rpose and partial processing for normal operations. The stocking of spare person
al computers and their parts or LAN servers also provide some redundancy. Hot, c
old, and warm sites are operated and managed by commercial organizations, wherea
s the mirrored site is operated by the user organization.
83. The greatest cost in data management comes from which of the following?
a.
b.
c.
d.
Backing up files
Restoring files
Archiving files
Journaling files
83. b. Manual tape processing has the tendency to cause problems at restore time
. Multiple copies of files exist on different tapes. Finding the right tape to r
estore can become a nightmare, unless the software product has automated indexin
g and labeling features. Restoring files is costly due to the considerable human
intervention required, causing delays. Until the software is available to autom
ate the file restoration process, costs continue to be higher than the other cho
ices. Backing up refers to a duplicate copy of a data set that is held in storag
e in case the original data are lost or damaged. Archiving refers to the process
of moving infrequently accessed data to less accessible and lower cost storage
media. Journaling applications post a copy of each transaction to both the local
and remote storage sites when applicable.
84. All the following need to be established prior to a crisis situation except
:
a.
b.
c.
d.
Public relationships
Credibility
Reputation
Goodwill
84. a. The other three choices (i.e., credibility, reputation, and goodwill) nee
d to exist in advance of a crisis situation. These qualities cannot be generated
quickly during a crisis. They take a long time to develop and maintain, way bef
ore a disaster occurs. On the other hand, public (media) relationships require a
proactive approach during a disaster. This includes distributing an information
kit to the media at a moments notice. The background information about the compa
ny in the kit must be regularly reviewed and updated. When disaster strikes, it
is important to get the company information out early. By presenting relevant in
formation to the media, more time is available to manage the actual daytoday a
spects of crisis communications during the disaster.
85. Which of the following disaster recovery plan testing options should not be
scheduled at critical points in the normal processing cycle?
a.
b.
c.
d.
Checklist testing
Parallel testing
Fullinterruption testing
Structured walkthrough testing
Availability requirements
Accessibility requirements
Inventory requirements
Retention requirements
86. c. The first step toward protecting data is a comprehensive inventory of all
servers, workstations, applications, and user data throughout the organization.
When a comprehensive study of this type is completed, various backup, access, s
torage, availability, and retention strategies can be evaluated to determine whi
ch strategy best fits the needs of an organization.
87. Which of the following natural disasters come with an advanced warning sign
?
a.
b.
c.
d.
87. c. The main hazards caused by hurricanes most often involve the loss of powe
r, flooding, and the inability to access facilities. Businesses may also be impa
cted by structural damage as well. Hurricanes are the only events that give adva
nced warnings before the disaster strikes. Excessive rains lead to floods. Earth
quakes do not give advanced warnings. Tornado warnings exist but provide little
advance warning, and they are often inaccurate.
88. The most effective action to be taken when a hurricane advance warning is pr
ovided is to:
a.
b.
c.
d.
Declare
Install
Provide
Acquire
88. a. The first thing is to declare the disaster as soon as the warning sign is
known. Protecting the business site is instrumental in continuing or restoring
operations in the event of a hurricane. Ways to do this include an uninterruptib
le power supply (batteries and generators), a backup water source, and a supply
of gasolinepowered pumps to keep the lower levels of the facility clear of floo
dwaters. Boarding up windows and doors is good to protect buildings from highsp
eed flying debris and to prevent looting.
89. Which of the following requires advance planning to handle a real flooddri
ven disaster?
a.
b.
c.
d.
To
To
To
To
the
the
the
the
91. c. The goal is to capture all data points necessary to restart a system with
out loss of any data in the workinprogress status. The recovery team should re
cover all application systems to the actual point of the interruption. The other
three choices are incorrect because there could be a delay in processing or pos
ting data into master files or databases depending on their schedules.
92. Which of the following may not reduce the recovery time after a disaster str
ikes?
a.
b.
c.
d.
92. d. Documenting the recovery plan should be done first and be available to us
e during a recovery as a guidance. The amount of time and effort in developing t
he plan has no bearing on the real recovery from a disaster. On the other hand,
the amount of time and effort spent on the other three choices and the degree of
perfection attained in those three choices will definitely help in reducing the
recovery time after a disaster strikes. The more time spent on these three choi
ces, the better the quality of the plan. The key point is that documenting the r
ecovery plan alone is not enough because it is a paper exercise, showing guidanc
e. The real benefit comes from careful implementation of that plan in actions.
93. An organizations effective presentation of disaster scenarios should be base
d on which of the following?
a.
b.
c.
d.
93. a. The disaster scenarios, describing the types of incidents that an organiz
ation is likely to experience, should be based on events or situations that are
severe in magnitude (high in damages and longer in outages), occurring at the wo
rst possible time (i.e., worstcase scenario with pessimistic time), resulting i
n severe impairment to the organizations ability to conduct and/or continue its b
usiness operations.
The planning horizon for these scenarios include shortterm (i.e., less than one
month outage) and longterm (i.e., more than three month outage), the severity
magnitude levels include low, moderate, and high; and the timing levels include
worst possible time, most likely time, and least likely time. The combination of
high severity level and the worst possible time is an example of highrisk scen
ario. The other three choices are incorrect because they are not relevant direct
ly to the disaster scenarios in terms of severity and timing levels except that
they support the severity and timing levels indirectly.
94. The focus of disaster recovery planning should be on:
a.
b.
c.
er
d.
94. a. The focus of disaster recovery planning should be on protecting the organ
ization against the consequences of a disaster, not on the probability that it m
ay or may not happen.
95. Which of the following statements is not true about the critical application
categories established for disaster recovery planning purposes?
a. Predefined categories need not be followed during a disaster because time is
short.
96. c. The decision to activate a disaster recovery plan is made after damage as
sessment and evaluation is completed. This is because the real damage from a dis
aster could be minor or major where the latter involves full activation only aft
er damage assessment and evaluation. Minor damages may not require full activati
on as do the major ones. The decision to activate should be based on costbenefi
t analysis.
A list of equipment, software, forms, and supplies needed to operate contingency
category I (high priority) applications should be available to use as a damage
assessment checklist.
97. Which of the following IT contingency solutions requires a higher bandwidth
to operate?
a.
b.
c.
d.
Remote journaling
Electronic vaulting
Synchronous mirroring
Asynchronous mirroring
97. c. Depending on the volume and frequency of the data transmission, remote jo
urnaling or electronic vaulting could be conducted over a connection with limite
d or low bandwidth. However, synchronous mirroring requires higher bandwidth for
data transfers between servers. Asynchronous mirroring requires smaller bandwid
th connection.
98. The business continuity planning (BCP) process should focus on providing wh
ich of the following?
a.
b.
c.
d.
and services
and services
services
services
98. c. The business continuity planning (BCP) process should safeguard an organi
zations capability to provide a minimum acceptable level of outputs and services
in the event of failures of internal and external missioncritical information s
ystems and services. The planning process should link risk management and risk m
itigation efforts to operate the organizations core business processes within the
constraints such as a disaster time.
99. Which of the following IT contingency solutions is useful over larger bandw
idth connections and shorter physical distances?
a.
b.
c.
d.
Synchronous mirroring
Asynchronous shadowing
Single location disk replication
Multiple location disk replication
99. a. The synchronous mirroring mode can degrade performance on the protected s
erver and should be implemented only over shorter physical distances where bandw
idth is larger that will not restrict data transfers between servers. The asynch
ronous shadowing mode is useful over smaller bandwidth connections and longer ph
ysical distances where network latency could occur. Consequently, shadowing help
s to preserve the protected servers performance. Both synchronous and asynchronou
s are techniques and variations of disk replication (i.e., single and multiple l
ocation disk replication).
100. Regarding contingency planning, an organization obtains which of the follo
wing to reduce the likelihood of a single point of failure?
a.
b.
c.
d.
to reduc
telecomm
highris
recovery
101. d. Management commitment and involvement are always needed for any major pr
ograms, and developing a disaster recovery plan is no exception. Better commitme
nt leads to greater funding and support. The other three choices come after mana
gement commitment.
102. With respect to business continuity planning/disaster recovery planning (B
CP/DRP), risk analysis is part of which of the following?
a.
b.
c.
d.
Costbenefit analysis
Business impact analysis
Backup analysis
Recovery analysis
102. b. The risk analysis is usually part of the business impact analysis. It es
timates both the functional and financial impact of a risk occurrence to the org
anization and identifies the costs to reduce the risks to an acceptable level th
rough the establishment of effective controls. The other three choices are part
of the correct choice.
103. Which of the following disaster recovery plan testing approaches is not rec
ommended?
a.
b.
c.
d.
Deskchecking
Simulations
Endtoend testing
Fullinterruption testing
103. d. Management will not allow stopping of normal production operations for t
esting a disaster recovery plan. Some businesses operate on a 24x7 schedule and
losing several hours of production time is tantamount to another disaster, finan
cially or otherwise.
104. The business impact analysis (BIA) should critically examine the business p
rocesses and which of the following?
a.
b.
c.
d.
Composition
Priorities
Dependencies
Service levels
104. c. The business impact analysis (BIA) examines business processes compositi
on and priorities, business or operating cycles, service levels, and, most impor
tant, the business process dependency on missioncritical information systems.
105. The major threats that a disaster recovery contingency plan should address
include:
a.
b.
c.
d.
Physical
Physical
Software
Hardware
which
which
which
which
106. b. It is true that during a disaster, not all application systems have to b
e supported while the localarea network (LAN) is out of service. Some LAN appli
cations may be handled manually, some as standalone PC tasks, whereas others nee
d to be supported offsite. Although these duties are clearly defined, it is not
so clear which users must secure and back up their own data. It is important to
communicate to users that they must secure and back up their own data until norm
al LAN operations are resumed. This is often a missing link in developing a LAN
methodology for contingency planning.
107. Which of the following uses both qualitative and quantitative tools?
a.
b.
c.
d.
Anecdotal analysis
Business impact analysis
Descriptive analysis
Narrative analysis
No
No
No
No
production exists
vendor exists
redundancy exists
maintenance exists
Cold site
Hot site
Warm site
Redundant site
109. c. A warm site has telecommunications ready to be utilized but does not hav
e computers. A cold site is an empty building for housing computer processors la
ter but equipped with environmental controls (for example, heat and air conditio
ning) in place. A hot site is a fully equipped building ready to operate quickly
. A redundant site is configured exactly like the primary site.
110. Which of the following computer backup alternative sites is the least expen
sive method and the most difficult to test?
a.
b.
c.
d.
and test
continue
continue
continue
111. d. The correct sequence of events to take place when surviving a disaster i
s plan, test, respond, recover, and continue.
112. Which of the following tools provide information for reaching people durin
g a disaster?
a.
b.
c.
d.
112. b. A call tree diagram shows who to contact when a required person is not a
vailable or not responding. The call tree shows the successive levels of people
to contact if no response is received from the lower level of the tree. It shows
the backup people when the primary person is not available. A decision tree dia
gram shows all the choices available with their outcomes to make a decision. An
event tree diagram can be used in project management, and a parse tree diagram c
an be used in estimating probabilities and the nature of states in software engi
neering.
ScenarioBased Questions, Answers, and Explanations
Use the following information to answer questions 1 through 7.
The GKM Company has just completed the business impact analysis (BIA) for its da
ta processing facilities. The continuity planning team found in the risk analysi
s that there is a single point of failure in that backup tapes from offsite loca
tions are controlled by an individual who works for the vendor. The contract for
the vendor does not expire for 3 years.
1. Which of the following uses both qualitative and quantitative tools?
a.
b.
c.
d.
Anecdotal analysis
Business impact analysis
Descriptive analysis
Narrative analysis
Costbenefit analysis
Business impact analysis
Backup analysis
Recovery analysis
2. b. The risk analysis is usually part of the business impact analysis (BIA). I
t estimates both the functional and financial impact of a risk occurrence to the
organization and identifies the costs to reduce the risks to an acceptable leve
l through the establishment of effective controls. Costbenefit analysis, backup
analysis, and recovery analysis are part of the BIA.
3. With respect to BCP/DRP, the BIA identifies which of the following?
a.
b.
c.
d.
Composition
Priorities
Dependencies
Service levels
6. a. The airwaves are not secure, and a mobile telephone switching office can b
e lost during a disaster. The cellular company may need a diverse route from the
cell site to another mobile switching office.
7. Contingency planning integrates the results of which of the following?
a.
b.
c.
d.
Domain 9
Legal, Regulations, Investigations, and Compliance
Traditional Questions, Answers, and Explanations
1. Computer fraud is discouraged by:
a.
b.
c.
d.
Willingness to prosecute
Ostracizing whistle blowers
Overlooking inefficiencies in the judicial system
Accepting the lack of integrity in the system
fraud, whether or not computer related. There is nothing new about the act of co
mmitting fraud. There is perhaps no new way to commit fraud because someone some
where has already tried it. The other three choices encourage computer fraud.
2. When computers and peripheral equipment are seized in relation to a computer
crime, what is it is an example of?
a.
b.
c.
d.
Duplicate evidence
Physical evidence
Best evidence
Collateral evidence
Hearsay evidence
Primary evidence
Material evidence
Substantive evidence
Detect
Respond
Report
Recover
Distributed logging
Local logging
Centralized logging
Centralized monitoring
a.
b.
c.
d.
2 only
3 only
4 only
1, 2, 3, and 4
Full containment
Phase containment
Partial containment
Delayed containment
following?
a.
b.
c.
d.
Incident
Incident
Attacker
Recovery
containment
eradication
identification
from incident
9. b. Some incident handlers may perform pings, traceroutes, and run port and v
ulnerability scans to gather more information on the attacker. Incident handlers
should discuss these activities with the legal department before performing suc
h scans because the scans may violate an organizations privacy policies or even b
reak the law. The other choices are technical in nature.
10. Which of the following postincident activities and benefits can become the
basis for subsequent prosecution by legal authorities?
a.
b.
c.
d.
10. c. The followup report provides a reference that can be used to assist in h
andling similar, future incidents. Creating a formal chronology of events (inclu
ding timestamped information such as log data from systems) is important for le
gal reasons, as is creating a monetary estimate of the amount of damage the inci
dent caused in terms of any loss of software and files, hardware damage, and sta
ffing costs (including restoring services). This estimate may become the basis f
or subsequent prosecution activity by legal authorities. The other choices deal
with issues that are internal to an organization.
11. Which of the following security metrics for incidentrelated data are genera
lly not of value in comparing multiple organizations?
a.
b.
c.
d.
11. d. Security metrics such as the total number of incidents handled are genera
lly not of value in comparing multiple organizations because each organization i
s likely to have defined keyincident terms differently. The total number of inci
dents handled is not specific and is best taken as a measure of the relative amou
nt of work that the incident response team had to perform, not as a measure of t
he quality of the team. It is more effective to produce separate and specific in
cident counts for each incident category or subcategory, as shown in the other t
hree choices. Stronger security controls can then be targeted at these specific
incidents to minimize damage or loss.
12. Which of the following indications is not associated with an inappropriate u
User reports
Network intrusion detection alerts
Inappropriate files on workstations or servers
Network, host, and application log entries
12. d. Network, host, and application log entries provide indications of attacks
against external parties. The other three choices are examples of possible indi
cations of internal access to inappropriate materials.
13. Which of the following is not generally a part of auditing the incident resp
onse program?
a.
b.
c.
d.
Regulations
Security policies
Incident metrics
Security best practices
Awareness
Logs and alerts
Compliance
Common sense
Quarantine server
Remote access server
Warez server
Email server
15. c. A Warez server is a file server that is used to distribute illegal conten
t such as copies of copyrighted songs and movies as well as pirated software.
16. Log monitoring cannot assist efforts in which of the following?
a.
b.
c.
d.
Incident handling
Policy violations
Auditing
Data sources
16. d. Various forensic tools and techniques can assist in log monitoring, such
as analyzing log entries and correlating log entries across multiple systems. Th
is can assist in incident handling, identifying policy violations, auditing, and
other efforts. Data sources include desktops, laptops, servers, removable hard
drives, and backup media. Data sources cannot assist in log monitoring.
17. Which of the following requires accountability of a data controller?
a.
b.
c.
d.
17. a. The Organization for Economic CoOperation and Development (OECD) guideli
nes cover data collection limitations, quality of data, limitations on data use,
information system security safeguards, and accountability of the data controll
er. The ISO, CC, and IETF do not require a data controller.
18. Regarding the United States import and export laws about using encryption i
n products exporting to trading partners in the world, which of the following is
required to monitor internal communications or computer systems and to prepare
for disaster recovery?
a.
b.
c.
d.
Key
Key
Key
Key
renewal
escrow
retrieval
transport
18. b. A key escrow system entrusts the two components (encryption and decryptio
n) comprising a cryptographic key to two key component holders such as escrow ag
ents. A key component is the two values from which a key can be derived. Key esc
row is a recovery control to protect privacy and commerce in a way that preserve
s the U.S. law enforcements ability to monitor internal communications using comp
uter systems in order to protect public safety and national security and to prep
are for disaster recovery. Data cannot be recovered if either the encryption key
or the decryption key is lost, damaged, or destroyed.
The other three choices are incorrect because they cannot help in key recovery.
Key renewal is the process used to extend the validity period of a cryptographic
key so that it can be used for an additional time period. Key retrieval helps t
o obtain a cryptographic key from active or archived electronic storage or from
a backup facility. Key transport is the secure movement of cryptographic keys fr
om one cryptographic module to another module.
19. Which of the following minimizes the potential for incident encroachment?
1.
2.
3.
4.
Firewalls
Laws
Separation of duties
Regulations
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
4
3
4
19. c. Firewalls and separation of duties minimize the potential for incident en
croachment. A firewall is a technical safeguard that provides separation between
activities, systems, or system components so that a security failure or weaknes
s in one is contained and has no impact on other activities or systems (e.g., en
forcing separation of the Internet from a localarea network).
The objective of separation of duties is to ensure that no single individual (ac
ting alone) can compromise an application. In both cases, procedural and technic
al safeguards are used to enforce a basic security policy in that high risk acti
vities should be segregated from lowrisk activities and that one person should
not be able to compromise a system. These two controls when combined provide a s
trong barrier for incidents to occur, which minimize the potential for incident
encroachment.
Laws and regulations guide the security objectives and form the foundation for d
eveloping basic security policies and controls.
20. Which of the following Organization for Economic CoOperation and Developme
nts (OECDs) principles deal with so that the rights and legitimate interests of ot
hers are respected?
a.
b.
c.
d.
Accountability
Ethics
Awareness
Multidisciplinary
20. b. The ethics principle of OECD states that the information systems and the
security of information systems should be provided and used in such a manner tha
t the rights and legitimate interests of others are respected.
21. Which of the following establishes security layers to minimize incident imp
act?
1.
2.
3.
4.
Zoning
Needtoknow
Compartmentalization
Unique identifiers
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
4
3
4
Computer
Computer
Computer
Computer
security
security
security
security
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
23. a. Most organizations use several types of networkbased and hostbased secu
rity software to detect malicious activity and protect systems and data from dam
age. Accordingly, security software is the primary source of computer security l
og data for most organizations.
24. Which of the following logs record significant operational actions?
a. Networkbased security software logs
b. Hostbased security software logs
c. Operating system logs
25. b. Web server logs are an example of application logs. The other three logs
are examples of security software logs.
26. Which of the following logs is primarily useful in analyzing attacks agains
t desktops or workstations?
a.
b.
c.
d.
26. a. The antimalware software logs have higher accuracy of data than operating
system logs from desktops or workstations. Accordingly, these logs are primaril
y useful in analyzing attacks. The other three logs have a secondary usage.
27. Which of the following provides a secondary source in analyzing inappropria
te usage?
a.
b.
c.
d.
27. a. Authentication server logs are a part of security software logs, whereas
all the other logs are examples of application logs. These application logs gene
rate highly detailed logs that reflect every user request and response, which pr
ovide a primary source in analyzing inappropriate usage. Authentication servers
typically log each authentication attempt, including its origin, success or fail
ure, and date and time. Application logs capture data prior to authentication se
rver logs, where the former is a primary source, and the latter is a secondary s
ource.
28. All the following can make log generation and storage challenging except:
a.
b.
c.
d.
28. b. The distributed nature of logs, inconsistent log formats, and volume of l
ogs all make the management of log generation and storage challenging. For examp
le, inconsistent log formats present challenges to people reviewing logs. A sing
le standard format is preferred. Log management utility software may fail or mis
handle the log data when an attacker provides binary data as input to a program
that is expecting text data. The problem with the log management utility softwar
e is not as challenging as with the other three choices.
29. Which of the following solutions to overcome log management challenges addr
ess both peak and expected volumes of log data?
a. Prioritize log management function.
b. Establish policies and procedures for log management.
a.
b.
c.
d.
1 and
2 and
1, 2,
1, 2,
2
3
and 3
3, and 4
30. d. Log analysis has often been treated as a lowpriority task by system or s
ecurity administrators and management alike. Administrators often do not receive
training on doing it efficiently and effectively. Administrators consider log a
nalysis work to be boring and providing little benefit for the amount of time re
quired. Log analysis is often treated as reactive rather than proactive. Most lo
gs have been analyzed in a batch mode, not in a realtime or nearrealtime mann
er.
31. Which of the following Organization for Economic CoOperation and Developme
nts (OECDs) principles state that information systems and the requirements for its
security change over time?
a.
b.
c.
d.
Proportionality
Integration
Reassessment
Timeliness
31. c. The reassessment principle of OECD states that the security of informatio
n system should be reassessed periodically, as information systems and the requi
rements for its security vary over time.
32. Routine log analysis is beneficial for which of the following reasons?
1.
2.
3.
4.
Identifying
Identifying
Identifying
Identifying
security incidents
policy violations
fraudulent activities
operational problems
a.
b.
c.
d.
1 only
3 only
4 only
1, 2, 3, and 4
Log
Log
Log
Log
filtering
aggregation
normalization
correlation
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Log
Log
Log
Log
filtering
aggregation
correlation
parsing
35. d. Log parsing is converting log entries into a different format. For exampl
e, log parsing can convert an extensible markup language (XML)format log into a
plaintext file. Log parsing sometimes includes actions such as log filtering, l
og aggregation, log normalization, and log correlation.
36. Major categories of log management infrastructures are based on which of th
e following?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
36. a. Log management infrastructures are typically based on one of the two majo
r categories of log management software: syslogbased centralized logging softwa
re and security event management (SEM) software. Network forensic analysis tools
and hostbased intrusion detection systems are examples of additional types (se
condary sources) of log management software.
37. Regarding log management infrastructure functions, which of the following d
efines closing a log and opening a new log when the first log is considered to b
e complete?
a. Log archival
b. Log rotation
c. Log reduction
d. Log clearing
37. b. Log rotation is closing a log and opening a new log when the first log is
considered to be complete. The primary benefits of log rotation are preserving
log entries and keeping the size of logs manageable by compressing the log to sa
ve space. Logs can also be rotated through simple scripts and utility software.
The other three logs do not provide rotation functions.
38. Regarding log management infrastructure functions, which one of the followi
ng is often performed with the other?
1.
2.
3.
4.
Log
Log
Log
Log
archival
reduction
parsing
viewing
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
38. a. Log reduction is removing unneeded entries or data fields from a log to c
reate a new log that is smaller in size. Log reduction is often performed with l
og archival so that only the log entries of interest are placed into longterm s
torage. Log parsing and log viewing are two separate activities.
39. Which of the following is used to ensure that changes to archival logs are
detected?
a.
b.
c.
d.
39. a. To ensure that changes to archived logs are detected, log fileintegrity
checking can be performed with software. This involves calculating a message dig
est hash for each file and storing that message digest hash securely. The other
three choices do not calculate a message digest.
40. Regarding log management infrastructure, which of the following characteriz
es the syslogbased centralized logging software?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
2
and
and
and
and
3
4
3
4
1
1
2
2
and
and
and
and
2
3
3
4
41. b. The network forensic analysis tools and hostbased intrusion detection so
ftware are often part of a log management infrastructure, but they cannot take t
he place of syslogbased centralized logging software and security event managem
ent software. Syslogbased centralized logging software and security event manag
ement software are used as primary tools whereas network forensic analysis tools
and hostbased intrusion detection software are used as additional tools.
42. Which of the following are major factors to consider when designing the org
anizationallevel log management processes?
1.
2.
3.
4.
Network bandwidth
Volume of log data to be processed
Configuration log sources
Performing log analysis
a.
b.
c.
d.
1
2
1
3
and
and
and
and
2
3
3
4
43. a. The use of most data concealment tools is unlikely to be captured in logs
because their intention is to hide. The other three choices are incorrect becau
se they are examples of security applications. Along with content filtering soft
ware, they are usually logged.
44. What is the major reason why computer security incidents go unreported?
a.
b.
c.
d.
To
To
To
To
44. a. Avoiding negative publicity is the major reason; although, there are othe
r minor reasons. This is because bad news can cause current clients or potential
clients to worry about their own sensitive information contained in computer sy
stems. Taking legal action is not done regularly because it costs significant am
ounts of time and money. Fixing system problems and learning from system attacks
could be byproducts of a security incident. The other three choices are minor r
Motive
Action
Opportunity
Means
45. b. A person must have a motive, the opportunity, and the means to commit a c
rime. Action is the resulting decision.
46. Multiple forensic tools (such as forensic, nonforensic, and hybrid) are use
d to recover digital evidence from a mobile/cell phone. Which of the following c
an resolve conflicts from using such multiple forensic tools?
a.
b.
c.
d.
46. a. Conflicts can arise when using multiple forensic tools due to their incom
patibility in functional design specifications. One method to resolve such confl
icts is to use a product such as virtual machine ware (VMware) to create a virtu
al machine (VM) environment on each forensic workstation for the tool to execute
. Because multiple independent VMs can run simultaneously on a single workstatio
n, several tools or tool collections that otherwise would be incompatible are re
adily supported.
The other three choices are incorrect because they do not have the ability to ha
ndle conflicts from using multiple tools because they are examples of individual
tools. Examples of forensic tools include universal subscriber identity module
(USIM) tools, handset tools, and integrated toolkits. A forensic hash is used to
maintain the integrity of data by computing a cryptographically strong, nonrev
ersible value over the acquired data. Examples of nonforensic tools include por
t monitoring to capture protocol exchanges, infrared and Bluetooth monitoring, a
nd phone manager to recover data. For nonforensic tools, hash values should be
created manually using a tool, such as SHA1sum or MD5 sum, and retained for int
egrity verification. Examples of hybrid forensic tools include port monitoring w
ith monitoring of USIM tool exchanges.
47. Which of the following is not a part of active identification of infected ho
sts with a malware incident?
a.
b.
c.
d.
Sinkhole router
Packet sniffers
Custom networkbased IPS or IDS signatures
Vulnerability assessment software
It
It
It
It
48. d. Freeware is software that is made available to the public at no cost. The
author retains copyright rights and can place restrictions on how the program i
s used. The other three choices are examples of risks and actions involved in pi
rated software that can lead to legal problems. Control measures include (i) not
allowing employees to bring software from home or outside, (ii) not permitting
program downloads from the Internet, and (iii) testing the downloaded program on
a standalone system first before it is allowed on the network.
49. Which of the following is a legal activity?
a.
b.
c.
d.
Competitive intelligence
Industrial espionage
Economic espionage
Corporate espionage
51. d. A floating licensing method puts users on a queue until their turn is up.
For example, if software is licensed for 10 users and all are using the softwar
e, the 11th user will be asked to wait until one user is logged off. In a single
licensing method, only one user is allowed to use the system. For small size us
er groups, a concurrent licensing method may be useful because it allows multipl
e users to work simultaneously. A site licensing method is used when there is a
large group of users due to volume discount for heavy usage. The other licensing
method would not put a user on a queue as the floating method does.
52. What is an effective way to prevent software piracy?
a.
b.
c.
d.
Dongle device
Awareness
Education
Reminders
52. a. A dongle is a small hardware device that is shipped with some software pa
ckages. The dongle is hardcoded with a unique serial number that corresponds to
the software. When the program runs, it checks for the presence of the device.
If the device is not plugged in, the program will not run. Despite inconvenience
, it is the most effective way to prevent software piracy. The other three choic
es are useful to prevent software piracy, but they are not that effective.
53. Computer crime is possible when controls are:
a.
b.
c.
d.
Predictable, unavoidable
Unpredictable, unavoidable
Predictable, avoidable
Unpredictable, avoidable
53. c. When controls are predictable and can be bypassed, computer crime is grea
tly increased. Predictable means the attacker knows how the system works, when,
and how to beat it. When controls are unpredictable, it is difficult for crimina
l attacks to take place.
54. The major reason for the inability to calculate the risk resulting from comp
uter crime is due to:
a.
b.
c.
d.
Systemmotivated
Greedmotivated
Technologymotivated
Situationmotivated
System complexity
System users
Human skills
System predictability
56. d. Predictability is a key to successful crime as hackers know how the syste
m works. System complexity is a deterrent to crime to a certain extent; system u
sers, and people in general, are unpredictable. Human skills vary from person to
person. Computers perform functions the same way all the time given the same in
put. This consistency opens the door to computer crime.
57. Computer crimes can be minimized with which of the following situations?
a.
b.
c.
d.
57. b. Both controls and features of a system can be manual and/or automated. Th
e key is to vary both of them to prevent predictability of the nature of their o
peration. The degree of variation depends on the criticality of the system in th
at the greater the criticality the higher the variation.
Copyrights
Patents
Trade secrets
Trademarks
58. c. Because trade secrets are the targets for employees and industrial espion
age alike, they should be subject to confidentiality controls, whereas copyright
s, patents, and trademarks require integrity, authenticity, and availability con
trols.
59. A person threatening another person through electronic mail is related to w
hich of the following computersecurity incident types?
a.
b.
c.
d.
Denialofservice
Malicious code
Unauthorized access
Inappropriate usage
59. d. An inappropriate usage incident occurs when a user performs actions that
violate acceptable computinguse policies. Email harassing messages to coworker
s and others are an example of inappropriate usage actions.
A denialofservice (DoS) attack prevents or impairs the authorized use of netwo
rks, systems, or applications by exhausting resources. Malicious code includes a
virus, worm, Trojan horse, or other codebased malicious entity that infects a
host. Unauthorized access is where a person gains logical or physical access wit
hout permission to a network, operating system, application system, data, or dev
ice.
60. A compliance auditors working papers should:
a.
b.
c.
d.
60. a. The purpose of audit working papers is to document the audit work perform
ed and the results thereof. The other three choices are incorrect because the au
ditors working papers can contain comments about information security management
as well as IT management responses to the recommendations. The audit working pap
ers are not a substitute for computer system logs and reports because it is the
auditors own work product supporting the auditors report.
61. Which of the following produces the best results when data is recent; altho
ugh, it is less comprehensive in identifying infected hosts?
a.
b.
c.
d.
Forensic identification
Active identification
Manual identification
Multiple identification
Forensic identification
Active identification
Manual identification
Multiple identification
62. c. Manual identification methods are generally not feasible for comprehensiv
e enterprisewide identification, but they are a necessary part of identification
when other methods are not available and can fill in gaps when other methods ar
e insufficient.
63. From a log management perspective, logon attempts to an application are rec
orded in which of the following logs?
1.
2.
3.
4.
Audit log
Authentication log
Event log
Error log
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
63. c. Audit log entries, also known as security log entries, contain informatio
n pertaining to audited activities, such as successful and failed logon attempts
, security policy changes, file access, and process execution. Some applications
record logon attempts to a separate authentication log. Applications may use au
dit capabilities built into the operating system or provide their own auditing c
apabilities.
Event log entries typically list all actions that were performed, the date and t
ime each action occurred, and the result of each action. Error logs record infor
mation regarding application errors, typically with timestamps. Error logs are h
elpful in troubleshooting both operational issues and attacks. Error messages ca
n be helpful in determining when an event of interest occurred and identifying i
mportant characteristics of the event.
64. From a log management perspective, which of the following provides more inf
ormation on the results of each action recorded into an application event log?
a.
b.
c.
d.
Date
What
Time
What
64. b. Event logs list all actions that were performed, the date and time each a
ction occurred, and the result of each action. Event log entries might also incl
ude supporting information, such as what username was used to perform each actio
n and what status code was returned. The returned status code provides more info
rmation on the result than a simple successful/failed status.
65. Spyware is often bundled with which of the following?
a.
b.
c.
d.
65. a. Spyware is often bundled with software, such as certain peertopeer (P2P
) file sharing client programs; when the user installs the supposedly benign P2P
software, it then covertly installs spyware programs.
Network service worms are incorrect because they spread by exploiting vulnerabil
ity in a network service associated with an operating system or an application.
Mass mailing worms and emailborne viruses are incorrect because mass mailing w
orms are similar to emailborne viruses, with the primary difference being that
mass mailing worms are selfcontained instead of infecting an existing file as
emailborne viruses do. After a mass mailing worm has infected a system, it typ
ically searches the system for email addresses and then sends copies of itself
to those addresses, using either the systems email client or a selfcontained m
ailer built into the worm itself.
66. Which of the following is not an example of security software logs?
a.
b.
c.
d.
66. d. File sharing logs are an example of application logs. The other three cho
ices are examples of security software logs.
67. Which of the following logs are most beneficial for identifying suspicious a
ctivity involving a particular host?
a.
b.
c.
d.
67. c. Operating systems logs are most beneficial for identifying suspicious act
ivity involving a particular host, or for providing more information on suspicio
us activity identified by another host. Operating system logs collect informatio
n on servers, workstations, and network connectivity devices (e.g., routers and
switches) that could be useful in identifying suspicious activity involving a pa
rticular host.
The other three logs are not that beneficial when compared to the operating syst
em logs. Both networkbased and hostbased security software logs contain basic
securityrelated information such as user access profiles and access rights and
permissions. Application system logs include email logs, Web server logs, and f
ilesharing logs.
68. The chain of custody does not ask which of the following questions?
a.
b.
c.
d.
Who
Who
Who
Who
68. a. The chain of custody deals with who collected, stored, and controlled the
evidence and does not ask who damaged the evidence. It looks at the positive si
de of the evidence. If the evidence is damaged, there is nothing to show in the
court.
69. Software site licenses are best suited for:
a.
b.
c.
d.
Unique purchases
Fixed price license
Single purchase units
Small lots of software
69. b. Software site licenses are best suited for moderate to large software req
uirements where fixed price license or volume discounts can be expected. Discoun
ts provide an obvious advantage. By obtaining discounts, an organization not onl
y acquires more software for its investment but also improves its software manag
ement. Factors that expand the requirements past normal distribution/package pra
ctices are also prime candidates for site licenses. Examples of such factors are
software and documentation copying and distribution, conversion, and training.
Site licenses are not appropriate for software deployed in a unique situation, s
ingle purchase units, or small lots of software.
70. Which of the following statements about Cyberlaw is not true?
a. A person copying hypertext links from one website to another is liable for co
pyright infringement.
b. An act of copying of graphical elements from sites around the Web and copying
them into a new page is illegal.
c. The icons are protected under copyright law.
d. There are no implications in using the Internet as a computer software distri
bution channel.
70. d. The Cyberlaw precludes commercial rental or loan of computer software wit
hout authorization of the copyright owner. It is true that a person constructing
an Internet site needs to obtain permission to include a link to anothers home p
age or site. There may be copyrightable expressions in the structure, sequence,
and organization of those links. A person copying those links into another websi
te could well be liable for copyright infringement. Although it is quite easy to
copy graphics from sites around the Web and copy them into a new page, it is al
so clear that in most cases such copying constitutes copyright infringement. Ico
ns are part of graphics and are protected by copyright laws.
71. Which of the following is a primary source for forensic identification of i
nfected hosts?
a.
b.
c.
d.
71. a. Spyware detection and removal utility software is a primary source along
with antivirus software, content filtering, and hostbased IPS software.
Network device logs, sinkhole routers, and network forensic tools are incorrect
because they are examples of secondary sources. Network device logs show specifi
c port number combinations and unusual protocols. A sinkhole router is a router
within an organization that receives all traffic that has an unknown route (e.g.
, destination IP addresses on an unused subnet). A sinkhole router is usually co
nfigured to send information about received traffic to a log server and an IDS;
a packet sniffer is also used sometimes to record the suspicious activity. Netwo
rk forensic tools include packet sniffers and protocol analyzers.
72. Which of the following is not an example of security software logs?
a.
b.
c.
d.
72. c. Email logs are an example of application logs. The other three logs are
examples of security software logs.
73. Logs can be useful for which of the following reasons?
1.
2.
3.
4.
To
To
To
To
establish baselines
perform forensic analysis
support internal investigations
identify operational trends
a.
b.
c.
d.
1 only
3 only
4 only
1, 2, 3, and 4
73. d. Logs can be useful for establishing baselines, performing auditing and fo
rensic analysis, supporting investigations, and identifying operational trends a
nd longterm problems.
74. Network time protocol (NTP) servers are used to keep log sources clocks cons
istent with each other in which of the following logmanagement infrastructure f
unctions?
a.
b.
c.
d.
Log
Log
Log
Log
filtering
aggregation
normalization
correlation
Log
Log
Log
Log
clearing
retention
preservation
reduction
76. b. Although both MD5 and SHA1 are commonly used message digest algorithms,
SHA1 is stronger and better than MD5. Hence, SHA1 is mostly recommended for en
suring log file integrity. UDP is a connectionless and unreliable protocol used
to transfer logs between hosts. TCP is a connectionoriented protocol that attem
pts to ensure reliable delivery of information across networks.
77. Regarding log management infrastructure, which of the following characteriz
es the security event management software?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
2
and
and
and
and
3
4
3
4
software is often more resourceintensive for individual hosts than syslog becau
se of the processing that agents perform.
78. Which of the following network operational environment is the easiest in wh
ich to perform log management functions?
a.
b.
c.
d.
Standalone
Enterprise
Custom
Legacy
78. b. Of all the network operational environments, the enterprise (managed) env
ironment is typically the easiest in which to perform log management functions a
nd usually does not necessitate special consideration in log policy development.
This is because system administrators have centralized control over various set
tings on workstations and servers and have a formal structure.
The other three choices require special considerations and hence difficult to pe
rform log management functions. For example, the standalone (small office/home o
ffice) environment has an informal structure, the custom environment deals with
specialized securitylimited functionality, and the legacy environment deals wit
h older systems, which could be less secure.
79. Which of the following are major factors to consider when designing the sys
temlevel log management processes?
1.
2.
3.
4.
a.
b.
c.
d.
1
1
2
3
and
and
and
and
2
4
3
4
79. d. The major systemlevel processes for log management are configuring log s
ources, providing ongoing operational support, performing log analysis, initiati
ng responses to identified events, and managing longterm data storage. Online a
nd offline data storage and security needs for the data deal with organizational
level log management processes.
80. Which of the following is an example of deploying malicious code protection
at the application server level?
a.
b.
c.
d.
80. b. Malicious code protection should be deployed at the host level (e.g., ser
ver and workstation operating systems), the application server level (e.g., ema
il server and Web proxies), and the application client level (e.g., email clien
ts and instant messaging clients).
81. Regarding signs of an incident, which of the following characterizes an ind
icator?
1.
2.
3.
4.
Future incident
Past incident
Present incident
All incidents
a.
b.
c.
d.
2 only
1 and 2
2 and 3
1, 2, 3, and 4
82. c. Web server log entries that show the usage of a Web vulnerability scanner i
s an example of precursor because it deals with a future incident. The other thr
ee choices are examples of indications dealing with the past and present inciden
ts.
83. Which of the following statements are correct about signs of an incident?
1.
2.
3.
4.
a.
b.
c.
d.
1 and 2
1and 3
2 and 3
1, 2, 3, and 4
83. d. A precursor is a sign that an incident may occur in the future (future in
cident). An indicator is a sign that an incident may have occurred (past inciden
t) or may be occurring now (present incident). It is true that not every attack
can be detected through precursors. Some attacks have no precursors, whereas oth
er attacks generate precursors that the organization fails to detect. If precurs
ors are detected, the organization may have an opportunity to prevent the incide
nt by altering the security posture through automated or manual means to save a
target from attack. It is true that there are always some attacks with indicator
s.
84. Which of the following is not used as primary source of precursors or indica
tions?
a.
b.
c.
d.
84. c. Logs from network devices such as firewalls and routers are not typically
used as a primary source of precursors or indications. Network device logs prov
ide little information about the nature of activity.
Frequently, operating system logs, services logs, and application logs provide g
reat value when an incident occurs. These logs can provide a wealth of informati
on, such as which accounts were accessed and what actions were performed.
85. Which of the following records the username used to attack?
a.
b.
c.
d.
Firewall logs
Network intrusion detection software logs
Host intrusion detection software logs
Application logs
85. d. Evidence of an incident may be captured in several logs. Each log may con
tain different types of data regarding the incident. An application log may cont
ain a username used to attack and create a security incident. Logs in the other
three choices do not contain a username.
86. Which of the following records information concerning whether an attack tha
t was launched against a particular host was successful?
a.
b.
c.
d.
Firewall logs
Network intrusion detection software logs
Host intrusion detection software logs
Application logs
86. c. Evidence of an incident may be captured in several logs. Each log may con
tain different types of data regarding the incident. A host intrusion detection
sensor may record information whether an attack that was launched against a part
icular host was successful. Logs in the other three choices may also record host
related information but may not indicate whether a host is successful.
87. When applying computer forensics to redundant array of independent disks (R
AID) disk imaging, acquiring a complete disk image is important proof as evidenc
e in a court of law. This is mostly accomplished through which of the following?
a.
b.
c.
d.
Ensuring accuracy
Ensuring completeness
Ensuring transparency
Using a hash algorithm
87. d. In the field of computer forensics and during the redundant array of inde
pendent disks (RAID) disk imaging process, two of the most critical properties a
re obtaining a complete disk image and getting an accurate disk image. One of th
e main methods to ensure either or both of these properties is through using a h
ash algorithm. A hash is a numerical code generated from a stream of data, consi
derably smaller than the actual data itself, and is referred to as a message dig
est. It is created by processing all of the data through a hashing algorithm, wh
ich generates a fixed length output. Here, transparency means that the data is w
idely accessible to nonproprietary tools.
88. Computer security incidents should not be prioritized according to:
a.
b.
c.
d.
Collection
Examination
Analysis
Reporting
Brazil
Mexico
Western Europe
Argentina
92. d. File transfer protocol (FTP) is used for file sharing where the FTP is su
bjected to attacks and hence is not a primary source for analyzing fraud. File s
haring logs have secondary usages. The other three logs are primarily useful in
analyzing fraud.
93. Data diddling can be prevented by all the following except:
a.
b.
c.
d.
Access controls
Program change controls
Rapid correction of data
Integrity checking
93. c. Data diddling can be prevented by limiting access to data and programs an
d limiting the methods used to perform modification to such data and programs. R
apid detection (not rapid correction) is neededthe sooner the betterbecause correc
ting data diddling is expensive.
94. From a malicious code protection mechanism viewpoint, which of the following
is most risky?
a.
b.
c.
d.
Electronic mail
Removable media
Electronic mail attachments
Web accesses
94. b. Malicious code includes viruses, Trojan horses, worms, and spyware. Malic
ious code protection mechanisms are needed at system entry and exit points, work
stations, servers, and mobile computing devices on the network. The malicious co
de can be transported by electronic mail, email attachments, Web accesses, and
removable media (e.g., USB devices, flash drives, and compact disks). Due to the
ir flexibility and mobility, removable media can carry the malicious code from o
ne system to another; therefore it is most risky. Note that removable media can
be risky or not risky depending on how it is used and by whom it is used. The ot
her three choices are less risky.
95. Regarding signs of an incident, which of the following is not an example of
indications?
a. The Web server crashes.
b. A threat from a hacktivist group stating that the group will attack the organ
ization.
c. Users complain of slow access to hosts on the Internet.
d. The system administrator sees a filename with unusual characters.
95. b. A threat from a hacktivist group stating that the group will attack the or
ganization is an example of precursors because it deals with a future incident. T
he other three choices are examples of indications dealing with past and present
indications.
96. Regarding log management data analysis, security event management (SEM) soft
ware does not do which of the following?
a.
b.
c.
d.
a.
b.
c.
d.
1 and
2 and
2, 3,
1, 2,
2
3
and 4
3, and 4
97. c. Incident handlers should review log entries and security alerts to gain a
solid understanding of normal behavior or characteristics of networks, systems,
and applications so that abnormal behavior can be recognized more easily. Incid
ent handlers should focus more on major risks such as unusual entries, unexplain
ed entries, and abnormal entries, which are generally more important to analyze
and investigate than usual entries with minor risk. This follows the principle o
f management by exception, which focuses on major risks because management time
is limited.
98. Information regarding an incident can be recorded in which of the following
places?
1.
2.
3.
4.
Firewall log
Network IDS logs
Host IDS logs
Application logs
a.
b.
c.
d.
1 only
2 and 3
4 only
1, 2, 3, and 4
Organizational policies
Departmental procedures
Information system lifecycle phases
Incident response staffing models
101. c. Many computer incidents can be handled more effectively and efficiently
if data analysis considerations have been incorporated into the information syst
ems life cycle.
Examples include (i) configuring missioncritical applications to perform auditi
ng, including recording all authentication attempts, (ii) enabling auditing on w
orkstations, servers, and network devices, and (iii) forwarding audit records to
secure centralized log servers.
Organizational policies and departmental procedures are incorrect because most o
f these considerations are extensions of existing provisions in policies and pro
cedures. Incident response staffing models are incorrect because staffing models
are usually a function of the human resources department.
102. Acquiring network traffic data can pose some legal issues. Which of the fol
lowing should be in place first to handle the legal issues?
1.
2.
3.
4.
Access policies
Warning banners
System logs
System alerts
a.
b.
c.
d.
1
2
1
3
only
only
and 2
and 4
102. c. Acquiring network traffic data can pose some legal issues, including the
capture (intentional or incidental) of information with privacy or security imp
lications, such as passwords or email contents. The term network traffic refers
to computer network communications that are carried over wired or wireless netw
orks between hosts. Access policies and warning banners are the first step to be
completed. It is important to have policies regarding the monitoring of network
s, as well as warning banners on system that indicate that activity may be monit
ored. System logs and alerts are part of monitoring activities.
103. Regarding network data analysis, which of the following is not a data conce
alment tool?
a.
b.
c.
d.
103. b. Some people use tools that conceal data from others. This may be done fo
Criminal law
Civil law
Common law
Administrative law
104. c. Common law is also called case law and is based on past and present cour
t cases that become a precedent for future cases. Criminal law deals with crimes
, and the government on behalf of the people brings criminal cases. A precedent
may not be used. Civil laws rely primarily on statutes for the law without the u
se of a precedent. Administrative law is based on governments rules and regulatio
ns to oversee business activity. A precedent may not be used.
105. What is a data diddling technique?
a.
b.
c.
d.
Changing
Changing
Changing
Changing
data
data
data
data
before
during
during
before
105. d. Data diddling involves changing data before or during input to computers
or during output from a computer system.
106. What is a salami technique?
a.
b.
c.
d.
106. d. A salami technique is a theft of small amounts of assets and money from
a number of sources (e.g., bank accounts, inventory accounts, and accounts payab
le and receivable accounts). It is also using a roundingdown fraction of money
from bank accounts.
107. Trade secret elements do not include which of the following?
a.
b.
c.
d.
Secrecy
Value
Publicity
Use
d. Uses the traffic/event profiles to reduce the number of false positives and f
alse negatives
108. d. After security personnel are notified about inappropriate or unusual act
ivities, the system triggers a series of alerts. The most important benefit of t
hese alerts is to finetune the systemmonitoring devices to reduce the number o
f false positives and false negatives to an acceptable number.
109. An attacker sending specially crafted packets to a Web server is an exampl
e of which of the following computersecurity incident type?
a.
b.
c.
d.
Denialofservice
Malicious code
Unauthorized access
Inappropriate usage
109. a. A denial of service (DoS) attack prevents or impairs the authorized use
of networks, systems, or applications by exhausting resources. An attacker can s
end specially crafted packets to a Web server.
Malicious code includes a virus, worm, Trojan horse, or other codebased malicio
us entity that infects a host. Unauthorized access is where a person gains logic
al or physical access without permission to a network, operating system, applica
tion system, data, or device. Inappropriate usage occurs when a person violates
acceptable computing use policies.
110. Initial analysis revealed that an employee is the apparent target of or is
suspected of causing a computer security incident in a company. Which of the fo
llowing should be notified first?
a.
b.
c.
d.
Legal department
Human resources department
Public affairs department
Information security department
111. b. Periodic audits are one way to confirm that logging standards and guidel
ines are being followed throughout the organization. Testing and validation can
further ensure that the policies and procedures in the log management process ar
e being performed properly. The other three choices do not address the periodic
audits, testing, and validation.
112. A welldefined incident response capability helps the organization in whic
h of the following ways?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
3 and
1, 2,
2
3
4
3, and 4
Even if these transactions are found, there is no assurance that the task is com
plete.
116. With respect to computer security, a legal liability exists to an organiza
tion under which of the following conditions?
a.
b.
c.
d.
When
When
When
When
116. c. Courts do not expect organizations to spend more money than losses resul
ting from a security flaw, threat, risk, or vulnerability. Implementing counterm
easures and safeguards to protect information system assets costs money. Losses
can result from risks, that is, exploitation of vulnerabilities. When estimated
costs are less than estimated losses, then a legal liability exists. Courts can
argue that the organizations management should have installed safeguards but did
not, and that management did not exercise due care and due diligence.
When estimated security costs are greater than estimated losses they pose no leg
al liability because costs are greater than losses. When estimated security cost
s are equal to estimated losses the situation requires judgment and qualitative
considerations because costs are equal to losses. The situation when actual secu
rity costs are equal to actual losses is not applicable because actual costs and
actual losses are not known at the time of implementing safeguards.
117. Which of the following is used by major software vendors to update softwar
e for their customers?
a.
b.
c.
d.
Pull technology
Push technology
Pullpush technology
Pushpull technology
117. b. For convenience, major vendors are offering software updates via secure
channels using push technology. This technology automatically installs the update
files at a scheduled time or upon user request. There is a tradeoff here betwee
n convenience and security. An attacker can spoof a customer into accepting a Troj
an horse masquerading as an update. Security technical staff should always revie
w update files and patches before installing them. It is safe to download the up
date files and patches directly from the vendors website via a secure connection.
The pull technology is used by customers to receive information from websites.
118. Changing firewall rulesets is a part of which of the following recovery ac
tions for a computer security incident?
a.
b.
c.
d.
Deter
Detect
Delay
Deny
mputer system, investigative authorities can trace his origins and location. The
other three choices would not allow such a trap.
120. What is most of the evidence submitted in a computer crime case?
a.
b.
c.
d.
Corroborative evidence
Documentary evidence
Secondary evidence
Admissible evidence
Chain
Chain
Chain
Chain
of
of
of
of
command
control
custody
communications
Relevance
Competence
Materiality
Sufficiency
Best evidence
Flowchart evidence
Magnetic tapes evidence
Demonstrative evidence
124. a. Best evidence is primary evidence, which is the most natural evidence. B
est evidence gives the most satisfactory proof of the fact under investigation.
It is confined to normal, small size (low volume) documents, records, and papers
. Hence, the best evidence is inapplicable to large volumes of writing.
The other three choices are applicable to large volumes of writing. A recommenda
tion for court cases with a large volume of evidence is to assemble a single exh
ibit book containing all documents, send copies to the defense and to the judge,
and introduce it as a single exhibit in court. This saves time in court. Also,
preparing a record of exhibits, the counts each is connected with, and the names
of the witnesses who are to testify as to each item are part of the evidence. F
or example, submitting a system flowchart and magnetic tapes evidence is proper
to the court. Demonstrative evidence or visual aids can be real things (such as
charts and tables) or representation of real things (such as a photograph or blu
eprint).
125. Evidence is needed to do which of the following?
a.
b.
c.
d.
Charge a case
Classify a case
Make a case
Prove a case
125. d. Proper elements of proof and correct types of evidence are needed to pro
ve a case. The other three choices come before proving a case.
126. What determines whether a computer crime has been committed?
a.
b.
c.
d.
When
When
When
When
a.
b.
c.
d.
4,
3,
4,
1,
1,
1,
2,
4,
2,
2,
3,
2,
and
and
and
and
3
4
1
3
127. a. Substantiating the allegation is the first step. Consulting with a compu
Investigator
District attorney
Computer expert
Systems auditor
Discovery
Protection
Recording
Collection
the items.
in a cardboard box.
in a paper bag.
in a plastic bag.
132. d. After all equipment and magnetic media have been labeled and inventoried
, seal and store each item in a paper bag or cardboard box to keep out dust. An
additional label should be attached to the bag identifying its contents and noti
ng any identifying numbers, such as the number of the evidence tag. Do not use p
lastic bags or sandwich bags to store any piece of computer equipment and/or mag
netic storage media because plastic material can cause both static electricity a
nd condensation, which can damage electronically stored data and sensitive elect
ronic components.
133. Indicate the most objective and relevant evidence in a computer environment
involving fraud.
a.
b.
c.
d.
Physical examination
Physical observation
Inquiries of people
Computer logs
134. a. Online systems and services run a risk that subscribers will receive fal
se or misleading information. The case law ruled that situations described in th
e other three choices are subject to negligent liability. However, an organizati
on may not be liable if it followed a preventive maintenance program despite equ
ipment downtime. This is because of proactive and preventive actions taken by th
e organization.
135. Which of the following is needed to produce technical evidence in computer
related crimes?
a. Audit methodology
b. System methodology
c. Forensic methodology
d. Criminal methodology
135. c. A forensic methodology is a process for the analysis of electronically s
tored data. The process must be completely documented to ensure that the integri
ty of the evidence is not questioned in court. The forensic methodology deals wi
th technical evidence.
The audit methodology deals with reviewing business transactions and systems and
reaching an opinion by an auditor. The phrases system methodology and criminal
methodology have many meanings.
136. Which of the following is not a key factor in a crime warrant search?
a.
b.
c.
d.
Ownership
Occupancy
Possession
Purchase
136. d. A key fact in any search is ownership or rightful occupancy of the premi
ses to be searched, and ownership or rightful possession of the items to be seiz
ed. Different search and seizure rules apply when the properties and premises ar
e government or privately owned or leased. Purchase has nothing to do with searc
h. One may purchase and others can occupy or possess.
137. Which of the following is not an example of evidentiary errors?
a.
b.
c.
d.
Harmless errors
Reversible errors
Plain errors
Irreversible errors
137. d. A harmless error is an error that does not affect a substantial right of
a party. A reversible error is one that does affect a substantial right of a part
y. A plain error is a reversible error that is so obviously wrong that the court
will reverse it even though the party harmed failed to take the steps necessary
to preserve the error. An irreversible error is not defined in the law.
138. Which of the following crime team members has a clear role in solving a co
mputer crime?
a.
b.
c.
d.
Manager
Auditor
Investigator
Security officer
139. c. Computer
nic and is based
l people such as
ctually occurred
ge. Preparing technical evidence and collecting proper evidence (paper or electr
onic) are not major challenges.
140. Which of the following is not a proper criterion for measuring the effectiv
eness of a computersecurity incident response capability?
a.
b.
c.
d.
Dollars saved
Incidents reported
Vulnerabilities fixed
Tools implemented
140. a. The payoff from a computer security incident response capability (CSIRC)
cannot be quantified in terms of dollars saved and incidents handled. It may no
t be possible to satisfactorily quantify the benefits a CSIRC provides within it
s first year of operation. One of the ways in which a CSIRC can rate its success
is by collecting and analyzing statistics on its activity. For example, a CSIRC
could keep statistics on incidents reported, vulnerabilities reported and fixed
, and tools implemented.
141. A computersecurity incidentresponse capability structure can take differe
nt forms, depending on organization size, its diversity of technologies, and its
geographic locations. Which of the following organization structures is best fo
r reporting computer securityrelated problems?
a.
b.
c.
d.
Centralized reporting
Decentralized reporting
Distributed reporting
Centralized, decentralized, and distributed reporting
Contact logs
Activity logs
Incident logs
Audit logs
142. b. Activity logs reflect the course of each day. It is not necessary to des
cribe each activity in detail, but it is useful to keep such a log so that the C
SIRC can account for its actions. Noting all contacts, telephone conversations,
and so forth ultimately saves time by enabling one to retain information that ma
y prove useful later.
Contact logs are incorrect because they contain vendor contacts, legal and inves
tigative contacts, and other contacts. Incident logs are incorrect because they
contain information generated during the course of handling an incident, includi
ng all actions taken, all conversations, and all events. Audit logs are incorrec
t because they contain personal identification and activity information and tran
saction processing information so that actions can be traced back and forth.
143. Which of the following approaches provides an effective way of reporting c
omputer securityrelated problems?
a.
b.
c.
d.
Help desks
Selfhelp information
Site security offices
Telephone hotline
Proactive
Reactive
Proactive and reactive
Detective
Recurring events
Current state of the system
Historical events
Nonrecurring events
145. b. Security is affected by the actions of both the users and the system adm
inistrators. Users may leave their files open to attack; the system administrato
r may leave the system open to attack by insiders or outsiders. The system can b
e vulnerable due to misuse of the systems features. Automated tools can search fo
r vulnerabilities that arise from common administrator and user errors. Vulnerab
ility testing tools analyze the current state of the system (a snapshot), which
is a limitation. These test tools review the objects in a system, searching for
anomalies that might indicate vulnerabilities that could allow an attacker to (i
) plant Trojan horses, (ii) masquerade as another user, or (iii) circumvent the
organizational security policy.
The other three choices are incorrect because they represent a state that is not
accessible by the vulnerability testing tools. Generalized audit software or sp
ecial utility programs can handle such events better.
146. What is oral testimony?
a.
b.
c.
d.
Cumulative evidence
Proffered evidence
Direct evidence
Negative evidence
147. c. There are four phases in the investigation process. Initiating the inves
tigation (phase 1) includes securing the crime scene, collecting evidence, devel
oping incident hypothesis, and investigating alternative explanations. Testing a
nd validating the incident hypothesis (phase 2) deals with proving or disproving
prior assumptions, opinions, conditions, and situations; and validating the acc
uracy of a computer systems prior security parameters such as configuration setti
ngs, firewall rulesets, and account access privileges and authorizations. Analyz
ing the incident (phase 3) covers analysis of the evidence collected in the prev
ious phases to determine whether a computer crime has occurred. Presenting the e
vidence (phase 4) involves preparing a report with findings and recommendations
to management or law enforcement authorities.
The correct order of the investigation process is gather facts (phase 1), interv
iew witnesses (phase 1), develop incident hypothesis (phase 1), test and validat
e the hypothesis (phase 2), analyze (phase 3), and report the results to managem
ent and others (phase 4).
148. Which of the following investigative tools is most effective when large vol
umes of evidence need to be analyzed?
a.
b.
c.
d.
Interviews
Questionnaires
Forensic analysis
Computer analysis
148. d. Computers can be used to collect and compile and analyze large amounts o
f data and provide statistics, reports, and graphs to assist the investigator in
analysis and decision making. Forensic analysis is the art of retrieving comput
er data in such a way that will make it admissible in court. Interviews and ques
tionnaires are examples of structured approach used in interrogations.
149. Which of the following methods is acceptable to handle computer equipment
seized in a computer crime investigation?
a.
b.
c.
d.
149. c. Forensic analysis is the art of retrieving computer data in such a way t
hat makes it admissible in court. Exposing magnetic media to magnetic fields, su
ch as radio waves, may alter or destroy data. Do not carry magnetic media in the
trunk of a vehicle containing a radio unit, and do not lay magnetic media on to
p of any electronic equipment.
150. To preserve the integrity of collected evidence in a criminal prosecution d
ealing with computer crime, who should not be invited to perform data retrieval
and analysis of electronically stored information on a computer?
a.
b.
c.
d.
A
A
A
A
150. d. Retrieval and analysis of electronically stored data that could be poten
tial evidence in a criminal prosecution must follow a uniform and specific metho
dology to prove that the evidence could not have been altered while in the posse
ssion of law enforcement. Law enforcement personnel who have received the necess
ary training to perform this analysis or someone else with the requisite experti
se who can withstand challenge in court are essential to ensure the integrity of
any resulting evidence because consistency in methodology and procedure may bec
ome a critical issue in a criminal prosecution. The proper selection and use of
a civilian expert witness to aid in the retrieval and analysis of computerrelat
ed evidence is critical. However, the use of a teenage hacker as an expert witne
ss would be inadvisable, at best.
151. To properly conduct computer crime investigations, the law enforcement com
munity must receive which of the following?
a.
b.
c.
d.
Training
Policies
Procedures
Guidelines
151. a. Law enforcement staff must be provided with specialized training for inv
estigations in the area of technological crime investigation. The learning curve
for this type of instruction can be lengthy due to the complexity and sophistic
ation of the technology. In addition, policies and procedures are needed to ensu
re consistency in the investigation of computer crimes. The seizure, transportat
ion, and storage of computers and related equipment must be completed according
to uniform guidelines.
152. From a human nature point of view, a good incidenthandling capability is
closely linked to which of the following?
a.
b.
c.
d.
Contingency planning
Training and awareness
Support and operations
Risk management
Liaison skills
Technical skills
Communication skills
Problem solving skills
a.
b.
c.
d.
1 and
3 and
1, 3,
1, 2,
3
4
and 4
3, and 4
153. d. The incident response team manager must have several skills: acting as a
liaison with upper management and others, defusing crisis situations (i.e., hav
ing problemsolving skills), technically adept, having excellent communications
skills, and maintaining positive working relationships, even under times of high
pressure.
154. Which of the following is not a primary impact of a security incident?
a.
b.
c.
d.
Fraud
Waste
Abuse
Notice
154. d. Notice is not a primary impact of a security incident. Fraud, waste, and
abuse are potential adverse actions that may result from a breakdown in IT secu
rity controls and practices. Consequently, these three are primary impacts of a
security incident. Notice occurs after an incident is known.
155. Which of the following software licensing approaches requires the user to
pay for the software when used for commercial purposes after downloading it from
the Internet?
a.
b.
c.
d.
Demoware
Timeware
Crippleware
Shareware
155. d. The Internet has allowed many software companies to use new means of dis
tributing software. Many companies allow the downloading of trial versions of th
eir product (demoware), sometimeslimited versions (crippleware) or versions tha
t only operate for a limited period of time (timeware). However, many companies
take a shareware approach, allowing fully functional copies of software to be do
wnloaded for trial use and requiring the user to register and pay for the softwa
re when using it for commercial purposes.
156. From a copyright owner point of view, when is electronic information decla
red as being used?
a. When a reader has made a purchase
b. When a reader has downloaded the information for immediate use
157. d. Traditionally, copyright law does not give copyright owners rights to co
ntrol the access that readers have to information. Copyright owners in the elect
ronic world use contracts to impose restrictions to make sure that they are paid
for every instance of access or use. Still, as a practical matter, these restri
ctions do not prevent unauthorized copying. After users have paid for one legiti
mate copy of something, there is often not much except moral suasion to prevent
them making other copies. Digital information is easily copied and easily transm
itted to many locations. These characteristics make electronic distribution an a
ttractive publishing medium; but they have a flip side (downside); almost any re
ader is a potential publisher of unauthorized copies.
158. For libraries, the copyright law applies to which of the following?
a.
b.
c.
d.
Computer data
Mixed media
Computer programs
Digital information
158. c. Digital information allows libraries new ways to offer services, and com
pletely new services to offer. Libraries have some uncertainties with regard to
copyright laws. For example, libraries may not be the owners of the computer pro
grams. Vendors often say that programs are licensed, not sold. The library, as a
licensee rather than an owner, does not have the rights described in the copyri
ght law; these are abrogated by the terms of the license. For example, the copyr
ight law gives the owner of a computer program the right to make an archival (ba
ckup) copy under certain conditions.
Some provisions in the copyright law also deal with copying and other uses of co
mputer programs, but do not specifically extend to digital information. Digital
information includes multimedia or mixed media databases, which may include imag
es, music, text, or other types of work. Digital information is not just words a
nd numbers. Anything that can be seen or heard can be digitized, so databases ca
n include music, motion pictures, or photographs of art works.
Copyright laws currently refer only to computer programs and not to data or digi
tal information. Computer data is stored in the same medium as computer programs
, and it would seem logical to treat them in the same way, but the argument rema
ins that digital data does not fit the definitions currently set out in the copy
right laws, so owners have no right to make archival copies. The two points rais
ed here become even more complicated for libraries in the case of mixedmedia wo
rks where printed material, digital data, computer programs, microfiche, and oth
er forms might be packaged and used together.
159. Which of the following is not protected by copyright laws?
a. Program structure
b. Program sequence
c. Program organization
d. User interface
159. d. A court (case law) found that computer programs are protected under copy
right against comprehensive nonliteral similarity, and held that copyright protect
ion of computer programs may extend beyond a programs literal code to its structu
re, sequence, and organization. The court also said that user interface in the fo
rm of input and output reports are not copyrightable.
160. Which of the following is not copyrightable?
a.
b.
c.
d.
Formats
Databases
Program functions
Program code
160. a. A court (case law) held that formats are not copyrightable. Databases ar
e protected under copyright law as compilations. However, copyright protection i
n a compilation does not provide protection for every element of the compilation
. It extends only to the material contributed by the author of such work, not to
preexisting material used in the work. Both program functions and program code
are copyrightable.
161. Which of the following Pacific Rim countries has trade secret protection p
rovided for computer programs?
a.
b.
c.
d.
Japan
Korea
Taiwan
Thailand
161. a. Japan is the only Pacific Rim nation whose law provides for trade secret
protection. Computer programs can be a part of the trade secrets. The owner of
a trade secret may request that the media on which the computer program is store
d be destroyed. The other countries such as Korea, Taiwan, and Thailand do not h
ave such laws or are in the process of developing one.
162. Which of the following logs are useful for security monitoring?
a.
b.
c.
d.
162. d. Some applications, such as Web and email services, can record usage inf
ormation that might also be useful for security monitoring. (That is, a tenfold
increase in email activity might indicate a new emailborne malware threat.)
Both networkbased and hostbased security software logs contain basic security
related information such as user access profiles and access rights and permissio
ns, which is not useful for security monitoring. Operating system logs collect i
nformation on servers, workstations, and network connectivity devices (e.g., rou
ters and switches) that could be useful in identifying suspicious activity invol
ving a particular host, but not useful for security monitoring.
163. From a computer security viewpoint, accountability of a person using a comp
uter system is most closely tied to which of the following?
a.
b.
c.
d.
Responsibility
Usability
Traceability
Accessibility
163. c. The issue here is to determine who did what and when. For accountability
to function, information about who attempted an action, what action, when, and
what the results were must be logged. This log can be used to trace a persons act
ions. The logs must not be subject to tampering or loss. Logs provide traceabili
ty of user actions.
Responsibility is a broader term defining obligations and expected behavior. The
term responsibility implies a proactive stance on the part of the responsible p
arty and a casual relationship between the responsible party and a given outcome
. The term accountability refers to the ability to hold people responsible for t
heir actions. People could be responsible for their actions but not held account
able. For example, an anonymous user on a system is responsible for not compromi
sing security but cannot be held accountable if a compromise occurs because the
action cannot be traced to an individual.
Usability is incorrect because it deals with a set of attributes that bear on th
e effort needed for use, and on the individual assessment of such use, by a stat
ed or implied set of users.
Accessibility is incorrect because it is the ability to obtain the use of a comp
uter system or a resource or the ability and means necessary to store data, retr
ieve data, or communicate with a system. Responsibility, usability, and accessib
ility are not traceable to an individuals actions.
164. Detection measures are needed to identify computerrelated criminal activi
ties. Which one of the following measures is reactive in nature?
a.
b.
c.
d.
164. b. Reactive measures are designed to detect ongoing crimes and crimes that
have already been committed. Such measures include performing regular audits of
the system and checking the system logs generated automatically by the system. P
roactive measures detect crimes before or as they are being committed. Examples
include recording all login attempts, notifying the user or security officer abo
ut system anomalies by sounding an alarm or displaying a message, and limiting t
he number of login attempts before automatically disconnecting the login process
.
165. Which one of the following is not intrinsically a computer crime or even a
misdeed?
a.
b.
c.
d.
Wiretapping
Eavesdropping
Superzapping
Masquerading
167. a. Software site licenses decrease support expenses due to economies of sca
le. For user organizations a site license permits using many copies of a softwar
e package at reduced cost and allows better management of the organizations softw
are inventory. For software vendors a site license can reduce marketing and dist
ribution costs and provide predictable payments.
Site license contracts improve management of software inventories, centralize or
dering, and streamline software distribution functions. Accurate inventories are
important when ordering software upgrades, designing a local area network, and
protecting against computer viruses. Centralized ordering and software distribut
ion functions gain acceptance when they are shown to be advantageous to the orga
nization. A benefit of site licensing is a standardized support, which reduces t
raining and other support expenses, and is the easiest way to gain seamless and
transparent sharing of information. The benefits of standardization include ease
of information exchange, shared application processing, shared application deve
lopment, and reduced training time and costs.
168. Which one of the following refers to striking a balance between an individ
uals rights and controls over information about themselves?
a.
b.
c.
d.
Confidentiality
Privacy
Security
Integrity
d. User reports
169. d. Automated incident detection methods include intrusion detection softwar
e, whether networkbased or hostbased, antivirus software, and log analyzers. I
ncidents may also be detected through manual means, such as user reports, but th
ey do not work well for all situations due to their being static in nature. Some
incidents have overt signs that can be easily detected, whereas others are virt
ually undetectable without automation.
170. The person who most frequently reports illegal copying and use of vendorde
veloped PCbased software in an organization to either government officers or to
the software vendor representative is:
a.
b.
c.
d.
Systems consultants
Software dealers
Hard disk loaders
Disgruntled employees
170. d. In a majority of cases (9095 percent) illegal copying and use of softwa
re is reported by disgruntled employees. The other tips tend to come from system
s consultants who work at client sites. Software dealers and hard disk loaders w
ould not report because they are usually involved in illegal copying of the soft
ware for their customers.
171. Which of the following logs can be helpful in identifying sequences of mal
icious events?
a.
b.
c.
d.
171. d. Application system logs generate highly detailed logs that reflect every
user request and response, which can be helpful in identifying sequences of mal
icious events and determining their apparent outcome. For example, many Web, fil
e transfer protocol (FTP), and email servers can perform such application loggi
ng.
Both networkbased and hostbased security software logs contain basic security
related information such as user access profiles and access rights and permissio
ns, which is not helpful in identifying sequences of malicious events. Operating
system logs collect information on servers, workstations, and network connectiv
ity devices (for example, routers and switches) that could be useful in identify
ing suspicious activity involving a particular host, but is not helpful in ident
ifying sequences of malicious events.
172. A single and effective control procedure to detect illegal use of copyrigh
ted software in the organization is to:
a. Send an electronicmail questionnaire to all users.
b. Remind all users periodically not to use illegally obtained software.
c. Develop a software inventory management tool and periodically compare the inv
entory software list to company purchase orders.
d. Develop a software antipiracy policy immediately and distribute to all users
without fail.
172. c. With the use of either a publicly available software inventory managemen
t tool or utility program, the software searches hard disks for the presence of
popular applications, and a list is prepared when a match is found. The list is
then compared to company issued purchase orders. When illegal software is found,
it is destroyed, and a new one is purchased. The software inventory management
tool is the best means to do software audits, and it can be managed remotely by
system administrators, who are independent from users. The actions suggested in
the other three choices are superficial and do not achieve the same purpose as t
It
It
It
It
173. d. Many application software vendors do not release the source code to the
purchaser. This is intended to protect their systems integrity and copyright. The
application system is installed in object code. An alternative to receiving the
source programs is to establish an escrow agreement by a thirdparty custodian.
In this agreement, the purchaser is allowed to access source programs under cer
tain conditions (e.g., vendor bankruptcy and discontinued product support). A th
ird party retains these programs and documents in escrow. Key escrow system is i
ncorrect because it has nothing to do with application software escrow. A key es
crow system is a system that entrusts the two components (private and public key
) comprising a cryptographic key used in encryption to two key component holders
or escrow agents. Computer programs in a bank vault are incorrect because they
do not need to be placed in a bank vault. They can be placed with a third party
agent regardless of the location. Object code is incorrect because it is not esc
rowed; only the source code is.
174. Which of the following statements about Cyberlaw (i.e., law dealing with t
he Internet) is true?
a. All materials published on the Internet and computer bulletin boards are subj
ect to copyright protection only when accompanied by a formal copyright notice.
b. The bulletin board provider is liable for copyright infringement on its board
only when it is aware of it.
c. Organizations own the copyright for building Internet sites by freelance writ
ers.
d. An employer will always be the owner of an Internet work created by an employ
ee within the scope of employment.
174. d. An employer will be the owner of a work created by an employee within th
e scope of employment. All material published on the Internet and computer bulle
tin boards are subject to copyright protection, whether or not it is accompanied
by a formal copyright notice. It is true that an independent contractor, a free
lancer, may hold the copyright in a work made for someone else if there is no ex
press agreement to the contrary.
175. Under which of the following conditions has a copyright infringement not oc
curred?
a.
b.
c.
d.
When
When
When
When
a work is viewed.
a printed work is scanned into a digital file.
a work is uploaded from a users computer to a bulletin board system.
the contents of a downloaded file are modified.
a. When the same name is used that has been in use for years by a competitor or
noncompetitor.
b. When a new name is used.
c. When the company that assigns an Internet address assigns the same name.
d. When the company that assigns an Internet address has no change control syste
m.
176. b. The Internet domain name contains elements that are in an electronic add
ress directly following the symbol @, which serves as the key identifier of a comp
uter connected to the Internet. A new name is not illegal. The case law ruled th
at the other three choices are illegal uses of a domain name. The company that a
ssigns an Internet address is called a gatekeeper.
177. Sources of legal rights and obligations for privacy over electronic mail do
not include:
a.
b.
c.
d.
177. c. Because email can cross many state and national boundaries and even con
tinents, it is advised to review the principal sources of legal rights and oblig
ations. These sources include the law of the country and employer policies and p
ractices. Employee practices have no effect on the legal rights and obligations.
178. Which of the following represents risk mitigation measures to detect, limi
t, or eliminate the malicious code attacks in software?
1.
2.
3.
4.
a.
b.
c.
d.
1 and 3
3 only
3 and 4
1, 2, 3, and 4
178. d. The goal is to ensure that software does not perform functions other tha
n those intended. Risk mitigation measures to ensure that software does not perf
orm unintended functions (e.g., malicious code attacks) include strong integrity
controls, secure coding practices, trusted procurement processes for acquiring
networkrelated hardware and software, configuration management and control, and
system monitoring practices.
179. A person sets up an electronic bulletin board on which he encourages other
s to upload computerbased applications software and games for free. The software
and games are copyrighted. He then transfers the uploaded programs to a second
bulletin board without any fees to potential users. The users with password acce
ss to the second bulletin board can download the programs. Under this scenario,
who would be liable under wire fraud statutes?
a.
b.
c.
d.
179. a. The originator of the bulletin board would be fully liable because he ma
de illegal copying and distribution of copyrighted software available without pa
yment of license fees and royalties to software manufacturers and vendors.
180. Which one of the following can cause the least damage in terms of severe fi
nancial losses?
a.
b.
c.
d.
Online stalkers
Computer worm designers
Computer virus designers
An employee tapping into a former employers computer
181. c. Information that is in digital form, and is thus easy to reuse and manip
ulate, raises a number of legal issues about what constitutes fair use. For exam
ple, if computer software is reverseengineered, the systems analyst might copy
the entire work, not just parts of it. This causes a significant loss of market
share to the software vendor.
The other choices deal with paper media where fair use is clearly defined in terms
of percentage of the work copied or used.
182. Which of the following is a major risk of not tracking personal computer ha
rdware and software assets?
a.
b.
c.
d.
182. c. Managing PC hardware and software assets alerts management of any new, u
nauthorized software brought into the organization for the purpose of using it.
These alerts not only find the presence of computer viruses but also protect fro
m software piracy charges. Any unauthorized use of software should be discourage
d.
The other three choices are incorrect because incorrect depreciation and amortiz
ation charges and lost vendor discounts are also risks, but not as big as the co
mputer viruses and charges of software piracy. Amortization is used for software
, whereas depreciation is used for hardware. An incorrect depreciation and amort
ization charge will result when the hardware and software assets are not properl
y accounted for and valued for. Vendor purchase discounts will be lost when cent
ralized purchasing management is not aware of the potential assets.
183. A United States organization is transmitting its data outside the country.
Its management must be alerted to which of the following?
a.
b.
c.
d.
The
The
The
The
183. a. Many European countries (e.g., Germany) place strong restrictions on the
international flow of personal and financial data. This includes personal recor
ds, bank statements, and even mailing lists. Therefore, the transmitting country
should be aware of the receiving countrys transborder data flow laws. A specific
data centers policies have nothing to do with the countrys transborder data flow
laws.
184. Which one of the following logs helps in assessing the final damage from c
omputer security incidents?
a.
b.
c.
d.
Contact logs
Activity logs
Incident logs
Audit logs
184. c. An organization needs to retain a variety of information for its own ope
rational use and for conducting reviews of effectiveness and accountability. Inc
ident logs are generated during the course of handling an incident. Incident log
s are important for accurate recording of events that may need to be relayed to
others. Information in incident logs is helpful for establishing new contacts; p
iecing together the cause, course, and extent of the incident; and for postinci
dent analysis and final assessment of damage. An incident should minimally conta
in (i) all actions taken, with times noted, (ii) all conversations, including th
e person(s) involved, the date and time, and a summary, and (iii) all system eve
nts and other pertinent information such as user IDs. The incident log should be
detailed, accurate, and the proper procedures should be followed so that the in
cident log could be used as evidence in a court of law.
Contact logs are incorrect because they include such items as vendor contacts, l
egal and investigative contacts, and other individuals with technical expertise.
A contact database record might include name, title, address, phone/fax numbers
, email address, and comments.
Activity logs are incorrect because they reflect the course of each day. Noting
all contacts, telephone conversations, and so forth ultimately saves time by ena
bling one to retain information that may prove useful later.
Audit logs are incorrect because they contain information that is useful to trac
e events from origination to destination and vice versa. This information can be
used to make users accountable on the system.
185. Software is an intellectual property. Which one of the following statement
s is true about software use and piracy?
a. An employee violated the piracy laws when he copied commercial software at wo
rk to use at home for 100 percent business reasons.
b. An employee violated the piracy laws when he copied commercial software for b
ackup purposes.
c. An employee violated the piracy laws when he copied commercial software at wo
rk to use on the road for 100 percent business reasons.
d. The terms of the software license contract determines whether a crime or viol
ation has taken place.
185. d. Software piracy laws are complex and varied. A software vendor allows us
ers to have two copies (one copy at work and the other one at home or on the roa
d as long as they are using only one copy at a time), and a copy for backup purp
oses. Because each vendors contractual agreement is different, it is best to cons
ult with that vendors contractual terms.
186. Regarding presenting evidence in a court of law, which one of the following
items is not directly related to the other three items?
a.
b.
c.
d.
Exculpatory evidence
Inculpatory evidence
Internal body of evidence
Electronic evidence
Malware advisories
Security tool alerts
System administrators
Security tools
a.
b.
c.
d.
3
4
1
3
only
only
or 2
and 4
188. c. Signs of an incident fall into one of two categories: precursors and ind
ications. A precursor is a sign that an incident (e.g., malware attack) may occu
r in the future (i.e., future incident). Most malware precursors are either malw
are advisories or security tool alerts. Detecting precursors gives organizations
an opportunity to prevent incidents by altering their security posture and to b
e on the alert to handle incidents that occur shortly after the precursor.
System administrators and security tools are examples of indications of malware
incidents. An indication is a sign that an incident (malware attack) may have oc
curred or may be occurring. The primary indicators include users, IT staff such
as system, network, and security administrators and security tools such as antiv
irus software, intrusion prevention systems, and network monitoring software.
189. From a legal standpoint, which of the following prelogon screen banners i
s sufficient to warn potential system intruders?
a.
b.
c.
d.
No
No
No
No
tampering
trespassing
hacking
spamming
190. a. Collecting incident data by itself does not prevent computer security in
cidents. A good use of the data is measuring the success of the incident respons
e team. The other three choices prevent computer security incidents.
191. Which of the following is not the preferred characteristic of security inci
dentrelated data?
a.
b.
c.
d.
Objective data
Subjective data
Actionable data
Available data
192. d. Usually, a separate team, other than the incident response team provides
patch management services, and the patch management work could be a combination
of manual and computer processes. Automation is needed to perform an analysis o
f the incident data and select events of interest for human review. Event correl
ation software, centralized log management software, and security software can b
e of great value in automating the analysis process. The other three choices are
used in the detection and analysis phase, which is prior to the recovery phase
where patches are installed.
193. When applying computer forensics to redundant array of independent disks (
RAID) disk imaging technology, which of the following are not used as a hash fun
ction in verifying the integrity of digital data on RAID arrays as evidence in a
court of law?
1.
2.
3.
4.
a. 1 only
b. 3 only
c. 1 and 2
d. 3 and 4
193. c. Both CRC32 and checksums are not used as a hash function in verifying t
he integrity of digital data on RAID arrays as evidence in a court of law. To be
complete and accurate in the eyes of the court, data must be verified as bitbi
t match. Failure to provide the court assurance of data integrity can result in
the evidence being completely dismissed or used in a lesser capacity as an artif
act, finding, or as item of note. The court system needs an absolute confidence
that the data presented to it is an exact, unaltered replication of the original
data in question.
The CRC32 is not a hash function, is a 32bit checksum, and is too weak to be h
eavily relied upon. The main weakness is that the probability of two separate an
d distinct datastreams generating the same value using CRC32 is too high. Chec
ksums are digits or bits summed according to some arbitrary rules and are used t
o verify the integrity of normal data, but they are not hash functions, as requi
red in disk imaging.
Both MD5 and SHA1 are used as a hash function in verifying the integrity of digi
tal data on RAID arrays as evidence in a court of law. The MD5 is a 128bit hash
algorithm, and is not susceptible to the same weakness of CRC32. The chances o
f any two distinct datastreams generating the same hash value using MD5 is extr
emely low. SHA1 is a 160bit hash algorithm, which is computationally stronger
than the MD5. In relation to disk imaging, the benefit of using a hash algorithm
is that if any bit is changed or missing between the source and the destination
copy, a hash of the datastream will show this difference.
194. A user providing illegal copies of software to others is an example of whi
ch of the following computersecurity incident types?
a.
b.
c.
d.
Denialofservice
Malicious code
Unauthorized access
Inappropriate usage
195. b. The incident response team should become acquainted with its various law
enforcement representatives before an incident occurs to discuss conditions und
er which incidents should be reported to them, how the reporting should be perfo
rmed, what evidence should be collected, and how the evidence should be collecte
d.
196. Which of the following is the major reason for many securityrelated incide
nts not resulting in convictions?
a. Organizations do not properly contact law enforcement agencies.
b. Organizations are confused about the role of various law enforcement agencies
.
Packet sniffers
Forensic software
Protocol analyzers
Forensic workstations
a.
b.
c.
d.
1
1
2
2
and
and
and
and
2
3
3
4
197. b. Packet sniffers and protocol analyzers capture and analyze network traff
ic that may contain malware activity and evidence of a security incident. Packet
sniffers are designed to monitor network traffic on wired or wireless networks
and capture packets. Most packet sniffers are also protocol analyzers, which mea
n that they can reassemble streams from individual packets and decode communicat
ions that use any of hundreds or thousands of different protocols. Because packe
t sniffers and protocol analyzers perform the same functions, they could be comb
ined into a single tool.
Computer forensic software is used to analyze disk images for evidence of an inc
ident, whereas forensic workstations are used to create disk images, preserve lo
gs files, and save incident data.
198. Which of the following facilitates faster response to computer security in
cidents?
a.
b.
c.
d.
Rootkit
Tool kit
Computer kit
Jump kit
198. d. Many incident response teams create a jump kit, which is a portable bag
containing materials such as a laptop computer loaded with the required software
, blank media, backup devices, network equipment and cables, and operating syste
m and application software patches. This jump kit is taken with the incident han
dler during an offsite investigation of an incident for faster response. The jum
p kit is ready to go at all times so that when a serious incident occurs, incide
nt handlers can grab the jump kit and go, giving them a jump start.
A rootkit is a set of tools used by an attacker after gaining rootlevel access
to a host. The rootkit conceals the attackers activities on the host, permitting
the attacker to maintain rootlevel access to the host through covert means. Roo
tkits are publicly available, and many are designed to alter logs to remove any
evidence of the rootkits installation or execution. Tool kit and computer kit are
generic terms without any specific value here.
199. Which of the following statements about security controls, vulnerabilities,
risk assessment, and incident response awareness is not correct?
a. Insufficient security controls lead to slow responses and larger negative bus
iness impacts.
b. A large percentage of incidents involve exploitation of a small number of vul
nerabilities.
c. Risk assessment results can be interpreted to ignore security over resources
that are less than critical.
d. Improving user awareness regarding incidents reduces the frequency of inciden
ts.
199. c. Risk assessments usually focus on critical resources. This should not be
interpreted as a justification for organizations to ignore the security of reso
urces that are deemed to be less than critical because the organization is only
as secure as its weakest link.
If security controls are insufficient, high volumes of incidents may occur, whic
h can lead to slow and incomplete responses which, in turn, are translated to a
larger negative business impacts (e.g., more extensive damage, longer delays in
providing services, and longer system unavailability). Many security experts agr
ee that a large percentage of incidents involve exploitation of a relatively sma
ll number of vulnerabilities in operating systems and application systems (i.e.,
an example of Paretos 80/20 principle). Improving user awareness regarding incid
ents should reduce the frequency of incidents, particularly those involving mali
cious code and violations of acceptable use policies.
200. Some security incidents fit into more than one category for identification
and reporting purposes. An incident response team should categorize incidents b
y the use of:
a.
b.
c.
d.
Access mechanism
Target mechanism
Transmission mechanism
Incident mechanism
200. c. When incidents fit into more than one category, the incident response te
am should categorize incidents by the transmission mechanism used. For example,
a virus that creates a backdoor that has been used to gain unauthorized access s
hould be treated as a multiple component incident because two transmission mecha
nisms are used: one as a malicious code incident and the other one as an unautho
rized access incident.
201. What is incorrectly classifying a malicious activity as a benign activity
called?
a.
b.
c.
d.
False
False
False
False
negative
positive
warnings
alerts
201. a. Forensic tools create false negatives and false positives. False negativ
es incorrectly classify malicious activity as benign activity. False positives i
ncorrectly classify benign activity as malicious activity. False warnings and fa
lse alerts are generated from intrusion detection system sensors or vulnerabilit
y scanners.
202. Which of the following computer and network data analysis methods dealing
with computerincident purposes helps identify policy violations?
a.
b.
c.
d.
Operational troubleshooting
Log monitoring
Data recovery
Data acquisition
202. b. Various tools and techniques can assist with log monitoring, such as ana
lyzing log entries and correlating log entries across multiple systems. This can
assist with incident handling, identifying policy violations, auditing, and oth
er efforts.
Operational troubleshooting is incorrect because it applies to finding the virtu
al and physical location of a host with an incorrect network configuration, reso
lving a functional problem with an application, and recording and reviewing the
current operating system and application configuration settings for a host.
Data recovery is incorrect because data recovery tools can recover lost data fro
m systems. This includes data that has been accidentally or purposely deleted, o
verwritten, or otherwise modified.
Data acquisition is incorrect because it deals with tools to acquire data from h
osts that are being redeployed or retired. For example, when a user leaves an or
ganization, the data from the users workstation can be acquired and stored in cas
e the data is needed in the future. The workstations media can then be sanitized
to remove all the original users data.
203. Which of the following is best for reviewing packet sniffer data?
a.
b.
c.
d.
203. b. Packet sniffer data is best reviewed with a protocol analyzer, which int
erprets the data for the analyst based on knowledge of protocol standards and co
mmon implementations.
Security event management software is incorrect because it is capable of importi
ng security event information from various network trafficrelated security even
t data sources (e.g., IDS logs and firewall logs) and correlating events among t
he sources.
Log filtering tool is incorrect because it helps an analyst to examine only the
events that are most likely to be of interest. Visualization tool is incorrect b
ecause it presents security event data in a graphical format.
204. What is a technique for concealing or destroying data so that others cannot
access it?
a.
b.
c.
d.
Antiforensic
Steganography
Digital forensic
Forensic science
205. b. After the allegation has been substantiated, the prosecutor should be co
ntacted to determine if there is probable cause for a search. Because of the tec
hnical orientation of a computerrelated crime investigation, presenting a prope
r technical perspective in establishing probable cause becomes crucial to securi
ng a search warrant.
206. Law enforcement agencies have developed personality profiles of computer c
riminals. Careful planning prior to an actual crime is an example of which one o
f the following characteristics?
a.
b.
c.
d.
Organizational characteristics
Operational characteristics
Behavioral characteristics
Resource characteristics
206. b. In many cases, computer crimes are carefully planned. Computer criminals
spend a great deal of time researching and preparing to commit crimes. These ar
e grouped under operational characteristics.
Organizational characteristics describe the ways in which computer criminals gro
up themselves with national and international connections. Behavioral characteri
stics deal with motivation and personality profiles. Resource characteristics ad
dress training and equipment needs and the overall support structure.
207. When n incident reports are made by an organization, it can lead to a wrong
conclusion that:
a.
b.
c.
d.
There
There
There
There
are
are
are
are
n
n
n
n
207. c. It is important not to assume that because only n reports are made, that n i
s the total number of incidents; it is not likely that all incidents are reporte
d.
208. Which of the following should be established to minimize security incident
impact?
a.
b.
c.
d.
The
The
The
The
person
person
person
person
who
who
who
who
Directive controls
Preventive controls
Detective controls
Corrective controls
211. b. Protocols such as the network time protocol (NTP) synchronize clocks amo
ng hosts. This is important for incident response because event correlation will
be more difficult if the devices reporting events have inconsistent clock setti
ngs.
212. Which of the following is required when computer security evidence is tran
sferred from person to person?
a.
b.
c.
d.
212. c. Computer security incident evidence is needed for legal proceedings. Evi
dence should be accounted for at all times; whenever evidence is transferred fro
m person to person; chain of custody forms should detail the transfer and includ
e each partys signature. The other choices are part of evidence log.
213. Inappropriate usage incidents are not detected through which of the followi
ng ways?
a.
b.
c.
d.
Precursors
User reports
Users screen
Threatening email
c. Analysis
d. Reporting
214. d. A computer forensic process dealing with computer incidents is composed
of four phases: collection, examination, analysis, and reporting. Lessons learne
d during the reporting phase should be incorporated into future data analysis ef
forts.
The collection phase is incorrect because it deals with acquiring data from the
possible sources of relevant data and complying with the guidelines and procedur
es that preserve the integrity of the data. The examination phase is incorrect b
ecause it applies the tools and techniques to the collected data in order to ide
ntify and extract the relevant information while protecting its integrity. The a
nalysis phase is incorrect because it analyzes the results of the examination, w
hich may include the actions used in the examination and recommendations for imp
rovement.
215. In terms of functionality, which of the following is not a part of network
forensic analysis tools?
a.
b.
c.
d.
Unusual connections
Unexpected listening ports
Unknown processes
Unusual entries
216. b. The analyst can look at several different aspects of the hosts current st
ate. It is good to start with identifying unusual connections (e.g., large numbe
r, unexpected port number usage, and unexpected hosts) and unexpected listening
ports (e.g., backdoors created by the worm). Other steps that may be useful incl
ude identifying unknown processes in the running process list, and examining the
hosts logs to reveal any unusual entries that may be related to the infection.
217. In a computerrelated crime investigation, maintenance of evidence is impo
rtant for which of the following reasons:
a.
b.
c.
d.
To
To
To
To
a.
b.
c.
d.
218. d. An incident indication analyst sees a large volume of data daily for ana
lysis, which consumes large amounts of time. An effective strategy is to filter
indications so that insignificant indications are not shown or only significant
indications are shown to the analyst.
219. Which of the following is directly applicable to computer security inciden
t prioritization?
a.
b.
c.
d.
Gapfit analysis
Sensitivity analysis
Option analysis
Business impact analysis
Disk image
Standard file system backup
Deleted files
File fragments
220. a. A disk image preserves all data on the disk, including deleted files and
file fragments. A standard file system backup can capture information on existi
ng files, which may be sufficient for handling many incidents, particularly thos
e that are not expected to lead to prosecution. Both disk images and file system
backups are valuable regardless of whether the attacker will be prosecuted beca
use they permit the target to be restored while the investigation continues usin
g the image or backup.
221. Which of the following indications is not associated with a networkbased d
enialofservice attack against a particular host?
a.
b.
c.
d.
Prevent
Detect
Respond
Recover
223. c. Countermeasures and controls prevent, detect, and recover from security
incidents, not respond to them. Incident response emphasizes interactions with o
utside parties, such as the media/press, law enforcement authorities, and incide
nt reporting organizations. It is not easy to exercise control over these outsid
e parties.
224. Which of the following forensic tools and techniques are useful for comply
ing with regulatory requirements?
a.
b.
c.
d.
Operational troubleshooting
Data recovery
Due diligence
Data acquisition
Directive controls
Preventive controls
Detective controls
Corrective controls
Unusual connections
Unexpected listening ports
Unknown processes
Unusual entries
1. b. The analyst can look at several different aspects of the hosts current stat
e. It is good to start with identifying unusual connections (e.g., large number,
unexpected port number usage, and unexpected hosts) and unexpected listening po
rts (e.g., backdoors created by the worm). Other steps that may be useful includ
e identifying unknown processes in the running process list, and examining the h
osts logs to reveal any unusual entries that may be related to the infection.
2. A worm has infected a system. From a network data analysis perspective, whic
h of the following contains more detailed information?
a.
b.
c.
d.
2. c. Intrusion detection system (IDS) and firewall products running on the infe
cted system may contain more detailed information than networkbased IDS and fir
ewall products. For example, a hostbased IDS can identify changes to files or c
onfiguration settings on the host that were performed by a worm. This informatio
n is helpful not only in planning containment, eradication, and recovery activit
ies by determining how the worm has affected the host, but also in identifying w
hich worm infected the system. However, because many worms disable hostbased se
curity controls and destroy log entries, data from hostbased IDS and firewall s
oftware may be limited or missing. If the software were configured to forward co
pies of its logs to centralized log servers, then queries to those servers may p
rovide some useful information.
Networkbased IDS is incorrect because they indicate which server was attacked a
nd on what port number, which indicates which network service was targeted. Netw
orkbased firewalls are typically configured to log blocked connection attempts,
which include the intended destination IP address and port number. Other perime
ter devices that the worm traffic may have passed through, such as routers, VPN
gateways, and remote access servers may record information similar to that logge
d by networkbased firewalls.
3. Which of the following parties is usually not notified at all or is notified
last when a computer security incident occurs?
a.
b.
c.
d.
System administrator
Legal counsel
Disaster recovery coordinator
Hardware and software vendors
EPartners
Suppliers
Investors
Trading partners
4. c. Investors will punish the organization that was subject to a computer secu
rity incident such as hacking. They have the most to lose, thereby negatively im
pacting the companys valuation. The other parties do not have the same stake.
5. A computer security incident was detected. Which of the following is the best
reaction strategy for management to adopt?
a.
b.
c.
d.
Domain 10
Physical and Environmental Security
Traditional Questions, Answers, and Explanations
1. Regarding physical security of cryptography, which modules are used the most
in the production, implementation, and operation of encrypting routers?
a.
b.
c.
d.
which two or more integrated circuits (IC) chips are interconnected and the ent
ire enclosure is physically protected. Examples of such implementations include
encrypting routers or secure radios. Note that the security measures provided to
these modules vary with the security levels of these modules.
The other three choices are incorrect because they are not used in the implement
ation of encrypting routers or secure radios. Singlechip cryptographic modules
are physical embodiments in which a single IC chip may be used as a standalone m
odule or may be embedded within an enclosure or a product that may not be physic
ally protected. Cryptographic modules can be implemented in software, hardware,
firmware, and hybrid.
2. Regarding cryptographic modules, which of the following refers to an attack o
n the operations of the hardware module that does not require physical contact w
ith components within the module?
a.
b.
c.
d.
d. Tamper response
4. b. Tamper is an unauthorized modification that alters the proper functioning
of a cryptographic module or automated information system security equipment in
a manner that degrades the security or functionality it provides. Tamper evidenc
e is the external indication that an attempt has been made to compromise the phy
sical security of a cryptographic module. The evidence of the tamper attempt sho
uld be observable by the module operator subsequent to the attempt.
The other three choices are incorrect because do not indicate a compromise and t
heir actions are internal. Tamper attempt means that an attacker has made a seri
ous try to defeat the physical security of a cryptographic module. Tamper detect
ion is the automatic determination by a cryptographic module that an attempt has
been made to compromise the physical security of the module. Tamper response is
the automatic action taken by a cryptographic module when a tamper attempt has
been detected.
5. Which of the following are not substitutes for tamper evidence of a cryptogra
phic module?
a.
b.
c.
d.
Tamper
Tamper
Tamper
Tamper
5. a. For cryptographic module, tamper detection and tamper response are not sub
stitutes for tamper evidence. Tamper evidence is the external indication that an
attempt has been made to compromise the physical security of a cryptographic mo
dule. The sequence of events taking place is as follows: Tamper prevention comes
first, detection comes next or at the same time as prevention, evidence comes n
ext or at the same time as detection, and response or correction comes last. The
evidence of a tamper attempt should be observable by the module operator subseq
uent to the attempt. Tamper detection is the automatic determination by a crypto
graphic module that an attempt has been made to compromise the physical security
of the module. Tamper response is demonstrated through tamper correction, which
is the automatic action taken by a cryptographic module when a tamper attempt h
as been detected.
6. Which of the following analyzes the variations of the electrical power consu
mption of a cryptographic module to extract information about cryptographic keys
?
a.
b.
c.
d.
d. Physical tokens
7. d. The physical tokens are authorized for the protection of nonmissioncritic
al, unclassified, and nonsensitive IT assets. Physical tokens consist of keys an
d unique documents, such as handcarried orders. When the smart card is used as
a repository of information without requiring the cardholder to input a PIN or w
ithout presenting a biometric reference sample, the smart card is implemented as
a memory card. Hardware tokens can be integrated into either a physical access
control or logical access control solution.
8. From a cryptographic modules physical security viewpoint, tamperevident seal
s or pickresistant locks are placed on covers or doors to protect against unaut
horized physical access to which of the following?
a.
b.
c.
d.
Environmental equipment
Critical security parameters
Configuration management system
Data center furniture
Encryption
Authentication
Fluctuations in temperature
Fluctuations in voltage
a.
b.
c.
d.
1 only
2 only
1 and 2
1, 2, 3, and 4
9. d. The cryptographic modules that contain software must provide for the encry
ption and authentication of all retained parameters and integrity test code when
the module is not in use. In addition, environmental failure protection mechani
sms that protect the module from fluctuations in temperature and voltage are nee
ded.
10. The highest security level of cryptographic modules requires the environmen
tal failure protection from which of the following?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
1 and
3 and
1, 2,
2
3
4
3, and 4
isablement.
11. Regarding cryptographic module security, which of the following must be zer
oized to protect against disablement of services?
1.
2.
3.
4.
a.
b.
c.
d.
1 and
2 and
1, 2,
1, 2,
2
3
and 3
3, and 4
11. c. Both critical security parameters (CSPs) and public security parameters (
PSPs) must be zeroized to protect them against disablement of services. Sensitiv
e security parameters (SSPs) contain both CSPs and PSPs. Any security parameter
need not be protected, only when it is sensitive or critical.
12. Which of the following is the first step to be taken during testing procedur
es of a cryptographic module that were interrupted when the temperature is outsi
de the modules normal operating range?
a.
b.
c.
d.
The
All
The
All
12. c. The first step is to shut down the module to prevent further operation an
d to contain the damage. The next step is to zeroize all critical security param
eters and public security parameters. The module enters a failure mode is the la
st step.
13. Which of the following conditions can result in a failure of a cryptographi
c module during its environmental failure testing procedures?
1.
2.
3.
4.
The
The
The
The
modules
modules
modules
modules
a.
b.
c.
d.
1 and
2 and
2 and
1, 2,
3
3
4
3, and 4
Smart cards
Memory cards
Hardware tokens
Physical tokens
14. b. Memory cards are data storage devices, and they do not process informatio
n but serve as a repository of information. When the smart card is used as a rep
Smart cards
Memory cards
Hardware tokens
Physical tokens
15. a. A smart card has one or more integrated circuit (IC) chips and can store
data using memory chips on the card. The smart cards can process data like a sim
ple computer. When the smart card is used as a repository of information without
requiring the cardholder to input a PIN or without presenting a biometric refer
ence sample, the smart card is implemented as a memory card. Hardware tokens can
be integrated into either a physical access control or logical access control s
olution. Physical tokens consist of keys and unique documents such as handcarri
ed orders.
16. Which of the following physical security devices are equipped with computin
g capabilities integrated into the device?
a.
b.
c.
d.
Smart cards
Memory cards
Hardware tokens
Physical tokens
16. c. Hardware tokens (etokens) are devices with computing capabilities integr
ated into the device. For example, hardware tokens can be integrated into either
a physical access control or logical access control solution. When the smart ca
rd is used as a repository of information without requiring the cardholder to in
put a personal identification number (PIN) or without presenting a biometric ref
erence sample, the smart card is implemented as a memory card. Physical tokens c
onsist of keys and unique documents, such as handcarried orders.
17. Which of the following physical security devices are suitable for protectin
g IT assets with a low risk and low confidentiality level?
a.
b.
c.
d.
Smart cards
Memory cards
Hardware tokens
Physical tokens
17. d. Physical tokens provide a low level of assurance and are only suitable fo
r use when protecting IT assets with a low risk and low confidentiality level. P
hysical tokens consist of keys and unique documents, such as handcarried orders
. When the smart card is used as a repository of information without requiring t
he cardholder to input a personal identification number (PIN) or without present
ing a biometric reference sample, the smart card is implemented as a memory card
. Hardware tokens can be integrated into either a physical access control or log
ical access control solution.
18. From a cryptographic modules physical security viewpoint, which of the follo
wing refers to timing analysis attack?
a. Elapsed time between when the command is issued and the time the result is ob
tained
b. Elapsed time between when the vulnerability is discovered and the time it is
exploited
a.
b.
c.
d.
1
1
1
2
and
and
and
and
2
3
4
4
Physical keys
Threeplane keys
Conventional keys with locksets
Pickresistant locksets
20. b. A threeplane key (3plane key) is used as a physical access control meth
od, is more secure and complex, is complicated to copy, requires blank key stock
s, which are not readily available to adversaries, and is more difficult to coun
terfeit, and the locks controlled by 3plane keys are more difficult to compromi
se. Physical keys are simple keys that are highly susceptible to copying or thef
t, and locks controlled by simple keys are easy to compromise. Conventional keys
with locksets are inexpensive but easy to duplicate (copy). Pickresistant lock
sets are more expensive than conventional keys with locksets, and the keys are m
uch more difficult to duplicate. The pickresistant locksets are not as strong o
r secure as the 3plane keys.
21. Which of the following is not an example of fire suppression and detection d
evices?
a.
b.
c.
d.
21. a. Master shutoff valves are closed in the event of a significant water leak
. The other three choices are part of the fire suppression and detection devices
.
22. What is the best action to take when there is no uninterruptible power suppl
y (UPS) in a data center?
a.
b.
c.
d.
Install
Install
Install
Install
a
a
a
a
surge suppressor.
line conditioner.
backup generator.
transformer.
22. b. Undervoltages represent the majority of power problems (sags and brownou
ts) for computer systems. Instantaneous power from UPS prevents data loss caused
by sags and brownouts. UPS is superior to separate surge suppressors. A line co
nditioner automatically corrects undervoltages and overvoltages to levels that
are safe for the computer system. Both generators and transformers are power so
urces that need to be cleaned for computer use because computers are sensitive.
23. What is the best technique to identify an intruder?
a.
b.
c.
d.
23. d. A video
ish a positive
three choices
24. What would
a.
b.
c.
d.
Call the
Pull the
Evacuate
Call the
fire department.
fire alarm device.
people from the building.
police department.
24. c. The first thing is to save peoples lives, and therefore evacuating people
from the building on fire is the right thing to do. The actions mentioned in the
other choices can be performed later.
25. The most frequently used fencing for physical security purposes is which of
the following?
a.
b.
c.
d.
Barbed wire
Concertina wire
Chainlink
Barbed tape
Eightfoot wall
Eightfoot wall with barbed wire on top
Electric gate
Key and locked door
26. b. An eightfoot wall with barbed wire is more secure than the other choices
mentioned. The requirements for barbed wire include that its height should not
be less than 7 feet, excluding top guard. It is a twisted, doublestranded, 12g
auge wire. Intruders will have a problem climbing or standing over because the w
ire cannot hold any person straight up. Using a long ladder can circumvent an 8
foot wall. An electric gate can be opened by guessing passwords or other codes u
sed to open and close it. A key and locked door is easy to break in by tampering
with it.
27. The best location for a data center in a multistoried building is on which o
f the following:
a.
b.
c.
d.
First floor
Basement level
Top floor
Any floor other than the above
27. d. The first floor is not a good location to prevent undesirable access. The
basement is not good because of flooding and volatile storage. The top floor of
a highrise building is not good because it may be beyond reach of fire departm
ent equipment.
28. Which of the following is not a complementary control when implementing the
given logical access security controls?
a.
b.
c.
d.
Access profiles
User ID
ID badge card
Password
28. c. Identification (ID) badge cards are an example of physical security contr
ols and are not complementary with the given logical security controls. A functi
on or an area need not be weak to use complementary controls. Complementary cont
rols can enhance the effectiveness of two or more controls when applied to a bus
iness function, computer program, or operation. These individual controls are ef
fective as a standalone and are maximized when combined or integrated with each
other. In other words, complementary controls have a synergistic effect. Access
profiles, user IDs, and passwords go together to provide a moderate level of an
access control mechanism. Profiles are needed for each system user to define wha
t he can do on the system. User IDs and passwords are needed to identify and aut
henticate the user to the computer system. These three controls are examples of
logical access security controls, where they provide a technical means of contro
lling what information users can utilize, the computer programs they can run, an
d the modifications they can make to programs and data files.
29. Why is it better to use a biometric control along with an access key?
a.
b.
c.
d.
It
It
It
It
provides
provides
provides
provides
a
a
a
a
preventive control.
detective control.
corrective control.
twofactor control.
29. d. Biometrics and access keys are two separate controls, providing a twofac
tor authentication. When they are combined in a session, they provide a synergis
tic or combination control. The total effect is greater than the single control
alone.
30. Which of the following is ineffective in extinguishing Class A and B fires i
n a building?
a.
b.
c.
d.
Carbon dioxide
Water fog
Dry powder
Dry chemical
30. c. Dry powder is effective against Class D fires and ineffective against Cla
ss A and B fires. The other three choices are effective against Class A and B fi
Sags
Spikes
Blackouts
Surges
Water
Carbon dioxide
Soda ash
Halon gas
33. a. Water takes the heat off the fire, and it is safe compared to the other
choices. Carbon dioxide, soda ash, and Halon can be injurious.
34. What is an undervoltage in electric power called?
a.
b.
c.
d.
Brownout
Blackout
Burnout
Dropout
34. a. A brownout is a condition in which electrical power dips below normal for
more than a few seconds and is caused by undervoltage. Brownouts are a result
of a load near to or equaling generating capacity. A blackout is a complete loss
of electrical power (that is, actual failure). Blackouts can result from windst
orms, floods, failures of electronic system equipment, or human error. A dropout
is an area on a disk or tape that cannot effectively record data. Persistent br
ownouts can cause data corruption and loss and can also cause computer power sup
plies to overheat and burn out.
35. Which of the following fire types is most common?
a. Furniture fires
b. Electrical fires
c. Paper fires
d. Gasoline fires
35. b. Statistics indicate that most fires are electrical in origin. Furniture f
ires and paper fires are Class A fires, whereas gasoline fires are Class B fires
.
36. Electronic surveillance and wiretapping has increased due to which of the f
ollowing?
a.
b.
c.
d.
Telephone lines
Bugging techniques
Microchip technology
Surveillance equipment
36. c. Miniaturization has greatly aided spying. With advances in microchip tech
nology, transmitters can be so small as to be enmeshed in wallpaper, inserted un
der a stamp, or placed on the head of a nail.
37. The failure of a sprinkler system most often is due to which of the followin
g reasons?
a.
b.
c.
d.
Equipment error
Computer error
Human error
Design error
37. c. The failure of a sprinkler system most often is due to human errorthe wate
r supply was turned off at the time of the fire.
38. When freezing temperatures and broken pipes are a problem, which of the fol
lowing should be used?
a.
b.
c.
d.
Wetpipe system
Drypipe system
Carbondioxide system
Halon system
38. b. When freezing temperatures and broken pipes are a problem, the drypipe s
ystem is useful. Air pressure is maintained in the pipes until a sprinkler head
ruptures. Then, the air escapes, and water enters the pipes and exits through th
e opened sprinklers. With the wetpipe system, water is in the pipes at all time
s and is released when heat ruptures the seal in the sprinkler head.
39. Which of the following cannot defend the computing environment?
a.
b.
c.
d.
Operating systems
Biometrics
Cryptographic key recovery
Hardware tokens
39. c. Operating systems, biometrics, and hardware tokens, either alone or toget
her, can defend the computing environment. The cryptographic key recovery is a p
art of key management infrastructure/public key infrastructure (KMI/PKI), which
is a supporting infrastructure for information assurance. The cryptographic key
recovery by itself cannot defend the computing environment.
40. Information leakage occurs due to which of the following physical and envir
onmental hazards?
a.
b.
c.
d.
Flooding
Electromagnetic radiation
Vandalism
Electrical interference
akage due to electromagnetic signal emanations. All the other choices are exampl
es of hazards but not related to an information leakage problem.
41. Which of the following is a direct physical measure used to protect the int
egrity and confidentiality of transmitted information?
a.
b.
c.
d.
41. a. The information system should protect the integrity and confidentiality o
f transmitted information with a protective distribution system in the first pla
ce (a physical measure). The other three choices are alternatives to the protect
ive distribution system. Transport layer security (TLS) is an authentication and
security protocol widely implemented in Web browsers and servers. Internet prot
ocol security (IPsec) provides security capabilities at the IP layer of communic
ations. An organization employs cryptographic mechanisms to ensure recognition o
f changes to information (i.e., integrity) and to prevent unauthorized disclosur
e of information (i.e., confidentiality) during transmission. The other three ch
oices do not directly deal with physical measures.
42. Which of the following information security control families requires a cro
sscutting approach?
a.
b.
c.
d.
Contingency planning
Identification and authentication
Maintenance
Physical and environmental protection
Wet pipe
Preaction pipe
Water pipe
Gas pipe
43. b. A wet pipe releases water at a set temperature. The preaction pipe sound
s an alarm and delays water release. A water pipe does not delay water release.
A gas pipe is not relevant here.
44. What is the best location for a data center?
a.
b.
c.
d.
Near stairways
Near elevators
Near restrooms
Any location other than the above
44. d. The objective is to reduce the risk of close physical proximity in terms
of vandalism and other disasters (e.g., bombings). The data center should be rem
ote from publicly used areas due to their easy access for both insiders (disgrun
tled employees) and outsiders (intruders).
45. Which of the following security safeguards is ineffective in an online appl
ication system serving multiple users at multiple locations?
a. Procedural controls
b. Physical controls
c. Hardware controls
d. Software controls
45. b. An online application system serving multiple users at multiple locations
assumes that a network is in place. With a network there is often no centralize
d computer room with physical security controls that can be implemented. Therefo
re, physical controls are ineffective. Examples of physical controls include loc
ked doors, intrusion detection devices, security guards, and magnetic badge read
ers that restrict physical access. Procedural controls are incorrect because the
y include instructions to request a user profile, adding and deleting users, and
instructions to request database views, and so on. Hardware controls are incorr
ect because they include fault tolerance devices such as disk mirroring and disk
duplexing, smart card processing, encryption, parity checks, and switched ports
. Software controls are incorrect because they include user IDs and passwords, s
mart card processing, encryption, check digits, and message authentication.
46. What is the most effective control in handling potential terrorist attacks,
especially bombing?
a.
b.
c.
d.
46. c. There is no substitute for vigilant and resourceful security guards prote
cting the buildings. Simulation software is available that can assess the vulner
ability of a structure to explosive blasts by simulating the detonation of devic
es at various design points. Security can be improved by simply keeping vehicles
away from a near proximity to the structure. It also makes sense to examine all
letters and parcels coming into a building for explosives.
47. Which of the following is the most commonly used sprinkler system?
a.
b.
c.
d.
Wetpipe system
Drypipe system
Carbon dioxide system
Halon system
47. a. Wetpipe systems are the most commonly used and are applicable when freez
ing is no threat to their operation. The next most popular one is the dry pipe.
The carbon dioxide system is dangerous to peoples health, and the Halon system ca
nnot be used any more due to a halt in Halon production.
48. Which of the following statements about sprinkler systems is not always true
?
a.
b.
c.
d.
Sprinkler
Sprinkler
Sprinkler
Sprinkler
systems
systems
systems
systems
48. a. When properly installed, maintained, and provided with an adequate supply
of water, automatic sprinkler systems are highly effective in protecting buildi
ngs and their contents. Nonetheless, you often hear uninformed people speak of t
he water damage done by sprinkler systems as a disadvantage. Fires that trigger
sprinkler systems cause the water damage. In short, sprinkler systems reduce the
fire damage, protect the lives of building occupants, and limit the fire damage
to the building itself.
49. Which of the following is a physical security measure for cryptographic key
s such as plaintext secret keys and private keys during their physical maintenan
ce?
a. Zeroization proof
b. Zeroknowledge proof
c. Zerodefects proof
d. Zeroquantum proof
49. a. When performing physical maintenance, all plaintext secret and private ke
ys and other unprotected critical security parameters (CSPs) contained in the cr
yptographic module should be zeroized. Zeroization proof is a method of erasing
electronically stored data by altering the contents of the data storage so as to
prevent the recovery of data. The cryptographic module can either perform zeroi
zation procedurally by the operator or automatically.
The other three choices do not provide security measures for cryptographic keys.
Zeroknowledge proof deals with keeping information secret in that it refers to
one party proving something to another without revealing any additional informa
tion. Zerodefects proof is a total quality management concept in which products
are made with zero defectsone of the goals of quality. Zeroquantum proof is bas
ed on principles of quantummechanics where eavesdroppers alter the quantum stat
e of the cryptographic system.
50. Which of the following is the best defense against hardwarebased key logger
s?
a.
b.
c.
d.
50. b. A key logger is software or hardware that collects every keystroke a user
makes on his PC. Law enforcement authorities have used key loggers as a form of
wiretap against suspected individuals. Now some viruses and worms can install k
ey loggers to search for passwords and account numbers. The hardwarebased key l
ogger device plugs in between the user keyboard and his PC, which requires physi
cal access to the PC to install the device. Under these circumstances, physical
security controls are the best defense against hardwarebased key loggers.
51. Which of the following is not an explicit design goal of a physical protecti
on system based on sound engineering principles?
a.
b.
c.
d.
Provide protectionindepth.
Provide lineofsight to assets.
Minimize the consequences of component failures.
Exhibit balanced protection.
Response
Deterrent
Detection
Defeat
52. b. Delay is the slowing down of adversary progress. Delay can be accomplishe
d by responseforce personnel (security guards), barriers, locks, and activated
and automated delays. The measure of a delays effectiveness is the time required
by the adversary after detection to bypass each delay element. Therefore, delay
before detection is primarily a deterrent.
Response is incorrect because it consists of the actions taken by the response f
No
No
No
No
more
more
more
more
than
than
than
than
one door
two doors
three doors
four doors
53. b. A secure and safe room should have no more than two doors. These doors sh
ould be solid, fireproof, lockable, and observable by physical security staff. O
ne door is for entrance and the other one is for exit according to building fire
code. Too many doors provide too many escape routes for an intruder that securi
ty staff cannot observe.
54. Which of the following is not one of the four legs of a fire?
a.
b.
c.
d.
Heat
Fuel
Oxygen
Smoke
54. d. Smoke is a byproduct of a fire whereas heat, fuel, oxygen, and chemical r
eaction are the four legs of a fire.
55. Where do you start when considering physical security protection for new co
mputer facilities?
a.
b.
c.
d.
Front to back
Back to front
Outside in
Inside out
55. d. The best strategy is to start with interior security, proceed to the exte
rior security, and then to the outer perimeter. This path provides a clear pictu
re of all areas needing protection and ensures completeness of analysis.
56. Dry powder is used to extinguish which of the following fires?
a.
b.
c.
d.
Class
Class
Class
Class
A
B
C
D
fires
fires
fires
fires
Motion sensors
Control unit
Monitor unit
Transmission lines
57. c. The physical intrusion detection system contains four components: motion
sensors, control unit, monitor unit, and transmission lines. These components ar
e integrated to operate in a specified manner. A monitor unit is a device that s
enses and reports on the condition of a system. Motion sensors detect movement i
nside the area to be protected. A control unit is the terminal box for all senso
Proximity sensors
Microwave sensor
Ultrasonic sensor
Photoelectric sensor
Contact sensor
Duress sensor
Vibration sensor
Infrared sensor
60. b. The duress sensor is used to call for assistance in case of danger, and i
t consists of a hand or footoperated switch usually found in bank teller areas
. A contact sensor is activated when an electrical circuit is broken. A vibratio
n sensor detects forced entry through metal barriers placed over windows, for ex
ample. An infrared sensor detects body heat.
61. An effective physical security control when accessing sensitive facilities
and systems includes which of the following?
a.
b.
c.
d.
Smart card
Biometric measure
Photo ID
Combination of smart card, biometric, and photo ID
61. d. Smart card technology, in combination with biometrics, offers great level
s of security when accessing buildings, computers, and large dollar accounts. Th
e smart card can be used in a number of ways to identify the cardholder to the p
hysical access control system. These include (i) carrying a number that can be u
sed to retrieve the cardholders access privileges from the physical access contro
l systems files, (ii) carrying access control privileges onboard the card, (iii)
carrying a photo ID to verify the cardholders identity, and (iv) carrying a biom
etric template against which the cardholders live scan is compared to verify the
cardholders identity.
62. A power brownout condition is which of the following?
a.
b.
c.
d.
Longterm lag
Longterm sag
Shortterm lag
Shortterm sag
It
It
It
It
is
is
is
is
a
a
a
a
63. a. A voltage spike is a sharp but brief increase in voltage, commonly caused
by the turning off of heavy electrical loads such as air conditioners or photoc
opiers. The other three choices are meaningless.
64. Water sprinklers operate at what temperatures?
a.
b.
c.
d.
Between
Between
Between
Between
120
130
135
145
and
and
and
and
130
165
145
160
F
F
F
F
64. b. Most water sprinkler systems operate at temperatures between 130 and 165
degrees Fahrenheit.
65. Which one of the following fire sensors is useful in giving an early warnin
g?
a.
b.
c.
d.
Ionization detector
Photoelectric smoke detector
Infrared flame detector
Thermal detector
65. a. The ionization detector is useful in giving an early warning so that huma
n lives can be saved. It uses an ion exchange process to achieve the detection.
The photoelectric smoke detector alarms when the source of light is interrupted.
The infrared flame detector reacts to emissions from flame. The thermal detecto
r operates on a significant change in temperature.
66. Which one of the following fire stages does not produce smoke?
a.
b.
c.
d.
Incipient stage
Smoldering stage
Flame stage
Heat stage
66. a. A normal fire proceeds through four stages: the incipient, smoldering, fl
ame, and heat stages. In the incipient stage, no smoke is emitted. Smoke begins
to appear in the smoldering stage. In the flame stage, actual flame can be seen.
The heat is intense and building up in the final, heat stage.
67. Which one of the following water sprinkler system elements consists of fire
activated devices?
a.
b.
c.
d.
Water
Water
Water
Alarm
supply
heads
control valves
system
67. b. A water sprinkler system consists of the following elements: water supply
, fireactivated sprinkler devices (heads), water control valves, and a mechanis
m to activate the audible alarm system.
68. What is the first step to do in case of a fire?
a.
b.
c.
d.
68. a. As part of fire prevention tips, fire should be reported first, and then
attempts should be made to extinguish it. Other actions include (i) never open a
hot door, (ii) pull alarm system, and (iii) try to escape.
69. Which one of the following is filled with water?
a.
b.
c.
d.
Smoke/fire detectors
Water sprinklers
Uninterruptible power supply equipment
Fire or evacuation drills
70. c. Uninterruptible power supply (UPS) equipment does not by itself help in e
xtinguishing a fire. UPS can prolong an electrical power supply when there is a
power failure. Smoke/fire detectors combined with water sprinklers can help dete
ct or put out an actual fire. Fire or evacuation drills can help in getting read
y for an actual fire. A single control would rarely suffice to meet control obje
ctives. Rather, a combination of controls is needed to make up a whole and to pr
ovide a synergistic effect. In the example, all three controls are needed to be
effective.
71. Modern drypipe systems:
a.
b.
c.
d.
71. d. Drypipe systems are more sophisticated than waterbased sprinkler system
s. They minimize the chances of accidental discharge of water because they disch
arge water only as needed. Therefore, they are a substitute for waterbased spri
nkler systems, which are used to extinguish fire. Carbon dioxide is a clean gas
and does not leave a residue on computer equipment or magnetic media. However, i
ts use is diminishing due to potential health problems. Carbon dioxide and water
sprinklers, respectively, are ranked from most to least harmful to people when
activated.
72. Which of the following causes more fire fatalities?
a. Smoke
b. Toxic gases
c. Heat
d. Flames
72. b. Toxic gases cause more fire fatalities than flames, smoke, or heat.
73. Which one of the following replacements for the Halogenated agents (Halon 1
211 and 1301) is the safest to humans?
a.
b.
c.
d.
FM200
Argon
Water fog
Inergen
73. c. The production of Halogenated agents (Halon 1211 and 1301) was stopped in
January 1994 due to their depletion of the ozone layer. Many replacements were
found, but the water fog is the safest one to humans.
74. Which of the following prevents tailgating or piggybacking in a computer ce
nter?
a.
b.
c.
d.
Cameras
Mantraps
Sensors
Alarms
75. c. Prior to any wiring installation, it is good to contact the official loca
l building code standard sources and people to ensure that the planned cable pla
nt is consistent with electrical and fire codes. This is to protect the safety a
nd security of the facility. Physical security controls can include acquiring de
dicated space with a locked door to serve as a wiring closet. After checking wit
h the local building codes, the next step is to test the cable for bad spots. By
labeling both ends of a cable, a builtin map is available that identifies each
cable, its termination point and length, and electrical characteristics.
76. Which of the following should be considered as delaying devices in physical
security?
a.
b.
c.
d.
Lights
Safes
Locks
Vaults
76. c. Locks are considered as delaying devices only and not bars to entry. The
longer it takes to open or break a lock, the shorter the patience for an intrude
r, and the wider the window of opportunity for detection. The idea is that offic
ials will soon be arriving at the place if it takes longer to open a lock.
Inspection
History of losses
Security controls
Security budget
77. d. Examining a security budget cannot reveal much because there is no direct
correlation between the budget and the vulnerability. An inspection of the faci
lity by an experienced inspector can reveal the status of the facility and its a
ssociated controls. Examination of the facilitys record of losses can reveal how
bad the situation is. The degree of security controls installed can reveal wheth
er highvalue property is properly safeguarded from theft by insiders or attack
by outsiders.
78. Which of the following is a safe practice to ensure physical security?
a.
b.
c.
d.
Deter
Detect
Delay
Deny
Class
Class
Class
Class
A
B
C
D
fires
fires
fires
fires
80. b. A seismic detector is a device that senses vibration or motion and thereb
y senses a physical attack upon an object or structure. A vibration detector is
the same as a seismic detector. A proximity detector is a device that initiates
a signal (alarm) when a person or object comes near the protected object. An int
rusion detector is a device designed to detect an individual crossing a line or
entering an area.
81. Which of the following represents the upper end of the protection scale aga
inst electrical problems (e.g., sags) in a computer center?
a.
b.
c.
d.
Battery backup
Power filters
Power conditioners
Uninterruptible power supply
81. d. The order of the protection scale from the lower end to upper end is as f
ollows: battery backup, power filters, power conditioners, and uninterruptible p
ower supply (UPS). Battery backup has a short life (that is, lowend protection)
compared to the UPS (which is highend protection). Power filters filter the sa
gs, spikes, and impulse noises. Power conditioners regulate the voltage into the
system. A UPS can clean up most of the power problems such as spikes, surges, s
ags, brownouts, blackouts, frequency variations, transient noises, and impulse h
its.
82. Which of the following pairs of items create a conflicting situation in a c
omputer center?
a.
b.
c.
d.
82. b. Sprinkler systems are desirable if the computer room construction contain
s combustible materials. Although sprinklers extinguish fire, extensive water ca
n damage some areas and materials in the room due to use of the sprinkler system
. Therefore, sprinkler systems and water damage create a conflicting situation.
Fireresistant file cabinets and vital records have no conflict because vital re
cords should be stored in a fireresistant cabinet file. Fire detection systems
and alarms have no conflict because fire detection and extinguishing systems sho
uld have alarms to signal trouble and to communicate problems to a specific loca
tion that is always manned. Furniture and equipment and noncombustible materials
have no conflict because furniture and equipment in a computer room should be c
onstructed of metal or other noncombustible material.
83. What is the least important factor to be considered when selecting an uninte
rruptible power system (UPS)?
a.
b.
c.
d.
Fuel options
Electrical load
Battery duration
Physical space
Smoke
Smoke
Smoke
Smoke
detection
detection
detection
detection
equipment
equipment
equipment
equipment
shuts
shuts
shuts
shuts
down
down
down
down
the
the
the
the
wetpipe equipment.
air conditioning equipment.
preaction pipe equipment.
water pipe equipment.
84. b. The smoke detection system should shut down the air conditioning equipmen
t. Similarly, an emergency power shutdown should include shutting down the air c
onditioning system. The reason is that when there is smoke or a power loss, the
air conditioning equipment should be turned off so that people do not inhale smo
ke.
85. What is not a proper place for installing smoke detectors?
a.
b.
c.
d.
85. d. Putting a smoke detector in water drains on the floor is improper. For ma
ximum use and benefit, smoke detectors should be installed in the ceiling, under
the raised floor, and in air return ducts.
86. Which of the following is the best place for sounding an alarm coming from a
computer room?
a.
b.
c.
d.
Local station
Security guard station
Central station
Fire or police station
86. d. The best place for sounding an alarm coming from a computer room is at a
fire or police station because immediate action can be taken. There can be a del
ay at the other three choices.
87. Physical access controls are a part of which of the following?
a.
b.
c.
d.
Directive controls
Preventive controls
Detective controls
Corrective controls
87. b. Physical access controls are a part of preventive controls, as they inclu
de locks, security guards, and biometric devices. Preventive controls deter secu
rity incidents from happening in the first place.
Directive controls are broadbased controls to handle security incidents, and th
ey include managements policies, procedures, and directives. Detective controls e
nhance security by monitoring the effectiveness of preventive controls and by de
tecting security incidents where preventive controls were circumvented. Correcti
ve controls are procedures to react to security incidents and to take remedial a
ctions on a timely basis. Corrective controls require proper planning and prepar
ation as they rely more on human judgment.
88. The justification process in selecting electronic surveillance and wiretapp
ing detection equipment includes which of the following?
a. Low cost of detection equipment, high value of assets to be protected, and a
high rate of equipment usage
b. Medium cost of detection equipment, high value of assets to be protected, and
a low rate of equipment usage
c. High cost of detection equipment, high value of assets to be protected, and a
high rate of equipment usage
d. Low cost of detection equipment, low value of assets to be protected, and a h
igh rate of equipment usage
88. c. The high cost of detection equipment is justified when the assets to be p
rotected are highly valued and when a high rate of use can be made of the equipm
ent. This is based on the costbenefit principle.
89. Which of the following parties poses a greater risk to an organization when
guarding against electronic surveillance and wiretapping activities?
a. Spy stationed in another building
b. Janitor in the same building
91. a. A number of security measures are available to address electric power fai
lures differing in both cost and performance. For example, the cost of a UPS dep
ends on the size of the electric load it can support, the number of minutes it c
an support the load, and the speed with which it assumes the load when the prima
ry power source fails. An onsite power generator can also be installed either in
lieu of a UPS or to provide longterm backup to a UPS system. The size of the g
as fuel supply is a design decision along with the magnitude of the load the gen
erator will support and the facilities to switch the load from the primary sourc
e or the UPS to the onsite generator.
92. What instrument measures atmospheric humidity in a computer room?
a.
b.
c.
d.
Hygrometer
Hydrometer
Barometer
Voltmeter
b. Password
c. Magnetic stripe card
d. Visitor log
93. b. Passwords provide logical access controls, not physical access controls.
The other three choices are examples of complementary physical access controls.
Each control enhances the other. A function or an area doesnt need to be weak to
use complementary controls. Complementary controls can magnify the effectiveness
of two or more controls when applied to a function, program, or operation. Iden
tification (ID) badge cards, magnetic stripe cards, and visitor logs have a syne
rgistic effect in providing a strong physical access control.
94. Which of the following is not appropriate to ensure continuity of electric p
ower supply?
a.
b.
c.
d.
Disk mirroring
Power line conditioners
Uninterruptible power supply equipment
Backup generators
94. a. Disk mirroring is not appropriate to ensure the continuity of the electri
c power supply because it prevents data loss. It is a faulttolerant mechanism b
ecause it copies and stores data in two places (disks). The other three choices
are incorrect because they are needed to provide continuity of the electric powe
r supply. Power line conditioners smooth out power fluctuations. Uninterruptible
power supply (UPS) equipment provides relief from short power outages. Backup g
enerators support relief from long power outages.
95. Which of the following is not a benefit of automated environmental controls
over manual monitoring?
a.
b.
c.
d.
95. c. The automation of monitoring and controlling the environmental system can
help minimize the damage and speed up the recovery process. The major objective
is to reduce the effect of a disaster resulting from malfunctioning of the envi
ronmental control system. Manual monitoring can be time consuming, error prone,
and unreliable because it requires constant attention.
96. Which of the following controls is not appropriate to prevent unauthorized p
eople from entering a computer center?
a.
b.
c.
d.
Doublelocked doors
CCTV monitors
Terminal IDs
Picture ID badges
96. c. Logical access controls verify the terminal identification (ID) number an
d are not a part of physical security. Logical access controls provide a technic
al means of controlling what information users can utilize, the programs they ca
n run, and the modifications they can make. The other three choices deal with ph
ysical security, which is the right kind of control to prevent unauthorized peop
le from entering a computer center.
97. Which one of the following statements is not true regarding a waterbased fi
re extinguishing system?
a.
b.
c.
d.
97. c. Water and Halon gas should be used with heat and smoke detectors and mech
anisms for automatically shutting off electrical power and air conditioning devi
ces. (That is, they are not used in a waterbased fire extinguishing system.) It
is true that water cools the equipment relatively quickly. It is true that the
release of water can be localized to where it is needed. It is true that jet spr
ayers can be an alternative to water sprinklers. Jet sprayers located on the cei
ling spray a fine water mist that turns to steam on contact with the fire, smoth
ering it.
98. Controls such as locked doors, intrusion detection devices, and security gu
ards address which of the following risks?
a.
b.
c.
d.
Heat failure
Fraud or theft
Power failure
Equipment failure
98. b. Locked doors, intrusion detection devices, and security guards that restr
ict physical access are important preventive measures to control sabotage, riots
, fraud, or theft. Sabotage can be caused by a disgruntled employee as well as b
y outsiders. Personnel policies should require the immediate termination and rem
oval from the premise of any employee considered a threat. Restricting access to
information that may be altered reduces fraud or theft exposures.
Heat failure may cause an inconvenience to employees. Power failure can be contr
olled by uninterruptible power supply. Equipment failure may result in extended
processing delays. Performance of preventive maintenance enhances system reliabi
lity and should be extended to all supporting equipment, such as temperature and
humidity control systems and alarm or detecting devices.
99. Which of the following security controls is the simplest safeguard with the
least amount of delay?
a.
b.
c.
d.
99. c. Physical security is achieved through the use of locks, guards, and admin
istratively controlled procedures such as visitor badges. It also protects the s
tructures housing the computer and related equipment against damage from acciden
t, fire, and environmental hazards, thus ensuring the protection of their conten
ts. Physical security measures are the first line of defense against the risks t
hat stem from the uncertainties in the environment as well as from the unpredict
ability of human behavior. Frequently, they are the simplest safeguards to imple
ment and can be put into practice with the least delay. The controls listed in t
he other three choices take a long time to implement and are not simple to insta
ll.
100. Which of the following is not a technical security measure?
a.
b.
c.
d.
Hardware
Software
Firmware
Physical control
100. d. A major part of the security of an IT system can often be achieved throu
gh nontechnical measures, such as organizational, personnel, physical, and admin
istrative controls. However, there is a growing tendency and need to employ tech
nical IT security measures implemented in hardware, software, and firmware eithe
r separately or converged.
101. Which of the following is not a protective measure to control physical acce
ss to information system distribution and transmission lines?
a.
b.
c.
d.
Card readers
Locked wiring closets
Locked jacks
Protected cables
101. a. Card readers are physical access devices to control entry to facilities
containing information systems. Protective measures to control physical access t
o information system distribution and transmission lines include locked wiring c
losets, disconnected or locked spare jacks, and cables protected by conduit or c
able trays.
102. Biometricsbased access controls are implemented using which of the follow
ing?
a.
b.
c.
d.
102. b. Physical controls (e.g., memory cards, smart cards, or hardware tokens)
are used to identify a user, and logical controls (e.g., fingerprint or voice pr
int) are used to authenticate the same user.
103. Protective lighting does which of the following for computer facilities?
a.
b.
c.
d.
103. b. Protective lighting should act as a deterrent and make detection likely.
The lighting should enable the security staff to observe others without being s
een.
104. The effectiveness of physical security controls is most determined by whic
h of the following?
a.
b.
c.
d.
104. b. Organizations should determine whether intruders could easily defeat the
controls (i.e., vulnerabilities) in the access control devices. Until the vulne
rabilities are eliminated, implementation and operation of the control device do
not matter much.
105. Which of the following intruder detection systems cannot be used as a prima
ry system?
a.
b.
c.
d.
A
A
A
A
persons
persons
persons
persons
body
body
body
body
weight
weight
weight
weight
and
and
and
and
a
a
a
a
smart card
biometric feature
memory card
personal identification number
106. b. Mantraps are used in highlysensitive areas and have a builtin weighing
scale. The mantrapcontrolling software looks at a combination of a persons body
weight and a biometric feature such as fingerprint scan, hand geometry, facial
recognition, iris scan, and voice recognition, and compares it to stored informa
tion about that person. Smart cards, memory cards, and personal identification n
umbers (PINs) can be stolen or lost, and they are a weak form of authentication
even when combined with the body weight. A persons body weight and a biometric fe
atures authenticate what the user is, which is stronger than the other controls.
107. The primary function of a physical protection system should be performed i
n which of the following order?
a.
b.
c.
d.
Communication
Interruption
Assessment
Deployment
108. c. When a physical intrusion detection alarm is initiated and reported, sit
uation assessment begins. You need to know whether the alarm is a valid or a nui
sance alarm and details about the cause of the alarm.
109. Which of the following is the most costly countermeasure to reduce physical
security risks?
a.
b.
c.
d.
Procedural controls
Hardware devices
Electronic systems
Personnel
109. d. Personnel such as security guards are the greatest expense due to direct
salaries plus fringe benefits paid to them. It is good to use people only in th
ose areas where procedural controls, hardware devices, or electronic systems can
not be utilized at all or cannot be utilized more effectively.
Procedural controls, such as logging visitors and recording temperatures, are ge
nerally the least expensive. They can be manual or automated; the latter can be
expensive. Hardware devices can include, for example, locks, keys, fences, gates
, document shredders, vaults, and barricades. Electronic systems can include, fo
r example, access controls, alarms, CCTV, and detectors.
110. Which of the following is the last line of defense in a physical security?
a.
b.
c.
d.
Perimeter barriers
Exterior protection
Interior barriers
People
110. d. The perimeter barriers (e.g., fences) are located at the outer edge of p
roperty and usually are the first line of defense. The exterior protection, such
as walls, ceilings, roofs, and floors of buildings, is considered the second li
ne of defense. Interior barriers within the building such as doors and locks are
considered the third line of defense. After all the preceding defenses fail, th
e last line of defense is peopleemployees working in the building. They should qu
estion strangers and others unfamiliar to them.
111. Which of the following has a bearing on opportunities for electronic surve
illance?
a.
b.
c.
d.
Electrical characteristics of
Physical characteristics of a
Mechanical characteristics of
Environmental characteristics
a building
building
a building
of a building
ID badge card
Password
Magnetic stripe card
Visitor log
a.
b.
c.
d.
Doublelocked doors
Television monitors
Terminal IDs
Picture ID badges
2. c. Logical access controls verify the terminal identification (ID) number and
not a part of physical security. Logical access controls provide a technical me
ans of controlling what information users can utilize, the programs they can run
, and the modifications they can make. The other three choices deal with physica
l security, which is the right kind of control to prevent unauthorized people fr
om entering a computer center.
3. Controls such as locked doors, intrusion detection devices, and security gua
rds address which of the following risks?
a.
b.
c.
d.
Heat failure
Fraud or theft
Power failure
Equipment failure
3. b. Locked doors, intrusion detection devices, and security guards that restri
ct physical access are important preventive measures to control sabotage, riots,
fraud, or theft. Sabotage can be caused by a disgruntled employee and by outsid
ers. Personnel policies should require the immediate termination and removal fro
m the premise of any employee considered a threat. Restricting access to informa
tion that may be altered reduces fraud or theft exposures. Power failure can be
controlled by an uninterruptible power supply. Heat failure may cause an inconve
nience to employees. Equipment failure may result in extended processing delays.
Performance of preventive maintenance enhances system reliability and should be
extended to all supporting equipment, such as temperature and humidity control
systems and alarm or detecting devices.
4. Which of the following security controls is simple to implement with the lea
st amount of delay?
a.
b.
c.
d.
4. c. Physical security is achieved through the use of locks, guards, and admini
stratively controlled procedures such as visitor badges. It also protects the st
ructures housing the computer and related equipment against damage from accident
, fire, and environmental hazards, thus ensuring the protection of their content
s. Physical security measures are the first line of defense against the risks th
at stem from the uncertainties in the environment and from the unpredictability
of human behavior. Frequently, they are the simplest safeguards to implement and
can be put into practice with the least delay. The controls listed in the other
three choices take a long time to implement and are not simple to install.
5. Which of the following is not a technical security measure?
a.
b.
c.
d.
Hardware
Software
Firmware
Physical control
Procedural controls
Physical controls
Hardware controls
Software controls
Appendix A
CISSP Glossary 2012
This appendix provides a glossary of key information systems and information tec
hnology security terms useful to the CISSP Exam candidates. Reading the glossary
terms prior to reading the practice chapters (domains) can help the candidate u
nderstand the chapter contents better. More than one definition of a key term is
provided to address multiple meanings and contexts in which the term is used or
applied.
The glossary is provided for a clear understanding of technical terms used in th
e ten domains of this book. The CISSP Exam candidates should know these terms fo
r a better comprehension of the subject matter presented. This glossary is a goo
d source for answering multiplechoice questions on the CISSP Exam.
Numbers and Letters
1G
The first generation of analogbased wireless technology.
2G
The second generation of digital wireless technology that supports voice and tex
t.
3G
The third generation of digital wireless technology that supports video.
4G
The fourth generation of digital wireless technology that provides faster displa
y of multimedia.
802.1Q
The IEEE standard for virtual localarea networks (VLANs).
802.2
The IEEE standard for logical link control. (IEEE is Institute of Electrical and
Electronics Engineers.)
802.3
The IEEE standard for carrier sense multiple access with collision detection (CS
MA/CD) access method and physical layer specifications for Ethernet localarea n
etworks (LANs).
802.4
The IEEE standard for Token bus access method and physical layer specifications
for LANs.
802.5
The IEEE standard for Token ring access method and physical layer specifications
for LANs.
802.6
The IEEE standard for Distributed queue dual bus access method and physical laye
r specifications for wired metropolitanarea networks (MANs).
802.11
The IEEE standard for wireless LAN medium access control (MAC) sublayer and phys
ical layer specifications. It uses a pathsharing protocol.
802.11a
The IEEE standard for radio band that is faster than 80211b but has a smaller ra
nge.
802.11b
The IEEE standard that is inexpensive and popular with sufficient speed but with
interference problems.
802.11e
The IEEE standard for providing quality of service (QoS).
802.11f
The IEEE standard for achieving access point interoperability.
802.11g
The IEEE standard that is fast but expensive and is mostly used by businesses.
802.11i
The IEEE standard for providing improved security over wired equivalent privacy
(WEP).
802.11n
The IEEE standard for improving throughput rates.
802.11r
The IEEE standard for improving the amount of time for data connectivity.
802.11t
The IEEE standard for providing performance metrics.
802.11w
The IEEE standard for providing data integrity, data origination authenticity, r
Access mode
A distinct operation recognized by protection mechanisms as possible operations
on an object. Read, write, and append are possible modes of access to a file, wh
ile whereas execute is an additional mode of access to a program.
Access password
A password used to authorize access to data and distributed to all those who are
authorized similar access to those data. This is a preventive and technical con
trol.
Access path
The sequence of hardware and software components significant to access control.
Any component capable of enforcing access restrictions, or any component that co
uld be used to bypass an access restriction should be considered part of the acc
ess path. The access path can also be defined as the path through which user req
uests travel, including the telecommunications software, transaction processing
software, and applications software.
Access period
A segment of time, generally expressed on a daily or weekly basis, during which
access rights prevail.
Access port
A logical or physical identifier that a computer uses to distinguish different t
erminal input/output data streams.
Access priorities
Deciding who gets what priority in accessing a system. Access priorities are bas
ed on employee job functions and levels rather than data ownership.
Access privileges
Precise statements defining the extent to which an individual can access compute
r systems and use or modify programs and data on the system. Statements also def
ine under what circumstances this access is allowed.
Access profiles
There are at least two types of access profiles: user profile and standard profi
le. (1) A user profile is a set of rules describing the nature and extent of acc
ess to each resource that is available to each user. (2) A standard profile is a
set of rules describing the nature and extent of access to each resource that i
s available to a group of users with similar job duties, such as accounts payabl
e clerks.
Access rules
Clear action statements describing expected user behavior in a computer system.
Access rules reflect security policies and practices, business rules, informatio
n ethics, system functions and features, and individual roles and responsibiliti
es, which collectively form access restrictions. Access rules are often describe
d as user security profiles (access profiles). Access control software implement
s access rules.
Access time minimization
A risk reducing principle that attempts to avoid prolonging access time to speci
fic data or to the system beyond what is needed to carry out requisite functiona
lity.
Access type
The nature of an access right to a particular device, program, or file (e.g., re
ad, write, execute, append, modify, delete, or create).
Accessibility
The ability to obtain the use of a computer system or a resource or the ability
and means necessary to store data, retrieve data, or communicate with a system.
Account management, user
Involves (1) the process of requesting, establishing, issuing, and closing user
accounts, (2) tracking users and their respective access authorizations, and (3)
managing these functions.
Accountability
(1) The security goal that generates the requirement for actions of an entity to
be traced uniquely to that entity. This supports nonrepudiation, deterrence, f
ault isolation, intrusion detection and prevention, and afteraction recovery an
d legal action. (2) The property that enables system activities to be traced to
individuals who may then be held responsible for their actions. This is a manage
ment and preventive control.
Accountability principle
A principle that calls for holding individuals responsible for their actions. In
computer systems, this is enabled through identification and authentication, th
e specifications of authorized actions, and the auditing of the users activity.
Accreditation
The official management decision given by a senior officer to authorize operatio
n of an information system and to explicitly accept the risk to organizations (i
ncluding mission, functions, image, or reputation), organization assets, or indi
viduals, based on the implementation of an agreedupon set of security controls.
Accreditation authority
Official with the authority to formally assume responsibility for operating an i
nformation system at an acceptable level of risk to organization operations, ass
ets, or individuals. Synonymous with authorizing official or accrediting authori
ty.
Accreditation boundary
All components of an information system to be accredited by an authorizing offic
ial and excludes separately accredited systems, to which the information system
is connected.
Accreditation package
The evidence provided to the authorizing official to be used in the security acc
reditation decision process. Evidence includes, but is not limited to (1) the sy
stem security plan, (2) the assessment results from the security certification,
and (3) the plan of actions and milestones.
Accuracy
A qualitative assessment of correctness or freedom from error.
Acoustic cryptanalysis attack
An exploitation of sound produced during a computation. It is a general class of
a side channel attack (Wikipedia).
Activation data
Private data, other than keys, that is required to access cryptographic modules.
Active attack
An attack on the authentication protocol where the attacker transmits data to th
e claimant or verifier. Examples of active attacks include a maninthemiddle (
MitM), impersonation, and session hijacking. Active attacks can result in the di
sclosure or dissemination of data files, denialofservice, or modification of d
ata.
Active content
Electronic documents that can carry out or trigger actions automatically on a co
mputer platform without the intervention of a user. Active content technologies
allow enable mobile code associated with a document to execute as the document i
s rendered.
Active security testing
(1) Handson security testing of systems and networks to identity their security
vulnerabilities. (2) Security testing that involves direct interaction with a t
arget, such as sending packets to a target.
Active state
The cryptographic key lifecycle state in which a cryptographic key is available
for use for a set of applications, algorithms, and security entities.
Active wiretapping
The attaching of an unauthorized device, such as a computer terminal, to a commu
nications circuit for the purpose of obtaining access to data through the genera
tion of false messages or control signals or by altering the communications of l
egitimate users.
ActiveX
Software components downloaded automatically with a Web page and executed by a W
e place. (2) An access control approach in which access is mediated based on att
ributes associated with subjects (requesters) and the objects to be accessed. Ea
ch object and subject has a set of associated attributes, such as location, time
of creation, and access rights. Access to an object is authorized or denied dep
ending upon whether the required (e.g., policydefined) correlation can be made
between the attributes of that object and of the requesting subject.
Attributebased authorization
A structured process that determines when a user is authorized to access informa
tion, systems, or services based on attributes of the user and of the informatio
n, system, or service.
Attribute certificate
A live scan of a persons biometric measure is translated into a biometric templat
e, which is then placed in an attribute certificate.
Audit
The independent examination of records and activities to assess the adequacy of
system controls, to ensure compliance with established controls, policies, and o
perational procedures, and to recommend necessary changes in controls, policies,
or procedures.
Audit reduction tools
Preprocessors designed to reduce the volume of audit records to facilitate manua
l review. Before a security review, these tools can remove many audit records kn
own to have little security significance. These tools generally remove records g
enerated by specified classes of events, such as records generated by nightly ba
ckups.
Audit trail
(1) A chronological record of system activities that is sufficient to enable the
reconstruction and examination of the sequence of events and activities surroun
ding or leading to an operation, procedure, or event in a securityrelevant tran
saction from inception to results. (2) A record showing who has accessed an IT s
ystem and what operations the user has performed during a given period. (3) An a
utomated or manual set of records providing documentary evidence of user transac
tions. (4) It is used to aid in tracing system activities. This is a technical a
nd detective control.
Auditability
Features and characteristics that allow verification of the adequacy of procedur
es and controls and of the accuracy of processing transactions and results in ei
ther a manual or automated system.
Authenticate
To confirm the identity of an entity when that identity is presented.
Authentication
(1) Verifying the identity of a user, process, or device, often as a prerequisit
e to allowing access to resources in an information system. (2) A process that e
stablishes the origin of information or determines an entitys identity. (3) The p
rocess of establishing confidence of authenticity and, therefore, the integrity
of data. (4) The process of establishing confidence in the identity of users or
information system. (5) It is designed to protect against fraudulent activity, a
uthentication verifies the users identity and eligibility to access computerized
information. It is proving that users are who they claim to be and is normally p
aired with the term identification. Typically, identification is performed by en
tering a name or a user ID, and authentication is performed by entering a passwo
rd, although many organizations are moving to stronger authentication methods su
ch as smart cards and biometrics. Although the ability to sign onto a computer s
ystem (enter a correct user ID and password) is often called accessing the system
, this is actually the identification and authentication function. After a user h
as entered a system, access controls determine which data the user can read or m
odify and what programs the user can execute. In other words, identification and
authentication come first, followed by access control. Continuous authenticatio
n is most effective. When two types of identification are used to authenticate a
user, it is called a twofactor authentication process.
Authentication code
protocol (TCP) or user datagram protocol (UDP) port. Synonymous with trapdoor.
Backup
A copy of files and programs made to facilitate recovery if necessary. This is a
n operational and preventive control and ensures the availability goal.
Backup computer facilities
A computer (data) center having hardware and software compatible with the primar
y computer facility. The backup computer is used only in the case of a major int
erruption or disaster at the primary computer facility. It provides the ability
for continued computer operations, when needed, and should be established by a f
ormal agreement. A duplicate of a hardware system, of software, of data, or of d
ocuments intended as replacements in the event of malfunction or disaster.
Backup operations
Methods for accomplishing essential business tasks subsequent to disruption of a
computer facility and for continuing operations until the facility is sufficien
tly restored.
Backup plan
Synonymous with contingency plan.
Backup procedures
The provisions made for the recovery of data files and program libraries, and fo
r restart or replacement of computer equipment after the occurrence of a system
failure or of a disaster. Examples include normal (full) backup, incremental bac
kup, differential backup, image backup, filebyfile backup, copy backup, daily
backup, recordlevel backup, and zeroday backup.
Bandwidth
Measures the data transfer capacity or speed of transmission in bits per second.
Bandwidth is the difference between the highest frequencies and the lowest freq
uencies measured in a range of Hertz (that is, cycles per second). Bandwidth com
pression can reduce the time needed to transmit a given amount of data in a give
n bandwidth without reducing the information content of the signal being transmi
tted. Bandwidth can negatively affect the performance of networks and devices, i
f it is inadequate.
Banner grabbing
The process of capturing banner information, such as application type and versio
n, that is transmitted by a remote port when a connection is initiated.
Base station (WMAN/WiMAX)
A base station (BS) is the node that logically connects fixed and mobile subscri
ber stations (SSs) to operator networks. A BS consists of the infrastructure ele
ments necessary to enable wireless communications (i.e., antennas, transceivers,
and other equipment).
Baseline (configuration management)
A baseline indicates a cutoff point in the design and development of a configur
ation item beyond which configuration does not evolve without undergoing strict
configuration control policies and procedures. Note that baselining is first and
versioning is next.
Baseline (software)
(1) A set of critical observations or data used for comparison or control. (2) A
version of software used as a starting point for later versions.
Baseline architecture
The initial architecture that is or can be used as a starting point for subseque
nt architectures or to measure progress.
Baseline controls
The minimumsecurity controls required for safeguarding an IT system based on it
s identified needs for confidentiality, integrity, and/or availability protectio
n objectives. Three sets of baseline controls (i.e., lowimpact, moderateimpact
, and highimpact) provide a minimum security control assurance.
Baselining
Monitoring resources to determine typical utilization patterns so that significa
nt deviations can be detected.
Basic authentication
A technology that uses the Web server contents directory structure. Typically, al
l files in the same directory are configured with the same access privileges usi
ng passwords, thus not secure. The problem is that all password information is t
ransferred in an encoded, rather than an encrypted, form. These problems can be
overcome using basic authentication in conjunction with SSL/TLS.
Basis path testing
It is a whitebox testing technique to measure the logical complexity of a proce
dural design. The goal is to execute every computer program statement at least o
nce during testing realizing that many programs paths could exist.
Basic testing
A test methodology that assumes no knowledge of the internal structure and imple
mentation details of the assessment object. Basic testing is also known as black
box testing.
Bastion host
A host system that is a strong point in the networks security perimeter. Bastion ho
sts should be configured to be particularly resistant to attack. In a hostbased
firewall, the bastion host is the platform on which the firewall software is ru
n. Bastion hosts are also referred to as gateway hosts. A bastion host is typicall
y a firewall implemented on top of an operating system that has been specially c
onfigured and hardened to be resistant to attack.
Bearer assertion
An assertion that does not provide a mechanism for the subscriber to prove that
he is the rightful owner of the assertion. The relying party has to assume that
the assertion was issued to the subscriber who presents the assertion or the cor
responding assertion reference to the relying party.
Behavioral outcome
What an individual who has completed the specific training module is expected to
be able to accomplish in terms of IT securityrelated job performance.
Benchmark testing
Uses a small set of data or transactions to check software performance against p
redetermined parameters to ensure that it meets requirements.
Benchmarking
It is the comparison of core process performance with other components of an int
ernal organization or with leading external organizations.
Best practices
Business practices that have been shown to improve an organizations IT function a
s well as other business functions.
Beta testing
Use of a product by selected users before formal release.
Betweenthelines entry
(1) Access, obtained through the use of active wiretapping by an unauthorized us
er, to a momentarily inactive terminal of a legitimate user assigned to a commun
ications channel. (2) Unauthorized access obtained by tapping the temporarily in
active terminal of a legitimate use.
Binding
(1) Process of associating two related elements of information. (2) An acknowled
gment by a trusted third party that associates an entitys identity with its publi
c key. This may take place through (i) certification authoritys generation of a p
ublic key certificate, (ii) a security officers verification of an entitys credent
ials and placement of the entitys public key and identifier in a secure database,
or (iii) an analogous method.
Biometric access controls
Biometricsbased access controls are implemented using physical and logical cont
rols. They are most expensive and most secure compared to other types of access
control mechanisms.
Biometric information
The stored electronic information pertaining to a biometric. This information ca
n be in terms of raw or compressed pixels or in terms of some characteristic (e.
g., patterns).
Biometric system
An automated system capable of the following: (1) capturing a biometric sample f
rom an end user, (21) extracting biometric data from that sample, (3) comparing
the extracted biometric data with data contained in one or more references, (4)
deciding how well they match, and (5) indicating whether or not an identificatio
n or verification of identity has been achieved.
Biometric template
A characteristic of biometric information (e.g., minutiae or patterns).
Biometrics
(1) Automated recognition of individuals based on their behavioral and biologica
l characteristics. (2) A physical or behavioral characteristic of a human being.
(3) A measurable, physical characteristic or personal behavioral trait used to
recognize the identity, or verify the claimed identity, of an applicant. Facial
patterns, fingerprints, eye retinas and irises, voice patterns, and hand measure
ments are all examples of biometrics. (4) Biometrics may be used to unlock authe
ntication tokens and prevent repudiation of registration.
Birthday attack
An attack against message digest 5 (MD5), a hash function. The attack is based o
n probabilities of two messages that hash to the same value (collision) and then
exploit it to attack. The attacker is looking for birthday pairsthat is, two messa
ges with the same hash values. This attack is not feasible given todays computer
technology.
Bit error ratio
It is the number of erroneous bits divided by the total number of bits transmitt
ed, received, or processed over some stipulated period in a telecommunications s
ystem.
Bit string
An ordered sequence of 0s and 1s. The leftmost bit is the most significant bit of
the string. The rightmost bit is the least significant bit of the string.
Black bag cryptanalysis
A euphemism for the acquisition of cryptographic secrets via burglary, or the co
vert installation of keystroke logging or Trojan horse software on target comput
ers or ancillary devices. Surveillance technicians can install bug concealed equ
ipment to monitor the electromagnetic emissions of computer displays or keyboard
s from a distance of 20 or more meters and thereby decode what has been typed. I
t is not a mathematical or technical cryptanalytic attack, and the law enforceme
nt authorities can use a sneakandpeek search warrant on a keystroke logger (Wi
kipedia).
Black box testing
A test methodology that assumes no knowledge of the internal structure and imple
mentation detail of the assessment object. It examines the software from the use
rs viewpoint and determines if the data are processed according to the specificat
ions, and it does not consider implementation details. It verifies that software
functions are performed correctly. It focuses on the external behavior of a sys
tem and uses the systems functional specifications to generate test cases. It ens
ures that the system does what it is supposed to do and does not do what it is n
ot supposed to do. It is also known as generalized testing or functional testing
, and should be combined with white box testing for maximum benefit because neit
her one by itself does a thorough testing job. Black box testing is functional a
nalysis of a system. Basic testing is also known as black box testing.
BLACK concept (encryption)
It is a designation applied to encrypted data/information and the information sy
stems, the associated areas, circuits, components, and equipment processing of t
hat data and information. It is a separation of electrical and electronic circui
ts, components, equipment, and systems that handle unencrypted information (RED)
in electrical form from those that handle encrypted information (BLACK) in the
same form.
Black core
A communications network architecture in which user data traversing a core Inter
net Protocol (IP) network is endtoend encrypted at the IP layer.
Blackholing
Blackholing occurs when traffic is sent to routers that drop some or all of the
ct any hard disk or floppy accessed by the user. With the advent of more modern
operating systems and a great reduction in users sharing floppies, there has bee
n a major reduction in this type of virus. These viruses are now relatively unco
mmon.
Border Gateway Protocol (BGP)
An Internet routing protocol used to pass routing information between different
administrative domains.
Border Gateway Protocol (BGP) flapping
A situation in which BGP sessions are repeatedly dropped and restarted, normally
as a result of line or router problems.
Border Gateway Protocol (BGP) peer
A router running the BGP protocol that has an established BGP session active.
Border Gateway Protocol (BGP) session
A Transmission Control Protocol (TCP) session in which both ends are operating B
GP and have successfully processed an OPEN message from the other end.
Border Gateway Protocol (BGP) speaker
Any router running the BGP protocol.
Border router
Border router is placed at the network perimeter. It can act as a basic firewall
.
Botnet
Botnet is a jargon term for a collection of software robots, or bots, which run
autonomously. A botnets originator can control the group remotely, usually throug
h a means such as Internet relay chat (IRC), and usually for nefarious purposes.
A botnet can comprise a collection of cracked machines running programs (usuall
y referred to as worms, Trojan horses, or backdoors) under a common command and
control infrastructure. Botnets are often used to send spam emails, launch DoS
attacks, phishing attacks, and viruses.
Bound metadata
Metadata associated with a cryptographic key and protected by the cryptographic
key management system against unauthorized modification and disclosure. It uses
a binding operation that links two or more data elements such that the data elem
ents cannot be modified or replaced without being detected.
Boundary
A physical or logical perimeter of a system.
Boundary protection
Monitoring and control of communications (1) at the external boundary between in
formation systems completely under the management and control of the organizatio
n and information systems not completely under the management and control of the
organization, and (2) at key internal boundaries between information systems co
mpletely under the management and control of the organization.
Boundary protection employs managed interfaces and boundary protection devices.
Boundary protection device
A device with appropriate mechanisms that (1) facilitates the adjudication of di
fferent interconnected system security policies (e.g., controlling the flow of i
nformation into or out of an interconnected system); and/or (2) monitors and con
trols communications at the external boundary of an information system to preven
t and detect malicious and other unauthorized communications. Boundary protectio
n devices include such components as proxies, gateways, routers, firewalls, hard
ware/software guards, and encrypted tunnels.
Boundary router
A boundary router is located at the organizations boundary to an external network
. A boundary router is configured to be a packet filter firewall.
Boundary value analysis
The purpose of boundary value analysis is to detect and remove errors occurring
at parameter limits or boundaries. Tests for an application program should cover
the boundaries and extremes of the input classes.
Breach
The successful and repeatable defeat (circumvention) of security controls with o
r without detection or an arrest, which if carried to completion, could result i
A bus topology is a network topology in which all nodes (i.e., stations) are con
nected to a central cable (called the bus or backbone) and all stations are atta
ched to a shared transmission medium. Note that linear bus topology is a variati
on of bus topology.
Business continuity plan (BCP)
The documentation of a predetermined set of instructions or procedures that desc
ribe how an organizations business functions will be sustained during and after a
significant disruption.
Business impact analysis (BIA)
An analysis of an IT systems requirements, processes, and interdependencies used
to characterize system contingency requirements and priorities in the event of a
significant disruption.
Business process improvement (BPI)
It focuses on how to improve an existing process or service. BPI is also called
continuous process improvement.
Business process reengineering (BPR)
It focuses on improving efficiency, reducing costs, reducing risks, and improvin
g service to internal and external customers. Radical change is an integral part
of BPR.
Business recovery/resumption plan (BRP)
The documentation of a predetermined set of instructions or procedures that desc
ribe how business processes will be restored after a significant disruption has
occurred.
Business rules processor
The subcomponent of a serviceoriented architecture (SOA) that manages and exec
utes the set of complex business rules that represent the core business activity
supported by the component.
Bypass capability
The ability of a service to partially or wholly circumvent encryption or cryptog
raphic authentication.
C
C2C
Consumertoconsumer (C2C) is an electronic commerce model involving consumers s
elling directly to consumers (e.g., eBay).
Cache attack
Computer processors are equipped with a cache memory, which decreases the memory
access latency. First, the processor looks for the data in cache and then in th
e memory. When the data is not where the processor is expecting, a cachemiss oc
curs. The cachemiss attacks enable an unprivileged process to attack other proc
esses running in parallel on the same processor, despite partitioning methods us
ed (for example, memory protection, sandboxing, and virtualization techniques).
Attackers use the cachemiss situation to attack weak symmetric encryption algor
ithms (for example, DES). AES is stronger than DES, and the former should be use
d during the execution of a processor on a known plaintext.
Callback
Procedure for identifying and authenticating a remote information system termina
l, whereby the host system disconnects the terminal and reestablishes the contac
t.
Campusarea network (CAN)
An interconnected set of localarea networks (LANs) in a limited geographical ar
ea such as a college campus or a corporate campus.
Capability list
A list attached to a subject ID specifying what accesses are allowed to the subj
ect.
Capability maturity model (CMM)
CMM is a fivestage model of how software organizations improve, over time, in t
heir ability to develop software. Knowledge of the CMM provides a basis for asse
ssment, comparison, and process improvement. The Carnegie Mellon Software Engine
ering Institute (SEI) has developed the CMM.
Capture
t is sent to the verifier. The verifier knows the shared secret and can independ
ently compute the response and compare it with the response generated by the cla
imant. If the two are the same, the claimant is considered to have successfully
authenticated himself. When the shared secret is a cryptographic key, such proto
cols are generally secure against eavesdroppers. When the shared secret is a pas
sword, an eavesdropper does not directly intercept the password itself, but the
eavesdropper may be able to find the password with an offline password guessing
attack.
Channel scanning
Changing the channel being monitored by a wireless intrusion detection and preve
ntion system.
Chatterbots
Bots that can talk (chat) using animation characters.
Checkdigit
A checkdigit calculation helps ensure that the primary key or data is entered c
orrectly. This is a technical and detective control.
Checkpoint
Restore procedures are needed before, during, or after completion of certain tra
nsactions or events to ensure acceptable faultrecovery.
Checksum
A value automatically computed on data to detect error or manipulation during tr
ansmission. It is an errorchecking technique to ensure the accuracy of data tra
nsmission. The number of bits in a data unit is summed and transmitted along wit
h the data. The receiving computer then checks the sum and compares. Digits or b
its are summed according to arbitrary rules and used to verify the integrity of
data (that is, changes to data). This is a technical and detective control.
Chief information officer (CIO)
A senior official responsible for (1) providing advice and other assistance to t
he head of the organization and other senior management personnel of the organiz
ation to ensure that information technology is acquired and information resource
s are managed in a manner that is consistent with laws, executive orders, direct
ives, policies, regulations, and priorities established by the head of the organ
ization; (2) developing, maintaining, and facilitating the implementation of a s
ound and integrated information technology architecture for the organization; an
d (3) promoting the effective and efficient design and operation of all major in
formation resources management processes for the organization, including improve
ments to work processes of the organization.
Chokepoint
A chokepoint creates a bottleneck in a system, whether the system is a social, n
atural, civil, military, or computer system. For example, the installation of a
firewall in a computer system between a local network and the Internet creates a
chokepoint and makes it difficult for an attacker to come through that network
channel. In graph theory and network analysis, a chokepoint is any node in a net
work with a high centrality (Wikipedia).
Cipher
(1) A series of transformations that converts plaintext to ciphertext using the
cipher key. (2) A cipher block chainingmessage authentication code (CBCMAC) al
gorithm. (3) A secretkey blockcipher algorithm used to encrypt data and to gen
erate a MAC to provide assurance that the payload and the associated data are au
thentic.
Cipher key
Secret, cryptographic key that is used by the Key Expansion Routine to generate
a set of Round Keys; can be pictured as a rectangular array of bytes, having fou
r rows and NK columns.
Cipher suite
Negotiated algorithm identifiers, which are understandable in human readable for
m using a pneumonic code.
Ciphertext
(1) Data output from the cipher or input to the inverse cipher. (2) The result o
f transforming plaintext with an encryption algorithm. (3) It is the encrypted f
Click fraud
Deceptions and scams that inflate advertising bills with improper charge per cli
ck in an online advertisement on the Web.
Client (application)
A system entity, usually a computer process acting on behalf of a human user tha
t makes use of a service provided by a server.
Client/server architecture
An architecture consisting of server programs that await and fulfill requests fr
om client programs on the same or another computer.
Client/server authentication
The secure sockets layer (SSL) and transport layer security (TLS) provide client
and server authentication and encryption of Web communications.
Client/server model
The clientserver model states that a client (user), whether a person or a compu
ter program, may access authorized services from a server (host) connected anywh
ere on the distributed computer system. The services provided include database a
ccess, data transport, data processing, printing, graphics, electronic mail, wor
d processing, or any other service available on the system. These services may b
e provided by a remote mainframe using longhaul communications or within the us
ers workstation in realtime or delayed (batch) transaction mode. Such an open ac
cess model is required to permit true horizontal and vertical integration.
Clientside scripts
The clientside scripts such as JavaScript, JavaApplets, and ActiveX controls a
re used to generate dynamic Web pages.
Cloning
The practice of reprogramming a phone with a mobile identification number and a
n electronic serial number pair from another phone.
Closein attacks
They consist of a regular type of individual attaining close physical proximity
to networks, systems, or facilities for the purpose of modifying, gathering, or
denying access to information. Close physical proximity is achieved through surr
eptitious entry, open access, or both.
Closedcircuit television
Closedcircuit television (CCTV) can be used to record the movement of people in
and out of the data center or other sensitive work areas. The film taken by the
CCTV can be used as evidence in legal investigations.
Closed security environment
Refers to an environment providing sufficient assurance that applications and eq
uipment are protected against the introduction of malicious logic during an info
rmation system life cycle. Closed security is based upon a systems developers, op
erators, and maintenance personnel having sufficient clearances, authorization,
and configuration control.
Cloud computing
It is a model for enabling ubiquitous, convenient, ondemand network access to a
shared pool of configurable computing resources (e.g., networks, servers, stora
ge, applications, and services) that can be rapidly provisioned and released wit
h minimal management effort or service provider interaction. This cloud model pr
omotes availability and is composed of five essential characteristics (i.e., on
demand selfservice, broad network access, resource pooling, rapid elasticity, a
nd measured service), three service models (i.e., cloud software as a service, c
loud platform as a service, and cloud infrastructure as a service), and four dep
loyment models (i.e., private cloud, community cloud, public cloud, and hybrid c
loud).
Cluster computing
The use of failover clusters to provide high availability of computing services.
Failover means the system detects hardware/software faults and immediately rest
arts the application on another system without requiring human intervention. It
uses redundant computers or nodes and configures the nodes before starting the a
pplication on it. A minimum of two nodes is required to provide redundancy but i
n reality it uses more than two nodes. Variations in node configurations include
Computer forensics
The practice of gathering, retaining, and analyzing computerrelated data for in
vestigative purposes in a manner that maintains the integrity of the data.
Computer fraud
Computerrelated crimes involving deliberate misrepresentation, alteration, or d
isclosure of data in order to obtain something of value (usually for monetary ga
in). A computer system must have been involved in the perpetration or coverup o
f the act or series of acts. A computer system might have been involved through
improper manipulation of input data; output or results; applications programs; d
ata files; computer operations; communications; or computer hardware, systems so
ftware, or firmware.
Computer network
A complex consisting of two or more interconnected computers.
Computer security
Measures and controls that ensure confidentiality, integrity, and availability o
f IT assets, including hardware, software, firmware, and information being proce
ssed, stored, and communicated.
Computer security incident
A violation or imminent threat of violation of computer security policies, accep
table use policies, or standard computer security practices.
Computer security incident response team (CSIRT)
A capability set up for the purpose of assisting in responding to computer secur
ityrelated incidents; also called a computer incident response team (CIRT), a c
omputer incident response center (CIRC), or a computer incident response capabil
ity (CIRC).
Computer virus
A computer virus is similar to a Trojan horse because it is a program that conta
ins hidden code, which usually performs some unwanted function as a side effect.
The main difference between a virus and a Trojan horse is that the hidden code
in a computer virus can only replicate by attaching a copy of itself to other pr
ograms and may also include an additional payload that triggers when specific cond
itions are met.
Concentrators
Concentrators gather together several lines in one central location, and are the
foundation of a FDDI network and are attached directly to the FDDI dual ring.
Concept of operations
It is a computer operations plan consisting of only one document, where it will
describes the scope of entire operational activities.
Confidentiality
(1) Preserving authorized restrictions on information access and disclosure, inc
luding means for protecting personal privacy and proprietary information. (2) It
is the property that sensitive information is not disclosed to unauthorized ind
ividuals, entities, devices, or processes. (3) The secrecy of data that is trans
mitted in the clear. (4) Confidentiality covers data in storage, during processi
ng, and in transit.
Confidentiality mode
A mode that is used to encipher plaintext and decipher ciphertext. The confident
iality modes include electronic codebook (ECB), cipher block chaining (CBC), cip
her feedback (CFB), output feedback (OFB), and counter (CTR) modes.
Configuration
The relative or functional arrangement of components in a system.
Configuration accounting
The recording and reporting of configuration item descriptions and all departure
s from the baseline during design and production.
Configuration auditing
An independent review of computer software for the purpose of assessing complian
ce with established requirements, standards, and baseline.
Configuration control
The process for controlling modifications to hardware, firmware, software, and d
ocumentation to ensure that an information system is protected against improper
n.
Content delivery networks (CDNs)
Content delivery networks (CDNs) are used to deliver the contents of music, movi
es, games, and news providers from their websites to end users quickly with the
use of tools and techniques such as caching, replication, redirection, and a pro
xy content server to enhance the Web performance in terms of optimizing the disk
size and preload time.
Content filtering
The process of monitoring communications such as email and Web pages, analyzing
them for suspicious content, and preventing the delivery of suspicious content
to users.
Contingency plan
Management policy and procedures designed to maintain or restore business operat
ions, including computer operations, possibly at an alternate location, in the e
vent of emergencies, system failures, or disaster. Also called disaster recovery
plan, business resumption plan, or business continuity plan. This is a manageme
nt and recovery control and ensures the availability goal.
Continuity of operations plan
A predetermined set of instructions or procedures that describe how an organizat
ions essential functions will be sustained for up to 30 days as a result of a dis
aster event before returning to normal operations.
Continuity of support plan
The documentation of a predetermined set of instructions or procedures that desc
ribe how to sustain major applications and general support systems in the event
of a significant disruption.
Contradictory controls
Two or more controls are in conflict with each other. Installation of one contro
l does not fit well with the other controls due to incompatibility. This means t
hat implementation of one control can affect other, related controls negatively.
Examples include (1) installation of a new software patch that can undo or brea
k another related, existing software patch either in the same system or other re
lated systems. This incompatibility can be due to errors in the current patch or
previous patch or that the new patches and the previous patches were not fully
tested either by the software vendor or by the user organization and (2) telecom
muting work and organizations software piracy policies could be in conflict with
each other if noncompliant telecommuters implement such policies improperly and
in an unauthorized manner when they purchase and load unauthorized software on t
he home/work PC.
Control
Any protective action, device, procedure, technique, or other measure that reduc
es exposure. Controls can prevent, detect, or correct errors, and can minimize h
arm or loss. It is any action taken by management to enhance the likelihood that
established objectives and goals will be achieved.
Control frameworks
These provide overall guidance to user organizations as a frame of reference for
security governance and for implementation of securityrelated controls. Severa
l organizations within the U.S. and outside the U.S. provide such guidance.
Developed and promoted by the IT Governance Institute (ITGI), Control Objectives
for Information and related Technology (COBIT) starts from the premise that IT
must deliver the information that the enterprise needs to achieve its objectives
. In addition to promoting process focus and process ownership, COBIT looks at t
he fiduciary, quality, and security needs of enterprises and provides seven info
rmation criteria that can be used to generally define what the business requires
from IT: effectiveness, efficiency, availability, integrity, confidentiality, r
eliability, and compliance.
The Information Security Forums (ISFs) Standard of Good Practice for Information S
ecurity is based on research and the practical experience of its members. The st
andard divides security into five component areas: security management, critical
business applications, computer installations, networks, and system development
.
on. It may apply at the security modeltoformal specification level, at the for
mal specificationtohigher order language code level, at the compiler level, or
at the hardware level. For example, if a system has a verified design and imple
mentation, then its overall correctness rests with the correctness of the compil
er and hardware. When a system is proved correct, it can be expected to perform
as specified but not necessarily as anticipated if the specifications are incomp
lete or inappropriate. It is also known as proof of correctness.
Costbenefit
A criterion for comparing programs and alternatives when benefits can be valued
in dollars. Also referred to as benefit/cost ratio, which is a function of equiv
alent benefits and equivalent costs.
Costrisk analysis
The assessment of the costs of potential risk of loss or compromise without data
protection versus the cost of providing data protection.
Countermeasures
Actions, devices, procedures, techniques, or other measures that reduce the vuln
erability of an information system. Synonymous with security controls and safegu
ards.
Coupling
Coupling is the manner and degree of interdependence between software modules. I
t is a measure of the degree to which modules share data. A high degree of coupl
ing indicates a strong dependence among modules, which is not wanted. Data coupl
ing is the best type of coupling, and content coupling is the worst. Data coupli
ng is the sharing of data via parameter lists. With data coupling, only simple d
ata is passed between modules. Similar to data cohesion, components cover an abs
tract data type. With content coupling, one module directly affects the working
of another module as it occurs when a module changes another modules data or when
control is passed from one module to the middle of another module. A lower (wea
k) coupling value is better. Interfaces exhibiting strong cohesion and weak coup
ling are less error prone. If various modules exhibit strong internal cohesion,
the intermodule coupling tends to be minimal, and vice versa.
Coverage attribute
An attribute associated with an assessment method that addresses the scope or br
eadth of the assessment objects included in the assessment (for example, types o
f objects to be assessed and the number of objects to be assessed by type). The
values for the coverage attribute, hierarchically from less coverage to more cov
erage, are basic, focused, and comprehensive.
Covert channel
A communications channel that allows two cooperating processes to transfer infor
mation in a manner that violates a security policy but without violating the acc
ess control.
Covert storage channel
A covert channel that involves the direct or indirect writing of a storage locat
ion by one process and the direct or indirect reading of the storage location by
another process. Covert storage channels typically involve a finite resource sh
ared by two subjects at different security levels.
Covert timing channel
A covert channel in which one process signals information to another by modulati
ng its own use of system resources (e.g., CPU time) in such a way that this mani
pulation affects the real response time observed by the second process.
Cracking (password)
The process of an attacker recovering cryptographic password hashes and using va
rious analytical methods to attempt to identify a character string that will pro
duce one of those hashes.
Credential
An object that authoritatively binds an identity to a token possessed and contro
lled by a person. It is evidence attesting to ones right to credit or authority.
Credentials service provider (CSP)
A trusted entity that issues or registers subscriber tokens and issues electroni
c credentials to subscribers. The CSP may encompass Registration Authorities (RA
) and Verifiers that it operates. A CSP may be an independent third party or may
issue credentials for its own use.
Criminal law
Law covering all legal aspects of crime.
Criteria
Definitions of properties and constraints to be met by system functionality and
assurance.
Critical security parameter
Securityrelated information (e.g., secret and private cryptographic keys, and a
uthentication data such as passwords and PINs) whose disclosure or modification
can compromise the security of a cryptographic module or the security of the inf
ormation protected by the module.
Criticality
A measure of how important the correct and uninterrupted functioning of the syst
em is to the mission of a user organization. The degree to which the system perf
orms critical processing. A system is critical if any of its requirements are cr
itical.
Criticality level
Refers to the (consequences of) incorrect behavior of a system. The more serious
the expected direct and indirect effects of incorrect behavior, the higher the
criticality level.
Crosscertificate
A certificate used to establish a trust relationship between two Certification A
uthorities (CAs). In most cases, a relying party will want to process user certi
ficates that were signed by issuers other than a CA in its trust list. To suppor
t this goal, CAs issue crosscertificates that bind another issuers name to that
issuers public key. Crosscertificates are an assertion that a public key may be
used to verify signatures on other certificates.
Crossdomain solution
A form of controlled interface that provides the ability to manually and/or auto
matically access and/or transfer information between different security domains.
Crosssite request forgery (CSRF)
An attack in which a subscriber who is currently authenticated to a relying part
y and connected through a secure session, browsers to an attackers website which
causes the subscriber to unknowingly invoke unwanted actions at the relying part
y.
Crosssite scripting (XSS)
An attacker may use XML injection to perform the equivalent of a XSS, in which r
equesters of a valid Web service have their requests transparently rerouted to a
n attackercontrolled Web service that performs malicious operations.
Cryptanalysis
The operations performed in defeating cryptographic protection without an initia
l knowledge of the key employed in providing the protection.
Cryptanalytic attacks
Several attacks such as COA, KPA, CTA, CPA, ACPA, CCA, and ACCA are possible as
follows.
Ciphertext only attack (COA): An attacker has some ciphertext and he does not kn
ow the plaintext or the key. His goal is to find the corresponding plaintext. Th
is is the most common attack and the easiest to defend because the attacker has
the least amount of information (i.e., ciphertext only) to work with.
Known plaintext attack (KPA): An attacker is able to match the ciphertext with t
he known plaintext and the encryption algorithm but does not know the key to dec
ode the ciphertext. This attack is harder, but still common because the attacker
tries to deduce the key based on the known plaintext. This attack is similar to
brute force attack. The KPA works against data encryption standard (DES) in any
of its four operating modes (i.e., ECB, CBC, CFB, and OFB) with the same comple
xity. DES with any number of rounds fewer than 16 could be broken with a knownp
laintext attack more efficiently than by brute force attack.
Chosen text attack (CTA): Less common in occurrence and includes four types of a
Cryptographic algorithm
A welldefined computational procedure that takes variable inputs, including a c
ryptographic key, and produces an output. The cryptographic algorithms can be im
plemented in either hardware for speed or software for flexibility.
Cryptographic boundary
An explicitly defined continuous perimeter that establishes the physical bounds
of a cryptographic module and contains all the hardware, software, and/or firmwa
re components of a cryptographic module.
Cryptographic authentication
The use of encryptionrelated techniques to provide authentication.
Cryptographic checksum
A checksum computed by an algorithm that provides a unique value for each possib
le data value of the object.
Cryptographic function
A set of mathematical procedures that provide various algorithms for key generat
ion, random number generation, encryption, decryption, and message digesting.
Cryptographic hash function
A mathematical function that maps a bit string of arbitrary length to a fixed le
ngth bit string. The function satisfies the following properties: (1) it is comp
utationally infeasible to find any input which maps to any prespecified output
(oneway) and (2) it is computationally infeasible to find any two distinct inpu
ts that map to the same output (collision collisionresistant).
Cryptographic key
(1) A value used to control cryptographic operations, such as decryption, encryp
tion, signature generation, or signature verification. (2) A parameter used in c
onnection with a cryptographic algorithm that determines its operation in such a
way that an entity with knowledge of the key can reproduce or reverse the opera
tion, while an entity without knowledge of the key cannot. Seven examples includ
e (i) the transformation of plaintext data into ciphertext data, (ii) the transf
ormation of ciphertext data into plaintext data, (iii) the computation of a digi
tal signature from data, (iv) the verification of a digital signature, (v) the c
omputation of an authentication code from data, (vi) the verification of an auth
entication code from data and a received authentication code, and (vii) the comp
utation of a shared secret that is used to derive keying material.
Cryptographic key management system (CKMS)
A set of components that is designed to protect, manage, and distribute cryptogr
aphic keys and bound metadata.
Cryptographic module
The set of hardware, software, firmware, or some combination thereof that implem
ents approved security functions such as cryptographic logic or processes (inclu
ding cryptographic algorithms and key generation) and is contained within the cr
yptographic boundary of the module.
Cryptographic strength
A measure of the expected number of operations required to defeat a cryptographi
c mechanism. This term is defined to mean that breaking or reversing an operatio
n is at least as difficult computationally as finding the key of an 80bit block
cipher by key exhaustion that is it requires at least on the order of 279 opera
tions.
Cryptographic token
A token where the secret is a cryptographic key.
Cryptography
(1) The discipline that embodies the principles, means, and methods for the tran
sformation of data in order to hide their semantic content, prevent their unauth
orized use, or prevent their undetected modification. (2) The discipline that em
bodies principles, means, and methods for providing information security, includ
ing confidentiality, data integrity, nonrepudiation, and authenticity. (3) It c
reates a high degree of trust in the electronic world.
Cryptology
The field that encompasses both cryptography and cryptanalysis. The science that
deals with hidden, disguised, or encrypted communications. It includes communic
ations security and communications intelligence.
Cryptooperation
The functional application of cryptographic methods. (1) Offline encryption or
decryption performed as a selfcontained operation distinct from the transmissio
n of the encrypted text, as by hand or by machines not electrically connected to
a signal line. (2) Online the use of cryptoequipment that is directly connecte
d to a signal line, making continuous processes of encryption and transmission o
r reception and decryption.
Cryptoperiod
The time span during which a specific key is authorized for use or in which the
keys for a given system may remain in effect.
Cryptophthora
It is a degradation of secret key material resulting from the side channel leaka
ge where an attacker breaks down the operation of a cryptosystem to reveal the c
ontents of a cryptographic key.
Cryptosecurity
The security or protection resulting from the proper use of technically sound cr
yptosystems.
Cyber attack
An attack, via cyberspace, targeting an organizations use of cyberspace for the p
urpose of disrupting, disabling, destroying, or maliciously controlling a comput
ing infrastructure. This also includes destroying the integrity of the data or s
tealing controlled information.
Cyber infrastructure
The scope includes computer systems, control systems, networks (e.g., the Intern
et), and cyber services (e.g., managed security services).
Cyber security
The ability to protect or defend the use of cyberspace from cyber attacks.
Cyberspace
A global domain within the information environment consisting of the interdepend
ent network of information systems infrastructures including the Internet, telec
ommunications network, computer systems, and embedded processors and controllers
.
Cyclic redundancy check (CRC)
(1) A method to ensure data has not been altered after being sent through a comm
unication channel. It uses an algorithm for generating error detection bits in a
data link protocol. The receiving station performs the same calculation as done
by the transmitting station. If the results differ, then one or more bits are i
n error. (2) Error checking mechanism that verifies data integrity by computing
a polynomial algorithm based checksum. This is a technical and detective control
.
Cyclomatic complexity metrics
A program modules cohesion can be measured indirectly through McCabes and Halsteads
cyclomatic complexity metrics and Henri and Kafuras information flow complexity
metrics.
D
Daemon
A program associated with UNIX systems that perform a housekeeping or maintenanc
e utility function without being called by the user. A daemon sits in the backgr
ound and is activated only when needed.
Dashboards
Dashboards are one type of management metrics in which they consolidate and comm
unicate information relevant to the organizational security status in nearreal
time to security management stakeholders. These dashboards present information i
n a meaningful and easily understandable format to management. Some applications
of dashboards include implementation of separation of duties, security authoriz
ations, continuous system monitoring, security performance measures, risk manage
ment, and risk assessment.
Data
Programs, files, or other information stored in, or processed by a computer syst
em.
Data administrator (DA)
A person responsible for the planning, acquisition, and maintenance of database
management software, including the design, validation, and security of database
files. The DA is fully responsible for the data model and the data dictionary so
ftware.
Data architecture
Data compilation, including who creates and uses it and how. It presents a stabl
e basis for the processes and information used by the organization to accomplish
its mission.
Data at rest
Data at rest (data on the hard drive) address the confidentiality and integrity
of data in nonmobile devices and covers user information and system information.
File encryption or whole (full) disk encryption protects data in storage (data
at rest).
Data authentication code
The code is a mathematical function of both the data and a cryptographic key. Ap
plying the Data Authentication Algorithm (DAA) to data generates a data authenti
cation code. When data integrity is to be verified, the code is generated on the
current data and compared with the previously generated code. If the two values
are equal, data integrity (i.e., authenticity) is verified. The data authentica
tion code is also known as a message authentication code (MAC).
Data block
A sequence of bits whose length is the block size of the block cipher.
Data classification
From data security standpoint, all data records and files should be labeled as c
ritical, noncritical, classified, sensitive, secret, topsecret, or identified t
hrough some other means so that protective measures are taken according to the c
riticality of data.
Data cleansing
Includes activities for detecting and correcting data in a database or tradition
al file that are incorrect, incomplete, improperly formatted, or redundant. Also
known as data scrubbing.
Data communications
Information exchanged between endsystems in machinereadable form.
Data confidentiality
The state that exists when data is held in confidence and is protected from unau
thorized disclosure.
Data contamination
A deliberate or accidental process or act that results in a change in the integr
instead they are contained in one module. Abstraction helps to define the proce
dures, while data hiding defines access restrictions to procedures and local dat
a structures. The concept of data hiding is useful during program testing and so
ftware maintenance. Note that layering, abstraction, and data hiding are protect
ion mechanisms in security design architecture.
Data in transit
Data in transit (data on the wire) deals with protecting the integrity and confi
dentiality of transmitted information across internal and external networks. Lin
e encryption protects the data in transit and line encryption protects data in t
ransfer.
Data integrity
A property whereby data has not been altered in an unauthorized manner since it
was created, transmitted, or stored. Data integrity covers data in storage, duri
ng data processing, and while in transit.
Data key
A cryptographic key used to cryptographically process data (e.g., encrypt, decry
pt, and authenticate).
Data latency
A measure of the currency of securityrelated data or information. Data latency
refers to the time between when information is collected and when it is used. It
allows an organization to respond to where the threat or vulnerability is and wh
ere it is headed, instead of where it was. When responding to threats and/or vulner
abilities, this is an important data point that shortens a risk decision cycle.
Data level
Three levels of data are possible: Level 1 is classified data. Level 2 is unclas
sified data requiring special protection, for example, Privacy Act, for Official
Use Only, Technical Documents Restricted to Limited Distribution. Level 3 is al
l other unclassified data.
Data link layer
Provides security for the layer that handles communications on the physical netw
ork components of the ISO/OSI reference model.
Data link layer protocols
Data link layer protocols provide (1) error control to retransmit damaged or los
t frames and (2) flow control to prevent a fast sender from overpowering a slow
receiver. The sliding window mechanism is used to integrate error control and fl
ow control. In data link layer, various framing methods are used including chara
cter count, byte stuffing, and bit stuffing. Examples of data link layer protoco
ls and sliding window protocols include bitoriented protocols such as SDLC, HDL
C, ADCCP, or LAPB (Tanenbaum).
Data management
Providing or controlling access to data stored in a computer and the use of inpu
t/output devices.
Data mart
A data mart is a subset of a data warehouse with its goal to make the data avail
able to more decision makers.
Data minimization
A generalization of the principle of variable minimization, in which the standar
dized parts of a message or data are replaced by a much shorter code, thereby re
ducing the risk of erroneous actions or improper use.
Data mining
Data mining is the process of posing a series of queries to extract information
from a database, or data warehouse.
Data origin authentication
The corroboration that the source of data received is as claimed.
Data owner
The authority, individual, or organization who has original responsibility for t
he data by management directive or other. Compare with data custodian.
Data path
The physical or logical route over which data passes. Note that a physical data
path may be shared by multiple logical data paths.
Data privacy
It refers to restrictions to prevent unauthorized people having access to sensit
ive data and information stored on paper or magnetic media and to prevent interc
eption of data.
Data/record retention
Retention periods for all data records, paper, and electronic files should be de
fined to facilitate routine backup, periodic purging (deletion), and archiving o
f records. This practice will protects the organization from failure to comply w
ith external requirements and management guidelines and help it maximize the use
of storage space and magnetic media (e.g., tapes, disks, cassettes, and cartrid
ges).
Data reengineering
(1) A systemlevel process that purifies data definitions and values. This proce
ss establishes a meaningful and nonredundant data definitions and valid and cons
istent data values. (2) It is used to improve the quality of data within a compu
ter system. It examines and alters the data definitions, values, and the use of
data. Data definitions and flows are tracked through the system. This process re
veals hidden data models. Data names and definitions are examined and made consi
stent. Hardcoded parameters that are subject to change may be removed. This pro
cess is important because data problems are often deeply rooted within computer
systems.
Data regrade
Data is regraded when information is transferred from high to low network data a
nd users. Automated techniques such as processing, filtering, and blocking are u
sed during data regrading.
Data release
It is the process of returning all unused disk space to the system when a data s
et is closed at the end of processing.
Data remanence
The residual data that may be left over on a storage medium after it has been er
ased.
Data sanitization
Process to remove information from media such that information recovery is not p
ossible. It includes removing all labels, markings, and activity logs. It is the
changing of content information in order to meet the requirements of the sensit
ivity level of the network to which the information is being sent. It uses autom
atic techniques such as processing, filtering, and blocking during data sanitiza
tion.
Data security
The protection of data from unauthorized (accidental or intentional) modificatio
n, destruction, or disclosure.
Data storage methods
(1) Primary storage is the main generalpurpose storage region directly accessed
by the microprocessor. This storage is called random access memory (RAM), which
is a semiconductorbased memory that can be read by and written to by the CPU o
r other hardware devices. The storage locations can be accessed in any random or
der. The term RAM generally indicates volatile memory that can be written to as
well as read. It loses its contents when the power is turned off. (2) Secondary
storage is the amount of space available on disks and tapes, sometimes called ba
ckup storage. (3) Real storage is the amount of RAM memory in a system, as disti
nguished from virtual memory. Real storage is also called physical memory or phy
sical storage. (4) An application program sees virtual memory to be larger and m
ore uniform than it is. Virtual memory may be partially simulated by secondary s
torage such as a hard disk. Application programs access memory through virtual a
ddresses, which are translated by special hardware and software into physical ad
dresses. Virtual memory is also called disk memory.
Data warehouse
A data warehouse facilitates information retrieval and data analysis as it store
s precomputed, historical, descriptive, and numerical data.
Database administrator (DBA)
A person responsible for the daytoday control and monitoring of the databases,
including data warehouse and data mining activities. The DBA deals with the phy
sical design of the database while the data administrator deals with the logical
design.
Database server
A repository for event information recorded by sensors, agents, or management se
rvers.
Deactivated state
The cryptographic key life cycle state in which a key is not to be used to apply
cryptographic protection to data. Under certain circumstances, the key may be u
sed to process already protected data.
Decision tables
Tabular representation of the conditions, actions, and rules in making a decisio
n. Decision tables provide a clear and coherent analysis of complex logical comb
inations and relationships, and detect logic errors. Used in decisionintensive
and computational application systems.
Decision trees
Graphic representation of the conditions, actions, and rule of decision making.
Used in application systems to develop plans in order to reduce risks and exposu
res. They use probabilities for calculating outcomes.
Decrypt
To convert, by use of the appropriate key, encrypted (encoded or enciphered) tex
t into its equivalent plaintext through the use of a cryptographic algorithm. Th
e term decrypt covers the meanings of decipher and decode.
Decryption
(1) The process of changing ciphertext into plaintext using a cryptographic algo
rithm and key. (2) The process of a confidentiality mode that transforms encrypt
ed data into the original usable data.
Dedicated proxy server
A form of proxy server that has much more limited firewalling capabilities than
an applicationproxy gateway.
Defenseinbreadth
A planned, systematic set of multidisciplinary activities that seek to identify,
manage, and reduce risk of exploitable vulnerabilities at every stage of the sy
stem, network, or subcomponent life cycle (system, network, or product design a
nd development; manufacturing; packaging; assembly; system integration; distribu
tion; operations; maintenance; and retirement). It is a strategy dealing with sc
ope of protection coverage of a system. It is also called supply chain protectio
n control. It supports agile defense strategy.
Defenseindensity
A strategy requiring stronger security controls for high risk and complex system
s and vice versa.
Defenseindepth
(1) Information security strategy integrating people, technology, and operations
capabilities to establish variable barriers across multiple layers and dimensio
ns of information systems. (2) An approach for establishing an adequate informat
ion assurance (IA) posture whereby (i) IA solutions integrate people, technology
, and operations, (ii) IA solutions are layered within and among IT assets, and
(iii) IA solutions are selected based on their relative level of robustness. Imp
lementation of this approach recognizes that the highly interactive nature of in
formation systems and enclaves creates a shared risk environment; therefore, the
adequate assurance of any single asset is dependent upon the adequate assurance
of all interconnecting assets. (3) A strategy dealing with controls placed at m
ultiple levels and at multiple places in a given system. It supports agile defen
se strategy and is the same as securityindepth.
Defenseinintensity
A strategy dealing with a range of controls and protection mechanisms designed i
nto a system.
Defenseintechnology
A strategy dealing with diversity of information technologies used in the implem
depth attribute, hierarchically from less depth to more depth, are basic, focus
ed, and comprehensive.
Design verification
The use of verification techniques, usually computerassisted, to demonstrate a
mathematical correspondence between an abstract (security) model and a formal sy
stem specification.
Designated approving/accrediting authority
The individual selected by an authorizing official to act on their behalf in coo
rdinating and carrying out the necessary activities required during the security
certification and accreditation of an information system.
Desk check reviews
A review of programs by the program author to control and detect program logic e
rrors and misinterpretation of program requirements.
Desktop administrators
These identify changes in login scripts along with Windows Registry or file scan
s, and implement changes in login scripts.
Destroyed compromised state
The cryptographic key life cycle state that zeroizes a key so that it cannot be
recovered and it cannot be used and marks it as compromised, or that marks a des
troyed key as compromised. For record purposes, the identifier and other selecte
d metadata of a key may be retained.
Destroyed state
The cryptographic key life cycle state that zeroizes a key so that it cannot be
recovered and it cannot be used. For record purposes, the identifier and other s
elected metadata of a key may be retained.
Destruction
The result of actions taken to ensure that media cannot be reused as originally
intended and that information is virtually impossible to recover or prohibitivel
y expensive.
Detailed design
A process where technical specifications are translated into more detailed progr
amming specifications, from which computer programs are developed.
Detailed testing
A test methodology that assumes explicit and substantial knowledge of the intern
al structure and implementation detail of the assessment object. Also known as w
hite box testing.
Detective controls
These are actions taken to detect undesirable events and incidents that have occ
urred. Detective controls enhance security by monitoring the effectiveness of pr
eventive controls and by detecting security incidents where preventive controls
were circumvented.
Device communication modes
Three modes of communication between devices include simplex (oneway communicat
ion in one direction), halfduplex (oneway at a time in two directions), and fu
llduplex (twoway directions at the same time). The halfduplex is used when th
e computers are connected to a hub rather than a switch. A hub does not buffer i
ncoming frames. Instead, a hub connects all the lines internally and electronica
lly.
Dialback
Synonymous with callback. This is a technical and preventive control.
Dialup
The service whereby a computer terminal can use the telephone to initiate and ef
fect communication with a computer.
Dictionary attack
A form of guessing attack in which the attacker attempts to guess a password usi
ng a list of possible passwords that is not exhaustive.
Differential cryptanalysis attacks
A technique used to attack any block cipher. It works by beginning with a pair o
f plaintext blocks that differ in only a small number of bits. An attack begins
when some patterns are much more common than other patterns. In doing so, it loo
erson operation can be any authorized user, whereas the second user can be any a
uthorized user different from the first. Another type of DSOD is a historybased
separation of duty, which states that the same subject (role) cannot access the
same object for variable number of times. Popular DSOD policies are the Workflo
w and Chinese wall policies.
Dynamic subsystem
A subsystem that is not continually present during the execution phase of an inf
ormation system. Serviceoriented architectures and cloud computing architecture
s are examples of architectures that employ dynamic subsystems.
Dynamic Web documents
Dynamic Web documents (pages) are written in CGI, PHP, JSP, ASP, JavaScript, and
ActiveX Controls.
E
E2E
Exchangetoexchange (E2E) is an ecommerce model in which electronic exchanges
formally connect to one another for the purpose of exchanging information (e.g.,
stockbrokers/dealers with stock markets and vice versa).
Easter egg
An Easter egg is hidden functionality within an application program, which becom
es activated when an undocumented, and often convoluted, set of commands and key
strokes are entered. Easter eggs are typically used to display the credits given
for the application development team and are intended to be nonthreatening.
Eavesdropping
(1) Passively monitoring network communications for data and authentication cred
entials. (2) The unauthorized interception of informationbearing emanations thr
ough the use of methods other than wiretapping. (3) A passive attack in which an
attacker listens to a private communication. The best way to thwart this attack
is by making it very difficult for the attacker to make any sense of the commun
ication by encrypting all messages. Also known as packet snarfing.
Ebusiness patterns
Patterns for ebusiness are a group of proven reusable assets that can be used t
o increase the speed of developing and deploying netcentric applications, like
Webbased applications.
Education (information security)
Education integrates all of the security skills and competencies of the various
functional specialties into a common body of knowledge and strives to produce IT
security specialists and professionals capable of vision and proactive response
.
Egress filtering
(1) Filtering of outgoing network traffic. (2) Blocking outgoing packets that sh
ould not exit a network. (3) The process of blocking outgoing packets that use o
bviously false Internet Protocol (IP) addresses, such as source addresses from i
nternal networks.
El Gamal algorithm
A signature scheme derived from a modification of exponentiation ciphers. Expone
ntiation is a mathematical process where one number is raised to some power.
Electromagnetic emanation attack
An intelligencebearing signal, which, if intercepted and analyzed, potentially
discloses the information that is transmitted, received, handled, or otherwise p
rocessed by any informationprocessing equipment.
Electromagnetic emanations (EME)
Signals transmitted as radiation through the air and through conductors.
Electromagnetic interference
An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades
or limits the effective performance of electronic or electrical equipment.
Electronic auction (eauction)
Auctions conducted online in which (1) a seller invites consecutive bids from mu
ltiple buyers and the bidding price either increases or decreases sequentially (
forward auction), (2) a buyer invites bids and multiple sellers respond with the
price reduced sequentially, and the lowest bid wins (backward or reverse auctio
n), (3) multiple buyers propose biding prices and multiple sellers respond with
asking prices simultaneously and both prices are matched based on the quantities
of items on both sides (double auction) and (4) sellers and buyers interact in
one industry or for one commodity (vertical auction). Prices are determined dyna
mically through the bidding process. Usually, negotiations and bargaining power
can take place between one buyer and one seller due to supply and demand. Revers
e auction is practiced in B2B or G2B ecommerce. Limitations of eauctions inclu
de minimal security for C2C auctions (i.e., no encryption), possibility of fraud
(i.e., defective products), and limited buyer participation in terms of invitat
ion only or open to dealers only. B2B auctions are secure due to use of private
lines.
Electronic authentication
The process of establishing confidence in user identities electronically present
ed to an information system.
Electronic business XML (ebXML)
Sponsored by UN/CEFACT and OASIS, a modular suite of specifications that enable
enterprises of any size and in any geographical location to perform businessto
business (B2B) transactions using XML.
Electronic commerce (EC)
Using information technology to conduct the business functions such as electroni
c payments and document interchange. It is the process of buying, selling, or ex
changing products, services, or information via computer networks. EC models inc
lude B2B, B2B2C, B2C, B2E, C2B, C2C, and E2E. EC security risks arising from tec
hnical threats include DoS, zombies, phishing, Web server and Web page hijacking
, botnets, and malicious code (e.g., viruses, worms, and Trojan horses) and nont
echnical threats include pretexting and social engineering.
Electronic credentials
Digital documents used in authentication that bind an identity or an attribute t
o a subscribers token.
Electronic data interchange (EDI) system
The electronic transfer of specially formatted standard business documents (e.g.
, purchase orders, shipment instructions, invoices, payments, and confirmations)
sent between business partners. EDI is a direct computertocomputer exchange b
etween two organizations, and it can use either a valueadded network (VANEDI)
or the Internet (WebEDI) with XML standards.
Electronic evidence
Information and data of investigative value that is stored on or transmitted by
an electronic device.
Electronic funds transfer (EFT) system
Customers paying their bills electronically through electronic funds transfers f
rom banks to credit card companies and others.
Electronic mail header
The section of an email message that contains vital information about the messa
ge, including origination date, sender, recipient(s), delivery path, subject, an
d format information. The header is generally left in clear text even when the b
ody of the email message is encrypted. The body contains the actual message.
Electronic serial number (ESN)
(1) A number encoded in each cellular phone that uniquely identifies each cellul
ar telephone manufactured. (2) A unique 32bit number programmed into code divis
ion multiple access (CDMA) phones when they are manufactured.
Electronic signature
A method of signing an electronic message that (1) identifies and authenticates
a particular person as the source of the electronic message and (2) indicates su
ch persons approval of the information contained in the electronic message.
Electronic surveillance
The acquisition of a nonpublic communication by electronic means without the co
nsent of a person who is a party to an electronic communication. It does not inc
lude the use of radio directionfinding equipment solely to determine the locati
on of a transmitter.
Electronic vaulting
Enclave boundary
It is a point at which an enclaves internal network service layer connected to an
external networks service layer (i.e., to another enclave or to a widearea netw
ork).
Encrypt
(1) To convert plaintext into ciphertext, unintelligible forms, through the use
of a cryptographic algorithm. (2) A generic term encompassing encipher and encod
e.
Encrypted cookies
Some websites create encrypted cookies to protect the data from unauthorized acc
ess.
Encrypted file system (EFS)
In an encrypted file system (EFS), keys are used to encrypt a file or group of f
iles. It can either encrypt each file with a distinct symmetric key or encrypt a
set of files using the same symmetric key. The symmetric keys can be generated
from a password using public key cryptography standard (PKCS) and protected with
trusted platform module (TPM) chip through its key cache management. EFS, which
is based on publickey encryption, integrates tightly with the public key infra
structure (PKI) features that have been incorporated into Windows XP. The actual
logic that performs the encryption is a system service that cannot be shut down
. This program feature is designed to prevent unauthorized access, but has an ad
ded benefit of rendering the encryption process completely transparent to the us
er. Each file that a user may encrypt is encrypted using a randomly generated fi
le encryption key (FEK).
Encrypted key (ciphertext key)
A cryptographic key that has been encrypted using an approved security function
with a key encrypting key, a PIN, or a password to disguise the value of the und
erlying plaintext key.
Encrypted network
A network on which messages are encrypted (e.g., using DES, AES, or other approp
riate algorithms) to prevent reading by unauthorized parties.
Encryption
(1) Conversion of plaintext to ciphertext though the use of a cryptographic algo
rithm. (2) The process of changing plaintext into ciphertext for the purpose of
security or privacy.
Encryption algorithm
A set of mathematically expressed rules for rendering data unintelligible by exe
cuting a series of conversions controlled by a key.
Encryption certificate
A certificate containing a public key that is used to encrypt electronic message
s, files, documents, or data transmissions, or to establish or exchange a sessio
n key for these same purposes.
Encryption process
(1) The process of changing plaintext into ciphertext for the purpose of securit
y or privacy. (2) Encryption is the conversion of data into a form, called a cip
hertext, which cannot be easily understood by unauthorized people. (3) It is the
conversion of plaintext to ciphertext through the use of a cryptographic algori
thm. (4) The process of a confidentiality mode that transforms usable data into
an unreadable form.
Endpoint protection platform
It is safeguards implemented through software to protect enduser computers such
as workstations and laptops against attack (e.g., antivirus, antispyware, antia
dware, personal firewalls, and hotbased intrusion detection systems).
Endpoint security
Endpoint protection platforms require endpoint security products such as (1) u
se of antimalware software; if not available, use of rootkit detectors, (2) use
of personal firewalls, (3) use of hostbased intrusion detection and prevention
systems, (4) use of mobile code restrictively, (5) use of cryptography in file
encryption, full disk encryption, and VPN connections, (6) implementation of TLS
or XML gateways or firewalls, (7) placing remote access servers in internal DMZ
, and (8) use of diskless nodes and thin clients with minimal functionality.
Endtoend encryption
(1) Encryption of information at the origin within a communications network and
postponing decryption to the final destination point. (2) Communications encrypt
ion in which data is encrypted when being passed through a network, but routing,
addresses, headers, and trailer information are not encrypted (i.e., remains vi
sible). (3) It is encryption of information at its origin and decryption at its
intended destination without intermediate decryption. This is a technical and pr
eventive control.
Endtoend security
The safeguarding of information in a secure telecommunication system by cryptogr
aphic or protected distribution system means from point of origin to point of de
stination. This is a technical and preventive control.
Endtoend testing
A testing approach to verify that a defined set of interrelated systems that col
lectively support an organizational core business area or function interoperates
as intended in an operational environment. It is conducted when a major system
in the endtoend chain is modified or replaced.
Enduser device
A personal computer (e.g., desktop and laptop), consumer device (e.g., personal
digital assistant [PDA] and smart phone), or removable storage media (e.g., USB
flash drive, memory card, external hard drive, and writeable CD or DVD) that can
store information.
Enhanced messaging service (EMS)
An improved message system for global system for mobile communications (GSM) mob
ile phone allowing picture, sound, animation, and text elements to be conveyed t
hrough one or more concatenated short message service (SMS).
Enterprise architecture
The description of an enterprises entire set of information systems: how they are
configured, how they are integrated, how they interface to the external environ
ment at the enterprises boundary, how they are operated to support the enterprise
mission, and how they contribute to the enterprises overall security posture.
Entity
(1) Any participant in an authentication exchange; such a participant may be hum
an or nonhuman, and may take the role of the claimant and/or verifier. (2) It is
either a subject (an active element generally in the form of a person, process,
or device that causes information to flow among objects or changes the system s
tate) or an object (a passive element that contains or receives information). No
te: Access to an object potentially implies access to the information it contain
s. (3) It is an active element in an open system. (4) It is an individual (perso
n) or organization, device, or process. (5) A collection of information items co
nceptually grouped together and distinguished from their surroundings. An entity
(party) is described by its attributes, and entities can be linked or have rela
tionships to other entities (parties).
Entity integrity
A tuple in a relation cannot have a null value for any of the primary key attrib
utes.
Entityrelationshipattribute (ERA) diagram
Used for data intensive application systems and shows the relationships between
entities and attributes of a system.
Entrapment
The deliberate planting of apparent flaws in a system for the purpose of detecti
ng attempted penetrations.
Entropy
(1) The uncertainty of a random variable. (2) A measure of the amount of uncerta
inty that an attacker faces to determine the value of a secret. Entropy is usual
ly stated in bits.
Environmental failure protection
The use of features to protect against a compromise of the security of a cryptog
raphic module due to environmental conditions or fluctuations outside of the mod
(1) Placing an electronic cryptographic key and rules for its retrieval into a s
torage medium maintained by a rusted third party. (2) Something (e.g., a documen
t, software source code, or an encryption key) that is delivered to a third pers
on to be given to the grantee only upon the fulfillment of a condition or a cont
ract.
Ethernet
Ethernet is the most widely installed protocol for localarea network (LAN) tech
nology. It uses CSMA/CD for channel allocation. Older versions of Ethernet used
a thick coaxial original cable (classic Ethernet), which is obsolete now. Newer
versions of Ethernet use a thin coaxial cable with no hub needed, twistedpair w
ire (low cost), fiber optics (good between buildings), and switches. Because the
Internet Protocol (IP) is a connectionless protocol, it fits well with the conn
ectionless Ethernet protocol. Ethernet uses the bus topology. Ethernet is classi
fied as thick, thin, fast, switched, and gigabit Ethernet based on the cable use
d and the speed of service. Ethernet operates in the data link layer of the ISO/
OSI reference model based on the IEEE 802.3 standard and uses the 48bit address
ing scheme. The gigabit Ethernet supports both fullduplex and halfduplex commu
nication modes, and because no connection is possible, the CSMA/CD protocol is n
ot used.
Evaluation
The process of examining a computer product or system with respect to certain cr
iteria.
Evaluation assurance level (EAL)
One of seven increasingly rigorous packages of assurance requirements from Commo
n Criteria (CC) Part 3. Each numbered package represents a point on the CCs prede
fined assurance scale. An EAL can be considered a level of confidence in the sec
urity functions of an IT product or system.
Event
(1) Something that occurs within a system or network. (2) Any observable occurre
nce in a network or system.
Event aggregation
The consolidation of similar log entries into a single entry containing a count
of the number of occurrences of the event.
Event correlation
Finding relationships between two or more log entries.
Event normalization
Covering each log data field to a particular data representation and categorizin
g it consistently.
Event reduction
Removing unneeded data fields from all log entries to create a new log that is s
maller in size.
Evidence life cycle
The evidence life cycle starts with evidence collection and identification; anal
ysis; storage; preservation and transportation; presentation in court; and ends
when the evidence is returned to the victim (owner). The evidence life cycle is
connected with the chain of evidence.
Examine
A type of assessment method that is characterized by the process of checking, in
specting, reviewing, observing, studying, or analyzing one or more assessment ob
jects to facilitate understanding, achieve clarification, or obtain evidence, th
e results of which are used to support the determination of security control eff
ectiveness over time.
ExclusiveOR operation (XOR)
The bitwise addition, modulo 2, of two bit strings of equal length.
Exculpatory evidence
Evidence that tends to decrease the likelihood of fault or guilt.
Executive steering committee
Committees that manage the information portfolio of the organization.
Exhaustive search attack
Uses computer programs to search for a password for all possible combinations. A
A private network that uses web technology, permitting the sharing of portions o
f an enterprises information or operations with suppliers, vendors, partners, cus
tomers, or other enterprises.
F
Failover
(1) The capability to switch over automatically without human intervention or wa
rning to a redundant or standby information system upon the failure or abnormal
termination of the previously active system. (2) It is a backup concept in that
when the primary system fails, the backup system is automatically activated.
Failsafe
An automatic protection of programs and/or processing systems when hardware or s
oftware failure is detected in a computer system. It is a condition to avoid com
promise in the event of a failure or have no chance of failure. This is a techni
cal and corrective control.
Failsafe default
Asserts that access decisions should be based on permission rather than exclusio
n. This equates to the condition in which lack of access is the default, and the
protection scheme recognizes permissible actions rather than prohibited actions.
Also, failures due to flaws in exclusionbased systems tend to grant (unauthoriz
ed) permissions, whereas permissionbased systems tend to failsafe with permiss
ion denied.
Failsecure
The system preserves a secure condition during and after an identified failure.
Failsoft
A selective termination of affected nonessential processing when hardware or sof
tware failure is determined to be imminent in a computer system. A computer syst
em continues to function because of its resilience. Examples of its application
can be found in distributed data processing systems. This is a technical and cor
rective control.
Failstop processor
A processor that can constrain the failure rate and protects the integrity of da
ta. However, it is likely to be more vulnerable to denialofservice (DoS) attac
ks.
Failure
It is a discrepancy between external results of a programs operation and software
product requirements. A software failure is evidence of software faults.
Failure access
A type of incident in which unauthorized access to data results from hardware or
software failure.
Failure control
A methodology used to detect imminent hardware or software failure and provide f
ailsafe or failsoft recovery in a computer system (ANSI and IBM).
Failure rate
The number of times the hardware ceases to function in a given time period.
Fallback procedures
(1) In the event of a failure of transactions or the system, the ability to fall
back to the original or alternate method for continuation of processing. (2) The
ability to go back to the original or alternate method for continuation of comp
uter processing.
False acceptance
When a biometric system incorrectly identifies an individual or incorrectly veri
fies an impostor against a claimed identity.
False acceptance rate (FAR)
The probability that a biometric system will incorrectly identify an individual
or will fail to reject an impostor. The rate given normally assumes passive impo
stor attempts. The FAR is stated as the ratio of the number of false acceptances
divided by the number of identification attempts.
False match rate
Alternative to false acceptance rate. Used to avoid confusion in applications th
at reject the claimant if their biometric data matches that of an applicant.
False negative
(1) An instance of incorrectly classifying malicious activity or content as beni
gn. (2) An instance in which a security tool intended to detect a particular thr
eat fails to do so. (3) When a tool does not report a security weakness where on
e is present.
False nonmatch rate
Alternative to false rejection rate. Used to avoid confusion in applications tha
t reject the claimant if their biometric data matches that of an applicant.
False positive
(1) An instance in which a security tool incorrectly classifies benign activity
or content as malicious. (2) When a tool reports a security weakness where no we
akness is present. (3) An alert that incorrectly indicates that malicious activi
ty is occurring.
False positive rate
The number of false positives divided by the sum of the number of false positive
s and the number of true positives.
False rejection
When a biometric system fails to identify an applicant or fails to verify the le
gitimate claimed identity of an applicant.
False rejection rate (FRR)
The probability that a biometric system will fail to identify an applicant, or v
erify the legitimate claimed identity of an applicant. The FRR is stated as the
ratio of the number of false rejections divided by the number of identification
attempts.
Fault
A physical malfunction or abnormal pattern of behavior causing an outage, error,
or degradation of communications services on a communications network. Fault de
tection, error recovery, and failure recovery must be built into a computer syst
em to tolerate faults.
Fault injection testing
Unfiltered and invalid data are injected as input into an application program to
detect faults in resource operations and execution functions.
Fault management
The prevention, detection, reporting, diagnosis, and correction of faults and fa
ult conditions. Fault management includes alarm surveillance, trouble tracking,
fault diagnosis, and fault correction.
Faulttolerance mechanisms
The ability of a computer system to continue to perform its tasks after the occu
rrence of faults and operate correctly even though one or more of its component
parts are malfunctioning. Synonymous with resilience.
Fault tolerant controls
The ability of a processor to maintain effectiveness after some subsystems have
failed. These are hardware devices or software products such as disk mirroring o
r server mirroring aimed at reducing loss of data due to system failures or huma
n errors. It is the ability of a processor to maintain effectiveness after some
subsystems have failed. This is a technical and preventive control and ensures a
vailability control.
Faulttolerant programming
Fault tolerant programming is robust programming plus redundancy features, and i
s partially similar to Nversion programming.
Feature
An advantage attributed to a system.
Federated trust
Trust established within a federation, enabling each of the mutually trusting re
alms to share and use trust information (e.g., credentials) obtained from any of
the other mutually trusting realms.
Federation
A collection of realms (domains) that have established trust among themselves. T
he level of trust may vary, but typically include authentication and may include
authorization.
Fetch protection
A systemprovided restriction to prevent a program from accessing data in anothe
r users segment of storage. This is a technical and preventive control.
Fiberoptic cable
A method of transmitting light beams along optical fibers. A light beam, such as
that produced in a laser, can be modulated to carry information. A single fiber
optic channel can carry significantly more information than most other means of
information transmission. Optical fibers are thin strands of glass or other tra
nsparent material.
File
(1) A collection of related records. (2) A collection of information logically g
rouped into a single entity and referenced by a unique name, such as a filename.
File descriptor attacks
File descriptors are nonnegative integers that the system uses to keep track of
files rather than using specific filenames. Certain file descriptors have impli
ed uses. When a privileged program assigns an inappropriate file descriptor, it
exposes that file to compromise.
File encryption
The process of encrypting individual files on a storage medium and permitting ac
cess to the encrypted data only after proper authentication is provided.
File encryption key (FEK)
Each owners file is encrypted under a different randomly generated symmetric file
encryption key (FEK).
File infector virus
A virus that attaches itself to executable program files, such as word processor
s, spreadsheet applications, and computer games.
File integrity checker
Software that generates, stores, and compares message digests for files to detec
t changes to the files.
File protection
The aggregate of all processes and procedures in a system designed to inhibit un
authorized access, contamination, or deletion of a file.
File security
The means by which access to computer files is limited to authorized users only.
File server
Sends and receives data between workstation and the server.
File system
A mechanism for naming, storing, organizing, and accessing files stored on logic
al volumes.
File transfer protocol (FTP)
A means to exchange remote files across a TCP/IP network and requires an account
on the remote computer. Different versions of FTP include trivial FTP (not secu
re), secure FTP, and anonymous FTP using the username anonymous (not secure).
Finger table
Used for node lookup in peertopeer (P2P) networks. Each node maintains a finge
r table with entries, indexes, and node identifiers. Each node stores the IP add
resses of the other nodes.
Finite state machine (FSM) model
The finite state machine (FSM) model is used for protocol modeling to demonstrat
e the correctness of a protocol. Mathematical techniques are used in specifying
and verifying the protocol correctness. In FSM, each protocol machine of the sen
der or receiver is in a specific state, consisting of all the values of its vari
ables and the program counter. From each state, there are zero or more possible
transitions to other states. FSM is a mathematical model of a sequential machine
that is composed of a finite set of input events, a finite set of output events
, a finite set of states, a function that maps states and input to output, a fun
ction that maps states and inputs to states (a state transition function), and a
specification that describes the initial state. FSMs are used for realtime app
lication systems requiring better user interface mechanisms (menudriven systems
). In other words, FSM defines or implements the control structure of a system.
Firewall
(1) A process integrated with a computer operating system that detects and preve
nts undesirable applications and remote users from accessing or performing opera
tions on a secure computer; security domains are established which require autho
rization to enter. (2) A product that acts as a barrier to prevent unauthorized
or unwanted communications between sections of a computer network. (3) A device
or program that controls the flow of network traffic between networks or hosts t
hat employ differing security postures. (4) A gateway that limits access between
networks in accordance with local security policy. (5) A system designed to pre
vent unauthorized accesses to or from a private network. (6) Often used to preve
nt Internet users from accessing private networks connected to the Internet.
Firewall control proxy
The component that controls a firewalls handling of a call. The firewall control
proxy can instruct the firewall to open specific ports that are needed by a call
, and direct the firewall to close these ports at call termination.
Firewall environment
A firewall environment is a collection of systems at a point on a network that t
ogether constitute a firewall implementation. The environment could consist of o
ne device or many devices such as several firewalls, intrusion detection systems
, and proxy servers.
Firewall platform
A firewall platform is the system device upon which a firewall is implemented. A
n example of a firewall platform is a commercial operating system running on a p
ersonal computer.
Firewall rule set
A firewall rule set is a table of instructions that the firewall uses for determ
ining how packets should be routed between its interfaces. In routers, the rule
set can be a file that the router examines from top to bottom when making routin
g decisions.
Firmware
(1) Software permanently installed inside the computer as part of its main memor
y to provide protection from erasure or loss if electrical power is interrupted.
(2) The programs and data components of a cryptographic module that are stored
in hardware within the cryptographic boundary and cannot be dynamically written
or modified during execution.
Fitgap analysis
This analysis is a common technique, which can be applied to help define the nat
ure of the required service components. It examines the components within the co
ntext of requirements and makes a determination as to the suitability of the ser
vice component.
Flash ROM
Flash read only memory (ROM) is nonvolatile memory that is writable.
Flaw
An error of commission, omission, or oversight in a system that allows protectio
n mechanisms to be bypassed or disabled. Synonymous with loophole or fault.
Flawbased DoS attacks
These make use of software errors to consume resources. Patching and upgrading s
oftware can prevent the flawbased DoS attacks.
Flooding
Sending large numbers of messages to a host or network at a high rate.
Flooding attacks
Flooding attacks most often involve copying valid service requests and resending
them to a service provider. The attacker may issue repetitive SOAP/XML messages
in an attempt to overload the Web service. This type of activity may not be det
ected as an intrusion because the source IP address is valid, the network packer
behavior is valid, and the SOAP/XML message is well formed. But the business b
ehavior is not legitimate resulting in a DoS attack. Techniques for detecting an
d handling DoS can be applied against flooding attacks.
Flow
A particular network communication session occurring between hosts.
Flow control
A strategy for protecting the contents of information objects from being transfe
rred to objects at improper security levels. It is more restrictive than access
control.
Flowsensitive analysis
Analysis of a computer program that takes into account the flow of control.
Focused testing
A test methodology that assumes some knowledge of the internal structure and imp
lementation detail of the assessment object. Focused testing is also known as gr
ay box testing.
Folder
An organizational structure used by a file system to group files.
Folder encryption
The process of encrypting individual folders on a storage medium and permitting
access to the encrypted files within the folders only after proper authenticatio
n is provided.
Forensic computer
The practice of gathering, retaining, and analyzing computerrelated data for in
vestigative purposes in a manner that maintains the integrity of the data.
Forensic copy
An accurate bitforbit reproduction of the information contained on an electron
ic device or associated media, whose validity and integrity has been verified us
ing an accepted algorithm.
Forensic hash
It is used to maintain the integrity of an acquired data by computing a cryptogr
aphically strong, nonreversible hash value over the acquired data. A hash code
value is computed using several algorithms.
Forensic process
It is the process of collecting, examining, analyzing, and reporting of facts to
gain a better understanding of an event of interest.
Forensic specialist
A professional who locates, identifies, collects, analyzes, and examines data wh
ile preserving the data s integrity and maintaining a strict chain of custody of
information discovered.
Formal verification
The process of using formal proofs to demonstrate the consistency (design verifi
cation) between a formal specification of a system and a formal security policy
model or (implementation verification) between the formal specification and its
program implementation.
Forward cipher
One of the two functions of the block cipher algorithm that is selected by the c
ryptographic key.
Forward engineering
The traditional process of moving from highlevel abstractions and logical, impl
ementationindependent designs to the physical implementation of a system.
Frame relay
A type of fast packet technology using variable length packets called frames. By
contrast, a cellrelay system such as asynchronous transfer mode (ATM) transpor
ts user data in fixedsized cells.
Freeware
Software made available to the public at no cost. The author retains the copyrig
ht rights and can place restrictions on the programs use.
Frequency analysis attacks
A sequence of letters and words used in cryptographic keys, messages, and conver
sations between people when they are transforming the plaintext into ciphertext.
This transformation is of two types: substitution and permutation. Both substit
ution ciphers (shifts the letters and words used in the plaintext) and transposi
tion ciphers (permutes or scrambles the letters and words used in the plaintext)
are subject to frequency analysis attack. These ciphers can be simple or comple
x, where the former uses a short sequence of letters and words and the latter us
es a long sequence of letters and words. The goal of the attacker is to determin
e the cryptographic key used in the transformation of the plaintext into the cip
hertext to complete his attack.
Frontend processors (FEP)
A frontend processor (FEP) is a programmedlogic or storedprogram device that
interfaces data communication equipment with an input/output bus or the memory o
f a data processing computer.
Full disk encryption (FDE)
The process of encrypting all the data on the hard drive used to boot a computer
, including the computers operating system, and permitting access to the data onl
y after successful authentication with the full disk encryption product. FDE is
also called whole disk encryption.
Fullscale testing
Fullscale testing or fullinterruption testing is disruptive and costly to an o
rganizations business processes and operations as computer systems will not be av
ailable on a 247 schedule.
Full tunneling
A method that causes all network traffic to go through the tunnel to the organiz
ation.
Fully connected topology
Fully connected topology is a network topology in which there is a direct path (
branch) between any two nodes. With n nodes, there are n (n1) / 2 direct paths or
branches.
Functional design
A process in which the users needs are translated into a systems technical specifi
cations.
Functional testing
The portion of security testing in which the advertised security mechanisms of a
system are tested, under operational conditions, for correct operation. This is
a management and preventive control.
Functionality
Distinct from assurance, the functional behavior of a system. Functionality requ
irements include confidentiality, integrity, availability, authentication, and s
afety.
Fuzz testing
Similar to fault injection testing in that invalid data is input into the applic
ation via the environment, or input by one process into another process. Fuzz te
sting is implemented by tools called fuzzers, which are programs or script that
submit some combination of inputs to the test target to reveal how it responds.
Fuzzy logic
It uses set theory, which is a mathematical notion that an element may have part
ial membership in a set. Fuzzy logic is used in insurance and financial risk ass
essment application systems.
G
G2B
Governmenttobusiness (G2B) is an electronic government (egovernment) model wh
ere interactions are taking place between governments and businesses and vice ve
rsa. Examples of interactions include procurement and acquisition transactions w
ith business entities and payments to them (e.g., U.S. DoD doing business with D
efense Contractors). Reverse auction is practiced in B2B or G2B ecommerce.
G2C
Governmenttocitizens (G2C) is an electronic government model where interaction
s are taking place between a government and its citizens. Examples of interactio
ns include entitlement payments (e.g., retirement and Medicare benefits), tax re
ceipts, and refund payments.
G2E
Governmenttoemployees (G2E) is an electronic government model where interactio
ns are taking place between government agencies and their employees.
G2G
Governmenttogovernment (G2G) is an electronic government model where interacti
ons are taking place within a government agency and those between other governme
nt agencies.
Galois counter mode (GCM) algorithm
Provides authenticated encryption and authenticated decryption functions for bot
h confidential data and non confidential data. Each of these functions is relat
ively efficient and parallel; consequently, highthroughput implementations are
possible in both hardware and software. GCM provides stronger authentication ass
urance than a noncryptographic checksum or error detecting code; in particular,
GCM can detect both accidental modifications of the data and intentional, unaut
horized modifications. The GCM is constructed with a symmetric key block cipher
key a block size of 128 bits and a key size of at least 128 bits. The GCM is a m
ode of operation of the AES algorithm.
Galois message authentication code (GMAC)
Provides authenticated encryption and authenticated decryption for nonconfident
ial data only. GMAC is a specialized GCM when the GCM input is restricted to dat
a that is not be encrypted; and GMAC is simply an authentication mode on the inp
ut data.
Gateway
It is an interface between two networks and a means of communicating between net
works. It is designed to reduce the problems of interfacing different networks o
r devices. The networks involved may be any combination of local networks that e
mploy different level protocols or local and longhaul networks. It facilitates
compatibility between networks by converting transmission speeds, protocols, cod
es, or security measures. Gateways operate in the application layer and transpor
t layer of the ISO/OSI reference model.
General packet radio service (GPRS)
A packet switching enhancement to global system for mobile communications (GSM)
and time division multiple access (TDMA) wireless networks to increase data tran
smission speeds.
General support system (GSS)
An interconnected information resource under the same direct management controls
that share common functionality. It normally includes hardware, software, infor
mation, data, applications, communications, facilities, and people and provides
support for a variety of users and/or applications. Individual applications supp
ort different missionrelated functions. Users may be from the same or different
organizations.
Generalized testing
A test methodology that assumes no knowledge of the internal structure and imple
mentation detail of the assessment object. Also known as blackbox testing.
Global positioning system (GPS)
(1) A system for determining position by comparing radio signals from several sa
tellites. (2) A network of satellites providing precise location determination t
o receivers.
Global supply chain
A system of organizations, people, activities, information, and resources, inter
national in scope, involved in moving products or services from supplier/produce
r to consumer/customer.
Global system for mobile communications (GSM)
A set of standards for second generation cellular networks currently maintained
by the third generation partnership project (3GPP).
Gopher
A protocol designed to allow a user to transfer text or binary files among compu
ter hosts across networks.
Graduated security
A security system that provides several levels (e.g., low, moderate, or high) of
protection based on threats, risks, available technology, support services, tim
e, human concerns, and economics.
Granularity
(1) An expression of the relative size of a data object. (2) The degree to which
access to objects can be restricted. (3) Granularity can be applied to both the
Hacker
Any unauthorized user who gains, or attempts to gain, access to an information s
ystem, regardless of motivation.
Handler
A type of program used in distributed denialofservice (DDoS) attacks to contro
l agents distributed throughout a network. Also refers to an incident handler, w
hich refers to a person who performs computersecurity incident response work.
Handshake
Involves passing special characters (XON/XOFF) between two devices or between tw
o computers to control the flow of information. When the receiving computer cann
ot continue to receive data, it transmits an XOFF that tells the sending compute
r to stop transmitting. When transmission can resume, the receiving computer sig
nals the sending computer with an XON. Two types of handshake exist: hardware an
d software. The hardware handshake uses nondata wires for transmission and the
software handshake uses data wires as in modemtomodem communications over tele
phone lines.
Handshaking procedure
A dialogue between two entities (e.g., a user and a computer, a computer and ano
ther computer, or a program and another program) for the purpose of identifying
and authenticating the entities to one another.
Hardening
Configuring a hosts operating system and application systems to reduce the hosts s
ecurity weaknesses.
Hardware and software monitors
Hardware monitors work by attaching probes to processor circuits and detecting a
nd recording events at those probes. Software monitors are programs that execute
in a computer system to observe and report on the behavior of the system.
Hardware segmentation
The principle of hardware segmentation provides hardware transparency when hardw
are is designed in a modular fashion and when it is interconnected. A failure in
one module should not affect the operation of other modules. Similarly, a modul
e attacked by an intruder should not compromise the entire system. System archit
ecture should be arranged so that vulnerable networks or network segments can be
quickly isolated or taken offline in the event of an attack. Examples of hardw
are that need to be segmented includes network switches, physical circuits, and
power supply equipment.
Hardware tokens
Hardware tokens (also called hard tokens or eTokens) are devices with computing
capability integrated into the device.
Hash algorithm
Algorithm that creates a hash based on a message.
Hashbased message authentication code (HMAC)
(1) A symmetric key authentication method using hash function. (2) A message aut
hentication code (MAC) that uses a cryptographic key in conjunction with a hash
function. (3) A MAC that utilizes a keyed hash.
Hash code
The string of bits that is the output of a hash function.
Hash function
A function that maps a bit string of arbitrary length to a fixed length bit stri
ng. Approved hash functions satisfy the following properties: (1) oneway states
that it is computationally infeasible to find any input that maps to any presp
ecified output, and (2) collision resistant states that it is computationally in
feasible to find any two distinct inputs that map to the same output. The hash f
unction may be used to produce a checksum, called a hash value or message digest
, for a potentially long string or message.
Hash total
The use of specific mathematical formulae to produce a quantity (often appended
to and) used as a checksum or validation parameter for the data it protects. Thi
s is a technical and detective control.
Hash value
(1) The fixedlength bit string produced by a hash function. (2) The result of a
pplying a hash function to information. See message digest.
Hashing
The process of using a mathematical algorithm against data to produce a numeric
value that is representative of that data.
Hedging
Taking a position opposite to the exposure or risk. Because they reduce exposure
s and risks, risk mitigation techniques are examples of hedging.
High assurance guard
An enclave boundary protection device that controls access between a LAN that an
enterprise system has a requirement to protect, and an external network that is
outside the control of the enterprise system, with a high degree of assurance.
High availability
A failover feature to ensure availability during device or component interruptio
ns.
Highimpact system
An information system in which at least one security objective (i.e., confidenti
ality, integrity, or availability) is assigned a potential impact value of high.
Highlevel data link control (HDLC) protocol
HDLC is a bitoriented protocol with frame structure consisting of address, cont
rol, data, and checksum (cyclic redundancy code) fields (Tanenbaum).
Hijacking
An attack that occurs during an authenticated session with a database or system.
The attacker disables a users desktop system, intercepts responses from the appl
ication, and responds in ways that probe the session.
Holderofkey assertion
An assertion that contains a reference to a symmetric key or a public key (corre
sponding to a private key) possessed by the subscriber. The relying party may re
quire the subscriber to prove their identity.
Honeynet
A network of honeypots designed to attract hackers so that their intrusions can
be detected and analyzed, and to study the hackers behavior. Organizations should
consult their legal counsel before deploying a honeynet for any legal ramificat
ions of monitoring an attackers activity.
Honeypot
A fake production system designed with firewalls, routers, Web services, and dat
abase servers that looks like a real production system, but acts as a decoy and
is studied to see how attackers do their work. It is a host computer that is des
igned to collect data on suspicious activity and has no authorized users other t
han security administrators and attackers. Organizations should consult their le
gal counsel before deploying a honeypot for any legal ramifications of monitorin
g an attackers activity.
Host
(1) Any node that is not a router. (2) Any computerbased system connected to th
e network and containing the necessary protocol interpreter software to initiate
network access and carry out information exchange across the communications net
work. (3) The term can refer to almost any kind of computer, including a central
ized mainframe that is a host to its terminals, a server that is host to its cli
ents, or a desktop personal computer (PC) that is host to its peripherals. In ne
twork architectures, a client station (users machine) is also considered a host b
ecause it is a source of information to the network, in contrast to a device, su
ch as a router or switch that directs traffic. This definition encompasses typic
al mainframe computers and workstations connected directly to the communications
subnetwork and executing the intercomputer networking protocols. A terminal i
s not a host because it does not contain the protocol software needed to perform
information exchange. A router or switch is not a host either. A workstation is
a host because it does have such capability. Host platforms include operating s
ystems, file systems, and communications stacks.
Hostbased firewall
A softwarebased firewall installed on a server to monitor and control its incom
A security control that has the properties of both a common security control and
a systemspecific security control (i.e., one part of the control is deemed to
be common, whereas another part of the control is deemed to be systemspecific).
Hybrid topology
Hybrid topology is a combination of any two different basic network topologies (
e.g., combination of star topology and bus topology). The tree topology is an ex
ample of a hybrid topology where a linear bus backbone connects starconfigured
networks.
Hyperlink
An electronic link providing direct access from one distinctively marked place i
n a hypertext or hypermedia document to another in the same or a different docum
ent.
Hypertext markup language (HTML)
A markup language that is a subset of standard generalized markup language (SGML
) and is used to create hypertext and hypermedia documents on the Web incorporat
ing text, graphics, sound, video, and hyperlinks. It is a mechanism used to crea
te Web pages on the Internet.
Hypertext transfer protocol (HTTP)
(1) The native protocol of the Web, used to transfer hypertext documents on the
Internet. (2) A standard method for communication between clients and Web server
s.
Hypervisor
The hypervisor or virtual machine (VM) monitor is an additional layer of softwar
e between an operating system and hardware platform that is used to operate mult
itenant VMs in cloud services. Besides virtualized resources, the hypervisor nor
mally supports other application programming interfaces (APIs) to conduct admini
strative operations, such as launching, migrating, and terminating VM instances.
It is the virtualization component that manages the guest operating systems (OS
s) on a host and controls the flow of instructions between the guest OSs and the
physical hardware. Compared with a traditional nonvirtualized implementation,
the addition of a hypervisor causes an increase in the attack surface, which is
risky.
I
Identification
(1) The process of verifying the identity of a user, process, or device, usually
as a prerequisite for granting access to resources in an IT system. (2) The pro
cess of discovering the true identity (i.e., origin, initial history) of a perso
n or item from the entire collection of similar persons or items. Identification
comes before authentication.
Identifier
A unique data string used as a key in the biometric system to name a persons iden
tity and its associated attributes.
Identity
(1) A unique name of an individual person. Because the legal names of persons ar
e not necessarily unique, the identity of a person must include sufficient addit
ional information (for example, an address or some unique identifier such as an
employee or account number) to make the complete name unique. (2) It is informat
ion that is unique within a security domain and which is recognized as denoting
a particular entity within that domain. (3) The set of physical and behavioral c
haracteristics by which an individual is uniquely recognizable.
Identitybased access control (IBAC)
An access control mechanism based only on the identity of the subject and object
. An IBAC decision grants or denies a request based on the presence of an entity
on an access control list. IBAC and discretionary access control are considered
equivalent.
Identitybased security policy
A security policy based on the identities and/or attributes of the object (syste
m resource) being accessed and of the subject (e.g., user, group of users, proce
ss, or device) requesting access.
Identity binding
Information flow
The sequence, timing, and direction of how information proceeds through an organ
ization.
Information flow control
Access control based on restricting the information flow into an object (e.g., B
ell and La Padula model).
Information owner
An official with responsibility for establishing controls for information genera
tion, collection, processing, dissemination, and disposal.
Information portal
A single point of access through a Web browser to business information inside an
d/or outside an organization.
Information quality
Information quality is composed of three elements such as utility, integrity, an
d objectivity.
Information resources
Information and related resources, such as personnel, equipment, funds, and info
rmation technology.
Information rights
The rights that individuals and organizations have regarding information that pe
rtains to them.
Information security
The protection of information and information systems from unauthorized access,
use, disclosure, disruption, modification, or destruction in order to provide co
nfidentiality, integrity, and availability.
Information security architecture
An embedded, integral part of the enterprise architecture that describes the str
ucture and behavior for an enterprises security processes, information security s
ystems, personnel and organizational subunits, showing their alignment with the
enterprises mission and strategic plans.
Information security policy
Aggregate of directives, regulations, rules, and practices that prescribe how an
organization manages, protects, and distributes information.
Information security program plan
A formal document that provides an overview of the security requirements for an
organizationwide information security program and describes the program managem
ent controls and common controls in place or planned for meeting those requireme
nts.
Information system (IS)
A discrete set of information resources organized for the collection, processing
, maintenance, use, sharing, dissemination, or disposition of information.
Information system owner
An official responsible for the overall procurement, development, integration, m
odification, or operation and maintenance of an information system.
Information system resilience
The ability of an information system to continue to: (1) operate under adverse c
onditions or stress, even if in a degraded or debilitated state, while maintaini
ng essential operational capabilities; and (2) recover to an effective operation
al posture in a time frame consistent with mission needs. It supports agile defe
nse strategy and is the same as resilience.
Information system security officer (ISSO)
Individual assigned responsibility by the senior agency information security off
icer, authorizing official, management official, or information system owner for
ensuring the appropriate operational security posture is maintained for an info
rmation system or program.
Informationsystems (IS) security
The protection afforded to information systems in order to preserve the availabi
lity, integrity, and confidentiality of the systems and information contained wi
thin the systems. Such protection is the application of the combination of all s
ecurity disciplines that will, at a minimum, include communications security, em
it.
Input block
A data block that is an input to either the forward cipher function or the inver
se cipher function of the block cipher algorithm.
Insider attack
An attack originating from inside a protected network, either malicious or nonma
licious.
Instant messaging (IM)
A facility for exchanging messages in realtime with other people over the Inter
net and tracking the progress of the conversation.
Integrated services digital network (ISDN)
A worldwide digital communications network evolving from existing telephone serv
ices. The goal of ISDN is to replace the current analog telephone system with to
tally digital switching and transmission facilities capable of carrying data ran
ging from voice to computer transmission, music, and video. Computers and other
devices are connected to ISDN lines through simple, standardized interfaces. Whe
n fully implemented, ISDN is expected to provide users with faster, more extensi
ve communications services in data, video, and voice.
Integration test
A process to confirm that program units are linked together and that they interf
ace with files or databases correctly. This is a management and preventive contr
ol.
Integrity
(1) The property that protected and sensitive data has not been modified or dele
ted in an unauthorized and undetected manner. (2) Preservation of the original q
uality and accuracy of data in written or electronic form. (3) Guarding against
improper information modification or destruction, (4) Ensuring information nonre
pudiation and authenticity. (5) The ability to detect even minute changes in the
data.
Integrity level
A level of trustworthiness associated with a subject or object.
Intellectual property
Useful artistic, technical, and/or industrial information, knowledge or ideas th
at convey ownership and control of tangible or virtual usage and/or representati
on.
Intended signatory
An entity that intends to generate digital signatures in the future.
Interception
The process of slipping in between communications and hijacking communications c
hannels.
Interdiction
The act of impeding or denying the use of a computer system resource to a user.
Interface
The common boundary between independent systems or modules where communication t
akes place.
Interface profile
The subcomponent that provides the capability to customize the component for va
rious users. The interface profile can specify the business rules and workflow t
hat are to be executed when the component is initialized or it can be tailored t
o suit different deployment architectures and business rules. The profile can sp
ecify the architectural pattern that complements the service component.
Interfile analysis
Analysis of code residing in different files that have procedural, data, or othe
r interdependencies.
Internal border gateway protocol (IBGP)
A border gateway protocol operation communicating routing information within an
autonomous system.
Internal control
A process within an organization designed to provide reasonable assurance regard
ing the achievement of the following primary objectives (1) the reliability and
mmunications, and the level and type of security protections that will character
ize the VPN. The most widely used key management protocol is the Internet key ex
change (IKE) protocol. IPsec is a standard consisting of IPv6 security features
ported over to the current version of IPv4. IPsec security features provide conf
identiality, data integrity, and nonrepudiation services.
Internet service provider (ISP)
ISP is an entity providing a network connection to the global Internet.
Interoperability
(1) A measure of the ability of one set of entities to physically connect to and
logically communicate with another set of entities. (2) The ability of two or m
ore systems or components to exchange information and to use the information tha
t has been exchanged. (3) The capability of systems, subsystems, or components t
o communicate with one another, to exchange services, and to use information inc
luding content, format, and semantics.
Interoperability testing
Testing to ensure that two or more communications products (hosts or routers) ca
n interwork and exchange data.
Interpreted virus
A virus that is composed of source code that can be executed only by a particula
r application or service.
Interpreter
(1) A program that processes a script or other program expression and carries ou
t the requested action, in accordance with the language definition. (2) A suppor
t program that reads a single source statement, translates that statement to mac
hine language, executes those machinelevel instructions, and then moves on to t
he next source statement. An interpreter operates on a load and go method.
Interprocedural analysis
Analysis between calling and called procedures within a computer program.
Intranet
A private network that is employed within the confines of a given enterprise (e.
g., internal to a business or agency). An organizations intranet is usually prote
cted from external access by a firewall. An intranet is a network internal to an
organization but that runs the same protocols as the network external to the or
ganization (i.e., the Internet). Every organizational network that runs the TCP/
IP protocol suite is an Intranet.
Intrusion
Attacks or attempted attacks from outside the security perimeter of an informati
on system, thus bypassing the security mechanisms.
Intrusion detection
(1) Detection of breakins or breakin attempts either manually or via software
expert systems that operate on logs or other information available on the networ
k. (2) The process of monitoring the events occurring in a computer system or ne
twork and analyzing them for signs of possible incidents.
Intrusion detection and prevention system (IDPS)
Software that automates the process of monitoring the events occurring in a comp
uter system or network, and analyzing them for signs of possible incidents and a
ttempting to stop detected possible incidents.
Intrusion detection system (IDS)
Hardware or software product that gathers and analyzes information from various
areas within a computer or a network to identify possible security breaches, whi
ch include intrusions (attacks from outside the organization) and misuse (attack
s from within the organization).
Intrusion detection system load balancer
A device that aggregates and directs network traffic to monitoring systems, such
as intrusion detection and prevention sensors.
Intrusion prevention
The process of monitoring the events occurring in a computer system or network,
analyzing them for signs of possible incidents, and attempting to stop detected
possible incidents.
Intrusion prevention systems (IPS)
(1) Systems that can detect an intrusive activity and can also attempt to stop t
he activity, ideally before it reaches its targets. (2) Software that has all th
e capabilities of an intrusion detection system and can also attempt to stop pos
sible incidents.
Inverse cipher
(1) A series of transformations that converts ciphertext to plaintext, using the
cipher key. (2) The block cipher algorithm function that is the inverse of the
forward cipher function when the same cryptographic key is used.
Investigation process
Four phases exist in a computer security incident investigation process: initiat
ing the investigation (phase 1), testing and validating the incident hypothesis
(phase 2), analyzing the incident (phase 3), and presenting the evidence (phase
4). The correct order of the investigation process is: gather facts (phase 1); i
nterview witnesses (phase 1); develop incident hypothesis (phase 1); test and va
lidate the hypothesis (phase 2); analyze (phase 3); and report the results to ma
nagement and others (phase 4).
Inwardfacing
It refers to a system that is connected on the interior of a network behind a fi
rewall.
IP address
An Internet Protocol (IP) address is a unique number for a computer that is used
to determine where messages transmitted on the Internet should be delivered. Th
e IP address is analogous to a house number for ordinary postal mail.
IP payload compression (IPComp) protocol
Protocol used to perform lossless compression for packet payloads.
IP spoofing
Refers to sending a network packet that appears to come from a source other than
its actual source.
Isolation
The containment of subjects and objects in a system in such a way that they are
separated from one another, as well as from the protection controls of the opera
ting system.
ISO (International Organization for Standardization)
An organization established to develop and define data processing standards to b
e used throughout participating countries.
ITrelated risk
The net mission/business impact considering (1) the likelihood that a particular
threat source will exploit, or trigger, particular information system vulnerabi
lity, and (2) the resulting impact if this should occur. ITrelated risks arise
from legal liability or mission/business loss due to, but not limited to (i) una
uthorized (malicious, nonmalicious, or accidental) disclosure, modification, or
destruction of information, (ii) nonmalicious errors and omissions, (iii) IT dis
ruptions due to natural or manmade disasters, (iv) failure to exercise due care
and due diligence in the implementation and operation of the IT function.
IT security awareness and training program
Explains proper rules of behavior for the use of organizations IT systems and inf
ormation. The program communicates IT security policies and procedures that need
to be followed.
IT security education
IT security education seeks to integrate all of the security skills and competen
cies of the various functional specialists into a common body of knowledge, adds
a multidiscipline study of concepts, issues, and principles (technological and
social), and strives to produce IT security specialists and professionals capab
le of vision and proactive response.
IT security goal
The five security goals are confidentiality, availability, integrity, accountabi
lity, and assurance.
IT security investment
An IT application or system that is solely devoted to security. For instance, in
trusion detection system (IDS) and public key infrastructure (PKI) are examples
of IT security investments.
IT security metrics
Metrics based on IT security performance goals and objectives.
IT security policy
The documentation of IT security decisions in an organization. Three basic types
of policy exist (1) Program policy highlevel policy used to create an organiza
tions IT security program, define its scope within the organization, assign imple
mentation responsibilities, establish strategic direction, and assign resources
for implementation. (2) Issuespecific policies address specific issues of conce
rn to the organization, such as contingency planning, the use of a particular me
thodology for systems risk management, and implementation of new regulations or
law. These policies are likely to require more frequent revision as changes in t
echnology and related factors take place. (3) Systemspecific policies address i
ndividual systems, such as establishing an access control list or in training us
ers as to what system actions are permitted. These policies may vary from system
to system within the same organization. In addition, policy may refer to entire
ly different matters, such as the specific managerial decisions setting an organ
izations electronic mail policy or fax security policy.
IT security training
IT security training strives to produce relevant and needed security skills and
competencies by practitioners of functional specialties other than IT security (
e.g., management, systems design and development, acquisition, and auditing). Th
e most significant difference between training and awareness is that training se
eks to teach skills, which allow a person to perform a specific function, wherea
s awareness seeks to focus an individuals attention on an issue or set of issues.
The skills acquired during training are built upon the awareness foundation, an
d in particular, upon the security basics and literacy material.
J
Jamming
An attack in which a device is used to emit electromagnetic energy on a wireless
networks frequency to make it unusable by the network.
Java
A programming language invented by Sun Microsystems. It can be used as a general
purpose application programming language with builtin networking libraries. It
can also be used to write small applications called applets. The execution envi
ronment for Java applets is intended to be safe; executing an applet should not
modify anything outside the WWW browser. Java is an objectoriented language sim
ilar to C++ but simplified to eliminate language features that cause common prog
ramming errors. Java source code files (files with a Java extension) are compile
d into a format called bytecode (files with a .class extension), which can then
be executed by a Java interpreter. Compiled Java code can run on most computers
because Java interpreters and runtime environments, known as Java Virtual Machin
es (VMs), exist for most operating system, including UNIX, the Macintosh OS, and
Windows. Bytecode can also be converted directly into machine language instruct
ions by a justintime compiler.
JavaScript
A scripting language developed by Netscape to enable Web authors to design inter
active sites. Although it shares many of the features and structures of the full
Java language, it was developed independently. JavaScript can interact with HTM
L source code, enabling Web authors to spice up their sites with dynamic content
. JavaScript is endorsed by a number of software companies and is an open langua
ge that anyone can use without purchasing a license. Recent browsers from Netsca
pe and Microsoft support it, though Internet Explorer supports only a subset, wh
ich Microsoft calls Jscript.
Jitter
Nonuniform delays that can cause packets to arrive and be processed out of sequ
ence.
Job rotation
A method of reducing the risk associated with a subject performing a (sensitive)
task by limiting the amount of time the subject is assigned to perform the task
before being moved to a different task. Both job rotation and job vacation prac
tices make a person less vulnerable to fraud and abuse.
Joint photographic experts group (JPEG)
The JPEG is a multimedia standard for compressing continuoustone still pictures
or photographs. It is the result of joint efforts from ITU, ISO, and IEC.
Journal
It is an audit trail of system activities, which is useful for file/system recov
ery purposes. This is a technical and detective control.
K
Kerberos
Kerberos is an authentication tool used in local logins, remote authentication,
and clientserver requests. It is a means of verifying the identities of princip
als on an open network. Kerberos accomplishes this without relying on the authen
tication, trustworthiness, or physical security of hosts while assuming all pack
ets can be read, modified, and inserted at will. Kerberos uses a trust broker mo
del and symmetric cryptography to provide authentication and authorization of us
ers and systems on the network. In classic Kerberos, users share a secret passwo
rd with a key distribution center (KDC). The user, Alice, who wants to communica
te with another user, Bob, authenticates to the KDC and is furnished a ticket by
the KDC to use to authenticate with Bob. When Kerberos authentication is based
on passwords, the protocol is known to be vulnerable to offline dictionary atta
cks by eavesdroppers who capture the initial usertoKDC exchange.
Kernel
The hardware, firmware, and software elements of a trusted computing base (TCB)
that implements the reference monitor concept. It must mediate all accesses, be
protected from modification, and be verifiable as correct. It is the most truste
d portion of a system that enforces a fundamental property and on which the othe
r portions of the system depend.
Key
(1) A parameter used in conjunction with a cryptographic algorithm that determin
es its operation. Examples include the computation of a digital signature from d
ata and the verification of a digital signature. (2) A value used to control cry
ptographic operations, such as decryption, encryption, signature generation or s
ignature verification.
Key agreement
A key establishment procedure (either manual or electronic) where the resultant
keying material is a function of information contributed by two or more particip
ants, so that no party can predetermine the value of the keying material indepen
dent of the other partys contribution.
Key attack
(1) An attackers goal is to prevent a system users work simply by holding down the
ENTER or RETURN key on a terminal that has not been logged on. This action init
iates a very highpriority process that takes over the CPU in an attempt to comp
lete the logon process. This is a resource starvation attack in that it consumes
systems resources such as CPU utilization and memory. Legitimate users are depr
ived of their share of resources. (2) A data scavenging method, using resources
available to normal system users, which may include advanced software diagnostic
tools.
Key bundle
The three cryptographic keys (Key 1, Key 2, Key 3) that are used with a tripled
ata encryption algorithm (TDEA) mode.
Key confirmation
A procedure to provide assurance to one party (the key confirmation recipient) t
hat another party (the key conformation provider) actually possesses the correct
secret keying material and/or shared secret.
Key encrypting key
A cryptographic key that is used for the encryption or decryption of other keys.
Key entry
A process by which a key and its associated metadata is entered into a cryptogra
cryption functions are not inverse. It requires a high bandwidth and generally i
s insecure due to documented security breaches.
L
Label
(1) An explicit or implicit marking of a data structure or output media associat
ed with an information system representing the FIPS 199 security category, or di
stribution limitations or handling caveats of the information contained therein.
(2) A piece of information that represents the security level of an object and
that describes the sensitivity of the information in the object. Similar to secu
rity label.
Labeling
Process of assigning a representation of the sensitivity of a subject or object.
Laboratory attack
A data scavenging method through the aid of what could be precise or elaborate p
owerful equipment.
Latency
Measures the delay from first bit in to first bit out. It is the time delay of d
ata traffic through a network, switch, port, and link. Also, see data latency an
d packet latency.
Lattice
A partially ordered set for which every pair of elements has a greatest lower bo
und and a least upper bound.
Layered solution
The judicious placement of security protection and attack countermeasures that c
an provide an effective set of safeguards (controls) that are tailored to the un
ique needs of a customers situation. It is a part of securityindepth or defense
indepth strategy.
Layering
It uses multiple, overlapping protection mechanisms so that failure or circumven
tion of any individual protection approach will not leave the system unprotected
. It is a part of securityindepth or defenseindepth strategy.
Least functionality
The information system security function should configure the information system
to provide only essential capabilities and specifically prohibits or restricts
the use of risky (by default) and unnecessary functions, ports, protocols, and/o
r services. This is based on the principle of least functionality or minimal fun
ctionality.
Least privilege
(1) Offering only the required functionality to each authorized user so that no
one can use functions that are not necessary. (2) The security objective of gran
ting users only those accesses they need to perform their official duties.
Least significant bit(s)
The rightmost bit(s) of a bit string.
Legacy environment
It is a typical custom environment usually involving older systems or applicatio
ns.
Letter bomb
A logic bomb, contained in electronic mail, triggered when the mail is read.
Library
A collection of related data files or programs.
License
An agreement by a contractor to permit the use of copyrighted software under cer
tain terms and conditions.
Life cycle management
The process of administering an automated information system throughout its expe
cted life, with emphasis on strengthening early decisions that affect system cos
ts and utility throughout the systems life.
Lightweight directory access protocol (LDAP)
LDAP is a software protocol for enabling anyone to locate organizations, individ
uals, and other resources (e.g., files and devices in a network) whether on the
Internet or on a corporate intranet.
Line of defenses
A variety of security mechanisms deployed for limiting and controlling access to
and use of computer system resources. They exercise a directing or restraining
influence over the behavior of individuals and the content of computer systems.
The lineofdefenses form a core part of defenseindepth strategy or securityi
ndepth strategy. They can be grouped into four categoriesfirst, second, last, an
d multiple depending on their action priorities and needs. A first lineofdefen
se is always preferred over the second or the last. If the first lineofdefense
is not available for any reason, the second lineofdefense should be applied.
If the second lineofdefense is not available or does not work, then the last l
ineofdefense must be applied. Note that multiple linesofdefenses are stronge
r than a single lineofdefense, whether the single defense is first, second, or
last.
Linear cryptanalysis attacks
Uses pairs of known plaintext and corresponding ciphertext to generate keys.
Link control protocol (LCP)
One of the features of the pointtopoint protocol (PPP) used for bringing lines
up, testing them, and taking them down gracefully when they are not needed. It
supports synchronous and asynchronous circuits and byteoriented and bitoriente
d encodings (Tanenbaum).
Link encryption
Link encryption (online encryption) encrypts all of the data along a communicati
ons path (e.g., a satellite link, telephone circuit, or T3 line). Since link enc
ryption also encrypts routing data (i.e., headers, trailers, and addresses), com
munications nodes need to decrypt the data to continue routing so that all infor
mation passing over the link is encrypted in its entirety. It provides good prot
ection against external threats such as traffic analysis, packet sniffers, and e
avesdroppers. This is a technical and preventive control.
Listoriented protection system
A computer protection system in which each protected object has a list of all su
bjects authorized to access it. Compare with ticketoriented protection system.
Local access
Access to an organizational information system by a user (or an information syst
em) communicating through an internal organizationcontrolled network (e.g., loc
alarea network) or directly to a device without the use of a network.
Localarea network (LAN)
A group of computers and other devices dispersed over a relatively limited area
and connected by a communications link that enables a device to interact with an
y other on the network. A userowned, useroperated, highvolume data transmissi
on facility connecting a number of communicating devices (e.g., computers, termi
nals, word processors, printers, and mass storage units) within a single buildin
g or several buildings within a physical area. A LAN is a computer network that
spans a relatively small area. Most LANs are confined to a single building or gr
oup of buildings. However, one LAN can be connected to other LANs over any dista
nce via telephone lines and radio waves. A system of LANs connected in this way
is called a widearea network (WAN). Bridges and switches are used to interconne
ct different LANs. LANs and MANs are nonswitched networks, meaning they do not
use routers.
Local delivery agent (LDA)
A program running on a mail server that delivers messages between a sender and r
ecipient if their mailboxes are both on the same mail server. An LDA may also pr
ocess the message based on a predefined message filter before delivery.
Locationbased commerce (Lcommerce)
A mobilecommerce (mcommerce) application targeted to a customer whose location
, preferences, and needs are known in real time.
Lockandkey protection system
A protection system that involves matching a key or password with a specific acc
ess requirement.
Lockingbased attacks
Attacks that degrade a system performance and service. This attack is used to ho
ld a critical system locked most of the time, releasing it only briefly and occa
sionally. The result is a slow running browser. This results in a degradation of
service, a mild form of DoS. Countermeasures against lockingbased attacks incl
ude system backups and upgrading/patching software can help in maintaining a sys
tems integrity.
Locks
Locks are used to prevent concurrent updates to a record. Various types of locks
include pagelevel, rowlevel, arealevel, and recordlevel. This is a technica
l and preventive control.
Lockstep computing
Lockstep systems are redundant computing systems that run the same set of operat
ions at the same time in parallel. The output from lockstep operations can be co
mpared to determine if there has been a fault. The lockstep systems are set up t
o progress from one state to the next state, as they closely work together. When
a new set of inputs reaches the system, the system processes them, generates ne
w outputs, and updates its state. Lockstep systems provide redundancy against ha
rdware failures, not against software failures. Other redundant configurations i
nclude dual modular redundancy (DMR) systems and triple modular redundancy (TMR)
systems. In DMR, computing systems are duplicated. Unlike the lockstep systems,
there is a master/slave configuration in DMR where the slave is a hotstandby t
o the master. When the master fails at some point, the slave is ready to continu
e from the previous known good state. In TMR, computing systems are triplicated
as voting systems. If one units output disagrees with the other two, the unit is
detected as having failed. The matched output from the other two is treated as c
orrect. Similar to lockstep systems, DMR and TMR systems provide redundancy agai
nst hardware failures, not against software failures (Wikipedia).
Log
A record of the events occurring within an organizations systems and networks. Lo
g entries are individual records within a log.
Log analysis
Studying log entries to identify events of interest or suppress log entries for
insignificant events.
Log archival
Retaining logs for an extended period of time, preferably on removable media, a
storage area network (SAN), or a specialized log archival appliance or server.
Log clearing
Removing all entries from a log that precede certain date and time.
Log compression
Storing a log file in a way that reduces the amount of storage space needed for
the file without altering the meaning of its contents.
Log conversion
Parsing a log in one format and storing its entries in a second format.
Log correlation
Correlating events by matching multiple log entries from a single source or mult
iple sources based on logged values, such as timestamps, IP addresses, and event
types.
Log file integrity checking
Comparing the current message digest for a log file to the original message dige
st to determine if the log file has been modified.
Log filtering
The suppression of log entries from analysis, reporting, or longterm storage be
cause their characteristics indicate that they are unlikely to contain informati
on of interest.
Log management
The process for generating, transmitting, storing, analyzing, and disposing of l
og data.
Log management infrastructure
The hardware, software, networks, and media used to generate, transmit, store, a
he use of structured programming constructs because they are difficult and time
consuming to test.
Lowimpact system
An information system in which all three security objectives (i.e., confidential
ity, integrity, or availability) are assigned a potential impact value of low.
M
Machine types
(1) A real machine is the physical computer in a virtual machine environment. A
realtime system is a computer and/or software that reacts to events before the
events become obsolete. For example, airline collision avoidance systems must pr
ocess radar input, detect a possible collision, and warn air traffic controllers
or pilots while they still have time to react. (2) A virtual machine is a funct
ional simulation of a computer and its associated devices, including an operatin
g system. (3) Multiuser machines have at least two execution states or modes of
operation: privileged and unprivileged. The execution state must be maintained
in such a way that it is protected from the actions of untrusted users. Some com
mon privileged domains are those referred to as: executive, master, system, kern
el, or supervisor, modes; unprivileged domains are sometimes called user, applic
ation, or problem states. In a twostate machine, processes running in a privile
ged domain may execute any machine instruction and access any location in memory
. Processes running in the unprivileged domain are prevented from executing cert
ain machine instructions and accessing certain areas of memory. Examples of mach
ines include Turing, Mealy, and Moore machines.
Macro virus
(1) A specific type of computer virus that is encoded as a macro embedded in som
e document and activated when the document is handled. (2) A virus that attaches
itself to application documents, such as word processing files and spreadsheets
, and uses the applications macroprogramming language to execute and propagate.
Magnetic remanence
A measure of the magnetic flux density remaining after removal of the applied ma
gnetic force. It refers to any data remaining on magnetic storage media after re
moval of the electrical power.
Mail server
A host that provides electronic post office facilities. It stores incoming mail fo
r distribution to users and forwards outgoing mail. The term may refer to just t
he application that performs this service, which can reside on a machine with ot
her services. This term also refers to the entire host including the mail server
application, the host operating system, and the supporting hardware. Mail serve
r administrators are system architects responsible for the overall design and im
plementation of mail servers.
Mail transfer agent (MTA)
A program running on a mail server that receives messages from mail user agents
(MUAs) or other MTAs and either forwards them to another MTA or, if the recipien
t is on the MTA, delivers the message to the local delivery agent (LDA) for deli
very to the recipient (e.g., Microsoft Exchange).
Mail user agent (MUA)
A mail client application used by an end user to access a mail server to read, c
ompose, and send email messages (e.g., Microsoft Outlook).
Mailbombing
Flooding a site with enough mail to overwhelm its electronic mail (email) syste
m. Used to hide or prevent receipt of email during an attack, or as retaliation
against a website.
Main mode
Mode used in IPsec phase 1 to negotiate the establishment of an Internet key exc
hange security association (IKESA) through three pairs of messages.
Maintainability
The effort required locating and fixing an error in an operational program or th
e effort required to modify an operational program (flexibility).
Maintenance hook
Special instructions in software to allow easy maintenance and additional featur
e development. These are not clearly defined during access for design specificat
ion. Hooks frequently allow entry into the code at unusual points or without the
usual checks, so they are a serious security risk if they are not removed prior
to live implementation. Maintenance hooks are special types of trapdoors.
Major application
An application that requires special attention to security because of the risk a
nd magnitude of the harm resulting from the loss, misuse, or unauthorized access
to, or modification of, the information in the application. A breach in a major
application might comprise many individual application programs and hardware, s
oftware, and telecommunications components. Major applications can be either a m
ajor application system or a combination of hardware and software in which the o
nly purpose of the system is to support a specific missionrelated function.
Malicious code
(1) Software or firmware intended to perform an unauthorized process that will h
ave adverse impact on the confidentiality, integrity, or availability of an info
rmation system. (2) A program that is written intentionally to carry out annoyin
g or harmful actions, which includes viruses, worms, Trojan horses, or other cod
ebased entity that successfully infects a host. Same as malware.
Malicious code attacks
Malicious code attackers use an attackindepth strategy to carry out their goal
of attacking with programs written intentionally to cause harm or destruction.
Malicious mobile code
Software that is transmitted from a remote system to be executed on a local syst
em, typically without the users explicit instruction. It is growing with the incr
eased use of Web browsers. Many websites use mobile code to add legitimate funct
ionality, including Active X, JavaScript, and Java. Unfortunately, although it w
as initially designed to be secure, mobile code has vulnerabilities that allow e
ntities to create malicious programs. Users can infect their computers with mali
cious mobile code (e.g., a Trojan horse program that transmits information from
the users PC) just by visiting a website.
Malware
A computer program that is covertly placed onto a computer with the intent to co
mpromise the privacy, accuracy, confidentiality, integrity, availability, or rel
iability of the victims data, applications, or operating system, or otherwise ann
oying or disrupting the victim. Common types of malware threats include viruses,
worms, malicious mobile code, Trojan horses, rootkits, spyware, freeware, share
ware, and some forms of adware programs.
Malware signature
A set of characteristics of known malware instances that can be used to identify
known malware and some new variants of known malware.
Maninthemiddle (MitM) attack
(1) A type of attack that takes advantage of the storeandforward mechanism use
d by insecure networks such as the Internet (also called bucket brigade attack).
(2) Actively impersonating multiple legitimate parties, such as appearing as a
client to an access point and appearing as an access point to a client. This all
ows an attacker to intercept communications between an access point and a client
, thereby obtaining authentication credentials and data. (3) An attack on the au
thentication protocol run in which the attacker positions himself in between the
claimant and verifier so that he can intercept and alter data traveling between
them. (4) An attack against public key algorithms, where an attacker substitute
s his public key for the requested public key.
Managed or enterprise environment
An inwardfacing environment that is very structured and centrally managed.
Managed interfaces
Managed interfaces allow connections to external networks or information systems
consisting of boundary protection devices arranged according to an organizations
security architecture.
Managed interfaces employing boundary protection devices include proxies, gatewa
ys, routers, firewalls, software/hardware guards, or encrypted tunnels (e.g., ro
uters protecting firewalls and application gateways residing on a protected demi
litarized zone). Managed interfaces, along with controlled interfaces, use bound
ary protection devices. These devices prevent and detect malicious and other una
uthorized communications.
Management controls
The security controls (i.e., safeguards or countermeasures) for an information s
ystem that focus on the management of risk and the management of information sys
tem security. They include actions taken to manage the development, maintenance,
and use of the system, including systemspecific policies, procedures, rules of
behavior, individual roles and responsibilities, individual accountability, and
personnel security decisions.
Management message (WMAN/WiMAX)
A management message (MM) is a message used for communications between a BS and
SS/MS. These messages (e.g., establishing communication parameters, exchanging p
rivacy settings, and performing system registration events) are not encrypted an
d thus are susceptible to eavesdropping attacks.
Management network
A separate network strictly designed for security software management.
Management server
A centralized device that receives information from sensors or agents and manage
s them.
Mandatory access control
Access controls that are driven by the results of a comparison between the users
trustlevel/clearance and the sensitivity designation of the information. A mean
s of restricting access to objects (system resources) based on the sensitivity (
as represented by a label) of the information contained in the objects and the f
ormal authorization (i.e., clearance) of subjects (users) to access information
of such sensitivity.
Mandatory protection
The result of a system that preserves the sensitivity labels of major data struc
tures in the system and uses them to enforce mandatory access controls.
Mantraps
Mantraps provide additional security at the entrances to highrisk areas. For hi
ghly sensitive areas, mantraps require a biometric measure such as fingerprints
combined with the weight of the person entering the facility.
Market analysis
Useful in the supply chain activities employing the chainindepth concept. Mark
et analysis is conducted when the information system owner does not know who the
potential suppliers or integrators are or would like to discover alternative su
ppliers or integrators or the suppliers of the suppliers or integrators. The mar
ket analysis should identify which companies can provide the required items or m
ake suggestions for possible options. Some ways to gather information about pote
ntial suppliers or integrators include open sources (such as the press), Interne
t, periodicals, and feebased services.
Marking
The process of placing a sensitivity designator (e.g., confidential) with data s
uch that its sensitivity is communicated. Marking is not restricted to the physi
cal placement of a sensitivity designator, as might be done with a rubber stamp,
but can involve the use of headers for network messages, special fields in data
bases, and so on.
Markov models
They are graphical techniques used to model a system with regard to its failure
states in order to evaluate the reliability, safety, or availability of the syst
em.
Markup language
A system (as HTML or SGML) for marking or tagging a document that indicates its
logical structure (as paragraphs) and gives instructions for its layout on the p
age for electronic transmission and display.
Masquerading
(1) Impersonating an authorized user and gaining unauthorized privileges. (2) An
unauthorized agent claiming the identity of another agent. (3) An attempt to ga
nclude security assessment evidence from both automated and manual collection me
thods. A measure is the result of gathering data from the known sources.
Mechanisms
An assessment object that includes specific protectionrelated items (for exampl
e, hardware, software, or firmware) employed within or at the boundary of an inf
ormation system.
Media
Physical devices or writing surfaces including, but not limited to, magnetic tap
es, optical disks, magnetic disks, largescale integration (LSI) memory chips, f
lash ROM, and printouts (but not including display media) onto which information
is recorded, stored, or printed within an information system.
Media access control address
A hardware address that uniquely identifies each component of an IEEE 802based
standard. On networks that do not conform to the IEEE 802 standard but do confor
m to the ISO/OSI reference model, the node address is called the Data Link Contr
ol (DLC) address.
Media gateway
It is the interface between circuit switched networks and IP network. Media gate
way handles analog/digital conversion, call origination and reception, and quali
ty improvement functions such as compression or echo cancellation.
Media gateway control protocol (MGCP)
MGCP is a common protocol used with media gateways to provide network management
and control functions.
Media sanitization
A general term referring to the actions taken to render data written on media un
recoverable by both ordinary and extraordinary means.
Medium/media access control protocols
Protocols for the medium/media access control sublayer, which is the bottom part
of the data link layer of the ISO/OSI reference model, include carrier sense mu
ltiple access with collision avoidance and collision detection (CSMA/CA and CSMA
/CD), wavelength division multiple access (WDMA), Ethernet (thick, thin, fast, s
witched, and gigabit), logical link control (LLC), the 802.11 protocol stack for
wireless LANs, the 802.15 for Bluetooth, the 802.16 for Wireless MANs, and the
802.1Q for virtual LANs. These are examples of broadcast networks with multiacc
ess channels.
Meetinthemiddle (MIM) attack
Occurs when one end is encrypted and the other end is decrypted, and the results
are matched in the middle. MIM attack is made on block ciphers.
Melting
A physically destructive method of sanitizing media; to be changed from a solid
to a liquid state generally by the application of heat. Same as smelting.
Memorandum of understanding/agreement
A document established between two or more parties to define their respective ro
les and responsibilities in accomplishing a particular goal. Regarding IT, it de
fines the responsibilities of two or more organizations in establishing, operati
ng, and securing a system interconnection.
Memory cards
Memory cards are data storage devices used for personal authentication, access a
uthorization, card integrity, and application systems.
Memory protection
It is achieved through the use of system partitioning, nonmodifiable executable
programs, resource isolation, and domain separation.
Memory resident virus
A virus that stays in the memory of infected systems for an extended period of t
ime.
Memory scavenging
The collection of residual information from data storage.
Mesh computing
Provides application processing and load balancing capacity for Web servers usin
g the Internet cache. It pushes applications, data, and computing power away fro
ted data. A metric is designed to organize data into meaningful information to sup
port decision making (for example, dashboards).
Metropolitanarea network (MAN)
A network concept aimed at consolidating business operations and computers sprea
d out in a town or city. Wired MANs are mainly used by cable television networks
. MANs and LANs are nonswitched networks, meaning they do not use routers. The
scope of a MAN falls between a LAN and a WAN.
Middleware
Software that sits between two or more types of software and translates informat
ion between them. For example, it can sit between an application system and an o
perating system, a network operating system, or a database management system.
Migration
A term generally referring to the moving of data from an online storage device t
o an offline or lowpriority storage device, as determined by the system or as
requested by the system user.
Mimicking
An attempt to gain access to a computer system by posing as an authorized user.
Synonymous with impersonating, masquerading, and spoofing.
Minentropy
A measure of the difficulty that an attacker has to guess the most commonly chos
en password used in a system. It is the worstcase measure of uncertainty for a
random variable with the greatest lower bound. The attacker is assumed to know t
he most commonly used password(s).
Minimization
A riskreducing principle that supports integrity by containing the exposure of
data or limiting opportunities to violate integrity.
Minimizing target value
A riskreducing practice that stresses the reduction of potential losses incurre
d due to a successful attack and/or the reduction of benefits that an attacker m
ight receive in carrying out such an attack.
Minimum security controls
These controls include management, operational, and technical controls to protec
t the confidentiality, integrity, and availability objectives of an information
system. The tailored baseline controls become the minimum set of security contro
ls after adding supplementary controls based on gap analysis to achieve adequate
risk mitigation. Three sets of baseline controls (i.e., lowimpact, moderateim
pact, and highimpact) provide a minimum security control assurance.
Minor application
An application, other than a major application, that requires attention to secur
ity due to the risk and magnitude of harm resulting from the loss, misuse, or un
authorized access to or modification of the information in the application. Mino
r applications are typically included as part of a general support system.
Mirroring
Several mirroring methods include data mirroring, disk mirroring, and server mir
roring. They all provide backup mechanisms so if one disk fails, the data is ava
ilable from the other disks.
Misappropriation
Stealing or making unauthorized use of a service.
Mistakeproofing
It is a concept to prevent, detect, and correct inadvertent human or machine err
ors occurring in products and services. It is also called pokayoke (Japanese te
rm) and idiotproofing.
Mobile code
(1) A program (e.g., script, macro, or other portable instruction) that can be s
hipped unchanged to a heterogeneous collection of platforms and executed with id
entical semantics. (2) Software programs or parts of programs obtained from remo
te information systems, transmitted from a remote system or across a network, an
d executed on a local information system without the users explicit installation,
instruction, or execution. Java, JavaScript, ActiveX, and VBScript are example
s of mobile code technologies that provide the mechanisms for the production and
A Border Gateway Protocol (BGP) attribute used on external links to indicate pre
ferred entry or exit points (among many) for an autonomous system (AS). An AS is
one or more routers working under a single administration operating the same ro
uting policy.
Multidrop
Network stations connected to a multipoint channel at one location.
Multifactor authentication
Authentication using two or more factors to achieve the authentication goal. Fac
tors include (2) something you know (e.g., password/PIN), (2) something you have
(e.g., cryptographic identification device or token), or (3) something you are
(e.g., biometric).
Multihop problem
The security risks resulting from a mobile software agent visiting several platf
orms.
Multilevel secure
A class of system containing information with different sensitivities that simul
taneously permits access by users with different security clearances and needst
oknow but prevents users from obtaining access to information for which they la
ck authorization.
Multilevel security mode
A mode of operation that allows two or more classification levels of information
to be processed simultaneously within the same system when not all users have a
clearance or formal access approval for all data handled by a computer system.
Multimedia messaging service (MMS)
An accepted standard for messaging that lets users send and receive messages for
matted with text, graphics, photographs, audio, and video clips.
Multipartite virus
A virus that uses multiple infection methods, typically infecting both files and
boot sectors.
Multiple component incident
A single incident that encompasses two or more incidents.
Multiplexers
A multiplexer is a device for combining two or more information channels. Multip
lexing is the combining of two or more information channels onto a common transm
ission medium.
Multipoint
A network that enables two or more stations to communicate with a single system
on one communications line.
Multiprocessing
A computer consisting of several processors that may execute programs simultaneo
usly.
Multiprogramming
The concurrent execution of several programs. It is the same as multitasking.
Multipurpose Internet mail extension (MIME)
(1) A specification for formatting nonASCII messages so that they can be sent o
ver the Internet. MIME enables graphics, audio, and video files to be sent and r
eceived via the Internet mail system, using the SMTP protocol. In addition to e
mail applications, Web browsers also support various MIME types. This enables th
e browser to display or output various files that are not in HTML format. (2) A
protocol that makes use of the headers in an IETF RFC 2822 message to describe t
he structure of rich message content.
Multitasking
The concurrent execution of several programs. It is the same as multiprogramming
.
Multithreading
Program code that is designed to be available for servicing multiple tasks at on
ce, in particular by overlapping inputs and output.
Mutation analysis
The purpose of mutation analysis is to determine the thoroughness with which an
application program has been tested and, in the process, detect errors. A large
als and the results of health checks performed on the telework client device.
Network address translation (NAT)
(1) A routing technology used by many firewalls to hide internal system addresse
s from an external network through use of an addressing schema. (2) A mechanism
for mapping addresses on one network to addresses on another network, typically
private addresses to public addresses.
Network address translation (NAT) and port address translation (PAT)
Both NAT and PAT are used to hide internal system addresses from an external net
work by mapping internal addresses to external addresses, by mapping internal ad
dresses to a single external address or by using port numbers to link external s
ystem addresses with internal systems.
Network administrator
A person responsible for the overall design, implementation, and maintenance of
a network. The scope of responsibilities include overseeing network security, in
stalling new applications, distributing software upgrades, monitoring daily acti
vity, enforcing software licensing agreements, developing a storage management p
rogram, and providing for routine backups.
Network architecture
The philosophy and organizational concept for enabling communications among data
processing equipment at multiple locations. The network architecture specifies
the processors and terminals and defines the protocols and software used to acco
mplish accurate data communications. The set of layers and protocols (including
formats and standards) that define a network.
Networkbased intrusion detection systems (IDSs)
IDSs which detect attacks by capturing and analyzing network packets. Listening
on a network segment or switch, one networkbased IDS can monitor the network tr
affic affecting multiple hosts that are connected to the network segment.
Networkbased intrusion prevention system
A program that performs packet sniffing and analyzes network traffic to identify
and stop suspicious activity.
Networkbased threats
Examples include (1) Web spoofing attack, which allows an impostor to shadow not
only a single targeted server, but also every subsequent server accessed, (2) m
asquerading as a Web server using a maninthemiddle (MitM) attack, whereby req
uests and responses are conveyed via the imposter as a watchful intermediary, (3
) eavesdropping on messages in transit between a browser and server to glean inf
ormation at a level of protocol below HTTP, (4) modifying the DNS mechanisms use
d by a computer to direct it to a false website to divulge sensitive information
(i.e., pharming attack), (5) performing denialofservice (DoS) attacks through
available network interfaces, and (6) intercepting messages in transit and modi
fy their contents, substitute other contents, or simply replaying the transmissi
on dialogue later in an attempt to disrupt the synchronization or integrity of t
he information.
Network behavior analysis system
An intrusion detection and prevention system (IDPS) that examines network traffi
c to identify and stop threats that generate unusual traffic flows.
Network configuration
A specific set of network resources that form a communications network at any gi
ven point in time, the operating characteristics of these network resources, and
the physical and logical connections that have been defined between them.
Network congestion
Occurs when an excess traffic is sent through some part of the network, which is
more than its capacity to handle.
Network connection
Any logical or physical path from one host to another that makes possible the tr
ansmission of information from one host to the other. An example is a TCP connec
tion. Also, when a host transmits an IP datagram employing only the services of
its connectionless IP interpreter, there is a connection between the source and t
he destination hosts for this transaction.
Network control protocol (NCP)
Network Control Protocol (NCP) is one of the features of the PointtoPoint Prot
ocol (PPP) used to negotiate networklayer options independent of the network la
yer protocol used.
Network device
A device that is part of and can send or receive electronic transmissions across
a communications network. Network devices include endsystem devices such as co
mputers, terminals, or printers; intermediary devices such as bridges and router
s that connect different parts of the communications network; and link devices o
r transmission media.
Network interface card (NIC)
Network interface cards are circuit boards used to transmit and receive commands
and messages between a PC and a LAN. A NIC operates in the Data Link Layer of t
he ISO/OSI Reference model.
Network layer
Portion of an open system interconnection (OSI) system responsible for data tran
sfer across the network, independent of both the media comprising the underlying
subnetworks and the topology of those subnetworks.
Network layer security
Protects network communications at the layer that is responsible for routing pac
kets across networks.
Network management
The discipline that describes how to monitor and control the managed network to
ensure its operation and integrity and to ensure that communications services ar
e provided in an efficient manner. Network management consists of fault manageme
nt, configuration management, performance management, security management, and a
ccounting management.
Network management architecture
The distribution of responsibility for management of different parts of the comm
unications network among different managingsoftwareproducts. It describes the
organization of the management of a network. The three types of network manageme
nt architectures are the centralized, distributed, and distributed hierarchical
network management architectures.
Network management protocol
A protocol that conveys information pertaining to the management of the communic
ations network, including management operations from managers as well as respons
es to polling operations, notifications, and alarms from agents.
Network management software
Software that provides the capabilities for network and security monitoring and
managing the network infrastructure, allowing systems personnel to administer th
e network effectively from a central location.
Network overload
A network begins carrying an excessive number of border gateway protocol (BGP) m
essages, overloading the router control processors and reducing the bandwidth av
ailable for data traffic.
Network protection device
A product such as a firewall or intrusion detection device that selectively bloc
ks packet traffic based on configurable and emergent criteria.
Network protection testing
Testing that is applicable to network protection devices.
Network scanning tool
It involves using a port scanner to identify all hosts potentially connected to
an organizations network, the network services operating on those hosts (e.g., FT
P and HTTP), and specific applications. The goal is to identify all active hosts
and open ports.
Network security
The protection of networks and their services from all natural and humanmade ha
zards. This includes protection against unauthorized access, modification, or de
struction of data; denialof ofservice; or theft.
Network security layer
Protecting network communications at the layer of the TCP/IP model that is respo
(1) An identifier, a counter, a value, or a message number that is used only onc
e. These numbers are freshly generated random values. Nonce is a timevarying va
lue with a negligible chance of repeating (almost nonrepeating). (2) A nonce co
uld be a random value that is generated anew or each instance of a nonce, a time
stamp, a sequence number, or some combination of these. (3) A randomly generated
value used to defeat playback attacks in communication protocols. One party rando
mly generates a nonce and sends it to the other party. The receiver encrypts it
using the agreedupon secret key and returns it to the sender. Because the sende
r randomly generated the nonce, this defeats playback attacks because the replay
er cannot know in advance the nonce the sender will generate. The receiver denie
s connections that do not have the correctly encrypted nonce. (4) Nonce is a val
ue used in security protocols that is never repeated with the same key. For exam
ple, challenges used in challengeresponse authentication protocols generally mu
st not be repeated until authentication keys are changed, or there is a possibil
ity of a replay attack. Using a nonce as a challenge is a different requirement
than a random challenge because a nonce is not necessarily unpredictable.
Nonrepudiation
(1) An authentication that with high assurance can be asserted to be genuine and
that cannot subsequently be refuted. It is the security service by which the en
tities involved in a communication cannot deny having participated. Specifically
, the sending entity cannot deny having sent a message (nonrepudiation with proo
f of origin) and the receiving entity cannot deny having received a message (non
repudiation with proof of delivery). This service provides proof of the integrit
y and origin of data that can be verified by a third party. (2) Assurance that t
he sender of information is provided with proof of delivery and the recipient is
provided with proof of the senders identity, so neither can later deny having pr
ocessed the information. (3) A service that is used to provide assurance of the
integrity and origin of data in such a way that the integrity and origin can be
verified and validated by a third party as having originated from a specific ent
ity in possession of the private key (i.e., the signatory). (4) Protection again
st an individual falsely denying having performed a particular action. It provid
es the capability to determine whether a given individual took a particular acti
on such as creating information, sending a message, approving information, and r
eceiving a message.
Nonreversible action
A type of action that supports the principle of accountability by preventing the
reversal and/or concealment of activity associated with sensitive objects.
Nontechnical countermeasure
A security measure that is not directly part of the network information security
processing system, taken to help prevent system vulnerabilities. Nontechnical c
ountermeasures encompass a broad range of personal measures, procedures, and phy
sical facilities that can deter an adversary from exploiting a system (e.g., sec
urity guards, visitor escort, visitor badge, locked closets, and locked doors).
Nperson control
A method of controlling actions of subjects (people) by distributing a task amon
g more than one (N) subject.
Nversion programming
Nversion programming is based on design or version diversity. The different ver
sions are executed in parallel and the results are voted on.
O
Obfuscation technique
A way of constructing a virus to make it more difficult to detect.
Object
The basic unit of computation. An object has a set of operations and a state that re
members the effect of operations. Classes define object types. Typically, object
s are defined to represent the behavioral and structural aspects of realworld e
ntities. Object is a state, behavior, and identity; the terms instance and object ar
e interchangeable. A passive entity that contains or receives information. Acces
s to an object by a subject potentially implies access to the information it con
tains. Examples of objects include devices, records, blocks, tables, pages, segm
inputs that produce the same output. Such algorithms are an essential part of t
he process of producing fixedsize digital signatures that can both authenticate
the signer and provide for data integrity checking (detection of input modifica
tion after signature).
Online attack
An attack against an authentication protocol where the attacker either assumes t
he role of a claimant with a genuine verifier or actively alters the authenticat
ion channel. The goal of the attack may be to gain authenticated access or learn
authentication secrets.
Online certificate status protocol (OCSP)
An online protocol used to determine the status of a public key certificate betw
een a certificate authority (CA) and relying parties. OCSP responders should be
capable of processing both signed and unsigned requests and should be capable of
processing requests that either include or exclude the name of the relying part
y making the request. OCSP responders should support at least one algorithm such
as RSA with padding or ECDSA for digitally signing response messages.
Online guessing attack
An attack in which an attacker performs repeated logon trials by guessing possib
le values of the token authenticator. Examples of attacks include dictionary att
acks to guess passwords or guessing of secret tokens. A countermeasure is to use
tokens that generate high entropy authenticators.
Open design
The principle of open design stresses that design secrecy or the reliance on the
user ignorance is not a sound basis for secure systems. Open design allows for
open debate and inspection of the strengths, or origins of a lack of strength, o
f that particular design. Secrecy can be implemented through the use of password
s and cryptographic keys, instead of secrecy in design.
Open Pretty Good Privacy (OpenPGP)
A protocol defined in IETF RFC 2440 and 3156 for encrypting messages and creatin
g certificates using public key cryptography. Most mail clients do not support O
penPGP by default; instead, thirdparty plugins can be used in conjunction with
the mail clients. OpenPGP uses a Web of trust model for key management, which rel
ies on users for management and control, making it unsuitable for medium to lar
gescale implementations.
Open security environment (OSE)
An environment that includes systems in which one of the following conditions ho
lds true: (1) application developers (including maintainers) do not have suffici
ent clearance or authorization to provide an acceptable presumption that they ha
ve not introduced malicious logic and (2) configuration control does not provide
sufficient assurance that applications are protected against the introduction o
f malicious logic prior to and during the operation of application systems.
Open system interconnection (OSI)
A reference model of how messages should be transmitted between any two endpoin
ts of a telecommunication network. The process of communication is divided into
seven layers, with each layer adding its own set of special, related functions.
The seven layers are the application layer, presentation, session, transport, ne
twork, data link, and physical layer. Most telecommunication products tend to de
scribe themselves in relation to the OSI reference model. This model is a single
reference view of communication that provides a common ground for education and
discussion.
Open systems
Vendorindependent systems designed to readily connect with other vendors product
s. To be an open system, it should conform to a set of standards determined from
a consensus of interested participants rather than just one or two vendors. Ope
n systems allow interoperability among products from different vendors. Major be
nefits include portability, scalability, and interoperability.
Open Web application security project (OWASP)
A project dedicated to enabling organizations to develop, purchase, and maintain
applications that can be secured and trusted. In 2010, OWASP published a list o
f Top 10 application security risks. These include injection; crosssite scripti
ng; broken authentication and session management; insecure direct object referen
ces; crosssite request forgery; security misconfiguration; insecure cryptograph
ic storage; failure to restrict URL access; insufficient transport layer protect
ion; and unvalidated redirects and forwards.
Operating system (OS)
The software master control application that runs the computer. It is the first pr
ogram loaded when the computer is turned on, and its main component, the kernel,
resides in memory at all times. The operating system sets the standards for all
application programs (e.g., Web server and mail server) that run in the compute
r. The applications communicate with the operating system for most user interfac
e and file management operations.
Operating system fingerprinting
Analyzing characteristics of packets sent by a target, such as packet headers or
listening ports, to identity the operating system in use on the target.
Operating system log
Provides information on who used computer resources, for how long, and for what
purpose. Unauthorized actions can be detected by analyzing the operating system
log. This is a technical and detective control.
Operational controls
Daytoday procedures and mechanisms used to protect operational systems and app
lications. They include security controls (i.e., safeguards or countermeasures)
for an information system that are primarily implemented and executed by people,
as opposed to systems.
Operational environment
It includes standalone, managed or custom environments, where the latter is eith
er a specialized securitylimited functionality or a legacy environment.
Originator usage period (cryptoperiod)
The period of time in the cryptoperiod of a symmetric key during which cryptogr
aphic protection may be applied to data.
Outage
The period of time for which a communication service or an operation is unavaila
ble.
Output block
A data block that is an output of either the forward cipher function or the inve
rse cipher function of the block cipher algorithm.
Outwardfacing
Refers to a system that is directly connected to the Internet.
Overtheairkey distribution
Providing electronic key via overtheair rekeying, overtheair key transfer, o
r cooperative key generation.
Overtheair key transfer
Electronically distributing key without changing traffic encryption key used on
the secured communications path over which the transfer is accomplished.
Overtheair rekeying (OTAR)
Changing traffic encryption key or transmission security key in remote cryptogra
phic equipment by sending new key directly to the remote cryptographic equipment
over the communications path it secures. OTAR is a key management protocol spec
ified for digital mobile radios and designed for unclassified, sensitive communi
cations. OTAR performs key distribution and transfer functions. Three types of k
eys are used in OTAR: a keywrapping key, a trafficencryption key, and a messag
e authentication code (MAC).
Overt channel
A communication path within a computer system or network designed for the author
ized transfer of data. Compare with covert channel.
Overt testing
Security testing performed with the knowledge and consent of the organizations IT
staff.
Overwrite procedure
(1) A software process that replaces data previously stored on storage media wit
h a predetermined set of meaningless data or random patterns. (2) The obliterati
on of recorded data by recording different data on the same storage surface. (3)
Writing patterns of data on top of the data stored on a magnetic medium.
Outofband management
In outofband management, the communications device is accessed via a dialup c
ircuit with a modem, directly connected terminal device, or LANs dedicated to ma
naging traffic.
Owner of data
The individual or group that has responsibility for specific data types and that
is charged with the communication of the need for certain securityrelated hand
ling procedures to both the users and custodians of this data.
P
P2P
Free and easily accessible software that poses risks to individuals and organiza
tions.
P3P
According to the Platform for Privacy Preferences Project (P3P), users are given
more control over personal information gathered on websites they visit.
Pbox
Permutation box (Pbox) is used to effect a transposition on an 8bit input in a
product cipher. This transposition, which is implemented with simple electrical
circuits, is done so fast that it does not require any computation, just signal
propagation. The Pbox design, which is implemented in hardware for cryptograph
ic algorithm, follows Kerckhoffs principle (securitybyobscurity) in that an att
acker knows that the general method is permuting the bits, but he does not know
which bit goes where. Hence, there is no need to hide the permutation method. P
boxes and Sboxes are combined to form a product cipher, where wiring of the Pb
ox is placed inside the Sbox; the correct sequence is Sbox first and Pbox nex
t (Tanenbaum).
Packet
A piece of a message, usually containing the destination address, transmitted ov
er a network by communications software.
Packet churns
Rapid changes in packet forwarding disrupt packet delivery, possibly affecting c
ongestion control.
Packet filter
(1) A routing device that provides access control functionality for host address
es and communication sessions. (2) A type of firewall that examines each packet
and accepts or rejects it based on the security policy programmed into it in the
form of traffic rules. (3) A router to block or filter protocols and addresses.
Packet filtering specifies which types of traffic should be permitted or denied
and how permitted traffic should be protected, if at all.
Packet latency
The time delay in processing voice packets as in Voice over Internet Protocol (V
oIP).
Packet looping
Packets enter a looping path, so that the traffic is never delivered.
Packet replay
Refers to the recording and retransmission of message packets in the network. It
is frequently undetectable but can be prevented by using packet timestamping a
nd packetsequence counting.
Packet sniffer
Software that observes and records network traffic. It is a passive wiretapping.
Packet snarfing
Also known as eavesdropping.
Padded cell systems
An attacker is seamlessly transferred to a special padded cell host.
Padding
Meaningless data added to the start or end of messages. They are used to hide th
e length of the message or to add volume to a data structure that requires a fix
ed size.
Pairwise trust
Establishment of trust by two entities that have direct business agreements with
each other.
Parameters
Specific variables and their values used with a cryptographic algorithm to compu
te outputs useful to achieve specific security goals.
Paretos law
It is called the 80/20 rule, which can be applied to IT in that 80 percent of IT
related problems come from 20 percent of ITrelated causes or issues.
Parity
Bit(s) used to determine whether a block of data has been altered.
Parity bit
A bit indicating whether the sum of a previous series of bits is even or odd.
Parity checking
A hardware control that detects data errors during transmission. It compares the
sum of a previous set of bits with the parity bit to determine if an error in t
he transmission or receiving of the message has occurred. This is a technical an
d detective control.
Parkinsons law
Parkinsons law states that work expands to fill the time available for its comple
tion. Regarding IT, we can state an analogy that data expands to fill the bandwi
dth available for data transmission.
Partitioned security mode
Information system security mode of operation wherein all personnel have the cle
arance, but not necessarily formal access approved and needtoknow, for all inf
ormation handled by an information system.
Partitioning
The act of logically dividing a media into portions that function as physically
separate units.
Passive attack
(1) An attack against an authentication protocol where the attacker intercepts d
ata traveling along the network between the claimant and verifier, but does not
alter the data (i.e., eavesdropping). (2) An attack that does not alter systems
or data.
Passive fingerprinting
Analyzing packet headers for certain unusual characteristics or combinations of
characteristics that are exhibited by particular operating systems or applicatio
ns.
Passive security testing
Security testing that does not involve any direct interaction with the targets,
such as sending packets to a target.
Passive sensor
A sensor that is deployed so that it monitors a copy of the actual network traff
ic.
Passive testing
Nonintrusive security testing primarily involving reviews of documents such as p
olicies, procedures, security requirements, software code, system configurations
, and system logs.
Passive wiretapping
The monitoring or recording of data while data is transmitted over a communicati
ons link, without altering or affecting the data.
Passphrase
A relatively long password consisting of a series of words, such as a phrase or
full sentence.
Password
(1) A protected/private string of letters, numbers, and/or special characters us
ed to authenticate an identity or to authorize access to data and system resourc
es. (2) A secret that a claimant memorizes and uses to authenticate his identity
. (3) Passwords are typically character strings (e.g., letters, numbers, and oth
andard lifecycle functions. (5) The input data to the counter with cipherblock
chainingmessage authentication code (CCM) generationencryption process that i
s both authenticated and encrypted.
Peer review
A quality assurance method in which two or more programmers review and critique
each others work for accuracy and consistency with other parts of the system and
detect program errors. This is a management and detective control.
Peertopeer computing
See Mesh computing.
Peertopeer (P2P) file sharing program
Free and easily accessible software that poses risks to individuals and organiza
tions. It unknowingly enables users to copy private files, downloads material th
at is protected by the copyright laws, downloads a virus, or facilitates a secur
ity breach.
Peertopeer (P2P) network
Each networked host computer running both the client and server parts of an appl
ication system.
Perfective maintenance
All changes, insertions, deletions, modifications, extensions, and enhancements
made to a system to meet the users evolving or expanding needs.
Performance metrics
They provide the means for tying information security controls implementation, ef
ficiency, effectiveness, and impact levels.
Performance testing
A testing approach to assess how well a system meets its specified performance r
equirements.
Persistent cookie
A cookie stored on a computers hard drive indefinitely so that a website can iden
tify the user during subsequent visits. These cookies are set with expiration da
tes and are valid until the user deletes them.
Personal digital assistant (PDA)
A handheld computer that serves as a tool for reading and conveying documents, e
lectronic mail, and other electronic media over a communications link, and for o
rganizing personal information, such as a nameandaddress database, a todo lis
t, and an appointment calendar.
Personal identification number (PIN)
(1) A password consisting only of decimal digits. (2) A secret that a claimant m
emorizes and uses to authenticate his identity.
Personal identity verification (PIV) card
A physical artifact (e.g., identity card and smart card) issued to an individual
that contains stored identity credentials (e.g., photograph, cryptographic keys
, and digitized fingerprint representation) such that the claimed identity of th
e cardholder can be verified against the stored credentials by another person (h
uman readable and verifiable) or an automated process (computer readable and ver
ifiable).
Penetration
The successful act of bypassing the security mechanisms of a system.
Penetration signature
The characteristics or identifying marks produced by a penetration.
Penetration study
A study to determine the feasibility and methods for defeating system controls.
Penetration testing
(1) A test methodology in which assessors, using all available documentation (e.
g., system design, source code, and manuals) and working under specific constrai
nts, attempt to circumvent or defeat the security features of an information sys
tem. (2) Security testing in which evaluators mimic realworld attacks in an att
empt to identify ways to circumvent the security features of an application, sys
tem, or network. Penetration testing often involves issuing real attacks on real
systems and data, using the same tools and techniques used by actual attackers.
Most penetration tests involve looking for combinations of vulnerabilities on a
single system or multiple systems that can be used to gain more access than cou
ld be achieved through a single vulnerability.
Percall key
A unique traffic encryption key is generated automatically by certain secure tel
ecommunications systems to secure single voice or data transmissions.
Perfect forward secrecy
An option available during quick mode that causes a newshared secret to be crea
ted through a DiffieHellman exchange for each IPsec SA (security association).
Perimeter
A boundary within which security controls are applied to protect assets. A secur
ity perimeter typically includes a security kernel, some trustedcode facilities
, hardware, and possibly some communications channels.
Perimeterbased security
The technique of securing a network by controlling access to all entry and exit
points of the network.
Perimeter protection (logical)
The security controls such as email gateways, proxy servers, and firewalls prov
ide logical access perimeter security controls, and they act as the first lineo
fdefense.
Perimeter protection (physical)
The objective of physical perimeter or boundary protection is to deter trespassi
ng and to funnel employees, visitors, and the public to selected entrances. Gate
s and security guards provide the perimeter protection.
Permissions
A description of the type of authorized interactions (such as read, write, execu
te, add, modify, and delete) that a subject can have with an object.
Personalarea network (PAN)
It is used by an individual or in a homebased business connecting desktop PC, l
aptop PC, notebook PC, and PDA with a mouse, keyboard, and printer.
Personal computer (PC)
A desktop or laptop computer running a standard PC operating system (e.g., Windo
ws Vista, Windows XP, Linux/UNIX, and Mac OS X).
Personal firewall
A softwarebased firewall installed on a desktop or laptop computer to monitor a
nd control its incoming and outgoing network traffic, and which blocks communica
tions that are unwanted.
Personal firewall appliance
A device that performs functions similar to a personal firewall for a group of c
omputers on a home network.
Personnel screening
A protective measure applied to determine that an individuals access to sensitive
, unclassified automated information is admissible. The need for and extent of a
screening process are normally based on an assessment of risk, cost, benefit, a
nd feasibility as well as other protective measures in place. Effective screenin
g processes are applied in such a way as to allow a range of implementation, fro
m minimal procedures to more stringent procedures commensurate with the sensitiv
ity of the data to be accessed and the magnitude of harm or loss that could be c
aused by the individual. This is a management and preventive control.
Personnel security
It includes the procedures to ensure that access to classified and sensitive unc
lassified information is granted only after a determination has been made about
a persons trustworthiness and only if a valid needtoknow exists. It is the proc
edures established to ensure that all personnel who have access to sensitive inf
ormation have the required authority as well as appropriate clearances.
Petri net model
The Petri net model is used for protocol modeling to demonstrate the correctness
of a protocol. Mathematical techniques are used in specifying and verifying the
protocol correctness. A Petri net model has four basic elements, such as places
(states), transitions, arcs (input and output), and tokens. A transition is ena
bled if there is at least one input token in each of its input places (states).
Petri nets are a graphical technique used to model relevant aspects of the syste
m behavior and to assess and improve safety and operational requirements through
analysis and redesign. They are used for concurrent application systems that ne
ed data synchronization mechanisms and for analyzing thread interactions.
Pharming attack
(1) An attack in which an attacker corrupts an infrastructure service such as do
main name service (DNS) causing the subscriber to be misdirected to a forged ver
ifier/relying party, and revealing sensitive information, downloading harmful so
ftware, or contributing to a fraudulent act. (2) Using technical means (e.g., DN
S server software) to redirect users into accessing a fake website masquerading
as a legitimate one and divulging personal information.
Phishing attack
(1) An attack in which the subscriber is lured (usually through an email) to in
teract with a counterfeit verifier, and tricked into revealing information that
can be used to masquerade as that subscriber to the real verifier. (2) A digital
form of social engineering technique that uses authenticlooking but phony (bog
us) emails to request personal information from users or direct them to a fake
website that requests such information. (3) Tricking or deceiving individuals in
to disclosing sensitive personal information through deceptive computerbased me
ans.
Physical access controls
The controls over physical access to the elements of a system can include contro
lled areas, barriers that isolate each area, entry points in the barriers, and s
creening measures at each of the entry points.
Physical protection system
The primary functions of a physical protection system include detection, delay,
and response.
Physical security
(1) It includes controlling access to facilities that contain classified and sen
sitive unclassified information. (2) It also addresses the protection of the str
uctures that contain the computer equipment. (3) It is the application of physic
al barriers and control procedures as countermeasures against threats to resourc
es and sensitive information. (4) It is the use of locks, guards, badges, and si
milar administrative measures to control access to the computer and related equi
pment.
Piggybacking, data frames
Electronic piggybacking is a technique of temporarily delaying outgoing acknowle
dgements of data frames so that they can be attached to the next outgoing data f
rames.
Piggybacking entry
Unauthorized physical access gained to a facility or a computer system via anoth
er users legitimate entry or system connection. It is same as tailgating.
Pilot testing
Using a limited version of software in restricted conditions to discover if the
programs operate as intended.
PingofDeath attack
Sends a series of oversized packets via the ping command. The ping server reasse
mbles the packets at the host machine. The result is that the attack could hang,
crash, or reboot the system. This is an example of buffer overflow attack.
PIV issuer
An authorized identity card creator that procures blank identity cards, initiali
zes them with appropriate software and data elements for the requested identity
verification and access control application, personalizes the cards with the ide
ntity credentials of the authorized subjects, and delivers the personalized card
s to the authorized subjects along with appropriate instructions for protection
and use.
PIV registrar
An entity that establishes and vouches for the identity of an applicant to a PIV
issuer. The PIV registrar authenticates the applicants identity by checking iden
tity source documents and identity proofing, and ensures a proper background che
ox access protocol defined by IETF RFC 1939 and is one of the most commonly used
mailbox access protocols.
Potential impact
The loss of confidentiality, integrity, or availability could be expected to hav
e (1) a limited adverse effect (low), (2) a serious adverse effect (moderate), o
r (3) a severe or catastrophic adverse effect (high) on organizational operation
s, systems, assets, individuals, or other organizations.
Power monitoring attack
Uses varying levels of power consumption by the hardware during computations. It
is a general class of side channel attack (Wikipedia).
Preactivation state
A cryptographic key lifecycle state in which a key has not yet been authorized f
or use.
Preboot authentication (PBA)
The process of requiring a user to authenticate successfully before decrypting a
nd booting an operating system.
Precursor
(1) A sign that a malware attack may occur in the future. (2) A sign that an att
acker may be preparing to cause an incident.
Premessage secret number
A secret number that is generated prior to the generation of each digital signat
ure.
Presentation layer
Portion of an ISO/OSI reference model responsible for adding structure to data u
nits that are exchanged.
Preshared key
Single key used by multiple IPsec endpoints to authenticate endpoints to each ot
her.
Pretexting
Impersonating others to gain access to information that is restricted. Synonymou
s with social engineering.
Pretty Good Privacy (PGP)
(1) A standard program for securing email and file encryption on the Internet.
Its publickey cryptography system allows for the secure transmission of message
s and guarantees authenticity by adding digital signatures to messages. (2) A cr
yptographic software application for the protection of computer files and electr
onic mail. (3) It combines the convenience of the RivestShamirAdleman (RSA) pu
blickey algorithm with the speed of the secretkey IDEA algorithm, digital sign
ature, and key management.
Preventive controls
Actions taken to deter undesirable events and incidents from occurring in the fi
rst place.
Preventive maintenance
Computer hardware and related equipment maintained on a planned basis by the man
ufacturer, vendor, or third party to keep them in a continued operational condit
ion.
Prime number generation seed
A string of random bits that is used to determine a prime number with the requir
ed characteristics.
Principal
An entity whose identity can be authenticated.
Principle of least privilege
The granting of the minimum access authorization necessary for the performance o
f required tasks.
Privacy
(1) The right of an individual to selfdetermination as to the degree to which t
he individual is willing to share with others information about himself that may
be compromised by unauthorized exchange of such information among other individ
uals or organizations. (2) The right of individuals and organizations to control
the collection, storage, and dissemination of their information or information
Often used interchangeably with anomaly, although problem has a more negative co
nnotation, and implies that an error, fault, failure, or defect does exist.
Problem state
A state in which a computer is executing an application program with faults.
Procedural security
The management constraints; operational, administrative, and accountability proc
edures; and supplemental controls established to provide protection for sensitiv
e information. Synonymous with administrative security.
Process
Any specific combination of machines, tools, methods, materials, and/or people e
mployed to attain specific qualities in a product or service.
Process isolation
The principle of process isolation or separation is employed to preserve the obj
ects wholeness and subjects adherence to a code of behavior.
Process reengineering
A procedure that analyzes control flow. A program is examined to create overview
architecture with the purpose of transforming undesirable programming construct
s into more efficient ones. Program restructuring can play a major role in proce
ss reengineering.
Process separation
See process isolation.
Profiling
Measuring the characteristics of expected activity so that changes to it can be
more easily identified.
Proof carrying code
As a part of technical safeguards for active content, proof carrying code define
s properties that are conveyed with the code, which must be successfully verifie
d before the code is executed.
Proofbyknowledge
A claimant authenticates his identity to a verifier by the use of a password or
PIN that he has knowledge of. The proofbyknowledge applies to mobile device au
thentication and robust authentication.
Proofbypossession
A claimant authenticates his identity to a verifier by the use of a token or sma
rt card and an authentication protocol. The proofbypossession applies to mobil
e device authentication and robust authentication.
Proofbyproperty
A claimant authenticates his identity to a verifier by the use of a biometric su
ch as fingerprints. The proofbyproperty applies to mobile device authenticatio
n and robust authentication.
Proofofconcept
A new idea or modified idea is put to test by developing a prototype model to pr
ove whether the idea or the concept works.
Proofofcorrectness
Applies mathematical proofsofcorrectness to demonstrate that a computer progra
m conforms exactly to its specifications and to prove that the functions of the
computer programs are correct.
Proofofcorrespondence
The design of a cryptographic module is verified by a formal model and informal
proofofcorrespondence between the formal model and the functional specificatio
ns.
Proofoforigin
A proofoforigin is the basis to prove an assertion. For example, a private sig
nature key is used to generate digital signatures as a proofoforigin.
Proofofpossession
A verification process whereby it is proven that the owner of a key pair actuall
y has the private key associated with the public key. The owner demonstrates the
possession by using the private key in its intended manner.
Proofofpossession protocol
A protocol where a claimant proves to a verifier that he possesses and controls
Protocol entity
Entity that follows a set of rules and formats (semantic and syntactic) that det
ermines the communication behavior of other entities.
Protocol governance
A protocol is a set of rules and formats, semantic and syntactic, permitting inf
ormation systems to exchange data related to security functions. Organizations u
se several protocols for specific purposes (such as, encryption and authenticati
on mechanisms) in various systems. Some protocols are compatible with each other
while others are not, similar to negative interactions from prescription drugs.
Protocol governance requires selecting the right protocols for the right purpos
e and at the right time to minimize their incompatibility and ineffectiveness (t
hat is, not providing privacy and not protecting IT assets). It also requires a
constant and ongoing monitoring to determine the best time for a protocols eventu
al replacement or substitution with a better one.
In addition to selecting standard protocols that were approved by the standard s
etting bodies, protocols must be operationallyefficient and securityeffective.
Examples include (1) DES, which is weak in security and AES, which is strong in
security, and (2) WEP, which is weak in security and WPA, which is strong in se
curity.
Protocol machine
A finite state machine that implements a particular protocol.
Protocol run
An instance of the exchange of messages between a claimant and a verifier in a d
efined authentication protocol that results in the authentication (or authentica
tion failure) of the claimant.
Protocol tunneling
A method used to ensure confidentiality and integrity of data transmitted over t
he Internet, by encrypting data packets, sending them in packets across the Inte
rnet, and decrypting them at the destination address.
Proxy
(1) A program that receives a request from a client, and then sends a request on
the clients behalf to the desired destination. (2) An agent that acts on behalf
of a requester to relay a message between a requester agent and a provider agent
. The proxy appears to the provider agent Web service to be the requester. (3) A
n application or device acting on behalf of another in responding to protocol re
quests. (4) A proxy is an application that breaks the connection between client an
d server. (5) An intermediary device or program that provides communication and
other services between a client and server. The proxy accepts certain types of t
raffic entering or leaving a network, processes it, and forwards it. This effect
ively closes the straight path between the internal and external networks, makin
g it more difficult for an attacker to obtain internal addresses and other detai
ls of the organizations internal network.
Proxy agent
A proxy agent is a software application running on a firewall or on a dedicated
proxy server that is capable of filtering a protocol and routing it to between t
he interfaces of the device.
Proxy server
A server that sits between a client application, such as a Web browser, and a re
al server. It intercepts all requests to the real server to see if it can fulfil
l the requests itself. If not, it forwards the request to the real server. A dev
ice or product that provides network protection at the application level by usin
g custom programs for each protected application. These programs can act as both
a client and server and are proxies to the actual application. Proxy servers ar
e available for common Internet services; for example, a hypertext transfer prot
ocol (HTTP) proxy used for Web access and a simple mail transfer protocol (SMTP)
proxy used for email. Proxy servers are also called application gateway firewa
ll or proxy gateway.
Pseudonym
A subscriber name that has been chosen by the subscriber that is not verified as
meaningful by identity proofing.
The PSP deals with securityrelated public information (e.g., public key) whose
modification can compromise the security of a cryptographic module.
Public seed
A starting value for a pseudorandom number generator. The value produced by the
random number generator (RNG) may be made public. The public seed is often calle
d a salt.
Public switched telephone network (PSTN)
The PSTN is used in the traditional telephone lines. It uses high bandwidth and
has qualityrelated problems. However, the physical security of a PSTN is higher
. Voice over IP security (VoIP) is an alternative to the PSTN with reduced bandw
idth usage and quality superior to the conventional PSTN.
Pull technology
Products and services are pulled by companies based on customer orders.
Pulverization
A physically destructive method of sanitizing media; the act of grinding to a po
wder or dust.
Purging
(1) The orderly review of storage and removal of inactive or obsolete data files
. (2) The removal of obsolete data by erasure, by overwriting of storage, or by
resetting registers. (3) To render stored application, files, and other informat
ion on a system unrecoverable. (4) Rendering sanitized data unrecoverable by lab
oratory attack methods.
Push technology
Technology that allows users to sign up for automatic downloads of online conten
t, such as virus signature file updates, patches, news, and website updates, to
their email addresses or other designated directories on their computers. Produ
cts and services are pushed by companies to customers regardless of their orders
.
Q
Q.931
A protocol used for establishing and releasing telephone connections (the ITU st
andard).
Quality assurance (QA)
(1) All actions taken to ensure that standards and procedures are adhered to and
that delivered products or services meet performance requirements. (2) The plan
ned systematic activities necessary to ensure that a component, module, or syste
m conforms to established technical requirements. (3) The policies, procedures,
and systematic actions established in an enterprise for the purpose of providing
and maintaining a specified degree of confidence in data integrity and accuracy
throughout the lifecycle of the data, which includes input, update, manipulatio
n, and output.
Quality control (QC)
A management function whereby control of the quality of (1) raw materials, assem
blies, finished products, parts, and components, (2) services related to product
ion, and (3) management, production, and inspection processes is exercised for t
he purpose of preventing undetected production of defective materials or the ren
dering of faulty services.
Quality of protection (QoP)
The quality of protection (QoP) requires that overall performance of a system sh
ould be improved by prioritizing traffic and considering rate of failure or aver
age latency at the lower layer protocols. For Web services to truly support QoS,
existing QoS support must be extended so that the packets corresponding to indi
vidual Web service messages can be routed accordingly to achieve predictable per
formance. Two standards such as WSReliability and WSReliable Messaging provide
some level of QoS because both of these standards support guaranteed message de
livery and message ordering. Note that QoP is related to quality of service (QoS
) and DoS which, in turn, related to DoQ.
Quality of service (QoS)
The quality of service (QoS) is the handling capacity of a system or service. (1
) It is the time interval between request and delivery of a message, product, or
onments, a secret passphrase is shared between base stations and access points,
and the keys are derived from a passphrase that is shorter than 20 characters, w
hich are less secure and subject to dictionary and rainbow attacks.
Rainbow tables
Rainbow tables are lookup tables that contain precomputed password hashes, ofte
n used during password cracking. These tables allow an attacker to crack a passw
ord with minimal time and effort.
Random access memory (RAM)
A place in the central processing unit (CPU) of a computer where data and progra
ms are temporarily stored during computer processing.
Random number generator (RNG)
A process used to generate an unpredictable series of numbers. Each individual v
alue is called random if each of the values in the total population of values ha
s an equal probability of being selected.
Random numbers
Random numbers are used in the generation of cryptographic keys, nonces, and aut
hentication challenges.
Reachability analysis
Reachability analysis is helpful in detecting whether a protocol is correct. An
initial state corresponds to a system when it starts running. From the initial s
tate, the other states can be reached by a sequence of transitions. Based on the
graph theory, it is possible to determine which states are reachable and which
are not.
Readonly memory (ROM)
A place where parts of the operating system programs and language translator pro
grams are permanently stored in microcomputer.
Read/write exploits
Generally, a device connected by FireWire has full access to readandwrite data
on a computer memory. The FireWire is used by audio devices, printers, scanners
, cameras, and GPS. Potential security risks in using these devices include grab
bing and changing the screen contents; searching the memory for login ID and pas
swords; searching for cryptographic keys and keying material stored in RAM; inje
cting malicious code into a process; and introducing new processes into the syst
em.
Recipient usage period (cryptoperiod)
The period of time during the cryptoperiod of a symmetric key during which the
protected information is processed.
Reciprocal agreement
An agreement that allows two organizations to back up each other.
Reciprocity
A mutual agreement among participating organizations to accept each others securi
ty assessments in order to reuse information system resources and/or to accept e
ach others assessed security posture in order to share information.
Record retention
A management policy and procedure to save originals of business documents, recor
ds, and transactions for future retrieval and reference. This is a management an
d preventive control.
Records
The recordings (automated and/or manual) of evidence of activities performed or
results achieved (e.g., forms, reports, and test results), which serve as a basi
s for verifying that the organization and the information system are performing
as intended. Also used to refer to units of related data fields (i.e., groups of
data fields that can be accessed by a program and that contain the complete set
of information on particular items).
Recovery
Process of reconstituting a database to its correct and current state following
a partial or complete hardware, software, network, operational, or processing er
ror or failure.
Recovery controls
The actions necessary to restore a systems computational and processing capabilit
y and data files after a system failure or penetration. Recovery controls are re
lated to recovery point objective (RPO) and recovery time objective (RTO).
Recovery point objective (RPO)
The point in time in to which data must be recovered after an outage in order to
resume computer processing.
Recovery procedures
Actions necessary to restore data files of an information system and computation
al capability after a system failure.
Recovery time objective (RTO)
(1) The overall length of time an information systems components can be in the re
covery phase before negatively impacting the organizations mission or business fu
nctions. (2) The maximum acceptable length of time that elapses before the unava
ilability of the system severely affects the organization.
RED/BLACK concept
A separation of electrical and electronic circuits, components, equipment, and s
ystems that handle unencrypted information (RED) in electrical form from those t
hat handle encrypted information (BLACK) in the same form.
RED concept (encryption)
It is a designation applied to cryptographic systems when data/information or me
ssages that contains sensitive or classified information that is not encrypted.
Red team
(1) A group of people authorized and organized to emulate a potential adversarys
attack or exploitation capabilities against an enterprises security posture. The
red teams objective is to improve enterprise information assurance by demonstrati
ng the impacts of successful attacks and by demonstrating what works for the def
enders (i.e., the blue team) in an operational environment). (2) A test team tha
t performs penetration security testing using covert methods and without the kno
wledge and consent of the organizations IT staff, but with full knowledge and per
mission of upper management. The old name for the red team is tiger team.
Red team exercise
An exercise, reflecting realworld conditions, that is conducted as a simulated
adversarial attempt to compromise organizational missions and/or business proces
ses to provide a comprehensive assessment of the security capability of the info
rmation system and the organization itself.
Reduced signon (RSO)
The RSO is a technology that allows a user to authenticate once and then access
many, but not all, of the resources that the user is authorized to use.
Redundancy
(1) A concept that can constrain the failure rate and protects the integrity of
data. Redundancy makes a confidentiality goal harder to achieve. If there are mu
ltiple sites with backup data, then confidentiality could be broken if any of th
e sites gets compromised. Also, purging some of the data on a backup device coul
d be difficult to do. (2) It is the use of duplicate components to prevent failu
re of an entire system upon failure of a single component and the part of a mess
age that can be eliminated without loss of essential information. (3) It is a du
plication of system components (e.g., hard drives), information (e.g., backup an
d archived files), or personnel intended to increase the reliability of service
and/or decrease the risk of information loss.
Redundant array of independent disk (RAID)
A cluster of disks used to back up data onto multiple disk drives at the same ti
me, providing increased data reliability and increased input/output performance.
Seven classifications for RAID are numbered as RAID0 through RAID6. RAID stor
age units offer faulttolerant hardware with varying degrees. Nested or hybrid R
AID levels occur with two deep levels. A simple RAID configuration with six disk
s includes four data disks, one parity disk, and one hot spare disk. Problems wi
th RAID include correlated failures due to drive mechanical issues, atomic write
semantics (meaning that the write of the data either occurred in its entirety o
r did not occur at all), write cache reliability due to a power outage, hardware
incompatibility with software, data recovery in the event of a failed array, un
timely drive errors recovery algorithm, increasing recovery times due to increas
ed drive capacity, and operator skills in terms of correct replacement and rebui
ld of failed disks, and exposure to computer viruses (Wikipedia).
RAID0: A blocklevel striping without parity or mirroring and has no redundancy
, no faulttolerance, no error checking, and a greater risk of data loss. Howeve
r, because of its low overhead and parallel write strategy, it is the fastest in
performance for both reading and writing. As the data is written to the drive,
it is divided up into sequential blocks, and each block is written to the next a
vailable drive in the array. RAID0 parameters include a minimum of two disks. T
he space efficiency is 1 and it has a zero fault tolerance disk.
RAID1: Mirroring without parity or striping and offers the highest level of red
undancy because there are multiple complete copies of the data at all times (sup
ports disk shadowing and disk duplexing). Because it maintains identical copies
on separate drives, RAID1 is slow in write performance and fast read performanc
e, and it can survive multiple (N1) drive failures. This means, if N is three,
two drives could fail without incurring data loss. RAID1 parameters include a m
inimum of two disks. The space efficiency is 1/N, and it has a (N1) fault toler
ance disks.
RAID2: Bitlevel striping with dedicated hammingcode parity. RAID2 parameters
include a minimum of three disks; space efficiency is (1 1/N). Log2 (N1), and
recover from one disk failure. A minimum of three disks must be present for par
ity to be used for fault tolerance because the parity is an error protection sch
eme.
RAID3: Bytelevel striping with dedicated parity. RAID3 parameters include a m
inimum of three disks. The space efficiency is (1 1/N), and it has one fault to
lerance disk.
RAID4: A blocklevel striping with dedicated parity. RAID4 parameters include
a minimum of three disks. The space efficiency is (1 1/N), and one fault tolera
nce disk.
RAID5: A blocklevel striping with distributed parity. It combines the distribu
ted form of redundancy with parallel disk access. It provides high readandwrit
e performance, including protection against drive failures. The amount of storag
e space is reduced due to the parity information taking 1/N of the space, giving
a total disk space of (N1) drives where N is the number of drives. A single dr
ive failure in the set can result in reduced performance of the entire set until
the failed drive has been replaced and rebuilt. A data loss occurs in the event
of a second drive failure. RAID5 parameters include a minimum of three disks.
The space efficiency is (1 1/N) and it has one fault tolerance disk.
RAID6: A blocklevel striping with double distributed parity providing fault to
lerance from two drive failures and is useful for highavailability systems. Dou
ble parity gives time to rebuild the array without the data being at risk if a s
ingle additional drive fails before the rebuild is complete. RAID6 parameters i
nclude a minimum of four disks. The space efficiency is (1 2/N). It has two fau
lt tolerance disks and two parity disks.
Reference monitor
(1) A security engineering term for IT functionality that (i) controls all acces
s, (ii) is small, (iii) cannot be bypassed, (iv) is tamperresistant, and (v) pr
ovides confidence that the other four items are true. (2) The concept of an abst
ract machine that enforces Target of Evaluation (TOE) access control policies. (
3) Useful to any system providing multilevel secure computing facilities and con
trols.
Reference monitor concept
An access control concept referring to an abstract machine that mediates all acc
ess to objects (e.g., a file or program) by subjects (e.g., a user or process).
It is a design concept for an operating system to assure secrecy and integrity.
Reference validation mechanism
An implementation of the reference monitor concept. A security kernel is a type
of reference validation mechanism. To be effective in providing protection, the
implementation of a reference monitor must be (1) tamperproof, (2) always invok
ed, and (3) simple and small enough to support the analysis and tests leading to
a high degree of assurance that it is correct.
Referential integrity
A database has referential integrity if all foreign keys reference existing prim
ary keys.
Reflection attack
Occurs when authentication is based on a shared secret key and by breaking a cha
llengeresponse protocol with multiple sessions opened at the same time. A count
ermeasure against reflection attacks is to prove the user identity first so that
protocol is not subject to the reflection attack.
Reflector attack
A host sends many requests with a spoofed source address to a service on an inte
rmediate host. The service used is typically a user datagram protocol (UDP) base
d, which makes it easier to spoof the source address successfully. Attackers oft
en use spoofed source addresses because they hide the actual source of the attac
k. The host generates a reply to each request and sends these replies to the spo
ofed address. Because the intermediate host unwittingly performs the attack, tha
t host is known as a reflector. During a reflector attack, a DoS could occur to
the host at the spoofed address, the reflector itself, or both hosts.
Registration
The process through which a party applies to become a subscriber of a credential
service provider (CSP) and a registration authority (RA) validates the identity
of that party on behalf of the CSP.
Registration authority (RA)
A trusted entity that establishes and vouches for the identity of a subscriber t
o a credential service provider (CSP). The RAs organization is responsible for as
signment of unique identifiers to registered objects. The RA may be an integral
part of a CSP, or it may be independent of a CSP, but is has a relationship to t
he CSP(s).
Regrade
Data is regraded when information is transferred from high to low or from low to
high network data and users. Automated techniques such as processing, filtering
, and blocking are used during data regrading.
Regression testing
A method to ensure that changes to one part of the software system do not advers
ely impact other parts.
Rekey
The process used to replace a previously active cryptographic key with a new key
that was created completely and independently of the old key.
Relatedkey cryptanalysis attack
These attacks choose a relation between a pair of keys but do not choose the key
s themselves. These attacks are independent of the number of rounds of the crypt
ographic algorithm.
Relay station (WMAN/WiMAX)
A relay station (RS) is a subscriber station (SS) that is configured to forward
traffic to other stations in a multihop security zone.
Release
The process of moving a baseline configuration item between organizations, such
as from software vendor to customer. The process of returning all unused disk sp
ace to the system when a dataset is closed at the end of processing.
Reliability
(1)The extent to which a computer program can be expected to perform its intende
d function with the required precision on a consistent basis. (2) The probabilit
y of a given system performing its mission adequately for a specified period of
time under the expected operating conditions.
Relying party
An entity that relies upon the subscribers credentials or verifiers assertion of a
n identity, typically to process a transaction or grant access to information or
a system.
Remanence
The residual information that remains on a storage medium after erasure or clear
ing.
Remedial maintenance
Hardware and software maintenance activities conducted by individuals communicat
ing external to an information system security perimeter or through an external,
nonorganizationcontrolled network (for example, the Internet).
Remediation plan
A plan to perform the remediation of one or more threats or vulnerabilities faci
ng an organizations systems. The plan typically includes options to remove threat
s and vulnerabilities and priorities for performing the remediation.
Remote access
(1) Access to an organizational information system by a user or an information s
ystem communicating through an external, nonorganizationcontrolled network (e.
g., the Internet). (2) The ability for an organizations users to access its nonp
ublic computing resources from locations other than the organizations facilities.
Remote administration tool
A program installed on a system that allows remote attackers to gain access to t
he system as needed.
Remote journaling
Transaction logs or journals are transmitted to a remote location. If the server
needed to be recovered, the logs or journals could be used to recover transacti
ons, applications, or database changes that occurred after the last server backu
p. Remote journaling can either be conducted though batches or be communicated c
ontinuously using buffering software. Remote journaling and electronic vaulting
require a dedicated offsite location (that is, hotsite or offsite storage site)
to receive the transmissions and a connection with limited bandwidth.
Remote maintenance
Maintenance activities conducted by individuals communicating through an externa
l, nonorganizationcontrolled network (e.g., the Internet).
Remote maintenance attack
Some hardware and software vendors who have access to an organizations computer s
ystems for problem diagnosis and remote maintenance work can modify database con
tents or reconfigure network elements to their advantage.
Remote system control
Remotely using a computer at an organization from a telework computer.
Removable media
Portable electronic storage media such as magnetic, optical, and solidstate dev
ices, which can be inserted into and removed from a computing device, and are us
ed to store text, video, audio, and image information. Such devices have no inde
pendent processing capabilities. Examples of removable media include hard disks,
zip drives, compact disks, thumb drives, flash drives, pen drives, and similar
universal serial bus (USB) storage devices. Removable media are less risky than
the nonremovable media in terms of security breaches.
Repeater
A device to amplify the received signals and it operates in the physical layer o
f the ISO/OSI reference model.
Replay
One can eavesdrop upon anothers authentication exchange and learn enough to imper
sonate a user. It is used in conducting an impersonation attack.
Replay attack
(1) An attack that involves the capture of transmitted authentication or access
control information and its subsequent retransmission with the intent of produci
ng an unauthorized effect or gaining unauthorized access. (2) An attack in which
the attacker can replay previously captured messages (between a legitimate clai
mant and a verifier) to masquerade as that claimant to the verifier or vice vers
a.
Repository
A database containing information and data relating to certificates; may also be
referred to as a directory.
eing accessed and a user. RAdAC uses security metrics, such as the strength of t
he authentication method, the level of assurance of the session connection betwe
en the system and a user, and the physical location of a user, to make its risk
determination.
Risk analysis
The process of identifying the risks to system security and determining the like
lihood of occurrence, the resulting impact, and the additional safeguards (contr
ols) that mitigate this impact. It is a part of risk management and synonymous w
ith risk assessment.
Risk assessment
The process of identifying risks to organizational operations (including mission
, functions, image, or reputation), organizational assets, individuals, or other
organizations by determining the probability of occurrence, the resulting impac
t, and additional security controls that would mitigate this impact. Part of ris
k management, synonymous with risk analysis, incorporates threat and vulnerabili
ty analyses, and considers mitigations provided by planned or inplace security
controls.
Risk index
The difference between the minimum clearance/authorization of system users and t
he maximum sensitivity (e.g., classification and categories of data processed by
a system).
Risk management
The program and supporting processes to manage information security risk to orga
nizational operations (including mission, functions, image, or reputation), orga
nizational assets, individuals, or other organizations resulting from the operat
ion of an information system. It includes (1) establishing the context for risk
related activities, (2) assessing risk, (3) responding to risk once determined,
and (4) monitoring risk over time. The process considers effectiveness, efficien
cy, and constraints due to laws, directives, policies, or regulations. This is a
management and preventive control.
Risk Management = Risk Assessment + Risk Mitigation + Risk Evaluation.
Risk mitigation involves prioritizing, evaluating, and implementing the appropri
ate riskreducing controls and countermeasures recommended from the risk assessm
ent process.
Risk monitoring
Maintaining ongoing awareness of an organizations risk environment, risk manageme
nt program, and associated activities to support risk decisions.
Risk profile
Risk profiling is conducted on each data center or computer system to identify t
hreats and to develop controls and polices in order to manage risks.
Risk reduction
The features of reducing one or more of the factors of risk (e.g., value at risk
, vulnerability to attack, threat of attack, and protection from risk).
Risk response
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational
operations and assets, individuals, or other organizations.
Risk tolerance
The level of risk an entity is willing to assume in order to achieve a potential
desired result.
RivestShamirAdelman (RSA) algorithm
A publickey algorithm used for key establishment and the generation and verific
ation of digital signatures, encrypt messages, and provide key management for th
e data encryption standard (DES) and other secret key algorithms.
Robust authentication
Requires a user to possess a token in addition to a password or PIN (i.e., twof
actor authentication). This type of authentication is applied when accessing an
internal computer systems and emails. Robust authentication can also create one
time passwords.
Robust programming
Robust programming, also called defensive programming, makes a system more relia
servers and FTP servers). It manages the domain name system (DNS) response to ad
dress requests from client computers according to a statistical model. It works
by responding to DNS requests not only with a single IP address, but also a list
of IP addresses of several servers that host identical services. The order in w
hich IP addresses from the list are returned is the basis for the term round rob
in. With each DNS response, the IP addresses sequence in the list is permuted. T
his is unlike the usual basic IP address handling methods based on network prior
ity and connection timeout (Wikipedia).
Route flapping
A situation in which Border Gateway Protocol (BGP) sessions are repeatedly dropp
ed and restarted, normally as a result of router problems or communication line
problems. Route flapping causes changes to the BGP routing tables.
Router
(1) A physical or logical entity that receives and transmits data packets or est
ablishes logical connections among a diverse set of communicating entities (usua
lly supports both hardwired and wireless communication devices simultaneously).
(2) A node that interconnects subnetworks by packet forwarding. (3) A device th
at connects two or more networks or network segments, and may use Internet Proto
col (IP) to route messages. (4) A device that keeps a record of network node add
resses and current network status, and it extends LANs. (5) A router operates in
the network layer of the ISO/OSI reference model.
Routerbased firewall
Security is implemented using screening routers as the primary means of protecti
ng the network.
Routine variation
A riskreducing principle that underlies techniques, reducing the ability of pot
ential attackers to anticipate scheduled events in order to minimize associated
vulnerabilities.
Rubberhose cryptanalysis
The extraction of cryptographic secrets (for example, the password to an encrypt
ed file) from a person by coercion or torture in contrast to a mathematical or t
echnical cryptanalytic attack. The term rubberhose refers to beating individual
s with a rubber hose until they cooperate in revealing cryptographic secrets. Ru
bberhose and social engineering attacks are not a general class of side channel
attack (Wikipedia).
Rulebased access control (RuBAC)
Access control based on specific rules relating to the nature of the subject and
object, beyond their identities such as security labels. A RuBAC decision requi
res authorization information and restriction information to compare before any
access is granted. RuBAC and MAC are considered equivalent.
Rulebased security policy
A security policy based on global rules imposed for all subjects. These rules us
ually rely on a comparison of the sensitivity of the objects being assessed and
the possession of corresponding attributes by the subjects requesting access.
Rules of behavior (ROB)
Rules established and implemented concerning use of, security in, and acceptable
level of risk of the system. Rules will clearly delineate responsibilities and
expected behavior of all individuals with access to the system. The organization
establishes and makes readily available to all information system users a set o
f rules that describes their responsibilities and expected behavior with regard
to information system usage.
Rules of engagement (ROE)
Detailed guidelines and constraints regarding the execution of information secur
ity testing. The white team establishes the ROE before the start of a security t
est. It gives the test team authority to conduct the defined activities without
the need for additional permissions.
Rules of evidence
The general rules of evidence require that the evidence must be sufficient to su
pport a finding, must be competent (reliable), must be relevant based on facts a
nd their applicability, and must be significant (material and substantive) to th
e issue at hand. The chain of custody should accommodate the rules of evidence a
nd the chain of evidence.
Ruleset
(1) A table of instructions used by a controlled (managed) interface to determin
e what data is allowable and how the data is handled between interconnected syst
ems. Rulesets govern access control functionality of a firewall. The firewall us
es these rulesets to determine how packets should be routed between its interfac
es. (2) A collection of rules or signatures that network traffic or system activ
ity is compared against to determine an action to take, such as forwarding or re
jecting a packet, creating an alert, or allowing a system event.
S
S/MIME
(1) A version of the multipurpose Internet mail extension (MIME) protocol that s
upports encrypted messages. (2) A set of specifications for securing electronic
mail. The basic security services offered by secure/MIME (S/MIME) are authentica
tion, nonrepudiation of origin, message integrity, and message privacy. Optional
security services by S/MIME include signed receipts, security labels, secure ma
iling lists, and an extended method of identifying the signers certificate(s). S/
MIME is based on RSAs publickey encryption technology.
Safe harbor principle
Principles that are intended to facilitate trade and commerce between the U.S. a
nd European Union for use solely by U.S. organizations receiving personal data f
rom the European Union. It is based on selfregulating policy and enforcement me
chanism where it meets the objectives of government regulations but does not inv
olve government enforcement.
Safeguards
Protective measures prescribed to meet the security requirements (i.e., confiden
tiality, integrity, and availability) specified for an information system and to
protect computational resources by eliminating or reducing the vulnerability or
risk to a system. Safeguards may include security features, management constrai
nts, personnel security, and security of physical structures, areas, and devices
to counter a specific threat or attack. Available safeguards include hardware a
nd software devices and mechanisms, policies, procedures, standards, guidelines,
management controls, technical controls, operational controls, personnel contro
ls, and physical controls. Synonymous with security controls and countermeasures
.
Salami technique
In data security, it pertains to fraud spread over a large number of individual
transactions (e.g., a program that does not round off figures but diverts the le
ftovers to a personal account).
Salt
A nonsecret value that is used in a cryptographic process, usually to ensure tha
t the results of computations for one instance cannot be reused by an attacker.
Salting (password)
The inclusion of a random value in the password hashing process that greatly dec
reases the likelihood of identical passwords returning the same hash.
Sandbox
A system that allows an untrusted application to run in a highly controlled envi
ronment where the applications permissions are restricted to an essential set of
computer permissions. In particular, an application in a sandbox is usually rest
ricted from accessing the file system or the network. A widely used example of a
pplications running inside a sandbox is a JavaApplet. A behavioral sandbox uses
runtime monitor for ensuring the execution of mobile code, conforming to the enf
orcement model.
Sandbox security model
Javas security model, in which applets can operate, creating a safe sandbox for a
pplet processing.
Sandboxing
(1) A method of isolating application modules into distinct fault domains enforc
ed by software. The technique allows untrusted programs written in an unsafe lan
guage, such as C, to be executed safely within the single virtual address space
of an application. Untrusted machine interpretable code modules are transformed
so that all memory accesses are confined to code and data segments within their
fault domain. Access to system resources can also be controlled through a unique
identifier associated with each domain. (2) New malicious code protection produ
cts introduce a sandbox technology allowing users the option to run programs such
as Java and ActiveX in quarantined subdirectories of systems. If malicious cod
e is detected in a quarantined program, the system removes the associated files,
protecting the rest of the system. (3) A method of isolating each guest operati
ng system from the others and restricting what resources they can access and wha
t privileges they can have (i.e., restrictions and privileges).
Sanding
The application of an abrasive substance to the medias physical recording surface
.
Sanitization
The changing of content information in order to meet the requirements of the sen
sitivity level of the network to which the information is being sent. It is a pr
ocess to remove information from media so that information recovery is not possi
ble. It includes removing all classified labels, markings, and activity logs. Sy
nonymous with scrubbing.
Sbox
Nonlinear substitution table boxes (Sboxes) used in several byte substitution t
ransformations and in the key expansion routine to perform a oneforone substit
ution of a byte value. This substitution, which is implemented with simple elect
rical circuits, is done so fast in that it does not require any computation, jus
t signal propagation. The Sbox design, which is implemented in hardware for cry
ptographic algorithm, follows Kerckhoffs principle (securitybyobscurity) in tha
t an attacker knows that the general method is substituting the bits, but he doe
s not know which bit goes where. Hence, there is no need to hide the substitutio
n method. Sboxes and Pboxes are combined to form a product cipher, where wirin
g of the Pbox is placed inside the Sbox. (that is, Sbox is first and Pbox is
next.) Sboxes are used in the advanced encryption standard (Tanenbaum).
Scalability
(1) A measure of the ease of changing the capability of a system. (2) The abilit
y to support more users, concurrent sessions, and throughput than a single SSLV
PN device can typically handle. (3) The ability to move application software sou
rce code and data into systems and environments that have a variety of performan
ce characteristics and capabilities without significant modification.
Scanning
(1) Sequentially going through combinations of numbers and letters to look for a
ccess to telephone numbers and secret passwords. (2) Sending packets or requests
to another system to gain information to be used in a subsequent attack.
Scavenging
Searching through object residue (file storage space) to acquire unauthorized da
ta.
Scenario analysis
An information system s vulnerability assessment technique in which various poss
ible attack methods are identified and the existing controls are examined in lig
ht of their ability to counter such attack methods.
Schema
A set of specifications that defines a database. Specifically, it includes entit
y names, sets, groups, data items, areas, sort sequences, access keys, and secur
ity locks.
Scoping guidance
Specific factors related to technology, infrastructure, public access, scalabili
ty, common security controls, and risk that can be considered by organizations i
n the applicability and implementation of individual security controls in the se
curity control baseline.
Screen scraper
A computer program that extracts data from websites. The program captures inform
ation from a computer display not intended for processing, captures the bitmap d
ata from a computer screen, or queries the graphical controls used in an applica
tion to obtain references to the underlying programming objects. Screen scrapers
can extract data from mobile devices (such as, PDAs and SmartPhones) and nonmo
bile devices. Regarding security threats, the screen scraper belongs to the malw
are family in that its similar to malware threats including keyloggers, spyware,
bad adware, rootkits, backdoors, and bots.
Screened host firewall
It combines a packetfiltering router with an application gateway located on the
protected subnet side of the router.
Screened subnet firewall
Conceptually, it is similar to a dualhomed gateway, except that an entire netwo
rk, rather than a single host is reachable from the outside. It can be used to l
ocate each component of the firewall on a separate system, thereby increasing th
roughput and flexibility.
Screening router
A router is used to implement part of a firewalls security by configuring it to s
electively permit or deny traffic at a network level.
Script
(1) A sequence of instructions, ranging from a simple list of operating system c
ommands to fullblown programming language statements, which can be executed aut
omatically by an interpreter. (2) A sequence of commands, often residing in a te
xt file, which can be interpreted and executed automatically. (3) Unlike compile
d programs, which execute directly on a computer processor, a script must be pro
cessed by another program that carries out the indicated actions.
Scripting language
A definition of the syntax and semantics for writing and interpreting scripts. T
ypically, scripting languages follow the conventions of a simple programming lan
guage, but they can also take on a more basic form such as a macro or a batch fi
le. JavaScript, VBScript, Tcl, PHP, and Perl are examples of scripting languages
.
Secrecy
Denial of access to information by unauthorized individuals.
Secret key
A cryptographic key that is used with a secret key (symmetric) cryptographic alg
orithm that is uniquely associated with one or more entities and is not being ma
de public. A key used by a symmetric algorithm to encrypt and decrypt data. The
use of the term secret in this context does not imply a classification level, but
rather implies the need to protect the key from disclosure or substitution.
Secret key (symmetric) cryptographic algorithm
A cryptographic algorithm that uses a single, secret key for both encryption and
decryption. This is the traditional method used for encryption. The same key is
used for both encryption and decryption. Only the party or parties that exchang
e secret messages know the secret key. The biggest problem with symmetric key en
cryption is securely distributing the keys. Public key techniques are now often
used to distribute the symmetric keys. An encryption algorithm that uses only se
cret keys. Also known as privatekey encryption.
Secure channel
An information path in which the set of all possible senders can be known to the
receivers or the set of all possible receivers can be known to the senders, or
both.
Secure communication protocol
A communication protocol that provides the appropriate confidentiality, authenti
cation, and content integrity protection.
Secure configuration management
The set of procedures appropriate for controlling changes to a systems hardware a
nd software structure for the purpose of ensuring that changes will do not lead
to violations of the systems security policy.
Secure erase
An overwrite technology using a firmwarebased process to overwrite a hard drive
Seeding model
A seeding model can be used as an indication of software reliability (i.e., erro
r detection power) of a set of test cases.
Seepage
The accidental flow to unauthorized individuals of data or information, access t
o which is presumed to be controlled by computer security safeguards.
Selfsigned certificate
A public key certificate whose digital signature may be verified by the public k
ey contained within the certificate. The signature on a selfsigned certificate
protects the integrity of the data, but does not guarantee authenticity of the i
nformation. The trust of selfsigned certificates is based on the secure procedu
res used to distribute them.
Sendmail attack
Involves sending thousands of email messages in a single day to unwitting emai
l receivers. It takes a long time to read through the subject lines to find the
desired email, thus wasting the receivers valuable time. This is a form of spamm
ing attack. Recent sendmail attacks fall into the categories of remote penetrati
on, local penetration, and remote DoS.
Sensitive data
Data that require a degree of protection due to the risk and magnitude of loss o
r harm which could result from inadvertent or deliberate disclosure, alteration,
or destruction of the data (e.g., personal or proprietary data). It includes bo
th classified and sensitive unclassified data.
Sensitive label
A piece of information that represents the security level of an object. It is th
e basis for mandatory access control decisions. Compare with security label.
Sensitive levels
A graduated system of marking (e.g., low, moderate, and high) information and in
formation processing systems based on threats and risks that result if a threat
is successfully conducted.
Sensitive security parameter (SSP)
Sensitive security parameter (SSP) contains both critical security parameter (CS
P) and public security parameter (PSP). In other words, SSP = CSP + PSP.
Sensitive system
A computer system that requires a degree of protection because it processes sens
itive data or because of the risk and magnitude of loss or harm that could resul
t from improper operation or deliberate manipulation of the application system.
Sensitivity analysis
Sensitivity analysis is based on a faultfailure model of software and is based
on the premise that software testability can predict the probability that failur
e will occur when a fault exists given a particular input distribution. A sensit
ive location is one in which faults cannot hide during testing. The internal sta
tes are perturbed to determine sensitivity. This technique requires instrumentat
ion of the code and produces a count of the total executions through an operatio
n, an infection rate estimate, and a propagation analysis.
Sensitivity and criticality
A method developed to describe the value of an information system by its owner b
y taking into account the cost, capability, and jeopardy to mission accomplishme
nt or human life associated with the system.
Sensor
An intrusion detection and prevention system (IDPS) component that monitors and
analyzes network activity and may also perform prevention actions.
Separation
An intervening space established by the act of setting or keeping apart.
Separation of duties
(1) A security principle that divides critical functions among different employe
es in an attempt to ensure that no one employee has enough information or access
privilege to perpetrate damaging fraud. (2) A principle of design that separate
s functions with differing requirements for security or integrity into separate
protection domains. Separation of duty is sometimes implemented as an authorizat
ion rule, specifying that two or more subjects are required to authorize an oper
ation. The goal is to ensure that no single individual (acting alone) can compro
mise an application systems features and its control functions. For example, secu
rity function is separated from security operations. This is a management and pr
eventive control.
Separation of name spaces
A technique of controlling access by precluding sharing; names given to objects
are only meaningful to a single subject and thus cannot be addressed by other su
bjects.
Separation of privileges
The principle of separation of privileges asserts that protection mechanisms whe
re two keys (held by different parties) are required for access are stronger mec
hanisms than those requiring only one key. The rationale behind this principle i
s that no single accident, deception, or breach of trust is sufficient to circumve
nt the mechanism. In computer systems the separation is often implemented as a r
equirement for multiple conditions (access rules) to be met before access is all
owed.
Serial line Internet Protocol (SLIP)
A protocol for carrying IP over an asynchronous serial communications line. Poin
ttoPoint Protocol (PPP) replaced the SLIP.
Server
(1) A host that provides one or more services for other hosts over a network as
a primary function. (2) A computer program that provides services to other compu
ter programs in the same or another computer. (3) A computer running a server pr
ogram is frequently referred to as a server, though it may also be running other
client (and server) programs.
Server administrator
A system architect responsible for the overall design, implementation, and maint
enance of a server.
Serverbased threats
These threats are due to poorly implemented sessiontracking, which may provide
an avenue of attack. Similarly, userprovided input might eventually be passed t
o an application interface that interprets the input as part of a command, such
as a Structured Query Language (SQL) command. Attackers may also inject custom c
ode into the website for subsequent browsers to process via crosssite scripting
(XSS). Subtle changes introduced into the Web server can radically change the s
ervers behavior (including turning a trusted entity into malicious one), the accu
racy of the computation (including changing computational algorithms to yield in
correct results), or the confidentiality of the information (e.g., disclosing co
llected information).
Server farm
A physical security control that uses a network configuration mechanism to monit
or theft or damage because all servers are kept in a single, secure location.
Server load balancing
Network traffic is distributed dynamically across groups of servers running a co
mmon application so that no one server is overwhelmed. Server load balancing inc
reases server availability and application system availability, and could be a v
iable contingency measure when it is implemented among different sites. In this
regard, the application system continues to operate as long as one or more sites
remain operational.
Server mirroring
The purpose is the same as the disk arrays. A file server is duplicated instead
of the disk. All information is written to both servers simultaneously. This is
a technical and recovery control, and ensures the availability goal.
Serverside scripts
The serverside scripts such as CGI, ASP, JSP, PHP, and Perl are used to generat
e dynamic Web pages.
Server software
Software that is run on a server to provide one or more services.
Service
sting layers of code on a host that intercepts data and analyzes it.
Short message service (SMS)
A cellular network facility that allows users to send and receive text messages
of up to 160 alphanumeric characters on their handset.
Shoulder surfing attack
Stealing passwords or personal identification numbers by looking over someones sh
oulder. It is also called a keyboard logging attack because a keyboard is used t
o enter passwords and identification numbers. Shoulder surfing attack can also b
e done at a distance using binoculars or other visionenhancing devices, and the
se attacks are common when using automated teller machines and pointofsale ter
minals. A simple and effective practice to avoid this attack is to shield the ke
ypad with one hand while entering the required data with the other hand.
Shred
A method of sanitizing media; the act of cutting or tearing into small particles
.
Shrinkwrapped software
Commercial software used outofthebox without change (i.e., customization). The
term derives from the plastic wrapping used to seal microcomputer software.
Side channel attacks
Side channel attacks result from the physical implementation of a cryptosystem.
Examples of these attacks include timing attacks, power monitoring attacks, TEMP
EST attacks, and thermal imaging attacks. Improper error handling in cryptograph
ic operation can also allow side channel attacks. In all these attacks, side cha
nnel leakage of information occurs during the physical operation of a cryptosyst
em through monitoring of sound from computations, observing from a distance, and
introducing faults into computations, thus revealing secrets such as the crypto
graphic key, systemstate information, initialization vectors, and plaintext. Si
de channel attacks are possible even when transmissions between a Web browser an
d server are encrypted. Note that side channel attacks are different from social
engineering attacks where the latter involves deceiving or coercing people who
have the legitimate access to a cryptosystem. In other words, the focus of side
channel attacks is on data and information, not on people. Countermeasures again
st the side channel attacks include implementing physical security over hardware
, jamming the emitted channel with noise (white noise), designing isochronous so
ftware so it runs in a constant amount of time independent of secret values, des
igning software so that it is PCsecure, building secure CPUs (asynchronous CPUs
) so they have no global timing reference, and retransmitting the failed (error
prone) transmission with a predetermined number of times.
Signoff
Functional users are requested and required to approve in writing their acceptan
ce of the system at various stages or phases of the system development life cycl
e (SDLC).
Signaltonoise ratio
It is the ratio of the amplitude of the desired signal to the amplitude of noise
signals at a given point in time in a telecommunications system. Usually, the s
ignaltonoise ratio is specified in terms of peaksignaltopeaknoise ratio, t
o avoid ambiguity. A low ratio at the receiver is preferred to prevent emanation
attack.
Signatory
The entity that generates a digital signature on data using a private key.
Signature
(1) A recognizable, distinguishing pattern associated with an attack, such as a
binary string in a virus or a particular set of keystrokes used to gain unauthor
ized access to a system. (2) A pattern that corresponds to a known threat. (3) T
he ability to trace the origin of the data.
Signaturebased detection
The process of comparing signatures against observed events to identify possible
incidents.
Signature certificate
A public key certificate that contains a public key intended for verifying digit
Sniffer attack
Software that observes and records network traffic. On a TCP/IP network, sniffer
s audit information packets. It is a networkmonitoring tool, usually running on
a PC.
Social engineering
(1) The act of deceiving an individual into revealing sensitive information by a
ssociating with the individual to gain confidence and trust. (2) A persons abilit
y to use personality, knowledge of human nature, and social skills (e.g., theft,
trickery, or coercion) to steal passwords, keys, tokens, or telephone toll call
s. (3) Subverting information system security by using nontechnical (social) mea
ns. (4) The process of attempting to trick someone into revealing information (e
.g., a password) that can be used to attack systems or networks. (5) An attack b
ased on deceiving users or administrators at the target site and is typically ca
rried out by an adversary telephoning users or operators and pretending to be an
authorized user, to attempt to gain illicit access to systems. (6) A general te
rm for attackers trying to trick people into revealing sensitive information or
performing certain actions, such as downloading and executing files that appear
to be benign but are actually malicious.
Social engineering for key discovery attacks
It is important for functional users to protect their private cryptographic keys
from unauthorized disclosure and from social engineering attacks. The latter at
tack can occur when users die or leave the company without revealing their passw
ords to the encrypted data. The attacker can get hold of these passwords using t
ricky means and access the encrypted data. Examples of otherrelated social engi
neering attacks include presenting a selfsigned certificate unknown to the user
, exploiting vulnerabilities in a Web browser, taking advantage of a crosssite
scripting (XSS) vulnerability on a legitimate website, and taking advantage of t
he certificate approval process to receive a valid certificate and apply it to t
he attackers own site.
SOCKS
(1) An Internet Protocol to allow client applications to form a circuitlevel ga
teway to a network firewall via a proxy service. (2) This protocol supports appl
icationlayer firewall traversal. The SOCKS protocol supports both reliable TCP
and UDP transport services by creating a shimlayer between the application and
the transport layers. The SOCKS protocol includes a negotiation step whereby the
server can dictate which authentication mechanism it supports. (3) A networking
proxy protocol that enables full access across the SOCKS server from one host t
o another without requiring direct IP reachability. (4) The SOCKS server authent
icates and authorizes the requests, establishes a proxy connection, and transmit
s the data. (5) SOCKS are commonly used as a network firewall that enables hosts
behind a SOCKS server to gain full access to the Internet, while preventing una
uthorized access from the Internet to the internal hosts. SOCKS is an abbreviati
on for SOCKetServer.
Softlifting
Illegal copying of licensed software for personal use.
Software
The computer programs and possibly associated data dynamically written and modif
ied.
Software assurance
Level of confidence that software is free from vulnerabilities, either intention
ally designed into the software or accidentally inserted at anytime during its l
ife cycle, and that the software functions in the intended manner.
Softwarebased fault isolation
A method of isolating application modules into distinct fault domains enforced b
y software. The technique allows untrusted programs written in an unsafe program
ming language (e.g., C) to be executed safely within the single virtual address
space of an application. Access to system resource can also be controlled throug
h a unique identifier associated with each domain.
Software cages
As a part of technical safeguards for active content, software cages constrain t
.
Spam
The abuse of electronic messaging systems to indiscriminately send unsolicited b
ulk commercial email messages and junk emails.
Spam filtering software
A computer program that analyzes emails to look for characteristics of spam, an
d typically places messages that appear to be spam in a separate email folder.
Spamming
Posting identical messages to multiple unrelated newsgroups on the Internet (e.g
., USENET). Often used as cheap advertising to promote pyramid schemes or simply
to annoy other people.
Spanning port
A switch port that can see all network traffic going through the switch.
Spanning tree
Multicast and broadcast routing is performed using spanning trees, which makes e
xcellent use of bandwidth where each router must know which of its lines belong
to the tree. The spanning tree is also used in conducting risk analysis, to buil
d plugandplay bridges, and to build Internet relay chat (IRC) server network s
o it routes messages according to a shortestpath algorithm.
Specialized security with limited functionality
An environment encompassing systems with specialized security requirements, in w
hich higher security needs typically result in more limited functionality.
Specification
(1) An assessment object that includes documentbased artifacts (e.g., policies,
procedures, plans, system security requirements, functional descriptions, and a
rchitectural designs) associated with an information system. (2) A technical des
cription of the desired behavior of a system, as derived from its requirements.
(3) A specification is used to develop and test an implementation of a system.
Split domain name system (DNS)
Implementation of split domain name system (DNS) requires a minimum of two physi
cal files (zone files) or views. One file or view should exclusively provide nam
e resolution for hosts located inside the firewall and for hosts outside the fir
ewall. The other file or view should provide name resolution only for hosts loca
ted outside the firewall on in the DMZ and not for any hosts inside the firewall
. In other words, split DNS requires one physical file for external clients and
one physical file for internal clients.
Split knowledge
(1) A process by which a cryptographic key is split into multiple key components
, individually sharing no knowledge of the original key, which can be subsequent
ly input into, or output from, a cryptographic module by separate entities and c
ombined to recreate the original cryptographic key. (2) The condition under whic
h two or more parties separately have part of the data, that, when combined, wil
l yield a security parameter or that will allow them to perform some sensitive f
unction. (3) The separation of data into two or more parts, with each part const
antly kept under control of separate authorized individuals or teams so that no
one individual will be knowledgeable of the total data involved.
Split tunneling
(1) A virtual private network (VPN) client feature that tunnels all communicatio
ns involving an organizations internal resources through the VPN, thus protecting
them, and excludes all other communications from going through the tunnel. (2)
A method that routes organizationspecific traffic through the SSL VPN tunnel, b
ut other traffic uses the remote users default gateway.
Spoofing attacks
Many spoofing attacks exist. An example is the Internet Protocol (IP) spoofing a
ttack, which refers to sending a network packet that appears to come from a sour
ce other than its actual source. It involves (1) the ability to receive a messag
e by masquerading as the legitimate receiving destination or (2) masquerading as
the sending machine and sending a message to a destination.
Spread spectrum
Uses a wide band of frequencies to send radio signals. Instead of transmitting a
signal on one channel, spread spectrum systems process the signal and spread it
across a wider range of frequencies.
Spyware
(1) It is malware intended to violate a users privacy. (2) It is a program embedd
ed within an application that collects information and periodically communicates
back to its home site, unbeknownst to the user. Spyware programs have been disc
overed with many shareware or freeware programs and even some commercial product
s, without notification of this hidden functionality in the license agreement or
elsewhere. Notification of this hidden functionality may not occur in the licen
se agreement. News reports have accused various spyware programs of inventorying
software on the users system, collecting or searching out private information, a
nd periodically shipping the information back to the home site. (3) It is softwa
re that is secretly or surreptitiously installed into an information system to g
ather information on individuals or organizations without their knowledge. It is
a type of malicious code and malware.
Spyware detection and removal utility
A program that monitors a computer to identify spyware and prevent or contain sp
yware incidents.
Stackguarding
Stackguarding technology makes it difficult for attackers to exploit buffer over
flows and to prevent worms from gaining control of lowprivilege accounts.
Standard
An established basis of performance used to determine quality and acceptability.
A published statement on a topic specifying characteristics, usually measurable
, that must be satisfied or achieved in order to comply with the standard.
Standalone system
A small office/home office (SOHO) environment.
Standard generalized markup language (SGML)
A markup language used to define the structure and to manage documents in electr
onic form.
Standard user account
A user account with limited privileges that will be used for general tasks such
as reading email and surfing the Web.
Star topology
Star topology is a network topology in which peripheral nodes are connected to a
central node (station) in that all stations are connected to a central switch o
r hub. An active star network has an active central node that usually has the me
ans to prevent echorelated problems.
State attacks
Asynchronous attacks that deal with timing differences and changing states. Exam
ples include timeofcheck to timeofuse (TOCTOU) attack and race conditions.
Stateful inspection
Packet filtering that also tracks the state of connections and blocks packets th
at deviate from the expected state.
Stateful protocol analysis
A firewalling capability that improves upon standard stateful inspection by addi
ng basic intrusion detection technology. This technology consists of an inspecti
on engine that analyzes protocols at the application layer to compare vendordev
eloped profiles of benign protocol activity against observed events to identify
deviations, allowing a firewall to allow or deny access based on how an applicat
ion is running over a network.
Stateless inspection
See Packet filtering.
State transition diagram (STD)
It shows how a system moves from one state to another, or as a matrix in which t
he dimensions are state and input. STDs detects errors such as incomplete requir
ements specifications and inconsistent requirements. STDs represent a sequential
, natural flow of business transactions. STD are used in realtime application s
ystems to express concurrency of tasks. They are also called state charts.
Static key
It is a key that is intended for use for a relatively long period of time and is
typically intended for use in many instances of a cryptographic key establishme
nt scheme. Static key is in contrast with an ephemeral key, where the latter is
used for a short period of time.
Static key agreement key pairs
Static key agreement key pairs are used to establish shared secrets between enti
ties, often in conjunction with ephemeral key pairs. Each entity uses their priv
ate key agreement key(s), the other entitys public key agreement key(s) and possi
bly their own public key agreement key(s) to determine the shared secret. The sh
ared secret is subsequently used to derive shared keying material. Note that in
some key agreement schemes, one or more of the entities may not have a static ke
y agreement pair.
Static separation of duty (SSOD)
As a security mechanism, SSOD addresses two separate but related problems: stati
c exclusivity and assurance principle.
Static exclusivity is the condition for which it is considered dangerous for any
user to gain authorization for conflicting sets of capabilities (e.g., a cashie
r and a cashier supervisor). The motivations for exclusivity relations include,
but are not limited to, reducing the likelihood of fraud or preventing the loss
of user objectivity.
Assurance principle is the potential for collusion where the greater the number
of individuals that are involved in the execution of a sensitive business functi
on, such as purchasing an item or executing a trade, the less likely any one use
r will commit fraud or that any few users will collude in committing fraud.
Separation of duties constraints may require that two roles be mutually exclusiv
e, because no user should have the privileges from both roles. Popular SSOD poli
cies are the RBAC and RuBAC.
Static Web documents
Static Web documents (pages) are written in HTML, XHTML, ASCII, JPEG, XML, and X
SL.
Stealth mode
Operating an intrusion detection and prevention sensor without IP addresses assi
gned to its monitoring network interfaces.
Steering committee
A group of management representatives from each user area of IT services that es
tablishes plans and priorities and reviews projects progress and problems for the
purpose of making management decisions.
Steganography
Deals with hiding messages and obscuring who is sending or receiving them. The a
rt and science of communicating in a way that hides the existence of the communi
cation. For example, a child pornography image can be hidden inside another grap
hic image file, audio file, or other file format.
Step restart
A restart that begins at the beginning of a job step. The restart may be automat
ic or deferred, where deferral involves resubmitting the job.
Storage security
The process of allowing only authorized parties to access stored information.
Stream attack
The process of ending transmission control protocol (TCP) packets to a series of
ports with random sequence numbers and random source Internet Protocol (IP) add
resses. The result is high CPU usage leading to resource starvation effect. Once
the attack subsided, the system returns to normal conditions.
Stream cipher algorithm
An algorithm that converts plaintext into ciphertext one bit at a time and its s
ecurity depends entirely on the insides of the keystream generator. Stream ciphe
rs are good for continuous streams of communication traffic.
Stress testing
Application programs tested with test data chosen for maximum, minimum, and triv
ial values, or parameters. The purpose is to analyze system behavior under incre
asingly heavy workloads and severe operating conditions, and, in particular, to
A method of disabling a system by sending more SYN packets than its networking c
ode can handle.
Synchronization protocols
Protocols that allow users to view, modify, and transfer or update data between
a cell phone or personal digital assistant (PDA) and a PC or vice versa. The two
most common synchronization protocols are Microsofts ActiveSync and Palms HotSync
.
Synchronous communication
The transmission of data at very high speeds using circuits in which the transfe
r of data is synchronized by electronic clock signals. Synchronous communication
is used within the computer and in highspeed mainframe computer networks.
Synchronous optical network (SONET)
A physical layer standard that provides an international specification for high
speed digital transmission via optical fiber. At the source interface, signals a
re converted from electrical to optical form. They are then converted back to el
ectrical form at the destination interface.
Synchronous transmission
The serial transmission of a bit stream in which each bit occurs at a fixed time
interval and the entire stream is preceded by a specific combination of bits th
at initiate the timing.
Syntax error
An error resulting from the expression of a command in a way that violates a pro
grams syntax rules. Syntax rules specify precisely how a command, statement, or i
nstruction must be given to the computer so that it can recognize and process th
e instruction correctly.
Syslog
A protocol that specifies a general log entry format and a log entry transport m
echanism. Log facility is the message type for a syslog message.
System
A discrete set of information resources organized for the collection, processing
, maintenance, use, sharing, dissemination, or disposition of information. A gen
eric term used for briefness to mean either a major/minor application (MA) or a
general support system (GSS).
System administrator
A person who manages a multiuser computer system, including its operating system
and applications, and whose responsibilities are similar to that of a network a
dministrator. A system administrator would perform systems programmer activities
with regard to the operating system and network control programs.
System availability
(1) A timely, reliable access to data, system, and information services for auth
orized users. (2) A measure of the amount of time that the system is actually ca
pable of accepting and performing a users work. (3) The availability of communica
tion ports and the amount or quantity of service received in a given period. (4)
Can be viewed as a component of system reliability. The availability of a compu
ter system can be expressed as a percentage in several ways, as follows:
Availability = (Uptime)/(Uptime + Downtime) 100
Availability = (Available time/Scheduled time) 100
Availability = [(MTTF)/(MTTF + MTTR)] 100
Availability = (MTTF/MTBF) 100
System confidentiality
Assurance that information is not disclosed to unauthorized individuals, process
es, or devices.
System development life cycle (SDLC)
A systematic process for planning, analyzing, designing, developing, implementin
g, operating, and maintaining a computerbased application system. The scope of
activities associated with a system, encompassing the systems initiation, develop
ment and acquisition, implementation, operation and maintenance, and ultimately
its disposal that instigates another system initiation.
System development methodologies
Methodologies developed through software engineering to manage the complexity of
A Common Criteria (CC) term for an IT product or system and its associated admin
istrator and user guidance documentation that is the subject of a security evalu
ation. A product that has been installed and is being operated according to its
guidance.
Target identification and analysis techniques
Information security testing techniques, mostly active and generally conducted u
sing automated tools, used to identify systems, ports, services, and potential v
ulnerabilities. These techniques include network discovery, network port and ser
vice identification, vulnerability scanning, wireless scanning, and application
security testing.
Target vulnerability validation techniques
Active information security testing techniques that corroborate the existence of
vulnerabilities. These techniques include password cracking, remote access test
ing, penetration testing, social engineering, and physical security testing.
TCP wrappers
Transmission control protocol (TCP) wrapper, a network security tool, allows the
administrator to log connections to TCP service. It can also restrict incoming
connections to these services from systems. These features are useful when track
ing or controlling unwanted network connection attempts.
Teardrop attack
This freezes vulnerable hosts by exploiting a bug in the fragmented packet reas
sembly routines. A countermeasure is to install software patches and upgrades.
Technical attack
An attack that can be perpetrated by circumventing or nullifying hardware and so
ftware protection mechanisms, rather than by subverting system personnel or othe
r users.
Technical controls
(1) An automated security control employed by the system. (2) The security contr
ols (i.e., safeguards or countermeasures) for an information system that are pri
marily implemented and executed by the information system through mechanisms con
tained in the hardware, software, or firmware components of the system.
Technical security
The set of hardware, firmware, software, and supporting controls that implement
security policy, accountability, assurance, and documentation.
Technical vulnerability
A hardware, firmware, communication, or software flaw that leaves a computer pro
cessing system open for potential exploitation, either externally or internally,
thereby resulting in risk for the owner, user, or manager of the system.
Technology convergence
It occurs when two or more specific and compatible technologies are combined to
work in harmony. For example, in a data center physical facility, physical secur
ity controls (keys, locks, and visitor escort), logical security controls (biome
trics and access controls), and environmental controls (heat and humidity) can b
e combined for effective implementation of controls. These controls can be based
on
Technology gap
A technology that is needed to mitigate a threat at a sufficient level but is no
t available.
Telecommuting
The ability for an organizations employees and contractors to conduct work from l
ocations other than the organizations facilities.
Telework
The ability for an organizations employees and contractors to conduct work from l
ocations other than the organizations facilities.
Telework device
A consumer device or PC used for performing telework.
Telnet
Protocol used for (possibly for remote) login to a computer host.
TEMPEST
A short name referring to investigation, study, and control of compromising eman
gers to a computer system, which may result in the interception, alteration, obs
truction, or destruction of computing resources, or in some other way disrupt th
e system. It is any circumstance or event with the potential to adversely impact
organization operations (including mission, functions, image or reputation), or
ganizational assets, individuals, and other organizations through an information
system via unauthorized access, destruction, disclosure, modification of inform
ation, and/or denial of service. Threat is the potential for a threatsource to
successfully exploit a particular information systems vulnerability. It is an act
ivity (deliberate or unintentional) with the potential for causing harm to an au
tomated information system and a potential violation of system security. Threats
arise from internal system failures, human errors, attacks, and natural catastr
ophes. Threats can be viewed in terms of categories and classes, as shown in the
following table:
Categories
Classes
Human categories
Intentional or unintentional
Environmental categories
Natural or manmade (fabricated)
Threat agent/source
The intent and method targeted at the intentional exploitation of vulnerability
or a situation and method that may accidentally trigger vulnerability. It is a m
ethod used to exploit vulnerability in a system, operation, or facility.
Threat analysis
The examination of threatsources against system vulnerabilities to determine th
e threats for a particular system in a particular operational environment. Threa
t is threatsource and vulnerability pair, which can be analyzed in parallel. Ho
wever, threat analysis cannot be performed until after vulnerability analysis ha
s been conducted because vulnerabilities lead to threats, which, in turn, lead t
o risks.
Threat assessment
A process of formally evaluating the degree of threat to an information system o
r enterprise and describing the nature of the threat.
Threat event
A catastrophic occurrence. Examples include fire, flood, power outage, and hardw
are/software failures.
Threat monitoring
The analysis, assessment, and review of audit trails and other data collected to
search out system events that may constitute violations or attempted violations
of system security.
Threatsource/agent
The intent and method targeted at the intentional exploitation of a vulnerabilit
y or a situation and method that may accidentally trigger a vulnerability. It is
a method used to exploit vulnerability in a system, operation, or facility.
Threshold
A value that sets the limit between normal and abnormal behavior.
Ticketoriented protection system
A computer protection system in which each subject maintains a list of unforgeab
le bit patterns, called tickets, one for each object the subject is authorized t
o access (e.g., Kerberos). Compare this with listoriented protection system.
Tiger team
Conducts penetration testing to attempt a system breakin. It is an old name to
discover system weaknesses and to recommend security controls. The new name is r
ed team.
Timebomb
A variant of the Trojan horse in which malicious code is inserted to be triggere
d later at a particular time. It is a resident computer program that triggers an
unauthorized act as a predefined time.
Timedependent password
A password that is valid only at a certain time of the day or during a specified
interval of time.
Time division multiple access (TDMA)
Form of multiple access where a single communication channel is shared by segmen
ting it by time. Each user is assigned a specific time slot. It is a technique t
o interweave multiple conversations into one transponder so as to appear to get
simultaneous conversations.
Timeouts for inactivity
The setting of time limits for either specific activities or for nonactivity.
Timestamping
The method of including an unforgeable time stamp with object structures, used f
or a variety of reasons such as sequencenumbering and expiration of data.
Timetoexploitation
The elapsed time between the vulnerability is discovered and the time it is expl
oited.
TimetoLive (TTL) hack
The TimeToLive (TTL) hack or hop count prevents IP packets from circulating en
dlessly in the Internet.
Timetorecover (TTR)
The time required for any computer resource to be recovered from disruptive even
ts, specifically, the time required to reestablish an activity from an emergency
or degraded mode to a normal mode. It is also defined as emergency response tim
e (EMRT).
Timing attack
A side channel attack in which the attacker attempts to compromise a cryptosyste
m by analyzing the time taken to execute cryptographic algorithms. Every logical
operation in a computer takes time to execute, and the time can differ based on
the input; with precise measurements of the time for each operation, an attacke
r can work backward to the input. Information can leak from a system through mea
surement of the time it takes to respond to certain queries. Timing attacks resu
lt from poor system/program design and implementation methods. Timing attacks an
d sidechannel attacks are useful in identifying or reverseengineering a cryptog
raphic algorithm used by some device. Other examples of timing attacks include (
1) a clock drift attack where it can be used to build random number generators,
(2) clock skew exploitation based on CPU heating, and (3) attackers who may find
fixed DiffieHellman exponents and RSA keys to break cryptosystems (Wikipedia).
TOCTOU attack
TOCTOU stands for Timeofcheck to timeofuse. An example of TOCTOU attack is
when one print job under one users name is exchanged with the print job for anot
cker.
Traffic load
The number of messages input to a network during a specific time period.
Traffic padding or flooding
A protection to conceal the presence of valid messages on a communications circu
it by causing the circuit to appear busy at all times. Unnecessary data are sent
through the circuit to keep it busy and to confuse the intruder. It is a counte
rmeasure against the threat of traffic analysis.
Transborder data flow
Deals with the movement and storage of data by automatic means across national o
r federal boundaries. It may require data encryption when data is flowing over s
ome borders.
Transaction
An activity or request to a computer. Purchase orders, changes, additions, and d
eletions are examples of transactions recorded in a business information environ
ment. A logical unit of work for an end user. Also, used to define a program or
a dialog in a computer system.
Transmission control protocol (TCP)
A reliable connection and byteoriented transport layer protocol within the TCP/
IP suite.
Transmission control protocol/Internet protocol (TCP/IP)
TCP/IP is the protocol suite used by the Internet. A protocol suite is the set o
f message types, their formats, and the rules that control how messages are proc
essed by computers on the network.
Transmission medium
The physical path between transmitters and receivers in a communication network.
A mechanism that supports propagation of digital signals. Examples of a transmi
ssion medium are cables such as leased lines from common commercial carriers, fi
ber optic cables, and satellite channels.
Transmittal list
A list, stored and transmitted with particular data items, which identifies the
data in that batch and can be used to verify that no data are missing.
Transport layer
Portion of an open system interconnection (OSI) system responsible for reliabili
ty and multiplexing of data across network to the level required by the applicat
ion.
Transportlayer security (TLS)
(1) An authentication and security protocol widely implemented in Web browsers a
nd Web servers. (2) Provides security at the layer responsible for endtoend co
mmunications. (3) Provides privacy and data integrity between two communicating
applications. (4) It is designed to encapsulate other protocols, such as HTTP. T
LS is new and SSL is old.
Transport mode
IPsec mode that does not create a new IP header for each protected packet.
Tranquility
A property applied to a set of (typically untrusted) controlled entities saying
that their security level may not change.
Tranquility principle
A request that changes to an objects access control attributes are prohibited as
long as any subject has access to the object.
Trap
A message indicating that a fault condition may exist or that a fault is likely
to occur. In computer crime investigations, trap and trace means the attackers ph
one call is trapped and traced.
Trapdoor
A hidden software or hardware mechanism that responds to a special input used to
circumvent the systems security controls. Synonymous with backdoor.
Tree topology
Tree topology is a network topology which resembles an interconnection of start
networks in that individual peripheral nodes are required to transmit to and rec
eive from one another node only toward a central node. The tree topology is not
required to act as repeaters or regenerators. The tree topology, which is a vari
ation of bus topology, is subject to a singlepoint of failure of a transmission
path to the node. The tree topology is an example of a hybrid topology where a
linear bus backbone connects starconfigured networks.
Triangulation
Identifying the physical location of a detected threat against a wireless networ
k by estimating the threats approximate distance from multiple wireless sensors b
y the strength of the threats signal received by each sensor, and then calculatin
g the physical location at which the threat would be the estimated distance from
each sensor.
Triple DES (3DES)
An implementation of the data encryption standard (DES) algorithm that uses thre
e passes of the DES algorithm instead of one as used in ordinary DES application
s. Triple DES provides much stronger encryption than ordinary DES but it is less
secure than AES.
Tripwire
Tripwire, a network security tool, monitors the permissions and checksums of imp
ortant system files to detect if they have been replaced or corrupted. Tripwire
can be configured to send an alert to the administrator should any files recomput
ed checksum fail to match its baseline, indicating that the file has been altere
d.
Trojan horse (aka Trojan)
(1) A useful or seemingly useful program that contains hidden code of a maliciou
s nature. When the program is invoked, so is the undesired function whose effect
s may not become immediately obvious. (2) It is a nonselfreplicating program th
at appears to have a useful purpose, but actually has a hidden malicious purpose
. The name stems from an ancient exploit of invaders gaining entry to the city o
f Troy by concealing themselves in the body of a hollow wooden horse, presumed t
o be left behind by the invaders as a gift to the city. (3) A computer program w
ith an apparent or actual useful function that contains additional (hidden) func
tions that surreptitiously exploit the legitimate authorizations of the invoking
process to the detriment of security or integrity. (4) It usually masquerades a
s a useful program that a user would wish to execute.
True negative
A tool reports a weakness when it is not present.
True positive
A tool reports a weakness when it is present.
Trust
(1) A characteristic of an entity (e.g., person, process, key, or algorithm) tha
t indicates its ability to perform certain functions or services correctly, fair
ly, and impartially, and that the entity and its identity are genuine. (2) A rel
ationship between two elements, a set of activities and a security policy in whi
ch element X trusts element Y if and only if X has confidence that Y will behave
in a welldefined way (with respect to the activities) that does not violate th
e given security policy. (3) It is a belief that a system meets its specificatio
ns. (4) The willingness to take actions expecting beneficial outcomes based on a
ssertions by other parties.
Trust anchor (public key)
(1) One or more trusted public keys that exist at the base of a tree of trust or
as the strongest link on a chain of trust and upon which a public key infrastru
cture (PKI) is constructed. (2) A public key and the name of a certification aut
hority (CA) that is used to validate the first certificate in a sequence of cert
ificates. (3) The trust anchor public key is used to verify the signature on a c
ertificate issued by a trust anchor CA. The security of the validation process d
epends upon the authenticity and integrity of the trust anchor. Trust anchors ar
e often distributed as selfsigned certificates.
Trust anchor (DNS)
A validating DNSSECaware resolver uses a public key or hash as a starting point
for building the authentication chain to a signed domain name system (DNS) resp
onse. In general, a validating resolver will need to obtain the initial values o
f its trust anchors via some secure or trusted means outside the DNS protocol. T
he presence of a trust anchor also implies that the resolver should expect the z
one to which the trust anchor points to be signed. This is sometimes referred to
as a secure entry point.
Trust anchor store
The location where trust anchors are stored. Here, store refers to placing elect
ronic data into a storage medium, which may be accessed and retrieved under norm
al operational circumstances by authorized entities.
Trust list
It is the collection of trusted certificates used by the relying parties to auth
enticate other certificates.
Trusted certificate
A certificate that is trusted by the relying party on the basis of secure and au
thenticated delivery. The public keys included in trusted certificates are used
to start certification paths. It is also known as a trust anchor.
Trusted channel
(1) A mechanism by which two trusted partitions can communicate directly. (2) A
trusted channel may be needed for the correct operation of other security mechan
isms. (3) A trusted channel cannot be initiated by untrusted software and it mai
ntains the integrity of information that is sent over it. (4) A channel where th
e endpoints are known and data integrity and/or data privacy is protected in tra
nsit using SSL, IPsec, and a secure physical connection. (5) A mechanism through
which a cryptographic module provides a trusted, safe, and discrete communicati
on pathway for sensitive security parameters (SSPs) and other critical informati
on between the cryptographic module and the modules intended communications endpo
int. A trusted channel exhibits a verification component that the operator or mo
dule may use to confirm that the trusted channel exists. A trusted channel prote
cts against eavesdropping, as well as physical or logical tampering by unwanted
operators/entities, processes, or other devices, both within the module and alon
g the modules communication link with the intended endpoint (e.g., the trusted ch
annel will not allow maninthemiddle (MitM) or replay types of attacks). A tru
sted channel may be realized in one or more of the following ways: (i) A communi
cation pathway between the cryptographic module and endpoints that are entirely
local, directly attached to the cryptographic module, and has no intervening sys
tems, and (ii) A mechanism that cryptographically protects SSPs during entry and
output and does not allow misuse of any transitory SSPs.
Trusted computer system
(1) A system that employs sufficient hardware and software assurance measures to
allow its use for processing simultaneously a range of sensitive or classified
information. (2) A system believed to enforce a given set of attributes to a sta
ted degree of assurance (confidence).
Trusted computing
Trusted computing helps network administrators to keep track of host computers o
n the network. This tracking and controlling mechanism ensures that all hosts ar
e properly patched up, the software version is current, and that they are protec
ted from malware exploitation. Trusted computing technologies are both hardware
based and softwarebased techniques to combat the threat of possible attacks. It
includes three technologies such as trusted platform module, trusted network co
nnect, and trusted computing software stack.
Trusted computing base (TCB)
The totality of protection mechanisms within a computer system, including hardwa
re, firmware, and software, where this combination is responsible for enforcing
a security policy. It provides a basic protection environment and provides addit
ional user services required for a trusted computer system. The capability of a
TCB to correctly enforce a security policy depends solely on the mechanisms with
in the TCB and on the correct input by system administrative personnel of parame
ters (e.g., a users clearance) related to the security policy.
Trusted distribution
A trusted method for distributing the trusted computing base (TCB) hardware, sof
tware, and firmware components, both originals and updates, that provides method
s for protecting the TCB from modification during distribution and for detection
of any changes to the TCB that may occur.
Trusted functionality
That which is determined to be correct with respect to some criteria, e.g., as e
stablished by a security policy. The functionality shall neither fall short of n
or exceed the criteria.
Trusted operating system (TOS)
A trusted operating system is part of a trusted computing base (TCB) that has be
en evaluated at an assurance level necessary to protect the data that will be pr
ocessed.
Trusted path
(1) A means by which an operator and a security function can communicate with th
e necessary confidence to support the security policy associated with the securi
ty function. (2) A mechanism by which a user (through an input device) can commu
nicate directly with the security functions of the information system with the n
ecessary confidence to support the system security policy. This mechanism can on
ly be activated by the user or the security functions of the information system
and cannot be imitated by untrusted software.
Trusted platform module (TPM) chip
A tamperresistant integrated circuit built into some computer motherboards that
can perform cryptographic operations (including key generation) and protect sma
ll amounts of sensitive information, such as passwords and cryptographic keys. T
PM chip, through its key cache management feature, protects the generated keys u
sed in encrypted file system (EFS).
Trusted relationships
Policies that govern how entities in differing domains honor each others authoriz
ations. An authority may be completely trusted for example, any statement from t
he authority will be accepted as a basis for action or there may be limited trus
t, in which case only statements in a specific range are accepted.
Trusted software
It is the software portion of a trusted computing base (TCB).
Trusted subject
A subject that is part of the trusted computing base (TCB). It has the ability t
o violate the security policy but is trusted not to actually do so. For example,
in the BellLaPadula model, a trusted subject is not constrained by the starpr
operty and thus has the capability to write sensitive information into an object
whose level is not dominated by the (maximum) level of the subject, but it is t
rusted to only write information into objects with a label appropriate for the a
ctual level of the information.
Trusted system
Employing sufficient integrity measures to allow its use for processing intellig
ence information involving sensitive intelligence sources and methods.
Trusted third party (TTP)
An entity other than the owner and verifier that is trusted by the owner or the
verifier or both. Sometimes shortened to trusted party.
Trustworthiness
(1) The attribute of a person or enterprise that provides confidence to others o
f the qualifications, capabilities, and reliability of that entity to perform sp
ecific tasks and fulfill assigned responsibilities. (2) A characteristic or prop
erty of an information system that expresses the degree to which the system can
be expected to preserve the confidentiality, integrity, and availability of the
information being processed, stored, or transmitted by the system.
Trustworthy system
Computer hardware, software, and procedures that (1) are reasonably secure from
intrusion and misuse, (2) provide a reasonable level of availability, reliabilit
y, and correct operation, (3) are reasonably suited to performing their intended
functions, and (4) adhere to generally accepted security principles.
Truth table
Computer logic blocks can use combinational logic (without memory) or sequential
logic (with memory). The combinational logic can be specified by defining the v
alues of the outputs for each possible set of input values using a truth table.
Each entry in the table specifies the value of all the outputs for that particul
ar input combination. Truth tables can grow in size quickly and may be difficult
to understand. After a truth table is constructed, it can be optimized by keepi
ng nonzero output values only.
Tuning
Altering the configuration of an intrusion detection and prevention system (IDPS
) to improve its detection accuracy.
Tunnel mode
IPsec mode that creates a new IP header for each protected packet.
Tunnel virtual private network (VPN)
A secure socket layer (SSL) connection that allows a wide variety of protocols a
nd applications to be run through it.
Tunneled password protocol
A protocol where a password is sent through a protected channel to a cryptograph
ically authenticated verifier. For example, the transport layer security (TLS) p
rotocol is often used with a verifiers public key certificate to (1) authenticate
the verifier to the claimant, (2) establish an encrypted session between the ve
rifier and claimant, and (3) transmit the claimants password to the verifier. The
encrypted TLS session protects the claimants password from eavesdroppers.
Tunneling
(1) It is a technology enabling one network to send its data via another networks
connections. Tunneling works by encapsulating a network protocol within packets
carried by the second network. (2) A highlevel remote access architecture that
provides a secure tunnel between a telework client device (a personal computer
used by a remote worker) and a tunneling server through which application system
traffic may pass. (3) A method of circumventing a firewall by hiding a message
that would be rejected by the firewall inside a second, acceptable message.
Tunneling attack
An attack that attempts to exploit a weakness in a system at a level of abstract
ion lower than that used by the developer to design and/or test the system.
Tunneling router
A router or system capable of routing traffic by encrypting it and encapsulating
it for transmission across an untrusted network, for eventual decryption and de
encapsulation.
Turnstiles
Turnstiles will decrease the everyday piggybacking or tailgating by forcing peop
le to go through a turnstile one person at a time. Turnstiles are used in data c
enters and office buildings.
Twistedpair wire
Twistedpair wire is the most commonly used media, and its application is limite
d to single building or a few buildings, and used for lower performance systems.
Twofactor authentication
A type of authentication that requires two independent methods to establish iden
tity and authorization to perform security services. The three most recognized f
actors are (1) something you are (e.g., biometrics), (2) something you know (e.g
., password), and (3) something you have (e.g., smart card).
Twopart code
It is a code consisting of an encoding section (first part) arranged in alphabet
ical or numeric order and a decoding section (second part) arranged in a separat
e alphabetical or numeric order.
Twoperson control
Continuous surveillance and monitoring of positive control material at all times
by a minimum of two authorized individuals, each capable of detecting incorrect
and unauthorized procedures with respect to the task being performed and each f
amiliar with established security and safety requirements.
Twoperson integrity
System of storage and handling designed to prohibit individual access by requiri
ng the presence of at least two authorized individuals, each capable of detectin
Users are assigned with specific roles and deroles based on their job duties an
d responsibilities
User capabilities are revoked from roles and as such are revoked from users
Objects can be assigned to object groups based on secrecy levels of the objects
Object groups are organized according to the business functions of an organizati
on
User ID
A unique symbol or character string used by a system to identify a specific user
.
User interface
A combination of menus, screen design, keyboard commands, command language, and
help screens that together create the way a user interacts with a computer. Hard
ware, such as a mouse or touch screen, is also included. Synonymous with graphic
al user interface (GUI).
User profile
Patterns of a users activity used to detect changes in normal routines.
Utility computing
Based on the concept of pay and use with regards to computing power in the form of
computations, storage, and Webbased services, similar to public utilities (suc
h as, gas, water, and electricity). Utility computing is provided through on dema
nd computing and supports cloud computing, grid computing, and distributed comput
ing (Wikipedia).
Utility program
(1) A computer program that supports the operation of a computer. Utility progra
ms provide file management capabilities, such as sorting, copying, archiving, co
mparing, listing, and searching, as well as diagnostic routines that check the h
ealth of the computer system. It also includes compilers or software that transl
ates a programming language into machine language. (2) A computer program or rou
tine that performs general data and systemrelated functions required by other a
pplication software, the operating system, or users. Examples include copy, sort
, or merge files. (3) It is a program that performs a specific task for an infor
mation system, such as managing a disk drive or printer.
V
Valid password
A personal password that authenticates the identity of an individual when presen
ted to a password system or an access password that allows the requested access
when presented to a password system.
Validation
(1) The performance of tests and evaluations in order to determine compliance wi
th security specifications and requirements. (2) The process of evaluating a sys
tem or component (including software) during or at the end of the development pr
ocess to determine whether it satisfies specified requirements. (3) The process
of demonstrating that the system under consideration meets all respects the spec
ification of that system.
Valueadded network (VAN)
A network of computers owned or controlled by a single entity used for data tran
smission (e.g., EDI and EFT), electronic mail, information retrieval, and other
functions by subscribers. EDI can be VANbased or Webbased.
Variable minimization
A method of reducing the number of variables which a subject has access, not exc
eeding the minimum required, thereby reducing the risk of malicious or erroneous
actions by that subject. This concept can be generalized to include data minimi
zation.
Vendor governance
Requires a vendor to establish written policies, procedures, standards, and guid
elines regarding how to deal with its customers or clients in a professional and
businesslike manner. It also requires establishing an oversight mechanism and
implementing best practices in the industry. Customer (user) organizations shoul
d consider the following criteria when selecting potential hardware, software, c
tions, program code, test plans, and test cases to detect omissions or errors an
d to eliminate misinterpretation of system or user requirements. System walkthro
ughs can also occur within and among colleagues in the IS and system user depart
ments. It costs less to correct omissions and errors in the early stages of syst
em development than it does later. This technique can be applied to both system
development and system maintenance.
War dialing
It involves calling a large group of phone numbers to detect active modems or PB
Xs.
War driving
When attackers and other malicious parties drive around office parks and neighbo
rhoods with laptop computers equipped with wireless network cards in an attempt
to connect to open network points is called war driving.
Warez
A term widely used by hackers to denote illegally copied and distributed commerc
ial software from which all copy protection has been removed. Warez often contai
ns viruses, Trojan horses, and other malicious code, and thus is very risky to d
ownload and use (legal issues notwithstanding).
Warm-site
An environmentally conditioned workspace that is partially equipped with IT info
rmation systems and telecommunications equipment to support relocated IT operati
ons in the event of a significant disruption.
Warm start
A restart that allows reuse of previously initialized input and output work queu
es. It is synonymous with system restart, initial program load, and quick start.
Waterfall model
A traditional system development model, which takes a linear and sequential view
of developing an application system. This model will not bring the operational
viewpoint to the requirements phase until the system is completely implemented.
Watermarking
A type of marking that embeds copyright information about the copyright owner.
Wavelength division multiple access (WDMA) protocol
The WDMA protocol is an example of medium/media access control (MAC) sublayer pr
otocol that contains two channels for each station. A narrow channel is provided
as a control channel to signal the station, and a wide channel is provided so t
hat the station can output data frames.
Weakly bound credentials
Weakly bound credentials (e.g., unencrypted password files) require additional i
ntegrity protection or access controls to ensure that unauthorized parties canno
t spoof and/or tamper with the binding of the identity to the token representati
on within the credential.
Weakness
A piece of code that may lead to vulnerability.
Weakness suppression system
A feature that permits the user to a flag a line of code not to be reported by t
he tool in subsequent scans.
Web 2.0
The second-generation of Internet-based services that let people collaborate and
create information online in new ways, such as social networking sites, wikis,
and communication tools.
Web administrator
The Web equivalent of a system administrator. Web administrators are system arch
itects responsible for the overall design, implementation, and maintenance of a
Web server. They may or may not be responsible for Web content, which is traditi
onally the purview of the Webmaster.
Web-based threats
Examples include security assertions markup language (SAML) threats and extensib
le markup language (XML) threats. Examples of SAML threats include assertion man
ufacture, modification, disclosure, repudiation, redirect, reuse, and substituti
on. Examples of XML threats include dictionary attacks, DoS attacks, SQL command
injection attacks, confidentiality and integrity attacks, and XML injection att
acks.
Web browser
Client software used to view Web content, which includes the graphical user inte
rface (GUI), MIME helper applications, language and byte code Java interpreters,
and other similar program components.
Web browser plug-in
A mechanism for displaying or executing certain types of content through a Web b
rowser.
Web bug
(1) A tiny image, invisible to a user, placed on Web pages in such a way to enab
le third parties to track use of Web servers and collect information about the u
ser, including IP address, host name, browser type and version, operating system
name and version, and Web browser cookies. (2) It is a tiny graphic on a websit
e that is referenced within the hypertext markup language (HTML) content of a We
b page or e-mail to collect information about the user viewing the HTML content.
Web content filtering software
A program that prevents access to undesirable websites, typically by comparing a
requested website address to a list of known bad websites with the help of blac
klists.
Web documents
Forms and interactive Web pages are created using hypertext markup language (HTM
L). XML can replace HTML.
Webmaster
A person responsible for the implementation of a website. Webmasters must be pro
ficient in hypertext markup language (HTML) and one or more scripting and interf
ace languages, such as JavaScript and Perl. They may or may not be responsible f
or the underlying server, which is traditionally the responsibility of the Web s
erver administrator.
Web mining
Data mining techniques for discovering and extracting information from Web docum
ents. Web mining explores both Web content and Web usage.
Web-oriented architecture (WOA)
A set of Web protocols (e.g., HTTP and plain XML) to provide dynamic, scalable,
and interoperable Web services.
Web portal
Provides a single point of entry into the service-oriented architecture (SOA) fo
r requester entities, enabling them to access Web services transparently from an
y device at virtually any location.
Web server
A computer that provides World Wide Web (WWW) services on the Internet. It inclu
des the hardware, operating system, Web server software, transmission control pr
otocol/Internet protocol (TCP/IP), and the website content (Web pages). If the W
eb server is used internally and not by the public, it may be known as an intrane
t server.
Web server administrator
The Web server equivalent of a system administrator. Web server administrators a
re system architects responsible for the overall design, implementation, and mai
ntenance of Web servers. They may or may not be responsible for Web content, whi
ch is traditionally the responsibility of the Webmaster.
Web service
A software component or system designed to support interoperable machine or appl
ication-oriented interaction over a network. A Web service has an interface desc
ribed in a machine-processable format (specifically services description languag
e WSDL). Other systems interact with the Web service in a manner prescribed by i
ts description using SOAP messages, typically conveyed using HTTP with an XML se
rialization in conjunction with other Web-related standards.
Web service interoperability (WS-I) basic profile
A set of standards and clarifications to standards that vendors must follow for
basic interoperability with SOAP products.
Wiki
A collaborative website where visitors can add, delete, or modify content, inclu
ding the work of previous authors.
WiMAX
A wireless standard (IEEE 802.16) for making broadband network connections over
a medium-sized area such as a city for wireless MANs. WiMAX stands for Worldwide
Interoperability for Microwave Access.
Wired Equivalent Privacy (WEP)
A security protocol for wireless local-area networks (WLANs) defined in the 802.
11b standard. WEP was intended to provide the same level of security as that of
a wired LAN. LANs are inherently more secure than WLANs because LANs have some o
r the entire network inside a building that can be protected from unauthorized a
ccess. WLANs, which are over radio waves, therefore are more vulnerable to tampe
ring. WEP attempted to provide security by encrypting data over radio waves so t
hat it is protected as it is transmitted from one endpoint to another. NOTE: WEP
has been broken and does not provide an effective security service against a kn
owledgeable attacker. Software to break WEP is freely available on the Internet.
Wireless Access Point (WAP)
It is a device that acts as a conduit to connect wireless communication devices
together to allow them to communicate and create a wireless network.
Wireless application protocol
A standard for providing cellular telephones, pagers, and other handheld devices
with secure access to e-mail and text-based Web pages. It is a standard that de
fines the way in which Internet communications and other advanced services are p
rovided on wireless mobile devices. It is a suite of network protocols designed
to enable different types of wireless devices to access files on an Internet-con
nected Web server.
Wireless fidelity (Wi-Fi)
Wi-Fi is a term describing a wireless local-area network (WLAN) that observes th
e IEEE 802.11 family of wireless networking standards.
Wireless intrusion detection and prevention system (WIDPS)
An intrusion detection and prevention system (IDPS) that monitors wireless netwo
rk traffic and analyzes its wireless networking protocols to identify and stop s
uspicious activity involving the protocols themselves.
Wireless local-area network (WLAN)
A type of local-area network that uses high-frequency radio waves rather than wi
res to communicate between nodes. WLAN uses the IEEE 802.11 standard. Specifical
ly, wireless LANs operate with transmission modes such as infrared, spread spect
rum schemes, a multichannel frequency division multiplexing (FDM) system, and CS
MA/CA. WLAN is a telecommunications network that enables users to make short-ran
ge wireless connections to the Internet or another network such as wireless MAN
or wireless WAN.
Wireless Markup Language (WML)
A scripting language used to create content in the wireless application protocol
(WAP) environment. WML is based on XML minus unnecessary content to increase sp
eed.
Wireless metropolitan-area network (WMAN)
Wireless MANs are broadband systems that use radio to replace the telephone conn
ections. WMAN is a telecommunications network that enables users to make mediumrange wireless connections to the Internet or another network such as wireless L
AN or wireless WAN. WMAN uses the IEEE 802.16 standard (WiMAX) and quality of se
rvice (QoS) is important.
Wireless personal-area networks (WPANs)
They are small-scale wireless networks that require no infrastructure to operate
(e.g., Bluetooth). They are typically used by a few devices in a single room to
communicate without the need to physically connect devices with cables. WPAN us
es the IEEE 802.15 standard.
Wireless Robust Security Network (RSN)
A robust security network (RSN) is defined as a wireless security network that a
llows the creation of RSN associations (RSNA) only. RSNAs are wireless connectio
ns that provide moderate to high levels of assurance against WLAN security threa
ts through the use of a variety of cryptographic techniques. Wireless RSN uses t
he IEEE 802.11i standard.
Wireless Sensor Network (WSN)
Wireless sensor network (WSN) is a collection of interconnected wireless devices
that are embedded into the physical environment to provide measurements of many
points over large space. The WSN can be used to establish building security per
imeters and to monitor environmental changes (e.g., temperature and power) in a
building.
Wireless wide-area network (WWAN)
A telecommunications network that offers wireless coverage over a large geograph
ical area, typically over a cellular phone network.
Wiretapping
(1) The collection of transmitted voice or data and the sending of that data to
a listening device. (2) Cutting in on a communications line to get information.
Two types of wiretapping exist: active and passive. Active wiretapping is the at
taching of an unauthorized device, such as a computer terminal, to a communicati
ons circuit for the purpose of obtaining access to data through the generation o
f false messages or control signals or by altering the communications of legitim
ate users. Passive wiretapping is the monitoring and/or recording of data transm
itted over a communication link.
Work factor
The amount of work necessary for an attacker to break the system or network shou
ld exceed the value that the attacker would gain from a successful compromise.
Workflow Management System (WFMS)
A computerized information system that is responsible for scheduling and synchro
nizing the various tasks within the workflow, in accordance with specified task
dependencies, and for sending each task to the respective processing entity (e.g
., Web server or database server). The data resources that a task uses are calle
d work items. WFMS is the basis for work flow policy access control system.
Workflow manager
The sub-component that enables one component to access services on other compone
nts to complete its own processing in a service-oriented architecture (SOA). The
workflow manager determines which external component services must be executed
and manages the order of service execution.
Workstation
(1) A piece of computer hardware operated by a user to perform an application. P
rovides users with access to the distributed information system or other dedicat
ed systems; input/output via a keyboard and video display terminal; or any metho
d that supplies the user with the required input/output capability. Computer pow
er embodied within the workstation may be used to furnish data processing capabi
lity at the user level. (2) A high-powered PC with multifunctions and connected
to the host computer.
World Wide Web (WWW)
A system of Internet hosts that support documents formatted in HTML, which conta
ins links to other documents (hyperlinks), and to audio and graphics images. Use
rs can access the Web with special applications called browsers (e.g., Netscape
and Internet Explorer).
Worm
A self-replicating and self-contained program that propagates (spreads) itself t
hrough a network into other computer systems without requiring a host program or
any user intervention to replicate.
Write
A fundamental operation that results only in the flow of information from a subj
ect to an object.
Write access
Permission to write an object.
Write blocker
A device that allows investigators to examine media while preventing data writes
from occurring on the subject media.
Write protection
Hardware or software methods of preventing data from being written to a disk or
other medium.
X
X3.93
Used for data encryption algorithm (All standards starting with X belong to Inte
rnational Organization for Standards ISO).
X9.9
Used for message authentication.
X9.17
Used for cryptographic key management (Financial Institution Key Management).
X9.30
Used for digital signature algorithm (DSA) and the secure hash algorithm (SHA-1)
.
X9.31
Used for rDSA signature algorithm.
X9.42
Used for agreement of symmetric keys using discrete logarithm cryptography.
X9.44
Used for the transport of symmetric algorithm keys using reversible public key c
ryptography.
X9.52
Used for triple data encryption algorithm (TDEA).
X9.62
Used for elliptic curve digital signature algorithm.
X9.63
Used for key agreement and key transport using elliptic curve-based cryptography
.
X9.66
Used for cryptography device security.
X12
Defines EDI standards for many U.S. industries (e.g., healthcare and insurance).
X.21
Defines the interface between terminal equipment and public data networks.
X.25
A standard for the network and data link levels of a communications network. It
is a WAN protocol.
X.75
A standard that defines ways of connecting two X.25 networks.
X.121
Network user address used in X.25 communications.
X.400
Used in e-mail as a message handling protocol for reformatting and sending e-mai
ls.
X.500
A standard protocol used in electronic directory services.
X.509
A standard protocol used in digital certificates and defines the format of a pub
lic key certificate.
X.800
Used as a network security standard.
X. 509 certificate
Two types of X.509 certificates exist: The X.509 public key certificate (most co
mmonly used) and The X.509 attribute certificate (less commonly used). The X.509
public key certificate is created with the public key for a user (or device) an
d a name for the user (or device), together with optional information, is render
ed unforgeable by the digital signature of the certification authority (CA) that
issued the certificate, and is encoded and formatted according to the X.509 sta
ndard. The X.509 public key certificate contains three nested elements: (1) the
tamper-evident envelope, which is digitally signed by the source, (2) the basic
certificate content (e.g., identifying information about a user or device and pu
blic key), and (3) extensions that contain optional certificate information.
XACML
Extensible access control markup language (XACML) combined with extensible marku
p language (XML) access control policy is a framework that provides a general-pu
rpose language for specifying distributed access control policies.
XDSL
Digital subscriber line is a group of broadband technology connecting home/busin
ess telephone lines to an Internet service providers (ISPs) central office. Severa
l variations of XDSL exist such as SDSL, ADSL, IDSL, and HDSL.
XHTML
Extended hypertext markup language (XHTML) is a unifying standard that brings th
e benefits of XML to those of HTML. XHTML is the new Web standard and should be
used for all new Web pages to achieve maximum portability across platforms and b
rowsers.
XML
Extensible markup language, which is a meta-language, is a flexible text format
designed to describe data for electronic publishing. The Web browser interprets
the XML, and the XML is taking over the HTML for creating dynamic Web documents.
XML encryption
A process/mechanism for encrypting and decrypting XML documents or parts of docu
ments.
XML gateways
XML gateways provide sophisticated authentication and authorization services, po
tentially improving the security of the Web service by having all simple object
access protocol (SOAP) messages pass through a hardened gateway before reaching
any of the custom-developed code. XML gateways can restrict access based on sour
ce, destination, or WS-Security authentication tokens.
XML schema
A language for describing and defining the structure, content, and semantics of
XML documents.
XML signature
A mechanism for ensuring the origin and integrity of XML documents. XML signatur
es provide integrity, message authentication, or signer authentication services
for data of any type, whether located within the XML that includes the signature
or elsewhere.
XOR
Exclusive OR, which is a Boolean operation, dealing with true or false condition
(that is, something is either true or false but not both). It is the bitwise ad
dition, modulo2, of two bit strings of equal length. For example, XOR is central
to how parity data in RAID levels is created and used within a disk array (that
is, yes parity or no parity). It is used for the protection of data and for the
recovery of missing data.
XOT
X.25 over transmission control protocol (TCP).
XPath
Used to define the parts of an XML document, using path expressions.
XQuery
Provides functionality to query an XML document.
XSL
Extensible style language (XSL) file is used in dynamic content generation where
Web pages can be written in XML and then converted to HTML.
Z
Zero-day attacks
A zero-day attack or threat is a computer threat that tries to exploit computer
application vulnerabilities that are unknown to others, undisclosed to the softw
are vendor, or for which no security fix is available. Zero-day attacks, exploit
s, and incidents are the same.
Zero-day backup
Similar to normal or full backup where it archives all selected files and marks
each as having been backed up. An advantage of this method is the fastest restor
e operation because it contains the most recent files. A disadvantage is that it
takes the longest time to perform the backup.
Zero-day exploits
Zero-day exploits (actual code that can use a security vulnerability to carry ou
t an attack) are used or shared by attackers before the software vendor knows ab
out the vulnerability. Zero-day attacks, exploits, and incidents are the same.
Zero-day incidents
Zero-day incidents are attacks through previously unknown weaknesses in computer
networks. Zero-day attacks, exploits, and incidents are the same.
Zero day warez
Zero day warez (negative day) refers to software, games, videos, music, or data
unlawfully released or obtained on the day of public release. Either a hacker or
an employee of the releasing company is involved in copying on the day of the o
fficial release.
Zero fill
To fill unused storage locations in an information system with the representatio
n of the character denoting 0.
Zero-knowledge proof
One party proving something to another without revealing any additional informat
ion. This proof has applications in public-key encryption and smart card impleme
ntations.
Zero-knowledge password protocol
A password based authentication protocol that allows a claimant to authenticate
to a verifier without revealing the password to the verifier. Examples of such p
rotocols include EKE, SPEKE, and SRP.
Zero quantum theory
Zero quantum theory is based on the principles of quantum-mechanics where eavesd
roppers can alter the quantum state of the cryptographic system.
Zeroize
To remove or eliminate the key from a cryptographic equipment or fill device.
Zeroization
A method of erasing electronically stored data, cryptographic keys, credentials
service providers (CSPs), and initialization vectors by altering or deleting the
contents of the data storage to prevent recovery of the data.
Zipfs law
Applicable to storage management using video servers, where videos can be stored
hierarchically in tape (low capacity) to DVD, magnetic disk, and RAM (high capa
city). The Zipfs law states that the most popular movie is seven times as popular
as the number seventh movie, which can help in planning the storage space. An a
lternative to tape is optical storage.
Zombie
A computer program that is installed on a system to cause it to attack other com
puter systems in a chain-like manner.
Zone drift error
A zone drift error results in incorrect zone data at the secondary name servers
when there is a mismatch of data between the primary and secondary name servers.
The zone drift error is a threat due to domain name system (DNS) data contents.
Zone file
The primary type of domain name system (DNS) data is zone file, which contains i
nformation about various resources in that zone.
Zone of control
Three-dimensional space (expressed in feet of radius) surrounding equipment that
processes classified and/or sensitive information within which TEMPEST exploita
tion is not considered practical. It also means legal authorities can identify a
nd remove a potential TEMPEST exploitation.
Control zone deals with physical security over sensitive equipment containing se
Guidelines on Firewalls and Firewall Policy (NIST SP 800-41 Revision 1), National
Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaith
ersburg, Maryland, September 2009.
Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144 Dra
ft), National Institute of Standards and Technology (NIST), U.S. Department of Co
mmerce, Gaithersburg, Maryland, January 2011.
Information Assurance Technical Framework (IATF), National Security Agency (NSA),
Release 3.1, Fort Meade, Maryland, September 2002.
Information Security Continuous Monitoring for Federal Information Systems and Or
ganizations (NIST SP800-137 Draft), National Institute of Standards and Technolog
y (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, December 2010.
The Institute of Electrical and Electronics Engineers, Inc., IEEE Standard 802-200
1, New York, New York, Copyright 2002.
Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaither
sburg, Maryland, June 2010.
Managing Information Security Risk (NIST SP800-39), National Institute of Standard
s and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, Ma
rch 2011.
Managing Risk from Information Systems: An Organizational Perspective (NIST SP800
-39), National Institute of Standards and Technology (NIST), U.S. Department of C
ommerce, Gaithersburg, Maryland, April 2008.
Piloting Supply Chain Risk Management Practices for Federal Information Systems (
NISTIR7622 Draft), National Institute of Standards and Technology (NIST), U.S. De
partment of Commerce, Gaithersburg, Maryland, June 2010.
Recommended Security Controls for Federal Information Systems and Organizations (
NIST SP800-53 R3), National Institute of Standards and Technology (NIST), U.S. De
partment of Commerce, Gaithersburg, Maryland, August 2009.
Service Component-Based Architectures, Version 2.0, CIO Council, June 2004 (www.ci
o.gov).
Tanenbaum, Andrew S. Computer Networks by Chapter 5, Fourth Edition, Prentice Ha
ll PTR, Upper Saddle River, New Jersey, Copyright 2003.
Technical Guide to Information Security Testing (NIST SP 800-115 Draft), National
Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaith
ersburg, Maryland, November 2007.
Telecommunications: Glossary of Telecommunication Terms, Federal Standard 1037C, U
.S. General Services Administration (GSA), Washington, DC, August 1996.
Users Guide to Securing External Devices for Telework and Remote Access (NIST SP 8
00-114), National Institute of Standards and Technology (NIST), U.S. Department o
f Commerce, Gaithersburg, Maryland, November 2007.
Wikipedia Encyclopedia, Definitions for certain terms were adapted from Wikipedia
(www.wikipedia.org).
Appendix B
CISSP Acronyms and Abbreviations 2012
This appendix consists of a list of selected information system and network secu
rity acronyms and abbreviations, along with their generally accepted definitions
. When there are multiple definitions for a single term, the acronym or abbrevia
tion is stacked next to each other.
Numeric
2TDEA
Two key triple DEA
3TDEA
Three key triple DEA
3DES
Three key triple data encryption standard
1G
First generation of analog wireless technology
2G
AVP
Attribute-value par
B
B2B
Business-to-business electronic commerce model
B2B2C
Business-to-business-to-consumer electronic commerce model
B2C
Business-to-consumer electronic commerce model
B2E
Business-to-employees electronic commerce model
BCP
Business continuity plan
BGP
Border gateway protocol
BIA
Business impact analysis
BIOS
Basic input/output system
BITS
Bump-in-the-stack
BOOTP
Bootstrap protocol
BPI
Business process improvement
BPR
Business process reengineering
BRP
Business recovery (resumption) plan
BS
Base station
BSS
Basic service set
C
C2B
Consumer-to-business electronic commerce model
C2C
Consumer-to-consumer electronic commerce model
C&A
Certification and accreditation
CA
Certification authority
CAC
Common access card
CAN
Campus-area network
CASE
Computer-aided software engineering
CBC
Cipher block chaining
CBC-MAC
Cipher block chaining-message authentication code
CC
Common Criteria
CCE
Common configuration enumeration
CCMP
Cipher block chaining message authentication code protocol
CCTV
Closed circuit television
CDMA
Code division multiple access
CDN
Content delivery network
CEO
Chief executive officer
CER
Crossover error rate (biometrics)
CERT
Computer emergency response team
CFB
Cipher feedback
CGI
Common gateway interface
CHAP
Challenge-handshake authentication protocol
CHIPS
Clearing house interbank payment system
CIDR
Classless inter-domain routing
CIO
Chief information officer
CIRC
Computer incident response center
CIRT
Computer incident response team
CISO
Corporate information security officer
CKMS
Cryptographic key management systems
CM
Configuration management
CMAC
Cipher-based method authentication code
CMM
Capability maturity model
CMS
Configuration management system
CMVP
Cryptographic module validation program
CONOP
Concept of operations (i.e., only one document)
COOP
Continuity of operations
COTS
Commercial off-the-shelf
CP
Certificate policy
CPE
Common platform enumeration
CPS
Certification practice statement
CPU
Central processing unit
CRAM
Challenge-response authentication mechanism
CRC
Cyclic redundancy check
CRL
Certificate revocation list
CRM
Customer relationship management
CS
Client/server
CSIRC
Computer security incident response capability
CSIRT
Computer security incident response team
CSMA/CA
Carrier sense multiple access with collision avoidance
CSMA/CD
Carrier sense multiple access with collision detection
CSRC
Computer security resource center
CSO
Chief security officer
CSP
Credentials service provider/critical security parameter
CTO
Chief technology officer
CTR
Counter mode encryption
CVE
Common vulnerabilities and exposures
CVSS
Common vulnerability scoring system
D
DA
Data administration/administrator/destination address
DAA
Designated approving authority/designated accrediting authority
DAC
Discretionary access control
DAD
Duplicate address detection
DASD
Direct access storage device
DBA
Database administrator
DBMS
Database management system
DC
Domain controller
DCE
Distributed computing environment/data circuit terminating equipment
DCL
Data control language
DD
Data dictionary
DDL
Data definition language
DDP
Distributed data processing
DDOS
Distributed denial-of-service
DEA
Data encryption algorithm
DES
Data encryption standard
DESX
ECP
Encryption control protocol
ECPA
Electronic communications privacy act
EDC
Error detection code
EDI
Electronic data interchange
EDIFACT
Electronic data interchange for administration, commerce, and transport
EDMS
Electronic document management system
EEPROM
Electronically erasable, programmable read-only memory
EES
Escrowed encryption standard
EFP
Environmental failure protection
EFS
Encrypted file system
EFT
Environmental failure testing
EFTS
Electronic funds transfer system
EGP
Exterior gateway protocol
EH
Extension header
EIDE
Enhanced IDE (integrated drive electronics)
EISA
Extended industry-standard architecture
EME
Electromagnetic emanation
EMRT
Emergency response time
EPICS
Electronic product code information services
ERD
Entity relationship diagram
ERP
Enterprise resource planning
ESN
Electronic serial number
ESP
Encapsulating security payload
EU
European Union
F
FAT
File allocation table
FDDI
Fiber distributed data interface
FDE
Full disk encryption
FDM
Frequency division multiplexing
FEK
File encryption key
FFC
IGMP
Internet group management protocol
IGRP
Interior gateway routing protocol
IGP
Interior Gateway Protocol
IKE
Internet key exchange
IM
Instant messaging
IMAP
Internet Message Access Protocol
IMM
Information management model
IOCE
International organization on computer evidence
IP
Internet Protocol
IPA
Initial privacy assessment
IPComp
Internet Protocol payload compression protocol
IPS
Intrusion prevention system
IPsec
Internet Protocol security
IPX
Internetwork packet exchange
IRC
Internet relay chat
IRTF
Internet research task force
IS
Information system
ISA
Industry-standard architecture
ISAKMP
Internet security association and key management protocol
ISATAP
Intra-site automatic tunnel addressing protocol
ISC2
International information systems security certification and consortium institut
e
ISDL
ISDN-based DSL
ISDN
Integrated services digital network
ISF
Information security forum
ISID
Industrial security incident database
ISLAN
Integrated services LAN
ISMAN
Integrated services MAN
ISO
International organization for standardization
ISP
Internet service provider
ISSA
LDA
Local delivery agent
LDAP
Lightweight directory access protocol
LM
LanManager
LMDS
Local multipoint distribution service
LMP
Link manager protocol
LOS
Line-of-sight
LRA
Local registration authority
L2TP
Layer 2 tunneling protocol
LTP
Lightweight transport protocol
M
MAC
Mandatory Access Control/Media Access Control/Medium Access Control/ message aut
hentication code
MAN
Metropolitan area network
MBR
Master boot record
MC
Mobile commerce
MD
Message digest
MGCP
Media gateway control protocol
MHS
Message handling system
MIC
Message integrity check/message integrity code/mandatory integrity control
MIDI
Musical instrument digital interface
MIM
Meet-in-the-middle (attack)
MIME
Multipurpose Internet mail extensions
MIN
Mobile identification number
MIP
Mobile Internet protocol
MitM
Man-in-the-middle (attack)
MIPS
Million instructions per second
MMS
Multimedia messaging service
MM
Management message
MOA
Memorandum of agreement
MOU
Memorandum of understanding
MPEG
Moving picture coding experts group
MS
Mobile subscriber
MSI
Module software interface
MSISDN
Mobile subscriber integrated services digital network
MSP
Message security protocol
MTBF
Mean-time-between-failures
MTBO
Mean-time-between-outages
MTD
Maximum tolerable downtime
MTM
Mobile trusted module
MTTDL
Mean-time-to-data loss
MTTF
Mean-time-to-failure
MTTR
Mean-time-to-recovery
Mean-time-to-repair
Mean-time-to-restore
N
NAC
Network Access Control
NAK
Negative acknowledgment
NAP
Network Access Protection
NAPT
Network address and port translation
NAS
Network access server
NAT
Network Address Translation
NBA
Network behavior analysis
NCP
Network Control Protocol
NDAC
Nondiscretionary access control
NetBIOS
Network Basic Input/Output System
NFAT
Network Forensic Analysis Tool
NFS
Network file system/network file sharing
NH
Next header
NIAC
National infrastructure advisory council
NIAP
National information assurance partnership
NIC
Network interface card
NID
Network interface device
NIPC
OVAL
Open vulnerability and assessment language
P
P2P
Peer-to-peer
P3P
Platform for privacy preferences project
PAC
Protected access credential/privilege attribute certificate
PAD
Packet assembly and disassembly/peer authorization database
PAN
Personal-Area Network
PAP
Password authentication protocol/policy access point
PAT
Port address translation
PATA
Parallel ATA (advanced technology attachment)
PBA
Pre-boot authentication
PBAC
Policy-Based Access Control
PBE
Pre-boot environment
PBX
Private branch exchange
PC
Personal computer
PCI
Payment card industry/personal identity verification card issuer
PCIDSS
Payment card industry data security standard
PCMCIA
Personal computer memory card international association
PCN
Process control network
PCP
IP payload compression protocol
PCS
Process control system
PDA
Personal digital assistant
PDF
Portable document format
PDP
Policy decision point
PDS
Protective distribution systems
PEAP
Protected Extensible Authentication Protocol
PEM
Privacy enhanced mail
PEP
Policy enforcement point
PERT
Program evaluation and review technique
PGP
Pretty Good Privacy
PHP
Registration authority
RAD
Rapid application development
RAdAC
Risk adaptive access control
RAD
Rapid application development
RADIUS
Remote Authentication Dial-In User Service
RAID
Redundant array of independent disks
RAM
Random access memory
RAP
Rapid application prototyping
RARP
Reverse Address Resolution Protocol
RAS
Remote Access Server/Registration, Admission, Status channel
RAT
Remote Administration Tool
RBAC
Role-based access control
RBG
Random bit generator
RC
Rivest cipher
RCP
Remote Copy Protocol
RDBMS
Relational database management system
RDP
Remote Desktop Protocol
RED
Random early detection
REP
Robots exclusion protocol
RF
Radio frequency
RFC
Request For Comment
RFI
Radio frequency interference/request for information
RFID
Radio frequency identification
RFP
Request for proposal
RFQ
Request for quote
RIB
Routing information base
RIP
Routing Information Protocol
RMF
Risk management framework
RNG
Random number generator
ROE
Rules of engagement
ROI
Return On Investment
ROM
Read-only memory
RPC
Remote procedure call
RPO
Recovery point objective
RR
Resource record
RS
Relay station
RSA
Rivest-Shamir-Adelman (algorithm)
RSBAC
Ruleset-based access control
RSN
Robust security network
RSO
Reduced sign-on
RSS
Really simple syndication
RSTP
Real-time streaming protocol
RSVP
Resource reservation protocol
RTCP
Real-time transport control protocol
RTF
Rich Text Format
RTO
Recovery time objective
RTP
Real-Time Transport Protocol
RuBAC
Rule-based access control
S
S/MIME
Secure/multipurpose (multipart) Internet mail extensions
SA
Security Association/source address
SACL
System access control list
SAD
Security association database
SAFER
Secure and fast encryption routine
SAML
Security assertion markup language
SAN
Storage area network
SAS
Statement on auditing standards
SATA
Serial ATA (advanced technology attachment)
S-BGP
Secure border gateway protocol
SC
Supply chain
SCAP
Security Content Automation Protocol
SCP
Secure Copy Protocol
SCM
Software configuration management
SCSI
Small Computer Systems Interface
SCTP
Stream Control Transmission Protocol
SD
Secure digital
SDLC
System development lifecycle/Synchronous DataLink Control
SDP
Service Discovery Protocol
SDSL
Symmetrical DSL
SEI
Software Engineering Institute
SEM
Security event management
SET
Secure electronic transaction
SFTP
Secure file transfer protocol
SHA
Secure hash algorithm
SHS
Secure hash standard
SIA
Security impact analysis
SID
Security Identifier
SIM
Subscriber identity module
SIP
Session Initiation Protocol
SKEME
Secure Key Exchange Mechanism
SKIP
Simple Key Management for Internet Protocol
SLA
Service-level agreement
SLIP
Serial Line Interface Protocol
SFTP
Secure file transfer protocol
SHTTP
Secure Hypertext Transfer Protocol
SRPC
Secure remote procedure call
SMDS
Switched Multimegabit Data Service
SME
Subject matter expert
SMS
Short message service/systems management server
SMTP
Simple Mail Transfer Protocol
SNA
System Network Architecture
SNMP
Simple Network Management Protocol
SNTP
Simple Network Time Protocol
SOA
Service-oriented architecture
SOAP
Simple Object Access Protocol/Service-oriented architecture protocol
SOCKS
Socket security
SOHO
Small office/home office
SOL
Single occurrence loss
SONET
Synchronous optical network
SOP
Standard operating procedure
SOW
Statement of work
SP
Service pack
SPA
Simple power analysis
SPI
Security Parameters Index
SPKI
Simple public key infrastructure
SPML
Service Provisioning Markup Language
SPX
Sequenced Packet Exchange
SQL
Structured Query Language
SRTP
Secure Real-Time Transport Protocol
SSDP
Simple Service Discovery Protocol
SSE-CMM
Systems Security Engineering Capability Maturity Model
SPX
Sequential packet exchange
SR
Service release
SS
Subscriber station
SSDP
Simple Service Discovery Protocol
SSH
Secure Shell
SSID
Service set identifier
SSL
Secure Sockets Layer
SSO
Single sign-on
SSP
Sensitive security parameter
ST
Security target
STD
State transition diagram
ST&E
Security test and evaluation
STIG
Security Technical Implementation Guide (by DISA for U.S. DoD)
STS
Security Token Service
SUID
Set-user-ID
SV&V
Software Verification and Validation
SVC
Switched Virtual Network
SWIFT
Society for Worldwide Interbank Financial Telecommunication
SYN
Synchronized
SZ
Security zone
T
TA
Timing analysis
TACACS
Terminal Access Controller Access Control System
TCB
Trusted computing base
TCG
Trusted computing group
TCP
Transmission Control Protocol
T/TCP
Transactional TCP
TCP/IP
Transmission Control Protocol/Internet Protocol
TCSEC
Trusted Computer System Evaluation Criteria
TDEA
Triple Data Encryption Algorithm (Triple DEA or Triple DES)
TDM
Time division multiplexing
TDMA
Time division multiple access
TEK
Traffic encryption key
TFTP
Trivial File Transfer Protocol
TGS
Ticket-granting service
TKIP
Temporal key integrity protocol
TLS
Transport layer security
TOC-TOU
Time-of-check to time-of-use
T&E
Test & evaluation
TOE
Target of evaluation
TOS
WS
Web services
WSDL
Web services description language
WS-I
Web service interoperability organization
WSP
Wireless Session Protocol
WTLS
Wireless transport layer security
WTP
Wireless transaction protocol
WWAN
Wireless wide-area network
WWW
World Wide Web
XYZ
XACL
XML Access Control Language
XACML
Extensible Access Control Markup Language
XCBC
XOR cipher block chaining
XCCDF
Extensible configuration checklist description format
XDSL
Digital Subscriber Line
XHTML
Extended hypertext markup language
XML
Extensible Markup Language
XOR
Exclusive OR
XP
Extreme programming
XrML
eXtensible Rights Markup Language
XSD
XML schema definition
XSL
Extensible style language
XSS
Cross-site scripting
ZSK
Zone Signing Key
Sources and References
Digital Signature Standard (NIST FIPS PUB 186-3), National Institute of Standards
and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June
2009.
Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (NIST SP8
00-97), National Institute of Standards and Technology (NIST), U.S. Department of
Commerce, Gaithersburg, Maryland, February 2007.
Guide to Adopting and Using the Security Content Automation Protocol SCAP (NIST S
P800-117 Draft), National Institute of Standards and Technology (NIST), U.S. Depa
rtment of Commerce, Gaithersburg, Maryland, May 2009.
Guidelines on Cell Phone Forensics (NIST SP800-101), National Institute of Standar
ds and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, M
ay 2007.
Guidelines on Cell Phone and PDA Security (NIST SP800-124), National Institute of
Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Mary
CISSP Practice: 2,250 Questions, Answers, and Explanations for Passing the Test
Published by John Wiley & Sons, Inc. 10475 Crosspoint Boulevard Indianapolis, IN
46256 www.wiley.com
Copyright 2011 by S. Rao Vallabhaneni
Published simultaneously in Canada
ISBN: 978-1-118-10594-8
ISBN: 978-1-118-17612-2 (ebk)
ISBN: 978-1-118-17613-9 (ebk)
ISBN: 978-1-118-17614-6 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or t
ransmitted in any form or by any means, electronic, mechanical, photocopying, re
cording, scanning or otherwise, except as permitted under Sections 107 or 108 of
the 1976 United States Copyright Act, without either the prior written permissi
on of the Publisher, or authorization through payment of the appropriate per-cop
y fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923,
(978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission sho
uld be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 Riv
er Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at h
ttp://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no
representations or warranties with respect to the accuracy or completeness of th
e contents of this work and specifically disclaim all warranties, including with
out limitation warranties of fitness for a particular purpose. No warranty may b
e created or extended by sales or promotional materials. The advice and strategi
es contained herein may not be suitable for every situation. This work is sold w
ith the understanding that the publisher is not engaged in rendering legal, acco
unting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the pu
blisher nor the author shall be liable for damages arising herefrom. The fact th
at an organization or Web site is referred to in this work as a citation and/or
a potential source of further information does not mean that the author or the p
ublisher endorses the information the organization or website may provide or rec
ommendations it may make. Further, readers should be aware that Internet website
s listed in this work may have changed or disappeared between when this work was
written and when it is read.
For general information on our other products and services please contact our Cu
stomer Care Department within the United States at (877) 762-2974, outside the U
nited States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content
that appears in print may not be available in electronic books.
Library of Congress Control Number: 2011936911
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates, in the United States and other co
untries, and may not be used without written permission. CISSP is a registered t
rademark of International Information Systems Security Certification Consortium,
Inc. All other trademarks are the property of their respective owners. John Wil
ey & Sons, Inc. is not associated with any product or vendor mentioned in this b
ook.
This book is dedicated to my parents who taught me from the beginning that educa
tion is the only thing that endures.
About the Author
S. RAO VALLABHANENI is an educator, author, publisher, consultant, and practitio
ner in the business field, with more than 30 years of management and teaching ex
perience in manufacturing, finance, accounting, auditing, and information techno
logy. He has authored more than 60 books, mostly study guides to help students p
repare for for several professional certification exams, in various business fun
ctions. He earned four masters degrees in management, accounting, industrial engi
neering, and chemical engineering, and holds 24 professional certifications in v
arious business disciplines. He is a graduate of the Advanced Management Develop
ment Program at the University of Chicagos Graduate School of Business.
He is the recipient of the 2004 Joseph J. Wasserman Memorial Award for the disti
nguished contribution to the Information Systems Audit field, conferred by the N
ew York Chapter of the Information Systems Audit and Control Association (ISACA)
. He is the first independent author and publisher in the CISSP Exam market to d
evelop a comprehensive two-volume (Practice and Theory) reviewing products to he
lp students prepare for the CISSP Exam in 2000. In addition to teaching undergra
duate and graduate courses in business schools, he taught the Certified Informat
ion Systems Auditor (CISA) Exam and the Certified Internal Auditor (CIA) Exam re
view courses to prepare for these exams.
About the Technical Editor
RONALD L. KRUTZ is a senior information system security consultant. He has over
30 years of experience in distributed computing systems, computer architectures,
real-time systems, information assurance methodologies, and information securit
y training. He holds B.S., M.S., and Ph.D. degrees in Electrical and Computer En
gineering and is the author of best-selling texts in the area of information sys
tem security. Dr. Krutz is a Certified Information Systems Security Professional
(CISSP) and Information Systems Security Engineering Professional (ISSEP).
He coauthored the CISSP Prep Guide for John Wiley & Sons and is coauthor of the
Wiley Advanced CISSP Prep Guide; CISSP Prep Guide, Gold Edition; Security +Certi
fication Guide; CISM Prep Guide; CISSP Prep Guide, 2nd Edition: Mastering CISSP
and ISSEP; Network Security Bible, CISSP and CAP Prep Guide, Platinum Edition: M
astering CISSP and CAP; Certified Ethical Hacker (CEH) Prep Guide; Certified Sec
ure Software Lifecycle Prep Guide, Cloud Security, and Web Commerce Security.
He is also the author of Securing SCADA Systems and of three textbooks in the ar
eas of microcomputer system design, computer interfacing, and computer architect
ure. Dr. Krutz has seven patents in the area of digital systems and has publishe
d over 40 technical papers. Dr. Krutz is a Registered Professional Engineer in P
ennsylvania.
Acknowledgments
I want to thank the following organizations and institutions for enabling me to
use their publications and reports. They were valuable and authoritative resourc
es for developing the practice questions, answers, and explanations.
ISC2, Inc., for the use of its Common Body of Knowledge described in the CISSP Ca
ndidate Information Bulletin, January 1, 2012.
National Institute of Standards and Technology (NIST), U.S. Department of Commer
ce, Gaithersburg, Maryland, for the use of various IT-related publications (FIPS
, NISTIR, SP 500 series, SP 800 series).
National Communications System (NCS) and the U.S. Department of Defense (DOD) fo
r their selected IT-related publications.
U.S. Government Accountability Office (GAO), formerly known as General Accountin
g Office, Washington, DC, for various IT-related reports and staff studies.
Office of Technology Assessment (OTA), U.S. Congress, Washington, DC, for variou
s publications in IT security and privacy in network technology.
Office of Management and Budget (OMB), Washington, DC, for selected publications
in IT security and privacy.
Federal Trade Commission (FTC), Washington, DC, at www.ftc.gov.
Chief Information Officer (CIO) council, Washington, DC at www.cio.gov.
Information Assurance Technical Framework (IATF), Release 3.1, National Security
Agency (NSA), Fort Meade, Maryland, September 2002.
Security Technical Implementation Guides (STIGs) by Defense Information Systems
Agency (DISA) developed for the U.S. Department of Defense (DOD).
I want to thank the following individuals for helping me to improve the content,
quality, and completeness of this book:
Dean Bushmiller, of Austin, Texas, for grouping the authors questions and making
them into scenario-based questions and answers. Dean teaches the CISSP Exam and
CISM Exam review classes to prepare for the exams.
Carol A. Long, executive acquisitions editor at Wiley Publishing, Inc., for publ
ishing this book.
Ronald Krutz (technical editor), Apostrophe Editing Services (copy editor) and a
ll the people at Wiley who made this book possible.
Credits
Executive Editor
Carol Long
Project Editor
Maureen Spears
Technical Editor
Ronald Krutz
Senior Production Editor
Debra Banninger
Copy Editor
Apostrophe Editing Services
Editorial Manager
Mary Beth Wakefield
Freelancer Editorial Manager
Rosemarie Graham
Marketing Manager
Ashley Zurcher
Production Manager
Tim Tate
Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Neil Edde
Associate Publisher
Jim Minatel
Project Coordinator, Cover
Katie Crocker
Compositor
Preface
The purpose of CISSP Practice: 2,250 Questions, Answers, and Explanations for Pa
ssing the Test is to help the Certified Information Systems Security Professiona
l (CISSP) examination candidates prepare for the exam by studying and practicing
the sample test questions with the goal to succeed on the exam.
A total of 2,250 traditional multiple-choice (M/C) questions, answers, and expla
nations are presented in this book. In addition, a total of 82 scenario-based M/
C questions, answers, and explanations are taken from the traditional 2,250 ques
tions and grouped into the scenario-based format to give a flavor to the scenari
o questions. Traditional questions contain one stem followed by one question set
with four choices of a., b., c., and d., and scenario questions contain one ste
m followed by several question sets with four choices of a., b., c., and d. The
scenario-based questions can focus on more than one domain to test the comprehen
sive application of the subject matter in an integrated manner whereas the tradi
tional questions focus on a single domain.
These 2,250 sample test practice questions are not duplicate questions and are n
ot taken from the ISC2 or from anywhere else. The author developed these unique
M/C questions for each domain based on the current CISSP Exam content specificat
ions (see the Description of the CISSP Examination later in this preface). Each un
ique and insightful question focuses on a specific and necessary depth and bread
th of the subject matter covered in the CISSP Exam.
The author sincerely believes that the more questions you practice, the better p
repared you are to take the CISSP Exam with greater confidence because the real
exam includes 250 questions. The total number of 2,250 questions represents nine
times the number of questions tested on the exam, thus providing a great value
to the CISSP Exam candidate. This value is in the form of increasing the chances
to pass the CISSP Exam.
Because ISC2 did not publish the percentage-weights for ten domains, the author
has assigned the following percentage-weights for each domain (for example, Doma
in 1 = 15%) based on what he thinks is important to the CISSP Exam candidate. Th
ese assigned weights are based on the authors assumption that all the ten domains
cannot receive equal weight in the exam due to the differences in relative impo
rtance of these domains. These weights are assigned as a systematic way to distr
ibute the 2,250 questions among the ten domains, as follows:
Domain
Domain
Domain
Domain
Domain
Domain
Domain
Domain
Domain
Domain
The following table presents the number of traditional questions and scenario qu
Domain
Traditional Questions
Scenario Questions
1
338 (2,250 x 15%)
9
2
338
7
3
225
9
4
225
11
5
225
7
6
225
12
7
225
8
8
112
7
9
225
5
10
112
Totals
2,250
82
The real CISSP Exam consists of 250 M/C questions with four choices of a., b., c
., and d. for each question. There can be some scenario-based questions in addit
ion to most of traditional questions. Regardless of the type of questions on the
exam, there is only one correct answer (choice). You must complete the entire C
ISSP Exam in one six-hour session. The scope of the CISSP Exam consists of the s
ubject matter covered in ten domains of this book, which is in accordance with t
he description of the CISSP Exam (content specifications) as defined in the ISC2s
CISSP Candidate Information Bulletin with an effective date of January 1, 2012. N
ote that these practice questions are also good for the CISSP Exam with an effec
tive date of January 1, 2009 because we accommodated both effective dates (Janua
ry 2009 and January 2012) due to their minor differences in the content specific
ations.
With no bias intended and for the sake of simplicity, the pronoun he has been used
throughout the book rather than he/she or she.
S. Rao VallabhaneniChicago, IllinoisAugust 2011
How to Study for the CISSP Exam
To study for the CISSP Exam, follow these guidelines:
Read the official description of the CISSP Exam at the end of this section.
Read the glossary terms and acronyms found in Appendixes A and B at the back of
this book to become familiar with the technical terms and acronyms.
Take the sample practice tests for each of the ten domains.
If you score less than 75 percent for each domain, study the glossary terms agai
n until you master the subject matter or score higher than 75 percent.
Complete the scenario-based practice questions to integrate your learning and th
ought processes.
The types of questions a candidate can expect to see on the CISSP Exam are mostl
y objective and traditional multiple-choice questions and some scenario-based mu
ltiple-choice questions with only one choice as the correct answer. Answering th
ese multiple-choice questions requires a significant amount of practice and effo
rt.
The following tips and techniques are helpful for answering the multiple-choice
questions:
Stay with your first impression of the correct choice.
Know the subject area or topic. Dont read too much into the question.
Remember that all questions are independent of specific countries, products, pra
ctices, vendors, hardware, software, or industries.
Read the last sentence of the question first, followed by all the choicesthen re
ad the body of the question. Underline or circle the key words.
Read the question twice (or read the underlined or circled key words twice) and
watch for tip-off words such as not, except, all, every, always, never, least, o
edures to support the policies; security training to make employees aware of the
importance of information security, its significance, and the specific security
-related requirements relative to their position; the importance of confidential
ity, proprietary, and private information; third party management and service le
vel agreements related to information security; employment agreements; employee
hiring and termination practices; and risk management practices and tools to ide
ntify, rate, and reduce the risk to specific resources.
Key Areas of Knowledge
Understand and align security function to goals, mission, and objectives of the
organization.
Understand and apply security governance.
1. Organizational processes such as acquisitions, divestitures, and governance c
ommittees
2. Security roles and responsibilities
3. Legislative and regulatory compliance
4. Privacy requirements compliance
5. Control frameworks
6. Due care
7. Due diligence
Understand and apply concepts of confidentiality, integrity, and availability.
Develop and implement security policy.
1. Security policies
2. Standards/baselines
3. Procedures
4. Guidelines
5. Documentation
Manage the information life cycle such as classification, categorization, and ow
nership.
Manage third-party governance such as onsite assessment, document exchange and r
eview, and process/poly review.
Understand and apply risk management concepts.
1. Identify threats and vulnerabilities
2. Risk assessments/analysis such as qualitative, quantitative, and hybrid
3. Risk assignment/acceptance
4. Countermeasure selection
5. Tangible and intangible asset valuation
Manage personnel security.
1. Employment candidate screening such as reference checks, education, and verif
ication
2. Employment agreements and policies
3. Employee termination processes
4. Vendor, consultant, and contractor controls
Software development security domain refers to the controls that are included wi
thin systems and applications software and the steps used in their development.
Software refers to system software (operating systems) and application programs
(agents, applets, software, databases, data warehouses, and knowledge-based syst
ems). These applications may be used in distributed or centralized environments.
The candidate should fully understand the security and controls of the systems d
evelopment process, system life cycle, application controls, change controls, da
ta warehousing, data mining, knowledge-based systems, program interfaces, and co
ncepts used to ensure data and application integrity, security, and availability
.
Key Areas of Knowledge
Understand and apply security in the software development life cycle.
1. Development life cycle
2. Maturity models
3. Operation and maintenance
4. Change management
Understand the environment and security controls.
1. Security of the software environment
2. Security issues of programming languages
3. Security issues in source code such as buffer overflow, escalation of privile
ge, and backdoor
4. Configuration management
3.
4.
5.
6.
Asymmetric cryptography
Hybrid cryptography
Message digests
Hashing