
(ISC)2 CISSP Exam Bundle

Number: CISSP
Passing Score: 800
Time Limit: 120 min
File Version: 34.4

http://www.gratisexam.com/

(ISC)2 CISSP Exam Bundle

Exam Name: (ISC)2 Certified Information Systems Security Professional

For Full Set of Questions please visit: http://www.visualexams.com/CISSP.htm


Exam A

QUESTION 1
Diane, Kris, and Kathy are IT managers who all report to the division VP, Marge. Diane’s group handles all firewall administration tasks. Kris’s group handles user accounts, and Kathy’s group manages help desk support. No one from Diane’s group can do the tasks that Kris’s and Kathy’s groups do. The same can be said for Kris’s and Kathy’s people. What security control is Marge enforcing?

A. Job rotation
B. Mandatory vacations
C. Separation of duties
D. Dual control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Marge’s IT division has several critical departments and functions. For example, entering user account information and configuring firewalls are two important and different tasks that, if handled by the same person, could create a huge vulnerability. By dividing the group into different functioning units, Marge has effectively implemented a separation of duties security control.

QUESTION 2
Chrissy is a new employee at a coffee shop. She meets three other co-workers on her first day. Since they all work different shifts, sometimes opening the store and sometimes closing the store, they have been given the store security code. Chrissy asks her boss if she will get the code, and her boss says "No, you won’t need it because you’re working the mid-day shift." What security principle is the coffee shop manager implementing?

A. Physical control
B. Least privilege
C. Separation of duties
D. Collusion

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The least privilege principle dictates that users should only be given the lowest level of access permissions required to do their job. Because Chrissy will not be opening or closing the store, she does not need to know the security code for the store’s alarm system.

QUESTION 3
Recently passed over for an executive promotion, Carol is anxious to hear about a major company announcement which will most likely reveal the new hire. Knowing that the PR department does not regularly shred documents, she snoops around the hallways after hours, and finds a memo next to the printer that gives her the information that will be released to the public next week. What kind of attack has Carol committed?

A. Social engineering
B. Eavesdropping
C. Passive attacking
D. Dumpster diving

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Dumpster diving is the act of sorting through trash bins and taking documents without permission. By taking the private memo from a printer station, Carol is guilty of dumpster diving, which is an active attack.

QUESTION 4
Jan needs to be able to structure the company's network resources in a hierarchical manner so that all users can access them after being properly authenticated. Which of the following arranges objects in a hierarchical structure?

A. X.509 directory
B. X.500 directory
C. X.300 directory
D. X.309 directory

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Most directories follow a hierarchical database format, based on the X.500 standard. The primary concept of X.500 is that there is a single Directory Information Tree (DIT), a hierarchical organization of entries which is distributed across one or more servers, called Directory System Agents (DSA).

QUESTION 5
Kevin changes his e-mail header so that Kim thinks his message is coming from an IT administrator who is asking for her private account information. This attack could be characterized as all of the following except:

A. Spoofing
B. Passive
C. Masquerading
D. Social engineering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Kevin's actions are all of the listed types of attacks except passive. This was an active attack because he was actually doing and manipulating something. Examples of passive attacks are eavesdropping or wiretapping, versus actively changing the header of a message.

QUESTION 6
Charlie is a hacker who has managed to plant a software agent on Steve’s computer and has uninterrupted access to it. He is using Steve’s computer to inflict malicious code throughout the internal network. What term could be used to describe Steve’s computer?

A. Zombie
B. Trapdoor
C. Master
D. Threat agent

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Attackers commonly gain access to many zombie computers by fooling users into installing zombie software. The zombie software can be spread through e-mail attachments, spyware, or Trojan horses. The zombie software commonly lies dormant until it is called upon by the attacker to attack a victim. Many users' systems are being used to attack others without the users being aware of this activity.

QUESTION 7
An attack that changes the source IP address of an ICMP ECHO request packet so it appears as though it came from the victim and is broadcast to an amplifying network can be called all of the following except:

A. Smurf
B. ICMP storm
C. DoS
D. Tunneling

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Tunneling is an attack that utilizes low-level functionality to infiltrate a system. A smurf attack is a denial-of-service attack. The attacker changes an ICMP ECHO request packet's source IP address to that of the victim. The attacker then broadcasts the ICMP packets to an amplifying network. Each computer will respond and send an ICMP ECHO reply to the victim. The goal is to overwhelm the victim.

QUESTION 8
Which exploit builds its attack around "half-open" connections?

A. Ping flooding
B. SYN flooding
C. Trojan horses
D. Worms

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A SYN flood is when an attacker sends a victim several SYN packets with spoofed source addresses. Each time the victim receives a SYN packet, it will set up resources for a connection. The connections are never fully built because the victim never receives the ACK packets from the attacker. This is why it is referred to as a "half-open" connection attack.

QUESTION 9
Which of the following is not a physical access control?

A. Turnstiles
B. Fencing
C. Host-based IDS
D. Exterior lighting

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Host-based intrusion detection systems (IDS) are considered technical or logical controls because they exist within computer systems and monitor activities. The other controls all exist to provide some type of physical protection.

QUESTION 10
Since 9/11, airport parking garages now keep cars further away from the terminal entrance. What is this an example of?

A. An administrative control
B. A technical control
C. An environmental control
D. A physical control

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Bollards are often used to protect buildings from traffic or simply as a deterrent from anything getting too close to the building. Since 9/11, many airports have put bollards in the parking spaces that used to hold cars and trucks. Now, a portion of the lots close to the terminal are left vacant to protect the building and people from potential terrorist attacks.

QUESTION 11
Because identification is critical to the issue of accountability, companies should follow strict guidelines. Which would not be considered a good practice in implementing identification access control?

A. Enforce naming standards
B. IDs should be unique
C. IDs should be job descriptive
D. IDs must be easily validated

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Identification should never be job descriptive. Giving the attacker a tip as to what the user does can be advantageous to him. This information can give the attacker an idea of the type of access this user would have, and this data could be used in social engineering attacks. IDs should be generic in this regard so that the name does not give away what the user does within the organization.

QUESTION 12
"Something you know, something you have, and something you are" represents the three possible factors of ___________.

A. Identification
B. Authentication
C. Authorization
D. Availability

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The three possible ways that a person can be authenticated are by "something you know, something you have, and something you are". There are various authentication technologies that can be used to authenticate users by forcing them to prove one or more of these things.

QUESTION 13
Single sign-on systems have a main strength and a main weakness. Choose the best answer exposing this strength and weakness.

A. Users do not need to remember multiple passwords, but access to many systems can be obtained by cracking only one password, making it less secure.

B. They allow the user to make use of very simple passwords; it puts undue burden on IT to administer the system.

C. They force the user to make use of stronger passwords; it makes it easier for users but encourages little attention to security policies.

D. They remove the burden of remembering multiple passwords from users; users need to type the same password when confronted with authentication requests for different resources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Users do not need to remember multiple passwords, but access to many systems can be obtained by cracking only one password, making it less secure. If an attacker was able to uncover one credential set, he would have access to every resource within the environment that the compromised account has access to. This is certainly true, but one of the goals is that if a user only has to remember one password, and not ten, then a more robust password policy can be enforced. If the user has just one password to remember, then it can be more complicated and secure because he does not have nine other ones to remember also.

QUESTION 14
How can logging play a role in stopping security breaches in a system?

A. Logging is the activity of collecting system information that will be used for monitoring and auditing to enable early detection of security problems.

B. Logging is the cataloging of performance issues to fight intruders.

C. Logging plays a very minimal role in system security; it is used more as a housekeeping measure than as a factor in an effective security policy.

D. Logging is the process of identifying user errors and not security breaches.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Logging is the activity of collecting system information that will be used for monitoring and auditing to enable early detection of security problems. Accountability is tracked by recording user, system, and application activities. This recording is done through auditing functions and mechanisms within an operating system or application. Audit trails contain information about operating system activities, application events, and user actions.

QUESTION 15
Which of the following best describes the architecture of a Kerberos authentication system?

A. An architecture with a central server that issues tickets to allow one principal (for instance, a user) to authenticate themselves to another (such as a server).

B. A peer-to-peer system where peers authenticate themselves directly with other peer machines.

C. A centralized system where all password information and authentication logic are stored on a centralized machine.

D. A single sign-on architecture used for remote dial-in users to authenticate to a domain controller.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Kerberos is made up of a key distribution center (KDC), a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service. It provides an architecture with a central server that issues tickets to allow one principal (for instance, a user) to authenticate themselves to another (such as a server).

QUESTION 16
Your office is implementing an access control policy based on decentralized administration, which is controlled directly by the owners and creators of files. What is the major advantage and disadvantage of such an approach?

A. It puts access control into the hands of those most accountable for the information, but requires security labels for enforcement.

B. It puts access control into the hands of those most accountable for the information, but leads to inconsistencies in procedures and criteria.

C. It puts access control into the hands of IT administrators, but leads to procedures and criteria that are too rigid and inflexible.

D. It puts access control into the hands of IT administrators, but forces them to overly rely upon the file owners to implement the access controls IT puts in place.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A decentralized access control administration method gives control of access to the people closer to the resources: the people who may better understand who should and should not have access to certain files, data, and resources. In this approach, it is often the functional manager who assigns access control rights to employees. An organization may choose to use a decentralized model if its managers have better judgment regarding which users should be able to access different resources, and there is no business requirement that dictates strict control through a centralized body.

QUESTION 17
What is access control?

A. A method of ensuring that a subject (user, program, or process) is the entity it claims to be

B. Requiring the subject to provide a second piece to the credential set, as in a password, passphrase, cryptographic key, or token

C. Security features that control how users and systems communicate and interact with other systems and resources

D. Controlling how an active object accesses a passive subject

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. Access is the flow of information between a subject and an object. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information.

QUESTION 18
An accurate picture of the use and acceptance of biometrics is:

A. Relatively inexpensive, well received by society, and highly accurate
B. Very expensive, moderately received by society, and moderately accurate
C. Very expensive, very well received by society, and highly accurate
D. Very expensive, not well received by society, and highly accurate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (such as iris, retina, or fingerprint) provide more accuracy, because physical attributes typically don't change, absent some disfiguring injury, and are harder to impersonate.

QUESTION 19
Your biometric system has been known to accept imposters. This is known as which type of error?

A. CER
B. Bio-acceptance error
C. Type I
D. Type II

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
When a biometric system rejects an authorized individual, it is called a Type I error (false rejection rate). When the system accepts impostors who should be rejected, it is called a Type II error (false acceptance rate). The goal is to obtain low numbers for each type of error, but Type II errors are the most dangerous and thus the most important to avoid.

QUESTION 20
What type of operating parameter can an administrator set that would lock out a user after so many failed attempts at logon?

A. Clipping Level
B. Password checker
C. Account expiry
D. Password History

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised. This baseline is referred to as a clipping level. Once this clipping level has been exceeded, further violations are recorded for review. Most of the time, IDS software is used to track these activities and behavior patterns, because it would be too overwhelming for an individual to continually monitor stacks of audit logs and properly identify certain activity patterns. Once the clipping level is exceeded, the IDS can e-mail a message to the network administrator, send a message to his phone, or just add this information to the logs, depending on how the IDS software is configured.

QUESTION 21
The type of token device that employs a challenge response mechanism is which of the following?

A. One-time password generator
B. Token generator
C. Synchronous
D. Asynchronous

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A token device using an asynchronous token-generating method employs a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value sent earlier, the user is authenticated.

QUESTION 22
What would be a common access control technique used in firewalls and routers for processing packets?

A. Role-based Access Control
B. Rule-based Access Control
C. Time-based access control
D. Context access control rules

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object. It is based on the simple concept of "if X then Y" programming rules, which can be used to provide finer-grained access control to resources. Before a subject can access an object in a certain circumstance, it must meet a set of predefined rules. Many routers and firewalls use rules to determine which types of packets are allowed into a network and which are rejected. Rule-based access control is a type of compulsory control, because the administrator sets the rules and the users cannot modify these controls.

QUESTION 23
A digital identity is made up of attributes, entitlements, and traits. Which of the following has the incorrect mapping when considering these identity characteristics?

A. Attributes = department, role in company, shift time, clearance
B. Entitlements = resources available to user, authoritative rights in the company
C. Traits = biometric information, height, sex
D. None of the above

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A user's identity can be a collection of her attributes (department, role in company, shift time, clearance, and others), her entitlements (resources available to her, authoritative rights in the company, and so on) and her traits (biometric information, height, sex, and so forth). So if a user requests access to a database that contains sensitive employee information, an IdM solution could need to pull together the necessary identity information and her supplied credentials before she is authorized access. If the user is a senior manager (attribute), with a Secret clearance (attribute), and has access to the database (entitlement), she is granted the permissions Read and Write to certain records in the database Monday through Friday, 8 A.M. to 5 P.M. (attribute).

QUESTION 24
Which of the following is not a result of a penetration test?

A. Modify access control permissions
B. Identify network vulnerabilities
C. Evaluate IDS effectiveness
D. Evaluate incident response procedures

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Penetration testing does not involve making any changes or modifications within a network. Instead it involves determining what vulnerabilities exist so that changes can be made after the fact. Some penetration tests are stealthy in nature so that not only are vulnerabilities identified, but the detection and reaction capabilities of the company's IDS and security incident response team are also evaluated.

QUESTION 25
Most operating systems and applications allow for administrators to configure the data that will be captured in audit logs for security purposes. Which of the following is the least important item to be captured in audit logs?

A. System performance output data
B. Last user who accessed the device
C. Number of unsuccessful access attempts
D. Number of successful access attempts

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
For security purposes it can be important to capture the identity of the user who recently accessed a device and the number of successful and unsuccessful access attempts. Although logs are commonly used to track a system's performance and for troubleshooting, this question asked which item was least important to be captured for security purposes.


QUESTION 26
What is the difference between a pharming attack and a phishing attack?

A. Pharming involves DNS poisoning and phishing involves social engineering
B. Phishing involves DNS poisoning and pharming involves social engineering
C. Pharming involves DNSSEC and phishing involves TOC/TOU
D. Pharming involves DNSSEC and phishing involves social engineering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers lure, or fish, for sensitive data through various different methods. A similar type of attack is called pharming, which redirects a victim to a seemingly legitimate, yet fake, web site. In this type of attack, the attacker carries out something called DNS poisoning, in which a DNS server resolves a host name into an incorrect IP address.

QUESTION 27
What would be a good reason for the use of thin clients for a company that wants to implement stronger access control?

A. Limits user to the functions and capabilities of a secured operating system
B. Fewer desktops to purchase
C. User training reduced
D. Programs become more readily available to users

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
From a security perspective, thin clients can be effective because they restrict users to the operating system of a server that the administrator can control. Thin clients are called "thin" because they have a limited operating system of their own. The other answers all provide benefits of using thin clients, but they are not security benefits.

QUESTION 28
When determining what biometric access control system to buy, which factor should be given the least amount of weight?

A. User acceptance
B. Accuracy of the control
C. Processing speed of the control
D. Reporting capabilities

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The primary considerations that should be put into the purchasing and implementation of biometric access controls are user acceptance, accuracy, and processing speed. Although reporting capabilities can be useful, it is the most insignificant of the list.

QUESTION 29
Microprobing is an attack that would most likely be targeted towards which of the following?

A. Smart card
B. RSA algorithm
C. Cipher lock
D. Password-protected laptop

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Microprobing is an invasive attack used on smart cards where the card’s surface is exploited in order to alter the integrated circuit. The protective coating on the card's circuits is stripped away and the attacker taps directly into the circuit.

QUESTION 30
Which of the following has an incorrect definition?

A. Deterrent - Intended to discourage a potential attacker
B. Preventive - Intended to avoid an incident from occurring
C. Corrective - Fixes components or systems after an incident has occurred
D. Recovery - Intended to bring controls back to regular operations
Detective - Helps authorize an incident's activities
Compensating - Controls that provide for an alternative measure of control
Directive - Mandatory controls that have been put in place due to regulations or environmental requirements

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Each control works at a different level of granularity, but it can also perform different functionalities. The different functionalities of access controls are preventive, detective, corrective, deterrent, recovery, compensating, and directive. Detective controls help identify incident activities, not authorize them.


Exam B

QUESTION 1
Monica is the IT director of a large printing press. She has been made aware of several attempts of brute force password attacks within the past weeks. Which of the following reactions would suit Monica best?

A. Reduce the clipping level
B. Find a more effective encryption mechanism
C. Increase employee awareness through warning banners and training
D. Implement spyware protection that is integrated into the current antivirus product

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
The best method to prevent this type of attack is to reduce the clipping level. The clipping level in this case would be the number of failed login attempts that are allowed. With this tactic, Monica could set specific target accounts to lock out after two or three failed attempts. This would allow the authorized users to continue using their normal accounts, but stop the brute-force guessing attempts from being successful.

QUESTION 2
Writing company security policy is what type of control?

A. Technical
B. Physical
C. Administrative
D. Detective

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Administrative controls are management-driven actions that usually reveal themselves in the form of policies, directives, advisories, and procedures. Security policies, awareness training, and incident response planning are all examples of administrative controls.

QUESTION 3
Which of the following attacks requires the least amount of skill?

A. Dictionary
B. Shoulder surfing
C. Social engineering
D. Birthday

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Shoulder surfing is the simplest form of snooping. The most novice of computer users could look over the shoulder of her neighbor and obtain some type of sensitive information. This is the reason that most applications and operating systems present asterisks while a user is typing in his password: so that no one can easily obtain it through shoulder surfing.

QUESTION 4
Which of the following is not a true statement about viruses?

A. Exist in disguise usually through a common program or file
B. Number one objective is to take up system resources
C. Usually initiates after a user action, such as opening an attachment
D. Requires a host application

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Viruses require host applications to replicate. They commonly attempt to hide their existence, and are many times activated after a specific user activity. Although some viruses are developed specifically to carry out a denial of service attack by using up available resources, this is not the number one objective for all viruses. The number one objective is usually to spread itself from one host to another host and execute its payload.

QUESTION 5
An old laptop used by a network technician has many device configuration files, passwords, and text strings on it even though the data has been erased. What is this type of information known as?

A. Sanitized data
B. Data remanence
C. Degaussed data
D. Data mining

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Data remanence is a security vulnerability that exists when used computing devices are not properly sanitized. A person or group should be designated to perform sanitization on all devices that will be reused by others, so that private or sensitive data is not placed into the wrong hands.

QUESTION 6
Companies that practice "separation of duties" force two or more employees to carry out __________ in order to carry out fraud.

A. Collision
B. Collusion
C. Dual control
D. Job rotation

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Collusion is two or more people working together to carry out a crime or fraudulent activities. By separating critical job functions, companies effectively force employees to have to work together to commit fraud. The chances of this happening are far less than one person deciding on her own to commit fraud.

QUESTION 7
Traditional access control process uses all but which of the following?

A. Access control lists
B. Directory services
C. Provisioning
D. Profiles

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The traditional identity management process has been manual, using directory services with permissions, access control lists (ACLs), and profiles. This approach has proven incapable of keeping up with complex demands and thus has been replaced with automated applications rich in functionality that work together to create an identity management infrastructure. Provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.

QUESTION 8
Why are biometric systems considered more accurate than many of the other types of authentication technologies in use today?

A. They are less accurate
B. They are harder to circumvent than other mechanisms
C. Biometric systems achieve high CER values
D. They have less Type I errors than Type II errors

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (such as iris, retina, or fingerprint) provide more accuracy, because physical attributes typically don't change, absent some disfiguring injury, and are harder to impersonate. CER and Type I and II errors pertain only to biometric systems and not to any other authentication technologies.


QUESTION 9
Choose the following answer that has the correct definitions for False Rejection Rate and False Acceptance Rate.

A. False Acceptance Rate is a Type I error and False Rejection Rate is a Type II error.
B. False Acceptance Rate is the value of authorized individuals who were improperly rejected and False Rejection Rate is a Type I error.
C. False Rejection Rate is a Type I error and False Acceptance Rate is the number of imposters who were rejected.
D. False Rejection Rate is the amount of authorized users who were improperly rejected and the False Acceptance Rate is a Type II error.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A False Acceptance Rate is a Type II error and is when an imposter is authenticated. False Rejection Rate is a Type I error and is when a user who should be authenticated is rejected. These errors are used to measure the accuracy of biometric systems.

QUESTION 10
If John books his flight on Southwest, the web site asks him if he wants to also book a hotel room. If he clicks "Yes," he could then be brought to the Hilton web site, which provides him with information on the closest hotel to the airport he is flying into. Now, to book a room he does not have to log in again. What type of functionality are these websites using?

A. Federated identity
B. HTTP state management
C. Identity management
D. HTTP splitting

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce. It is essentially when one organization agrees to trust another organization's authentication of a user, and provide them a degree of access based on that authentication.

QUESTION 11
There are different types of biometric systems in the industry today. Some make authentication decisions based on behavior and some make authentication decisions based on physical attributes. Which of the following is the best description of their differences?

A. A system that uses physical attributes provides more accuracy than one that uses behavior attributes.
B. A system that uses behavior attributes provides more accuracy than one that uses physical attributes.
C. A fingerprint system is an example of a physical attribute and an iris system is an example of a behavior system.
D. A voice print system is an example of a behavior and signature dynamics is an example of a physical attribute.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics and voice prints, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because they do not change as often and are harder to impersonate.

QUESTION 12
What is a salt and what is it used for in a Linux or Unix system?

A. A salt is a value that is used to encrypt passwords before they are stored in the registry.
B. A salt is a value that adds randomness to the process of encrypting passwords.
C. A salt is also called a shadow file, and is not readable by all users.
D. A salt is the utility that is used to encrypt and hash passwords.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
UNIX and Linux systems do not use registries and SAM databases, but contain their user passwords in a file called /etc/passwd. A password is used to encrypt a block of bits with a one-way function and the resulting value is stored in this file. Salts are random values that are added to the encryption process to add more randomness. The more randomness in the encryption process, the harder it is for attackers to decrypt and uncover your password.

QUESTION 13
Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes what this type of system is?

A. A biometric system that bases authentication decisions on physical attributes
B. An authentication system that creates one-time passwords that are encrypted with secret keys
C. A biometric system that bases authentication decisions on behavioral attributes
D. An authentication system that uses passphrases that are converted into virtual passwords

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
There are two main types of synchronized token one-time password generators, counter-based and time-based. If the token device and authentication service use counter-synchronization, the user will need to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. This is the user's one-time password. Counter-based is also referred to as event-based.

QUESTION 14
A passphrase is turned into a virtual password, but what exactly is a virtual password?

A. The length and format that is required for a specific system or application
B. When a passphrase is turned into an encryption key
C. A hashed version of the passphrase
D. An encrypted version of the passphrase

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A virtual password is the length and format that is required by the application. The application could have a memory segment of 128 bits to store your virtual password while another application may have a memory segment of 256 bits. The virtual password is just the result of your passphrase after it has been hashed or encrypted and converted into the format that is required for a specific application.

QUESTION 15
Which of the following is a true statement pertaining to the different types of smart cards and their characteristics?

A. A contact smart card has its own power supply and communicates to a reader through an interface.
B. A contactless smart card has an antenna and communicates to the reader through radio waves.
C. A contact smart card contains a combi chip, which supplies it with a power supply.
D. A contactless smart card and a contact smart card are the same, except the contact smart card has its own power supply and the contactless card does not.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Two general categories of smart cards are the contact and the contactless types. When a contact card is fully inserted into a card reader, electrical fingers wipe against the card, in the exact position that the chip contacts are located. This will supply power and data I/O to the chip for authentication purposes. The contactless smart card has an antenna wire that surrounds the perimeter of the card. When this card comes within an electromagnetic field, the antenna within the card generates enough energy to power the internal chip. Neither card type has its own power supply.

QUESTION 16
Which matches the following definition, "The use of needles to remove the outer protective material on the card's circuits, by using ultrasonic vibration. Once this is completed then data can be accessed and manipulated by directly tapping into the card's ROM chips"?

A. Microprobing
B. Differential power analysis
C. Electromagnetic analysis
D. Software attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Microprobing uses needles to remove the outer protective material on the card's circuits, by using ultrasonic vibration. Once this is completed data can be accessed and manipulated by directly tapping into the card's ROM chips. This is considered an invasive attack that can be used against smart cards.

QUESTION 17
What is authorization creep and what is the best defense against it?

A. Employees continually being given more rights and permissions. The best countermeasure is to continue to review employees' need to know.
B. Employees continually being given less rights and permissions. The best countermeasure is to continue to review employees' need to know.
C. Employees continually being given more rights and permissions. The best countermeasure is to continue to review employees' job performance.
D. Employees continually being given less rights and permissions. The best countermeasure is to continue to review employees' collusion possibilities.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Authorization creep is when individuals are given more and more access rights over time. It can be a large risk for a company, because too many users have too much privileged access to company assets. Users' access needs and rights should be periodically reviewed to ensure that users only have access to the resources they need to complete their tasks.

QUESTION 18
Which of the following is not true of Kerberos?

A. It is not based on symmetric cryptography.
B. It is a proprietary protocol.
C. It is an authentication protocol.
D. Its security relies on the integrity of the KDC.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Kerberos is an open authentication protocol (not a proprietary one) that is based on symmetric cryptography. It is used because the individual principals do not trust each other enough to communicate directly. The KDC holds all of the secret keys and it vouches for the identity of the other principals, and has to be completely protected from corruption.

QUESTION 19
The ACME tile company needs to allow its partner companies to interface and pass service requests through its web services to allow for provisioning of these services. What markup language should it employ?

A. Generalized Markup Language
B. Standard Generalized Markup Language
C. Extensible Markup Language
D. Service Provisioning Markup Language

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The markup language that can provide this type of functionality is the Service Provisioning Markup Language (SPML). This language allows company interfaces to pass service requests, and the receiving company provisions (allows) access to these services. Since both the sending and receiving companies are following one standard (XML), this type of interoperability can take place.

QUESTION 20
Most Kerberos implementations use an authenticator. What is an authenticator and what is its purpose?

A. Principal identification and a time stamp encrypted with a shared secret key. It is used to authenticate the requesting principal and is a countermeasure against replay attacks.
B. Principal identification and a time stamp encrypted with a shared session key. It is used to authenticate the requesting principal and is a countermeasure against dictionary attacks.
C. TGS identification and a time stamp encrypted with a shared session key. It is used to authenticate the requesting principal and is a countermeasure against replay attacks.
D. Principal identification and a time stamp encrypted with a shared session key. It is used to authenticate the requesting principal and is a countermeasure against replay attacks.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
If a Kerberos implementation is configured to use an authenticator, the user will send the network resource her identification information and a time stamp encrypted with the session key they share. The resource will decrypt this information and compare it with the identification data the KDC sent to it about this requesting user. If the data is the same, the resource allows the user to communicate with it. The time stamp is used to help fight against replay attacks. The resource will compare the sent time stamp with its own internal time. This will help determine if the ticket had been sniffed and copied by an attacker and submitted at a later time in hope of impersonating the legitimate user and gaining unauthorized access.


QUESTION 21
What is the reason that Kerberos and SESAME, among other products, can be accessible through GSSAPI?

A. Interoperability
B. Functionality
C. Redundancy
D. Fault tolerance

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Kerberos and SESAME can be accessed through a Generic Security Services Application Programming Interface (GSSAPI), which is a generic API for client to server authentication. Using standard APIs allows vendors to communicate with and use each other's functionality and security. By using a standard API, products can intercommunicate, which is interoperability, because they know how to "talk to" each other's products.

QUESTION 22
One of the following is not an example of a domain. Choose the correct answer.

A. Memory, pagefile, processes
B. Services, processes, hard drive space
C. ACLs, firewalls, security kernel
D. Printers, computers, file servers

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
A domain is really just a set of resources that are available to a subject. Remember that a subject can be a user, process, or application. Within an operating system a process has a domain, which is the system resources that are available to the process to carry out its tasks. These resources can be memory segments, hard drive space, operating system services, and other processes. In a physical network environment a domain is a set of physical and logical resources that are available, as in computers, file servers, FTP service, Web servers, etc. ACLs, firewalls, and security kernels are security agents that are used to enforce the boundaries of domains.

QUESTION 23
Which of the following is the best definition of a security domain?

A. A domain that is managed by the same group using two different security policies.
B. A set of resources available to a subject in a secure manner.
C. A domain that is managed by the same group using the same security policy.
D. A set of resources available to a subject that are protected through a layered approach.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
A security domain just builds upon the definition of domain by adding that the resources within this logical structure (domain) are working under the same security policy and managed by the same group. A domain is a set of resources that are available to a subject.

QUESTION 24
Security domains are critical constructs in a physical network and within a logical environment, as in an operating system. Which of the following best describes how addressing allows for isolation?

A. In a network domains are isolated by using IP ranges and in an operating system domains can be isolated by using MAC addresses.
B. In a network domains are isolated by using subnet masks and in an operating system domains can be isolated by using memory addresses.
C. Addressing is a way to implement ACLs, which enforce domain access attempts and boundaries.
D. Addressing creates virtual machines, which creates isolated domains.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Addressing is a way to enforce, "if you don't have this address you don't belong here." In network domains we use IP ranges and subnet masks to control how network segments communicate with each other. Within software, processes can only communicate with the address space that the security kernel will allow. Addressing is one way to enforce domain access and its boundaries.

QUESTION 25
"Subjects can access resources in domains of equal or lower trust levels." This is an easy sentence, but a difficult concept for many people to really understand. Which of the following is not an example of this concept?

A. The security officer can access over 80% of the files within a company.
B. A contractor is only given access to three files on one file server.
C. A security kernel process can access all processes within an operating system.
D. A Guest account has access to all administrator accounts in the domain.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A subject can be a user, application, process or service - any active entity that is attempting to access a passive entity (object). Each of the answers provided examples of how the more trusted subjects were given access to resources (a domain) that corresponded with its trust level. A Guest account does not have the trust level to access all administrator accounts.

QUESTION 26
Tim is purchasing a smart card solution for his company. He needs to be aware of the various attacks that can take place against smart cards. Which of the following is not an example of a side-channel attack?

A. Differential power analysis
B. Electromagnetic emission
C. Corruptive
D. Timing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Some examples of side-channel attacks that have been carried out on smart cards are differential power analysis (examining the power emissions released during processing), electromagnetic analysis (examining the frequencies emitted), and timing (how long a specific process takes to complete). These types of attacks are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. They are commonly used for data collection.

QUESTION 27
Which of the following is not a characteristic of a counter-based token device?

A. Generates a one-time password
B. It shares a secret key with the authentication service
C. It is based on time synchronization
D. It is a type of synchronous authentication scheme

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
There are two types of synchronous-based token devices, counter-based and time-based. Counter-based means that the authentication service and the token share the same list of access codes and secret key. The secret key is used to encrypt the access code, which is the one-time password the user enters for authentication.

QUESTION 28
Paul has been asked to evaluate implementing soft tokens across the enterprise. What exactly are soft tokens?

A. One-time password generators that reside in software
B. Synchronous cognitive passwords generated in software
C. Components that are required in SESAME implementations that provide the single-sign on component
D. The authenticator portion of Kerberos

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
One-time passwords can be generated in software, instead of requiring a piece of hardware as in a token device. These are referred to as soft tokens and require that the authentication service and application contain the same base secrets, which are used to generate the one-time passwords.


QUESTION 29
Acme Inc. has the choice of rolling out products that are based on DAC, MAC, or RBAC models. Their security policy indicates that authentication will be identity based, so which of the following would be the best model to use?

A. MAC
B. DAC
C. Rule-based
D. BAC

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
DAC systems grant or deny access based on the identity of the subject. The identity can be a user identity or group membership. MAC models make access decisions based on classification, clearance, and need to know. Rule-based is a set of rules that are applied to all subjects, no matter what their identity is. DAC is always an identity-based model. BAC is a distracter.

QUESTION 30
Windows and most Linux and Unix systems are based on the DAC model. Which of the following is not true pertaining to the permissions that can be granted?

A. Read allows a user to read, but make no changes
B. Change allows a user to read and write only
C. Full control allows a user to read, write, execute, and delete only
D. Change will not allow a non-data owner to modify the object's ACLs

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
DACs can be applied to both the directory tree structure, and the files they contain. In the PC world, we have access permissions of 'No Access', Read (r), Write (w), Execute (x), Delete (d), Change (c) and 'Full Control'. The Read attribute will allow you to read the file, but not make changes. The Change attribute will allow you to read, write, execute and delete the file, but will not allow you to change the ACLs and/or owner of the files. Obviously, the attribute of 'Full Control' allows any changes to be made to the file and its permissions and ownership.

QUESTION 31
There has been more of a movement towards role-based access controls in products. This model gained acceptance in the 1990s and has recently been integrated into products more because of which of the following?

A. It is difficult to assign each and every user the exact level of access
B. Environments are experiencing more turnover than ever
C. MAC has been seen as too weak
D. Higher performance and throughput

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
As the number of objects and users grow within an environment, users are bound to be granted access to objects that is unnecessary under the DAC model, thus increasing the risk to the company by not practicing the least privilege rule. The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles. RBAC can correlate to the model of the company in a way that DAC cannot.

QUESTION 32
Under which of the following models are rights implicitly assigned?

A. RBAC
B. DAC
C. MAC
D. Rule-based

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Introducing roles also introduces the difference between rights being assigned explicitly and implicitly. If rights and permissions are assigned explicitly, it indicates that they are assigned to a specific individual. If they are assigned implicitly, it indicates that they are assigned to a role or group and the user inherits those attributes.

QUESTION 33
What component of Kerberos helps mitigate replay attacks?

A. Key Distribution Center
B. Authenticator
C. Asymmetric cryptography
D. Realms

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
If a Kerberos implementation is configured to use an authenticator, the user sends to a resource her identification information and a timestamp and sequence number encrypted with the session key they share. The resource decrypts this information and compares it with the identification data the KDC sent to it about this requesting user. If the data is the same, the resource believes it is communicating with the authentic user. The timestamp is used to help fight against replay attacks. The resource compares the sent timestamp with its own internal time, which helps determine if the ticket has been sniffed and copied by an attacker, and then submitted at a later time in hopes of impersonating the legitimate user and gaining unauthorized access. The resource checks the sequence number to make sure that this ticket has not been submitted previously. This is another countermeasure to protect against replay attacks.

QUESTION 34
Which of the following is UNTRUE of a database directory based on the X.500 standard?

A. The directory has a tree structure to organize the entries using a parent-child configuration.
B. Each entry has a unique name made up of attributes of a specific object.
C. The attributes used in the directory are dictated by the defined schema.
D. The unique identifiers are called fully qualified names.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
In a database directory based on the X.500 standard, the following rules are used for object organization:
- The directory has a tree structure to organize the entries using a parent-child configuration.
- Each entry has a unique name made up of attributes of a specific object.
- The attributes used in the directory are dictated by the defined schema.
- The unique identifiers are called distinguished names.


Exam C

QUESTION 1
Which of the following best describes the difference between content and context access control?

A. Content access control is based on the sensitivity of the data and context access control is based on the prior operations.
B. Content access control is based on the prior operations and context access control is based on the sensitivity of the data.
C. Context pertains to the use of database views and content access control pertains to tracking the requestor's previous access requests.
D. Context pertains to the use of the DAC model and content pertains to the use of the MAC model.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Context-dependent is different from content because context-dependent access controls make access decisions based on a collection of information, instead of the sensitivity of the data. A system that is using context-dependent access is "reviewing the situation" and then making a decision. Commonly context-dependent access control decisions are based on the previous access requests of the requestor.

QUESTION 2
Which of the following is not considered an AAA protocol?

A. Diameter
B. RADIUS
C. TACACS+
D. SESAME

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Diameter, RADIUS, TACACS+ are referred to as AAA protocols, which stands for authentication, authorization, and auditing. (Some resources have the last 'A' stand for accounting, but it is the same functionality - just a different name.) AAA protocols are developed to work in a client/server model, where the client can be a home user or a road warrior and the server is the central database that contains the users' credentials and authorization profiles. Diameter works in a peer-to-peer model, but is still considered an AAA protocol. SESAME is an authentication protocol similar to Kerberos.

QUESTION 3
The Kerberos technology has some issues that need to be understood before implementation. Which of the following are issues pertaining to Kerberos?
i. The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC.
ii. The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
iii. Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys.
iv. Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys.

A. i, ii, iv
B. i, iii, iv
C. i, ii, iii, iv
D. ii, iii

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The following are some of the potential weaknesses of Kerberos:
- The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC.
- The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable.
- Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys.
- Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys.

QUESTION 4
How does RADIUS allow companies to centrally control remote user access?

A. Once a user is authenticated, a profile is generated based on his security token, which outlines what he is authorized to do within the network.
B. Once a user is authenticated, a pre-configured profile is assigned to him, which outlines what he is authorized to do within the network.
C. Once the RADIUS client authenticates the user, the RADIUS server assigns him a pre-configured profile.
D. Once the RADIUS client authenticates the user, the client assigns the user a pre-configured profile.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
RADIUS allows companies to maintain user profiles in a central database. When a user dials in and is properly authenticated, a pre-configured profile is assigned to him to control what resources he can and cannot access. The RADIUS client cannot authenticate or assign profiles; this is the RADIUS server's job.

QUESTION 5
RADIUS is considered an open protocol, which means what?

A. RADIUS is now a standard that is outlined in RFC 2138 and RFC 2139. Any vendor can follow these standards and develop the protocol to work within their product.
B. RADIUS is open-source, which means that any vendor can contact Cisco and receive the code for free.
C. RADIUS is not an open protocol, but a de facto standard.
D. RADIUS is a proprietary protocol, but open to any vendor who pays the fee to use it.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
RADIUS is a standard and is described in RFC 2138 and RFC 2139. Any vendor who wants to develop and deploy RADIUS can just follow these standards. RADIUS is not proprietary (meaning owned by a specific company) and is an open protocol.

QUESTION 6
Which of the following is a true statement pertaining to TACACS, XTACACS, and TACACS+?

A. TACACS separates authentication and authorization
B. TACACS+ allows for two-factor authentication and dynamic passwords
C. XTACACS combines authentication, authorization, and auditing
D. TACACS+ combines authentication, authorization, and auditing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
TACACS combines its authentication and authorization processes, XTACACS separates the authentication, authorization, and accounting processes, and TACACS+ is XTACACS with extended two-factor user authentication. TACACS uses fixed passwords for authentication, while TACACS+ allows users to use dynamic (one-time) passwords, which provides more protection.

QUESTION 7
What needs to take place for an environment using XTACACS to be compatible with an environment using TACACS+?

A. The use of RADIUS will allow for this conversion to take place.
B. The use of Diameter will allow for this conversion to take place.
C. They are backwards compatible, so no conversion is necessary.
D. There is no interoperability between them. They are two totally different protocols.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
TACACS+ is really not a new generation of TACACS and XTACACS; it is a brand new protocol that provides similar functionality and shares the same naming scheme. Because it is a totally different protocol, it is not backwards compatible with TACACS or XTACACS.

QUESTION 8
RADIUS and TACACS+ have several characteristics that differ from each other. Which of the following answers best describes these?

A. RADIUS uses TCP and only encrypts the user's password.
B. TACACS+ uses UDP and does not encrypt the user's password.
C. TACACS+ uses TCP and encrypts all data between the client and server.
D. RADIUS uses UDP and encrypts all data between the client and the server.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
TACACS+ uses the TCP transport protocol. RADIUS only encrypts the user's password as it is being transmitted from the RADIUS client to the RADIUS server. Other information, such as the username, accounting data, and authorized services, is passed in cleartext. TACACS+ encrypts all of this information between the client and the server and uses the UDP protocol.

QUESTION 9
What are the purposes of Attribute Value Pairs, and how do they differ between RADIUS and Diameter?

A. AVPs are the constructs that outline how two entities will communicate. Diameter has many more AVPs, which allow the protocol to have more capabilities than RADIUS.
B. AVPs are the protocol parameters used between communicating entities. Diameter has fewer AVPs, which allow the protocol to have more capabilities than RADIUS.
C. AVPs are the security mechanisms that provide confidentiality and integrity for data being passed back and forth between entities. Diameter has many more AVPs, which allow the protocol to have more security capabilities than RADIUS.
D. AVPs are part of the TCP protocol. Diameter uses AVPs because it uses TCP, and RADIUS uses UDP.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
AVPs are constructs that outline how communication will take place between communicating entities. The more AVPs that are present in a protocol, the more functionality and capabilities that protocol has. Diameter has many more AVPs than RADIUS, which is why it can authenticate devices in many different ways and has more functionality through its peer-to-peer model.

QUESTION 10
Diane has to brief her CIO on the best product and protocol to use for the company's centralized remote access control technology. Which of the following are true statements pertaining to the more appropriate use of TACACS+ versus RADIUS?

A. TACACS+ is best if an environment only needs simplistic username/password authentication and RADIUS is better for environments that require more complex and tighter control.
B. TACACS+ has replaced RADIUS and RADIUS is being phased out.
C. RADIUS is best if an environment only needs simplistic username/password authentication and TACACS+ is better for environments that require more complex and tighter control.
D. TACACS+ allows for a peer-to-peer relationship between the client and server, and RADIUS works in a purely client/server model.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
RADIUS is the appropriate protocol when simplistic username/password authentication can take place and users only need an "accept" or "deny" for obtaining access, as in ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over more complex authorization activities, as in corporate networks.

QUESTION 11
RADIUS and TACACS+ work in a client/server model and Diameter works in a peer-to-peer model. What is the benefit of using this peer-to-peer model?

A. Allows for the server to request another credential set from the user
B. Allows the client to integrate 802.1x port authentication
C. Allows for the server to provide a universal profile for all users
D. Allows the user to access resources in several domains without needing to authenticate.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
RADIUS and TACACS+ are client/server protocols, which means that the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-based protocol that allows either end to initiate communication. This functionality allows the Diameter server to send a message to the access server asking for the user to provide another authentication credential if attempting to access a secure resource, or possibly to disconnect the user for one reason or another.

QUESTION 12
How does the Diameter protocol provide more security than RADIUS?

A. For interoperability reasons, they both provide the same level of security.
B. Diameter has been developed to work directly with TLS and IPSec.
C. Diameter works within the S/MIME standard.
D. RADIUS only encrypts the username.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Diameter provides end-to-end security through the use of IPSec or TLS, which is not available in RADIUS.

QUESTION 13
Joe is a member of both the Cashier and Cashier Supervisor roles. If he logs in as a Cashier, the Supervisor role is unavailable to him during that session. If he logs in as Cashier Supervisor, the Cashier role is unavailable to him during that session. What type of RBAC is being employed in this example?

A. Dynamic separation of duty
B. Static separation of duty
C. Limited
D. Hybrid

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
- Static Separation of Duty (SSD) Relations through RBAC: This would be used to deter fraud by constraining the combination of privileges (such as, the user cannot be a member of both the Cashier and Accounts Receivable groups).
- Dynamic Separation of Duties (DSD) Relations through RBAC: This would be used to deter fraud by constraining the combination of privileges that can be activated in any session (for instance, the user cannot be in both the Cashier and Cashier Supervisor roles at the same time, but the user can be a member of both). This one is a little more confusing. It means Joe is a member of both the Cashier and Cashier Supervisor roles. If he logs in as a Cashier, the Supervisor role is unavailable to him during that session. If he logs in as Cashier Supervisor, the Cashier role is unavailable to him during that session.
- Limited RBAC: Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality.
- Hybrid RBAC: Users are mapped to multi-application roles with only selected rights assigned to those roles.
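The SSD/DSD distinction above, modelled in a small RBAC policy engine. This is an added example, not code from the exam bundle; the role names come from the question and the explanation, and the engine's API (assign_role, activate, available_roles) is a constructed illustration.

```python
"""Static versus dynamic separation of duty in a toy RBAC engine.

Added example (not from the exam bundle). SSD is enforced when a role is
assigned; DSD is enforced when a role is activated inside a session.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class SeparationOfDutyError(Exception):
    """Raised when an assignment or activation violates an SoD constraint."""


@dataclass
class RBACPolicy:
    # SSD: pairs of roles one user may never hold at the same time.
    static_exclusions: set[frozenset[str]] = field(default_factory=set)
    # DSD: pairs of roles one user may hold, but never activate in one session.
    dynamic_exclusions: set[frozenset[str]] = field(default_factory=set)
    memberships: dict[str, set[str]] = field(default_factory=dict)

    def assign_role(self, user: str, role: str) -> None:
        """Static SoD check: refuse membership that conflicts with a held role."""
        held = self.memberships.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.static_exclusions:
                raise SeparationOfDutyError(
                    f"{user}: static SoD forbids holding {role} with {other}")
        held.add(role)

    def activate(self, user: str, active: set[str], role: str) -> set[str]:
        """Dynamic SoD check: `active` is the session's current role set;
        returns the new session role set if activation is permitted."""
        if role not in self.memberships.get(user, set()):
            raise SeparationOfDutyError(f"{user} is not a member of {role}")
        for other in active:
            if frozenset({role, other}) in self.dynamic_exclusions:
                raise SeparationOfDutyError(
                    f"{user}: dynamic SoD forbids {role} while {other} is active")
        return active | {role}

    def available_roles(self, user: str, active: set[str]) -> set[str]:
        """Held roles that could still be activated in this session."""
        out = set()
        for role in self.memberships.get(user, set()):
            if role in active:
                continue
            if any(frozenset({role, a}) in self.dynamic_exclusions for a in active):
                continue
            out.add(role)
        return out


def build_demo_policy() -> RBACPolicy:
    """Constructed policy matching the question: SSD between Cashier and
    Accounts Receivable, DSD between Cashier and Cashier Supervisor."""
    policy = RBACPolicy()
    policy.static_exclusions.add(frozenset({"Cashier", "Accounts Receivable"}))
    policy.dynamic_exclusions.add(frozenset({"Cashier", "Cashier Supervisor"}))
    policy.assign_role("joe", "Cashier")
    policy.assign_role("joe", "Cashier Supervisor")  # allowed: DSD, not SSD
    return policy


def joe_session_demo() -> dict[str, object]:
    """Joe logs in as Cashier; Supervisor becomes unavailable for the session,
    and an attempt to add the SSD-excluded role fails at assignment time."""
    policy = build_demo_policy()
    session = policy.activate("joe", set(), "Cashier")
    try:
        policy.activate("joe", session, "Cashier Supervisor")
        dsd_blocked = False
    except SeparationOfDutyError:
        dsd_blocked = True
    try:
        policy.assign_role("joe", "Accounts Receivable")
        ssd_blocked = False
    except SeparationOfDutyError:
        ssd_blocked = True
    return {
        "active": session,
        "available": policy.available_roles("joe", session),
        "dsd_blocked": dsd_blocked,
        "ssd_blocked": ssd_blocked,
    }


if __name__ == "__main__":
    print(joe_session_demo())
```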

QUESTION 14
What is a Land attack, and what type of IDS can identify it based on its pattern and not its behavior?

A. Header has the same source and destination address and can be identified by a statistical anomaly-based IDS.
B. Header has no source and destination addresses and can be identified by a signature-based IDS.
C. Header has the same source and destination address and can be identified by a traffic-based IDS.
D. Header has the same source and destination address and can be identified by a signature-based IDS.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
In a Land attack, a hacker modifies the packet header so that when a receiving system responds to the packet it is responding to its own address. Once this type of attack was discovered, the signature-based IDS vendors wrote a signature that looks specifically for packets that contain the same source and destination addresses. A statistical anomaly-based IDS uses behavioral characteristics, and a traffic-based IDS is a type of statistical IDS.

QUESTION 15
George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?

A. If the threshold is set too low, non-intrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).
B. If the threshold is set too low, non-intrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).
C. If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).
D. If the threshold is set too high, non-intrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Determining the proper thresholds for statistically significant deviations is really the key to the successful use of a behavior-based IDS. If the threshold is set too low, non-intrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).
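The two IDS approaches from Questions 14 and 15 side by side: a signature rule for Land packets (source equals destination) and a behavior-based detector whose threshold is tuned too low, too high, and correctly. This is an added example, not part of the exam bundle; the packets, the baseline counts and the ground-truth labels are constructed.

```python
"""Signature match versus behavior-based threshold in a toy IDS.

Added example (not from the exam bundle). All traffic data is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int


def land_signature(pkt: Packet) -> bool:
    """Signature rule: a Land packet carries identical source and destination."""
    return pkt.src == pkt.dst


# Constructed traffic: one Land packet among ordinary ones.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.1", 512),
    Packet("10.0.0.1", "10.0.0.1", 40),   # Land: src == dst
    Packet("10.0.0.7", "10.0.0.1", 600),
]


def signature_alerts(packets):
    """Pattern matching: fires on every packet that matches the rule,
    regardless of how the rest of the traffic behaves."""
    return [p for p in packets if land_signature(p)]


# Behavior-based side. Constructed baseline: failed-login counts per minute
# during normal operation, then an observed window with one benign spike
# (09:01) and one real attack (09:03).
BASELINE = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]
OBSERVED = {"09:00": 5, "09:01": 9, "09:02": 5, "09:03": 60}
ATTACK_WINDOWS = {"09:03"}  # constructed ground truth


def behaviour_alerts(observed, baseline, threshold):
    """Flag windows whose deviation above the baseline mean exceeds
    `threshold` standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {w for w, v in observed.items() if (v - mu) / sigma > threshold}


def evaluate(threshold):
    """Return (false_positives, false_negatives) for a given threshold:
    too low flags the benign spike, too high misses the attack."""
    flagged = behaviour_alerts(OBSERVED, BASELINE, threshold)
    return flagged - ATTACK_WINDOWS, ATTACK_WINDOWS - flagged


if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_PACKETS))
    for t in (2, 10, 100):
        fp, fn = evaluate(t)
        print(f"threshold {t:>3}: false positives={fp or '{}'} false negatives={fn or '{}'}")
```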

QUESTION 16
Which of the following is a proper match for the type of IDS and the type of attack it is best suited to uncover?

A. Signature-based IDS - "0 day" attack
B. Signature-based IDS - user logging in at an unusual time
C. Traffic anomaly IDS - Land attack
D. Protocol anomaly IDS - brand new service on the network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A protocol anomaly pertains to the format and behavior of a protocol. The IDS builds a model (or profile) of each protocol's "normal" usage. A protocol anomaly could be a new use for a protocol, an improperly formatted protocol header, or a new service on the network. A signature-based IDS can only detect known attacks and cannot detect behavior changes. A traffic-based IDS just uncovers different patterns in traffic activity.

QUESTION 17
A rule-based IDS is a newer and more sophisticated IDS. Which of the following is not a characteristic of this type of security mechanism?

A. Usually based on an expert system, with a knowledge base, inference engine, and rule-based programming
B. Allows for complex rules and situations to be laid out to define attack scenarios in a granular approach
C. Works with if/then scenarios
D. Knowledge is represented as data and facts are used to analyze the data

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A rule-based IDS is commonly associated with the use of an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming. Knowledge is represented as rules, and the data that is to be analyzed is referred to as facts. The knowledge of the system is written in rule-based programming (IF situation THEN action). These rules are applied to the facts, the data that comes in from a sensor or a system that is being monitored.

QUESTION 18
What is the relationship between an IDS event generator, sensor, and response module?

A. The event generator receives raw data from a sensor and compares the values to the response module.
B. The sensor receives raw data from the event generator, compares it to a database, and the response module dictates the response activity.
C. The sensor receives raw data from the event generator and compares the values to the response module.
D. The response module contains the configurations for the event generator and the sensor.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The sensor receives raw data from an event generator and compares it to a signature database, profile, or model, depending upon the type of IDS. If there is some type of a match, which indicates suspicious activity, the sensor works with the response module to know what type of alert to send out (instant messaging, page, e-mail, firewall reconfiguration, and so on).

QUESTION 19
John is moving his company's network from a traditional configuration to a switched environment. How does this affect the company's IDS?

A. Network IDS sensors cannot access traffic on port-to-port communication.
B. John will need to tear down the spanning port so the IDS can "listen" to all traffic.
C. John no longer needs sensors on each and every network segment.
D. Broadcast data will now be available to all IDS sensors.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A monitoring console monitors all sensors and supplies the network staff with an overview of the activities of all of the sensors in the network. A difficulty arises in a switched environment, where traffic is forwarded through a virtual private connection and is not re-broadcast to all the ports. The switch should have a management port, where all traffic on that switch can be mirrored to one port where the sensor is placed. (This is also referred to as a spanning port, where all traffic from all ports can be mirrored to one port.)

QUESTION 20
What is the main difference between IDS and IPS?

A. In-line versus distributed
B. Preventative versus detective
C. Defense-in-depth versus a layered approach
D. Stateful versus non-stateful

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A traditional IDS only detects that something bad may be taking place and sends an alert. The goal of an IPS is to detect this activity and not allow the traffic in to gain access to the target in the first place. So IPS is a preventive and proactive technology, whereas IDS is a detective and after-the-fact technology. Although some IPS products are in-line, this is not the main difference between these approaches.

QUESTION 21
What is the difference between separation of duties compared to rotation of duties?

A. Separation of duties is a preventive control, and rotation of duties is a detective control
B. Separation of duties is a detective control, and rotation of duties is a preventive control
C. Separation of duties is an administrative-technical control, and rotation of duties is an administrative-detective control
D. Separation of duties is an administrative-detective control, and rotation of duties is an administrative-preventive control

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Separation of duties is a preventive control, because a company is trying to prevent fraudulent activities by splitting up a critical task. Rotation of duties is a detective control, because a company is trying to uncover fraudulent activities by moving a new employee into a position. They are both administrative controls.

QUESTION 22
Choose which of the following has an incorrect mapping.

A. Corrective - Mitigate damage and restore controls
B. Preventive - Avoid security incident
C. Detective - Identify security incident
D. Recovery - Restore conditions to unusual
Compensating - Alternative control
Deterrent - Discourage incident

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Preventive - A control type that attempts to avoid a security incident from taking place.
Detective - A control type that identifies a security incident after it takes place.
Corrective - A control type that reduces damages or remedies the situation and restores controls.
Compensating - A control type that provides an alternate for another control type.
Deterrent - A control type that discourages security incident attempts.
Recovery - A control type that brings the system or environment back to a normal working environment.

QUESTION 23
Which of the following is not an important characteristic of creating and maintaining user identification information?

A. Information should be unique to ensure accountability
B. Identification information should be non-descriptive of the employees' job functions
C. Use the first initial of the first name and all of the last name for accountability
D. Process should be documented and standardized

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
A company can come up with its own naming scheme, but it is important that it is standardized, documented, and non-descriptive of job functions.

QUESTION 24
Although terms within access control are sometimes used interchangeably, this does not mean that the right word is being used in the right context. Which of the following is the incorrect definition of the associated word?

A. Identification = Value that asserts a user's identity
B. Authentication = Verifies a user's identity
C. Authorization = Verifies a user's identity and authentication
D. Accountability = Tracks an individual's activity

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
All of the other definitions are correct except authorization, which means to control what an authenticated user can and cannot do within the environment.

QUESTION 25
Watchdog functionality can be used in AAA protocols. Which of the following best describes its purpose?

A. Detects specific attack types
B. Detects process failure
C. Detects man-in-the-middle attacks
D. Detects packet corruption

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Watchdog timers are commonly used to detect software faults, such as a process ending abnormally or hanging. The watchdog functionality sends out a type of "heartbeat" packet, and if a service is not responding, the process can be terminated or reset. This guards against software deadlocks, infinite loops, and process prioritization problems. This functionality can be used in AAA protocols to know if packets need to be resent and if connections that are experiencing problems need to be closed and reopened.

QUESTION 26
Tom needs a AAA solution that ensures that he does not need to maintain a remote access server database of remote user credentials and a database within Active Directory for local users. What technology should Tom implement within his environment?

A. CHAP
B. EAP
C. RADIUS
D. Shadow Passwords

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The RADIUS AAA protocol will allow remote users to authenticate to an internal Active Directory, or any other user account database, without the need for a separate user accounts database just for remote user authentication.

QUESTION 27
What is derived from a passphrase?

A. Personal password
B. Virtual password
C. User ID
D. Valid password

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Most systems do not use the actual passphrase or password the user enters. Instead, the system puts this value through some type of encryption or hashing function to come up with another format of that value, referred to as a virtual password.

QUESTION 28
Which of the following statements correctly describes passwords?

A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Passwords provide the least amount of protection, but are the cheapest because they do not require extra readers, as smart cards and memory cards do; they do not require devices, as biometrics do; and they do not require a lot of overhead in processing, as cryptography does. Passwords are the most common type of authentication method used today.

QUESTION 29
Sarah is the security officer for her organization and must be concerned about the many types of threats that exist. She has been told that there have been attempts by external entities to access resources in an unauthorized manner through the organization's legacy modems. Which of the following controls should Sarah ensure that her team implements?
i. Perform brute force wardialing attacks to find weaknesses and hanging modems.
ii. Make sure only necessary phone numbers are made public.
iii. Provide stringent access control methods that would make brute force attacks less successful.
iv. Set lockout thresholds.

A. i, ii, iii, iv
B. i, ii
C. iii, iv
D. i, iii, iv

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
These attacks are also used in wardialing efforts, in which the wardialer inserts a long list of phone numbers into a wardialing program in hopes of finding a modem that can be exploited to gain unauthorized access.

QUESTION 30
Which of the following is not a logical access control?

A. Encryption
B. Network architecture
C. ID badge
D. Access control matrix

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
A logical control is the same thing as a technical control. All of the answers were logical in nature except an ID badge. Badges are used for physical security and are considered physical controls.

QUESTION 31
Which access control policy is enforced when an environment uses groups?

A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Groups and roles work as containers for users. The administrator or security professional creates the roles or groups and assigns rights to them, and then assigns users to the container. The users then inherit the permissions and rights from the containers (roles and groups), which is how implicit permissions are obtained.

QUESTION 32
John has noticed some unusual activities in his company's logs. There have been several outgoing authentication attempts in the format of "www.msn.com@notmsn.com". What type of activity could this indicate?

A. Pharming
B. Phishing
C. Identity theft
D. Hijacking

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers lure, or fish, for sensitive data through various different methods. Nefarious web sites not only have the look and feel of the legitimate web site, but attackers also provide URLs with domain names that look very similar to the legitimate site's address. For example, www.amazon.com might become www.amzaon.com. Or they use a specially placed @ symbol. For example, www.msn.com@notmsn.com would actually take the victim to the web site notmsn.com and provide the username www.msn.com to this web site. The username www.msn.com would not be a valid username for notmsn.com, so the victim would just be shown the home page of notmsn.com. Now, notmsn.com is a nefarious site created to look and feel just like www.msn.com. The victim feels comfortable that he is at a legitimate site and logs in with his credentials.
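A log-review check for the @-symbol trick described above: the browser connects to the host after the @, so a userinfo part that itself looks like a hostname is the indicator John's logs would show. This is an added example, not part of the exam bundle; the proxy log lines are constructed, and the www.msn.com@notmsn.com URL is the one used in the explanation.

```python
"""Flag URLs that hide the real host behind a hostname-looking userinfo.

Added example (not from the exam bundle). Log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Userinfo that looks like a DNS name (at least one dot and a TLD) is the
# tell-tale sign: legitimate usernames rarely look like "www.msn.com".
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def _split(url: str):
    # urlsplit only recognises the authority part when a scheme is present.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """The host the browser actually connects to (the part after any '@')."""
    return (_split(url).hostname or "").lower()


def decoy_host(url: str) -> str | None:
    """If the userinfo looks like a hostname, return it: that is the site the
    victim is meant to believe they are visiting."""
    user = _split(url).username or ""
    return user.lower() if HOSTNAME_RE.match(user) else None


def suspicious_urls(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (decoy_host, real_host) pairs for log entries whose URL carries a
    hostname-looking userinfo pointing at a different real host."""
    findings = []
    for line in log_lines:
        url = line.split()[-1]          # constructed format: URL is last field
        decoy = decoy_host(url)
        if decoy and decoy != real_host(url):
            findings.append((decoy, real_host(url)))
    return findings


# Constructed proxy log: one @-trick URL, one legitimate visit, one ordinary
# username in a URL (which must not be flagged).
SAMPLE_LOG = [
    "2024-01-01T10:00:00 user1 GET http://www.msn.com@notmsn.com/login",
    "2024-01-01T10:00:05 user2 GET http://www.msn.com/",
    "2024-01-01T10:00:09 user3 GET http://alice@mail.example.net/inbox",
]

if __name__ == "__main__":
    for decoy, real in suspicious_urls(SAMPLE_LOG):
        print(f"URL displays {decoy!r} but connects to {real!r}")
```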

QUESTION 33
Which item is not part of a Kerberos authentication implementation?

A. Message Authentication Code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A Message Authentication Code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, devices), an authentication service, tickets, and a ticket granting service.

Exam D

QUESTION 1
Which implements mainly access control matrices?

A. Mandatory
B. Centralized
C. Decentralized
D. Discretionary

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
DAC is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix. MAC is implemented and enforced through the use of security labels.

QUESTION 2
Bob has been concerned about potential phishing attacks that he has recently read about. One countermeasure he makes sure to take is to always make sure the URL of the website he is visiting matches the name of the site. What could still be taking place that allows a phishing attack to be successful?

A. Execution of .NET
B. Execution of JavaScript
C. Execution of cookies
D. Execution of DCOM objects

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Some JavaScript commands are designed to show the victim an incorrect web address. So let's say Bob is a suspicious and vigilant kind of a guy. Before he inputs his username and password to authenticate and gain access to his online bank account, he always checks the URL values in the address bar of his browser. Even though he closely inspects it to make sure he is not getting duped, there could be a JavaScript replacing the URL www.citibank.com with www.evilandwilltakeallyourmoney.com, so he thinks things are safe and life is good.

QUESTION 3
What does authentication mean?

A. Registering a user
B. Identifying a user
C. Validating a user
D. Authorizing a user

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Authentication means to validate the identity of a user. In most systems the user must submit some type of public information (username, account number), and a second credential is needed to prove that this identity is really bound to this person. The second piece of the credential set is private and should not be shared.

QUESTION 4
If a company has a high turnover rate, which access control structure is best?

A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
It is easier on the administrator if she only has to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed. Otherwise she would need to assign and remove permissions and rights as each individual joined and left the company.

QUESTION 5
The process of mutual authentication involves __________.

A. A user authenticating to a system and the system authenticating to the user
B. A user authenticating to two systems at the same time
C. A user authenticating to a server and then to a process
D. A user authenticating, receiving a ticket, and then authenticating to a service

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Mutual authentication means that authentication happens in both directions. Instead of just the user having to authenticate to the server, the server also has to authenticate to the user, so the user does not hand credentials to an impostor system.
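The exchange described above, as an added example that is not part of the original question bank: a two-way challenge-response over a pre-shared key, where each side proves knowledge of the key over the other side's fresh nonce. The key, the role tags and the message order are assumptions made for this illustration; the role tag inside the HMAC is what stops a rogue server from simply reflecting the client's own proof back at it.

```python
import hmac
import hashlib
import secrets

# Pre-shared key known to both sides (constructed for this example, not a real credential).
SHARED_KEY = b"example-pre-shared-key-not-for-production"


def prove(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """HMAC over the prover's role tag and the peer's challenge.

    Binding the role into the MAC means a proof produced by the server can never
    be replayed as a proof from the client (and vice versa).
    """
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class Party:
    """One endpoint of the exchange; remembers the nonce it issued."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.my_challenge = b""

    def challenge(self) -> bytes:
        self.my_challenge = secrets.token_bytes(16)  # fresh nonce per run, no replay
        return self.my_challenge

    def respond(self, role: bytes, peer_challenge: bytes) -> bytes:
        return prove(self.key, role, peer_challenge)

    def verify(self, role: bytes, response: bytes) -> bool:
        expected = prove(self.key, role, self.my_challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def mutual_auth(client_key: bytes, server_key: bytes):
    """Run the exchange; returns (server_authenticated_to_client, client_authenticated_to_server)."""
    client = Party("client", client_key)
    server = Party("server", server_key)

    # 1. client -> server: client's nonce
    nc = client.challenge()
    # 2. server -> client: server's nonce plus its proof over the client's nonce
    ns = server.challenge()
    server_proof = server.respond(b"server", nc)
    # 3. client checks the server first; nothing secret leaves the client until this passes
    server_ok = client.verify(b"server", server_proof)
    if not server_ok:
        return (False, False)
    # 4. client -> server: proof over the server's nonce
    client_proof = client.respond(b"client", ns)
    client_ok = server.verify(b"client", client_proof)
    return (server_ok, client_ok)
```

A server holding the wrong key fails at step 3, so the client never sends its own proof; that ordering is the point of authenticating the server before the user.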

QUESTION 6
John has been told that he needs to implement host IDS software to ensure that the hosts files on systems are not modified. What type of attack would this be attempting to thwart?

A. Phishing
B. Wardialing
C. Pharming
D. Dictionary

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Pharming is an attack aimed at redirecting a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software.
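The hosts-file check John's HIDS would perform, as an added example (not code from the original question bank): compare the file against a known-good hash, and independently flag any entry that pins a protected domain to an address, since the hosts file is consulted before DNS. The sample hosts file, the baseline hash and the list of protected domains are all constructed for this illustration.

```python
import hashlib
import ipaddress

# Constructed sample of what the HIDS would read from /etc/hosts or
# C:\Windows\System32\drivers\etc\hosts. The last line is the tampered entry.
SAMPLE_HOSTS = (
    "127.0.0.1   localhost\n"
    "::1         localhost\n"
    "192.0.2.10  intranet.example.com   # legitimate internal host\n"
    "203.0.113.7 www.bank.example       # injected by malware\n"
)

# Baseline taken when the file was known-good (constructed: the first three lines only).
BASELINE_SHA256 = hashlib.sha256(
    (
        "127.0.0.1   localhost\n"
        "::1         localhost\n"
        "192.0.2.10  intranet.example.com   # legitimate internal host\n"
    ).encode()
).hexdigest()

# Domains that must never be resolved locally (assumption: a site-specific list).
PROTECTED_DOMAINS = {"www.bank.example", "login.bank.example"}


def parse_hosts(text: str):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def file_changed(text: str, baseline_sha256: str) -> bool:
    """Integrity check: any byte-level change trips this, whatever the content."""
    return hashlib.sha256(text.encode()).hexdigest() != baseline_sha256


def pharming_entries(text: str, protected) -> list:
    """Content check: protected domains present in the hosts file at all are suspicious,
    whatever address they point at, because they bypass DNS entirely."""
    return [(ip, name) for ip, name in parse_hosts(text) if name in protected]
```

Run both checks: the hash tells you the file changed, the content check tells you which line matters, and the loopback entries are left alone.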

QUESTION 7
In discretionary access control security, who has delegation authority to grant access to data?

A. User
B. Security office
C. Security policy
D. Owner

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
This question may seem a little confusing if you were stuck between user and owner. Only the data owner can decide who can access the resources she owns. She may be a user and she may not; a user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate which subjects can access it.

QUESTION 8
Which could be considered a single point of failure within a single sign-on implementation?

A. Authentication server
B. User's workstation
C. Logon credentials
D. RADIUS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
In a single sign-on technology all users authenticate to one source, and if that source goes down, authentication requests cannot be processed.

QUESTION 9
What type of attack attempts all possible solutions?

A. Dictionary
B. Brute Force
C. Man-in-the-middle
D. Spoofing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A brute force attack tries combinations of characters in an attempt to discover the correct sequence that represents the captured password, or whatever the goal of the task is. It is an exhaustive attack, meaning the attacker will try over and over again until she is successful.
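An added example, not part of the original question bank, that makes the "exhaustive" point concrete: an offline brute force walks the whole keyspace in order while a dictionary attack only tries a wordlist, and the keyspace function shows why length and alphabet size, not cleverness, decide how long the exhaustive run takes. The target hashes and the wordlist are constructed here; unsalted SHA-256 is used only to keep the example self-contained, not as a recommendation.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase          # 26-character alphabet used in the tests
PRINTABLE = string.printable.strip()    # roughly the 95 printable ASCII characters


def sha256_hex(s: str) -> str:
    """Stand-in for a captured password hash (unsalted, for the example only)."""
    return hashlib.sha256(s.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Exhaustively enumerate every string of length 1..max_len over the alphabet.

    Returns (password, attempts) on success or (None, attempts) once the keyspace is spent.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def dictionary_attack(target_hash: str, wordlist):
    """Try only the words in the list; fast, but blind to anything not in it."""
    for i, word in enumerate(wordlist, 1):
        if sha256_hex(word) == target_hash:
            return word, i
    return None, len(wordlist)


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates an exhaustive attack must cover for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))
```

Against a three-letter lowercase target the exhaustive search finishes in about fourteen hundred hashes; against eight printable characters the same loop faces more than 10^15 candidates, which is the whole argument for length and for slow, salted password hashing.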

QUESTION 10
Which of the following is not an advantage of a centralized access control administration?

A. Flexibility
B. Standardization
C. Higher level of security
D. No need for different interpretations of a necessary security level

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A centralized approach does not provide as much flexibility as decentralized access control administration, because one entity is making all the decisions instead of several entities that are closer to the resources. A centralized approach is more structured in nature, which means there is less flexibility.

QUESTION 11
Which of the following is the best approach to validate the continued need for a user to have privileged access to system resources?

A. Periodic review of data classifications and system controls
B. Periodic review and re-certification of privileged user needs
C. Periodic review of audit logs and access attempts by all users
D. Revoke processes used to grant these types of access

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A periodic review of the rights and permissions granted to all users (especially ones with privileged access), and of how those map to what they need to complete their tasks, best validates the reasons for the access given. A user may no longer need full control over specific resources and files, and a company would not uncover this without reviewing the actual needs of that user.

QUESTION 12
Which of the following is not a single sign-on access approach?

A. Scripts
B. Thin clients
C. Kerberos
D. Discretionary

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Companies can use scripts to hold user credentials, thin clients to access servers or mainframes, or Kerberos to provide a single sign-on environment. Discretionary access control does not have anything to do with single sign-on approaches.

QUESTION 13
Which of the following is least important to be included on a log that captures security violations?

A. User ID
B. Type of violation
C. Date and time of violation
D. Access control in place

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The first three items should be included for each security violation detected. Systems can have several access controls in place, which are not easily logged, and the type of access control should not be in this kind of record anyway.

QUESTION 14
Which of the following is not included in the classic ways of authenticating a user?

A. Something you know
B. Something you have
C. Something you control
D. Something you are

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Authentication is based on something that you know (password, PIN), something that you are (biometrics), and something that you have (memory card, smart card, or token device).

QUESTION 15
Which of the following does not describe a synchronous token device?

A. Challenge-based
B. One-time password generator
C. Time-based
D. Authentication mechanism

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A synchronous token device is driven by time or events to authenticate users. An asynchronous token device uses a challenge-based mechanism during its authentication process. Both are types of token devices used to create one-time passwords.
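Both token types side by side, as an added example (not code from the original question bank). The synchronous half is RFC 4226 HOTP driven by a time-derived counter (RFC 6238 TOTP), using the RFC's published test seed so the outputs can be checked against the standard; the asynchronous half keys the same secret over a server-issued nonce. The drift window and the eight-character response length are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test seed, the ASCII string "12345678901234567890".
SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Synchronous token: the counter is the clock divided into 30-second steps,
    so token and server must agree on the time rather than exchange anything."""
    return hotp(seed, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server side: accept the current step plus/minus a small drift window."""
    step_now = int(unix_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, step_now + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def new_challenge() -> bytes:
    """Asynchronous token: the server issues a fresh nonce for each logon."""
    return secrets.token_bytes(16)


def challenge_response(seed: bytes, challenge: bytes) -> str:
    """The token computes a response keyed over the challenge; no clock involved."""
    return hmac.new(seed, challenge, hashlib.sha256).hexdigest()[:8]


def verify_challenge(seed: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(challenge_response(seed, challenge), response)
```

A captured TOTP code is only useful inside the current step and drift window, which is the replay resistance the dynamic-password question below relies on; a captured challenge response is useless against any other challenge.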

QUESTION 16
Larry is in a management role within his organization. He has to decide on the type of information that will be collected and maintained about their customers. His security officer has warned him about obtaining combinations of data such as driver's license numbers and addresses. What type of threat is his security officer concerned with?

A. Phishing
B. Pharming
C. Phatting
D. Identity theft

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Identity theft refers to a situation where someone obtains key pieces of personal information such as a driver's license number, bank account number, credentials, or Social Security number, and then uses that information to impersonate someone else.

QUESTION 17
TACACS+ provides what type of access control administration?

A. Centralized
B. Mandatory
C. Discretionary
D. Decentralized

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
TACACS+ is a client/server protocol used in centralized remote access environments. Centralized access control administration has one entity or group that implements and maintains access decisions based upon the organization's security policy.

QUESTION 18
What is another name for a dynamic password?

A. One-time password
B. Passphrase
C. Virtual password
D. Cognitive password

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
One-time or dynamic passwords are good for only one session and are used in environments that require more security than static passwords provide. If these passwords are intercepted by an attacker, they are only valid for a small window of time, so there is a smaller chance of a replay attack succeeding.

QUESTION 19
John is an engineer within company ACME. He has been told by his boss, the security officer, that he must implement a tool that he can use to perform deep analysis on captured network traffic that has been flagged as suspicious. What type of tool should John put into place?

A. Sniffer
B. Protocol analyzer
C. War dialer
D. Firewall

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A packet or network sniffer is a general term for programs or devices able to examine traffic on a LAN segment. Traffic transferred over a network medium is transmitted as electrical signals, encoded in binary representation. The sniffer has to have a protocol-analysis capability to recognize the different protocol values and properly interpret their meaning; that capability is what makes it a protocol analyzer.

QUESTION 20
Tim is a member of management and has just been notified that two sniffer tools have been identified on the network. The software tools were installed on two different systems that were maintained by a security engineer who has recently been fired. What should Tim understand about this situation?

A. The tools were probably installed to identify suspicious activities by the engineer and should not be a concern.
B. The tools were probably installed by the engineer to identify legitimately suspicious activities, but should be a concern.
C. The tools were installed as part of the company's IPS rollout and should be a concern.
D. The tools were installed as part of the company's IPS rollout and should not be a concern.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Network sniffers are used by the people in the white hats (administrators and security professionals), usually to try to track down a recent problem with the network. But the people in the black hats (attackers and crackers) can use them to learn what type of data is passed over a specific network segment and to modify data in an unauthorized manner. Black hats usually use sniffers to obtain credentials as they pass over the network medium. The company does not know who installed these tools or why, and that should be a concern.

QUESTION 21
Access controls that give subjects and objects a range of upper and lower bound capabilities are called:

A. Security labels
B. Lattice-based
C. Mandatory
D. Task-based

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Lattice-based access controls provide upper and lower bounds of access for a subject pertaining to a specific object. When a subject makes an access attempt, the system first sees if access is allowed at all, and then determines the range of access the subject actually has. A subject may be able to read but not write to an object; write is then outside its lattice bounds.

QUESTION 22
Which of the following is an example of a preventive-physical access control?

A. Implementing pre-employment background checks
B. Conducting security awareness training
C. Configuring access control lists on routers
D. Locking laptop docking stations

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Locking laptop docking stations is a physical access control and is preventive in nature. Background checks and awareness training are preventive-administrative, and access control lists on routers are technical controls.

QUESTION 23
The process of identifying an individual by the unique blood-vessel pattern on the back of his eyeball is called?

A. Retina scan
B. Iris scan
C. Facial scan
D. Blood scan

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Retina scans offer an effective way of identifying individuals by projecting a beam into the eye to distinguish between different blood-vessel patterns.

QUESTION 24
What type of control is auditing?

A. Preventive
B. Administrative
C. Technical
D. Physical

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Auditing is an important technical control that can be used to track the activities of systems, networks, or users. This is not about an auditor evaluating a company and its procedures, but about the logs generated by operating systems and applications.

QUESTION 25
What important variable is used when evaluating the effectiveness of biometric systems?

A. Type I errors
B. Acceptance by society
C. Type II errors
D. CER

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The crossover error rate (CER) is the point at which Type I errors (false rejections) and Type II errors (false acceptances) are equal, and it is the standard way of measuring biometric effectiveness. A system with a lower CER value is more accurate than a system with a higher CER value.
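How the CER is actually obtained from a system's match scores, as an added example (not code from the original question bank). The genuine and impostor score samples are constructed; a real evaluation would use thousands of samples per population, but the procedure is the same: sweep the acceptance threshold, compute FRR (Type I) and FAR (Type II) at each setting, and read off where the two curves cross.

```python
# Constructed match scores (0..100) for enrolled users and for impostors.
GENUINE = [92, 88, 95, 79, 85, 90, 73, 96, 81, 87]
IMPOSTOR = [35, 60, 48, 71, 55, 42, 66, 30, 58, 77]


def rates_at(threshold: int, genuine, impostor):
    """Accept a sample when score >= threshold. Returns (FRR, FAR) at that threshold.

    FRR (Type I) counts legitimate users turned away; FAR (Type II) counts impostors let in.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine, impostor):
    """Sweep the threshold and return (threshold, cer) where FRR and FAR are closest.

    With discrete samples the curves may not meet exactly, so the point of smallest
    gap is taken and the CER is reported as the mean of the two rates there.
    """
    best = None
    for t in range(0, 101):
        frr, far = rates_at(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def compare(system_a, system_b):
    """Lower CER wins; returns the name of the more accurate system."""
    name_a, (gen_a, imp_a) = system_a
    name_b, (gen_b, imp_b) = system_b
    return name_a if crossover(gen_a, imp_a)[1] <= crossover(gen_b, imp_b)[1] else name_b
```

Moving the threshold away from the crossover trades one error for the other: a high-security door is run above the CER (more false rejections, fewer impostors admitted), a convenience login below it.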

QUESTION 26
Jane is responsible for rolling out her company's IDS product. She has to make sure to place the IDS sensors in the correct location and ensure that the sensors are capturing data correctly. One of her engineers has told her that one network segment will require three sensors, but she is concerned because this will put her over her budget. What issue could Jane be faced with?

A. Incompatibility of sensors
B. Improper communication between sensors
C. Overwhelmed sensors
D. Improper communication between the sensors and the management console

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
If the network traffic volume exceeds the IDS system's threshold, attacks may go unnoticed. Each vendor's IDS product has its own threshold, and you should know and understand that threshold before you purchase and implement the IDS. In very high-traffic environments, multiple sensors should be in place to ensure all packets are investigated. If necessary to optimize network bandwidth and speed, different sensors can be set up to analyze each packet for different signatures, so that the analysis load is broken up over different points.

QUESTION 27
Which of the following is not a weakness of Kerberos?

A. Secret keys are vulnerable when they are temporarily stored on the users' workstations.
B. Network traffic is not protected if encryption is not enabled.
C. More and more products are beginning to support it.
D. The KDC is a single point of failure.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Kerberos is an authentication protocol that allows principals to authenticate to each other. The KDC can be a single point of failure; keys are temporarily stored on users' workstations, which can be compromised; and if encryption is not enabled then network traffic is not protected from eavesdropping. Kerberos is also vulnerable to dictionary attacks, because material encrypted under the user's password-derived key can be captured and guessed against offline.

QUESTION 28
Capability tables are bound to what?

A. Objects
B. Users
C. Subjects
D. Models

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
A capability table is a list of the objects a subject is able to access along with the operations the subject can carry out on those objects. A capability table is bound to a subject and an access control list is bound to an object. Together they make up an access control matrix, the capability table being a row and the access control list being a column.
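The row/column relationship in this answer and in Question 1 (DAC enforced through ACLs held in a matrix), as an added example that is not part of the original question bank: one matrix of subjects against objects, from which a capability table is read out as a row and an ACL as a column. The subjects, objects and operations are constructed for this illustration.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Rows are subjects, columns are objects, each cell holds the permitted operations."""

    def __init__(self):
        self._cells = defaultdict(set)  # (subject, object) -> {operations}

    def grant(self, subject: str, obj: str, *ops: str) -> None:
        self._cells[(subject, obj)].update(ops)

    def revoke(self, subject: str, obj: str, *ops: str) -> None:
        self._cells[(subject, obj)].difference_update(ops)

    def check(self, subject: str, obj: str, op: str) -> bool:
        """The reference-monitor question: may this subject perform op on obj?"""
        return op in self._cells.get((subject, obj), set())

    def capability_table(self, subject: str) -> dict:
        """The row for one subject: every object it may reach and how (bound to the subject)."""
        return {o: sorted(ops) for (s, o), ops in self._cells.items() if s == subject and ops}

    def acl(self, obj: str) -> dict:
        """The column for one object: every subject that may touch it and how (bound to the object)."""
        return {s: sorted(ops) for (s, o), ops in self._cells.items() if o == obj and ops}


def build_example() -> AccessControlMatrix:
    """Constructed sample: a payroll spreadsheet and a firewall config shared by three users."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.xlsx", "read", "write")
    m.grant("bob", "payroll.xlsx", "read")
    m.grant("alice", "firewall.conf", "read")
    m.grant("carol", "firewall.conf", "read", "write", "execute")
    return m
```

Revoking is the operational difference between the two views: with an ACL you revisit one object and remove a subject from its column; with capability tables you must find and invalidate that subject's copy of the right, which is why ACL-style DAC dominates in operating systems.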

QUESTION 29
Doug, the security officer, has been told by his manager that people should not be accessing the company's servers during the weekend. What type of solution should Doug implement?

A. Anomaly-based IDS
B. Signature-based IDS
C. Restricted interfaces
D. Role-based access control

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A signature-based IDS is very straightforward. For example, if a signature-based IDS detects a packet that has all of its TCP header flags set to 1, it knows that an xmas attack is under way, so it sends an alert. A statistical anomaly-based IDS works differently. For example, if Bob has logged on to his computer at 6 A.M. and the profile indicates this is abnormal, the IDS sends an alert, because this is seen as activity that needs to be investigated. Weekend logons to the servers fall outside the learned profile in the same way, so the anomaly-based IDS will raise them. Note that an IDS only detects such access; a time-of-day restriction in the access control policy is what would prevent it.

QUESTION 30
Determining what a user can access based on the data, not the subject's identity, is called:

A. Content-based
B. Role-based
C. Rule-based
D. Capability table

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Content-based access controls look at the sensitivity of the data to determine whether a subject can access it. With content-dependent access control, access to an object is determined by the content within the object. Content-dependent filtering is what corporations use when e-mail filters look for specific strings, such as "confidential," "social security number," "top secret," and any other words the company deems suspicious.

QUESTION 31
All of the following are technical controls except:

A. Auditing
B. Testing
C. Network architecture
D. Encryption

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Testing is an example of an administrative control. Although it seems that testing may be a technical control, it is management's responsibility to ensure that proper testing takes place. Auditing pertains to software collecting data about the events that take place within a system and is a technical control.

QUESTION 32
The study and control of spurious electrical signals that are emitted by electrical equipment is called:

A. IDS
B. Zones
C. White noise
D. TEMPEST

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
TEMPEST was developed in the 1950s by the U.S. government to address electromagnetic radiation emitted from electrical equipment. Data can be captured from these electrical signals and reconstructed, which threatens the confidentiality of sensitive data.

QUESTION 33
It was uncovered that several attacks on a company's network have been successful. The manager was told that this is because anomaly scores were set improperly and most likely too low. What does this information pertain to?

A. The behavioral IDS system was not properly tuned
B. The IPS was not properly configured
C. The host-based IDS was not properly configured
D. The firewall was not properly configured

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A statistical anomaly-based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures, but rather are put in a learning mode to build a profile of an environment's "normal" activities. This profile is built by continually sampling the environment's activities. The longer the IDS is left in learning mode, in most instances, the more accurate a profile it builds and the better protection it provides. After this profile is built, all future traffic and activities are compared to it. The same type of sampling that was used to build the profile takes place, so the same type of data is being compared. Anything that does not match the profile is seen as an attack, in response to which the IDS sends an alert. With the use of statistical algorithms, the IDS looks for anomalies in the network traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If the score is higher than the established threshold of "normal" behavior, then the preconfigured action takes place. If the scoring is tuned so that malicious activity scores too low (equivalently, the alert threshold is set too high), malicious activity goes unnoticed; if it scores too high, the operators drown in false positives. Tuning is finding the threshold between the two.
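The two detection styles contrasted in this answer and in Question 29, as an added example (not code from the original question bank): a signature rule that fires on the xmas flag combination and nothing else, and a statistical profile of logon hours that scores each new event by its distance from normal and alerts only when the score clears a threshold. The packets, the learning-mode sample and the thresholds are all constructed; the z-score is one simple choice of anomaly score, not the algorithm of any particular product.

```python
import statistics

# Constructed packets: TCP flag bitmask (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32).
PACKETS = [
    {"src": "10.0.0.5", "flags": 0x02},        # plain SYN
    {"src": "10.0.0.5", "flags": 0x12},        # SYN/ACK
    {"src": "198.51.100.9", "flags": 0x3F},    # all six flags set: "xmas" scan
]
XMAS_MASK = 0x3F


def signature_xmas(packets):
    """Signature rule: every TCP flag bit set. Catches exactly what the rule describes, nothing new."""
    return [p["src"] for p in packets if p["flags"] & XMAS_MASK == XMAS_MASK]


# Constructed learning-mode sample: the hours at which one user logged on over two weeks.
PROFILE_HOURS = [8, 9, 9, 10, 8, 9, 11, 9, 10, 8, 9, 9]


def anomaly_score(value: float, profile) -> float:
    """Degree of irregularity: how many standard deviations the event sits from the profile mean."""
    mean = statistics.mean(profile)
    sd = statistics.pstdev(profile) or 1.0   # guard against a flat profile
    return abs(value - mean) / sd


def alerts(events, profile, threshold: float):
    """Only events whose score exceeds the threshold are raised.

    Set the threshold too high (or score events too low) and the 6 A.M. logon
    slips through; set it too low and every ordinary 10 A.M. logon pages someone.
    """
    return [e for e in events if anomaly_score(e, profile) > threshold]
```

The 6 A.M. logon from the explanation scores about 3.6 standard deviations out against this profile: a threshold of 3 raises it, a threshold of 4 silently drops it, which is exactly the mis-tuning the question describes.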


Exam E

QUESTION 1
Buffer overflows happen because:

A. Buffers can only contain a certain amount of data.
B. The length of the data is not checked at time of input.
C. Buffers are weak and easy to exploit.
D. The system's memory is insufficient.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Buffer overflows happen when the length of input data is not checked against the size of the buffer that receives it. The excess data corrupts adjacent memory, and if that memory holds control data such as a return address, the attacker can cause instructions of his choosing to be executed by the CPU.

QUESTION 2
Passwords serve many purposes. What is their primary purpose?

A. Allow file access
B. Identify users
C. Authenticate users
D. Separate different users' access permissions

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Passwords are the most commonly used authentication mechanism; they are also considered one of the weakest security mechanisms available.

QUESTION 3
If a company needs to ensure it detects all known attacks, what technology should it implement?

A. Behavioral IDS
B. Signature-based IDS
C. Rule-based IDS
D. Expert IDS

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine whether one has occurred within the network. Any action that is not recognized as an attack is considered acceptable. Knowledge-based IDS, also known as signature-based, can detect only known attacks. Anomaly-based IDS can detect new attacks that have no signatures yet.


QUESTION 4
Of the following choices, which is not a denial-of-service attack?

A. Zone transfer
B. Smurf
C. SYN flood
D. Teardrop

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A zone transfer is when a primary DNS server transfers its zone file to a secondary DNS server. It is not an attack in itself, but an unauthorized zone transfer hands an attacker a map of the network's hosts, so transfers should be restricted to known secondaries.

QUESTION 5
Which of the following are correct characteristics of anomaly-based IDSes?
i. Pattern matching
ii. Stateful matching
iii. Protocol anomaly-based
iv. Traffic anomaly-based
v. Rule or heuristic-based

A. i, ii
B. i, iii, iv
C. iii, iv, v
D. i, ii, iii, iv

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The following are the characteristics of signature-based versus behavioral-based IDSes:
- Signature-based
  - Pattern matching
  - Stateful matching
- Anomaly-based
  - Statistical anomaly-based
  - Protocol anomaly-based
  - Traffic anomaly-based
  - Rule or heuristic-based

QUESTION 6
One way to limit connections to a system is by calling back the number of a previously authorized location. This type of access protection system is called a:

A. Sendback system
B. Callback forward system
C. Callback system
D. Sendback forward system

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Callback systems provide access protection by calling back the number of a previously authorized location. This control can be compromised by call forwarding, however.

QUESTION 7
The XYZ company was attacked by an entity who was authorized to access system resources but who used them in a way not approved by those who granted the authorization. This is an example of:

A. An active attack
B. An outside attack
C. An inside attack
D. A passive attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
An inside attack is initiated by an entity inside the security perimeter who is authorized to access system resources but uses them in a way not approved by those who granted the authorization. An outside attack is initiated from outside the perimeter by an unauthorized or illegitimate user of the system. An active attack attempts to alter system resources to affect their operation. A passive attack attempts to learn or make use of information from the system but does not affect system resources.

QUESTION 8
Which of the following issues deals with reassigning to a subject media that previously contained one or more objects?

A. Browsing attack
B. Object reuse
C. Media optimization
D. Address reassignment

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Object reuse issues pertain to reassigning to a subject media that previously contained one or more objects. This means that before someone uses a hard drive, USB drive, or tape, it should be cleared of any residual information still on it. This concept also applies to objects reused by computer processes, such as memory locations, variables, and registers. Any sensitive information that may be left by a process should be securely cleared before another process is allowed to access the object.

QUESTION 9
Of the following choices, which would be the best password?

A. kitty360
B. DianaLynn
C. t1me4phUn
D. psswd

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The best passwords are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use small unrelated words or phonemes, ideally with a special character or number. Common names, dates of birth, family names, phone numbers, words found in dictionaries, or system defaults (such as psswd) should not be used.
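Why three of the four options fall and one does not, as an added example that is not part of the original question bank: a dictionary attack in practice is a wordlist plus mangling rules (case changes, appended digits, two-word joins), and each candidate below is tried against that. The wordlist and the rule set are constructed and deliberately small; a real cracker ships far larger ones, which is the caveat on any "strong" password built from a single dictionary word with a digit stuck on the end.

```python
import hashlib
import itertools

# Constructed wordlist: pet words, first names, a dictionary word and a system default.
WORDLIST = ["kitty", "diana", "lynn", "password", "psswd", "time", "fun", "summer"]
CANDIDATES = ["kitty360", "DianaLynn", "t1me4phUn", "psswd"]


def sha256_hex(s: str) -> str:
    """Stand-in for a captured password hash (unsalted, for the example only)."""
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word: str):
    """Typical cracking rules applied to one word: case variants and appended 0..999."""
    bases = (word, word.capitalize(), word.upper())
    for base in bases:
        yield base
        for n in range(1000):
            yield f"{base}{n}"


def candidates_from(wordlist):
    """Every guess the dictionary attack will make, in order."""
    for word in wordlist:
        yield from mangle(word)
    for a, b in itertools.permutations(wordlist, 2):   # "DianaLynn"-style joins
        yield a.capitalize() + b.capitalize()
        yield a + b


def crack(target_hash: str, wordlist):
    """Return (password, attempts) if a rule-generated guess matches, else (None, attempts)."""
    attempts = 0
    for guess in candidates_from(wordlist):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


def survivors(passwords, wordlist):
    """The passwords from the list that the dictionary attack does not recover."""
    return [p for p in passwords if crack(sha256_hex(p), wordlist)[0] is None]
```

kitty360 is a wordlist entry plus three digits, DianaLynn is two names joined, and psswd is the default itself; t1me4phUn survives because its substitutions and phonetic spelling put it outside what the rules generate from the words they start with.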

QUESTION 10
Of the following choices, which one is something that intrusion detection (ID) and response is not?

A. A preventive control
B. A detective control
C. A monitoring control
D. A reactive control

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Intrusion detection (ID) and response is the act of monitoring systems for evidence of an intrusion or inappropriate usage. It is a detective control, not a preventive one.

QUESTION 11
To properly enforce access control within an environment, which of the following should be carried out?
i. Deny access to systems by undefined users or anonymous accounts.
ii. Allow unlimited usage of administrator and other powerful accounts.
iii. Suspend or delay access capability after a specific number of unsuccessful logon attempts.
iv. Remove obsolete user accounts as soon as the user leaves the company.
v. Activate inactive accounts after 30 to 60 days.

A. i, iii, iv
B. i, ii, iii, iv, v
C. i, ii, iii
D. i, iv, v

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
The following should be practiced when enforcing access control within an environment:
- Deny access to systems by undefined users or anonymous accounts.
- Limit and monitor the usage of administrator and other powerful accounts.
- Suspend or delay access capability after a specific number of unsuccessful logon attempts.
- Remove obsolete user accounts as soon as the user leaves the company.
- Suspend inactive accounts after 30 to 60 days.

QUESTION 12
Jack has submitted his physical security program solutions to management for approval. One of the responses to his submission was that the company could not afford to employ security guards as he recommended. What type of control should Jack look at implementing?

A. Directive
B. Physical
C. Compensating
D. Administrative

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Any control can end up being a compensating control. An organization chooses a compensating control when another control is too expensive but protection is still needed. For example, a company can't afford a security guard staff, so it erects fences, which would be the compensating control. Another reason to use a compensating control is business need. If the security team recommends closing a specific port on a firewall, but the business requires that service to be available to external users, then the compensating control could be an intrusion prevention system (IPS) that closely monitors the traffic coming in on that port.

QUESTION 13
Password management could be classified as a:

A. Compensating control
B. Detective control
C. Preventive control
D. Technical control

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Password management is an example of a preventive control, preventing unauthorized users from accessing a system.

QUESTION 14
Of the following access control models, which one requires defining classification for objects?

A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
With mandatory access control (MAC), the authorization of a subject's access to an object depends upon labels that indicate the subject's clearance and the classification of the object.

QUESTION 15
Steven's staff has asked for funding to implement technology that provides Mobile IP. Which of the following would be a reason for employing this type of technology?

A. Employees can move from one network to another
B. Peer-to-peer networks would not be allowed
C. Security staff could carry out sniffing
D. Users would not be allowed to move their wireless devices and still stay connected to the network

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
This technology allows a user to move from one network to another and still use the same IP address. It is an extension of the IP protocol that gives a user a home address, associated with his home network, and a care-of address. The care-of address changes as he moves from one network to another, and all traffic addressed to his home IP address is forwarded to his care-of address.

QUESTION 16
Which of the following choices is not a two-factor authentication?

A. Something you know and something you have
B. A password and something you do
C. Something you do and something you are
D. A password and something you know

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
A two-factor authentication relies on two different kinds of evidence. A password is an example of something you know. Strong authentication combines two out of these three methods: something a person knows, has, or is. Whatever identification system is used, for the process to qualify as strong authentication it must include two out of the three categories. This is also referred to as two-factor authentication.

QUESTION 17
Tom's environment has RADIUS servers that authenticate remote users before they are allowed access to network resources. He has been asked for a solution to allow for authentication of the employees' smart phones, which cannot work with RADIUS. Tom needs a AAA protocol that is designed for cell phone usage. What type of solution should Tom suggest?

A. TACACS
B. TACACS+
C. Diameter
D. SESAME

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Diameter is an AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today's complex and diverse networks. It can allow wireless devices and smart phones to authenticate themselves to a company network.

QUESTION 18
Batch files and scripts should be stored in a protected area. Why is this?

A. Because of least privilege
B. So they cannot be accessed by operators
C. They may contain credentials
D. Because of need-to-know

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Because scripts contain credentials, they should be stored in a protected area and their transmission dealt with carefully.

QUESTION 19
What is the purpose of clipping levels?

A. To set allowable thresholds on a reported activity
B. To limit access to top management staff
C. To set personnel authority limits on a need-to-know basis
D. To encrypt data

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of 3 can be set for reporting log-on attempts at a workstation. Three or fewer failed log-on attempts by an individual at a workstation will not be reported.

QUESTION 20
Which of the following are used in an attack detected by an IDS?

A. An event-based ID or a statistical anomaly-based ID
B. A discrete anomaly-based ID or a signature-based ID
C. A signature-based ID or a statistical anomaly-based ID
D. A signature-based ID or an event-based ID

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
An IDS detects an attack through a signature-based ID or a statistical anomaly-based ID. Signature-based IDS are the most popular IDS products today, and their effectiveness depends upon regularly updating the software with new signatures, as with antivirus software. A statistical anomaly-based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures, but rather are put in a learning mode to build a profile of an environment's "normal" activities.

QUESTION 21
Which of the following describes the discrepancies in the following statement?
"In a TCP connection, the sender sends an SYN packet, the receiver sends an ACK, and then the sender acknowledges that packet with an ACK packet."

A. The sender sends a SYN/ACK
B. The sender sends an ACK
C. This describes a UDP connection
D. The receiver sends a SYN/ACK

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
In a TCP connection, the sender sends an SYN packet, the receiver sends an SYN/ACK, and then the sender acknowledges that packet with an ACK packet.

QUESTION 22
Dan is a senior manager within the security department of his company. He needs to make a purchasing decision on the type of access control products that should be implemented. The product that is purchased needs to ensure that managers can access a portion of a file or folder, but not others. What type of access control does this refer to?

A. DAC
B. PARB
C. MAC
D. RBAC

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The privacy of many different types of data needs to be protected, which is why many organizations have privacy officers and privacy policies today. The current access control models (MAC, DAC, RBAC) do not lend themselves to protecting data of a given sensitivity level, but instead limit the functions that the users can carry out. For example, managers may be able to access a Privacy folder, but there needs to be more detailed access control that indicates, for example, that they can access customers' home addresses but not Social Security numbers. This is referred to as Privacy Aware Role Based (PARB) access control.

QUESTION 23
Bob needs to implement role-based access control (RBAC) within his company. He has learned that there are several approaches to RBAC. He needs to ensure that users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. Which of the following should Bob choose to implement?

A. Non-RBAC
B. Limited RBAC
C. Hybrid RBAC
D. Full RBAC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
The types of RBAC are outlined below:
- Non-RBAC: Users are mapped directly to applications and no roles are used.
- Limited RBAC: Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality.
- Hybrid RBAC: Users are mapped to multi-application roles with only selected rights assigned to those roles.
- Full RBAC: Users are mapped to enterprise roles.

QUESTION 24
Joe is the manager of the network administration group. He has been told that one of the systems working in dedicated security mode has been configured to allow sensitive information to pass to a system working in multilevel security mode. What solution should he offer his team to implement?

A. Guards
B. IDS
C. IPS
D. RBAC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Software and hardware guards allow the exchange of data between trusted (high assurance) and less trusted (low assurance) systems and environments. For instance, if you were working on a MAC system (working in dedicated security mode of secret) and you needed it to communicate to a MAC database (working in multilevel security mode, which goes up to top secret), the two systems would provide different levels of protection. If a system with lower assurance can directly communicate with a system of high assurance, then security vulnerabilities and compromises could be introduced. A software guard is really just a front-end product that allows interconnectivity between systems working at different security levels.

QUESTION 25
Which of the following biometric technologies is considered the most accurate?

A. Retina
B. Iris
C. Signature
D. Facial

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The iris is the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows. The uniqueness of each of these characteristics within the iris is captured by a camera and compared with the information gathered during the enrollment phase. Of the biometric systems, iris scans are the most accurate. The iris remains constant through adulthood, which reduces the type of errors that can happen during the authentication process. Sampling the iris offers more reference coordinates than any other type of biometric. Mathematically, this means it has a higher accuracy potential than any other type of biometric.

QUESTION 26
Which of the following terms describes the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes?

A. Federated identification
B. Discretionary provisioning
C. Mandatory system identification and provisioning
D. User provisioning

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.

QUESTION 27
What is the difference between a session and a permanent cookie?

A. Permanent cookies are stored in memory and session cookies are stored on the hard drive
B. Session cookies are stored in memory and permanent cookies are stored on the hard drive
C. Sensitive information should be held in permanent cookies, not session cookies
D. Session cookies are not erased when a computer is shut down

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A cookie can be in the format of a text file stored on the user's hard drive (permanent) or it can be only held in memory (session). If the cookie contains any type of sensitive information, then it should only be held in memory and be erased once the session has completed.
