
Access Control

Question 1
Bob enrolls with a fingerprint reader and is able to authenticate for a number of weeks using the system. One day, Bob cuts his finger and finds he can no longer authenticate and receives a Type 1 error. What is most likely the problem?
a) The system does not examine enough information to assess that it is Bob
b) Fingerprint readers are not very good at handling Type 1 errors by nature since these are very dynamic metrics
c) Fingerprint readers are not very good at handling Type 1 errors by nature since they have high crossover error rates
d) The system examines too much information and needs to be configured to be less sensitive

Question 2
If a complex password, stored in a system that uses the full entropy of the Extended ASCII character set (8 bits per character), can be cracked in one week, what is the maximum time it would take to crack it if one more character is added?
a) 256 weeks
b) 2 weeks
c) 1 week and 1 day
d) 10.5 days

Question 3
A small number of salespeople share an office with marketing. Rather than purchase a separate printer, management has requested that the salespeople use the marketing printer. Which of the following is the most appropriate way to grant authorization for these users?
a) Add the salespeople's names to the printer ACL
b) Add the salespeople's names to the marketing group
c) Create a new group for these users and add the group to the printer's ACL
d) Advise against it as it is a possible conflict of interest

Question 4
To validate a claimed identity, which of the following best describes authentication tokens?
a) Time-based access control
b) Sensitivity labels
c) Access control lists
d) Credentials

Question 5
An Intrusion Detection System (IDS) has detected an ACK storm. What does this mean?
a) An intruder is sending unsolicited acknowledgements to scan the network
b) An intruder is sending unsolicited acknowledgements to perform a denial of service
c) An intruder is attempting to spoof the host to hijack a session
d) There is a bridging loop

Application Security

Question 1
At what phase of the system development life cycle are the customer-specific requirements determined?
a) Functional design
b) System design
c) Validations
d) Project initiation

Question 2
Which statement is true?
a) In a relational database parents can have only one child
b) In a relational database a child can have only one parent
c) In a hierarchical database a parent can have only one child
d) In a hierarchical database a child can have only one parent

Question 3
A change is planned to an application to address a specific problem. After the change, however, other modules that should not have been affected appear to be broken. What is the likely cause?
a) The changed module had low cohesion
b) The changed module had high cohesion
c) The changed module was tightly coupled
d) The changed module was loosely coupled

Question 4
A user complains that his phone number in the employee database is not accurate. Each time the user changes the number it seems to take, but then reverts to the old number by the end of the day. Which of the following is the most likely cause?
a) The user does not have modification rights
b) The schema does not allow changes from the user's machine
c) Someone in personnel has put a lock on the cell
d) Replication integrity is inaccurate due to mismatched times

Question 5
A person in Applications Development writes a new module for a production customer tracking system. This module may increase productivity significantly for the organization, leading to substantial savings over time. Another person in Development has tested the module and has found no problem with the code. Which of the following is NOT recommended?
a) The new code should be implemented as soon as Quality Assurance personnel certify the module
b) The module should go to operations for implementation
c) An accrediting official should wait for the results of certification
d) All changes must be logged in the change management database (CMDB)

Business Continuity and Disaster Recovery Planning

Question 1
Bob is charged with creating disaster recovery plans for his group. He is concerned that paper-based tests are not realistic enough, but is equally concerned about risking downtime of production systems. What test type is most appropriate in this situation?
a) Structured walkthrough
b) Warm
c) Simulation
d) Parallel

Question 2
A company provides outsourced help desk service to a number of clients worldwide. Currently they are equipped to handle over a thousand calls a day, with an average call length of 10 minutes. If they need to move to an alternate facility in the event of some disaster or disruption, management wants to be able to provide at least 80 percent of the current capacity. What metric would need to be determined in the Business Impact Analysis (BIA)?
a) Recovery time objectives
b) Service level objectives

c) Maximum tolerable downtime
d) Recovery point objectives

Question 3
Griffin Space Tech, a space development company, experiences a fire requiring relocation to an off-site location. An operator, a key person on the recovery team, fails to show up at the site. When contacted, the operator claims he was not clear on his role and did not realize he was named in the plan. Which document type would explain the specific names of the teams involved?
a) Reconstitution plans
b) Recovery procedures
c) Service level agreement
d) Memorandum of agreement (MOA)

Question 4
The senior network administrator responsible for managing perimeter security devices is named in the disaster recovery plan as the primary person to perform recovery of the firewall at an alternate site in an event requiring relocation. However, this administrator may move to another department and may no longer be available for this role. What plan should be used to prepare for such situations?
a) Business impact analysis
b) Succession
c) Personnel migration
d) Restructuring

Question 5
Critical systems are migrated to a hot site after a disaster. The backup operator from the recovery team receives a call from a user complaining that the data that have been restored for their system are too old to be of any use. The operator checks the tape that was used for the restore and confirms it was indeed the most recent backup and that the tape was created only the night before. What is the most likely cause of the problem?
a) The user is looking at a cached copy
b) The data was restored to the wrong directory
c) There is a network latency issue
d) Recovery point objectives are very short

Cryptography

Question 1
Which of the following statements is incorrect?
a) To ensure the integrity of data, create a message digest
b) To ensure privacy, encrypt the data with a symmetric key and the symmetric key with the receiver's private key
c) To validate the sender, encrypt the message digest with the sender's private key
d) To obtain the fastest method to encrypt data, use a symmetric, shared secret key

Question 2
What is the most trusted way to ensure only the intended recipient obtains the key in a purely symmetric system?
a) Manager hand-delivers the key
b) Encrypt the key with the receiver's public key
c) Encrypt the key with a passphrase
d) Encrypt the key with the sender's private key

Question 3
Alice gives a copy of her private key to the crypto admin, Bob, for backup. Which problem below would most likely affect the accountability of the system?

a) Bob could sign documents as Alice
b) Bob could read documents destined for Alice
c) Bob could leave the company and her backup could be unavailable
d) Bob could update the CRL claiming Alice's key was lost

Question 4
Alice works in customer service for a large manufacturing corporation and is responsible for working with customers' time-sensitive orders. One of her customers, Bob, sends her a signed and encrypted email and requests a signed receipt. Bob receives a receipt from Alice and becomes concerned when she does not follow through with his order, and calls her on the phone a few days later. Alice claims she did not receive the email. Which of the following could explain the situation?
a) The email is stuck in her server's inbound queue
b) Bob's private key has been compromised
c) The CA has issued a duplicate certificate
d) Alice's private key has been compromised

Question 5
Bob connects to an SSL server daily to check his email over an encrypted channel. His company-issued laptop is upgraded to meet new client standards. He receives an error message stating that he is about to download a certificate that has not been signed by a trusted third party. What is the most likely cause?
a) The admin forgot to copy his private key to the new system
b) The new laptop has the wrong network address
c) The public key of the CA is not on his machine
d) His session key needs to be recreated

Information Security and Risk Management

Question 1

To address a contract agreement with a new client, management is required to select stronger encryption algorithms. What document needs to be modified to define the specifications for these new algorithms?
a) Policies
b) Standards
c) Procedures
d) Baselines

Question 2
Which of the following is out of place?
a) High, medium, low rankings
b) Subjective intuition
c) Objective opinions
d) Value

Question 3
Management requires that all employees with a company laptop keep their virus signatures up to date and run a full system scan at least weekly. It is suggested, however, that they update signatures every night if possible. In what document type would such suggestions likely be made?
a) Policies
b) Procedures
c) Guidelines
d) Standards

Question 4
Which of the following is the most logical order for risk management?
a) Asset valuation, threat analysis, control analysis, mitigation, policy creation, awareness
b) Threat analysis, control recommendation, asset valuation, mitigation
c) Policy creation, risk mitigation, control evaluation, training
d) Test, recommend, acquire/create, control, valuation

Legal, Regulations, Compliance and Investigations

Question 1
You are working in Philadelphia using a VPN to connect to a network in Singapore for a China-based company. Some of the laws differ across these jurisdictions. According to the ISC2 Code of Ethics, what is the proper action to take?
a) Avoid conflicts of interest
b) Follow the most restrictive laws
c) Chinese laws take precedence since this is where corporate headquarters is located
d) Philadelphia laws take precedence since this is where you are rendering service

Question 2
Alice is asked by a potential customer if she can provide service for an intrusion detection system (IDS): assess the rule set currently configured on the system and make recommendations for improvement, to comply with a new regulation pertaining to the customer's line of business. Though Alice has an interest in working with intrusion detection systems, she has no hands-on experience. What ISC2 Code of Ethics requirement may force Alice to decline the primary role for such an assignment?
a) Render only those services for which you are fully competent and qualified
b) Thou shalt not make false claims
c) Provide only services in your area of expertise

d) Where compliance is paramount, service personnel require appropriate certification

Question 3
Alice is aggressively trying to increase personnel to meet market demands and tries to recruit Bob, a colleague, by offering 5% ownership of the entire enterprise and agreeing to put this in writing soon. For expedience, they agree on a start date before the lawyers approve the contract regarding the 5% ownership. Nine months pass, and Alice fails to provide the agreement in writing and changes her mind. According to the ISC2 Code of Ethics, what can be said of the situation?
a) Alice is at fault for conflict of interest
b) Bob is at fault for failing to ensure proper documentation
c) Alice is at fault for failure to observe all contracts and agreements, express or implied
d) There is no violation of the ISC2 Code of Ethics

Question 4
Due to new laws governing the actions taken by companies when customer-identifiable information is collected, a senior manager directs internal auditors to analyze the company's exposure to the new regulations. The results of the audit identify a number of potential violations. What is the most appropriate action to take?
a) Consult outside advice to ensure that the audit is accurate
b) Conduct a gap analysis to prioritize ways to close the gaps
c) Review the company's privacy policy and determine the necessary changes
d) Take steps to encrypt the sensitive data to protect the information

Question 5
Which of the following is not an example of civil law?
a) Contract
b) Property
c) Tort
d) Regulatory

Operations Security

Question 1
What RAID level is primarily associated with the fastest writes but not necessarily reads?
a) 0
b) 1
c) 3
d) 5

Question 2
Which of the following controls is more likely to provide confidentiality protection?
a) Rotation of duties
b) Segregation of duties
c) Dual control
d) Quality assurance

Question 3
Bob is hired to perform a penetration test for Griffin Space Tech, a leading space exploration company. Alice is nearly killed when her navigation system is interrupted by what turned out to be a test on a system that was not supposed to be part of the test. What document, if defined and understood, would most likely have prevented such a problem?
a) Rules of engagement
b) Concept of operations

c) Statement of work
d) Exception reports

Question 4
A critical server is scheduled to have a service pack installed. Departmental management requests that the change be tested on a spare server first before being applied to the production server. To ensure that the spare server is configured exactly as the production server, operations plan to make an unscheduled backup of the production server. Which backup method is most appropriate?
a) Full
b) Incremental
c) Differential
d) Copy

Question 5
A user in your organization habitually surfs inappropriate websites. You are responsible for desktop support and notice these sites in the history log. What is the best way to ensure the company is not held accountable by other users' complaints about this user?
a) Block access to these sites with an approved filter
b) Nothing, as you are not in security
c) Inform law enforcement
d) Report your findings to management

Physical (Environmental) Security

Question 1
What is the purpose of a strike plate?
a) To prevent damage to a door in a loading dock
b) It is part of a locking mechanism
c) To allow egress traffic in the event of an emergency evacuation
d) To prevent damage to a door from moving equipment

Question 2
Measuring light output and sensitivity to light is an important concept for physical security. Lux ratings refer to lumens per square meter. What rating refers to lumens per square foot?
a) LPSF
b) Luminescence
c) Joules
d) Foot-candles

Question 3
Which of the following is not an advantage of using security dogs?
a) Olfactory sensitivity
b) Work in a power failure
c) Can cover a large area
d) Will prevent intruders from entering the premises

Question 4
Closed-circuit television (CCTV) is an important detective control. Which of the following is most likely to be a common application for CCTV?
a) To be used after a crime in event correlation
b) To enable guards to extend their vision to detect suspicious activity before a crime can be committed
c) To allow police to monitor sensitive areas
d) To allow management to monitor employee behavior

Question 5
What is the purpose of emergency lighting?

a) To allow rescue teams to search for distressed personnel after a power failure
b) Illumination of evacuation routes
c) To assist in CCTV controls during a threatening situation
d) They act as a deterrent as criminals fear detection

Security Architecture and Design

Question 1
A system engineer would like to design a backup system that allows an operator to perform backups on all system data without giving the operator file system rights. What should the engineer consider?
a) The Clark-Wilson model
b) A SAN device
c) RBAC
d) Least privilege and need to know. In this case the operator by nature must have read access only.

Question 2
What is the purpose of the *-property in the Bell-LaPadula model?
a) To prevent an unauthenticated user from leaking secrets
b) To prevent an unauthenticated user from accessing sensitive data
c) To prevent an authenticated user from leaking secrets
d) To prevent an authenticated user from accessing sensitive data

Question 3
A remote database user maliciously enters a command in a user input dialog box and manages to execute a command to upgrade his rights in the system. Which recommended remediation method is least likely to mitigate this risk?
a) The system should check for input length
b) The system should check for input type
c) The system should block data control language from remote locations
d) The system should implement a mandatory access control

Question 4
When determining whether to use a product in your environment, you are asked to consult the product's certification per the Common Criteria. The category for this product does not contain a protection profile (PP). Which of the following is true?
a) An exception report may be created to allow this product, provided local testing can certify a build of the system
b) The system may grandfather an existing rating from the TCSEC
c) The product can still be rated against a security target (ST)
d) Review other products to see if there is a viable alternative

Question 5
Which of the following is an example of the reference monitor?
a) Requiring users to provide proof of identification
b) Account lockouts
c) Log files
d) Directory attributes

Telecommunications and Network Security

Question 1
Why is it advisable to prevent packets from leaving your network where the source address is not from your network or is a private (RFC 1918) address?
a) To prevent your perimeter or edge devices from being attacked with a denial of service attack

b) To prevent your internal devices from being attacked with a denial of service attack
c) To prevent your systems from being used to attack others
d) To prevent your systems from a reconnaissance attack

Question 2
Bob is attempting to use the hotel wireless network to connect to his company's email server. He is told by the hotel staff that the SSID is HOTELX (where X equals his floor number). After gaining a connection, it is discovered that his email has been posted to a hacker website. Which of the following would most likely have prevented this problem?
a) RADIUS
b) Mutual authentication
c) Two-factor authentication
d) Extensible Authentication Protocol

Question 2
In what layer of the OSI model are electrical signals turned into binary addressing information?
a) Host to host
b) Biba
c) Data link
d) Physical

Question 3
The firewall administrator notices that an IP address on the inside is attempting to open ports to an unknown host in a foreign country. What is the most appropriate action to take?
a) Block the port until the host can be authenticated
b) Perform a violation analysis
c) Run a virus scan on the machine that is attempting the connection, as it may be infected
d) Interview the user of the machine to determine his intention

Question 4
Which VPN method is less likely to work through NAT?
a) IPSec transport mode
b) IPSec tunnel with AH
c) IPSec tunnel with ESP
d) PPTP

Question 5
With regard to an intrusion detection system, what is meant by an insertion attack?
a) Enabling attackers to insert themselves into a system without detection
b) Injecting false data to mislead an IDS
c) Adding additional rules to misclassify an attack
d) Code injection attacks

Question 6
Which of the following attacks does not take advantage of systems that do not check for unsolicited replies?
a) ARP poisoning
b) DNS cache poisoning
c) OS fingerprinting
d) Fragmenting
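Cryptography Question 5 above describes the client side of certificate validation. The following is an added example (not from the original question set) that builds a private CA and a server certificate with Go's standard library and then validates the server certificate twice: once with an empty trust store, as on a freshly rebuilt laptop, and once with the company's CA certificate installed. The CA name, host name, key type and validity period are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI holds the two certificates a private-CA deployment needs: the root the
// clients must trust and a server certificate issued under it.
type PKI struct {
	CA     *x509.Certificate
	Server *x509.Certificate
}

// issue signs tmpl with signer on behalf of parent (self-signed when parent == tmpl)
// and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a private root CA and a certificate for the mail server.
func BuildPKI() (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "mail.example.com"},
		DNSNames:     []string{"mail.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv, err := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Server: srv}, nil
}

// Validate does what a TLS client does with the server's certificate: it tries
// to build a chain from it to one of the roots in the client's trust store.
// With no matching root installed the chain cannot be built, whoever signed it.
func Validate(server *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // an empty, non-nil pool: a client that trusts nothing
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "not signed by a trusted third
// party" failure from the question, as opposed to a name or validity problem.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh laptop, no private CA:", Validate(pki.Server, "mail.example.com"))
	fmt.Println("after installing the CA cert:", Validate(pki.Server, "mail.example.com", pki.CA))
	fmt.Println("CA installed but wrong host:", Validate(pki.Server, "imap.example.com", pki.CA))
}
```

The server's certificate is the same in all three calls; only the client's trust store and the expected host name change. That is why copying a private key to the laptop (option a) would not help, and why the fix for a company with an internal CA is to distribute the CA certificate to every client image rather than to click through the warning.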

Questions & Answers

Access Control

Question 1
Bob enrolls with a fingerprint reader and is able to authenticate for a number of weeks using the system. One day, Bob cuts his finger and finds he can no longer authenticate and receives a Type 1 error. What is most likely the problem?
a) The system does not examine enough information to assess that it is Bob
b) Fingerprint readers are not very good at handling Type 1 errors by nature since these are very dynamic metrics
c) Fingerprint readers are not very good at handling Type 1 errors by nature since they have high crossover error rates
d) The system examines too much information and needs to be configured to be less sensitive
Answer: d
Explanation: A Type 1 error is a false rejection: a legitimate user is refused. A biometric system tuned to match too much detail (a high acceptance threshold) rejects a genuine user as soon as the sample changes slightly, as happens when a finger is cut. A system that examines too little detail has the opposite problem and accepts impostors (Type 2 errors, false acceptance). The false rejection rate and false acceptance rate trade off against each other as the threshold moves; the point at which they are equal is the crossover error rate (CER). Fingerprints are a fairly static metric and good readers have a low CER, so b and c are wrong.

Question 2
If a complex password, stored in a system that uses the full entropy of the Extended ASCII character set (8 bits per character), can be cracked in one week, what is the maximum time it would take to crack it if one more character is added?
a) 256 weeks
b) 2 weeks
c) 1 week and 1 day
d) 10.5 days

Answer: a
Explanation: Adding one character adds 8 bits of entropy, so the keyspace grows by a factor of 2^8 = 256, and an exhaustive search that took at most one week now takes at most 256 weeks. This assumes the password is drawn uniformly from the full character set and has to be brute-forced; a dictionary or rule-based attack does not scale this way.

Question 3
A small number of salespeople share an office with marketing. Rather than purchase a separate printer, management has requested that the salespeople use the marketing printer. Which of the following is the most appropriate way to grant authorization for these users?
a) Add the salespeople's names to the printer ACL
b) Add the salespeople's names to the marketing group
c) Create a new group for these users and add the group to the printer's ACL
d) Advise against it as it is a possible conflict of interest
Answer: c
Explanation: Adding each user individually to the printer's ACL makes explicit access control difficult to manage as people join and leave. Adding the salespeople to the marketing group may grant them more privileges on other marketing resources than they need. Sales and marketing are not normally conflicting roles, so there is no conflict of interest to advise against.

Question 4
To validate a claimed identity, which of the following best describes authentication tokens?
a) Time-based access control
b) Sensitivity labels
c) Access control lists
d) Credentials
Answer: d
Explanation: A token is typically something the user has; what it presents to validate a claimed identity is a credential. The other answers are access control mechanisms that are applied after identity has been established, not evidence of identity.
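To make the threshold trade-off in Question 1 above concrete, here is an added example (not part of the original question set) that computes false rejection and false acceptance rates from constructed matcher scores and locates the crossover point. The scores, the threshold sweep and the function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed matcher scores for the illustration: how strongly the reader
// believes a presented finger matches Bob's enrolled template (0..1).
// Genuine attempts are Bob's own finger; impostor attempts are other people.
var genuineScores = []float64{0.92, 0.88, 0.95, 0.81, 0.90, 0.76, 0.85, 0.93, 0.70, 0.89}
var impostorScores = []float64{0.31, 0.45, 0.52, 0.60, 0.38, 0.74, 0.49, 0.66, 0.55, 0.42}

// Accept is the reader's decision rule: a sample is accepted when its match
// score reaches the configured threshold. Raising the threshold is what the
// question calls making the system "examine more information".
func Accept(score, threshold float64) bool {
	return score >= threshold
}

// Rates returns (FRR, FAR) at a threshold. FRR is the Type 1 (false rejection)
// rate: the share of genuine samples turned away. FAR is the Type 2 (false
// acceptance) rate: the share of impostor samples let in.
func Rates(threshold float64, genuine, impostor []float64) (frr, far float64) {
	rejected, accepted := 0, 0
	for _, s := range genuine {
		if !Accept(s, threshold) {
			rejected++
		}
	}
	for _, s := range impostor {
		if Accept(s, threshold) {
			accepted++
		}
	}
	return float64(rejected) / float64(len(genuine)), float64(accepted) / float64(len(impostor))
}

// Crossover sweeps thresholds from 0.00 to 1.00 in steps of 0.01 and returns
// the first threshold at which FRR and FAR are closest, plus the rate there.
// That rate is the crossover error rate (CER); a lower CER means a better
// sensor for the same population.
func Crossover(genuine, impostor []float64) (threshold, cer float64) {
	best := math.Inf(1)
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		frr, far := Rates(t, genuine, impostor)
		if d := math.Abs(frr - far); d < best {
			best, threshold, cer = d, t, (frr+far)/2
		}
	}
	return threshold, cer
}

func main() {
	for _, t := range []float64{0.60, 0.71, 0.80, 0.90} {
		frr, far := Rates(t, genuineScores, impostorScores)
		fmt.Printf("threshold %.2f  FRR (Type 1) = %.2f  FAR (Type 2) = %.2f\n", t, frr, far)
	}
	t, cer := Crossover(genuineScores, impostorScores)
	fmt.Printf("crossover at threshold %.2f, CER = %.2f\n", t, cer)

	// Bob's cut finger: assume his sample now scores 0.78. At a strict 0.80
	// threshold that is a false rejection; relaxing to the crossover point
	// accepts him again, at the price of a slightly higher FAR.
	fmt.Println("cut finger accepted at 0.80:", Accept(0.78, 0.80))
	fmt.Printf("cut finger accepted at %.2f: %v\n", t, Accept(0.78, t))
}
```

With these scores a threshold of 0.80 gives FRR 0.2 and FAR 0.0, which is the situation in the question: nobody gets in who should not, but a genuine user with a damaged finger is turned away. The crossover sits at 0.71 with both rates at 0.1; where an operator should set the threshold relative to the CER depends on whether false acceptances or false rejections cost more.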
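Question 5, which follows, asks what an ACK storm signifies. The simulation below is an added example, not part of the original question set: it models two endpoints with only the sequence counters that matter, applies the RFC 793 rules for a stale segment and for an acknowledgement of unsent data, and shows that a single segment injected from a spoofed client address leaves the real client and server acknowledging each other without end. The sequence numbers, payload sizes and the segment budget are assumptions for the illustration; partial overlap of segments is not modelled.

```go
package main

import "fmt"

// Segment is the subset of a TCP header that matters for sequence tracking.
type Segment struct {
	From string
	Seq  uint32 // sequence number of the first byte carried (SEG.SEQ)
	Ack  uint32 // next byte the sender expects from its peer (SEG.ACK)
	Len  uint32 // payload bytes (0 for a pure ACK)
}

// Endpoint is one side of an established connection, reduced to the two
// counters that session hijacking desynchronises.
type Endpoint struct {
	Name   string
	SndNxt uint32 // SND.NXT: next sequence number this side will send
	RcvNxt uint32 // RCV.NXT: next sequence number this side expects to receive
}

func (e *Endpoint) pureAck() Segment {
	return Segment{From: e.Name, Seq: e.SndNxt, Ack: e.RcvNxt}
}

// Send emits a data segment and advances SND.NXT.
func (e *Endpoint) Send(n uint32) Segment {
	s := Segment{From: e.Name, Seq: e.SndNxt, Ack: e.RcvNxt, Len: n}
	e.SndNxt += n
	return s
}

// Receive applies the RFC 793 acceptance rules that matter here and returns the
// reply the endpoint would put on the wire, if any.
func (e *Endpoint) Receive(s Segment) (Segment, bool) {
	// A segment that lies entirely before RCV.NXT is stale: it is dropped, but
	// the receiver still answers with an ACK so the peer can resynchronise.
	if s.Seq < e.RcvNxt && s.Seq+s.Len <= e.RcvNxt {
		return e.pureAck(), true
	}
	// An ACK for bytes this side has not sent yet is likewise answered with an
	// ACK carrying the real SND.NXT, and the segment is dropped.
	if s.Ack > e.SndNxt {
		return e.pureAck(), true
	}
	// In-order data is accepted and acknowledged.
	if s.Len > 0 && s.Seq == e.RcvNxt {
		e.RcvNxt += s.Len
		return e.pureAck(), true
	}
	// An in-sequence pure ACK needs no reply: a healthy exchange goes quiet here.
	return Segment{}, false
}

// exchange delivers seg to dst and follows the replies back and forth until one
// side stays silent or the budget is exhausted. It returns how many segments
// were put on the wire in response to the first one. Pure ACKs are never
// retransmitted, so in real life only packet loss or a reset ends the loop.
func exchange(seg Segment, dst, src *Endpoint, budget int) int {
	n := 0
	for n < budget {
		reply, ok := dst.Receive(seg)
		if !ok {
			return n
		}
		n++
		seg, dst, src = reply, src, dst
	}
	return n
}

// Scenario runs a legitimate data transfer and then, if injectLen > 0, an
// attacker's spoofed segment that impersonates the client. It returns the
// number of segments the legitimate hosts exchanged in each phase.
func Scenario(injectLen uint32, budget int) (legit, storm int) {
	client := &Endpoint{Name: "client", SndNxt: 1000, RcvNxt: 5000}
	server := &Endpoint{Name: "server", SndNxt: 5000, RcvNxt: 1000}

	// Phase 1: the client sends 10 bytes, the server ACKs, the client is satisfied.
	legit = exchange(client.Send(10), server, client, budget)
	if injectLen == 0 {
		return legit, 0
	}
	// Phase 2: the attacker has sniffed the sequence numbers and forges a segment
	// from the client's address carrying injectLen bytes of its own data.
	forged := Segment{From: "attacker-as-client", Seq: server.RcvNxt, Ack: server.SndNxt, Len: injectLen}
	storm = exchange(forged, server, client, budget)
	return legit, storm
}

func main() {
	legit, storm := Scenario(20, 50)
	fmt.Printf("legitimate transfer: %d reply segment(s), then silence\n", legit)
	fmt.Printf("after injection: %d ACK segments within a budget of 50, and still going\n", storm)
}
```

After the forged segment the server's RCV.NXT is 20 bytes ahead of the client's SND.NXT. Every ACK the server sends acknowledges data the client never sent, so the client answers with an ACK; that ACK's sequence number is now stale from the server's point of view, so the server answers with another ACK. No data moves and nothing times out, which is why an IDS that sees a burst of ACK-only packets between two hosts flags a hijacking attempt rather than a scan or a bridging loop.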

Question 5
An Intrusion Detection System (IDS) has detected an ACK storm. What does this mean?
a) An intruder is sending unsolicited acknowledgements to scan the network
b) An intruder is sending unsolicited acknowledgements to perform a denial of service
c) An intruder is attempting to spoof the host to hijack a session
d) There is a bridging loop
Answer: c
Explanation: An ACK storm is a side effect of TCP session hijacking. When an attacker injects a spoofed segment into an established session, the receiving host accepts the data and advances its receive sequence number, so the two legitimate endpoints are now out of step. The real client's next segment carries a sequence number the server has already passed, so the server replies with an ACK; that ACK acknowledges bytes the client never sent, so the client replies with an ACK of its own. Neither segment carries data, so neither is retransmitted or times out, and the two hosts bounce acknowledgements at each other until a packet is lost or the session is torn down. A burst of ACK-only packets between two hosts is therefore an IDS signature for session hijacking.

Application Security

Question 1
At what phase of the system development life cycle are the customer-specific requirements determined?
a) Functional design
b) System design
c) Validations
d) Project initiation
Answer: a
Explanation: Functional design is where the customer-specific requirements are determined, as a detailed statement of what the system must do. System design is concerned with how those requirements will be met; project initiation is not detailed enough to capture them; and validation is a distracter.

Question 2
Which statement is true?
a) In a relational database parents can have only one child
b) In a relational database a child can have only one parent
c) In a hierarchical database a parent can have only one child
d) In a hierarchical database a child can have only one parent
Answer: d
Explanation: One of the benefits of the relational database over the hierarchical database is that many different relations can be defined, which overcomes the limitation of hierarchical databases that a child can have only one parent.

Question 3
A change is planned to an application to address a specific problem. After the change, however, other modules that should not have been affected appear to be broken. What is the likely cause?
a) The changed module had low cohesion
b) The changed module had high cohesion
c) The changed module was tightly coupled
d) The changed module was loosely coupled
Answer: a
Explanation: A module is cohesive when it performs only a single, precise task. A module with low cohesion bundles several unrelated tasks, so a change intended for one of them can disturb the others and every module that relies on them. Coupling measures how much interaction a module needs with other modules to do its job. Both properties have a significant effect on change management; the goal is high cohesion and loose coupling.

Question 4

A user complains that his phone number in the employee database is not accurate. Each time the user changes the number it seems to take, but then reverts to the old number by the end of the day. Which of the following is the most likely cause?
a) The user does not have modification rights
b) The schema does not allow changes from the user's machine
c) Someone in personnel has put a lock on the cell
d) Replication integrity is inaccurate due to mismatched times
Answer: d
Explanation: In a distributed environment, replicas whose clocks are not synchronized can resolve conflicts in favour of older data: a replica whose clock runs fast stamps its stale copy with a later time, and the next replication pass overwrites the user's newer value with it. Because the change took hold for a while, it is unlikely to be a rights issue (a), and c is not likely either.

Question 5
A person in Applications Development writes a new module for a production customer tracking system. This module may increase productivity significantly for the organization, leading to substantial savings over time. Another person in Development has tested the module and has found no problem with the code. Which of the following is NOT recommended?
a) The new code should be implemented as soon as Quality Assurance personnel certify the module
b) The module should go to operations for implementation
c) An accrediting official should wait for the results of certification
d) All changes must be logged in the change management database (CMDB)
Answer: a
Explanation: Before making this significant change, the module should be technically tested (certification) and administratively approved (accreditation).
Note: This question generated a bit of discussion. To further clarify my answer I posted the following comments in http://groups.yahoo.com/group/cyberkungfu/message/898:
In this question I am trying to lead you to B, but here is why I believe A is the "more correct" answer. To provide separation of duties and ensure trusted change management, it is recommended that developers cannot approve code or interface with production software; changes to applications should:
1) Be tested by a test group (QA/QC)
2) Be accredited by management
3) Go to operations for implementation
4) Be logged in a CMDB
While B may look like I am bypassing 1 and 2, if you read carefully I only say "The module should go to operations for implementation." I did not say anything about ignoring the other phases. A says "The new code should be implemented as soon as Quality Assurance personnel certify the module." This wording does indeed suggest that accreditation is ignored. This is the type of question that messes me up in tests, because I start to add in my head words I think the author meant to say, and then wonder if the author omitted the words on purpose, as I did in this question.

Business Continuity and Disaster Recovery Planning

Question 1

Bob is charged with creating disaster recovery plans for his group. He is concerned that paper-based tests are not realistic enough, but is equally concerned about risking downtime of production systems. What test type is most appropriate in this situation?
a) Structured walkthrough
b) Warm
c) Simulation
d) Parallel
Answer: c
Explanation: In a simulation test the recovery is exercised on test hardware and software, which is more realistic than either the checklist or the structured walkthrough, both of which are paper-based only. In a parallel test a subset of production systems is actually involved and run at the alternate site. "Warm" is a distracter: a warm site is a type of facility, not a type of test.

Question 2
A company provides outsourced help desk service to a number of clients worldwide. Currently they are equipped to handle over a thousand calls a day, with an average call length of 10 minutes. If they need to move to an alternate facility in the event of some disaster or disruption, management wants to be able to provide at least 80 percent of the current capacity. What metric would need to be determined in the Business Impact Analysis (BIA)?
a) Recovery time objectives
b) Service level objectives
c) Maximum tolerable downtime
d) Recovery point objectives
Answer: b
Explanation: In a disaster it may be cost-prohibitive to attempt recovery to full capacity, so service level objectives are set to determine the service levels required to protect the business. Answers a and c are both time metrics rather than capacity metrics: the recovery time objective is the target time to bring a service or department back up, and the maximum tolerable downtime is the longest outage the business can survive (the RTO must fit within the MTD). Answer d refers to the point in time to which data must be recovered and is mostly associated with data backup schedules and methods.

Question 3
Griffin Space Tech, a space development company, experiences a fire requiring relocation to an off-site location. An operator, a key person on the recovery team, fails to show up at the site. When contacted, the operator claims he was not clear on his role and did not realize he was named in the plan. Which document type would explain the specific names of the teams involved?
a) Reconstitution plans
b) Recovery procedures
c) Service level agreement
d) Memorandum of agreement (MOA)
Answer: d
Explanation: MOAs are documents maintained to identify the people and their roles in a business continuity plan. They are critical to keep current and must be tied to HR to ensure that the people named are still operating in the planned capacity.

Question 4
The senior network administrator responsible for managing perimeter security devices is named in the disaster recovery plan as the primary person to perform recovery of the firewall at an alternate site in an event requiring relocation. However, this administrator may move to another department and may no longer be available for this role. What plan should be used to prepare for such situations?
a) Business impact analysis

b) Succession
c) Personnel migration
d) Restructuring
Answer: b
Explanation: Succession plans are maintained to prepare for changes in personnel.

Question 5
Critical systems are migrated to a hot site after a disaster. The backup operator from the recovery team receives a call from a user complaining that the data that have been restored for their system are too old to be of any use. The operator checks the tape that was used for the restore and confirms it was indeed the most recent backup and that the tape was created only the night before. What is the most likely cause of the problem?
a) The user is looking at a cached copy
b) The data was restored to the wrong directory
c) There is a network latency issue
d) Recovery point objectives are very short
Answer: d
Explanation: The recovery point objective (RPO) defines how old restored data may be, that is, how much data loss the business can tolerate. If the RPO is less than 24 hours, nightly backups are not frequent enough, and remote journaling, electronic vaulting or restoring from a shadow copy should be considered.

Cryptography

Question 1
Which of the following statements is incorrect?
a) To ensure the integrity of data, create a message digest
b) To ensure privacy, encrypt the data with a symmetric key and the symmetric key with the receiver's private key
c) To validate the sender, encrypt the message digest with the sender's private key
d) To obtain the fastest method to encrypt data, use a symmetric, shared secret key
Answer: b
Explanation: The second half of the sentence should read "with the receiver's public key". The sender does not have the receiver's private key, and anything encrypted with a private key can be decrypted by everyone who holds the matching public key, so it would provide no privacy at all.

Question 2
What is the most trusted way to ensure only the intended recipient obtains the key in a purely symmetric system?
a) Manager hand-delivers the key
b) Encrypt the key with the receiver's public key
c) Encrypt the key with a passphrase
d) Encrypt the key with the sender's private key
Answer: a
Explanation: One major challenge in a purely symmetric system is how to share the secret key, and out-of-band delivery by a trusted person is the answer within that system. Encrypting the key with a passphrase is out of place here, since we still have the fundamental problem of sharing the passphrase. Answers b and d refer to asymmetric cryptography.

Question 3
Alice gives a copy of her private key to the crypto admin, Bob, for backup. Which problem below would most likely affect the accountability of the system?
a) Bob could sign documents as Alice
b) Bob could read documents destined for Alice

c) Bob could leave the company and her backup could be unavailable
d) Bob could update the CRL claiming Alice's key was lost
Answer: a
Explanation: While answers a, b and c could all be problems, answer a is the one most associated with accountability.

Question 4
Alice works in customer service for a large manufacturing corporation and is responsible for working with customers' time-sensitive orders. One of her customers, Bob, sends her a signed and encrypted email and requests a signed receipt. Bob receives a receipt from Alice and becomes concerned when she does not follow through with his order, and calls her on the phone a few days later. Alice claims she did not receive the email. Which of the following could explain the situation?
a) The email is stuck in her server's inbound queue
b) Bob's private key has been compromised
c) The CA has issued a duplicate certificate
d) Alice's private key has been compromised
Answer: d
Explanation: Alice's private key would have been used to create the signature on the receipt that Bob received. If Alice did not send the receipt, then her private key must have been compromised.

Question 5
Bob connects to an SSL server daily to check his email over an encrypted channel. His company-issued laptop is upgraded to meet new client standards. He receives an error message stating that he is about to download a certificate that has not been signed by a trusted 3rd party. What is the most likely cause?
a) The admin forgot to copy his private key to the new system
b) The new laptop has the wrong network address
c) The public key of the CA is not on his machine
d) His session key needs to be recreated
Answer: c
Explanation: To validate the server certificate, the issuing CA (the certificate authority) must be trusted by the client. This is a common problem for companies that use private certificate authorities.

Information Security and Risk Management

Question 1
To address a contract agreement with a new client, management is required to select stronger encryption algorithms. What document needs to be modified to define the specifications for these new algorithms?
a) Policies
b) Standards
c) Procedures
d) Baselines
Answer: b
Explanation: While it is possible that all of these documents would have to be modified, specifications are typically defined in Standards. Policies are more associated with basic requirements; procedures are step-by-step instructions; and Baselines define the acceptable (and unacceptable) risk levels.

Question 2
Which of the following is out of place?
a) High, medium, low rankings
b) Subjective intuition
c) Objective opinions

d) Value
Answer: c
Explanation: Opinions are, by nature, subjective. Answers a, b and d are all examples of qualitative reasoning.

Question 3
Management requires that all employees with a company laptop keep their virus signatures up to date and run a full system scan at least weekly. It is suggested, however, that they update signatures every night if possible. In what document type would such suggestions likely be made?
a) Policies
b) Procedures
c) Guidelines
d) Standards
Answer: c
Explanation: Guidelines are defined as non-binding suggestions only.

Question 4
Which of the following is the most logical order for risk management?
a) Asset valuation, threat analysis, control analysis, mitigation, policy creation, awareness
b) Threat analysis, control recommendation, asset valuation, mitigation
c) Policy creation, risk mitigation, control evaluation, training
d) Test, recommend, acquire/create, control, valuation
Answer: a
Explanation: Of the answers, only a does not contain an out-of-order step. Answer b places control recommendation before asset valuation, c places mitigation before control evaluation, and d is just a distracter.

Legal, Regulations, Compliance and Investigations

Question 1
You are working in Philadelphia using a VPN to connect to a network in Singapore for a China-based company. Some of the laws differ across these jurisdictions. According to the ISC2 Code of Ethics, what is the proper action to take?
a) Avoid conflicts of interest
b) Follow the most restrictive laws
c) Chinese laws take precedence since this is where corporate headquarters is located
d) Philadelphia laws take precedence since this is where you are rendering service
Answer: d
Explanation: The ISC2 Code of Ethics specifically states: "When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service." This is still a very difficult question, as the Code of Ethics also mentions "Avoid conflicts of interest or the appearance thereof", though d is a more direct match to this situation. Answer b is a good answer, but it is not addressed in the ISC2 Code of Ethics.

Question 2
Alice is asked by a potential customer if she can provide service for an intrusion detection system (IDS): to assess the rule-set currently configured on the system and make recommendations for improvement, to comply with a new regulation pertaining to the customer's line of business. Though Alice has an interest in working with intrusion detection systems, she has no hands-on experience. What ISC2 Code of Ethics requirement may force Alice to decline the primary role for such an assignment?
a) Render only those services for which you are fully competent and qualified
b) Thou shall not make false claims
c) Provide only services in your area of expertise
d) Where compliance is paramount, service personnel require appropriate certification
Answer: a
Explanation: Only a is addressed in the ISC2 Code of Ethics.

Question 3
Alice is aggressively trying to increase personnel to meet market demands and tries to recruit Bob, a colleague, by offering 5% ownership of the entire enterprise and agreeing to put this in writing soon. For expedience, they agree on a start date before the lawyers approve the contract regarding the 5% ownership. Nine months pass and Alice fails to provide the agreement in writing and changes her mind. According to the ISC2 Code of Ethics, what can be said of the situation?
a) Alice is at fault for Conflict of Interest
b) Bob is at fault for failing to ensure proper documentation
c) Alice is at fault for failure to "Observe all contracts and agreements, express or implied"
d) There is no violation of the ISC2 Code of Ethics
Answer: c
Explanation: Answer a does not apply here, and b is a distracter. Answer c is a very important issue and a requirement of a CISSP.

Question 4

Due to new laws governing the actions taken by companies when customer-identifiable information is collected, a senior manager directs internal auditors to analyze the company's exposure to the new regulations. The results of the audit identify a number of potential violations. What is the most appropriate action to take?
a) Consult outside advice to ensure that the audit is accurate
b) Conduct a gap analysis to prioritize ways to close the gaps
c) Review the company's privacy policy and determine the necessary changes
d) Take steps to encrypt the sensitive data to protect the information
Answer: b
Explanation: After an audit reports differences between a current position and a desired position, a gap analysis is performed to determine the best ways to reconcile the differences.

Question 5
Which of the following is not an example of civil law?
a) Contract
b) Property
c) Tort
d) Regulatory
Answer: d
Explanation: Regulatory law, also known as administrative or business law, is a separate branch of law, and violations can entail jail time. Contract, property and tort law are types of civil law, and the only penalties are financial.

Operations Security

Question 1

What RAID level is primarily associated with the fastest writes, but not necessarily the fastest reads?
a) 0
b) 1
c) 3
d) 5
Answer: a
Explanation: RAID level 0 should probably be called "AID", as there is no redundancy. The benefit of this system is very fast writes, as data are written (striped) across many drives. Reads may be more complicated, as all drives must be positioned to the proper place. RAID 1 is mirroring, where all data are redundantly written to two drives. This may make for slower writes, as the data must be written twice, and may be faster on reads because in some systems the drive that is closer to the data can read the data. RAID 3 and 5 stripe as level 0 does, but require extra time to write the recovery data.

Question 2
Which of the following controls is more likely to provide confidentiality protection?
a) Rotation of Duties
b) Segregation of Duties
c) Dual Control
d) Quality assurance
Answer: b
Explanation: By segregating (or separating) the duties required to perform a function, no one person is required to have all the knowledge. The other answers, while good controls, do not address confidentiality.

Question 3
Bob is hired to perform a penetration test for Griffin Space Tech, a leading space exploration company. Alice is nearly killed when her navigation system is interrupted by what turned out to be a test on a system that was not supposed to be part of the test. What document, if defined and understood, would most likely have prevented such a problem?
a) Rules of engagement
b) Concept of operations
c) Statement of work
d) Exception reports
Answer: a
Explanation: One very important administrative control when planning a penetration test is the creation of a Rules of Engagement document, which addresses what systems are to be tested and the accepted testing techniques. Performing a test entails risk, and care must be taken to ensure the least amount of disruption.

Question 4
A critical server is scheduled to have a service pack installed. Departmental management requests that the change be tested on a spare server first before being applied to the production server. To ensure that the spare server is configured exactly as the production server, operations plan to make an unscheduled backup of the production server. Which backup method is most appropriate?
a) Full
b) Incremental
c) Differential
d) Copy
Answer: d

Explanation: Only the full and the copy backups are likely to back up all the data on the server. Since a full backup modifies (clears) the archive bit, it is not appropriate in this situation, as it would affect the normal backup schedule.

Question 5
A user in your organization habitually surfs inappropriate websites. You are responsible for desktop support and notice these sites in the history log. What is the best way to ensure the company is not held accountable for other users' complaints about this user?
a) Block access to these sites with an approved filter
b) Do nothing, as you are not in security
c) Inform law enforcement
d) Report your findings to management
Answer: d
Explanation: The decision to take disciplinary action is a management responsibility.

Physical (Environmental) Security

Question 1
What is the purpose of a strike plate?
a) To prevent damage to a door in a loading dock
b) It is part of a locking mechanism
c) To allow egress traffic in the event of an emergency evacuation
d) To prevent damage to a door from moving equipment
Answer: b
Explanation: The strike plate, or door catch, is part of the locking system. It is a common weakness in physical security: no matter how strong a lock is, if the strike plate is weak, the door can be breached.
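The archive-bit reasoning behind Operations Security Question 4 above is easy to check with a small simulation. The following Python is an added illustration, not code from the original quiz: it models how full, incremental, differential and copy backups select files and whether they clear the archive bit, then shows what a scheduled incremental backup captures after an unscheduled backup of each kind. The server, file names and modification history are constructed sample data.

```python
"""Archive-bit behaviour of the four backup methods (added illustration for
Operations Security Question 4; not part of the original quiz). Files, names
and the modification history below are constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive: bool = True  # the OS sets this bit whenever the file is modified


@dataclass
class Server:
    files: dict = field(default_factory=dict)

    def modify(self, name: str) -> None:
        """Write to a file: the operating system sets its archive bit."""
        self.files.setdefault(name, File(name)).archive = True

    def backup(self, method: str) -> list:
        """Run one backup. Returns the names backed up (sorted) and applies
        the method's archive-bit rule:
          full         - everything, clears the bit
          copy         - everything, leaves the bit alone
          incremental  - files with the bit set, clears the bit
          differential - files with the bit set, leaves the bit alone
        """
        if method in ("full", "copy"):
            selected = list(self.files)
        elif method in ("incremental", "differential"):
            selected = [n for n, f in self.files.items() if f.archive]
        else:
            raise ValueError(f"unknown backup method {method!r}")
        if method in ("full", "incremental"):
            for n in selected:
                self.files[n].archive = False
        return sorted(selected)


def unscheduled_backup_effect(method: str) -> tuple:
    """Replay a week: Sunday full, Monday incremental, a Tuesday change, then
    an unscheduled backup of the given method for the spare server, then
    Wednesday's scheduled incremental. Returns (files the unscheduled backup
    captured, files Wednesday's incremental captured)."""
    s = Server()
    for name in ("payroll.db", "app.cfg", "web.log"):
        s.modify(name)
    s.backup("full")                  # Sunday: weekly full, bits cleared
    s.modify("web.log")
    s.backup("incremental")           # Monday: nightly incremental
    s.modify("app.cfg")               # Tuesday daytime change to be protected
    captured = s.backup(method)       # operations' unscheduled backup
    wednesday = s.backup("incremental")
    return captured, wednesday


if __name__ == "__main__":
    for m in ("full", "incremental", "differential", "copy"):
        got, later = unscheduled_backup_effect(m)
        print(f"{m:12s} captured {got}, Wednesday's incremental then saw {later}")
```

Only "full" and "copy" capture every file needed to clone the server; of those two, only "copy" leaves Tuesday's change of app.cfg visible to Wednesday's scheduled incremental. A full backup here silently drops app.cfg from the normal backup chain.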

Question 2
Measuring light output and sensitivity to light is an important concept for physical security. Lux ratings refer to lumens per square meter. What rating refers to lumens per square foot?
a) LPSF
b) Luminescence
c) Joules
d) Foot-candles
Answer: d
Explanation: A foot-candle is an older standard from the British Standards Institute.

Question 3
Which of the following is not an advantage of using security dogs?
a) Olfactory sensitivity
b) Work in a power failure
c) Can cover a large area
d) Will prevent intruders from entering the premises
Answer: d
Explanation: Dogs are primarily used as detective controls, not preventive. Armed intruders can easily injure a dog.

Question 4
Closed circuit television (CCTV) is an important detective control. Which of the following is most likely to be a common application for CCTV?
a) To be used after a crime in event correlation
b) To enable guards to extend their vision to detect suspicious activity before a crime can be committed
c) To allow police to monitor sensitive areas
d) To allow management to monitor employee behavior
Answer: a
Explanation: While CCTV can be used to catch events in real time, it is not likely. CCTV controls include cameras, monitors, lights, recording devices and trained guards. After a crime is committed, authorities can use the recordings to gather evidence. All the other answers are applications, but a is the common use.

Question 5
What is the purpose of emergency lighting?
a) To allow rescue teams to search for distressed personnel after a power failure
b) Illumination of evacuation routes
c) To assist in CCTV controls during a threatening situation
d) They act as a deterrent, as criminals fear detection
Answer: b
Explanation: To prevent loss of life in an emergency, including a power failure, personnel may need to evacuate the premises. Emergency lights must be available to assist people in finding the way out of the building.

Security Architecture and Design

Question 1
A system engineer would like to design a backup system that allows an operator to perform backups on all system data without giving the operator file system rights. What should the engineer consider?
a) The Clark-Wilson model
b) A SANS device
c) RBAC

d) Least privilege and need to know; in this case the operator by nature must have read access only
Answer: a
Explanation: In the Clark-Wilson model, subjects must not have direct access to objects. In this case the engineer could give access privileges (to the file system) to the backup program, and give the operator access to the backup program. Outside of the backup system the operator would have no rights to the file system.

Question 2
What is the purpose of the *-property in the Bell-LaPadula model?
a) To prevent an unauthenticated user from leaking secrets
b) To prevent an unauthenticated user from accessing sensitive data
c) To prevent an authenticated user from leaking secrets
d) To prevent an authenticated user from accessing sensitive data
Answer: c
Explanation: The *-property ("no write down") is used to prevent spillage of information, i.e. to prevent someone with a high clearance from writing data to a lower classification.

Question 3
A remote database user maliciously enters a command in a user input dialog box, and manages to execute a command to upgrade his rights in the system. Which recommended remediation method is least likely to mitigate this risk?
a) The system should check for input length
b) The system should check for input type
c) The system should block data control language from remote locations
d) The system should implement mandatory access control
Answer: d
Explanation: Mandatory Access Control (MAC) refers to a system's functionality policy, but not necessarily the assurance provided. Even in a discretionary model this should not happen by policy. The other answers are all good ways to mitigate code injection.

Question 4
When determining whether to use a product in your environment, you are asked to consult the product's certification per the Common Criteria. The category for this product does not contain a protection profile (PP). Which of the following is true?
a) An exception report may be created to allow this product, provided local testing can certify a build of the system
b) The system may grandfather an existing rating from the TCSEC
c) The product can still be rated against the security target (ST)
d) Review other products to see if there is a viable alternative
Answer: c
Explanation: All Common Criteria certifications require a vendor-provided security target. While it is desirable to also rate a system against a vendor-neutral protection profile, it is not required.

Question 5
Which of the following is an example of the reference monitor?
a) Requiring users to provide proof of identification
b) Account lockouts
c) Log files
d) Directory attributes

Answer: a
Explanation: The reference monitor is the policy of an operating system, enforced by the security kernel. Answers b, c and d are examples of policy enforcement technologies.

Telecommunications and Network Security

Question 1
Why is it advisable to prevent packets from leaving your network where the source address is not from your network, or is a private (RFC 1918) address?
a) To prevent your perimeter or edge devices from being attacked with a denial of service attack
b) To prevent your internal devices from being attacked with a denial of service attack
c) To prevent your systems from being used to attack others
d) To prevent your systems from a reconnaissance attack
Answer: c
Explanation: The most likely answer is to prevent your systems from being used to attack others in a distributed denial of service (DDoS) attack. Many so-called zombies are configured to send packets with spoofed source addresses, as in Smurf and Fraggle.

Question 2
Bob is attempting to use the hotel wireless network to connect to his company's email server. He is told by the hotel staff that the SSID is HOTELX (where X equals his floor number). After gaining a connection, it is discovered that his email has been posted to a hacker website. Which of the following would most likely have prevented this problem?
a) RADIUS
b) Mutual authentication
c) Two-factor authentication
d) Extensible Authentication Protocol
Answer: b
Explanation: It is likely that Bob connected to a rogue access point. Mutual authentication refers to authentication at both ends of a connection.

Question 2
In what layer of the OSI model are electrical signals turned into binary addressing information?
a) Host to host
b) Biba
c) Datalink
d) Physical
Answer: c
Explanation: The datalink layer receives electrical signals from the physical layer and turns these into bits and bytes. A major component of the datalink layer is the MAC sub-layer, responsible for media access, including determining MAC addresses. Host to host is associated with the DoD model, and Biba is a distracter.

Question 3
The firewall administrator notices that an IP address on the inside is attempting to open ports to an unknown host in a foreign country. What is the most appropriate action to take?
a) Block the port until the host can be authenticated
b) Perform a violation analysis
c) Run a virus scan on the machine that is attempting the connection, as it may be infected
d) Interview the user of the machine to determine his intention
Answer: b

Explanation: When there is a violation of what has been deemed normal, a violation analysis is conducted to determine the cause. While this may be the result of an attack, it may be just a new service, or perhaps something else. This may include running a virus scan and interviewing users.

Question 4
Which VPN method is least likely to work through NAT?
a) IPSec transport mode
b) IPSec tunnel with AH
c) IPSec tunnel with ESP
d) PPTP
Answer: b
Explanation: The Authentication Header (AH) includes the IP header, and so the IP addresses, in its integrity check, and is therefore intrinsically incompatible with Network Address Translation (NAT), which rewrites those addresses.

Question 5
With regard to an intrusion detection system, what is meant by an insertion attack?
a) Enabling attackers to insert themselves into a system without detection
b) Injecting false data to mislead an IDS
c) Adding additional rules to misclassify an attack
d) Code injection attacks
Answer: b
Explanation: If an attacker knows the rules of an IDS, they may be able to mislead the IDS by injecting false data, making an attack sneak through because it did not exactly match the rules for a given attack. Similar to this is sending in an attack that contains signatures for both a low-risk and a high-risk attack, to direct the IDS to misclassify the attack.

Question 6
Which of the following attacks does not take advantage of systems that do not check for unsolicited replies?
a) ARP poisoning
b) DNS cache poisoning
c) OS fingerprinting
d) Fragmenting
Answer: d
Explanation: Fragmenting of packets has been used to create denial of service attacks, elude IDS and create covert channels, by breaking packets up into smaller pieces. The other attacks are classic examples of sending unsolicited replies, which could be described as an answer to a question that wasn't asked.
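The Bell-LaPadula rules from Security Architecture and Design Question 2 (no read up, no write down) are short enough to implement as a reference-monitor style check. The following Python is an added example, not code from the original quiz. It goes slightly beyond the question by using full BLP labels (a level plus a set of compartments) and the dominance relation, so that need-to-know compartments are enforced alongside the levels; the level names, the subject "alice" and the sample requests are constructed.

```python
"""Bell-LaPadula access decisions: simple security property (no read up) and
*-property (no write down) over labels with compartments. Added illustration
for Security Architecture and Design Question 2; not code from the original
quiz. Levels, subjects, objects and requests are constructed sample data."""

from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Label A dominates B when its level is at least B's and it holds
        every compartment B has (the BLP lattice ordering)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_decision(subject: Label, obj: Label, mode: str) -> bool:
    """Return True if the access is permitted by BLP."""
    if mode == "read":    # simple security property: subject must dominate object
        return subject.dominates(obj)
    if mode == "write":   # *-property: object must dominate subject (no write down)
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def audit(requests) -> list:
    """Evaluate (who, subject label, object name, object label, mode) tuples
    and return the denied ones with the violated property, the way a
    reference monitor's audit trail would record them."""
    denied = []
    for who, subj, name, obj, mode in requests:
        if not blp_decision(subj, obj, mode):
            rule = ("simple security property (no read up)" if mode == "read"
                    else "*-property (no write down)")
            denied.append((who, mode, name, rule))
    return denied


# Constructed: one SECRET-cleared analyst with the NUC compartment.
ALICE = Label("SECRET", frozenset({"NUC"}))
SAMPLE_REQUESTS = [
    ("alice", ALICE, "briefing",      Label("CONFIDENTIAL"),                  "read"),
    ("alice", ALICE, "crypto-plan",   Label("SECRET", frozenset({"CRYPTO"})), "read"),
    ("alice", ALICE, "public-memo",   Label("UNCLASSIFIED"),                  "write"),
    ("alice", ALICE, "ts-nuc-report", Label("TOP SECRET", frozenset({"NUC"})), "write"),
    ("alice", ALICE, "ts-nuc-report", Label("TOP SECRET", frozenset({"NUC"})), "read"),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUESTS):
        print("DENIED", *entry)
```

Writing up (the fourth request) is allowed by the *-property even though Alice can never read the TOP SECRET report back: that asymmetry is exactly what stops a high-clearance subject from spilling data into a lower classification.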
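The egress filtering recommended in Telecommunications Question 1 can be expressed directly as a source-address policy on the border router. The following Python is an added example, not code or configuration from the original quiz: it applies the two rules from the question (source must belong to one of our own prefixes, and must never be an RFC 1918 private address) to a constructed list of outbound packets and reports why each dropped packet was dropped. The organisation prefix 203.0.113.0/24 and the packet addresses are constructed from documentation ranges.

```python
"""Egress source-address filtering (Telecommunications Question 1). Added
illustration, not code from the original quiz; the organisation's prefix and
the sample packets are constructed from documentation address ranges."""

import ipaddress

# Constructed: the only prefix this organisation legitimately sources traffic from.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private ranges: never valid as a source on the public Internet.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_verdict(src: str) -> str:
    """Return 'forward' or a 'drop: ...' reason for an outbound packet's source."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "drop: malformed source address"
    if any(ip in net for net in RFC1918):
        return "drop: private source address leaked past NAT"
    if not any(ip in net for net in OUR_PREFIXES):
        return "drop: spoofed source not in our prefixes"
    return "forward"


def filter_egress(packets) -> tuple:
    """packets: iterable of (src, dst) strings. Returns (forwarded, dropped),
    each a list of (src, dst, verdict) tuples."""
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict = egress_verdict(src)
        (forwarded if verdict == "forward" else dropped).append((src, dst, verdict))
    return forwarded, dropped


# Constructed sample of outbound packets seen at the border.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),  # our own host: legitimate
    ("10.0.0.5", "198.51.100.5"),      # private source that escaped NAT
    ("192.0.2.77", "198.51.100.5"),    # someone else's address: spoofed
    ("203.0.113.x", "198.51.100.5"),   # malformed
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    for entry in fwd + drp:
        print(*entry)
```

The third packet is the case the question is about: a compromised internal host emitting traffic with a forged source so that replies (and blame) land elsewhere. The same rule set, applied in the other direction on inbound traffic (dropping packets that claim to come from our own prefix or from private space), is the usual companion ingress filter.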
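Telecommunications Question 4 turns on what the AH and ESP integrity checks cover. The Python below is an added, deliberately simplified model (not code from the original quiz, and not real IPsec packet formats): AH's integrity check value is computed over the outer IP addresses plus the payload, ESP's only over the encapsulated data, and a source NAT gateway rewrites the outer source address without knowing the security association key. The key, addresses and payload are constructed; real AH also covers other immutable header fields, real ESP encrypts and adds sequence numbers, and NAT traversal (UDP encapsulation) exists precisely so that ESP can cross NAT cleanly, none of which is modelled here.

```python
"""Why AH fails behind NAT while tunnel-mode ESP does not (Telecommunications
Question 4). Added, simplified illustration; not code from the original quiz
and not the real IPsec wire format. Key, addresses and payload are constructed."""

import hashlib
import hmac

SA_KEY = b"constructed-shared-sa-key"  # constructed; negotiated by IKE in real IPsec


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH: the ICV covers the immutable outer IP header fields, including both
    addresses, plus the payload (simplified)."""
    covered = f"{src}->{dst}|".encode() + payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP: the ICV covers only the ESP header and encapsulated data; the outer
    IP header is outside the check (simplified; encryption omitted)."""
    return hmac.new(SA_KEY, payload, hashlib.sha256).digest()


def build(proto: str, src: str, dst: str, payload: bytes) -> dict:
    """Sender builds one tunnel-mode packet with the ICV for the chosen protocol."""
    if proto not in ("AH", "ESP"):
        raise ValueError(f"unknown protocol {proto!r}")
    icv = ah_icv(src, dst, payload) if proto == "AH" else esp_icv(payload)
    return {"proto": proto, "src": src, "dst": dst, "payload": payload, "icv": icv}


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """A source NAT gateway replaces the private source address. It holds no
    SA key, so it cannot recompute any ICV that covered the old address."""
    return {**pkt, "src": public_ip}


def verify(pkt: dict) -> bool:
    """Receiver recomputes the ICV over the packet as actually received."""
    if pkt["proto"] == "AH":
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def survives_nat(proto: str) -> bool:
    """Send one packet from a private host through source NAT to the peer and
    report whether the peer's integrity check accepts it."""
    pkt = build(proto, "192.168.1.20", "198.51.100.9", b"inner IP packet (constructed)")
    return verify(nat_rewrite(pkt, "203.0.113.7"))


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, "accepted after NAT:", survives_nat(proto))
```

Without NAT both protocols verify; with NAT only ESP does, because the rewritten source address lies outside what ESP authenticates. The receiver's AH failure looks identical to tampering, which is the right outcome from AH's point of view: it cannot distinguish a helpful NAT from an on-path modification.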
