100 Cards in this Set

1. Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:

A. least critical process
B. most critical process
C. process most expensive to maintain at an alternate site
D. process that has maximum visibility in the organization
Answer: A
2. Documenting change levels and revision information is most useful for:

A. theft tracking
B. security audits
C. disaster recovery
D. license enforcement
Answer: C
3. A recent audit shows that a user logged into a server with their user account and executed a program. The user then performed activities only available to an administrator. This is an example of what type of an attack?

A. Trojan horse
B. privilege escalation
C. subseven back door
D. security policy removal
Answer: B
4. Notable security organizations often recommend that only essential services be provided by a particular host and that any unnecessary services be disabled. Which of the following does NOT represent a reason supporting this recommendation?

A. Each additional service increases the risk of compromising the host, the services that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions between different services are expected, which simplifies the analysis and maintenance of the system from a security point of view.
D. If a service is not using a well known port, firewalls will not be able to disable access to these ports and an administrator will not be able to restrict access to this service.
Answer: D
5. Which of the following is a technical solution that supports high availability?

A. UDP (User Datagram Protocol).
B. anti-virus solution.
C. RAID (Redundant Array of Independent Disks).
D. firewall.
Answer: C
6. In order for a user to obtain a certificate from a trusted CA (Certificate Authority), the user must present proof of identity and a:

A. private key.
B. public key.
C. password.
D. Kerberos key.
Answer: B
7. In the context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:

A. provide the same level of security as a wired LAN (Local Area Network).
B. provide a collision preventive method of media access.
C. provide a wider access area than that of wired LANs (Local Area Network).
D. allow radio frequencies to penetrate walls.
8. A primary drawback to using shared storage clustering for high availability and disaster recovery is:

A. the creation of a single point of vulnerability.
B. the increased network latency between the host computers and the RAID (Redundant Array of Independent Disks) subsystem.
C. the asynchronous writes which must be used to flush the server cache.
D. the higher storage capacity required by the RAID (Redundant Array of Independent Disks) subsystem.
9. What are access decisions based on in a MAC (Mandatory Access Control) environment?

A. access control lists.
B. ownership.
C. group membership.
D. sensitivity labels.
10. Packet sniffing can be used to obtain username and password information in clear text from which one of the following?

A. SSH (Secure Shell).
B. SSL (Secure Sockets Layer).
C. FTP (File Transfer Protocol).
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer).
11. When securing a FTP (File Transfer Protocol) server, what can be done to ensure that only authorized users can access the server?

A. allow blind authentication.
B. disable anonymous authentication.
C. redirect FTP (File Transfer Protocol) to another port.
D. only give the address to users that need access.
12. Asymmetric cryptography ensures that:

A. encryption and authentication can take place without sharing private keys.
B. encryption of the secret key is performed with the fastest algorithm available.
C. encryption occurs only when both parties have been authenticated.
D. encryption factoring is limited to the session key.
13. Which of the following media types is most immune to RF (Radio Frequency) eavesdropping?

A. coaxial cable.
B. fiber optic cable.
C. twisted pair wire.
D. unbounded.
14. Access controls that are created and administered by the data owner are considered:

A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. LBAC (List Based Access Control).
D. DAC (Discretionary Access Control).
15. An administrator notices that an e-mail server is currently relaying e-mail (including spam) for any e-mail server requesting relaying. Upon further investigation the administrator notices the existence of /etc/mail relay domains. What modifications should the administrator make to the relay domains file to prevent relaying for non-explicitly named domains?

A. move the .* entry to the bottom of the relay domains file and restart the e-mail process.
B. move the .* entry to the top of the relay domains file and restart the e-mail process.
C. delete the .* entry in the relay domains file and restart the e-mail process.
D. delete the relay domains file from the /etc/mail folder and restart the e-mail process.
16. Providing false information about the source of an attack is known as:

A. aliasing.
B. spoofing.
C. flooding.
D. redirecting.
17. The term “due care” best relates to:

A. policies and procedures intended to reduce the likelihood of damage or injury.
B. scheduled activity in a comprehensive preventative maintenance program.
C. techniques and methods for secure shipment of equipment and supplies.
D. user responsibilities involved when sharing passwords in a secure environment.
18. A high profile company has been receiving a high volume of attacks on their public web site. The network administrator wants to be able to collect information on the attacker(s) so legal action can be taken. What should be implemented?

A. a DMZ (Demilitarized Zone).
B. a honey pot.
C. a firewall.
D. a new subnet.
19. Many intrusion detection systems look for known patterns or____ to aid in detecting attacks.

A. viruses.
B. signatures.
C. hackers.
D. malware.
20. After installing a new operating system, what configuration changes should be implemented?

A. create application user accounts.
B. rename the guest account.
C. rename the administrator account, disable the guest accounts.
D. create a secure administrator account.
21. In order to establish a secure connection between headquarters and a branch office over a public network, the router at each location should be configured to use IPSec (Internet Protocol Security) in ____ mode.

A. secure.
B. tunnel.
C. transport.
D. data link.
22. What type of authentication may be needed when a stored key and a memorized password are not strong enough and additional layers of security are needed?

A. mutual.
B. multi-factor.
C. biometric.
D. certificate.
23. What technology was originally designed to decrease broadcast traffic but is also beneficial in reducing the likelihood of having information compromised by sniffers?

A. VPN (Virtual Private Network).
B. DMZ (Demilitarized Zone).
C. VLAN (Virtual Local Area Network).
D. RADIUS (Remote Authentication Dial-in User Service).
24. A DMZ (Demilitarized Zone) typically contains:

A. a customer account database.
B. staff workstations.
C. a FTP (File Transfer Protocol) server.
D. a SQL (Structured Query Language) based database server.
25. What kind of attack are hashed passwords vulnerable to?

A. man in the middle.
B. dictionary or brute force.
C. reverse engineering.
D. DoS (Denial of Service).
26. Controlling access to information systems and associated networks is necessary for the preservation of their:

A. authenticity, confidentiality, and availability.
B. integrity, availability and reliability.
C. confidentiality, integrity and availability.
D. authenticity, confidentiality and availability.
27. A collection of information that includes login, file access, other various activities, and actual or attempted legitimate and unauthorized security violations is a (n):

A. audit.
B. ACL (Access Control List).
C. audit trail.
D. syslog.
28. What transport protocol and port number does SSH (Secure Shell) use?

A. TCP (Transmission Control Protocol) port 22.
B. UDP (User Datagram Protocol) port 69.
C. TCP (Transmission Control Protocol) port 179.
D. UDP (User Datagram Protocol) port 17.
29. What statement is most true about viruses and hoaxes?

A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.
30. What is the greatest benefit to be gained through the use of S/MIME (Secure Multipurpose Internet Mail Extensions)? The ability to:

A. encrypt and digitally sign e-mail messages.
B. send anonymous e-mails.
C. send e-mails with a return receipt.
D. expedite the delivery of e-mail.
31. Access control decisions are based on responsibilities that an individual user or process has in an organization. This best describes:

A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. DAC (Discretionary Access Control).
D. none of the above.
32. Which of the following results in a domain name server resolving the domain name to a different and wrong IP (Internet Protocol) address and thus misdirecting Internet traffic?

A. DoS (Denial of Service).
B. spoofing.
C. brute force attack.
D. reverse DNS (Domain Name Service).
E. None of the above.
33. When examining the server’s list of protocols that are bound and active on each network interface card, the network administrator notices a relatively large number of protocols. Which actions should be taken to ensure network security?

A. Unnecessary protocols do not pose a significant risk to the system and should be left intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose great risk.
D. Using port filtering ACLs (Access Control List) at firewalls and routers is sufficient to stop malicious attacks on unused protocols.
34. If a private key becomes compromised before its certificate’s normal expiration date, X.509 defines a method requiring each CA (Certificate Authority) to periodically issue a signed data structure called a certificate:

A. enrollment list.
B. expiration list.
C. revocation list.
D. validation list.
35. DAC (Discretionary Access Control) systems operate following which guideline statement?

A. files that don’t have an owner CAN NOT be modified.
B. the administrator of the system is an owner of each object.
C. the operating system is an owner of each object.
D. each object has an owner, which has full control over the object.
36. An autonomous agent that copies itself into one or more host programs, then propagates when the host is run, is best described as a:

A. Trojan horse.
B. backdoor.
C. logic bomb.
D. virus.
37. The de facto IT (Information Technology) security evaluation criteria for the international community is called:

A. Common Criteria.
B. Global Criteria.
C. TCSEC (Trusted Computer System Evaluation Criteria).
D. ITSEC (Information Technology Security Evaluation Criteria).
38. The best protection against the abuse of remote maintenance of a PBX (Private Branch Exchange) system is to:

A. keep maintenance features turned off until needed.
B. insist on strong authentication before allowing remote maintenance.
C. keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. check to see if the maintenance caller is on the list of approved maintenance personnel.
39. At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?

A. penetration.
B. control.
C. audit planning.
D. discovery.
40. Computer forensics experts collect and analyze data using which of the following guidelines so as to minimize data loss?

A. evidence.
B. chain of custody.
C. chain of command.
D. incident response.
41. Data integrity is best achieved using a (n):

A. asymmetric cipher.
B. digital certificate.
C. message digest.
D. symmetric cipher.
42. A program that can infect other programs by modifying them to include a version of itself is a:

A. replicator.
B. virus.
C. Trojan horse.
D. logic bomb.
43. Which of the following is an example of an asymmetric algorithm?

A. CAST (Carlisle Adams Stafford Tavares).
B. RC5 (Rivest Cipher 5).
C. RSA (Rivest Shamir Adleman).
D. SHA-1 (Secure Hashing Algorithm 1).
44. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled server will first:

A. use its digital certificate to establish its identity to the browser.
B. validate the user by checking the CRL (Certificate Revocation List).
C. request the user to produce the CRL (Certificate Revocation List).
D. display the requested page on the browser, then provide its IP (Internet Protocol) address for verification.
45. User A needs to send a private e-mail to User B. User A does not want anyone to have the ability to read the e-mail except for User B, thus retaining privacy. Which tenet of information security is User A concerned about?

A. authentication.
B. integrity.
C. confidentiality.
D. non-repudiation.
46. A company uses WEP (Wired Equivalent Privacy) for wireless security. Who may authenticate to the company’s access point?

A. only the administrator.
B. anyone can authenticate.
C. only users within the company.
D. only users with the correct WEP (Wired Equivalent Privacy) key.
47. Giving each user or group of users only the access they need to do their job is an example of which security principle:

A. least privilege
B. defense in depth
C. separation of duties
D. access control
48. The primary purpose of NAT (Network Address Translation) is to:

A. translate IP (Internet Protocol) addresses into user friendly names.
B. hide internal hosts from the public network.
C. use one public IP (Internet Protocol) address on the internal network as a name server.
D. hide the public network from internal hosts.
49. The start of the LDAP (Lightweight Directory Access Protocol) directory is called the:

A. head
B. root
C. top
D. tree
50. The protection of data, against unauthorized access or disclosure is an example of what?

A. confidentiality
B. integrity
C. signing
D. hashing
51. Which of the following backup methods copies only modified files since the last full backup?

A. full.
B. differential.
C. incremental.
D. archive.
52. While connected from home to an ISP (Internet Service Provider), a network administrator performs a port scan against a corporate server and encounters four open TCP (Transmission Control Protocol) ports: 25, 110, 143, and 389. Corporate users in the organization must be able to connect from home, send and receive messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message Access Protocol version 4) protocol, and search a directory services database for user e-mail addresses and digital certificates. All the e-mail related services, as well as the directory server, run on the scanned server. Which of the above ports can be filtered out to decrease unnecessary exposure without affecting functionality?

A. 25.
B. 110.
C. 143.
D. 389.
53. In a decentralized privilege management environment, user accounts and passwords are stored on:

A. One central authentication server.
B. each individual server.
C. no more than two servers.
D. One server configured for decentralized management.
54. A well defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit and:

A. security labeling and classification.
B. budgeting and acceptance.
C. documentation and security labeling.
D. integration and validation.
55. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:

A. an Ethernet switch.
B. an Ethernet hub.
C. a CSU/DSU (Channel Service Unit/Data Service Unit).
D. a firewall.
56. The WAP (Wireless Application Protocol) programming model is based on the following three elements:

A. client, original server, WEP (Wired Equivalent Privacy).
B. code design, code review, documentation.
C. client, original server, wireless interface card.
D. client, gateway, original server.
57. The first step in establishing a disaster recovery plan is to:

A. get budgetary approval for the plan.
B. agree on the objectives of the plan.
C. list possible alternative sites to be used in a disaster event.
D. prioritize processes requiring immediate attention in a disaster event.
58. When securing a DNS (Domain Name Service) server, and shutting down all unnecessary ports, which port should NOT be shut down?

A. 21
B. 23
C. 53
D. 55
59. What is the main advantage SSL (Secure Sockets Layer) has over HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)?

A. SSL (Secure Sockets Layer) offers full application security for HTTP (Hypertext Transfer Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
B. SSL (Secure Sockets Layer) supports additional application layer protocols such as FTP (File Transfer Protocol) and NNTP (Network News Transport Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
C. SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) are transparent to the application.
D. SSL (Secure Sockets Layer) supports user authentication and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
60. A sound security policy will define:

A. what is considered an organization’s assets.
B. what attacks are planned against the organization.
C. how an organization compares to others in security audits.
D. weaknesses in competitor’s systems.
61. What functionality should be disallowed between a DNS (Domain Name Service) server and an untrusted node?

A. name resolutions.
B. reverse ARP (Address Resolution Protocol) requests.
C. system name resolutions.
D. zone transfers.
62. What is the most effective social engineering defensive strategy?

A. marking of documents.
B. escorting of guests.
C. badge security system.
D. training and awareness.
63. An IDS (Intrusion Detection System) is sending alerts that attacks are occurring which are not actually taking place. What is the IDS (Intrusion Detection System) registering?

A. false positives.
B. false negatives.
C. true negatives.
D. true positives.
64. When an employee is dismissed, the security administrator should:

A. allow the employee to backup computer files then disable network access.
B. change all network passwords.
C. disable the employee’s network access.
D. set rules to forward the employee’s e-mail to a home address.
65. How are honey pots used to collect information? Honey pots collect:

A. IP (Internet Protocol) addresses and identity of internal users.
B. data on the identity, access, and compromise methods used by the intruder.
C. data regarding and the identity of servers within the network.
D. IP (Internet Protocol) addresses and data of firewalls used within the network.
66. How must a firewall be configured to only allow employees within the company to download files from a FTP (File Transfer Protocol) server?

A. open port 119 to all inbound connections.
B. open port 119 to all outbound connections.
C. open port 20/21 to all inbound connections.
D. open port 20/21 to all outbound connections.
67. Administrators currently use telnet to remotely manage several servers. Security policy dictates that passwords and administrative activities must not be communicated in clear text. Which of the following is the best alternative to using telnet?

A. DES (Data Encryption Standard).
B. S-Telnet.
C. SSH (Secure Shell).
D. PKI (Public Key Infrastructure).
68. Which of the following provides privacy, data integrity and authentication for handheld devices in a wireless network environment?

A. WEP (Wired Equivalent Privacy).
B. WAP (Wireless Application Protocol).
C. WSET (Wireless Secure Electronic Transaction).
D. WTLS (Wireless Transport Layer Security).
69. Analyzing log files after an attack has started is an example of:

A. active detection.
B. overt detection.
C. covert detection.
D. passive detection.
70. How many characters should the minimum length of a password be to deter dictionary password cracks?

A. 6.
B. 8.
C. 10.
D. 12.
71. An acceptable use policy signed by an employee can be interpreted as an employee’s written______ for allowing an employer to search an employee’s workstation.

A. refusal.
B. policy.
C. guideline.
D. consent.
72. What protocol can be used to create a VPN (Virtual Private Network)?

A. PPP (Point-to-Point Protocol).
B. PPTP (Point-to-Point Tunneling Protocol).
C. SLIP (Serial Line Internet Protocol).
D. ESLIP (Encrypted Serial Line Internet Protocol).
73. An attack whereby two different messages using the same hash function produce a common message digest is also known as a:

A. man in the middle attack.
B. cipher text only attack.
C. birthday attack.
D. brute force attack.
74. A common algorithm used to verify the integrity of data from a remote user through the creation of a 128-bit hash from a data input is:

A. IPSec (Internet Protocol Security).
B. RSA (Rivest Shamir Adleman).
C. Blowfish.
D. MD5 (Message Digest).
75. In an RBAC (Role Based Access Control) context, which statement best describes the relation between users, roles and operations?

A. multiple users, single role and single operation.
B. multiple users, single role and multiple operations.
C. single user, single role and single operation.
D. multiple users, multiple roles and multiple operations.
76. An administrator is setting permissions on a file object in a network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control List) of the file follows:

Owner: Read, Write, Execute; User A: Read, Write, -; User B: -, -, - (None); Sales: Read, -, -; Marketing: -, Write, -; Other: Read, Write, -

User "A" is the only owner of the file. User "B" is a member of the Sales group. What effective permissions does User "B" have on the file with the above access list?

A. User B has no permissions on the file.
B. User B has read permissions on the file.
C. User B has read and write permissions on the file.
D. User B has read, write and execute permissions on the file.
77. A user who has accessed an information system with a valid user ID and password combination is considered a (n):

A. manager
B. user
C. authenticated user
D. security officer
78. The use of embedded root certificates within web browsers is an example of which of the following trust models?

A. bridge.
B. mesh.
C. hierarchy.
D. trust list.
79. What is the most common method used by attackers to identify the presence of an 802.11b network?

A. war driving.
B. direct inward dialing.
C. war dialing.
D. packet driving.
80. The best way to harden an application that is developed in house is to:

A. use an industry recommended hardening tool.
B. ensure that security is given due considerations throughout the entire development process.
C. try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. ensure that the auditing system is comprehensive enough to detect and log any possible intrusion, identifying existing vulnerabilities.
81. A security consideration that is introduced by a VPN (Virtual Private Network) is:

A. an intruder can intercept VPN (Virtual Private Network) traffic and create a man in the middle attack.
B. captured data is easily decrypted because there are a finite number of encryption keys.
C. tunneled data CAN NOT be authenticated, authorized or accounted for.
D. a firewall CAN NOT inspect encrypted traffic.
82. Which of the following would NOT be considered a method for managing the administration of accessibility?

A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.
83. Which of the following is required to use S/MIME (Secure Multipurpose Internet Mail Extensions)?

A. digital certificate.
B. server side certificate.
C. SSL (Secure Sockets Layer) certificate.
D. public certificate.
84. Non-repudiation is generally used to:

A. protect the system from transmitting various viruses, worms and Trojan horses to other computers on the same network.
B. protect the system from DoS (Denial of Service) attacks.
C. prevent the sender or the receiver from denying that the communication between them has occurred.
D. ensure the confidentiality and integrity of the communication.
85. Which of the following hash functions generates a 160-bit output?

A. MD4 (Message Digest 4).
B. MD5 (Message Digest5).
C. DES (Data Encryption Standard).
D. SHA-1 (Secure Hashing Algorithm 1).
86. Why are unique user IDs critical in the review of audit trails?

A. They CAN NOT be easily altered.
B. They establish individual accountability.
C. They show which files were changed.
D. They trigger corrective controls.
87. A DRP (Disaster Recovery Plan) typically includes which of the following:

A. penetration testing.
B. risk assessment.
C. DoS (Denial of Service) attack.
D. ACL (Access Control List).
88. An attacker can determine what network services are enabled on a target system by:

A. installing a rootkit on the target system.
B. checking the services file.
C. enabling logging on the target system.
D. running a port scan against the target system.
89. A police department has three types of employees: booking officers, investigators, and judges. Each group of employees is allowed different rights to files based on their need. The judges do not need access to the fingerprint database, the investigators need read access and the booking officers need read/write access. The booking officer would need no access to warrants, while an investigator would need read access and a judge would need read/write access. This is an example of:

A. DAC (Discretionary Access Control) level access control.
B. RBAC (Role Based Access Control) level access control.
C. MAC (Mandatory Access Control) level access control.
D. ACL (Access Control List) level access control.
90. Which of the following access control models introduces user security clearance and data classification?

A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).
91. A wireless network with three access points, two of which are used as repeaters, exists at a company. What step should be taken to secure the wireless network?

A. Ensure that employees use complex passwords.
B. Ensure that employees are only using issued wireless cards in their systems.
C. Ensure that WEP (Wired Equivalent Privacy) is being used.
D. Ensure that everyone is using ad hoc mode.
92. Digital certificates can contain which of the following items:

A. the CA’s (Certificate Authority) private key.
B. the certificate holder’s private key.
C. the certificate’s revocation information.
D. the certificate’s validity period.
93. Which encryption key is used to verify a digital signature?

A. the signer’s public key.
B. the signer’s private key.
C. the recipient's public key.
D. the recipient's private key.
94. NetBus and Back Orifice are each considered an example of a (n):

A. virus.
B. illicit server.
C. spoofing tool.
D. allowable server.
95. The theft of network passwords without the use of software tools is an example of:

A. Trojan programs.
B. social engineering.
C. sniffing.
D. hacking.
96. An alternate site configured with necessary system hardware, supporting infrastructure and an on-site staff able to respond to an activation of a contingency plan 24 hours a day, 7 days a week is a:

A. cold site.
B. warm site.
C. mirrored site.
D. hot site.
97. Security controls may become vulnerabilities in a system unless they are:

A. designed and implemented by the system vendor.
B. adequately tested.
C. implemented at the application layer in the system.
D. designed to use multiple factors of authentication.
98. Which of the following is likely to be found after enabling anonymous FTP (File Transfer Protocol) read/write access?

A. an upload and download directory for each user.
B. detailed logging information for each user.
C. storage and distribution of unlicensed software.
D. fewer server connections and less network bandwidth utilization.
99. LDAP (Lightweight Directory Access Protocol) directories are arranged as:

A. linked lists.
B. trees.
C. stacks.
D. queues.
100. An inherent flaw of DAC (Discretionary Access Control) relating to security is:

A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.