A. Control
B. Audit
C. Access
D. Repudiate
Accessibility of data, objects, and resources is the goal of availability. If a security mechanism
offers availability, then it is highly likely that the data, objects, and resources are accessible to
authorized subjects.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.6-7)
4. If an organization contracts with outside entities to provide key business functions or services,
such as account or technical support, what is the process called that is used to ensure that
these entities support sufficient security?
A. Asset identification
B. Third-party governance
C. Exit interview
D. Qualitative analysis
Third-party governance is the application of security oversight on third parties that your
organization relies on.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.59)
5. While performing a risk analysis, you identify a threat of fire and a vulnerability because there
are no fire extinguishers. Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage
to equipment.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.63-64)
6. You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk
relation. You select a possible countermeasure. When performing the calculations again,
which of the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
A countermeasure directly affects the annualized rate of occurrence, primarily because the
countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency
per year.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.65-67)
7. You are concerned about the risk that a hurricane poses to your corporate headquarters in
South Florida. The building itself is valued at $15 million. After consulting with the National
Weather Service, you determine that there is a 10 percent likelihood that a hurricane will
strike over the course of a year. You hired a team of architects and engineers who determined
that the average hurricane would destroy approximately 50 percent of the building. What is
the annualized loss expectancy (ALE)?
A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million
This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From
the scenario, you know that the ARO is 0.10 (or 10 percent). The SLE is the asset value multiplied
by the exposure factor: $15 million × 50 percent = $7.5 million. Multiplying the SLE by the ARO
yields an ALE of $750,000.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.65-69)
8. In which business continuity planning task would you actually design procedures and
mechanisms to mitigate risks deemed unacceptable by the BCP team?
A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization
In the provisions and processes phase, the BCP team actually designs the procedures and
mechanisms to mitigate risks that were deemed unacceptable during the strategy development
phase.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.116)
9. Of the individuals listed, who would provide the best endorsement for a business continuity
plan’s statement of importance?
A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager
You should strive to have the highest-ranking person possible sign the BCP’s statement of
importance. Of the choices given, the chief executive officer is the highest ranking.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.109)
10. Matthew recently authored an innovative algorithm for solving a mathematical problem, and
he wants to share it with the world. However, prior to publishing the software code in a
technical journal, he wants to obtain some sort of intellectual property protection. Which
type of protection is best suited to his needs?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
Copyright law is the only type of intellectual property protection available to Matthew. It covers
only the specific software code that Matthew used. It does not cover the process or ideas behind
the software. Trademark protection is not appropriate for this type of situation. Patent
protection does not apply to mathematical algorithms. Matthew can’t seek trade secret
protection because he plans to publish the algorithm in a public technical journal.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.133)
11. What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act?
A. Health care
B. Banking
C. Law enforcement
D. Defense contractors
The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way
financial institutions can handle private information belonging to their customers.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.143)
12. What compliance obligation relates to the processing of credit card information?
A. SOX
B. HIPAA
C. PCI DSS
D. FERPA
The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in
the storage, transmission, and processing of credit card information.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.180)
13. What act updated the privacy and security requirements of the Health Insurance Portability
and Accountability Act (HIPAA)?
A. HITECH
B. CALEA
C. CFAA
D. CCCA
The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009
amended the privacy and security requirements of HIPAA.
Reference: CISSP Study Guide 7th Ed, James Stewart | Mike Chapple | Darril Gibson (p.141)
14. Under intellectual property law what would you call information that companies keep secret
to give them an advantage over their competitors?
A. Copyright
B. Patent
C. Trademark
D. Trade Secrets
Trade Secrets are information that companies keep secret to give them an advantage over their
competitors.
Example: The formula for Coca-Cola is the most famous trade secret.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.999)
15. Stationary and removable media storage volumes all carry an expected life span rating from
the manufacturer. What property might you examine to realize this life expectancy rating?
Although elements of all of the systems described could require specific controls for
confidentiality, given the descriptions above, system b fits the definition most closely of a system
requiring a very high level of confidentiality.
26. What type of alternate processing facility contains a full complement of computing
equipment in working order with copies of data ready to go?
A. Hot site
B. Warm site
C. Cold site
D. Cloud site
Hot sites are ready to assume full operational capacity at a moment’s notice.
27. A risk analysis has determined that a knowledge base server has a value of $138,000 and an
exposure factor of a specific threat of 45%. The Annualized Rate of Occurrence (ARO) for this
threat is one in ten years. Based on this information what is the Annual Loss Expectancy (ALE)
for the asset?
A. $1800
B. $62,100
C. $140,000
D. $6210
Annual Loss Expectancy (ALE) determines the loss a company can incur if a specific threat is
realized. In this example, the Single Loss Expectancy (SLE) for the knowledge base server is
$62,100. The Annualized Rate of Occurrence (ARO) is 0.1.
Errors of omission often include insufficient documentation of legitimate data values, which
could affect the interpretation of those values. These errors may be harder to detect and correct,
but many of them should be revealed by rigorous QC procedures.
29. Which of the following BEST determines the employment suitability of an individual?
A. Job rank or title
B. Partnership with the security team
C. Role
D. Background investigation
A background investigation relevant to the role, job, or access is the best approach for minimizing
security problems. While a background investigation will not guarantee the integrity or honesty
of an individual, it will give the organization a glimpse into the individual's history and
references.
30. Which of the following processes is concerned with not only identifying the root cause but
also addressing the underlying issue?
A. Incident management
B. Problem management
C. Change management
D. Configuration management
While incident management is concerned primarily with managing an adverse event, problem
management is concerned with tracking that event back to a root cause and addressing the
underlying problem. Maintaining system integrity is accomplished through the process of change
control management. Configuration management is a process of identifying and documenting
hardware components, software, and the associated settings.
DOMAIN 3
1. Which of the following is true about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.
Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication
protocol. It was designed and developed in the mid-1980s by MIT. It is considered open source
but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to
encrypt and decrypt the keys.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.209)
2. In which of the following security models is the subject's clearance compared to the object's
classification such that specific rules can be applied to control how the subject-to-object
interactions take place?
A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model
The Bell-LaPadula model was developed by the US military in the 1970s. It is also called a
multilevel security system because users with different clearances use the system, and the
system processes data with different classification levels. The level at which information is
classified determines the handling procedures that should be used. The Bell-LaPadula model is a
state machine model that enforces the confidentiality aspects of access control. A matrix and
security levels are used to determine whether subjects can access different objects. The subject's
clearance is compared to the object's classification, and then specific rules are applied to control
how subject-to-object interactions can take place.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.369)
3. Which of the following is NOT a true statement regarding the implementation of the 3DES
modes?
A. DES-EEE1 uses one key
B. DES-EEE2 uses two keys
C. DES-EEE3 uses three keys
D. DES-EDE2 uses two keys
There is no DES mode called DES-EEE1. It does not exist.
The following are the correct modes for triple-DES (3DES):
DES-EEE3 uses three different keys for encryption, and the data are encrypted, encrypted,
encrypted.
DES-EDE3 uses three different keys for encryption, and the data are encrypted, decrypted, and
encrypted.
DES-EEE2 is the same as DES-EEE3 but uses only two keys; the first and third encryption
processes use the same key.
DES-EDE2 is the same as DES-EDE3 but uses only two keys; the first and third encryption
processes use the same key.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.808)
4. What would you call a microchip installed on the motherboard of modern computers that is
dedicated to carrying out security functions involving the storage and processing of
symmetric and asymmetric keys, hashes, and digital certificates?
A. Trusted Platform Module (TPM)
B. Trusted BIOS Module (TBM)
C. Central Processing Unit (CPU)
D. Arithmetic Logic Unit (ALU)
The Trusted Platform Module (TPM) was devised by the Trusted Computing Group (TCG), an
organization that promotes open standards to help strengthen computing platforms against
security weaknesses and attacks.
The TPM is essentially a securely designed microcontroller with added modules to perform
cryptographic functions. These modules allow for accelerated processing and storage of
cryptographic keys, hash values, and pseudorandom number sequences.
The TPM's internal storage is based on nonvolatile random access memory, which retains its
information when power is turned off and is therefore termed nonvolatile. The TPM is used to
deter any attempts to tamper with a system's configuration.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.843)
5. Brad uses Telnet to connect to several open ports on a victim computer and capture the
banner information. What is the purpose of his activity?
A. Scanning
B. Fingerprinting
C. Attempting a DoS
D. Privilege escalation
Fingerprinting is the act of service and OS identification. Fingerprinting allows an attacker to
formulate a plan of system attack.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.1287-1288)
6. Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The
originator encrypts information using the intended recipient's "public" key in order to get
confidentiality of the data being sent. The recipients use their own "private" key to decrypt
the information. The "Infrastructure" of this methodology ensures that:
A. The sender and recipient have reached a mutual agreement on the encryption key exchange
that they will use.
B. The channels through which the information flows are secure.
C. The recipient's identity can be positively verified by the sender.
D. The sender of the message is the only other person with access to the recipient's private key.
Through the use of Public Key Infrastructure (PKI) the recipient's identity can be positively verified
by the sender.
The sender of the message knows he is using a public key that belongs to a specific user. He can
validate through the Certification Authority (CA) that a public key is in fact the valid public key of
the receiver and that the receiver is really who he claims to be. By using the public key of the
recipient, only the recipient using the matching private key will be able to decrypt the message.
When you wish to achieve confidentiality, you encrypt the message with the recipient's public key.
If the sender would wish to prove to the recipient that he is really who he claims to be then the
sender would apply a digital signature on the message before encrypting it with the public key of
the receiver. This would provide Confidentiality and Authenticity of the message. A PKI (Public
Key Infrastructure) enables users of an insecure public network, such as the Internet, to securely
and privately exchange data through the use of public key-pairs that are obtained and shared
through a trusted authority, usually referred to as a Certificate Authority.
The PKI provides for digital certificates that can vouch for the identity of individuals or
organizations, and for directory services that can store, and when necessary, revoke those digital
certificates. A PKI is the underlying technology that addresses the issue of trust in a normally
untrusted environment.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.833-834)
7. In a relational database, what type of key is used to uniquely identify a record in a table and
can have multiple instances per table?
A. Candidate key
B. Primary key
C. Unique key
D. Foreign key
A candidate key is a subset of attributes that can be used to uniquely identify any record in a
table. No two records in the same table will ever contain the same values for all attributes
composing a candidate key. Each table may have one or more candidate keys, which are chosen
from column headings.
8. Which of the following would NOT be a component of a general enterprise security
architecture model for an organization?
A. Information and resources to ensure the appropriate level of risk management
B. Consideration of all the items that comprise information security, including distributed
systems, software, hardware, communications systems, and networks
C. A systematic and unified approach for evaluating the organization’s information systems
security infrastructure and defining approaches to implementation and deployment of
information security controls
D. IT system auditing
The auditing component of the IT system should be independent and distinct from the
information system security architecture for a system.
9. In order to recognize the practical aspects of multilevel security in which, for example, an
unclassified paragraph in a Secret document has to be moved to an Unclassified document,
the Bell-LaPadula model introduces the concept of a:
A. Simple security property
B. Secure exchange
C. Data flow
D. Trusted subject
The model permits a trusted subject to violate the *-property but to comply with the intent of
the *-property. Thus, a person who is a trusted subject could move unclassified data from a
classified document to an unclassified document without violating the intent of the *-property.
Another example would be for a trusted subject to downgrade the classification of material when
it has been determined that the downgrade would not harm national or organizational security
and would not violate the intent of the *-property. The simple security property (ss-property),
states that a subject cleared for one classification cannot read data from a higher classification.
This property is also known as the no read up property.
10. The minimum information necessary on a digital certificate is:
A. Name, expiration date, digital signature of the certifier
B. Name, expiration date, public key
C. Name, serial number, private key
D. Name, public key, digital signature of the certifier
The name of the individual is certified and bound to his/her public key. This certification is
validated by the digital signature of the certifying agent.
11. An iterated block cipher encrypts by breaking the plaintext block into two halves and, with a
subkey, applying a "round" transformation to one of the halves. Then, the output of this
transformation is XORed with the remaining half. The round is completed by swapping the
two halves. This type of cipher is known as:
A. RC4
B. Diffie-Hellman
C. RC6
D. Feistel
The question stem describes one round of a Feistel cipher. This algorithm was developed by an
IBM team led by Horst Feistel. The algorithm was called Lucifer and was the basis for the Data
Encryption Standard (DES).
12. Which of the following DES modes is typically used when small amounts of data are
encrypted, such as in ATM PIN numbers?
A. OFB
B. ECB
C. CFB
D. CBC
Electronic Code Book (ECB) mode does not use any chaining. This means that the same plaintext
will create the same ciphertext every time it is encrypted with the same key. The other DES modes
use chaining, which means some of the previously encrypted data is used in the encryption
process. These modes do not produce the repeating patterns that ECB mode does.
13. An attacker has infiltrated a company's network and is using a network mapping tool to learn
about different devices. The tool sends out multiple ping commands and port scans and waits
for responses from all of the devices. The tool then analyzes the responses to identify the
operating system type, services running and ports that are open. What is the process called?
A. Fingerprinting
B. Port scanning
C. TCP wrapping
D. Ping evaluations
Network mapping tools perform fingerprinting functions within networks. The responses
received from ping commands and port scans can provide useful information to the
requester, such as clarifying what type of device it is connected to. The attacker can also learn
what operating system software and applications are running.
14. What does AES use S-boxes for during the encryption process?
A. Chaining
B. Key exchange
C. Substitution
D. Key generation
S-boxes (substitution boxes) hold the mathematics and logic that will be performed on the
different blocks of data. These S-boxes are used by the algorithm to carry out the substitution
and transposition functions.
15. Which algorithm did NIST choose to become the Advanced Encryption Standard (AES)
replacing DES?
A. DEA
B. Rijndael
C. Twofish
D. IDEA
Rijndael is the algorithm in place today for protecting sensitive but unclassified US government
information. DES was finally broken and needed to be replaced by a stronger algorithm that
provided larger key sizes.
16. When correctly implemented, what is the only cryptosystem known to be unbreakable?
A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad
Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not
vulnerable to attacks.
17. In the 1940s, a team of cryptanalysts from the United States successfully broke a Soviet code
based on a one-time pad in a project known as VENONA. What rule did the Soviets break that
caused this failure?
A. Key values must be random.
B. Key values must be the same length as the message.
C. Key values must be used only once.
D. Key values must be protected from physical disclosure.
The cryptanalysts from the United States discovered a pattern in the method the Soviets used to
generate their one-time pads. After this pattern was discovered, much of the code was eventually
broken.
18. Which one of the following cipher types operates on large pieces of a message rather than
individual characters or bits of a message?
A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher
Block ciphers operate on message “chunks” rather than on individual characters or bits. The other
ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of
a message.
19. Raven is developing a key escrow system that requires multiple people to retrieve a key but
does not depend on every participant being present. What type of technique is he using?
A. Split knowledge
B. M of N Control
C. Work function
D. Zero-knowledge proof
M of N Control requires that a minimum number of agents (M) out of the total number of agents
(N) work together to perform high-security tasks.
20. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which
key does he use to encrypt the message?
A. Richard’s public key
B. Richard’s private key
C. Sue’s public key
D. Sue’s private key
Richard must encrypt the message using Sue’s public key so that Sue can decrypt it using her
private key. If he encrypted the message with his own public key, the recipient would need to
know Richard’s private key to decrypt the message. If he encrypted it with his own private key,
any user could decrypt the message using Richard’s freely available public key. Richard could not
encrypt the message using Sue’s private key because he does not have access to it. If he did, any
user could decrypt it using Sue’s freely available public key.
21. Lawrence wants to produce a message digest of a 2,048-byte message he plans to send to
Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this
particular message be?
A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits
The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of
the input message. In fact, this fixed-length output is a requirement of any secure hashing
algorithm.
22. What cryptosystem provides the encryption/decryption technology for the commercial
version of Phil Zimmermann’s Pretty Good Privacy secure email system?
A. ROT13
B. IDEA
C. ECC
D. ElGamal
Pretty Good Privacy uses a “web of trust” system of digital signature verification. The encryption
technology is based on the IDEA private key cryptosystem.
23. When a trusted subject violates the star property of Bell-LaPadula in order to write an object
into a lower level, what valid operation could be taking place?
A. Perturbation
B. Polyinstantiation
C. Aggregation
D. Declassification
Declassification is the process of moving an object into a lower level of classification once it is
determined that it no longer justifies being placed at a higher level. Only a trusted subject can
perform declassification because this action is a violation of the verbiage of the star property of
Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.
24. What security model has a feature that in theory has one name or label, but when
implemented into a solution, takes on the name or label of the security kernel?
A. Graham-Denning model
B. Deployment modes
C. Trusted computing base
D. Chinese Wall
The trusted computing base (TCB) has a component known as the reference monitor in theory,
which becomes the security kernel in implementation.
25. You have three applications running on a single-core single-processor system that supports
multitasking. One of those applications is a word processing program that is managing two
threads simultaneously. The other two applications are using only one thread of execution.
How many application threads are running on the processor at any given time?
A. One
B. Two
C. Three
D. Four
A single-processor system can operate on only one thread at a time. There would be a total of
four application threads (ignoring any threads created by the operating system), but the
operating system would be responsible for deciding which single thread is running on the
processor at any given time.
26. Which type of memory chip can be erased only when it is removed from the computer and
exposed to a special type of ultraviolet light?
A. ROM
B. PROM
C. EPROM
D. EEPROM
EPROMs may be erased through exposure to high-intensity ultraviolet light. ROM and PROM
chips do not provide erasure functionality. EEPROM chips may be erased through the application
of electrical currents to the chip pins and do not require removal from the computer prior to
erasure.
27. The most commonly overlooked aspect of mobile phone eavesdropping is related to which
of the following?
A. Storage device encryption
B. Screen locks
C. Overhearing conversations
D. Wireless networking
The most commonly overlooked aspect of mobile phone eavesdropping is related to people in
the vicinity overhearing conversations (at least one side of them). Organizations frequently
consider and address issues of wireless networking, storage device encryption, and screen locks.
28. What type of addressing scheme supplies the CPU with a location that contains the memory
address of the actual operand?
A. Direct addressing
B. Immediate addressing
C. Base + offset addressing
D. Indirect addressing
In indirect addressing, the location provided to the CPU contains a memory address. The CPU
retrieves the operand by reading it from the memory address provided (which is why it’s called
indirect).
29. What security principle helps prevent users from accessing memory spaces assigned to
applications being run by other users?
A. Separation of privilege
B. Layering
C. Process isolation
D. Least privilege
Process isolation provides separate memory spaces to each process running on a system. This
prevents processes from overwriting each other’s data and ensures that a process can’t read data
from another process.
30. Which of the following is a double set of doors that is often protected by a guard and is used
to contain a subject until their identity and authentication are verified?
A. Gate
B. Turnstile
C. Mantrap
D. Proximity detector
A mantrap is a double set of doors that is often protected by a guard and used to contain a subject
until their identity and authentication are verified.
31. Which of the following is not a typical type of alarm that can be triggered for physical
security?
A. Preventive
B. Deterrent
C. Repellant
D. Notification
There is no such thing as a preventive alarm. Alarms are always triggered in response to a
detected intrusion or attack.
32. No matter what form of physical access control is used, a security guard or other monitoring
system must be deployed to prevent all but which of the following?
A. Piggybacking
B. Espionage
C. Masquerading
D. Abuse
No matter what form of physical access control is used, a security guard or other monitoring
system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot
be prevented by physical access controls.
33. What is the best type of water-based fire suppression system for a computer facility?
A. Wet pipe system
B. Dry pipe system
C. Preaction system
D. Deluge system
A preaction system is the best type of water-based fire suppression system for a computer
facility.
34. Your manager asks you to use a hashing algorithm to verify the integrity of a software
program he received from the R&D branch in Hyderabad, India. Which of the following would
you recommend?
A. IDEA
B. MD5
C. AES
D. DES
MD5 is a one-way hashing algorithm that is often used to check file integrity. The creator of a file
or message can use MD5 to create an MD5 checksum. Then, when the message or program is
received, a new MD5 checksum can be created. If the two checksums match, the data is
unchanged. Programs such as Tripwire automate this process.
35. Amanda, a member of the web development group, is preparing to load a demo version of
the company’s new software onto the updated website. She wants to know which of the
following message authentication algorithms can be used to validate the demo software as
authentic. Which of the following would you not recommend?
A. HAVAL
B. SHA
C. PEM
D. MD5
SHA, MD5, and HAVAL are three hashing algorithms that can be used for file integrity and
authentication. Each produces a message digest that cannot be reversed. Message digests are
produced using one-way hashing functions. They are not intended to be used to reproduce the
data. The purpose of a digest is to verify the integrity of data and messages. PEM is the correct
answer because it is not a hashing algorithm.
DOMAIN 4
1. Securing networked computers is a critical task. Many organizations choose to place some
services such as web or email in an area of the network that is neither fully internal nor fully
external to the organization. These services are placed behind an Internet-facing router, but
in front of a firewall or another device that protects the internal network. What is the area in
which these services are deployed called?
A. Dual-homed gateway
B. Intranet
C. Demilitarized zone (DMZ)
D. Extranet
DMZs offer several advantages to security professionals. They allow an organization to distance
critical internal services from the Internet and web services. They enable the organization to
design a network that has a layered defense. This design allows some filtering of traffic before
Internet users can reach web-based services. Traffic attempting to proceed deeper into the
network must pass this inspection.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.628-629)
2. An attacker located at IP address 12.8.0.1 wants to launch a smurf attack on a victim machine
located at IP address 129.74.15.12 utilizing a third-party network located at 141.190.0.0/16.
What would be the source IP address on the single packet the attacker transmits?
A. 12.8.0.1
B. 129.74.15.12
C. 141.190.0.0
D. 141.190.255.255
In a smurf attack, the attacker sends a single forged packet bearing a source address
corresponding to the victim machine.
3. _____________ employs a digital multicarrier modulation scheme that allows for a more
tightly compacted transmission. The modulated signals are perpendicular and thus do not
cause interference with each other.
A. DSSS
B. OCSP
C. OFDM
D. CCMP
OFDM employs a digital multicarrier modulation scheme that allows for a more tightly
compacted transmission. The modulated signals are perpendicular (orthogonal) and thus do not
cause interference with each other.
4. What is the IEEE standard for Bluetooth?
A. 802.3
B. 802.11
C. 802.20
D. 802.15
IEEE 802.15 is the wireless personal area network (WPAN) family; Bluetooth was adopted as
802.15.1. IEEE 802.3 defines Ethernet, 802.11 defines wireless LANs, and 802.20 defines Mobile
Broadband Wireless Access (MBWA). LTE is not an IEEE standard at all; it is a 3GPP specification.
5. What means of transmission involves the use of a discontinuous electrical signal and a state
change or on‐off pulses?
A. Asynchronous communications
B. Digital signals
C. Broadband connections
D. Half‐duplex links
Digital signals are a means of transmission that involves the use of a discontinuous electrical
signal and a state change or on‐off pulses. Asynchronous communications, broadband
connections, and half‐duplex links can be digital or analog.
6. Which part of the 48-bit, 12-digit hexadecimal number known as the Media Access Control
(MAC) address identifies the manufacturer of the network device?
A. The first three bytes
B. The first two bytes
C. The second half of the MAC address
D. The last three bytes
The first three bytes (the first half) of the six-byte MAC address form the Organizationally
Unique Identifier (OUI), which is assigned to the manufacturer (see Table A.6). This can be a
good troubleshooting aid if a network device is acting up, because it isolates the brand of the
failing device. It is also why a MAC address is weak evidence of identity: the value can be
changed in software, so MAC-based filtering is easily bypassed. The other answers are distracters.
7. Which statement is correct about ISDN Basic Rate Interface?
A. It offers 23 B channels and 1 D channel.
B. It offers 2 B channels and 1 D channel.
C. It offers 30 B channels and 1 D channel.
D. It offers 1 B channel and 2 D channels.
Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) offers two B channels which
carry user data at 64 Kbps each, and one control and signaling D channel operating at 16 Kbps.
8. The data transmission method in which data is sent continuously and doesn’t use either an
internal clocking source or start/stop bits for timing is known as:
A. Asynchronous
B. Synchronous
C. Isochronous
D. Plesiochronous
Isochronous transmission sends data as a continuous stream at fixed time intervals, without a
separate clocking source and without the start/stop bits used by asynchronous transmission. All
bits carry equal weight and are expected to arrive at regular intervals. Synchronous transmission
relies on a shared clock signal, and plesiochronous transmission uses clocks that run at nominally,
but not exactly, the same rate.
9. If you are the victim of a bluejacking attack, what was compromised?
A. Your firewall
B. Your switch
C. Your cell phone
D. Your web cookies
Bluejacking is a Bluetooth attack in which unsolicited messages are pushed to a nearby device, and
the device most commonly affected is a cell phone. It is often confused with bluesnarfing, which
goes further and actually reads data (contacts, calendars) from the device.
10. Which networking technology is based on the IEEE 802.3 standard?
A. Ethernet
B. Token Ring
C. FDDI
D. HDLC
Ethernet is based on the IEEE 802.3 standard.
11. What is both a benefit and a potentially harmful implication of multilayer protocols?
A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing
Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols. It
lets each layer be designed independently and lets one protocol be carried inside another (for
example, IPsec over IP), but the same mechanism can wrap disallowed traffic inside an allowed
protocol and tunnel it past filters that inspect only the outer headers.
12. By examining the source and destination addresses, the application usage, the source of
origin, and the relationship between current packets with the previous packets of the same
session, ____________ firewalls are able to grant a broader range of access for authorized
users and activities and actively watch for and block unauthorized users and activities.
A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Circuit-level gateway
Stateful inspection firewalls are able to grant a broader range of access for authorized users and
activities and actively watch for and block unauthorized users and activities.
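The difference between a static packet filter and stateful inspection is easiest to see with a state table in front of you. The following is an added example, not code from the exam source or any firewall product: a toy TCP filter that assumes an inside network of 10.0.0.0/8, allows inside hosts to open connections outward, and admits inbound packets only when they belong to a connection it has already seen initiated from inside. The stateless rule beside it is the classic "permit inbound if ACK is set" filter, which cannot tell a genuine reply from a crafted ACK probe.

```python
"""Toy stateful-inspection filter for TCP (added example, not from the exam source).

Assumptions: the inside network is 10.0.0.0/8, inside hosts may open outbound
TCP connections, and nothing may come in unless it belongs to a connection the
firewall has already seen initiated from inside. All packets are constructed.
"""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_outbound(p: Packet) -> bool:
    return ipaddress.ip_address(p.src) in INSIDE


def static_ack_filter(p: Packet) -> str:
    """Stateless rule: outbound always allowed, inbound allowed only if ACK is set."""
    if is_outbound(p):
        return "ALLOW"
    return "ALLOW" if "ACK" in p.flags else "DROP"


class StatefulFirewall:
    """Tracks each TCP connection by its 4-tuple as seen from the inside host."""

    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key(p: Packet, outbound: bool):
        # Normalise so both directions of one connection share a key.
        return (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        outbound = is_outbound(p)
        key = self._key(p, outbound)
        state = self.table.get(key)

        if outbound:
            if state is None:
                if p.flags == {"SYN"}:        # new connection initiated from inside
                    self.table[key] = "SYN_SENT"
                    return "ALLOW"
                return "DROP"                 # mid-stream packet with no known session
            if "RST" in p.flags or "FIN" in p.flags:
                self.table.pop(key, None)     # simplified teardown
            return "ALLOW"

        # Inbound: only packets that match a connection opened from inside.
        if state is None:
            return "DROP"                     # unsolicited SYN, ACK probe, stray SYN/ACK
        if state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            if "RST" in p.flags:              # server refused; forget the attempt
                self.table.pop(key, None)
                return "ALLOW"
            return "DROP"
        if "RST" in p.flags or "FIN" in p.flags:
            self.table.pop(key, None)
        return "ALLOW"


def run_demo() -> dict:
    """Feed the same constructed packets to both filters; return (stateful, static) per packet."""
    fw = StatefulFirewall()
    packets = [
        ("client_syn", Packet("10.1.1.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))),
        ("server_synack", Packet("203.0.113.10", 443, "10.1.1.5", 40000, frozenset({"SYN", "ACK"}))),
        ("client_ack", Packet("10.1.1.5", 40000, "203.0.113.10", 443, frozenset({"ACK"}))),
        ("ack_probe", Packet("198.51.100.7", 5555, "10.1.1.5", 22, frozenset({"ACK"}))),
        ("stray_synack", Packet("198.51.100.7", 80, "10.1.1.5", 40001, frozenset({"SYN", "ACK"}))),
        ("inbound_syn", Packet("198.51.100.7", 6000, "10.1.1.5", 445, frozenset({"SYN"}))),
    ]
    return {name: (fw.filter(p), static_ack_filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateful, static) in run_demo().items():
        print(f"{name:14s} stateful={stateful:5s} static={static}")
```

The ACK probe (an nmap-style ACK scan) and the stray SYN/ACK both sail through the static rule, because all it can see is a flag bit; the stateful filter drops them because no inside host ever opened those connections. Real products add timeouts, sequence-number tracking and UDP/ICMP pseudo-state, but the decision logic is the same.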
13. A ____________ is an intelligent hub because it knows the addresses of the systems
connected on each outbound port. Instead of repeating traffic on every outbound port, it
repeats traffic only out of the port on which the destination is known to exist.
A. Repeater
B. Switch
C. Bridge
D. Router
A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of
the systems connected on each outbound port.
14. What security concept encourages administrators to install firewalls, malware scanners, and
an IDS on every host?
A. Endpoint security
B. Network access control (NAC)
C. VLAN
D. RADIUS
Endpoint security is the security concept that encourages administrators to install firewalls,
malware scanners, and an IDS on every host.
15. ______________ is a standards-based mechanism for providing encryption for point-to-point
TCP/ IP traffic.
A. UDP
B. IDEA
C. IPSec
D. SDLC
IPSec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point
TCP/IP traffic. Its Encapsulating Security Payload (ESP) provides confidentiality; the
Authentication Header (AH) provides integrity and origin authentication without encryption.
16. Which of the following VPN protocols do not offer native data encryption? (Choose all that
apply.)
A. L2F
B. L2TP
C. IPSec
D. PPTP
L2F, L2TP, and PPTP all lack native data encryption. Only IPSec includes native data encryption.
17. Which of the following is not defined in RFC 1918 as one of the private IP address ranges that
are not routed on the Internet?
A. 169.172.0.0– 169.191.255.255
B. 192.168.0.0– 192.168.255.255
C. 10.0.0.0– 10.255.255.255
D. 172.16.0.0– 172.31.255.255
The address range 169.172.0.0– 169.191.255.255 is not listed in RFC 1918 as a private IP address
range. It is, in fact, a public IP address range.
18. In addition to maintaining an updated system and controlling physical access, which of the
following is the most effective countermeasure against PBX fraud and abuse?
A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations
Changing default passwords on PBX systems provides the most effective increase in security.
19. Which of the following can be used to bypass even the best physical and logical security
mechanisms to gain access to a system?
A. Brute-force attacks
B. Denial of service
C. Social engineering
D. Port scanning
Social engineering can often be used to bypass even the most effective physical and logical
controls. Whatever activity the attacker convinces the victim to perform, it is usually directed
toward opening a back door that the attacker can use to gain access to the network.
20. What authentication protocol offers no encryption or protection for logon credentials?
A. PAP
B. CHAP
C. SSL
D. RADIUS
Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP
transmits usernames and passwords in the clear. It offers no form of encryption. It simply
provides a means to transport the logon credentials from the client to the authentication server.
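To make the PAP weakness concrete, and to show what the MD5 challenge in CHAP (question 28) actually computes, here is an added example that is not part of the exam source: both message formats follow their RFCs (PAP in RFC 1334, CHAP in RFC 1994), while the link, the names "alice" and "nas1" and the secret are constructed for the demonstration.

```python
"""PAP versus CHAP on a simulated PPP link (added example, not from the exam source).

PAP puts the password itself on the wire. CHAP sends only
MD5(identifier || secret || challenge), and a fresh challenge makes each response
single-use. CHAP still requires the authenticator to hold the cleartext secret and
MD5 is not a modern choice; EAP methods with token cards or certificates avoid the
shared password entirely. Names and the secret below are constructed.
"""
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code=1, Identifier, Length, then length-prefixed ID and password."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def chap_challenge(identifier: int, system_name: bytes, value: bytes) -> bytes:
    """CHAP Challenge (authenticator -> peer): Code=1, Identifier, Length, Value-Size, Value, Name."""
    payload = bytes([len(value)]) + value + system_name
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(identifier: int, peer_name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response (peer -> authenticator): Code=2, same layout as the challenge."""
    value = chap_response_value(identifier, secret, challenge)
    payload = bytes([len(value)]) + value + peer_name
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


def chap_verify(response_pkt: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator recomputes the hash from its copy of the secret and the challenge it issued."""
    if len(response_pkt) < 5:
        return False
    code, identifier, length = struct.unpack("!BBH", response_pkt[:4])
    if code != 2 or length != len(response_pkt):
        return False
    value_size = response_pkt[4]
    value = response_pkt[5:5 + value_size]
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(value, expected)  # constant-time comparison


def run_exchange(secret=b"s3cret-pass", peer=b"alice", challenge=None) -> dict:
    """Run both protocols over a simulated link and report what a sniffer on that link learns."""
    if challenge is None:
        challenge = os.urandom(16)
    replay_challenge = hashlib.sha256(challenge).digest()[:16]  # a later, different challenge

    pap_wire = pap_authenticate_request(1, peer, secret)
    chap_wire = chap_challenge(7, b"nas1", challenge)
    response = chap_response(7, peer, secret, challenge)
    chap_wire += response

    return {
        "pap_leaks_secret": secret in pap_wire,
        "chap_leaks_secret": secret in chap_wire,
        "chap_verified": chap_verify(response, secret, challenge),
        "chap_rejects_wrong_secret": not chap_verify(response, b"wrong", challenge),
        "chap_rejects_replay": not chap_verify(response, secret, replay_challenge),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name:26s} {value}")
```

A sniffer on the link sees the PAP password as-is; from the CHAP exchange it sees the challenge, the 16-byte hash and the peer name, and replaying the captured response against a new challenge fails. The hash is still an offline dictionary target if the secret is weak, which is the residual risk that stronger EAP methods address.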
21. Because some of your organization’s employees use fax machines to send and receive
confidential information, you have become concerned about their level of security. Which of
the following is the most effective security measure to protect against unauthorized
disclosure?
A. Activity logs
B. Exception reports
C. Confidential cover pages
D. Removing fax machines from insecure areas
Although fax usage is declining, it is still in use and as such offers a service that may be vulnerable
to attack. To improve the security of fax transmissions, these machines can be moved from
insecure areas to locations where access can be controlled. Activity logs and exception reports
are useful in detecting misuse or possible attack. Other useful items for the protection of fax
machines and their transmissions include fax encryptors and link encryption. Fax over IP and VoIP
are also becoming security issues.
22. An IP protocol field of 0x06 indicates that IP is carrying what as its payload?
A. TCP
B. ICMP
C. UDP
D. IGRP
The protocol field carries the number of the next-higher-layer protocol so that IP can
demultiplex the payload to the right handler as it moves up the stack. Common values are 0x01
(1, ICMP), 0x06 (6, TCP) and 0x11 (17, UDP). The value 0x58 (88) is registered by IANA as
EIGRP; the older IGRP uses protocol number 9, although this question treats 0x58 as IGRP. FTP,
by contrast, is an application-layer protocol identified not by the IP protocol field but by TCP
port 21 for control and port 20 for data transfer.
23. Your firm has just hired a newly certified CISSP named Dan as an intern. He wants to learn
more about detection-based security systems. He asks you to explain intrusion detection.
Which of the following is one of the two types of intrusion detection engines?
A. Host
B. Signature
C. Network
D. Hybrid
The two primary types of intrusion detection engines are signature and anomaly. Signature-
based intrusion detection systems work much like virus scanners in that they have databases of
known attacks. Although these systems work well, they are vulnerable to new exploits or those
not yet added to the systems’ database. Anomaly-based intrusion detection systems look for a
deviation from normal behavior. For example, these systems would quickly send an alert if
someone who worked the day shift attempted multiple logins at 3 a.m.
24. The e-commerce branch of your parent company’s organization has become increasingly
worried about attacks against the network that is hosting its web servers. The department
head has asked you to explain what a smurf attack is and how it might affect the web server.
How will you respond?
A. A smurf attack uses ICMP packets of a rather large size. These packets overwhelm the receiving
device, causing a denial of service for legitimate devices attempting legitimate connections.
B. Smurf targets the TCP session setup. As such, a large number of spoofed SYN packets are
launched against the target device. As the queue of illegitimate connections grows, the system
slows down, finally reaching the point where no users can obtain access.
C. A smurf attack uses ICMP packets with forged source and target addresses. The packets are
addressed to the local broadcast address. The attack eventually chokes the web server.
D. Smurf attacks work by changing the length and fragmentation field of the IP header. This
causes a system to slow down or hang.
A smurf attack uses ICMP packets with forged source and target addresses. The packets are
addressed to the local broadcast address, and the source address is pointed toward the device
to be attacked. The result is that all devices on the broadcast network respond to this spoofed
ICMP ping packet. This floods the target device, thereby preventing legitimate traffic.
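Questions 2, 22 and 24 fit together in one decoder. What follows is an added example, not code from the exam source: a minimal IPv4/ICMP parser that uses the protocol field to demultiplex (question 22) and then flags the smurf trigger packet of questions 2 and 24, an ICMP echo request addressed to one of our directed broadcast addresses from a source outside that network. The packets are built in memory and nothing is sent; the addresses are the ones in question 2, the protocol-name table is a handful of IANA numbers, and the local network list is whatever a border router would be configured to protect.

```python
"""Minimal IPv4/ICMP parser with a directed-broadcast (smurf) check.

Added example, not from the exam source. Packets are constructed in memory and
never transmitted; addresses follow question 2 of this domain.
"""
import ipaddress
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 9: "IGP (classic IGRP)", 17: "UDP", 88: "EIGRP"}
ICMP_ECHO_REQUEST = 8
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed sample packet; header checksum filled in so the parser's check passes."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(src: str, dst: str) -> bytes:
    """Constructed ICMP echo request (type 8) with no data field."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, 1, icmp)


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    if ones_complement_checksum(pkt[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "proto-%d" % proto),  # demultiplexing key
        "payload": pkt[ihl:total_len],
    }


def parse_icmp(payload: bytes) -> dict:
    if len(payload) < 4:
        raise ValueError("truncated ICMP message")
    typ, code, _csum = struct.unpack("!BBH", payload[:4])
    if ones_complement_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": typ, "code": code}


def is_smurf_trigger(pkt: bytes, local_nets) -> bool:
    """True for an ICMP echo request to one of our directed-broadcast addresses whose
    source lies outside that network. A border router should drop such packets (and
    should not forward directed broadcasts at all)."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 1 or parse_icmp(ip["payload"])["type"] != ICMP_ECHO_REQUEST:
        return False
    src, dst = ipaddress.IPv4Address(ip["src"]), ipaddress.IPv4Address(ip["dst"])
    return any(dst == net.broadcast_address and src not in net for net in local_nets)


def run_demo() -> dict:
    amplifier = [ipaddress.ip_network("141.190.0.0/16")]
    smurf = build_icmp_echo("129.74.15.12", "141.190.255.255")   # forged source = victim
    normal = build_icmp_echo("141.190.1.5", "141.190.1.1")
    tcp = build_ipv4("141.190.1.5", "129.74.15.12", 6, bytes(20))
    return {
        "smurf_flagged": is_smurf_trigger(smurf, amplifier),
        "normal_ping_flagged": is_smurf_trigger(normal, amplifier),
        "tcp_flagged": is_smurf_trigger(tcp, amplifier),
        "tcp_demux": parse_ipv4(tcp)["protocol_name"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The checksum check is there deliberately: a parser that trusts the header without validating it is the kind of code that gets fed malformed packets. The fix for smurf itself is on the router (no ip directed-broadcast, or the equivalent) plus ingress filtering so forged source addresses never leave the attacker's network.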
25. Securing networked computers is a critical task. Many organizations choose to place some
services such as web or email in an area of the network that is neither fully internal nor fully
external to the organization. These services are placed behind an Internet-facing router, but
in front of a firewall or another device that protects the internal network. What is the area in
which these services are deployed called?
A. Dual-homed gateway
B. Intranet
C. Demilitarized zone (DMZ)
D. Extranet
This is commonly called a DMZ (demilitarized zone). DMZs offer several advantages to security
professionals. They allow an organization to distance critical internal services from the Internet
and web services. They enable the organization to design a network that has a layered defense.
This design allows some filtering of traffic before Internet users can reach web-based services.
Traffic attempting to proceed deeper into the network must pass this inspection. Intranets are
internal to an organization, and extranets are external; typically they may be shared with a
business partner.
26. You are the security administrator for a large medical device company. You are asked to
determine whether NAT should be used at your organization for Internet connectivity. Which
of the following is not one of the three types of NAT?
A. PAT
B. Dynamic NAT
C. DAT
D. Static NAT
DAT is not a form of NAT. NAT (network address translation) allows organizations connected to
the Internet to use private addresses internally. The same private ranges can be reused by many
different organizations because they are not routed on the Internet and are hidden from it. The
three types are:
Static NAT: one internal address is permanently mapped to one specific external address.
Dynamic NAT: internal addresses are mapped, as needed, to an external address drawn from a pool.
This is useful when an organization has a pool of external IP addresses that must be shared among
many internal devices.
PAT (port address translation, also called NAT overload): many internal addresses share a single
external address, and the translator tells the sessions apart by rewriting the source port numbers.
27. VPNs have become very popular as a way to connect users to corporate networks by means
of the Internet. Which of the following is not a VPN protocol?
A. SLIP
B. PPTP
C. L2TP
D. L2F
Serial Line Internet Protocol (SLIP) is a very old protocol that was used to connect systems by
means of a modem. SLIP offers no secure services. Protocols used for VPNs include PPTP (Point-
to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and L2F (Layer 2 Forwarding
Protocol). When properly configured, these protocols allow users to establish a secure tunnel
through the Internet.
28. Your manager, Ed, has decided that passwords are too easily broken to be used to
authenticate remote users. Ed wants you to implement some type of RAS authentication that
uses some type of token card. Which system meets this critical requirement?
A. PAP
B. EAP
C. CHAP
D. PPP
Extensible Authentication Protocol (EAP) is the method of choice because it can work with more
than just passwords as authentication. EAP can use token cards, MD5 challenge, and digital
certificates as possible authentication mechanisms. Although Password Authentication Protocol
(PAP) is used for RAS, it sends passwords in clear text. Challenge Handshake Authentication
Protocol (CHAP) uses an MD5 challenge.
29. The product design group of the corporation you work for has requested the installation of
802.11g wireless access points secured with WEP. The request cites ease of network access
and enhanced mobile computing as the reasons why they need this technology. You are the
senior IT security officer; what should your response be?
A. Wireless offers good security, so you should approve the request.
B. If the wireless systems implement WEP, you will have no problem approving the request,
because WEP is highly secure.
C. Because many cordless phones are used in the design area, wireless would be a poor choice,
because interference would be high.
D. Wireless is not a good choice because the design area maintains critical information, and
802.11g has some known vulnerabilities when WEP is used.
Although wireless is very popular, you must be careful when installing a wireless system. Some
cordless phones do operate on the same frequencies, but interference should not be the driving
consideration in this decision. The deciding factor is that WEP has been shown to be vulnerable.
Wired Equivalent Privacy (WEP) was designed to give wireless users the same privacy they would
have on a wired network. It is based on the RC4 stream cipher and is marketed with 64-bit or
128-bit keys, but 24 bits of each are a per-packet initialization vector (IV) that is sent in the
clear, so the secret key is really only 40 or 104 bits long. Worse, the IV space is small enough
that IVs repeat on a busy network, and repeated RC4 keystream lets an eavesdropper recover
plaintext and, with enough captured frames, the key itself. WEP has been superseded by WPA and
WPA2; WPA's TKIP was an interim fix still built on RC4, while WPA2 encrypts with AES (CCMP).
Authentication is often layered on top with EAP methods such as PEAP; LEAP should be avoided
because it is vulnerable to offline dictionary attacks.
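The IV problem is the heart of why WEP is unacceptable, and it can be shown in a few lines. The block below is an added example, not code from the exam source: a textbook RC4 implementation, WEP-style framing (3-byte IV in the clear, RC4 under IV || key, CRC-32 ICV encrypted with the data), and the eavesdropper's step once two frames share an IV. The shared key, IV and frame contents are constructed for the demonstration; no real wireless traffic is involved.

```python
"""Why WEP's 24-bit IV matters: RC4 keystream reuse (added example, not from the exam source).

Two frames encrypted under the same IV share the same RC4 keystream. If the
attacker knows (or can guess) the plaintext of one of them, XOR gives the
keystream and the other frame falls without the key. Key, IV and frames below
are constructed for the demonstration.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (3 bytes, clear) | key-id byte | RC4(IV||key, plaintext || ICV)."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):   # 40-bit or 104-bit secret
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte key")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + b"\x00" + xor_bytes(plaintext + icv, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: strip the keystream and check the CRC-32 ICV."""
    iv, body = frame[:3], frame[4:]
    decrypted = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(frame_a: bytes, known_plaintext_a: bytes, frame_b: bytes):
    """Eavesdropper's step: with frame A's plaintext known (say, a predictable protocol
    header) and frame B using the same IV, C_A xor P_A gives the keystream, which
    strips frame B. Returns None when the IVs differ. No key is needed."""
    if frame_a[:3] != frame_b[:3]:
        return None
    keystream = xor_bytes(frame_a[4:], known_plaintext_a)
    return xor_bytes(frame_b[4:], keystream)


def run_demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"        # 40-bit WEP key (constructed)
    iv = b"\x0a\x0b\x0c"                  # the IV both frames happen to use
    frame_a_plain = b"KNOWN HEADER: ARP who-has 10.0.0.1"
    frame_b_plain = b"GET /secret HTTP/1.0"
    frame_a = wep_encrypt(key, iv, frame_a_plain)
    frame_b = wep_encrypt(key, iv, frame_b_plain)
    frame_c = wep_encrypt(key, b"\x0a\x0b\x0d", frame_b_plain)   # same data, different IV
    recovered = recover_from_iv_reuse(frame_a, frame_a_plain, frame_b)
    return {
        "roundtrip_ok": wep_decrypt(key, frame_b) == frame_b_plain,
        "recovered_plaintext": recovered[:len(frame_b_plain)],
        "ciphertexts_differ": frame_b != frame_c,
        "different_iv_recovery": recover_from_iv_reuse(frame_a, frame_a_plain, frame_c),
    }


if __name__ == "__main__":
    print(run_demo())
```

With only 2^24 (about 16.7 million) IVs and many drivers choosing them sequentially or restarting at zero, collisions arrive in hours on a busy access point. The ICV offers no help either: CRC-32 is linear, so an attacker can flip ciphertext bits and patch the ICV to match, which is why WPA2 replaced it with a keyed MIC under AES-CCMP.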
30. Randall has more than 100 workstations at his site. He is looking for a method of centralized
management. Which of the following is his best choice?
A. APIPA
B. RARP
C. DHCP
D. Host tables
DHCP (Dynamic Host Configuration Protocol) is an effective method of centralized management.
IP addresses can be managed from one location. This can ease administration and make changes
easier. DHCP has four steps: discover, offer, request, and acknowledgment. APIPA is an automatic
address scheme that is used when no address server can be found. RARP resolves MAC addresses
to IP addresses. Host tables do not provide IP addressing services.
31. You are asked to configure the border routers to block ICMP messages and prevent the return
of any error messages to external networks. Which of the following will accomplish this task?
A. Drop
B. Filter
C. Reject
D. Bounce
Routers can handle disallowed traffic in two primary ways: reject and drop. Reject discards the
packet but generates an ICMP error message back to the sender, which tells an outsider that a
filter is in place and what it blocks. Drop discards the packet silently and returns no ICMP
error at all, which is exactly what the question asks for.
32. The protection of employees’ health and welfare is of critical importance to an organization’s
security officer. Therefore, it is critical that the proper type of networking cable be chosen for
each task. What type of network cabling should be used in drop ceilings or areas that might
be exposed to fire?
A. Plenum grade
B. A1 fire-rated cable
C. Polyvinyl chloride-coated cable
D. Nonpressurized conduit-rated cable
Plenum-grade cabling is required to meet fire codes and protect the organization's employees.
Non-plenum-grade cables, such as those coated with PVC (polyvinyl chloride), can give off toxic
gas when burned or exposed to high heat. Proper consideration should be given when choosing a
network cable type and location. Loose cables present a potential trip hazard. There is no such
standard as A1 fire-rated.
33. Your lead technician has been reviewing the marketing materials of several network switch
manufacturers. She wants to know what the spec sheet means when it says, “The switch is a
‘cut-through’ design.”
A. This terminology applies only to the board design of the switch.
B. It means that the switch can support port spanning.
C. It means that the switch can prioritize traffic for QoS, thereby increasing switching speed.
D. It means that the switch is designed to examine only a portion of the frame, thereby increasing
throughput.
Switches typically come in two designs: cut-through and store-and-forward. Cut-through switches
examine only the portion of the frame that contains the destination MAC address and begin
forwarding before the whole frame has arrived, thereby increasing throughput (at the cost of
forwarding frames with bad CRCs, which a store-and-forward switch would discard). The term does
not apply to the board design and does not provide QoS. Port spanning (port mirroring) copies
traffic from one or more ports to another port, typically so an IDS or sniffer can watch it.
34. Robert, one of your help-desk technicians, wants to learn more about long-haul data
transmission technologies. You kindly take a few minutes to explain wide area networks
(WANs). WANs can be either circuit-switched or packet switched. Which of the following is
an example of circuit switching?
A. Frame Relay
B. DDS
C. X.25
D. ATM
DDS (Digital Data Service) is an example of a circuit-switched technology. DDS was developed in
the 1970s and was one of the first digital services offered by telephone companies. It has a
maximum data rate of 56 Kbps. Frame Relay, X.25, and ATM are all examples of packet-switched
technologies.
35. Felix does not want to pretend to be a valid user; he wants to become that user. With that in
mind, why would Felix want to alter the relationship between the IP address and MAC address
in one of your ARP table entries?
A. Spoofing
B. Hijacking
C. ICMP redirect
D. Backscatter
The answer is hijacking: altering the IP-to-MAC binding in an ARP table (ARP poisoning) so that
traffic meant for the legitimate user flows through the attacker. Because ARP is a trusting
protocol, no verification ensures that a received ARP reply matches a previous ARP request, so an
attacker can issue bogus replies that poison the table. The poisoned table lets the attacker
redirect communication, attempt a man-in-the-middle attack, and take over the user's established
sessions rather than merely impersonate the user. Hunt, Cain and Abel, and Ettercap are tools
commonly used for this type of attack. Countermeasures include static ARP entries for critical
hosts such as the default gateway and Dynamic ARP Inspection on managed switches.
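Since ARP itself cannot be fixed, the practical defense on a flat network is to watch the bindings. The following is an added example, not code from the exam source or from any of the tools named above: an arpwatch-style monitor fed a handful of constructed ARP replies. It keeps the IP-to-MAC bindings it has seen and raises an alert when a binding changes, when one MAC claims more than one IP (the attacker impersonating both the gateway and the victim to sit in the middle), or when a reply contradicts a static entry pinned for a critical host. The addresses and the static gateway entry are constructed.

```python
"""ARP-poisoning detector over constructed ARP replies (added example, not from the exam source)."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"
STATIC_BINDINGS = {GATEWAY_IP: "00:11:22:33:44:01"}   # pinned binding for a critical host

# (timestamp, sender IP, sender MAC, target IP) as seen in ARP replies -- constructed
SAMPLE_ARP_REPLIES = [
    (1, "10.0.0.1",  "00:11:22:33:44:01", "10.0.0.20"),   # gateway answers host .20
    (2, "10.0.0.20", "00:11:22:33:44:20", "10.0.0.1"),    # host .20 answers gateway
    (3, "10.0.0.1",  "de:ad:be:ef:00:99", "10.0.0.20"),   # attacker claims to be the gateway
    (4, "10.0.0.20", "de:ad:be:ef:00:99", "10.0.0.1"),    # attacker claims to be host .20
    (5, "10.0.0.1",  "00:11:22:33:44:01", "10.0.0.20"),   # real gateway answers again
]


class ArpWatch:
    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})
        self.table = dict(self.static)            # learned IP -> MAC
        self.mac_to_ips = defaultdict(set)        # MAC -> {IPs it has claimed}
        self.alerts = []

    def observe(self, ts, sender_ip, sender_mac, target_ip):
        if sender_ip in self.static:
            # Never relearn a pinned host; any disagreement is an alert.
            if self.static[sender_ip] != sender_mac:
                self.alerts.append({"ts": ts, "type": "static_entry_spoofed", "ip": sender_ip,
                                    "expected": self.static[sender_ip], "seen": sender_mac,
                                    "victim": target_ip})
        else:
            previous = self.table.get(sender_ip)
            if previous is not None and previous != sender_mac:
                self.alerts.append({"ts": ts, "type": "ip_mac_changed", "ip": sender_ip,
                                    "old": previous, "new": sender_mac, "victim": target_ip})
            self.table[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            # One interface answering for two IPs is the signature of a man-in-the-middle.
            self.alerts.append({"ts": ts, "type": "mac_claims_multiple_ips", "mac": sender_mac,
                                "ips": sorted(self.mac_to_ips[sender_mac])})


def analyze(replies, static_bindings=STATIC_BINDINGS):
    """Run the monitor over a reply list and return its alerts in order."""
    watch = ArpWatch(static_bindings)
    for reply in replies:
        watch.observe(*reply)
    return watch.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES):
        print(alert)
```

Without the static entry the monitor still catches the poisoning, but it also alerts when the real gateway reasserts itself at the end, which is why pinning the gateway binding (or enabling Dynamic ARP Inspection, which validates replies against DHCP snooping) reduces both false positives and exposure. Legitimate binding changes do happen (DHCP lease churn, failover MACs), so the "ip_mac_changed" alert is a lead to investigate rather than proof of attack.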
DOMAIN 5
1. A potential problem related to the physical installation of the Iris Scanner in regards to the
usage of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.
The iris scanner's optical unit uses a camera and infrared illumination to image the iris, so
it must be positioned so that sunlight or other direct light does not shine into the aperture.
Because the subject does not need direct contact with the reader, the unit is typically mounted
where ambient light can reach it, which makes placement a genuine installation concern.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.191)
2. In Mandatory Access Control, sensitivity labels attached to objects contain what information?
A. The item's classification
B. The item's classification and category set
C. The item's category
D. The item’s need to know
Category set and compartment set are synonyms, they mean the same thing. The sensitivity label
must contain at least one classification and at least one category. It is common in some
environments for a single item to belong to multiple categories. The list of all the categories to
which an item belongs is called a compartment set or category set.
Reference: CISSP All-in-One 6th Ed, Shon Harris (p.221-223)
4. Attackers are always looking for ways to identify systems. One such method is to send a TCP SYN to a
targeted port. What would an attacker expect to receive in response to indicate an open port?
A. SYN
B. SYN ACK
C. ACK
D. ACK FIN
An open port answers a SYN with a SYN/ACK, the second step of the three-way handshake (SYN,
SYN/ACK, ACK). A closed port answers with a RST, and a filtered port typically returns nothing at
all; a scanner uses these differences to map the host without ever completing a connection.
5. Mark uses Telnet to connect to several open ports on a victim computer and capture the banner
information. What is the purpose of his activity?
A. Scanning
B. Fingerprinting
C. Attempting a DoS
D. Privilege escalation
Fingerprinting is the act of service and OS identification. Fingerprinting allows an attacker to formulate a
plan of system attack. Scanning is the act of identifying open ports. DoS is a denial of service. Privilege
escalation requires an active connection or system access.
6. The attacker waits until his victim establishes a connection to the organization’s FTP server. Then, he
executes a program that allows him to take over the established session. What type of attack has
taken place?
A. Password attack
B. Spoofing
C. Session hijack
D. ARP redirection
A session hijack is the process of taking over an established legitimate session. This type of attack gives an
attacker an authenticated connection into a network.
7. Which form of information gathering is considered very low tech but can enable attackers to gather
usernames, passwords, account information, customer information, and more?
A. Fingerprinting
B. Scavenging
C. Port scanning
D. Dumpster diving
Although dumpster diving is considered very low-tech, it can be a very successful way to gather
information about an organization and its customers. The best defense against dumpster diving is to make
sure that all sensitive information is cross-shredded and properly destroyed before being disposed of.
8. You ask your new intern to harden a system that will be used as a web server. Which of the following
is the best way to perform this process?
A. Install the OS and software, configure IP routing, connect the system to the Internet and download
patches and fixes, configure packet filtering, test the system, and phase the system into operation.
B. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the
Internet and download patches and fixes, test the system, and phase the system into operation.
C. Install the OS and software, download patches and fixes, configure IP routing, configure packet filtering,
test the system, and connect the system to the Internet.
D. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the
Internet, and test the system.
This is the proper order: install the OS and software, download patches and fixes, configure IP routing,
configure packet filtering, test the system, and connect the system to the Internet. Not until the system
is fully hardened and configured should it be connected to the Internet.
9. CCP, Inc., is preparing to implement auditing. To meet this goal, May has been asked to review all
company security policies and examine the types of normal activity on the network. What has she
been asked to do?
B. Develop a baseline
Before you can determine what inappropriate activity is, you must determine what is appropriate. This
process is known as baselining, and it involves the following two tasks:
Analysis of company policy: This helps determine what constitutes a potential security incident or event
within your organization.
Examination of current network and system activity: Reviewing audit logs gives you a better
understanding of normal usage patterns and what should and should not be happening.
10. Lance has installed a root kit on a networked Linux computer. What is its purpose?
A. To serve as a backdoor
Root kits are additional programs that may take the place of legitimate programs (such as ls, cat, and pwd
in UNIX and Linux). They can give attackers unauthenticated access. After one of these programs has been
installed, the attacker can return to the computer later and access it without providing login credentials
or without going through any type of authentication process.
11. Simon’s new position includes responsibility for the day-to-day security of the network. The previous
employee who held this job configured the network to be default open. Now, Simon has decided that
he should go through critical systems, reload the OS, and verify that unneeded programs and services
are not installed. What is Simon doing?
A. Vulnerability scanning
B. Hardening
C. Bastioning
Hardening is the process of identifying what a specific machine will be used for and removing or disabling
all system components, programs, and services that are not necessary for that function. This vastly
increases the system’s security.
12. You are hired by a small software firm to test its security systems and to look for potential ways to
bypass authentication controls on Linux servers. You are asked to see whether it is possible to get root
access on the Apache web server. What type of testing have you been hired to do?
A. Vulnerability
B. Penetration
C. Scanning
D. Mapping
Penetration testing is the process of testing a network’s defenses and attempting to bypass its security
controls. The goal is to understand the organization’s vulnerability to attack. These types of tests are
performed with written consent of the network’s owner and may be attempted by internal employees or
external consultants.
13. Keff has been investigating the purchase of a new operations security software package. One vendor
asked him about clipping levels. What are clipping levels used for?
A clipping level is the threshold at which activity is logged or flagged. For example, a clipping
level of three failed remote login attempts means the first two failures are treated as ordinary
mistakes and only the third is recorded as a violation. Paired with account lockout or an alert,
this helps detect and slow brute-force attacks. It also reduces the amount of audit data to be
evaluated and makes true anomalies easier to find.
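Clipping levels are simple to state and easy to get subtly wrong (what resets the count, how wide the window is), so here is an added example, not code from the exam source, applying one to a constructed stream of login events. The level (3) and the window (300 seconds) are the parameters an administrator would tune; the usernames and addresses are made up.

```python
"""Clipping level applied to authentication failures (added example, not from the exam source)."""
from collections import defaultdict, deque

# (timestamp in seconds, username, source IP, result) -- constructed sample
SAMPLE_LOGIN_EVENTS = [
    (0,    "alice", "10.0.0.5", "fail"),
    (20,   "alice", "10.0.0.5", "fail"),
    (25,   "alice", "10.0.0.5", "ok"),     # two typos, then success: below the clipping level
    (100,  "bob",   "10.0.0.9", "fail"),
    (110,  "bob",   "10.0.0.9", "fail"),
    (115,  "bob",   "10.0.0.9", "fail"),   # third failure in 15 s: violation
    (130,  "bob",   "10.0.0.9", "fail"),
    (1000, "carol", "10.0.0.3", "fail"),
    (1500, "carol", "10.0.0.3", "fail"),   # three failures, but never three inside one window
    (2000, "carol", "10.0.0.3", "fail"),
]


def count_failures(events) -> int:
    """What a log with no clipping level would make an analyst wade through."""
    return sum(1 for _, _, _, result in events if result == "fail")


def apply_clipping_level(events, level=3, window=300):
    """Return one violation record per (user, source) each time `level` failures
    fall inside `window` seconds. A successful login resets the streak."""
    recent = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    violations = []
    for ts, user, src, result in sorted(events):
        key = (user, src)
        failures = recent[key]
        if result == "ok":
            failures.clear()        # a successful login ends the streak
            continue
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()      # slide the window forward
        if len(failures) >= level:
            violations.append({"ts": ts, "user": user, "src": src,
                               "failures_in_window": len(failures)})
            failures.clear()        # record once, then start counting afresh
    return violations


if __name__ == "__main__":
    print("raw failures:", count_failures(SAMPLE_LOGIN_EVENTS))
    for violation in apply_clipping_level(SAMPLE_LOGIN_EVENTS):
        print("violation:", violation)
```

Nine raw failures collapse to a single violation, which is the data-reduction point of the question. Note what the example also shows: carol's slow attempts never trip the level because they are spread beyond the window, so a patient attacker stays below a clipping level. That is why it is a detection-tuning control, and why it is normally combined with a longer-term count, lockout, or alerting on the same source across many accounts.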
14. Your consulting firm has been asked to help a medium-sized firm secure its servers and domain
controllers. Which of the following is not a requirement for a secure computing room?
A. Controlled access
B. Dropped ceilings
C. Raised floors
15. Patrick is continuing his process of OS hardening. Because he usually does not work with Linux, he
comes to you with a question: On Windows machines you find network “services” running. What are
such network applications called in Linux?
A. Services
B. Applets
C. Daemons
D. PIDs
Daemons are processes or applications that run on UNIX or Linux computer systems that provide network
services. A network application in the Windows world is called a service. An applet is a program designed
to be executed from within another application. A PID is a process ID. Even though these concepts might
not be covered on the exam, they still are important for you to understand.
16. Ralph has discovered some strange chalk markings outside the front door of his business. He has also
noticed that people with laptops have been hanging around since the markings were made. What has
Ralph discovered?
A. Graffiti
B. War driving
C. Vulnerability marking
D. War chalking
War chalking is the process of identifying a wireless network. It originated from hobo code of the 1930s
and 1940s. Sometime around 2002, it began being applied to wireless networks. Common war chalking
symbols include a closed circle to indicate a closed network, two back-to-back half circles to identify an
open network, and a circle with a W in it to indicate a network with WEP encryption.
17. Which type of operations security control gives the IS department enough time to audit an individual’s
activities and may deter him or her from performing prohibited acts?
A. Terminations
B. Mandatory vacations
C. Background checks
Mandatory vacations give the IS department enough time to audit an individual’s activities and may deter
that person from performing prohibited acts. The idea is that the employee will not be allowed to work
or access the network while on vacation. Terminations usually are reserved as a last resort. Background
checks help validate potential employees. Change control management is used to control hardware and
software processes that are used in the production environment.
18. Kelly Investment, Inc., has decided that its policies need to ensure that no one person can act alone
to make a financial distribution or disbursement of funds. Which of the following has the company
implemented?
A. Separation of duties
B. Job rotation
C. Mandatory vacations
D. Job classification
Separation of duties is the principle that one person acting alone should not be able to compromise an
organization’s security in any way. Job rotation and mandatory vacations are two ways in which this
principle can be enforced.
19. Doris is concerned about keeping the network free of computer viruses. Without implementing new
technical controls, which of the following is one of the most effective means to prevent the spread of
viruses?
A. Employee training
B. Network design
C. Advise users to respond to spam, requesting that their addresses no longer be used or solicited
D. Egress filtering
The most effective nontechnical control of computer viruses is through employee education. Advising
users to respond to spam not only will increase the amount of mail received, but also could increase their
risk of infection from computer viruses.
20. Which protocol do clients use to download emails to their local computer from server-based inboxes?
A. SMTP
B. SNMP
C. IMAP
D. POP3
POP3 (Post Office Protocol Version 3) is a widely used protocol that allows clients to retrieve their emails
from server-based inboxes. SMTP is an email transport protocol. SNMP is used for network management.
IMAP typically leaves messages on the server.
21. You are contacted by a rather large ISP. The ISP has accused you of sending its customers large
amounts of spam. What is the most likely explanation for this occurrence?
The most likely explanation of this occurrence is that a mail relay has been left enabled. Spammers find
open relays by port scanning wide ranges of IP addresses. After spammers find a mail server, they attempt
to use it to send mail to a third party. If successful, they use this system to spew their junk email. This
widely used technique allows spammers to hide their true IP address and victimize an innocent third party.
22. Black Hat Daisy has placed a sniffer on the network and is attempting to perform traffic analysis.
Which of the following is not an effective countermeasure against traffic analysis?
A. Packet padding
B. Noise transmission
D. ARP redirection
Packet padding, noise transmission, and covert channels are considered effective countermeasures
against traffic analysis. Attackers use ARP redirection to redirect traffic on switched networks.
23. During orientation training at your new company, you ask if you are allowed to sell your vacation time
back to the company. You are informed that not only must you take your vacation, but you also must
take it in one block, and that other employees are already trained to rotate in and assume your job
during your absence. Why would the company refuse to buy back your vacation?
B. To receive industry certification. When employees have multiple skill sets, a company can be certified
under ISO 27001:2005.
C. To minimize fraud. Fraudulent activities can more easily be detected when employees are rotated
periodically.
D. To lower healthcare costs. Health insurance providers are rewarding companies that encourage
preventive healthcare, such as mandatory vacations.
Mandatory vacations and job rotation help identify fraud. ISO 27001:2005 certification is awarded for
quality information security management systems and requires more checks than just demonstrated
fraud controls.
24. A maintenance hook is found during a parallel test of your new product. The programming team is
small, and the programmer is available and can quickly take out the maintenance hook so that testing
can continue. What action should you take?
A. Permit the code change, and then update the change control documentation as soon as possible.
B. Delay the modification until the change control documentation can be submitted, processed, and
approved.
C. Permit the code change. Because the product has not yet been released to production, change control
has not been initiated.
D. Prevent any changes, because the maintenance hook will be a feature of the new product.
A maintenance hook is a backdoor into an application that is sometimes used during the development
process. These hooks need to be removed before a product is released. A parallel test is performed on a
product that is deemed ready to release. This hook needs to be removed as soon as possible, and then
the change control documentation needs to be completed to record the change in the software’s
operation.
25. Several coworkers are installing an IDS, and you are asked to make an initial review. One of the
installers asks you which of the following is the worst condition for an IDS. What is your response?
A. Positive
B. Negative
C. False positive
D. False negative
The worst state for an IDS is a false negative. A false negative means that an event occurred but no alarm
was triggered.
26. While troubleshooting a network problem, a technician realized it could be resolved by opening a port
on a firewall. The technician opened the port and verified the system was now working. However, an
attacker accessed this port and launched a successful attack. What could have prevented this
problem?
A. Patch management processes
Change management processes would ensure that changes are evaluated before being implemented to
prevent unintended outages or needlessly weakening security. Patch management ensures systems are
up-to-date, vulnerability management checks systems for known vulnerabilities, and configuration
management ensures that systems are deployed similarly, but these other processes wouldn’t prevent an
unauthorized change.
27. What would an administrator use to check systems for known issues that attackers may use to exploit
the systems?
A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review
Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability
management program. Versioning is used to track software versions and is unrelated to detecting
vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but
wouldn’t directly check systems for vulnerabilities.
28. An organization has an incident response plan that requires reporting incidents after verifying them.
For security purposes, the organization has not published the plan. Only members of the incident
response team know about the plan and its contents. Recently, a server administrator noticed that a
web server he manages was running slower than normal. After a quick investigation, he realized an
attack was coming from a specific IP address. He immediately rebooted the web server to reset the
connection and stop the attack. He then used a utility he found on the Internet to launch a protracted
attack against this IP address for several hours. Because attacks from this IP address stopped, he didn’t
report the incident. What should have been done before rebooting the web server?
D. Gather evidence
Security personnel should have gathered evidence for possible prosecution of the attacker. The first
response after detecting and verifying an incident is to contain the incident, but it could have been
contained without rebooting the server. The lessons learned stage includes review, and it is the last stage.
Remediation includes a root cause analysis to determine what allowed the incident, but this is done late
in the process. In this scenario, rebooting the server performed the recovery.
29. What combination of backup strategies provides the fastest backup creation time?
Any backup strategy must include full backups at some point in the process. Incremental backups are
created faster than differential backups because fewer files need to be backed up each time.
A. Compromise
B. Denial of service
C. Malicious code
D. Scanning
Any time an attacker exceeds their authority, the incident is classified as a system compromise. This
includes valid users who exceed their authority as well as invalid users who gain access through the use
of a valid user ID.
DOMAIN 8
1. Which of the following best describes the Waterfall model?
A. The Waterfall model states that development is built one stage at a time, at which point the results
flow to the next stage.
B. The Waterfall model states that development should progress in a parallel fashion, with a strong change
control process being used to validate the process.
C. The Waterfall model states that the development process proceeds in a series of discrete steps, each
completed before proceeding to the next.
D. The Waterfall model states that all the various phases of software development should proceed at the
same time.
The Waterfall model states that the development process proceeds in a series of discrete steps, each
completed before proceeding to the next.
2. Jerry has top-secret access to a database and can see that the USS Yorktown has left for Iraq. Ted has
only public access to the same database. He can see that the ship has left port. However, the record
shows that it is bound for Spain. What is this called?
A. Polyinstantiation
B. Tuple
C. Schema
D. Knowledgebase system
Polyinstantiation allows different versions of the same information to exist at different classification levels
within a database. This permits a security model that can have multiple views of the same information,
depending on your clearance level.
3. Which of the following phases of Software Development Life Cycle normally addresses Due Care and
Due Diligence?
A. Implementation
B. System Feasibility
C. Product Design
The software plans and requirements phase addresses threats, vulnerabilities, security requirements,
reasonable care, due diligence, legal liabilities, cost/benefit analysis, level of protection desired and test
plans.
Reference: The CISSP Prep Guide: Gold Edition, Ronald Krutz & Russell Vines (p.346)
4. During which stage of the software development life cycle should security be implemented?
A. Development
B. Project initiation
C. Deployment
D. Installation
Security should be implemented at the initiation of a project. When security is added during the project
initiation phase, substantial amounts of money can be saved.
5. Which of the software development life cycle phases is the point at which new systems need to be
configured and steps need to be taken to make sure that security features are being used in the
intended way?
The Operation and Maintenance phase of the SDLC is the point at which new systems need to be
configured and steps need to be taken to make sure that no new vulnerabilities or security compromises
take place. It is also at this step that if major changes are made to the system, network, or environment,
the certification and accreditation process may need to be repeated.
6. Alex is building your company’s new data warehouse. In a meeting, he said, “Data in the data
warehouse needs to be normalized.” What does this mean?
C. Data is averaged.
Normalization is the process of removing redundant data. It speeds the analysis process. Normalization is
not the process of dividing by a common value, restricting to a range of values, or averaging the data.
7. Java-enabled web browsers allow Java code to be embedded in a web page, downloaded across the
Net, and run on a local computer. This makes the security of the local computer a big concern. With
this in mind, how does the Java runtime system ensure secure execution of the Java code?
A. Digital certificates
B. Sandbox
C. Applet boundaries
D. Defense-in-depth
The sandbox is a set of security rules that are put in place to prevent Java from having unlimited access to
memory and OS resources. It creates an environment in which there are strict limitations on what the Java
code can request or do.
8. Which of the following technologies establishes a trust relationship between the client and the server
by using digital certificates to guarantee that the server is trusted?
A. ActiveX
B. Java
C. Proxy
D. Agent
ActiveX establishes a trust relationship between the client and server by using digital certificates to
guarantee that the server is trusted. The shortcoming of ActiveX is that security is really left to the end
user. Users are prompted if any problems are found with a certificate. Therefore, even if the certificate is
invalid, a user can override good policy by simply accepting the possibly tainted code.
9. Rick just downloaded a game from a peer-to-peer network. Although the game seemed to install OK,
his computer now is acting strangely. The mouse cursor moves by itself, URLs are opening on their
own, and his web camera keeps turning itself on. What has happened?
It is very likely that the game Boyd installed was bundled with a RAT (Remote-Access Trojan). The
executable seems accessible, but after installation is performed, the Trojan program is loaded into the
victim’s computer. RATs can control programs because backdoors turn on hardware, open CD-ROM
drives, and perform other malicious and ill-willed acts.
10. Which language, when used for development of your company’s front-end application, results in a
program that is least likely to have vulnerable code?
A. Machine code
B. Assembler code
C. C code
D. SQL code
The higher the level of language you use when programming, the less likely it is that the code will have
unintended flaws that can be attacked. Instead of using C, you should use C++, but both of these are third-
generation languages (3GL). SQL is a fourth-generation language (4GL).
11. Expert systems use forward and reverse chaining that is based on what?
B. Certainty factors
C. The rulebase
D. Neural structures
The inference engine creates the forward and reverse chains. Certainty factors reflect a confidence level
that permits the chaining to occur. The rulebase describes what is known. Neural structures belong in
artificial neural networks, not expert systems.
B. Audit logs use parsing tools that distort the true record of events.
One of the most common problems with audit logs is that they are collected but not analyzed. Often, no
one is interested in the audit logs until someone reports a problem. Even though it isn’t a technical
problem, this is an administrative and policy issue, because no analysis takes place.
13. When you’re dealing with mobile code and wireless devices, many security issues can arise. For
example, when you’re working with wireless devices that are using Wireless Application Protocol
(WAP), which of the following is the primary security concern?
B. The web server that the wireless device is communicating with via SSL may have vulnerabilities.
The primary vulnerability is the WAP gateway. WAP requires some type of conversion, and this conversion
is performed on the gateway. This means that, for a short period of time, the data is in a clear format
while being converted from WAP to SSL, TLS, or another encrypted format. This makes the gateway an
attractive target.
14. Which type of database combines related records and fields into a logical tree structure?
A. Relational
B. Hierarchical
C. Object-oriented
D. Network
A hierarchical database combines related records and fields into a logical tree structure. A relational
database uses columns and rows to organize the information. An object-oriented database is considered
much more dynamic than earlier designs because it can handle not only data but also audio, images, and
other file formats. A network database is unique in that it supports multiple parent or child records.
Referential integrity ensures that all foreign keys reference existing primary keys.
16. While browsing the company directory, you notice that your address is incorrect. To rectify the
situation, you decide to modify the database that holds this information. Although the change seems
to work, you notice later that the information has reverted to the previous, incorrect information.
What do you believe is the source of the problem?
B. The schema does not allow changes from the user’s machine.
The most likely cause of the problem is invalid time synchronization. In a distributed environment, this
can cause a server to overwrite newer data.
17. Ian’s new job at the headquarters of a major grocery store has him examining buyer trends. He uses
the database to find a relationship between beer and diapers. He discovers that men over 20 are the
primary buyers of these two items together after 10 p.m. What best describes Ian’s actions?
A. Data warehousing
B. Metadata
C. Data mining
D. Atomicity
Ian is data mining—searching for unseen relationships. A data warehouse is used for data storage and can
combine data from multiple sources. Metadata is used to discover the unseen relationships between data.
Atomicity is used to divide work into units that are processed completely or not at all.
18. Your application developer has created a new module for a customer-tracking system. This module
will result in greater productivity. The application has been examined and tested by a second person
in the development group. A summary of the test shows no problems. Based on the results, which of
the following is not a recommended best practice?
A. The new code should be passed to quality assurance personnel so that they can certify the application.
Before this significant change is made, the module should be technically tested (certification) and
administratively approved (accreditation).
19. Jason has become concerned that a citizen programmer in the group has developed code for others
in the department. What should be your primary concern?
Citizen (casual) programmers are people who can code but who do so from outside the SDLC process. The
concern here is that they are writing programs and allowing others within the department to use them
without any type of certification process. These programs have not been shown to work effectively or
produce repeatable results. Lack of certification and review is a real problem.
20. With regard to database operations, canceling a set of changes and restoring the database to its prior
state is called what?
A. Savepoint
B. Commit
C. Rollback
D. Audit point
A commit completes the transaction. A savepoint is designed to allow the system to return to a certain
point should an error occur. A rollback is similar, except that it is used when changes need to be canceled.
An audit point is used as a control point to verify input, process, or output data.
21. With a relational database management system, you can constrain what a particular application or
user sees by using what?
A. Schema
C. Data mine
D. Database view
A database view allows the database administrator to control what a specific user at a specific level of
access can see. For example, an HR employee may be able to see department payroll totals but not
individual employee salaries. A schema is the structure of the database. DMCL is unrelated to databases.
Data mining is the process of analyzing metadata.
22. You are asked to develop an advanced program that will interact with users. You are asked to look at
knowledge-based systems. As such, expert systems use what type of information to make a decision?
A. if...then statements
B. Weighted computations
An expert system is unique in that it contains a knowledge base of information and mathematical
algorithms that use a series of if...then statements to infer facts from data.
23. Which of the following is a project-development method that uses pairs of programmers who work
off of detailed specifications?
A. Waterfall
B. Spiral
C. Extreme
D. RAD
Extreme programming, which is an offshoot of agile, uses pairs of programmers who work from detailed
specifications.
24. Tom is using a commercial program that is free to use without pay with only limited functionality. This
is most correctly called what?
A. Commercial software
B. Freeware
C. Shareware
D. Crippleware
Crippleware, or trialware, is partially functioning proprietary software that can be used without
payment.
25. Which of the following allows objects written with different OOP languages to communicate?
A. OOA
B. COM
C. OOD
D. CORBA
COM enables objects written in different languages to communicate. OOA and OOD are software design
methodologies, and CORBA is vendor-neutral middleware.
26. Walter built a database table consisting of the names, telephone numbers, and customer IDs for his
business. The table contains information on 30 customers. What is the degree of this table?
A. Two
B. Three
C. Thirty
D. Undefined
The cardinality of a table refers to the number of rows in the table while the degree of a table is the
number of columns.
27. Which one of the following types of attacks relies on the difference between the timing of two events?
A. Smurf
B. TOCTTOU
C. Land
D. Fraggle
The time-of-check-to-time-of-use (TOCTTOU) attack relies on the timing of the execution of two events.
28. What file is instrumental in preventing dictionary attacks against Unix systems?
A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/pwlog
Shadow password files move encrypted password information from the publicly readable /etc/passwd file
to the protected /etc/shadow file.
29. What database technology, if implemented for web forms, can limit the potential for SQL injection
attacks?
A. Triggers
B. Stored procedures
C. Column encryption
D. Concurrency control
Developers of web applications should leverage database stored procedures to limit the application’s
ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database
server and may only be modified by database administrators.
30. Ren’s system was infected by malicious code that modified the operating system to allow the
malicious code author to gain access to his files. What type of exploit did this attacker engage in?
A. Escalation of privilege
B. Back door
C. Rootkit
D. Buffer overflow
Back doors are undocumented command sequences that allow individuals with knowledge of the back
door to bypass normal access restrictions.