146 Cards in this Set

Intrusion detection systems are complemented by:
Padded Cell systems, honey pots, and vulnerability analysis.
An organization is experiencing excessive employee turnover. Which access control technique will work best?
Role-based access control.
A straightforward way of granting or denying access for specified users?
An Access control list.
Password management is an example of what type of control?
Preventive.
Spoofing is the unauthorized use of legitimate identification and authentication.
A discretionary access control model uses an access control matrix that places the names of users (subjects) in each row and the names of objects (files or programs) in each column of the matrix.
Mandatory access control (MAC) restricts access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearances) of the subjects to access information of such sensitivity.
A discretionary access control mechanism allows users to grant or revoke access to any of the objects; therefore each user is the same.
Sniffing precedes?
Spoofing.
Spoofing is an active attack.
Which of the following is not an example of attacks on data and information?

Hidden code
inference
spoofing
traffic analysis
spoofing.
Access control mechanisms include?
Logical, physical, and administrative controls.
Honey pot systems do not contain

event triggers
sensitive monitors
sensitive data
event loggers
Sensitive data.
Passwords and personal identification numbers are examples of?

Procedural access controls
physical access controls
logical access controls
administrative access controls
Logical access controls.
The lattice security model is an example of which of the following access control models?

DAC
Non-DAC
MAC
Non-MAC
Non-DAC
Intrusion detection systems look at security policy violations

statically
dynamically
linearly
non-linearly
Dynamic.
Three branches of common law?
Criminal law, tort law, and administrative law.
Criminal law can be based on common law, statutory law, or a combination of both.
Tort law deals with civil wrongs against an individual or business entity.
Administrative law is concerned with the governance of public bodies and the designation of power to administrative agencies, commissions, boards, and professional associations.
Which of the following is an example of symmetric key encryption?

MD5
DES
RSA
MD4
DES
Which of the following is a hash algorithm?

DES
IDEA
3DES
MD5
MD5
Zero-knowledge proof is used in which of the following applications?

Public-key encryption process
Zeroization process
degaussing operation
data remanence operation
Public-key encryption process
IPSEC uses which of the following for negotiation to take place?

Diffie-Hellman Exchange
IPSEC SA
ISAKMP SA
RSA exchange
ISAKMP (Internet Security Association and Key Management Protocol)
The key length of the secure hash algorithm (SHA-1) is which of the following?

112 bits
128 bits
160 bits
256 bits
160 bits.

The key length of SHA-1 is 160 bits. The SHA-1 is used to generate a condensed representation of a message called a message digest. SHA-1 is a technical revision of SHA.
A birthday attack is targeted at which of the following?

MD5
SSL
SLIP
SET
MD5

The attack is based on probabilities: it finds two messages that hash to the same value and then exploits that collision to attack.
Key management provides the foundation for the secure generation, storage, distribution, and translation of cryptographic keys.
10. A fundamental principle for protecting cryptographic keys includes which of the following?

a. Zeroization and total knowledge
b. Split knowledge and dual control
c. Single control and formal proof
d. Zero-knowledge proof and triple control
Split knowledge and dual control
11. Which of the following is not a critical component of cryptographic key management system?

a. A point-to-point environment
b. A key distribution center environment
c. A key translation center environment
d. A key disclosure center environment
A key disclosure center environment

A cryptographic key management system must have three components to operate: a point-to-point environment (choice a), a key distribution center environment (choice b), and a key translation center environment (choice c).
The freeware product Tripwire is which of the following?

a. It is a file integrity checker
b. It is a file confidentiality checker
c. It is a file availability checker
d. It is a file damage checker
A file integrity checker.
18. Which of the following plays a critical role in ensuring the integrity of public keys in the commercial sector PKI?

a. Registration authority, RA
b. Access Certification for Electronic Services, ACES
c. Federal Technology Services, FTS
d. Certification authority, CA
Certification Authority
19. Which of the following provides the level of "trust" required for the digital certificates to reliably complete a transaction?

a. Certificate policy, CP
b. Certification practices statement, CPS
c. Identity proofing
d. Outsourcing
Identity proofing
20. Which of the following is good practice for organizations issuing digital certificates?

a. Develop a consulting agreement
b. Develop an employment agreement
c. Develop a subscriber agreement
d. Develop a security agreement
Develop a subscriber agreement
22. Which of the following is required to accept digital certificates from multiple vendor certification authorities?

a. The application must be PKI-enabled
b. The application must be PKI-aware
c. The application must use X.509 Version 3
d. The application must use PKI-vendor "plug-ins"
X.509 Version 3
25. Which of the following will mitigate threat to integrity when private key cryptography is used?

a. Message authentication code
b. Message identifier
c. Message header
d. Message trailer
Message Authentication code
26. Which of the following will mitigate threat to integrity when public key cryptography is used?

a. Data checksums and secure hashes
b. Public key signatures and secure hashes
c. Cyclic redundancy checks and secure hashes
d. Simple checksums and secure hashes
Public key cryptography
27. Which of the following will mitigate threat to non-repudiation?

a. Secure hashes
b. Message digest 4
c. Message digest 5
d. Digital signatures and certificates
Digital signatures and certificates
28. Which one of the following certificate authorities (CA) is subordinate to another CA and has a CA subordinate to itself?

a. Root CA
b. Superior CA
c. Intermediate CA
d. Subordinate CA
Intermediate CA
29. The Advanced Encryption Standard (AES) algorithms are:

a. Very slow and very strong
b. Very fast and very weak
c. Very fast and very strong
d. Very slow and very weak
Very fast and very strong
30. Which of the following is not a valid PKI architecture?

a. Gateway architecture
b. Hierarchical architecture
c. Mesh architecture
d. Bridge architecture
Gateway architecture
31. Which of the following protect the X.509 public key certificate?

a. DSA and SHA-1
b. DES and SHA
c. 3DES and MD4
d. IDEA and MD5
DSA and SHA-1
32. Which of the following provides a unique user ID for a digital certificate?

a. User name
b. User organization
c. User e-mail
d. User message digest
User message digest
33. Which of the following is not included in the digital signature standard (DSS)?

a. Digital signature algorithm, DSA
b. Data encryption standard, DES
c. Rivest, Shamir, Adelman algorithm, RSA
d. Elliptic curve digital signature algorithm, ECDSA
Data encryption standard, DES
34. The major components of IPSEC include which of the following?

a. SPI, FH, and SPE
b. SPI, AH, and ESP
c. SPI, RH, and PSE
d. SPI, KH, and EPS
SPI, AH, and ESP

A security parameter index (SPI), authentication header (AH), and encapsulating security payload (ESP) are the major components of IPSEC.
39. Which of the following is an example of public-key cryptographic systems?

a. MAC and DAC
b. DES and 3DES
c. RSA and IDEA
d. RSA and DSS
RSA and DSS
Elliptic curve systems are which of the following?

1. Asymmetric algorithms
2. Symmetric algorithms
3. Public-key systems
4. Private-key systems
Asymmetric algorithms and public-key systems
Data encryption standard (DES) cannot provide which of the following security services?

a. Encryption
b. Access control
c. Integrity
d. Authentication
Authentication

DES provides encryption, access control, integrity, and key management standards. It cannot provide authentication services.
The elliptic curve system uses which of the following to create digital signatures?

a. A hash algorithm
b. A prime algorithm
c. An inversion algorithm
d. A linear algorithm
A hash algorithm
The key exchange algorithm (KEA) requires which of the following?

a. A 256-bit prime modulus
b. A 512-bit prime modulus
c. A 768-bit prime modulus
d. A 1024-bit prime modulus
A 1024-bit prime modulus
Which of the following is not true about one-time pad?

a. It is breakable
b. Each key is used only once
c. It is unbreakable
d. Each key is used for only one message
It is breakable
Which one of the following uses a private-key system?

a. RSA algorithm
b. Knapsack algorithm
c. Rijndael algorithm
d. El Gamal algorithm
Rijndael algorithm

The Rijndael algorithm is a symmetric block cipher using a private-key system that can process data blocks of 128 bits.
The Rijndael algorithm uses which of the following?

a. Advanced encryption standard, AES
b. Data encryption standard, DES
c. Digital signature standard, DSS
d. Key exchange algorithm, KEA
Advanced encryption standard, AES

The National Institute of Standards and Technology (NIST) selected the Rijndael algorithm as the advanced encryption standard (AES).
The key length of the Rijndael algorithm is which of the following?

a. Fixed
b. Variable
c. Semi-fixed
d. Semi-variable
Variable

For flexibility and strength, the Rijndael algorithm uses variable key lengths of 128 to 256 bits.
Cryptographic key management is a difficult problem for which of the following?

a. Symmetric-key algorithms
b. Asymmetric-key algorithms
c. Hybrid-key algorithms
d. Hash-key algorithms
Symmetric-key algorithms
The advanced encryption standard (AES) algorithm is currently not capable of using which of the following?

a. 128 bits
b. 192 bits
c. 256 bits
d. 320 bits
320 bits
The National Institute of Standards and Technology (NIST) selected which of the following as the advanced encryption standard (AES)?

a. MARS algorithm
b. Serpent algorithm
c. Rijndael algorithm
d. Twofish algorithm
Rijndael algorithm
The SHA and HMAC provide the basis for which of the following?

a. Data integrity
b. Confidentiality
c. Authentication
d. Non-repudiation
Data integrity

The secure hash algorithm (SHA) and hash-based message authentication code (HMAC) provide the basis for data integrity in electronic communications. They do not provide confidentiality and are a weak tool for authentication or non-repudiation.
Which of the following is not part of PKI data structures?

a. Public key certificate
b. Certificate revocation lists
c. Attribute certificate
d. Subject certificate
Subject certificate

CAs must also issue and process CRLs, which are lists of certificates that have been revoked. The X.509 attribute certificate binds attributes to an attribute certificate holder. This definition is being profiled for use in Internet applications. Subject certificate is meaningless here.
Which of the following is an example of asymmetric encryption algorithm?

a. Diffie-Hellman
b. DES
c. 3DES
d. IDEA
Diffie-Hellman

The concept of public-key cryptography (asymmetric encryption algorithm) was introduced by Diffie-Hellman in order to solve the key management problem with symmetric algorithms. Choices (b), (c), and (d) are examples of symmetric encryption algorithms.
Which of the following are examples of cryptographic hash functions?

a. SHA and 3DES
b. DES and CBC
c. MD5 and SHA-1
d. DAC and MAC
MD5 and SHA-1
MD5 and SHA-1 execute much faster and use less system resources than typical encryption algorithms.
Which of the following statements is true about hash functions?

a. They produce a larger message digest than the original message
b. They produce a much smaller message digest than the original message
c. They produce the same size message digest as the original message
d. They produce a very large message digest compared to the original message
They produce a much smaller message digest than the original message
Which of the following is the best technique to detect duplicate transactions?

a. ECDSA and SHA
b. ECDSA and SHA-1
c. ECDSA and MID
d. ECDSA and MD5
ECDSA and MID

When the Elliptic Curve Digital Signature Algorithm (ECDSA) is used in conjunction with a message identifier (MID), it provides the capability of detecting duplicate transactions. The MID operates on checking the sequence number of transactions.
Countermeasures against replay attacks do not include which of the following?

a. Time-stamps
b. Protocols
c. Nonces
d. Kerberos
Protocols
A cryptographic module is undergoing testing. Which of the following provides the highest level of testing?

a. At the algorithm level
b. At the module level
c. At the application level
d. At the product level
At the application level
Which of the following should be used to prevent an eavesdropping attack from remote access to firewalls?

a. File encryption
b. Bulk encryption
c. Session encryption
d. Stream encryption
Session encryption
The X.509 Version 3 standard, compared to previous versions, provides which of the following?

a. Authentication
b. Encryption
c. Interoperability
d. Digital signature
Interoperability
"A communication channel that allows a process to transfer information in a manner that violates the system's security policy" is called a(n):

a. Communication channel
b. Covert channel
c. Exploitable channel
d. Overt channel
Covert channel

This is the definition of a covert channel. A communication channel is the physical media and device that provides the means for transmitting information from one component of a network to other components (choice a). An exploitable channel is usable or detectable by subjects external to the Trusted Computing Base, TCB (choice c). An overt channel is a path within a network designed for the authorized transfer of data (choice d). This is in contrast to a covert channel.
There are four rating divisions from A through
Which of the following is an example of asynchronous attack?

a. Data diddling attack
b. Time diddling attack
c. TOC/TOU attack
d. Salami attack
In a time-of-check to time-of-use (TOC/TOU) attack, a print job under one user's name is exchanged with a print job for another user. Asynchronous attacks use time differentials.
"All users must have formal access approval" is required by which of the following?

a. Compartmented security mode
b. System-high security mode
c. Controlled mode
d. Limited access mode
System-high security mode.

The system-high security mode requires that if the system processes special access information, all users must have formal access approval.
Which of the following contains a security kernel, some trusted-code facilities, hardware, and some communication channels?

a. Security domain
b. Security model
c. Security perimeter
d. Security parameters
Security perimeter

A security perimeter is a boundary within which security controls are applied to protect information assets. The security domain (choice a) is a set of elements, a security policy, an authority, and a set of relevant activities. The security model (choice b) is a formal presentation of the security policy enforced by the system. Examples of security parameters (choice d) include passwords and encryption keys.
The totality of protection mechanisms used for enforcing a security policy is which of the following?

a. Trusted computing base
b. Trusted path
c. Trusted software
d. Trusted subject
Trusted computing base.

The Trusted Computing Base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy.
Which of the following TCSEC Orange Book divisions enforce mandatory access control rules?

a. Division A
b. Division B
c. Division C
d. Division D
Division B.

A major requirement of Division B is to preserve the integrity of sensitivity labels and use them to enforce a set of mandatory access control rules.
Which of the following fits the description "A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information"?

a. Boundary system
b. Trusted system
c. Open system
d. Closed system
Trusted system.

An open system is a vendor-independent system designed to readily connect with other vendors' products. A closed system is the opposite of an open system. Boundary system is meaningless here.
A factor favoring acceptability of a covert channel is which of the following?

a. High bandwidth
b. Low bandwidth
c. Narrow bandwidth
d. Broad bandwidth
Low bandwidth

Factors favoring acceptability of a covert channel include low bandwidth and the absence of application software that can exploit covert channels.
Which of the following creates a covert channel?

a. Use of fixed labels
b. Use of variable labels
c. Use of floating labels
d. Use of non-floating labels
Use of floating labels

The covert channel problem resulting from the use of floating labels can lead to erroneous information labels but cannot be used to violate the access control policy enforced by the fixed labels. A fixed label contains a "sensitivity" level and is the only label used for access control. The floating label contains an "information" level that consists of a second sensitivity level and additional security markings.
Which of the following are used to perform data inferences?

a. Memory and CPU channels
b. Exploitable and detectable channels
c. Storage and timing channels
d. Buffer and overt channels
Storage and timing channels.

Sensitive information can be inferred by correlating data on storage media or by observing timing effects of certain operations. Storage and timing channels are kinds of covert channel, where an unauthorized communications path is used to transfer information in a manner that violates a security policy.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
A self-guided assessment developed by Carnegie Mellon University.

OCTAVE phases:

1. Identify critical assets and corresponding threats
2. Identify vulnerabilities exposing the threats
3. Develop a protection strategy.
The Federal Information Technology Security Assessment Framework (FITSAF)
A NIST standard. It can be used inside and outside the government.

FITSAF has five levels, called the capability maturity model:

1. Documented
2. Completed
3. Implemented
4. Measured
5. Pervasive

The expectation is that agencies are to achieve level 4 and ultimately level 5.
Infosec Assessment Methodology (IAM)

Generally uses level one only.
Developed by the NSA. A detailed process for examining information system vulnerabilities.

Level 1: Non-intrusive baseline analysis
Level 2: Hands-on evaluation
Level 3: Penetration testing (red team)

Phases:
1. Pre-assessment phase
2. On-site phase
3. Post-assessment phase
The Reference Monitor concept is which of the following?

a. It is a system access control concept
b. It is a system penetration concept
c. It is a system security concept
d. It is a system monitoring concept
It is a system access control concept.

The Reference Monitor concept is an access control concept that refers to an abstract machine mediating all accesses to objects by subjects. It is useful to any system providing multilevel secure computing facilities and controls.
Which of the following is a malicious code that replicates using a host program?

a. Boot sector virus
b. Worm
c. Multi-partite virus
d. Common virus
Common virus.

A common virus is code that plants a version of itself in any program it can modify. It is a self-replicating code segment attached to a host executable. The boot sector virus works during computer booting, where the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. A multi-partite virus combines both sector and file infector viruses.
Which of the following is not an example of built-in security features?

a. Authentication controls were designed during a system development process
b. Fail-soft security features were installed
c. Least-privilege principles were installed during the post-implementation period
d. Fail-safe security features were implemented
Least-privilege principles were installed during the post-implementation period

Built-in security means that security features are designed into the system during its development, not after. Any feature that is installed during post-implementation of a system is an example of built-on security, not built-in. Security and control features must be built in from a cost/benefit perspective.
An effective defense against computer viruses does not include which of the following?

a. Program change controls
b. Virus scanning programs
c. Integrity checking
d. System isolation
Virus scanning programs

Computer virus defenses are expensive to use, ineffective over time, and ineffective against serious attackers. Virus scanning programs are effective against viruses that have been reported and ineffective against new viruses or viruses written to attack a specific organization. Program change controls limit the introduction of unauthorized changes. Redundancy can often be used to facilitate integrity. Integrity checking with cryptographic checksums in integrity shells is important. System or equipment isolation to limit the spread of viruses is good too.
A system assurance is which of the following?

a. Discrete and fixed
b. Continuum and fixed
c. Continuum and variable
d. Discrete and variable
Continuum and variable

System assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes. Assurance is essential; without it the security objectives such as availability, integrity, confidentiality, and accountability are not met. However, assurance is a continuum; the amount of assurance needed varies between systems.
Which of the following artificial neural networks is faster than the others?

a. Feedforward networks
b. Feedback networks
c. Competitive learning networks
d. Optical neural networks
Optical neural networks

Since optical neural networks use optical signals, the computers using them are much faster than others. Feedforward networks (choice a) transform patterns of input signals into patterns of output signals. In feedback networks (choice b), output from any unit goes to all the other units, which process it and in turn send back their output or feed it back to the first unit. Ultimately, all the units become stabilized. In competitive learning networks (choice c), some input nodes learn from other input nodes in an unsupervised learning mode. The input values can be zero, one, or any real number, positive or negative. The three networks mentioned in choices (a), (b), and (c) use electronic transmission of signals while choice (d) uses optical signals.
Which of the following is an example of both preventive and detective control?

a. Audit trails
b. Antivirus software
c. Policies and procedures
d. Contingency plans
Antivirus software

Antivirus software is a preventive control in that it will stop a known virus from getting into a computer system. It is also a detective control since it will notify when a known virus is found. Audit trails are detective controls; policies and procedures are directive controls, while contingency plans are an example of recovery controls.
Which of the following loses its contents when the power is turned off?

a. Real storage
b. Primary storage
c. Secondary storage
d. Volatile storage
Volatile storage

Random access memory (RAM) is semiconductor-based memory that can be read by and written to by the CPU or other hardware devices. The term RAM generally indicates volatile memory that can be written to as well as read. It loses its contents when the power is turned off. Real storage is the amount of RAM memory in a system. Primary storage is the main general-purpose storage. Secondary storage is the amount of space available in disks and tapes.
Structured Query Language (SQL) security threats include which of the following?

a. Data retrieval and manipulation
b. Aggregation and inference
c. Schema definition and manipulation
d. Transaction and diagnostic management
Aggregation and inference.

Aggregation is the result of assembling or combining distinct units of data when handling sensitive information. Aggregation of data at one sensitivity level may result in all of the data being designated at a higher sensitivity level. Inference is the derivation of new information from known information. The inference problem refers to the fact that the derived information may be classified at a level for which the user is not cleared. Items included in choices (a), (c), and (d) are functions and features of SQL.
A data dictionary is which of the following?

a. It is a central catalog of programs
b. It is a central catalog of processes
c. It is a central catalog of data
d. It is a central catalog of objects
Central catalog of data

A data dictionary is a tool to help organizations control their data assets by providing a central catalog of data. The data dictionary requires security protection.
Which of the following is not a risk by itself for a Structured Query Language (SQL) server?

a. Concurrent transactions
b. Dead lock
c. Denial of service
d. Loss of data integrity
Concurrent transactions

Choices (b), (c), and (d) are risks resulting from handling concurrent transactions. The SQL server must ensure orderly access to data when concurrent transactions attempt to access and modify the same data. The SQL server must provide appropriate transaction management features to ensure that tables and elements within the tables are synchronized.
A database relation containing multiple rows with the same primary key is called a(n):

a. Polyinstantiation
b. Polymorphism
c. Inference
d. Aggregation
Polyinstantiation

Polyinstantiation allows a relation to contain multiple rows with the same primary key. The multiple instances are distinguished by their security levels. In polymorphism, a name may denote objects of many different classes that are related by some common superclass. Inference is derivation of new information from known information. Aggregation is the result of assembling distinct units of data when handling sensitive information.
A data warehouse contains which of the following?

a. Raw data
b. Massaged data
c. Source data
d. Transaction
Massaged data
Security controls and audit trails should be built into computer systems in which of the following system development life cycle (SDLC) phases?

a. System initiation phase
b. System development phase
c. System implementation phase
d. System operation phase
System development phase

During the system development phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During this phase, functional users in conjunction with system/security administrators will develop system controls and audit trails used during the operational phase.
Which of the following levels of the Software Capability Maturity Model (SCMM) deals with security requirements?

a. Initial level
b. Repeatable level
c. Defined level
d. Optimizing level
Repeatable level

In the repeatable level, system requirements are defined; these include security, performance, quality, and delivery dates. The purpose is to establish a common understanding between the customer and the software development project team.
Which of the following is not a method to conduct data leakage attacks?

a. Trojan horse
b. Asynchronous attacks
c. Logic bombs
d. Scavenging methods
Asynchronous attacks

Data leakage is removal of data from a system by covert means. Data leakage might be conducted through the use of Trojan horse, logic bomb, or scavenging methods. Asynchronous attacks are indirect attacks on a computer program that act by altering legitimate data or codes at a time when the program is idle, then causing the changes to be added to the target program at later execution.
Inference attacks are based on which of the following?

a. Hardware and software
b. Firmware and freeware
c. Data and information
d. Middleware and courseware
Data and information attack

An inference attack is where a user or an intruder is able to deduce information to which he had no privilege from information to which he has privilege.
Which of the following infects both boot sectors and file infectors?

a. Worm
b. Link virus
c. Multi-partite
d. Macro
Multi-partite

Multi-partite viruses are a combination of both sector and file infector viruses, which can be spread by both methods. A worm is a self-replicating, self-contained program and does not require a host program. Link viruses manipulate the directory structure of the media on which they are stored, pointing the operating system to virus code instead of legitimate code. Macro viruses are stored in a spreadsheet or word processing document.
Which of the following tools is most useful in detecting security intrusions?

a. Data mining tools
b. Data optimization tools
c. Data reorganization tools
d. Data access tools
data mining tools




Data mining is a set of automated tools that convert the data in the data
warehouse to some useful information. It selects and reports information deemed significant from a data
warehouse or database. Data mining techniques can also be used for intrusion detection, fraud detection, and
auditing the databases. One may apply data mining tools to detect abnormal patterns in data, which can provide
clues to fraud. Data optimization tools improve database performance. Data reorganization tools help relocate
the data to facilitate faster access. Data access tools help in reaching the desired data.
Countermeasures against hidden code attacks include which of the following?

1. Use war dialing software
2. Use firewalls
3. Use layered protections
4. Disable active-content code
Use layered protections and disable active-content code

Hidden code attacks are based on data and information. Using layered
protections and disabling active-content code (e.g., Active-X and JavaScript) from the Web browser are
effective controls against such attacks. War dialing software is good against trap door attacks and firewalls
are effective against spoofing attacks.
Countermeasures against time-of-check to time-of-use (TOC/TOU) attacks include which of the following?

1. Use traffic padding techniques
2. Apply task sequence rules
3. Apply encryption tools
4. Implement strong access controls
apply task sequence rules and apply encryption tools.



A TOC/TOU attack is an example of an asynchronous attack that takes
advantage of timing differences between two events. Applying task sequence rules combined with encryption
tools is effective against such attacks. The traffic padding technique is effective against traffic analysis attacks,
and access controls are good against data inference attacks.
Polyinstantiation approach is designed to solve which of the following problems?

a. Lack of tranquility
b. Lack of reflexivity
c. Lack of transitivity
d. Lack of duality
lack of tranquility






Lack of tranquility exposes what has been called the "multiple update conflict"
problem. The polyinstantiation approach is the solution to this problem. Tranquility is a property applied to a set
of controlled entities saying that their security level may not change. The principle behind tranquility is that
changes to an object’s access control attributes are prohibited as long as any subject has access to the object.
Reflexivity and transitivity are two basic information flow properties. Duality is a relationship between
nondisclosure and integrity.
Which of the following viruses had the maximum number of encounters?

a. JavaScript
b. VisualBasic Script
c. Macro
d. File infector
Macro virus






According to the ICSA survey, macro viruses have the maximum number of
encounters per 1000 PCs per month.
How is a Common Gateway Interface (CGI) script vulnerable?

a. Because it can be interpreted
b. Because it gives root access
c. Because it accepts checked input
d. Because it can be precompiled
It can be interpreted




CGI scripts are interpreted, not precompiled. As such, there is a risk
that a script can be modified in transit and not perform its original actions. CGI scripts should not accept
unchecked input.
Identify the vulnerability which searches the network for idle computing resources and executes the
program in small segments?

a. Computer viruses
b. Trojan horses
c. Worms
d. Asynchronous attacks
worms



Worms fit the description. Choice (a) is incorrect because a computer virus
"reproduces" by making copies of itself and inserting them into other programs. Choice (b) is incorrect because
a Trojan horse is a program that looks "normal" but contains harmful program code within it. Choice (d) is
incorrect because asynchronous attacks perform indirect attacks on the program by altering legitimate data or
codes at a time when the program is idle, then causing the changes to be added to the target program at later
execution.
What is the name of the malicious act of a computer program looking normal but containing harmful code?

a. Trap door
b. Trojan horse
c. Worm
d. Time bomb
Trojan horse.
Computer viruses continue to pose a threat to the following computer services except:

a. Integrity
b. Availability
c. Confidentiality
d. Usability
confidentiality




Confidentiality is not affected by the presence of computer viruses in computer
systems since confidentiality is ensuring that data is disclosed only to authorized subjects. However, computer
viruses affect integrity, availability, and usability. Computer programs can be deleted or modified thus losing
their integrity (choice a), the computer system may not be available due to disruption or denial of computer
services (choice b), and end users may not be able to use the system due to loss of files or disruption of services
(choice d).
Which of the following anti-virus methods is used the most?

a. Anti-virus software scans hard drives at every login
b. Users check diskettes and downloads for viruses
c. Anti-virus software scans full-time in the background
d. Anti-virus software scans every boot-up
d
Programmers frequently create entry points into a program for debugging purposes and/or insertion of new
program codes at a later date. These entry points are called:

a. Logic bombs
b. Worms
c. Trap doors
d. Trojan horses
Trap doors




Trap doors are also called hooks and back doors. Choice (a) is incorrect
because a logic bomb is a program that triggers an unauthorized, malicious act when some predefined condition
occurs. Choice (b) is incorrect because the worm searches the network for idle computing resources and uses
them to execute the program in small segments. Choice (d) is incorrect because a Trojan horse is a production
program that has access to otherwise unavailable files and is changed by adding extra, unauthorized
instructions. It disguises computer viruses.
A macro virus is most difficult to:

a. Prevent
b. Detect
c. Correct
d. Attach
Detect.
Which of the following is most vulnerable to Trojan horse attacks?

a. Discretionary access control
b. Mandatory access control
c. Access control list
d. Logical access control
Discretionary access control




Because the discretionary access control system restricts access based on
identity, it carries with it an inherent flaw that makes it vulnerable to Trojan horse attacks. Most programs that
run on behalf of a user inherit the discretionary access control rights of that user.
Which of the following is the best place to check for computer viruses?

a. At each computer
b. At each workstation
c. At the e-mail server
d. At each network
At the e-mail server




Virus checkers monitor computers and look for malicious code. A problem
is that virus-checking programs need to be installed at each computer, workstation, or network thus duplicating
the software at extra cost. The best place to use the virus-checking programs is to scan e-mail attachments at
the e-mail server. This way, the majority of viruses are stopped before ever reaching the users.
Which of the following is a Trojan horse in a Windows operating system environment?

a. ICQ
b. IMAP
c. Back Orifice
d. WinNuke
Back Orifice




Back Orifice is a Trojan horse that allows a user to remotely control a
Windows 95/98 host with an easy-to-use graphical user interface (GUI). ICQ is a sophisticated chat program
that stands for "I-Seek-You." The Internet message access protocol (IMAP) allows users to download their email
from a server. WinNuke freezes a Windows 95 host by sending it out-of-band TCP data.
A polymorphic virus uses which of the following?

a. An inference engine
b. A heuristic engine
c. A mutation engine
d. A search engine
a mutation engine






Virus writers use a mutation engine to transform simple viruses into
polymorphic ones for proliferation purposes.
With respect to computer viruses, a major confusion with the term "Remove" is which of the following?

a. Remove means deletion of the virus from an infected file
b. Remove requires re-installation of the operating system
c. Remove means deletion of files
d. "Remove" and "Clean" are used interchangeably
"Remove" and "Clean" are used interchangeably








To remove or clean a virus means to eliminate all traces of it, returning the
infected items to their original, uninfected state. Nearly all viruses are theoretically removable by reversing the
process by which they infected. However, any virus that damages the item it has infected by destroying one
or more bytes is not removable, and the item needs to be deleted and restored from backups in order for the
system to be restored to its original, uninfected state. There is a gap between theory and practice. In practice,
a removable virus is one that the antivirus product knows how to remove. The term "clean" is sometimes used
for remove and sometimes used to refer to the destruction of viruses by any method. Thus deleting a file that
is infected might be considered cleaning the system. This is not an appropriate use of the term "clean." [ICSA]
Which of the following is true about a stealth virus?

a. It is very easy to detect
b. It is a resident virus
c. It will reveal file size increase
d. It need not be active to show stealth qualities
it is a resident virus.









A stealth virus is a resident virus that attempts to evade detection by
concealing its presence in infected files. An active stealth file virus will typically not reveal any size increase
in infected files, and it must be active to exhibit its stealth qualities.
Certification and accreditation needs must be considered in all of the following stages of system
development except:
a. Validation
b. Verification
c. Testing
d. Maintenance
Maintenance.
A security evaluation report and an accreditation statement are produced in which of the following phases
of the system development life cycle?

a. Requirements definition phase
b. Design phase
c. Development phase
d. Testing phase
testing phase.






Major outputs from the testing phase include the security evaluation report
and accreditation statement. The purpose of the testing phase is to perform various tests (unit, integration, system, acceptance). Security is tested to see if it works and is then certified.
Which of the following phases of a system development life cycle should not be compressed for the proper
development of a prototype?

a. System initiation
b. System definition
c. System testing
d. System design
system testing





System testing is important to determine whether internal controls and security
controls are operating as designed and are in accordance with established policies and procedures. In the
prototyping environment, there is a tendency to compress system initiation, definition, design, programming,
and training phases. However, the testing phase should not be compressed for quality reasons.
The activity that would be different between a prototype development approach and the traditional system
development approach is:

a. How activities are to be accomplished
b. What users need from the system
c. What a project plan should contain
d. How individual responsibilities are defined
how activities are to be accomplished








Managers still need to define what they want from the system, some
assessment of costs/benefits is still needed, and a plan to proceed with individual responsibilities is still
required. The difference may be in the way activities are accomplished. The tools, techniques, methods, and
approaches used in the prototype development project and traditional system development project are different.
A general testing strategy for conducting an application software regression testing includes which of the
following sequence of tasks?

a. Read, insert, and delete
b. Precompile, link, and compile
c. Prepare, execute, and delete
d. Test, debug, and log
Prepare, execute, and delete.






Each test program involves preparing the executable program, executing it,
and deleting it. This saves space on mass storage, and it generates a complete log. This approach is
recommended for debugging and validating purposes. Read, insert, and delete include the transfer of all rows
from Table A to Table B in that a table is read, inserted, and deleted. A source program is precompiled, linked,
and compiled to become an object or executable program.
In the software capability maturity model (SCMM), continuous process improvement takes place in which
of the following levels?

a. Managed level
b. Optimizing level
c. Defined level
d. Repeatable level
optimizing level.
Chapter 8: Business Continuity Planning & Disaster Recovery Planning
CISSP Examination Textbooks - Practice 467
Which of the following is a prerequisite to developing a disaster recovery plan?

a. Business impact analysis
b. Cost-benefit analysis
c. Risk analysis
d. Management commitment
Cost-benefit analysis





Management commitment and involvement are always needed for any major
program, and developing a disaster recovery plan is no exception. Better commitment leads to greater funding
and support. All the other choices come after management commitment.
Which of the following uses both qualitative and quantitative tools?

a. Anecdotal analysis
b. Business impact analysis
c. Descriptive analysis
d. Narrative analysis
Business impact analysis.



The purpose of business impact analysis (BIA) is to identify critical
functions, resources, and vital records necessary for an organization to continue its critical functions. In this
process, the BIA uses both quantitative and qualitative tools. Choices (a, c, and d) are examples that use
qualitative tools. Anecdotal records constitute a description or narrative of a specific situation or condition.
With respect to BCP/DRP, risk analysis is part of which of the following?

a. Cost-benefit analysis
b. Business impact analysis
c. Backup analysis
d. Recovery analysis
Business impact analysis


The risk analysis is usually part of the business impact analysis. It estimates
both the functional and financial impact of a risk occurrence to the organization and identifies the costs to
reduce the risks to an acceptable level through the establishment of effective controls. Choices (a), (c) and (d)
are part of choice (b).
With respect to BCP/DRP, single point of failure means which of the following?

a. No production exists
b. No vendor exists
c. No redundancy exists
d. No maintenance exists
No redundancy exists.
With respect to BCP/DRP, business impact analysis (BIA) identifies which of the following?

a. Threats and risks
b. Costs and impacts
c. Exposures and functions
d. Events and operations
Threats and risks.



BIA is the process of identifying an organization’s exposure to the sudden loss
of selected business functions and/or the supporting resources (threats) and analyzing the potential disruptive
impact of those exposures (risks) on key business functions and critical business operations. Th
Which of the following disaster recovery plan testing approaches is not recommended?

a. Desk-checking
b. Simulations
c. End-to-end testing
d. Full-interruption testing
Full-interruption testing.



Senior manager





The senior manager of a business unit or division should have ownership for
its business continuity plan because of his broad role and responsibility in the organization. The parties
mentioned in other choices do not have the same authority and power to make things happen.
What is the purpose of a business continuity plan?
a. To sustain business operations
b. To recover from a disaster
c. To test the business continuity plan
d. To develop the business continuity plan
To sustain business operations




Continuity planning involves more than planning for a move off-site after a
disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in
the event of disruptions, both large and small. This broader perspective on continuity planning is based on the
distribution of computer use and support throughout an organization. The goal is to sustain business
operations.
What is an alternate processing site that is equipped with telecommunications but not computers?
a. Cold site
b. Hot site
c. Warm site
d. Redundant site
A warm site




A warm site has telecommunications ready to be utilized but does not have
computers. A cold site is an empty building for housing computer processors later but equipped with
environmental controls (e.g., heat, air conditioning) in place. A hot site is a fully equipped building ready to
operate quickly. A redundant site is configured exactly like the primary site.
The business impact analysis should critically examine the business processes and which of the
following?
a. Composition
b. Priorities
c. Dependencies
d. Service levels
Dependencies




The business impact analysis examines business process composition and
priorities, business or operating cycles, service levels, and, most importantly, the business process dependency
on mission-critical information systems.
The main body of a contingency or disaster recovery plan document should not address which of the
following?
a. What
b. When
c. How
d. Who
how




The plan document contains only the why, what, when, where, and who, not
how. The "how" deals with detailed procedures and information required to carry out the actions identified and
assigned to a specific recovery team. This information should not be in the formal plan as it is too detailed and
should be included in the detail reference materials as an appendix to the plan.


The "why" describes the need for recovery, the "what" describes the critical processes and resource
requirements, the "when" deals with critical time frames, the "where" describes recovery strategy, and the
"who" indicates the recovery team members and support organizations. Keeping the "how" information in the
plan document confuses people, making it hard to understand and creating a maintenance nightmare.
Which of the following contingency plan test results is most meaningful?
a. Tests met all planned objectives in restoring all database files
b. Tests met all planned objectives in using the latest version of the operating systems software
c. Tests met all planned objectives using files recovered from backups
d. Tests met all planned objectives using the correct version of access control systems software
Tests met all planned objectives using files recovered from backups




The purpose of frequent disaster recovery tests is to ensure recoverability.
Review of test results should show that the tests conducted met all planned objectives using files recovered from
the backup copies only. This is because of the "no backup, no recovery" principle. Recovery from backup also
shows that the backup schedule has been followed regularly. Storing files at a secondary location (off-site) is
preferable to the primary location (on-site) because it ensures continuity of business operations if the primary
location is destroyed or inaccessible.
If the disaster recovery plan is being tested for the first time, which of the following testing options can
be combined?
a. Checklist testing and simulation testing
b. Simulation testing and full-interruption testing
c. Checklist testing and structured walk-through testing
d. Checklist testing and full-interruption testing
Checklist testing and structured walk-through testing.




The checklist testing will ensure that all the items on the checklists have been
reviewed and considered. During structured walk-through testing the team members meet and walk through
the specific steps of each component of the disaster recovery process and find gaps and overlaps. Simulation
testing simulates a disaster during nonbusiness hours so normal operations will not be interrupted. Full-interruption
testing is not recommended since it activates the total disaster recovery plan. This test is costly and
disruptive to normal operations and requires senior management’s special approval.
In disaster recovery plan testing, parallel testing can be performed in conjunction with which of the
following testing options?
a. Checklist testing
b. Dry run testing
c. Full-interruption testing
d. Structured walk-through testing
Checklist testing




A parallel test can be performed in conjunction with the checklist test or
simulation test. All reports produced at the alternate site should agree with those reports produced at the
primary site. A checklist can be used to make sure that all steps are performed. The other three choices do not
work well with parallel tests.
All of the following are misconceptions about a disaster recovery plan except:
a. It is an organization’s assurance to survive
b. It is a key insurance policy
c. It manages the impact of LAN failures
d. It manages the impact of natural disasters
It is an organization's assurance to survive.




surprises and survival. In today’s environment, a LAN failure can be as
catastrophic as a natural disaster, such as a tornado. Insurance does not cover every loss. Choices (b), (c), and
(d) are misconceptions. What is important is to focus on the major unexpected events and implement
modifications to the plan as necessary to reclaim control over the business. The key is to ensure
survival in the long run.
Which of the following recovery plan test results would be most useful to management?
a. Elapsed time to perform various activities
b. Amount of work completed
c. List of successful and unsuccessful activities
d. Description of each activity
List of successful and unsuccessful activities




Management is interested to find out what worked (successful) and what did
not (unsuccessful) after a recovery from a disaster. The idea is to learn from experience.
Which of the following is not an example of procedure-oriented disaster prevention activity?
a. Backing up current data and program files
b. Performing preventive maintenance on computer equipment
c. Testing the disaster recovery plan
d. Housing computers in a fire-resistant area
Housing computers in a fire-resistant area.


Housing computers in a fire-resistant area is an example of the physically-oriented
disaster prevention category, while the other three choices are examples of procedure-oriented activities.
Procedure-oriented actions relate to tasks performed on a day-to-day, month-to-month, or annual
basis or otherwise performed regularly. Housing computers in a fire-resistant area with a noncombustible or
charged sprinkler area is not regular work. It is part of a computer center building construction plan that
happens once in a great while.
Which of the following statements is true about contingency planning tests?
a. The results of a test should be viewed as either pass or fail
b. The results of a test should be viewed as practice for a real emergency
c. The results of a test should be used to assess whether the plan worked or did not work
d. The results of a test should be used to improve the plan
The results of a test should be used to improve the plan



In the case of contingency planning, a test should be used to improve the plan.
If organizations do not use this approach, flaws in the plan may remain hidden or uncorrected.
The major threats that a contingency plan should address include:
a. Physical threats, software threats, and environmental threats
b. Physical threats and environmental threats
c. Software threats and environmental threats
d. Hardware threats and logical threats
Physical threats and environmental threats


Physical and environmental controls help prevent contingencies. Although
many of the other controls, such as logical access controls, also prevent contingencies, the major threats that
a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing
breaks, or natural disasters.
Risks in the use of cellular radio and telephone networks during a disaster include:
a. Security and switching office
b. Security and redundancy
c. Redundancy and backup power systems
d. Backup power systems and switching office
Security and switching office



The airwaves are not secure and a mobile telephone switching office can be
lost during a disaster. The cellular company may need a diverse route from the cell site to another mobile
switching office.
Which of the following computer backup alternative sites is the least expensive method and the most
difficult to test?
a. Non-mobile hot site
b. Mobile hot site
c. Warm site
d. Cold site
cold site.




A cold site is an environmentally protected computer room equipped with air
conditioning, wiring, and humidity control for continued processing when the equipment is shipped to the
location. The cold site is the least expensive method of backup site, but the most difficult and expensive to test.
Which of the following pair of phrases is the best example of operating watchwords to remember in
developing computer contingency plans?
a. No policy, no procedure
b. No ring, no write
c. No backup, no recovery
d. No security, no protection
No backup, no recovery


It is a fact that there is no recovery without a backup. A procedure is linked
to a policy. There is no protection without security controls. No backup, no recovery is applicable to a
contingency plan.
Physical disaster prevention and preparedness begins when:
a. a data center site is constructed
b. new equipment is added
c. a new operating system is installed
d. a new room is added to existing computer center facilities
a data center site is constructed



The data center should be constructed in such a way as to minimize exposure
to fire, water damage, heat, or smoke from adjoining areas. Other considerations include raised floors,
sprinklers, or fire detection and extinguishing systems and furniture made of noncombustible materials. All
these considerations should be taken into account in a cost-effective manner at the time the data (computer)
center is originally built. Add-ons will not only be disruptive but also costly.