53 Ade 06-14 CISSP practice
Terms in this set (100)
Which layer is not part of the OSI model?
Which of the following is NOT associated with the access control principles?
Which of the following categories of access control implementation includes implementing security services such as smart cards, biometrics, access control lists, firewalls, and intrusion detection systems?
Logical Access Control
List the token-based authentication steps in the correct order.
Challenge > Response > Token Device Challenge > Valid Certificate > Authentication
Single sign-on (SSO) benefits do NOT include which the following?
Single point of failure
Which of the following uses a Key Distribution Center (KDC) to authenticate a principal?
What two cryptographic implementations does Kerberos use?
DES and RC4
Which intrusion detection system's efficiency decreases with encryption?
Attempting to crack a password by using common words from a text file is known as what kind of attack?
Modifying identifying information so as to make communication appear to come from a trusted source is known as:
Protection practices that can be used to prevent man-in-the-middle attacks include?
All of the above
Place the attack methodology in the correct order.
Target analysis > Target acquisition > Target access > Target appropriation > Target ownership
Which network topology's use of tokens allows prediction of node transmission delay and can be used as LAN or network backbone?
Which cable has a relatively low-speed transmission medium consisting of two insulated wires that are arranged in a regular spiral pattern?
Wireless transmission technologies include all of the following except?
Code division single access
Which of the following layers of the OSI model offer non-repudiation services?
What protocol solicits MAC address from devices on the network without requiring authentication?
Network Information Service (NIS) is used for what processes?
Manage user credentials across a group of machines in a UNIX environment
Which protocol offers native encryption capability, for both authentication and data transfer?
Weaknesses of TELNET include which of the following? (SELECT ALL THAT APPLY)
Limited to UserID/password authentication, No encryption, Usernames/passwords can be brute forced
What is the correct order in which the ISC2 Code of Ethics should be upheld?
Protect society, the commonwealth, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession.
Which software development model releases multiple beta versions and solicits frequent user feedback?
The software development model that is designed for large mainframe systems and requires an environment where developers work directly with users is:
The trait in object-oriented technology and programming that allows data to be stored in different objects at different levels is:
Which of the following is a software protection mechanism where all references to information and all changes to authorizations must pass through a small portion of the operating system?
Which of the following is NOT an information assurance strategy?
None of the above
Which of the following describes a virus which often resides on a machine by infecting a template and can cross platform boundaries as long as the application is present?
When malware infects a host and allows it to be used in a "botnet" for DDoS attacks, the host is said to be a _________ host.
Which of the following describes the type of anti-virus software that looks for suspicious sections of code generally found in malware?
Which of the following is not one of the four typical elements of a DBMS?
None of the above
True or false: Encryption is converting a message from ciphertext to plaintext.
True or false: Asynchronous encrypt and decrypt requests are processed immediately.
All of the following describes link encryption except:
Performed by the end-user
True or false: Polyalphabetic encryption techniques use multiple alphabets for each successive character replacement, making analysis much more difficult.
Which does NOT describe one-time pads?
May or may not be visible; may affect quality of the original
Which symmetric cipher is a Feistel-type block cipher with 64-128 bit blocks?
Which describes the symmetric cipher "Blowfish"?
Extremely fast, and uses very little memory
Which symmetric cipher is used in Bluetooth?
True or false: With public key cryptography, confidential messages with proof of origin are encrypted with the sender's private key and the public key of the recipient.
An employee believes their password was compromised while at work by a visitor shoulder surfing in the employee's workspace. Which of the following has been violated?
Which of the following attacks allows bypassing access control lists on routers, and aids an aggressor in identity hiding?
IP Spoofing Attack (router ACLs filter on IP addresses, so spoofing the MAC address alone does not bypass them)
Of the following plans, which is designed to protect critical business processes from natural or man-made failures or disasters and the consequential loss of capital due to the unavailability of normal business operations?
Business Continuity Plan
Which of the following terms refers to a mechanism which proves that the sender really sent a specific message?
Which of the following layers of the OSI model offers reliability of transmission services?
Which of the following forms of attack can be used to disrupt even the best physical and logical security mechanism to gain access to a system?
Social Engineering Attack
To authenticate the remote computer, which of the following protocols uses public-key cryptography?
Which of the following does NOT describe a State machine model?
Creates one-to-one relationships between subjects and objects
True or false: Information flow models help ensure that high-level actions (inputs) do not affect what low-level users can see (outputs).
Which security model describes strict layers of subjects and objects (active and passive parties, respectively), and defines clear rules of interaction between them?
Multilevel lattice models
Which one of the following describes the Information Technology Security Evaluation Criteria (ITSEC)?
All of the above
Which one of the following tests the system's hardware, software, and configuration in an environment like its eventual operational setting?
To maintain the security architecture, which of the following is true?
All of the above
Which one is a benefit of an enterprise security architecture?
All of the above
True or false: Defining technology security architecture in relationship with other technology domains is a benefit of the enterprise security architecture.
In defining and maintaining the enterprise security architecture, which aspect describes the creation of a catalog of inputs?
Document current technology positions
True or false: In defining and maintaining the enterprise security architecture, the gap analysis describes the security functionality in terms of generic components, component flows, and nodes.
Which one of the following is a common system component in the system security architecture?
All of the above
Which one of the following is NOT a common security service in the system security architecture?
Groups and protection services
Which of the following activities is NOT an example of a technical control?
A customer requests to connect their LAN to the internet. Which of the following devices do you recommend using to meet this goal?
You are building a personal e-commerce site and seek a simple security solution which does not require each customer to have an individual key. Which of the following encryption method below is your best solution?
Which of the following incident handling process phases is responsible for defining rules, assembling the personnel, creating a backup plan, and testing the plans for an enterprise?
Information will not be disclosed to any unauthorized person on a local network via which of the following cryptographic system services?
An organization is seeking to implement a hot site and wants to sustain a live database server at the alternate site. Which of the following solutions will be the best for the organization?
What is the best protection measure against unauthorized access to personal privacy information records in an area where systems are accessed by multiple employees?
The use of smart cards
Which of the following disaster recovery testing plans is the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?
Structured walk-through test
Which of the following plans is a comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information systems resources?
Disaster recovery plan
You are advising a non-profit organization on disaster recovery plans. In case a disaster affects the main IT centers for the organization, they will need to be able to operate from an alternate location. Budget for the solution is limited, but the organization can tolerate some downtime during a crisis. Which of the following is most appropriate for this type of client?
Which of the following is responsible for maintaining certificates in a public key infrastructure (PKI)?
True or false: Copyright conveys exclusive rights to the owner of markings the public uses to identify that owner's goods and products.
All of the following is true about 'trade secrets' EXCEPT:
Registered with a government registrar
Which of the following is the technology of indoor environmental comfort?
Which of the following is NOT a natural environmental threat that an organization faces?
Which of the following refers to a location away from the computer center where document copies and backup media are kept?
Which of the following statements about incremental backup are true? (CHECK ALL THAT APPLY)
It is the fastest method of backing up data, It backs up only the files changed since the most recent backup and clears the archive bit, A full restoration of data will be slower since all increments must be restored
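The incremental-backup card above turns on the archive bit: incremental copies whatever is flagged and clears the flag, so each daily set is small but a restore must replay the full set plus every increment in order. The following is an added example (not part of the flashcard set) that models both strategies on a constructed three-file change pattern and counts how many media sets a restore needs; the file names and the weekly change pattern are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class File:
    name: str
    version: int = 0
    archive_bit: bool = True   # the OS sets this whenever the file is written


class BackupSet:
    """Constructed model of backup media: one full set plus later partial sets."""

    def __init__(self):
        self.full = {}
        self.partials = []     # incremental or differential snapshots, in order


def modify(files, name):
    for f in files:
        if f.name == name:
            f.version += 1
            f.archive_bit = True   # file now needs backing up again


def full_backup(files, bset):
    bset.full = {f.name: f.version for f in files}
    bset.partials = []
    for f in files:
        f.archive_bit = False


def incremental_backup(files, bset):
    """Copy files changed since the most recent backup of any kind and clear the
    bit, so the next incremental only picks up newer changes."""
    snap = {f.name: f.version for f in files if f.archive_bit}
    for f in files:
        f.archive_bit = False
    bset.partials.append(snap)
    return snap


def differential_backup(files, bset):
    """Copy files changed since the last FULL backup; the bit is left set, so each
    differential grows until the next full backup."""
    snap = {f.name: f.version for f in files if f.archive_bit}
    bset.partials.append(snap)
    return snap


def restore(bset, strategy):
    """Rebuild the file set; returns (state, number of media sets read)."""
    state = dict(bset.full)
    if strategy == "incremental":
        for snap in bset.partials:      # full + every increment, in order
            state.update(snap)
        return state, 1 + len(bset.partials)
    if bset.partials:                   # full + only the newest differential
        state.update(bset.partials[-1])
        return state, 2
    return state, 1


def run_week(strategy):
    """Simulate a full backup followed by four daily partial backups on a
    constructed change pattern. Returns (files copied per day, sets needed to
    restore, restored state)."""
    files = [File("payroll.db"), File("policy.docx"), File("report.xlsx")]
    bset = BackupSet()
    full_backup(files, bset)
    daily_changes = [["payroll.db"], ["payroll.db", "policy.docx"], [], ["report.xlsx"]]
    backup = incremental_backup if strategy == "incremental" else differential_backup
    copied = []
    for changed in daily_changes:
        for name in changed:
            modify(files, name)
        copied.append(len(backup(files, bset)))
    state, sets_needed = restore(bset, strategy)
    assert state == {f.name: f.version for f in files}   # restore is lossless
    return copied, sets_needed, state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        copied, sets_needed, _ = run_week(strategy)
        print(f"{strategy:12s} copied per day={copied} sets needed to restore={sets_needed}")
```

The incremental run copies the fewest files each day but needs five sets to restore; the differential run copies more each day (day three re-copies two unchanged-since-yesterday files because the bit was never cleared) but restores from two sets. That trade-off is the whole point of the exam question.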
In which of the following alternative site configurations is the backup facility maintained in a constant order, with a full complement of servers, workstations, and communication links ready to assume the primary operations responsibility?
Which of the following approaches for identifying appropriate BIA interviewees includes reviewing the enterprise's functional positions?
Organizational chart reviews
You have been assigned the task of selecting a hash algorithm for your organization to be specifically used to ensure the integrity of certain sensitive files. It must use a 128-bit hash value. Which of the following is your best selection?
You are required to implement a hashing method in your organization's enterprise that can resist forgery and is not susceptible to a man-in-the-middle attack. Which of the following methods will you use to achieve the task?
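The card above asks for a hashing method that resists forgery by a man in the middle. A bare hash does not: whoever can rewrite the message can recompute the hash. A keyed hash (HMAC) cannot be recomputed without the key. The following is an added example (not from the flashcard set) contrasting the two on a constructed payment message; the key is generated at load time and the "attacker" and message contents are made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed: a key shared only by sender and verifier (never sent on the wire).
KEY = secrets.token_bytes(32)


def unkeyed_tag(message):
    """Naive integrity 'protection': a bare SHA-256 sent alongside the message.
    Anyone who can change the message can recompute this."""
    return hashlib.sha256(message).digest()


def keyed_tag(message, key=KEY):
    """HMAC-SHA256: producing a valid tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_unkeyed(message, tag):
    return hmac.compare_digest(unkeyed_tag(message), tag)


def verify_keyed(message, tag, key=KEY):
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(keyed_tag(message, key), tag)


def man_in_the_middle(message, tag, scheme):
    """Attacker rewrites the message in transit and tries to fix up the tag using
    only public information (no key). Returns (new_message, new_tag)."""
    forged = message.replace(b"amount=100", b"amount=9999")
    if scheme == "unkeyed":
        return forged, unkeyed_tag(forged)   # trivially recomputed
    return forged, tag                        # best effort: replay the old tag


def demo(scheme):
    """True if the verifier accepts the tampered message under this scheme."""
    original = b"payee=alice;amount=100"
    tag = unkeyed_tag(original) if scheme == "unkeyed" else keyed_tag(original)
    forged, forged_tag = man_in_the_middle(original, tag, scheme)
    verify = verify_unkeyed if scheme == "unkeyed" else verify_keyed
    return verify(forged, forged_tag)


if __name__ == "__main__":
    print("unkeyed hash accepts forgery:", demo("unkeyed"))   # True
    print("HMAC accepts forgery:        ", demo("keyed"))     # False
```

Note that the key must reach the verifier out of band; HMAC gives integrity and origin assurance between the two key holders, not non-repudiation, which needs a digital signature.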
A ___ analysis emphasizes the formal study of what your organization is doing currently and where it will be in the future.
Which of the following processes identifies the threats that can impact the business continuity of operations?
Business impact analysis
Which type of law is derived from court decisions and codification of British law dating back to the 12th century?
True or false: Administrative law is concerned with confining government power, curtailing governmental abuses, ensuring procedural adherence, and ensuring performance of statutory duties.
Which one of the following is a characteristic of tort law?
Damages usually entail monetary restitution, which can be compensatory, punitive, or statutory
Which one of the following is true about the criminal law?
Punishments may include loss of personal freedom (to include death) or monetary fines
Which one best describes the religious law?
Punishments may take any and all forms
Which one of the following is designed to protect the goodwill and reputation a merchant or vendor invests in its products?
The security concept of operation is developed from whose perspective?
The_________________ risk is the risk that remains after the implementation of new or enhanced controls.
As an operational system engineer, you are responsible for verifying that a software build meets its data requirements, and correctly generates projected displays and reports. Which type of testing is best used to achieve your goals?
Many organizations purchase insurance policies to provide various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc. Which of the following risk management techniques is being employed?
Which phase of the incident response process is triggered by awareness?
Which security operation control enables checks and balances to reduce fraud?
Separation of duties
In managing security services effectively, incident management handles which of the following? (check all that apply)
Which of the following are considered biometric access control systems? (check all that apply)
Iris pattern, Vascular patterns, Keystroke dynamics
Which of the following is true about maintaining the chain of custody of a digital investigation?
Keep a log of every person who had physical custody of the evidence, documenting the actions that they performed on the evidence and at what time
True or false: The Investigative phase of the incident response process includes detection, identification, and notification.
Management should decide when a system should be returned to operational status in which phase of the incident response process?
Which of the following is best described as small changes in an algorithm or key that will result in massive changes to the message?
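The card above describes the avalanche effect: a one-bit change to the input should change roughly half the output bits. The following is an added example (not from the flashcard set) that measures this for SHA-256 and, for contrast, for a plain additive checksum that has no such property; the sample message is constructed for illustration.

```python
import hashlib

# Constructed sample input; any bytes work.
SAMPLE = b"Transfer 100.00 to account 12345678"


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted (bit 0 = LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a, b):
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sha256(data):
    return hashlib.sha256(data).digest()


def additive_checksum(data):
    """A non-cryptographic 32-bit checksum: flipping one input bit changes the sum
    by a power of two, so only a handful of output bits move."""
    return (sum(data) & 0xFFFFFFFF).to_bytes(4, "big")


def avalanche(func, data, bit_index):
    """Fraction of output bits that change when one input bit is flipped."""
    h1, h2 = func(data), func(flip_bit(data, bit_index))
    return hamming_distance(h1, h2) / (len(h1) * 8)


def worst_case(func, data):
    """Smallest avalanche fraction over every single-bit flip of the input.
    A good hash stays near 0.5 for all of them; a checksum collapses toward 0."""
    return min(avalanche(func, data, i) for i in range(len(data) * 8))


if __name__ == "__main__":
    print("sha256 flip bit 0, fraction changed:", avalanche(sha256, SAMPLE, 0))
    print("sha256 worst case over all bits:     ", worst_case(sha256, SAMPLE))
    print("additive checksum worst case:        ", worst_case(additive_checksum, SAMPLE))
```

The same measurement applies to block ciphers: flip one key or plaintext bit and compare ciphertext blocks. A cipher or hash that fails it leaks structure that an attacker can exploit.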
True or false: Substitution is mixing the location of plaintext throughout the ciphertext adding a level of complexity to the process.
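The polyalphabetic card earlier in the set and the substitution-versus-transposition card above are easier to reason about with the three classical operations side by side. The following is an added example (not from the flashcard set) implementing a Caesar shift (monoalphabetic substitution), a Vigenère cipher (polyalphabetic substitution) and a columnar transposition, then comparing the index of coincidence of each ciphertext: substitution with one alphabet and transposition leave the letter statistics intact, which is why frequency analysis breaks them, while the polyalphabetic cipher flattens them. The sample plaintext and the key "AUTHORIZED" are constructed for illustration.

```python
import string
from collections import Counter

ALPHA = string.ascii_uppercase

# Constructed sample plaintext; long enough that letter statistics are meaningful.
SAMPLE = ("Defense in depth layers multiple independent controls so that the "
          "failure of any single control does not expose the system. Access "
          "control lists on routers filter packets by address and port, while "
          "encryption protects the confidentiality of data in transit and at "
          "rest. Strong authentication combines something you know with "
          "something you have. Separation of duties ensures that no single "
          "person can both request and approve a change, and logging of every "
          "access attempt supports later investigation.")


def clean(text):
    """Keep only A-Z, uppercased: classical ciphers work on the 26-letter alphabet."""
    return "".join(c for c in text.upper() if c in ALPHA)


def caesar(text, shift, decrypt=False):
    """Monoalphabetic substitution: one fixed shift for every letter."""
    k = -shift if decrypt else shift
    return "".join(ALPHA[(ALPHA.index(c) + k) % 26] for c in clean(text))


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the shift cycles through the key letters, so
    the same plaintext letter is replaced by different ciphertext letters."""
    key = clean(key)
    out = []
    for i, c in enumerate(clean(text)):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)


def columnar_transposition(text, cols, decrypt=False):
    """Transposition: letters keep their identity, only their positions move.
    Encryption pads with X to whole rows and reads the grid column by column;
    decryption expects exactly that padded output."""
    t = clean(text)
    if not decrypt:
        t += "X" * ((-len(t)) % cols)
        return "".join(t[c::cols] for c in range(cols))
    rows = len(t) // cols
    columns = [t[c * rows:(c + 1) * rows] for c in range(cols)]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal. English prose
    sits near 0.066, uniformly random letters near 0.038. A single-alphabet
    substitution leaves it exactly unchanged, transposition essentially so (up to
    padding); a polyalphabetic cipher pulls it toward the random value."""
    t = clean(text)
    n = len(t)
    counts = Counter(t)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def compare_ciphers(plaintext=SAMPLE, key="AUTHORIZED", cols=7):
    """Return the index of coincidence of the plaintext and of each ciphertext."""
    return {
        "plaintext": index_of_coincidence(plaintext),
        "caesar": index_of_coincidence(caesar(plaintext, 3)),
        "transposition": index_of_coincidence(columnar_transposition(plaintext, cols)),
        "vigenere": index_of_coincidence(vigenere(plaintext, key)),
    }


if __name__ == "__main__":
    for name, ic in compare_ciphers().items():
        print(f"{name:14s} IC = {ic:.4f}")
```

Running it shows the Caesar and transposition values equal (or nearly equal) to the plaintext's, and the Vigenère value noticeably lower: the multiple alphabets hide the single-letter frequencies, which is exactly what the polyalphabetic card claims. Kasiski examination and splitting the ciphertext by key period recover those statistics again, which is why the card says "much more difficult", not "impossible".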