
DOMAIN 1

1. Which of the following security-focused protocols has confidentiality services operating at a
layer different from the others?
A. Sequenced Packet Exchange (SPX)
B. FTP Secure (FTPS)
C. Secure HTTP (S-HTTP)
D. Secure Socket Layer (SSL)
All the other protocols operate at the transport layer except for Secure HTTP (S-HTTP), which
operates at the application layer. S-HTTP has been replaced by SSL and TLS. As it is very well
explained in the Shon Harris book:
The transport layer receives data from many different applications and assembles the data into
a stream to be properly transmitted over the network. The main protocols that work at this layer
are TCP, UDP, Secure Sockets Layer (SSL) and Sequenced Packet Exchange (SPX).
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.526)
2. STRIDE is often used in relation to assessing threats against applications or operating systems.
Which of the following is not an element of STRIDE?
A. Spoofing
B. Elevation of Privilege
C. Repudiation
D. Disclosure
Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering,
repudiation, information disclosure, denial of service, and elevation of privilege.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.30-31)
3. If a security mechanism offers availability, then it offers a high level of assurance that
authorized subjects can _________________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate
Accessibility of data, objects, and resources is the goal of availability. If a security mechanism
offers availability, then it is highly likely that the data, objects, and resources are accessible to
authorized subjects.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.6-7)
4. If an organization contracts with outside entities to provide key business functions or services,
such as account or technical support, what is the process called that is used to ensure that
these entities support sufficient security?
A. Asset identification
B. Third-party governance
C. Exit interview
D. Qualitative analysis
Third-party governance is the application of security oversight on third parties that your
organization relies on.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.59)
5. While performing a risk analysis, you identify a threat of fire and a vulnerability because there
are no fire extinguishers. Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage
to equipment.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.63-64)
6. You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk
relation. You select a possible countermeasure. When performing the calculations again,
which of the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
A countermeasure directly affects the annualized rate of occurrence, primarily because the
countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency
per year.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.65-67)
7. You are concerned about the risk that a hurricane poses to your corporate headquarters in
South Florida. The building itself is valued at $15 million. After consulting with the National
Weather Service, you determine that there is a 10 percent likelihood that a hurricane will
strike over the course of a year. You hired a team of architects and engineers who determined
that the average hurricane would destroy approximately 50 percent of the building. What is
the annualized loss expectancy (ALE)?
A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million
This problem requires you to compute the ALE, which is the product of the SLE and ARO. From
the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you
know that the SLE is $7.5 million (50 percent of $15 million). This yields an ALE of $750,000.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.65-69)
8. In which business continuity planning task would you actually design procedures and
mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
In the provisions and processes phase, the BCP team actually designs the procedures and
mechanisms to mitigate risks that were deemed unacceptable during the strategy development
phase.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.116)
9. Of the individuals listed, who would provide the best endorsement for a business continuity
plan’s statement of importance?
A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager
You should strive to have the highest-ranking person possible sign the BCP’s statement of
importance. Of the choices given, the chief executive officer is the highest ranking.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.109)
10. Matthew recently authored an innovative algorithm for solving a mathematical problem, and
he wants to share it with the world. However, prior to publishing the software code in a
technical journal, he wants to obtain some sort of intellectual property protection. Which
type of protection is best suited to his needs?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
Copyright law is the only type of intellectual property protection available to Matthew. It covers
only the specific software code that Matthew used. It does not cover the process or ideas behind
the software. Trademark protection is not appropriate for this type of situation. Patent
protection does not apply to mathematical algorithms. Matthew can’t seek trade secret
protection because he plans to publish the algorithm in a public technical journal.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.133)
11. What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act?
A. Health care
B. Banking
C. Law enforcement
D. Defense contractors
The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way
financial institutions can handle private information belonging to their customers.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.143)
12. What compliance obligation relates to the processing of credit card information?
A. SOX
B. HIPAA
C. PCI DSS
D. FERPA
The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in
the storage, transmission, and processing of credit card information.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.180)
13. What act updated the privacy and security requirements of the Health Insurance Portability
and Accountability Act (HIPAA)?
A. HITECH
B. CALEA
C. CFAA
D. CCCA
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
amended the privacy and security requirements of HIPAA.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.141)
14. Under intellectual property law what would you call information that companies keep secret
to give them an advantage over their competitors?
A. Copyright
B. Patent
C. Trademark
D. Trade Secrets
Trade Secrets are information that companies keep secret to give them an advantage over their
competitors.
Example: The formula for Coca-Cola is the most famous trade secret.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.999)
15. Stationary and removable media storage volumes all carry an expected life span rating from
the manufacturer. What property might you examine to realize this life expectancy rating?
A. Mean time between errors
B. Spindle speed
C. Mean time between failures
D. Life expectancy rating
The mean time between failures (MTBF) rating on storage drives specifies the expected life span
(or average failure rate for any drive in a given batch) for a given medium.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1264)
16. Which statement below most accurately describes the difference between security
awareness, security training, and security education?
A. Security training teaches the skills that will help employees to perform their jobs more
securely.
B. Security education is required for all system operators.
C. Security awareness is not necessary for high-level senior executives.
D. Security training is more in depth than security education.
Awareness is used to reinforce the fact that security supports the mission of the organization by
protecting valuable resources. The purpose of training is to teach people the skills that will enable
them to perform their jobs more securely. Security education is more in depth than security
training and is targeted for security professionals and those whose jobs require expertise in
security. Management commitment is necessary because of the resources used in developing
and implementing the program and also because the program affects their staff.
Reference: National Institute of Standards and Technology, An Introduction to Computer
Security: The NIST Handbook Special Publication 800-12.
17. Once you have established the risk and the potential loss, you purchase insurance to reduce
the risk. Which of the answers describes this act?
A. Risk Assessment
B. Risk Transfer
C. Risk Rejecting
D. The Game of Risk
Purchasing insurance to help mitigate risk is a means of transferring that risk to a third party,
making the remaining risk acceptable.
18. In the movie "Office Space", a software programmer writes a program that deducts money
from the company's account and deposits it into a personal account. His coworker loads the
program onto the mainframe operating system. This type of teamwork is called _________.
A. Separation of Duties
B. Collusion
C. Collision
D. Phreaking
Collusion is the act of more than one individual working together to carry out fraudulent
activities. Controls such as job rotation and separation of duties help to prevent and identify
collusion attempts.
19. Anne is a senior-level account executive who has come under scrutiny by upper management
for possibly revealing proprietary company information to customers. Anne's superiors have
put several controls in place in order to learn more about her behavior. Which of the actions
below is not a viable and ethical option for them?
A. Inform all employees that monitoring can take place before actually monitoring Anne's
activities.
B. Place monitoring devices on Anne's computer and phone without notifying her.
C. Place her on probation while the matter is under investigation.
D. Institute the job rotation principle by allowing her coworker Joan to take over the account.
This is a dicey situation for companies. Extreme care and due care must be taken to ensure that
the company is not later held liable for invading someone's privacy. In this example, the only
action that could get the company into trouble is monitoring Anne's activity without notice. Most
companies avoid this problem by issuing a company-wide notification that all employees are
subject to monitoring. In this example though, the company would be in violation of Anne's
privacy if her computer and telephone activity were suddenly monitored without her first being
warned of the possibility.
20. Dean is asked to identify a more statistically oriented approach than the Total Quality
Management (TQM) provided back in the 1980s. Which of the following would be the best
choice for Dean?
A. Six Sigma
B. TQS
C. TQL
D. ITIL
Six Sigma is a process improvement methodology. It is the "new and improved" Total Quality
Management (TQM) that hit the business sector in the 1980s. Its goal is to improve process
quality by using statistical methods of measuring operational efficiency and reducing variation,
defects and waste.
21. Michael is a security professional in charge of enforcing security policies within his company.
For the last 18 months he has recommended acquiring a closed-circuit TV monitoring system
for their general office buildings in order to prevent and detect employee theft. Finally, after
countless cost-benefit debates and thousands of dollars lost to theft, the senior leadership
team agrees and instructs Michael to purchase the system. The leadership team has done
what?
A. Transferred the risk
B. Reduced the risk
C. Accepted the risk
D. Rejected the risk
Reducing the risk is the act of employing a countermeasure in order to mitigate the risk. This is
common in companies. They try to live with the threat until it becomes too expensive. Then, a
countermeasure is put into place to reduce the expense and risk.
22. Denial-of-Service (DoS) attacks are geared at which leg of the CIA triad?
A. Integrity
B. Availability
C. Confidentiality
D. Collision
Denial-of-Service attacks overwhelm their victims with traffic, degrading a computer's performance
or consuming an environment's bandwidth. When a system freezes, crashes, or reboots, it becomes
unavailable.
23. A policy is written and communicated in order to instruct individuals on what to do or what
not to do. Nearly everyone at one time or another has been given a stated policy to follow.
For example, Therese is a pharmaceutical representative who works with customers and
insurance providers. One of her stated policies reads, "Under no circumstances can you
divulge a customer's medical information without completing a three-step identification
process. Divulging this information improperly will result in swift termination procedures and
potential legal action." What type of policy is this?
A. Advisory
B. Ramification
C. Informative
D. Regulatory
A regulatory policy is regulated by law and is written to ensure that the organization is following
standards set by a specific industry. This policy is detailed in nature and specific to a type of
industry. Regulatory policies are used in financial institutions, health care facilities, and public
utilities.
24. Alvin and Chris have not carried out proper project sizing and they are halfway through their
risk analysis. What is the danger of not doing this?
A. This step outlines the steps for mapping regulations and laws to an organization's risk profile.
The team will not be able to assess if the correct level of risk acceptance has been applied.
B. The team will not know if they have secured funding for this project and may put the company
into debt.
C. The right team members have not been gathered for the risk analysis project and the team
must start all over.
D. The scope of the project is not defined, so the project may run out of money and still not meet
its objectives.
It is important to determine the scope of a project before beginning. Anyone who has worked on
a project without a properly defined scope can attest to this. Before starting an assessment and
analysis, the team needs to carry out project sizing. This means understanding what assets and
risks are to be evaluated.
25. Which choice below represents an application or system demonstrating a need for a high
level of confidentiality protection and controls?
A. Unavailability of the system could result in inability to meet payroll obligations and could cause
work stoppage and failure of user organizations to meet critical mission requirements. The
system requires 24-hour access.
B. The application contains proprietary business information and other financial information,
which if disclosed to unauthorized sources, could cause an unfair advantage for vendors,
contractors, or individuals and could result in financial loss or adverse legal action to user
organizations.
C. Destruction of the information would require significant expenditures of time and effort to
replace. Although corrupted information would present an inconvenience to the staff, most
information, and all vital information, is backed up by either paper documentation or on disk.
D. The mission of this system is to produce local weather forecast information that is made
available to the news media forecasters and the general public at all times. None of the
information requires protection against disclosure.
Although elements of all of the systems described could require specific controls for
confidentiality, given the descriptions above, system B most closely fits the definition of a system
requiring a very high level of confidentiality.
26. What type of alternate processing facility contains a full complement of computing
equipment in working order with copies of data ready to go?
A. Hot site
B. Warm site
C. Cold site
D. Cloud site
Hot sites are ready to assume full operational capacity at a moment’s notice.
27. A risk analysis has determined that a knowledge base server has a value of $138,000 and an
exposure factor of a specific threat of 45%. The Annualized Rate of Occurrence (ARO) for this
threat is one in ten years. Based on this information what is the Annual Loss Expectancy (ALE)
for the asset?
A. $1800
B. $62,100
C. $140,000
D. $6210
Annual Loss Expectancy (ALE) determines the loss a company can incur if a specific threat is
realized. In this example, the Single Loss Expectancy (SLE) for the knowledge base server is
$138,000 × 45% = $62,100. The Annualized Rate of Occurrence (ARO) is 0.1 (one in ten years).
SLE × ARO = ALE
$62,100 × 0.1 = $6,210
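Questions 6, 7 and 27 all turn on the same two formulas, SLE = AV × EF and ALE = SLE × ARO. The Python below is an added worked example, not part of the original question bank: it computes both scenarios and goes one step beyond the questions by modelling a countermeasure the way question 6 describes (only the ARO changes) and comparing its annual cost with the ALE it removes. The shutter countermeasure, its cost and its residual ARO are constructed values.

```python
"""Quantitative risk analysis helpers for the SLE/ARO/ALE questions.

Added example, not part of the original question bank. Asset values,
exposure factors and rates of occurrence come from questions 7 and 27;
the countermeasure cost and residual ARO are constructed to illustrate
question 6 (a countermeasure changes the ARO, not AV or EF).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV, in dollars
    exposure_factor: float    # EF, fraction of AV lost in one event (0..1)
    aro: float                # ARO, expected events per year


def sle(s: Scenario) -> float:
    """Single loss expectancy: dollar loss from one occurrence (AV x EF)."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
    return sle(s) * s.aro


def with_countermeasure(s: Scenario, new_aro: float) -> Scenario:
    """Model a countermeasure as in question 6: only the ARO changes.
    AV and EF describe the asset and the threat, not the control."""
    return Scenario(s.asset_value, s.exposure_factor, new_aro)


def countermeasure_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """(ALE before - ALE after) - annual cost of the safeguard.
    Positive means the control saves more loss per year than it costs."""
    return ale(before) - ale(after) - annual_cost


# Question 7: $15M building, 50% destroyed by the average hurricane, 10% per year.
HURRICANE = Scenario(asset_value=15_000_000, exposure_factor=0.50, aro=0.10)

# Question 27: $138,000 server, 45% exposure factor, one occurrence in ten years.
KB_SERVER = Scenario(asset_value=138_000, exposure_factor=0.45, aro=1 / 10)


if __name__ == "__main__":
    for name, s in (("hurricane", HURRICANE), ("kb server", KB_SERVER)):
        print(f"{name}: SLE=${sle(s):,.0f} ARO={s.aro} ALE=${ale(s):,.0f}")

    # Constructed illustration of question 6: hypothetical storm shutters halve
    # the ARO of building damage at a hypothetical cost of $200,000 per year.
    shuttered = with_countermeasure(HURRICANE, new_aro=0.05)
    print(f"countermeasure value: "
          f"${countermeasure_value(HURRICANE, shuttered, 200_000):,.0f}")
```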
28. Your CEO has hinted that security audits may be implemented next year. As a result, your
director has become serious about performing some form of risk assessment. You are
delegated the task of determining which type of risk assessment to perform. The director
wants to learn more about the type of risk assessment that involves a team of internal
business managers and technical staff. He does not want the assessment to place dollar
amounts on identified risks. He wants the group to assign one of 26 common controls to each
threat as it is identified. Which type of risk assessment does your manager want?
A. Delphi
B. Delegated
C. Quantitative
D. FRAP
Facilitated Risk Analysis Process (FRAP) is designed to be performed by a team of business
managers and technical staff from within the organization. The team’s goal is to brainstorm and
identify risk. As the FRAP team identifies risk, they apply a group of 26 common controls designed
to categorize each type of risk. Delphi requires answers to be submitted in written form.
Delegated is not a valid form of risk assessment. Quantitative risk assessment seeks to apply an
objective numeric value.
29. Your consulting firm has won a contract for a small, yet growing, technology firm. The CEO
has wisely decided that the firm’s proprietary technology is worth protecting. Which of the
following is not a reason why this organization should develop information classification?
A. Information classification should be implemented to demonstrate the organization’s
commitment to good security practices.
B. Information classification should be implemented to ensure successful prosecution of
intellectual property violators.
C. Information classification identifies which level of protection should be applied to the
organization’s data.
D. Information classification should be implemented to meet regulatory and industry standards.
Information classification demonstrates the commitment to good security practices, helps
identify what information is worth protecting, and should be pursued to meet all federal, state,
local or industry regulations. Information classification may not help prosecute intellectual
property violators located in third-world countries, because enforcement laws are inconsistent.
30. Your company has brought in a group of contract programmers. Although management feels
it is important to track these users’ activities, they also want to make sure that any changes
to program code or data can be tied to a specific individual. Which of the following best
describes the means by which an individual cannot deny having performed an action or
caused an event?
A. Identification
B. Auditing
C. Logging
D. Nonrepudiation
Nonrepudiation is used to verify that an individual has performed an action or event. Transaction
logs, digital certificates, and access control mechanisms are some of the ways in which
nonrepudiation can be established.
31. Christine has been given network access to pilot engineering design documents. Although she
can view the documents, she cannot print them or make changes. Which of the following
does she lack?
A. Identification
B. Authorization
C. Authentication
D. Validation
Although you may be identified and authenticated into a computer system or network, that does
not mean you are authorized to use every item, or that every item is required for your job
functions. Authorization is more of a gray area because each user typically is limited in his or her
rights and privileges within the network. Working under the principle of least privilege, a user
should have no more access than what is required. Therefore, although Christine may need access
to the engineering documents, she does not have the right to print or make changes to them.
32. Zac overhears someone say that Bryce is planning to attack John’s computer network. What
type of evidence would a court consider this testimony?
A. Best evidence
B. Hearsay
C. Conclusive
D. Admissible
Hearsay evidence is defined as information that is not based on personal firsthand knowledge
but was obtained through third parties. As such, it may not be admissible in court. Best evidence
is recorded, written, or photographed. Conclusive evidence is irrefutable. Admissible evidence is
any evidence that can be allowed in court.
33. During which step of the BIA do implementers ensure that all critical business processes are
identified and ranked?
A. Criticality prioritization
B. Defining the continuity strategy
C. Resource requirements
D. Downtime estimation
Performing the BIA is no easy task. It requires not only knowledge of business processes but also
a thorough understanding of the organization itself. Criticality prioritization is the portion of the
BIA that identifies and prioritizes all critical business processes. It also is used to analyze the
impact a disruption would have on services or processes.
34. Greg, your eccentric brother-in-law, has cashed out his 401(k) plan. He claims to have come
up with a great business idea. He has purchased several large tractor-trailer rigs that have
been retrofitted with backup power, computers, networking equipment, satellite Internet
connectivity, work area, and HVAC. He has hired a sales team to sign contracts with local
companies because he claims to offer a full backup alternative that’s functional during almost
any kind of organizational disaster. What is the best description for his new business venture?
A. Cold site
B. Warm site
C. Rolling hot site
D. Mobile backup site
Rolling hot sites are tractor-trailer rigs or portable buildings that can be quickly brought to a
disaster area and used as a network center or data processing facility. They are usually
tractor-trailer rigs that have been converted into data processing centers. They contain all the
necessary equipment and can be transported to a business location quickly. Several can be
chained together to provide space for data processing and to provide communication
capabilities. They are a good choice for areas where no recovery facilities exist.
35. Your organization performed a full backup on Monday. On Tuesday and Wednesday,
incremental backups were performed. Then, on Thursday morning, a hardware failure
destroyed all data on the server. Which of the following represents the proper restore
method?
A. Monday’s full backup
B. Monday’s full backup and Wednesday’s incremental backup
C. Monday’s full backup and Tuesday’s and Wednesday’s incremental backups
D. Wednesday’s incremental backup
An incremental backup makes a copy of all the files that were changed since the last backup. This
means that for the organization to fully restore the lost data, Monday’s full backup and Tuesday’s
and Wednesday’s incremental backups must all be restored, in that order. Incremental backups use
substantially less storage media than full backups but require more work and time to restore.
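To show why option C is the only correct restore chain, the following Python simulates a backup cycle over constructed file snapshots, then restores the chain and checks the result. It is an added example, not part of the original question bank, and goes beyond the question by also covering the differential strategy, whose restore chain differs (full plus only the newest differential).

```python
"""Which backup sets to restore after a failure (question 35 in Domain 1).

Added example, not part of the original question bank. The weekly file
snapshots are constructed; the code also covers differential backups, which
the question does not mention, because their restore chain is different.
"""
from typing import Dict, List, Tuple

FileSet = Dict[str, str]            # filename -> content version
Backup = Tuple[str, str, FileSet]   # (day, kind, files captured in this set)

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]

# Constructed state of the server at the end of each backup day.
WEEK: List[Tuple[str, FileSet]] = [
    ("Monday", {"a.txt": "v1", "b.txt": "v1", "c.txt": "v1"}),
    ("Tuesday", {"a.txt": "v2", "b.txt": "v1", "c.txt": "v1"}),
    ("Wednesday", {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1"}),
]


def take_backups(snapshots: List[Tuple[str, FileSet]], strategy: str) -> List[Backup]:
    """Simulate one cycle: a full backup on the first day, then `strategy`
    ('incremental' or 'differential') sets on the following days.
    Incremental: files changed since the previous backup of any kind.
    Differential: files changed since the last full backup.
    (Deletions are not modelled; only new or changed files are captured.)"""
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    backups: List[Backup] = []
    at_last_backup: FileSet = {}
    at_last_full: FileSet = {}
    for i, (day, files) in enumerate(snapshots):
        if i == 0:
            backups.append((day, "full", dict(files)))
            at_last_full = dict(files)
        else:
            baseline = at_last_backup if strategy == "incremental" else at_last_full
            changed = {f: v for f, v in files.items() if baseline.get(f) != v}
            backups.append((day, strategy, changed))
        at_last_backup = dict(files)
    return backups


def restore_chain(backups: List[Backup], failure_day: str) -> List[Backup]:
    """Return the sets, oldest first, needed to recover the state as of the
    last backup completed before `failure_day`. Every incremental back to
    the full backup is needed; for differential only the newest one is."""
    order = {d: i for i, d in enumerate(DAYS)}
    usable = [b for b in backups if order[b[0]] < order[failure_day]]
    chain: List[Backup] = []
    for b in reversed(usable):                 # walk back toward the full backup
        kind = b[1]
        if kind == "full":
            chain.append(b)
            break
        if kind == "incremental" or (kind == "differential" and not chain):
            chain.append(b)
    else:
        raise ValueError("no full backup available before the failure")
    chain.reverse()
    return chain


def restore(chain: List[Backup]) -> FileSet:
    """Apply sets in order; later sets overwrite earlier versions of a file."""
    state: FileSet = {}
    for _, _, files in chain:
        state.update(files)
    return state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        chain = restore_chain(take_backups(WEEK, strategy), "Thursday")
        print(strategy, "->", [(d, k) for d, k, _ in chain])
```

Restoring only Monday's full and Wednesday's incremental (option B) silently loses Tuesday's change to a.txt, which the simulation makes visible.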
DOMAIN 2
1. Regarding media sanitization, degaussing is not effective for which of the following?
A. Nonmagnetic media
B. Damaged media
C. Media with large storage capacity
D. Quickly purging diskettes
Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the
recorded magnetic domains. It is not effective for purging nonmagnetic media (i.e., optical
media), such as compact discs (CD) and digital versatile discs (DVD). However, degaussing can be
an effective method for purging damaged media, for purging media with exceptionally large
storage capacities, or for quickly purging diskettes.
Reference: Official (ISC)2 Guide to the CISSP CBK 4th Ed, Adam Gordon (p.204)
2. An employee retained access to sensitive data from previous job assignments. Investigators
later caught him selling some of this sensitive data to competitors. What could have
prevented the employee from stealing and selling the secret data?
A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. User entitlement audit
A user entitlement audit can detect when employees have excessive privileges. Asset valuation
identifies the value of assets. Threat modeling identifies threats to valuable assets. Vulnerability
analysis detects vulnerabilities or weaknesses that can be exploited by threats.
3. Your lab manager is preparing to buy all the equipment that has been budgeted for next year.
While reviewing the specifications for several pieces of equipment, he notices that each
device has a Mean Time To Repair (MTTR) rating. He asks you what this means. Which of the
following is the best response?
A. The MTTR is used to determine the expected time before the repair can be completed. Higher
numbers are better.
B. The MTTR is used to determine the expected time before the repair can be completed. Lower
numbers are better.
C. The MTTR is used to determine the expected time between failures. Higher numbers are
better.
D. The MTTR is used to determine the expected time between failures. Lower numbers are
better.
Mean Time To Repair (MTTR) is a value used to calculate the average time to bring a device back
up to operating standards. Lower numbers mean reduced downtime.
4. Which choice below is NOT a recommendation for records and materials storage in the
computer room, for fire safety?
A. Green bar printing paper for printers should be stored in the computer room.
B. Abandoned cables shall not be allowed to accumulate.
C. Space beneath the raised floor shall not be used for storage purposes.
D. Only minimum records required for essential and efficient operation.
The NFPA recommends that only the absolute minimum essential records, paper stock, inks,
unused recording media, or other combustibles be housed in the computer room. Because of the
threat of fire, these combustibles should not be stored in the computer room or under raised
flooring, including old, unused cabling. Underfloor abandoned cables can interfere with airflow
and extinguishing systems. Cables that are not intended to be used should be removed from the
room. It also recommends that tape libraries and record storage rooms be protected by an
extinguishing system and separated from the computer room by wall construction with a
fire-resistance rating of not less than one hour.
5. Due to some recent after-hours altercations in a nearby parking lot, Kim's company is
installing new lights at the location to improve security. Kim is in charge of physical security
and has done the research on lighting requirements in critical areas. One of the requirements
Kim found was something called 2ft-candles. What does this mean?
A. Lights must be placed 2ft apart.
B. The area being lit must be illuminated 2ft high and 2ft out.
C. This is an illumination metric used for lighting.
D. Each lit area must be within 2ft of the next lit area.
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter
protection states that critical areas should be illuminated 8ft high and use 2ft-candles, which is a
unit that represents the illumination power of an individual light.
6. Which one of the following identifies the primary purpose of information classification
processes?
A. Define the requirements for protecting sensitive data.
B. Define the requirements for backing up data.
C. Define the requirements for storing data.
D. Define the requirements for transmitting data.
A primary purpose of information classification processes is to identify security classifications for
sensitive data and define the requirements to protect sensitive data. Information classification
processes will typically include requirements to protect sensitive data at rest (in backups and
stored on media), but not requirements for backing up and storing all data. Similarly,
information classification processes will typically include requirements to protect sensitive data
in transit, but not all data.
7. When determining the classification of data, which one of the following is the most important
consideration?
A. Processing system
B. Value
C. Storage media
D. Accessibility
Data is classified based on its value to the organization. In some cases, it is classified based on
the potential negative impact if unauthorized personnel can access it, which represents a
negative value. It is not classified based on the processing system, but the processing system is
classified based on the data it processes. Similarly, the storage media is classified based on the
data classification, but the data is not classified based on where it is stored. Accessibility is
affected by the classification, but the accessibility does not determine the classification.
Personnel implement controls to limit accessibility of sensitive data.
8. Which of the following answers would not be included as sensitive data?
A. Personally identifiable information (PII)
B. Protected health information (PHI)
C. Proprietary data
D. Data posted on a website
Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.
9. From a security perspective, which of the following is the most important portion of media
control labeling?
A. The date of creation
B. The volume name and version
C. The classification
D. The individual who created it
The classification of the data is the most important aspect, because it can tell people how the
data should be handled. Media control labeling includes the date of creation, the volume name
and version, the classification, the individual who created it, and the retention period.
10. CISSP candidates are required to understand change control management and data
classification. Which data classifications are valid for marking documents that have gone
through change control?
A. Residential and government
B. Government and commercial
C. Commercial and private
D. International and national
Two commonly used schemes are government and commercial (business). Each uses various
labels, such as top-secret, secret, private, and confidential, to identify the handling and value of
the information to the organization.
11. Which tape backup method is known as grandfather, father, son?
A. This scheme uses one tape for every day of the week and then repeats the next week. One
tape can be for Mondays, one for Tuesdays, and so on. You add a set of new tapes each month
and then archive the monthly sets.
B. This scheme includes four tapes for weekly backups, one tape for monthly backups, and four
tapes for daily backups.
C. This scheme involves using five sets of tapes, each set labeled A through E.
D. This scheme uses only one set of tapes. After a predetermined number of months, you need the
newest set of tapes.
Grandfather, father, son uses four tapes for weekly backups, one tape for monthly backups, and
four tapes for daily backups. A simple tape scheme uses one tape for every day of the week and
then repeats the next week. One tape can be for Mondays, one for Tuesdays, and so on. You add
a set of new tapes each month and then archive the monthly sets. Tower of Hanoi uses five sets
of tapes, each set labeled A through E.
12. When you’re classifying critical systems, which category can be described as follows? “These
functions are important and can be performed by a backup manual process but not for a long
period of time.”
A. Vital
B. Sensitive
C. Critical
D. Driven by demand
Items that are considered vital meet the description of functions that are important and that can
be performed by a backup manual process but not for a long period of time.
13. Company A is asked to implement a backup plan that can be used to restore data after a
disaster or incident that results in a loss of data. Company B is asked to examine what
methods of data destruction are acceptable when old hard drives are retired and no longer
needed. If you were asked to assist company B, which of the following methods would you
recommend as being the best choice of data destruction regardless of whether the data was
kept onsite or offsite?
A. Manual erase of all files
B. Formatting
C. Zeroization
D. Seven pass drive wipe
A seven pass drive wipe is the best choice of all the options shown.
14. Which method of data erasure magnetically scrambles the patterns on a hard drive so that it
is unrecoverable?
A. Zeroization
B. Degaussing
C. Shredding
D. Drive wiping
Degaussing is a method of magnetically scrambling the patterns on a hard drive so that they are
unrecoverable. Degaussing, which can be performed by either AC or DC current, creates a large
magnetic field. The result is that the information is practically unrecoverable. Zeroization works
by zeroing all data on the drive. The pattern of 1s and 0s used makes it very difficult to recover
the data. Shredding is a form of physical destruction. As such, it is impossible to recover the
information. High-security information stored on disk drives usually is destroyed using this
method. Drive wiping is similar to zeroization in that a pattern of 1s and 0s is written to the drive.
These passes of 1s and 0s may be done three times, seven times, or more.
15. Which would an administrator do to classified media before reusing it in a less secure
environment?
A. Erasing
B. Clearing
C. Purging
D. Overwriting
Purging media removes all data by writing over existing data multiple times to ensure that the
data is not recoverable using any known methods. Purged media can then be reused in less
secure environments. Erasing the media performs a delete, but the data remains and can easily
be restored. Clearing, or overwriting, writes unclassified data over existing data, but some
sophisticated forensics techniques may be able to recover the original data, so this method
should not be used to reduce the classification of media.
16. Which of the following statements correctly identifies a problem with sanitization methods?
A. Methods are not available to remove data ensuring that unauthorized personnel cannot
retrieve data.
B. Even fully incinerated media can offer extractable data.
C. Personnel can perform sanitization steps improperly.
D. Stored data is physically etched into the media.
Sanitization can be unreliable because personnel can perform the purging, degaussing, or other
processes improperly. When done properly, purged data is not recoverable using any known
methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically
etched into the media.
17. Which of the following choices is the most reliable method of destroying data on a solid state
drive?
A. Erasing
B. Degaussing
C. Deleting
D. Purging
Purging is the most reliable method of the given choices. Purging overwrites the media with
random bits multiple times and includes additional steps to ensure data is removed. While not
an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting
processes rarely remove the data from media, but instead mark it for deletion. Solid state drives
(SSDs) do not have magnetic flux so degaussing an SSD doesn’t destroy data.
18. Which of the following is the most secure method of deleting data on a DVD?
A. Formatting
B. Deleting
C. Destruction
D. Degaussing
Physical destruction is the most secure method of deleting data on optical media such as a DVD.
Formatting and deleting processes rarely remove the data from any media. DVDs do not have
magnetic flux so degaussing a DVD doesn’t destroy data.
19. Which one of the following is based on Blowfish and helps protect against rainbow table
attacks?
A. 3DES
B. AES
C. Bcrypt
D. SCP
Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128
additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard
(AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is
based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy
(SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.
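To make the rainbow-table point in question 19 concrete, the following Python program is an added example (it is not from the study guide or from any of the referenced books). It contrasts an unsalted password hash, which a precomputed lookup table defeats, with a hash that mixes in a random 128-bit per-user salt, the figure the explanation quotes for bcrypt. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 stands in for it; the property being shown (a salt makes a reusable table useless) is the same. The word list and password records are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the dictionary an attacker precomputes hashes for.
DICTIONARY = ["password", "letmein", "qwerty", "123456", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. The same password always hashes to the same
    value on every system, so a table computed once is reusable everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext for the word list. A real rainbow table stores
    hash chains instead of every pair to save space, but it exploits the same
    property: unsalted hashing is a fixed function of the password alone."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (stand-in for bcrypt, which likewise
    feeds a random salt into its Blowfish-based key setup and iterates many rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Store a fresh 128-bit random salt next to the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt; the constant-time compare avoids timing leaks."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def lookup_unsalted(password: str, table: dict):
    """Return the recovered plaintext if the unsalted hash is in the table, else None."""
    return table.get(unsalted_hash(password))


def lookup_salted(record: dict, table: dict):
    """The table was built without salts, so a salted hash can never match an entry."""
    return table.get(record["hash"].hex())


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    print("unsalted 'letmein' recovered as:", lookup_unsalted("letmein", table))
    rec = create_record("letmein")
    print("salted   'letmein' recovered as:", lookup_salted(rec, table))
    print("two records for the same password differ:",
          create_record("letmein")["hash"] != rec["hash"])
```

The salt is stored in the clear beside the hash; its job is uniqueness, not secrecy. An attacker who obtains the database must now precompute a table per salt, which is what removes the value of a table built in advance.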
20. Which one of the following would administrators use to connect to a remote server securely
for administration?
A. Telnet
B. Secure File Transfer Protocol (SFTP)
C. Secure Copy (SCP)
D. Secure Shell (SSH)
SSH is a secure alternative to Telnet because it encrypts data transmitted over a network. In
contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting
sensitive data over a network, but not for administration purposes.
21. Which one of the following tasks would a custodian most likely perform?
A. Access the data
B. Classify the data
C. Assign permissions to the data
D. Back up data
A data custodian performs day-to-day tasks to protect the integrity and security of data, and this
includes backing it up. Users access the data. Owners classify the data. Administrators assign
permissions to the data.
22. Which one of the following data roles is most likely to assign permissions to grant users access
to data?
A. Administrator
B. Custodian
C. Owner
D. User
The administrator assigns permissions based on the principles of least privilege and need to
know. A custodian protects the integrity and security of the data. Owners have ultimate
responsibility for the data and ensure that it is classified properly, and owners provide guidance
to administrators on who can have access, but owners do not assign permissions. Users simply
access the data.
23. Which of the following best defines “rules of behavior” established by a data owner?
A. Ensuring users are granted access to only what they need
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system
The rules of behavior identify the rules for appropriate use and protection of data. Least privilege
ensures users are granted access to only what they need. A data owner determines who has
access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems
or security controls.
24. Within the context of the European Union (EU) Data Protection law, what is a data processor?
A. The entity that processes personal data on behalf of the data controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data
The EU Data Protection law defines a data processor as “a natural or legal person which processes
personal data solely on behalf of the data controller.” The data controller is the entity that
controls processing of the data and directs the data processor. Within the context of the EU Data
Protection law, the data processor is not a computing system or network.
25. What do the principles of notice, choice, onward transfer, and access closely apply to?
A. Privacy
B. Identification
C. Retention
D. Classification
These are the first four principles in the Safe Harbor principles and they apply to maintaining the
privacy of data. They do not address identification or retention of data. They primarily refer to
privacy data such as personally identifiable information (PII), and while that may be considered
a classification, classification isn’t the primary purpose of the seven Safe Harbor principles.
26. An organization is implementing a preselected baseline of security controls, but finds not all
of the controls apply. What should they do?
A. Implement all of the controls anyway.
B. Identify another baseline.
C. Re-create a baseline.
D. Tailor the baseline to their needs.
Scoping and tailoring processes allow an organization to tailor security baselines to its needs.
There is no need to implement security controls that do not apply, and it is not necessary to
identify or re-create a different baseline.
27. An organization has a datacenter manned 24 hours a day that processes highly sensitive
information. The datacenter includes email servers, and administrators purge email older
than six months to comply with the organization’s security policy. Access to the datacenter is
controlled, and all systems that process sensitive information are marked. Administrators
routinely back up data processed in the datacenter. They keep a copy of the backups on site
and send an unmarked copy to one of the company warehouses. Warehouse workers
organize the media by date, and they have backups from the last 20 years. Employees work
at the warehouse during the day and lock it when they leave at night and over the weekends.
Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later,
copies of their data, including sensitive emails from years ago, began appearing on Internet
sites, exposing the organization’s internal sensitive data.
Which of the following administrator actions might have prevented this incident?
A. Mark the tapes before sending them to the warehouse.
B. Purge the tapes before backing up data to them.
C. Degauss the tapes before backing up data to them.
D. Add the tapes to an asset management database.
If the tapes were marked before they left the datacenter, employees would recognize their value
and it is more likely someone would challenge their storage in an unmanned warehouse. Purging
or degaussing the tapes before using them will erase previously held data but won’t help if
sensitive information is backed up to the tapes after they are purged or degaussed. Adding the
tapes to an asset management database will help track them but wouldn’t prevent this incident.
28. QA/QC mechanisms are designed to prevent data contamination, which occurs when a
process or event introduces either of which two fundamental types of errors into a dataset:
(Choose TWO)
A. Errors of commission
B. Errors of insertion
C. Errors of omission
D. Errors of creation
QA/QC mechanisms are designed to prevent data contamination, which occurs when a process
or event introduces either of two fundamental types of errors into a dataset:
- Errors of commission include those caused by data entry or transcription, or by malfunctioning
equipment. These are common, fairly easy to identify, and can be effectively reduced up front
with appropriate QA mechanisms built into the data acquisition process, as well as QC procedures
applied after the data has been acquired.
- Errors of omission often include insufficient documentation of legitimate data values, which
could affect the interpretation of those values. These errors may be harder to detect and correct,
but many of these errors should be revealed by rigorous QC procedures.
29. Which of the following BEST determines the employment suitability of an individual?
A. Job rank or title
B. Partnership with the security team
C. Role
D. Background investigation
A background investigation relevant to the role, job or access is the best approach for minimal
security problems. While a background investigation will not guarantee the integrity or honesty
of an individual it will give the organization a glimpse into the history of an individual and
references.
30. Which of the following processes is concerned with not only identifying the root cause but
also addressing the underlying issue?
A. Incident management
B. Problem management
C. Change management
D. Configuration management
While incident management is concerned primarily with managing an adverse event, problem
management is concerned with tracking that event back to a root cause and addressing the
underlying problem. Maintaining system integrity is accomplished through the process of change
control management. Configuration management is a process of identifying and documenting
hardware components, software, and the associated settings.
DOMAIN 3
1. Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.
Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication
protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source
but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to
encrypt and decrypt the keys.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.209)

2. In which of the following security models is the subject's clearance compared to the object's
classification such that specific rules can be applied to control how the subject-to-object
interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model
The Bell-LaPadula model was developed by the US military in the 1970s. It is also called a
multilevel security system because users with different clearances use the system and the system
processes data with different classification levels. The level at which information is classified
determines the handling procedures that should be used. The Bell-LaPadula model is a state
machine model that enforces the confidentiality aspects of access control. A matrix and security
levels are used to determine if subjects can access different objects. The subject's clearance is
compared to the object's classification and then specific rules are applied to control how
subject-to-object interactions can take place.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.369)
3. Which of the following is NOT a true statement regarding the implementation of the 3DES
modes?
A. DES-EEE1 uses one key
B. DES-EEE2 uses two keys
C. DES-EEE3 uses three keys
D. DES-EDE2 uses two keys
There is no 3DES mode called DES-EEE1; it does not exist.
The following are the correct modes for triple-DES (3DES):
DES-EEE3 uses three different keys for encryption and the data are encrypted, encrypted,
encrypted.
DES-EDE3 uses three different keys for encryption and the data are encrypted, decrypted and
encrypted.
DES-EEE2 the same as DES-EEE3, but uses only two keys, and the first and third encryption
processes use the same key.
DES-EDE2 the same as DES-EDE3, but uses only two keys, and the first and third encryption
processes use the same key.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.808)
4. What would you call a microchip installed on the motherboard of modern computers that is
dedicated to carrying out security functions involving the storage and processing of
symmetric and asymmetric keys, hashes and digital certificates?
A. Trusted Platform Module (TPM)
B. Trusted BIOS Module (TBM)
C. Central Processing Unit (CPU)
D. Arithmetic Logic Unit (ALU)
The Trusted Platform Module (TPM) was devised by the Trusted Computing Group (TCG), an
organization that promotes open standards to help strengthen computing platforms against
security weaknesses and attacks.
The TPM is essentially a securely designed microcontroller with added modules to perform
cryptographic functions. These modules allow for accelerated storage and processing of
cryptographic keys, hash values and pseudorandom number sequences.
The TPM's internal storage is based on nonvolatile random access memory, which retains its
information when power is turned off and is therefore termed nonvolatile. The TPM is used to
deter any attempts to tamper with a system's configuration.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.843)
5. Brad uses Telnet to connect to several open ports on a victim computer and capture the
banner information. What is the purpose of his activity?
A. Scanning
B. Fingerprinting
C. Attempting a DoS
D. Privilege escalation
Fingerprinting is the act of service and OS identification. Fingerprinting allows an attacker to
formulate a plan of system attack.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1287-1288)
6. Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The
originator encrypts information using the intended recipient's "public" key in order to get
confidentiality of the data being sent. The recipients use their own "private" key to decrypt
the information. The "Infrastructure" of this methodology ensures that:
A. The sender and recipient have reached a mutual agreement on the encryption key exchange
that they will use.
B. The channels through which the information flows are secure.
C. The recipient's identity can be positively verified by the sender.
D. The sender of the message is the only other person with access to the recipient's private key.
Through the use of Public Key Infrastructure (PKI) the recipient's identity can be positively verified
by the sender.
The sender of the message knows he is using a Public Key that belongs to a specific user. He can
validate through the Certification Authority (CA) that a public key is in fact the valid public key of
the receiver and the receiver is really who he claims to be. By using the public key of the recipient,
only the recipient using the matching private key will be able to decrypt the message. When you
wish to achieve confidentiality, you encrypt the message with the recipient public key.
If the sender would wish to prove to the recipient that he is really who he claims to be then the
sender would apply a digital signature on the message before encrypting it with the public key of
the receiver. This would provide Confidentiality and Authenticity of the message. A PKI (Public
Key Infrastructure) enables users of an insecure public network, such as the Internet, to securely
and privately exchange data through the use of public key-pairs that are obtained and shared
through a trusted authority, usually referred to as a Certificate Authority.
The PKI provides for digital certificates that can vouch for the identity of individuals or
organizations, and for directory services that can store, and when necessary, revoke those digital
certificates. A PKI is the underlying technology that addresses the issue of trust in a normally
untrusted environment.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.833-834)
7. In a relational database, what type of key is used to uniquely identify a record in a table and
can have multiple instances per table?
A. Candidate key
B. Primary key
C. Unique key
D. Foreign key
A candidate key is a subset of attributes that can be used to uniquely identify any record in a
table. No two records in the same table will ever contain the same values for all attributes
composing a candidate key. Each table may have one or more candidate keys, which are chosen
from column headings.
8. Which of the following would NOT be a component of a general enterprise security
architecture model for an organization?
A. Information and resources to ensure the appropriate level of risk management
B. Consideration of all the items that comprise information security, including distributed
systems, software, hardware, communications systems, and networks
C. A systematic and unified approach for evaluating the organization’s information systems
security infrastructure and defining approaches to implementation and deployment of
information security controls
D. IT system auditing
The auditing component of the IT system should be independent and distinct from the
information system security architecture for a system.
9. In order to recognize the practical aspects of multilevel security in which, for example, an
unclassified paragraph in a Secret document has to be moved to an Unclassified document,
the Bell-LaPadula model introduces the concept of a:
A. Simple security property
B. Secure exchange
C. Data flow
D. Trusted subject
The model permits a trusted subject to violate the *-property but to comply with the intent of
the *-property. Thus, a person who is a trusted subject could move unclassified data from a
classified document to an unclassified document without violating the intent of the *-property.
Another example would be for a trusted subject to downgrade the classification of material when
it has been determined that the downgrade would not harm national or organizational security
and would not violate the intent of the *-property. The simple security property (ss-property),
states that a subject cleared for one classification cannot read data from a higher classification.
This property is also known as the no read up property.
10. The minimum information necessary on a digital certificate is:
A. Name, expiration date, digital signature of the certifier
B. Name, expiration date, public key
C. Name, serial number, private key
D. Name, public key, digital signature of the certifier
The name of the individual is certified and bound to his/her public key. This certification is
validated by the digital signature of the certifying agent.
11. An iterated block cipher encrypts by breaking the plaintext block into two halves and, with a
subkey, applying a “round” transformation to one of the halves. Then, the output of this
transformation is XORed with the remaining half. The round is completed by swapping the
two halves. This type of cipher is known as:
A. RC4
B. Diffie-Hellman
C. RC6
D. Feistel
The question stem describes one round of a Feistel cipher. This algorithm was developed by an
IBM team led by Horst Feistel. The algorithm was called Lucifer and was the basis for the Data
Encryption Standard (DES).
12. Which of the following DES modes is typically used when small amounts of data are
encrypted, such as in ATM PIN numbers?
A. OFB
B. ECB
C. CFB
D. CBC
Electronic Code Book (ECB) mode does not use any chaining. This means that the same plaintext
will create the same ciphertext every time it is encrypted with the same key. The other DES modes
use chaining, which means some of the previously encrypted data is used in the encryption
process. These modes do not provide patterns as the ECB mode does.
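Questions 11 and 12 describe a Feistel round and the pattern leakage of ECB mode. The Python program below is an added example, not code from the study guide or from DES itself: it builds a toy 64-bit Feistel cipher (the round function, key schedule and demo key are constructed and deliberately simple) and then runs it in ECB and in CBC mode over four identical "PIN" records. Under ECB the four identical plaintext blocks produce four identical ciphertext blocks; under CBC the chaining hides the repetition. Because any Feistel network is a permutation whatever its round function, decryption is the same function with the subkeys in reverse order.

```python
import os
from typing import List

BLOCK = 8          # 64-bit block split into two 32-bit halves, as in DES
ROUNDS = 16
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(half: int, subkey: int) -> int:
    """Toy round function F (constructed; not DES's F). In a Feistel network F only
    has to be hard to invert, not invertible: decryption never runs F backwards."""
    x = (half + subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    x ^= x >> 3
    return (x * 0x9E3779B1) & MASK32


def key_schedule(key: bytes) -> List[int]:
    """Derive one 32-bit subkey per round from an 8-byte key by rotating and mixing."""
    k = int.from_bytes(key, "big")
    subkeys = []
    for r in range(ROUNDS):
        k = ((k << 13) | (k >> 51)) & MASK64
        subkeys.append((k ^ (r * 0x01234567)) & MASK32)
    return subkeys


def feistel(block: bytes, subkeys: List[int]) -> bytes:
    """Each round: apply F to the right half with the round subkey, XOR the result into
    the left half, then swap the halves. Feeding the subkeys in reverse order undoes it."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in subkeys:
        left, right = right, left ^ round_function(right, sk)
    # Undo the final swap so the network is its own inverse with reversed subkeys
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key_schedule(key)[::-1])


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style padding, always at least 1 byte
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks give
    equal ciphertext blocks and the structure of the data shows through."""
    data = pad(data)
    return b"".join(encrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def ecb_decrypt(data: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK)))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV for
    the first) before encryption, so repeated plaintext no longer repeats in the output."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out.append(xor(decrypt_block(block, key), prev))
        prev = block
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"\x13\x34\x57\x79\x9b\xbc\xdf\xf1"      # constructed demo key
    pin_records = b"PIN=1234" * 4                  # four identical 8-byte records
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(pin_records, key)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(pin_records, key, os.urandom(BLOCK))))
```

The count of repeated ciphertext blocks is the check a reviewer can apply to any ECB-encrypted record store: identical records are visible without the key. CBC with a fresh random IV per message removes that pattern; the toy cipher provides no real security and exists only to make the mode behaviour observable.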
13. An attacker has infiltrated a company's network and is using a network mapping tool to learn
about different devices. The tool sends out multiple ping commands and port scans and waits
for responses from all of the devices. The tool then analyzes the responses to identify the
operating system type, services running and ports that are open. What is the process called?
A. Fingerprinting
B. Port scanning
C. TCP wrapping
D. Ping evaluations
Network mapping tools perform fingerprinting functions within networks. The responses
received from ping commands and port scans can provide useful information to the requester,
such as clarifying what type of device it is connected to. The attacker can also learn what
operating system software and applications are running.
14. What does AES use S-boxes for during the encryption process?
A. Chaining
B. Key exchange
C. Substitution
D. Key generation
S-boxes (substitution boxes) hold the mathematics and logic that will be performed on the
different blocks of data. These S-boxes are used by the algorithm to carry out the substitution
and transposition functions.
15. Which algorithm did NIST choose to become the Advanced Encryption Standard (AES)
replacing DES?
A. DEA
B. Rijndael
C. Twofish
D. IDEA
Rijndael is the algorithm in place today for protecting sensitive but unclassified US government
information. DES was finally broken and needed to be replaced by a stronger algorithm that
provided larger key sizes.
16. When correctly implemented, what is the only cryptosystem known to be unbreakable?
A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad
Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not
vulnerable to attacks.
17. In the 1940s, a team of cryptanalysts from the United States successfully broke a Soviet code
based on a one-time pad in a project known as VENONA. What rule did the Soviets break that
caused this failure?
A. Key values must be random.
B. Key values must be the same length as the message.
C. Key values must be used only once.
D. Key values must be protected from physical disclosure.
The cryptanalysts from the United States discovered a pattern in the method the Soviets used to
generate their one-time pads. After this pattern was discovered, much of the code was eventually
broken.
18. Which one of the following cipher types operates on large pieces of a message rather than
individual characters or bits of a message?
A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher
Block ciphers operate on message “chunks” rather than on individual characters or bits. The other
ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of
a message.
19. Raven is developing a key escrow system that requires multiple people to retrieve a key but
does not depend on every participant being present. What type of technique is he using?
A. Split knowledge
B. M of N Control
C. Work function
D. Zero-knowledge proof
M of N Control requires that a minimum number of agents (M) out of the total number of agents
(N) work together to perform high-security tasks.
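The M of N control described in question 19 is usually built on Shamir's secret sharing. The Python program below is an added example (not from the study guide or the referenced books) that splits an escrowed key among N agents so that any M of them can reconstruct it while M-1 learn nothing. The field prime, the demo key and the threshold values are constructed for the demonstration.

```python
import secrets
from typing import List, Tuple

# All arithmetic is in the prime field GF(P). 2^521 - 1 is a Mersenne prime, large
# enough to hold a 128- or 256-bit key as a single secret value.
P = (1 << 521) - 1


def split_secret(secret: int, m: int, n: int) -> List[Tuple[int, int]]:
    """Shamir's threshold scheme: the secret is the constant term of a random
    polynomial of degree m-1 and each of the n agents receives one point on it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coefficients = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coefficients):   # Horner's rule: evaluate f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With at least M distinct shares this returns
    the secret; with fewer, every field element is equally consistent with the
    shares held, so the result carries no information about the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        numerator, denominator = 1, 1
        for xj in xs:
            if xj != xi:
                numerator = (numerator * (-xj)) % P
                denominator = (denominator * (xi - xj)) % P
        total = (total + yi * numerator * pow(denominator, -1, P)) % P
    return total


def key_to_secret(key: bytes) -> int:
    return int.from_bytes(key, "big")


def secret_to_key(secret: int, length: int) -> bytes:
    return secret.to_bytes(length, "big")


if __name__ == "__main__":
    escrowed_key = secrets.token_bytes(16)            # constructed 128-bit key to escrow
    shares = split_secret(key_to_secret(escrowed_key), m=3, n=5)
    print("any 3 of 5 recover the key:",
          recover_secret(shares[1:4]) == key_to_secret(escrowed_key))
    print("2 of 5 recover the key:",
          recover_secret(shares[:2]) == key_to_secret(escrowed_key))
```

Each share is a (x, y) pair; an organization would hand one to each escrow agent and record only which x each agent holds. The recovery ceremony needs any M agents present, which is exactly the "does not depend on every participant" property the question describes, whereas plain split knowledge would require all of them.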
20. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which
key does he use to encrypt the message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her
private key. If he encrypted the message with his own public key, the recipient would need to
know Richard’s private key to decrypt the message. If he encrypted it with his own private key,
any user could decrypt the message using Richard’s freely available public key. Richard could not
encrypt the message using Sue’s private key because he does not have access to it. If he did, any
user could decrypt it using Sue’s freely available public key.
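The key-selection reasoning in question 20, and the sign-then-encrypt flow in question 6, can be walked through with textbook RSA. The Python program below is an added example (not from the study guide or the referenced books): the primes are small Mersenne primes chosen only to keep the numbers readable, the message and hash truncation are constructed simplifications, and there is no padding, so it illustrates which key does what and nothing about the strength of real RSA.

```python
from math import gcd
from hashlib import sha256

# Constructed demo primes (Mersenne primes 2^31-1, 2^61-1 and 2^89-1). Real RSA keys
# use randomly generated primes of 1024 bits or more.
P_RICHARD, Q_RICHARD = (1 << 31) - 1, (1 << 61) - 1
P_SUE, Q_SUE = (1 << 61) - 1, (1 << 89) - 1
E = 65537


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA: n = pq, d = e^-1 mod (p-1)(q-1). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def rsa(value: int, key) -> int:
    """Modular exponentiation with either half of a key pair. Applying the public key
    is 'encrypt' or 'verify'; applying the private key is 'decrypt' or 'sign'."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def to_int(message: bytes) -> int:
    return int.from_bytes(message, "big")


def to_bytes(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def digest_int(message: bytes) -> int:
    """Short hash of the message so it fits under the toy modulus (64 bits of SHA-256,
    a constructed simplification; real schemes sign a padded full-length hash)."""
    return to_int(sha256(message).digest()[:8])


def send_confidential(message: bytes, recipient_public) -> int:
    """Question 20: encrypt with the RECIPIENT's public key; only her private key
    reverses it."""
    return rsa(to_int(message), recipient_public)


def send_signed_and_confidential(message: bytes, sender_private, recipient_public):
    """Question 6: sign first (sender's private key over the digest), then encrypt
    both the message and the signature with the recipient's public key."""
    signature = rsa(digest_int(message), sender_private)
    return rsa(to_int(message), recipient_public), rsa(signature, recipient_public)


def receive_signed_and_confidential(package, recipient_private, sender_public, length: int):
    """Decrypt with the recipient's private key, then check the signature with the
    sender's public key. Returns (message, authentic)."""
    enc_message, enc_signature = package
    message = to_bytes(rsa(enc_message, recipient_private), length)
    signature = rsa(enc_signature, recipient_private)
    return message, rsa(signature, sender_public) == digest_int(message)


if __name__ == "__main__":
    richard_pub, richard_priv = make_keypair(P_RICHARD, Q_RICHARD)
    sue_pub, sue_priv = make_keypair(P_SUE, Q_SUE)
    m = b"meet at 9"                                   # constructed message
    c = send_confidential(m, sue_pub)
    print("Sue reads it:", to_bytes(rsa(c, sue_priv), len(m)))
    # Option B from question 20: Richard's private key. Anyone with his public key
    # can undo it, so this proves origin but gives no confidentiality.
    print("anyone reads it:", to_bytes(rsa(rsa(to_int(m), richard_priv), richard_pub), len(m)))
    pkg = send_signed_and_confidential(m, richard_priv, sue_pub)
    print("signed+encrypted:", receive_signed_and_confidential(pkg, sue_priv, richard_pub, len(m)))
```

Richard's modulus is smaller than Sue's so that his signature (a value below his modulus) can be encrypted under her key; in practice the signature is hashed and padded to a fixed size, which removes that ordering constraint. The PKI from question 6 is what lets Richard trust that `sue_pub` really belongs to Sue before he encrypts with it.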
21. Lawrence wants to produce a message digest of a 2,048-byte message he plans to send to
Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this
particular message be?
A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits
The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of
the input message. In fact, this fixed-length output is a requirement of any secure hashing
algorithm.
22. What cryptosystem provides the encryption/decryption technology for the commercial
version of Phil Zimmermann’s Pretty Good Privacy secure email system?
A. ROT13
B. IDEA
C. ECC
D. ElGamal
Pretty Good Privacy uses a “web of trust” system of digital signature verification. The encryption
technology is based on the IDEA private key cryptosystem.
23. When a trusted subject violates the star property of Bell-LaPadula in order to write an object
into a lower level, what valid operation could be taking place?
A. Perturbation
B. Polyinstantiation
C. Aggregation
D. Declassification
Declassification is the process of moving an object into a lower level of classification once it is
determined that it no longer justifies being placed at a higher level. Only a trusted subject can
perform declassification because this action is a violation of the verbiage of the star property of
Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.
24. What security model has a feature that in theory has one name or label, but when
implemented into a solution, takes on the name or label of the security kernel?
A. Graham-Denning model
B. Deployment modes
C. Trusted computing base
D. Chinese Wall
The trusted computing base (TCB) has a component known as the reference monitor in theory,
which becomes the security kernel in implementation.
25. You have three applications running on a single-core single-processor system that supports
multitasking. One of those applications is a word processing program that is managing two
threads simultaneously. The other two applications are using only one thread of execution.
How many application threads are running on the processor at any given time?
A. One
B. Two
C. Three
D. Four
A single-processor system can operate on only one thread at a time. There would be a total of
four application threads (ignoring any threads created by the operating system), but the
operating system would be responsible for deciding which single thread is running on the
processor at any given time.
26. Which type of memory chip can be erased only when it is removed from the computer and
exposed to a special type of ultraviolet light?
A. ROM
B. PROM
C. EPROM
D. EEPROM
EPROMs may be erased through exposure to high-intensity ultraviolet light. ROM and PROM
chips do not provide erasure functionality. EEPROM chips may be erased through the application
of electrical currents to the chip pins and do not require removal from the computer prior to
erasure.
27. The most commonly overlooked aspect of mobile phone eavesdropping is related to which
of the following?
A. Storage device encryption
B. Screen locks
C. Overhearing conversations
D. Wireless networking
The most commonly overlooked aspect of mobile phone eavesdropping is related to people in
the vicinity overhearing conversations (at least one side of them). Organizations frequently
consider and address issues of wireless networking, storage device encryption, and screen locks.
28. What type of addressing scheme supplies the CPU with a location that contains the memory
address of the actual operand?
A. Direct addressing
B. Immediate addressing
C. Base + offset addressing
D. Indirect addressing
In indirect addressing, the location provided to the CPU contains a memory address. The CPU
retrieves the operand by reading it from the memory address provided (which is why it’s called
indirect).
29. What security principle helps prevent users from accessing memory spaces assigned to
applications being run by other users?
A. Separation of privilege
B. Layering
C. Process isolation
D. Least privilege
Process isolation provides separate memory spaces to each process running on a system. This
prevents processes from overwriting each other’s data and ensures that a process can’t read data
from another process.
30. Which of the following is a double set of doors that is often protected by a guard and is used
to contain a subject until their identity and authentication is verified?
A. Gate
B. Turnstile
C. Mantrap
D. Proximity detector
A mantrap is a double set of doors that is often protected by a guard and used to contain a subject
until their identity and authentication is verified.
31. Which of the following is not a typical type of alarm that can be triggered for physical
security?
A. Preventive
B. Deterrent
C. Repellant
D. Notification
There is no such thing as a preventive alarm. Alarms are always triggered in response to a
detected intrusion or attack.
32. No matter what form of physical access control is used, a security guard or other monitoring
system must be deployed to prevent all but which of the following?
A. Piggybacking
B. Espionage
C. Masquerading
D. Abuse
No matter what form of physical access control is used, a security guard or other monitoring
system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot
be prevented by physical access controls.
33. What is the best type of water-based fire suppression system for a computer facility?
A. Wet pipe system
B. Dry pipe system
C. Preaction system
D. Deluge system
A preaction system is the best type of water-based fire suppression system for a computer
facility.
34. Your manager asks you to use a hashing algorithm to verify the integrity of a software
program he received from the R&D branch in Hyderabad, India. Which of the following would
you recommend?
A. IDEA
B. MD5
C. AES
D. DES
MD5 is a one-way hashing algorithm that is often used to check file integrity. The creator of a file
or message can use MD5 to create an MD5 checksum. Then, when the message or program is
received, a new MD5 checksum can be created. If the two checksums match, the data is
unchanged. Programs such as Tripwire automate this process.
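As an added example (not part of the original study guide), the following Python script performs the checksum comparison the explanation describes, using the standard hashlib module. The sample program bytes and the "published" checksums are constructed for illustration. It computes a SHA-256 digest alongside MD5, because MD5 is no longer collision resistant and a practitioner verifying software should prefer SHA-2 wherever the sender can publish it.

```python
import hashlib
import hmac

# Constructed stand-in for the program file received from the R&D branch.
SAMPLE_PROGRAM = b"print('hello from R&D build 1.0')\n"


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Return the hex digest of data using the named hashlib algorithm.

    Data is fed in chunks so the same loop works for large inputs.
    """
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), 4096):
        h.update(data[offset:offset + 4096])
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "md5") -> str:
    """Hash a file on disk without loading it into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(data: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Recompute the checksum and compare it with the one the sender published.

    hmac.compare_digest keeps the comparison time independent of where the
    two strings first differ.
    """
    return hmac.compare_digest(digest(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    # The sender publishes these alongside the program (constructed here).
    published_md5 = digest(SAMPLE_PROGRAM, "md5")
    published_sha256 = digest(SAMPLE_PROGRAM, "sha256")

    received = SAMPLE_PROGRAM
    print("MD5    match:", verify(received, published_md5, "md5"))
    print("SHA256 match:", verify(received, published_sha256, "sha256"))

    # A single changed byte in transit changes the digest completely.
    tampered = received[:-1] + b"#"
    print("tampered MD5 match:", verify(tampered, published_md5, "md5"))
```

The published checksum must reach you over a channel the software itself did not travel on (for example a signed release note); a checksum that arrives next to the file on the same server only proves the file was not corrupted, not that it was not replaced.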
35. Amanda, a member of the web development group, is preparing to load a demo version of
the company’s new software onto the updated website. She wants to know which of the
following message authentication algorithms can be used to validate the demo software as
authentic. Which of the following would you not recommend?
A. HAVAL
B. SHA
C. PEM
D. MD5
SHA, MD5, and HAVAL are three hashing algorithms that can be used for file integrity and
authentication. Each produces a message digest that cannot be reversed. Message digests are
produced using one-way hashing functions. They are not intended to be used to reproduce the
data. The purpose of a digest is to verify the integrity of data and messages. PEM is the correct
answer because it is not a hashing algorithm.
DOMAIN 4
1. Securing networked computers is a critical task. Many organizations choose to place some
services such as web or email in an area of the network that is neither fully internal nor fully
external to the organization. These services are placed behind an Internet-facing router, but
in front of a firewall or another device that protects the internal network. What is the area in
which these services are deployed called?
A. Dual-homed gateway
B. Intranet
C. Demilitarized zone (DMZ)
D. Extranet
DMZs offer several advantages to security professionals. They allow an organization to distance
critical internal services from the Internet and web services. They enable the organization to
design a network that has a layered defense. This design allows some filtering of traffic before
Internet users can reach web-based services. Traffic attempting to proceed deeper into the
network must pass this inspection.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.628-629)
2. An attacker located at IP address 12.8.0.1 wants to launch a smurf attack on a victim machine
located at IP address 129.74.15.12 utilizing a third-party network located at 141.190.0.0/16.
What would be the source IP address on the single packet the attacker transmits?
A. 12.8.0.1
B. 129.74.15.12
C. 141.190.0.0
D. 141.190.255.255
In a smurf attack, the attacker sends a single forged packet bearing a source address
corresponding to the victim machine.
3. _____________ employs a digital multicarrier modulation scheme that allows for a more
tightly compacted transmission. The modulated signals are perpendicular and thus do not
cause interference with each other.
A. DSSS
B. OCSP
C. OFDM
D. CCMP
OFDM employs a digital multicarrier modulation scheme that allows for a more tightly
compacted transmission. The modulated signals are perpendicular (orthogonal) and thus do not
cause interference with each other.
4. What is the IEEE standard for Bluetooth?
A. 802.3
B. 802.11
C. 802.20
D. 802.15
IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet, 802.11 defines wireless
networking, and 802.20 defines LTE.
5. What means of transmission involves the use of a discontinuous electrical signal and a state
change or on‐off pulses?
A. Asynchronous communications
B. Digital signals
C. Broadband connections
D. Half‐duplex links
Digital signals are a means of transmission that involves the use of a discontinuous electrical
signal and a state change or on‐off pulses. Asynchronous communications, broadband
connections, and half‐duplex links can be digital or analog.
6. Which part of the 48-bit, 12-digit hexadecimal number known as the Media Access Control
(MAC) address identifies the manufacturer of the network device?
A. The first three bytes
B. The first two bytes
C. The second half of the MAC address
D. The last three bytes
The first three bytes (or first half) of the six-byte MAC address is the manufacturer’s identifier
(see Table A.6). This can be a good troubleshooting aid if a network device is acting up, as it will
isolate the brand of the failing device. The other answers are distracters.
7. Which statement is correct about ISDN Basic Rate Interface?
A. It offers 23 B channels and 1 D channel.
B. It offers 2 B channels and 1 D channel.
C. It offers 30 B channels and 1 D channel.
D. It offers 1 B channel and 2 D channels.
Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) offers two B channels which
carry user data at 64 Kbps each, and one control and signaling D channel operating at 16 Kbps.
8. The data transmission method in which data is sent continuously and doesn’t use either an
internal clocking source or start/stop bits for timing is known as:
A. Asynchronous
B. Synchronous
C. Isochronous
D. Plesiochronous
Isochronous data is synchronous data transmitting without a clocking source, with the bits sent
continuously and no start or stop bits. All bits are of equal importance and are anticipated to
occur at regular time intervals.
9. If you are the victim of a bluejacking attack, what was compromised?
A. Your firewall
B. Your switch
C. Your cell phone
D. Your web cookies
A bluejacking attack is a wireless attack on Bluetooth, and the most common device
compromised in a bluejacking attack is a cell phone.
10. Which networking technology is based on the IEEE 802.3 standard?
A. Ethernet
B. Token Ring
C. FDDI
D. HDLC
Ethernet is based on the IEEE 802.3 standard.
11. What is both a benefit and a potentially harmful implication of multilayer protocols?
A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing
Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols.
12. By examining the source and destination addresses, the application usage, the source of
origin, and the relationship between current packets with the previous packets of the same
session, ____________ firewalls are able to grant a broader range of access for authorized
users and activities and actively watch for and block unauthorized users and activities.
A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Circuit-level gateway
Stateful inspection firewalls are able to grant a broader range of access for authorized users and
activities and actively watch for and block unauthorized users and activities.
13. A ____________ is an intelligent hub because it knows the addresses of the systems
connected on each outbound port. Instead of repeating traffic on every outbound port, it
repeats traffic only out of the port on which the destination is known to exist.
A. Repeater
B. Switch
C. Bridge
D. Router
A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of
the systems connected on each outbound port.
14. What security concept encourages administrators to install firewalls, malware scanners, and
an IDS on every host?
A. Endpoint security
B. Network access control (NAC)
C. VLAN
D. RADIUS
Endpoint security is the security concept that encourages administrators to install firewalls,
malware scanners, and an IDS on every host.
15. ______________ is a standards-based mechanism for providing encryption for point-to-point
TCP/IP traffic.
A. UDP
B. IDEA
C. IPSec
D. SDLC
IPSec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point
TCP/IP traffic.
16. Which of the following VPN protocols do not offer native data encryption? (Choose all that
apply.)
A. L2F
B. L2TP
C. IPSec
D. PPTP
L2F, L2TP, and PPTP all lack native data encryption. Only IPSec includes native data encryption.
17. Which of the following is not defined in RFC 1918 as one of the private IP address ranges that
are not routed on the Internet?
A. 169.172.0.0–169.191.255.255
B. 192.168.0.0–192.168.255.255
C. 10.0.0.0–10.255.255.255
D. 172.16.0.0–172.31.255.255
The address range 169.172.0.0–169.191.255.255 is not listed in RFC 1918 as a private IP address
range. It is, in fact, a public IP address range.
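As an added example (not from the original study guide), the following Python script uses the standard ipaddress module to test addresses against the three RFC 1918 blocks, to convert first/last address ranges such as the ones in the question into CIDR notation, and to flag private source addresses that arrive on an Internet-facing interface, which is the check a border filter applies because these ranges are never routed on the Internet. The address lists are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private ranges, written as the CIDR blocks they correspond to.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_rfc1918(addr: str) -> bool:
    """True if the IPv4 address falls inside one of the RFC 1918 blocks.

    ipaddress.ip_address(...).is_private is deliberately not used: it also
    covers loopback, link-local and documentation ranges, which RFC 1918 does not.
    """
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def range_to_cidrs(first: str, last: str) -> list:
    """Express a first..last address range as the minimal list of CIDR blocks."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]


def spoofed_private_sources(inbound_sources) -> list:
    """Return the RFC 1918 source addresses seen on an Internet-facing interface.

    Such packets cannot legitimately originate on the Internet, so ingress
    filters normally drop them (and log them, as they indicate spoofing).
    """
    return [a for a in inbound_sources if is_rfc1918(a)]


if __name__ == "__main__":
    for option in [("169.172.0.0", "169.191.255.255"),
                   ("192.168.0.0", "192.168.255.255"),
                   ("10.0.0.0", "10.255.255.255"),
                   ("172.16.0.0", "172.31.255.255")]:
        cidrs = range_to_cidrs(*option)
        print(option, "->", cidrs, "private" if is_rfc1918(option[0]) else "public")

    # Constructed sample of source addresses seen on the outside interface.
    print(spoofed_private_sources(["203.0.113.7", "10.0.0.5", "192.168.1.9"]))
```

Note that the distractor range 169.172.0.0–169.191.255.255 does not even map to a single CIDR block; the three real RFC 1918 ranges each collapse to one.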
18. In addition to maintaining an updated system and controlling physical access, which of the
following is the most effective countermeasure against PBX fraud and abuse?
A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations
Changing default passwords on PBX systems provides the most effective increase in security.
19. Which of the following can be used to bypass even the best physical and logical security
mechanisms to gain access to a system?
A. Brute-force attacks
B. Denial of service
C. Social engineering
D. Port scanning
Social engineering can often be used to bypass even the most effective physical and logical
controls. Whatever activity the attacker convinces the victim to perform, it is usually directed
toward opening a back door that the attacker can use to gain access to the network.
20. What authentication protocol offers no encryption or protection for logon credentials?
A. PAP
B. CHAP
C. SSL
D. RADIUS
Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP
transmits usernames and passwords in the clear. It offers no form of encryption. It simply
provides a means to transport the logon credentials from the client to the authentication server.
21. Because some of your organization’s employees use fax machines to send and receive
confidential information, you have become concerned about their level of security. Which of
the following is the most effective security measure to protect against unauthorized
disclosure?
A. Activity logs
B. Exception reports
C. Confidential cover pages
D. Removing fax machines from insecure areas
Although fax usage is declining, it is still in use and as such offers a service that may be vulnerable
to attack. To improve the security of fax transmissions, these machines can be moved from
insecure areas to locations where access can be controlled. Activity logs and exception reports
are useful in detecting misuse or possible attack. Other useful items for the protection of fax
machines and their transmissions include fax encryptors and link encryption. Fax over IP and VoIP
are also becoming security issues.
22. An IP protocol field of 0x06 indicates that IP is carrying what as its payload?
A. TCP
B. ICMP
C. UDP
D. IGRP
The protocol field carries the ID number of the next-higher-layer protocol. These values allow IP
to demultiplex the data packet as it progresses up the stack. Common protocol numbers include
0x01 (ICMP), 0x06 (TCP), 0x11 (UDP), and 0x58 (IGRP). FTP resides at the application layer and is
addressed by TCP port 21. FTP also uses TCP port 20 for data transfer.
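The protocol field the question refers to is byte 9 of the IPv4 header. As an added example, not from the original material, the following Python script builds a constructed 20-byte IPv4 header with the standard struct module, then parses it back out: it maps the protocol number to the names listed above and verifies the header checksum, which is the first thing a packet-inspecting device checks before trusting any other field. All addresses and field values are constructed for illustration.

```python
import socket
import struct

# Protocol numbers named in the explanation above.
PROTOCOL_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP", 0x58: "IGRP"}

# Fixed 20-byte IPv4 header layout (no options), network byte order.
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words, complemented (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(protocol: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed minimal IPv4 header: version 4, IHL 5, TTL 64, DF set."""
    fields = struct.pack(IPV4_FMT,
                         (4 << 4) | 5,            # version / header length in words
                         0,                       # type of service
                         20 + payload_len,        # total length
                         0x1234,                  # identification (constructed)
                         0x4000,                  # flags: don't fragment, offset 0
                         64,                      # TTL
                         protocol,                # the field this question is about
                         0,                       # checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header and report whether its checksum is intact."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl,
     proto, _csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "unknown(%d)" % proto),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # Summing a header that includes its own checksum yields all ones,
        # so recomputing over the full header gives zero when it is intact.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


if __name__ == "__main__":
    for proto in (0x01, 0x06, 0x11, 0x58):
        hdr = build_ipv4_header(proto, "192.0.2.10", "198.51.100.20")
        info = parse_ipv4_header(hdr)
        print(f"protocol 0x{proto:02x} -> {info['protocol_name']}, checksum ok: {info['checksum_ok']}")
```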
23. Your firm has just hired a newly certified CISSP named Dan as an intern. He wants to learn
more about detection-based security systems. He asks you to explain intrusion detection.
Which of the following is one of the two types of intrusion detection engines?
A. Host
B. Signature
C. Network
D. Hybrid
The two primary types of intrusion detection engines are signature and anomaly. Signature-
based intrusion detection systems work much like virus scanners in that they have databases of
known attacks. Although these systems work well, they are vulnerable to new exploits or those
not yet added to the systems’ database. Anomaly-based intrusion detection systems look for a
deviation from normal behavior. For example, these systems would quickly send an alert if
someone who worked the day shift attempted multiple logins at 3 a.m.
24. The e-commerce branch of your parent company’s organization has become increasingly
worried about attacks against the network that is hosting its web servers. The department
head has asked you to explain what a smurf attack is and how it might affect the web server.
How will you respond?
A. A smurf attack uses ICMP packets of a rather large size. These packets overwhelm the receiving
device, causing a denial of service for legitimate devices attempting legitimate connections.
B. Smurf targets the TCP session setup. As such, a large number of spoofed SYN packets are
launched against the target device. As the queue of illegitimate connections grows, the system
slows down, finally reaching the point where no users can obtain access.
C. A smurf attack uses ICMP packets with forged source and target addresses. The packets are
addressed to the local broadcast address. The attack eventually chokes the web server.
D. Smurf attacks work by changing the length and fragmentation field of the IP header. This
causes a system to slow down or hang.
A smurf attack uses ICMP packets with forged source and target addresses. The packets are
addressed to the local broadcast address, and the source address is pointed toward the device
to be attacked. The result is that all devices on the broadcast network respond to this spoofed
ICMP ping packet. This floods the target device, thereby preventing legitimate traffic.
25. Securing networked computers is a critical task. Many organizations choose to place some
services such as web or email in an area of the network that is neither fully internal nor fully
external to the organization. These services are placed behind an Internet-facing router, but
in front of a firewall or another device that protects the internal network. What is the area in
which these services are deployed called?
A. Dual-homed gateway
B. Intranet
C. Demilitarized zone (DMZ)
D. Extranet
This is commonly called a DMZ (demilitarized zone). DMZs offer several advantages to security
professionals. They allow an organization to distance critical internal services from the Internet
and web services. They enable the organization to design a network that has a layered defense.
This design allows some filtering of traffic before Internet users can reach web-based services.
Traffic attempting to proceed deeper into the network must pass this inspection. Intranets are
internal to an organization, and extranets are external; typically they may be shared with a
business partner.
26. You are the security administrator for a large medical device company. You are asked to
determine whether NAT should be used at your organization for Internet connectivity. Which
of the following is not one of the three types of NAT?
A. PAT
B. Dynamic NAT
C. DAT
D. Static NAT
DAT is not a form of NAT. NAT (network address translation) allows organizations connected to
the Internet to use private addresses. These same private addresses can be used by many
different organizations because they are nonroutable and are hidden to the direct Internet.
These are the three primary types of NAT:
PAT: Port address translation permits only outbound sessions and allows one public address to
be used by many internal, private addresses.
Dynamic NAT: This method of translation allows an external address to be mapped directly to an
internal address. This method is useful when an organization has a pool of external IP addresses
that must be shared among many internal devices.
Static NAT: This method of NAT allows one internal address to be permanently mapped to a
specific external address.
27. VPNs have become very popular as a way to connect users to corporate networks by means
of the Internet. Which of the following is not a VPN protocol?
A. SLIP
B. PPTP
C. L2TP
D. L2F
Serial Line Internet Protocol (SLIP) is a very old protocol that was used to connect systems by
means of a modem. SLIP offers no secure services. Protocols used for VPNs include PPTP (Point-
to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and L2F (Layer 2 Forwarding
Protocol). When properly configured, these protocols allow users to establish a secure tunnel
through the Internet.
28. Your manager, Ed, has decided that passwords are too easily broken to be used to
authenticate remote users. Ed wants you to implement some type of RAS authentication that
uses some type of token card. Which system meets this critical requirement?
A. PAP
B. EAP
C. CHAP
D. PPP
Extensible Authentication Protocol (EAP) is the method of choice because it can work with more
than just passwords as authentication. EAP can use token cards, MD5 challenge, and digital
certificates as possible authentication mechanisms. Although Password Authentication Protocol
(PAP) is used for RAS, it sends passwords in clear text. Challenge Handshake Authentication
Protocol (CHAP) uses an MD5 challenge.
29. The product design group of the corporation you work for has requested the installation of
802.11g wireless access points secured with WEP. The request cites ease of network access
and enhanced mobile computing as the reasons why they need this technology. You are the
senior IT security officer; what should your response be?
A. Wireless offers good security, so you should approve the request.
B. If the wireless systems implement WEP, you will have no problem approving the request,
because WEP is highly secure.
C. Because many cordless phones are used in the design area, wireless would be a poor choice,
because interference would be high.
D. Wireless is not a good choice because the design area maintains critical information, and
802.11g has some known vulnerabilities when WEP is used.
Although wireless is very popular, you must be careful when installing a wireless system. Some
cordless phones do operate on the same frequencies, but this should not be the driving
consideration in this decision. WEP has been shown to be vulnerable. Originally the Wired
Equivalent Privacy (WEP) protocol was developed to address this issue. It was designed to provide
the same privacy that a user would have on a wired network. WEP is based on the RC4 symmetric
encryption standard and uses either 64-bit or 128-bit keys. However, the keys are not really this
many bits, because a 24-bit initialization vector (IV) is used to provide randomness. So the “real”
key is actually 40 or 104 bits long. WEP has been surpassed by WPA and WPA2. Other controls,
such as PEAP and LEAP (and the v2 versions of both), are also used to protect wireless
communication. Encryption is now provided by AES.
30. Randall has more than 100 workstations at his site. He is looking for a method of centralized
management. Which of the following is his best choice?
A. APIPA
B. RARP
C. DHCP
D. Host tables
DHCP (Dynamic Host Configuration Protocol) is an effective method of centralized management.
IP addresses can be managed from one location. This can ease administration and make changes
easier. DHCP has four steps: discover, offer, request, and acknowledgment. APIPA is an automatic
address scheme that is used when no address server can be found. RARP resolves MAC addresses
to IP addresses. Host tables do not provide IP addressing services.
31. You are asked to configure the border routers to block ICMP messages and prevent the return
of any error messages to external networks. Which of the following will accomplish this task?
A. Drop
B. Filter
C. Reject
D. Bounce
The two primary ways in which routers can deal with ICMP messages are reject and drop. Reject
allows failed traffic to create an ICMP error message and return it to the sending device. Drop
silently discards any traffic that is not allowed into the network or that creates an ICMP error
message.
32. The protection of employees’ health and welfare is of critical importance to an organization’s
security officer. Therefore, it is critical that the proper type of networking cable be chosen for
each task. What type of network cabling should be used in drop ceilings or areas that might
be exposed to fire?
A. Plenum grade
B. A1 fire-rated cable
C. Polyvinyl chloride-coated cable
D. Nonpressurized conduit-rated cable
Plenum-grade cabling is required to meet fire codes and protect the organization’s employees.
Non-plenum-grade cables, such as those coated with PVC (polyvinyl chloride), can give off noxious
gas when burned or exposed to high heat. Proper consideration should be given when choosing
a network cable type and location. Loose cables present a potential trip hazard. There is no such
standard as A1 fire-rated.
33. Your lead technician has been reviewing the marketing materials of several network switch
manufacturers. She wants to know what the spec sheet means when it says, “The switch is a
‘cut-through’ design.”
A. This terminology applies only to the board design of the switch.
B. It means that the switch can support port spanning.
C. It means that the switch can prioritize traffic for QoS, thereby increasing switching speed.
D. It means that the switch is designed to examine only a portion of the frame, thereby increasing
throughput.
Switches typically come in two designs: cut-through and store-and-forward. Cut-through
switches examine only a portion of the frame that contains the destination MAC address, thereby
increasing throughput. The term does not apply to the board design or provide QoS. Port
spanning is the ability to mirror traffic from one port to the next.
34. Robert, one of your help-desk technicians, wants to learn more about long-haul data
transmission technologies. You kindly take a few minutes to explain wide area networks
(WANs). WANs can be either circuit-switched or packet switched. Which of the following is
an example of circuit switching?
A. Frame Relay
B. DDS
C. X.25
D. ATM
DDS (Digital Data Service) is an example of a circuit-switched technology. DDS was developed in
the 1970s and was one of the first digital services used by telephone companies. It has a
maximum data rate of 56 KB. Frame Relay, X.25, and ATM are all examples of packet-switched
technologies.
35. Felix does not want to pretend to be a valid user; he wants to become that user. With that in
mind, why would James want to alter the relationship between the IP address and MAC
address in one of your ARP table entries?
A. Spoofing
B. Hijacking
C. ICMP redirect
D. Backscatter
Hijacking is the process of poisoning someone’s ARP table with bogus ARP responses. Because
ARP is a trusting protocol, no verification is used to ensure that received ARP replies match a
previous ARP request. This allows the attacker to issue bogus ARP responses that can be used to
poison the ARP table. This poisoned ARP table allows the attacker to redirect communication and
attempt a man-in-the-middle attack. Hunt, Cain and Abel, and ETTERCAP are several of the tools
commonly used for this type of attack.
DOMAIN 5
1. A potential problem related to the physical installation of the Iris Scanner in regards to the
usage of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.
Because the optical unit uses a camera and infrared light to create the images, sunlight entering
the aperture degrades them, so the unit must not be positioned in direct light of any kind. Because
the subject does not need to make direct contact with the optical reader, stray direct light can
reach the reader.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.191)
2. In Mandatory Access Control, sensitivity labels attached to object contain what information?
A. The item's classification
B. The item's classification and category set
C. The item's category
D. The item’s need to know
Category set and compartment set are synonyms; they mean the same thing. The sensitivity label
must contain at least one classification and at least one category. It is common in some
environments for a single item to belong to multiple categories. The list of all the categories to
which an item belongs is called a compartment set or category set.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.221-223)
3. In discretionary access environments, which of the following entities is authorized to grant
information access to other people?
A. Manager
B. Group Leader
C. Security Manager
D. Data Owner
In Discretionary Access Control (DAC) environments, the user who creates a file is also considered
the owner and has full control over the file including the ability to set permissions for that file.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.220-221)
4. When a biometric system is used, which error type deals with the possibility of GRANTING
access to impostors who should be REJECTED?
A. Type I error
B. Type II error
C. Type III error
D. Crossover error
When the biometric system accepts impostors who should have been rejected, it is called a Type
II error or False Acceptance Rate or False Accept Rate (FAR).
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior,
which is one of the most effective and accurate methods of verifying identification. Biometrics is
a very sophisticated technology; thus, it is much more expensive and complex than the other
types of identity verification processes. A biometric system can make authentication decisions
based on an individual's behavior, as in signature dynamics, but these can change over time and
possibly be forged.
Biometric systems that base authentication decisions on physical attributes (iris, retina,
fingerprint) provide more accuracy, because physical attributes typically don't change much,
absent some disfiguring injury, and are harder to impersonate.
When a biometric system rejects an authorized individual, it is called a Type I error or False
Rejection Rate or False Reject Rate (FRR).
When the system accepts impostors who should be rejected, it is called a Type II error or False
Acceptance Rate or False Accept Rate (FAR). Type II errors are the most dangerous and thus the
most important to avoid.
The goal is to obtain low numbers for each type of error, but when comparing different biometric
systems, many different variables are used but one of the most important metrics is the
Crossover Error Rate (CER).
The accuracy of any biometric method is measured in terms of Failed Acceptance Rate (FAR) and
Failed Rejection Rate (FRR). Both are expressed as percentages. The FAR is the rate at which
attempts by unauthorized users are incorrectly accepted as valid. The FRR is just the opposite. It
measures the rate at which authorized users are denied access.
The FRR (Type I) is inversely proportional to FAR (Type II), as one rate increases the other
decreases. The Crossover Error Rate (CER) is sometimes considered a good indicator of the overall
accuracy of a biometric system. This is the point at which the FRR and the FAR have the same
value. Solutions with a lower CER are typically more accurate.
Reference CISSP All-in-One 6th Ed, Shon Harris (p.188-189)
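As an added example (not from the original material), the following Python script computes FAR and FRR for a constructed set of genuine and impostor match scores across a range of acceptance thresholds and locates the crossover point. The scores are made up so that the inverse relationship between the two rates, and the threshold at which they meet, are easy to see.

```python
# Constructed similarity scores (0-100). Genuine: enrolled user compared with
# their own sample; impostor: enrolled user compared with somebody else's
# sample. Higher means "more alike". An attempt is accepted when its score
# reaches the acceptance threshold.
GENUINE_SCORES = [40, 50, 60, 65, 70, 75, 80, 85, 90, 95]
IMPOSTOR_SCORES = [10, 20, 30, 35, 40, 45, 50, 55, 60, 70]


def far(impostor_scores, threshold) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above
    the threshold (Type II errors)."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the
    threshold (Type I errors)."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold. Raising the
    threshold lowers FAR and raises FRR, which is the inverse relationship
    described in the explanation."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """The row where FAR and FRR are closest to equal. The common value at
    that point is the Crossover Error Rate (CER); a lower CER means a more
    accurate system."""
    return min(error_table(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    thresholds = range(0, 101, 5)
    for t, a, r in error_table(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        print(f"threshold {t:3d}  FAR {a:.2f}  FRR {r:.2f}")
    t, a, r = crossover(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print(f"CER ~ {a:.2f} at threshold {t}")
```

In a deployment the threshold is rarely left at the crossover: a facility that fears impostors more than it fears inconveniencing staff sets it above the CER, accepting a higher FRR in exchange for a lower FAR.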
5. What security model implies a central authority that defines rules, and sometimes global rules,
dictating what subjects can have access to what objects?
A. Flow Model
B. Discretionary Access Control
C. Mandatory Access Control
D. Non-discretionary Access Control
Answer: D
As a security administrator you might configure user profiles so that users cannot change the
system's time, alter system configuration files, access a command prompt, or install unapproved
applications. This type of access control is referred to as non-discretionary, meaning the access
decisions are not made at the discretion of the user. Non-discretionary Access Controls are put
into place by an authoritative entity (usually a security administrator) with the goal of protecting
the organization’s most critical assets.
Non-discretionary Access Control is when a central authority determines what subjects can have
access to what objects based on the organizational security policy. Centralized access control is
not an existing security model. Both Rule Based Access Control and Role Based Access Control
fall into this category.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.221)
6. An employee retained access to sensitive data from previous job assignments. Investigators
later caught him selling some of this sensitive data to competitors. What could have
prevented the employee from stealing and selling the secret data?
A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. User entitlement audit
A user entitlement audit can detect when employees have excessive privileges. Asset valuation
identifies the value of assets. Threat modeling identifies threats to valuable assets. Vulnerability
analysis detects vulnerabilities or weaknesses that can be exploited by threats.
7. Which of the following can detect outgoing sensitive data based on specific data patterns?
A. Anti‐malware software
B. Data loss prevention systems
C. Security Information and Event Management systems
D. Intrusion prevention systems
Network‐based data loss prevention (DLP) systems can scan outgoing data and look for specific
keywords and/or data patterns. DLP systems can block these outgoing transmissions. Anti‐
malware software detects malware. Security Information and Event Management (SIEM) systems
provide real‐time analysis of events occurring on systems throughout an organization but don’t
necessarily scan outgoing traffic. Intrusion prevention systems (IPS) scan incoming traffic to
prevent unauthorized intrusions.
8. When logging on to a workstation, the log-on process should:
A. Validate the log-on only after all input data has been supplied.
B. Provide a Help mechanism that provides log-on assistance.
C. Place no limits on the time allotted for log-on or on the number of unsuccessful log-on
attempts.
D. Not provide information on the previous successful log-on and on previous unsuccessful log-
on attempts.
This approach is necessary to ensure that all the information required for a log-on has been
submitted and to avoid providing information that would aid a cracker in trying to gain
unauthorized access to the workstation or network. If a log-on attempt fails, information as to
which part of the requested log-on information was incorrect should not be supplied to the user.
9. A persistent collection of data items that form relations among each other is called a:
A. Database management system (DBMS)
B. Data description language (DDL)
C. Schema
D. Database
For a database to be viable, the data items must be stored on nonvolatile media and be protected
from unauthorized modification.
10. A protection mechanism to limit inferencing of information in statistical database queries is:
A. Specifying a maximum query set size
B. Specifying a minimum query set size
C. Specifying a minimum query set size, but prohibiting the querying of all but one of the records
in the database
D. Specifying a maximum query set size, but prohibiting the querying of all but one of the records
in the database
When querying a database for statistical information, individually identifiable information should
be protected. Thus, requiring a minimum size for the query set (greater than one) offers
protection against gathering information on one individual. However, an attack may consist of
gathering statistics on a query set size M, equal to or greater than the minimum query set size,
and then requesting the same statistics on a query set size of M + 1. The second query set would
be designed to include the individual whose information is being sought surreptitiously.
11. A distributed system using passwords as the authentication means can use a number of
techniques to make the password system stronger. Which of the following is NOT one of
these techniques?
A. Password generators
B. Regular password reuse
C. Password file protection
D. Limiting the number or frequency of log-on attempts
Passwords should never be reused after the time limit on their use has expired.
12. Your company has just opened a call center in India to handle nighttime operations, and you
are asked to review the site’s security controls. Specifically, you are asked which of the
following is the strongest form of authentication.
A. Something you know
B. Something you are
C. Passwords
D. Tokens
Authentication can take one of three forms: something you know, something you have, or
something you are. Something you are, such as biometrics, is by far the strongest form of
authentication. Systems such as retina and iris scans have high levels of accuracy. The accuracy
of a biometric device can be assessed by means of the crossover error rate. Remember that, on
the exam, questions are sometimes vague, and you will be asked to pick the best available
answer.
13. Your organization has become worried about recent attempts to gain unauthorized access to
the R&D facility. Therefore, you are asked to implement a system that will require individuals
to present a password and enter a PIN at the security gate before gaining access. What is this
type of system called?
A. Authorization
B. Two-factor authentication
C. Authentication
D. Three-factor authentication
The question states that a password and PIN are required. Both passwords and PINs are examples
of something you know. Authentication is something you know, something you have, or
something you are. Therefore, this is an example of authentication.
14. Today, you are meeting with a coworker who is proposing that the number of logins and
passwords be reduced. Another coworker has suggested that you investigate single sign-on
technologies and make a recommendation at the next scheduled meeting. Which of the
following is a type of single sign-on system?
A. Kerberos
B. RBAC
C. DAC
D. RADIUS
Kerberos is a single sign-on system for distributed systems. It is unlike authentication systems
such as NTLM that perform only one-way authentication. It provides mutual authentication for
both parties involved in the communication process. Kerberos operates under the assumption
that there is no trusted party; therefore, both client and server must be authenticated. After
mutual authentication occurs, Kerberos makes use of a ticket stored on the client machine to
access network resources.
15. Which style of authentication is not susceptible to a dictionary attack?
A. CHAP
B. LEAP
C. WPA-PSK
D. PAP
Only PAP is not susceptible to a dictionary attack; no attack is needed because the password is
transmitted in clear text.
16. Your organization has decided to use a biometric system to authenticate users. If the FAR is
high, what happens?
A. Legitimate users are denied access to the organization’s resources.
B. Illegitimate users are granted access to the organization’s resources.
C. Legitimate users are granted access to the organization’s resources.
D. Illegitimate users are denied access to the organization’s resources.
FAR (False Acceptance Rate) is the percentage of illegitimate users who are granted access to the
organization’s resources. Keeping this number low is important to keeping unauthorized
individuals out of the company’s resources.
17. Your company is building a research facility in Singapore and is concerned about technologies
that can be used to pick up stray radiation from monitors and other devices. Specifically, your
boss wants copper shielding installed. Which technology does your boss want to know more
about?
A. Radon
B. Waveguard
C. Tempest
D. Van Allen
Tempest is the standard for electromagnetic shielding of computer equipment.
18. As the newly appointed security officer for your corporation, you suggest replacing the
password-based authentication system with RSA tokens. Elsa, your CTO, denies your request,
citing budgetary constraints. As a temporary solution, Elsa asks that you find ways to increase
password security. Which of the following will accomplish this goal?
A. Disabling password-protected screensavers
B. Enabling account lockout controls
C. Enforcing a password policy that requires noncomplex passwords
D. Enabling users to use the same password on more than one system
Password-based authentication systems can be made more secure if complex passwords are
used, account lockouts are put in place, and tools such as Passprop are implemented. Passprop
places remote lockout restrictions on the administrator account. Passprop is Microsoft-specific,
and the test will not quiz you on that level of detail. Just understand that tools are available on
both Windows and *NIX platforms to accomplish this task. Many routers, switches, and network
gear also support varying degrees of lockout (usually tied to RADIUS). Disabling password-
protected screensavers would decrease security, as would allowing users to reuse passwords.
19. A hacker submits a malicious URL request for a help page from an unpatched Apache server
that supports an Oracle9i Application Server. This causes a denial of service. Which of the
following would have best protected the corporation from this attack?
A. HIDS
B. NIPS
C. HIPS
D. NIDS
A Network Intrusion Prevention System (NIPS) provides protective/reactive responses to a
network. This malicious attack was submitted via port 80 HTTP service and is identified by
network monitoring.
20. Your manager asks you to set up a fake network to identify contractors who may be poking
around the network without authorization. What is this type of system called?
A. Trap-and-trace
B. Honeypot
C. Snare
D. Prison
Honeypots, which also have been expanded into honeynets, are network decoys or entire
networks that are closely monitored systems. These devices allow security personnel to monitor
when the systems are being attacked or probed. They can also provide advance warning of a
pending attack and act as a jail until you have decided how to respond to the intruder.
21. Your manager persists in asking you to set up a fake network to identify contractors who may
be poking around the network without authorization. What is the largest legal issue with
these devices?
A. Enticement
B. Federal Statute 1029
C. Entrapment
D. Liability
Some of the issues surrounding honeypots include entrapment and enticement. Although liability
could be an issue if the honeypot is compromised and then used to attack an outside
organization, entrapment is illegal and unethical, and ISC2-certified professionals are bound by a
code of ethics. Statute 1029 is related to hacking and is not the primary concern of honeypots.
22. During a weekly staff meeting, your boss reveals that some employees have been allowing
other employees to use their passwords. He is determined to put a stop to this and wants
you to install biometric access control systems. He has asked about some basic attributes,
such as Type I errors, Type II errors, and the CER. What's so important about the CER? How
do you respond?
A. Speed typically is determined by calculating the CER.
B. The CER has to do with the customer acceptance rate, because some systems are more user-
friendly than others.
C. Accuracy typically is determined by calculating the CER.
D. The CER has to do with the cost per employee, because some biometric access control systems
are very good, but also very expensive.
The CER (Crossover Error Rate) is used to determine the device’s accuracy. A lower CER means
that the device is more accurate. The CER is determined by mapping the point at which the FAR
(False Acceptance Rate) and the FRR (False Rejection Rate) meet. The CER does not determine
speed, customer acceptance, or cost per employee.
23. Kerberos has some features that make it a good choice for access control and authentication.
One of these items is a ticket. What is a ticket used for?
A. A ticket is a block of data that allows users to prove their identity to an authentication server.
B. A ticket is a block of data that allows users to prove their identity to a service.
C. A ticket is a block of data that allows users to prove their identity to a ticket-granting server.
D. A ticket is a block of data that allows users to prove their identity to the Kerberos server.
Kerberos is a network authentication protocol that provides single sign-on service for
client/server networks. A ticket is a block of data that allows users to prove their identity to a
service. The ticket is valid only for a limited amount of time. Allowing tickets to expire helps raise
the barrier for possible attackers, because the ticket becomes invalid after a fixed period.
24. You have a homogeneous environment with multiple application servers. Your users are
having difficulty remembering all their passwords as they complete their daily activities. What
would be the best solution?
A. Lower the passwords’ complexity requirements
B. Implement harsher penalties
C. Add assisted user reset capabilities
D. Use single sign-on
Single sign-on (SSO) can be difficult in a heterogeneous environment, where not all
manufacturers may support the same authentication method. It is, however, a great solution in a
homogeneous environment, where all vendors support the same mechanism. The password must
still be complex, or you've given a malicious hacker a single point from which to breach your
network.
25. You are asked to work on a project where users need to share credentials across multiple
domains without forcing them to log in more than once. What technologies might meet this
business need?
A. Cookies
B. Unique X.509 certificates
C. Web access management
D. Separate usernames and passwords
Web-access management allows web users to share user credentials across multiple domains
without having to log into each site. Cookies will not work because they are domain-specific, and
a unique certificate for each domain would not address the problems.
26. Your organization issues devices to employees. These devices generate one-time passwords
every 60 seconds. A server hosted within the organization knows what this password is at any
given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card
A synchronous token generates and displays one-time passwords, which are synchronized with
an authentication server. An asynchronous token uses a challenge-response process to generate
the one-time password. Smartcards do not generate one-time passwords, and common access
cards are a version of a smartcard that includes a picture of the user.
27. A biometric system has falsely rejected a valid user, indicating that the user is not recognized.
What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate
A Type 1 error (false rejection or false negative) occurs when a valid subject is not authenticated.
A Type 2 error (false acceptance or false positive) occurs when an invalid subject is authenticated.
The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type
2 errors and provides a measurement of the accuracy of the biometric system.
28. An administrator has been working within an organization for over 10 years. He has moved
between different IT divisions within the company and has retained privileges from each of
the jobs that he’s had during his tenure. Recently, supervisors admonished him for making
unauthorized changes to systems. He once again made an unauthorized change that resulted
in an unexpected outage and management decided to terminate his employment at the
company. He came back to work the following day to clean out his desk and belongings, and
during this time he installed a malicious script that was scheduled to run as a logic bomb on
the first day of the following month. The script will change administrator passwords, delete
files, and shut down over 100 servers in the datacenter. What could have discovered
problems with this user’s account while he was employed?
A. Policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account review
Account review can discover when users have more privileges than they need and could have
been used to discover that this employee had permissions from several positions. Strong
authentication methods (including multifactor authentication) would not have prevented the
problems in this scenario. Logging could have recorded activity, but a review is necessary to
discover the problems.
29. What is an attack that attempts to detect flaws in smartcards?
A. Whaling
B. Side-channel attack
C. Brute-force
D. Rainbow table attack
A side-channel attack is a passive, noninvasive attack to observe the operation of a device, and
can be used against some smartcards. Methods include power monitoring, timing, and fault
analysis attacks. Whaling is a type of phishing attack that targets high-level executives. A brute-
force attack attempts to discover passwords by using all possible character combinations. A
rainbow table attack is used to crack passwords.
30. An organization has recently suffered a series of security breaches that have significantly
damaged its reputation. Several successful attacks have resulted in compromised customer
database files accessible via one of the company’s web servers. Additionally, an employee
had access to secret data from previous job assignments. This employee made copies of the
data and sold it to competitors. The organization has hired a security consultant to help them
reduce their risk from future attacks. What would need to be completed to ensure that the
consultant has the correct focus?
A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Creation of audit trails
Asset valuation identifies the actual value of assets so that they can be prioritized. This will ensure
that the consultant focuses on high-value assets. Threat modeling identifies threats, but asset
valuation should be done first so that the focus is on threats to high-value assets. Vulnerability
analysis identifies weaknesses but should be focused on high-value assets. Audit trails are useful
to re-create events leading up to an incident, but if they aren’t already created, creating them
now won’t help unless the organization is attacked again.
DOMAIN 6
1. Which one of the following tools is used primarily to perform network discovery scans?
A. Nmap
B. Nessus
C. Metasploit
D. lsof
Nmap is a network discovery scanning tool that reports the open ports on a remote system.
2. Chris recently ran a network port scan of a web server running in his organization. He ran the
scan from an external network to get an attacker’s perspective on the scan. Which one of the
following results is the greatest cause for alarm?
A. 80/open
B. 22/filtered
C. 443/open
D. 1433/open
Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to
be open on a web server. Port 1433 is a database port and should never be exposed to an external
network.
3. Which one of the following factors should not be taken into consideration when planning a
security testing schedule for a particular system?
A. Sensitivity of the information stored on the system
B. Difficulty of performing the test
C. Desire to experiment with new testing tools
D. Desirability of the system to attackers
The sensitivity of information stored on the system, difficulty of performing the test, and
likelihood of an attacker targeting the system are all valid considerations when planning a
security testing schedule. The desire to experiment with new testing tools should not influence
the production testing schedule.
4. Which one of the following is not normally included in a security assessment?
A. Vulnerability scan
B. Risk assessment
C. Mitigation of vulnerabilities
D. Threat assessment
Security assessments include many types of tests designed to identify vulnerabilities, and the
assessment report normally includes recommendations for mitigation. The assessment does not,
however, include actual mitigation of those vulnerabilities.
5. Who is the intended audience for a security assessment report?
A. Management
B. Security auditor
C. Security professional
D. Customers
Security assessment reports should be addressed to the organization’s management. For this
reason, they should be written in plain English and avoid technical jargon.
6. Riz would like to run an nmap scan against all of the systems on her organization’s private
network. These include systems in the 10.0.0.0 private address space. She would like to scan
this entire private address space because she is not certain what subnets are used. What
network address should Riz specify as the target of her scan?
A. 10.0.0.0/0
B. 10.0.0.0/8
C. 10.0.0.0/16
D. 10.0.0.0/24
The use of an 8-bit subnet mask means that the first octet of the IP address represents the
network address. In this case, that means 10.0.0.0/8 will scan any IP address beginning with 10.
7. Luke ran an nmap scan against a server and determined that port 80 is open on the server.
What tool would likely provide him the best additional information about the server’s
purpose and the identity of the server’s operator?
A. SSH
B. Web browser
C. telnet
D. ping
The server is likely running a website on port 80. Using a web browser to access the site may
provide important information about the site’s purpose.
8. What port is typically used to accept administrative connections using the SSH utility?
A. 20
B. 22
C. 25
D. 80
The SSH protocol uses port 22 to accept administrative connections to a server.
9. Which one of the following tests provides the most accurate and detailed information about
the security state of a server?
A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan
Authenticated scans can read configuration information from the target system and reduce the
instances of false positive and false negative reports.
10. What type of network discovery scan only follows the first two steps of the TCP handshake?
A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan
The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not
send the final ACK required to complete the three-way handshake.
11. Andrew would like to test systems on his network for SQL injection vulnerabilities. Which one
of the following tools would be best suited to this task?
A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner
SQL injection attacks are web vulnerabilities, and Andrew would be best served by a web
vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but
the web vulnerability scanner is specifically designed for the task and more likely to be successful.
12. Shinwa Industries runs a web application that processes e-commerce orders and handles
credit card transactions. As such, it is subject to the Payment Card Industry Data Security
Standard (PCI DSS). The company recently performed a web vulnerability scan of the
application and it had no unsatisfactory findings. How often must Shinwa rescan the
application?
A. Only if the application changes
B. At least monthly
C. At least annually
D. There is no rescanning requirement.
PCI DSS requires that Shinwa rescan the application at least annually and after any change in the
application.
13. Loraine is performing a penetration test against a client’s network and would like to use a
tool to assist in automatically executing common exploits. Which one of the following security
tools will best meet her needs?
A. nmap
B. Metasploit
C. Nessus
D. Snort
Metasploit is an automated exploit tool that allows attackers to easily execute common attack
techniques.
14. Harry would like to test his application against slightly modified versions of previously used
input. What type of test does Harry intend to perform?
A. Code review
B. Application vulnerability review
C. Mutation fuzzing
D. Generational fuzzing
Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a
program in an attempt to detect software flaws.
15. Users of a banking application may try to withdraw funds that don’t exist from their account.
Developers are aware of this threat and implemented code to protect against it. What type
of software testing would most likely catch this type of vulnerability if the developers have
not already remediated it?
A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review
Misuse case testing identifies known ways that an attacker might exploit a system and tests
explicitly to see if those attacks are possible in the proposed code.
16. What type of interface testing would identify flaws in a program’s command-line interface?
A. Application programming interface testing
B. User interface testing
C. Physical interface testing
D. Security interface testing
User interface testing includes assessments of both graphical user interfaces (GUIs) and
command-line interfaces (CLIs) for a software program.
17. During what type of penetration test does the tester always have access to system
configuration information?
A. Black box penetration test
B. White box penetration test
C. Gray box penetration test
D. Red box penetration test
During a white box penetration test, the testers have access to detailed configuration information
about the system being tested.
18. What port is typically open on a system that runs an unencrypted HTTP server?
A. 22
B. 80
C. 143
D. 443
Unencrypted HTTP communications take place over TCP port 80 by default.
19. Which one of the following is the final step of the Fagan inspection process?
A. Inspection
B. Rework
C. Follow-up
D. None of the above
The Fagan inspection process concludes with the follow-up phase.
20. What information security management task ensures that the organization’s data protection
requirements are met effectively?
A. Account management
B. Backup verification
C. Log review
D. Key performance indicators
The backup verification process ensures that backups are running properly and thus meeting the
organization’s data protection objectives.
21. TCSEC provides levels of security that are classified in a hierarchical manner. Each level has a
corresponding set of security requirements that must be met. Which of the following does
Level A correspond to?
A. Mandatory protection
B. Required protection
C. Verified protection
D. Validated protection
The TCSEC (Trusted Computer System Evaluation Criteria), also known as the Orange Book, was
originally developed for the military to classify its computer systems. It is now widely used
throughout the computer industry. It ranks security in categories ranging from A to D. A is verified
protection, B is mandatory protection, C is discretionary protection, and D is minimal security.
22. What process is used to transfer portions of an active program between an I/O device and
main memory?
A. Paging
B. Scatter-gather
C. Multitasking
D. Multiprocessing
Paging is the process that makes it seem that a computer can hold much more information in
memory than is possible. It accomplishes this by transferring data between an I/O device, such
as a hard drive, and memory (RAM).
23. Your boss has questions about ports and protocols that must be allowed through the firewall.
He is concerned about egress from inside the firewall to outside, as well as ingress from
outside to inside. He also wants to know how attackers may use resources in a way not
intended, or a possible attack in which a resource may be modulated to signal unauthorized
information. Which of the following best describes this possible method of attack?
A. Data pipe
B. Backdoor
C. Tunneling
D. Covert channel
A covert channel is any method used to pass information that is not for legitimate
communication. For example, an organization may allow ICMP ping traffic. If an attacker can
redirect other traffic onto this communication path, he or she would be able to use this channel
as an illicit communication path.
24. In a discussion of rings of protection, if ring 0 is the innermost ring and ring 4 is the outermost
ring, which would be considered the most secure?
A. 4
B. 2
C. 1
D. 0
Rings of protection are one form of security mechanism. As the ring number increases, the
security level decreases. The innermost ring is the most secure and protects the operating system
security kernel. Correctly designing rings of protection can improve security by preventing
programs at a lower level of access from misusing resources at a higher level of access.
25. Which of the following does the security kernel implement?
A. Core dump
B. Reference monitor
C. Process manager
D. Security control
The reference monitor is the primary component that enforces access control on data and
devices and is implemented by the security kernel. The security kernel must also control all
access, must be protected from modification or change, and must be verified and tested to be
correct.
26. A TOC/TOU (Time of Check to Time of Use) attack is best described by which of the following?
A. A type of session hijack
B. An asynchronous attack
C. A buffer overflow
D. A spoofing attack
An asynchronous attack exploits the timing difference between when a security control is applied
and when the authorized service is used.
27. Mela has sat down to log onto a computer so that she can complete a customer order form.
She has not yet typed anything. The cursor is flashing in the field following a prompt asking
for her username. Assuming that the computer is running properly, and all is as it appears,
what state is the login process in?
A. New state
B. Running state
C. Ready state
D. Blocked state
A process is in a blocked state when it is waiting for user input. It is in a ready state when it is
waiting to send instructions to the CPU. It is in a running state while the CPU is executing those
instructions. The process is in a new state before it has been loaded into memory.
28. A host intrusion detection program has logged a process that continually wakes up to access
a file and update the file’s timestamp and then goes back to sleep. The process has been
waking and sleeping on an erratic but consistent schedule. The alert has documented the
event as suspicious covert activity. What minimum certification level specifies a security
requirement to ensure that no covert activity will occur?
A. A1
B. B1
C. C1
D. D1
The lowest division and class that accounts for covert channels is B2, which is not one of the
possible answers. So B2, B3, and A1 (B2 or higher) all satisfy the stipulated requirement.
29. Bret is at a low level of security. Josh, Bret’s boss, is at a high level of security. Bret is
responsible for preparing a weekly report for Josh and has embedded a hidden macro in it.
Bret has told Josh not to worry about any macros, because they are just there for formatting.
However, the macro actually writes top-secret information to a shared network folder to
which Bret has access. What type of attack has Bret launched?
A. Maintenance hook
B. Backdoor
C. Covert channel
D. TOC/TOU attack
Bret is attempting to launch a covert channel attack. He is using Josh’s level of access to write
data to a lower level of security.
30. Which cloud-based service would handle support functions during the SDLC process?
A. MaaS
B. IaaS
C. SaaS
D. PaaS
PaaS provides a platform for your use. Services provided by this model can help during all phases
of the system development life cycle (SDLC) and can use application program interfaces (APIs),
website portals, or gateway software.
DOMAIN 7
1. The end result of implementing the principle of least privilege means which of the following?
A. Users would get access to only the info for which they have a need to know.
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.
The principle of least privilege refers to allowing users to have only the access they need and not
anything more. Thus, certain users may have no need to access any of the files on specific
systems.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1236-1237)
2. Which method of encryption was reported to have been used by al Qaeda before 9/11 and
functions by hiding information inside a picture or graphic?
A. Port Redirection
B. Stealthography
C. Steganography
D. Tunneling
Steganographic programs take a piece of information and hide it within another. Steganography
can use pictures, graphics, or sound files.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.774-777)
3. An audit trail record should include sufficient information to trace a user’s actions and events.
Which of the following information in the audit trail record can help determine if the user
was a masquerader or the actual person specified?
A. The user identification associated with the event
B. The date and time associated with the event
C. The program used to initiate the event
D. The command used to initiate the event
An audit trail should include sufficient information to establish what events occurred and who
(or what) caused them. In general, an event record should specify when the event occurred, the
user ID associated with the event, the program or command used to initiate the event, and the
result. Date and timestamps can help determine if the user was a masquerader or the actual
person specified.
Reference: The CISSP Prep Guide: Gold Edition, Ronald Krutz & Russell Vines (p.319-320)

4. Attackers are always looking for ways to identify systems. One such method is to send a TCP SYN to a
targeted port. What would an attacker expect to receive in response to indicate an open port?

A. SYN

B. SYN ACK

C. ACK

D. ACK FIN

TCP is a connection-oriented protocol. As such, it attempts to complete a three-step handshake at the


beginning of a communication session. The three steps are as follows:

SYN

SYN ACK

ACK
5. Mark uses Telnet to connect to several open ports on a victim computer and capture the banner
information. What is the purpose of his activity?

A. Scanning

B. Fingerprinting

C. Attempting a DoS

D. Privilege escalation

Fingerprinting is the act of service and OS identification. Fingerprinting allows an attacker to formulate a
plan of system attack. Scanning is the act of identifying open ports. DoS is a denial of service. Privilege
escalation requires an active connection or system access.

6. The attacker waits until his victim establishes a connection to the organization’s FTP server. Then, he
executes a program that allows him to take over the established session. What type of attack has
taken place?

A. Password attack

B. Spoofing

C. Session hijack

D. ARP redirection

A session hijack is the process of taking over an established legitimate session. This type of attack gives an
attacker an authenticated connection into a network.

7. Which form of information gathering is considered very low tech but can enable attackers to gather
usernames, passwords, account information, customer information, and more?

A. Fingerprinting

B. Scavenging

C. Port scanning

D. Dumpster diving

Although dumpster diving is considered very low-tech, it can be a very successful way to gather
information about an organization and its customers. The best defense against dumpster diving is to make
sure that all sensitive information is cross-shredded and properly destroyed before being disposed of.

8. You ask your new intern to harden a system that will be used as a web server. Which of the following
is the best way to perform this process?

A. Install the OS and software, configure IP routing, connect the system to the Internet and download
patches and fixes, configure packet filtering, test the system, and phase the system into operation.

B. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the
Internet and download patches and fixes, test the system, and phase the system into operation.

C. Install the OS and software, download patches and fixes, configure IP routing, configure packet filtering,
test the system, and connect the system to the Internet.

D. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the
Internet, and test the system.

This is the proper order: install the OS and software, download patches and fixes, configure IP routing,
configure packet filtering, test the system, and connect the system to the Internet. Not until the system
is fully hardened and configured should it be connected to the Internet.

9. CCP, Inc., is preparing to implement auditing. To meet this goal, May has been asked to review all
company security policies and examine the types of normal activity on the network. What has she
been asked to do?

A. Look for vulnerabilities

B. Develop a baseline

C. Determine network utilization

D. Search for security violations

Before you can determine what inappropriate activity is, you must determine what is appropriate. This
process is known as baselining, and it involves the following two tasks:

Analysis of company policy: This helps determine what constitutes a potential security incident or event
within your organization.

Examination of current network and system activity: Reviewing audit logs gives you a better
understanding of normal usage patterns and what should and should not be happening.

10. Lance has installed a root kit on a networked Linux computer. What is its purpose?

A. To serve as a backdoor

B. For administrative control

C. For penetration testing

D. For vulnerability mapping

Root kits are additional programs that may take the place of legitimate programs (such as ls, cat, and pwd
in UNIX and Linux). They can give attackers unauthenticated access. After one of these programs has been
installed, the attacker can return to the computer later and access it without providing login credentials
or without going through any type of authentication process.

11. Simon’s new position includes responsibility for the day-to-day security of the network. The previous
employee who held this job configured the network to be default open. Now, Simon has decided that
he should go through critical systems, reload the OS, and verify that unneeded programs and services
are not installed. What is Simon doing?

A. Vulnerability scanning

B. Hardening

C. Bastioning

D. Configuring the devices to the principle of full privilege

Hardening is the process of identifying what a specific machine will be used for and removing or disabling
all system components, programs, and services that are not necessary for that function. This vastly
increases the system’s security.

12. You are hired by a small software firm to test its security systems and to look for potential ways to
bypass authentication controls on Linux servers. You are asked to see whether it is possible to get root
access on the Apache web server. What type of testing have you been hired to do?

A. Vulnerability

B. Penetration

C. Scanning

D. Mapping

Penetration testing is the process of testing a network’s defenses and attempting to bypass its security
controls. The goal is to understand the organization’s vulnerability to attack. These types of tests are
performed with written consent of the network’s owner and may be attempted by internal employees or
external consultants.

13. Keff has been investigating the purchase of a new operations security software package. One vendor
asked him about clipping levels. What are clipping levels used for?

A. To reduce the amount of data to be evaluated

B. To set password length and maximum age

C. To set local and remote login attempts

D. To configure SNMP traps

Setting clipping levels refers to determining the trip point at which activity is logged or flagged. For
example, a clipping level of three failed remote login attempts may be set before the failed login attempt
is recorded as a violation. This also prevents brute-force attacks. This reduces the amount of data to be
evaluated and makes it easier to search for true anomalies.
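As an added example (not from the original question bank), the following Python applies a clipping level to a handful of constructed, syslog-style authentication lines. Failed logins per (user, source) pair are counted, nothing is reported until the count reaches the clipping level, and a successful login resets the counter. The log lines, host names and addresses are all constructed for the demonstration.

```python
"""Clipping-level detection over constructed auth log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines in a syslog-like format; these are not real logs.
SAMPLE_LOG = """\
Jan 10 09:01:12 host1 sshd[2201]: Failed password for alice from 192.0.2.10 port 51822 ssh2
Jan 10 09:01:15 host1 sshd[2201]: Failed password for alice from 192.0.2.10 port 51823 ssh2
Jan 10 09:01:19 host1 sshd[2201]: Accepted password for alice from 192.0.2.10 port 51824 ssh2
Jan 10 09:02:01 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 09:02:03 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 09:02:05 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 09:02:07 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 09:03:30 host1 sshd[2215]: Failed password for bob from 203.0.113.5 port 50000 ssh2
"""

# Patterns match the OpenSSH-style wording used in the constructed lines above.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def apply_clipping_level(log_text, clipping_level=3):
    """Return {(user, source): failures} for pairs that reached the clipping level.

    Failures below the level are counted but never reported, which is what
    keeps the volume of flagged events manageable. A successful login resets
    the running count for that (user, source) pair.
    """
    failures = defaultdict(int)
    violations = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = m.groups()  # (user, source)
            failures[key] += 1
            if failures[key] >= clipping_level:
                violations[key] = failures[key]
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            failures.pop(m.groups(), None)
    return violations


if __name__ == "__main__":
    for (user, source), count in apply_clipping_level(SAMPLE_LOG).items():
        print(f"violation: {count} failed logins for {user} from {source}")
```

With the default level of three, only the root attempts from 198.51.100.7 are reported; alice's two failures followed by a success never reach the trip point and produce no record to review.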

14. Your consulting firm has been asked to help a medium-sized firm secure its servers and domain
controllers. Which of the following is not a requirement for a secure computing room?

A. Controlled access

B. Dropped ceilings

C. Raised floors

D. Log files or CCTV to verify who enters or leaves the room

Controlled access, log files, and raised floors are just a few of the items that should be built into a secure
computing room. It should not have dropped ceilings or hollow-core doors, because these items make it
easier for attackers to bypass operations security.

15. Patrick is continuing his process of OS hardening. Because he usually does not work with Linux, he
comes to you with a question: On Windows machines you find network “services” running. What are
such network applications called in Linux?

A. Services

B. Applets

C. Daemons

D. PIDs

Daemons are processes or applications that run on UNIX or Linux computer systems that provide network
services. A network application in the Windows world is called a service. An applet is a program designed
to be executed from within another application. A PID is a process ID. Even though these concepts might
not be covered on the exam, they still are important for you to understand.

16. Ralph has discovered some strange chalk markings outside the front door of his business. He has also
noticed that people with laptops have been hanging around since the markings were made. What has
Ralph discovered?

A. Graffiti

B. War driving

C. Vulnerability marking

D. War chalking

War chalking is the process of identifying a wireless network. It originated from hobo code of the 1930s
and 1940s. Sometime around 2002, it began being applied to wireless networks. Common war chalking
symbols include a closed circle to indicate a closed network, two back-to-back half circles to identify an
open network, and a circle with a W in it to indicate a network with WEP encryption.

17. Which type of operations security control gives the IS department enough time to audit an individual’s
activities and may deter him or her from performing prohibited acts?

A. Terminations

B. Mandatory vacations

C. Background checks

D. Change control management

Mandatory vacations give the IS department enough time to audit an individual’s activities and may deter
that person from performing prohibited acts. The idea is that the employee will not be allowed to work
or access the network while on vacation. Terminations usually are reserved as a last resort. Background
checks help validate potential employees. Change control management is used to control hardware and
software processes that are used in the production environment.

18. Kelly Investment, Inc., has decided that its policies need to ensure that no one person can act alone
to make a financial distribution or disbursement of funds. Which of the following has the company
implemented?

A. Separation of duties

B. Job rotation

C. Mandatory vacations

D. Job classification

Separation of duties is the principle that one person acting alone should not be able to compromise an
organization’s security in any way. Job rotation and mandatory vacations are two ways in which this
principle can be enforced.

19. Doris is concerned about keeping the network free of computer viruses. Without implementing new
technical controls, which of the following is one of the most effective means to prevent the spread of
viruses?

A. Employee training

B. Network design

C. Advise users to respond to spam, requesting that their addresses no longer be used or solicited

D. Egress filtering

The most effective nontechnical control of computer viruses is through employee education. Advising
users to respond to spam not only will increase the amount of mail received, but also could increase their
risk of infection from computer viruses.

20. Which protocol do clients use to download emails to their local computer from server-based inboxes?

A. SMTP

B. SNMP

C. IMAP

D. POP3

POP3 (Post Office Protocol Version 3) is a widely used protocol that allows clients to retrieve their emails
from server-based inboxes. SMTP is an email transport protocol. SNMP is used for network management.
IMAP typically leaves messages on the server.

21. You are contacted by a rather large ISP. The ISP has accused you of sending its customers large
amounts of spam. What is the most likely explanation for this occurrence?

A. SMTP has been left enabled.

B. POP3 has been left enabled.

C. Relaying has been left enabled.

D. Your IMAP server has been hacked.

The most likely explanation of this occurrence is that a mail relay has been left enabled. Spammers find
open relays by port scanning wide ranges of IP addresses. After spammers find a mail server, they attempt
to use it to send mail to a third party. If successful, they use this system to spew their junk email. This
widely used technique allows spammers to hide their true IP address and victimize an innocent third party.

22. Black Hat Daisy has placed a sniffer on the network and is attempting to perform traffic analysis.
Which of the following is not an effective countermeasure against traffic analysis?

A. Packet padding

B. Noise transmission

C. Covert channel analysis

D. ARP redirection

Packet padding, noise transmission, and covert channels are considered effective countermeasures
against traffic analysis. Attackers use ARP redirection to redirect traffic on switched networks.

23. During orientation training at your new company, you ask if you are allowed to sell your vacation time
back to the company. You are informed that not only must you take your vacation, but you also must
take it in one block, and that other employees are already trained to rotate in and assume your job
during your absence. Why would the company refuse to buy back your vacation?

A. To ensure survival. A company is weakened if it relies too heavily on one employee.

B. To receive industry certification. When employees have multiple skill sets, a company can be certified
under ISO 27001:2005.

C. To minimize fraud. Fraudulent activities can more easily be detected when employees are rotated
periodically.

D. To lower healthcare costs. Health insurance providers are rewarding companies that encourage
preventive healthcare, such as mandatory vacations.

Mandatory vacations and job rotation help identify fraud. ISO 27001:2005 certification is awarded for
quality information security management systems and requires more checks than just demonstrated
fraud controls.

24. A maintenance hook is found during a parallel test of your new product. The programming team is
small, and the programmer is available and can quickly take out the maintenance hook so that testing
can continue. What action should you take?

A. Permit the code change, and then update the change control documentation as soon as possible.

B. Delay the modification until the change control documentation can be submitted, processed, and
approved.

C. Permit the code change. Because the product has not yet been released to production, change control
has not been initiated.

D. Prevent any changes, because the maintenance hook will be a feature of the new product.

A maintenance hook is a backdoor into an application that is sometimes used during the development
process. These hooks need to be removed before a product is released. A parallel test is performed on a
product that is deemed ready to release. This hook needs to be removed as soon as possible, and then
the change control documentation needs to be completed to record the change in the software’s
operation.

25. Several coworkers are installing an IDS, and you are asked to make an initial review. One of the
installers asks you which of the following is the worst condition for an IDS. What is your response?

A. Positive

B. Negative

C. False positive

D. False negative

The worst state for an IDS is a false negative. A false negative means that an event occurred but no alarm
was triggered.

26. While troubleshooting a network problem, a technician realized it could be resolved by opening a port
on a firewall. The technician opened the port and verified the system was now working. However, an
attacker accessed this port and launched a successful attack. What could have prevented this
problem?

A. Patch management processes

B. Vulnerability management processes

C. Configuration management processes

D. Change management processes

Change management processes would ensure that changes are evaluated before being implemented to
prevent unintended outages or needlessly weakening security. Patch management ensures systems are
up-to-date, vulnerability management checks systems for known vulnerabilities, and configuration
management ensures that systems are deployed similarly, but these other processes wouldn’t prevent an
unauthorized change.

27. What would an administrator use to check systems for known issues that attackers may use to exploit
the systems?

A. Versioning tracker

B. Vulnerability scanner

C. Security audit

D. Security review

Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability
management program. Versioning is used to track software versions and is unrelated to detecting
vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but
wouldn’t directly check systems for vulnerabilities.

28. An organization has an incident response plan that requires reporting incidents after verifying them.
For security purposes, the organization has not published the plan. Only members of the incident
response team know about the plan and its contents. Recently, a server administrator noticed that a
web server he manages was running slower than normal. After a quick investigation, he realized an
attack was coming from a specific IP address. He immediately rebooted the web server to reset the
connection and stop the attack. He then used a utility he found on the Internet to launch a protracted
attack against this IP address for several hours. Because attacks from this IP address stopped, he didn’t
report the incident. What should have been done before rebooting the web server?

A. Review the incident

B. Perform remediation steps

C. Take recovery steps

D. Gather evidence

Security personnel should have gathered evidence for possible prosecution of the attacker. The first
response after detecting and verifying an incident is to contain the incident, but it could have been
contained without rebooting the server. The lessons learned stage includes review, and it is the last stage.
Remediation includes a root cause analysis to determine what allowed the incident, but this is done late
in the process. In this scenario, rebooting the server performed the recovery.

29. What combination of backup strategies provides the fastest backup creation time?

A. Full backups and differential backups

B. Partial backups and incremental backups

C. Full backups and incremental backups

D. Incremental backups and differential backups

Any backup strategy must include full backups at some point in the process. Incremental backups are
created faster than differential backups because of the number of files it is necessary to back up each
time.

30. What type of incident is characterized by obtaining an increased level of privilege?

A. Compromise

B. Denial of service

C. Malicious code

D. Scanning

Any time an attacker exceeds their authority, the incident is classified as a system compromise. This
includes valid users who exceed their authority as well as invalid users who gain access through the use
of a valid user ID.

DOMAIN 8

1. Which of the following best describes the Waterfall model?

A. The Waterfall model states that development is built one stage at a time, at which point the results
flow to the next stage.

B. The Waterfall model states that development should progress in a parallel fashion, with a strong change
control process being used to validate the process.

C. The Waterfall model states that the development process proceeds in a series of discrete steps, each
completed before proceeding to the next.

D. The Waterfall model states that all the various phases of software development should proceed at the
same time.

The Waterfall model states that the development process proceeds in a series of discrete steps, each
completed before proceeding to the next.

Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1112)

2. Jerry has top-secret access to a database and can see that the USS Yorktown has left for Iraq. Ted has
only public access to the same database. He can see that the ship has left port. However, the record
shows that it is bound for Spain. What is this called?

A. Polyinstantiation

B. Tuple

C. Schema

D. Knowledgebase system

Polyinstantiation allows different versions of the same information to exist at different classification levels
within a database. This permits a security model that can have multiple views of the same information,
depending on your clearance level.

Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1186-1187)

3. Which of the following phases of Software Development Life Cycle normally addresses Due Care and
Due Diligence?

A. Implementation

B. System Feasibility

C. Product Design

D. Software Plans and Requirements

The software plans and requirements phase addresses threats, vulnerabilities, security requirements,
reasonable care, due diligence, legal liabilities, cost/benefit analysis, level of protection desired and test
plans.

Reference: The CISSP Prep Guide:Gold Edition, Ronald Krutz & Russel Vines (p.346)

4. During which stage of the software development life cycle should security be implemented?

A. Development

B. Project initiation

C. Deployment

D. Installation

Security should be implemented at the initiation of a project. When security is added during the project
initiation phase, substantial amounts of money can be saved.

5. Which of the software development life cycle phases is the point at which new systems need to be
configured and steps need to be taken to make sure that security features are being used in the
intended way?

A. System Design Specifications

B. Operation and Maintenance

C. Functional Design Analysis and Planning

D. Installation and Implementation

The Operation and Maintenance phase of the SDLC is the point at which new systems need to be
configured and steps need to be taken to make sure that no new vulnerabilities or security compromises
take place. It is also at this step that if major changes are made to the system, network, or environment,
the certification and accreditation process may need to be repeated.

6. Alex is building your company’s new data warehouse. In a meeting, he said, “Data in the data
warehouse needs to be normalized.” What does this mean?

A. Data is divided by a common value.

B. Data is restricted to a range of values.

C. Data is averaged.

D. Redundant data is removed.

Normalization is the process of removing redundant data. It speeds the analysis process. Normalization is
not the process of dividing by a common value, restricting to a range of values, or averaging the data.

7. Java-enabled web browsers allow Java code to be embedded in a web page, downloaded across the
Net, and run on a local computer. This makes the security of the local computer a big concern. With
this in mind, how does the Java runtime system ensure secure execution of the Java code?

A. Digital certificates

B. Sandbox

C. Applet boundaries

D. Defense-in-depth

The sandbox is a set of security rules that are put in place to prevent Java from having unlimited access to
memory and OS resources. It creates an environment in which there are strict limitations on what the Java
code can request or do.

8. Which of the following technologies establishes a trust relationship between the client and the server
by using digital certificates to guarantee that the server is trusted?

A. ActiveX

B. Java

C. Proxy

D. Agent

ActiveX establishes a trust relationship between the client and server by using digital certificates to
guarantee that the server is trusted. The shortcoming of ActiveX is that security is really left to the end
user. Users are prompted if any problems are found with a certificate. Therefore, even if the certificate is
invalid, a user can override good policy by simply accepting the possibly tainted code.

9. Rick just downloaded a game from a peer-to-peer network. Although the game seemed to install OK,
his computer now is acting strangely. The mouse cursor moves by itself, URLs are opening on their
own, and his web camera keeps turning itself on. What has happened?

A. A logic bomb was installed.

B. A RAT (Remote-Access Trojan) was installed.

C. A DDoS client was installed.

D. An email virus was installed

It is very likely that the game Boyd installed was bundled with a RAT (Remote-Access Trojan). The
executable seems accessible, but after installation is performed, the Trojan program is loaded into the
victim’s computer. RATs can control programs and, through the backdoor they open, turn on hardware,
open CD-ROM drives, and perform other malicious and ill-willed acts.

10. Which language, when used for development of your company’s front-end application, results in a
program that is least likely to have vulnerable code?

A. Machine code

B. Assembler code

C. C code

D. SQL code

The higher the level of language you use when programming, the less likely it is that the code will have
unintended flaws that can be attacked. Instead of using C, you should use C++, but both of these are third-
generation languages (3GL). SQL is a fourth-generation language (4GL).

11. Expert systems use forward and reverse chaining that is based on what?

A. The inference engine

B. Certainty factors

C. The rulebase

D. Neural structures

The inference engine creates the forward and reverse chains. Certainty factors reflect a confidence level
that permits the chaining to occur. The rulebase describes what is known. Neural structures belong in
artificial neural networks, not expert systems.

12. What is the most common problem related to audit logs?

A. Audit logs can be examined only by auditors.

B. Audit logs use parsing tools that distort the true record of events.

C. Audit logs are not backed up.

D. Audit logs are collected but not analyzed.

One of the most common problems with audit logs is that they are collected but not analyzed. Often, no
one is interested in the audit logs until someone reports a problem. Even though it isn’t a technical
problem, this is an administrative and policy issue, because no analysis takes place.

13. When you’re dealing with mobile code and wireless devices, many security issues can arise. For
example, when you’re working with wireless devices that are using Wireless Application Protocol
(WAP), which of the following is the primary security concern?

A. WAP is not a secure protocol.

B. The web server that the wireless device is communicating with via SSL may have vulnerabilities.

C. The wireless device may have vulnerabilities in its OS.

D. The WAP gateway can be targeted by attackers.

The primary vulnerability is the WAP gateway. WAP requires some type of conversion, and this conversion
is performed on the gateway. This means that, for a short period of time, the data is in a clear format
while being converted from WAP to SSL, TLS, or another encrypted format. This makes the gateway an
attractive target.

14. Which type of database combines related records and fields into a logical tree structure?

A. Relational

B. Hierarchical

C. Object-oriented

D. Network

A hierarchical database combines related records and fields into a logical tree structure. A relational
database uses columns and rows to organize the information. An object-oriented database is considered
much more dynamic than earlier designs because it can handle not only data but also audio, images, and
other file formats. A network database is unique in that it supports multiple parent or child records.

15. How can referential integrity best be defined?

A. Structural and semantic rules are enforced.

B. Semantic rules are enforced.

C. Structural rules are enforced.

D. All foreign keys reference existing primary keys.

Referential integrity ensures that all foreign keys reference existing primary keys.

16. While browsing the company directory, you notice that your address is incorrect. To rectify the
situation, you decide to modify the database that holds this information. Although the change seems
to work, you notice later that the information has reverted to the previous, incorrect information.
What do you believe is the source of the problem?

A. The user does not have modification rights.

B. The schema does not allow changes from the user’s machine.

C. Someone in personnel has put a lock on the cell.

D. Replication integrity is inaccurate due to mismatched times.

The most likely cause of the problem is invalid time synchronization. In a distributed environment, this
can cause a server to overwrite newer data.

17. Ian’s new job at the headquarters of a major grocery store has him examining buyer trends. He uses
the database to find a relationship between beer and diapers. He discovers that men over 20 are the
primary buyers of these two items together after 10 p.m. What best describes Ian’s actions?

A. Data warehousing

B. Metadata

C. Data mining

D. Atomicity

Ian is data mining—searching for unseen relationships. A data warehouse is used for data storage and can
combine data from multiple sources. Metadata is used to discover the unseen relationships between data.
Atomicity is used to divide work into units that are processed completely or not at all.

18. Your application developer has created a new module for a customer-tracking system. This module
will result in greater productivity. The application has been examined and tested by a second person
in the development group. A summary of the test shows no problems. Based on the results, which of
the following is not a recommended best practice?

A. The new code should be passed to quality assurance personnel so that they can certify the application.

B. The application should be placed into operations and implemented.

C. An accrediting official should wait for the results of certification.

D. All changes must be logged in the change management database (CMDB).

Before this significant change is made, the module should be technically tested (certification) and
administratively approved (accreditation).

19. Jason has become concerned that a citizen programmer in the group has developed code for others
in the department. What should be your primary concern?

A. That the programs are tested by others in the department

B. That the programs have not been certified and verified

C. That a copy of the code is held in a library

D. That the code is adequately commented

Citizen (casual) programmers are people who can code but who do so from outside the SDLC process. The
concern here is that they are writing programs and allowing others within the department to use them
without any type of certification process. These programs have not been shown to work effectively or
produce repeatable results. Lack of certification and review is a real problem.

20. With regard to database operations, canceling a set of changes and restoring the database to its prior
state is called what?

A. Savepoint

B. Commit

C. Rollback

D. Audit point

A commit completes the transaction. A savepoint is designed to allow the system to return to a certain
point should an error occur. A rollback is similar, except that it is used when changes need to be canceled.
An audit point is used as a control point to verify input, process, or output data.
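The referential-integrity rule from question 15 and the commit, savepoint and rollback operations from question 20 can be watched in action with the standard-library sqlite3 module. This is an added example, not material from the question bank; the customers/orders tables and the single row in them are constructed for the demonstration. Note that SQLite only enforces foreign keys after `PRAGMA foreign_keys = ON`, so an engine-specific setting is part of getting the guarantee at all.

```python
"""Referential integrity, savepoint and rollback with sqlite3 (added example)."""
import sqlite3


def make_db():
    """In-memory database with constructed tables: orders must reference a customer."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None           # no implicit transactions; we issue BEGIN/COMMIT ourselves
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces REFERENCES only when this is on
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        """CREATE TABLE orders (
               id INTEGER PRIMARY KEY,
               customer_id INTEGER NOT NULL REFERENCES customers(id),
               amount INTEGER NOT NULL)"""
    )
    conn.execute("INSERT INTO customers (id, name) VALUES (1, 'alice')")
    return conn


def insert_order(conn, customer_id, amount):
    """True if accepted, False if the foreign key rejected a dangling customer_id."""
    try:
        conn.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                     (customer_id, amount))
        return True
    except sqlite3.IntegrityError:   # referential integrity violated
        return False


def order_count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def two_inserts_with_savepoint(conn, undo_second):
    """Two inserts in one transaction; a savepoint lets only the second be undone."""
    conn.execute("BEGIN")
    conn.execute("INSERT INTO orders (customer_id, amount) VALUES (1, 10)")
    conn.execute("SAVEPOINT before_second")
    conn.execute("INSERT INTO orders (customer_id, amount) VALUES (1, 20)")
    if undo_second:
        conn.execute("ROLLBACK TO SAVEPOINT before_second")  # returns to the savepoint only
    conn.execute("RELEASE SAVEPOINT before_second")
    conn.execute("COMMIT")                                    # makes the surviving work permanent
    return order_count(conn)


def abandoned_transaction_leaves_no_trace(conn):
    """ROLLBACK cancels every change made since BEGIN."""
    before = order_count(conn)
    conn.execute("BEGIN")
    conn.execute("INSERT INTO orders (customer_id, amount) VALUES (1, 99)")
    conn.execute("ROLLBACK")
    return order_count(conn) == before


if __name__ == "__main__":
    db = make_db()
    print("valid order accepted:", insert_order(db, 1, 5))
    print("dangling order accepted:", insert_order(db, 42, 5))
    print("rows after savepoint rollback:", two_inserts_with_savepoint(db, undo_second=True))
    print("full rollback left no trace:", abandoned_transaction_leaves_no_trace(db))
```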

21. With a relational database management system, you can constrain what a particular application or
user sees by using what?

A. Schema

B. Device media control language (DMCL)

C. Data mine

D. Database view

A database view allows the database administrator to control what a specific user at a specific level of
access can see. For example, an HR employee may be able to see department payroll totals but not
individual employee salaries. A schema is the structure of the database. DMCL is unrelated to databases.
Data mining is the process of analyzing metadata.

22. You are asked to develop an advanced program that will interact with users. You are asked to look at
knowledge-based systems. As such, expert systems use what type of information to make a decision?

A. if...then statements

B. Weighted computations

C. A process similar to that used by the human brain (reasoning)

D. Weighted computations based on previous results

An expert system is unique in that it contains a knowledge base of information and mathematical
algorithms that use a series of if...then statements to infer facts from data.

23. Which of the following is a project-development method that uses pairs of programmers who work
off of detailed specifications?

A. Waterfall

B. Spiral

C. Extreme

D. RAD

Extreme programming, which is an off-shoot of agile, uses pairs of programmers who work from detailed
specifications.

24. Tom is using a commercial program that is free to use without pay with only limited functionality. This
is most correctly called what?

A. Commercial software

B. Freeware

C. Shareware

D. Crippleware

Crippleware, or trialware, is software that is partially functioning proprietary software that can be used
without payment.

25. Which of the following allows objects written with different OOP languages to communicate?

A. OOA

B. COM

C. OOD

D. CORBA

COM enables objects written in different languages to communicate. OOA and OOD are software design
methodologies, and CORBA is vendor-neutral middleware.

26. Walter built a database table consisting of the names, telephone numbers, and customer IDs for his
business. The table contains information on 30 customers. What is the degree of this table?

A. Two

B. Three

C. Thirty

D. Undefined

The cardinality of a table refers to the number of rows in the table while the degree of a table is the
number of columns.

27. Which one of the following types of attacks relies on the difference between the timing of two events?

A. Smurf

B. TOCTTOU

C. Land

D. Fraggle

The time-of-check-to-time-of-use (TOCTTOU) attack relies on the timing of the execution of two events.
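To make the check-versus-use gap concrete, here is an added Python example (not from the question bank) of a file read that first checks a path and then opens it, beside a version that opens first and checks the descriptor it actually holds. The `between` hook is a constructed stand-in for whatever happens in the window between the two events; the temporary files and their contents are constructed as well. It relies on the POSIX `O_NOFOLLOW` flag, so it is written for Linux or another Unix-like system.

```python
"""TOCTTOU: check-then-use beside check-on-the-handle (added example)."""
import os
import stat
import tempfile


def read_if_regular_unsafe(path, between=None):
    """Vulnerable pattern: the check (lstat) and the use (open) are two separate events.

    `between` simulates what the filesystem may look like in the gap; a constructed
    hook for the demonstration, not something a real program would expose.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    if between:
        between()
    with open(path, "rb") as f:      # open() follows whatever the path points at now
        return f.read()


def read_if_regular_safe(path, between=None):
    """Hardened pattern: open once, refuse to follow links, then inspect the open handle."""
    if between:
        between()                     # whatever changed, we still only examine what we opened
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                   # e.g. the path became a symbolic link
        return None
    try:
        st = os.fstat(fd)             # properties of the object we hold, not of a path
        if not stat.S_ISREG(st.st_mode):
            return None
        with os.fdopen(fd, "rb") as f:
            fd = -1                   # fdopen now owns (and will close) the descriptor
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demonstrate():
    """Run both readers against a constructed swap in the check/use window."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"secret")

        def write_public():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"public")

        def swap():                   # the path is re-pointed inside the window
            os.remove(public)
            os.symlink(secret, public)

        write_public()
        unsafe_raced = read_if_regular_unsafe(public, between=swap)
        write_public()
        safe_raced = read_if_regular_safe(public, between=swap)
        write_public()
        safe_normal = read_if_regular_safe(public)
        return {"unsafe_raced": unsafe_raced,
                "safe_raced": safe_raced,
                "safe_normal": safe_normal}


if __name__ == "__main__":
    print(demonstrate())
```

The unsafe reader passes its own check and still returns the contents of the other file, because the check and the open looked at the path at two different moments; the hardened reader answers only for the object it actually opened and declines the link outright.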

28. What file is instrumental in preventing dictionary attacks against Unix systems?

A. /etc/passwd

B. /etc/shadow

C. /etc/security

D. /etc/pwlog

Shadow password files move encrypted password information from the publicly readable /etc/passwd file
to the protected /etc/shadow file.

29. What database technology, if implemented for web forms, can limit the potential for SQL injection
attacks?

A. Triggers

B. Stored procedures

C. Column encryption

D. Concurrency control

Developers of web applications should leverage database stored procedures to limit the application’s
ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database
server and may only be modified by database administrators.
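The underlying principle is that the SQL text is fixed ahead of time and the user-supplied value is passed only as data. As an added example (not from the question bank), the following Python shows a lookup that splices the input into the statement beside one that binds it as a parameter. SQLite has no stored procedures, so the hardened form here uses a parameterized statement, which gives the same separation of code from data; the customer rows are constructed for the demonstration.

```python
"""SQL injection: string-built query beside the parameterized form (added example)."""
import sqlite3


def make_db():
    """In-memory table with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Unsafe: the untrusted value becomes part of the SQL text itself."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened: the statement is fixed; the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"     # textbook input that changes the meaning of the unsafe query
    print("vulnerable:", lookup_vulnerable(db, tautology))      # every row comes back
    print("parameterized:", lookup_parameterized(db, tautology))  # no customer has that name
```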

30. Ren’s system was infected by malicious code that modified the operating system to allow the
malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Escalation of privilege

B. Back door

C. Rootkit

D. Buffer overflow

Back doors are undocumented command sequences that allow individuals with knowledge of the back
door to bypass normal access restrictions.
