1. Which of the following best describes operations security? A. Continual vigilance about hacker activity and possible vulnerabilities B. Enforcing access control and physical security C. Taking steps to make sure an environment, and the things within it, stay at a certain level of protection D. Doing strategy planning to develop a secure environment and then implementing it properly
1. C. All of these are necessary security activities and procedures—they just don’t all fall under the operations umbrella. Operations is about keeping production up and running in a healthy and secure manner. Operations is not usually the entity that carries out strategic planning. It works at an operational, day-to-day level, not at the higher strategic level.
2. Which of the following describes why operations security is important? A. An environment continually changes and has the potential of lowering its level of protection. B. It helps an environment be functionally sound and productive. C. It ensures there will be no unauthorized access to the facility or its resources. D. It continually raises a company’s level of protection.
2. A. This is the best answer because operations has the goal of keeping everything running smoothly each and every day. Operations implements new software and hardware and carries out the necessary security tasks passed down to it. As the environment changes and security is kept in the loop with these changes, there is a smaller likelihood of opening up vulnerabilities.
3. What is the difference between due care and due diligence? A. Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant to regulations. B. Due care and due diligence are in contrast to the “prudent person” concept. C. They mean the same thing. D. Due diligence involves investigating the risks, while due care involves carrying out the necessary steps to mitigate these risks.
3. D. Due care and due diligence are legal terms that do not just pertain to security. Due diligence involves going through the necessary steps to know what a company’s or individual’s actual risks are, while due care involves carrying out responsible actions to reduce those risks. These concepts correspond with the “prudent person” concept.
4. Why should employers make sure employees take their vacations? A. They have a legal obligation. B. It is part of due diligence. C. It is a way for fraud to be uncovered. D. To ensure the employee does not get burnt out.
4. C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing employees to take vacations means that someone else has to do that person’s job and possibly uncover any misdeeds.
5. Which of the following best describes separation of duties and job rotation? A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone. B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position. C. They are the same thing, but with different titles. D. They are administrative controls that enforce access control and protect the company’s resources.
5. B. Rotation of duties enables a company to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone.
6. If a programmer is restricted from updating and modifying production code, what is this an example of? A. Rotation of duties B. Due diligence C. Separation of duties D. Controlling input values
6. C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should have more entities involved than just one programmer.
7. Why is it important to control and audit input and output values? A. Incorrect values can cause mistakes in data processing and be evidence of fraud. B. Incorrect values can be the fault of the programmer and do not comply with the due care clause. C. Incorrect values can be caused by brute force attacks. D. Incorrect values are not security issues.
7. A. There should be controls in place to make sure the data input into a system and the results generated are in the proper format and have expected values. Improper data being put into an application or system could cause bad output and security issues, such as buffer overflows.
8. What is the difference between least privilege and need to know? A. A user should have least privilege that restricts her need to know. B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources. C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know. D. They are two different terms for the same issue.
8. C. Need to know determines which resources a user may access at all: only those required to fulfill the duties of her position. Least privilege then limits what she may do with those resources to the exact permissions and rights her job requires and no more. Least privilege is the more granular of the two concepts, and they reinforce each other.
9. Which of the following would not require updated documentation? A. An antivirus signature update B. Reconfiguration of a server C. A change in security policy D. The installation of a patch to a production server
9. A. Documentation is very important in data processing and networked environments, and it is the task most often pushed to the back burner or ignored altogether. If changes are not documented, staff forget what was actually done to each device; if the environment has to be rebuilt, the rebuild may be done incorrectly because the procedure was poorly recorded; and when new changes are planned, the current infrastructure is not fully understood. Recording every antivirus signature update in the change documentation would be overkill (the product logs those itself). The other three answers describe changes that certainly require documentation.
10. If sensitive data are stored on a CD-ROM and are no longer needed, which would be the proper way of disposing of the data? A. Degaussing B. Erasing C. Purging D. Physical destruction
10. D. Data held on a CD-ROM cannot be properly erased, and degaussing does nothing to optical media, which store data in pits rather than in magnetic domains. If the data are sensitive and you must ensure no one can recover them, the media should be physically destroyed (shredded, pulverized, or incinerated).
11. If SSL is being used to encrypt messages that are transmitted over the network, what is a major concern of the security professional? A. The network segments that have systems that use different versions of SSL. B. The user may have encrypted the message with an application layer product that is incompatible with SSL. C. Network tapping and wiretapping. D. The networks that the message will travel that the company does not control.
11. D. This is not a great question, but it is the kind you may run into on the exam. Let's look at the answers. Different SSL versions are usually not a concern, because the two communicating systems negotiate and agree on the version they will use; there is no security violation there (in practice you should still disable obsolete versions so the negotiation cannot fall back to a weak one, and today SSL itself has been replaced by TLS). SSL sits between the application and TCP and encrypts whatever the application hands it, so an application-layer product the user applied beforehand, as in answer B, does not affect it. SSL protects data in transit against network tapping and wiretapping, so answer C describes what it solves rather than a concern. Answer D concerns the network segments the company does not control. You do not know at what point the other party terminates the SSL connection, because you have no control over that environment, and beyond that point your data could be traveling unencrypted and unprotected on another network.
12. What is the purpose of SMTP? A. To enable users to decrypt mail messages from a server B. To enable users to view and modify mail messages from a server C. To transmit mail messages from the client to the mail server D. To encrypt mail messages before being transmitted
12. C. Simple Mail Transfer Protocol (SMTP) is the protocol a mail client uses to hand an outgoing message to its mail server, and the protocol mail servers use to pass messages on to one another. It does not encrypt or decrypt messages, and retrieving and viewing stored mail is done with other protocols such as POP3 and IMAP.
13. If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem? A. The internal mail server has been compromised by an internal hacker. B. The mail server in the DMZ has private and public resource records. C. The mail server has e-mail relaying misconfigured. D. The mail server has SMTP enabled.
13. C. Spammers scan the Internet for mail servers that have relaying enabled and are "wide open," meaning the server forwards any e-mail it receives regardless of who sent it or where it is addressed. Such servers end up on block lists (DNS-based blocklists), after which other mail servers refuse mail from them. A correctly configured server relays only mail addressed to domains it hosts, or mail from clients that are authenticated or on its own trusted internal networks.
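The relay decision described above, as an added example that is not part of the original page: the server-side check made at RCPT TO, with the open-relay behaviour beside the corrected policy, and a probe that sends the same command sequence a relay test (or a spammer's scanner) would send. The domains, addresses and network ranges are constructed for illustration.

```python
"""Added example, not from the original page: an SMTP server's relay decision
at RCPT TO time, open-relay form beside the corrected policy, plus a probe that
drives a minimal server with the command sequence a relay test would send.
All domains, addresses and networks below are constructed for illustration."""
import ipaddress

LOCAL_DOMAINS = {"example.com"}                            # domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]    # our own client networks


def open_relay_policy(session, rcpt):
    """The misconfiguration: every recipient is accepted from anyone."""
    return 250, "2.1.5 OK"


def restricted_relay_policy(session, rcpt):
    """Relay only mail inbound to a hosted domain, or mail from an authenticated
    client, or from a client inside our own networks; refuse everything else."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, "2.1.5 OK"
    if session["authenticated"]:
        return 250, "2.1.5 OK"
    client = ipaddress.ip_address(session["client_ip"])
    if any(client in net for net in TRUSTED_NETS):
        return 250, "2.1.5 OK"
    return 554, "5.7.1 Relay access denied"


def smtp_dialogue(policy, client_ip, authenticated, commands):
    """Minimal server side of an SMTP session; returns (command, (code, text)) pairs."""
    session = {"client_ip": client_ip, "authenticated": authenticated, "mail_from": None}
    transcript = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = (250, "mx.example.com Hello")
        elif verb == "MAIL":
            session["mail_from"] = arg.split(":", 1)[-1].strip("<> ")
            reply = (250, "2.1.0 OK")
        elif verb == "RCPT":
            if session["mail_from"] is None:
                reply = (503, "5.5.1 MAIL first")
            else:
                reply = policy(session, arg.split(":", 1)[-1].strip("<> "))
        elif verb == "QUIT":
            reply = (221, "2.0.0 Bye")
        else:
            reply = (500, "5.5.2 Unrecognized command")
        transcript.append((cmd, reply))
    return transcript


# Neither the sender nor the recipient domain is hosted here: a classic relay probe.
RELAY_PROBE = [
    "EHLO probe.example.net",
    "MAIL FROM:<tester@example.net>",
    "RCPT TO:<victim@example.org>",
    "QUIT",
]


def relays_for(policy, client_ip, authenticated=False):
    """True when the server accepts the probe's RCPT TO for this client."""
    transcript = smtp_dialogue(policy, client_ip, authenticated, RELAY_PROBE)
    rcpt_code = next(code for cmd, (code, _) in transcript if cmd.startswith("RCPT"))
    return rcpt_code == 250


def is_open_relay(policy):
    """An unauthenticated client from outside our networks must not be able to relay."""
    return relays_for(policy, "203.0.113.8", authenticated=False)


if __name__ == "__main__":
    for name, policy in (("open", open_relay_policy), ("restricted", restricted_relay_policy)):
        print(f"{name:10} relays for outsiders: {is_open_relay(policy)}")
        for cmd, (code, text) in smtp_dialogue(policy, "203.0.113.8", False, RELAY_PROBE):
            print(f"  C: {cmd}\n  S: {code} {text}")
```

The probe is the same exchange you would type by hand against a server on port 25: if the RCPT TO for a foreign domain from an outside, unauthenticated address comes back 250 instead of a 5xx relay refusal, the server is an open relay.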
14. Which of the following is not a reason fax servers are used in many companies? A. They save money by not needing individual fax devices and the constant use of fax paper. B. They provide a secure way of faxing instead of having faxed papers sitting in bins waiting to be picked up. C. Faxes can be routed to employees’ electronic mailboxes. D. They increase the need for other communication security mechanisms.
14. D. The other three answers provide reasons why fax servers would be used instead of individual fax machines: ease of use, they provide more protection, and their supplies may be cheaper.
15. If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms? A. PGP and MIME B. PEM and TLS C. Data link encryption or fax encryptor D. Data link encryption and MIME
15. C. This is the best answer for this question. The other components could provide different levels of protection, but a fax encryptor, which is a data link encryptor, provides a higher level of protection across the board because everything leaving the fax server is encrypted. Even if a user does not choose to encrypt a document, it is encrypted anyway before it is sent out of the fax server.
16. What is the purpose of TCP wrappers? A. Monitor requests for certain ports and control access to sensitive files. B. Monitor requests for certain services and control access to password files. C. Monitor requests for certain services and control access to those services. D. Monitor requests to system files and ensure they are not modified.
16. C. TCP wrappers (tcpd) is a technology that wraps the network services available on a system. When a remote host requests a service, the wrapper intercepts the request and checks it against its access rules (on Unix, /etc/hosts.allow and /etc/hosts.deny) before letting the connection through to the service, and it can log the attempt. It is host-based access control for services, not for files or password databases.
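As an added example that is not part of the original page, here is a small emulation of how tcpd evaluates its two rule files, with constructed sample hosts.allow and hosts.deny contents embedded inline. It implements the documented evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) and the common client patterns: ALL, an exact address, a trailing-dot prefix, net/mask, and EXCEPT.

```python
"""Added example, not from the original page: an emulation of TCP Wrappers'
hosts_access evaluation over embedded sample rule files.

Rule lines have the form   daemon_list : client_list
Order: first match in hosts.allow grants access; otherwise first match in
hosts.deny refuses it; otherwise access is granted. The two rule sets below
are constructed for the example, not copied from a real host."""
import ipaddress

HOSTS_ALLOW = """
# sshd only from the admin subnet and one jump host
sshd : 10.0.5.0/255.255.255.0 10.0.9.42
# the internal mail relay may reach the local SMTP daemon
smtpd : 192.168.1.
"""

HOSTS_DENY = """
# default-deny everything that was not explicitly allowed above
ALL : ALL
"""


def _parse(text):
    """Return [(daemon_patterns, client_patterns), ...] ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # dotted prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # net/mask or net/prefixlen
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip               # exact address


def _rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if "EXCEPT" in clients:                   # "list EXCEPT list" narrows the match
        idx = clients.index("EXCEPT")
        included, excluded = clients[:idx], clients[idx + 1:]
    else:
        included, excluded = clients, []
    return (any(_client_matches(p, client_ip) for p in included)
            and not any(_client_matches(p, client_ip) for p in excluded))


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would let client_ip reach daemon under these rule files."""
    for rule in _parse(allow_text):
        if _rule_matches(rule, daemon, client_ip):
            return True
    for rule in _parse(deny_text):
        if _rule_matches(rule, daemon, client_ip):
            return False
    return True                               # matched nowhere: tcpd allows


if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.0.5.17"), ("sshd", "203.0.113.8"),
                       ("smtpd", "192.168.1.25"), ("in.telnetd", "10.0.5.17")]:
        verdict = "allow" if hosts_access(daemon, ip) else "deny"
        print(f"{daemon:10} {ip:15} -> {verdict}")
```

The practical lesson the emulation makes visible is the last return: without an `ALL : ALL` line in hosts.deny, any service not mentioned in either file is reachable from anywhere, which is why a default-deny rule there is the usual baseline.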
17. How do network sniffers work? A. They probe systems on a network segment. B. They listen for ARP requests and ICMP packets. C. They require an extra NIC to be installed and configured. D. They put the NIC into promiscuous mode.
17. D. A sniffer is a device or software component that puts the NIC into promiscuous mode, meaning the NIC passes up every frame it "sees" instead of only the frames addressed to that computer. The sniffer then decodes and displays the traffic, usually with capture and filtering capabilities. On a switched network a sniffer sees only broadcast traffic and traffic sent to its own switch port unless it is attached to a mirror (SPAN) port or traffic is redirected to it with a technique such as ARP spoofing.
18. Which of the following is not an attack against operations? A. Brute force B. Denial-of-Service C. Buffer overflow D. ICMP Sting
18. D. The first three choices are attacks that can directly affect security operations. There is no such attack as an ICMP Sting.
19. Why should user IDs be included in data captured by auditing procedures? A. They show what files were attacked. B. They establish individual accountability. C. They are needed to detect a Denial-of-Service attack. D. They activate corrective measures.
19. B. For auditing purposes, the procedure should capture the user ID, time of event, type of event, and the source workstation. Capturing the user ID allows the company to hold individuals accountable for their actions.
20. Which of the following controls requires separate entities, operating together, to complete a task? A. Least privilege B. Data hiding C. Dual control D. Administrative
20. C. Dual control requires two or more entities working together to complete a task. An example is key recovery. If a key must be recovered, and key recovery requires two or more people to authenticate to a system, the act of them coming together and carrying out these activities is known as dual control. This reduces the possibility of fraud.
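The key-recovery case described above, as an added example that is not part of the original page: dual control implemented with Shamir secret sharing, so that the recovery key is split among custodians and a quorum (2 of 3 here) must come together to reconstruct it, while a single custodian learns nothing. The field prime, the custodian names and the key are chosen for the example.

```python
"""Added example, not from the original page: dual control for key recovery
built on Shamir secret sharing over the prime field GF(p). The recovery key is
split into n shares held by separate custodians; any k of them (2 of 3 below)
reconstruct it, while fewer than k reveal nothing about it. The key bytes and
the custodian names are made up for the example."""
import secrets

P = 2**127 - 1          # Mersenne prime; secrets must be smaller than P


def split_secret(secret, k, n):
    """Return n points (x, f(x)) on a random degree-(k-1) polynomial with f(0) = secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be below the field prime")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0; correct only when at least k shares are given."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return total


def recover_key(presented, threshold):
    """Dual-control gate: refuse unless `threshold` distinct custodians are present."""
    if len({x for x, _ in presented}) < threshold:
        raise PermissionError(f"{threshold} custodians required, {len(presented)} present")
    return combine_shares(presented)


def key_to_int(key_bytes):
    return int.from_bytes(key_bytes, "big")


def int_to_key(value, length):
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    master_key = secrets.token_bytes(16)                       # a 128-bit key fits below P
    shares = split_secret(key_to_int(master_key), k=2, n=3)
    custodians = dict(zip(["alice", "bob", "carol"], shares))  # hypothetical custodians
    got = recover_key([custodians["alice"], custodians["carol"]], threshold=2)
    print("two custodians recovered the key:", int_to_key(got, 16) == master_key)
    try:
        recover_key([custodians["bob"]], threshold=2)
    except PermissionError as exc:
        print("one custodian refused:", exc)
```

The gate in `recover_key` is the procedural control; the mathematics in `combine_shares` is what makes it more than procedure, because a lone custodian who bypasses the gate and interpolates from a single share gets a value unrelated to the key. Shares should be handed out and stored as separately as the custodians themselves.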
21. Which of the following would not be considered an operations media control task? A. Compressing and decompressing storage materials B. Erasing data when its retention period is over C. Storing backup information in a protected area D. Controlling access to media and logging activities
21. A. The last three tasks fall under the job functions of an individual or department responsible for controlling access to media. Compressing and decompressing data does not.
22. How is the use of clipping levels a way to track violations? A. They set a baseline for normal user errors, and any violations that exceed that threshold should be recorded and reviewed to understand why they are happening. B. They enable the administrator to view all reduction levels that have been made to user codes, which have incurred violations. C. They disallow the administrator to customize the audit trail to record only those violations deemed security related. D. They enable the administrator to customize the audit trail to capture only access violations and Denial-of-Service attacks.
22. A. Clipping levels are thresholds of acceptable user errors and suspicious activity, such as the number of failed logins tolerated before an account is locked or an alert is raised. Below the threshold, events are treated as ordinary mistakes; once it is exceeded, the activity is logged and the administrator decides whether malicious activity is taking place or the user simply needs more training.
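The threshold logic described above, as an added example that is not part of the original page: a clipping level applied to failed-login events in an sshd log, with a sliding time window so that a burst of failures is distinguished from the same number of failures spread over a shift. The log lines are constructed in OpenSSH's syslog style, not taken from a real host; the level and window are assumed values.

```python
"""Added example, not from the original page: applying a clipping level to
failed-login events in an sshd log. A handful of failures per user inside the
window is treated as ordinary mistyping; a user who exceeds the level inside
any window is reported for review. The log lines below are constructed in
OpenSSH's syslog style and are not from a real host."""
import re
from collections import defaultdict
from datetime import datetime

CLIPPING_LEVEL = 3       # failures per user per window tolerated without review (assumed)
WINDOW_SECONDS = 600     # ten-minute sliding window (assumed)

SAMPLE_LOG = """\
Mar  4 09:00:01 bastion sshd[2201]: Failed password for alice from 10.0.5.17 port 50211 ssh2
Mar  4 09:00:07 bastion sshd[2201]: Accepted password for alice from 10.0.5.17 port 50211 ssh2
Mar  4 09:01:10 bastion sshd[2230]: Failed password for invalid user admin from 203.0.113.8 port 41000 ssh2
Mar  4 09:01:12 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.8 port 41001 ssh2
Mar  4 09:01:15 bastion sshd[2232]: Failed password for invalid user admin from 203.0.113.8 port 41002 ssh2
Mar  4 09:01:18 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.8 port 41003 ssh2
Mar  4 09:05:00 bastion sshd[2250]: Failed password for bob from 10.0.5.20 port 50300 ssh2
Mar  4 09:05:09 bastion sshd[2250]: Failed password for bob from 10.0.5.20 port 50300 ssh2
Mar  4 09:05:20 bastion sshd[2250]: Failed password for bob from 10.0.5.20 port 50300 ssh2
Mar  4 09:05:31 bastion sshd[2250]: Accepted password for bob from 10.0.5.20 port 50300 ssh2
Mar  4 09:10:00 bastion sshd[2260]: Failed password for carol from 10.0.5.30 port 50400 ssh2
Mar  4 09:25:00 bastion sshd[2270]: Failed password for carol from 10.0.5.30 port 50401 ssh2
Mar  4 09:40:00 bastion sshd[2280]: Failed password for carol from 10.0.5.30 port 50402 ssh2
Mar  4 09:55:00 bastion sshd[2290]: Failed password for carol from 10.0.5.30 port 50403 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text, year=2024):
    """Map user -> sorted list of (timestamp, source ip) for failed logins only."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                         # successes and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["user"]].append((ts, m["src"]))
    for evs in events.values():
        evs.sort()
    return events


def over_clipping_level(log_text, level=CLIPPING_LEVEL, window=WINDOW_SECONDS):
    """Return {user: (peak failures inside one window, sources)} for users above the level."""
    flagged = {}
    for user, evs in parse_failures(log_text).items():
        start, peak = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1                   # slide the window's left edge forward
            peak = max(peak, end - start + 1)
        if peak > level:
            flagged[user] = (peak, sorted({src for _, src in evs}))
    return flagged


if __name__ == "__main__":
    for user, (count, sources) in over_clipping_level(SAMPLE_LOG).items():
        print(f"review: {user} had {count} failures within {WINDOW_SECONDS}s from {', '.join(sources)}")
```

With the sample data only the `admin` guessing burst is reported: bob's three mistyped passwords sit exactly at the level and are ignored, and carol's four failures are 15 minutes apart, so no ten-minute window ever holds more than one. Widening the window to an hour would flag carol too, which is the tuning decision the clipping level embodies.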
23. Tape library management is an example of operations security through which of the following? A. Archival retention B. The review of clipping levels C. Resource protection D. Change management
23. C. The reason to have tape library management is to have a centralized and standard way of protecting how media is stored, accessed, and destroyed.
24. A device that generates coercive magnetic force for the purpose of reducing magnetic flux density to zero on media is called: A. Magnetic saturation B. Magnetic field C. Physical destruction D. Degausser
24. D. A degausser is a device that generates a magnetic field (coercive magnetic force) that changes the orientation of the bits held on the media (reducing magnetic flux density to zero).
25. Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access? A. Limiting the local access of operations personnel B. Enforcing auditing C. Enforcing job rotation D. Limiting control of management personnel
25. A. If operations personnel are limited in what they can access, they would need to collude with someone who actually has access to the resource. This question is not very clear, but it is very close to the way many CISSP exam questions are formatted.