CISSP Questions and Answers 05

QUESTION 501:
Which one of the following entails immediately transmitting copies of on-line transactions to a remote
computer
facility for backup?
A. Archival storage management (ASM)
B. Electronic vaulting
C. Hierarchical storage management (HSM)
D. Data compression
Answer: B
“Electronic vaulting makes an immediate copy of a changed file or transaction and sends it to a remote location
where the original backup is stored….Another technology used for automated backups is hierarrchial storage
management (HSM). In this situation, the HSM system dynamically manages the storage and covery of files,
which
are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed
more
often and the seldom-useed files are stored on the slower devices, or near-line devices. The different storage
media
rang from optical disk, magnetic disks, and tapes. Pg. 619 Shon Harris CISSP All-In-One Certification Exam
Guide
QUESTION 502:
When continuous availability (24 hours-a-day processing) is required, which one of the
following provides a good alternative to tape backups?
A. Disk mirroring
B. Backup to jukebox
C. Optical disk backup
D. Daily archiving
Answer: B
Hierarchical Storage Management (HSM). HSM provides continuous on-line backup by using
optical or tape ‘jukeboxes,’ similar to WORMs. It appears as an infinite disk to the system, and
can be configured to provide the closest version of an available real-time backup. This is
commonly employed in very large data retrieval systems.” Pg. 71 Krutz: The CISSP Prep Guide.
QUESTION 503:
Zip/Jaz drives are frequently used for the individual backups of small data sets of:
A. specific application data
B. sacrificial application data
C. static application data
D. dynamic application data
Answer: A
QUESTION 504:
With non-continuous backup systems, data that was entered after the last backup prior to
a system crash will have to be:
A. recreated
B. created
C. updated
D. deleted
Answer: A
QUESTION 505:
The alternate processing strategy in a business continuity plan can provide for required backup computing
capacity through a hot site, a cold site, or
A. A dial-up services program.
B. An off-site storage replacement.
C. An online backup program.
D. A crate and ship replacement.
Answer: C
What I believe is being wanted here is not the other data center backup alternatives but
transaction redundancy implementation.
The CISSP candidate should understand the three concepts used to create a level of fault
tolerance and redundancy in transaction processing. While these processes are not used solely
for disaster recovery, they are often elements of a larger disaster recovery plan. If one or more of
these processes are employed, the ability of a company to get back online is greatly enhanced.
-Ronald Krutz The CISSP PREP Guide (gold edition) pg 394 (they are Electronic Vaulting,
Remote journaling, and Database shadowing)
QUESTION 506:
The 8mm tape format is commonly used in Helical Scan tape drives, but was superseded
by:
A. Digital Linear Tape (DLT)
B. Analog Linear Tape (ALT)
C. Digital Signal Tape (DST)
D. Digital Coded Tape (DCT)
Answer: A
“8mm Tape. This format was commonly used in Helical Scan tape drives, but was superseded by
Digital Linear Tape (DLT).” Pg 95 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 507:
The spare drives that replace the failed drives are usually hot swappable, meaning they can
be replaced on the server in which of the following scenarios?
A. system is up and running
B. system is quiesced but operational
C. system is idle but operational
D. system is up and in single-user-mode
Answer: A
QUESTION 508:
Primarily run when time and tape space permits, and is used for the system archive or
baselined tape sets is the:
A. full backup method
B. Incremental backup method
C. differential backup method
D. tape backup method
Answer: A
QUESTION 509:
This backup method makes a complete backup of every file on the server every time it is
run by:
A. full backup method
B. incremental backup method
C. differential backup method
D. tape backup method
Answer: A
QUESTION 510:
A backup of all files that are new or modified since the last full backup is
A. In incremental backup
B. A father/son backup
C. A differential backup
D. A full backup
Answer: C
“Incremental backup -A procedure that backs up only those files that have been modified since
the previous backup of any sort. It does remove the archive attribute.
Differential backup – A procedure that backs up all files that have been modified since the last
full backup. It does not remove the archive attribute.” – Shon Harris All-in-one CISSP
Certification Guide pg 618
QUESTION 511:
What two factors should a backup program track to ensure the serviceability of backup
tape media?
A. The initial usage data of the media and the number of uses.
B. The physical characteristics and rotation cycle of the media.
C. The manufactured and model number of the tape media.
D. The frequency of usage and magnetic composition.
Answer: B
The answer should be B. The physical charecteristics (what type of tape drive) and rotation cyle.
(Frequency of backup cycles and retention timE.)
QUESTION 512:
Which of the following virus types changes some of its characteristics as it spreads?
A. boot sector
B. parasitic
C. stealth
D. polymorphic
Answer: D
QUESTION 513:
Which one of the following is a good defense against worms?
A. Differentiating systems along the lines exploited by the attack.
B. Placing limits on sharing, writing, and executing programs.
C. Keeping data objects small, simple, and obvious as to their intent.
D. Limiting connectivity by means of well-managed access controls.
Answer: B
Take as general information regarding worms
“Although the worm is not technically malicious, opening the attachment allows the file to copy
itself to the user’s PC Windows folder and then send the .pif-based program to any e-mail
address stored on the hard drive.
Ducklin said the huge risks associated with accepting program files such as .pif, .vbs (visual
basic script) or the more common .exe (executable) as attachments via e-mail outweighs the
usefulness of distributing such files in this manner.
“There’s no business sense for distributing programs via e-mail,” he said.
To illustrate the point, Ducklin said six of the top 10 viruses reported to Sophos in April spread
as Windows programs inside e-mails.”
http://security.itworld.com/4340/030521stopworms/page_1.html
QUESTION 514:
An active content module, which attempts to monopolize and exploits system resources is
called a
A. Macro virus
B. Hostile applet
C. Plug-in worm
D. Cookie
Answer: B
This applet can execute in the network browser and may contain malicious code. The types of
downloadable programs are also known as mobile code. -Ronald Krutz The CISSP PREP Guide
(gold edition) pg 361
“ActiveX Controls are Microsoft’s answer to Sun’s Java applets. They operate in a very similar
fashion, but they are implemented using any on of a variety of languages, including Visual
Basic, C, C++ and Java. There are two key distinctions between Java applets and ActiveX
controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can only
execute on systems running Microsoft operating systems. Second, ActiveX controls are not
subject to the sandbox restrictions placed on Java applets. They have full access to the Windows
operating environment and can perform a number of privileged actions. Therefore, special
precautions must be taken when deciding which ActiveX controls to download and execute.
Many security administrators have taken the somewhat harsh position of prohibiting the
download of any ActiveX content from all but a select handful of trusted sites.” Pg. 214 Tittel:
CISSP Study Guide
QUESTION 515:
Macro viruses written in Visual Basic for Applications (VDA) are a major problem because
A. Floppy disks can propagate such viruses.
B. These viruses can infect many types of environments.
C. Anti-virus software is usable to remove the viral code.
D. These viruses almost exclusively affect the operating system.
Answer: D
QUESTION 516:
What is the term used to describe a virus that can infect both program files and boot sectors?
A. Polymorphic
B. Multipartite
C. Stealth
D. Multiple encrypting
Answer: B
QUESTION 517:
Why are macro viruses easy to write?
A. Active contents controls can make direct system calls
B. The underlying language is simple and intuitive to apply.
C. Only a few assembler instructions are needed to do damage.
D. Office templates are fully API compliant.
Answer: B
Macro Languages enable programmers to edit, delete, and copy files. Because these languages
are so easy to use, many more types of macro viruses are possible. – Shon Harris All-in-one
CISSP Certification Guide pg 785
QUESTION 518:
Which one of the following traits alow macro viruses to spread more effectively than other
types?
A. They infect macro systems as well as micro computers.
B. They attach to executable and batch applications.
C. They can be transported between different operating systems.
D. They spread in distributed systems without detection
Answer: C
Macro virus is a virus written in one of these programming languages and is platform
independent. They infect and replicate in templates and within documents. – Shon Harris
All-in-one CISSP Certification Guide pg 784
QUESTION 519:
In what way could Java applets pose a security threat?
A. Their transport can interrupt the secure distribution of World Wide Web pages over the
Internet by removing SSL and S-HTTP
B. Java interpreters do not provide the ability to limit system access that an applet could have
on a client system
C. Executables from the Internet may attempt an intentional attack when they are downloaded
on a client system
D. Java does not check the bytecode at runtime or provide other safety mechanisms for program
isolation from the client system.
Answer: C
Explanation:
“Java Security
Java applets use a security scheme that employs a sandbox to limit the applet’s access to certain
specific areas within the user’s system and protects the system from malicious or poorly written
applets. The applet is supposed to run only within the sandbox. The sandbox restricts the applet’s
environment by restricting access to a user’s hard drives and system resources. If the applet does
not go outside the sandbox, it is considered safe.
However, as with many other things in the computing world, the bad guys have figured out how
to escape their confines and restrictions. Programmers have figured out how to write applets that
enable the code to access hard drives and resources that are supposed to be protected by the Java
security scheme. This code can be malicious in nature and cause destruction and mayhem to the
user and her system.
Java employs a sandbox in its security scheme, but if an applet can escape the confines of the
sandbox, the system can be easily compromised.” Pg 726 Shon Harris: All-In-One CISSP
Certification Guide.
QUESTION 520:
What setup should an administrator use for regularly testing the strength of user
passwords?
A. A networked workstation so that the live password database can easily be accessed by the
cracking program
B. A networked workstation so the password database can easily be copied locally and
processed by the cracking program
C. A standalone workstation on which the password database is copied and processed by the
cracking program
D. A password-cracking program is unethical; therefore it should not be used.
Answer: C
QUESTION 521:
On UNIX systems, passwords shall be kept:
A. In any location on behalf of root.
B. In a shadow password file.
C. In the /etc/passwd file.
D. In root.
Answer: B
Explanation:
When possible, on UNIX systems, passwords shall not be kept in the /etc/passwd file,
but rather in a shadow password file which can be modified only by root or a program executing
on behalf of root.
QUESTION 522:
Which of the following would constitute the best example of a password to use for access to
a system by a network administrator?
A. holiday
B. Christmas12
C. Jenny&30
D. TrZc&45g
Answer: D
QUESTION 523:
Which of the following is not a media viability control used to protect the viability of data
storage media?
A. clearing
B. marking
C. handling
D. storage
Answer: A
Reference: pg 315 Krutz: CISSP Study Guide: Gold Edition
QUESTION 524:
Which of the following refers to the data left on the media after the media has been erased?
A. remanence
B. recovery
C. sticky bits
D. semi-hidden
Answer: A
QUESTION 525:
What is the main issue with media reuse?
A. Degaussing
B. Data remanence
C. Media destruction
D. Purging
Answer: B
QUESTION 526:
What should a company do first when disposing of personal computers that once were used
to store confidential data?
A. Overwrite all data on the hard disk with zeroes
B. Delete all data contained on the hard disk
C. Demagnetize the hard disk
D. Low level format the hard disk
Answer: C
QUESTION 527:
Which of the following is not a critical security aspect of Operations Controls?
A. Controls over hardware
B. data media used
C. Operations using resources
D. Environment controls
Answer: D
Reference: pg 311 Krutz: CISSP Prep Guide: Gold Edition
QUESTION 528:
What tool is being used to determine whether attackers have altered system files of executables?
A. File Integrity Checker
B. Vulnerability Analysis Systems
C. Honey Pots
D. Padded Cells
Answer: A
Explanation:
Although File Integrity Checkers are most often used to determine whether attackers
have altered system files or executables, they can also help determine whether
vendor-supplied bug patches or other desired changes have been applied to system
binaries. They are extremely valuable to those conducting a forensic examination of
systems that have been attacked, as they allow quick and reliable diagnosis of the
footprint of an attack. This enables system managers to optimize the restoration of
service after incidents occur.
QUESTION 529:
A system file that has been patched numerous times becomes infected with a virus. The
anti-virus software warns that disinfecting the file can damage it. What course of action
should be taken?
A. Replace the file with the original version from master media
B. Proceed with automated disinfection
C. Research the virus to see if it is benign
D. Restore an uninfected version of the patched file from backup media
Answer: D
QUESTION 530:
In an on-line transaction processing system, which of the following actions should be taken
when erroneous or invalid transactions are detected?
A. The transactions should be dropped from processing
B. The transactions should be processed after the program makes adjustments
C. The transactions should be written to a report and reviewed
D. The transactions should be corrected and reprocessed
Answer: C
QUESTION 531:
Which of the following is a reasonable response from the intrusion detection system when it detects Internet
Protocol (IP) packets where the IP source address is the same as the IP destination address?
A. Allow the packet to be processed by the network and record the event.
B. Record selected information about the item and delete the packet.
C. Resolve the destination address and process the packet.
D. Translate the source address and resend the packet.
Answer: B
RFC 1918 and RFC 2827 state about private addressing and ip spoofing using the same source
address as destination address. Drop the packet.
QUESTION 532:
Which of the following is not a good response to a detected intrusion?
A. Collect additional information about the suspected attack
B. Inject TCP reset packets into the attacker’s connection to the victim system
C. Reconfigure routers and firewalls to block packets from the attacker’s apparent connection
D. Launch attacks or attempt to actively gain information about the attacker’s host
Answer: D
QUESTION 533:
Once an intrusion into your organizations information system has been detected, which of
the following actions should be performed first?
A. Eliminate all means of intruder access
B. Contain the intrusion
C. Determine to what extent systems and data are compromised
D. Communicate with relevant parties
Answer: B
QUESTION 534:
After an intrusion has been contained and the compromised systems having been
reinstalled, which of the following need not be reviewed before bringing the systems back
to service?
A. Access control lists
B. System services and their configuration
C. Audit trails
D. User accounts
Answer: C
QUESTION 535:
Which of the following includes notifying the appropriate parties to take action in order to
determine the extent of the severity of an incident and to remediate the incident’s effects?
A. Intrusion Evaluation (IE) and Response
B. Intrusion Recognition (IR) and Response
C. Intrusion Protection (IP) and Response
D. Intrusion Detection (ID) and Response
Answer: D
“Intrusion Detection (ID) and Response is the task of monitoring systems for evidence of an
intrusion or an inappropriate usage. This includes notifying the appropriate parties to take action
in order to determine the extent of the severity of an incident and to remediate the incident’s
effects.” Pg 86 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 536:
Which of the following is used to monitor network traffic or to monitor host audit logs in
order to determine violations of security policy that have taken place?
A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System
D.)Compliance Monitoring System
Answer: A
QUESTION 537:
Which of the following is not a technique used for monitoring?
A. Penetration testing
B. Intrusion detection
C. Violation processing (using clipping levels)
D. Countermeasures testing
Answer: D
QUESTION 538:
Which one of the following is NOT a characteristic of an Intrusion Detection System? (IDS)
A. Determines the source of incoming packets.
B. Detects intruders attempting unauthorized activities.
C. Recognizes and report alterations to data files.
D. Alerts to known intrusion patterns.
Answer: C
Explanation: Software employed to monitor and detect possible attacks and behaviors that
vary from the normal and expected activity. The IDS can be network-based, which
monitors network traffic, or host-based, which monitors activities of a specific system and
protects system files and control mechanisms. – Shon Harris All-in-one CISSP Certification
Guide pg 932
QUESTION 539:
An IDS detects an attach using which of the following?
A. an event-based ID or a statistical anomaly-based ID
B. a discrete anomaly-based ID or a signature-based ID
C. a signature-based ID or a statistical anomaly-based ID
D. a signature-based ID or an event-based ID
Answer: C
QUESTION 540:
Which of the following monitors network traffic in real time?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Answer: A
QUESTION 541:
What technology is being used to detect anomalies?
A. IDS
B. FRR
C. Sniffing
D. Capturing
Answer: A
Explanation:
Intrusion Detection is a quickly evolving domain of expertise. In the past year we have
seen giant steps forward in this area. We are now seeing IDS engines that will detect
anomalies, and that have some built-in intelligence. It is no longer a simple game of
matching signatures in your network traffic.
QUESTION 542:
IDSs verify, itemize, and characterize threats from:
A. Inside your organization’s network.
B. Outside your organization’s network.
C. Outside and inside your organization’s network.
D. The Internet.
Answer: C
Explanation:
IDSs verify, itemize, and characterize the threat from both outside and inside your
organization’s network, assisting you in making sound decisions regarding your
allocation of computer security resources. Using IDSs in this manner is important, as
many people mistakenly deny that anyone (outsider or insider) would be interested in
breaking into their networks. Furthermore, the information that IDSs give you regarding
the source and nature of attacks allows you to make decisions regarding security
strategy driven by demonstrated need, not guesswork or folklore.
QUESTION 543:
IDS can be described in terms of what fundamental functional components?
A. Response
B. Information Sources
C. Analysis
D. All of the choices.
Answer: D
Explanation:
Many IDSs can be described in terms of three fundamental functional components:
Information Sources – the different sources of event information used to determine
whether an intrusion has taken place. These sources can be drawn from different levels
of the system, with network, host, and application monitoring most common.
Analysis – the part of intrusion detection systems that actually organizes and makes
sense of the events derived from the information sources, deciding when those events
indicate that intrusions are occurring or have already taken place. The most common
analysis approaches are misuse detection and anomaly detection.
Response – the set of actions that the system takes once it detects intrusions. These
are typically grouped into active and passive measures, with active measures involving
some automated intervention on the part of the system, and passive measures involving
reporting IDS findings to humans, who are then expected to take action based on those
reports.
QUESTION 544:
What are the primary goals of intrusion detection systems? (Select all that apply.)
A. Accountability
B. Availability
C. Response
D. All of the choices
Answer: A, C
Explanation:
Although there are many goals associated with security mechanisms in general, there are
two overarching goals usually stated for intrusion detection systems.
Accountability is the capability to link a given activity or event back to the party
responsible for initiating it. This is essential in cases where one wishes to bring
criminal charges against an attacker. The goal statement associated with accountability
is: “I can deal with security attacks that occur on my systems as long as I know who
did it (and where to find them.)” Accountability is difficult in TCP/IP networks, where
the protocols allow attackers to forge the identity of source addresses or other source
identifiers. It is also extremely difficult to enforce accountability in any system
that employs weak identification and authentication mechanisms.
Response is the capability to recognize a given activity or event as an attack and then
taking action to block or otherwise affect its ultimate goal. The goal statement
associated with response is “I don’t care who attacks my system as long as I can
recognize that the attack is taking place and block it.” Note that the requirements of
detection are quite different for response than for accountability.
QUESTION 545:
What is the most common way to classify IDSs?
A. Group them by information source.
B. Group them by network packets.
C. Group them by attackers.
D. Group them by signs of intrusion.
Answer: A
Explanation:
The most common way to classify IDSs is to group them by information source. Some IDSs
analyze network packets, captured from network backbones or LAN segments, to find
attackers. Other IDSs analyze information sources generated by the operating system or
application software for signs of intrusion.
QUESTION 546:
The majority of commercial intrusion detection systems are:
A. Identity-based
B. Network-based
C. Host-based
D. Signature-based
Answer: B
Explanation:
The majority of commercial intrusion detection systems are network-based. These IDSs
detect attacks by capturing and analyzing network packets. Listening on a network
segment or switch, one network-based IDS can monitor the network traffic affecting
multiple hosts that are connected to the network segment, thereby protecting those
hosts.
QUESTION 547:
Which of the following is a drawback of Network-based IDSs?
A. It cannot analyze encrypted information.
B. It is very costly to setup.
C. It is very costly to manage.
D. It is not effective.
Answer: A
Explanation:
Network-based IDSs cannot analyze encrypted information. This problem is increasing as
more organizations (and attackers) use virtual private networks. Most network-based
IDSs cannot tell whether or not an attack was successful; they can only discern that an
attack was initiated. This means that after a network-based IDS detects an attack,
administrators must manually investigate each attacked host to determine whether it was
indeed penetrated.
QUESTION 548:
Host-based IDSs normally utilize information from which of the following sources?
A. Operating system audit trails and system logs.
B. Operating system audit trails and network packets.
C. Network packets and system logs.
D. Operating system alarms and system logs.
Answer: A
Explanation:
Host-based IDSs normally utilize information sources of two types, operating system
audit trails, and system logs. Operating system audit trails are usually generated at
the innermost (kernel) level of the operating system, and are therefore more detailed
and better protected than system logs. However, system logs are much less obtuse and
much smaller than audit trails, and are furthermore far easier to comprehend. Some
host-based IDSs are designed to support a centralized IDS management and reporting
infrastructure that can allow a single management console to track many hosts. Others
generate messages in formats that are compatible with network management systems.
QUESTION 549:
When comparing host based IDS with network based ID, which of the following is an
obvious advantage?
A. It is unaffected by switched networks.
B. It cannot analyze encrypted information.
C. It is not costly to setup.
D. It is not costly to manage.
Answer: A
Explanation:
Host-based IDSs are unaffected by switched networks. When Host-based IDSs operate on OS
audit trails, they can help detect Trojan horse or other attacks that involve software
integrity breaches. These appear as inconsistencies in process execution.
QUESTION 550:
You are comparing host based IDS with network based ID. Which of the following will you
consider as an obvious disadvantage of host based IDS?
A. It cannot analyze encrypted information.
B. It is costly to remove.
C. It is affected by switched networks.
D. It is costly to manage.
Answer: D
Explanation:
Host-based IDSs are harder to manage, as information must be configured and managed for
every host monitored. Since at least the information sources (and sometimes part of the
analysis engines) for host-based IDSs reside on the host targeted by attacks, the IDS
may be attacked and disabled as part of the attack.
Host-based IDSs are not well suited for detecting network scans or other such
surveillance that targets an entire network, because the IDS only sees those network
packets received by its host. Host-based IDSs can be disabled by certain
denial-of-service attacks.
QUESTION 551:
Which of the following IDS inflict a higher performance cost on the monitored systems?
A. Encryption based
B. Host based
C. Network based
D. Trusted based
Answer: B
Explanation:
Host-based IDSs use the computing resources of the hosts they are monitoring, therefore
inflicting a performance cost on the monitored systems.
QUESTION 552:
Application-based IDSs normally utilize information from which of the following sources?
A. Network packets and system logs.
B. Operating system audit trails and network packets.
C. Operating system audit trails and system logs.
D. Application’s transaction log files.
Answer: D
Explanation:
Application-based IDSs are a special subset of host-based IDSs that analyze the events
transpiring within a software application. The most common information sources used by
application-based IDSs are the application’s transaction log files.
QUESTION 553:
Which of the following are the major categories of IDSs response options?
A. Active responses
B. Passive responses
C. Hybrid
D. All of the choices.
Answer: D
Explanation:
Once IDSs have obtained event information and analyzed it to find symptoms of attacks,
they generate responses. Some of these responses involve reporting results and findings
to a pre-specified location. Others involve more active automated responses. Though
researchers are tempted to underrate the importance of good response functions in IDSs,
they are actually very important. Commercial IDSs support a wide range of response
options, often categorized as active responses, passive responses, or some mixture of
the two.
QUESTION 554:
Alarms and notifications are generated by IDSs to inform users when attacks are detected.
The most common form of alarm is:
A. Onscreen alert
B. Email
C. Pager
D. Icq
Answer: A
Explanation:
Alarms and notifications are generated by IDSs to inform users when attacks are
detected. Most commercial IDSs allow users a great deal of latitude in determining how
and when alarms are generated and to whom they are displayed.
The most common form of alarm is an onscreen alert or popup window. This is displayed
on the IDS console or on other systems as specified by the user during the
configuration of the IDS. The information provided in the alarm message varies widely,
ranging from a notification that an intrusion has taken place to extremely detailed
messages outlining the IP addresses of the source and target of the attack, the
specific attack tool used to gain access, and the outcome of the attack. Another set of
options that are of utility to large or distributed organizations are those involving
remote notification of alarms or alerts. These allow organizations to configure the IDS
so that it sends alerts to cellular phones and pagers carried by incident response
teams or system security personnel.
QUESTION 555:
Which of the following is a valid tool that complements IDSs?
A. All of the choices.
B. Padded Cells
C. Vulnerability Analysis Systems
D. Honey Pots
Answer: A
Explanation:
Several tools exist that complement IDSs and are often labeled as intrusion detection
products by vendors since they perform similar functions. They are Vulnerability
Analysis Systems, File Integrity Checkers, Honey Pots, and Padded Cells.
“IDS-Related Tools
Intrusion detection systems are often deployed in concert with several other components. These
IDS-related tools expand the usefulness and capabilities of IDSs and make IDSs more efficient
and less prone to false positives. These tools include honey pots, padded cells, and vulenerability
scanners.” Pg. 46 Tittel: CISSP Study Guide
QUESTION 556:
A problem with a network-based ID system is that it will not detect attacks against a host
made by an intruder who is logged in at which of the following?
A. host’s terminal
B. guest’s terminal
C. client’s terminal
D. server’s terminal
Answer: A
QUESTION 557:
When the IDS detect attackers, the attackers are seamlessly transferred to a special host.
This method is called:
A. Vulnerability Analysis Systems
B. Padded Cell
C. Honey Pot
D. File Integrity Checker
Answer: B
Explanation:
Padded cells take a different approach. Instead of trying to attract attackers with
tempting data, a padded cell operates in tandem with traditional IDS. When the IDS
detect attackers, it seamlessly transfers then to a special padded cell host.
QUESTION 558:
Which of the following is a weakness of both statistical anomaly detection and pattern
matching?
A. Lack of ability to scale.
B. Lack of learning model.
C. Inability to run in real time.
D. Requirement to monitor every event.
Answer: B
Explanation: Disadvantages of Knowledge-based ID systems:
This system is resources- intensive; the knowledge database continually needs maintenance and
updates
New, unique, or original attacks often go unnoticed.Disadvantages of Behavior-based ID
systems:
The system is characterized by high false alarm rates. High positives are the most common
failure of ID systems and can create data noise that makes the system unusable.
The activity and behavior of the users while in the networked system might not be static enough
to effectively implement a behavior-based ID system. -Ronald Krutz The CISSP PREP Guide
(gold edition) pg 88
QUESTION 559:
The two most common implementations of Intrusion Detection are which of the following?
A. They commonly reside on a discrete network segment and monitor the traffic on that
network segment
B. They commonly will not reside on a discrete network segment and monitor the traffic on that
network segment
C. They commonly reside on a discrete network segment but do not monitor the traffic on that
network segment
D. They commonly do not reside on a discrete network segment and monitor the traffic on that
network segment
Answer: A
QUESTION 560:
What are the primary approaches IDS takes to analyze events to detect attacks?
A. Misuse detection and anomaly detection.
B. Log detection and anomaly detection.
C. Misuse detection and early drop detection.
D. Scan detection and anomaly detection.
Answer: A
Explanation:
There are two primary approaches to analyzing events to detect attacks: misuse
detection and anomaly detection. Misuse detection, in which the analysis targets
something known to be “bad”, is the technique used by most commercial systems. Anomaly
detection, in which the analysis looks for abnormal patterns of activity, has been, and
continues to be, the subject of a great deal of research. Anomaly detection is used in
limited form by a number of IDSs. There are strengths and weaknesses associated with
each approach, and it appears that the most effective IDSs use mostly misuse detection
methods with a smattering of anomaly detection components.
QUESTION 561:
Misuse detectors analyze system activity and identify patterns. The patterns corresponding to
know attacks are called:
A. Attachments
B. Signatures
C. Strings
D. Identifications
Answer: B
Explanation:
Misuse detectors analyze system activity, looking for events or sets of events that
match a predefined pattern of events that describe a known attack. As the patterns
corresponding to known attacks are called signatures, misuse detection is sometimes
called “signature-based detection.” The most common form of misuse detection used in
commercial products specifies each pattern of events corresponding to an attack as a
separate signature. However, there are more sophisticated approaches to doing misuse
detection (called “state-based” analysis techniques) that can leverage a single
signature to detect groups of attacks.
QUESTION 562:
Which of the following is an obvious disadvantage of deploying misuse detectors?
A. They are costly to setup.
B. They are not accurate.
C. They most be constantly updated with signatures of new attacks.
D. They are costly to use.
Answer: C
Explanation:
Misuse detectors can only detect those attacks they know about – therefore they must be
constantly updated with signatures of new attacks. Many misuse detectors are designed to use
tightly defined signatures that prevent them from detecting variants of common attacks.
State-based misuse detectors can overcome this limitation, but are not commonly used in
commercial IDSs.
QUESTION 563:
What detectors identify abnormal unusual behavior on a host or network?
A. None of the choices.
B. Legitimate detectors.
C. Anomaly detectors.
D. Normal detectors.
Answer: C
Explanation:
Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network.
They function on the assumption that attacks are different from “normal” (legitimate)
activity and can therefore be detected by systems that identify these differences.
Anomaly detectors construct profiles representing normal behavior of users, hosts, or
network connections. These profiles are constructed from historical data collected over
a period of normal operation. The detectors then collect event data and use a variety
of measures to determine when monitored activity deviates from the norm.
QUESTION 564:
A network-based IDS is which of the following?
A. active while it acquires data
B. passive while it acquires data
C. finite while it acquires data
D. infinite while it acquires data
Answer: B
QUESTION 565:
Which of the following usually provides reliable, real-time information without consuming
network or host resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Answer: A
“A network-based IDS has little negative affect on overall network performance, and because it
is deployed on a single-purpose system, it doesn’t adversely affect the performance of any other
computer.” Pg 34 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 566:
Which of the following would assist in intrusion detection?
A. audit trails
B. access control lists
C. security clearances
D. host-based authentication
Answer: A
QUESTION 567:
Using clipping levels refers to:
A. setting allowable thresholds on reported activity
B. limiting access to top management staff
C. setting personnel authority limits based on need-to-know basis
D. encryption of data so that it cannot be stolen
Answer: A
QUESTION 568:
In what way can violation clipping levels assist in violation tracking and analysis?
A. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold
will be recorded for analysis of why the violations occurred
B. Clipping levels enable a security administrator to customize the audit trail to record only
those violations which are deemed to be security relevant
C. Clipping levels enable the security administrator to customize the audit trail to record only
actions for users with access to usercodes with a privileged status
D. Clipping levels enable a security administrator to view all reductions in security levels which
have been made to usercodes which have incurred violations
Answer: A
QUESTION 569:
When establishing a violation tracking and analysis process, which one of the following
parameters is used to keep the quantity of data to manageable levels?
A. Quantity baseline
B. Maximum log size
C. Circular logging
D. Clipping levels
Answer: D
To make violation tracking effective, clipping levels must be established. A clipping level is a
baseline of user activity that is considered a routine level of user errors. When a clipping level is
exceeded, a violation record is then produced. Clipping levels are also used for variance
detection. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 318
QUESTION 570:
Audit trails based upon access and identification codes establish…
A. intrustion detection thresholds
B. individual accountability
C. audit review critera
D. individual authentication
Answer: B
Accountability is another facet of access control. Individuals on a system are responsible for
their actions. This accountability property enables system activities to be traced to the proper
individuals. Accountability is supported by audit trails that record events on the system and on
the network. Audit trails can be used for intrusion detection and for the reconstruction of past
events. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 65
QUESTION 571:
The primary reason for enabling software audit trails is which of the following?
A. Improve system efficiency
B. Improve response time for users
C. Establish responsibility and accountability
D. Provide useful information to track down processing errors
Answer: C
“Auditing capabilities ensure that users are accountable for their actions, verify that the security
polices are enforced, and are used as investigation tools.” Pg 161 Shon Harris: All-in-One CISSP
Certification
QUESTION 572:
Tracing violations, or attempted violations of system security to the user responsible is a
function of?
A. authentication
B. access management
C. integrity checking
D. accountability
Answer: D
Auditing capabilities ensure that users are accountable for their actions, verify that the security
policies are enforced, worked as a deterrent to improper actions, and are used as investigation
tools. – Shon Harris All-in-one CISSP Certification Guide pg 182
QUESTION 573:
According to the Minimum Security Requirements (MSR) for Multi-User Operating
Systems (NISTIR 5153) document, which of the following statements pertaining to audit
data recording is incorrect?
A. The system shall provide end-to-end user accountability for all security-relevant events
B. The system shall protect the security audit trail from unauthorized access
C. For maintenance purposes, it shall be possible to disable the recording of activities that
require privileges.
D. The system should support an option to maintain the security audit trail data in encrypted
format
Answer: C
QUESTION 574:
Which of the following questions is less likely to help in assessing controls over audit trails?
A. Does the audit trail provide a trace of user actions?
B. Are incidents monitored and tracked until resolved?
C. Is access to online logs strictly controlled?
D. Is there separation of duties between security personnel who administer the access control
function and those who administer the audit trail?
Answer: B
QUESTION 575:
You should keep audit trail on which of the following items?
A. Password usage.
B. All unsuccessful logon.
C. All of the choices.
D. All successful logon.
Answer: C
Explanation:
Keep audit trail of password usage; log all Successful logon, Unsuccessful logon, Date,
Time, ID, Login name. Control maximum logon attempt rate where possible.Where possible
users must be automatically logged off after 30 minutes of inactivity.
QUESTION 576:
In addition to providing an audit trail required by auditors, logging can be used to
A. provide backout and recovery information
B. prevent security violations
C. provide system performance statistics
D. identify fields changed on master files.
Answer: B
Auditing tools are technical controls that track activity within a network on a network device or
on a specific computer. Even though auditing is not an activity that will deny an entity access to
a network or computer, it will track activities so a network administrator can understand the
types of access that took place, identify a security breach, or warn the administrator of suspicious
activity. This can be used to point out weakness of their technical controls and help
administrators understand where changes need to be made to preserve the necessary security
level within the environment. . – Shon Harris All-in-one CISSP Certification Guide pg 179-180
QUESTION 577:
Which of the following should NOT be logged for performance problems?
A. CPU load.
B. Percentage of use.
C. Percentage of idle time.
D. None of the choices.
Answer: D
Explanation:
The level of logging will be according to your company requirements. Below is a list of
items that could be logged, please note that some of the items may not be applicable to
all operating systems. What is being logged depends on whether you are looking for
performance problems or security problems. However you have to be careful about
performance problems that could affect your security.
QUESTION 578:
Which of the following should be logged for security problems?
A. Use of mount command.
B. Percentage of idle time.
C. Percentage of use.
D. None of the choices.
Answer: A
Explanation:
The level of logging will be according to your company requirements. Below is a list of
items that could be logged, please note that some of the items may not be applicable to
all operating systems. What is being logged depends on whether you are looking for
performance problems or security problems. However you have to be careful about
performance problems that could affect your security.
QUESTION 579:
Which of the following services should be logged for security purpose?
A. bootp
B. All of the choices.
C. sunrpc
D. tftp
Answer: B
Explanation:
Request for the following services should be logged: systat, bootp, tftp, sunrpc, snmp,
snmp-trap, nfs.
QUESTION 580:
The auditing method that assesses the extent of the system testing, and identifies specific program logic that has
not
been tested is called
A. Decision process analysis
B. Mapping
C. Parallel simulation
D. Test data method
Answer: D
“Testing of software modules or unit testing should be addressed when the modules are being designed.
Personnel
separate from the programmers should conduct this testing. The test data is part of the specifications. Testing
should
not only check the modules using normal and valid input data, but it should also check for incorrect types,
out-of-range values, and other bounds and/or conditions. Live or actual field data is not recommended for use in
the
testing procedures because both data types might not cover out-of-range situations and the correct outputs of the
test
are unknown. Special test suites of data that exercise all paths of the software to the fullest extent possible and
whose corrected resulting outputs are known beforehand should be used.” Pg. 345 Krutz: The CISSP Prep
Guide:
Gold Edition.
QUESTION 581:
Who should NOT have access to the log files?
A. Security staff.
B. Internal audit staff.
C. System administration staff.
D. Manager’s secretary.
Answer: D
Explanation:
Logs must be secured to prevent modification, deletion, and destruction. Only
authorized persons should have access or permission to read logs. A person is
authorized if he or she is a member of the internal audit staff, security staff, system
administration staff, or he or she has a need for such access to perform regular
duties.
QUESTION 582:
Which of the following correctly describe the use of the collected logs?
A. They are used in the passive monitoring process only.
B. They are used in the active monitoring process only.
C. They are used in the active and passive monitoring process.
D. They are used in the archiving process only.
Answer: C
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are
kept on archive for a period of time. This period of time will be determined by your
company policies. This allows the use of logs for regular and annual audits if
retention is longer then a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 583:
All logs are kept on archive for a period of time. What determines this period of time?
A. Administrator preferences.
B. MTTR
C. Retention polices
D. MTTF
Answer: C
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are
kept on archive for a period of time. This period of time will be determined by your
company policies. This allows the use of logs for regular and annual audits if
retention is longer then a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 584:
Logs must be secured to prevent:
A. Creation, modification, and destruction.
B. Modification, deletion, and initialization.
C. Modification, deletion, and destruction.
D. Modification, deletion, and inspection.
Answer: C
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are
kept on archive for a period of time. This period of time will be determined by your
company policies. This allows the use of logs for regular and annual audits if
retention is longer then a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 585:
To ensure dependable and secure logging, all computers must have their clock synchronized to:
A. A central timeserver.
B. The log time stamp.
C. The respective local times.
D. None of the choices.
Answer: A
Explanation:
The following pre-requisite must be met to ensure dependable and secure logging:
All computers must have their clock synchronized to a central timeserver to ensure
accurate time on events being logged.
If possible all logs should be centralized for easy analysis and also to help detect
patterns of abuse across servers.
Logging information traveling on the network must be encrypted if possible.
Log files are stored and protected on a machine that has a hardened shell.
Log files must not be modifiable without a trace or record of such modification.
QUESTION 586:
To ensure dependable and secure logging, logging information traveling on the network should
be:
A. Stored
B. Encrypted
C. Isolated
D. Monitored
Answer: B
Explanation:
The following pre-requisite must be met to ensure dependable and secure logging:
All computers must have their clock synchronized to a central timeserver to ensure
accurate time on events being logged.
If possible all logs should be centralized for easy analysis and also to help detect
patterns of abuse across servers.
Logging information traveling on the network must be encrypted if possible.
Log files are stored and protected on a machine that has a hardened shell.
Log files must not be modifiable without a trace or record of such modification.
QUESTION 587:
The activity that consists of collecting information that will be used for monitoring is called:
A. Logging
B. Troubleshooting
C. Auditing
D. Inspecting
Answer: A
Explanation:
Logging is the activity that consists of collecting information that will be used for
monitoring and auditing. Detailed logs combined with active monitoring allow detection
of security issues before they negatively affect your systems.
QUESTION 588:
How often should logging be run?
A. Once every week.
B. Always
C. Once a day.
D. During maintenance.
Answer: B
Explanation:
Usually logging is done 24 hours per day, 7 days per week, on all available systems and
services except during the maintenance window where some of the systems and services
may not be available while maintenance is being performed.
QUESTION 589:
Which of the following are security events on Unix that should be logged?
A. All of the choices.
B. Use of Setgid.
C. Change of permissions on system files.
D. Use of Setuid.
Answer: A
Explanation:
The following file changes, conditions, and events are logged:
.rhosts.
UNIX Kernel.
/etc/password.
rc directory structure.
bin files.
lib files.
Use of Setuid.
Use of Setgid.
Change of permission on system or critical files.
QUESTION 590:
Which of the following are potential firewall problems that should be logged?
A. Reboot
B. All of the choices.
C. Proxies restarted.
D. Changes to configuration file.
Answer: B
Explanation:
The following firewall configuration problem are logged:
Reboot of the firewall.
Proxies that cannot start (e.g. Within TIS firewall).
Proxies or other important services that have died or restarted.
Changes to firewall configuration file.
A configuration or system error while firewall is running.
QUESTION 591:
Which of the following is required in order to provide accountability?
A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails
Answer: A
Reference: pg 5 Tittel: CISSP Study Guide
QUESTION 592:
The principle of accountability is a principle by which specific action can be traced back
to:
A. A policy
B. An individual
C. A group
D. A manager
Answer: B
Explanation:
The principle of accountability has been described in many reference; it is a
principle by which specific action can be traced back to an individual. As mentioned by
Idrach, any significant action should be traceable to a specific user. The definition
of “Significant” is entirely dependant on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific
user is fine but we must also be able to ascertain that this specific user was
responsible for the uninitiated action.
QUESTION 593:
The principle of _________ is a principle by which specific action can be traced back to
anyone of your users.
A. Security
B. Integrity
C. Accountability
D. Policy
Answer: C
Explanation:
The principle of accountability has been described in many reference; it is a
principle by which specific action can be traced back to an individual. As mentioned by
Idrach, any significant action should be traceable to a specific user. The definition
of “Significant” is entirely dependant on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific
user is fine but we must also be able to ascertain that this specific user was
responsible for the uninitiated action.
QUESTION 594:
According to the principle of accountability, what action should be traceable to a specific
user?
A. Material
B. Intangible
C. Tangible
D. Significant
Answer: D
Explanation:
The principle of accountability has been described in many reference; it is a
principle by which specific action can be traced back to an individual. As mentioned by
Idrach, any significant action should be traceable to a specific user. The definition
of “Significant” is entirely dependant on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific
user is fine but we must also be able to ascertain that this specific user was
responsible for the uninitiated action.
QUESTION 595:
Which of the following best ensures accountability of users for actions taken within a
system or domain?
A. Identification
B. Authentication
C. Authorization
D. Credentials
Answer: A
“Identification is the process by which a subject professes an identify and accountability is
initiated.” Pg 149 Tittel: CISSP Study Guide
“Identification and authentication are the keystones of most access control systems.
Identification is the act of a user professing an identify to a system, usually in the form of a
log-on ID to the system. Identification establishes user accountability for the actions on the
system. Authentication is verification that the user’s claimed identity is valid and is usually
implemented through a user password at log-on time.” Pg 36 Krutz: The CISSP Prep Guide
QUESTION 596:
Individual accountability does not include which of the following?
A. unique identifiers
B. policies & procedures
C. access rules
D. audit trails
Answer: B
QUESTION 597:
Controls provide accountability for individuals who are accessing sensitive information.
This accountability is accomplished:
A. through access control mechanisms that require identification and authentication and through
the audit function.
B. through logical or technical controls involving the restriction of access to systems and the
protection of information
C. through logical or technical controls but not involving the restriction of access to systems
and the protection of information.
D. through access control mechanisms that do not require identification and authentication and
do not operate through the audit function.
Answer: A
QUESTION 598:
What types of computer attacks are most commonly reported by IDSs?
A. System penetration
B. Denial of service
C. System scanning
D. All of the choices
Answer: D
Explanation:
Three types of computer attacks are most commonly reported by IDSs: system scanning,
denial of service (DOS), and system penetration. These attacks can be launched locally,
on the attacked machine, or remotely, using a network to access the target. An IDS
operator must understand the differences between these types of attacks, as each
requires a different set of responses.
QUESTION 599:
Operation security requires the implementation of physical security to control which of the
following?
A. unauthorized personnel access
B. incoming hardware
C. contingency conditions
D. evacuation procedures
Answer: A
QUESTION 600:
Configuration Management is a requirement for the following level(s)?
A. B3 and A1
B. B1, B2 and B3
C. A1
D. B2, B3, and A1
Answer: D
Reference: pg 306 Krutz: CISSP Study Guide: Gold Edition
QUESTION 601:
Which of the following is not concerned with configuration management?
A. Hardware
B. Software
C. Documentation
D. They all are concerned with configuration management
Answer: D
QUESTION 602:
Configuration Management controls what?
A. Auditing of changes to the Trusted Computing Base
B. Control of changes to the Trusted Computing Base
C. Changes in the configuration access to the Trusted Computing Base
D. Auditing and controlling any changes to the Trusted Computing Base
Answer: D
“Official Definition of Configuration Management
Identifying, controlling, accounting for and auditing changes made to the baseline TCB, which
includes changes to hardware, software, and firmware.
A System that will control changes and test documentation through the operational life cycle of a
system.” Pg 698 Shon Harris: All-in-One CISSP Certification
“[B3] The security administrator role is clearly defined, and the system must be able to recover
from failures without its security level being compromised.” Pg. 226 Shon Harris CISSP
All-In-One Exam Guide

QUESTION 603:
In addition to ensuring that changes to the computer system take place in an identifiable
and controlled environment, configuration management provides assurance that future
changes:
A. The application software cannot bypass system security features.
B. Do not adversely affect implementation of the security policy.
C. To do the operating system are always subjected to independent validation and verification.
D. In technical documentation maintain an accurate description of the Trusted Computer Base.
Answer: B
“The primary security goal of configuration management is to ensure that changes to the system
do not unintentionally diminish security.” Pg 306 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 604:
Which set of principal tasks constitutes configuration management?
A. Program management, system engineering, and quality assurance.
B. Requirements verification, design, and system integration and testing.
C. Independent validation and verification of the initial and subsequent baseline.
D. Identification, control, status accounting, and auditing of changes.
Answer: D
Configuration management is the process of tracking and approving changes to a system. It
involves identifying, controlling, and auditing all changes made to the system.
Pg. 223 Krutz: The CISSP Prep Guide
QUESTION 605:
If the computer system being used contains confidential information, users must not:
A. Leave their computer without first logging off.
B. Share their desks.
C. Encrypt their passwords.
D. Communicate
Answer: A
Explanation:
If the computer system being used or to which a user is connected contains sensitive or
confidential information, users must not leave their computer, terminal, or workstation
without first logging off. Users should be reminded frequently to follow this rule.
QUESTION 606:
Separation of duties is valuable in deterring:
A. DoS
B. external intruder
C. fraud
D. trojan house
Answer: C
Explanation:
Separation of duties is considered valuable in deterring fraud since fraud can occur if
an opportunity exists for collaboration between various jobs related capabilities.
Separation of duty requires that for particular sets of transactions, no single
individual be allowed to execute all transactions within the set. The most commonly
used examples are the separate transactions needed to initiate a payment and to
authorize a payment. No single individual should be capable of executing both
transactions.
QUESTION 607:
What principle requires that for particular sets of transactions, no single individual be
allowed to execute all transactions within the set?
A. Use of rights
B. Balance of power
C. Separation of duties
D. Fair use
Answer: C
Explanation:
Separation of duties is considered valuable in deterring fraud since fraud can occur if
an opportunity exists for collaboration between various jobs related capabilities.
Separation of duty requires that for particular sets of transactions, no single
individual be allowed to execute all transactions within the set. The most commonly
used examples are the separate transactions needed to initiate a payment and to
authorize a payment. No single individual should be capable of executing both
transactions.
QUESTION 608:
Separation of duty can be:
A. Dynamic only
B. Encrypted
C. Static only
D. Static or dynamic
Answer: D
Explanation:
Separation of duty can be either static or dynamic. Compliance with static separation
requirements can be determined simply by the assignment of individuals to roles and
allocation of transactions to roles. The more difficult case is dynamic separation of
duty where compliance with requirements can only be determined during system operation.
The objective behind dynamic separation of duty is to allow more flexibility in
operations.
QUESTION 609:
What is the company benefit, in terms of risk, for people taking a vacation of a specified minimum length?
A. Reduces stress levels, thereby lowering insurance claims.
B. Improves morale, thereby decreasing errors.
C. Increases potential for discovering frauds.
D. Reduces dependence on critical individuals.
Answer: C
Mandatory vacations are another type of administrative control that may sound a bit odd at first.
Chapter 3 touches on reasons to make sure that employees take their vacations; this has to do
with being able to identify fraudulent activities and enable job rotation to take place. – Shon
Harris All-in-one CISSP Certification Guide pg 810
QUESTION 610:
Which of the following would be less likely to prevent an employee from reporting
an incident?
A. They are afraid of being pulled into something they don’t want to be involved with
B. The process of reporting incidents is centralized
C. They are afraid of being accused of something they didn’t do
D. They are unaware of the company’s security policies and procedures
Answer: A
Explanation:
Reference: ALL-IN-ONE CISSP Third Edition by Shon Harris Pg 783.
QUESTION 611:
Employee involuntary termination processing should include
A. A list of all passwords used by the individual.
B. A report on outstanding projects.
C. The surrender of any company identification.
D. Signing a non-disclosure agreement.
Answer: C
“Before the employee is released, all organization-specific identification, access, or security
badges as well as cards, keys, and access tokens should be collected.”
Pg. 173 Tittel: CISSP Study Guide
QUESTION 612:
Which trusted facility management concept implies that two operators must review and
approve the work of each other?
A. Two-man control
B. Dual control
C. Double control
D. Segregation control
Answer: A
Explanation:
“In the concept of two-man control, two operators review and approve the work of each other.
The purpose of two-man control is to provide accountability and to minimize fraud in highly
sensitive or high-risk transactions. The concept of dual control means that both operators are
needed to complete a sensitive task.” Pg. 303 Krutz: The CISSP Prep Guide: Gold Edition.
QUESTION 613:
When two operators review and approve the work of each other, this is known as?
A. Dual control
B. Two-man control
C. Two-fold control
D. Twin control
Answer: B
QUESTION 614:
What security procedure forces an operator into collusion with an operator of a different
category to have access to unauthorized data?
A. Enforcing regular password changes
B. Management monitoring of audit logs
C. Limiting the specific accesses of operations personnel
D. Job rotation of people through different assignments
Answer: C
QUESTION 615:
Which of the following user items can be shared?
A. Password
B. Home directory
C. None of the choices.
Answer: C
Explanation:
Each user assigned directory (home directory) is not to be shared with others. None of
the choices is correct.
QUESTION 616:
What should you do to the user accounts as soon as employment is terminated?
A. Disable the user accounts and erase immediately the data kept.
B. Disable the user accounts and have the data kept for a specific period of time.
C. None of the choices.
D. Maintain the user accounts and have the data kept for a specific period of time.
Answer: B
Explanation:
A record of user logins with time and date stamps must be kept. User accounts shall be
disabled and data kept for a specified period of time as soon as employment is
terminated. All users must log on to gain network access.
QUESTION 617:
What is the main objective of proper separation of duties?
A. To prevent employees from disclosing sensitive information
B. To ensure access controls are in place
C. To ensure that no single individual can compromise a system
D. To ensure that audit trails are not tampered with
Answer: C
“Separation of duties (also called segregation of duties) assigns parts of tasks to different
personnel. Thus if no single person has total control of the system’s security mechanisms, the
theory is that no single person can completely compromise the system.”
Pg. 303 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 618:
What are the benefits of job rotation?
A. All of the choices.
B. Trained backup in case of emergencies.
C. Protect against fraud.
D. Cross training to employees.
Answer: A
Explanation:
Job assignments should be changed periodically so that it is more difficult for users
to collaborate to exercise complete control of a transaction and subvert it for
fraudulent purposes. This principle is effective when used in conjunction with a
separation of duties. Problems in effectively rotating duties usually appear in
organizations with limited staff resources and inadequate training programs. Rotation
pf duties will protect you against fraud; provide cross training to you employees, as
well as assuring trained backup in case of emergencies.
QUESTION 619:
Which of the following control pairing include organizational policies and procedures,
pre-employment background checks, strict hiring practices, employment agreements,
friendly and unfriendly employee termination procedures, vacation scheduling, labeling of
sensitive materials, increased supervision, security awareness training, behavior awareness,
and sign-up procedures to obtain access to information systems and networks in?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
Answer: A
QUESTION 620:
Which of the following are functions that are compatible in a properly segregated
environment?
A. Application programming and computer operation
B. Systems programming and job control analysis
C. Access authorization and database administration
D. Systems development and systems maintenance
Answer: D
QUESTION 621:
Which of the following are functions that are compatible in a properly segregated
environment?
A. Security administration and quality assurance
B. Security administration and data entry
C. Security administration and application programming
D. Application programming and data entry
Answer: A
Explanation:
Security Administration and Quality Assurance are the most similar tasks.
Administrative Management: Administrative management is a very important piece of
operational security. One aspect of administrative management is dealing with personnel issues.
This includes separation of duties and job rotation. The objective of separation of duties is to
ensure that one person acting alone cannot compromise the company’s security in any way.
High-risk activities should be broken up into different parts and distributed to different
individuals. This way the company does not need to put a dangerously high level of trust on
certain individuals and if fraud were to take place, collusion would need to be committed,
meaning more than one person would have to be involved in the fraudulent activity.
Separation of duties also helps to prevent many different types of mistakes that can take place if
one person is performing a task from the beginning to the end. For instance, a programmer
should not be the one to test her own code. A different person with a different job and agenda
should perform functionality and integrity testing on the programmer’s code because the
programmer may have a focused view of what the program is supposed to accomplish and only
test certain functions, input values, and in certain environments.
Another example of separation of duties is the difference between the functions of a computer
operator versus the functions of a system administrator. There must be clear cut lines drawn
between system administrator duties and computer operator duties. This will vary from
environment to environment and will depend on the level of security required within the
environment. The system administrators usually have responsibility of performing backups and
recovery procedures, setting permissions, adding and removing users, setting user clearance, and
developing user profiles. The computer operator on the other hand, may be allowed to install
software, set an initial password, alter desktop configurations, and modify certain system
parameters. The computer operator should not be able to modify her own security profile, add
and remove users globally, or set user security clearance. This would breach the concept of
separation of duties.
Pg 808-809 Shon Harris: All-In-One CISSP Certification
QUESTION 622:
Which of the following are functions that are compatible in a properly segregated
environment?
A. Data entry and job scheduling
B. Database administration and systems security
C. Systems analyst and application programming
D. Security administration and systems programming
Answer: A
The two most similar jobs are Data Entry and Job Scheduling, so they need not be segregated.
Administrative Management: Administratative management is a very important piece of
operational security. One aspect of administrative management is dealing with personnel issues.
This includes separation of duties and job rotation. The objective of separation of duties is to
ensure that one person acting alone cannot compromise the company’s security in any way.
High-risk activities should be broken up into different parts and distributed to different
individuals. This way the company does not need to put a dangerously high level of trust on
certain individuals and if fraud were to take place, collusion would need to be committed,
meaning more than one person would have to be involved in the fraudulent activity.
Separation of duties also helps to prevent many different types of mistakes that can take place if
one person is performing a task from the beginning to the end. For instance, a programmer
should not be the one to test her own code. A different person with a different job and agenda
should perform functionality and integrity testing on the programmer’s code because the
programmer may have a focused view of what the program is supposed to accomplish and only
test certain functions, input values, and in certain environments.
Another example of separation of duties is the difference between the functions of a computer
operator versus the functions of a system administrator. There must be clear cut lines drawn
between system administrator duties and computer operator duties. This will vary from
environment to environment and will depend on the level of security required within the
environment. The system administrators usually have responsibility of performing backups and
recovery procedures, setting permissions, adding and removing users, setting user clearance, and
developing user profiles. The computer operator on the other hand, may be allowed to install
software, set an initial password, alter desktop configurations, and modify certain system
parameters. The computer operator should not be able to modify her own security profile, add
and remove users globally, or set user security clearance. This would breach the concept of
separation of duties.
Pg 808-809 Shon Harris: All-In-One CISSP Certification Exam Guide
QUESTION 623:
Which of the following are functions that are compatible in a properly segregated
environment?
A. Application programming and computer operation
B. Systems programming and job control analysis
C. Access authorization and database administration
D. System development and systems maintenance
Answer: C
Access Authorization and Database Administration are the most similar tasks of all the choices
so they need not be separated.
Administrative Management: Administratative management is a very important piece of
operational security. One aspect of administrative management is dealing with personnel issues.
This includes separation of duties and job rotation. The objective of separation of duties is to
ensure that one person acting alone cannot compromise the company’s security in any way.
High-risk activities should be broken up into different parts and distributed to different
individuals. This way the company does not need to put a dangerously high level of trust on
certain individuals and if fraud were to take place, collusion would need to be committed,
meaning more than one person would have to be involved in the fraudulent activity.
Separation of duties also helps to prevent many different types of mistakes that can take place if
one person is performing a task from the beginning to the end. For instance, a programmer
should not be the one to test her own code. A different person with a different job and agenda
should perform functionality and integrity testing on the programmer’s code because the
programmer may have a focused view of what the program is supposed to accomplish and only
test certain functions, input values, and in certain environments.
Another example of separation of duties is the difference between the functions of a computer
operator versus the functions of a system administrator. There must be clear cut lines drawn
between system administrator duties and computer operator duties. This will vary from
environment to environment and will depend on the level of security required within the
environment. The system administrators usually have responsibility of performing backups and
recovery procedures, setting permissions, adding and removing users, setting user clearance, and
developing user profiles. The computer operator on the other hand, may be allowed to install
software, set an initial password, alter desktop configurations, and modify certain system
parameters. The computer operator should not be able to modify her own security profile, add
and remove users globally, or set user security clearance. This would breach the concept of
separation of duties.
Pg 808-809 Shon Harris: All-In-One CISSP Certification
QUESTION 624:
Controls are implemented to:
A. eliminate risk and reduce potential for loss
B. mitigate risk and eliminate the potential for loss
C. mitigate risk and reduce the potential for loss
D. eliminate risk and eliminate the potential for loss
Answer: C
QUESTION 625:
A timely review of system access audit records would be an example of which of the basic
security functions?
A. avoidance
B. deterrence
C. prevention
D. detection
Answer: D
QUESTION 626:
A security control should
A. Allow for many exceptions.
B. Cover all contingencies.
C. Not rely on the security of its mechanism.
D. Change frequently.
Answer: C
QUESTION 627:
What set of principles is the basis for information systems controls?
A. Authentication, audit trails, and awareness briefings
B. Individual accountability, auditing, and separation of duties
C. Need to know, identification, and authenticity
D. Audit trails, limited tenure, and awareness briefings
Answer: C
“In addition to the CIA Triad, there is a plethora of other security-related concepts, principles,
and tenants that should be considered and addressed when designing a security policy and
deploying a security solution. This section discusses privacy, identification, authentication,
authorization, accountability, nonrepudiation, and auditing.” Pg. 133 Tittel: CISSP Study Guide
QUESTION 628:
An audit trail is a category of what control?
A. System, Manual
B. Detective, Technical
C. User, Technical
D. Detective, Manual
Answer: B
Explanation:
Detective Technical Controls warn of technical Access Control violations. Under this
category you would find the following:
Audit trails
Violation reports
Intrusion detection system
Honeypot
QUESTION 629:
An IDS is a category of what control?
A. Detective, Manual
B. Detective, Technical
C. User, Technical
D. System, Manual
Answer: B
Explanation:
Detective Technical Controls warn of technical Access Control violations. Under this
category you would find the following:
Audit trails
Violation reports
Intrusion detection system
Honeypot
QUESTION 630:
Technical controls such as encryption and access control can be built into the operating
system, be software applications, or can be supplemental hardware/software units. Such
controls, also known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing
Answer: B
QUESTION 631:
Which one of the following can be identified when exceptions occur using operations
security detective controls?
A. Unauthorized people seeing confidential reports.
B. Unauthorized people destroying confidential reports.
C. Authorized operations people performing unauthorized functions.
D. Authorized operations people not responding to important console messages.
Answer: C
C is the one that makes the most sence.
[Operation Security] Detective Controls are used to detect an error once it has occurred. Unlike
preventative controls, these controls operate after the fact and can be used to track an
unauthorized transaction for prosecution, or to lessen an error’s impact on the system by
identifying it quickly. An example of this type of control is an audit trail. -Ronald Krutz The
CISSP PREP Guide (gold edition) pg 299
QUESTION 632:
Which of the following is not an example of an operation control?
A. backup and recovery
B. audit trails
C. contingency planning
D. operations procedures
Answer: C
“Operation controls are the mechanisms and daily procedures that provide protection for
systems.”
When designing a protection scheme for resources, it is important to keep the following aspects
or elements of the IT infrastructure in mind:
Communication hardware/software
Boundary devices
Processing equipment
Password files
Application program libraries
Application source code
Vendor software
Operating System
System Utilities
Directories and address tables
Proprietary packages
Main storage
Removable storage
Sensitive/critical data
System logs/audit trails
Violation reports
Backup files and media
Sensitive forms and printouts
Isolated devices, such as printers and faxes
Telephone network”
Pg 406-407 Tittel: CISSP Study Guide
QUESTION 633:
Which of the following is not an example of an operational control?
A. backup and recovery
B. audit trails
C. contingency planning
D. operations procedures
Answer: B
Audit Trails are under Operations Security Auditing opposed to Operations Security Operations
Controls.
“Operations Controls embody the day-to-day procedures used to protect computer operations.
The concepts of resource protection, hardware/software control, and privileged entity must be
understood by the CISSP candidate.” Pg. 311 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 634:
Access control allows you to exercise directing influence over which of the following aspects
of a system?
A. Behavior, user, and content provider.
B. Behavior, use, and content.
C. User logs and content.
D. None of the choices.
Answer: B
Explanation:
Access control is the collection of mechanisms that permits managers of a system to
exercise a directing or restraining influence over the behavior, use, and content of a
system. It permits management to specify what users can do, which resources they can
access, and what operations they can perform on a system.
QUESTION 635:
____________ is the means by which the ability to do something with a computer resource
is explicitly enabled or restricted.
A. Access control
B. Type of access
C. System resource
D. Work permit
Answer: A
Explanation:
Access is the ability to do something with a computer resource (e.g., use, change, or
view). Access control is the means by which the ability is explicitly enabled or
restricted in some way (Usually through physical and system-based controls).
Computer-based access controls can prescribe not only who or what process may have
access to a specific system resource, but also the type of access that is permitted.
These controls may be implemented in the computer system or in external devices.
QUESTION 636:
The ability to do something with a computer resource can be explicitly enabled or
restricted through:
A. Physical and system-based controls.
B. Theoretical and system-based controls.
C. Mental and system-based controls.
D. Physical and trap-based controls.
Answer: A
Explanation:
Access is the ability to do something with a computer resource (e.g., use, change, or
view). Access control is the means by which the ability is explicitly enabled or
restricted in some way (Usually through physical and system-based controls).
Computer-based access controls can prescribe not only who or what process may have
access to a specific system resource, but also the type of access that is permitted.
These controls may be implemented in the computer system or in external devices.
QUESTION 637:
The main categories of access control do NOT include:
A. Administrative Access Control
B. Logical Access Control
C. Random Access Control
D. Physical Access Control
Answer: C
Explanation:
There are several different categories of access control. The main categories are:
–Physical Access Control
–Administrative Access Control
–Logical Access Control
–Data Access Control
QUESTION 638:
You have very strict Physical Access controls. At the same time you have loose Logical
Access Controls. What is true about this setting?
Actualtests.com – The Power of Knowing
CISSP
A. None of the choices.
B. It can 100% secure your environment.
C. It may secure your environment.
D. It may not secure your environment.
Answer: D
Explanation:
Access control is a bit like the four legs of a chair. Each of the legs must be equal
or else an imbalance will be created. If you have very strict Physical Access controls
but very poor Logical Access Controls then you may not succeed in securing your
environment.
QUESTION 639:
Which of the following is not a detective technical control?
A. Intrusion detection system
B. Violation reports
C. Honeypot
D. None of the choices.
Answer: D
Explanation:
Detective Technical Controls warn of technical Access Control violations. Under this
category you would find the following:
Audit trails
Violation reports
Intrusion detection system
Honeypot
QUESTION 640:
A business continuity plan is an example of which of the following?
A. Corrective Control
B. Detective Control
C. Preventive Control
D. Compensating Control
Answer: A
QUESTION 641:
________ Technical Controls warn of technical Access Control violations.
A. Elusive
B. Descriptive
C. Corrective
D. Detective
Answer: D
Explanation:
Detective Technical Controls warn of technical Access Control violations. Under this
category you would find the following:
Audit trails
Violation reports
Intrusion detection system
Honeypot
QUESTION 642:
A two factor authentication method is considered a:
A. Technical control
B. Patching control
C. Corrective control
D. Logical control
Answer: D
Explanation:
By technical controls we mean some or all of the following:
Access Control software
Antivirus Software
Passwords
Smart Cards
Encryption
Call-back systems
Two factor authentication
QUESTION 643:
Which of the following are NOT considered technical controls?
A. Access Control software
B. Man trap
C. Passwords
D. Antivirus Software
Answer: B
Explanation:
By technical controls we mean some or all of the following:
Access Control software
Antivirus Software
Passwords
Smart Cards
Encryption
Call-back systems
Two factor authentication
QUESTION 644:
___________________ are the technical ways of restricting who or what can access system
resources.
A. Preventive Manual Controls
B. Detective Technical Controls
C. Preventive Circuit Controls
D. Preventive Technical Controls
Answer: D
Explanation:
Preventive Technical Controls are the technical ways of restricting who or what can
access system resources and what type of access is permitted. Its purpose is to protect
the OS and other systems from unauthorized modification or manipulation. It is usually
built into an operating system, or it can be a part of an application or program, or an
add-on security package, or special components to regulate communication between
computers. It also protects the integrity and availability by limiting the number of
users and/or processes. These controls also protect confidential information from being
disclosed to unauthorized persons.
QUESTION 645:
Which of the following is not a form of detective administrative control?
A. Rotation of duties
B. Required vacations
C. Separation of duties
D. Security reviews and audits
Answer: C
QUESTION 646:
Preventive Technical Controls are usually built:
A. By using MD5.
B. Into an operating system.
C. By security officer.
D. By security administrator.
Answer: B
Explanation:
Preventive Technical Controls are the technical ways of restricting who or what can
access system resources and what type of access is permitted. Its purpose is to protect
the OS and other systems from unauthorized modification or manipulation. It is usually
built into an operating system, or it can be a part of an application or program, or an
add-on security package, or special components to regulate communication between
computers. It also protects the integrity and availability by limiting the number of
users and/or processes. These controls also protect confidential information from being
disclosed to unauthorized persons.
QUESTION 647:
Preventive Technical Controls cannot:
A. Protect the OS from unauthorized modification.
B. Protect confidential information from being disclosed to unauthorized persons.
C. Protect the OS from unauthorized manipulation.
D. Protect users from being monitored.
Answer: D
Explanation:
Preventive Technical Controls are the technical ways of restricting who or what can
access system resources and what type of access is permitted. Its purpose is to protect
the OS and other systems from unauthorized modification or manipulation. It is usually
built into an operating system, or it can be a part of an application or program, or an
add-on security package, or special components to regulate communication between
computers. It also protects the integrity and availability by limiting the number of
users and/or processes. These controls also protect confidential information from being
disclosed to unauthorized persons.
QUESTION 648:
How do Preventive Technical Controls protect system integrity and availability?
A. By limiting the number of threads only.
B. By limiting the number of system variables.
C. By limiting the number of function calls only.
D. By limiting the number of users and/or processes.
Answer: D
Explanation:
Preventive Technical Controls are the technical ways of restricting who or what can
access system resources and what type of access is permitted. Its purpose is to protect
the OS and other systems from unauthorized modification or manipulation. It is usually
built into an operating system, or it can be a part of an application or program, or an
add-on security package, or special components to regulate communication between
computers. It also protects the integrity and availability by limiting the number of
users and/or processes. These controls also protect confidential information from being
disclosed to unauthorized persons.
QUESTION 649:
Which of the following is NOT a type of access control?
A. Intrusive
B. Deterrent
C. Detective
D. Preventive
Answer: A
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 650:
As a type of access control, which of the following asks for avoiding occurrence?
A. Preventive
B. Deterrent
C. Intrusive
D. Detective
Answer: A
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 651:
As a type of access control, which of the following asks for identifying occurrences?
A. Deterrent
B. Preventive
C. Detective
D. Intrusive
Answer: C
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)

QUESTION 652:
As a type of access control, which of the following asks for discouraging occurrence?
A. Detective
B. Intrusive
C. Deterrent
D. Preventive
Answer: C
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 653:
As a type of access control, which of the following asks for restoring controls?
A. Deterrent
B. Intrusive
C. Corrective
D. Preventive
Answer: C
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 654:
What type of access control focuses on restoring resources?
A. Recovery
B. Preventive
C. Intrusive
D. Corrective
Answer: A
Explanation:
There are different types of access control. Access controls can be categorized as
follows:
Preventive (in order to avoid occurrence)
Detective (in order to detect or identify occurrences)
Deterrent (in order to discourage occurrences)
Corrective (In order to correct or restore controls)
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 655:
Access control is the collection of mechanisms that permits managers of a system to
exercise influence over the use of:
A. A man guard
B. An IS system
C. A threshold
D. A Trap
Answer: B
Explanation:
Access control is the collection of mechanisms that permits managers of a system to
exercise a directing or restraining influence over the behavior, use, and content of a
system. It permits management to specify what users can do, which resources they can
access, and what operations they can perform on a system.
QUESTION 656:
What fencing height is likely to stop a determined intruder?
A. 3′ to 4′ high
B. 6′ to 7′ high
C. 8′ high and above with strands of barbed wire
D. No fence can stop a determined intruder
Answer: C
QUESTION 657:
Lock picking is classified under which one of the following lock mechanism attacks?
A. Illicit key
B. Circumvention
C. Manipulation
D. Shimming
Answer: D
QUESTION 658:
The Physical Security domain addresses three areas that can be utilized to physically
protect an enterprise’s resources and sensitive information. Which of the following is not
one of these areas?
A. Threats
B. Countermeasures
C. Vulnerabilities
D. Risks
Answer: D
QUESTION 659:
Which issue when selecting a facility site deals with the surrounding terrain, building
markings and signs, and high or low population in the area?
A. surrounding area and external entities
B. natural disasters
C. accessibility
D. visibility
Answer: D
QUESTION 660:
Which of the following is not a physical control for physical security?
A. lighting
B. fences
C. training
D. facility construction materials
Answer: C
QUESTION 661:
The main risks that physical security components combat are all of the following
EXCEPT:
A. SYN flood
B. physical damage
C. theft
D. availability
Answer: A
QUESTION 662:
What mechanism automatically causes an alarm originating in a data center to be
transmitted over the local municipal fire or police alarm circuits for relaying to both the
local police/fire station and the appropriate headquarters?
A. Central station alarm
B. Proprietary alarm
C. A remote station alarm
D. An auxiliary station alarm
Answer: A
QUESTION 663:
Examples of types of physical access controls include all except which of the following?
A. badges
B. locks
C. guards
D. passwords
Answer: D
QUESTION 664:
Which of the following is the most costly countermeasures to reducing physical security
risks?
A. procedural controls
B. hardware devices
C. electronic systems
D. personnel
Answer: D
QUESTION 665:
Which of the following protection devices is used for spot protection within a few inches of
the object, rather than for overall room security monitoring?
A. Wave pattern motion detectors
B. Capacitance detectors
C. Field-powered devices
D. Audio detectors
Answer: A
QUESTION 666:
Which of the following questions is less likely to help in assessing physical access controls?
A. Does management regularly review the list of persons with physical access to sensitive
facilities?
B. Is the operating system configured to prevent circumvention of the security software and
application controls?
C. Are keys or other access devices needed to enter the computer room and media library?
D. Are visitors to sensitive areas signed in and escorted?
Answer: B
QUESTION 667:
The concentric circle approach is used to
A. Evaluate environmental threats.
B. Assess the physical security facility,
C. Assess the communications network security.
D. Develop a personnel security program.
Answer: B
The original answer for this question was C (assess the communications network security) however I think the
concentric circle is defining what in the krutz book is know as the security perimeter. To this end this is a
reference
“A circular security perimeter that is under the access control defines the area or zone to be protected.
Preventive/physical controls include fences, badges, multiple doors (man-traps that consists of two doors
physically
separated so that an individual can be ‘trapped’ in the space between the doors after entering one of the doors),
magnetic card entry systems, biometrics (for identification), guards, dogs, environmental control systems
(temperature, humidity, and so forth), and building and access area layout.” -Ronald Krutz The CISSP PREP
Guide (gold edition) pg 13
This is a standard concentric circle model shown in Figure 1 . If you’ve never seen this, you
haven’t had a security lecture.
On the outside is our perimeter. We are fortunate to have some defenses on our base. Although
some bases don’t have people guarding the gates and checking IDs any longer, there’s still the
perception that it’s tougher to commit a crime on a Naval base than it would be at GM.
The point is: How much control do we have over fencing and guards? The answer: Not much.
The next circle, the red circle, contains your internal access controls. For our purposes, the heart
of the red circle is the computer. That’s what I want to zero in on. The internal controls are the
things you can do to keep people out of your PCs and off your network.
http://www.chips.navy.mil/archives/96_oct/file5.htm
QUESTION 668:
The MAIN reason for developing closed-circuit television (CCTV) as part of your physical security program
is to
A. Provide hard evidence for criminal prosecution.
B. Apprehend criminals.
C. Deter criminal activity.
D. Increase guard visibility.
Answer: D
A CCTV enables a guard to monitor many different areas at once from a centralized location.-
Shon Harris All-in-one CISSP Certification Guide pg 179-180
QUESTION 669:
Closed circuit TV is a feature of:
A. Detective Physical Controls
B. Corrective Physical Controls
C. Corrective Logical Controls
D. Logical Physical Controls
Answer: A
Explanation:
Detective Physical Controls would use the following: motion detectors, closed circuit
TV, sensors, and alarms.
QUESTION 670:
Motion detector is a feature of:
A. Corrective Logical Controls.
B. Logical Physical Controls.
C. Corrective Physical Controls.
D. Detective Physical Controls.
Answer: D
Explanation:
Detective Physical Controls would use the following: motion detectors, closed circuit
TV, sensors, and alarms.
QUESTION 671:
Which of the following is a physical control?
A. Monitoring of system activity
B. Environmental controls
C. Identification and authentication methods
D. Logical access control mechanisms
Answer: B
QUESTION 672:
Which of the following is a detective control?
A. Segregation of duties
B. Back-up procedures
C. Audit trails
D. Physical access control
Answer: C
QUESTION 673:
The basic Electronic Access Control (EAC) components required for access doors are an electromagnetic
lock,
A. A credential reader, and a door closed sensor.
B. A card reader, and a door open sensor.
C. A biometric reader, and a door open sensor.
D. A card reader, and door motion detector.
Answer: A
We have not been able to find any reference to this question really. So we are going with A
“In addition to smart and dumb cards, proximity readers can be used to control physical access.
A proximity reader can be passive device, a field-powered device, or a transponder.” – Ed Tittle
CISSP Study Guide (sybex) pg 650
QUESTION 674:
Which of the following control pairing places emphasis on “soft” mechanisms that support
the access control objectives?
A. Preventive/Technical Pairing
B. Preventive/Administrative Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
Answer: B
“Preventive-Administrative
The following are the soft mechanisms that are put into place to enforce access control and
protection for the company as a whole:
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness”
Pg. 157 Shon Harris: All-In-One CISSP Certification Guide.
QUESTION 675:
Controls like guards and general steps to maintain building security, securing of server
rooms or laptops, the protection of cables, and the backing up of files are some of the
examples of:
A. Administrative controls
B. Logical controls
C. Technical controls
D. Physical controls
Answer: D
QUESTION 676:
Which of the following is NOT a type of motion detector?
A. photoelectric sensor
B. wave pattern
C. capacitance
D. audio detector
Answer: D
Explanation: Audio detector detects sound not motion
Not A: A photoelectric sensor is a motion sensor that’s what it was designed to do.
QUESTION 677:
Which of the following measures would be the BEST deterrent to the theft of corporate
information from a laptop which was left in a hotel room?
A. Store all data on disks and lock them in an in-room safe
B. Remove the batteries and power supply from the laptop and store them separately from the
computer
C. Install a cable lock on the laptop when it is unattended
D. Encrypt the data on the hard drive
Answer: D
QUESTION 678:
Guards are appropriate whenever the function required by the security program involves
which of the following?
A. The use of discriminating judgment
B. The use of physical force
C. The operation of access control devices
D. The need to detect unauthorized access
Answer: A
QUESTION 679:
Which of the following floors would be most appropriate to locate information processing
facilities in a 6-stories building?
A. Basement
B. Ground floor
C. Third floor
D. Sixth floor
Answer: C
QUESTION 680:
Which of the following risk will most likely affect confidentiality, integrity and availability?
A. Physical damage
B. Unauthorized disclosure of information
C. Loss of control over system
D. Physical theft
Answer: D
QUESTION 681:
Which is the last line of defense in a physical security sense?
A. people
B. interior barriers
C. exterior barriers
D. perimeter barriers
Answer: A
QUESTION 682:
The recording of events with a closed-circuit TV camera is considered a:
A. Preventative control
B. Detective control
C. Compensating control
D. Corrective Control
Answer: B
QUESTION 683:
Sensor is:
A. Logical, Physical
B. Corrective, Logical
C. Detective, Physical
D. Corrective, Physical
Answer: C
Explanation:
Detective Physical Controls would use the following: motion detectors, closed circuit
TV, sensors, and alarms.
QUESTION 684:
What fencing height is likely to stop a determined intruder?
A. 3′ to 4′ high
B. 6′ to 7′ high
C. 8′ high and above with strands of barbed wire
D. No fence can stop a determined intruder
Answer: C
Reference: “2.4 meters/8 feet with top guard: Deters determined intruder”. Pg 467 Hansche:
Official (ISC)2 Guide to the CISSP Exam
QUESTION 685:
A controlled light fixture mounted on a 5-meter pole can illuminate an area 30 meter in diameter.
For security lighting purposes, what would be the proper distance between fixtures?
A. 25 meters
B. 30 meters
C. 35 meters
D. 40 meters
Answer: B
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter
protection states that critical areas should be illuminated eight feet high and two feet out. (It is
referred to as two-feet candles that reach eight feet in height) – Shon Harris All-in-one CISSP
Certification Guide pg 325
QUESTION 686:
Critical areas should be lighted:
A. Eight feet high and two feet out
B. Eight feet high and four feet out
C. Ten feet high and four feet out
D. Ten feet high and six feet out
Answer: A
QUESTION 687:
Which of the following statements regarding an off-site information processing facility is
TRUE?
A. It should have the same amount of physical access restrictions as the primary processing unit
B. It should be located in proximity to the originating site so that it can quicl be made
operational
C. It should be easily identified from the outside so in the event of an emergency it can be easily
found
D. Need not have the same level of environmental monitoring as the originating site since this
would be cost prohibitive
Answer: A
QUESTION 688:
Which of the following is electromagnetic interference (EMI) that is noise from the
radiation generated by the difference between the hot and ground wires?
A. common-mode noise
B. traverse-mode noise
C. transversal-mode noise
D. crossover-mode noise
Answer: A
QUESTION 689:
Which of the following is NOT a precaution you can take to reduce static electricity?
A. power line conditioning
B. anti-static sprays
C. maintain proper humidity levels
D. anti-static flooding
Answer: A
QUESTION 690:
Devices that supply power when the commercial utility power system fails are called which
of the following?
A. power conditioners
B. uninterruptible power supplies
C. power filters
D. power dividers
Answer: B
QUESTION 691:
A prolonged high voltage is a:
A. spike
B. blackout
C. surge
D. fault
Answer: C
QUESTION 692:
A prolonged power supply that is below normal voltage is a:
A. brownout
B. blackout
C. surge
D. fault
Answer: A
QUESTION 693:
A prolonged power outage is a:
A. brownout
B. blackout
C. surge
D. fault
Answer: B
QUESTION 694:
A momentary power outage is a:
A. spike
B. blackout
C. surge
D. fault
Answer: D
QUESTION 695:
What can be defined as a momentary low voltage?
A. Spike
B. Sag
C. Fault
D. Brownout
Answer: B
QUESTION 696:
Electrical systems are the lifeblood of computer operations. The continued supply of clean,
steady power is required to maintain the proper personnel environment as well as to
sustain data operations. Which of the following is not an element that can threaten power
systems?
A. Noise
B. Humidity
C. Brownouts
D. UPS
Answer: D
QUESTION 697:
Under what conditions would use of a “Class C” hand-held fire extinguisher be preferable
to use of a “Class A” hand-held fire extinguisher?
A. When the fire is in its incipient stage
B. When the fire involves electrical equipment
C. When the fire is located in an enclosed area
D. When the fire is caused by flammable products
Answer: B
QUESTION 698:
Which of the following is a class C fire?
A. electrical
B. liquid
C. common combustibles
D. soda acid
Answer: A
QUESTION 699:
Which of the following is not a EPA-approved replacement for Halon?
A. Water
B. Argon
C. NAF-S-III
D. Bromine
Answer: D
QUESTION 700:
Which of the following suppresses combustion through a chemical reaction that kills the
fire?
A. Halon
B. Co2
C. water
D. soda acid
Answer: A

Leave a Reply

Your email address will not be published. Required fields are marked *