Quix16 - 125Q

James is building a disaster recovery plan for his organization and
would like to determine the amount of acceptable data loss after an
outage. What variable is James determining?

Fred needs to deploy a network device that can connect his network to
other networks while controlling traffic on his network. What type of
device is Fred’s best choice?

Alex is preparing to solicit bids for a penetration test of his company’s
network and systems. He wants to maximize the effectiveness of the
testing rather than the realism of the test. What type of penetration
test should he require in his bidding process?

Which one of the following is not a key process area for the
Repeatable phase of the Software Capability Maturity Model (SWCMM)?

Application banner information is typically recorded during what
penetration testing phase?

What is the default subnet mask for a Class B network?

Jim has been asked to individually identify devices that users are
bringing to work as part of a new BYOD policy. The devices will not be
joined to a central management system like Active Directory, but he
still needs to uniquely identify the systems. Which of the following
options will provide Jim with the best means of reliably identifying
each unique device?

David works in an organization that uses a formal data governance
program. He is consulting with an employee working on a project that
created an entirely new class of data and wants to work with the
appropriate individual to assign a classification level to that
information. Who is responsible for the assignment of information to
a classification level?

What type of inbound packet is characteristic of a ping flood attack?

Gabe is concerned about the security of passwords used as a
cornerstone of his organization’s information security program. Which
one of the following controls would provide the greatest improvement
in Gabe’s ability to authenticate users?

The separation of network infrastructure from the control layer,
combined with the ability to centrally program a network design in a
vendor-neutral, standards-based implementation, is an example of
what important concept?

Susan is preparing to decommission her organization’s archival DVDROMs
that contain Top Secret data. How should she ensure that the
data cannot be exposed?

What is the final stage of the Software Capability Maturity Model (SWCMM)?

Angie is configuring egress monitoring on her network to provide
added security. Which one of the following packet types should Angie
allow to leave the network headed for the Internet?

Matt is conducting a penetration test against a Linux server and
successfully gained access to an administrative account. He would now
like to obtain the password hashes for use in a brute-force attack.
Where is he likely to find the hashes, assuming the system is
configured to modern security standards?

Theresa is implementing a new access control system and wants to
ensure that developers do not have the ability to move code from
development systems into the production environment. What
information security principle is she most directly enforcing?

Which one of the following tools may be used to achieve the goal of
nonrepudiation?

What RADIUS alternative is commonly used for Cisco network gear
and supports two-factor authentication?

What two types of attacks are VoIP call managers and VoIP phones
most likely to be susceptible to?

Vivian works for a chain of retail stores and would like to use a
software product that restricts the software used on point-of-sale
terminals to those packages on a preapproved list. What approach
should Vivian use?

Hunter is the facilities manager for DataTech, a large data center
management firm. He is evaluating the installation of a flood
prevention system at one of DataTech’s facilities. The facility and
contents are valued at $100 million. Installing the new flood
prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the
facility lies within a 200-year flood plain and that, if a flood
occurred, it would likely cause $20 million in damage to the
facility.

Based on the information in this scenario, what is the exposure factor
for the effect of a flood on DataTech’s data center?

Hunter is the facilities manager for DataTech, a large data center
management firm. He is evaluating the installation of a flood
prevention system at one of DataTech’s facilities. The facility and
contents are valued at $100 million. Installing the new flood
prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the
facility lies within a 200-year flood plain and that, if a flood
occurred, it would likely cause $20 million in damage to the
facility.

Based on the information in this scenario, what is the annualized rate
of occurrence for a flood at DataTech’s data center?

Hunter is the facilities manager for DataTech, a large data center
management firm. He is evaluating the installation of a flood
prevention system at one of DataTech’s facilities. The facility and
contents are valued at $100 million. Installing the new flood
prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the
facility lies within a 200-year flood plain and that, if a flood
occurred, it would likely cause $20 million in damage to the
facility.

Based on the information in this scenario, what is the annualized loss
expectancy for a flood at DataTech’s data center?

Which accounts are typically assessed during an account management
assessment?

Which one of the following tools might an attacker use to best identify
vulnerabilities in a targeted system?

What type of error occurs when a valid subject using a biometric
authenticator is not authenticated?

What three types of interfaces are typically tested during software
testing?

George is assisting a prosecutor with a case against a hacker who
attempted to break into the computer systems at George’s company.
He provides system logs to the prosecutor for use as evidence, but the
prosecutor insists that George testify in court about how he gathered
the logs. What rule of evidence requires George’s testimony?

Which of the following is not a valid use for key risk indicators?

Which one of the following malware types uses built-in propagation
mechanisms that exploit system vulnerabilities to spread?

Don’s company is considering the use of an object-based storage
system where data is placed in a vendor-managed storage
environment through the use of API calls. What type of cloud
computing service is in use?

In what model of cloud computing do two or more organizations
collaborate to build a shared cloud computing environment that is for
their own use?

Which one of the following is not a principle of the Agile approach to
software development?

Harry is concerned that accountants within his organization will use
data diddling attacks to cover up fraudulent activity in accounts that
they normally access. Which one of the following controls would best
defend against this type of attack?

What class of fire extinguisher is capable of fighting electrical fires?

What important factor differentiates Frame Relay from X.25?

Metrics like the attack vector, complexity, exploit maturity, and
how much user interaction is required are all found in what scoring
system?

What two logical network topologies can be physically implemented as
a star topology?

Bell-LaPadula is an example of what type of access control model?

Martha is the information security officer for a small college and is
responsible for safeguarding the privacy of student records. What law
most directly applies to her situation?

What US law mandates the protection of protected health
information?

Which one of the following techniques can an attacker use to exploit a
TOC/TOU vulnerability?

Susan is configuring her network devices to use syslog. What should
she set to ensure that she is notified about issues but does not receive
normal operational issue messages?

What RAID level is also known as disk mirroring?

What type of firewall uses multiple proxy servers that filter traffic
based on analysis of the protocols used for each service?

Surveys, interviews, and audits are all examples of ways to measure
what important part of an organization’s security posture?

Tom is the general counsel for an Internet service provider, and he
recently received notice of a lawsuit against the firm because of
copyrighted content illegally transmitted over the provider’s circuits
by a customer. What law protects Tom’s company in this case?

A Type 2 authentication factor that generates dynamic passwords
based on a time- or algorithm-based system is what type of
authenticator?

Fred’s new employer has hired him for a position with access to their
trade secrets and confidential internal data. What legal tool should
they use to help protect their data if he chooses to leave to work at a
competitor?

Which one of the following computing models allows the execution of
multiple processes on a single processor by having the operating
system switch between them without requiring modification to the
applications?

How many possible keys exist when using a cryptographic algorithm
that has an 8-bit binary encryption key?

What activity is being performed when you apply security controls
based on the specific needs of the IT system that they will be applied
to?

During what phase of the electronic discovery process does an
organization perform a rough cut of the information gathered to
discard irrelevant information?

Ben’s job is to ensure that data is labeled with the appropriate
sensitivity label. Since Ben works for the US government, he has to
apply the labels Unclassified, Confidential, Secret, and Top Secret to
systems and media. If Ben is asked to label a system that handles
Secret, Confidential, and Unclassified information, how should he
label it?

Susan has discovered that the smart card-based locks used to keep the
facility she works at secure are not effective because staff members are
propping the doors open. She places signs on the doors reminding
staff that leaving the door open creates a security issue, and she adds
alarms that will sound if the doors are left open for more than five
minutes. What type of controls has she put into place?

Ben is concerned about password cracking attacks against his system.
He would like to implement controls that prevent an attacker who has
obtained those hashes from easily cracking them. What two controls
would best meet this objective?

Amanda is considering the implementation of a database recovery
mechanism recommended by a consultant. In the recommended
approach, an automated process will move records of transactions
from the primary site to a backup site on an hourly basis. What
type of database recovery technique is the consultant describing?

Which group is best suited to evaluate and report on the effectiveness
of administrative controls an organization has put in place to a third
party?

A process on a system needs access to a file that is currently in use
by another process. What state will the process scheduler place this
process in until the file becomes available?

Renee is using encryption to safeguard sensitive business secrets when
in transit over the Internet. What risk metric is she attempting to
lower?

As part of hiring a new employee, Kathleen’s identity management
team creates a new user object and ensures that the user object is
available in the directories and systems where it is needed. What is
this process called?

Ricky would like to access a remote file server through a VPN
connection. He begins this process by connecting to the VPN and
attempting to log in. Applying the subject/object model to this
request, what is the subject of Ricky’s login attempt?

Alice is designing a cryptosystem for use by six users and would like to
use a symmetric encryption algorithm. She wants any two users to be
able to communicate with each other without worrying about
eavesdropping by a third user. How many symmetric encryption keys
will she need to generate?

Which one of the following intellectual property protection
mechanisms has the shortest duration?

Which of the following is not a code review process?

Gordon is developing a business continuity plan for a manufacturing
company’s IT operations. The company is located in North Dakota and
currently evaluating the risk of earthquake. They choose to pursue a
risk acceptance strategy. Which one of the following actions is
consistent with that strategy?

Carol would like to implement a control that protects her organization
from the momentary loss of power to the data center. Which control is
most appropriate for her needs?

Ben has encountered problems with users in his organization reusing
passwords, despite a requirement that they change passwords every
30 days. What type of password setting should Ben employ to help
prevent this issue?

Chris is conducting a risk assessment for his organization and has
determined the amount of damage that a single flood could be
expected to cause to his facilities. What metric has Chris identified?

The removal of a hard drive from a PC before it is retired and sold as
surplus is an example of what type of action?

During which phase of the incident response process would an
organization determine whether it is required to notify law
enforcement officials or other regulators of the incident?

What OASIS standard markup language is used to generate
provisioning requests both within organizations and with third
parties?

Michelle is in charge of her organization’s mobile device management
efforts and handles lost and stolen devices. Which of the following
recommendations will provide the most assurance to her organization
that data will not be lost if a device is stolen?

Susan’s SMTP server does not authenticate senders before accepting
and relaying email. What is this security configuration issue known
as?

The large business that Jack works for has been using
noncentralized logging for years. They have recently started to
implement centralized logging, however, and as they reviewed logs,
they discovered a breach that appeared to have involved a
malicious insider.

When the breach was discovered and the logs were reviewed, it was
discovered that the attacker had purged the logs on the system that
they compromised. How can this be prevented in the future?

The large business that Jack works for has been using
noncentralized logging for years. They have recently started to
implement centralized logging, however, and as they reviewed logs,
they discovered a breach that appeared to have involved a
malicious insider.

How can Jack detect issues like this using his organization’s new
centralized logging?

The large business that Jack works for has been using
noncentralized logging for years. They have recently started to
implement centralized logging, however, and as they reviewed logs,
they discovered a breach that appeared to have involved a
malicious insider.

How can Jack best ensure accountability for actions taken on systems
in his environment?

Ed’s organization has 5 IP addresses allocated to them by their ISP but
needs to connect over 100 computers and network devices to the
Internet. What technology can he use to connect his entire network via
the limited set of IP addresses he can use?

What type of attack would the following precautions help prevent?
- Requesting proof of identity
- Requiring callback authorizations on voice-only requests
- Not changing passwords via voice communications

Fred’s organization needs to use a non-IP protocol on their VPN.
Which of the common VPN protocols should he select to natively
handle non-IP protocols?

Residual data is another term for what type of data left after attempts
have been made to erase it?

Fred finds a packet that his protocol analyzer shows with both PSH
and URG set. What type of packet is he looking at, and what do the
flags mean?

Which one of the following disaster recovery test types involves the
actual activation of the disaster recovery facility?

What access control system lets owners decide who has access to the
objects they own?

Using a trusted channel and link encryption are both ways to prevent
what type of access control attack?

Which one of the following is not one of the canons of the (ISC)2 Code
of Ethics?

Which one of the following components should be included in an
organization’s emergency response guidelines?

Ben is working on integrating a federated identity management system
and needs to exchange authentication and authorization information
for browser-based single sign-on. What technology is his best option?

What is the minimum interval at which an organization should
conduct business continuity plan refresher training for those with
specific business continuity roles?

What is the minimum number of cryptographic keys necessary to
achieve strong security when using the 3DES algorithm?

Lauren wants to monitor her LDAP servers to identify what types of
queries are causing problems. What type of monitoring should she use
if she wants to be able to use the production servers and actual traffic
for her testing?

Steve is developing an input validation routine that will protect the
database supporting a web application from SQL injection attack.
Where should Steve place the input validation code?

Linda is selecting a disaster recovery facility for her organization,
and she wishes to retain independence from other organizations as
much as possible. She would like to choose a facility that balances
cost and recovery time, allowing activation in about one week after
a disaster is declared. What type of facility should she choose?

Ben is selecting an encryption algorithm for use in an organization
with 10,000 employees. He must facilitate communication between
any two employees within the organization. Which one of the
following algorithms would allow him to meet this goal with the least
time dedicated to key management?

Which one of the following activities transforms a zero-day
vulnerability into a less dangerous attack vector?

Which one of the following is an example of a hardening provision that
might strengthen an organization’s existing physical facilities and
avoid implementation of a business continuity plan?

Susan wants to monitor traffic between systems in a VMWare
environment. What solution would be her best option to monitor that
traffic?

Matthew and Richard are friends located in different physical
locations who would like to begin communicating with each other
using cryptography to protect the confidentiality of their
communications. They exchange digital certificates to begin this
process and plan to use an asymmetric encryption algorithm for
the secure exchange of email messages.

When Matthew sends Richard a message, what key should he use to
encrypt the message?

Matthew and Richard are friends located in different physical
locations who would like to begin communicating with each other
using cryptography to protect the confidentiality of their
communications. They exchange digital certificates to begin this
process and plan to use an asymmetric encryption algorithm for
the secure exchange of email messages.

When Richard receives the message from Matthew, what key should
he use to decrypt the message?

Matthew and Richard are friends located in different physical
locations who would like to begin communicating with each other
using cryptography to protect the confidentiality of their
communications. They exchange digital certificates to begin this
process and plan to use an asymmetric encryption algorithm for
the secure exchange of email messages.

Matthew would like to enhance the security of his communication by
adding a digital signature to the message. What goal of cryptography
are digital signatures intended to enforce?

Matthew and Richard are friends located in different physical
locations who would like to begin communicating with each other
using cryptography to protect the confidentiality of their
communications. They exchange digital certificates to begin this
process and plan to use an asymmetric encryption algorithm for
the secure exchange of email messages.

When Matthew goes to add the digital signature to the message, what
encryption key does he use to create the digital signature?

When Jim logs into a system, his password is compared to a hashed
value stored in a database. What is this process?

What is the primary advantage of decentralized access control?

Which of the following types of controls does not describe a mantrap?

Sally’s organization needs to be able to prove that certain staff
members sent emails, and she wants to adopt a technology that will
provide that capability without changing their existing email system.
What is the technical term for the capability Sally needs to implement
as the owner of the email system, and what tool could she use to do it?

Which one of the following background checks is not normally
performed during normal pre-hire activities?

Margot is investigating suspicious activity on her network and uses a
protocol analyzer to sniff inbound and outbound traffic. She notices an
unusual packet that has identical source and destination IP addresses.
What type of attack uses this packet type?

Which of the following vulnerabilities might be discovered during a
penetration test of a web-based application?

In the OSI model, when a packet changes from a datastream to a
segment or a datagram, what layer has it traversed?

Tommy handles access control requests for his organization. A user
approaches him and explains that he needs access to the human
resources database in order to complete a headcount analysis
requested by the CFO. What has the user demonstrated successfully to
Tommy?

During which phase of the incident response process would
administrators design new security controls intended to prevent a
recurrence of the incident?

Kathleen wants to set up a service to provide information about her
organization’s users and services using a central, open, vendorneutral,
standards-based system that can be easily queried. Which of
the following technologies is her best choice?

Bethany received an email from one of her colleagues with an
unusual attachment named smime.p7s. She does not recognize the
attachment and is unsure what to do. What is the most likely
scenario?

What type of firewall is capable of inspecting traffic at layer 7 and
performing protocol-specific analysis for malicious traffic?

Alice would like to add another object to a security model and grant
herself rights to that object. Which one of the rules in the Take-Grant
protection model would allow her to complete this operation?

What type of assessment methods are associated with mechanisms
and activities based on the recommendations of NIST SP800-53A,
the Guide for Assessing Security Controls in Federal Information
Systems?

Colin is reviewing a system that has been assigned the EAL7
evaluation assurance level under the Common Criteria. What is the
highest level of assurance that he may have about the system?