Flashcards in Exam SET A Deck (195)
Which of the following items is NOT used to determine the types of
access controls to be applied in an organization?
A. Separation of duties
B. Organizational policies
C. Least privilege
D. Relational categories
Explanation: The item, relational categories, is a distracter. The other options are important determinants of access control implementations in an organization
Which choice below is NOT a generally accepted benefit of security awareness, training, and education?
A. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.
B. A security awareness and training program will help prevent natural disasters from occurring.
C. A security awareness program can help operators understand the value of the information.
D. A security education program can help system administrators recognize unauthorized intrusion attempts.
Explanation: An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:
1. Identify program scope, goals, and objectives.
2 Identify training staff.
3. Identify target audiences.
4. Motivate management and employees.
5. Administer the program.
6. Maintain the program.
7. Evaluate the program.
Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
In biometrics, a one-to-one search to verify an individual's claim of an
identity is called:
A. Audit trail review.
Explanation: The correct answer is Authentication. Answer "Audit trail review." is a review of audit system data, usually done after the fact. Answer "Accountability" is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.
Which one of the following statements is TRUE concerning the Terminal
Access Controller Access Control System (TACACS) and TACACS+?
A. TACACS supports prompting for a password change.
B. TACACS+ employs a user ID and static password.
C. TACACS+ employs tokens for two-factor, dynamic password authentication.
D. TACACS employs tokens for two-factor, dynamic password authentication.
Explanation: The correct answer is "TACACS+ employs tokens for two-factor, dynamic password authentication". TACACS employs a user ID and static password and does not support prompting for password change or the use of dynamic password tokens.
Which statement below is NOT correct about safeguard selection in the
risk analysis process?
A. The most commonly considered criteria is the cost effectiveness of the safeguard.
B. The best possible safeguard should always be implemented, regardless of cost.
C. Maintenance costs need to be included in determining the total cost of the safeguard.
D. Many elements need to be considered in determining the total cost of the safeguard.
Explanation: The correct answer is "The best possible safeguard should always be implemented, regardless of cost.". Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.
Which answer below is the BEST description of a Single Loss Expectancy (SLE)?
A. An algorithm that determines the expected annual loss to an organization from a threat
B. An algorithm that represents the magnitude of a loss to an asset from a threat
C. An algorithm used to determine the monetary impact of each occurrence of a threat
D. An algorithm that expresses the annual frequency with which a threat is expected to occur
Explanation: The correct answer is "An algorithm used to determine the monetary impact of each occurrence of a threat". The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence. Answer a describes the Exposure Factor (EF). The EF is expressed as a percentile of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above.
Answer "An algorithm that expresses the annual frequency with which a threat is expected to occur" describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5 or .2. This figure is used to determine the ALE. Answer d describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.
Which of the following is NOT a type of data network?
Explanation: The correct answer is d. GAN does not exist. LAN stands for Local Area Network, WAN stands for Wide Area Network, and MAN stands for Metropolitan Area Network
Which choice below is NOT a concern of policy development at the high level?
A. Identifying the key business resources
B. Defining roles in the organization
C. Determining the capability and functionality of each role
D. Identifying the type of firewalls to be used for perimeter security
Explanation: The other options are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer "Determining the capability and functionality of each role" is the final step in the policy creation process and combines steps a and "Defining roles in the organization". It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress (Sams Publishing, 2001).
Which is NOT a standard type of DSL?
Explanation: The correct answer is FDSL. FDSL does not exist
A back door into a network refers to what?
A. Mechanisms created by hackers to gain network access at a later time
B. Monitoring programs implemented on dummy applications to lure intruders
C. Undocumented instructions used by programmers to debug applications
D. Socially engineering passwords from a subject
Explanation: Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications. * social engineering is a technique used to manipulate users into revealing information like passwords. * Answer "Undocumented instructions used by programmers to debug applications"refers to a trap door, which are undocumented hooks into an application to assist programmers with debugging. Although intended innocently, these can be exploited by intruders. * "Monitoring programs implemented on dummy applications to lure intruders" is a honey pot or padded cell. A honey pot uses a dummy server with bogus applications as a decoy for intruders. Source: Fighting Computer Crime by Donn B. Parker (Wiley, 1998).
A type of access control that supports the management of access rights for groups of subjects is:
Explanation: Role-based access control assigns identical privileges to groups of users. This approach simplifies the management of access rights, particularly when members of the group change. Thus, access rights are assigned to a role, not to an individual. Individuals are entered as members of specific groups and are assigned the access privileges of that group. In answer Discretionary, the access rights to an object are assigned by the owner at the owner's discretion. For large numbers of people whose duties and participation may change frequently, this type of access control can become unwieldy. Mandatory access control, answer c, uses security labels or classifications assigned to data items and clearances assigned to users. A user has access rights to data items with a classification equal to or less than the user's clearance. Another restriction is that the user has to have a need-to-know the information; this requirement is identical to the principle of least privilege. Answer 'rule-based access control' assigns access rights based on stated rules. An example of a rule is Access to trade-secret data is restricted to corporate officers, the data owner and the legal department.
Which of the following is NOT a property of CSMA?
A. The workstation continuously monitors the line.
B. Workstations are not permitted to transmit until they are given permission from the primary host.
C. It does not have a feature to avoid the problem of one workstation dominating the conversation.
D. The workstation transmits the data packet when it thinks that the line is free.
Explanation: The correct answer is "Workstations are not permitted to transmit until they are given permission from the primary host". The polling transmission type uses primary and secondary hosts, and the secondary must wait for permission from the primary before transmitting.
Which choice below is NOT one of NIST's 33 IT security principles?
A. Assume that external systems are insecure.
B. Minimize the system elements to be trusted.
C. Implement least privilege.
D. Totally eliminate any level of risk.
Explanation: Risk can never be totally eliminated. NIST IT security principle #4 states: Reduce risk to an acceptable level. The National Institute of Standards and Technology's (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, Engineering Principles for Information Technology Security (EP-ITS) in June 2001 to assist in the secure design, development, deployment, and life-cycle of information systems. It presents 33 security principles which start at the design phase of the information system or application and continue until the system's retirement and secure disposal. Some of the other 33 principles are: Principle 1. Establish a sound security policy as the foundation for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 11. Minimize the system elements to be trusted.
Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Principle 23. Use unique identities to ensure accountability.
Principle 24. Implement least privilege.
Source: NIST Special Publication 800-27, Engineering Principles for Infor- mation Technology Security (A Baseline for Achieving Security), and Federal Systems Level Guidance for Securing Information Systems, James Corrie, August 16, 2001 .
What is probing used for?
A. To induce a user into taking an incorrect action
B. To use up all of a target's resources
C. To covertly listen to transmissions
D. To give an attacker a road map of the network
Explanation: The correct answer is "To give an attacker a road map of the network". Probing is a procedure whereby the intruder runs programs that scan the network to create a network map for later intrusion.
Answer "To induce a user into taking an incorrect action" is spoofing, c is the objective of a DoS attack, and d is passive eavesdropping.
Clipping levels are used to:
A. Reduce the amount of data to be evaluated in audit logs.
B. Limit errors in callback systems.
C. Limit the number of letters in a password.
D. Set thresholds for voltage variations.
Explanation: The correct answer is reducing the amount of data to be evaluated by definition. Answer "Limit the number of letters in a password" is incorrect because clipping levels do not relate to letters in a password. Answer "Set thresholds for voltage variations" is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer "Limit errors in callback syste" is incorrect because they are not used to limit callback errors.
An attack that can be perpetrated against a remote user's callback access
B. Call forwarding.
C. A maintenance hook.
D. A Trojan horse.
Explanation: The correct answer is Call forwarding. A cracker can have a person's call forwarded to another number to foil the callback system. Answer "A Trojan horse" is incorrect because it is an example of malicious code embedded in useful code. Answer "A maintenance hook" is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer Redialing is incorrect because it is a distracter.
The definition of CHAP is:
A. Confidential Hash Authentication Protocol.
B. Challenge Handshake Approval Protocol.
C. Confidential Handshake Approval Protocol.
D. Challenge Handshake Authentication Protocol.
Which of the following is NOT a remote computing technology?
Explanation: The correct answer is PGP. PGP stands for Pretty Good Privacy, an email encryption technology.
A relational database can provide security through view relations. Views enforce what information security principle?
A. Least privilege
D. Separation of duties
Explanation: The principle of least privilege states that a subject is permitted to have access to the minimum amount of information required to perform an authorized task. When related to government security clearances, it is referred to as need-to-know. * aggregation, is defined as assembling or compiling units of information at one sensitivity level and having the resultant totality of data being of a higher sensitivity level than the individual components. *Separation of duties requires that two or more subjects are necessary to authorize an activity or task. *inference, refers to the ability of a subject to deduce information that is not authorized to be accessed by that subject from information that is authorized to that subject.
Which statement below is accurate about the reasons to implement a
layered security architecture?
A. A layered approach doesn't really improve the security posture of the organization.
B. A layered security approach is intended to increase the work-factor for an attacker.
C. A good packet-filtering router will eliminate the need to implement a layered security architecture.
D. A layered security approach is not necessary when using COTS products.
Explanation: Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercialoff- the-shelf (COTS) products are used. The current state-of-the-art for security quality in COTS products do not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Source: NIST Special Publication 800-27, Engineering Principles for Infor- mation Technology Security (A Baseline for Achieving Security).
Which of the choices below is NOT an OSI reference model Session Layer protocol, standard, or interface?
B. DNA SCP
Explanation: The Musical Instrument Digital Interface (MIDI) standard is a Presentation Layer standard for digitized music. The other answers are all Session layer protocols or standards. SQL refers to the Structured Query Language database standard originally developed by IBM.
Answer RPC refers to the Remote Procedure Call redirection mechanism for remote clients. ASP is the AppleTalk Session Protocol. DNA SCP refers to DECnet's Digital Network Architecture Session Control Protocol. Source: Introduction to Cisco Router Configuration edited by Laura Chappell (Cisco Press, 1999).
An acceptable biometric throughput rate is:
A. One subject per two minutes.
B. Five subjects per minute.
C. Ten subjects per minute.
D. Two subjects per minute.
A. Not accomplished through the use of a password.
B. The presentation of a user's ID to the system.
C. The verification that the claimed identity is valid.
D. Only applied to remote users.
Explanation: The correct answer is "The verification that the claimed identity is valid.". Answer "The presentation of a user's ID to the system" is incorrect because it is an identification act. Answer c is incorrect because authentication can be accomplished through the use of a password. Answer "Only applied to remote users" is incorrect because authentication is applied to local and remote users.
Which statement about a VPN tunnel below is incorrect?
A. It can be created by implementing node authentication systems.
B. It can be created by implementing IPSec devices only.
C. It can be created by implementing key and certificate exchange systems.
D. It can be created by installing software or hardware agents on the client or network.
Explanation: The correct answer is "It can be created by implementing IPSec devices only". IPSec-compatible and non-IPSec compatible devices are used to create VPNs. The other three answers are all ways in which VPNs can be created.
What is NOT true of a star-wired topology?
A. It has more resiliency than a BUS topology.
B. 10BaseT Ethernet is star-wired.
C. Cabling termination errors can crash the entire network.
D. The network nodes are connected to a central LAN device.
Explanation: The correct answer is "Cabling termination errors can crash the entire network". Cabling termination errors are an inherent issue with bus topology networks.
What are the detailed instructions on how to perform or implement a
Which category of UTP wiring is rated for 100BaseT Ethernet networks?
A. Category 5
B. Category 1
C. Category 2
D. Category 3
E. Category 4
Explanation: Category 5 unshielded twisted-pair (UTP) wire is rated for transmissions of up to 100 Mbps and can be used in 100BaseT Ethernet networks. It is the most commonly installed type of UTP at this time. See Table.
Category 1 twisted-pair wire was used for early analog telephone communications and is not suitable for data.
Category 2 twisted-pair wire, was used in AS/400 and IBM 3270 networks. Derived from IBM Type 3 cable specification. Category 3 twisted-pair wire, is rated for 10 Mbps and was used in 802.3 10Base-T Ethernet
networks, and 4 Mbps Token Ring networks. Category 4 twisted-pair wire, is rated for 16 Mbps and is used in 4/16 Mbps Token Ring LANs. Source: The Electrical Industry Alliance (EIA/TIA-568).
How is an SLE derived?
A. ARO × EF
B. AV × EF
C. (Cost - benefit) × (% of Asset Value)
D. % of AV - implementation cost
Explanation: The correct answer is AV × Ef. A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.
The Simple Security Property and the Star Property are key principles in which type of access control?
Explanation: Two properties define fundamental principles of mandatory access control. These properties are: Simple Security Property. A user at one clearance level cannot read data from a higher classification level. Star Property. A user at one clearance level cannot write data to a lower classification level