by marc22


Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers.
B. Harden Windows 7 by first installing the pre-hardened OS image.
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols.
D. Download the CISecurity Windows benchmark and apply it.
Correct Answer:
A. Policy is high-level and avoids technology specifics.
Explanation:
B is a procedural statement.
C is a guideline.
D is a baseline.
Which of the following describes the money saved by implementing a security control?
A. Total Cost of Ownership
B. Asset Value
C. Return on Investment
D. Control Savings
Correct Answer:
C. Return on Investment (ROI) is the amount of money saved by protecting an asset with a security control. 
Explanation:
A. TCO is the cost of implementing a security control.
B. AV is the value of the protected asset.
D. Control Savings is a bogus term.
Which of the following is an example of program policy?
A. Establish the information security program.
B. Email Policy
C. Application development policy
D. Server policy 
Correct Answer:
A. The program policy establishes the information security program.
Explanation: Email policy and application development policy are issue-specific policies. Server policy is system-specific policy.
Which of the following proves an identity claim?
A. Authentication
B. Authorization
C. Accountability
D. Auditing 
Correct Answer:
A. Authentication proves an identity claim.
Explanation: B. Authorization describes the actions a subject is allowed to take.
C. Accountability holds users accountable by providing audit data.
D. Auditing verifies compliance with an information security framework. 
Which of the following protects against unauthorized changes to data?
A. Confidentiality
B. Integrity
C. Availability
D. Alteration 
Correct Answer:
B. Integrity protects against unauthorized changes to data.
Explanation: A. Confidentiality protects against unauthorized disclosure of data.
C. Availability ensures systems are available for normal business use.
D. Alteration is unauthorized changes to data - the opposite of integrity. 
Your company sells a product online and has suffered many denial of service (DoS) attacks. Your company makes an average of $20,000 profit per week and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.
What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000 
Correct Answer:
C. The Annual Rate of Occurrence (ARO) is the number of attacks per year.
Explanation: A. $20,000 is the Asset Value (AV)
B. 40% is the Exposure Factor (EF)
D. $10,000 is the monthly cost of the DoS mitigation (used to calculate the TCO) 
Your company sells a product online and has suffered many denial of service (DoS) attacks. Your company makes an average of $20,000 profit per week and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.
What is the annualized loss expectancy (ALE) of lost sales due to the DoS attacks?
A. $20,000
B. $8000
C. $84,000
D. $56,000
Correct Answer:
D. Annualized Loss Expectancy (ALE) is Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO). Here SLE = AV × EF = $20,000 × 40% = $8,000, so ALE = $8,000 × 7 = $56,000.
Explanation: $20,000 is the Asset Value (AV).
$8000 is the Single Loss Expectancy (SLE).
Your company sells a product online and has suffered many denial of service (DoS) attacks. Your company makes an average of $20,000 profit per week and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.
Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself.
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy.
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy.
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy. 
Correct Answer:
C. The annual Total Cost of Ownership (TCO) of the DoS mitigation service ($10,000 per month, or $120,000 per year) is higher than the $56,000 Annualized Loss Expectancy (ALE) of lost sales due to the DoS attacks, meaning it is less expensive to accept the risk of DoS attacks than to purchase the mitigation.
Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy 
Correct Answer:
C. The Risk Analysis Matrix uses approximate values from 1 through 5 to qualitatively analyze risks according to likelihood and consequences.
Explanation:
A, B, and D are all quantitative Risk Analysis steps. 
Which of the following describes a duty of the Data Owner?
A. Patch systems
B. Report suspicious activity
C. Ensure their files are backed up
D. Ensure data has proper security labels 
Correct Answer:
D. The Data Owner ensures that data has proper security labels.
Explanation:
A. Custodians patch systems.
B. Users should be aware and report suspicious activity.
C. Ensuring files are backed up is a weaker answer for a Data Owner duty; not as strong as D.
Which control framework has 34 processes across four domains?
A. COSO
B. COBIT
C. ITIL
D. OCTAVE 
Correct Answer:
B. COBIT has 34 Information Technology processes across four domains.
Explanation:
A, C, and D are all audit or control frameworks, but only COBIT has 34 processes across four domains. 
What is the difference between a standard and a guideline?
A. Standards are compulsory and guidelines are mandatory.
B. Standards are recommendations and guidelines are requirements.
C. Standards are requirements and guidelines are recommendations.
D. Standards are recommendations and guidelines are optional. 
Correct Answer:
C. Standards are requirements (mandatory) and guidelines are recommendations.
Explanation:
A. Guidelines are recommendations (compulsory and mandatory are synonyms).
B. has the recommendations and requirements flipped.
D. Standards are mandatory, not recommendations. 
Which phase of OCTAVE identifies vulnerabilities and evaluates safeguards?
A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4 
Correct Answer:
B. Phase 2 identifies vulnerabilities and evaluates safeguards.
Explanation:
Phase 1: identify staff knowledge, assets, and threats.
Phase 3: conduct the Risk Analysis and develop the risk mitigation strategy.
Phase 4: There is no Phase 4. 
What was ISO 17799 renamed as?
A. BS 7799-1
B. ISO 27000
C. ISO 27001
D. ISO 27002 
Correct Answer:
D. ISO 17799 was renamed as ISO 27002.
Explanation:
A. BS 7799-1 was the precursor to ISO 17799.
B. ISO 27000 is a series of information security standards documents.
C. ISO 27001 is another 27000 series document to support auditing. 
Which of the following ethical actions is the most important?
A. Act legally
B. Protect society
C. Advance and protect the profession
D. Provide diligent service 
Correct Answer:
B. Protecting society is part of the first canon of the (ISC)² Code of Ethics.
Explanation:
All other answers are ethical, but are from later canons of the (ISC)² Code of Ethics.
What type of password cracking attack will always be successful?
A. Brute Force
B. Dictionary
C. Hybrid
D. Rainbow Table 
Correct Answer:
A. Brute force attacks are always successful, given enough time.
Explanation:
B. Dictionary attacks will only crack passwords that exist in a dictionary or word list.
C. Hybrid attacks append, prepend, or alter characters in words from a dictionary.
D. Rainbow tables are used for pre-computed hashes. Not all rainbow tables are complete.  Rainbow tables are less effective against salted hashes. 
What is the difference between password cracking and password guessing?
A. They are the same.
B. Password guessing attempts to log into the system, password cracking attempts to determine a password used to create a hash.
C. Password guessing uses salts, password cracking does not.
D. Password cracking risks account lockout, password guessing does not.
Correct Answer:
B. Password cracking relies on cracking the hash of a password; password guessing attempts to log into a system.
Explanation:
A. Password cracking and guessing are not the same thing.
C. Salts are a password cracking issue, not a password guessing issue.
D. Password guessing risks account lockout. 
The most insidious part of phishing and spear phishing attacks comes from which part of the attack anatomy?
A. Each phishing and spear phishing attack is socially engineered to trick the user into providing information to the attacker.
B. Phishing and spear phishing attacks always have malicious code downloaded onto the user's computer.
C. Phishing and spear phishing attacks are always poorly written.
D. Phishing and spear phishing attacks are rarely successful. 
Correct Answer:
A. In order for a phishing or spear phishing attack to be successful, the victim must provide information to the attacker — there is always a component of social engineering that causes the victim to provide that information.
Explanation:
B. Some phishing attacks are simply looking for information and contain no malicious code.
C. Some spear phishing attacks are very well written.
D. Some phishing attacks are very successful. 
What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of these computers to perform actions all at once?
A. Flooding
B. Spamming
C. Phishing
D. Botnets 
Correct Answer:
D. The term used to describe this activity is a botnet.
Explanation:
A. Flooding is an incorrect term for this case.
B. Spamming is sending unsolicited email.
C. Phishing describes a different concept, which may use botnets as part of the attack. 
What are the main differences between retina scans and iris scans?
A. Retina scans are not invasive and iris scans are.
B. Iris scans invade a person's privacy and retina scans do not.
C. Iris scans change depending upon the person's health, retina scans are stable.
D. Retina scans change depending upon the person's health, iris scans are stable.
Correct Answer:
D. The blood vessels in the retina may change depending upon certain health conditions.
Explanation:
A. Retina scans are invasive — they can relay user health information.
B. Iris scans are not invasive.
C. Iris scans remain (comparatively) stable regarding the general health of the user attempting access. 
What is the most important decision an organization needs to make when implementing Role Based Access Control (RBAC)?
A. Each user's security clearance needs to be finalized.
B. The roles users have on the system need to be clearly defined.
C. Users' data need to be clearly defined.
D. Users must be segregated from one another on the IT system to prevent spillage of sensitive data. 
Correct Answer:
B. In Role Based Access Control (RBAC), users' roles must be clearly defined so access to data based upon those roles can be limited according to organization policy.
Explanation:
A. In RBAC, users' clearances are not considered.
C. MAC labels every object and compares it to a subject's clearance, not RBAC.
D. In RBAC, users are not segregated from one another. 
What access control method weighs additional factors such as time of attempted access before granting access?
A. Content-dependent access control
B. Context-dependent access control
C. Role-based access control
D. Task-based access control 
Correct Answer:
B. Context-dependent access control adds additional factors beyond username and password, such as the time of attempted access.
Explanation:
A. Content-dependent access control uses the content (such as file contents) as an additional factor.
C. Role-based control is based upon the subject's role.
D. Task-based access control is based upon the tasks the subject needs to perform. 
An attacker sees a building is protected by security guards and attacks a building next door with no guards. What control combination are the security guards?
A. Physical / Compensating
B. Physical / Detective
C. Physical / Deterrent
D. Physical / Preventive 
Correct Answer:
C. The guards' primary control is physical security, but in this example, the guards also deterred the attack.
Explanation:
In a different scenario, a guard could be any of the choices. Given this scenario, C is the only valid answer. Compensating controls compensate for a weakness in another control. Detective controls detect a successful attack during or after it has occurred. Preventive controls prevent attempts from becoming successful.
A type II biometric is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR) 
Correct Answer:
C. The False Accept Rate (FAR) is known as a type II error.
Explanation:
A & B. Crossover Error Rate (CER) and Equal Error Rate (EER) are synonyms used to gauge the accuracy of a biometric system.
D. False Reject Rate (FRR) is a type I error. 
Within Kerberos, which part is the single point of failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
Correct Answer:
C. The Key Distribution Center (KDC) is the only service within Kerberos that can authenticate subjects.  If the KDC becomes unavailable, ticket granting tickets will not be issued and no new authentications may take place.
Explanation:
A. The Ticket Granting Ticket (TGT) is received by the subject from the KDC.
B. The realm is a Kerberos network that shares authentication.
D. New client-server session keys can be issued.
Your company has hired a third party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
(1) The test will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
(2) The company wants the most in-depth test possible.
What kind of test should be recommended?
A. Zero knowledge
B. Partial knowledge
C. Full knowledge
D. Vulnerability testing 
Correct Answer:
C. The customer wants a full evaluation but is concerned about the importance of the network. Because the customer wants as full an evaluation as possible but does not want the network placed in any jeopardy, a full knowledge assessment is necessary: only a full knowledge assessment allows the most in-depth analysis with the least risk to the network.
Explanation:
A. A zero knowledge test will not produce the most in-depth assessment of the network.
B. A partial knowledge test, although better than a zero knowledge assessment, still will not produce the necessary assessment.
D. Vulnerability testing does not exploit systems, which is a requirement for the test. 
Your company has hired a third party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
(1) The test will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
(2) The company wants the most in-depth test possible.
While conducting the penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?
A. Note the results in the penetration testing report.
B. Immediately end the penetration test and call the CIO.
C. Remove the malware.
D. Shut the system down. 
Correct Answer:
B. When discovering a live malicious intrusion, the penetration tester should immediately end the penetration test and notify the client of the intrusion.
Explanation:
A. Noting the results is not enough to protect system integrity, data integrity, and data confidentiality: immediate action is required.
C. Removing the malware may cause more damage and/or alert the attackers to the penetration tester's presence.  Attackers may become malicious if they believe they have been discovered.
D. Shutting the system down will harm availability (and possibly integrity), and will destroy any evidence that exists in memory.
What group launches the most attacks against a system?
A. Insiders
B. Outsiders
C. Hacktivists
D. Script Kiddies 
Correct Answer:
B. Outsiders launch the most attacks (though most fail).
Explanation:
Insiders may launch the most successful attacks that cause the highest impact, but most attacks are launched from the outside. Hacktivists and script kiddies are usually subsets of outsiders, making outsiders the best answer.
A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties 
Correct Answer:
B. Need to know means the user must have a need to access a specific object before doing so.
Explanation:
A. Least privilege is less granular than need to know: users have the least amount of privilege to do their jobs, but objects are still typically grouped together (such as allowing access to all backup tapes for a backup administrator).
C. Rotation of duties is designed to mitigate collusion.
D. Separation of duties is designed to divide sensitive tasks among multiple subjects.
What technique would raise the False Accept Rate (FAR) and lower the False Reject Rate (FRR) in a fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time 
Correct Answer:
A. Decreasing the amount of minutiae will make the accuracy of the system lower, which will lower false rejects (false negatives), but will raise false accepts (false positives).
Explanation:
B. Increasing the amount of minutiae will make the system more accurate, increasing the FRR and lowering the FAR.
C & D. Enrollment and throughput are not directly associated with FAR and FRR. 
The RSA algorithm is based on which one-way function?
A. Elliptic curves
B. Discrete logarithm
C. Frequency distribution
D. Factoring composite numbers into their primes 
Correct Answer:
D. RSA is based on the difficulty of factoring large composite numbers into their primes.
Explanation:
A & B. Elliptic curves and discrete logarithms are other types of one-way functions.
C. Frequency distribution is a way to perform cryptanalysis 
Which of the following cryptographic methods is a monoalphabetic cipher?
A. Caesar Cipher
B. Vernam Cipher
C. Vigenère Cipher
D. Jefferson Disks 
Correct Answer:
A. The Caesar Cipher is a monoalphabetic rotation cipher that shifts each character forward by 3.
Explanation:
B. The Vernam Cipher is a one-time pad.
C. The Vigenère Cipher is the first polyalphabetic cipher.
D. Jefferson disks used many disks, each with its own alphabet, and is therefore polyalphabetic. 
What type of encryption is proven to be unbreakable?
A. AES
B. ECC
C. One-time pad
D. RSA 
Correct Answer:
C. A one-time pad is unbreakable if the pad is truly random, the confidentiality of the pad is maintained, and the pad is never reused.
Explanation:
AES, ECC, and RSA can all be broken via brute-force attacks.  It may take a long time (perhaps thousands of years or more using current technology), but it is possible.
Which AES function provides confusion by replacing one byte of the State with another?
A. AddRoundKey
B. MixColumns
C. ShiftRows
D. SubBytes 
Correct Answer:
D. SubBytes substitutes one byte of the State with another.
Explanation:
A. AddRoundKey XORs the State with the key.
B. MixColumns mixes the columns of the state via finite field mathematics.
C. ShiftRows shifts the rows of the State. 
Which mode of DES is the weakest?
A. Cipher Feedback (CFB)
B. Output Feedback (OFB)
C. Electronic Code Book (ECB)
D. Cipher Block Chaining (CBC)
Correct Answer:
C. ECB is Electronic Code Book, the simplest mode of DES: each block is encrypted independently with no initialization vector or chaining, so identical plaintext blocks produce identical ciphertext blocks.
Explanation:
Cipher Feedback, Output Feedback, and Cipher Block Chaining all use initialization vectors and chaining or feedback.
Which of the following cryptographic methods is primarily used to assure integrity?
A. One-way function
B. One-way hash
C. Diffusion
D. Confusion 
Correct Answer:
B. A one-way hash is encryption without a key.
Explanation:
A. One-way functions are used in asymmetric encryption.
C & D. Diffusion and confusion are cornerstone cryptographic concepts embodied in all types of cryptography.
Cryptography does not directly provide what?
A. Authentication
B. Confidentiality
C. Integrity
D. Availability 
Correct Answer:
D. Cryptography does not directly provide availability.
Explanation:
A. Cryptography can authenticate an identity claim (such as signing a document using a private key).
B. Ciphers also protect confidentiality so that secrets remain secret.
C. Ciphers also protect integrity by preventing unauthorized data alteration.
The Wassenaar Arrangement replaced what?
A. CPCOM
B. COCOM
C. CUCOM
D. CACOM 
Correct Answer:
B. COCOM is the Coordinating Committee for Multilateral Export Controls, in effect from 1947 to 1994.
Explanation:
All other answers are distracter answers similar to COCOM.
Nonrepudiation is best described as what?
A. Proving a user performed a transaction
B. Proving a transaction did not change
C. Authenticating a transaction
D. Proving a user performed a transaction that did not change. 
Correct Answer:
D. Nonrepudiation is proof that a user performed a transaction and proof that it did not change.
Explanation:
A & B. Proving a user performed a transaction is only half of nonrepudiation, proving the transaction did not change is the other half. Nonrepudiation requires both.
C. Authenticating a transaction is another way of saying a user performed the transaction, and is still only half of nonrepudiation.
Which of the following is true for digital signatures?
A. The sender encrypts the hash with a public key.
B. The sender encrypts the hash with a private key.
C. The sender encrypts the plaintext with a public key.
D. The sender encrypts the plaintext with a private key.
Correct Answer:
B. The sender generates a hash of the plaintext and encrypts the hash with a private key. The recipient decrypts the hash with a public key, performs a hash of the plaintext, and then compares the two hashes to validate the integrity of the plaintext.
Explanation:
The sender encrypts the hash (not the plaintext — eliminates D) with a private key, not a public key (eliminates A & C).
Which algorithm should you use for a low-power device that must employ digital signatures?
A. AES
B. RSA
C. ECC
D. ElGamal 
Correct Answer:
C. Digital signatures require asymmetric encryption. Elliptic Curve Cryptography (ECC) is the strongest asymmetric algorithm per bit of key length. This allows shorter key lengths, which require fewer CPU resources.
Explanation:
A. AES is a symmetric cipher; symmetric ciphers are not used in digital signatures.
B. RSA is based on factoring composite numbers into their primes, and is far weaker per bit than ECC.
D. ElGamal is based upon discrete logarithms, and is far weaker per bit than ECC. 
Which of the following is not required for a one-time pad to be unbreakable?
A. The characters must be truly random
B. The pads must be secure
C. The pads must not be reused
D. Each pad must be unique
Correct Answer:
D. One-time pads are created as pairs of identical pads. If each individual pad were unique, there would be no way to decrypt a message.
Explanation:
All three of the other answers are required for a one-time pad to be unbreakable. 
Which of the following attacks analyzes large amounts of plaintext/ciphertext pairs created with the same key?
A. Known plaintext attack
B. Differential cryptanalysis
C. Linear cryptanalysis
D. Chosen plaintext attack 
Correct Answer:
C. Linear cryptanalysis analyzes large amounts of plaintext/ciphertext pairs created with the same key, trying to deduce information about the key.
Explanation:
A. Linear cryptanalysis is a type of known plaintext attack, but the question references linear cryptanalysis specifically, making A an incorrect answer.
B. Differential cryptanalysis seeks to find the difference between related plaintexts that are encrypted.
D. A cryptanalyst chooses the plaintext to be encrypted during a chosen plaintext attack.
What is a Hashed Message Authentication Code (HMAC)?
A. Encrypting a hash with a symmetric cipher
B. Encrypting a hash with an asymmetric cipher
C. A message digest
D. A checksum
Correct Answer:
A. A Hashed Message Authentication Code (HMAC) is a hash encrypted with a preshared symmetric key.
Explanation:
B. A digital signature encrypts a hash with an asymmetric key.
C. A message digest is another name for a hash.
D. A checksum is a simple hash.
Which of the following was not an AES finalist?
A. MARS
B. RC6
C. Serpent
D. Blowfish 
Correct Answer:
D. Blowfish was not an AES finalist. Twofish, which was based upon Blowfish, was.
Explanation:
MARS, RC6, and Serpent were all AES finalists.
Low humidity in a data center can cause what problem?
A. Corrosion
B. Airborne contaminants
C. Heat
D. Static electricity 
Correct Answer:
D. Low humidity can cause buildup of static electricity. Static discharge can damage data and equipment.
Explanation:
A. Corrosion can be caused by high humidity.
B. Airborne contaminants are caused by improper filtration.
C. Heat is caused by improper cooling. 
What should not be used to extinguish a class C (United States) fire?
A. Soda Acid
B. CO2
C. Inergen
D. FE-13 
Correct Answer:
A. Class C fires are electrical fires ("C" for conductive). Soda acid contains water, which is an electrical conductor, and should not be used to extinguish a class C fire.
Explanation:
CO2, Inergen, and FE-13 are all gases, which will not conduct electricity.  CO2 gas starves the fire of oxygen.
Inergen and FE-13 are Halon substitutes, which chemically interrupt the fire. 
What is the primary drawback to using dogs as a perimeter control?
A. Training
B. Cost
C. Liability
D. Appearance 
Correct Answer:
C. Liability is the primary drawback to using dogs as a security control. Dogs may mistakenly attack a person who accidentally enters a controlled area.
Explanation:
The remaining answers are all valid concerns, but are significantly less concerning than liability and personal safety.
What type of network cable should be used to eliminate the chance of crosstalk?
A. Shielded Twisted Pair (STP)
B. Unshielded Twisted Pair (UTP)
C. Coaxial
D. Fiber optic 
Correct Answer:
D. Fiber optic cable uses light instead of electricity and is not subject to electromagnetic interference (EMI) issues such as crosstalk.
Explanation:
Unshielded twisted pair is susceptible to EMI when improperly routed. Shielded twisted pair and coaxial cable are better choices for avoiding crosstalk, but they still carry electricity, and could have EMI issues under certain circumstances. 
Which of the following is an administrative control?
A. Locks
B. Asset Tracking
C. Biometrics
D. Fire Alarms 
Correct Answer:
B. Asset tracking is an administrative control. Administrative controls include policies, procedures, and practices.
Explanation:
Locks and fire alarms are both physical controls. Biometrics are a technical control. 