Appendix A Answers to Assessment Questions

1. 

Which of the following choices is an incorrect description of a control?

1. Detective controls discover attacks and trigger preventative or corrective controls.
2. Corrective controls reduce the likelihood of a deliberate attack.
3. Corrective controls reduce the effect of an attack.
4. Controls are the countermeasures for vulnerabilities.

2. 

Which of the following statements is accurate about the reasons to implement a layered security architecture?

1. A layered security approach is not necessary when using COTS products.
2. A good packet-filtering router will eliminate the need to implement a layered security architecture.
3. A layered security approach is intended to increase the work-factor for an attacker.
4. A layered approach doesn’t really improve the security posture of the organization.

3. 

Which of the following choices represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

1. Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
2. The application contains proprietary business information and other financial information, which, if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
3. Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up either by paper documentation or on disk.
4. The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

4. 

Which of the following choices is not a concern of policy development at the high level?

1. Identifying the key business resources
2. Identifying the type of firewalls to be used for perimeter security
3. Defining roles in the organization
4. Determining the capability and functionality of each role

5. 

Which of the following choices is not an accurate statement about the visibility of IT security policy?

1. The IT security policy should not be afforded high visibility.
2. The IT security policy could be visible through panel discussions with guest speakers.
3. The IT security policy should be afforded high visibility.
4. The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

6. 

Which of the following statements is not accurate regarding the process of risk assessment?

1. The likelihood of a threat must be determined as an element of the risk assessment.
2. The level of impact of a threat must be determined as an element of the risk assessment.
3. Risk assessment is the first process in the risk management methodology.
4. Risk assessment is the final result of the risk management methodology.

7. 

Which of the following choices would not be considered an element of proper user account management?

1. Users should never be rotated out of their current duties.
2. The users’ accounts should be reviewed periodically.
3. A process for tracking access authorizations should be implemented.
4. Periodically rescreen personnel in sensitive positions.

8. 

Which of the following choices is not one of NIST’s 33 IT security principles?

1. Implement least privilege.
2. Assume that external systems are insecure.
3. Totally eliminate any level of risk.
4. Minimize the system elements to be trusted.

9. 

How often should an independent review of the security controls be performed, according to OMB Circular A-130?

1. Every year
2. Every three years
3. Every five years
4. Never

10. 

Which of the following choices best describes the difference between the System Owner and the Information Owner?

1. There is a one-to-one relationship between system owners and information owners.
2. One system could have multiple information owners.
3. The Information Owner is responsible for defining the system’s operating parameters.
4. The System Owner is responsible for establishing the rules for appropriate use of the information.

11. 

Which of the following choices is not a generally accepted benefit of security awareness, training, and education?

1. A security awareness program can help operators understand the value of the information.
2. A security education program can help system administrators recognize unauthorized intrusion attempts.
3. A security awareness and training program will help prevent natural disasters from occurring.
4. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

12. 

Who has the final responsibility for the preservation of the organization’s information?

1. Technology providers
2. Senior management
3. Users
4. Application owners

13. 

Which of the following choices is not an example of an issue-specific policy?

1. E-mail privacy policy
2. Virus-checking disk policy
3. Defined router ACLs
4. Unfriendly employee termination policy

14. 

Which of the following statements is not true about security awareness, training, and educational programs?

1. Awareness and training help users become more accountable for their actions.
2. Security education assists management in determining who should be promoted.
3. Security improves the users’ awareness of the need to protect information resources.
4. Security education assists management in developing the in-house expertise to manage security programs.

15. 

Which of the following choices is an accurate statement about standards?

1. Standards are the high-level statements made by senior management in support of information systems security.
2. Standards are the first element created in an effective security policy program.
3. Standards are used to describe how policies will be implemented within an organization.
4. Standards are senior management’s directives to create a computer security program.

16. 

Which of the following choices is a role of the Information Systems Security Officer?

1. The ISO establishes the overall goals of the organization’s computer security program.
2. The ISO is responsible for day-to-day security administration.
3. The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
4. The ISO is responsible for following security procedures and reporting security problems.

17. 

Which of the following statements is not correct about safeguard selection in the risk analysis process?

1. Maintenance costs need to be included in determining the total cost of the safeguard.
2. The best possible safeguard should always be implemented, regardless of cost.
3. The most commonly considered criterion is the cost effectiveness of the safeguard.
4. Many elements need to be considered in determining the total cost of the safeguard.

18. 

Which of the following choices is usually the number-one used criterion to determine the classification of an information object?

1. Value
2. Useful life
3. Age
4. Personal association

19. 

What are high-level policies?

1. They are recommendations for procedural controls.
2. They are the instructions on how to perform a Quantitative Risk Analysis.
3. They are statements that indicate a senior management’s intention to support InfoSec.
4. They are step-by-step procedures to implement a safeguard.

20. 

Which policy type is most likely to contain mandatory or compulsory standards?

1. Guidelines
2. Advisory
3. Regulatory
4. Informative

21. 

What does an Exposure Factor (EF) describe?

1. A dollar figure that is assigned to a single event
2. A number that represents the estimated frequency of the occurrence of an expected threat
3. The percentage of loss that a realized threat event would have on a specific asset
4. The annual expected financial loss to an organization from a threat

22. 

What is the most accurate definition of a safeguard?

1. A guideline for policy recommendations
2. A step-by-step instructional procedure
3. A control designed to counteract a threat
4. A control designed to counteract an asset

23. 

Which choice most accurately describes the differences between standards, guidelines, and procedures?

1. Standards are recommended policies, whereas guidelines are mandatory policies.
2. Procedures are step-by-step recommendations for complying with mandatory guidelines.
3. Procedures are the general recommendations for compliance with mandatory guidelines.
4. Procedures are step-by-step instructions for compliance with mandatory standards.

24. 

What are the detailed instructions on how to perform or implement a control called?

1. Procedures
2. Policies
3. Guidelines
4. Standards

25. 

How is an SLE derived?

1. (Cost – benefit) × (% of Asset Value)
2. AV × EF
3. ARO × EF
4. % of AV – implementation cost

26. 

What are noncompulsory recommendations on how to achieve compliance with published standards called?

1. Procedures
2. Policies
3. Guidelines
4. Standards

27. 

Which group represents the most likely source of an asset loss through inappropriate computer use?

1. Crackers
2. Hackers
3. Employees
4. Saboteurs

28. 

Which choice most accurately describes the difference between the role of a data owner and the role of a data custodian?

1. The custodian implements the information classification scheme after the initial assignment by the owner.
2. The data owner implements the information classification scheme after the initial assignment by the custodian.
3. The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
4. The custodian implements the information classification scheme after the initial assignment by the operations manager.

29. 

What is an ARO?

1. A dollar figure assigned to a single event
2. The annual expected financial loss to an organization from a threat
3. A number that represents the estimated frequency of an occurrence of an expected threat
4. The percentage of loss that a realized threat event would have on a specific asset

30. 

Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?

1. SLE × ARO
2. Asset Value (AV) × EF
3. ARO × EF – SLE
4. % of ARO × AV

31. 

Which of the following assessment methodologies below is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas and conducted in three phases?

1. Federal Information Technology Security Assessment Framework (FITSAF)
2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
3. Office of Management and Budget (OMB) Circular A-130
4. INFOSEC Assessment Methodology (IAM)

32. 

Which of the following assessment methodologies was developed by the National Security Agency to assist both assessment suppliers and consumers?

1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
2. Federal Information Processing Standard (FIPS) 102
3. Federal Information Technology Security Assessment Framework (FITSAF)
4. INFOSEC Assessment Methodology (IAM)

1. 

Answer: b

The other three answers are correct descriptions of controls.

2. 

Answer: c

Security designs should consider a layered approach to increase the work-factor an attacker must expend to successfully attack the system.

3. 

Answer: b

Although elements of all the systems described could require specific controls for confidentiality, given the descriptions above, system b fits the definition most closely of a system requiring a very high level of confidentiality. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality.

4. 

Answer: b

Answers a, c, and d are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer d is the final step in the policy creation process and combines steps a and c. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity.

5. 

Answer: a

The other three answers are correct statements about the visibility of IT security policy.

6. 

Answer: d

Risk assessment is the first process in the risk management methodology.

7. 

Answer: a

The other answers are elements of proper user account management.

8. 

Answer: c

Risk can never be totally eliminated. NIST IT security principle 4 states: “Reduce risk to an acceptable level.”

9. 

Answer: b

OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years.

10. 

Answer: b

A single system may utilize information from multiple Information Owners.

11. 

Answer: c

The other answers are generally accepted benefits of security awareness, training, and education.

12. 

Answer: b

Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. Although senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

13. 

Answer: c

Answer c is an example of a system-specific policy - in this case the router’s access control lists. The other three answers are examples of issue-specific policy, as defined by NIST.

14. 

Answer: b

The other answers are correct statements about security awareness, training, and educational programs.

15. 

Answer: c

Answers a, b, and d describe policies. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.

16. 

Answer: b

Answer a is a responsibility of senior management. Answer c is a description of the role of auditing. Answer d is the role of the user, or consumer, of security in an organization.

17. 

Answer: b

Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily fail to outweigh the cost of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.

18. 

Answer: a

Value of the information asset to the organization is usually the first and foremost criterion used in determining its classification.

19. 

Answer: c.

High-level policies are senior management statements of recognition of the importance of security controls to the mission of the organization.

20. 

Answer: c

Answer b (advisory policies) might specify penalties for noncompliance, but regulatory policies are required to be followed by the organization. Answers a and d are informational or recommended policies only.

21. 

Answer: c

Answer a is an SLE, b is an ARO, and d is an ALE.

22. 

Answer: c

Answer a is a guideline, b is a procedure, and d is a distracter.

23. 

Answer: d

The other answers are incorrect.

24. 

Answer: a

25. 

Answer: b.

A Single Loss Expectancy is derived by multiplying the Asset Value by its Exposure Factor. The other answers do not exist.

26. 

Answer: c

27. 

Answer: c

Internal personnel far and away constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.

28. 

Answer: a

29. 

Answer: c

Answer a is the definition of SLE, b is an ALE, and d is an EF.

30. 

Answer: a

Answer b is the formula for an SLE, and answers c and d are nonsense.

31. 

Answer: b

Carnegie Mellon University’s Software Engineering Institute (SEI) created the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas.

It is conducted in three phases:

1. Identify critical assets and the threats to those assets
2. Identify the vulnerabilities that expose those threats
3. Develop an appropriate protection strategy for the organization’s mission and priorities

32. 

Answer: d

The INFOSEC Assessment Methodology (IAM) is a detailed and systematic way of examining cyber vulnerabilities that was developed by the National Security Agency to assist both INFOSEC assessment suppliers and consumers requiring assessments. The IAM examines the mission, organization, security policies and programs, and information systems and the threat to these systems.

1. 

The goals of integrity do not include:

1. Accountability of responsible individuals
2. Prevention of the modification of information by unauthorized users
3. Prevention of the unauthorized or unintentional modification of information by authorized users
4. Preservation of internal and external consistency

2. 

Kerberos is an authentication scheme that can be used to implement:

1. Public-key cryptography
2. Digital signatures
3. Hash functions
4. Single Sign-On (SSO)

3. 

The fundamental entity in a relational database is the:

1. Domain
2. Relation
3. Pointer
4. Cost

4. 

In a relational database, security is provided to the access of data through:

1. Candidate keys
2. Views
3. Joins
4. Attributes

5. 

In biometrics, a one-to-one search to verify an individual’s claim of an identity is called:

1. Audit trail review
2. Authentication
3. Accountability
4. Aggregation

6. 

Biometrics is used for identification in the physical controls and for authentication in the:

1. Detective controls
2. Preventive controls
3. Logical controls
4. Corrective controls

7. 

Referential integrity requires that for any foreign key attribute, the referenced relation must have:

1. A tuple with the same value for its primary key
2. A tuple with the same value for its secondary key
3. An attribute with the same value for its secondary key
4. An attribute with the same value for its other foreign key

8. 

A password that is the same for each logon is called a:

1. Dynamic password
2. Static password
3. Passphrase
4. One-time pad

9. 

Which one of the following is not an access attack?

1. Spoofing
2. Back door
3. Dictionary
4. Penetration test

10. 

An attack that uses a detailed listing of common passwords and words in general to gain unauthorized access to an information system is best described as:

1. Password guessing
2. Software exploitation
3. Dictionary attack
4. Spoofing

11. 

A statistical anomaly–based intrusion detection system:

1. Acquires data to establish a normal system operating profile
2. Refers to a database of known attack signatures
3. Will detect an attack that does not significantly change the system’s operating characteristics
4. Does not report an event that caused a momentary anomaly in the system

12. 

Which one of the following definitions best describes system scanning?

1. An attack that uses dial-up modems or asynchronous external connections to an information system in order to bypass information security control mechanisms
2. An attack that is perpetrated by intercepting and saving old messages and then sending them later, impersonating one of the communicating parties
3. Acquisition of information that is discarded by an individual or organization
4. A process used to collect information about a device or network to facilitate an attack on an information system

13. 

In which type of penetration test does the testing team have access to internal system code?

1. Closed-box
2. Transparent-box
3. Open-box
4. Coding-box

14. 

A standard data manipulation and relational database definition language is:

1. OOD
2. SQL
3. SLL
4. Script

15. 

An attack that can be perpetrated against a remote user’s callback access control is:

1. Call forwarding
2. A Trojan horse
3. A maintenance hook
4. Redialing

16. 

The definition of CHAP is:

1. Confidential Hash Authentication Protocol
2. Challenge Handshake Authentication Protocol
3. Challenge Handshake Approval Protocol
4. Confidential Handshake Approval Protocol

17. 

Using symmetric-key cryptography, Kerberos authenticates clients to other entities on a network and facilitates communications through the assignment of:

1. Public keys
2. Session keys
3. Passwords
4. Tokens

18. 

Three things that must be considered for the planning and implementation of access control mechanisms are:

1. Threats, assets, and objectives
2. Threats, vulnerabilities, and risks
3. Vulnerabilities, secret keys, and exposures
4. Exposures, threats, and countermeasures

19. 

In mandatory access control, the authorization of a subject to have access to an object is dependent upon:

1. Labels
2. Roles
3. Tasks
4. Identity

20. 

The type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access is called:

1. Mandatory access control
2. Rule-based access control
3. Sensitivity-based access control
4. Discretionary access control

21. 

Role-based access control is useful when:

1. Access must be determined by the labels on the data.
2. There are frequent personnel changes in an organization.
3. Rules are needed to determine clearances.
4. Security clearances must be used.

22. 

Clipping levels are used to:

1. Limit the number of letters in a password
2. Set thresholds for voltage variations
3. Reduce the amount of data to be evaluated in audit logs
4. Limit errors in callback systems

23. 

Identification is:

1. A user being authenticated by the system
2. A user providing a password to the system
3. A user providing a shared secret to the system
4. A user professing an identity to the system

24. 

Authentication is:

1. The verification that the claimed identity is valid
2. The presentation of a user’s ID to the system
3. Not accomplished through the use of a password
4. Applied only to remote users

25. 

An example of two-factor authentication is:

1. A password and an ID
2. An ID and a PIN
3. A PIN and an ATM card
4. A fingerprint

26. 

In biometrics, a good measure of the performance of a system is the:

1. False detection
2. Crossover error rate (CER)
3. Positive acceptance rate
4. Sensitivity

27. 

In finger scan technology:

1. The full fingerprint is stored.
2. Features extracted from the fingerprint are stored.
3. More storage is required than in fingerprint technology.
4. The technology is applicable to large, one-to-many database searches.

28. 

An acceptable biometric throughput rate is:

1. One subject per two minutes
2. Two subjects per minute
3. Ten subjects per minute
4. Five subjects per minute

29. 

Which one of the following is not a type of penetration test?

1. Sparse-knowledge test
2. Full-knowledge test
3. Partial-knowledge test
4. Zero-knowledge test

30. 

Object-Oriented Database (OODB) systems:

1. Are ideally suited for text-only information
2. Require minimal learning time for programmers
3. Are useful in storing and manipulating complex data, such as images and graphics
4. Consume minimal system resources

31. 

A minimally configured information entry and retrieval device that relies on a remote server for its primary processing, security, storage, and printing functions is called a:

1. Workstation
2. Server
3. Thin client
4. Remote storage station

1. 

Answer: a

Accountability is holding individuals responsible for their actions. Answers b, c, and d are the three goals of integrity.

2. 

Answer: d

Kerberos is a third-party authentication protocol that can be used to implement SSO. Answer a is incorrect because public-key cryptography is not used in the basic Kerberos protocol. Answer b is a public-key-based capability, and answer c is a one-way transformation used to disguise passwords or to implement digital signatures.

3. 

Answer: b

The fundamental entity in a relational database is the relation, in the form of a table. Answer a is the set of allowable attribute values, and answers c and d are distracters.

4. 

Answer: b

Views enable access to data in their underlying tables to be controlled. Candidate keys (answer a) are the set of unique keys from which the primary key is selected. Answer c Joins (answer c) are operations that can be performed on the database, and the attributes (answer d) denote the columns in the relational table.

5. 

Answer: b

Answer b is correct. Answer a is a review of audit system data, usually done after the fact. Answer c is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.

6. 

Answer: c

The correct answer is c (logical controls). The other answers are different categories of controls where preventive controls attempt to eliminate or reduce vulnerabilities before an attack occurs; detective controls attempt to determine that an attack is taking place or has taken place; and corrective controls involve taking action to restore the system to normal operation after a successful attack.

7. 

Answer: a

The correct answer is a. Answers b and c are incorrect because a secondary key is not a valid term. Answer d is a distracter because referential integrity has a foreign key referring to a primary key in another relation.

8. 

Answer: b

The correct answer is b. In answer a, the password changes at each logon. A passphrase (answer c) is a long word or phrase that is converted by the system to a password. A one-time pad (answer d) consists of using a random key only once when sending a cryptographic message.

9. 

Answer: d

The correct answer is d, a distracter. A penetration test is conducted to obtain a high level evaluation of a system’s defense or to perform a detailed analysis of the information system’s weaknesses. A penetration test can determine how a system reacts to an attack, whether or not a system’s defenses can be breached, and what information can be acquired from the system. It is performed with the approval of the target organization.

10. 

Answer: c

In a dictionary attack (answer c), a dictionary of common words and passwords are applied to attempt to gain unauthorized access to an information system. In password guessing (answer a), the attacker guesses passwords derived from sources such as notes on the user’s desk, the user’s birthday, a pet’s name, applying social engineering techniques, and so on. Answer b refers to exploiting software vulnerabilities, and answer d, spoofing, is a method used by an attacker to convince an information system that it is communicating with a known, trusted entity.

11. 

Answer: a

A statistical anomaly–based intrusion detection system acquires data to establish a normal system operating profile. Answer b is incorrect because it is used in signature-based intrusion detection. Answer c is incorrect because a statistical anomaly–based intrusion detection system will not detect an attack that does not significantly change the system operating characteristics. Similarly, answer d is incorrect because the statistical anomaly–based IDS is susceptible to reporting an event that caused a momentary anomaly in the system.

12. 

Answer: d

Answer d is correct. Answer a describes a back door attack, answer b is a replay attack, and answer c refers to dumpster diving.

13. 

Answer: c

The correct answer is c, open-box testing. In closed-box testing (answer a), the testing team does not have access to internal system code. The other answers are distracters.

14. 

Answer: b

All answers other than SQL (b) do not apply.

15. 

Answer: a

The correct answer is a. A cracker can have a person’s call forwarded to another number to foil the callback system. Answer b is incorrect because it is an example of malicious code embedded in useful code. Answer c is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer d is incorrect because it is a distracter.

16. 

Answer: b

17. 

Answer: b

Session keys are temporary keys assigned by the KDC and used for an allotted period of time as the secret key between two entities. Answer a is incorrect because it refers to asymmetric encryption, which is not used in the basic Kerberos protocol. Answer c is incorrect because it is not a key, and answer d is incorrect because a token generates dynamic passwords.

18. 

Answer: b

Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and the risk determines the probability of threats being realized. All three items must be present to meaningfully apply access control. Therefore, the other answers are incorrect.

19. 

Answer: a

Mandatory access controls use labels to determine whether subjects can have access to objects, depending on the subjects’ clearances. Answer b, roles, is applied in nondiscretionary access control, as is answer c, tasks. Answer d, identity, is used in discretionary access control.

20. 

Answer: d

Answer d is correct. Answers a and b require strict adherence to labels and clearances. Answer c is a made-up distracter.

21. 

Answer: b

Role-based access control is part of nondiscretionary access control. Answers a, c, and d relate to mandatory access control.

22. 

Answer: c

Clipping levels are used for reducing the amount of data to be evaluated by definition. Answer a is incorrect because clipping levels do not relate to letters in a password. Answer b is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer d is incorrect because they are not used to limit callback errors.

23. 

Answer: d

A user presents an ID to the system as identification. Answer a is incorrect because presenting an ID is not an authentication act. Answer b is incorrect because a password is an authentication mechanism. Answer c is incorrect because it refers to cryptography or authentication.

24. 

Answer: a

Answer a is correct. Answer b is incorrect because it is an identification act. Answer c is incorrect because authentication can be accomplished through the use of a password. Answer d is incorrect because authentication is applied to local and remote users.

25. 

Answer: c

The correct answer is c. These items are something you know and something you have. Answer a is incorrect because essentially, only one factor is being used - something you know (password). Answer b is incorrect for the same reason. Answer d is incorrect because only one biometric factor is being used.

26. 

Answer: b

Answer b is correct. The other items are made-up distracters.

27. 

Answer: b

In finger scan technology, the features extracted from the fingerprint are stored. Answer a is incorrect because the equivalent of the full finger-print is not stored in finger scan technology. Answers c and d are incorrect because the opposite is true of finger scan technology.

28. 

Answer: c

29. 

Answer: a

The correct answer is a, a distracter.

30. 

Answer: c

Answer c is correct. The other answers are false because for answer a, relational databases are ideally suited to text-only information. For b and d, OODB systems have a steep learning curve and consume a large amount of system resources.

31. 

Answer: c

Answer c is correct. Answers a and b are computing systems with extensive storage and processing capabilities. Answer d is a made up distracter.

1. 

Which of the following is not an element of a fiber-optic cable?

1. Core
2. BNC
3. Jacket
4. Cladding

2. 

To what does 10Base5 refer?

1. 10 Mbps thinnet coax cabling rated to 185 meters maximum length
2. 10 Mbps thicknet coax cabling rated to 500 meters maximum length
3. 10 Mbps baseband optical fiber
4. 100 Mbps unshielded twisted pair cabling

3. 

Which of the following LAN transmission methods describes a packet sent from a single source to multiple specific destinations?

1. Unicast
2. Multicast
3. Broadcast
4. Anycast

4. 

Which part of the 48-bit, 12-digit hexadecimal number known as the Media Access Control (MAC) address identifies the manufacturer of the network device?

1. The first three bytes
2. The first two bytes
3. The second half of the MAC address
4. The last three bytes

5. 

Which of the following best describes coaxial cable?

1. Coax consists of two insulated wires wrapped around each other in a regular spiral pattern.
2. Coax consists of a hollow outer cylindrical conductor surrounding a single, inner conductor.
3. Coax does not require the fixed spacing between connections that UTP requires.
4. Coax carries signals as light waves.

6. 

Which of the following is not one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority (IANA) for nonroutable private addresses?

1. 10.0.0.0–10.255.255.255
2. 127.0.0.0–127.0.255.255
3. 172.16.0.0–172.31.255.255
4. 192.168.0.0–192.168.255.255

7. 

Which of the following statements about the difference between analog and digital signals is incorrect?

1. An analog signal produces an infinite waveform.
2. Analog signals cannot be used for data communications.
3. An analog signal can be varied by amplification.
4. A digital signal produces a square waveform.

8. 

Which of the following most accurately describes SSL?

1. It’s a widely used standard of securing e-mail at the Application level.
2. It gives a user remote access to a command prompt across a secure, encrypted session.
3. It uses two protocols, the Authentication Header and the Encapsulating Security Payload.
4. It allows an application to have authenticated, encrypted communications across a network.

9. 

Which IEEE protocol defines wireless transmission in the 5 GHz band with data rates up to 54 Mbps?

1. IEEE 802.11a
2. IEEE 802.11b
3. IEEE 802.11g
4. IEEE 802.15

10. 

Which protocol is used to resolve a known IP address to an unknown MAC address?

1. ARP
2. RARP
3. ICMP
4. TFTP

11. 

Which TCP/IP protocol operates at the OSI Network Layer?

1. FTP
2. IP
3. TCP
4. UDP

12. 

Which statement accurately describes the difference between 802.11b WLAN ad hoc and infrastructure modes?

1. The ad hoc mode requires an Access Point to communicate to the wired network.
2. Wireless nodes can communicate peer-to-peer in the infrastructure mode.
3. Wireless nodes can communicate peer-to-peer in the ad hoc mode.
4. Access points are rarely used in 802.11b WLANs.

13. 

Which of the following is true about the difference between TCP and UDP?

1. UDP is considered a connectionless protocol, and TCP is connection-oriented.
2. TCP is considered a connectionless protocol, and UDP is connection oriented.
3. UDP acknowledges the receipt of packets, and TCP does not.
4. TCP is sometimes referred to as an unreliable protocol.

14. 

Which of the following denotes a packet-switched connectionless wide area network (WAN) technology?

1. X.25
2. Frame Relay
3. SMDS
4. ATM

15. 

Which of the following answers is true about the difference between FTP and TFTP?

1. FTP does not have a directory-browsing capability, whereas TFTP does.
2. FTP enables print job spooling, whereas TFTP does not.
3. TFTP is less secure because session authentication does not occur.
4. FTP is less secure because session authentication does not occur.

16. 

Which of the following statements is correct regarding VLANs?

1. A VLAN restricts flooding to only those ports included in the VLAN.
2. A VLAN is a network segmented physically, not logically.
3. A VLAN is less secure when implemented in conjunction with private port switching.
4. A closed VLAN configuration is the least secure VLAN configuration.

17. 

Which of the following statements about a VPN tunnel is incorrect?

1. It can be created by implementing only IPSec devices.
2. It can be created by installing software or hardware agents on the client or network.
3. It can be created by implementing key and certificate exchange systems.
4. It can be created by implementing node authentication systems.

18. 

Which of the following can create a server-spoofing attack?

1. DNS poisoning
2. C2MYAZZ
3. Snort
4. BO2K

19. 

What is a server cluster?

1. A primary server that mirrors its data to a secondary server
2. A group of independent servers that are managed as a single system
3. A tape array backup implementation
4. A group of WORM optical jukeboxes

20. 

Which of the following attack types does not exploit TCP vulnerabilities?

1. Sequence Number attack
2. SYN attack
3. Ping of Death
4. land.c attack

21. 

What is probing used for?

1. To induce a user into taking an incorrect action
2. To give an attacker a road map of the network
3. To use up all of a target’s resources
4. To covertly listen to transmissions

22. 

Which of the following firewall types uses a dynamic state table to inspect the content of packets?

1. A packet-filtering firewall
2. An application-level firewall
3. A circuit-level firewall
4. A stateful-inspection firewall

23. 

To what does logon abuse refer?

1. Breaking into a network primarily from an external source
2. Legitimate users accessing networked services that would normally be restricted to them
3. Nonbusiness or personal use of the Internet
4. Intrusions via dial-up or asynchronous external network connections

24. 

What type of firewall architecture employs two network cards and a single screening router?

1. A screened-host firewall
2. A dual-homed host firewall
3. A screened-subnet firewall
4. An application-level proxy server

25. 

To what does covert channel eavesdropping refer?

1. Using a hidden, unauthorized network connection to communicate unauthorized information
2. Nonbusiness or personal use of the Internet
3. Socially engineering passwords from an ISP
4. The use of two-factor passwords

26. 

What is one of the most common drawbacks to using a dual-homed host firewall?

1. The examination of the packet at the Network Layer introduces latency.
2. The examination of the packet at the Application Layer introduces latency.
3. The ACLs must be manually maintained on the host.
4. Internal routing may accidentally become enabled.

27. 

Which is not a property of a bridge?

1. It forwards the data to all other segments if the destination is not on the local segment.
2. It operates at Layer 2, the Data Link Layer.
3. It operates at Layer 3, the Network Layer.
4. It can create a broadcast storm.

28. 

Which IEEE protocol defines the Spanning Tree protocol?

1. IEEE 802.5
2. IEEE 802.3
3. IEEE 802.11
4. IEEE 802.1D

29. 

What does the Data Encapsulation in the OSI model do?

1. It creates seven distinct layers.
2. It wraps data from one layer around a data packet from an adjoining layer.
3. It provides best-effort delivery of a data packet.
4. It makes the network transmission deterministic.

30. 

Which of the following choices is not an element of IPSec?

1. Authentication Header
2. Layer Two Tunneling Protocol
3. Security Association
4. Encapsulating Security Payload

31. 

Which of the following network attacks would not be considered a Denial of Service attack?

1. Ping of Death
2. Smurf
3. Brute Force
4. TCP SYN

32. 

Which statement is not true about the SOCKS protocol?

1. It is sometimes referred to as an application-level proxy.
2. It uses an ESP for authentication and encryption.
3. It operates in the Transport Layer of the OSI model.
4. Network applications need to be SOCKS-ified to operate.

33. 

Which of the following choices is not a way to get Windows NT passwords?

1. Obtain the backup SAM from the repair directory.
2. Boot the NT server with a floppy containing an alternate operating system.
3. Obtain root access to the /etc/passwd file.
4. Use pwdump2 to dump the password hashes directly from the registry.

34. 

Which type of routing commonly broadcasts its routing table information to all other routers every minute?

1. Static
2. Distance Vector
3. Link State
4. Dynamic Control Protocol

35. 

A back door into a network refers to what?

1. Socially engineering passwords from a subject
2. Mechanisms created by hackers to gain network access at a later time
3. Undocumented instructions used by programmers to debug applications
4. Monitoring programs implemented on dummy applications to lure intruders

36. 

What is the protocol that supports sending and receiving e-mail?

1. SNMP
2. SMTP
3. ICMP
4. RARP

37. 

Which of the following protocols does not pertain to e-mail?

1. SMTP
2. POP
3. CHAP
4. IMAP

38. 

Which of the following does not relate to analog dial-up hacking?

1. War dialing
2. War walking
3. Demon dialing
4. ToneLoc

39. 

Which of the following is the earliest and the most commonly found Interior Gateway Protocol?

1. RIP
2. OSPF
3. IGRP
4. EAP

40. 

What is the Network Layer of the OSI reference model primarily responsible for?

1. Internetwork packet routing
2. LAN bridging
3. SMTP Gateway services
4. Signal regeneration and repeating

41. 

Which of the following is not a true statement about Network Address Translation (NAT)?

1. NAT is used when corporations want to use private addressing ranges for internal networks.
2. NAT is designed to mask the true IP addresses of internal systems.
3. Private addresses can easily be routed globally.
4. NAT translates private IP addresses to registered “real” IP addresses.

42. 

In the DoD reference model, which layer conforms to the OSI Transport Layer?

1. Process/Application Layer
2. Host-to-Host Layer
3. Internet Layer
4. Network Access Layer

43. 

The IP address 178.22.90.1 is considered to be in which class of address?

1. Class A
2. Class B
3. Class C
4. Class D

44. 

What does TFTP stand for?

1. Trivial File Transport Protocol
2. Transport for TCP/IP
3. Trivial File Transfer Protocol
4. Transport File Transfer Protocol

45. 

Which IEEE protocol offers two different protocols to address security issues with 802.11 products?

1. IEEE 802.11e
2. IEEE 802.11f
3. IEEE 802.11g
4. IEEE 802.11i

46. 

Which new wireless IEEE protocol combines multiple input, multiple output (MIMO) technology with multiple antennas to achieve raw data rates from 100 Mbps to 600 Mbps?

1. IEEE 802.11h
2. IEEE 802.11i
3. IEEE 802.11n
4. IEEE 802.16

47. 

Which of the following choices is the best description of bluejacking?

1. A shareware program for locating WLAN SSIDs
2. A hacker determining an AP’s broadcast SSID
3. A Bluetooth wireless hack that exploits BT’s discover mode
4. HTML tailored to the small screens and limited resources of a wireless handheld

48. 

Which choice is not a common ability of a keylogger?

1. Log all Web sites visited
2. Interact with potential hackers in such a way as to capture the details of their attacks
3. Record all keystrokes
4. Log every application executed

49. 

Which choice is the best description of a spambot?

1. A program designed to collect e-mail addresses from the Internet in order to send advertising messages
2. A pop-up window that asks users to download a program to their computer’s hard drive
3. A program in which malicious code is contained inside apparently harmless programming
4. A program that surreptitiously allows access to a computer’s resources via a network connection

1. 

Answer: b

A BNC refers to a Bayonet Neil Concelman RG58 connector for 10Base2. Fiber-optic cable has three basic physical elements: the core, the cladding, and the jacket. The core is the innermost transmission medium, which can be glass or plastic. The next outer layer, the cladding, is also made of glass or plastic, but it has different properties and helps to reflect the light back into the core. The outermost layer, the jacket, provides protection from heat, moisture, and other environmental elements.

2. 

Answer: b

Answer a refers to 10Base2; answer c refers to 10BaseF; and answer d refers to 100BaseT.

3. 

Answer: b

Unicast (answer a) describes a packet sent from a single source to a single destination. Answer c (broadcast) describes a packet sent to all nodes on the network segment. Answer d (anycast) refers to communication between any sender and the nearest of a group of receivers in a network.

4. 

Answer: a

The first three bytes (or first half) of the six-byte MAC address is the manufacturer’s identifier. This can be a good troubleshooting aid if a network device is acting up, because it will isolate the brand of the failing device. The other answers are distracters.

5. 

Answer: b

Coax consists of a hollow outer cylindrical conductor surrounding a single, inner wire conductor. Answer a describes UTP. Answer c is false because coax requires fixed spacing between connections, and answer d describes fiber-optic cable.

6. 

Answer: b

The other three address ranges can be used for Network Address Translation (NAT). Although NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address 127.0.0.1 is called the loopback address.

7. 

Answer: b

The other answers are all properties of analog or digital signals.

8. 

Answer: d

The Secure Sockets Layer (SSL) sits between higher-level application functions and the TCP/IP stack and provides security to applications. It includes a variety of encryption algorithms to secure transmitted data, but the functionality must be integrated into the application. Answer a refers to the Secure/Multipurpose Internet Mail Extension (S/MIME). Most major email clients support S/MIME today. Answer b describes Secure Shell (SSH). Answer c refers to IPSec. IPSec enables security to be built directly into the TCP/IP stack, without requiring application modification.

9. 

Answer: a

IEEE 802.11a specifies high-speed wireless connectivity in the 5 GHz band using Orthogonal Frequency Division Multiplexing with data rates up to 54 Mbps. Answer b, IEEE 802.11b, specifies high-speed wireless connectivity in the 2.4 GHz ISM band up to 11 Mbps. Answer c, IEEE 802.11g, is a proposed standard that offers wireless transmission over relatively short distances at speeds from 20 Mbps up to 54 Mbps and operates in the 2.4 GHz range (and is therefore expected to be backward-compatible with existing 802.11b-based networks). Answer d, IEEE 802.15, defines Wireless Personal Area Networks (WPAN), such as Bluetooth, in the 2.4-2.5 GHz band.

10. 

Answer: a

The Address Resolution Protocol (ARP) sends a broadcast asking for the host with a specified IP address to reply with its MAC, or hardware address. This information is kept in the ARP Cache. The Reverse Address Resolution Protocol (RARP), answer b, is commonly used on diskless machines when the MAC is known but not the IP address. It asks a RARP server to provide a valid IP address, which is somewhat the reverse of ARP. The Internet Control Message Protocol (ICMP), answer c, is a management protocol for IP. The Trivial File Transfer Protocol (TFTP), answer d, is a stripped-down version of the File Transfer Protocol (FTP).

11. 

Answer: b

IP operates at the Network Layer of the OSI model and at the Internet layer of the TCP/IP model. FTP operates at the Application layer of the TCP/IP model, which is roughly similar to the top three layers of the OSI model: the Application, Presentation, and Session Layers. TCP and UDP both operate at the OSI Transport Layer, which is similar to the TCP/IP host-to-host layer.

12. 

Answer: c

Nodes on an IEEE 802.11b wireless LANs can communicate in one of two modes: ad hoc or infrastructure. In ad hoc mode, the wireless nodes communicate directly with each other, without establishing a connection to an access point on a wired LAN. In infrastructure mode, the wireless nodes communicate to an access point, which operates similarly to a bridge or router and manages traffic between the wireless network and the wired network.

13. 

Answer: a

As opposed to the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) is a connectionless protocol. It does not sequence the packets or acknowledge the receipt of packets and is referred to as an unreliable protocol.

14. 

Answer: c

Switched Multimegabit Data Service (SMDS) is a high-speed, connectionless, packet-switching public network service that extends LAN-like performance to a metropolitan area network (MAN) or a wide area network (WAN). It’s generally delivered over a SONET ring with a maximum effective service radius of around 30 miles. X.25, answer a, defines an interface to the first commercially successful connection-oriented packet-switching network, in which the packets travel over virtual circuits. Frame Relay, answer b, was a successor to X.25 and offers a connection-oriented packet-switching network. Asynchronous Transfer Mode (ATM), answer d, was developed from an outgrowth of ISDN standards and is a fast-packet, connection-oriented, cell-switching technology.

15. 

Answer: c

The Trivial File Transfer Protocol (TFTP) is considered less secure than the File Transfer Protocol (FTP) because authentication does not occur during session establishment.

16. 

Answer: a

A virtual local area network (VLAN) allows ports on the same or different switches to be grouped so that traffic is confined to members of that group only, and it restricts broadcast, unicast, and multicast traffic. Answer b is incorrect because a VLAN is segmented logically, rather than physically. Answer c is incorrect; when a VLAN is implemented with private port, or single-user, switching, it provides fairly stringent security because broadcast vulnerabilities are minimized. Answer d is incorrect, as a closed VLAN authenticates a user to an access control list on a central authentication server, where they are assigned authorization parameters to determine their level of network access.

17. 

Answer: a

IPSec-compatible and non-IPSec compatible devices are used to create VPNs. The other three answers are all ways in which VPNs can be created.

18. 

Answer: b

C2MYAZZ is a utility that enables server spoofing to implement a session hijacking or man-in-the-middle exploit. It intercepts a client LANMAN authentication logon and obtains the session’s logon credentials and password combination transparently to the user. DNS poisoning (answer a) is also known as cache poisoning. It is the process of distributing incorrect IP address information for a specific host with the intent to divert traffic from its true destination. Snort (answer c) is a utility used for network sniffing, is the process of gathering traffic from a network by capturing the data as it passes and storing it to analyze later. Back Orifice 2000 (BO2K), answer d, is an application-level Trojan horse used to give an attacker backdoor network access.

19. 

Answer: b

A server cluster is a group of servers that appears to be a single server to the user. Answer a refers to redundant servers.

20. 

Answer: c

The Ping of Death exploits the fragmentation vulnerability of large ICMP ECHO request packets by sending an illegal packet with more than 65K of data, creating a buffer overflow. A TCP sequence number attack (answer a) exploits the nonrandom predictable pattern of TCP connection sequence numbers to spoof a session. A TCP SYN attack (answer b) is a DoS attack that exploits the TCP three-way handshake. The attacker rapidly generates randomly sourced SYN packets filling the target’s connection queue before the connection can timeout. A land.c attack (answer d) is also a DoS attack that exploits TCP SYN packets. The attacker sends a packet that gives both the source and destination as the target’s address and uses the same source and destination port.

21. 

Answer: b

Probing is a procedure whereby the intruder runs programs that scan the network to create a network map for later intrusion. Answer a is spoofing, answer c is the objective of a DoS attack, and answer d describes passive eavesdropping.

22. 

Answer: d

A stateful-inspection firewall intercepts incoming packets at the Network level and then uses an Inspection Engine to extract state-related information from upper layers. It maintains the information in a dynamic state table and evaluates subsequent connection attempts. A packet-filtering firewall (answer a) is the simplest type of firewall commonly implemented on routers. It operates at the Network layer and offers good performance but is the least secure. An application-level firewall or application-layer gateway (answer b) is more secure because it examines the packet at the Application layer but at the expense of performance. A circuit-level firewall (answer c) is similar to the application-level firewall in that it functions as a proxy server, but it differs in that special proxy application software is not needed.

23. 

Answer: b

Logon abuse entails an otherwise proper user attempting to access areas of the network that are deemed off-limits. Answer a is called network intrusion, and d refers to backdoor remote access.

24. 

Answer: a

Like a dual-homed host, a screened-host firewall uses two network cards to connect to the trusted and untrusted networks, but it adds a screening router between the host and the untrusted network. A dualhomed host (answer b) has two NICs but not necessarily a screening router. A screened-subnet firewall, (answer c) also uses two NICs but has two screening routers with the host acting as a proxy server on its own network segment. One screening router controls traffic local to the network while the second monitors and controls incoming and outgoing Internet traffic. Answer d, application-level proxy, is unrelated to this question.

25. 

Answer: a

A covert channel is a connection intentionally created to transmit unauthorized information from inside a trusted network to a partner at an outside, untrusted node. Answer c is called masquerading.

26. 

Answer: d

A dual-homed host uses two NICs to attach to two separate networks, commonly a trusted network and an untrusted network. It’s important that the internal routing function of the host be disabled to create an Application-layer chokepoint and filter packets. Many systems come with routing enabled by default, such as IP forwarding, which makes the firewall useless. The other answers are distracters.

27. 

Answer: c

A bridge operates at Layer 2 and therefore does not use IP addressing to make routing decisions.

28. 

Answer: d

The 802.1D spanning tree protocol is an Ethernet link-management protocol that provides link redundancy while preventing routing loops. Because only one active path can exist for an Ethernet network to route properly, the STP algorithm calculates and manages the best loop-free path through the network. IEEE 802.5 (answer a) specifies a token-passing ring access method for LANs. IEEE 802.3 (answer b) specifies an Ethernet bus topology using Carrier Sense Multiple Access Control/ Carrier Detect (CSMA/CD). IEEE 802.11 (answer c) is the IEEE standard that specifies 1 Mbps and 2 Mbps wireless connectivity in the 2.4 MHz ISM (Industrial, Scientific, Medical) band.

29. 

Answer: b

Data Encapsulation attaches information from one layer to the packet as it travels from an adjoining layer. The OSI-layered architecture model creates seven layers. The TCP/IP protocol UDP provides best effort packet delivery, and a token-passing transmission scheme creates a deterministic network because it is possible to compute the maximum predictable delay.

30. 

Answer: b

The Layer Two Tunneling Protocol (L2TP) is a protocol that allows a host to establish a virtual connection. Although L2TP - an enhancement to Layer Two Forwarding Protocol (L2F), which supports some features of the Point to Point Tunneling Protocol (PPTP) - may coexist with IPSec, it is not natively an IPSec component. The Authentication Header (AH), answer a, is an authenticating protocol that uses a hash signature in the packet header to validate the integrity of the packet data and the authenticity of the sender. The Security Association (SA), answer c, is a component of the IPSec architecture that contains the information the IPSec device needs to process incoming and outbound IPSec packets. IPSec devices embed a value called the Security Parameter Index (SPI) in the header to associate a datagram with its SA and to store SAs in a Security Association Database (SAD). The Encapsulating Security Payload (ESP), answer d, is an authenticating and encrypting protocol that provides integrity, source authentication, and confidentiality services.

31. 

Answer: c

A brute force attack is an attempt to use all combinations of key patterns to decipher a message. The other three attacks are commonly used to create a Denial of Service (DoS). Ping of Death (answer a) exploits ICMP by sending an illegal ECHO packet of >65K octets of data, which can cause an overflow of system variables and lead to a system crash. SMURF (answer b) is a type of attack using spoofed ICMP ECHO requests to broadcast addresses, which the routers attempt to propagate, congesting the network. Three participants are required for a SMURF attack: the attacker, the amplifying network, and the victim. A TCP SYN flood attack (answer d) generates phony TCP SYN packets from random IP addresses at a rapid rate to fill up the connection queue and stop the system from accepting legitimate users.

32. 

Answer: b

The Encapsulating Security Payload (ESP) is a component of IPSec. Socket Security (SOCKS) is a Transport-layer, secure networking proxy protocol. SOCKS replaces the standard network systems calls with its own calls. These calls open connections to a SOCKS proxy server for client authentication, transparently to the user. Common network utilities, like Telnet or FTP, need to be SOCKS-ified or have their network calls altered to recognize SOCKS proxy calls.

33. 

Answer: c

The /etc/passwd file is a Unix system file. The NT Security Accounts Manager, SAM, contains the usernames and encrypted passwords of all local (and domain, if the server is a domain controller) users. The SAM uses an older, weaker LanManager hash that can be broken easily by tools like L0phtcrack. Physical access to the NT server and the rdisks must be controlled. The “Sam._” file in the repair directory must be deleted after creation of an rdisk. Pwdump and pwdump2 are utilities that allow someone with Administrator rights to target the Local Security Authority Subsystem, isass.exe, from a remote system.

34. 

Answer: b

Distance vector routing uses the Routing Information Protocol (RIP) to maintain a dynamic table of routing information that is updated regularly. It is the oldest and most common type of dynamic routing. Static routing (answer a) defines a specific route in a configuration file on the router and does not require the routers to exchange route information dynamically. Link state routers (answer c) function like distance vector routers but use first-hand information when building routing tables only by maintaining a copy of every other router’s Link State Protocol (LSP) frame. This helps to eliminate routing errors and considerably lessens convergence time. Answer d is a distracter.

35. 

Answer: b

Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications. Social engineering (answer a) is a technique used to manipulate users into revealing information like passwords. An undocumented hook into an application to assist programmers with debugging (answer c) is known as a trap door. It serves as a back door into an application rather than a network. Although intended innocently, these can be exploited by intruders. Answer d is a “honey pot” or “padded cell.” A honey pot uses a dummy server with bogus applications as a decoy for intruders.

36. 

Answer: b

Simple Mail Transport Protocol (SMTP) queues and transfers e-mail. SNMP stands for Simple Network Management Protocol. ICMP stands for Internet Control Message Protocol. RARP stands for Reverse Address Resolution Protocol.

37. 

Answer: c

The Challenge Handshake Authentication Protocol (CHAP) is used at the startup of a remote link to verify the identity of a remote node. The Simple Mail Transfer Protocol (RFCs 821 and 1869), answer a, is used by a server to deliver email over the Internet. The Post Office Protocol (RFC 1939), answer b, enables users to read their email by downloading it from a remote server onto their local computer. The Internet Message Access Protocol (RFC 2060), answer d, allows users to read their email on a remote server without downloading the mail locally.

38. 

Answer: b

War walking (or war driving) refers to scanning for 802.11-based wireless network information by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS). War dialing (answer a) is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached. Demon dialing, similar to war dialing (answer c) is a tool used to attack one modem using brute force to guess the password and gain access. Tone-Loc (answer d) was one of the first war-dialing tools used by phone phreakers.

39. 

Answer: a

The Routing Information Protocol (RIP) bases its routing path on the distance (number of hops) to the destination. RIP maintains optimum routing paths by sending out routing update messages if the network topology changes. For example, if a router finds that a particular link is faulty, it will update its routing table and then send a copy of the modified table to each of its neighbors. Open Shortest Path First (OSPF), answer b, is a link-state hierarchical routing algorithm intended as a successor to RIP. It features least-cost routing, multipath routing, and load balancing. The Internet Gateway Routing Protocol (IGRP), answer c, is a Cisco protocol that uses a composite metric as its routing metric, including bandwidth, delay, reliability, loading, and maximum transmission unit. The Extensible Authentication Protocol (EAP), answer d, is a general protocol for PPP authentication that supports multiple remote authentication mechanisms.

40. 

Answer: a

Although many routers can perform most of the functions above, the OSI Network Layer is primarily responsible for routing. Bridging (answer b) is a Data Link Layer function. Gateways (answer c) most commonly function at the higher layers. Signal regeneration and repeating (Answer d) are primarily Physical Layer functions.

41. 

Answer: c

Private addresses are not easily routable.

42. 

Answer: b

In the DoD reference model, the Host-to-Host layer parallels the function of the OSI’s Transport Layer. This layer contains the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). The DoD Process/Application layer, (answer a) corresponds to the OSI’s top three layers: the Application, Presentation, and Session Layers. The DoD Internet layer (answer c) corresponds to the OSI’s Network Layer, and the DoD Network Access layer (answer d) is the equivalent of the Data Link and Physical Layers of the OSI model.

43. 

Answer: b

The class A address range is 1.0.0.0 to 126.255.255.255. The class B address range is 128.0.0.0 to 191.255.255.255. The class C address range is from 192.0.0.0 to 223.255.255.255. The class D address range is 244.0.0.0 to 239.255.255.255 and is used for multicast packets.

44. 

Answer: c

The other acronyms do not exist.

45. 

Answer: d

The 802.11i standard addresses security flaws in 802.11 products and presents an approach offering two different protocols: the TKIP protocol and the CCM protocol (CCMP).

46. 

Answer: c

802.11n is a new standard operating in the 5GHz range, combining multiple antennas, faster encoding, and an optional doubling of spectrum to achieve raw data rates from 100 Mbps up to 600 Mbps. The standard employs multiple input, multiple output (MIMO) technology to achieve this speed.

47. 

Answer: c.

Bluejacking is a Bluetooth wireless hack that exploits BT’s discover mode to drop code unnoticed on the victim’s unit.

48. 

Answer: b.

A honey pot is configured to interact with potential hackers in such a way as to capture the details of their attacks. The other answers are all common uses for a keylogger.

49. 

Answer: a

A spambot is a program designed to collect, or harvest, e-mail addresses from the Internet in order to build mailing lists for sending spam. Choice b describes a pop-up download. Choice c describes a Trojan horse, and choice d describes a remote access Trojan.

1. 

The Secure Hash Algorithm (SHA) is specified in the:

1. Data Encryption Standard
2. Digital Signature Standard
3. Digital Encryption Standard
4. Advanced Encryption Standard

2. 

What does Secure Sockets Layer (SSL)/Transaction Security Layer (TSL) do?

1. Implements confidentiality, authentication, and integrity above the Transport Layer
2. Implements confidentiality, authentication, and integrity below the Transport Layer
3. Implements only confidentiality above the Transport Layer
4. Implements only confidentiality below the Transport Layer

3. 

What are MD4 and MD5?

1. Symmetric encryption algorithms
2. Asymmetric encryption algorithms
3. Hashing algorithms
4. Digital certificates

4. 

Elliptic curves, which are applied to public-key cryptography, employ modular exponentiation, which characterizes the:

1. Elliptic curve discrete logarithm problem
2. Prime factors of very large numbers
3. Elliptic curve modular addition
4. Knapsack problem

5. 

Which algorithm is used in the Clipper Chip?

1. IDEA
2. DES
3. Skipjack
4. 3 DES

6. 

The hashing algorithm in the Digital Signature Standard (DSS) generates a message digest of:

1. 120 bits
2. 160 bits
3. 56 bits
4. 130 bits

7. 

The protocol of the Wireless Application Protocol (WAP), which performs functions similar to SSL in the TCP/IP protocol stack, is called the:

1. Wireless Application Environment (WAE)
2. Wireless Session Protocol (WSP)
3. Wireless Transaction Protocol (WTP)
4. Wireless Transport Layer Security Protocol (WTLS)

8. 

A Security Parameter Index (SPI) and the identity of the security protocol (AH or ESP) are the components of:

1. SSL
2. IPSec
3. S-HTTP
4. SSH-1

9. 

When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:

1. Public-key cryptography
2. Cryptanalysis
3. Key clustering
4. Hashing

10. 

What is the result of the Exclusive Or operation, 1 XOR 0?

1. 1
2. 0
3. Indeterminate
4. 10

11. 

A block cipher:

1. Encrypts by operating on a continuous data stream
2. Is an asymmetric-key algorithm
3. Converts variable-length plaintext into fixed-length ciphertext
4. Breaks a message into fixed length units for encryption

12. 

In most security protocols that support confidentiality, integrity, and authentication:

1. Public-key cryptography is used to create digital signatures.
2. Private-key cryptography is used to create digital signatures.
3. DES is used to create digital signatures.
4. Digital signatures are not implemented.

13. 

Which of the following is an example of a symmetric-key algorithm?

1. Rijndael
2. RSA
3. Diffie-Hellman
4. Knapsack

14. 

Which of the following is a problem with symmetric-key encryption?

1. It is slower than asymmetric-key encryption.
2. Most algorithms are kept proprietary.
3. Work factor is not a function of the key size.
4. It provides secure distribution of the secret key.

15. 

Which of the following is an example of an asymmetric-key algorithm?

1. IDEA
2. DES
3. 3 DES
4. Elliptic Curve

16. 

In public-key cryptography:

1. Only the private key can encrypt, and only the public key can decrypt.
2. Only the public key can encrypt, and only the private key can decrypt.
3. The public key is used to encrypt and decrypt.
4. If the public key encrypts, only the private key can decrypt.

17. 

In a hybrid cryptographic system, usually:

1. Public-key cryptography is used for the encryption of the message.
2. Private-key cryptography is used for the encryption of the message.
3. Neither public-key nor private-key cryptography is used.
4. Digital certificates cannot be used.

18. 

What is the block length of the Rijndael Cipher?

1. 64 bits
2. 128 bits
3. Variable
4. 256 bits

19. 

A polyalphabetic cipher is also known as:

1. One-time pad
2. Vigenère cipher
3. Steganography
4. Vernam cipher

20. 

The classic Caesar cipher is a:

1. Polyalphabetic cipher
2. Monoalphabetic cipher
3. Transposition cipher
4. Code group

21. 

In steganography:

1. Private-key algorithms are used.
2. Public-key algorithms are used.
3. Both public- and private-key algorithms are used.
4. The fact that the message exists is not known.

22. 

What is the key length of the Rijndael Block Cipher?

1. 56 or 64 bits
2. 512 bits
3. 128, 192, or 256 bits
4. 512 or 1024 bits

23. 

In a block cipher, diffusion:

1. Conceals the connection between the ciphertext and plaintext
2. Spreads the influence of a plaintext character over many ciphertext characters
3. Is usually implemented by nonlinear S-boxes
4. Cannot be accomplished

24. 

The NIST Advanced Encryption Standard uses the:

1. 3 DES algorithm
2. Rijndael algorithm
3. DES algorithm
4. IDEA algorithm

25. 

The modes of DES do not include:

1. Electronic Code Book
2. Cipher Block Chaining
3. Variable Block Feedback
4. Output Feedback

26. 

Which of the following is true?

1. The work factor of triple DES is the same as for double DES.
2. The work factor of single DES is the same as for triple DES.
3. The work factor of double DES is the same as for single DES.
4. No successful attacks have been reported against double DES.

27. 

The Rijndael Cipher employs a round transformation that is composed of three layers of distinct, invertible transformations. These transformations are also defined as uniform, which means that every bit of the State is treated the same. Which of the following is not one of these layers?

1. The nonlinear layer, which is the parallel application of S-boxes that have the optimum worst-case nonlinearity properties
2. The linear mixing layer, which provides a guarantee of the high diffusion of multiple rounds
3. The key addition layer, which is an Exclusive OR of the Round Key to the intermediate State
4. The key inversion layer, which provides confusion through the multiple rounds

28. 

The Escrowed Encryption Standard describes the:

1. Rijndael Cipher
2. Clipper Chip
3. Fair Public Key Cryptosystem
4. Digital certificates

29. 

Theoretically, quantum computing offers the possibility of factoring the products of large prime numbers and calculating discrete logarithms in polynomial time. These calculations can be accomplished in such a compressed time frame because:

1. Information can be transformed into quantum light waves that travel through fiber optic channels. Computations can be performed on the associated data by passing the light waves through various types of optical filters and solid-state materials with varying indices of refraction, thus drastically increasing the throughput over conventional computations.
2. A quantum bit in a quantum computer is actually a linear superposition of both the one and zero states and, therefore, can theoretically represent both values in parallel. This phenomenon allows computation that usually takes exponential time to be accomplished in polynomial time because different values of the binary pattern of the solution can be calculated simultaneously.
3. A quantum computer takes advantage of quantum tunneling in molecular scale transistors. This mode permits ultrahigh-speed switching to take place, thus exponentially increasing the speed of computations.
4. A quantum computer exploits the time-space relationship that changes as particles approach the speed of light. At that interface, the resistance of conducting materials effectively is zero and exponential-speed computations are possible.

30. 

Which of the following characteristics does a one-time pad have if used properly?

1. It can be used more than once.
2. The key does not have to be random.
3. It is unbreakable.
4. The key has to be of greater length than the message to be encrypted.

31. 

The DES key is:

1. 128 bits
2. 64 bits
3. 56 bits
4. 512 bits

32. 

In a digitally signed message transmission using a hash function:

1. The message digest is encrypted in the private key of the sender.
2. The message digest is encrypted in the public key of the sender.
3. The message is encrypted in the private key of the sender.
4. The message is encrypted in the public key of the sender.

33. 

The strength of RSA public-key encryption is based on the:

1. Difficulty in finding logarithms in a finite field
2. Difficulty of multiplying two large prime numbers
3. Fact that only one key is used
4. Difficulty in finding the prime factors of very large numbers

34. 

Elliptic curve cryptosystems:

1. Have a higher strength per bit than RSA.
2. Have a lower strength per bit than RSA.
3. Cannot be used to implement digital signatures.
4. Cannot be used to implement encryption.

35. 

Which of the following is not a fundamental component of Identity-Based Encryption (IBE)?

1. Bilinear mapping
2. Weil Pairing
3. Multiplication of points on an elliptic curve
4. A symmetrical session key

1. 

Answer: b

The correct answer is b. Answer a refers to DES, a symmetric encryption algorithm; answer c is a distracter - there is no such term; answer d is the Advanced Encryption Standard, which has replaced DES and is now the Rijndael algorithm.

2. 

Answer: a

The correct answer is a by definition. Answer b is incorrect because SSL/TLS operates above the Transport Layer; answer c is incorrect because authentication and integrity are provided also, and answer d is incorrect because it cites only confidentiality and SSL/TLS operates above the Transport Layer.

3. 

Answer: c

The correct answer is c. Answers a and b are incorrect because they are general types of encryption systems, and answer d is incorrect because hashing algorithms are not digital certificates.

4. 

Answer: a

The correct answer is a. Modular exponentiation in elliptic curves is the analog of the modular discrete logarithm problem. Answer b is incorrect because prime factors are involved with RSA public-key systems; answer c is incorrect because modular addition in elliptic curves is the analog of modular multiplication; and answer d is incorrect because the knapsack problem is not an elliptic curve problem.

5. 

Answer: c

The correct answer is c. Answers a, b, and d are other symmetric-key algorithms.

6. 

Answer: b

7. 

Answer: d

The answer d is correct. SSL performs security functions in TCP/IP. The other answers refer to protocols in the WAP protocol stack also, but their primary functions are not security.

8. 

Answer: b

The correct answer is b. The SPI, AH and/or ESP, and the destination IP address are components of an IPSec Security Association (SA). The other answers describe protocols other than IPSec.

9. 

Answer: c

The answer c is correct. Answer a describes a type of cryptographic system using a public and a private key; answer b is the art/science of breaking ciphers; answer d is the conversion of a message of variable length into a fixed-length message digest.

10. 

Answer: a

An XOR operation results in a 0 if the two input bits are identical and a 1 if one of the bits is a 1 and the other is a 0.

11. 

Answer: d

The answer d is correct. Answer a describes a stream cipher; answer b is incorrect because a block cipher applies to symmetric-key algorithms; and answer c describes a hashing operation.

12. 

Answer: a

The answer a is correct. Answer b is incorrect because private-key cryptography does not create digital signatures; answer c is incorrect because DES is a private-key system and, therefore, follows the same logic as in b; and answer d is incorrect because digital signatures are implemented to obtain authentication and integrity.

13. 

Answer: a

The correct answer is a. The other answers are examples of asymmetric-key systems.

14. 

Answer: d

The answer d is correct. Answer a is incorrect because the opposite is true; answer b is incorrect because most symmetric-key algorithms are published; and answer c is incorrect because work factor is a function of key size. The larger the key is, the larger the work factor.

15. 

Answer: d

The answer d is correct. All the other answers refer to symmetric-key algorithms.

16. 

Answer: d

The answer d is correct. Answers a and b are incorrect because if one key encrypts, the other can decrypt. Answer c is incorrect because if the public key encrypts, it cannot decrypt.

17. 

Answer: b

The answer b is correct. Answer a is incorrect because public-key cryptography is usually used for the encryption and transmission of the secret session key. Answer c is incorrect because both public- and private-key encryption are used, and answer d is incorrect because digital certificates can be used (and normally are used).

18. 

Answer: c

The correct answer is c. The other answers with fixed numbers are incorrect.

19. 

Answer: b

The answer b is correct. Answer a is incorrect because a one-time pad uses a random key with length equal to the plaintext message and is used only once. Answer c is the process of sending a message with no indication that a message even exists. Answer d is incorrect because it applies to stream ciphers that are XORed with a random key string.

20. 

Answer: b

The answer b is correct. The Caesar cipher uses one alphabet shifted three places. Answers a and c are incorrect because in a polyalphabetic cipher (answer a), multiple alphabets are used, and in a transposition cipher (answer c), the letters of the message are transposed. Answer d is incorrect because code groups deal with words and phrases and ciphers deal with bits or letters.

21. 

Answer: d

The correct answer is d. The other answers are incorrect because neither algorithm is used.

22. 

Answer: c

23. 

Answer: b

The answer b is correct. Answer a defines confusion; answer c defines how confusion is accomplished; and answer d is incorrect because it can be accomplished.

24. 

Answer: b

The correct answer is b. By definition, the others are incorrect.

25. 

Answer: c

The correct answer is c. There is no such encipherment mode.

26. 

Answer: c

The answer c is correct. The Meet-in-the-Middle attack has been successfully applied to double DES, and the work factor is equivalent to that of single DES. Thus, answer d is incorrect. Answer a is false because the work factor of triple DES is greater than that for double DES. In triple DES, three levels of encryption and/or decryption are applied to the message. The work factor of double DES is equivalent to the work factor of single DES. Answer b is false because the work factor of single DES is less than for triple DES.

27. 

Answer: d

The answer d is correct. This answer is a distracter and does not exist.

28. 

Answer: b

29. 

Answer: b

In digital computers, a bit is in either a one or a zero state. In a quantum computer, through linear superposition, a quantum bit can be in both states, essentially simultaneously. Thus, computations consisting of trial evaluations of binary patterns can take place simultaneously in exponential time. The probability of obtaining a correct result is increased through a phenomenon called constructive interference of light, while the probability of obtaining an incorrect result is decreased through destructive interference. Answer a describes optical computing that is effective in applying Fourier and other transformations to data to perform high-speed computations. Light representing large volumes of data passing through properly shaped physical objects can be subjected to mathematical transformations and recombined to provide the appropriate results. However, this mode of computation is not defined as quantum computing. Answers c and d are diversionary answers that do not describe quantum computing.

30. 

Answer: c

If the one-time-pad is used only once and its corresponding key is truly random and does not have repeating characters, it is unbreakable. Answer a is incorrect because if used properly, the one-time-pad should be used only once. Answer b is incorrect because the key should be random. Answer d is incorrect because the key has to be of the same length as the message.

31. 

Answer: c

32. 

Answer: a

The hash function generates a message digest. The message digest is encrypted with the private key of the sender. Thus, if the message can be opened with the sender’s public key, which is known to all, the message must have come from the sender. The message is not encrypted with the public key because the message is usually longer than the message digest and would take more computing resources to encrypt and decrypt. Because the message digest uniquely characterizes the message, it can be used to verify the identity of the sender.

Answers b and d will not work because a message encrypted in the public key of the sender can be read only by using the private key of the sender. Because the sender is the only one who knows this key, no one else can read the message. Answer c is incorrect because the message is not encrypted; the message digest is encrypted.

33. 

Answer: d

The correct answer is d. Answer a applies to public-key algorithms such as Diffie-Hellman and Elliptic Curve. Answer b is incorrect because it is easy to multiply two large prime numbers. Answer c refers to symmetric-key encryption.

34. 

Answer: a

It is more difficult to compute elliptic curve discrete logarithms than conventional discrete logarithms or factoring. Smaller key sizes in the elliptic curve implementation can yield higher levels of security. Therefore, answer b is incorrect. Answers c and d are incorrect because elliptic curve cryptosystems can be used for digital signatures and encryption.

35. 

Answer: d

IBE is based on using an arbitrary string as an individual’s public key. It is based on public-key cryptography; therefore, a symmetric key is not involved in the process.

1. 

What does the Bell-LaPadula model not allow?

1. Subjects to read from a higher level of security relative to their level of security
2. Subjects to read from a lower level of security relative to their level of security
3. Subjects to write to a higher level of security relative to their level of security
4. Subjects to read at their same level of security

2. 

In the * (star) security property of the Bell-LaPadula model:

1. Subjects cannot read from a higher level of security relative to their level of security.
2. Subjects cannot read from a lower level of security relative to their level of security.
3. Subjects cannot write to a lower level of security relative to their level of security.
4. Subjects cannot read from their same level of security.

3. 

The Clark-Wilson model focuses on data’s:

1. Integrity
2. Confidentiality
3. Availability
4. Format

4. 

The * (star) property of the Biba model states that:

1. Subjects cannot write to a lower level of integrity relative to their level of integrity.
2. Subjects cannot write to a higher level of integrity relative to their level of integrity.
3. Subjects cannot read from a lower level of integrity relative to their level of integrity.
4. Subjects cannot read from a higher level of integrity relative to their level of integrity.

5. 

Which of the following does the Clark-Wilson model not involve?

1. Constrained data items
2. Transformational procedures
3. Confidentiality items
4. Well-formed transactions

6. 

The Take-Grant model:

1. Focuses on confidentiality
2. Specifies the rights that a subject can transfer to an object
3. Specifies the levels of integrity
4. Specifies the levels of availability

7. 

The Biba model addresses:

1. Data disclosure
2. Transformation procedures
3. Constrained data items
4. Unauthorized modification of data

8. 

Mandatory access controls first appear in the Trusted Computer System Evaluation Criteria (TCSEC) at the rating of:

1. D
2. C
3. B
4. A

9. 

In the access control matrix, the rows are:

1. Access Control Lists (ACLs)
2. Tuples
3. Domains
4. Capability lists

10. 

What information security model formalizes the U.S. Department of Defense multilevel security policy?

1. Clark-Wilson
2. Stark-Wilson
3. Biba
4. Bell-LaPadula

11. 

A Trusted Computing Base (TCB) is defined as:

1. The total combination of protection mechanisms within a computer system that is trusted to enforce a security policy
2. The boundary separating the trusted mechanisms from the remainder of the system
3. A trusted path that permits a user to access resources
4. A system that employs the necessary hardware and software assurance measures to enable the processing of multiple levels of classified or sensitive information to occur

12. 

Memory space insulated from other running processes in a multiprocessing system is part of a:

1. Protection domain
2. Security perimeter
3. Least upper bound
4. Constrained data item

13. 

The boundary separating the TCB from the remainder of the system is called the:

1. Star property
2. Simple security property
3. Discretionary control boundary
4. Security perimeter

14. 

The system component that enforces access controls on an object is the:

1. Security perimeter
2. Trusted domain
3. Reference monitor
4. Access control matrix

15. 

Which one the following is not one of the three major parts of the Common Criteria (CC)?

1. Introduction and General Model
2. Security Evaluation Requirements
3. Security Functional Requirements
4. Security Assurance Requirements

16. 

A computer system that employs the necessary hardware and software assurance measures to enable it to process multiple levels of classified or sensitive information is called a:

1. Closed system
2. Open system
3. Trusted system
4. Safe system

17. 

For fault tolerance to operate, a system must be:

1. Capable of detecting and correcting the fault
2. Capable only of detecting the fault
3. Capable of terminating operations in a safe mode
4. Capable of a cold start

18. 

Which of the following choices describes the four phases of the National Information Assurance Certification and Accreditation Process (NIACAP)?

1. Definition, Verification, Validation, and Confirmation
2. Definition, Verification, Validation, and Post Accreditation
3. Verification, Validation, Authentication, and Post Accreditation
4. Definition, Authentication, Verification, and Post Accreditation

19. 

In the Common Criteria, an implementation-independent statement of security needs for a set of IT security products that could be built is called a:

1. Security Target (ST)
2. Package
3. Protection Profile (PP)
4. Target of Evaluation (TOE)

20. 

The termination of selected, noncritical processing when a hardware or software failure occurs and is detected is referred to as:

1. Fail-safe
2. Fault-tolerant
3. Fail-soft
4. An exception

21. 

Which one of the following is not a component of a CC Protection Profile?

1. Target of Evaluation (TOE) description
2. Threats against the product that must be addressed
3. Product-specific security requirements
4. Security objectives

22. 

Content-dependent control makes access decisions based on:

1. The object’s data
2. The object’s environment
3. The object’s owner
4. The object’s view

23. 

The term failover refers to:

1. Switching to a duplicate, “hot” backup component
2. Terminating processing in a controlled fashion
3. Resiliency
4. A fail-soft system

24. 

Primary storage is:

1. Memory directly addressable by the CPU for storage of instructions and data that are associated with the program being executed
2. Memory, such as magnetic disks, that provides nonvolatile storage
3. Memory used in conjunction with real memory to present a CPU with a larger, apparent address space
4. Memory in which information must be obtained by sequentially searching from the beginning of the memory space

25. 

In the Common Criteria, a Protection Profile:

1. Specifies the mandatory protection in the product to be evaluated
2. Is also known as the Target of Evaluation (TOE)
3. Is also known as the Orange Book
4. Specifies the security requirements and protections of the products to be evaluated

26. 

Context-dependent control uses which of the following to make decisions?

1. Subject or object attributes or environmental characteristics
2. Data
3. Formal models
4. Operating system characteristics

27. 

The secure path between a user and the Trusted Computing Base (TCB) is called:

1. Trusted distribution
2. Trusted path
3. Trusted facility management
4. The security perimeter

28. 

In a ring protection system, where is the security kernel usually located?

1. Highest ring number
2. Arbitrarily placed
3. Lowest ring number
4. Middle ring number

29. 

Increasing performance in a computer by overlapping the steps of different instructions is called:

1. A reduced instruction set computer
2. A complex instruction set computer
3. Vector processing
4. Pipelining

30. 

Random-access memory is:

1. Nonvolatile
2. Sequentially addressable
3. Programmed by using fusible links
4. Volatile

31. 

In the National Information Assurance Certification and Accreditation Process (NIACAP), a type accreditation performs which one of the following functions?

1. Evaluates a major application or general support system
2. Verifies the evolving or modified system’s compliance with the information agreed on in the System Security Authorization Agreement (SSAA)
3. Evaluates an application or system that is distributed to a number of different locations
4. Evaluates the applications and systems at a specific, self-contained location

32. 

Processes are placed in a ring structure according to:

1. Least privilege
2. Separation of duty
3. Owner classification
4. First in, first out

33. 

The MULTICS operating system is a classic example of:

1. An open system
2. Object orientation
3. Database security
4. Ring protection system

34. 

What are the hardware, firmware, and software elements of a Trusted Computing Base (TCB) that implement the reference monitor concept called?

1. The trusted path
2. A security kernel
3. An Operating System (OS)
4. A trusted computing system

1. 

Answer: a

The answer a is correct. The other options are not prohibited by the model.

2. 

Answer: c

The correct answer is c by definition of the star property.

3. 

Answer: a

The answer a is correct. The Clark-Wilson model is an integrity model.

4. 

Answer: b

5. 

Answer: c

The answer c is correct. Answers a, b, and d are parts of the Clark-Wilson model.

6. 

Answer: b

7. 

Answer: d

The answer d is correct. The Biba model is an integrity model. Answer a is associated with confidentiality. Answers b and c are specific to the Clark-Wilson model.

8. 

Answer: c

9. 

Answer: d

The answer d is correct. Answer a is incorrect because the access control list is not a row in the access control matrix. Answer b is incorrect because a tuple is a row in the table of a relational database. Answer c is incorrect because a domain is the set of allowable values a column or attribute can take in a relational database.

10. 

Answer: d

The answer d is correct. The Bell-LaPadula model addresses the confidentiality of classified material. Answers a and c are integrity models, and answer b is a distracter.

11. 

Answer: a

The answer a is correct. Answer b is the security perimeter. Answer c is the definition of a trusted path. Answer d is the definition of a trusted computer system.

12. 

Answer: a

13. 

Answer: d

The answer d is correct. Answers a and b deal with security models, and answer c is a distracter.

14. 

Answer: c

15. 

Answer: b

The correct answer is b, a distracter. Answer a is Part 1 of the CC. It defines general concepts and principles of information security and defines the contents of the Protection Profile (PP), Security Target (ST), and the Package. The Security Functional Requirements, answer c, are Part 2 of the CC, which contains a catalog of well-defined standard means of expressing security requirements of IT products and systems. Answer d is Part 3 of the CC and comprises a catalog of a set of standard assurance components.

16. 

Answer: c

The correct answer is c, by definition of a trusted system. Answers a and b refer to open, standard information on a product as opposed to a closed or proprietary product. Answer d is a distracter.

17. 

Answer: a

The correct answer is a, the two conditions required for a fault-tolerant system. Answer b is a distracter. Answer c is the definition of fail-safe, and answer d refers to starting after a system shutdown.

18. 

Answer: b

19. 

Answer: c

The answer c is correct. Answer a, ST, is a statement of security claims for a particular IT product or system. A Package, answer b, is defined in the CC as “an intermediate combination of security requirement compo-nents.” A TOE, answer d, is “an IT product or system to be evaluated.”

20. 

Answer: c

21. 

Answer: c

The answer c is correct. Product-specific security requirements for the product or system are contained in the Security Target (ST). Additional items in the PP are:

• TOE security environment description
• Assumptions about the security aspects of the product’s expected use
• Organizational security policies or rules
• Application notes
• Rationale

22. 

Answer: a

The answer a is correct. Answer b is context-dependent control. Answers c and d are distracters.

23. 

Answer: a

Failover means switching to a “hot” backup system that maintains duplicate states with the primary system. Answer b refers to fail-safe, and answers c and d refer to fail-soft.

24. 

Answer: a

The answer a is correct. Answer b refers to secondary storage. Answer c refers to virtual memory, and answer d refers to sequential memory.

25. 

Answer: d

The answer d is correct. Answer a is a distracter. Answer b is the product to be evaluated. Answer c refers to TCSEC.

26. 

Answer: a

The answer a is correct. Answer b refers to content-dependent characteristics, and answers c and d are distracters.

27. 

Answer: b

Answer a, trusted distribution, ensures that valid and secure versions of software have been received correctly. Trusted facility management, answer c, is concerned with the proper operation of trusted facilities as well as system administration and configuration. Answer d, the security perimeter, is the boundary that separates the TCB from the remainder of the system. Recall that the TCB is the totality of protection mechanisms within a computer system that are trusted to enforce a security policy.

28. 

Answer: c

29. 

Answer: d

30. 

Answer: d

RAM is volatile. The other answers are incorrect because RAM is volatile, randomly accessible, and not programmed by fusible links.

31. 

Answer: c

Answer a is the NIACAP system accreditation. Answer b is the Phase 2 or Verification phase of the Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made. After accreditation, the SSAA becomes the baseline security configuration document. Answer d is the NIACAP site accreditation.

32. 

Answer: a

The correct answer is a. A process is placed in the ring that gives it the minimum privileges necessary to perform its functions.

33. 

Answer: d

MULTICS is based on the ring protection architecture.

34. 

Answer: b

1. 

Which of the following places the four systems security modes of operation in order, from the most secure to the least?

1. System-High Mode, Dedicated Mode, Compartmented Mode, and Multilevel Mode
2. Dedicated Mode, System-High Mode, Compartmented Mode, and Multilevel Mode
3. Dedicated Mode, System-High Mode, Multilevel Mode, and Compartmented Mode
4. System-High Mode, Compartmented Mode, Dedicated Mode, and Multilevel Mode

2. 

Why is security an issue when a system is booted into single-user mode?

1. The operating system is started without the security front-end loaded.
2. The users cannot log in to the system, and they will complain.
3. Proper forensics cannot be executed while in single-user mode.
4. Backup tapes cannot be restored while in single-user mode.

3. 

An audit trail is an example of what type of control?

1. Deterrent control
2. Preventative control
3. Detective control
4. Application control

4. 

Which of the following media controls is the best choice to prevent data remanence on magnetic tapes or floppy disks?

1. Overwriting the media with new application data
2. Degaussing the media
3. Applying a concentration of hydroiodic acid (55% to 58% solution) to the gamma ferric oxide disk surface
4. Making sure the disk is recirculated as quickly as possible to prevent object reuse

5. 

Which of the following choices is not a security goal of an audit mechanism?

1. To deter perpetrators’ attempts to bypass the system protection mechanisms
2. To review employee production output records
3. To review patterns of access to individual objects
4. To discover when a user assumes a functionality with privileges greater than his own

6. 

Which of the following tasks would normally be a function of the security administrator, not the system administrator?

1. Installing system software
2. Adding and removing system users
3. Reviewing audit data
4. Managing print queues

7. 

Which of the following is a reason to institute output controls?

1. To preserve the integrity of the data in the system while changes are being made to the configuration
2. To protect the output’s confidentiality
3. To detect irregularities in the software’s operation
4. To recover damage after an identified system failure

8. 

Which of the following statements is not correct about reviewing user accounts?

1. User account reviews cannot be conducted by outside auditors.
2. User account reviews can examine conformity with the concept of least privilege.
3. User account reviews may be conducted on a systemwide basis.
4. User account reviews may be conducted on an application-by-application basis.

9. 

Which of the following terms most accurately describes the trusted computing base (TCB)?

1. A computer that controls all access to objects by subjects
2. A piece of information that represents the security level of an object
3. Formal proofs used to demonstrate the consistency between a system’s specification and a security model
4. The totality of protection mechanisms within a computer system

10. 

Which of the following statements is accurate about the concept of object reuse?

1. Object reuse protects against physical attacks on the storage medium.
2. Object reuse ensures that users do not obtain residual information from system resources.
3. Object reuse applies to removable media only.
4. Object reuse controls the granting of access rights to objects.

11. 

Using prenumbered forms to initiate a transaction is an example of what type of control?

1. Deterrent control
2. Preventative control
3. Detective control
4. Application control

12. 

Which of the following choices is the best description of operational assurance?

1. Operational assurance is the process of examining audit logs to reveal usage that identifies misuse.
2. Operational assurance has the benefit of containing and repairing damage from incidents.
3. Operational assurance is the process of reviewing an operational system to see that security controls are functioning correctly.
4. Operational assurance is the process of performing pre-employment background screening.

13. 

Which of the following is not a proper media control?

1. The data media should be logged to provide a physical inventory control.
2. All data storage media should be accurately marked.
3. A proper storage environment should be provided for the media.
4. The media that is reused in a sensitive environment does not need sanitization.

14. 

Which of the following choices is considered the highest level of operator privilege?

1. Read/Write
2. Read Only
3. Access Change
4. Write Only

15. 

Which of the following choices below most accurately describes a covert storage channel?

1. A process that manipulates observable system resources in a way that affects response time
2. An information transfer path within a system
3. A communication channel that allows a process to transfer information in a manner that violates the system’s security policy
4. An information transfer that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process

16. 

Which of the following would not be a common element of a transaction trail?

1. The date and time of the transaction
2. Who processed the transaction
3. Why the transaction was processed
4. At which terminal the transaction was processed

17. 

Which of the following would not be considered a benefit of employing incident-handling capability?

1. An individual acting alone would not be able to subvert a security process or control.
2. It enhances internal communications and the readiness of the organization to respond to incidents.
3. It assists an organization in preventing damage from future incidents.
4. Security training personnel would have a better understanding of users’ knowledge of security issues.

18. 

Which of the following is the best description of an audit trail?

1. Audit trails are used to detect penetration of a computer system and to reveal usage that identifies misuse.
2. An audit trail is a device that permits simultaneous data processing of two or more security levels without risk of compromise.
3. An audit trail mediates all access to objects within the network by subjects within the network.
4. Audit trails are used to prevent access to sensitive systems by unauthorized personnel.

19. 

Which of the following best describes the function of change control?

1. To ensure that system changes are implemented in an orderly manner
2. To guarantee that an operator is given only the privileges needed for the task
3. To guarantee that transaction records are retained IAW compliance requirements
4. To assign parts of security-sensitive tasks to more than one individual

20. 

Which of the following is not an example of intentionally inappropriate operator activity?

1. Making errors when manually inputting transactions
2. Using the company’s system to store pornography
3. Conducting private business on the company system
4. Using unauthorized access levels to violate information confidentiality

21. 

Which book of the Rainbow Series addresses the Trusted Computer System Evaluation Criteria (TCSEC)?

1. Red Book
2. Orange Book
3. Green Book
4. Purple Book

22. 

Which term best describes the concept of least privilege?

1. Each user is granted the lowest clearance required for his or her tasks.
2. A formal separation of command, program, and interface functions.
3. A combination of classification and categories that represents the sensitivity of information.
4. Active monitoring of facility entry access points.

23. 

Which of the following best describes a threat as defined in the Operations Security domain?

1. A potential incident that could cause harm
2. A weakness in a system that could be exploited
3. A company resource that could be lost due to an incident
4. The minimization of loss associated with an incident

24. 

Which of the following is not a common element of user account administration?

1. Periodically verifying the legitimacy of current accounts and access authorizations
2. Authorizing the request for a user’s system account
3. Tracking users and their respective access authorizations
4. Establishing, issuing, and closing user accounts

25. 

Which of the following is not an example of using a social engineering technique to gain physical access to a secure facility?

1. Asserting authority or pulling rank
2. Intimidating or threatening
3. Praising or flattering
4. Employing the salami fraud (see Appendix A)

26. 

Which statement about covert channel analysis is not true?

1. It is an operational assurance requirement that is specified in the Orange Book.
2. It is required for B2 class systems in order to protect against covert storage channels.
3. It is required for B2 class systems to protect against covert timing channels.
4. It is required for B3 class systems to protect against both covert storage and covert timing channels.

27. 

“Separation of duties” embodies what principle?

1. An operator does not know more about the system than the minimum required to do the job.
2. Two operators are required to work in tandem to perform a task.
3. The operators’ duties are frequently rotated.
4. The operators have different duties to prevent one person from compromising the system.

28. 

Convert Channel Analysis, Trusted Facility Management, and Trusted Recovery are parts of which book in the TCSEC Rainbow Series?

1. Red Book
2. Orange Book
3. Green Book
4. Dark Green Book

29. 

How do covert timing channels convey information?

1. By changing a system’s stored data characteristics
2. By generating noise and traffic with the data
3. By performing a covert channel analysis
4. By modifying the timing of a system resource in some measurable way

30. 

Which of the following would be the best description of a clipping level?

1. A baseline of user errors above which violations will be recorded
2. A listing of every error made by users to initiate violation processing
3. Variance detection of too many people with unrestricted access
4. Changes a system’s stored data characteristics

31. 

Which of the following backup methods will probably require the backup operator to use the most number of tapes for a complete system restoration if a different tape is used every night in a five-day rotation?

1. Full
2. Differential
3. Incremental
4. Ad hoc

32. 

Which level of RAID is commonly referred to as disk mirroring?

1. RAID 0
2. RAID 1
3. RAID 3
4. RAID 5

33. 

Which is not a common element of an e-mail?

1. Header
2. Content
3. VBScript
4. Attachment(s)

34. 

Which of the following choices is the best description of a fax encryptor?

1. An individual user who encrypts fax documents
2. A encryption mechanism that encrypts all fax transmissions at the Data Link Layer
3. An application that encrypts all printed output
4. An application that encrypts faxes at the desktop

35. 

Which of the following statements is true about e-mail headers?

1. E-mail headers can never be spoofed.
2. Fraudulent e-mail is easily identified by the headers.
3. The header may point back to the hijacked spambot.
4. The header will always point back to the original spammer.

1. 

Answer: b

Dedicated Mode, System-High Mode, Compartmented Mode, and Multilevel Mode

2. 

Answer: a

When the operator boots the system in single-user mode, the user front-end security controls are not loaded. This mode should be used only for recovery and maintenance procedures, and all operations should be logged and audited.

3. 

Answer: c

An audit trail is a record of events to piece together what has happened and allow enforcement of individual accountability by creating a reconstruction of events. They can be used to assist in the proper implementation of the other controls, however.

4. 

Answer: b

Degaussing is recommended as the best method for purging most magnetic media. Answer a is not recommended because the application may not completely overwrite the old data properly. Answer c is a rarely used method of media destruction, and acid solutions should be used in a well-ventilated area only by qualified personnel. Answer d is wrong.

5. 

Answer: b

Answer b is a distracter; the other answers reflect proper security goals of an audit mechanism.

6. 

Answer: c

Reviewing audit data should be a function separate from the day-to-day administration of the system.

7. 

Answer: b

In addition to being used as a transaction control verification mechanism, output controls are used to ensure that output, such as printed reports, is distributed securely. Answer a is an example of change control, c is an example of application controls, and d is an example of recovery controls.

8. 

Answer: a

Reviews can be conducted by, among others, in-house systems personnel (a self-audit), the organization’s internal audit staff, or external auditors.

9. 

Answer: d

The Trusted Computing Base (TCB) represents totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. Answer a describes the reference monitor concept, answer b refers to a sensitivity label, and answer c describes formal verification.

10. 

Answer: b

Object reuse mechanisms ensure system resources are allocated and assigned among authorized users in a way that prevents the leak of sensitive information, and they ensure that the authorized user of the system does not obtain residual information from system resources. Answer a is incorrect, answer c is incorrect, and answer d refers to authorization: the granting of access rights to a user, program, or process.

11. 

Answer: b

Prenumbered forms are an example of preventative controls. They can also be considered a transaction control and input control.

12. 

Answer: c

Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively. Operational assurance addresses whether the system’s technical features are being bypassed or have vulnerabilities and whether required procedures are being followed. Answer a is a description of an audit trail review, answer b is a description of a benefit of incident handling, and answer d describes a personnel control.

13. 

Answer: d

Sanitization is the process of removing information from used data media to prevent data remanence. Different media require different types of sanitization. All the others are examples of proper media controls.

14. 

Answer: c

The three common levels of operator privileges, based on the concept of “least privilege,” are:

• Read Only - Lowest level, view data only
• Read/Write - View and modify data
• Access Change - Highest level, right to change data/operator permissions

Answer d is a distracter.

15. 

Answer: d

A covert storage channel typically involves a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. Answer a is a partial description of a covert timing channel, and answer b is a generic definition of a channel. A channel may also refer to the mechanism by which the path is affected. Answer c is a higher-level definition of a covert channel. While a covert storage channel fits this definition generically, answer d is the proper specific definition.

16. 

Answer: c

Why the transaction was processed is not initially a concern of the audit log, but it will be investigated later. The other three elements are all important information that the audit log of the transaction should record.

17. 

Answer: a

The primary benefits of employing an incident-handling capability are containing and repairing damage from incidents and preventing future damage. Answer a is a benefit of employing “separation of duties” controls.

18. 

Answer: a

An audit trail is a set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports and/or backward from records and reports to their component source transactions. Answer b is a description of a multilevel device, and answer c refers to a network reference monitor. Answer d is incorrect because audit trails are detective, and answer d describes a preventative process - access control.

19. 

Answer: a

Answer b describes least privilege, answer c describes record retention, and answer d describes separation of duties.

20. 

Answer: a

Although operator error (answer a) is most certainly an example of a threat to a system’s integrity, it is considered unintentional loss, not an intentional activity.

21. 

Answer: b

22. 

Answer: a

The least privilege principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Answer b describes separation of privilege, answer c describes a security level, and answer d is a distracter.

23. 

Answer: a

Answer b describes a vulnerability, answer c describes an asset, and answer d describes risk management.

24. 

Answer: b

For proper separation of duties, the function of user account establishment and maintenance should be separated from the function of initiating and authorizing the creation of the account. User account management focuses on identification, authentication, and access authorizations.

25. 

Answer: d

Answers a, b, and c denote common tactics used by an intruder to gain either physical access or system access. The salami fraud is an automated fraud technique. In the salami fraud, a programmer will create or alter a program to move small amounts of money into his personal bank account. The amounts are intended to be so small as to be unnoticed, such as rounding in foreign currency exchange transactions; hence the name, a reference to slicing a salami.

26. 

Answer: c

Orange Book B2 class systems do not need to be protected from covert timing channels. Covert channel analysis must be performed for B2-level class systems to protect against only covert storage channels. B3 class systems need to be protected from both covert storage channels and covert timing channels.

27. 

Answer: d

Separation of duties means that the operators are prevented from generating and verifying transactions alone, for example. A task might be divided into different smaller tasks to accomplish this, or in the case of an operator with multiple duties, the operator makes a logical, functional job change when performing such conflicting duties. Answer a is need-to-know, answer b is dual-control, and c is job rotation.

28. 

Answer: b

The Red Book (answer a) is the Trusted Network Interpretation (TNI) summary of network requirements (described in the Telecommunications and Network Security domain); the Green Book (answer c) is the Department of Defense (DoD) Password Management Guideline; and the Dark Green Book (answer d) is The Guide to Understanding Data Remanence in Automated Information Systems.

29. 

Answer: d

A covert timing channel alters the timing of parts of the system to enable it to be used to communicate information covertly (outside the normal security function). Answer a is the description of the use of a covert storage channel, answer b is a technique to combat the use of covert channels, and answer c is the Orange Book requirement for B3, B2, and A1 evaluated systems.

30. 

Answer: a

This description of a clipping level is the best. Answer b is not correct because one reason to create clipping levels is to prevent auditors from having to examine every error. Answer c is a common use for clipping levels but is not a definition. Answer d is a distracter.

31. 

Answer: c

Most backup methods use the Archive file attribute to determine whether the file should be backed up. The backup software determines which files need to be backed up by checking to see whether the Archive file attribute has been set and then resets the Archive bit value to null after the backup procedure. The Incremental backup method backs up only files that have been created or modified since the last backup was made because the Archive file attribute is reset. This can result in the backup operator needing several tapes to do a complete restoration, because every tape with changed files as well as the last full backup tape will need to be restored.

A full or complete backup (answer a) backs up all files in all directories stored on the server regardless of when the last backup was made and whether the files have already been backed up. The Archive file attribute is changed to mark that the files have been backed up, and the tape or tapes will have all data and applications on it. This is an incorrect answer for this question, however, as it’s assumed that answers b and c will additionally require differential or incremental tapes.

The Differential backup method (answer b) backs up only files that have been created or modified since the last backup was made, like an incremental backup. However, the difference between an incremental backup and a differential backup is that the Archive file attribute is not reset after the differential backup is completed; therefore, the changed file is backed up every time the differential backup is run. The backup set grows in size until the next full backup as these files continue to be backed up during each subsequent differential backup. The advantage of this backup method is that the backup operator should need only the full backup and the one differential backup to restore the system.

Answer d is a distracter.

32. 

Answer: b

Redundant Array of Inexpensive Disks (RAID) is a method of enhancing hard disk fault tolerance, which can improve performance. RAID 1 maintains a complete copy of all data by duplicating each hard drive. Performance can suffer in some implementations of RAID 1, and twice as many drives are required. Novell developed a type of disk mirroring called disk duplexing, which uses multiple disk controller cards, increasing both performance and reliability. RAID 0 (answer a) gives some performance gains by striping the data across multiple drives but reduces fault tolerance, because the failure of any single drive disables the whole volume. RAID 3 (answer c) uses a dedicated error-correction disk called a parity drive, and it stripes the data across the other data drives. RAID 5 (answer d) uses all disks in the array for both data and error correction, increasing both storage capacity and performance.

33. 

Answer: c

E-mails have three basic parts: attachments, contents, and headers. Both the contents and attachments are areas of vulnerability.

34. 

Answer: b

A fax encryptor is a encryption mechanism that encrypts all fax transmissions at the Data Link layer and helps ensure that all incoming and outgoing fax data is encrypted at its source.

35. 

Answer: c

The header may point back to the hijacked spambot’s mail server. Email headers can be spoofed, fraudulent e-mail not always identified by the headers, and the header doesn’t always point back to the original spammer.

1. 

What is a data warehouse?

1. A remote facility used for storing backup tapes
2. A repository of information from heterogeneous databases
3. A table in a relational database system
4. A hot backup building

2. 

What does normalizing data in a data warehouse mean?

1. Redundant data is removed.
2. Numerical data is divided by a common factor.
3. Data is converted to a symbolic representation.
4. Data is restricted to a range of values.

3. 

What is a neural network?

1. A hardware or software system that emulates the reasoning of a human expert
2. A collection of computers that are focused on medical applications
3. A series of networked PCs performing artificial intelligence tasks
4. A hardware or software system that emulates the functioning of biological neurons

4. 

A neural network learns by using various algorithms to:

1. Adjust the weights applied to the data
2. Fire the rules in the knowledge base
3. Emulate an inference engine
4. Emulate the thinking of an expert

5. 

The SEI Software Capability Maturity Model is based on the premise that:

1. Good software development is a function of the number of expert programmers in the organization.
2. The maturity of an organization’s software processes cannot be measured.
3. The quality of a software product is a direct function of the quality of its associated software development and maintenance processes.
4. Software development is an art that cannot be measured by conventional means.

6. 

In configuration management, a configuration item is:

1. The version of the operating system that is operating on the workstation that provides information security services
2. A component whose state is to be recorded and against which changes are to be progressed
3. The network architecture used by the organization
4. A series of files that contain sensitive information

7. 

In an object-oriented system, polymorphism denotes:

1. Objects of many different classes that are related by some common superclass; thus, any object denoted by this name can respond to some common set of operations in a different way.
2. Objects of many different classes that are related by some common superclass; thus, all objects denoted by this name can respond to some common set of operations in identical fashion.
3. Objects of the same class; thus, any object denoted by this name can respond to some common set of operations in the same way.
4. Objects of many different classes that are unrelated but respond to some common set of operations in the same way.

8. 

The simplistic model of software life cycle development assumes that:

1. Iteration will be required among the steps in the process.
2. Each step can be completed and finalized without any effect from the later stages that may require rework.
3. Each phase is identical to a completed milestone.
4. Software development requires reworking and repeating some of the phases.

9. 

What is a method in an object-oriented system?

1. The means of communication among objects
2. A guide to the programming of objects
3. The code defining the actions that the object performs in response to a message
4. The situation where a class inherits the behavioral characteristics of more than one parent class

10. 

What does the Spiral model depict?

1. A spiral that incorporates various phases of software development
2. A spiral that models the behavior of biological neurons
3. The operation of expert systems
4. Information security checklists

11. 

In the software life cycle, verification:

1. Evaluates the product in development against real-world requirements
2. Evaluates the product in development against similar products
3. Evaluates the product in development against general baselines
4. Evaluates the product in development against the specification

12. 

In the software life cycle, validation:

1. Refers to the work product satisfying the real-world requirements and concepts
2. Refers to the work product satisfying derived specifications
3. Refers to the work product satisfying software maturity levels
4. Refers to the work product satisfying generally accepted principles

13. 

In the modified Waterfall model:

1. Unlimited backward iteration is permitted.
2. The model was reinterpreted to have phases end at project milestones.
3. The model was reinterpreted to have phases begin at project milestones.
4. Product verification and validation are not included.

14. 

Cyclic redundancy checks, structured walk-throughs, and hash totals are examples of what type of application controls?

1. Preventive security controls
2. Preventive consistency controls
3. Detective accuracy controls
4. Corrective consistency controls

15. 

In a system life cycle, information security controls should be:

1. Designed during the product implementation phase
2. Implemented prior to validation
3. Part of the feasibility phase
4. Specified after the coding phase

16. 

The software maintenance phase controls consist of:

1. Request control, change control, and release control
2. Request control, configuration control, and change control
3. Change control, security control, and access control
4. Request control, release control, and access control

17. 

In configuration management, what is a software library?

1. A set of versions of the component configuration items
2. A controlled area accessible only to approved users who are restricted to the use of an approved procedure
3. A repository of backup tapes
4. A collection of software build lists

18. 

What is configuration control?

1. Identifying and documenting the functional and physical characteristics of each configuration item
2. Controlling changes to the configuration items and issuing versions of configuration items from the software library
3. Recording the processing of changes
4. Controlling the quality of the configuration management procedures

19. 

What is searching for data correlations in the data warehouse called?

1. Data warehousing
2. Data mining
3. A data dictionary
4. Configuration management

20. 

The security term that is concerned with the same primary key existing at different classification levels in the same database is:

1. Polymorphism
2. Normalization
3. Inheritance
4. Polyinstantiation

21. 

What is a data dictionary?

1. A database for system developers
2. A database of security terms
3. A library of objects
4. A validation reference source

22. 

Which of the following is an example of mobile code?

1. Embedded code in control systems
2. Embedded code in PCs
3. Java and ActiveX code downloaded into a Web browser from the World Wide Web (WWW)
4. Code derived following the Spiral model

23. 

Which of the following is not true regarding software unit testing?

1. The test data is part of the specifications.
2. Correct test output results should be developed and known beforehand.
3. Live or actual field data is recommended for use in the testing procedures.
4. Testing should check for out-of-range values and other bounds conditions.

24. 

The definition “the science and art of specifying, designing, implementing, and evolving programs, documentation, and operating procedures whereby computers can be made useful to people” is that of:

1. Structured analysis/structured design (SA/SD)
2. Software engineering
3. An object-oriented system
4. Functional programming

25. 

In software engineering, the term verification is defined as:

1. Establishing the truth of correspondence between a software product and its specification
2. A complete, validated specification of the required functions, interfaces, and performance for the software product
3. Establishing the fitness or worth of a software product for its operational mission
4. A complete, verified specification of the overall hardware-software architecture, control structure, and data structure for the product

26. 

The discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle is called:

1. Change control
2. Request control
3. Release control
4. Configuration management

27. 

The basic version of the Construction Cost Model (COCOMO), which proposes quantitative life cycle relationships, performs what function?

1. It estimates software development effort based on user function categories.
2. It estimates software development effort and cost as a function of the size of the software product in source instructions.
3. It estimates software development effort and cost as a function of the size of the software product in source instructions modified by manpower buildup and productivity factors.
4. It estimates software development effort and cost as a function of the size of the software product in source instructions modified by hardware and input functions.

28. 

A refinement to the basic Waterfall model that states that software should be developed in increments of functional capability is called:

1. Functional refinement
2. Functional development
3. Incremental refinement
4. Incremental development

29. 

The Spiral model of the software development process uses which of the following metrics relative to the spiral?

1. The radial dimension represents the cost of each phase.
2. The radial dimension represents progress made in completing each cycle.
3. The angular dimension represents cumulative cost.
4. The radial dimension represents cumulative cost.

30. 

In the Capability Maturity Model (CMM) for software, the definition “describes the range of expected results that can be achieved by following a software process” is that of:

1. Structured analysis/structured design (SA/SD)
2. Software process capability
3. Software process performance
4. Software process maturity

1. 

Answer: b

A data warehouse is a repository of information from heterogeneous databases. Answers a and d describe physical facilities for backup and recovery of information systems, and answer c describes a relation in a relational database.

2. 

Answer: a

The correct answer is a, removing redundant data.

3. 

Answer: d

A neural network is a hardware or software system that emulates the functioning of biological neurons. Answer a refers to an expert system, and answers b and c are distracters.

4. 

Answer: a

A neural network learns by using various algorithms to adjust the weights applied to the data. Answers b, c, and d are terminology referenced in expert systems.

5. 

Answer: c

The quality of a software product is a direct function of the quality of its associated software development and maintenance processes. Answer a is false because the SEI Software CMM relates the production of good software to having the proper processes in place in an organization and not to expert programs or heroes. Answer b is false because the Software CMM provides means to measure the maturity of an organization’s software processes. Answer d is false for the same reason as answer b.

6. 

Answer: b

A configuration item is a component whose state is to be recorded and against which changes are to be progressed. Answers a, c, and d are incorrect by the definition of a configuration item.

7. 

Answer: a

Polymorphism refers to objects of many different classes that are related by some common superclass that are able to respond to some common set of operations, defined for the superclass, in different ways depending on their particular subclasses. Answers b, c, and d are incorrect by the definition of polymorphism.

8. 

Answer: b

The simplistic model assumes that each step can be completed and finalized without any effect from the later stages that might require rework. Answer a is incorrect because no iteration is allowed for in the model. Answer c is incorrect because it applies to the modified Waterfall model. Answer d is incorrect because no iteration or reworking is considered in the model.

9. 

Answer: c

A method in an object-oriented system is the code that defines the actions that the object performs in response to a message. Answer a is incorrect because it defines a message. Answer b is a distracter, and answer d refers to multiple inheritance.

10. 

Answer: a

The spiral in the Spiral model incorporates various phases of software development. The other answers are distracters.

11. 

Answer: d

In the software life cycle, verification evaluates the product in development against the specification. Answer a defines validation. Answers b and c are distracters.

12. 

Answer: a

In the software life cycle, validation is the work product satisfying the real-world requirements and concepts. The other answers are distracters.

13. 

Answer: b

The modified Waterfall model was reinterpreted to have phases end at project milestones. Answer a is false because unlimited backward iteration is not permitted in the modified Waterfall model. Answer c is a distracter, and answer d is false because verification and validation are included.

14. 

Answer: c

Cyclic redundancy checks, structured walkthroughs, and hash totals are examples of detective accuracy controls. The other answers do not apply by the definition of the types of controls.

15. 

Answer: c

In the system life cycle, information security controls should be part of the feasibility phase. The other answers are incorrect because the basic premise of information system security is that controls should be included in the earliest phases of the software life cycle and not added later in the cycle or as an afterthought.

16. 

Answer: a

The software maintenance phase controls consist of request control, change control, and release control, by definition. The other answers are, therefore, incorrect.

17. 

Answer: b

In configuration management, a software library is a controlled area, accessible only to approved users who are restricted to the use of approved procedure. Answer a is incorrect because it defines a build list. Answer c is incorrect because it defines a backup storage facility. Answer d is a distracter.

18. 

Answer: b

Configuration control consists of controlling changes to the configuration items and issuing versions of configuration items from the software library. Answer a is the definition of configuration identification. Answer c is the definition of configuration status accounting, and answer d is the definition of configuration audit.

19. 

Answer: b

Searching for data correlations in the data warehouse is called data mining. Answer a is incorrect because data warehousing is creating a repository of information from heterogeneous databases that is available to users for making queries. Answer c is incorrect because a data dictionary is a database for system developers. Answer d is incorrect because configuration management is the discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle.

20. 

Answer: d

The security term that is concerned with the same primary key existing at different classification levels in the same database is polyinstantiation. Answer a is incorrect because polymorphism is defined as objects of many different classes that are related by some common superclass so that any object denoted by this name is able to respond in its own way to some common set of operations. Answer b is incorrect because normalization refers to removing redundant or incorrect data from a database. Answer c is incorrect because inheritance refers to methods from a class inherited by a subclass.

21. 

Answer: a

A data dictionary is a database for system developers. Answers b, c, and d are distracters.

22. 

Answer: c

Examples of mobile code are Java applets and ActiveX controls downloaded into a Web browser from the World Wide Web. Answers a, b, and d are incorrect because they are types of code that are not related to mobile code.

23. 

Answer: c

Live or actual field data are not recommended for use in testing, because they do not thoroughly test all normal and abnormal situations, and the test results are not known beforehand. Answers a, b, and d are true of testing.

24. 

Answer: b

The definition of software engineering in answer b is a combination of popular definitions of engineering and software. One definition of engineering is “the application of science and mathematics to the design and construction of artifacts that are useful to people.” A definition of software is that it “consists of the programs, documentation and operating procedures by which computers can be made useful to people.” Answer a, SA/SD, deals with developing specifications that are abstractions of the problem to be solved and are not tied to any specific programming languages. Thus, SA/SD, through data flow diagrams (DFDs), shows the main processing entities and the data flow between them without any connection to a specific programming language implementation.

An object-oriented system (answer c) is a group of independent objects that can be requested to perform certain operations or exhibit specific behaviors. These objects cooperate to provide the system’s required functionality. The objects have an identity and can be created as the program executes (dynamic lifetime). To provide the desired characteristics of object-oriented systems, the objects are encapsulated (i.e., they can be accessed only through messages sent to them to request performance of their defined operations). The object can be viewed as a black box whose internal details are hidden from outside observation and cannot normally be modified. Objects also exhibit the substitution property, which means that objects providing compatible operations can be substituted for each other. In summary, an object-oriented system contains objects that exhibit the following properties:

• Identity - Each object has a name that is used to designate that object.
• Encapsulation - An object can be accessed only through messages to perform its defined operations.
• Substitution - Objects that perform compatible operations can be substituted for each other.
• Dynamic lifetimes - Objects can be created as the program executes.

Answer d, functional programming, uses only mathematical functions to perform computations and solve problems. This approach is based on the assumption that any algorithm can be described as a mathematical function. Functional languages have the characteristics that:

• They support functions and allow them to be manipulated by being passed as arguments and stored in data structures.
• Functional abstraction is the only method of procedural abstraction.

25. 

Answer: a

In the Waterfall model (W. W. Royce, “Managing the Development of Large Software Systems: Concepts and Techniques,” Proceedings, WESCON, August 1970), answer b defines the term requirements. Similarly, answer c defines the term validation, and answer d is the definition of product design. In summary, the steps of the Waterfall model are:

• System feasibility
• Software plans and requirements
• Product design
• Detailed design
• Code
• Integration
• Implementation
• Operations and maintenance

In this model, each phase finishes with a verification and validation (V&V) task that is designed to eliminate as many problems as possible in the results of that phase.

26. 

Answer: d

Answer d is correct, as is demonstrated in Configuration Management of Computer-Based Systems (British Standards Institution, 1984). Answers a, b, and c are components of the maintenance activity of software life cycle models. In general, one can look at the maintenance phase as the progression from request control, through change control, to release control. Request control (answer b) is involved with the users’ requests for changes to the software. Change control (answer a) involves the analysis and understanding of the existing code, the design of changes, and the corresponding test procedures. Release control (answer c) involves deciding which requests are to be implemented in the new release, performing the changes, and conducting testing.

27. 

Answer: b

The Basic COCOMO Model, set forth in Software Engineering Economics, B. W. Boehm (Prentice-Hall, 1981), proposes two equations that compute the number of man-months and the development schedule in months needed to develop a software product, given the number of thousands of delivered source instructions (KDSI) in the product.

In addition, Boehm has developed an intermediate COCOMO Model that takes into account hardware constraints, personnel quality, use of modern tools, and other attributes and their aggregate impact on overall project costs. A detailed COCOMO Model, also by Boehm, accounts for the effects of the additional factors used in the intermediate model on the costs of individual project phases.

Answer b describes a function point measurement model that does not require the user to estimate the number of delivered source instructions. The software development effort is determined using the follow-ing five user functions:

• External input types
• External output types
• Logical internal file types
• External interface file types
• External inquiry types

These functions are tallied and weighted according to complexity and used to determine the software development effort.

Answer c describes the Rayleigh curve applied to software development cost and effort estimation. A prominent model using this approach is the Software Life Cycle Model (SLIM) estimating method. In this method, estimates based on the number of lines of source code are modified by the following two factors:

• The manpower buildup index (MBI), which estimates the rate of buildup of staff on the project
• A productivity factor (PF), which is based on the technology used

Answer d is a distracter.

28. 

Answer: d

The advantages of incremental development include the ease of testing increments of functional capability and the opportunity to incorporate user experience into a successively refined product. Answers a, b, and c are distracters.

29. 

Answer: d

The radial dimension represents cumulative cost, and the angular dimension represents progress made in completing each cycle of the spiral. The Spiral model is actually a meta-model for software development processes. A summary of the stages in the spiral is as follows:

• The spiral begins in the top, left-hand quadrant by determining the objectives of the portion of the product being developed, the alternative means of implementing this portion of the product, and the constraints imposed on the application of the alternatives.
• Next, the risks of the alternatives are evaluated based on the objectives and constraints. Following this step, the relative balances of the perceived risks are determined.
• The spiral then proceeds to the lower right-hand quadrant where the development phases of the projects begin. A major review completes each cycle, and then the process begins anew for succeeding phases of the project. Typical succeeding phases are software product design, integration and test plan development, additional risk analyses, operational prototype, detailed design, code, unit test, acceptance test, and implementation.

Answers a, b, and c are distracters.

30. 

Answer: b

A software process is a set of activities, methods, and practices that are used to develop and maintain software and associated products. Software process capability is a means of predicting the outcome of the next software project conducted by an organization. Software process performance (answer c) is the result achieved by following a software process. Thus, software capability is aimed at expected results while software performance is focused on results that have been achieved. Software process maturity (answer d) is the extent to which a software process is:

• Defined
• Managed
• Measured
• Controlled
• Effective

Software process maturity, then, provides for the potential for growth in capability of an organization. An immature organization develops software in a crisis mode, usually exceeds budgets and time schedules, and develops software processes in an ad hoc fashion during the project. In a mature organization, the software process is effectively communicated to staff, the required processes are documented and consistent, software quality is evaluated, and roles and responsibilities are understood for the project.

Answer a is a distracter, but it is discussed in question 24.

1. 

Which of the following choices is the first priority in an emergency?

1. Communicating to employees’ families the status of the emergency
2. Notifying external support resources for recovery and restoration
3. Protecting the health and safety of everyone in the facility
4. Warning customers and contractors of a potential interruption of service

2. 

Which of the following choices is not considered an appropriate role for senior management in the business continuity and disaster recovery process?

1. Delegate recovery roles
2. Publicly praise successes
3. Closely control media and analyst communications
4. Assess the adequacy of information security during the disaster recovery

3. 

Why is it so important to test disaster recovery plans frequently?

1. The businesses that provide subscription services may have changed ownership.
2. A plan is not considered viable until a test has been performed.
3. Employees may get bored with the planning process.
4. Natural disasters can change frequently.

4. 

Which of the following types of tests of disaster recovery/emergency management plans is considered the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?

1. Full-scale exercise
2. Walk-through drill
3. Table-top exercise test
4. Evacuation drill

5. 

Which type of backup subscription service will allow a business to recover quickest?

1. A hot site
2. A mobile or rolling backup service
3. A cold site
4. A warm site

6. 

Which of the following represents the most important first step in creating a business resumption plan?

1. Performing a risk analysis
2. Obtaining senior management support
3. Analyzing the business impact
4. Planning recovery strategies

7. 

What could be a major disadvantage to a mutual aid or reciprocal type of backup service agreement?

1. It is free or at a low cost to the organization.
2. The use of prefabricated buildings makes recovery easier.
3. In a major emergency, the site may not have the capacity to handle the operations required.
4. Annual testing by the Info Tech department is required to maintain the site.

8. 

In developing an emergency or recovery plan, which of the following would not be considered a short-term objective?

1. Priorities for restoration
2. Acceptable downtime before restoration
3. Minimum resources needed to accomplish the restoration
4. The organization’s strategic plan

9. 

When is the disaster considered to be officially over?

1. When the danger has passed and the disaster has been contained
2. When the organization has processing up and running at the alternate site
3. When all the elements of the business have returned to normal functioning at the original site
4. When all employees have been financially reimbursed for their expenses

10. 

When should the public and media be informed about a disaster?

1. Whenever site emergencies extend beyond the facility
2. When any emergency occurs at the facility, internally or externally
3. When the public’s health or safety is in danger
4. When the disaster has been contained

11. 

What is the number one priority of disaster response?

1. Resuming transaction processing
2. Personnel safety
3. Protecting the hardware
4. Protecting the software

12. 

Which of the following is the best description of the criticality prioritization goal of the Business Impact Assessment (BIA) process?

1. The identification and prioritization of every critical business unit process
2. The identification of the resource requirements of the critical business unit processes
3. The estimation of the maximum downtime the business can tolerate
4. The presentation of the documentation of the results of the BIA

13. 

Which of the following most accurately describes a business impact analysis (BIA)?

1. A program that implements the strategic goals of the organization
2. A management-level analysis that identifies the impact of losing an entity’s resources
3. A prearranged agreement between two or more entities to provide assistance
4. Activities designed to return an organization to an acceptable operating condition

14. 

What is considered the major disadvantage to employing a hot site for disaster recovery?

1. Exclusivity is assured for processing at the site.
2. Maintaining the site is expensive.
3. The site is immediately available for recovery.
4. Annual testing is required to maintain the site.

15. 

Which of the following is not considered an appropriate role for Financial Management in the business continuity and disaster recovery process?

1. Tracking the recovery costs
2. Monitoring employee morale and guarding against employee burnout
3. Formally notifying insurers of claims
4. Reassessing cash flow projections

16. 

Which of the following is the most accurate description of a warm site?

1. A backup processing facility with adequate electrical wiring and air conditioning but no hardware or software installed
2. A backup processing facility with most hardware and software installed, which can be operational within a matter of days
3. A backup processing facility with all hardware and software installed and 100 percent compatible with the original site, operational within hours
4. A mobile trailer with portable generators and air conditioning

17. 

Which of the following is not one of the five disaster recovery plan testing types?

1. Simulation
2. Checklist
3. Mobile
4. Full Interruption

18. 

Which of the following choices is an example of a potential hazard due to a technological event, rather than a human event?

1. Sabotage
2. Financial collapse
3. Mass hysteria
4. Enemy attack

19. 

Which of the following is not considered an element of a backup alternative?

1. Electronic vaulting
2. Remote journaling
3. Warm site
4. Checklist

20. 

Which of the following choices refers to a business asset?

1. Events or situations that could cause a financial or operational impact to the organization
2. Protection devices or procedures in place that reduce the effects of threats
3. Competitive advantage, credibility, or goodwill
4. Personnel compensation and retirement programs

21. 

Which of the following statements is not correct regarding the role of the recovery team during the disaster?

1. The recovery team must be the same as the salvage team, because they perform the same function.
2. The recovery team is often separate from the salvage team, because they perform different duties.
3. The recovery team’s primary task is to get predefined critical business functions operating at the alternate processing site.
4. The recovery team will need full access to all backup media.

22. 

Which of the following choices is incorrect regarding when a BCP, DRP, or emergency management plan should be evaluated and modified?

1. Never; once it has been fully tested, it should not be changed.
2. Annually, in a scheduled review.
3. After training drills, tests, or exercises.
4. After an emergency or disaster response.

23. 

When should security isolation of the incident scene start?

1. Immediately after the emergency is discovered
2. As soon as the disaster plan is implemented
3. After all personnel have been evacuated
4. When hazardous materials have been discovered at the site

24. 

Which of the following is not a recommended step to take when resuming normal operations after an emergency?

1. Reoccupy the damaged building as soon as possible.
2. Account for all damage-related costs.
3. Protect undamaged property.
4. Conduct an investigation.

25. 

Which of the following would not be a good reason to test the disaster recovery plan?

1. Testing verifies the processing capability of the alternate backup site.
2. Testing allows processing to continue at the database shadowing facility.
3. Testing prepares and trains the personnel to execute their emergency duties.
4. Testing identifies deficiencies in the recovery procedures.

26. 

Which of the following statements is not true about the post-disaster salvage team?

1. The salvage team must return to the site as soon as possible regardless of the residual physical danger.
2. The salvage team manages the cleaning of equipment after smoke damage.
3. The salvage team identifies sources of expertise to employ in the recovery of equipment or supplies.
4. The salvage team may be given the authority to declare when operations can resume at the disaster site.

27. 

Which of the following is the most accurate statement about the results of the disaster recovery plan test?

1. If no deficiencies were found during the test, then the plan is probably perfect.
2. The results of the test should be kept secret.
3. If no deficiencies were found during the test, then the test was probably flawed.
4. The plan should not be changed no matter what the results of the test.

28. 

Which statement is true regarding the disbursement of funds during and after a disruptive event?

1. Because access to funds is rarely an issue during a disaster, no special arrangements need to be made.
2. No one but the finance department should ever disburse funds during or after a disruptive event.
3. In the event senior-level or financial management is unable to disburse funds normally, the company will need to file for bankruptcy.
4. Authorized, signed checks should be stored securely off-site for access by lower-level managers in the event senior-level or financial management is unable to disburse funds normally.

29. 

Which statement is true regarding company/employee relations during and after a disaster?

1. The organization has a responsibility to continue salaries or other funding to the employees and families affected by the disaster.
2. The organization’s responsibility to the employee’s families ends when the disaster stops the business from functioning.
3. Employees should seek any means of obtaining compensation after a disaster, including fraudulent ones.
4. Senior-level executives are the only employees who should receive continuing salaries during the disruptive event.

30. 

Which of the following choices is the correct definition of a Mutual Aid Agreement?

1. A management-level analysis that identifies the impact of losing an entity’s resources
2. An appraisal or determination of the effects of a disaster on human, physical, economic, and natural resources
3. A prearranged agreement to render assistance to the parties of the agreement
4. Activities taken to eliminate or reduce the degree of risk to life and property

31. 

Which of the following most accurately describes a business continuity program?

1. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery
2. A program that implements the mission, vision, and strategic goals of the organization
3. A determination of the effects of a disaster on human, physical, economic, and natural resources
4. A standard that allows for rapid recovery during system interruption and data loss

32. 

Which of the following would best describe a cold backup site?

1. A computer facility with electrical power and HVAC, all needed applications installed and configured on the file/print servers, and enough workstations present to begin processing
2. A computer facility with electrical power and HVAC but with no workstations or servers on-site prior to the event and no applications installed
3. A computer facility with no electrical power or HVAC
4. A computer facility available with electrical power and HVAC and some file/print servers, although the applications are not installed or configured, and all the needed workstations may not be on site or ready to begin processing

33. 

Which of the following would best describe a tertiary site?

1. A computer facility with no electrical power
2. A secondary backup site
3. Remote journaling
4. A mobile trailer with portable generators

1. 

Answer: c

Life safety, or protecting the health and safety of everyone in the facility, is the first priority in an emergency or disaster.

2. 

Answer: d

The tactical assessment of information security is a role of information management or technology management, not senior management.

3. 

Answer: b

A plan is not considered functioning and viable until a test has been performed. An untested plan sitting on a shelf is useless and might even have the reverse effect of creating a false sense of security. Although the other answers, especially a, are good reasons to test, b is the primary reason.

4. 

Answer: c

In a table-top exercise, members of the emergency management group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios.

5. 

Answer: a

Warm and cold sites require more work after the event occurs to get them to full operating functionality. A mobile backup site might be useful for specific types of minor outages, but a hot site is still the main choice of backup processing site.

6. 

Answer: b

The business resumption, or business continuity plan, must have total, highly visible senior management support.

7. 

Answer: c

The site might not have the capacity to handle the operations required during a major disruptive event. Mutual aid might be a good system for sharing resources during a small or isolated outage, but a major natural or other type of disaster can create serious resource contention between the two organizations, both of which may be affected simultaneously.

8. 

Answer: d

The organization’s strategic plan is considered a long-term goal.

9. 

Answer: c

The disaster is officially over when all the elements of the business have returned to normal functioning at the original site. It’s important to remember that a threat to continuity exists when processing is being returned to its original site after salvage and cleanup has been done.

10. 

Answer: a

When an emergency occurs that could potentially have an impact outside the facility, the public must be informed, regardless of whether there is any immediate threat to public safety.

11. 

Answer: b

The number one function of all disaster response and recovery is the protection of the safety of people; all other concerns are vital to business continuity but are secondary to personnel safety.

12. 

Answer: a

The three primary goals of a BIA are criticality prioritization, maximum downtime estimation, and identification of critical resource requirements. Answer d is a distracter.

13. 

Answer: b

A business impact analysis (BIA) measures the effect of resource loss and escalating losses over time in order to provide the entity with reliable data upon which to base decisions on hazard mitigation and continuity planning. Answer a is a definition of a disaster/emergency management program. Answer c describes a mutual aid agreement. Answer d is the definition of a recovery program.

14. 

Answer: b

A hot site is commonly used for those extremely time-critical functions that the business must have up and running to continue operating, but the expense of duplicating and maintaining all the hardware, software, and application elements is a serious resource drain to most organizations.

15. 

Answer: b

Monitoring employee morale and guarding against employee burnout during a disaster recovery event is the proper role of human resources.

16. 

Answer: b

17. 

Answer: c

18. 

Answer: b

A financial collapse is considered a technological potential hazard, whereas the other three are human events.

19. 

Answer: d

A checklist is a type of disaster recovery plan test. Electronic vaulting is the batch transfer of backup data to an offsite location. Remote journaling is the parallel processing of transactions to an alternate site. A warm site is a backup processing alternative.

20. 

Answer: c

Answer a is a definition for a threat. Answer b is a description of mitigating factors that reduce the effect of a threat, such as an uninterruptible power supply (UPS), sprinkler systems, or generators. Answer d is a distracter.

21. 

Answer: a

The recovery team performs different functions from the salvage team. The recovery team’s primary mandate is to get critical processing reestablished at an alternate site. The salvage team’s primary mandate is to return the original processing site to normal processing environmental conditions.

22. 

Answer: a

Emergency management plans, business continuity plans, and disaster recovery plans should be regularly reviewed, evaluated, modified, and updated. At a minimum, the plan should be reviewed at an annual audit.

23. 

Answer: a

Isolation of the incident scene should begin as soon as the emergency has been discovered.

24. 

Answer: a

Reoccupying the site of a disaster or emergency should not be undertaken until a full safety inspection has been done, an investigation into the cause of the emergency has been completed, and all damaged property has been salvaged and restored.

25. 

Answer: b

The other three answers are good reasons to test the disaster recovery plan.

26. 

Answer: a

Salvage cannot begin until all physical danger has been removed or mitigated and emergency personnel have returned control of the site to the organization.

27. 

Answer: c

The purpose of the test is to find weaknesses in the plan. Every plan has weaknesses. After the test, all parties should be advised of the results, and the plan should be updated to reflect the new information.

28. 

Answer: d

Authorized, signed checks should be stored securely off-site for access by lower-level managers in the event senior-level or financial management is unable to disburse funds normally.

29. 

Answer: a

The organization has an inherent responsibility to its employees and their families during and after a disaster or other disruptive event. The company must be insured to the extent it can properly compensate its employees and families. Alternatively, employees do not have the right to obtain compensatory damages fraudulently if the organization cannot compensate.

30. 

Answer: c

A mutual aid agreement is used by two or more parties to provide for assistance if one of the parties experiences an emergency. Answer a describes a business continuity plan. Answer b describes a damage assessment, and answer d describes risk mitigation.

31. 

Answer: a

A business continuity program is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance. Answer b describes a disaster/emergency management program. Answer c describes a damage assessment. Answer d is a distracter.

32. 

Answer: b

A computer facility with electrical power and HVAC, with workstations and servers not present (but available to be brought on-site when the event begins) and no applications installed, is a cold site. Answer a is a hot site, and d is a warm site. Answer c is just an empty room.

33. 

Answer: b

A “tertiary site” is a secondary backup site that can be used in case the primary backup site is not available.

1. 

According to the Internet Architecture Board (IAB), an activity that causes which of the following is considered a violation of ethical behavior on the Internet?

1. Wasting resources
2. Appropriating other people’s intellectual output
3. Using a computer to steal
4. Using a computer to bear false witness

2. 

Which of the following best defines social engineering?

1. Illegal copying of software
2. Gathering information from discarded manuals and printouts
3. Using people skills to obtain proprietary information
4. Destruction or alteration of data

3. 

Because the development of new technology usually outpaces the law, law enforcement uses which traditional laws to prosecute computer criminals?

1. Malicious mischief
2. Embezzlement, fraud, and wiretapping
3. Immigration
4. Conspiracy and elimination of competition

4. 

Which of the following is not a category of law under the Common Law System?

1. Criminal law
2. Civil law
3. Administrative/regulatory law
4. Derived law

5. 

A trade secret:

1. Provides the owner with a legally enforceable right to exclude others from practicing the art covered for a specified time period
2. Protects original works of authorship
3. Secures and maintains the confidentiality of proprietary technical or business-related information that is adequately protected from disclosure by the owner
4. Is a word, name, symbol, color, sound, product shape, or device used to identify goods and to distinguish them from those made or sold by others

6. 

Which of the following is not a European Union (EU) principle?

1. Data should be collected in accordance with the law.
2. Transmission of personal information to locations where equivalent personal data protection cannot be ensured is permissible.
3. Data should be used only for the purposes for which it was collected and should be used only for a reasonable period of time.
4. Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.

7. 

The Federal Sentencing Guidelines:

1. Hold senior corporate officers personally liable if their organizations do not comply with the law
2. Prohibit altering, damaging, or destroying information in a federal interest computer
3. Prohibit eavesdropping or the interception of message contents
4. Established a category of sensitive information called Sensitive But Unclassified (SBU)

8. 

What does the prudent-man rule require?

1. Senior officials to post performance bonds for their actions
2. Senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances
3. Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur
4. Senior officials to follow specified government standards

9. 

Information Warfare is:

1. Attacking the information infrastructure of a nation to gain military or economic advantages
2. Developing weapons systems based on artificial intelligence technology
3. Generating and disseminating propaganda material
4. Signal intelligence

10. 

The chain of evidence relates to:

1. Securing laptops to desks during an investigation
2. DNA testing
3. Handling and controlling evidence
4. Making a disk image

11. 

The Kennedy-Kassebaum Act is also known as:

1. RICO
2. OECD
3. HIPAA
4. EU Directive

12. 

Which of the following refers to a U.S. government program that reduces or eliminates emanations from electronic equipment?

1. CLIPPER
2. ECHELON
3. ECHO
4. TEMPEST

13. 

Imprisonment is a possible sentence under:

1. Civil (tort) law
2. Criminal law
3. Both civil and criminal law
4. Neither civil nor criminal law

14. 

Which one of the following conditions must be met if legal electronic monitoring of employees is conducted by an organization?

1. Employees must be unaware of the monitoring activity.
2. All employees must agree with the monitoring policy.
3. Results of the monitoring cannot be used against the employee.
4. The organization must have a policy stating that all employees are regularly notified that monitoring is being conducted.

15. 

Which of the following is a key principle in the evolution of computer crime laws in many countries?

1. All members of the United Nations have agreed to uniformly define and prosecute computer crime.
2. Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime.
3. The definition of property is extended to include electronic information.
4. Unauthorized acquisition of computer-based information without the intent to resell is not a crime.

16. 

The concept of due care states that senior organizational management must ensure that:

1. All risks to an information system are eliminated.
2. Certain requirements must be fulfilled in carrying out their responsibilities to the organization.
3. Other management personnel are delegated the responsibility for information system security.
4. The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches.

17. 

Liability of senior organizational officials relative to the protection of the organization’s information systems is prosecutable under:

1. Criminal law
2. Civil law
3. International law
4. Financial law

18. 

Responsibility for handling computer crimes in the United States is assigned to:

1. The Federal Bureau of Investigation (FBI) and the Secret Service
2. The FBI only
3. The National Security Agency (NSA)
4. The Central Intelligence Agency (CIA)

19. 

In general, computer-based evidence is considered:

1. Conclusive
2. Circumstantial
3. Secondary
4. Hearsay