Get certified! Sit for the ISSO exam. (Visit www.mile2.com/exams.html)
© Copyright – mile2
All materials, including pages, documents, software and graphics where applicable are the property of mile2 and are protected by federal and international copyright laws. No part of these materials may be reproduced, re-used or redistributed for any commercial purpose whatsoever, or distributed to a third party for such purpose, without express written permission from mile2. This Student Guide and Reference Materials are licensed solely for single use by mile2 students in classes officially sanctioned by mile2 (see www.mile2.com to confirm your event is on our public schedule). * CISSP, SSCP and CBK are registered certification marks and CAP is a service mark of (ISC)², Inc.
Questions and Answers
Certified Information Systems Security Officer
CISSO Study Materials
Domain One – Risk Management
What to know:
Definitions – threat, vulnerability, asset, exposure, likelihood, consequence (impact), SLE, ARO, ALE,
residual risk, quantitative, qualitative, Delphi technique
1) When an organization has very little history of previous attacks or is uncertain of the impact or
likelihood of risk scenarios, which is a better risk assessment approach?
a. Quantitative
b. Hybrid
c. Failure Modes and Effects (FMEA)
d. Qualitative
Answer D – A qualitative approach uses the expert input of all stakeholders to rank the level
(degree) of impact an incident would have on the business ‐ often through a Delphi method of
data gathering.
A hybrid model is what most organizations use – a combination of quantitative and qualitative
since neither approach is sufficient on its own.
Failure modes and effects is the risk model based on manufacturing. When an adverse event
happens on an assembly line – the impact will then ripple down through the rest of the line.
2) What is the primary deliverable of a risk analysis effort?
a. Risk Register
b. Risk Assessment Report
c. Business Impact Analysis
d. Risk mitigation strategy
Answer B – The primary deliverable of a risk assessment should be a risk assessment report. This
report outlines the identified risk, the severity of the risk, and suggestions for risk response. This
information will guide the risk response effort in the next phase of risk management.
The risk register is an important document that tracks the risk that an organization has identified
and the plans and schedule for addressing the risk. It should be updated with the status of all
risk – not just the new risk from the risk assessment.
Business Impact Analysis looks at what impact (quantitative and qualitative) an incident may
have on the business. This is a part of Business Continuity Management not Risk Assessment.
The Risk mitigation strategy examines how an organization plans to respond to identified risk,
including the priorities, schedule and resources required.
3) Total Risk – Control Effectiveness = ?
a. Risk Likelihood
b. Risk Acceptance
c. Residual Risk
d. Cost/benefit analysis
Answer C ‐ This is a formula that will help determine the cost benefit of a risk mitigation
strategy as well as determine whether the amount of risk that remains after implementing a
control is within acceptable limits.
Risk likelihood (or probability) is the chance that an adverse event may occur.
Risk Acceptance is the level of risk that senior management is willing to tolerate or “live with”.
This is based on the value of the asset being protected and the cost of reducing the risk further.
Cost/benefit analysis is based on the principle that one should never pay more to protect an
asset than it is worth. When the cost of the control or safeguard exceeds the value obtained,
then management will usually decide not to implement the safeguard.
4) Jason has to decide the best way to respond to an identified risk to a critical product or service.
What is the best alternative if the cost of reducing the risk would exceed the benefit obtained?
a. Risk Avoidance
b. Risk Transference
c. Risk Acceptance
d. Risk Reduction
Answer C – if the cost to protect an asset exceeds the benefit then it would not be
recommended to implement the protection.
Risk Avoidance is the act of ceasing an activity if the risk is too great and cannot be adequately
mitigated.
Risk transference is the action of passing a risk to another party – such as purchasing insurance
to cover the costs of an incident should it happen.
Risk reduction is the process of decreasing the level of risk through the implementation of a
control or controls. A control will usually either reduce the likelihood of an adverse event
occurring or it will reduce the level of impact should an unwanted incident occur.
5) The SLE is $1,000,000 and the ARO is the likelihood of one incident every ten years. What is the
ALE?
a. $10,000
b. $100,000
c. $10,000,000
d. Impossible to determine since not enough data is available
Answer B – Single Loss Expectancy (SLE) = Asset Value * Exposure Factor (the amount of damage
or loss to the asset from one incident). Annual Rate of Occurrence (ARO) is the number of
incidents per year. Annualized Loss Expectancy (ALE) = SLE * ARO. For this question:
ALE = SLE * ARO
100,000 = 1,000,000 * 1/10
The other answers would not solve the equation correctly, and sufficient information has been
provided to enable the calculation of ALE.
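The SLE/ARO/ALE arithmetic from Q5, the residual-risk formula from Q3 and the cost/benefit test behind risk acceptance in Q4, worked together in code. This is an added illustration, not part of the study guide; the asset, the two controls and the dollar figures are constructed.

```python
"""Quantitative risk figures from Domain One: SLE, ARO, ALE, residual risk and
the cost/benefit test behind risk acceptance.

Added illustration, not from the study guide; the asset, controls and dollar
figures used below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year (1/10 = once a decade)

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # a control that reduces impact
    new_aro: Optional[float] = None              # a control that reduces likelihood

    def apply(self, before: Scenario) -> Scenario:
        """The scenario as it looks once the control is in place."""
        ef = before.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = before.aro if self.new_aro is None else self.new_aro
        return Scenario(before.asset_value, ef, aro)


def residual_risk(before: Scenario, control: Control) -> float:
    """Total risk (ALE before) minus control effectiveness (the ALE it removes) = ALE after."""
    return control.apply(before).ale()


def control_value(before: Scenario, control: Control) -> float:
    """Annual value of a safeguard: the ALE reduction minus what the safeguard costs per year."""
    return before.ale() - residual_risk(before, control) - control.annual_cost


def recommend(before: Scenario, control: Control) -> str:
    """Reduce the risk when the control pays for itself; otherwise accept the risk (Q4)."""
    return "reduce" if control_value(before, control) > 0 else "accept"


if __name__ == "__main__":
    # Q5: SLE $1,000,000 and one incident every ten years -> ALE $100,000
    q5 = Scenario(asset_value=1_000_000, exposure_factor=1.0, aro=1 / 10)
    print(f"Q5 ALE = ${q5.ale():,.0f}")

    # Constructed case: a $1M asset, half of it lost per incident, once a decade.
    s = Scenario(asset_value=1_000_000, exposure_factor=0.5, aro=0.1)
    for c in (Control("offsite backups", annual_cost=20_000, new_exposure_factor=0.1),
              Control("full platform rebuild", annual_cost=60_000, new_aro=0.0)):
        print(f"{c.name}: residual ALE ${residual_risk(s, c):,.0f}, "
              f"value ${control_value(s, c):,.0f}/yr -> {recommend(s, c)}")
```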
Domain Two ‐ Security Management
What to know:
Policy, procedures, baselines, standards, guidelines, roles and responsibility, training, employee
development
1) What is the role of the Information Owner?
a. Ensure the protection of data they own at all times, on all systems
b. Protect information in their department
c. Safeguard information on the systems they own
d. Determine the correct way to back‐up their information
Answer A – the role of the information owner is to be responsible for the protection of information
at all points during the information lifecycle – from the time the information is first received,
through all the processing, storage and communication of the information until the time when the
information is discarded. Not all information has to be protected to the same level – some
information is much more sensitive than other information. The information owner must be a senior
manager with the authority to require that all system owners and administrators that handle
information “owned” by the information owner enforce the policy and procedures mandated by the
information owner.
B is not correct since the authority of the information owner is enterprise wide, or at least will most
often span several departments. The owner is responsible for the information sent to other
departments or even to business partners.
C is not correct since the information owner may also be a system owner and therefore would be
responsible for protecting information on their system, but they also have responsibility outside of
their systems or department.
D is not correct. Part of the responsibility of the information owner is to ensure that information will
be available when required – through access controls and backups. But this is only one part of the
role of the information owner and is therefore not a complete answer.
2) What is the role of Senior Management?
a. Set out the proper procedures for handling information
b. Determine the appropriate baseline controls for systems components
c. Be ultimately accountable for information security
d. Lead any investigations into security breaches
Answer C – Senior management is ultimately accountable for all the assets of the organization
including the information security program.
Answers A, B and D are incorrect since these are the roles of systems and security administrators,
not senior management.
3) What is the best treatment for the problem of social engineering?
a. Strict disciplinary policy
b. Awareness training
c. Prompt investigation of all incidents
d. Follow‐up and evaluation of policy
Answer B – awareness training may be the only effective way to treat the problem of social
engineering. There is no technical solution that will address the threat of social engineering
properly.
Answers A, C and D are all a part of incident investigation and may help deter social engineering
but are not as effective as awareness training.
4) What is the intent and objective of policy?
a. Create consistent steps for security activity
b. Provide direction for all employees
c. Define the best configuration for network devices
d. Comply with laws and regulations
Answer B – the purpose of policy is to provide direction for the employees, set out
accountability and responsibility, authority, and set out the culture of the organization.
Answer A is incorrect since that would be the definition of a procedure.
Answer C would refer to the baseline configuration of network devices.
Answer D is incorrect since a policy must comply with laws but that is not the objective of the
policy.
5) Andrew wants to encourage all employees and students to choose good passwords. What would
he use to encourage this behavior, if he cannot mandate or force strong password rules?
a. Recommendations and guidelines
b. Procedures and policy
c. Baseline controls and settings
d. Hardware and software standards
Answer A – recommendations are a way to encourage and set expectations for proper password
management.
All of the other answers refer to mandatory actions and are not just ways to encourage proper
behavior.
Domain Three – Authentication
What to know:
User versus node authentication, types of authentication – what you know, have, are, where you are,
single sign on, biometrics
1) The point at which False Acceptance and False Reject Errors intersect on a biometric device
is known as:
a. The equal crossover rate
b. The crossover error rate
c. The False error rate
d. The minimum error rate
Answer B.
The other answers are not correct terms and were only made up as distractors.
2) A smartcard would be an example of which type of authentication?
a. What you have
b. What you are
c. What you know
d. Node authentication
Answer A – a smartcard is something a user would possess in order to validate their identity.
Answer B refers to a biometric device, answer C to a password or PIN, and answer D to
authentication of a location (IP or MAC address, for example).
3) The purpose of a token is to generate
a. A static password value
b. A challenge value
c. A digital signature
d. A one‐time password
Answer D – a token generates a one time or dynamic password. Tokens may be synchronous or
asynchronous, event or time based.
Answer A is incorrect – a regular password that does not change for a set amount of time is
“something you know” and is subject to a replay attack.
Answer B is used by asynchronous tokens as a challenge or nonce value which the user must
respond to with the correct value.
Answer C is incorrect – a digital signature validates the source and integrity of a message but is
not a token.
4) An advantage of single sign on is
a. Centralized administration
b. Multiple layers of authentication
c. Enforcement of secure password rules for all passwords
d. Two factor authentication
Answer A ‐ There are many advantages to single sign on including a single point of
administration and consistent application of rules.
A single sign on solution is not in itself a layered defense tool and may not require two factor
authentication.
The single sign on solution should require the selection of a strong password but many single
sign on solutions use back end scripts that will use weak, static passwords.
5) Authentication is:
a. Uniquely identifying each user and process
b. Ensuring that all users have the correct level of access
c. Tracking all activity to the correct user
d. Validating that the identity is owned by the person presenting it
Answer D – this is the definition of authentication.
Answer A refers to Identification; answer B to Authorization; answer C to Accounting or Auditing.
Domain Four – Access Controls
What to know:
Identification, authentication, authorization, accounting, information classification, reference monitor,
types of controls, rule based, role based, RADIUS, TACACS+
1) Who is responsible for the classification of information?
a. User
b. Senior Management
c. Information owner
d. Security department
Answer C – the information owner is responsible for the classification of information.
Answers A, B and D are incorrect – these people are not responsible for information
classification. The information owner is a member of the Senior Management team; however, the
role of owner must be given to a specific individual, not to a group.
2) Mandatory Access Control is based on:
a. Policy, owner, and labels
b. Procedures, rules, and roles
c. Security, standards, and baselines
d. Subject, objects and reference monitor
Answer A – mandatory access control (MAC) is based on the mandates of policy, ownership and
clearance and classification labels.
The other answers are not applicable to mandatory access control.
3) The security kernel enforces access rules and is an implementation of the concept of:
a. Role based access control
b. Separation of duties
c. Reference monitor
d. Security policy
Answer C – the security kernel is an implementation of the reference monitor concept of access
control. The reference monitor refers to the concept that all access must be mediated, the
access rules should be protected from modification and the system must be testable and the
implementation of rules that enforce security between subjects (the active entity) and objects
(the passive entity).
Role based access control (RBAC) may be a method of implementing the reference monitor.
Separation of duties divides a job into several sub‐tasks which must be executed by different
people thus providing protection from fraud or error. Security policy mandates how access is
granted but policy is a mandatory document not a concept.
4) Which protocol does TACACS+ use for network communications?
a. ICMP
b. DNS
c. UDP
d. TCP
Answer D ‐ TACACS+ uses TCP and encrypts the entire authentication process.
ICMP is used by system and network administrators to test connectivity, DNS is the translation
of Web site names to IP addresses and UDP is used by RADIUS. RADIUS only encrypts the
password not the entire authentication process.
Domain 5 – Security Models
What to know:
Layering, ring protection, Bell LaPadula, Biba, Clark Wilson, Graham Denning, Brewer Nash, Information
flow, state, Common Criteria, Certification and accreditation
1) The security kernel runs at which level of the ring protection model?
a. Ring 0
b. Ring 3
c. Reference core
d. Privileged ring
Answer A – the security kernel runs at Ring 0 – the innermost ring. Users and applications run at
Ring 3, I/O devices at Ring 1, and Utilities and Drivers at Ring 2.
Answers C and D are made up distractors.
2) Encapsulation is a property of:
a. Mutual exclusivity
b. HTTP
c. Hashing
d. OSI
Answer D – encapsulation and layering are two of the fundamental features of the OSI (Open
Systems Interconnection, ISO 7498) model.
Hypertext transfer protocol (HTTP) is used for transferring web pages, hashing is used for message
integrity and mutual exclusivity is the concept of ensuring separation of duties and restrictions
based on not allowing a user or process to execute multiple competing or conflicting actions.
3) The Chinese wall is also known as :
a. Bell LaPadula
b. Clark Wilson
c. Brewer Nash
d. Common Criteria
Answer C – Brewer Nash which was written for audit firms to ensure that personnel engaged in
work for one client would not be able to access data about competing clients.
Bell LaPadula was based on confidentiality and was the implementation of the Orange Book
(TCSEC) for the US DoD.
Clark Wilson is the model that enforced the three goals of integrity – unauthorized users cannot
make modifications, authorized users cannot make improper modifications, and maintain
internal and external consistency. It accomplished this through the enforcement of well‐formed
transactions, the access triple (subject – program – object), and separation of duties.
The Common Criteria (ISO 15408) is a process for evaluating security products.
4) The Protection Profile (PP) refers to:
a. Devices that provide a certain type of security
b. The evaluated level of performance
c. The security function of an evaluated product
d. The secure configuration of a device
Answer A – The Protection Profile refers to the category of products that provide a certain type
of security.
The evaluation level of performance is measured by the Evaluated Assurance Level (EAL).
The security function of the evaluated product is a combination of the Protection Profile and the
Security Target (ST). It refers to what security the device will provide and under which operating
conditions.
The secure configuration of the device would be the security baseline that would enable the
required security functionality.
Domain Six – Operations Security
What to know:
RAID, Operational Assurance, Change control, Trusted recovery, Penetration testing
1) The first step in a penetration test is:
a. Gaining Access
b. Covering tracks
c. Enumeration
d. Exploitation
Answer C – the first step in a penetration test is to learn about the target network – devices,
addresses, layout, operating systems, etc. This is the process of fingerprinting, scanning or
enumeration.
The other steps listed here in sequence are Gaining Access or exploitation, and covering tracks.
2) RAID3 uses:
a. Byte level parity
b. Interleaved parity
c. Mirroring
d. Striping and mirroring
Answer A – RAID3 uses striping with byte level parity on a dedicated parity drive. RAID4 uses striping
with block level parity on a dedicated parity drive and RAID5 uses striping with block level parity
interleaved across all drives.
RAID 1 uses mirroring. RAID 10 and 0+1 use striping and mirroring.
3) The primary purpose of change control is:
a. To ensure that all changes are scheduled with 5 days’ notice
b. To protect the organization from unauthorized changes
c. To document all changes
d. To review the effect of changes on the users
Answer B – the purpose of a change control process is to manage change and protect the
organization from unmanaged or unauthorized changes to configurations, hardware, projects or
software.
Answer A is incorrect – some changes will be scheduled long in advance depending on the ability of
the organization to shut down critical systems for a time period, or they may be emergency changes
that must be done very quickly to repair disabled systems.
Answers C and D are both part of change control but are not the primary purpose of change control.
4) Shahid has been hibernating his machine every day for several weeks and notices that its
performance is very slow. The best solution for this condition is:
a. Emergency restart
b. Cold booting
c. System reboot
d. Trusted recovery
Answer C – due to memory leakage (applications that do not release memory when they shut
down; releasing that memory is sometimes referred to as ‘garbage collection’), the best cure for a
slow machine is often a managed system reboot – being turned off and then on again by the
administrator.
An emergency system restart is an uncontrolled failure (blue screen of death) that requires the
machine to be restarted – and often requires the user to clean up files that did not close
properly.
A Cold Boot is the catastrophic failure of a system that requires rebuilding and reinstalling of
operating system components.
A trusted recovery is the secure recovery of a system often through single user mode that will
not allow any users onto the system until the security features are enabled and the system is
stable.
Module 7 and 8 – Symmetric Cryptography and Hashing, Asymmetric Cryptography and Public Key
What to know:
Symmetric and Asymmetric algorithms, advantages and disadvantages of symmetric versus asymmetric
algorithms, message integrity, digital signatures, certificates and PKI, attacks
1) Muhammad needs to transmit a large confidential file to Carol. Which type of algorithm should
Muhammad use for that? Why?
Answer – a symmetric algorithm, since it provides for confidential transmission of sensitive data and is
computationally fast.
2) What are the advantages of symmetric algorithms?
Answer – confidentiality, some integrity (through CBC-MAC or HMAC), speed, freely available.
Disadvantages are key management (out-of-band distribution, scalability) and limited security
(does not support non-repudiation, authentication or access control).
3) What is the purpose of a hash?
Answer – a value calculated on the entire message to prove message integrity.
Examples are MD5, SHA-1, HAVAL, RIPEMD-160.
4) What are the benefits of a digital signature?
Answer – it proves message origin and integrity.
It is calculated by encrypting (signing) a hash of the message with the private key of the originator.
5) List five symmetric algorithms:
Answer – DES, 3DES, IDEA, SAFER, MARS, AES (Rijndael), Serpent, RC5, RC6, Blowfish, Twofish, CAST.
RC4 is also symmetric but it is a stream cipher – all of the above are block ciphers.
6) List three asymmetric algorithms:
Answer – RSA, Diffie-Hellman, ECC (Elliptic Curve Cryptography).
7) What are the two most important fields in a public key certificate?
Answer – the name of the certificate owner and the owner’s public key, because the purpose of a
certificate is to link a public key with its rightful owner.
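The hash-then-sign mechanism from Q3 and Q4 (hash the whole message, sign the hash with the originator's private key, verify with the public key), as an added illustration that is not part of the study guide. It uses textbook RSA with two small constructed primes so it runs with only the standard library; the key, the unpadded scheme and the messages are toys for understanding the mechanism, not a usable signature scheme.

```python
"""Hash-then-sign: a digital signature is the hash of the entire message
encrypted (signed) with the originator's private key, and checked with the
matching public key.

Added illustration, not from the study guide.  Textbook RSA with two small
fixed primes so that it runs with only the standard library; the key pair is a
constructed toy and the scheme (no padding, tiny modulus) shows the mechanism
only and must not be used for real signatures.
"""
import hashlib

# Constructed toy key pair; a real key uses 2048-bit or larger primes.
_P, _Q = 1000003, 1000033
N = _P * _Q                          # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message: bytes, modulus: int) -> int:
    """SHA-256 over the whole message (Q3), reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sign = hash the message, then apply the private key (RSA: h^d mod n)."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the signed hash with the public key and compare it with a fresh hash.

    A match proves origin (only the private key could produce it) and integrity
    (any change to the message changes the hash).
    """
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


if __name__ == "__main__":
    msg = b"Transfer 100 units to account 42"   # constructed sample message
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"Transfer 900 units to account 42", sig))
```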
Module 9 – Network Connections
What to know:
Network topologies (ring, star, bus etc.); CSMA; cabling, WAN technologies (X.25, Frame Relay,
ATM, MPLS); PVC, circuit versus packet switching
1) A disadvantage of using a leased line instead of a packet switched network to connect two
offices together is:
a. Shared services may mean inconsistent service levels.
b. Single point of failure for network failure.
c. Inability to encrypt data on a leased line
d. Lack of secure protocols available for communication
Answer B – a disadvantage of using a leased line is that it is a single point of failure – a broken
network connection at any point in the line will cause a network outage. A packet switched
network will route traffic around a single network failure (it will not help to have a packet
switched network if the entire network goes down or the network failure is between the
organization and the connection to the telco).
Packet switched networks are more susceptible to inconsistent service levels. Data can be
encrypted on either type of network and there are secure protocols available for
communications.
2) If a backbone network operates as a logical ring, it is better able to handle nearly full traffic
flows due to :
a. It uses CSMA/CD for traffic management
b. It deploys two countermanding rings to allow for failure
c. Its traffic management is deterministic
d. It is scalable and allows the connection of multiple devices to the same network
Answer C – Ring topologies are deterministic and work well even under nearly 100% utilization.
Each device knows that it will have the opportunity to communicate without collisions.
Ethernet is an example of a system that uses Carrier Sense Multiple Access with Collision
detection (CSMA/CD) for communicating over an Ethernet network. It is a collision based system
and its performance deteriorates dramatically as network usage increases.
Backbone Rings frequently use two rings to speed up communications and accommodate failure
of one ring. However this does not apply to the question about traffic volumes.
Scalability is also not related to the question about traffic volumes.
3) The Publicly Switched Telephone Network (PSTN) was traditionally:
a. A bus topology
b. Packet switched
c. A ring topology
d. Circuit switched
Answer D – the PSTN or Plain Old Telephone System (POTS) was originally circuit switched. Once a
call was established the routing of that call would remain fixed throughout the duration of the call.
Today, most of the PSTN is VOIP.
Cable TV and mainframes were traditionally based on bus type topologies.
Token ring, FDDI and SONET are examples of ring topologies.
X.25, frame relay and ATM are packet switched topologies.
4) X.25 was an ideal packet switching technology for its time because:
a. It was cheaper than Frame Relay
b. It did error correcting to allow operation on voice grade cabling
c. It always transmitted data in fixed 53 byte cells
d. It supported label switching for better quality of service
Answer B – X.25 was ideal for packet switching in the 1970s since it did error correcting at each
node and was suitable for sending data over voice grade cable.
Answer A – cost was not the reason for the choice of X.25 over Frame Relay; frame relay was a later
technology.
Answer C refers to ATM (Asynchronous Transfer Mode), which transmitted data in fixed size
cells.
Answer D refers to MPLS (Multi-Protocol Label Switching), which uses labels to manage data
transfer.
Module 10 – Network Protocols and Module 11 – Telephony, VPNs and Wireless
What to know:
OSI, network devices (switch, router, firewalls, bastion host, etc.), IDS/IPS, NAT, protocols
(SNMP, SMTP, etc.), IPSEC, WIFI, ARP, DDOS, network attacks
1) An organization is under a DDOS attack based on a SYN flood. This attack is based on
which protocol?
a. ICMP
b. UDP
c. TCP
d. SMTP
Answer C – a SYN flood DDOS attack is created by many machines sending SYN packets to a
target. This can be alleviated through extra bandwidth, a SYN proxy, and reducing the half
open connection time.
ICMP is used in attacks for SMURF flooding or the old ping of death attack.
UDP is used in Fraggle attacks or UDP floods.
SMTP is Simple Mail Transfer Protocol used to send email between different mail clients.
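The half-open connection backlog that a SYN flood fills, and the effect of the "reduce the half-open connection time" mitigation named in the answer above, replayed over a constructed event stream. This is an added illustration, not part of the study guide; the listener model (a bounded table of half-open entries with a timeout), the backlog size and the traffic are all constructed.

```python
"""Half-open (SYN_RECEIVED) connections during a SYN flood, and why shortening
the half-open timeout keeps a listener reachable for legitimate clients.

Added illustration, not from the study guide.  The event stream is constructed:
each event is (time_seconds, source_ip, source_port, flag), where "SYN" is a
connection request and "ACK" completes the handshake.  Flood sources never ACK,
so their entries sit in the half-open table until they time out.
"""


def simulate(events, backlog, timeout):
    """Replays events through a listener with a bounded half-open table.

    Returns (peak_half_open, dropped_syns, completed_handshakes).
    """
    half_open = {}  # (src_ip, src_port) -> time the SYN arrived
    peak = dropped = completed = 0
    for t, src, sport, flag in events:
        # Mitigation from the answer above: discard half-open entries that have
        # waited longer than `timeout` seconds for the final ACK.
        for key in [k for k, arrived in half_open.items() if t - arrived > timeout]:
            del half_open[key]
        if flag == "SYN":
            if len(half_open) >= backlog:
                dropped += 1  # table full: new requests, legitimate or not, are refused
            else:
                half_open[(src, sport)] = t
        elif flag == "ACK" and half_open.pop((src, sport), None) is not None:
            completed += 1
        peak = max(peak, len(half_open))
    return peak, dropped, completed


def sample_events(flood_syns=200):
    """Constructed traffic: a two-second burst of spoofed SYNs, then one real client."""
    events = [(i * 0.01, f"10.0.{i // 256}.{i % 256}", 40000 + i, "SYN")
              for i in range(flood_syns)]
    events.append((5.0, "192.0.2.10", 51515, "SYN"))   # legitimate client connects at t=5s
    events.append((5.1, "192.0.2.10", 51515, "ACK"))   # and finishes its handshake
    return events


if __name__ == "__main__":
    for timeout in (60, 3):
        peak, dropped, done = simulate(sample_events(), backlog=128, timeout=timeout)
        print(f"timeout={timeout:>2}s: peak half-open={peak}, dropped SYNs={dropped}, "
              f"completed handshakes={done}")
```

With the long timeout the flood still occupies the whole backlog when the real client arrives, so its SYN is refused; with the short timeout the stale entries have been discarded and the handshake completes.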
2) One problem with the use of SNMP v1 is:
a. It sends the community string in cleartext
b. It cannot be used over an IP network
c. It does not allow administrator level access
d. It consumes too much bandwidth
Answer A – versions 1 and 2 of SNMP send the community string in cleartext. Version 3 is
fine but many older devices still do not support Version 3.
The other answers are incorrect because SNMP is designed to allow administrator level
access, does not consume too much bandwidth and can be used over an IP network.
3) The purpose of the authentication header in IPSEC is:
a. Message confidentiality
b. Routing confidentiality
c. Proof of delivery
d. Header integrity
Answer D – Authentication Header authenticates the header of a packet – which validates
the sender and the integrity of the packet.
Authentication header does NOT provide for routing, or message confidentiality or non‐
repudiation of delivery.
4) An organization’s web site should be installed on a:
a. Extranet
b. Bastion host
c. Proxy firewall
d. Database server
Answer B ‐ A web site should be hosted on a secure hardened device that does not support
any unnecessary services. An example of this would be a bastion host.
An extranet is like a DMZ – as a subnet off of the organization’s network but usually used to
communicating with business partners or remote users and requires additional
authentication.
A proxy firewall (circuit or application level proxy) is an excellent intermediary device that
can filter traffic between the internal network and the internet but it is not the place to
build a web server.
A database server is far too often found in a DMZ – a place it should never be if it contains
sensitive information.
5) The security of WPA2 is based on:
a. RC4 and TKIP
b. AES CTR and CBC
c. 3DES and HMAC
d. RC4 and MIC
Answer B – WPA2 uses AES in Counter (CTR) mode for confidentiality and CBC‐MAC (Cipher
Block Chaining Message Authentication Code) for message integrity. This combination is usually
called CCMP (Counter with CBC‐MAC Protocol).
WPA uses RC4 and TKIP and also MIC. 3DES and HMAC have been used in older implementations
of SSL/
6) ARP is used to:
a. Associate MAC addresses with IP addresses
b. Reconcile IPv4 to IPv6 addresses
c. Avoid the use of tunneling protocols
d. Resolve web names with IP addresses
Answer A – ARP (Address Resolution Protocol) resolves 48 bit MAC ‐ Ethernet and
Network Interface Card (NIC) addresses to 32 bit IPv4 addresses. The other answers are
made up distractors.
Module 12 – Security Architecture
What to know:
Architecture purposes and concepts, models, system components, threats
1) A covert channel is:
a. A way to bypass normal security controls
b. Either timing or storage
c. An authorized way to share information between users
d. A way to mask the identity of privileged users
Answer B – Covert channels are hidden methods of releasing information in violation of policy. This
is in contrast to an overt channel which is obvious or intentional – a covert channel may be
accidental.
Answer A is a good answer – but in many cases a covert channel does not bypass security controls –
it is an absence of adequate security controls.
Covert channels are unauthorized and do not mask the identity of privileged users.
2) The primary purpose of architecture is to:
a. Develop systems that meet user requirements
b. Expedite the development of new systems and applications
c. Integrate systems and networks across the enterprise
d. Create a consistent approach to security management
Answer A – The primary purpose of architecture is to meet user requirements through
understanding user needs and designing and developing a solution to those needs.
Architecture is not about speeding up development – it is about better quality deliverables.
Architecture may allow for integration of systems and networks – often into a CRM product – but
that is not its primary purpose.
A good architecture should encourage the use of standards and baselines for consistency,
maintainability and reliability but that is a component of architecture – not its purpose.
3) A packet filtering router is best used:
a. In a DMZ
b. To host a web application
c. As a first layer of network defense
d. To filter out Trojan horse software
Answer C – a packet filtering router is an excellent first line of defense – setting up a screened host
or protecting an application layer proxy from having to handle obvious errors. It would rarely be the
primary defense in a DMZ and never used to host a web application. Since a packet filtering router
only examines header information it would not be able to detect a Trojan Horse attack.
4) One way to avoid disclosing confidential information through traffic analysis is via:
a. Traffic management
b. Traffic padding
c. Traffic segregation
d. Traffic encryption
Answer B – traffic padding is sending out consistent volumes of traffic to mask the true amount
of traffic being sent. Traffic segregation would not allow a person on another network segment
to see traffic but would not mask the volume of traffic. Traffic encryption would hide the
content of the traffic but not the analysis of the traffic.
Module 13 – Software Development and Module 14 – Database Security
What to know:
Database models, Inference and aggregation, expert systems and AI, SDLC, development models, web
application security.
1) An expert system is based on the interpretation of data in a database to simulate human
expertise through the application of:
a. Theorems
b. Logical models
c. Rules
d. Database schemas
Answer C – An expert system runs on rules (and changes to the rules must be carefully tested and
managed). These rules or arguments allow the system to make decisions similar to the logic used by
a human expert given the same input data. The rules are based on theorems and logical models or
flowcharts. The database schema describes the layout and structure of the database.
2) Aggregation is an attack based on:
a. Learning about protected information from combining other data
b. Learning about systems operations through timing analysis
c. Watching the execution times of systems processors
d. Integrating artificial intelligence into new software applications
Answer A – aggregation is combining individually non-sensitive data elements to learn something that
was not known previously. Inference is the closely related attack of deducing protected information from
data one is permitted to see. Watching execution time is a type of side channel attack. Aggregation has
nothing to do with artificial intelligence.
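An added example, not from the original study guide, showing both halves of the problem against a constructed salary table in SQLite (via Python's sqlite3): a user who may only run aggregate queries still recovers one person's salary by combining two permitted totals, and a minimum query-set-size check blocks the simplest form of that. The employee rows and the minimum of three are assumptions for this example.

```python
# Added example, not from the original guide: an inference attack built from
# two individually harmless aggregate queries, and a minimum query-set-size
# check that blocks the simplest form of it. The employee data is constructed.
import sqlite3

EMPLOYEES = [
    ("alice", "engineering", 120000),
    ("bob", "engineering", 110000),
    ("carol", "engineering", 130000),
    ("dave", "legal", 150000),
]
MIN_QUERY_SET = 3   # smallest group an aggregate may be computed over (assumed policy)


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return con


def dept_sum(con, dept, exclude=""):
    """Aggregate-only access: count and total salary for a department,
    optionally leaving one named person out. No individual row is returned."""
    return con.execute(
        "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employee "
        "WHERE dept = ? AND name <> ?",
        (dept, exclude),
    ).fetchone()


def infer_salary(con, name, dept):
    """Aggregation attack: the difference of two permitted totals is one row.
    For a one-person department the first query alone is already the answer."""
    _, with_target = dept_sum(con, dept)
    _, without_target = dept_sum(con, dept, exclude=name)
    return with_target - without_target


def guarded_dept_sum(con, dept, exclude=""):
    """Refuse any aggregate computed over fewer than MIN_QUERY_SET people."""
    n, total = dept_sum(con, dept, exclude)
    if n < MIN_QUERY_SET:
        raise PermissionError(f"query set of {n} is below the minimum of {MIN_QUERY_SET}")
    return total


if __name__ == "__main__":
    con = make_db()
    print("inferred alice:", infer_salary(con, "alice", "engineering"))
    print("inferred dave: ", infer_salary(con, "dave", "legal"))
    print("guarded engineering total:", guarded_dept_sum(con, "engineering"))
    for dept, excl in [("engineering", "alice"), ("legal", "")]:
        try:
            guarded_dept_sum(con, dept, excl)
        except PermissionError as e:
            print(f"blocked {dept!r} minus {excl!r}: {e}")
```

The minimum query-set size is a real control but not a complete one: an attacker can still compare two large sets that differ by one member (a "tracker"), so production systems pair it with limits on overlapping queries, query auditing, or noise added to the results.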
3) A relational database represents data as:
a. A tree
b. A network
c. A table
d. An object
Answer C – A relational database (the most widely used today) represents data as tables. A
hierarchical database represents data as a tree, a network database as a network of many-to-many
relationships, and an object oriented database as objects.
4) The SDLC model that divides a project into distinct consecutive steps is:
a. The Spiral model
b. Extreme programming
c. The Clean Room
d. The Waterfall
Answer D – the waterfall methodology of SDLC breaks a project into a series of consecutive steps.
This has the disadvantages of poor resource management (different skill sets are busy at different
times), lack of ongoing user involvement and extended timelines. It can also be hard to adjust to
changing or incomplete requirements.
The Spiral model is a type of prototyping and incremental development based on a series of
individual mini-projects (spirals). Extreme programming also breaks projects into small pieces and
works on each module as a small, integrable element. The clean room approach is a process of writing
error-free code and preventing defects through better quality rather than fixing them later as they
are found.
5) The purpose of Middleware is to:
a. Allow legacy systems to work together
b. Interface between users and applications
c. Support the use of Virtual Machines
d. Enforce security rules across multiple platforms
Answer A – one use of middleware is to integrate older technologies and systems together into a
more user-friendly and uniform environment. Middleware acts as an interface between users and
applications, but that is its function, not its purpose. Its purpose is not to support VMs or to enforce
security rules.
6) A buffer overflow will often lead to:
a. Poor session management
b. Vulnerabilities to cross site scripting (XSS)
c. Installation of a Trojan Horse
d. SQL injection
Answer C – A buffer overflow is often used by attackers to install a Trojan Horse or execute other
arbitrary code of their choosing. The other answers are separate types of attacks, not results of a
buffer overflow.
Module 15 – Malware
What to Know:
Types of malware, malware prevention, detection and eradication.
1) An attack that attempts to install itself at the kernel of the operating system and assume system
control is probably a:
a. Virus
b. Logic bomb
c. Rootkits
d. Trojan Horse
Answer C – A rootkit attempts to gain root (kernel) level access to a system and, once there, can be very
hard to detect and eliminate. A virus is malware that usually requires the user to take some action to
trigger it (open an executable). A logic bomb is malware that triggers on an event or date. A Trojan
horse is malicious code hidden inside another, apparently legitimate product (file, application, music,
picture, etc.).
2) To lock out a user account after a certain number of invalid login attempts is based on a:
a. Clipping level
b. Brute force attack
c. Collision
d. Salts or seed value
Answer A – A clipping level sets the threshold at which action is taken – here, the point at which to
lock out an account after repeated invalid password attempts, since a run of failures may be a brute
force attack rather than normal human error.
A brute force attack tries all possible values. A collision is where two different messages produce the
same hash value. Salts or seed values are random data added to a password before it is hashed; they
defeat precomputed rainbow tables and force a dictionary attack to be run separately against each hash.
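The clipping-level logic applied to authentication logs, as an added example that is not part of the original study guide. The log lines, their format, and the threshold of five failures within a fifteen-minute window are all constructed assumptions; the third account in the log illustrates the caveat that a slow attack staying under the clipping level is not caught by the lockout alone.

```python
# Added example, not from the original guide: applying a clipping level to
# authentication failures from constructed log lines. The log format and the
# threshold/window values are assumptions for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed log: alice fails five times in 16 seconds (brute force), bob
# mistypes twice and then succeeds (human error), carol fails five times
# spaced 20 minutes apart (a slow spray that never trips the window).
AUTH_LOG = """\
2024-03-01T09:00:01 login user=alice result=FAIL src=198.51.100.7
2024-03-01T09:00:05 login user=alice result=FAIL src=198.51.100.7
2024-03-01T09:00:06 login user=bob result=FAIL src=192.0.2.44
2024-03-01T09:00:09 login user=alice result=FAIL src=198.51.100.7
2024-03-01T09:00:12 login user=bob result=FAIL src=192.0.2.44
2024-03-01T09:00:13 login user=alice result=FAIL src=198.51.100.7
2024-03-01T09:00:15 login user=bob result=OK src=192.0.2.44
2024-03-01T09:00:17 login user=alice result=FAIL src=198.51.100.7
2024-03-01T09:00:20 login user=carol result=FAIL src=198.51.100.7
2024-03-01T09:20:20 login user=carol result=FAIL src=198.51.100.7
2024-03-01T09:40:20 login user=carol result=FAIL src=198.51.100.7
2024-03-01T10:00:20 login user=carol result=FAIL src=198.51.100.7
2024-03-01T10:20:20 login user=carol result=FAIL src=198.51.100.7
"""


def apply_clipping_level(log, threshold=5, window=timedelta(minutes=15)):
    """Lock an account at the moment its `threshold`-th failure lands inside
    a sliding `window`. A successful login clears the count (human error);
    a sustained run of failures within the window does not (brute force).
    Returns {user: time of lockout}."""
    recent = defaultdict(deque)   # per-user timestamps of failures still inside the window
    locked = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if m["result"] == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold and user not in locked:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in apply_clipping_level(AUTH_LOG).items():
        print(f"{user} locked out at {when.isoformat()}")
```

Two practical notes on the design: the window is what makes the threshold meaningful (five failures in a year is not an attack), and because the lockout keys on the account, it is itself a denial-of-service lever against known usernames and does nothing against a spray that tries one password across many accounts, which has to be detected by counting failures per source address instead.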
3) Zombies are usually used in which types of malware attacks?
a. Writing a new virus
b. Triggering a logic bomb
c. Launching a DDOS
d. Controlling a Rootkit
Answer C – a DDOS is often launched using a botnet (a network of bots, i.e. compromised machines) in
which each machine carries an agent (zombie) that sits on the machine and activates when triggered by
the bot herder or controller. Zombies are not used in any of the other ways listed in the other
answers.
4) Phishing, spear phishing, whaling and dumpster diving are all forms of:
a. Name dropping
b. Social engineering
c. Man in the middle attacks
d. Side channel attacks
Answer B – these are all types of social engineering attacks. Name dropping is also a form of
social engineering. A man in the middle attack is where a person inserts themselves into a
communications channel between other parties and is able to intercept, read, modify or delete
communications.
Module 16 ‐ Business Continuity and Module 17 – Disaster Recovery
What to know:
BIA, Steps in a BCP project, Critical Business Functions, RTO and RPO, Types of Recovery Strategies,
Types of Tests
1) The measure of the amount of data an organization is willing to lose is calculated as the:
a. RTO
b. RPO
c. MTD
d. BIA
Answer B – The Recovery Point Objective refers to the currency (most recent version) of the data that
must be available following a disaster, and so to the amount of data the organization is willing to lose.
It is dependent on the frequency with which the data is backed up.
The Recovery Time Objective is the target time within which the organization intends to restore
sustainable operations following a disaster.
Maximum Tolerable Downtime is the maximum time the business can be out of operation before it
is unable to recover (financially or operationally).
Business Impact Analysis is the assessment of how the level of impact due to a crisis increases
over time.
2) The BIA will help identify:
a. Recovery strategies
b. Test procedures
c. Critical business functions
d. Project management tools
Answer C – the most important deliverables from a BIA are the time frames for recovery and the list
of critical business functions and dependencies.
The next phase of the project is to determine the best recovery strategy. This will be dependent on
the results of the BIA. Once the plan is written then the test strategy will be developed and the plan
maintained. Project management tools, scope and team members should be determined in the first
phase of the project, project initiation.
3) The type of recovery solution based on outsourcing a function to another organization is often
called:
a. Reciprocal agreement
b. Mutual aid agreement
c. Contingency plan
d. Service Bureau
Answer D – Outsourcing a business function (call center, payroll, etc.) during a disaster to another
company that provides those services is called a Service Bureau.
A reciprocal agreement (also called a mutual aid agreement) is where two organizations agree to
assist one another in the event of a failure. A contingency plan (a Plan B) is where the organization
has more than one solution available in case of a crisis, to cover the risk that the primary
supplier may not be able to live up to the terms of the contracted agreement
(communications backup, diesel fuel, etc.).
4) A test that runs both the primary and backup systems simultaneously is known as a:
a. Parallel test
b. Simulation test
c. Deskcheck
d. Full interruption
Answer A – A parallel test runs both systems in parallel. It does not disable the primary system as a
full interruption test would. A deskcheck is just reading through the plan to ensure the data in it –
contact numbers etc. – is up to date. A simulation – like a fire drill – simulates an incident and
trains people how to react in a crisis.
5) The best way to determine the impact of a disaster on an organization would be through:
a. Historical records
b. Automated risk assessment
c. Audit reports
d. Asking the stakeholders
Answer D – the best way to determine the level of impact an event would have on the organization
is to talk to the stakeholders that are familiar with business processes, interdependencies and past
incidents. Historical records will have limited benefit for new types of incidents. A risk assessment or
audit may have valuable but incomplete information.
6) An organization needs to recover its critical business functions in less than three hours – which
recovery strategy should they use?
a. Mobile site
b. Commercial hot site
c. Mirrored site
d. Warm site
Answer C – A mirrored site allows for very rapid recovery – often within minutes – because it runs in
parallel with the primary site on current data. None of the other options recover that quickly. A vendor
(commercial) hot site will usually involve an outage of more than four hours, a mobile site depends on
how long it takes the mobile unit to arrive at the destination, and a warm site usually takes days to
recover.
7) In the event of a disaster, a critical business function may need to use the facility space used by
a less critical function. What type of recovery alternative would this be?
a. Consolidation
b. Outsourcing
c. Displacement
d. Ship in
Answer C – Displacement is moving a critical function into space normally used by less critical
functions (training rooms, conference rooms, etc.) during a disaster. Consolidation combines
multiple locations or departments into one location, outsourcing hands certain business functions
(payroll, call center) to a service bureau during a crisis, and ship in is an agreement with vendors to
supply critical equipment on demand.
8) The order of steps in a Business Continuity Management program is:
i. Project planning
ii. Recovery strategy
iii. Maintenance
iv. Business Impact Analysis
v. Writing the plan
a. i, ii, iii, iv, v
b. v, ii, iii, i, iv
c. i, v, iii, iv, ii
d. i, iv, ii, v, iii
Answer D – this is the correct order of steps in a business continuity project.
Module 18 – Incident Management
What to Know:
Legal systems, ethics, forensics, incident management
1) The type of legal system that relies heavily on precedence and higher court rulings is
known as:
a. Civil Law
b. Administrative Law
c. Maritime Law
d. Common Law
Answer D – Common law is highly dependent on precedent (previous court rulings) and on rulings
from higher courts. Civil or statutory law is more focused on the interpretation of written statutes.
Administrative law refers to the regulations applied to various industries and professions – lawyers,
doctors, telecom, banking. Maritime law is the law of the high seas.
2) The most important considerations in conducting an investigation are:
a. Integrity and confidentiality
b. Completeness and timeliness
c. Evidence handling and interpretation
d. Ethics and regulations
Answer A – while many things are important in conducting an investigation, including evidence
handling, ethics and completeness, the most important considerations are the integrity of the
investigation and of the personnel conducting it, and the confidentiality of the ongoing
investigation.
3) The protection of evidence is managed through:
a. Expert witnesses
b. Chain of custody
c. Independent analysis
d. Search and seizure
Answer B – the chain of custody is a record that documents the handling of the evidence throughout
its entire lifecycle: who collected it, who held it, when it changed hands and why. This assures the
investigators (and later the court) that the evidence has not been tampered with or mishandled. An
expert witness (often an independent analyst) interprets the evidence and offers an opinion. Search
and seizure refers to the legal rules governing the gathering of evidence.
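A chain of custody record that can prove its own integrity, as an added example that is not part of the original study guide: each entry commits to the hash of the acquired image and to the previous entry, so a changed image, a rewritten entry, or a gap in who held the evidence is detectable. The evidence identifier, the custodians, the timestamps and the image bytes are all constructed for this example.

```python
# Added example, not from the original guide: a hash-chained chain of custody
# record for a disk image. Names, times and the image bytes are constructed.
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Each entry commits to the evidence hash and to the previous entry, so
    neither the evidence nor the history of who held it can be altered silently."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, image: bytes, acquired_by: str, when: str):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(image)   # hash taken at acquisition
        self.entries = []
        self._append("acquired", acquired_by, acquired_by, when, "forensic image taken")

    def _append(self, action, from_, to, when, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "action": action, "from": from_, "to": to, "when": when, "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def transfer(self, from_, to, when, note):
        """Record a hand-over; `from_` must be whoever currently holds the item."""
        self._append("transfer", from_, to, when, note)

    def verify(self, image: bytes):
        """Returns (evidence_intact, log_intact): the image still matches the
        acquisition hash, and every entry chains correctly with no custody gap."""
        evidence_ok = sha256_hex(image) == self.evidence_hash
        prev, holder = self.GENESIS, None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return evidence_ok, False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return evidence_ok, False
            if holder is not None and e["from"] != holder:
                return evidence_ok, False        # item changed hands off the record
            prev, holder = e["entry_hash"], e["to"]
        return evidence_ok, True


if __name__ == "__main__":
    image = b"constructed disk image bytes"
    log = CustodyLog("EV-001", image, "investigator", "2024-03-01T10:00:00Z")
    log.transfer("investigator", "evidence locker", "2024-03-01T12:00:00Z", "sealed bag #1")
    log.transfer("evidence locker", "analyst", "2024-03-02T09:00:00Z", "checked out for analysis")
    print("as recorded:     ", log.verify(image))
    print("image modified:  ", log.verify(image + b"\x00"))
    log.entries[1]["to"] = "someone else"
    print("entry rewritten: ", log.verify(image))
```

The hash chain proves that the record has not been altered after the fact; it does not by itself prove who wrote each entry, which is why real custody forms also carry signatures (or, in a digital system, per-custodian signing keys) alongside the hashes.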
4) Corporate ethics are based on:
a. What is, and is not, legal
b. Policies and culture
c. Personal values
d. Security standards
Answer B – corporate ethics are a reflection of the policy and culture of the organization. It is
important that an organization set out its ethical position and communicate those ethics to all
staff. Ethics must be legal and should reflect security standards but personal ethics may be quite
different from organizational ethics.
Module 19 – Physical
What to know:
Physical security measures, power, fences, HVAC, cameras, fire protection, detection, suppression,
natural threats, Crime Prevention through Environmental Design, Lighting
1) A momentary power failure is known as a:
a. Sag
b. Spike
c. Brownout
d. Fault
Answer D – an extended power outage is known as a blackout, a momentary outage as a fault. A
short term increase in voltage is a spike, a longer increase a surge. A short term drop in voltage is a
sag or a brownout if it is for an extended period of time.
2) Glare lighting is lighting that:
a. Lights the outside walls of a secure facility
b. Lights large areas such as parking lots
c. Blinds an approaching intruder
d. Shines into CCTV cameras and affects their function
Answer C – glare lighting is aimed outward at the approach to put an advancing party (intruder) at a
disadvantage: they cannot see past the light, while guards remain in relative darkness. Lighting along
the outside walls of a facility prevents a person from hiding against the wall and augments the
cameras.
3) The best way to suppress a liquid (Class B) fire is through:
a. Water
b. Remove fuel
c. Carbon dioxide
d. Dry powder
Answer D – the best way to suppress a liquid fire is through a dry powder or foam that will smother
the flame and impede the flow of oxygen to the burning fuel. Putting water on burning fuel is
extremely hazardous. Carbon dioxide may blow the burning fuel into other areas and removal of the
fuel is often not possible.
4) Ideal humidity should be maintained:
a. At 30 ‐70 %
b. At 20 – 80 %
c. At 40 ‐ 60 %
d. At 50 – 55 %
Answer C – the ideal relative humidity for a computer room is between 40‐60%. Too much
humidity leads to condensation and corrosion. Too low humidity leads to static electricity and
damage to electrical components.