
Your organization has signed a contract with the United States military. As part of this contract, all e-mail communication between your organization and the U.S. military must be protected. Which e-mail standard must you use for this communication?

Message Security Protocol (MSP)

Your organization has asked the security team to add terrorist attacks to the organization's business continuity plan. Which type of threat does this represent?

politically motivated threat

As a member of your organization's security team, you are examining all aspects of operations security for your network. You must determine the countermeasures that can be used in operations security. You have already examined the resources and information that must be protected. What is the third asset type that must be examined?

hardware

Which statement is true of the Rijndael algorithm?

Rijndael uses variable block lengths and variable key lengths.

Which function does start and stop bits provide?

They mark the beginning and ending of asynchronous communication.

You have been asked to monitor traffic on your network. While researching the different monitoring methods, you become concerned about monitoring that requires regular updates to ensure its effectiveness. Which type of monitoring requires that updates be regularly obtained to ensure its effectiveness?

signature-based

According to your organization's data backup policy, you must keep track of the number and location of backup versions of the organization's data. What is the main purpose of this activity?

to ensure proper disposal of information



The main purpose of keeping track of the number and location of backup versions is to ensure proper disposal of information.

To restrict access to the backup version, you should implement the appropriate access and physical controls.

To create an audit trail, you should enable event or audit logging.

To demonstrate due diligence, you need to retain event and audit logs.


What is the most important activity that users must undertake while handling confidential data?

logging off from or locking the computer whenever they leave their workstations

What is an agent in a distributed computing environment?

a program that performs services in one environment on behalf of a principal in another environment

To which category of controls does system auditing and monitoring belong?

technical control

Your organization has several diskless computer kiosks that boot via optical media located in the office lobby. Recently, users reported that the diskless computers have been infected with a virus. What should you do to ensure the virus is removed?

Reboot the diskless computers.

In which situation does cross-site scripting (XSS) pose the most danger?

A user accesses a financial organization's site using his or her login credentials.

Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization's site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the user's active session on the client. This will allow the hacker to gain information about the legitimate user that is not publicly available.




Which statement is true of an information processing facility?

The doors and walls of an information processing facility should have the same fire rating, in conformance with safety codes and regulations. Fire extinguishers should be kept at known places in the information facility. Doors must resist forced entry to avoid theft or access to computer systems.

To avoid trapping people during fire and flood, windows should not be shielded with metallic bars.

According to the National Institute of Standards and Technology (NIST), critical areas must be illuminated to a height of eight feet with two foot-candles of intensity.

A critical path analysis can determine the level of protection for an environment by keeping track of environmental components, their interaction, and interdependencies. A critical path analysis includes a redundant path for every critical path to ensure uninterrupted business operation for the organization.

A user in a small office environment explains to you that his office implements a small Microsoft workgroup. Users commonly share folders with each other. Which access control model is represented in this example?

DAC

You need to ensure that data types and rules are enforced in the database. Which type of integrity should be enforced?

semantic integrity

Users access your network using smart cards. Recently, hackers have uncovered the encryption key of a smart card using reverse engineering. Which smart card attack was used?

fault generation

Which Orange Book level is considered mandatory protections and is based on the Bell-LaPadula security model?

(B)


The Trusted Computer System Evaluation Criteria (TCSEC) classifies the systems into hierarchical divisions of security levels ranging from verified protection to minimal security.

The TCSEC-defined levels and the sublevels of security are as follows:

* A: Verified protection offering the highest level of security. An A1 rating implies that the security assurance, design, development, implementation, evaluation, and documentation of a computer is performed in a very formal and detailed manner. An infrastructure containing A1-rated systems is the most secure environment and is typically used to store highly confidential and sensitive information.
* B: Mandatory protection based on the Bell-LaPadula security model and enforced by the use of security labels. A B1 rating refers to labeled security, where each object has a classification label, and each subject has a security clearance level. To access the contents of the object, the subject should have an equal or higher level of security clearance than the object. A system compares the security clearance level of a subject with the object's classification to allow or deny access to the object. The B1 category offers process isolation, the use of device labels, the use of design specification and verification, and mandatory access controls. B1 systems are used to handle classified information.
* A B2 rating refers to structured protection. A stringent authentication procedure should be used in B2-rated systems to enable a subject to access objects by using the trusted path without any backdoors. This level is the lowest level to implement trusted facility management; levels B3 and A1 implement it also. Additional requirements of a B2 rating include the separation of operator and administrator duties, sensitivity labels, and covert storage channel analysis. A B2 system is used in environments that contain highly sensitive information. Therefore, a B2 system should be resistant to penetration attempts.
* A B3 rating refers to security domains. B3 systems should be able to perform a trusted recovery. A system evaluated against a B3 rating should have the role of the security administrator fully defined. A B3 system should provide the monitoring and auditing functionality. A B3 system is used in environments that contain highly sensitive information and should be resistant to penetration attempts. Another feature of B3 rating is covert timing channel analysis. This category specifies trusted recovery controls.
* C: Discretionary protection based on discretionary access of subjects, objects, individuals, and groups. A C1 rating refers to discretionary security protection. To enable the rating process, subjects and objects should be separated from the auditing facility by using a clear identification and authentication process. A C1 rating system is suitable for environments in which users process the information at the same sensitivity level. A C1 rating system is appropriate for environments with low security concerns.
* A C2 rating refers to controlled access protection. The authentication and auditing functionality in systems should be enabled for the rating process to occur. A system with a C2 rating provides resource protection and does not allow object reuse. Object reuse implies that an object should not have remnant data that can be used by a subject later. A C2 system provides granular access control and establishes a level of accountability when subjects access objects. A system with C2 rating is suitable for a commercial environment.
* D: Minimal protection rating that is offered to systems that fail to meet the evaluation criteria.

A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating.

You are developing a new software application for a customer. The customer is currently defining the application requirements. Which process is being completed?

prototyping

Your organization has decided to implement a virtual private network (VPN) so that remote employees can connect to the internal network. You decide to implement the VPN using Layer Two Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec). Which statements are true of Internet Protocol Security (IPSec)?

a. IPSec can work in either tunnel mode or transport mode.
b. IPSec uses encapsulation security payload (ESP) and authentication header (AH) as security protocols for encapsulation.
c. The IPSec framework uses L2TP as the encryption protocol.
d. The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions.
e. IPSec ensures availability of information as a part of the CIA triad.

options a, b, and d

Which type of incident is not usually addressed in a contingency plan?

a hurricane

You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior managers should be able to view the expenses for all departments. Which database security feature provides this granular access control?

database view

What is the best description of cache memory?

memory used for high-speed transfer of data

During a recent security audit of your company's network, contractors suggested that the operating systems on client computers are not sufficiently hardened. Which steps are crucial to ensure that an operating system is hardened?

Disable unnecessary services.

How many bits will be used for the host portion of this address: 157.175.12.10/22?

10

You are designing the procedures for your company's user account review. Which two actions should you include as part of this review?


a. Ensure that all accounts are active.
b. Ensure that there are no duplicate accounts.
c. Ensure that all active accounts have a password.
d. Ensure that all passwords follow the complexity rules.
e. Ensure that all accounts conform to the principle of least privilege.

options c and e only



When implementing user account reviews, you should ensure that all active user accounts have a password and that all user accounts conform to the principle of least privilege.

It is not necessary to ensure that all accounts are active. In most systems, there are usually some inactive accounts. These accounts may be maintained for employees on extended leave. In addition, it is not necessary to ensure that there are no duplicate accounts. Duplicate accounts may be necessary in some cases.

It is not necessary to ensure that all passwords follow the complexity rules. This is part of password maintenance, not account maintenance.

To what could security negligence on behalf of an employee lead?

computer crime



A computer crime can be the immediate result of the negligence of an employee. This is sometimes referred to as victim carelessness.

You are implementing asset identification and change control blueprints. In which phase of the security management life cycle are you engaged?

Implement

Your company has decided to allow users to dial into the network from remote locations. Because security is a major concern for your company, you must implement a system that provides centralized remote user authentication, authorization, and accounting. Which technology should you implement?

RADIUS



You should implement Remote Authentication Dial-In User Service (RADIUS). RADIUS provides centralized remote user authentication, authorization, and accounting. Similar technologies include Terminal Access Controller Access Control System (TACACS), Extended TACACS, TACACS+, and Diameter.



A virtual private network (VPN) is a technology that allows users to access private network resources over a public network, such as the Internet. Tunneling techniques are used to protect the internal resources.

Your organization uses the Clark-Wilson security model. Which statement is true of this model?

The model provides data integrity.



The Clark-Wilson security model is an integrity model that provides integrity of data by preventing unauthorized modifications by unauthorized users and improper modifications by authorized users. The Clark-Wilson model maintains internal and external consistency.

Ethernet LAN technology

The Ethernet LAN technology does NOT use a multistation access unit (MAU) as its central device. This is the central device used in the Token Ring technology. Token Ring networks were defined by IEEE 802.5. Token Ring supports full duplex transmission using carrier sense multiple access with collision avoidance (CSMA/CA).

Ethernet supports full duplex transmissions. It uses carrier sense multiple access with collision detection (CSMA/CD). It is defined by IEEE 802.3.

Full-duplex can transmit and receive information in both directions simultaneously. The transmissions can be asynchronous or synchronous. In asynchronous transmission, a start bit is used to indicate the beginning of transmission. The start bit is followed by data bits, and then one or two stop bits follow to indicate the end of the transmission. Because start and stop bits are sent with every unit of data, the actual data transmission rate is lower than half-duplex because the overhead bits are used for synchronization and do not carry information. In this mode, data is sent only when it is available and the data is not transmitted continuously. In synchronous transmission, the transmitter and receiver have synchronized clocks and the data is sent in a continuous stream. The clocks are synchronized by using transitions in the data and, therefore, start and stop bits are not required for each unit of data sent.

Half-duplex transmissions are transmissions in which information can be transmitted in two directions, but only one direction at a time. Simplex transmissions refer to communication that takes place in one direction only.

Which security framework acts as a model for IT governance and focuses more on operational goals?

CobiT



The Control Objectives for Information and related Technology (CobiT) is a security framework that acts as a model for IT governance and focuses more on operational goals.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a security framework that acts as a model for corporate governance and focuses more on strategic goals. The COSO framework is made up of the following components:

* Control Environment
* Risk Assessment
* Control Activities
* Information and Communication
* Monitoring

ISO 17799 is made up of the following domains:

* Information security policy for the organization
* Creation of information security infrastructure
* Asset classification and control
* Personnel security
* Physical and environmental security
* Communications and operations management
* Access control
* System development and maintenance
* Business continuity management
* Compliance

This standard shows security frameworks, such as CobiT and COSO, how to actually achieve the security goals through best practices.

British Standard 7799 (BS7799) is the standard on which ISO 17799 is based.


Which encryption algorithm is based on the Diffie-Hellman key agreement?

ElGamal



ElGamal is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement. It is used for digital signatures, encryption of data, and key exchange. The mathematical functions in the ElGamal algorithm calculate discrete logarithms in a finite field.

HAVAL is a hashing algorithm and not an encryption algorithm. It processes 1024-bit block sizes of information. HAVAL creates message digests of variable sizes rather than a fixed output value. HAVAL produces hashes in lengths of 128, 160, 192, 224, and 256 bits.

Knapsack is an asymmetric encryption algorithm. It is not based on the Diffie-Hellman key agreement.

International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks of data, requires a 128-bit key, and performs eight rounds of computation. The Pretty Good Privacy (PGP) encryption software uses IDEA.

Which security rating addresses the use of covert channel analysis?

The B2 security rating addresses the use of covert channel analysis in a system. Covert channel analysis is an operational assurance requirement that is specified in the Orange Book. It is required for B2 class systems to protect against covert storage channels. It is required for B3 class systems to protect against both covert storage and covert timing channels.

The Trusted Computer System Evaluation Criteria (TCSEC) classifies the systems into hierarchical divisions of security levels ranging from verified protection to minimal security.

The TCSEC-defined levels and the sublevels of security are as follows:

* A: Verified protection offering the highest level of security. An A1 rating implies that the security assurance, design, development, implementation, evaluation, and documentation of a computer is performed in a very formal and detailed manner. An infrastructure containing A1-rated systems is the most secure environment and is typically used to store highly confidential and sensitive information. This level specifies trusted distribution controls.
* B: Mandatory protection based on the Bell-LaPadula security model and enforced by the use of security labels. A B1 rating refers to labeled security, where each object has a classification label and each subject has a security clearance level. To access the contents of the object, the subject should have an equal or higher level of security clearance than the object. A system compares the security clearance level of a subject with the object's classification to allow or deny access to the object. The B1 category offers process isolation, the use of device labels, the use of design specification and verification, and mandatory access controls. B1 systems are used to handle classified information.
* A B2 rating refers to structured protection. A stringent authentication procedure should be used in B2-rated systems to enable a subject to access objects by using the trusted path without any backdoors. This level is the lowest level to implement trusted facility management; levels B3 and A1 implement it also. Additional requirements of a B2 rating include the separation of operator and administrator duties, sensitivity labels, and covert storage channel analysis (but NOT covert timing analysis). A B2 system is used in environments that contain highly sensitive information. Therefore, a B2 system should be resistant to penetration attempts.
* A B3 rating refers to security domains. B3 systems should be able to perform a trusted recovery. A system evaluated against a B3 rating should have the role of the security administrator fully defined. A B3 system should provide the monitoring and auditing functionality. A B3 system is used in environments that contain highly sensitive information and should be resistant to penetration attempts. Another feature of B3 rating is covert timing channel analysis.
* C: Discretionary protection based on discretionary access of subjects, objects, individuals, and groups. A C1 rating refers to discretionary security protection. To enable the rating process, subjects and objects should be separated from the auditing facility by using a clear identification and authentication process. A C1 rating system is suitable for environments in which users process the information at the same sensitivity level. A C1 rating system is appropriate for environments with low security concerns.
* A C2 rating refers to controlled access protection. The authentication and auditing functionality in systems should be enabled for the rating process to occur. A system with a C2 rating provides resource protection and does not allow object reuse. Object reuse implies that an object should not have remnant data that can be used by a subject later. A C2 system provides granular access control and establishes a level of accountability when subjects access objects. A system with C2 rating is suitable for a commercial environment.
* D: Minimal protection rating that is offered to systems that fail to meet the evaluation criteria.

A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating.

Therefore, all the other options are incorrect.

Which function is NOT included in the authority of a security administrator?

authorizing user privileges



Authorizing users and their privileges is not included in the authority of a security administrator. An information owner performs the task of defining privileges for users. The information owner decides which user should have access to which set of resources in an organization. Supervisors or managers also have a part in this function because they must keep data owners and security administrators informed of any role changes.

A security administrator's primary job responsibilities include adding and removing user accounts, creating passwords, configuring user rights and privileges, conducting an audit analysis, and applying and modifying file sensitivity labels.

A data custodian's primary job responsibilities include performing backups of critical data, starting and shutting down of systems, validating data integrity, and installation of hardware and software.