What access control methodology facilitates frequent changes to data permissions for user groups?
(A)       Rule-based
(B)       List-based
(C)       Role-based
(D)       Ticket-based
(C)       Role-based
Which of the following is a means of restricting access to objects based on the identity of the subject to which they belong?
(A)       Mandatory access control
(B)       Group access control
(C)       Discretionary access control
(D)       User access control
(C)       Discretionary access control
Which one of the following is associated with a one-time password scheme?  
(A)       Something you are
(B)       Something you have
(C)       Something you emulate
(D)       Something you embed
(B)       Something you have
Which of the following is considered a point of failure within single sign-on?
(A)       User's workstation
(B)       Authentication server
(C)       Application server
(D)       Firewall device
(B)       Authentication server
Which of the following mechanisms could bypass logical access controls?
(A)       Virus
(B)       Pseudo Flaw
(C)       Trusted Path
(D)       Trap Door
(D)       Trap Door
In a vulnerability assessment, a gap analysis is usually performed between
(A)       Mitigation and remediation.
(B)       Defining and designing.
(C)       Scanning and remediation.
(D)       Maintaining and monitoring.
(C)       Scanning and remediation.
What key components are required to develop a threat matrix?
(A)       Confidentiality and Integrity
(B)       Integrity and Availability
(C)       Risk and Oversight
(D)       Impact and Probability
(D)       Impact and Probability
Which one of the following refers to a series of characters used to verify a user’s identity?
(A)       Token serial number
(B)       UserID
(C)       Password
(D)       Security ticket
(C)       Password
Satellite communications are easily intercepted because  
(A)       Transmissions are continuous 24 hours per day.
(B)       All channels on a satellite can be monitored.
(C)       A satellite footprint is very large.
(D)       Satellite signals often use weak encryption.
(C)       A satellite footprint is very large.
To support legacy applications that rely on risky protocols (e.g., plain text passwords), which one of the following can be implemented to mitigate the risks on a corporate network?  
(A)      Implement strong, centrally-generated passwords to control use of the vulnerable applications
(B)       Implement a Virtual Private Network (VPN) with controls on workstations joining the VPN
(C)       Use physical access controls to ensure that only authorized, trained users have access to workstations
(D)      Ensure audit logging is enabled on all hosts and applications with frequent log reviews
(B)       Implement a Virtual Private Network (VPN) with controls on workstations joining the VPN
What technique is used to prevent eavesdropping of digital cellular telephone conversations?  
(A)       Encryption
(B)       Authentication
(C)       Call detail suppression
(D)       Time-division multiplexing
(A)       Encryption
Which one of the following is NOT a firewall technology?  
(A)       Dual-homed host
(B)       Dual-gateway host
(C)       Screened-host
(D)       Screened-subnet
(B)       Dual-gateway host
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for the routing of information packets across multiple networks?  
(A)       Application Layer
(B)       Transport Layer
(C)       Network Layer
(D)       Data-Link Layer
(C)       Network Layer
Security measures that protect message traffic independently on each communication path are called
(A)       Link oriented.
(B)       Procedure oriented.
(C)       Pass-through oriented.
(D)       End-to-end oriented.
(A)       Link oriented.
Why are packet filtering routers NOT effective against mail bomb attacks?
(A)       The bomb code is obscured by the message encoding algorithm.
(B)       Mail bombs are polymorphic and present no consistent signature to filter on.
(C)       Filters do not examine the data portion of a packet.
(D)       The bomb code is hidden in the header and appears as normal routing information.
(C)       Filters do not examine the data portion of a packet.
Which one of the following is the MOST solid defense against interception of a network transmission?  
(A)       Frequency hopping
(B)       Optical fiber
(C)       Alternate routing
(D)       Encryption
(D)       Encryption
Although Password Authentication Protocol (PAP) is a widely implemented technology, its PRIMARY limitation is that the client  
(A)       Responds with a value that's calculated via the Message Digest 5 (MD5) one-way hash function.
(B)       Exchanges “magic numbers” with the server at the beginning of each session which increases bandwidth consumption and delays data transmission.
(C)       Sends username and password information in clear text across transmission paths.
(D)       Must be configured prior to transmission attempts with the server's Internet Protocol (IP) address, username, and password.
(C)       Sends username and password information in clear text across transmission paths.
Secure Sockets Layer-Virtual Private Networks (SSL-VPN) utilizes what layer of the Open System Interconnect (OSI) model?  
(A)       Network  
(B)       Transport
(C)       Session
(D)       Data
(B)       Transport
Which of the following remote access protocols would be the BEST where trust can be an issue but easy access is also important?  
(A)       Multi-layer Session Security (MLSS) protocol
(B)       Password Authentication Protocol (PAP)     
(C)       Challenge Handshake Authentication Protocol (CHAP)
(D)       Secure Sockets Layer – Virtual Private Network (SSL-VPN) protocol
(D)       Secure Sockets Layer – Virtual Private Network (SSL-VPN) protocol
Which of the following could BEST be utilized to validate the continued need for access to system resources?
(A)       Periodically review and recertify privileged users
(B)       Periodically review audit and access logs
(C)       Periodically review processes that grant access
(D)       Periodically review data classifications by management
(A)       Periodically review and recertify privileged users
An information security policy requires that communications test equipment be controlled because the equipment
(A)       Can be susceptible to physical damage.
(B)       Can be used to browse information passing on a network.
(C)       Must be available for replacement if necessary.
(D)       Can be used to reconfigure the network multiplexers.
(B)       Can be used to browse information passing on a network.
How should a request by an auditor for access to programs and data which are protected by logical access control software be treated?  
(A)       Approve the use via a guest user-id and password
(B)       Provide access to audit logs only
(C)       Submit in writing and receive written approval
(D)       Refuse based on the principle of least privilege
(C)       Submit in writing and receive written approval
Non-binding statements on how to achieve compliance with protective standards are called  
(A)       Policies
(B)       Standards
(C)       Guidelines
(D)       Procedures
(C)       Guidelines
All of the following are basic components of a security policy EXCEPT the
(A)       Definition of the issue being addressed and relevant terms.
(B)       Statement of roles and responsibilities.
(C)       Statement of applicability and compliance requirements.
(D)       Statement of performance characteristics and requirements.
(D)       Statement of performance characteristics and requirements.
Which of the following provides for an effective security program?  
(A)       A hierarchical definition of security policies, standards, and procedures
(B)       The identification, assessment, and mitigation of vulnerabilities
(C)       A definition of program modules and procedures for data structures
(D)       The identification of organizational, procedural, and administrative weaknesses
(A)       A hierarchical definition of security policies, standards, and procedures
In which one of the following documents is the assignment of individual roles and responsibilities MOST appropriately defined?
(A)       Security policy
(B)       Enforcement guidelines
(C)       Acceptable use policy
(D)       Program manual
(A)       Security policy
Annualized Loss Expectancy (ALE) is calculated as the product of the annual rate of occurrence and
(A)       Cost of all losses expected.
(B)       Previous year's actual loss.
(C)       Average of previous losses.
(D)       Single loss expectancy.
(D)       Single loss expectancy.
Which one of the following risk analysis terms characterizes the absence or weakness of a risk-reducing safeguard?  
(A)       Threat
(B)       Probability
(C)       Vulnerability
(D)       Loss expectancy
(C)       Vulnerability
When conducting a risk assessment, which one of the following is NOT an acceptable social engineering practice?  
(A)       Shoulder surfing
(B)       Misrepresentation
(C)       Subversion
(D)       Dumpster diving
(C)       Subversion
Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome?  
(A)       Annualized Loss Expectancy
(B)       Single Loss Expectancy
(C)       Annualized Rate of Occurrence
(D)       Information Risk Management
(B)       Single Loss Expectancy
Risk is commonly expressed as a function of the
(A)       Systems vulnerabilities and the cost to mitigate.
(B)       Types of countermeasures needed and the system's vulnerabilities.
(C)       Likelihood that the harm will occur and its potential impact.
(D)       Computer system-related assets and their costs.
(C)       Likelihood that the harm will occur and its potential impact.
An example of an individual point of verification in a computerized application is
(A)       An inference check.
(B)       A boundary protection.
(C)       A sensitive transaction.
(D)       A check digit.
(D)       A check digit.
Removing unnecessary processes, segregating inter-process communications, and reducing executing privileges to increase system security is commonly called
(A)       Hardening.
(B)       Segmenting.
(C)       Aggregating.
(D)       Kerneling.
(A)       Hardening.
How is polyinstantiation used to secure a multilevel database?
(A)       It prevents low-level database users from inferring the existence of higher level data.
(B)       It confirms that all constrained data items within the system conform to integrity specifications.
(C)       It ensures that all mechanisms in a system are responsible for enforcing the database security policy.
(D)       Two operations at the same layer will conflict if they operate on the same data item and at least one of them is an update.
(A)       It prevents low-level database users from inferring the existence of higher level data.
What security concern is related to applications created with third party software tools?  
(A)       They may not supply adequate support in a disaster.
(B)       They operate in privileged mode.
(C)       Their source code cannot always be verified.
(D)       They bypass key security functions.
(C)       Their source code cannot always be verified.
Which one of the following traits allows macro viruses to spread more effectively than other types?
(A)       They infect macro systems as well as micro computers.
(B)       They attach to executable and batch applications.
(C)       They can be transported between different operating systems.
(D)       They spread in distributed systems without detection.
(C)       They can be transported between different operating systems.
Which of the following describes a cryptographic one-way function?
(A)       A mathematical process that involves the transformation of data, usually with encryption related routines, into a quantity that cannot then be used to recover the original data.
(B)       An iterative process that computes a value from a particular data unit in such a manner that manipulation of the data is detectable.
(C)       A value computed on data to ensure transmission is undetected.
(D)       A mathematical process which scrambles cleartext so that ciphertext cannot be decoded without knowledge of the key.
(A)       A mathematical process that involves the transformation of data, usually with encryption related routines, into a quantity that cannot then be used to recover the original data.
What type of key distribution system allows two parties to establish a secure session without exchanging any secret key?  
(A)       Key exchange
(B)       Public key
(C)       Session key
(D)       Key negotiation
(B)       Public key
The fact that it is easier to find prime numbers than to factor the product of two prime numbers is fundamental to what kind of algorithm?  
(A)       Symmetric key
(B)       Asymmetric key
(C)       Secret key
(D)       Stochastic key
(B)       Asymmetric key
Which of the following terms describes the phenomenon when two different encryption keys can generate the same ciphertext from the same plaintext?  
(A)       Weak keys
(B)       Key clustering
(C)       Digital signature
(D)       MAC code
(B)       Key clustering
Which of the following is a public key cipher for commercial data that is based on the products of prime numbers?  
(A)       Data Encryption Algorithm
(B)       Message Authentication Code
(C)       Rivest, Shamir, Adleman Algorithm
(D)       Cipher Block Chaining
(C)       Rivest, Shamir, Adleman Algorithm
Which of the following is used to create a digital signature?  
(A)       The sender's Data Encryption Standard (DES) key
(B)       The recipient's Data Encryption Standard (DES) key
(C)       The recipient's public key
(D)       The sender's private key
(D)       The sender's private key
Digital signature protocols are often implemented with one-way hash functions to  
(A)       Use less storage space.
(B)       Save time.
(C)       Resist attack.
(D)       Prevent reverse processing.
(B)       Save time.
Which of the following is the BEST way to protect the confidentiality of an e-mail message?  
(A)       Delete the message when sent
(B)       Encrypt the message
(C)       Hash the message
(D)       Sign the message
(B)       Encrypt the message
Which security model allows the data custodian to grant access privileges to other users?  
(A)       Mandatory
(B)       Bell-LaPadula
(C)       Discretionary
(D)       Clark-Wilson
(C)       Discretionary
Which one of the following access control models associates every resource and every user of a resource with one of an ordered set of classes?  
(A)       Take-Grant model
(B)       Brewer/Nash model
(C)       Lattice model
(D)       Clark-Wilson model
(C)       Lattice model
Within environmental engineering security design, which of the following spaces would be considered semi-private?  
(A)       Loading docks
(B)       Network Operations Centers
(C)       Photocopier and Office Supply rooms
(D)       Utility closets
(C)       Photocopier and Office Supply rooms
What is a PRIMARY reason for designing the security kernel to be as small as possible?
(A)       The operating system cannot be easily penetrated by users.
(B)       Changes to the kernel are not required as frequently.
(C)       Due to its compactness, the kernel is easier to formally verify.
(D)       System performance and execution are enhanced.
(C)       Due to its compactness, the kernel is easier to formally verify.
What are the two types of covert channels?  
(A)       Storage and transmission
(B)       Storage and timing
(C)       High and low bandwidth
(D)       Timing and performance
(B)       Storage and timing
In what way could the use of "cookies" violate a person's privacy?
(A)       When they are used to tie together a set of unconnected requests for web pages to cause an electronic map of where one has been
(B)       When they are used to keep logs of who is using an anonymizer to access a site instead of their regular userid
(C)       When the e-mail addresses of users that have registered to access the web site are sold to marketing firms
(D)       When they capture the word used in search engines to associate negative activity with a user or corporation
(A)       When they are used to tie together a set of unconnected requests for web pages to cause an electronic map of where one has been