
CISSP New Practice Questions

Source: 小侦探旅游网
1. Which of the following is a feature of rule-based access control?
A. The use of profiles
B. The use of information flow labels
C. The use of data flow diagrams
D. The use of tokens
Answer: A

Explanation: Rule-based access control is based on a specific profile for each user. Information can be easily changed for only one user, but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source-specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Information flow labels are usually associated with Mandatory Access Control (MAC). Data flow diagrams are most commonly used in software development, not in rule-based access control. Tokens are usually used for authentication, a function which is important for any type of access control.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

2. Under MAC, which of the following is true?
A. All that is not expressly permitted is forbidden
B. All that is expressly permitted is forbidden
C. All that is not expressly permitted is not forbidden
D. No answer is correct
Answer: A

Explanation: MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling.

Under MAC, you define who is allowed to access objects, and if you haven't defined an access right, access is not permitted. So it is not the case that all that is expressly permitted is forbidden, or that all that is not expressly permitted is not forbidden.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

3. In the Lattice Based Access Control model, controls are applied to:
A. Models
B. Factors
C. Scripts
D. Objects
Answer: D

Explanation: Information flow is clearly central to confidentiality, but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called a security label) to another. These controls are applied to objects. An object is a container of information; an object can be a directory or file.

Controls are part of the Lattice Based Access Control (Mandatory Access Control) model, not applied to the model. Factors and scripts are not involved in the model.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

4. With discretionary access controls, who determines who has access and what privilege they have?
A. Resource owners
B. End users
C. Only the administrators
D. No answer is correct
Answer: A

Explanation: Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

5. A firewall can be classified as a:
A. Rule based access control
B. Lattice based access control
C. Directory based access control
D. ID based access control
Answer: A

Explanation: Rule-based access control is based on a specific profile for each user. Information can be easily changed for only one user, but this scheme may become a burden in a very large environment. A rule-based access control unit will intercept every request to the server and compare the source-specific access conditions with the rights of the user in order to make an access decision. A good example could be a firewall. Here a set of rules defined by the network administrator is recorded in a file. Every time a connection is attempted (incoming or outgoing), the firewall software checks the rules file to see if the connection is allowed. If it is not, the firewall closes the connection.

Lattice-based access control is associated with Mandatory Access Control (MAC). Directory-based and ID-based access controls are not relevant.
& Section 1.1: Access Control
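
The rules-file firewall described in questions 1 and 5, as an added example that is not part of the original page: a small rule-based evaluator that parses a constructed rules file (the syntax is an assumption, not any real firewall's), checks each connection attempt against the rules in order, and closes anything no rule expressly permits.

```python
"""Rule-based access control as a firewall rules file.

Added example, not code from the original page. The rules-file syntax is
constructed for this example (not any real firewall's):
    <action> <direction> <proto> <src-cidr|any> <dst-cidr|any> <dport|any>
Rules are checked top to bottom and the first match decides; a connection
that matches no rule is closed, i.e. what is not expressly permitted is
forbidden.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules file, as a network administrator would record it.
SAMPLE_RULES_FILE = """
# action direction proto src            dst           dport
allow    in        tcp   any            10.0.0.5/32   443
allow    in        tcp   192.168.1.0/24 10.0.0.0/24   22
deny     in        tcp   any            any           23
allow    out       any   10.0.0.0/24    any           any
"""


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    direction: str                           # "in" or "out"
    proto: str                               # "tcp", "udp", ... or "any"
    src: Optional[ipaddress.IPv4Network]     # None means any source
    dst: Optional[ipaddress.IPv4Network]     # None means any destination
    dport: Optional[int]                     # None means any port

    def matches(self, direction: str, proto: str, src_ip: str,
                dst_ip: str, dport: int) -> bool:
        """True if this rule applies to the attempted connection."""
        if self.direction != direction:
            return False
        if self.proto not in ("any", proto):
            return False
        if self.src is not None and ipaddress.ip_address(src_ip) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def _network(field: str) -> Optional[ipaddress.IPv4Network]:
    return None if field == "any" else ipaddress.ip_network(field, strict=False)


def _port(field: str) -> Optional[int]:
    if field == "any":
        return None
    port = int(field)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_rules(text: str) -> List[Rule]:
    """Parse the rules file. Malformed lines are rejected, not skipped, so a
    typo cannot silently drop a rule (a dropped deny is the dangerous case)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        action, direction, proto, src, dst, dport = fields
        if action not in ("allow", "deny") or direction not in ("in", "out"):
            raise ValueError(f"line {lineno}: bad action/direction {action!r} {direction!r}")
        rules.append(Rule(action, direction, proto.lower(),
                          _network(src), _network(dst), _port(dport)))
    return rules


def decide(rules: List[Rule], direction: str, proto: str,
           src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; with no match the connection is denied."""
    for rule in rules:
        if rule.matches(direction, proto.lower(), src_ip, dst_ip, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_FILE)
    for conn in [("in", "tcp", "203.0.113.9", "10.0.0.5", 443),
                 ("in", "tcp", "203.0.113.9", "10.0.0.9", 22),
                 ("out", "udp", "10.0.0.9", "198.51.100.1", 53)]:
        print(conn, "->", decide(rules, *conn))
```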

6. What is the role of IKE within the IPsec protocol?
A. Peer authentication and key exchange
B. Data encryption
C. Data signature
D. Enforcing quality of service
Answer: A

Explanation: In order to set up and manage SAs on the Internet, a standard format called the Internet Security Association and Key Management Protocol (ISAKMP) was established. ISAKMP provides for secure key exchange and data authentication. However, ISAKMP is independent of the authentication protocols, security protocols, and encryption algorithms. Strictly speaking, a combination of three protocols is used to define key management for IPsec. These protocols are ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley. When combined and applied to IPsec, these protocols are called the Internet Key Exchange (IKE) protocol.

7. To ensure that integrity is attained through the Clark and Wilson model, certain rules are needed. These rules are:
A. Processing rules and enforcement rules.
B. Integrity-bouncing rules.
C. Certification rules and enforcement rules.
D. Certification rules and general rules.
Answer: C

Explanation: To ensure that integrity is attained and preserved, Clark and Wilson assert, certain integrity-monitoring and integrity-preserving rules are needed. Integrity-monitoring rules are called certification rules, and integrity-preserving rules are called enforcement rules.

8. The ability to do something with a computer resource can be explicitly enabled or restricted through:
A. Physical and system-based controls.
B. Theoretical and system-based controls.
C. Mental and system-based controls.
D. Physical and trap-based controls.
Answer: A

Explanation: Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.

9. What is the best description for CHAP (Challenge Handshake Authentication Protocol)?
A. Passwords are sent in clear text
B. Passwords are not sent in clear text
C. Passwords are not used; a digital signature is sent
D. It is substandard to PAP
E. It was used with PS2's and has been discontinued
Answer: B

Explanation: Passwords are not sent in clear text. The server performing the authentication sends a challenge value and the user types in the password. The password is used to encrypt the challenge value, which is then sent back to the authentication server.
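
The CHAP exchange described above, as an added example that is not from the page: both sides of the handshake in Python, computed the way RFC 1994 specifies (an MD5 digest over identifier, secret and challenge, rather than literally encrypting the challenge), so the password itself never crosses the link. Peer names, secrets and the challenge source are constructed for the run.

```python
"""CHAP challenge/response exchange between a peer and an authenticator.

Added example, not code from the original page. It follows RFC 1994: the
response is MD5(identifier || secret || challenge). Whatever the wording,
the secret is never transmitted; only a fresh challenge and its digest are.
Names, secrets and the random source are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Challenge:
    identifier: int     # one-byte Identifier; binds a response to its challenge
    value: bytes        # random Challenge Value, sent in the clear


@dataclass(frozen=True)
class Response:
    identifier: int
    digest: bytes       # 16-byte MD5 output
    name: str           # peer name, so the authenticator can look up the secret


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: MD5 over Identifier, secret and Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds peer secrets, issues challenges, verifies responses."""

    def __init__(self, secrets: Dict[str, bytes],
                 rng: Callable[[int], bytes] = os.urandom):
        self._secrets = dict(secrets)
        self._rng = rng
        self._pending: Dict[int, bytes] = {}    # outstanding challenge per identifier
        self._next_id = 0

    def issue_challenge(self) -> Challenge:
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        value = self._rng(16)                   # unpredictable and fresh each time
        self._pending[ident] = value
        return Challenge(ident, value)

    def verify(self, resp: Response) -> bool:
        # pop(): a challenge is usable once, so a captured response cannot be replayed
        challenge = self._pending.pop(resp.identifier, None)
        secret = self._secrets.get(resp.name)
        if challenge is None or secret is None:
            return False
        expected = chap_digest(resp.identifier, secret, challenge)
        return hmac.compare_digest(expected, resp.digest)   # constant-time compare


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, ch: Challenge) -> Response:
        return Response(ch.identifier,
                        chap_digest(ch.identifier, self._secret, ch.value),
                        self.name)


def run_exchange(server_secret: bytes, peer_secret: bytes,
                 name: str = "alice") -> bool:
    """One full exchange; True only when both sides hold the same secret."""
    auth = Authenticator({name: server_secret})
    peer = Peer(name, peer_secret)
    challenge = auth.issue_challenge()          # authenticator -> peer
    response = peer.respond(challenge)          # peer -> authenticator
    return auth.verify(response)


if __name__ == "__main__":
    print("matching secret:", run_exchange(b"s3cret", b"s3cret"))   # True
    print("wrong secret:   ", run_exchange(b"s3cret", b"guess"))    # False
```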

10. Separation of duties is valuable in deterring:
A. DoS
B. External intruder
C. Fraud
D. Trojan horse
Answer: C

Explanation: Separation of duties is considered valuable in deterring fraud, since fraud can occur if an opportunity exists for collaboration between various job-related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions.

11. Which of the following are the valid categories of hand geometry scanning?
A. Electrical and image-edge detection.
B. Mechanical and image-edge detection.
C. Logical and image-edge detection.
D. Mechanical and image-ridge detection.
Answer: B

Explanation: Hand geometry reading (scanning) devices usually fall into one of two categories: mechanical or image-edge detection. Both methods are used to measure specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.

12. One of the difficulties associated with network-based intrusion detection systems is:
A. Synchronizing the signature file with the firewall.
B. The steep learning curve associated with IDS.
C. The high number of false negatives that must be eliminated.
D. The high number of false positives that must be eliminated.
Answer: D

Explanation: IDS is known for a high number of false positives that must be eliminated one by one.

13. What technology is being used to detect anomalies?
A. IDS
B. FRR
C. Sniffing
D. Capturing
Answer: A

Explanation: Intrusion detection is a quickly evolving domain of expertise. In the past year we have seen giant steps forward in this area. We are now seeing IDS engines that will detect anomalies, and that have some built-in intelligence. It is no longer a simple game of matching signatures in your network traffic.

14. Which of the following is a weakness of both statistical anomaly detection and pattern matching?
A. Lack of ability to scale.
B. Lack of learning model.
C. Inability to run in real time.
D. Requirement to monitor every event.
Answer: B

Explanation: Disadvantages of knowledge-based ID systems: this system is resource-intensive; the knowledge database continually needs maintenance and updates; new, unique, or original attacks often go unnoticed. Disadvantages of behavior-based ID systems: the system is characterized by high false alarm rates. False positives are the most common failure of ID systems and can create data noise that makes the system unusable. The activity and behavior of the users while in the networked system might not be static enough to effectively implement a behavior-based ID system.

15. The Lattice Based Access Control model was developed to deal mainly with ___________ in computer systems.
A. Access control
B. Information flow
C. Message routes
D. Encryption
Answer: B

Explanation: Information flow is clearly central to confidentiality, but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called a security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file.

16. Access controls that are not based on the policy are characterized as:
A. Secret controls
B. Mandatory controls
C. Discretionary controls
D. Corrective controls
Answer: C

Explanation: Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege: those who may read an item of data are precisely those whose tasks entail the need.

17. In which situation would TEMPEST risks and technologies be of MOST interest?
A. Where high availability is vital.
B. Where the consequences of disclosure are very high.
C. Where countermeasures are easy to implement.
D. Where database integrity is crucial.
Answer: B

Explanation: Emanation eavesdropping is the receipt and display of information which is resident on computers or terminals, through the interception of radio frequency (RF) signals generated by those computers or terminals. The U.S. government established a program called TEMPEST that addressed this problem by requiring shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.

18. All logs are kept on archive for a period of time. What determines this period of time?
A. Retention policies
B. Administrator preferences
C. MTTF
D. MTTR
Answer: A

Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer than a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained, but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

19. With _______________, access decisions are based on the roles that individual users have as part of an organization.
A. Role based access control
B. Rule based access control
C. Server based access control
D. Token based access control
Answer: A

Explanation: With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Most access control systems are rule-based, that is, they use a preset list of rules when deciding whether or not a user should have access to a resource; this is not specific to access control systems based on user role. Most networks use server-based access control to control access to network resources; however, local resources are typically under the control of the local machine. Neither is particularly unique to role-based access control. Some networks may use token-based access control, but that is not a requirement for role-based access control, either.

20. Under MAC, a clearance is a:
A. Privilege
B. Subject
C. Sensitivity
D. Object
Answer: A

Explanation: MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling.

In MAC, subjects (such as users) are each assigned a clearance (such as "secret" or "top secret"). Objects (containers for information, such as files) are assigned a sensitivity (classification, similar to clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC
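
The clearance-versus-sensitivity comparison above (and the lattice model of questions 3 and 15), as an added example that is not from the page. It goes beyond the single-level comparison in the text: a label is a level plus a set of categories, as lattice-based MAC uses, read follows the Bell-LaPadula no-read-up rule and write the no-write-down rule, and anything without a label is denied because MAC requires labeling. Level names, categories, subjects and objects are constructed.

```python
"""Mandatory access decisions on a clearance/sensitivity lattice.

Added example, not code from the original page. A label is (level,
categories); a clearance dominates a sensitivity when its level is at least
as high AND its category set contains the object's. Read is granted on
dominance (Bell-LaPadula simple security, "no read up"); write only when the
object dominates the subject (*-property, "no write down"). Level names,
categories and the sample subjects/objects are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Totally ordered sensitivity levels, lowest first (constructed names).
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1,
                          "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()    # compartments such as {"crypto"}

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: higher-or-equal level AND superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label data takes when a and b are combined."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.categories | b.categories)


def may_read(clearance: Label, sensitivity: Label) -> bool:
    return clearance.dominates(sensitivity)         # no read up


def may_write(clearance: Label, sensitivity: Label) -> bool:
    return sensitivity.dominates(clearance)         # no write down


def decide(subjects: Dict[str, Label], objects: Dict[str, Label],
           subject: str, obj: str, mode: str) -> bool:
    """Reference-monitor style decision. MAC requires labeling, so a subject
    or object without a label is denied; the default is prohibitive."""
    clearance: Optional[Label] = subjects.get(subject)
    sensitivity: Optional[Label] = objects.get(obj)
    if clearance is None or sensitivity is None:
        return False
    if mode == "read":
        return may_read(clearance, sensitivity)
    if mode == "write":
        return may_write(clearance, sensitivity)
    return False


# Constructed sample subjects (clearances) and objects (classifications).
SUBJECTS = {
    "analyst": Label("secret", frozenset({"crypto"})),
    "clerk": Label("confidential"),
}
OBJECTS = {
    "/ops/plan.txt": Label("secret"),
    "/crypto/keys.txt": Label("secret", frozenset({"crypto"})),
    "/public/notice.txt": Label("unclassified"),
    "/hr/review.txt": Label("top secret"),
}

if __name__ == "__main__":
    for who in SUBJECTS:
        for what in OBJECTS:
            print(f"{who:8} read  {what:20}", decide(SUBJECTS, OBJECTS, who, what, "read"))
            print(f"{who:8} write {what:20}", decide(SUBJECTS, OBJECTS, who, what, "write"))
```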

21. Access controls that are not based on the policy are characterized as:
A. Mandatory controls
B. Discretionary controls
C. Secret controls
D. Corrective controls
Answer: B

Explanation: Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege: those who may read an item of data are precisely those whose tasks entail the need.

Mandatory controls are based on policy. Secret controls and corrective controls are not related to access control.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

22. DAC are characterized by many organizations as:
A. Preventive controls
B. Mandatory adjustable controls
C. Need-to-know controls
D. No answer is correct
Answer: C

Explanation: DAC is the acronym for Discretionary Access Controls. Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege: those who may read an item of data are precisely those whose tasks entail the need. Preventive controls and mandatory adjustable controls do not characterize DAC.
& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

23. A password represents:
A. Something you know
B. Something you have
C. Something you are
D. No answer is correct
Answer: A

Explanation: Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Something you have would be a physical item you possess, such as a smartcard. Something you are would be a personal characteristic of you, not a piece of information you know.
& Section 1.2: Authentication & Section 1.2.4: Username/Password

24. A smartcard represents:
A. Something you know
B. Something you have
C. Something you are
D. No answer is correct
Answer: B

Explanation: Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

Something you know would be a piece of data known only to you, such as a password. Something you are would be a physical characteristic of you, like your fingerprint.
& Section 1.2: Authentication & Section 1.2.5: Tokens

25. Which of the following is NOT a good password deployment guideline?
A. Passwords must not be the same as user id or login id.
B. Passwords must be changed at least once every 60 days, depending on your environment.
C. Password aging must be enforced on all systems.
D. Password must be easy to memorize.
Answer: D

Explanation: Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere that others could see it.

Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed; then the account must be disabled until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).
& Section 1.2.4: Username/Password

26. Which of the following is an effective measure against a certain type of brute force password attack?
A. Password reuse is not allowed.
B. Password history is used.
C. Any password used must not be a word found in a dictionary.
D. No answer is correct
Answer: C

Explanation: A brute force password attack involves trying many possible password values to see if any result in access to an account. In order to help prevent dictionary-based attacks, in which the list of password values to try comes from a dictionary, it is useful to have a policy that any password used must not be a word found in a dictionary.

"Password reuse is not allowed" (i.e., rotating passwords) is a good policy, but not the one most closely related to helping prevent brute force password attacks. Password history must be used to prevent users from reusing passwords. For example, on many systems with such a facility the last 12 passwords used will be kept in the history. But as with policies against password re-use, password history is not as relevant to preventing brute force password attacks as is the policy against dictionary words.
& Section 1.4.11.1: Brute Force & Section 1.4.11.2: Dictionary
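
The password guidelines of questions 25 and 26 (not the user ID, not a dictionary word, a 12-entry history, 60-day aging, three grace logins and then disable), as an added example that is not from the page. The word list, account names and passwords are constructed, and storing history entries as salted PBKDF2 hashes is an implementation choice of this example.

```python
"""Password deployment checks: not the user ID, not a dictionary word, not in
the 12-entry history, 60-day aging with three grace logins, then disable.

Added example, not code from the original page. The figures come from the
guidelines above; the word list, user names and passwords are constructed,
and history entries are stored as salted PBKDF2 hashes (an implementation
choice, so old passwords are never kept in clear text).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HISTORY_DEPTH = 12                  # last 12 passwords kept
MAX_AGE = timedelta(days=60)        # change at least every 60 days
GRACE_LOGINS = 3                    # logins allowed after expiry, then disable
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "welcome", "secret", "letmein", "dragon", "qwerty"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    changed_at: Optional[datetime] = None
    grace_used: int = 0
    disabled: bool = False


def check_policy(acct: Account, candidate: str) -> List[str]:
    """Return the list of guideline violations (empty means acceptable)."""
    problems = []
    if candidate.lower() == acct.user_id.lower():
        problems.append("same as user id")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if any(hmac.compare_digest(_hash(candidate, salt), digest)
           for salt, digest in acct.history[:HISTORY_DEPTH]):
        problems.append("found in password history")
    return problems


def set_password(acct: Account, candidate: str,
                 now: Optional[datetime] = None) -> List[str]:
    """Apply the new password if policy allows; otherwise return the violations."""
    problems = check_policy(acct, candidate)
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(candidate, salt)))
    del acct.history[HISTORY_DEPTH:]            # rotate out the oldest entries
    acct.changed_at = now or datetime.now()
    acct.grace_used = 0
    return []


def login(acct: Account, candidate: str, now: Optional[datetime] = None) -> str:
    """Outcome: 'ok', 'grace' (expired, change required), 'disabled' or 'bad-password'."""
    now = now or datetime.now()
    if acct.disabled:
        return "disabled"
    if not acct.history or acct.changed_at is None:
        return "bad-password"
    salt, digest = acct.history[0]
    if not hmac.compare_digest(_hash(candidate, salt), digest):
        return "bad-password"
    if now - acct.changed_at <= MAX_AGE:
        return "ok"
    acct.grace_used += 1                         # expired: consume a grace login
    if acct.grace_used >= GRACE_LOGINS:
        acct.disabled = True                     # the third grace login is the last
    return "grace"


def demo() -> List[str]:
    """Walk one constructed account through the lifecycle; returns login outcomes."""
    acct = Account("jsmith")
    t0 = datetime(2024, 1, 1)
    assert set_password(acct, "Tq7!vapor-lamp", t0) == []
    outcomes = [login(acct, "Tq7!vapor-lamp", t0 + timedelta(days=30))]
    late = t0 + timedelta(days=61)               # past the 60-day limit
    outcomes += [login(acct, "Tq7!vapor-lamp", late) for _ in range(4)]
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['ok', 'grace', 'grace', 'grace', 'disabled']
```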

27. What type of attack occurs when a rogue application has been planted on an unsuspecting user's workstation?
A. Logical attacks
B. Physical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
Answer: C

Explanation: Trojan Horse attacks: this attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.
& Section 1.5.2: Trojan Horses

28. Which of the following attacks could be the most successful when the security technology is properly implemented and configured?
A. Logical attacks
B. Physical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
Answer: D

Explanation: Social Engineering attacks: in computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack has a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. When using smartcards instead of passwords, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.
& Section 1.4.9: Social Engineering & Section 1.6: Social Engineering & Section 5.1.2: Social Engineering

29. What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server?
A. RADIUS
B. PPTP
C. L2TP
D. IPSec
Answer: A

Explanation: RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC 2138, as mentioned above.

The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.
& Section 2.1.3: RADIUS

30. In a RADIUS architecture, which of the following acts as a client?
A. A Network Access Server
B. The end user
C. The authentication server
D. No answer is correct
Answer: A

Explanation: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to a designated RADIUS server, and then acting on the response which is returned. RADIUS uses a centralized database, simplifying password management. The end user's computer does not make the RADIUS request. The NAS makes the request after receiving the network connection request from the end user.
& Section 2.1.3: RADIUS

31. The majority of commercial intrusion detection systems are:
A. Network-based
B. Host-based
C. Identity-based
D. Signature-based
Answer: A

Explanation: The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.

Historically, IDS started out as host-based, which is the other major type of IDS. Identity-based and signature-based are not types of IDS.
& Section 2.3.3.3: Packet Sniffing & Section 3.1.9: IDS (Intrusion Detection System) & Section 3.4: Intrusion Detection & Section 3.4.1: Network Based (Intrusion Detection)

32. Which of the following is a drawback of network-based IDSs?
A. It cannot analyze encrypted information.
B. It is very costly to set up.
C. It is very costly to manage.
D. It is not effective.
Answer: A

Explanation: Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
& Section 2.3.3.3: Packet Sniffing & Section 3.1.9: IDS (Intrusion Detection System) & Section 3.4: Intrusion Detection & Section 3.4.1: Network Based (Intrusion Detection)

33. Which of the following will you consider as clear-text protocols?
A. Telnet
B. FTP
C. POP
D. No answer is correct
Answer: A, B, C

Explanation: There are many clear-text protocols still in use today. Telnet is still alive and well. FTP and POP email both use clear-text protocols. Creating a server to emulate any of these services is trivial. Combining that and some DNS spoofing can cause "normal" traffic to come to your fake servers where the usernames and passwords can be obtained.
& Section 2.1.6: SSH & Section 2.5.4: (File Transfer) Vulnerabilities

34. Microsoft supports the _______________ and ______ standards for use in extranets.
A. PPTP
B. IPSec
C. CORBA
D. DCOM
Answer: A, B

Explanation: Netscape, Oracle, and Sun Microsystems have announced an alliance to ensure that their extranet products can work together by standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA). Microsoft supports the Point-to-Point Tunneling Protocol (PPTP) and IPSec. CORBA and DCOM are programming technologies.
& Section 2.1.2: VPN

35. To allow your Windows clients to connect to your Windows NT Server using the public network as a medium, what technology might you find useful?
A. PPTP
B. L2TP
C. OSPF
D. IPSEC
Answer: A, D

Explanation: A protocol or set of communication rules called Point-to-Point Tunneling Protocol (PPTP) has been proposed that would make it possible to create a virtual private network (VPN) through "tunnels" over the Internet. This would mean that companies would no longer need their own leased lines for wide-area communication but could securely use the public networks. IPSec is more resource intensive, and provides higher security. IPSec is available in Windows 2000 and XP/.Net operating systems.

L2TP is a successor to PPTP. Its development was done by an industry coalition, and it includes the best features of PPTP and L2F. OSPF is a routing protocol.
& Section 2.1.5: L2TP/PPTP & Section 2.1.7: IPSec

36. What technology involves the use of an electronic wallet?
A. TLS
B. SSL
C. SHTTP
D. SET
Answer: D

Explanation: SET (Secure Electronic Transaction) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by MasterCard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI).

TLS, SSL and SHTTP could all be used for this, but SET is specific to the financial services industry.
& Section 2.3.1: SSL/TLS

37. With Java, what can be embedded in a web browser, allowing programs to be executed as they are downloaded from the World Wide Web?
A. JVM
B. Bytecode
C. Interpreter
D. Just-in-time compiler
Answer: B

Explanation: Java is a modern, object-oriented language that has a syntax similar to C++. It also has dynamic binding, garbage collection, and a simple inheritance model. Java is a general-purpose computer language and is not limited to writing web applications. References to Java bytecode can be embedded in a web browser, allowing programs to be executed as they are downloaded from the World Wide Web. The JVM on the user's machine can execute the Java bytecode using an interpreter, or use a just-in-time compiler to convert the bytecode into native machine code.
& Section 2.3.4.1: Java Script

38. ActiveX controls can be digitally signed using a technology called:
A. Java Applet
B. CGI
C. Sandbox
D. Authenticode
Answer: D

Explanation: The ActiveX code is bundled into a single file called an ActiveX control. ActiveX controls can be digitally signed using Microsoft's Authenticode technology. Internet Explorer can be configured to disregard any ActiveX control that isn't signed, to run only ActiveX controls that have been signed by specific publishers, or to accept ActiveX controls signed by any registered software publisher. ActiveX controls do not run in a sandbox. The burden is on the user to determine which ActiveX controls s/he feels are "safe" to run.

Applets and CGI are alternate types of content, and a sandbox refers to a protected area of the system in which web content runs.
& Section 2.3.4.2: ActiveX

39. Which of the following represents code that is dormant until triggered by a predetermined event?
A. Logic bomb
B. Virus
C. Worm
D. Snort
Answer: A

Explanation: A logic bomb is a resident computer program that, when executed, checks for particular conditions or particular states of the system which, when satisfied, trigger the perpetration of an unauthorized act. A virus is a self-replicating program; a worm is a program capable of replicating across the network. Snort is a commonly used intrusion detection tool, not malicious code.

& Section 1.5.3: Logic Bomb

40. With IPSEC, in each encrypted session we can find ____________ SA(s) for EACH direction.
A. One
B. Two
C. Four
D. Eight
Answer: A

Explanation: All implementations of IPSec must have a security association. The security association is a one-way connection that affords security services to the traffic carried by it. This means that in an encrypted session, there are two security associations - one for each direction. Security services are offered by either the Authentication Header (AH) or the Encapsulating Security Payload (ESP), but not both.

& Section 2.1.7: IPSec

41. Remote Access generally offers
A. The same rights and restrictions as are available on the LAN
B. Some of the rights and restrictions as are available on the LAN
C. Different rights and restrictions as available on the LAN.
D. No choice is correct.
Answer: A

Explanation: Remote access frequently goes through a more stringent security procedure than local login. And if the account name used for remote access is the same as what is used locally, it has the identical rights and restrictions unless you've added a firewall between your remote access server and your internal network.

& Section 2.1: Remote Access

42. A centralized database of remote users for a multi-site network typically uses
A. CHAP
B. MS-CHAP
C. PAP
D. RADIUS
E. No choice is correct
Answer: D

Explanation: RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.

& Section 2.1.3: RADIUS

43. TACACS+ is an update to TACACS and is backwards compatible. True/False
A. True
B. False
Answer: B

Explanation: Despite the similarity of the acronyms, TACACS+ is NOT compatible with TACACS (Terminal Access Controller Access Control System).

& Section 2.1.4: TACACS/XTACACS/TACACS+

44. The SA (Security Association) for IPSec is managed by
A. ISAKMP
B. AH
C. ESP
D. SecurID
E. AES
Answer: A

Explanation: The Internet Security Association and Key Management Protocol (ISAKMP) defines a framework for security association management and cryptographic key establishment for the Internet. AH and ESP are types of IPSec communications, but they do not manage SAs. AES is an encryption algorithm.

& Section 2.1.7: IPSec

45. WEP has security issues because:
A. It was limited by export regulations
B. It uses RC4, a stream cipher. WEP needs an Initialization Vector (IV) for RC4 to overcome the "lossy" nature of radio. The short length of the IV forces reuse.
C. 802.11 was not meant to be secure
D. All choices are correct
E. No choice is correct
Answer: B

Explanation: WEP uses RC4 (a shared-secret stream cipher). An IV is needed to overcome signal loss. The short IV length forces IV reuse, which basic security concepts forbid for a stream cipher.

& Section 2.1.8: (Remote Access) Vulnerabilities
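The explanation states that the IV is too short and therefore gets reused, but not how quickly that happens or why reuse matters. The following added example (not code from the page) quantifies both. It assumes the WEP IV is 24 bits, which is a property of the WEP design rather than something the page states, and it stands a random keystream in for RC4, because the consequence of reuse does not depend on the cipher: two frames encrypted under the same keystream leak the XOR of their plaintexts, so the keystream provides no secrecy between them.

```python
import math
import os

# WEP's per-frame IV is 24 bits (assumption drawn from the WEP design, not from the page).
WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS


def iv_collision_probability(frames: int, space: int = WEP_IV_SPACE) -> float:
    """Probability that at least two of `frames` randomly chosen IVs coincide.

    Exact birthday-problem product, accumulated in log space so that it does
    not underflow for large frame counts.
    """
    if frames > space:
        return 1.0                      # pigeonhole: more frames than IV values
    log_no_collision = 0.0
    for i in range(frames):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_until_probability(target: float, space: int = WEP_IV_SPACE) -> int:
    """Smallest frame count at which the collision probability reaches `target`.

    Uses the closed-form approximation 1 - exp(-n(n-1)/(2N)), which is
    accurate to well under one percent at these sizes.
    """
    n = 1
    while 1.0 - math.exp(-n * (n - 1) / (2.0 * space)) < target:
        n += 1
    return n


def keystream_reuse_leaks(plain_a: bytes, plain_b: bytes) -> bool:
    """Why IV reuse is a problem for a stream cipher.

    Two frames encrypted under the same key and IV share one keystream.
    XORing the two ciphertexts cancels the keystream and leaves the XOR of
    the two plaintexts, so an observer learns about both messages without
    ever recovering the key. A random keystream models RC4's output here.
    """
    if len(plain_a) != len(plain_b):
        raise ValueError("demo expects equal-length frames")
    keystream = os.urandom(len(plain_a))            # one keystream for both frames
    cipher_a = bytes(p ^ k for p, k in zip(plain_a, keystream))
    cipher_b = bytes(p ^ k for p, k in zip(plain_b, keystream))
    xor_of_ciphertexts = bytes(a ^ b for a, b in zip(cipher_a, cipher_b))
    xor_of_plaintexts = bytes(a ^ b for a, b in zip(plain_a, plain_b))
    return xor_of_ciphertexts == xor_of_plaintexts


if __name__ == "__main__":
    print(f"P(IV collision) after 5000 frames: {iv_collision_probability(5000):.3f}")
    print(f"frames for a 50% chance of an IV collision: {frames_until_probability(0.5)}")
    print("keystream reuse leaks plaintext XOR:",
          keystream_reuse_leaks(b"frame one ", b"frame two "))
```

A busy access point sends thousands of frames per minute, so the 24-bit space is exhausted in hours and a collision is more likely than not after only a few thousand frames; this is the arithmetic behind the page's statement that the short IV "forces" reuse.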

46. SPAM carries what sort of costs (choose all that apply):
A. Loss of productivity
B. Loss of bandwidth
C. Revenue drain supporting unwanted traffic
D. Credit card fraud losses
Answer: A, B, C

Explanation: Because it is cheap to purchase email addresses, there is a great deal of spam. The sheer volume of spam costs productivity time deleting it and consumes bandwidth, requiring additional bandwidth to be purchased. Depending on the content of spam, a user subjected to it could suffer a credit card fraud loss, but that is not the main issue with spam.

& Section 2.2.3.1: Spam

47. Email hoaxes:
A. Spread fear
B. Cost productivity
C. Improve a firm's image
D. Have no impact
Answer: A, B

Explanation: This one is obvious. Refer to the web links for sites to confirm hoaxes.

& Section 2.2.3.2: Hoaxes

48. What technology is being used to detect anomalies?
A. IDS
B. FRR
C. Sniffing
D. Capturing
Answer: A

Explanation: Intrusion Detection is a quickly evolving domain of expertise. In the past year we have seen giant steps forward in this area. We are now seeing IDS engines that will detect anomalies, and that have some built-in intelligence. It is no longer a simple game of matching signatures in your network traffic.

& Section 2.3.3.3: Packet Sniffing & Section 3.1.9: IDS (Intrusion Detection System) & Section 3.4: Intrusion Detection

49. IDSs can be described in terms of what fundamental functional components?
A. Information Sources
B. Analysis
C. Response
D. No Answer is Correct
Answer: A, B, C

Explanation: Many IDSs can be described in terms of three fundamental functional components:

Information Sources: The different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common.

Analysis: The part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.

Response: The set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.

& Section 2.3.3.3: Packet Sniffing & Section 3.1.9: IDS (Intrusion Detection System) & Section 3.4: Intrusion Detection

50. Host-based IDSs normally utilize information from which of the following sources?
A. Operating system audit trails and system logs
B. Operating system audit trails and network packets
C. Network packets and system logs
D. Operating system alarms and system logs
Answer: A

Explanation: Host-based IDSs normally utilize information sources of two types, operating system audit trails and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. However, system logs are much less obtuse and much smaller than audit trails, and are furthermore far easier to comprehend. Some host-based IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single management console to track many hosts. Others generate messages in formats that are compatible with network management systems.

Host-based systems do not generally use network packets (although some may inspect all packets destined for the particular host in question). Similarly, they traditionally rely on logs rather than on real-time alarms.

& Section 2.3.3.3: Packet Sniffing & Section 3.1.9: IDS (Intrusion Detection System) & Section 3.4: Intrusion Detection & Section 3.4.2: Host Based (Intrusion Detection)

51. What is known as a decoy system designed to lure a potential attacker away from critical systems?
A. Vulnerability Analysis Systems
B. Honey Pots
C. Padded Cells
D. File Integrity Checker
Answer: B

Explanation: Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to: divert an attacker from accessing critical systems; collect information about the attacker's activity; and encourage the attacker to stay on the system long enough for administrators to respond.

Vulnerability analysis systems measure a system or network's vulnerability to attack, not whether or not an attack has occurred. File Integrity Checkers are used to see if system files have been altered by an attacker.

& Section 3.4.3: Honey Pots

52. A simple firewall screening method is to screen requests and ensure that they come from:
A. Acceptable domain name and IP addresses
B. Acceptable domain name and IGMP addresses
C. Acceptable domain name and phone numbers
D. Acceptable IP addresses and CA
Answer: A

Explanation: There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain name and Internet Protocol addresses. For mobile users, firewalls allow remote access in to the private network by the use of secure logon procedures and authentication certificates.

IGMP is a routing protocol, not an addressing scheme. Phone numbers are not directly related to IP addresses.

& Section 3.1.1: Firewalls
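The address half of the screening method above, as an added example that is not code from the page: a rule list of acceptable and unacceptable source networks, evaluated first-match with a default of deny. The rule set and the addresses are constructed (documentation ranges), and the domain-name half is left out because it needs a name-resolution step that cannot run offline. Source-address screening on its own is weak, since addresses can be forged, which is why the page pairs it with logon procedures and certificates for remote users.

```python
import ipaddress
from typing import Iterable, List, Tuple


def parse_rules(lines: Iterable[str]) -> List[Tuple[str, object]]:
    """Parse 'allow|deny <network>' lines; '#' starts a comment, blank lines are skipped.

    Networks must be written in canonical form (strict=True), so a typo such as
    10.0.0.1/8 is rejected instead of silently widening the rule.
    """
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, network = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, ipaddress.ip_network(network, strict=True)))
    return rules


def screen(rules, source_ip: str) -> str:
    """First matching rule decides; a request that matches no rule is denied."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in rules:
        if addr.version == network.version and addr in network:
            return action
    return "deny"


# Constructed rule set: one partner network is acceptable except for a single host,
# the internal network is acceptable, and everything else falls through to deny.
RULES = parse_rules("""
deny  203.0.113.66/32      # specific host excluded from the partner range
allow 203.0.113.0/24       # partner network
allow 10.0.0.0/8           # internal network
""".splitlines())


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.66", "10.20.30.40", "198.51.100.5"):
        print(f"{ip:>15} -> {screen(RULES, ip)}")
```

Rule order matters with first-match evaluation: the host exclusion must precede the broader allow, otherwise the /24 would admit it. That ordering mistake is a common misconfiguration, and the test below checks both orderings.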

53. An extranet can be viewed as part of a company's intranet that is extended to users:
A. Outside the company
B. Inside the company
C. With administrator privileges
D. With root privileges
Answer: A

Explanation: An extranet is a private network that uses the Internet protocol and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company's intranet that is extended to users outside the company. It has also been described as a "state of mind" in which the Internet is perceived as a way to do business with other companies as well as to sell products to customers. The same benefits that HTML, Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and other Internet technologies have brought to the Internet and to corporate intranets now seem designed to accelerate business between businesses.

Typically the portion of a company's network inside the company is referred to as its intranet. Generally extranet users do not have administrator or root privileges.

& Section 3.1.8: VPN (Virtual Private Network) & Section 3.3.1.3: Extranet

54. Why is fiber optics a better transmission medium than copper wire?
A. Carries more data
B. Less subject to electromagnetic interference
C. More secure
D. No Answer is Correct
Answer: A, B, C

Explanation: Fiber optic (or "optical fiber") refers to the medium and the technology associated with the transmission of information as light impulses along a glass or plastic wire or fiber. Fiber optic wire carries much more information than conventional copper wire and is far less subject to electromagnetic interference. Most telephone company long-distance lines are now fiber optic.

& Section 3.2.3: Fiber

55. NAT functionality is frequently found in which of the following devices?
A. Router
B. Hub
C. Router and firewall
D. File server and switch
Answer: C

Explanation: NAT, or Network Address Translation, is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses.

Typically hubs and switches work at lower levels of the IP protocol stack than NAT does.

& Section 3.3.3: NAT (Network Address Translation)
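The NAT table described above, as an added example that is not code from the page: a translator holding static local-to-global entries alongside a pool that is handed out dynamically, with both translation directions and the behaviour at the two edges a practitioner cares about, pool exhaustion and unsolicited inbound traffic with no mapping. All addresses are constructed from documentation ranges.

```python
from typing import Dict, List, Optional


class NatTable:
    """Address-level NAT table with static entries and a dynamic pool.

    Static entries are fixed by the administrator. Dynamic entries are created
    the first time an internal host sends outbound traffic and released when
    the administrator (or an idle timer, not modelled here) clears them.
    """

    def __init__(self, static: Dict[str, str], pool: List[str]):
        self.static = dict(static)          # local -> global, fixed
        self.free_pool = list(pool)         # global addresses not yet handed out
        self.dynamic: Dict[str, str] = {}   # local -> global, allocated on demand

    def outbound(self, local_ip: str) -> str:
        """Local-to-global translation for traffic leaving the private network."""
        if local_ip in self.static:
            return self.static[local_ip]
        if local_ip in self.dynamic:
            return self.dynamic[local_ip]
        if not self.free_pool:
            raise RuntimeError(f"NAT pool exhausted; cannot translate {local_ip}")
        global_ip = self.free_pool.pop(0)
        self.dynamic[local_ip] = global_ip
        return global_ip

    def inbound(self, global_ip: str) -> Optional[str]:
        """Global-to-local translation for traffic arriving from outside.

        Returns None when no mapping exists: the packet is dropped, because
        nothing on the inside asked for it.
        """
        for table in (self.static, self.dynamic):
            for local_ip, mapped in table.items():
                if mapped == global_ip:
                    return local_ip
        return None

    def release(self, local_ip: str) -> None:
        """Return a dynamic mapping's global address to the pool."""
        global_ip = self.dynamic.pop(local_ip, None)
        if global_ip is not None:
            self.free_pool.append(global_ip)


def demo_table() -> NatTable:
    """Constructed sample: one static entry for a server, a two-address pool for clients."""
    return NatTable(static={"10.0.0.5": "203.0.113.5"},
                    pool=["203.0.113.10", "203.0.113.11"])


if __name__ == "__main__":
    nat = demo_table()
    print(nat.outbound("10.0.0.5"))      # static: 203.0.113.5
    print(nat.outbound("10.0.0.7"))      # first pool address: 203.0.113.10
    print(nat.inbound("203.0.113.10"))   # reverse lookup: 10.0.0.7
    print(nat.inbound("203.0.113.99"))   # no mapping: None (dropped)
```

The static entry is what lets an externally reachable server keep one known address; the dynamic pool is what hides how many internal clients exist, which is the security side benefit most often attributed to NAT.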

56. A router operates on layer 3. This means a packet sniffer can access
A. Can expose the entire network
B. Only the subnet that the packet sniffer exists on
C. Only the host on which the packet sniffer is located
D. No choice is correct
Answer: B

Explanation: A router directs IP traffic based on source and destination IP addresses. That limits sniffing to the subnetwork area. If the packet sniffer is at the router, it can monitor everything that moves through the router. (Of course, if a cracker can manipulate the router to route additional traffic over to the subnet the cracker has compromised, that traffic can be seen as well. The key is that the packets have to be passing through the subnet on which the sniffer is installed.)

& Section 3.1.2: Routers

57. A subnet can be isolated from sniffing by what?
A. Hub
B. Switch
C. Router
D. Repeater
Answer: C

Explanation: While a router will limit exposure via directed IP traffic, a switch will screen to the sub-net level by using MAC addresses. Do be aware that deploying switches does not make you totally immune to sniffing, as switches were not designed to segment traffic for security reasons, and many have at least one vulnerability that reduces their effectiveness for security.

& Section 3.1.3: Switches

58. What can be installed to alert you that the network is either being compromised or at least an attempt is being made?
A. Proxy
B. SNMP trap
C. IDS
D. Firewall
Answer: C

Explanation: The correct choice is IDS or Intrusion Detection System. A Proxy may have alerting or logging capabilities; however, that is an IDS feature that is built in to the proxy. The same can be said for a firewall.

& Section 3.1.9: IDS (Intrusion Detection System)

59. To monitor all the traffic on a network and automate defensive measures you would install a
A. Passive Network Based IDS
B. Active Network Based IDS
C. Passive Host Based IDS
D. Active Host Based IDS
Answer: B

Explanation: IDS is broken into host based or network based. A host based system monitors only a single host; a network based system monitors all network traffic. From there, they are either passive or active. Active-based systems follow rule-based steps, such as disconnecting a network connection. A passive system logs the event without taking any actions like paging the system administrator.

& Section 3.1.10: Network Monitoring / Diagnostics

60. Select the type of cable that is not prone to RFI or eavesdropping to EM
A. Fiber
B. Wireless
C. UTP
Answer: A

Explanation: Being driven by light, not electro-magnetic signals, fiber is not prone to the signal being snooped and is not affected by EM. Both wireless and UTP involve the transmission of electrical signals and are thus vulnerable to RFI and eavesdropping.

& Section 3.2.3: Fiber

61. When backing up using tape the administrator needs to
A. Periodically confirm the tape is still valid
B. Clean the tape drive
C. Store the tape off-site in a secured area
D. All of these choices are correct
E. No choices are correct
Answer: D

Explanation: More than one company has found that tapes stored in a high-security area off site still need to be checked. In one case a freezer running in an adjoining security area erased the tapes: the motor running the compressor created enough EMI to erase the tapes in the adjoining area.

& Section 3.2.4.1: Tape

62. The area between a public network such as the Internet and your LAN is frequently called a
A. VPN
B. MAN
C. DMZ
D. No choice is correct
Answer: C

Explanation: Users of the public network outside the company can access only the DMZ, or demilitarized zone, of a company's network. Typically, internal users accessing the Internet make a request that the DMZ performs on the user's behalf via a proxy server.

& Section 3.3.1.1: DMZ (Demilitarized Zone)

63. An internal (private) network that uses TCP/IP protocols and services is called a
A. Internet
B. Extranet
C. Intranet
D. No choice is correct
Answer: C

Explanation: Intranets are micro-versions of the Internet that use the same technologies as the Internet, simplifying installation and maintenance. An extranet is an extension of a company's intranet to its business partners. An internet is an internetwork of networks, generally one that is not controlled by any central authority.

& Section 3.3.1.2: Intranet

64. Packet scanning a network for known attack signatures is called
A. Network based IDS
B. Host based IDS
C. VPN
D. IPSec
Answer: A

Explanation: "Monitors all network traffic passing on the segment where the agent is installed, reacting to any anomaly or signature based suspicious activity. Basically this is a packet sniffer with attitude. They come in the guise of appliance-based products that you just plug in and it goes, to software that is installed on off the shelf computers. Depending on your LAN speeds they don't necessarily have to be hi spec PCs. They analyze every packet for attack signatures, or look for anomalies within the protocol." -- networkintrusion.co.uk

Host-based IDS looks only at a single host, not the entire network's traffic.

& Section 3.4.1: Network based (Intrusion Detection)

65. An active NIDS can do what that a passive system cannot
A. Trigger events such as drop the connection
B. Log the event
C. Both are correct
D. Neither choice is correct
Answer: A

Explanation: An active NIDS can take rule-based actions. (And an attacker can make a poorly configured active NIDS create a self-inflicted DoS.) Both active and passive NIDS can log events.

& Section 3.4.1.1: Active Detection (Network Based Intrusion Detection)

66. What is your first step if you suspect an illegal intrusion has occurred?
A. Secure devices
B. Shut down systems
C. Alert senior management
D. All choices are correct
Answer: A

Explanation: Never turn a system off, if possible. Secure devices by disconnecting the network cable. Turning off a system can lose valuable data in RAM. The next step is to notify senior management and get help.

& Section 3.4.4: Incident Response

67. Classic OS/NOS hardening includes:
A. Disabling unneeded protocols and services
B. Applying patches
C. Monitoring email and web sites for new issues
D. All choices are correct
E. Apply BIOS changes
Answer: D

Explanation: This one is pretty self-explanatory. Some good web links for different operating systems are referenced below.

& Section 3.5.1: OS/NOS hardening & Section 3.5.2: Network Hardening

68. What is true about hash functions?
A. They are proprietary
B. They are more secure than digital signature algorithms
C. They are faster than digital signature algorithms
D. They require 128 bit computing
Answer: C

Explanation: Since hash functions are generally faster than encryption or digital signature algorithms, it is typical to compute the digital signature or integrity check of some document by applying cryptographic processing to the document's hash value, which is small compared to the document itself.

Hash functions do not require 128-bit computing. Also, they are not typically more secure than the public key encryption used for digital signatures, although digital signatures may use an encrypted hash value. Hash functions are standardized, rather than proprietary. Common hash functions include MD-5 and SHA-1.

& Section 4.1.1: Hashing

69. What is true about digital digest?
A. It can be made public without revealing the contents of the original document
B. It cannot be made public
C. It allows the revealing of the contents of the document from which it is derived
D. It does not work well with time stamping service
Answer: A

Explanation: A digest can be made public without revealing the contents of the document from which it is derived. This is important in digital time stamping where, using hash functions, one can get a document time stamped without revealing its contents to the time stamping service.

& Section 4.1.1: Hashing

70. To protect the data while in transit on a network, what is used to identify errors and omissions in the information?
A. Hash total
B. Record sequence checking
C. Transmission error correction
D. Retransmission controls
Answer: A

Explanation: Hash totals identify errors and omissions in the information. A hash algorithm provides a hexadecimal checksum of the data. This is stored in a record prior to transmission, and then sent to the remote computer with the data. The remote system can then compute the checksum, and if it agrees with the value that was calculated before transmission, the information arrived intact.

Record sequence checking would verify that records were received in the correct order, but not verify record contents. TCP-level techniques do not protect against alteration of data during transmission, since packets could potentially be inserted with altered information.

& Section 4.1.1: Hashing

71. Hash total uses an algorithm that provides a checksum of the data in ___________ format:
A. ASCII
B. Numerical
C. Unicode
D. Hexadecimal
Answer: D

Explanation: Hash totals identify errors and omissions in the information. A hash algorithm provides a hexadecimal checksum of the data. This is stored in a record prior to transmission, and then sent to the remote computer with the data. The remote system can then compute the checksum, and if it agrees with the value that was calculated before transmission, the information arrived intact.

& Section 4.1.1: Hashing
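The hash-total procedure in questions 70 and 71, and the publishable digest of question 69, as one added example that is not code from the page. It stores a hexadecimal SHA-256 checksum with the record before transmission and recomputes it on receipt; the sample payload and the shared key are constructed. SHA-256 is used in place of the MD-5 and SHA-1 the page names as common, since both of those are now considered broken. The example also shows the caveat a practitioner needs: an unkeyed hash total catches transmission errors, but anyone who can alter the data in transit can recompute it, so detecting deliberate alteration needs a keyed total (HMAC) or a signature over the digest.

```python
import hashlib
import hmac


def hash_total(data: bytes) -> str:
    """Hexadecimal checksum of the data (SHA-256, 64 hex digits)."""
    return hashlib.sha256(data).hexdigest()


def build_record(data: bytes) -> dict:
    """Record as prepared before transmission: the hash total travels with the data."""
    return {"hash_total": hash_total(data), "data": data}


def verify_record(record: dict) -> bool:
    """Receiver recomputes the checksum and compares it with the transmitted one."""
    return hmac.compare_digest(hash_total(record["data"]), record["hash_total"])


def keyed_hash_total(key: bytes, data: bytes) -> str:
    """HMAC variant: only a holder of the shared key can produce a matching total."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_record(key: bytes, record: dict) -> bool:
    return hmac.compare_digest(keyed_hash_total(key, record["data"]), record["hash_total"])


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a transmission error by flipping the low bit of byte `index`."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


def digest_for_timestamping(document: bytes) -> str:
    """Digest handed to a time stamping service; it reveals nothing about the document."""
    return hash_total(document)


if __name__ == "__main__":
    payment = b"PAY 100.00 TO ACCT 4471"          # constructed sample data
    record = build_record(payment)
    print("intact record verifies:", verify_record(record))
    damaged = dict(record, data=flip_bit(record["data"], 4))
    print("damaged record verifies:", verify_record(damaged))
    # An unkeyed total can be recomputed by whoever rewrites the data...
    rewritten = build_record(b"PAY 900.00 TO ACCT 6690")
    print("rewritten record verifies (unkeyed):", verify_record(rewritten))
    # ...but a keyed total cannot be reproduced without the shared key.
    key = b"constructed-shared-key"
    keyed = {"hash_total": keyed_hash_total(key, payment), "data": payment}
    print("keyed record verifies:", verify_keyed_record(key, keyed))
    print("rewritten record verifies (keyed):", verify_keyed_record(key, rewritten))
```

`hmac.compare_digest` is used for both comparisons so that the check takes the same time whether or not the totals match; a plain `==` on hex strings would leak, through timing, how many leading digits agree.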

72. A digitally signed message offers
A. Authentication of Origin
B. Integrity of Data
C. Non-Repudiation
D. Confidentiality
E. Access Control
Answer: A

Explanation: Signing a message does not mean the message IS encrypted. It is possible, but not MANDATORY. Without encryption, confidentiality is not offered.

Diffie-Hellman -- "The Diffie-Hellman variant described requires the recipient to have a certificate, but the originator may have a static key pair (with the public key placed in a certificate) or an ephemeral key pair." -- RFC 2631

& Section 4.2: Concepts of Using Cryptography

73. If Bob wants to send Carol a message that is confidential what key would Bob use to encrypt the message?
A. Bob's private key
B. Carol's private key
C. Bob's public key
D. Carol's public key
Answer: D

Explanation: A message encrypted with the recipient's public key that is listed in a directory can only be decrypted with the recipient's private key. This ensures confidentiality. Conversely, the private key of the sender can be used to electronically sign documents. If the signature can be decrypted using the sender's public key, the receiver is assured that the message is legitimate, since the sender alone possesses the private key used to encrypt the signature.

& Section 4.2.1: Confidentiality
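The key roles in questions 72 and 73, worked through as an added example that is not code from the page: Bob encrypts for Carol with Carol's public key, Carol decrypts with her private key, Bob signs with his own private key, and anyone verifies with Bob's public key. The key pairs are textbook RSA without padding, built from primes just above 2^40 so the arithmetic is visible and runs instantly; that construction is for illustration only and the seeds, names and message are constructed. The signing functions leave the message in the clear, which is the point of question 72: a signature gives origin and integrity, not confidentiality.

```python
import hashlib
from math import gcd

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below roughly 3.3e24."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_probable_prime(n):
        n += 1
    return n


def make_keypair(seed_p: int, seed_q: int):
    """Textbook RSA pair from the first primes at or above the seeds: ((e, n), (d, n))."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (65537, 257, 17, 5, 3) if gcd(c, phi) == 1)
    d = pow(e, -1, phi)                         # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes) -> int:
    """Confidentiality: encrypt with the RECIPIENT's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must encode to an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the recipient's private key undoes the encryption."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Origin and integrity: sign the message hash with the SENDER's private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo keys; the seeds are arbitrary and far enough apart that all four primes differ.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**40 + 1, 2**40 + 5001)
CAROL_PUBLIC, CAROL_PRIVATE = make_keypair(2**40 + 10001, 2**40 + 15001)

if __name__ == "__main__":
    note = b"Hi Carol!"                                   # 9 bytes, below the ~81-bit modulus
    ciphertext = encrypt(CAROL_PUBLIC, note)               # Bob uses Carol's PUBLIC key
    print(decrypt(CAROL_PRIVATE, ciphertext))              # Carol uses her PRIVATE key
    signature = sign(BOB_PRIVATE, note)                    # Bob uses his own PRIVATE key
    print(verify(BOB_PUBLIC, note, signature))             # checked with Bob's PUBLIC key
    print(verify(BOB_PUBLIC, b"Hi Carol?", signature))     # altered message fails
```

Real deployments add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and keys of 2048 bits or more; the unpadded form here is what makes the key roles readable, not what should be shipped.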

74. The CA offers what type of key management?
A. Centralized
B. Decentralized
Answer: A

Explanation: PGP is a web of trust (decentralized). For scalability, centralized models are used.

& Section 4.3.3: Trust Models & Section 4.5.1: Centralized vs. Decentralized (Key Management)

75. Select the protocol that is utilized for management and negotiation of SAs.
A. ISAKMP
B. RC3
C. MD5
D. IDEL
Answer: A

Explanation: "The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA)." -- RFC 2048

& Section 4.4: (Cryptography) Standards and Protocols

76. A certificate should be renewed or a new certificate applied for before
A. Expiration
B. Deletion
C. Suspension
D. All choices are correct
E. No choice is correct
Answer: A

Explanation: A certificate will not authenticate without error once it has expired. In order to prevent interruption of communications (and even interruption of business, if your business relies on that certificate), be sure to renew your certificate or have a new one issued before it expires.

& Section 4.5.4: (Certificate) Expiration

77. If a private key is compromised the action step to take is
A. Suspension
B. Destruction
C. Revocation
D. All choices are correct
E. No choices are correct
Answer: C

Explanation: "There are many reasons why you might want to revoke a certificate long before it expires. For example, a user might change organizations or lose his or her key pair, or an e-commerce site using SSL (Secure Sockets Layer) may close up shop." -- Network Computing

You would suspend the certificate if you only suspect compromise and want to take some time to investigate if it really was compromised, since once a certificate has been revoked, it can't be re-enabled (and must instead be fully replaced).

& Section 4.5.5: (Certificate) Revocation

78. Revocation of a certificate can be accomplished with (choose all that apply):
A. CRL
B. CRDP
C. OCSP
D. CRC
Answer: A, B, C

Explanation: "Revocation data can be published in a CRL (certificate revocation list), which is a signed list of certificate serial numbers; a CRDP (certificate revocation distribution point), which consists of partitioned CRLs; or an OCSP (online certificate status protocol), a client/server protocol used to query a VA (validation authority) for certificate status." -- Network Computing

A CRC is a checksum computation not involved in certificate revocation.

& Section 4.5.5: (Certificate) Revocation

79. E-mail clients do a great job of checking the status of a digital certificate:
A. True
B. False
Answer: B

Explanation: "Software that verifies signatures (such as e-mail clients) should automatically check our Certificate Revocation List before relying on the signature, but many software packages either don't do this very well or at all. So, it is good practice to do a check yourself before relying on a certificate." -- Entrust

& Section 4.5.5.1: Status Checking (Certificate Revocation) & Section 4.5.6.1: Status Checking (Certificate Suspension)

80. If it seems possible a private key was compromised, while an investigation is under way, the first step is to:
A. Revoke the certificate
B. Suspend the certificate
C. Re-issue a new certificate
D. All choices are correct
E. No choice is correct
Answer: B

Explanation: "An IA shall suspend a subordinate IA's certificate upon the request of a duly authorized representative of the subordinate IA or of a person claiming to be the subordinate IA or a person in a position likely to know of a compromise of the subordinate IA's private key, such as an agent or employee of the subordinate IA. Such suspension must be undertaken in accordance with the suspension prerequisites." -- Eurotrust

Since suspension is not irreversible, but disables the use of the key just like revocation, it is a good intermediate step to take until you are sure that the key has been compromised and can no longer be trusted.

& Section 4.5.6: (Certificate) Suspension
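The certificate lifecycle rules from questions 76, 77 and 80 (renew before expiry; suspend while a suspected compromise is investigated; revoke once it is confirmed, after which the certificate can only be replaced) as one added example that is not code from the page. It models a CA-side status record and the decision a relying party makes from it; the serial number and reference date are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)      # constructed reference time


class CertificateRecord:
    """CA-side status record for one certificate.

    Suspension (a hold) is reversible; revocation is final and can only be
    followed by issuing a replacement certificate.
    """

    def __init__(self, serial: str, not_after: datetime):
        self.serial = serial
        self.not_after = not_after
        self.status = "good"          # good | suspended | revoked
        self.reason: Optional[str] = None

    def suspend(self, reason: str) -> None:
        if self.status == "revoked":
            raise ValueError(f"{self.serial}: already revoked, cannot suspend")
        self.status, self.reason = "suspended", reason

    def unsuspend(self) -> None:
        if self.status != "suspended":
            raise ValueError(f"{self.serial}: not suspended (status {self.status})")
        self.status, self.reason = "good", None

    def revoke(self, reason: str) -> None:
        self.status, self.reason = "revoked", reason      # irreversible

    def check(self, now: datetime) -> str:
        """What a relying party should conclude before trusting the certificate."""
        if now >= self.not_after:
            return "expired"
        return self.status

    def renewal_due(self, now: datetime, lead_time: timedelta = timedelta(days=30)) -> bool:
        """True once the certificate is inside its renewal window and still worth renewing."""
        return self.status != "revoked" and now >= self.not_after - lead_time


def handle_suspected_compromise(cert: CertificateRecord, confirmed: Optional[bool]) -> str:
    """Policy from questions 77 and 80: suspend while investigating (confirmed is None),
    revoke once confirmed, lift the hold if the investigation clears the key."""
    if confirmed is None:
        cert.suspend("investigation of suspected key compromise")
    elif confirmed:
        cert.revoke("key compromise")
    else:
        cert.unsuspend()
    return cert.status


def lifecycle_demo() -> List[object]:
    """Walks the page's scenarios and returns the status observed at each step."""
    cert = CertificateRecord("0x1A2B3C", NOW + timedelta(days=20))     # constructed serial
    steps: List[object] = [cert.check(NOW), cert.renewal_due(NOW)]    # good, inside 30-day window
    steps.append(handle_suspected_compromise(cert, None))             # suspended pending investigation
    steps.append(handle_suspected_compromise(cert, False))            # cleared: back to good
    steps.append(handle_suspected_compromise(cert, True))             # confirmed: revoked for good
    try:
        cert.unsuspend()
        steps.append("unsuspended")
    except ValueError:
        steps.append("cannot-unsuspend-revoked")
    steps.append(cert.check(NOW + timedelta(days=21)))                # past not_after: expired
    return steps


if __name__ == "__main__":
    print(lifecycle_demo())
```

The relying-party check puts expiry first because an expired certificate fails regardless of its CA status; the CA-side transitions enforce the one rule the page stresses, that revocation cannot be undone while suspension can.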

81. When a private key is critical for recovery and protecting assets of a high enough value that no single person should be in charge of the key, the process is to (choose all that apply):
A. Guard the private key on hardware with a security guard in place
B. Encrypt portions of the private key on numerous hardware tokens
C. Require a minimum number of secured hardware tokens come together to recreate the private key
Answer: B, C

Explanation: "Private key (n out of m) multi-person control. Access to cryptographic module containing the root CA requires the insertion of cryptographic hardware tokens into the cryptographic signer. A minimum number of required hardware tokens out of the total numbers of hardware tokens must be inserted one at a time to access the cryptographic module." -- http://www.comtrust.co.ae/Repository/cps/techsecuritycontrols.htm

& Section 4.5.7.1: M of N Control (Key Recovery)

82. The issue of a single digital certificate:
A. Identifies a person, not roles.
B. Cannot be used for encryption if it is to also be used for a digital signature in a non-repudiation manner.
C. Both choices are correct
D. Neither choice is correct
E. One choice is correct
Answer: C

Explanation:
1. The same person may be simultaneously a patient, a doctor and a coroner.
2. Dual key pair support is critical for applications that utilize both encryption and digital signatures. An end user needs one key pair for encryption and another for digital signing so that the encryption key pair can be backed up without compromising the integrity of the user's digital signatures.

& Section 4.5.10.1: Multiple Key Pairs (Single, Dual)

83. Which of the following should NOT be logged for performance problems?
A. CPU load.
B. Percentage of idle time.
C. Percentage of use.
D. No Answer is Correct
Answer: D

Explanation: The level of logging will be according to your company requirements. Below is a list of items that could be logged; please note that some of the items may not be applicable to all operating systems. What is being logged depends on whether you are looking for performance problems or security problems. However, you have to be careful about performance problems that could affect your security.

& Section 1.7: Auditing & Section 5.9.4: Logs and Inventories

84. Which of the following should be logged for security problems?
A. Use of mount command.
B. Percentage of idle time.
C. Percentage of use.
D. No Answer is Correct
Answer: A

Explanation: The level of logging will be according to your company requirements. Below is a list of items that could be logged; please note that some of the items may not be applicable to all operating systems. What is being logged depends on whether you are looking for performance problems or security problems. However, you have to be careful about performance problems that could affect your security.

Percentage of idle time and percentage of use might be useful in capacity planning, in which you determine what computing resources you will need to handle future needs, but they are not generally related to security problems.

& Section 1.7: Auditing & Section 5.9.4: Logs and Inventories

85. Which of the following services should be logged for security purposes?
A. bootp
B. tftp
C. sunrpc
D. No Answer is Correct
Answer: A, B, C

Explanation: Requests for the following services should be logged on all systems: systat, bootp, tftp, sunrpc, snmp, snmp-trap, nfs. This list is rather UNIX-centric; nevertheless, it's possible for many of those services to be running on Windows as well (if you're running them, log them!).

& Section 1.7: Auditing & Section 5.9.4: Logs and Inventories
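Questions 84 and 85 say what to log (use of the mount command, and requests for systat, bootp, tftp, sunrpc, snmp, snmp-trap and nfs), and question 49 says an IDS is built from information sources, analysis and response. The following added example (not code from the page) wires those together over a host log: it parses syslog-style lines (the information source), flags lines from daemons that serve the listed services or that show mount being run through sudo (misuse-style analysis), and collects the findings into a report for a human (a passive response). The log lines are constructed, and the daemon-to-service mapping is an assumption about common daemon names, not something the page states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines; they imitate common formats but come from no real host.
SAMPLE_LOG = """\
Mar 12 10:01:07 srv01 in.tftpd[2211]: RRQ from 10.0.0.23 filename boot.cfg
Mar 12 10:01:09 srv01 sshd[1190]: Accepted publickey for alice from 10.0.0.9 port 51234 ssh2
Mar 12 10:02:44 srv01 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/mount /dev/sdb1 /mnt/usb
Mar 12 10:03:12 srv01 rpcbind[880]: connect from 192.0.2.77 to getport/addr(mountd)
Mar 12 10:03:30 srv01 bootpd[910]: request from 00:11:22:33:44:55
Mar 12 10:04:02 srv01 cron[700]: (root) CMD (/usr/bin/df -h)
"""

# Services the page says to log, keyed to daemon names that commonly serve them (assumption).
WATCHED_SERVICES: Dict[str, Tuple[str, ...]] = {
    "systat": ("systat",),
    "bootp": ("bootpd",),
    "tftp": ("in.tftpd", "tftpd"),
    "sunrpc": ("rpcbind", "portmap"),
    "snmp": ("snmpd",),
    "snmp-trap": ("snmptrapd",),
    "nfs": ("nfsd", "mountd"),
}
DAEMON_TO_SERVICE = {d: s for s, daemons in WATCHED_SERVICES.items() for d in daemons}

# "<Mon> <day> <hh:mm:ss> <host> <program>[<pid>]: <message>", pid optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
MOUNT_RE = re.compile(r"COMMAND=\S*/mount\b")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Information source: turn one syslog line into fields, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def analyze(entry: Dict[str, str]) -> Optional[str]:
    """Analysis: name the watched service or command the entry concerns, if any."""
    service = DAEMON_TO_SERVICE.get(entry["prog"])
    if service:
        return service
    if entry["prog"] == "sudo" and MOUNT_RE.search(entry["msg"]):
        return "mount"
    return None


def review_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Response (passive): report (line number, host, service, program) for each hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue                       # unparseable lines are skipped, not dropped silently in production
        hit = analyze(entry)
        if hit:
            findings.append((number, entry["host"], hit, entry["prog"]))
    return findings


if __name__ == "__main__":
    for number, host, service, prog in review_log(SAMPLE_LOG):
        print(f"line {number}: {host} {service} request via {prog}")
```

Matching on the daemon name rather than on free text in the message keeps the rule stable across message wording; the mount rule is the exception, since the event of interest is a command name inside the sudo record. Lines that fail to parse are counted separately in a real deployment, because a parser that quietly skips malformed input is itself a blind spot.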

86. The activity that consists of collecting information that will be used for monitoring is called:
A. Logging
B. Troubleshooting
C. Auditing
D. Inspecting
Answer: A

Explanation: Logging is the activity that consists of collecting information that will be used for monitoring and auditing. Detailed logs combined with active monitoring allow detection of security issues before they negatively affect your systems.

Troubleshooting is the activity of collecting information used for diagnosing a system or network problem, not for monitoring. Auditing is the review of logs, configuration information, etc. for reasons including verifying compliance with security policies and identifying potential issues. Inspecting is also a review of existing information, hardware or software.

& Section 1.7: Auditing & Section 5.9.4: Logs and Inventories

87. How often should logging be performed?
A. Always
B. Once a day
C. Once every week
D. During maintenance
Answer: A

Explanation: Usually logging is done 24 hours per day, 7 days per week, on all available systems and services except during the maintenance window where some of the systems and services may not be available while maintenance is being performed.

If you only perform logging at certain times, then any activities taking place at other times won't be logged, and can't be used for auditing or forensic activities at a later date. This makes your network more vulnerable to undetected intrusions and thus a more attractive target for attackers.

& Section 1.7: Auditing & Section 5.9.4: Logs and Inventories

88. Under role based access control, access rights are grouped by:
A. Sensitivity label
B. Role name
C. Rules
D. Policy name
Answer: B

Explanation: With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

Rules specify the individual access control decision criteria, not groupings of anything. Policy names are typically given to sets of rules for access control and other security-related decisions. Sensitivity labels are used in Mandatory Access Control (MAC), rather than Role-based access control (RBAC).

& Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

89. Which of the following will you consider as a "role" under a role based access control system? A. Bank teller B. Bank computer C. Bank network D. Bank rules Answer: A

Explanation: With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

Bank computer, network and rules are not job-related roles. & Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC
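The grouping that questions 88 and 89 describe, as an added example that is not part of the original question bank: rights are attached to role names (the hospital roles from the explanation), users are authorized to assume roles, and a change to a role reaches every holder at once. User names and the extra operation are constructed for illustration.

```python
"""Minimal role-based access control (RBAC) decision function (added example)."""

# Access rights grouped by role name: the role, not the individual user,
# carries the permissions. Operations are the ones named in the explanation.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "doctor": {"perform_diagnosis", "prescribe_medication", "order_lab_tests"},
    "researcher": {"gather_anonymous_clinical_info"},
}

# Which individuals are authorized to assume which roles (constructed data).
USER_ROLES: dict[str, set[str]] = {
    "alice": {"doctor"},
    "bob": {"researcher"},
    "carol": {"doctor", "researcher"},
}


def check_access(user: str, operation: str) -> bool:
    """Permit the operation only if a role the user may assume grants it."""
    for role in USER_ROLES.get(user, set()):
        if operation in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # default deny: unknown user, unknown role, or no grant


def grant_to_role(role: str, operation: str) -> None:
    """Change a role's rights once; every user holding the role is affected."""
    ROLE_PERMISSIONS.setdefault(role, set()).add(operation)


def roles_granting(operation: str) -> set[str]:
    """Reverse lookup used when reviewing who can perform a sensitive operation."""
    return {role for role, ops in ROLE_PERMISSIONS.items() if operation in ops}
```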

90. The Lattice Based Access Control model was developed MAINLY to deal with: A. Affinity B. Integrity C. Confidentiality D. No Answer is Correct Answer: C

Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality, but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. These controls are applied to objects. An object is a container of information, and an object can be a directory or file. In summary, this is a model that deals with confidentiality and to a limited extent integrity.

Integrity based access control is related to mandatory access control, but it is not the primary use of the Lattice Based Access Control model. Affinity is not primarily related to the Lattice Based Access Control model, and access control is not as concerned with integrity as it is with confidentiality. & Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC

91. With the Lattice Based Access Control model, a security class is also called a: A. Control factor B. Security label C. Mandatory number D. Serial ID Answer: B

Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is clearly central to confidentiality, but to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow in computer systems is concerned with flow from one security class (also called security label) to another. Some possible security labels would be "secret" or "top secret". These controls are applied to objects. An object is a container of information; an object can be a directory or file. & Section 1.1: Access Control & Section 5.5.5: MAC/DAC/RBAC
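The flow rule behind questions 90 and 91, as an added example that is not part of the original question bank: security classes form a lattice, and information may flow from one class to another only when the destination dominates the source. The levels are the standard military-style ordering (including the "secret" and "top secret" labels above); the compartment names are constructed for illustration.

```python
"""Information-flow check over a lattice of security classes (added example)."""
from dataclasses import dataclass

# Sensitivity levels in increasing order (assumed standard ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class SecurityClass:
    """A security class (security label): a level plus a set of compartments."""
    level: str
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: "SecurityClass") -> bool:
        """self >= other in the lattice: level at least as high and a
        superset of the compartments. Classes that fail both directions
        are incomparable, and no flow is allowed between them."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "SecurityClass") -> "SecurityClass":
        """Least upper bound: the lowest class that both inputs may flow into."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return SecurityClass(level, self.compartments | other.compartments)


def can_flow(src: SecurityClass, dst: SecurityClass) -> bool:
    """Information may flow from src to dst only if dst dominates src."""
    return dst.dominates(src)


def label_for_derived_object(sources: list[SecurityClass]) -> SecurityClass:
    """An object built from several sources is labelled with the join of
    their classes, so none of the contributing information flows downward."""
    result = sources[0]
    for cls in sources[1:]:
        result = result.join(cls)
    return result
```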

92. What should you do to the user accounts as soon as employment is terminated? A. Disable the user accounts and have the data kept for a specified period of time B. Maintain the user accounts and have the data kept for a specified period of time C. Disable the user accounts and erase immediately the data kept D. No Answer is Correct Answer: A

Explanation: A record of user logins with time and date stamps must be kept to ensure that any unauthorized access that occurs can be detected (although possibly after the fact). User accounts shall be disabled and data kept for a specified period of time as soon as employment is terminated. All users must log on to gain network access.

If the user account is maintained, then the terminated employee can potentially access the network via dial-up or the Internet, and gain access to company data and resources, so it is important that the account be disabled. It is a good idea to retain the former employee's data for a period of time, until you think it will no longer be needed by the company. Although normally public directories are provided for storing company documents, spreadsheets, etc., it's fairly normal for much job-related data to end up in an employee's home directory as well.

& Section 5.4.1.9.1: Termination (HR Policy)

93. Preventive Technical Controls cannot: A. Protect the OS from unauthorized modification. B. Protect confidential information from being disclosed to unauthorized persons. C. Protect the OS from unauthorized manipulation. D. Protect users from being monitored. Answer: D

Explanation: Preventive Technical Controls are the technical ways of restricting who or what can access system resources and what type of access is permitted. Their purpose is to protect the OS and other systems from unauthorized modification or manipulation. They are usually built into an operating system, or they can be part of an application or program, an add-on security package, or special components that regulate communication between computers. They also protect integrity and availability by limiting the number of users and/or processes. These controls also protect confidential information from being disclosed to unauthorized persons.

94. What is the role of IKE within the IPsec protocol? A. Peer authentication and key exchange B. Data encryption C. Data signature D. Enforcing quality of service Answer: A

Explanation: In order to set up and manage SAs (security associations) on the Internet, a standard format called the Internet Security Association and Key Management Protocol (ISAKMP) was established. ISAKMP provides for secure key exchange and data authentication. However, ISAKMP is independent of the authentication protocols, security protocols, and encryption algorithms. Strictly speaking, a combination of three protocols is used to define key management for IPsec. These protocols are ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley. When combined and applied to IPsec, these protocols are called the Internet Key Exchange (IKE) protocol.

95. Tape arrays use a large device with multiple (sometimes 32 or 64) tapes that are configured as a? A. Single array B. Dual array C. Triple array D. Quadruple array Answer: A

Explanation: This is the function of a tape robot/changer working on a media library / jukebox. We can get as many as 32, 64, or even more tapes acting as a single logical unit. You can have a robot that changes and retrieves the different tapes when they are needed, so you see the whole set of tapes as a single logical storage solution. This kind of solution is very expensive.

96. In a discretionary mode, which of the following entities is authorized to grant information access to other people? A. Manager B. Group leader C. Security manager D. User Answer: D

Explanation: Discretionary control is the most common type of access control mechanism implemented in computer systems today. The basis of this kind of security is that an individual user, or program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control. Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user's trust level or clearance and the sensitivity designation of the information.

97. Within the realm of IT security, which of the following combinations best defines risk? A. Threat coupled with a breach. B. Threat coupled with a vulnerability. C. Vulnerability coupled with an attack. D. Threat coupled with a breach of security. Answer: B

Explanation: This is the main concept: when we talk about a possible risk, we always have a possible vulnerability in the system being attacked. This vulnerability can allow a threat to succeed. We can say that the level of risk can be measured through the level of vulnerabilities in our current systems and the ability of attackers to exploit them to make a threat successful.

98. Which of the following would be the best reason for separating the test and development environments?

A. To restrict access to systems under test. B. To control the stability of the test environment. C. To segregate user and development staff. D. To secure access to systems under development. Answer: B

Explanation: This is the right answer: with a separation of the two environments (test and development), we get a more stable and more "in control" environment. Since we are running tests in the development environment, we don't want our production processes there; we don't want to experiment on our production processes. With a separation of the environments we get a more risk-free production environment and more control and flexibility over the test environment for the developers.

99. Which Orange book security rating introduces security labels? A. C2 B. B1 C. B2 D. B3 Answer: B

Explanation: Class (B1) or "Labeled Security Protection" systems require all the features required for class (C2). In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information. Any flaws identified by testing must be removed.

100. A Business Impact Analysis (BIA) does not: A. Recommend the appropriate recovery solution. B. Determine critical and necessary business functions and their resource dependencies. C. Identify critical computer applications and the associated outage tolerance. D. Estimate the financial impact of a disruption. Answer: A

Explanation: Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying possible issues with our infrastructure; in this kind of analysis we don't make suggestions about what to do to recover from them. This is not an action plan. It's an analysis of the business, the processes it relies on, the level of the systems, and an estimate of the financial impact, or in other words, how much money we lose with our systems down.
