Domain-1

Security and Risk

Management
 Quiz Question 1
You are working in Philadelphia using a VPN to connect
to a network in Singapore for a China-based company.
Some of the laws differ across these jurisdictions.
According to the ISC2 Code of Ethics, what is the
proper action(s) to take?

A) Avoid conflicts of interest

B) Follow the most restrictive laws
C) China laws take precedence since this is the where
corporate headquarters is located
D) Philadelphia laws take precedence since this is
where you are rendering service.
 Question 1) Answer D

Explanation:
The ISC2 Code of Ethics specifically states “When
resolving differing laws in different jurisdictions, give
preference to the laws of the jurisdiction in which you
render your service”. This is still a very difficult
question as the Code of Ethics also mentions “Avoid
conflicts of interest or the appearance thereof” though d
is a more direct match to this situation. Answer b is a
good answer but it is not addressed in the ISC2 Code of
Ethics.
 Quiz Question 2
Alice is asked by a potential customer if she can provide
service for an intrusion detection system (IDS) to assess the
rule-set currently configured on the system, and make
recommendations for improvement, to comply with a new
regulation pertaining to the customer’s line of business.
Though Alice has an interest in working with intrusion
detection systems she has no hands-on experience. What
ISC2 code of ethics requirement may force Alice to decline
the primary role for such an assignment?
A) Render only those services for which you are fully
competent and qualified
B) Thou shall not make false claims
C) Provide only services in your area of expertise
D) Where compliance is paramount, certification is required
 Question 2) Answer A

Explanation:
Only a is addressed in the ISC2 Code of Ethics
 Quiz Question 3
Alice is aggressively trying to increase personnel to meet
market demands and tries to recruit Bob, a colleague, by
offering 5% ownership to the entire enterprise and agreeing
to put this in writing soon. For expedience, they agree on a
start date before the lawyers approve the contract regarding
the 5% ownership. Nine months pass and Alice fails to
provide the agreement in writing and changes her mind.
According to the ISC2 Code of Ethics, what can be said of
the situation?
A) Alice is at fault for “Conflict of Interest”
B) Bob is at fault for failing “To ensure proper
documentation”
C) Alice is at fault for failure to “Observe all contracts
and agreements, express or implied”
D) There is no violation of the ISC2 Code of Ethics
 Question 3) Answer C
Explanation:
Answer a does not apply here, b is a distracter.
Answer c is a very important issue and a requirement
of a CISSP
 Quiz Question 4
Due to new laws governing the actions taken by
companies when customer-identifiable information is
collected, a senior manager directs internal auditors to
analyze the company’s exposure to the new regulations.
The results of the audit identify a number of potential
violations. What is the most appropriate action to take?
A) Consult outside advice to ensure that the audit is
accurate
B) Conduct a gap analysis to prioritize ways to close
the gaps
C) Review the company’s privacy policy and determine
the necessary changes
D) Take steps to encrypt the sensitive data to protect
the information
 Question 4) Answer B

Explanation:
After an audit reports differences between a current
position and a desired position, gap analysis is
performed to determine the best ways to reconcile
the differences.
 Quiz Question 5

Which of the following is not an example of civil

law?

A) Contract
B) Property
C) Tort
D) Regulatory
 Question 5) Answer D
Explanation:
Regulatory, also known as administrative or business
law, is a separate branch of law and violations can
entail jail time. Contract, property are protected by
both criminal and civil and tort law (harm done to a
person) is a civil law. In civil law the only penalties
are financial. While contracts and property are
relatively easy to quantify it is very challenging in tort
cases as it is a difficult question to place a dollar value
on life. How much is Bob worth? How much should
an insurance company pay him if he loses a finger? Or
his identity?
 Quiz - Question 6

Which of the following is out of place?

A) High, medium, low rankings

B) Subjective intuition
C) Objective opinions
D) Value

12
 Question 6) Answer - C

Explanation:
Opinions are by nature, subjective. Answers a, b & d
are all examples of qualitative reasoning.

13
 Quiz - Question 7
Management requires that all employees with a
company laptop keep their virus signatures up to date
and run a full system scan at least weekly. It is
suggested however that they update signatures every
night if possible. In what document type would such
suggestions likely be made?

A) Policies
B) Procedures
C) Guidelines
D) Standards
14
 Question 7) Answer - C

Explanation:
Guidelines are defined as non-binding suggestions
only.

15
 Quiz - Question 8
Which of the following is the most logical order for
risk management?
A) Asset valuation, threat analysis, control analysis,
mitigation, policy creation, awareness
B) Threat analysis, control recommendation, asset
valuation, mitigation
C) Policy creation, risk mitigation, control
evaluation, training
D) Test, recommend, acquire/create, control,
valuation

16
 Question 8) Answer - A

Explanation:
Of the answers only A does not contain an out of
order step. Answer B places control recommendation
before asset valuation, C places mitigation before
control evaluation, and D is just a distracter

17
 Quiz - Question 9

The scope of ISO/IEC 27002 includes which of the

following?
A) Standards for information security management
systems
B) Mandatory requirements for audit objectives
C) Guidance on development of security standards
D) Policies on controls objectives

18
 Question 9) Answer - C

Explanation:
ISO/IEC 27002 (formerly ISO/IEC 17799) is a non-
binding guideline only. The other answers listed
requirements. As such, it provides:
“a common basis and practical guideline for
developing organizational security standards and
effective security management practices, and to
help build confidence in inter-organizational
activities”*

19
* www.iso.org
 Quiz - Question 10

Which of the following is likely the BEST evidence of

due care with regards to governance oversight?

A) Risk Assessment results

B) IT staff has a robust and effective change
management process
C) The CISO reports to the CIO
D) The steering committee regularly reviews audit
data

20
 Question 10) Answer - D

Explanation:
Only answer D refers to both oversight ("the action of
overseeing something") as well a governance, as the
steering committee is a governance role.

21
 Quiz - Question 11

Intellectual property rights are the primary focus of

which organization?

A) World Trade Organization (WTO)

B) Organization of Economic Cooperative
Development (OECD)
C) International Intellectual Property Organization
(IIPO)
D) World Intellectual Property Organization
(WIPO)

22
 Question 11) Answer - D
Explanation:
“WIPO is the global forum for intellectual property
services, policy, information and cooperation. We are a
self-funding agency of the United Nations, with 189
member states.”

“Our mission is to lead the development of a balanced

and effective international intellectual property (IP)
system that enables innovation and creativity for the
benefit of all. Our mandate, governing bodies and
procedures are set out in the WIPO Convention, which
established WIPO in 1967.”
23
http://www.wipo.int/
 Quiz - Question 12

Which of the following intellectual property laws

provides confidentiality protection?

A) Trademark
B) Trade Secret
C) Copyright
D) Patent

24
 Question 12) Answer - B
Explanation:
Only the trade secret provides confidentiality protection
of these answers.

25
 Quiz - Question 13

Insurance is mostly associated with what risk

treatment approach?It reduces

A) Likelihood
B) Exposures
C) Vulnerabilities
D) Impact

26
 Question 13) Answer - D
Explanation:
Insurance can reduce the financial impact of an
security incident.

27
 Quiz - Question 14

In what stage of a system development life cycle

would be of most use to a subject matter expert to
verify their builds?

A) Design
B) Develop
C) Requirements
D) Testing

28
 Question 14) Answer - A
Explanation:
When an architect develops a design, part of the
design includes a checklist for developers to follow. Be
comparing their work to the checklist, the subject
matter ensures or “verifies” follow the design of the
architect.

29
 Quiz - Question 15

Which of the following best explains cost benefit analysis

with regards to an information security management
system?

A) The value of remediation should not exceed the

cost of assets being protected
B) The cost a safeguard should not exceed the
business value of a protected system
C) The value of a control should not exceed the cost
of an asset
D) The cost of a control should exceed the asset value

30
 Question 15) Answer - B
Explanation:
The cost including Total Cost of Ownership (TCO) of a
control should not exceed the value of an asset. In B I
just used the term “protected system” to stand for an
asset.

31
 Domain 2

Asset Security
 Quiz - Question 1
To address a contract agreement with a new client,
management is required to select stronger encryption
algorithms. What document needs to be modified to
define the specifications for
these new algorithms?

A) Policies
B) Standards
C) Procedures
D) Baselines
33
 Question 1) Answer - B

Explanation:
While it is possible that all of these documents would
have to be modified, specifications are typically
defined in Standards. Policies are more associated
with basic requirements; procedures are step-by-step
instructions and Baselines define the acceptable (and
unacceptable) risk levels.

34
 Quiz - Question 2
Using asymmetric algorithms (public/private or “public
key cryptography”) for session key distribution addresses
two major concerns over purely symmetric systems. One
is scalability the other is the need to protect the initial
key exchange. However, it introduces a new vulnerability.
Which of the following is the weak link?

A) Public keys are easily stolen

B) Anyone with the the owner's public key can now
spoof the private
C) Social engineering allows sharing of public keys
D) Public keys could be spoofed
35
 Question 2) Answer - D
Explanation:
When one shares a public key, it has identity
information associated with the owner of the private
key. Public key requires a trusted 3rd party to
validate that associated is authentic.
There is little to no risk associated the sharing public
keys as, it should be impossible to determine the
value of the private key based on knowledge of the
public.

36
 Quiz - Question 3
An information security manager has reviewed the data
classification scheme of the accounting department's and
feels the current system is inadequate, as it is based
purely on loss of confidentiality, with no regards to
availability. Who should she work with most to
determine the requirements of the new scheme

A) The common control provider

B) The system owner
C) A risk manager
D) Data owner
37
 Question 3) Answer - D

Explanation:
A security manager (CISO) is responsible for creating
and maintaining the information classification scheme,
however it is the the data owner that primarily
responsible to actually determine the different data
protection requirements. It is likely a good idea to
get feedback from many sources of course.

38
 Quiz - Question 4
An information owner has specified a particular file's
security category (SC) as {(confidentiality, low),
(integrity, high), (availability, medium)}. Which of
the following algorithms would be most appropriate
for ensuring the highest requirement?

A) SHA2
B) AES
C) RSA
D) MD5

39
 Question 4) Answer - A

Explanation:
The highest requirement in this case is the Integrity,
high. Hashing algorithms are used to ensure integrity.
Only MD5 and SHA2 are the only hashing algorithms
to choose from and SHA2 is much more secure than
MD5.

40
 Quiz - Question 5
After a policy is developed, which of the following
must be determined first for directing users on how
to handle an information asset?
A) Baselines
B) Standards
C) Procedures
D) Guidelines

41
 Question 5) Answer - B

Explanation:
After a policy specifying the requirements for data
handling is developed, for example the requirement
to encrypt, standards must then be determined, for
example AES. After this baselines, procedures and
guidelines can be addressed.

42
 Quiz - Question 6
Who is ultimately responsible to see that information
assets are properly categorized?

A) Chief Executive Officer / Head of Agency

B) Data Owner
C) System Owner
D) Chief Information Security Officer

43
 Question 6) Answer - A

Explanation:
Ultimately it is the responsibility of the highest in
charge to see that security measures are considered
(due diligence) and taken (due care). While primary
responsibility is the day to day job of the owner.

44
 Quiz - Question 7
Which of the following best explains the use of
asymmetric algorithms?

A) Data encryption and integrity

B) Integrity and authentication
C) SSL & IPSec
D) Signing and key exchange

45
 Question 7) Answer - D
Explanation:
The original use of the first publicly known
asymmetric algorithm (Diffie Hellman or DH) was to
solve the problem of sharing symmetric keys. Later
algorithms (RSA) showed a way to also authenticate
hash values (signing). The most efficient asymmetric
algorithms in use today, appear to be based on
Elliptical Curves. When used for Key Agreement it is
called ECDH for Elliptical Curve Diffie Hellman and
when used for signing it is known as ECDSA for
Elliptical Curve Digital Signature Algorithm.

46
 Quiz - Question 8
Why is MD5 not as popular as it used to be?

A) It is highly vulnerable to Known Plain Text

Attacks
B) It is highly vulnerable to Collisions
C) It is highly vulnerable to Clustering
D) It is highly vulnerable to Chosen Plain Text
Attacks with differential analysis

47
 Question 8) Answer - B
Explanation:
MD5 is a hashing algorithm and used to check
integrity. If two files hash to the same value, it is
called a collision. Collisions should be based only one
the number of bits an algorithm provides for entropy.
For example, if a hash is 8 bits long the chance of
collisions should be 1 in 256. MD5 was cracked! This
means it doesn't provided it's goal of 128 bits of
entropy and should no longer be used. The Flame
virus is one example of an exploit based on the MD5
crack.

48
 Quiz - Question 9
What are the two fundamental ways a Ciphertext
Only attack can reveal a key?

A) Dictionary Attack and Brute Force

B) Brute Force and Avalanche
C) Related Key and Brute Force
D) Side Channel and Brute Force

49
 Question 9) Answer - D
Explanation:
Using a cardboard puzzle as an example, if one had
only the puzzle pieces (no picture of the original
picture) one could still solve the puzzle by either;
trying to match every two pieces (brute force) or be
recognizing a pattern (side channel).

50
 Quiz - Question 10
A Data owner is primarily responsible for valuation of
an asset. What other processes are the primary
responsibility of the data owner?

A) Categorizing and capability assignment

B) Access rights and custodial assignments
C) Administration and classification
D) Compartmentalization and classification

51
 Question 10) Answer - A
Explanation:
A data owner is the primary person to assign values
to data as well as classifying or categorizing and
asset as well as determining user access permissions
(AKA rights, capabilities and/or entitlements).
Please remember no mater how technical an exam,
it is a language test first. I encourage my students to
read as if they were a lawyer going over an SLA!

52
 Domain 3a

Security Engineering
 Quiz - Question 1
A CISO has met with a process owner and performed
a risk assessment, identifying a potential exposure of
PII. Before defining an architecture for stronger
controls, what should the CISO do first?

A) Confirm with IT the use of approved standards

B) Assess existing controls
C) Ask the data owner for more input
D) Have the strategy for the control approved by
users
54
 Question 1) Answer - D
Explanation:
The most important attribute of a control is that it
achieves security objectives with minimal impact to
the users. Only user management understands this
impact.

55
 Quiz - Question 2
Having a process to regularly review vulnerability
databases and initiate patching where appropriate is
most associated with which of the following control
categories?

A) Detective administrative
B) Directive technical
C) Preventive technical
D) Physical deterrent

56
 Question 2) Answer - C
Explanation:
Patches are technical and primarily associated with
fixing a flaw before an exploit is launched.

57
 Quiz - Question 3
The finance department requires that accountants
rotate their roles as a control that falls into which
category?

A) Detective administrative
B) Directive technical
C) Preventive technical
D) Physical deterrent

58
 Question 3) Answer - A
Explanation:
Rotation of duties is an administrative control that
can be used to detect dangerous shortcuts, fraud and
collusion. It is also implemented to provide cross
training.

59
 Quiz - Question 4
A CISO reviews an insurance policy to indemnify an
organization should an accident occur to a machine
due to accidental mistreatment. What situation below
would most likely be the reason the CISO would
decide not to implement the insurance policy?

A) Likelihood of failure is low

B) There is already a backup to ensure continuity
of operations
C) Impact values are below risk metrics
D) The cost of the control exceeds asset value
60
 Question 4) Answer - A
Explanation:
Rotation of duties is an administrative control that
can be used to detect dangerous shortcuts, fraud and
collusion. It is also implemented to provide cross
training.

61
 Quiz - Question 5
A sales manager wants to implement a new application
for their department that is sourced from a cloud
provider as a Software as as Service (SaaS). The
application uses SAML to authenticate remote users. It
is determined that this will require a change on an SSL
proxy. Which of the following is most likely the CISO's
role during the change?

A) Making the change

B) Approving the change
C) Reporting the change
D) Monitoring the change
62
 Question 5) Answer - D
Explanation:
Security is primarily an advisory role, with little
authority to approve any change. Making the change
is primary function of IT. To ensure that IT
implemented the change properly, security should
have the ability to monitor their work.

63
 Quiz - Question 6
Management has decided to accept a given risk due to
a cost benefit analysis. This typically refers to which
type of control?

A) Preventive technical
B) Detective technical
C) Responsive technical
D) Detective physical

64
 Question 6) Answer - A
Explanation:
Risks should be prevented if possible and cost
effective. A cost benefit analysis weighs the cost of
the control against the value of the asset to an
organization. When it is determined that it is more
cost effective to accept the risk, then it is imperative
that controls to detect and respond to the risk are
implemented, i.e. business continuity plans and
procedures.

65
 Quiz - Question 7
To ensure performance as expected, management has
implemented continuous monitoring of a given control.
Which of the following are the most important metrics
to record and review for trending?

A) Key Performance Indicators (KRIs)

B) Key Risk Indicators (KRIs)
C) Key Goal Indicators (KGIs)
D) Key Usage Indicators (KUIs)

66
 Question 7) Answer - B
Explanation:
Controls are typically implemented to reduce or
mitigate risks within an acceptable level. Key Risk
Indicators (KRIs) define thresholds or baselines to
allow administrators to determine when the risks
approach or exceed tolerance levels.

67
 Quiz - Question 8
An organization is in the process of implementing an
intrusion detection system consisting of dozens of
sensors placed at various vulnerability points on their
network infrastructure. What process below is MOST
imperative?
A) Sensors must be placed on DMZ networks
B) Rules need to be updated based on vendor
suggestions
C) The management console should have a trusted
path to the sensors
D) The system must be tailored to the organizations
needs
68
 Question 8) Answer - D
Explanation:
All controls must be configured to meet the
requirements of a particular need. IDS systems come
with default rule sets and must be tailored or tuned
to meet the particular needs of an organization.

69
 Quiz - Question 9
When determining the total cost of ownership of a
control, which of the following is not necessary?

A) Cost to transfer
B) Cost to administer
C) Cost to maintain
D) Cost to operate

70
 Question 9) Answer - A
Explanation:
Controls are not associated with transference.

71
 Quiz - Question 10
Which of the following is the best option when
available and acceptable to the users?

A) Detection
B) Correction
C) Restoration
D) Prevention

72
 Question 10) Answer - D
Explanation:
It is far better an option to prevent a risk than to
respond to it. As the saying goes “An ounce of
prevention is worth a pound of cure”.

73
 Quiz - Question 11
The cost of acquisition or development of a control is
most likely far less than the costs associated with the
cost of administration. In addition, the total cost of
ownership should also include?

A) TCO
B) Impact on performance
C) Purchase price
D) Incentives

74
 Question 11) Answer - B
Explanation:
Total cost of ownership of a control should include
the cost to build or buy, operate and maintain, as
well as impact to the process it protects. For
example, if a system performs slower due to the
control, how much is business financially impacted?
How fewer business transactions can be performed in
a given day?

75
 Domain 3b

Security Engineering
 Quiz - Question 1
A system engineer would like to design a backup system
that allows an operator to perform backups on all
system data without giving the operator file system
rights. What should the engineer consider?

A) The Clark Wilson model

B) A SANS device
C) RBAC
D) Least privilege and need to know. In this case the
operator by nature must have read access only.

77
 Question 1) Answer - A

Explanation:
In the Clark Wilson model, subjects must not
have direct access to objects. In this case the
engineer could give access privileges (to the file
system) to the backup program and the operator
access to the backup program. Outside of the
backup system the operator would have no
rights to the file system. This is how the old
Wang VS system was administered.

78
 Quiz - Question 2

What is the purpose of the *_property in the Bell-

Lapadula model?
A) To prevent an unauthenticated user from
leaking secrets
B) To prevent an unauthenticated user from
accessing sensitive data
C) To prevent an authenticated user from leaking
secrets
D) To prevent an authenticated user from accessing
sensitive data
 Question 2) Answer C

Explanation:
The *_property, “no write down,” is used to prevent
“spillage” of information, i.e. to prevent someone
with high clearance writing data to a lower
classification.
 Quiz Question 3
A remote database user maliciously enters a command
in a user input dialog box, and manages to execute a
command to upgrade his rights in the system. Which
recommended remediation method is least likely to
mitigate this risk?

A) The system should check for input length

B) The system should check for input type
C) The system should block data control language
from remote locations
D) The system should implement a mandatory access
control
 Question 3) Answer D

Explanation:
Mandatory Access Control (MAC) refers to a system’s
functionality policy but not necessarily the assurance
provided. Even in a discretionary model this should
not happen by policy. The other answers are all
good ways to mitigate code injection.
 Quiz Question 4
When determining whether to use a product in your
environment you are asked to consult the product for
certification per the Common Criteria. The category for
this product does not contain a protection profile (PP).
Which of the following is true?
A) An exception report may be created to allow this
product, provided local testing can certify a build of
the system.
B) The system may grandfather an existing rating from
the TCSEC
C) The product can still be rated against the security
target (ST)
D) Review other products to see if there is a viable
alternative
 Question 4) Answer C

Explanation:
All Common Criteria certifications require a vendor
provided security target. While it is desirable to also
rate a system against a vendor neutral protection
profile, it is not required. Xacta IA Manager is an
example
 Quiz Question 5
Which of the following is an example of a reference
monitor?
A) Requiring that the sales role have write
capability to a shared folder
B) Account lockouts after three unsuccessful
attempts
C) Log files
D) Directory attributes that allow for multiple
access methods
 Question 5) Answer A

Explanation:
The reference monitor is the policy of an operating
system, enforced by the security kernel. Answers b,
c & d are examples of policy enforcement
technologies.
 Quiz Question 6
An organization wants to contract with a cloud provider.
The organization would like to maintain control over
guest operating systems so that OS patch management
can be under their control. Which Model would be most
appropriate?

A) Platform as a Service (PaaS)

B) Software as a Service (SaaS)
C) Hardware as a Service (HaaS)
D) Infrastructure as a Service (IaaS)
 Question 6) Answer D

Explanation:
The basic models are SaaS, PaaS & IaaS.
Infrastructure as a Service requires that this customer
maintain all guest operating systems, middleware and
applications.
 Quiz Question 7
A computer stores information in a series of bits, which
can have a value of zero or one, or binary. To represent
a group of four bits, scientists developed hexadecimal.
Eight bits together form a byte. Which series of bits are
represented by the hexadecimal number 0x2A

A) 00101010
B) 00011110
C) 00101100
D) 00011001
Question 7) Answer A Binary Hex Decimal
0000 0 0
0001 1 1
Explanation: 0010 2 2
0011 3 3
0100 4 4
0010 = 2 0101 5 5
0110 6 6
1010 = A (decimal 10)
0111 7 7
1000 8 8
1001 9 9

1010 A 10
1011 B 11
1100 C 12
1101 D 13
1110 E 14
1111 F 15
 Quiz Question 8
Which process below entails a detailed objective review
of a system's features and service assurances, often by
a third party, to ensure compliance to a set of
requirements?

A) Accreditation
B) Assessment
C) Audit
D) Certification
 Question 8) Answer D

Explanation:
Certification means to be “certain” that a subject,
object or system, meets a set of predefined
requirements
 Quiz Question 8
SE Linux provides two models for Mandatory Access
Control. The default is called targeted and is based on
the Clark Wilson model. The other is Multi Level
Security (MLS) with implements the Bell Labadula
model. In MLS mode, which of the following is
prohibited?

A) Processes reading objects on the same level

B) Processes writing to objects on the same level
C) Processes reading objects on lower levels
D) Processes writing to objects on lower levels
 Question 8) Answer D

Explanation:
The BLP model is implemented to provide multilevel
security for confidentiality. This requires simply that
subjects cannot read objects at a higher level (the
Simple Property) as well as prohibiting subjects from
writing to objects at a lower level.
 Quiz Question 9
To be certified under the ISO/IEC 15408 a product
must meet a series of functional and assurance
requirements. A vendor of a given product must
provide a detailed list of the features and assurance
claims so that evaluators can conduct testing in a
document referred to as

A) The Protection Profile

B) The Security Target
C) The TCSEC or “Orange Book”
D) The Target of Evaluation
 Question 9) Answer B

Explanation:
The Security Target is written by a vendor and must
be supplied by the vendor to be considered for
certification.
 Quiz Question 10
A rogue application required administrator privileges
during the installation by an unsuspecting system
owner. It was discovered later that the application
contained a back door, and was attempting to contact
an external IP address. Why would simply removing
the application likely fail to remove the back door?

A) The application modified a user profile

B) The application modified a program DLL
C) The application modified an application EXE
D) The application modified a device driver
 Question 10) Answer D

Explanation:
Of the answers, only a device driver would require
administrative access and allow for the rogue service
regardless of removing the application.
 Quiz Question 11
What types of tests are required for ISO/IEC-15408?

A) Technical and Physical

B) Technical and Functional
C) Storage and Timing
D) Functionality and Assurance
 Question 11) Answer D

Explanation:
ISO/IEC 15408 or Common Criteria, provides 3rd party
certification for information technology security
evaluations. These tests are to ensure a products has
features (functionality) it claims and how well these
features are implemented (assurance).
 Domain 3c

Security Engineering
 Quiz – Question 1
Which of the following statements is incorrect?

A) To ensure the integrity of data create a

message digest
B) To ensure privacy, encrypt the data with a
symmetric key and the symmetric key with the
receiver’s private key
C) To validate the sender, encrypt the message
digest with the sender’s private key
D) To obtain the fastest method to encrypt data
use a symmetric, shared secret key
 Question 1) Answer B

Explanation:
The second part of the sentence should have read
“with the receiver’s public key”

Slide 103
 Quiz – Question 2
What is the most trusted way to ensure only the
intended recipient obtains the key in a purely
symmetric system?

A) Manager hand-delivers the key

B) Encrypt the key with the receiver’s public key
C) Encrypt the key with a passphrase
D) Encrypt the key with the sender’s private key
 Question 2) Answer A

Explanation:
One major challenge in a purely symmetric system is
how to share the secret key. Encrypting the key
with a passphrase is out of place here, since we still
have the fundamental problem of sharing the
passphrase. Answers b and d refer to asymmetric
cryptography.

Slide 105
 Quiz – Question 3
Alice gives a copy of her private key to the
crypto admin, Bob for backup. Which problem
below would most likely affect the accountability
of the system?

A) Bob could sign documents as Alice

B) Bob could read documents destined for Alice
C) Bob could leave the company and her backup
could be unavailable
D) Bob could update the CRL claiming Alice’s key
was lost
 Question 3) Answer A

Explanation:
While Answers a,b & c could be problems, Answer a
is mostly associated with accountability.

Slide 107
 Quiz – Question 4
Alice works in customer service for a large
manufacturing corporation and is responsible for
working with customer’s time sensitive orders. One
of her customers, Bob, sends her a signed and
encrypted email and requests a signed receipt. Bob
receives a signed receipt from Alice and becomes
concerned when she does not follow through with his
order and calls her on the phone a few days later.
Alice claims she did not receive the email. Which of
the following could explain the situation?

A) The email is stuck in her server’s inbound queue

B) Bob’s private key has been compromised
C) The CA has issued a duplicate certificate
D) Alice’s private key has been compromised
 Question 4) Answer D

Explanation:
Alice’s private key would have been used to create
the signature on the receipt that Bob received. If
Alice did not send the receipt, then her private key
must have been compromised

Slide 109
 Quiz – Question 5
Bob connects to an SSL server daily to check his
email over an encrypted channel. His company-issued
laptop is upgraded to meet new client standards. He
receives an error message stating that he is about to
download a certificate that has not been signed by a
trusted 3rd party. What is the most likely cause?

A) The admin forgot to copy his private key to the

new system
B) The new laptop has the wrong network address
C) The public key of the CA is not on his machine
D) His session key needs to be recreated
 Question 5) Answer C

Explanation:
To validate the server certificate, the issuing CA (the
certificate authority) must be trusted by the client.
This is a common problem for companies that use
private certificate authorities.

Slide 111
 Quiz – Question 6
Which of the following best explains the difference
between using certificate revocation lists versus the
online certificate status protocol?

A) CRLs are only updated once a day, where OCSP

updates are real time
B) OCSP uses serial numbers to identify a certificate
C) CLRs require a reboot
D) OCSP is only supported in private PKI certificate
authorities
 Question 6) Answer B

Explanation:
CRLs are entire lists of revoked certificates and
present performance issues. When a client checks an
OCSP server, they only request the state of a
particular certificate by using the serial number to
identify the certificate and can perform much faster.

Slide 113
 Quiz – Question 7
When connecting to an SSL server, Bob notices that
the server presented three different certificates; one
for the server he tried to connect to and two more.
Which of the following is the most likely reason?

A) The web server he was connected to also gave him

the certificate for a SQL server and a DNS server
B) The web server's certificate was issued by a
subordinate CA
C) The web server was compromised and also provided
rogue server certificates
D) There was a mutual trust relationship between Bob's
CA and the web server's CA
 Question 7) Answer B

Explanation:
When an organization uses a subordinate CA, they
must supply the client with both the server's CA and
the subordinate CA's certificate. To ensure that the
client has the most updated root CA's certificate
(which would be used to sign the subordinate CA's
certificate, the server often also provides the most
updated root' CA's certificate as well. For example
this is typically what happens when someone
connects to any Google server.

Slide 115
 Quiz – Question 8
Which of the following best describes the difference
between a Stream Cipher and a Block cipher?

A) Stream ciphers only substitute bits, where block

ciphers substitute and transpose or permutate
B) Stream ciphers are slower than block ciphers
C) Stream ciphers are considered more effective than
block ciphers
D) Stream ciphers encrypt a bit at a time where block
ciphers encrypt along an elliptical curve
 Question 8) Answer A

Explanation:
Stream ciphers, for example RC4, encrypt a bit at a
time, by replacing or substituting the original bit
with the results of an XOR function with the “key
stream”. Block ciphers however, will also change the
positions of a group or “block” of bits, much the
way someone would shuffle a deck of cards and are
considered much stronger. The use of stream ciphers
today is greatly discouraged. Starting in 2014, most
browsers have dropped support for RC4.

Slide 117
 Quiz – Question 9
There are many Boolean functions however the XOR
function has a special feature in that it can be
reversed quite easily, therefore making it attractive to
cryptographers. What be be the cipher text result if
we XOR a plain text value of 0x95 with a key value
of 0xC6?

A) 01010011
B) 00101100
C) 10100010
D) 01101011
 Question 9) Answer A

Explanation:
This question tests the student's ability to do a
Hexadecimal to Binary conversion as well as perform
the XOR function. First we must convert the values
of 0x95 = 10010101 (0x9 = 1001 and 0x5 = 0101)
and 0xC6 = 11000110 (0xC = 1100 and 0x6 = 0110)
Then we can perform the XOR function:
10010101
XOR 11000110
Result 01010011

Slide 119
 Quiz – Question 10
Elliptical Curve Cryptography is far more efficient than
either Diffie Hellman or RSA. For example, it would
require over 15,000 bits in an RSA key to provide the
equivalent entropy to an ECC key of only 512 bits.
Since an asymmetric system provides two basic
purposes, key agreement and hash authentication,
which of the following is the algorithm that is based
on ECC for authenticating hash values?

A) ECDHE
B) ECDH
C) ECHASH
D) ECDSA
 Question 10) Answer D

Explanation:
ECDSA stands for Elliptical Curve Digital Signature
Algorithm. When an asymmetric algorithm
authenticates a hash value, this is known as signing.
ECDH (sometimes called ECDHE, with DH for Diffie
Hellman), is used for session key agreement.

Slide 121
 Domain 3d

Security Engineering
 Question 1
What is the purpose of a strike plate?

A) To prevent damage to a door in a loading dock

B) It is part of a locking mechanism
C) To allow egress traffic in the event of an emergency
evacuation
D) To prevent damage to a door from moving
equipment
 Question 1) Answer B
Explanation:
The strike plate or door catch is part of the
locking system. It is a common weakness in
physical security, as no matter how strong a lock
is, if the strike plate is weak, the door can be
breached
 Question 2
Measuring light output and sensitivity to light is
an important concept for physical security. Lux
ratings refer to lumens per square meter. What
rating refers to lumens per square foot?

A) LPSF
B) Luminescence
C) Joules
D) Foot-Candles
 Answer 2
Answer D
Explanation: a foot-candle is a standard from the
British Standards Institute.
 Question 3
Which of the following is not an advantage to using
security dogs?

A) Olfactory sensitivity
B) Work in a power failure
C) Can cover a large area
D) Will prevent intruders from entering the premises
 Question 3) Answer D
Explanation:
Dogs are primarily used as detective controls not
preventive. Armed intruders can easily injure a dog
 Question 4
Closed circuit television (CCTV) is an important
detective control. Which of the following is most
likely to be a common application for CCTV?

A) To be used after a crime in event correlation

B) To enable guards to extend their vision to
detect suspicious activity before a crime can be
committed
C) To allow police to monitor sensitive areas
D) To allow management to monitor employee
behavior
 Question 4) Answer A
Explanation:
While CCTV can be used to catch events in real
time it is not likely. CCTV controls include:
cameras, monitors, lights, recording devices and
trained guards. After a crime is committed,
authorities can use the recordings to gather
evidence. All the other answers are applications
but a is the common use
 Question 5
What is the primary purpose of emergency lighting?

A) To allow rescue teams to search for distressed

personnel after a power failure
B) Illumination of evacuation routes
C) To assist in CCTV controls during a threatening
situation
D) Lighting is an effective deterrent
 Question 5) Answer B
Explanation:
To prevent loss of life in an emergency including a
power failure, personnel may need to evacuate the
premises. Emergency lights must be available to
assist the people in finding the way out of the
building.
 Question 6
Many organizations use access badges for the
purpose of ingress authentication. What is primary
reason an organization would also implement egress
authentication?

A) To discourage piggybacking and tailgating

B) To provide pass back protection
C) To allow for logical access termination
D) To track contractors and temporary employees
 Question 6) Answer B
Explanation:
If an access badge is used only for ingress
authentication, a subject can then pass the badge to
another subject for reuse. By requiring the original
subject to first badge out before it can be used for
another ingress, this vulnerability is greatly
mitigated.
 Question 7
Without controls to protect electromagnetic signals,
which vulnerability is of most concern to an
information security professional?

A) Information Leakage
B) Electro Mechanical Interference (EMI)
C) Radio Frequency Interference (RFI)
D) Electro Static Discharge (ESD)
 Question 7) Answer A
Explanation:
While all could be a problem, without having
emanation controls (for example TEMPEST) to
contain electro magnetic signals, data can be
reproduced from the emanating signals. Also called
Electro Magnetic Interception.
 Question 8
What is the relationship of focal length to field of
view?

A) They are inversely proportional

B) They are directly proportional
C) They are abstractly proportional
D) They are unrelated
 Question 8) Answer A
Explanation:
They are inversely proportional. For example, a short
focal length creates a wider field of view.
 Question 9
A CISO has been asked to design a physical access
solution to an organizations premise that employs
smart cards. In addition to new readers, what other
component is most required to gain the full benefits
of smart cards versus memory cards?

A) DNS
B) A domain controller
C) An SQL server
D) A certificate authority
 Question 9) Answer D
Explanation:
For a smart card to be used as more than just a
memory card, it must contain a private key for a
subject and a public key of a CA.
 Question 10
An AC power system provides power through an
alternating current. The characteristics of the voltage
current is measured by the amplitude and what
other metric?

A) Height
B) Width
C) Depth
D) Modulus
 Question 10) Answer B
Explanation:
An AC or “Alternating Current” alternates from high
to low amplitudes in a given time frame. For
example, in the USA standard voltages are 110 volts
in peak to peak amplitude and wavelength that
allows for it to alternate 60 times a second. The
frequency of the wave in a given second is also
known as Hertz (Hz)*.

*for the scientist Heinrich Rudolf Hertz who

discovered waves of electricity)
 Domain 4

Communications and
Network Security
 Quiz Question 1
Why is it advisable to prevent packets from leaving
your network where the source address is not from your
network or a private (RFC 1918) address?
A) To prevent your perimeter or edge devices from
being attacked with a denial of service attack.
B) To prevent your internal devices from being
attacked with a denial of service attack.
C) To prevent your systems from being used to attack
others
D) To prevent your systems from a reconnaissance
attack.
144
 Question 1) Answer C
Explanation:
The most likely answer is to prevent your systems
from being used to attack others in a distributed
denial of service attack (DDoS). Many so called
“zombies” are configured to send packets with
spoofed source addresses as in Smurf and Fraggle

145
 Quiz Question 2
Bob is attempting to use the hotel wireless network to
connect to his company’s email server. He is told by
the hotel staff that the SSID is HOTELX (where X
equals his floor number). After gaining connection it is
discovered that his email has been posted to some
hacker website. Which of the following would have
most likely prevented this problem?
A) RADIUS
B) Mutual authentication
C) Two factor authentication
D) Extensible Authentication Protocol
146
 Question 2) Answer B
Explanation:
It is likely that Bob connected to a rogue access point.
Mutual authentication refers to authentication at both
ends of a connection. It is one of the more overlooked
features in authentication.
When a person uses their ATM card and PIN they are
proving who they are to the system. What assurance is
provided to the person the ATM itself is not
counterfeit? Smart Cards implementations allow for
mutual authentication. This is the primary reason that
are preferred over simple memory cards.

147
 Quiz Question 3
In what layer of the OSI model are electrical signals
turned into binary addressing information?
A) Host to host
B) Biba
C) Data-link
D) Physical

148
 Question 3) Answer C
Explanation:
The data-link layer receives electrical signals from the
physical layer and turns these into bits and bytes. A
major component to the data-link layer is the MAC
sub-layer responsible for media access including
determining MAC addresses. Host to host is
associated with the DoD model and Biba is a
distraction.

149
 Quiz Question 4
The firewall administrator notices that an IP address on
the inside appears to be attempting to open ports to an
unknown host in a foreign country. What is the most
appropriate action to take?
A) Block the port until the host can be authenticated
B) Document and analyze the situation
C) Run a virus scan on the machine that is attempting
the connection as it may be infected
D) Interview the user of the machine to determine his
intention.

150
 Question 4) Answer B
Explanation:
When there appears to be a violation of what has
been deemed normal, then a violation analysis is
conducted to determine the cause and potential
impact. While this may be the result of an attack, it
may be just a new service, or perhaps something else.
This may include running a virus scan and
interviewing users

151
 Quiz Question 5

Which VPN method is less likely to work through

NAT?
A) SSL/TLS
B) IPSec AH
C) IPSec ESP
D) PPTP

152
 Question 5) Answer B
Explanation: Authentication Header (AH) checks the
integrity of an IP address and is intrinsically
incompatible with Network Address Translation (NAT).
There are modifications that allow for AH to
function through NAT but are not very widespread.
Due to many of the configuration challenges with
IPSec, many organizations have migrated to SSL based
VPNs. These are by comparison much easier to
administer.

153
 Quiz Question 6
With regards to an intrusion detection system, what is
meant by an insertion attack?

A) Enabling attackers to insert themselves into a

system without detection
B) Injecting false data to mislead an IDS
C) Adding additional rules to misclassify an attack
D) Code injection attacks

154
 Question 6) Answer B
Explanation:
If an attacker knows the rules of an IDS, they may be
able to mislead the IDS by injecting false data making
an attack sneak through because it did not exactly
match the rules for a given attack. Similar to this is
sending in an attack that contains signatures for both
a low risk and high risk attack to direct the IDS to
misclassify an attack

155
 Quiz Question 7
Which of the following attacks does not take
advantage of systems that do not check for
unsolicited replies?

A) ARP poisoning
B) DNS cache poisoning
C) OS Fingerprinting
D) Fragmenting

156
 Question 7) Answer D
Explanation:
This question is designed to train the tester to read
tricky questions with double negatives. The question
could have read, “Three of these attacks function by
sending replies for to systems that did not ask for
information. For example, sending an ARP reply to a
system that did not send an ARP request. The victim
receives the ARP reply and places the bogus MAC
address in it's ARP cache for a period of time.

157
 Quiz Question 8
Voice Over IP or VOIP, uses two protocols; the
Session Initiation Protocol (SIP) to initiate and
maintain the session and one to carry the voice
traffic. Which protocol listed below performs this
second function?
A) Transport Layer Security
B) Point to Point Tunneling Protocol
C) Voice Telephony Protocol
D) Real-time Transport Protocol

158
 Question 8) Answer D
Explanation:
One vulnerability in today's implementations of VOIP
is that the voice traffic is not encrypted. This
eliminates A&B. C is a made up answer, and not a
real protocol that I know of. RTP or Real-time
Transport Protocol is the name given to the protocol
that transfers the data in VOIP.

159
 Quiz Question 9
A remote system appears to be continuously
attempting to establish a connection with an internal
host, but never completes the session establishment
phase. After an initial analysis, it also appears the
source IP is a series of spoofed host addresses. What
attack might this system most likely be attempting?
A) Reconnaissance
B) Denial of Service
C) Tunneling
D) IDS evasion

160
 Question 9) Answer B
Explanation:
This is the basic description of a SYN flood.

161
 Quiz Question 10
One of the many weaknesses of WEP is that the key
used to authenticate to the access point is also used
to encrypt data. WPA2 fixes this problem by using
separate keys for these functions. To derive the
encryption key, a function is run using a number of
inputs including?
A) Pairwise Master Key
B) Digital Signing Key
C) A Diffie Hellman agreement
D) Elliptical Curves

162
 Question 10) Answer A
Explanation:
The formula to create the data encryption key or
Pairwise Transient Key (PTK) includes the access
point's MAC, the station's MAC, a NONCE from each
partner and a value known as the Pairwise Master
Key. If using personal mode of WPA2, this is the
phassphrase used to authenticate. When someone
“cracks” WPA2, it is typically through a dictionary
attack against the PMK. This is not a problem in
Enterprise Mode.

163
 Domain 5

Identity & Access

Management
164
 Question 1
Bob enrolls with a fingerprint reader and is able to
authenticate for a number of weeks using the system.
One day, Bob cuts his finger and finds he can no
longer authenticate and receives a “Type 1” error.
What is most likely the problem?

A) The system does not examine enough information to

assess that it is Bob
B) Fingerprint readers are not very good at handling
type 1 errors by nature since these are very dynamic
metrics
C) Fingerprint readers are not very good at handling
type 1 errors by nature since they have high cross-
over error rates
D) The system examines too much information and
needs to be configured to be less sensitive
 Question 1) Answer D

Explanation:
A biometric system cannot examine all the detail in
an object or they are prone to false rejects (type 1
errors). If they however do not examine enough
information about an object they are prone to false
accepts (type 2 errors). Fingerprints are fairly static
metrics and some systems are very accurate.
 Question 2
If a complex password, stored in a system that uses
the full entropy of the Extended ASCII key set (8 bits
per character), can be cracked in one week, what is
the maximum time it would it take to crack it if one
more character is added?

A) 256 weeks
B) 2 weeks
C) 1 week and 1 day
D) 10.5 days
 Question 2) Answer A
Explanation:
By adding one character or 8 bits the measure of
entropy is raised by 28
 Question 3
A small number of sales people share an office with
marketing. Rather than purchase a separate printer,
management has requested that the sales people use
the marketing printer. Which of the following is
the most appropriate way to grant authorization for
these users?

A) Add the sales people names to the printer ACL

B) Add the sales people names to the marketing
group
C) Create a new group for these users and add
the group to the printer’s ACL
D) Advise against it as it is a possible conflict of
interest
 Question 3) Answer C
Explanation:
Adding each user to the group, makes explicit access
control difficult to manage. Adding the sales people
names to the marketing group may grant more
privileges to some resources. Marketing and sales
typically are not mutually exclusive groups.
 Question 4
To validate a claimed identity, which of the following
best describes authentication tokens

A) Time-based access control

B) Sensitivity labels
C) Access control lists
D) Credentials
 Question 4) Answer D
Explanation:
Tokens are typically something a user has.
Credentials give credit to a claim. The other answers
are methods.
 Question 5
In organizations where it is considered unacceptable
risk to allow a user to make entitlement changes
which access control model would be most
appropriate?

A) Dynamic MIC
B) Mandatory Access Control
C) RBAC
D) Two factor authentication
 Question 5) Answer B
Explanation:
Mandatory Access Control or MAC models only allow
for security admins to modify the objects label. This
is contrary to DAC models that allow the “owner” to
modify an ACL. The other answers are distractions.

Note: In the SELinux implementations of MAC (both

Targeted and Multilevel), DAC rules still exist and are
checked first! So if a subject is denied access in a
DAC ACL, the MAC Label is not checked. If however,
the DAC rules permit access, then the system will
also compare the subject's Label to the object's Label
before granting access.
 Question 6
To protect the central store of passwords, most systems
have adopted the best practice of not actually storing a
password, only hash values of the password. However,
if hash is based on only the password value, which of
the following is a serious concern?

A) An attacker could pre-compute hash values

B) An attacker could inject collisions
C) An attacker could reverse the hash value
D) An attacker could spoof the hash value
 Question 6) Answer A
Explanation:
If a system only hashes the value of a password,
then an attacker could could use a database of all
the possible hashes given a password length, known
as Rainbow Tables. To defend against such attacks, it
is considered best practice to add another value or
“Salt” the password. There was a famous
compromise of LinkIn where their database of
password hashes were not salted and exposed a lot
users.
 Question 7
A CISO is asked to assist a process owner review the
services provided by a cloud provider for a given
application using the SaaS model. The process owner
doesn't want their users to have to maintain a
separate set of credentials to gain access to the
provider network. Which technology below would
most likely assist the CISO if supported?

A) Kerberos
B) RADIUS
C) TACACS+
D) SAML
 Question 7) Answer D
Explanation:
The Security Assertion Markup Language (SAML)
allows a service provider to utilize an existing X.500
based directory service for authentication. This has
become very popular with cloud providers serving
Software as a Service (SaaS).
 Question 8
The most basic way to authenticate is Type 1 or
“Something a user knows”. However stronger
methods have been developed that can be based on
what the user has or even through a biometric.
Which protocol below allows the use of other
credential types?

A) Two factor authentication

B) PAP
C) CHAP
D) EAP
 Question 8) Answer D
Explanation:
The first standardized authentication protocol was the
Password Authentication Protocol (PAP). PAP sends
credentials (passwords) in clear text and should be
avoided. To protect the password from interception
and replay attacks, CHAP (RFC-1994) was developed.
However, CHAP is still for passwords only. To enable
the use of other technologies (passphrases, tokens,
biometrics, etc) standard Extensible Authentication
Protocol (EAP) was developed. While originally only
supported on PPP networks, EAP is now supported on
LANs as EAPoL (EAP over LAN) also known as 802.1x
 Question 9
Granting access to an object can be based on identity
of a subject, however this can present process
challenges for both administration and server CPU
usage. Which of the following allows for implicit
access control, by grouping subjects together with
similar needs?

A) MAC
B) RBAC
C) Rule Based
D) Someone You're With (Type 6)
 Question 9) Answer B
Explanation:
Role Based Access Control solves many problems
associated with granting access capabilities (rights,
privileges, permissions, etc).
 Question 10
Kerberos provides which of the following services?

A) Confidentiality, Integrity & Authenticity

B) Confidentiality, Authenticity & Non-Repudiation
C) Authenticity, Accessibility & Authenticity
D) Confidentiality, Integrity & Availability
 Question 10 Answer A
Explanation:
Kerberos is an authentication service that also allows
for session data to be encrypted and check for
integrity. No service by itself can guarantee availability
(or accessibility)
 Domain 6

Security Assessment
& Testing
 Quiz - Question 1
What is the term most associated with the assessment of
a control to ensure it meets the desired requirements
and operates as intended, before it is approved by
management for production operation by the user
community.

A) Accreditation
B) Certification
C) Authorization
D) Compartmentalization

186
 Question 1) Answer - B
Explanation:
Before management approves (accredits or authorizes)
a system for operations, it must be first assessed by
a technical representative to ensure it meets
requirements without introducing unacceptable risk.
This process is best known as certification as in to
“be certain”.

187
 Quiz - Question 2
Which of the following best describes the difference
between testing and exercising?

A) Testing people is a learning process for classroom

training and exercising is ongoing in operations
B) Testing is before operations and exercising is in
operations
C) Testing goes against a set of metrics and
exercising is qualitative
D) Testing is a technical review and exercising is for
training
188
 Question 2) Answer - D
Explanation:
A test is typically used to determine if a system,
plan, procedure, etc actually works and exercising is
having people go through the plan, procedure, etc to
ensure the people know how to perform the steps.

189
 Quiz - Question 3
After a change to strengthen an existing control to meet
new industry guidelines has been certified and
accredited (authorized) it is implemented. Immediately,
users start complaining of slow performance. Which of
the following should a security manager do first?

A) Bring the issue up to senior management for

guidance
B) Inform the users that the change must stay to be
in line with the industry guidelines
C) Initiate a rollback if possible
D) Review the issue with the data owner
190
 Question 3) Answer - D
Explanation:
Before doing anything, it is best to think first. Senior
management likely would not fully understand the
impact as much as the data owner

191
 Quiz - Question 4
A new exploit, taking advantage of an operating system
flaw, is currently spreading rapidly on the internet
through a variety of vectors including email and social
networking sites. The operating system vendor has
released a patch that appears to fix the vulnerability.
After confirming that critical systems in an organization
depend on the effected operating systems and a CISO
and system owner agree to maintenance to apply the
patch immediately. Which process below can be
skipped?
A) Testing
B) Scheduling
C) Documenting
192
D) Authorization
 Question 4) Answer - B
Explanation:
When an emergency change is required, it often skips
normal scheduling processes. While it may
retroactively happen after the emergency, the change
still needs to be tested, approved and documented.

193
 Quiz - Question 5
A penetration test is authorized and currently underway.
A tester sends a TCP SYN on port 80 to a system and
receives a SYN/ACK. Which of the following is most
likely to assume?

A) The system is listening on port 443 as well

B) The system is a WEB server
C) The system is proxy WEB
D) The system is a live host

194
 Question 5) Answer - D
Explanation:
Port 80 is associated with Web traffic but without
further investigation, for example eliciting HTML
responses, the best that can be said of the system is
that it is a live host and listening on port 80.

195
 Quiz - Question 6
Which of the following is most important to include in
a Rules of Engagement document before starting a
penetration test?

A) The names of the personnel conducting the test

B) Vendor products involved
C) Network diagrams
D) IP addresses of the testing systems

196
 Question 6) Answer - D
Explanation:
Depending on the size and publicity of an
organization, they may be the subject of multiple
attacks by entities from around the world. If a
penetration test is being conducted at the same time
an actual attack successfully penetrates a network, it
is imperative to have the IP addresses of the testing
machines, to be able to properly respond.

197
 Quiz - Question 7
Which of the following about penetration testing is most
true? Penetration tests...

A) Can assure management security is effective

B) Can identify best practices
C) Can guarantee requirements are being met
D) Can be used to test controls

198
 Question 7) Answer - D
Explanation:
A penetration test cannot prove good security, but it
can identify deficiencies in controls. For example,
how would you know your IDS works at all, if you
don't try some attacks?

199
 Quiz - Question 8
Vulnerability scanning tools are used to primarily
identify what types of vulnerabilities?

A) Administrative, Technical & Operational

B) Management, Technical & Physical
C) Configuration and patch level
D) Configuration & Operation

200
 Question 8) Answer - C
Explanation:
Vulnerability scanning tools, for example NESSUS,
are primarily used to identify missing patches and
weak configurations.

201
 Quiz - Question 9
Several vulnerabilities are discovered on a production
server. Which of the following should occur first?

A) Initiate a change request to patch and/or

reconfigure the system to mitigate the vulnerabilities
B) Perform and impact assessment
C) Meet with the steering committee to determine the
best time to make the change with minimal impact
to users
D) Work with the data owner to initiate the required
changes
202
 Question 9) Answer - B
Explanation:
Vulnerabilities do not mean there is a risk. Before
making initiating any changes, an impact analysis
should be performed to determine if the
vulnerabilities present a significant threat to the
organization.

203
 Quiz - Question 10
Which of the following is the most likely reason a
tester would attempt to send data over internet control
message protocol?

A) To test a the capabilities of a circuit level proxy

B) To determine the resiliency of a stateful firewall
C) To examine the results of an IPS
D) To assess the features of an IDS

204
 Question 10) Answer - D
Explanation:
ICMP is typically used to relay network status
messages. However, since an ICMP packet can
contain data, attackers have exploited this feature to
use ICMP as a covert channel. OF the answers
provided, it would be likely that a tester would
attempt such an exploit to see of an IDS would
detect such an attack.

205
 Domain 7

Security Operations
 Quiz Question 1

Question 1
What RAID level is primarily associated with fastest
writes but not necessarily reads?

A) 0
B) 1
C) 3
D) 5

207
 Question 1) Answer A
Explanation:
RAID level 0 should probably be called AID as there is
no redundancy. The benefit of this system is very fast
writes as data are written (striped) across many drives.
Reads may be more complicated as all drives must be
positioned to the proper place. RAID 1 is mirroring,
where all data are redundantly written to two drives.
This may make for slower writes as the data must be
written twice and may be faster on reads because in
some systems the drive that is closer to the data can
read the data. RAID 3 and 5 stripe as does level 0 but
requires extra time to write the recovery data.
208
 Quiz Question 2

Which of the following control is more likely to

provide confidentiality protection?

A) Rotation of Duties
B) Segregation of Duties
C) Dual Control
D) Quality assurance

209
 Question 2) Answer B

Explanation:
By segregating (or separating) the duties required to
perform a function, no one person is required to have
all knowledge. The other answers, while good
controls, do not address confidentiality.

210
 Quiz Question 3
Bob is hired to perform a penetration test for Griffin
Space Tech, a leading space exploration company.
Alice is nearly killed when her navigation system is
interrupted by what turned out to be a test on a
system that was not supposed to be part of the test.
What document, if defined and understood, most likely
may have prevented such a problem?

A) Rules of engagement
B) Concept of operations
C) Statement of work
D) Exception reports 211
 Question 3) Answer A

Explanation:
One very important administrative control when
planning a penetration test is the creation of a “Rules
of Engagement” document, which addresses what
systems are to be tested, and the accepted testing
techniques. Performing a test entails risk and care
must be taken to ensure the least amount of
disruption.

212
 Quiz Question 4
A critical server is scheduled to have a service pack
installed. Departmental management requests that the
change is tested on a spare server first before being
applied to the production server. To ensure that the
spare server is configured exactly as the production
server, operations plan to make an unscheduled backup
of the production server. Which backup method is most
appropriate?
A) Full
B) Incremental
C) Differential
D) Copy
213
 Question 4) Answer D

Explanation:
Only the full and the copy are likely to backup all the
data on the server. Since a full backup modifies the
archive bit, it is not appropriate in this situation as it
would affect the normal backup schedule

214
 Quiz Question 5
A user in your organization habitually surfs
inappropriate websites. You are responsible for desktop
support and notice these sites in the history log. What
is the best way to ensure the company is not held
accountable by other user’s complaints about this user?

A) Block access to these sites with an approved filter

B) Nothing as you are not in security
C) Inform law enforcement
D) Report your findings to management

215
 Question 5) Answer D

Explanation:
The decision to take disciplinary action is a
management responsibility.

216
 Question 6
Bob is charged with creating disaster recovery plans
for his group. He is very concerned that paper-based
tests are not realistic enough but is very concerned
with risking downtime of production systems. What
test type is most appropriate in this situation?

A) Structured walk through

B) Warm
C) Simulation
D) Full Interruption
 Question 6) Answer C
Explanation:
In a simulation test, the system may be tested on
“test” hardware and software. This is likely to be
more accurate than either the checklist or structured
walkthrough, which are paper-based only. In the
parallel test some subset of production systems are
indeed involved and run at the alternate site. Warm
test is a distracter
 Question 7
A company provides outsourced help desk service to
a number of clients worldwide. Currently they are
equipped to handle over a thousand calls a day, with
an average call length of 10 minutes. If they need to
move to an alternate facility in the event of some
disaster or disruption, management wants to be able
to provide at least 80 percent of the current capacity.
What metric would need to be determined in the
Business Impact Analysis (BIA)?

A) Recovery time objectives

B) Service level objectives
C) Maximum tolerable downtime
D) Recovery point objectives
 Question 7) Answer B
Explanation:
In a disaster it may be cost prohibitive to attempt
recovery to full capacity, so service level objectives
are set to determine the required service levels to
protect the business. Answers a and c are the
same thing and refer to the time needed to bring a
service or department up and running. Answer d
refers to the data point required to recover and is
mostly associated with data backup schedules and
methods.
 Question 8
The senior network administrator responsible for
managing perimeter security devices is named in the
disaster recovery plan as the primary person to
perform recovery of the firewall at an alternate site
in an event requiring relocation. However, this
administrator may be affected by the disaster and
may no longer be available for this role. What plan
should be used to prepare for such situations

A) Business impact analysis

B) Succession
C) Personnel migration
D) Restructuring
 Question 8) Answer B
Explanation:
Succession plans are maintained to prepare for events
where a person named in the BCP may be affected by
the event and cannot perform their duties. It is
imperative that there are clear lines of authority and
this becomes very challenging in a disaster scenario.
 Question 9
Critical systems are migrated to a hot site after a
disaster. The backup operator from the recovery team
receives a call from a user complaining that the data
that have been restored for their system are too old to
be of any use. The operator checks the tape that was
used for the restore and confirms it was indeed the most
recent backup and that the tape was created only the
night before. What is the most likely cause of the
problem?

A) The user is looking at a cached copy

B) The data was restored to the wrong directory
C) There is a network latency issue
D) Recovery point objectives are very short
 Question 9) Answer D
Explanation:
Recovery Point Objectives (RPOs) relate to the data
that must be recovered and the desired age of the
data. If the RPO is less then 24 hours, the nightly
backups are not frequent enough and perhaps
remote journaling, electronic vaulting or restoring
from a shadow file should be considered.
 Question 10
Why might an organization fail after a disaster even if
recovery was performed in the proper time frames with
all identified operation requirements?

A) Recovery was compromised due to a failed BIA

B) Supply chain management failed to identify necessary
resources
C) Reconstitution was mismanaged
D) Insufficient senior management support
 Question 10) Answer C
Explanation:
Just as one cannot continue to drive using a spare
tire that does not provide the same service levels as
a normal tire, an organization cannot stay in
recovery mode. The disaster is not over until the
operations return to normal service levels. The other
answers referred to Recovery. The questions was in
regards to Reconstitution.
 Domain 8

Software Development
Security
 Quiz Question 1
At what phase of the system development life
cycle are the customer-specific requirements
determined?

A) Analysis
B) System design
C) Validations
D) Initiation

228
 Question 1) Answer A

Explanation:
Requirements (both functional and assurance)
Analysis is where the customer- specific needs
are determined, a very detailed “what the
system must do.” System design is more
associated with how the specifications are
determined; project initiation is not very
detailed. Validations is during testing and
represents that it meets requirements.

229
 Quiz Question 2
Which statement is true?

A) In a relational database parents can have only

one child
B) In a relational database a child can have only
one parent
C) In a hierarchical database a parent can have
only one child
D) In a hierarchical database a child can have
only one parent

230
 Question 2) Answer D

Explanation:
One of the benefits of the relational database
over the hierarchical database is that a number
of different relations can be defined including
overcoming the limitation of hierarchical
databases that allow for a child to have only
one parent.

231
 Quiz Question 3
A change is planned to an application to address a
specific problem. After the change however it appears
that other modules that should not have been affected
appear to be broken. What is the likely cause?

A) The changed module had low cohesion

B) The changed module had high cohesion
C) The changed module was tightly coupled
D) The changed module was loosely coupled

232
 Question 3) Answer A

Explanation:
A module is cohesive when it performs only a
single precise task. Coupling refers to the measure
of interaction. Both can have a significant affect
on change management. It is usually desirable to
have high cohesion and loose coupling.

233
 Quiz Question 4
A user complains that his phone number in the
employee database is not accurate. Each time the user
makes a change to the number it seems to take but then
reverts back to the old number by the end of the day.
Which of the following is the most likely cause?

A) The user does not have modification rights

B) The schema does not allow changes from the
user’s machine
C) Someone in personnel has put a lock on the cell
D) Replication integrity is inaccurate due to
mismatched times
234
 Question 4) Answer D
Explanation:
In a distributed environment, invalid time
synchronization can cause a server to overwrite
newer data. If the change took hold for a while, it
is unlikely to be a rights issue and c is not likely.

235
 Quiz Question 5
A person in Applications Development writes a new module
for a production customer tracking system. This module may
increase productivity significantly for the organization, leading
to substantial savings over time. Another person in
Development has tested the module and has found no
problem with the code. Which of the following is NOT
recommended?
A) The new code should be implemented as soon as Quality
Assurance personnel certify the module
B) The module should go to Operations for implementation
C) An accrediting official should wait for the results of
certification
D) All changes must be logged in the configuration
management database (CMDB) 236
 Question 5) Answer A
Explanation:
Before making this significant change, the module
should be technically tested (certification) and
administratively approved (accreditation)

237
 Quiz Question 6
A system is patched to remediate an operating system
flaw. If fully patched and no known OS vulnerabilities
are known to a malware author, what other way, would
most likely be sued to allow malicious code inter the
kernel, assuming the configuration is considered strong?

A) Through a network service service worm

B) Through a virus
C) Through a device driver
D) Through a trojan horse

238
 Question 6) Answer D
Explanation:
If an operating system is fully patched and configured
well, the most likely way to get past the security
provided by the system is to trick a user into trusting
software that contains malicious code. This is how a
trojan basically works, by trick a user into accepting
something that has a payload that will cause damage,
for example a smart watch with a device driver that
installs a key logger.

239
 Quiz Question 7
An organization's software development department has
demonstrated a consistent ability to effectively repeat
their processes and documented them in a shared area.
What would likely follow to further the processes level of
growth?

A) The processes should be made more efficient

B) The processes should be measured
C) The processes should be counted
D) The processes should be defined

240
 Question 7) Answer B
Explanation:
This question is about CMMI. I tried my best to not
use CMMI or the word “maturity” in either the
question or the answers. Recall:
0) Incomplete
1) Ad-hoc
2) Repeatable
3) Defined/Documented
4) Measured/Managed
5) Optimized
241
 Quiz Question 8
Which of the following ways to check for input
validation problems should be performed first?

A) Fuzzing to see how the input buffers respond to

various input types and lengths
B) Vulnerability Scanning to check for both missing
patches and weak configurations
C) Reviewing documented configuration baselines
D) Code reviews before compilation of the source

242
 Question 8) Answer D
Explanation:
Source code reviews should be down before the code is
compiled. All the other answers refer to post
compilation.

243
 Quiz Question 9
After completing the logical design of a newly planned
application, including algorithms and key lengths, what
process would most likely follow?

A) Users test the performance and features of the

system
B) Management is supplied with a list of budget
requests
C) Process owners define the key objectives of the
system
D) Subject matter experts proceed
244
 Question 9) Answer D
Explanation:
In the system development life cycle, after the system
is designed, subject matters build according to design.

245
 Quiz Question 10
If a database isn't properly developed and configured to
check input variables, which of the following is the most
likely attack vectors?

A) SQL_Injection
B) Stack Based Buffer Overflow
C) Heap Based Buffer Overflow
D) Cross Site Scripting

246
 Question 10) Answer A
Explanation:
While all could possibly happen, databases input
vulnerabilities are mostly associated with SQL_injection

247