CISSP Questions – Volume 03 – 401-600 Questions

QUESTION 401: 
With __________, access decisions are based on the roles that individual users have as part 
of an organization. 
A. Server based access control. 
B. Rule based access control. 
C. Role based access control. 
D. Token based access control. 
Answer: C 
Explanation: 
With role-based access control, access decisions are based on the roles that individual 
users have as part of an organization. Users take on assigned roles (such as doctor, 
nurse, teller, manager). The process of defining roles should be based on a thorough 
analysis of how an organization operates and should include input from a wide spectrum 
of users in an organization. 
QUESTION 402: 
Under Role based access control, access rights are grouped by: 
A. Policy name 
B. Rules 
C. Role name 
D. Sensitivity label 
Answer: C 
Explanation: 
With role-based access control, access rights are grouped by role name, and the use of 
resources is restricted to individuals authorized to assume the associated role. For 
example, within a hospital system the role of doctor can include operations to perform 
diagnosis, prescribe medication, and order laboratory tests; and the role of researcher 
can be limited to gathering anonymous clinical information for studies. 
QUESTION 403: 
Which of the following will you consider as a "role" under a role based access control 
system? 
A. Bank rules 
B. Bank computer 
C. Bank teller 
D. Bank network 
Answer: C 
Explanation: 
With role-based access control, access rights are grouped by role name, and the use of 
resources is restricted to individuals authorized to assume the associated role. For 
example, within a hospital system the role of doctor can include operations to perform 
diagnosis, prescribe medication, and order laboratory tests; and the role of researcher 
can be limited to gathering anonymous clinical information for studies. 
QUESTION 404: 
Role based access control is attracting increasing attention particularly for what 
applications? 
A. Scientific 
B. Commercial 
C. Security 
D. Technical 
Answer: B 
Explanation: 
Role based access control (RBAC) is a technology that is attracting increasing 
attention, particularly for commercial applications, because of its potential for 
reducing the complexity and cost of security administration in large networked 
applications. 
QUESTION 405: 
What is one advantage of deploying Role based access control in large networked 
applications? 
A. Higher security 
B. Higher bandwidth 
C. User friendliness 
D. Lower cost 
Answer: D 
Explanation: 
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) 
and mandatory access control (MAC) policies. The principal motivation behind RBAC is 
the desire to specify and enforce enterprise-specific security policies in a way that 
maps naturally to an organization's structure. Traditionally, managing security has 
required mapping an organization's security policy to a relatively low-level set of 
controls, typically access control lists. 
QUESTION 406: 
DAC and MAC policies can be effectively replaced by: 
A. Rule based access control. 
B. Role based access control. 
C. Server based access control. 
D. Token based access control 
Answer: B 
Explanation: 
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) 
and mandatory access control (MAC) policies. The principal motivation behind RBAC is 
the desire to specify and enforce enterprise-specific security policies in a way that 
maps naturally to an organization's structure. Traditionally, managing security has 
required mapping an organization's security policy to a relatively low-level set of 
controls, typically access control lists. 
QUESTION 407: 
Which of the following correctly describe Role based access control? 
A. It allows you to specify and enforce enterprise-specific security policies in a way that maps to 
your user profile groups. 
B. It allows you to specify and enforce enterprise-specific security policies in a way that maps to 
your organization's structure. 
C. It allows you to specify and enforce enterprise-specific security policies in a way that maps to 
your ticketing system. 
D. It allows you to specify and enforce enterprise-specific security policies in a way that maps to 
your ACL. 
Answer: B 
Explanation: 
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) 
and mandatory access control (MAC) policies. The principal motivation behind RBAC is 
the desire to specify and enforce enterprise-specific security policies in a way that 
maps naturally to an organization's structure. Traditionally, managing security has 
required mapping an organization's security policy to a relatively low-level set of 
controls, typically access control lists. 
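The hospital roles used in the explanations above, worked through as a small RBAC policy engine. This is an added example, not code from the original page; all role, permission and user names are constructed for illustration.

```python
# Added example, not from the original page: a minimal RBAC policy engine using
# the hospital roles named in the explanations above. All role, permission and
# user names are constructed for illustration.


class RBAC:
    """Users hold roles; roles hold permissions. Access is decided via roles only."""

    def __init__(self):
        self.role_perms = {}   # role -> set of permitted operations
        self.user_roles = {}   # user -> set of assigned roles

    def define_role(self, role, permissions):
        self.role_perms[role] = set(permissions)

    def assign_role(self, user, role):
        # Refuse roles the policy never defined: a typo would otherwise create
        # a silent, permission-less ghost role that nobody reviews.
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, operation):
        """The access decision: allowed only if some role held by the user grants it."""
        return operation in self.permissions(user)

    def holders(self, role):
        """Review helper: who is currently authorized to assume this role."""
        return sorted(u for u, roles in self.user_roles.items() if role in roles)


def hospital_policy():
    """Roles from the page's hospital example, plus constructed users."""
    rbac = RBAC()
    rbac.define_role("doctor", {"perform_diagnosis", "prescribe_medication", "order_lab_tests"})
    rbac.define_role("nurse", {"record_vitals", "administer_medication"})
    rbac.define_role("researcher", {"read_anonymized_clinical_data"})
    rbac.assign_role("alice", "doctor")
    rbac.assign_role("bob", "nurse")
    rbac.assign_role("carol", "researcher")
    return rbac


def transfer_user(rbac, user, old_role, new_role):
    """A job change is one role swap, not an edit of many per-object ACL entries.
    Returns the user's effective permissions after the swap."""
    rbac.revoke_role(user, old_role)
    rbac.assign_role(user, new_role)
    return rbac.permissions(user)


if __name__ == "__main__":
    policy = hospital_policy()
    for user, op in [("alice", "prescribe_medication"), ("carol", "prescribe_medication")]:
        print(f"{user} -> {op}: {'ALLOW' if policy.check(user, op) else 'DENY'}")
    print("carol after moving to nursing:",
          sorted(transfer_user(policy, "carol", "researcher", "nurse")))
```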
QUESTION 408: 
Which of the following RFCs talks about Rule Based Security Policy? 
A. 1316 
B. 1989 
C. 2717 
D. 2828 
Answer: D 
Explanation: 
The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A 
security policy based on global rules imposed for all users. These rules usually rely 
on comparison of the sensitivity of the resource being accessed and the possession of 
corresponding attributes of users, a group of users, or entities acting on behalf of 
users. 
QUESTION 409: 
With Rule Based Security Policy, a security policy is based on: 
A. Global rules imposed for all users. 
B. Local rules imposed for some users. 
C. Global rules imposed for nobody. 
D. Global rules imposed for only the local users. 
Answer: A 
Explanation: 
The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A 
security policy based on global rules imposed for all users. These rules usually rely 
on comparison of the sensitivity of the resource being accessed and the possession of 
corresponding attributes of users, a group of users, or entities acting on behalf of 
users. 
QUESTION 410: 
With Rule Based Security Policy, global rules usually rely on comparison of the _______ of 
the resource being accessed. 
A. A group of users. 
B. Users 
C. Sensitivity 
D. Entities 
Answer: C 
Explanation: 
The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A 
security policy based on global rules imposed for all users. These rules usually rely 
on comparison of the sensitivity of the resource being accessed and the possession of 
corresponding attributes of users, a group of users, or entities acting on behalf of 
users. 
QUESTION 411: 
Which of the following is a facial feature identification product that can employ artificial 
intelligence and can require the system to learn from experience? 
A. All of the choices. 
B. Digital nervous system. 
C. Neural networking 
D. DSV 
Answer: C 
Explanation: 
There are facial feature identification products that are on the market that use other 
technologies or methods to capture one's face. One type of method used is neural 
networking technology. This type of technology can employ artificial intelligence that 
requires the system to "learn" from experience. This "learning" experience helps the 
system to close in on an identification of an individual. Most facial feature 
identification systems today only allow for two-dimensional frontal images of one's 
face. 
Not DSV: 
Signature biometrics are often referred to as dynamic signature verification (DSV) and look at the 
way we sign our names. The dynamic nature differentiates it from the study of static 
signatures on paper. Within DSV a number of characteristics can be extracted from the physical 
signing process. Examples of these behavioral characteristics are the angle at which the pen is held, the 
time taken to sign, the velocity and acceleration of the tip of the pen, and the number of times the pen is 
lifted from the paper. Despite the fact that the way we sign is mostly learnt over the years, it is 
very hard to forge and replicate. 
QUESTION 412: 
Which option is NOT a benefit derived from the use of neural networks? 
A. Linearity 
B. Input-Output Mapping 
C. Adaptivity 
D. Fault Tolerance 
Answer: D 
Linearity: "If the sum of the weighted inputs then exceeds the threshold, the neuron will "fire" 
and there will be an output from that neuron. An alternative approach would be to have the 
output of the neuron be a linear function of the sum of the artificial neuron inputs." 
Input-Output Mapping: "For example, if a specific output vector was required for a specific input 
where the relationship between input and output was non-linear, the neural network would be 
trained by applying a set of input vectors." 
Adaptivity: "The neural network would then be said to have learned to provide the correct 
response for each input vector." 
Pg. 261 Krutz: The CISSP Prep Guide 
QUESTION 413: 
Which of the following is a characteristic of a decision support system (DSS)? 
A. DSS is aimed at solving highly structured problems 
B. DSS emphasizes flexibility in the decision making approach of users 
C. DSS supports only structured decision-making tasks 
D. DSS combines the use of models with non-traditional data access and retrieval functions 
Answer: B 
QUESTION 414: 
Which of the following is a communication mechanism that enables direct conversation 
between two applications? 
A. DDE 
B. OLE 
C. ODBC 
D. DCOM
Answer: A 
"Dynamic Data Exchange (DDE) enables applications to share data by providing IPC. It is based 
on the client/server model and enables two programs to send commands to each other directly. 
DDE is a communication mechanism that enables direct conversation between two applications. 
The source of the data is called the server, and the receiver of the data is the client." Pg. 718 
Shon Harris: All-In-One CISSP Certification Exam Guide 
QUESTION 415: 
Which expert system operating mode allows determining if a given hypothesis is valid? 
A. Vertical chaining 
B. Lateral chaining 
C. Forward chaining 
D. Backward chaining 
Answer: D 
"The expert system operates in either a forward-chaining or backward-chaining mode. In a 
forward-chaining mode, the expert system acquires information and comes to a conclusion based 
on that information. Forward-chaining is the reasoning approach that can be used when there is a 
small number of solutions relative to the number of inputs. In a backward-chaining mode, the 
expert system backtracks to determine if a given hypothesis is valid. Backward-chaining is 
generally used when there are a large number of possible solutions relative to the number of 
inputs. Another type of expert system is the blackboard. A blackboard is an expert 
system-reasoning methodology in which a solution is generated by the use of a virtual 
"blackboard," wherein information or potential solutions are placed on the blackboard by the 
plurality of individuals or expert knowledge sources. As more information is placed on the 
blackboard in an iterative process, a solution is generated." Pg 354 Krutz: The CISSP Prep 
Guide: Gold Edition 
QUESTION 416: 
Which one of the following is a security issue related to aggregation in a database? 
A. Polyinstantiation 
B. Inference 
C. Partitioning 
D. Data swapping 
Answer: B 
Inference is the ability of users to infer or deduce information about data at sensitivity levels for 
which they do not have access privileges. -Ronald Krutz The CISSP PREP Guide (gold edition) 
pg 358 
The other security issue is inference, which is very similar to aggregation. - Shon Harris 
All-in-one CISSP Certification Guide pg 727 
Partitioning a database involves dividing the database into different parts, which makes it much 
harder for an unauthorized individual to find connecting pieces of data that can be brought 
together and other information that can be deduced or uncovered. - Shon Harris All-in-one 
CISSP Certification Guide pg 726 
Polyinstantiation- This enables a relation to contain multiple tuples with the same primary keys 
with each instance distinguished by a security level. - Shon Harris All-in-one CISSP 
Certification Guide pg 727 
QUESTION 417: 
How is polyinstantiation used to secure a multilevel database? 
A. It prevents low-level database users from inferring the existence of higher level data. 
B. It confirms that all constrained data items within the system conform to integrity 
specifications. 
C. It ensures that all mechanisms in a system are responsible for enforcing the database security 
policy. 
D. Two operations at the same layer will conflict if they operate on the same data item and at 
least one of them is an update. 
Answer: A 
"Polyinstantiation is the development of a detailed version of an object from another object using 
different values in the new object. In the database information security, this term is concerned 
with the same primary key for different relations at different classification levels being stored in 
the same database. For example, in a relational database, the name of a military unit may be 
classified Secret in the database and may have an identification number as the primary key. If 
another user at a lower classification level attempts to create a confidential entry for another 
military unit using the same identification number as a primary key, a rejection of this attempt 
would imply to the lower level user that the same identification number existed at a higher level 
of classification. To avoid this inference channel of information, the lower level user would be 
issued the same identification number for their unit and the database management system would 
manage this situation where the same primary key was used for different units." Pg 352-353 
Krutz: The CISSP Prep Guide: Gold Edition. 
"Polyinstantiation occurs when two or more rows in the same table appear to have identical 
primary key elements but contain different data for use at differing classification levels. 
Polyinstantiation is often used as a defense against some types of inference attacks. 
For example, consider a database table containing the location of various naval ships on patrol. 
Normally, this database contains the exact position of each ship stored at the level with secret 
classification. However, one particular ship, the USS UpToNoGood, is on an undercover mission 
to a top-secret location. Military commanders do not want anyone to know that the ship deviated 
from its normal patrol. If the database administrators simply change the classification of the 
UpToNoGood's location to top secret, a user with secret clearance would know that something 
unusual was going on when they couldn't query the location of the ship. However, if 
polyinstantiation is used, two records could be inserted into the table. The first one, classified at 
the top secret level, would reflect the true location of the ship and be available only to users with 
the appropriate top secret security clearance. The second record, classified at the secret level, 
would indicate that the ship was on routine patrol and would be returned to users with a secret 
clearance." 
Pg. 191 Tittel: CISSP Study Guide Second Edition 
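The USS UpToNoGood scenario quoted above, worked through as a polyinstantiated SQLite table. This is an added example, not code from the original page or from the cited books; the ship names, classification labels and locations are constructed sample data.

```python
# Added example, not from the original page: a polyinstantiated table in SQLite
# built around the USS UpToNoGood scenario above. Ship names, labels and
# locations are constructed sample data.
import sqlite3

SCHEMA = """
CREATE TABLE clearance_level (
    label TEXT PRIMARY KEY,
    rank  INTEGER NOT NULL
);
-- The classification label is part of the key, so the same ship_name may
-- legitimately appear once per level: that is the polyinstantiation.
CREATE TABLE ship_location (
    ship_name      TEXT NOT NULL,
    classification TEXT NOT NULL REFERENCES clearance_level(label),
    location       TEXT NOT NULL,
    PRIMARY KEY (ship_name, classification)
);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO clearance_level VALUES (?, ?)",
                     [("unclassified", 0), ("confidential", 1),
                      ("secret", 2), ("top_secret", 3)])
    conn.executemany("INSERT INTO ship_location VALUES (?, ?, ?)", [
        ("USS Routine",    "secret",     "patrol box 7, North Atlantic"),
        # Cover story returned to Secret users ...
        ("USS UpToNoGood", "secret",     "routine patrol"),
        # ... and the true location, visible only with Top Secret clearance.
        ("USS UpToNoGood", "top_secret", "covert station, grid 41-17"),
    ])
    conn.commit()
    return conn


def query_location(conn, ship, clearance):
    """Return the single instance a user at `clearance` should see: the highest
    classified row whose label is dominated by that clearance, or None."""
    row = conn.execute(
        """
        SELECT s.location
        FROM ship_location s
        JOIN clearance_level c ON c.label = s.classification
        WHERE s.ship_name = ?
          AND c.rank <= (SELECT rank FROM clearance_level WHERE label = ?)
        ORDER BY c.rank DESC
        LIMIT 1
        """,
        (ship, clearance),
    ).fetchone()
    return row[0] if row else None


def insert_location(conn, ship, classification, location):
    """Insert a row at the caller's own level. Because the key includes the
    label, a lower-level user is not rejected when a higher-level row with the
    same ship_name already exists, so a failed insert cannot reveal that
    higher-level data exists (the inference channel the text describes)."""
    try:
        conn.execute("INSERT INTO ship_location VALUES (?, ?, ?)",
                     (ship, classification, location))
        conn.commit()
        return True
    except sqlite3.IntegrityError:   # only an exact (ship, label) duplicate fails
        conn.rollback()
        return False


if __name__ == "__main__":
    db = build_db()
    for level in ("confidential", "secret", "top_secret"):
        print(f"{level:>12}: {query_location(db, 'USS UpToNoGood', level)}")
```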
QUESTION 418: 
Which of the following defines the software that maintains and provides access to the 
database? 
A. database management system (DBMS) 
B. relational database management systems (RDBMS) 
C. database identification system (DBIS) 
D. Interface Definition Language system (IDLS) 
Answer: A 
QUESTION 419: 
Which of the following is not a responsibility of a database administrator? 
A. Maintaining databases 
B. Implementing access rules to databases 
C. Reorganizing databases 
D. Providing access authorization to databases 
Answer: D 
QUESTION 420: 
SQL commands do not include which of the following? 
A. Select, Update 
B. Grant, Revoke 
C. Delete, Insert 
D. Add, Replace 
Answer: D 
"SQL commands include Select, Update, Delete, Insert, Grant, and Revoke." Pg 62 Krutz: 
CISSP Prep Guide: Gold Edition 
QUESTION 421: 
A persistent collection of interrelated data items can be defined as which of the following? 
A. database 
B. database management system 
C. database security 
D. database shadowing 
Answer: A 
QUESTION 422: 
Which one of the following is commonly used for retrofitting multilevel security to a Database Management 
System? 
A. Trusted kernel 
B. Kernel controller 
C. Front end controller 
D. Trusted front-end 
Answer: D 
QUESTION 423: 
Which of the following is the marriage of object-oriented and relational technologies 
combining the attributes of both? 
A. object-relational database 
B. object-oriented database 
C. object-linking database 
D. object-management database 
Answer: A 
QUESTION 424: 
A department manager has read access to the salaries of the employees in his/her 
department but not to the salaries of employees in other departments. A database security 
mechanism that enforces this policy would typically be said to provide which of the 
following? 
A. content-dependent access control 
B. context-dependent access control 
C. least privileges access control 
D. ownership-based access control 
Answer: A 
"Database security takes a different approach than operating system security. In an operating 
system, the identity and authentication of the subject controls access. This is done through access 
control lists (ACLs), capability tables, roles, and security labels. The operating system only 
makes decisions about where a subject can access a file; it does not make these decisions based on 
the contents of the file itself. If Mitch can access file A, it does not matter if that file contains 
information about a cookie recipe or secret information from the Cold War. On the other hand, 
database security does look at the contents of a file when it makes an access control decision, 
which is referred to as content-dependent access control. This type of access control increases 
processing overhead, but it provides higher granular control." Pg. 677 Shon Harris: CISSP 
Certification All-in-One Exam Guide 
QUESTION 425: 
Which of the following is an important part of database design that ensures that attributes 
in a table depend only on the primary key? 
A. Normalization 
B. Assimilation 
C. Reduction 
D. Compaction 
Answer: A 
QUESTION 426: 
Which of the following does not address Database Management Systems (DBMS) Security? 
A. Perturbation 
B. Cell suppression 
C. Padded Cells 
D. Partitioning 
Answer: C 
QUESTION 427: 
Which of the following is commonly used for retrofitting multilevel security to a database 
management system? 
A. trusted front-end 
B. trusted back-end 
C. controller 
D. kernel 
Answer: A 
QUESTION 428: 
Normalizing data within a database includes all of the following except which? 
A. Eliminating repeating groups by putting them into separate tables 
B. Eliminating redundant data 
C. Eliminating attributes in a table that are not dependent on the primary key of that table 
D. Eliminating duplicate key fields by putting them into separate tables 
Answer: D 
"Data Normalization 
Normalization is an important part of database design that ensures that attributes in a table 
depend only on the primary key. This process makes it easier to maintain data and have 
consistent reports. 
Normalizing data in the database consists of three steps: 
1.) Eliminating any repeating groups by putting them into separate tables 
2.) Eliminating redundant data (occurring in more than one table) 
3.) Eliminating attributes in a table that are not dependent on the primary key of that table" 
Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 429: 
SQL commands do not include which of the following? 
A. Select, Update 
B. Grant, Revoke 
C. Delete, Insert 
D. Add, Replace 
Answer: D 
"SQL commands include Select, Update, Delete, Grant, and Revoke." Pg. 62 Krutz: The CISSP 
Prep Guide: Gold Edition 
"Developed by IBM, SQL is a standard data manipulation and relational database definition 
language. The SQL Data Definition Language creates and deletes views and relations (tables). 
SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two 
commands are used in access control to grant and revoke privileges to resources. Usually, the 
owner of an object can withhold or transfer GRANT privileges to an object to another subject. If 
the owner intentionally does not transfer the GRANT privileges, however, which are relative to 
an object to the individual A, A cannot pass on the GRANT privileges to another subject. In 
some instances, however, this security control can be circumvented. For example, if A copies the 
object, A essentially becomes the owner of that object and thus can transfer the GRANT 
privileges to another user, such as user B. 
SQL security issues include the granularity of authorization and the number of different ways 
you can execute the same query." 
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 430: 
SQL security issues include which of the following? 
A. The granularity of authorizations 
B. The size of databases 
C. The complexity of key structures 
D. The number of candidate key elements 
Answer: A 
Developed by IBM, SQL is a standard data manipulation and relational database definition 
language. The SQL Data Definition Language creates and deletes views and relations (tables). 
SQL commands include Select, Update, Delete, Insert, Grant, and Revoke. The latter two 
commands are used in access control to grant and revoke privileges to resources. Usually, the 
owner of an object can withhold or transfer GRANT privileges to an object to another subject. If 
the owner intentionally does not transfer the GRANT privileges, however, which are relative to 
an object to the individual A, A cannot pass on the GRANT privileges to another subject. In 
some instances, however, this security control can be circumvented. For example, if A copies the 
object, A essentially becomes the owner of that object and thus can transfer the GRANT 
privileges to another user, such as user B. 
SQL security issues include the granularity of authorization and the number of different ways 
you can execute the same query. 
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 431: 
Which of the following are placeholders for literal values in a Structured Query Language 
(SQL) query being sent to the database on a server? 
A. Bind variables 
B. Assimilation variables 
C. Reduction variables 
D. Resolution variables 
Answer: A 
QUESTION 432: 
What ensures that attributes in a table depend only on the primary key? 
A. Referential integrity 
B. The database management system (DBMS) 
C. Data Normalization 
D. Entity integrity 
Answer: C 
QUESTION 433: 
Which of the following represent the rows of the table in a relational database? 
A. attributes 
B. records or tuples 
C. record retention 
D. relation 
Answer: B 
QUESTION 434: 
With regard to databases, which of the following has characteristics of ease of reusing code 
and analysis and reduced maintenance? 
A. Object-Oriented Data Bases (OODB) 
B. Object-Relational Data Bases (ORDB) 
C. Relational Data Bases 
D. Data Base management systems (DBMS) 
Answer: A 
QUESTION 435: 
Complex applications involving multimedia, computer aided design, video, graphics, and 
expert systems are more suited to which of the following? 
A. Object-Oriented Data Bases (OODB) 
B. Object-Relational Data Bases 
C. Relational Data Bases 
D. Data base management systems (DBMS) 
Answer: A 
QUESTION 436: 
Which of the following refers to the number of columns in a table? 
A. Schema 
B. Relation 
C. Degree 
D. Cardinality 
Answer: C 
QUESTION 437: 
Which of the following refers to the number of rows in a relation? 
A. cardinality 
B. degree 
C. depth 
D. breadth 
Answer: A 
QUESTION 438: 
Which of the following refers to the number of columns in a relation? 
A. degree 
B. cardinality 
C. depth 
D. breadth 
Answer: A 
QUESTION 439: 
What is one disadvantage of content-dependent protection of information? 
A. It increases processing overhead 
B. It requires additional password entry 
C. It exposes the system to data locking 
D. It limits the user's individual address space 
Answer: A 
Content-Dependent Access Control 
"Just like the name sounds, access to objects is determined by the content within the object. This 
is used many times in databases and the type of Web-based material a firewall allows...If a table 
within the database contains information about employees' salaries, the managers were not 
allowed to view it, but they could view information about an employee's work history. The 
content of the database fields dictates which user can see specific information within the 
database tables." pg 161 Shon Harris: All-In-One CISSP Certification. Decisions will have to be 
made about the content, therefore increasing processing overhead. 
QUESTION 440: 
Which one of the following control steps is usually NOT performed in data warehousing 
applications? 
A. Monitor summary tables for regular use. 
B. Control meta data from being used interactively. 
C. Monitor the data purging plan. 
D. Reconcile data moved between the operations environment and data warehouse. 
Answer: A 
Not B: It is important to control meta data from being used interactively by unauthorized users. 
"Data warehouses and data mining are significant to security professionals for two reasons. First, 
as previously mentioned, data warehouses contain large amounts of potentially sensitive 
information vulnerable to aggregation and inference attacks, and security practitioners must 
ensure that adequate access controls and other security measures are in place to safeguard this 
data." Pg 192 Tittel: CISSP Study Guide 
Not C: "The data in the data warehouse must be maintained to ensure that it is timely and valid. 
The term data scrubbing refers to maintenance of the data warehouse by deleting information 
that is unreliable or no longer relevant." Pg 358-359 Krutz: The CISSP Prep Guide: Gold Edition 
Not D: "To create a data warehouse, data is taken from an operational database, redundancies are 
removed, and the data is "cleaned up" in general." Pg 358 Krutz: The CISSP Prep Guide: Gold 
Edition 
QUESTION 441: 
A storage information architecture does not address which of the following? 
A. archiving of data 
B. collection of data 
C. management of data 
D. use of data 
Answer: A 
QUESTION 442: 
Which of the following can be defined as the set of allowable values that an attribute can 
take? 
A. domain of a relation 
B. domain name service of a relation 
C. domain analysis of a relation 
D. domains, in database of a relation 
Answer: A 
QUESTION 443: 
Programmed procedures which ensure that valid transactions are processed accurately and only once in the 
current timescale are referred to as 
A. Data installation controls 
B. Application controls 
C. Operation controls 
D. Physical controls 
Answer: B 
QUESTION 444: 
What is the most effective means of determining how controls are functioning within an 
operating system? 
A. Interview with computer operator 
B. Review of software control features and/or parameters 
C. Review of operating system manual 
D. Interview with product vendor 
Answer: B 
QUESTION 445: 
What is the most effective means of determining how controls are functioning within an 
operating system? 
A. Interview with computer operator 
B. Review of software control features and/or parameters 
C. Review of operating system manual 
D. Interview with product vendor 
Answer: B 
QUESTION 446: 
Program change controls must ensure that all changes are 
A. Audited to verify intent. 
B. Tested to ensure correctness. 
C. Implemented into production systems. 
D. Within established performance criteria. 
Answer: B 
Document the change. Once the change is approved, it should be entered into a change log 
and the log should be updated as the process continues toward completion. 
Tested and presented. The change must be fully tested to uncover any unforeseen results. 
Depending on the severity of the change and the company's organization, the change and 
implementation may need to be presented to a change control committee. This helps show 
different sides to the purpose and outcome of the change and the possible ramifications. - Shon 
Harris All-in-one CISSP Certification Guide pg 815 
QUESTION 447: 
Which statement is NOT true concerning Application Control? 
A. It limits end users' use of applications in such a way that only particular screens are visible 
B. Only specific records can be requested 
C. Particular uses of application can be recorded for audit purposes 
D. Is non-transparent to the endpoint applications so changes are needed to the applications 
involved 
Answer: D 
QUESTION 448: 
A computer program used to process the weekly payroll contains an instruction that the 
amount of the gross pay cannot exceed $2,500 for any one employee. This instruction is an 
example of a control that is referred to as a: 
A. sequence check 
B. check digit 
C. limit check 
D. record check 
Answer: C 
QUESTION 449: 
What are edit controls? 
A. Preventive controls 
B. Detective controls 
C. Corrective controls 
D. Compensating controls 
Answer: A 
Explanation: 
"Challenge Handshake Authentication Protocol (CHAP) One of the authentication protocols 
used over PPP links. CHAP encrypts usernames and passwords." Pg. 682 Glossary: Tittel: 
CISSP Study Guide 
QUESTION 450: 
Which one of the following properties of a transaction processing system ensures that once a transaction 
completes successfully (commits), its updates survive even if there is a system failure? 
A. Atomicity 
B. Consistency 
C. Isolation 
D. Durability 
Answer: A 
Atomicity is correct. Consistency is not a viable answer. 
Atomicity states that database modifications must follow an "all or nothing" rule. Each 
transaction is said to be "atomic." If one part of the transaction fails, the entire transaction fails. 
It is critical that the database management system maintain the atomic nature of transactions in 
spite of any DBMS, operating system or hardware failure. 
Consistency states that only valid data will be written to the database. If, for some reason, a 
transaction is executed that violates the database's consistency rules, the entire transaction will 
be rolled back and the database will be restored to a state consistent with those rules. On the 
other hand, if a transaction successfully executes, it will take the database from one state that is 
consistent with the rules to another state that is also consistent with the rules. 
Isolation requires that multiple transactions occurring at the same time not impact each other's 
execution. For example, if Joe issues a transaction against a database at the same time that Mary 
issues a different transaction, both transactions should operate on the database in an isolated 
manner. The database should either perform Joe's entire transaction before executing Mary's or 
vice-versa. This prevents Joe's transaction from reading intermediate data produced as a side 
effect of part of Mary's transaction that will not eventually be committed to the database. Note 
that the isolation property does not ensure which transaction will execute first, merely that they 
will not interfere with each other. 
Durability ensures that any transaction committed to the database will not be lost. Durability is 
ensured through the use of database backups and transaction logs that facilitate the restoration of 
committed transactions in spite of any subsequent software or hardware failures. 
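The "all or nothing" rule and the consistency rules described above, demonstrated with a SQLite ledger. This is an added example, not code from the original page; the account names and balances are constructed sample data.

```python
# Added example, not from the original page: atomicity and consistency of a
# DBMS transaction, shown with SQLite. Account owners and balances are
# constructed sample data.
import sqlite3


def build_ledger():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None   # we issue BEGIN/COMMIT/ROLLBACK explicitly
    conn.execute("""
        CREATE TABLE account (
            owner   TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)  -- a consistency rule
        )""")
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [("joe", 100), ("mary", 50)])
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic transaction.

    The credit is applied first on purpose: if the debit then violates the
    CHECK rule (overdraft), the already-written credit must disappear too.
    Returns True when the transaction committed, False when it was rolled back."""
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE account SET balance = balance + ? WHERE owner = ?",
                     (amount, dst))
        conn.execute("UPDATE account SET balance = balance - ? WHERE owner = ?",
                     (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        # Consistency rule violated: the whole unit of work is undone,
        # leaving the database in the state it was in before BEGIN.
        conn.execute("ROLLBACK")
        return False


def balances(conn):
    """Snapshot of every account, used to verify all-or-nothing behaviour."""
    return dict(conn.execute("SELECT owner, balance FROM account ORDER BY owner"))


if __name__ == "__main__":
    db = build_ledger()
    print("transfer 30 :", transfer(db, "joe", "mary", 30), balances(db))
    print("transfer 500:", transfer(db, "joe", "mary", 500), balances(db))
```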
QUESTION 451: 
To ensure integrity, a payroll application program may record transactions in the appropriate 
accounting period by using 
A. Application checkpoints 
B. Time and date stamps 
C. Accrual journal entries 
D. End of period journals 
Answer: B 
QUESTION 452: 
What ensures that the control mechanisms correctly implement the security policy for the 
entire life cycle of an information system? 
A. Accountability controls 
B. Mandatory access controls 
C. Assurance procedures 
D. Administrative controls 
Answer: C 
Assurance procedures ensure that the control mechanisms correctly implement the security 
policy for the entire life cycle of an information system. 
Pg 33 Krutz: The CISSP Prep Guide. 
QUESTION 453: 
Development staff should: 
A. Implement systems 
B. Support production data 
C. Perform unit testing 
D. Perform acceptance testing 
Answer: C 
QUESTION 454: 
Which of the following is not used as a cost estimating technique during the project 
planning stage? 
A. Delphi technique 
B. Expert Judgment 
C. Program Evaluation Review Technique (PERT) charts 
D. Function points (FP) 
Answer: C 
Explanation: 
"Methods and techniques for cost estimation: 
Experts' evaluation 
Delphi 
Bottom-up approaches 
Empirical models 
COCOMO 
Function Points 
Combining Methods" 
QUESTION 455: 
Which of the following methodologies is appropriate for planning and controlling activities 
and resources in a system project? 
A. Gantt charts 
B. Program evaluation review technique (PERT) 
C. Critical path methodology (CPM) 
D. Function point analysis (FP) 
Answer: A 
A Gantt chart is a popular type of bar chart showing the interrelationships of how projects, 
schedules, and other time-related systems progress over time. 
Not B: 
Program Evaluation and Review Technique - (PERT) A method used to size a software product 
and calculate the Standard Deviation (SD) for risk assessment. The PERT equation (beta 
distribution) estimates the Equivalent Delivered Source Instructions (EDSIs) and the SD based 
on the analyst's estimates of the lowest possible size, the most likely size, and the highest 
possible size of each computer program component (CPC). 
http://computing-dictionary.thefreedictionary.com/ 
QUESTION 456: 
Which of the following is an advantage of using a high-level programming language? 
A. It decreases the total amount of code written 
B. It allows programmers to define syntax 
C. It requires programmer-controlled storage management 
D. It enforces coding standards 
Answer: A 
QUESTION 457: 
The design phase in a system development life cycle includes all of the following EXCEPT 
A. Determining sufficient security controls. 
B. Conducting a detailed design review. 
C. Developing an operations and maintenance manual. 
D. Developing a validation, verification, and testing plan. 
Answer: C 
Systems Development Life Cycle 
Conceptual Definition 
Functional Requirements Determination 
Protection Specifications Development 
Design Review 
Code Review Walk-Through 
System Test Review 
Certification and Accreditation 
Maintenance 
Pg 224-228 Tittel: CISSP Study Guide. 
QUESTION 458: 
By far, the largest security exposure in application system development relates to 
A. Maintenance and debugging hooks. 
B. Deliberate compromise. 
C. Change control. 
D. Errors and lack of training 
Answer: A 
Maintenance hook - instructions within a program's code that enable the developer or maintainer 
to enter the program without having to go through the usual access control and authentication 
processes. They should be removed from the code before being released for production; 
otherwise, they can cause serious security risks. They are also referred to as trapdoors. - Shon 
Harris All-in-one CISSP Certification Guide pg 933 
QUESTION 459: 
Which of the following is a 5th Generation Language? 
A. LISP 
B. BASIC 
C. NATURAL 
D. Assembly Language 
Answer: A 
QUESTION 460: 
When considering the IT Development Life-Cycle, security should be: 
A. Mostly considered during the initiation phase. 
B. Mostly considered during the development phase. 
C. Treated as an integral part of the overall system design. 
D. Added once the design is completed. 
Answer: C 
QUESTION 461: 
Which of the following represents the best programming? 
A. Low cohesion, low coupling 
B. Low cohesion, high coupling 
C. High cohesion, low coupling 
D. High cohesion, high coupling 
Answer: C 
QUESTION 462: 
The INITIAL phase of the system development life cycle would normally include 
A. Cost-benefit analysis 
B. System design review 
C. Executive project approval 
D. Project status summary 
Answer: C 
Project management is an important part of product development and security management is an 
important part of project management. - Shon Harris All-in-one CISSP Certification Guide pg 
732 
QUESTION 463: 
Which of the following computer design approaches is based on the fact that in earlier 
technologies, the instruction fetch was the longest part of the cycle? 
A. Pipelining 
B. Reduced Instruction Set Computers (RISC) 
C. Complex Instruction Set Computers (CISC) 
D. Scalar processors 
Answer: C 
Reference: pg 255 Krutz: CISSP Prep Guide: Gold Edition 
QUESTION 464: 
Which one of the following tests determines whether the content of data within an application program falls 
within predetermined limits? 
A. Parity check 
B. Reasonableness check 
C. Mathematical accuracy check 
D. Check digit verification 
Answer: B 
Reasonableness check: A test to determine whether a value conforms to specified criteria. Note: 
A reasonableness check can be used to eliminate questionable data points from subsequent 
processing. 
QUESTION 465: 
Buffer overflow and boundary condition errors are subsets of: 
A. Race condition errors 
B. Access validation errors 
C. Exceptional condition handling errors 
D. Input validation errors 
Answer: D 
QUESTION 466: 
Which of the following statements pertaining to software testing approaches is correct? 
A. A bottom-up approach allows interface errors to be detected earlier 
B. A top-down approach allows errors in critical modules to be detected earlier 
C. The test plan and results should be retained as part of the system's permanent documentation 
D. Black box testing is predicated on a close examination of procedural detail 
Answer: C 
QUESTION 467: 
Which of the following phases of a system development life-cycle is most concerned with 
authenticating users and processes to ensure appropriate access control decisions? 
A. Development/acquisition 
B. Implementation 
C. Operation/Maintenance 
D. Initiation 
Answer: C 
QUESTION 468: 
Which of the following would be the most serious risk where a systems development life 
cycle methodology is inadequate? 
A. The project will be completed late 
B. The project will exceed the cost estimates 
C. The project will be incompatible with existing systems 
D. The project will fail to meet business and user needs 
Answer: D 
QUESTION 469: 
Which of the following would best describe the difference between white-box testing and 
black-box testing? 
A. White-box testing is performed by an independent programmer team 
B. Black-box testing uses the bottom-up approach 
C. White-box testing examines the program internal logical structure 
D. Black-box testing involves the business units 
Answer: C 
QUESTION 470: 
Which of the following refers to the work product satisfying the real-world requirements 
and concepts? 
A. validation 
B. verification 
C. concurrence 
D. accuracy 
Answer: A 
Reference: pg 820 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 471: 
Which model, based on the premise that the quality of a software product is a direct 
function of the quality of it's associated software development and maintenance processes, 
introduced five levels with which the maturity of an organization involved in the software 
process is evaluated? 
A. The total Quality Model (TQM) 
B. The IDEAL Model 
C. The Software Capability Maturity Model 
D. The Spiral Model 
Answer: C 
QUESTION 472: 
Which of the following would provide the best stress testing environment? 
A. Test environment using test data 
B. Test environment using live workloads 
C. Production environment using test data 
D. Production environment using live workloads 
Answer: B 
QUESTION 473: 
In a change control environment, which one of the following REDUCES the assurance of proper changes to 
source programs in production status? 
A. Authorization of the change. 
B. Testing of the change. 
C. Programmer access. 
D. Documentation of the change. 
Answer: C 
I think I am going to disagree with the original answer (B testing of the change) here. The 
question has REDUCES the assurance. 
"Personnel separate from the programmers should conduct this testing." -Ronald Krutz The 
CISSP PREP Guide (gold edition) pg 345 
QUESTION 474: 
Why should batch files and scripts be stored in a protected area? 
A. Because of the least privilege concept 
B. Because they cannot be accessed by operators 
C. Because they may contain credentials 
D. Because of the need-to-know concept 
Answer: C 
QUESTION 475: 
The PRIMARY purpose of operations security is 
A. Protect the system hardware from environment damage. 
B. Monitor the actions of vendor service personnel. 
C. Safeguard information assets that are resident in the system. 
D. Establish thresholds for violation detection and logging. 
Answer: C 
I think A or C could be the answers. I am leaning towards the C answer but use your best judgment. 
"Operations Security can be described as the controls over the hardware in a computing facility, the data media 
used in a facility, and the operators using these resources in a facility...A CISSP candidate will be expected to know 
the resources that must be protected, the privileges that must be restricted, the control mechanisms that are 
available, the potential for access abuse, the appropriate controls, and the principles of good practice." -Ronald Krutz The 
CISSP PREP Guide (gold edition) pg 297 
QUESTION 476: 
Which of the following is not a component of an Operations Security "triples"? 
A. Asset 
B. Threat 
C. Vulnerability 
D. Risk 
Answer: D 
Reference: pg 298 Krutz: CISSP Study Guide: Gold Edition 
QUESTION 477: 
A periodic review of user account management should not determine: 
A. Conformity with the concept of least privilege 
B. Whether active accounts are still being used 
C. Strength of user-chosen passwords 
D. Whether management authorizations are up-to-date 
Answer: C 
QUESTION 478: 
Which of the following functions is less likely to be performed by a typical security 
administrator? 
A. Setting user clearances and initial passwords 
B. Adding and removing system users 
C. Setting or changing file sensitivity labels 
D. Reviewing audit data 
Answer: B 
QUESTION 479: 
Who is responsible for setting user clearances to computer-based information? 
A. Security administrators 
B. Operators 
C. Data owners 
D. Data custodians 
Answer: A 
QUESTION 480: 
Who is the individual permitted to add users or install trusted programs? 
A. Database Administrator 
B. Computer Manager 
C. Security Administrator 
D. Operations Manager 
Answer: D 
Typical system administrator or enhanced operator functions can include the following 
Installing system software 
Starting up (booting) and shutting down a system 
Adding and removing system users 
Performing back-ups and recovery 
Handling printers and managing print queues -Ronald Krutz The CISSP PREP Guide (gold 
edition) pg 305-304 
QUESTION 481: 
In Unix, which file is required for you to set up an environment such that every user on the 
other host is a trusted user that can log into this host without authentication? 
A. /etc/shadow 
B. /etc/hosts.equiv 
C. /etc/passwd 
D. None of the choices. 
Answer: B 
Explanation: 
The /etc/hosts.equiv file is saying that every user on the other host is a trusted user 
and allowed to log into this host without authentication (i.e. NO PASSWORD). The only 
thing that must exist for a user to log in to this system is an /etc/passwd entry by 
the same login name the user is currently using. In other words, if there is a user 
trying to log into this system whose login name is "bhope", then there must be a 
"bhope" listed in the /etc/passwd file. 
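Because every entry in /etc/hosts.equiv grants password-less access, a reviewer wants to see at a glance which hosts and users a system trusts. The audit below is an added example, not code from the page or any vendor tool; the file content is a constructed sample, and the script assumes the standard hosts.equiv line syntax (a host name optionally followed by a user name, `+` as a wildcard in either field, `+@netgroup` for a netgroup, and a leading `-` for a deny entry).

```python
# Constructed sample /etc/hosts.equiv content for illustration; not from any real host.
SAMPLE_HOSTS_EQUIV = """\
# build servers trusted for rsh/rlogin
build01.example.com
+
-quarantine.example.com
lab01.example.com +
+@netadmins
"""


def parse_hosts_equiv(text):
    """Yield (line number, host field, optional user field) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], (fields[1] if len(fields) > 1 else None)


def audit_hosts_equiv(text):
    """Return findings as (line number, severity, message) for entries that grant trust."""
    findings = []
    for lineno, host, user in parse_hosts_equiv(text):
        if host.startswith("-"):
            continue  # a leading '-' denies the host; it grants nothing
        if host == "+":
            findings.append((lineno, "high", "wildcard '+' trusts every host"))
        elif host.startswith("+@"):
            findings.append((lineno, "medium", f"trusts every host in netgroup {host[2:]}"))
        else:
            findings.append((lineno, "low", f"trusts host {host} without a password"))
        if user == "+":
            findings.append((lineno, "high", "wildcard '+' in the user field trusts any user"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the file grants no trust at all."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((sev for _, sev, _ in findings), key=order.get, default=None)


if __name__ == "__main__":
    for lineno, sev, msg in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {lineno}: [{sev}] {msg}")
    print("overall:", worst_severity(audit_hosts_equiv(SAMPLE_HOSTS_EQUIV)))
```

Even the "low" findings deserve attention: a plain host name in this file means every user on that host (other than root, on most implementations) can log in here without a password, which is why an empty or absent hosts.equiv is the usual hardening target.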
QUESTION 482: 
For what reason would a network administrator leverage promiscuous mode? 
A. To screen out all network errors that affect network statistical information. 
B. To monitor the network to gain a complete statistical picture of activity. 
C. To monitor only unauthorized activity and use. 
D. To capture only unauthorized internal/external use. 
Answer: B 
QUESTION 483: 
Which of the following questions is less likely to help in assessing controls over hardware 
and software maintenance? 
A. Is access to all program libraries restricted and controlled? 
B. Are integrity verification programs used by applications to look for evidence of data 
tampering, errors, and omissions? 
C. Is there version control? 
D. Are system components tested, documented, and approved prior to promotion to production? 
Answer: B 
QUESTION 484: 
Which of the following correctly describe "good" security practice? 
A. Accounts should be monitored regularly. 
B. You should have a procedure in place to verify password strength. 
C. You should ensure that there are no accounts without passwords. 
D. All of the choices. 
Answer: D 
Explanation: 
In many organizations accounts are created and then nobody ever touches those accounts 
again. This is a very poor security practice. Accounts should be monitored regularly, 
you should look at unused accounts and you should have a procedure in place to ensure 
that departing employees have their rights revoked prior to leaving the company. You 
should also have a procedure in place to verify password strength or to ensure that 
there are no accounts without passwords. 
QUESTION 485: 
Access to the _________ account on a Unix server must be limited to only the system 
administrators that must absolutely have this level of access. 
A. Superuser of inetd. 
B. Manager or root. 
C. Fsf or root 
D. Superuser or root. 
Answer: D 
Explanation: 
Access to the superuser or root account on a server must be limited to only the system 
administrators that must absolutely have this level of access. Use of programs such as 
SUDO is recommended to give limited and controlled root access to administrators that 
have a need for such access. 
QUESTION 486: 
Which of the following files should the security administrator be restricted to READ only 
access? 
A. Security parameters 
B. User passwords 
C. User profiles 
D. System log 
Answer: D 
QUESTION 487: 
Root login should only be allowed via: 
A. Rsh 
B. System console 
C. Remote program 
D. VNC 
Answer: B 
Explanation: 
The root account must be the only account with a user ID of 0 (zero) that has open 
access to the UNIX shell. It must not be possible for root to sign on directly except 
at the system console. All other access to the root account must be via the 'su' 
command. 
QUESTION 488: 
What does "System Integrity" mean? 
A. The software of the system has been implemented as designed. 
B. Users can't tamper with processes they do not own 
C. Hardware and firmware have undergone periodic testing to verify that they are functioning 
properly 
D. Design specifications have been verified against the formal top-level specification 
Answer: C 
QUESTION 489: 
Operations Security seeks to primarily protect against which of the following? 
A. object reuse 
B. facility disaster 
C. compromising emanations 
D. asset threats 
Answer: D 
QUESTION 490: 
In order to avoid mishandling of media or information, you should consider using: 
A. Labeling 
B. Token 
C. Ticket 
D. SLL 
Answer: A 
Explanation: 
In order to avoid mishandling of media or information, proper labeling must be used. 
All tape, floppy disks, and other computer storage media containing sensitive 
information must be externally marked with the appropriate sensitivity classification. 
All tape, floppy disks, and other computer storage media containing unrestricted 
information must be externally marked as such. 
All printed copies, printouts, etc., from a computer system must be clearly labeled 
with the proper classification. 
QUESTION 491: 
In order to avoid mishandling of media or information, which of the following should be 
labeled? 
A. All of the choices. 
B. Printed copies 
C. Tape 
D. Floppy disks 
Answer: A 
Explanation: 
In order to avoid mishandling of media or information, proper labeling must be used. 
All tape, floppy disks, and other computer storage media containing sensitive 
information must be externally marked with the appropriate sensitivity classification. 
All tape, floppy disks, and other computer storage media containing unrestricted 
information must be externally marked as such. 
All printed copies, printouts, etc., from a computer system must be clearly labeled 
with the proper classification. 
As a rule of thumb, you should have an indication of the classification of the 
document. The classification is based on the sensitivity of information. It is usually 
marked at the minimum on the front and back cover, title, and first pages. 
QUESTION 492: 
Compact Disc (CD) optical media types is used more often for: 
A. very small data sets 
B. very small files data sets 
C. larger data sets 
D. very aggregated data sets 
Answer: A 
QUESTION 493: 
At which temperature does damage start occurring to magnetic media? 
A. 100 degrees 
B. 125 degrees 
C. 150 degrees 
D. 175 degrees 
Answer: A 
QUESTION 494: 
Which of the following statements pertaining to air conditioning for an information 
processing facility is correct? 
A. The AC units must be controllable from outside the area 
B. The AC units must keep negative pressure in the room so that smoke and other gases are 
forced out of the room 
C. The AC units must be on the same power source as the equipment in the room to allow for 
easier shutdown 
D. The AC units must be dedicated to the information processing facilities 
Answer: D 
QUESTION 495: 
Removing unnecessary processes, segregating inter-process communications, and reducing executing 
privileges to increase system security is commonly called 
A. Hardening 
B. Segmenting 
C. Aggregating 
D. Kerneling 
Answer: A 
What is hardening? Naturally, there is more than one definition, but in general, one tightens 
control using policies which affect authorization, authentication and permissions. Nothing 
happens by default. You only give out permission after thinking about it, something like "deny 
all" to everyone, then "allow" with justification. Shut off everything, then only turn on that 
which must be turned on. It is not unlike locking every single door, window and access point in 
your house, then unlocking only those that need to be. It is quite common for users to take all the 
defaults when their new system gets turned on making for instant vulnerability. A major problem 
is trying to figure out where all those details are that need to be turned off, without making the 
system unusable. 
QUESTION 496: 
RAID levels 3 and 5 run: 
A. faster on hardware 
B. slower on hardware 
C. faster on software 
D. at the same speed on software and hardware 
Answer: A 
QUESTION 497: 
Which of the following RAID levels functions as a single virtual disk? 
A. RAID Level 7 
B. RAID Level 5 
C. RAID Level 10 
D. RAID Level 2 
Answer: A 
QUESTION 498: 
Which of the following takes the concept of RAID 1 (mirroring) and applies it to a pair of 
servers? 
A. A redundant server implementation 
B. A redundant client implementation 
C. A redundant guest implementation 
D. A redundant host implementation 
Answer: A 
QUESTION 499: 
Which of the following enables the drive array to continue to operate if any disk or any 
path to any disk fails? 
A. RAID Level 7 
B. RAID Level 1 
C. RAID Level 2 
D. RAID Level 5 
Answer: A 
"RAID Level 7 is a variation of RAID 5 wherein the array functions as a single virtual disk in 
the hardware. This is sometimes simulated by software running over a RAID level 5 hardware 
implementation, which enables the drive array to continue to operate if any disk or any path to 
any disk fails. It also provides parity protection." Pg 91 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 500: 
Depending upon the volume of data that needs to be copied, full backups to tape can take: 
A. an incredible amount of time 
B. a credible amount of time 
C. an ideal amount of time 
D. an exclusive amount of time 
Answer: A 
QUESTION 501: 
Which one of the following entails immediately transmitting copies of on-line transactions to a remote computer 
facility for backup? 
A. Archival storage management (ASM) 
B. Electronic vaulting 
C. Hierarchical storage management (HSM) 
D. Data compression 
Answer: B 
"Electronic vaulting makes an immediate copy of a changed file or transaction and sends it to a remote location 
where the original backup is stored....Another technology used for automated backups is hierarchical storage 
management (HSM). In this situation, the HSM system dynamically manages the storage and recovery of files, which 
are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed more 
often and the seldom-used files are stored on the slower devices, or near-line devices. The different storage media 
range from optical disk, magnetic disks, and tapes." Pg. 619 Shon Harris CISSP All-In-One Certification Exam Guide 
QUESTION 502: 
When continuous availability (24 hours-a-day processing) is required, which one of the 
following provides a good alternative to tape backups? 
A. Disk mirroring 
B. Backup to jukebox 
C. Optical disk backup 
D. Daily archiving 
Answer: B 
"Hierarchical Storage Management (HSM). HSM provides continuous on-line backup by using 
optical or tape 'jukeboxes,' similar to WORMs. It appears as an infinite disk to the system, and 
can be configured to provide the closest version of an available real-time backup. This is 
commonly employed in very large data retrieval systems." Pg. 71 Krutz: The CISSP Prep Guide. 
QUESTION 503: 
Zip/Jaz drives are frequently used for the individual backups of small data sets of: 
A. specific application data 
B. sacrificial application data 
C. static application data 
D. dynamic application data 
Answer: A 
QUESTION 504: 
With non-continuous backup systems, data that was entered after the last backup prior to 
a system crash will have to be: 
A. recreated 
B. created 
C. updated 
D. deleted 
Answer: A 
QUESTION 505: 
The alternate processing strategy in a business continuity plan can provide for required backup computing 
capacity through a hot site, a cold site, or 
A. A dial-up services program. 
B. An off-site storage replacement. 
C. An online backup program. 
D. A crate and ship replacement. 
Answer: C 
What I believe is being wanted here is not the other data center backup alternatives but 
transaction redundancy implementation. 
The CISSP candidate should understand the three concepts used to create a level of fault 
tolerance and redundancy in transaction processing. While these processes are not used solely 
for disaster recovery, they are often elements of a larger disaster recovery plan. If one or more of 
these processes are employed, the ability of a company to get back online is greatly enhanced. 
-Ronald Krutz The CISSP PREP Guide (gold edition) pg 394 (they are Electronic Vaulting, 
Remote journaling, and Database shadowing) 
QUESTION 506: 
The 8mm tape format is commonly used in Helical Scan tape drives, but was superseded 
by: 
A. Digital Linear Tape (DLT) 
B. Analog Linear Tape (ALT) 
C. Digital Signal Tape (DST) 
D. Digital Coded Tape (DCT) 
Answer: A 
"8mm Tape. This format was commonly used in Helical Scan tape drives, but was superseded by 
Digital Linear Tape (DLT)." Pg 95 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 507: 
The spare drives that replace the failed drives are usually hot swappable, meaning they can 
be replaced on the server in which of the following scenarios? 
A. system is up and running 
B. system is quiesced but operational 
C. system is idle but operational 
D. system is up and in single-user-mode 
Answer: A 
QUESTION 508: 
Primarily run when time and tape space permits, and is used for the system archive or 
baselined tape sets is the: 
A. full backup method 
B. Incremental backup method 
C. differential backup method 
D. tape backup method 
Answer: A 
QUESTION 509: 
This backup method makes a complete backup of every file on the server every time it is 
run by: 
A. full backup method 
B. incremental backup method 
C. differential backup method 
D. tape backup method 
Answer: A 
QUESTION 510: 
A backup of all files that are new or modified since the last full backup is 
A. An incremental backup 
B. A father/son backup 
C. A differential backup 
D. A full backup 
Answer: C 
"Incremental backup -A procedure that backs up only those files that have been modified since 
the previous backup of any sort. It does remove the archive attribute. 
Differential backup - A procedure that backs up all files that have been modified since the last 
full backup. It does not remove the archive attribute." - Shon Harris All-in-one CISSP 
Certification Guide pg 618 
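The archive-attribute behaviour quoted above is what decides how many tape sets a restore must read. The simulation below is an added example, not code from the page or from Harris's book; the volume, its four files and the three days of edits are constructed. It applies the two rules literally (incremental clears the attribute, differential leaves it set) and then derives the restore plan each method requires.

```python
from dataclasses import dataclass


@dataclass
class FileEntry:
    name: str
    archive: bool = True  # the OS sets the archive attribute whenever the file is written


class Volume:
    """Constructed stand-in for a server volume: just file names and archive bits."""

    def __init__(self, names):
        self.files = {n: FileEntry(n) for n in names}

    def modify(self, name):
        self.files[name].archive = True


def full_backup(vol):
    """Copies every file and clears every archive attribute."""
    copied = sorted(vol.files)
    for f in vol.files.values():
        f.archive = False
    return copied


def incremental_backup(vol):
    """Copies files changed since the previous backup of any sort; clears the attribute."""
    copied = sorted(n for n, f in vol.files.items() if f.archive)
    for f in vol.files.values():
        f.archive = False
    return copied


def differential_backup(vol):
    """Copies files changed since the last full backup; leaves the attribute set."""
    return sorted(n for n, f in vol.files.items() if f.archive)


def simulate_week(daily_method):
    """Full backup on day 0, then the given daily method after each day's edits.
    Returns a list of (tape set label, files copied to that set)."""
    vol = Volume(["a.dat", "b.dat", "c.dat", "d.dat"])
    sets = [("full", full_backup(vol))]
    for day, changed in enumerate(["a.dat", "b.dat", "a.dat"], 1):
        vol.modify(changed)
        sets.append((f"day{day}", daily_method(vol)))
    return sets


def restore_plan(method, sets):
    """Tape sets a restore after the last day must read, oldest first."""
    if len(sets) == 1:
        return [sets[0][0]]
    if method is incremental_backup:
        return [label for label, _ in sets]  # the full set plus every incremental, in order
    if method is differential_backup:
        return [sets[0][0], sets[-1][0]]  # the full set plus only the latest differential
    raise ValueError("unknown backup method")


if __name__ == "__main__":
    for method in (incremental_backup, differential_backup):
        sets = simulate_week(method)
        print(method.__name__)
        for label, copied in sets:
            print(f"  {label}: {copied}")
        print("  restore reads:", restore_plan(method, sets))
```

The trade-off the exam answer depends on falls straight out of the output: incremental sets stay small (`a.dat`, `b.dat`, `a.dat`) but a restore must apply all of them in order, while differential sets grow (`a.dat`, then `a.dat, b.dat` twice) and a restore needs only the full set and the newest differential.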
QUESTION 511: 
What two factors should a backup program track to ensure the serviceability of backup 
tape media? 
A. The initial usage data of the media and the number of uses. 
B. The physical characteristics and rotation cycle of the media. 
C. The manufactured and model number of the tape media. 
D. The frequency of usage and magnetic composition. 
Answer: B 
The answer should be B. The physical characteristics (what type of tape drive) and rotation cycle 
(frequency of backup cycles and retention time). 
QUESTION 512: 
Which of the following virus types changes some of its characteristics as it spreads? 
A. boot sector 
B. parasitic 
C. stealth 
D. polymorphic 
Answer: D 
QUESTION 513: 
Which one of the following is a good defense against worms? 
A. Differentiating systems along the lines exploited by the attack. 
B. Placing limits on sharing, writing, and executing programs. 
C. Keeping data objects small, simple, and obvious as to their intent. 
D. Limiting connectivity by means of well-managed access controls. 
Answer: B 
Take as general information regarding worms 
"Although the worm is not technically malicious, opening the attachment allows the file to copy 
itself to the user's PC Windows folder and then send the .pif-based program to any e-mail 
address stored on the hard drive. 
Ducklin said the huge risks associated with accepting program files such as .pif, .vbs (visual 
basic script) or the more common .exe (executable) as attachments via e-mail outweighs the 
usefulness of distributing such files in this manner. 
"There's no business sense for distributing programs via e-mail," he said. 
To illustrate the point, Ducklin said six of the top 10 viruses reported to Sophos in April spread 
as Windows programs inside e-mails." 
http://security.itworld.com/4340/030521stopworms/page_1.html 
QUESTION 514: 
An active content module, which attempts to monopolize and exploits system resources is 
called a 
A. Macro virus 
B. Hostile applet 
C. Plug-in worm 
D. Cookie 
Answer: B 
This applet can execute in the network browser and may contain malicious code. The types of 
downloadable programs are also known as mobile code. -Ronald Krutz The CISSP PREP Guide 
(gold edition) pg 361 
"ActiveX Controls are Microsoft's answer to Sun's Java applets. They operate in a very similar 
fashion, but they are implemented using any one of a variety of languages, including Visual 
Basic, C, C++ and Java. There are two key distinctions between Java applets and ActiveX 
controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can only 
execute on systems running Microsoft operating systems. Second, ActiveX controls are not 
subject to the sandbox restrictions placed on Java applets. They have full access to the Windows 
operating environment and can perform a number of privileged actions. Therefore, special 
precautions must be taken when deciding which ActiveX controls to download and execute. 
Many security administrators have taken the somewhat harsh position of prohibiting the 
download of any ActiveX content from all but a select handful of trusted sites." Pg. 214 Tittel: 
CISSP Study Guide 
QUESTION 515: 
Macro viruses written in Visual Basic for Applications (VBA) are a major problem because 
A. Floppy disks can propagate such viruses. 
B. These viruses can infect many types of environments. 
C. Anti-virus software is usable to remove the viral code. 
D. These viruses almost exclusively affect the operating system. 
Answer: D 
QUESTION 516: 
What is the term used to describe a virus that can infect both program files and boot sectors? 
A. Polymorphic 
B. Multipartite 
C. Stealth 
D. Multiple encrypting 
Answer: B 
QUESTION 517: 
Why are macro viruses easy to write? 
A. Active contents controls can make direct system calls 
B. The underlying language is simple and intuitive to apply. 
C. Only a few assembler instructions are needed to do damage. 
D. Office templates are fully API compliant. 
Answer: B 
Macro Languages enable programmers to edit, delete, and copy files. Because these languages 
are so easy to use, many more types of macro viruses are possible. - Shon Harris All-in-one 
CISSP Certification Guide pg 785 
QUESTION 518: 
Which one of the following traits allow macro viruses to spread more effectively than other 
types? 
A. They infect macro systems as well as micro computers. 
B. They attach to executable and batch applications. 
C. They can be transported between different operating systems. 
D. They spread in distributed systems without detection 
Answer: C 
Macro virus is a virus written in one of these programming languages and is platform 
independent. They infect and replicate in templates and within documents. - Shon Harris 
All-in-one CISSP Certification Guide pg 784 
QUESTION 519: 
In what way could Java applets pose a security threat? 
A. Their transport can interrupt the secure distribution of World Wide Web pages over the 
Internet by removing SSL and S-HTTP 
B. Java interpreters do not provide the ability to limit system access that an applet could have 
on a client system 
C. Executables from the Internet may attempt an intentional attack when they are downloaded 
on a client system 
D. Java does not check the bytecode at runtime or provide other safety mechanisms for program 
isolation from the client system. 
Answer: C 
Explanation: 
"Java Security 
Java applets use a security scheme that employs a sandbox to limit the applet's access to certain 
specific areas within the user's system and protects the system from malicious or poorly written 
applets. The applet is supposed to run only within the sandbox. The sandbox restricts the applet's 
environment by restricting access to a user's hard drives and system resources. If the applet does 
not go outside the sandbox, it is considered safe. 
However, as with many other things in the computing world, the bad guys have figured out how 
to escape their confines and restrictions. Programmers have figured out how to write applets that 
enable the code to access hard drives and resources that are supposed to be protected by the Java 
security scheme. This code can be malicious in nature and cause destruction and mayhem to the 
user and her system. 
Java employs a sandbox in its security scheme, but if an applet can escape the confines of the 
sandbox, the system can be easily compromised." Pg 726 Shon Harris: All-In-One CISSP 
Certification Guide. 
QUESTION 520: 
What setup should an administrator use for regularly testing the strength of user 
passwords? 
A. A networked workstation so that the live password database can easily be accessed by the 
cracking program 
B. A networked workstation so the password database can easily be copied locally and 
processed by the cracking program 
C. A standalone workstation on which the password database is copied and processed by the 
cracking program 
D. A password-cracking program is unethical; therefore it should not be used. 
Answer: C 
QUESTION 521: 
On UNIX systems, passwords shall be kept: 
A. In any location on behalf of root. 
B. In a shadow password file. 
C. In the /etc/passwd file. 
D. In root. 
Answer: B 
Explanation: 
When possible, on UNIX systems, passwords shall not be kept in the /etc/passwd file, 
but rather in a shadow password file which can be modified only by root or a program executing 
on behalf of root. 
QUESTION 522: 
Which of the following would constitute the best example of a password to use for access to 
a system by a network administrator? 
A. holiday 
B. Christmas12 
C. Jenny&30 
D. TrZc&45g 
Answer: D 
QUESTION 523: 
Which of the following is not a media viability control used to protect the viability of data 
storage media? 
A. clearing 
B. marking 
C. handling 
D. storage 
Answer: A 
Reference: pg 315 Krutz: CISSP Study Guide: Gold Edition 
QUESTION 524: 
Which of the following refers to the data left on the media after the media has been erased? 
A. remanence 
B. recovery 
C. sticky bits 
D. semi-hidden 
Answer: A 
QUESTION 525: 
What is the main issue with media reuse? 
A. Degaussing 
B. Data remanence 
C. Media destruction 
D. Purging 
Answer: B 
QUESTION 526: 
What should a company do first when disposing of personal computers that once were used 
to store confidential data? 
A. Overwrite all data on the hard disk with zeroes 
B. Delete all data contained on the hard disk 
C. Demagnetize the hard disk 
D. Low level format the hard disk 
Answer: C 
QUESTION 527: 
Which of the following is not a critical security aspect of Operations Controls? 
A. Controls over hardware 
B. Data media used 
C. Operations using resources 
D. Environment controls 
Answer: D 
Reference: pg 311 Krutz: CISSP Prep Guide: Gold Edition 
QUESTION 528: 
What tool is used to determine whether attackers have altered system files or executables? 
A. File Integrity Checker 
B. Vulnerability Analysis Systems 
C. Honey Pots 
D. Padded Cells 
Answer: A 
Explanation: 
Although File Integrity Checkers are most often used to determine whether attackers 
have altered system files or executables, they can also help determine whether 
vendor-supplied bug patches or other desired changes have been applied to system 
binaries. They are extremely valuable to those conducting a forensic examination of 
systems that have been attacked, as they allow quick and reliable diagnosis of the 
footprint of an attack. This enables system managers to optimize the restoration of 
service after incidents occur. 
QUESTION 529: 
A system file that has been patched numerous times becomes infected with a virus. The 
anti-virus software warns that disinfecting the file can damage it. What course of action 
should be taken? 
A. Replace the file with the original version from master media 
B. Proceed with automated disinfection 
C. Research the virus to see if it is benign 
D. Restore an uninfected version of the patched file from backup media 
Answer: D 
QUESTION 530: 
In an on-line transaction processing system, which of the following actions should be taken 
when erroneous or invalid transactions are detected? 
A. The transactions should be dropped from processing 
B. The transactions should be processed after the program makes adjustments 
C. The transactions should be written to a report and reviewed 
D. The transactions should be corrected and reprocessed 
Answer: C 
QUESTION 531: 
Which of the following is a reasonable response from the intrusion detection system when it detects Internet 
Protocol (IP) packets where the IP source address is the same as the IP destination address? 
A. Allow the packet to be processed by the network and record the event. 
B. Record selected information about the item and delete the packet. 
C. Resolve the destination address and process the packet. 
D. Translate the source address and resend the packet. 
Answer: B 
RFC 1918 (private addressing) and RFC 2827 (filtering of spoofed IP source addresses) are 
relevant here: a packet whose source address is the same as its destination address cannot be 
legitimate traffic, so the IDS should record the event and drop the packet. 
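As an added example (not from the exam guide), the check described in this question in Python: two IPv4 headers are constructed with struct, the source and destination fields are parsed, and the IDS decision is "record and drop" when they match. A header too short or not version 4 is also dropped as malformed; the header checksum is left zero because nothing here is sent on a network.

```python
"""IDS check for IPv4 packets whose source address equals the destination.

Added example, not from the exam guide. Packets are constructed locally and
never transmitted.
"""
import ipaddress
import struct


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Constructed 20-byte IPv4 header (checksum zero; for illustration only)."""
    ver_ihl = (4 << 4) | 5           # version 4, header length 5 words
    total_len = 20 + payload_len
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_len, 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4(pkt: bytes):
    """Return (src, dst) as dotted strings, or None for a malformed header."""
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst


def inspect(pkt: bytes) -> dict:
    """Decide what the IDS does with one packet and what it records about it."""
    addrs = parse_ipv4(pkt)
    if addrs is None:
        return {"action": "drop", "reason": "malformed IPv4 header",
                "src": None, "dst": None}
    src, dst = addrs
    if src == dst:
        # A source equal to the destination is spoofed; log selected fields, drop.
        return {"action": "drop", "reason": "source address equals destination address",
                "src": src, "dst": dst}
    return {"action": "allow", "reason": None, "src": src, "dst": dst}


if __name__ == "__main__":
    for pkt in (build_ipv4_header("10.0.0.5", "10.0.0.5"),
                build_ipv4_header("192.0.2.10", "10.0.0.5"),
                b"\x45\x00"):
        print(inspect(pkt))
```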
QUESTION 532: 
Which of the following is not a good response to a detected intrusion? 
A. Collect additional information about the suspected attack 
B. Inject TCP reset packets into the attacker's connection to the victim system 
C. Reconfigure routers and firewalls to block packets from the attacker's apparent connection 
D. Launch attacks or attempt to actively gain information about the attacker's host 
Answer: D 
QUESTION 533: 
Once an intrusion into your organization's information system has been detected, which of 
the following actions should be performed first? 
A. Eliminate all means of intruder access 
B. Contain the intrusion 
C. Determine to what extent systems and data are compromised 
D. Communicate with relevant parties 
Answer: B 
QUESTION 534: 
After an intrusion has been contained and the compromised systems have been 
reinstalled, which of the following need not be reviewed before bringing the systems back 
into service? 
A. Access control lists 
B. System services and their configuration 
C. Audit trails 
D. User accounts 
Answer: C 
QUESTION 535: 
Which of the following includes notifying the appropriate parties to take action in order to 
determine the extent of the severity of an incident and to remediate the incident's effects? 
A. Intrusion Evaluation (IE) and Response 
B. Intrusion Recognition (IR) and Response 
C. Intrusion Protection (IP) and Response 
D. Intrusion Detection (ID) and Response 
Answer: D 
"Intrusion Detection (ID) and Response is the task of monitoring systems for evidence of an 
intrusion or an inappropriate usage. This includes notifying the appropriate parties to take action 
in order to determine the extent of the severity of an incident and to remediate the incident's 
effects." Pg 86 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 536: 
Which of the following is used to monitor network traffic or to monitor host audit logs in 
order to determine violations of security policy that have taken place? 
A. Intrusion Detection System 
B. Compliance Validation System 
C. Intrusion Management System 
D. Compliance Monitoring System 
Answer: A 
QUESTION 537: 
Which of the following is not a technique used for monitoring? 
A. Penetration testing 
B. Intrusion detection 
C. Violation processing (using clipping levels) 
D. Countermeasures testing 
Answer: D 
QUESTION 538: 
Which one of the following is NOT a characteristic of an Intrusion Detection System (IDS)? 
A. Determines the source of incoming packets. 
B. Detects intruders attempting unauthorized activities. 
C. Recognizes and reports alterations to data files. 
D. Alerts to known intrusion patterns. 
Answer: C 
Explanation: Software employed to monitor and detect possible attacks and behaviors that 
vary from the normal and expected activity. The IDS can be network-based, which 
monitors network traffic, or host-based, which monitors activities of a specific system and 
protects system files and control mechanisms. - Shon Harris All-in-one CISSP Certification 
Guide pg 932 
QUESTION 539: 
An IDS detects an attack using which of the following? 
A. an event-based ID or a statistical anomaly-based ID 
B. a discrete anomaly-based ID or a signature-based ID 
C. a signature-based ID or a statistical anomaly-based ID 
D. a signature-based ID or an event-based ID 
Answer: C 
QUESTION 540: 
Which of the following monitors network traffic in real time? 
A. network-based IDS 
B. host-based IDS 
C. application-based IDS 
D. firewall-based IDS 
Answer: A 
QUESTION 541: 
What technology is being used to detect anomalies? 
A. IDS 
B. FRR 
C. Sniffing 
D. Capturing 
Answer: A 
Explanation: 
Intrusion Detection is a quickly evolving domain of expertise. In the past year we have 
seen giant steps forward in this area. We are now seeing IDS engines that will detect 
anomalies, and that have some built-in intelligence. It is no longer a simple game of 
matching signatures in your network traffic. 
QUESTION 542: 
IDSs verify, itemize, and characterize threats from: 
A. Inside your organization's network. 
B. Outside your organization's network. 
C. Outside and inside your organization's network. 
D. The Internet. 
Answer: C 
Explanation: 
IDSs verify, itemize, and characterize the threat from both outside and inside your 
organization's network, assisting you in making sound decisions regarding your 
allocation of computer security resources. Using IDSs in this manner is important, as 
many people mistakenly deny that anyone (outsider or insider) would be interested in 
breaking into their networks. Furthermore, the information that IDSs give you regarding 
the source and nature of attacks allows you to make decisions regarding security 
strategy driven by demonstrated need, not guesswork or folklore. 
QUESTION 543: 
IDS can be described in terms of what fundamental functional components? 
A. Response 
B. Information Sources 
C. Analysis 
D. All of the choices. 
Answer: D 
Explanation: 
Many IDSs can be described in terms of three fundamental functional components: 
Information Sources - the different sources of event information used to determine 
whether an intrusion has taken place. These sources can be drawn from different levels 
of the system, with network, host, and application monitoring most common. 
Analysis - the part of intrusion detection systems that actually organizes and makes 
sense of the events derived from the information sources, deciding when those events 
indicate that intrusions are occurring or have already taken place. The most common 
analysis approaches are misuse detection and anomaly detection. 
Response - the set of actions that the system takes once it detects intrusions. These 
are typically grouped into active and passive measures, with active measures involving 
some automated intervention on the part of the system, and passive measures involving 
reporting IDS findings to humans, who are then expected to take action based on those 
reports. 
QUESTION 544: 
What are the primary goals of intrusion detection systems? (Select all that apply.) 
A. Accountability 
B. Availability 
C. Response 
D. All of the choices 
Answer: A, C 
Explanation: 
Although there are many goals associated with security mechanisms in general, there are 
two overarching goals usually stated for intrusion detection systems. 
Accountability is the capability to link a given activity or event back to the party 
responsible for initiating it. This is essential in cases where one wishes to bring 
criminal charges against an attacker. The goal statement associated with accountability 
is: "I can deal with security attacks that occur on my systems as long as I know who 
did it (and where to find them.)" Accountability is difficult in TCP/IP networks, where 
the protocols allow attackers to forge the identity of source addresses or other source 
identifiers. It is also extremely difficult to enforce accountability in any system 
that employs weak identification and authentication mechanisms. 
Response is the capability to recognize a given activity or event as an attack and then 
taking action to block or otherwise affect its ultimate goal. The goal statement 
associated with response is "I don't care who attacks my system as long as I can 
recognize that the attack is taking place and block it." Note that the requirements of 
detection are quite different for response than for accountability. 
QUESTION 545: 
What is the most common way to classify IDSs? 
A. Group them by information source. 
B. Group them by network packets. 
C. Group them by attackers. 
D. Group them by signs of intrusion. 
Answer: A 
Explanation: 
The most common way to classify IDSs is to group them by information source. Some IDSs 
analyze network packets, captured from network backbones or LAN segments, to find 
attackers. Other IDSs analyze information sources generated by the operating system or 
application software for signs of intrusion. 
QUESTION 546: 
The majority of commercial intrusion detection systems are: 
A. Identity-based 
B. Network-based 
C. Host-based 
D. Signature-based 
Answer: B 
Explanation: 
The majority of commercial intrusion detection systems are network-based. These IDSs 
detect attacks by capturing and analyzing network packets. Listening on a network 
segment or switch, one network-based IDS can monitor the network traffic affecting 
multiple hosts that are connected to the network segment, thereby protecting those 
hosts. 
QUESTION 547: 
Which of the following is a drawback of Network-based IDSs? 
A. It cannot analyze encrypted information. 
B. It is very costly to set up. 
C. It is very costly to manage. 
D. It is not effective. 
Answer: A 
Explanation: 
Network-based IDSs cannot analyze encrypted information. This problem is increasing as 
more organizations (and attackers) use virtual private networks. Most network-based 
IDSs cannot tell whether or not an attack was successful; they can only discern that an 
attack was initiated. This means that after a network-based IDS detects an attack, 
administrators must manually investigate each attacked host to determine whether it was 
indeed penetrated. 
QUESTION 548: 
Host-based IDSs normally utilize information from which of the following sources? 
A. Operating system audit trails and system logs. 
B. Operating system audit trails and network packets. 
C. Network packets and system logs. 
D. Operating system alarms and system logs. 
Answer: A 
Explanation: 
Host-based IDSs normally utilize information sources of two types, operating system 
audit trails, and system logs. Operating system audit trails are usually generated at 
the innermost (kernel) level of the operating system, and are therefore more detailed 
and better protected than system logs. However, system logs are much less obtuse and 
much smaller than audit trails, and are furthermore far easier to comprehend. Some 
host-based IDSs are designed to support a centralized IDS management and reporting 
infrastructure that can allow a single management console to track many hosts. Others 
generate messages in formats that are compatible with network management systems. 
QUESTION 549: 
When comparing host based IDS with network based ID, which of the following is an 
obvious advantage? 
A. It is unaffected by switched networks. 
B. It cannot analyze encrypted information. 
C. It is not costly to set up. 
D. It is not costly to manage. 
Answer: A 
Explanation: 
Host-based IDSs are unaffected by switched networks. When Host-based IDSs operate on OS 
audit trails, they can help detect Trojan horse or other attacks that involve software 
integrity breaches. These appear as inconsistencies in process execution. 
QUESTION 550: 
You are comparing host based IDS with network based ID. Which of the following will you 
consider as an obvious disadvantage of host based IDS? 
A. It cannot analyze encrypted information. 
B. It is costly to remove. 
C. It is affected by switched networks. 
D. It is costly to manage. 
Answer: D 
Explanation: 
Host-based IDSs are harder to manage, as information must be configured and managed for 
every host monitored. Since at least the information sources (and sometimes part of the 
analysis engines) for host-based IDSs reside on the host targeted by attacks, the IDS 
may be attacked and disabled as part of the attack. 
Host-based IDSs are not well suited for detecting network scans or other such 
surveillance that targets an entire network, because the IDS only sees those network 
packets received by its host. Host-based IDSs can be disabled by certain 
denial-of-service attacks. 
QUESTION 551: 
Which of the following IDS inflict a higher performance cost on the monitored systems? 
A. Encryption based 
B. Host based 
C. Network based 
D. Trusted based 
Answer: B 
Explanation: 
Host-based IDSs use the computing resources of the hosts they are monitoring, therefore 
inflicting a performance cost on the monitored systems. 
QUESTION 552: 
Application-based IDSs normally utilize information from which of the following sources? 
A. Network packets and system logs. 
B. Operating system audit trails and network packets. 
C. Operating system audit trails and system logs. 
D. Application's transaction log files. 
Answer: D 
Explanation: 
Application-based IDSs are a special subset of host-based IDSs that analyze the events 
transpiring within a software application. The most common information sources used by 
application-based IDSs are the application's transaction log files. 
QUESTION 553: 
Which of the following are the major categories of IDSs response options? 
A. Active responses 
B. Passive responses 
C. Hybrid 
D. All of the choices. 
Answer: D 
Explanation: 
Once IDSs have obtained event information and analyzed it to find symptoms of attacks, 
they generate responses. Some of these responses involve reporting results and findings 
to a pre-specified location. Others involve more active automated responses. Though 
researchers are tempted to underrate the importance of good response functions in IDSs, 
they are actually very important. Commercial IDSs support a wide range of response 
options, often categorized as active responses, passive responses, or some mixture of 
the two. 
QUESTION 554: 
Alarms and notifications are generated by IDSs to inform users when attacks are detected. 
The most common form of alarm is: 
A. Onscreen alert 
B. Email 
C. Pager 
D. Icq 
Answer: A 
Explanation: 
Alarms and notifications are generated by IDSs to inform users when attacks are 
detected. Most commercial IDSs allow users a great deal of latitude in determining how 
and when alarms are generated and to whom they are displayed. 
The most common form of alarm is an onscreen alert or popup window. This is displayed 
on the IDS console or on other systems as specified by the user during the 
configuration of the IDS. The information provided in the alarm message varies widely, 
ranging from a notification that an intrusion has taken place to extremely detailed 
messages outlining the IP addresses of the source and target of the attack, the 
specific attack tool used to gain access, and the outcome of the attack. Another set of 
options that are of utility to large or distributed organizations are those involving 
remote notification of alarms or alerts. These allow organizations to configure the IDS 
so that it sends alerts to cellular phones and pagers carried by incident response 
teams or system security personnel. 
QUESTION 555: 
Which of the following is a valid tool that complements IDSs? 
A. All of the choices. 
B. Padded Cells 
C. Vulnerability Analysis Systems 
D. Honey Pots 
Answer: A 
Explanation: 
Several tools exist that complement IDSs and are often labeled as intrusion detection 
products by vendors since they perform similar functions. They are Vulnerability 
Analysis Systems, File Integrity Checkers, Honey Pots, and Padded Cells. 
"IDS-Related Tools 
Intrusion detection systems are often deployed in concert with several other components. These 
IDS-related tools expand the usefulness and capabilities of IDSs and make IDSs more efficient 
and less prone to false positives. These tools include honey pots, padded cells, and vulnerability 
scanners." Pg. 46 Tittel: CISSP Study Guide 
QUESTION 556: 
A problem with a network-based ID system is that it will not detect attacks against a host 
made by an intruder who is logged in at which of the following? 
A. host's terminal 
B. guest's terminal 
C. client's terminal 
D. server's terminal 
Answer: A 
QUESTION 557: 
When the IDS detects attackers, the attackers are seamlessly transferred to a special host. 
This method is called: 
A. Vulnerability Analysis Systems 
B. Padded Cell 
C. Honey Pot 
D. File Integrity Checker 
Answer: B 
Explanation: 
Padded cells take a different approach. Instead of trying to attract attackers with 
tempting data, a padded cell operates in tandem with traditional IDS. When the IDS 
detects attackers, it seamlessly transfers them to a special padded cell host. 
QUESTION 558: 
Which of the following is a weakness of both statistical anomaly detection and pattern 
matching? 
A. Lack of ability to scale. 
B. Lack of learning model. 
C. Inability to run in real time. 
D. Requirement to monitor every event. 
Answer: B 
Explanation: 
Disadvantages of Knowledge-based ID systems: 
This system is resource-intensive; the knowledge database continually needs maintenance and 
updates. 
New, unique, or original attacks often go unnoticed. 
Disadvantages of Behavior-based ID systems: 
The system is characterized by high false alarm rates. High positives are the most common 
failure of ID systems and can create data noise that makes the system unusable. 
The activity and behavior of the users while in the networked system might not be static enough 
to effectively implement a behavior-based ID system. -Ronald Krutz The CISSP PREP Guide 
(gold edition) pg 88 
QUESTION 559: 
The two most common implementations of Intrusion Detection are which of the following? 
A. They commonly reside on a discrete network segment and monitor the traffic on that 
network segment 
B. They commonly will not reside on a discrete network segment and monitor the traffic on that 
network segment 
C. They commonly reside on a discrete network segment but do not monitor the traffic on that 
network segment 
D. They commonly do not reside on a discrete network segment and monitor the traffic on that 
network segment 
Answer: A 
QUESTION 560: 
What are the primary approaches IDS takes to analyze events to detect attacks? 
A. Misuse detection and anomaly detection. 
B. Log detection and anomaly detection. 
C. Misuse detection and early drop detection. 
D. Scan detection and anomaly detection. 
Answer: A 
Explanation: 
There are two primary approaches to analyzing events to detect attacks: misuse 
detection and anomaly detection. Misuse detection, in which the analysis targets 
something known to be "bad", is the technique used by most commercial systems. Anomaly 
detection, in which the analysis looks for abnormal patterns of activity, has been, and 
continues to be, the subject of a great deal of research. Anomaly detection is used in 
limited form by a number of IDSs. There are strengths and weaknesses associated with 
each approach, and it appears that the most effective IDSs use mostly misuse detection 
methods with a smattering of anomaly detection components. 
QUESTION 561: 
Misuse detectors analyze system activity and identify patterns. The patterns corresponding to 
known attacks are called: 
A. Attachments 
B. Signatures 
C. Strings 
D. Identifications 
Answer: B 
Explanation: 
Misuse detectors analyze system activity, looking for events or sets of events that 
match a predefined pattern of events that describe a known attack. As the patterns 
corresponding to known attacks are called signatures, misuse detection is sometimes 
called "signature-based detection." The most common form of misuse detection used in 
commercial products specifies each pattern of events corresponding to an attack as a 
separate signature. However, there are more sophisticated approaches to doing misuse 
detection (called "state-based" analysis techniques) that can leverage a single 
signature to detect groups of attacks. 
QUESTION 562: 
Which of the following is an obvious disadvantage of deploying misuse detectors? 
A. They are costly to setup. 
B. They are not accurate. 
C. They must be constantly updated with signatures of new attacks. 
D. They are costly to use. 
Answer: C 
Explanation: 
Misuse detectors can only detect those attacks they know about - therefore they must be 
constantly updated with signatures of new attacks. Many misuse detectors are designed to use 
tightly defined signatures that prevent them from detecting variants of common attacks. 
State-based misuse detectors can overcome this limitation, but are not commonly used in 
commercial IDSs. 
QUESTION 563: 
What detectors identify abnormal unusual behavior on a host or network? 
A. None of the choices. 
B. Legitimate detectors. 
C. Anomaly detectors. 
D. Normal detectors. 
Answer: C 
Explanation: 
Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network. 
They function on the assumption that attacks are different from "normal" (legitimate) 
activity and can therefore be detected by systems that identify these differences. 
Anomaly detectors construct profiles representing normal behavior of users, hosts, or 
network connections. These profiles are constructed from historical data collected over 
a period of normal operation. The detectors then collect event data and use a variety 
of measures to determine when monitored activity deviates from the norm. 
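An added example (not from the exam guide) of the profile-and-deviation approach just described: a per-user profile of daily logon counts is built from constructed historical data, and a current observation is flagged when it lies more than an assumed three standard deviations from that profile. Users with no profile and zero-variance profiles (a service account that always logs on exactly once) are handled explicitly, since they are where a naive z-score breaks down.

```python
"""Anomaly detection from a profile of normal behaviour (constructed data).

Added example, not from the exam guide. The data, the per-user daily logon
metric and the 3-sigma threshold are assumptions chosen for illustration.
"""
import statistics

# Constructed history: logons per day for each user over ten normal days.
HISTORY = {
    "alice": [4, 5, 4, 6, 5, 5, 4, 6, 5, 5],
    "bob": [1, 1, 2, 1, 1, 1, 2, 1, 1, 1],
    "svc_backup": [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
}


def build_profile(history: dict) -> dict:
    """Mean and population standard deviation per user from the training period."""
    return {user: (statistics.mean(counts), statistics.pstdev(counts))
            for user, counts in history.items()}


def is_anomalous(profile: dict, user: str, observed: int, threshold: float = 3.0) -> bool:
    """True when the observation deviates from the user's learned profile.

    An unknown user has no profile and is reported. A zero-variance profile
    treats any change at all as a deviation, because dividing by a standard
    deviation of zero would otherwise hide it (or raise an error).
    """
    if user not in profile:
        return True
    mean, stdev = profile[user]
    if stdev == 0:
        return observed != mean
    return abs(observed - mean) / stdev > threshold


def detect(profile: dict, observations: dict, threshold: float = 3.0) -> list:
    """Return the users whose current-day activity is anomalous, sorted by name."""
    return sorted(user for user, count in observations.items()
                  if is_anomalous(profile, user, count, threshold))


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    today = {"alice": 40, "bob": 2, "svc_backup": 2, "mallory": 1}
    print(detect(prof, today))
```

The threshold is the tuning knob the Krutz excerpt above is pointing at: lower it and more real attacks are caught at the cost of more false alarms on users whose routine simply varies.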
QUESTION 564: 
A network-based IDS is which of the following? 
A. active while it acquires data 
B. passive while it acquires data 
C. finite while it acquires data 
D. infinite while it acquires data 
Answer: B 
QUESTION 565: 
Which of the following usually provides reliable, real-time information without consuming 
network or host resources? 
A. network-based IDS 
B. host-based IDS 
C. application-based IDS 
D. firewall-based IDS 
Answer: A 
"A network-based IDS has little negative affect on overall network performance, and because it 
is deployed on a single-purpose system, it doesn't adversely affect the performance of any other 
computer." Pg 34 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 566: 
Which of the following would assist in intrusion detection? 
A. audit trails 
B. access control lists 
C. security clearances 
D. host-based authentication 
Answer: A 
QUESTION 567: 
Using clipping levels refers to: 
A. setting allowable thresholds on reported activity 
B. limiting access to top management staff 
C. setting personnel authority limits based on need-to-know basis 
D. encryption of data so that it cannot be stolen 
Answer: A 
QUESTION 568: 
In what way can violation clipping levels assist in violation tracking and analysis? 
A. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold 
will be recorded for analysis of why the violations occurred 
B. Clipping levels enable a security administrator to customize the audit trail to record only 
those violations which are deemed to be security relevant 
C. Clipping levels enable the security administrator to customize the audit trail to record only 
actions for users with access to usercodes with a privileged status 
D. Clipping levels enable a security administrator to view all reductions in security levels which 
have been made to usercodes which have incurred violations 
Answer: A 
QUESTION 569: 
When establishing a violation tracking and analysis process, which one of the following 
parameters is used to keep the quantity of data to manageable levels? 
A. Quantity baseline 
B. Maximum log size 
C. Circular logging 
D. Clipping levels 
Answer: D 
To make violation tracking effective, clipping levels must be established. A clipping level is a 
baseline of user activity that is considered a routine level of user errors. When a clipping level is 
exceeded, a violation record is then produced. Clipping levels are also used for variance 
detection. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 318 
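As an added example (not from the exam guide), the clipping-level mechanism from Questions 567 to 569 applied to constructed authentication log lines: failed logons are tallied per user and source, and a violation record is produced only where the count exceeds the clipping level. The syslog-style line format and the level of 3 are assumptions for the demonstration.

```python
"""Violation tracking with a clipping level over constructed auth log lines.

Added example, not from the exam guide. Line format and the default level
of 3 are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample lines in a syslog-like format (not from any real host).
SAMPLE_LOG = """\
Jan 10 08:01:02 host1 sshd[211]: Failed password for alice from 10.0.0.7
Jan 10 08:01:09 host1 sshd[211]: Failed password for alice from 10.0.0.7
Jan 10 08:01:15 host1 sshd[211]: Accepted password for alice from 10.0.0.7
Jan 10 08:03:40 host1 sshd[240]: Failed password for bob from 10.0.0.9
Jan 10 08:03:44 host1 sshd[240]: Failed password for bob from 10.0.0.9
Jan 10 08:03:47 host1 sshd[240]: Failed password for bob from 10.0.0.9
Jan 10 08:03:51 host1 sshd[240]: Failed password for bob from 10.0.0.9
Jan 10 08:03:55 host1 sshd[240]: Failed password for bob from 10.0.0.9
Jan 10 08:05:00 host1 sshd[260]: Failed password for invalid user admin from 198.51.100.4
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def count_failures(log_text: str) -> Counter:
    """Tally failed logons per (user, source) pair; successful logons are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def violations(log_text: str, clipping_level: int = 3) -> list:
    """Return a violation record only for pairs whose failures exceed the level.

    Counts at or below the clipping level are treated as routine user error
    and produce no record, which is what keeps the review queue manageable.
    """
    records = []
    for (user, source), n in sorted(count_failures(log_text).items()):
        if n > clipping_level:
            records.append({"user": user, "source": source,
                            "failures": n, "clipping_level": clipping_level})
    return records


if __name__ == "__main__":
    for rec in violations(SAMPLE_LOG):
        print(rec)
```

Alice's two mistyped passwords fall under the baseline and are never surfaced; Bob's five failures from one source exceed it and become the single record a reviewer sees.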
QUESTION 570: 
Audit trails based upon access and identification codes establish... 
A. intrusion detection thresholds 
B. individual accountability 
C. audit review criteria 
D. individual authentication 
Answer: B 
Accountability is another facet of access control. Individuals on a system are responsible for 
their actions. This accountability property enables system activities to be traced to the proper 
individuals. Accountability is supported by audit trails that record events on the system and on 
the network. Audit trails can be used for intrusion detection and for the reconstruction of past 
events. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 65 
QUESTION 571: 
The primary reason for enabling software audit trails is which of the following? 
A. Improve system efficiency 
B. Improve response time for users 
C. Establish responsibility and accountability 
D. Provide useful information to track down processing errors 
Answer: C 
"Auditing capabilities ensure that users are accountable for their actions, verify that the security 
polices are enforced, and are used as investigation tools." Pg 161 Shon Harris: All-in-One CISSP 
Certification 
QUESTION 572: 
Tracing violations, or attempted violations of system security to the user responsible is a 
function of? 
A. authentication 
B. access management 
C. integrity checking 
D. accountability 
Answer: D 
Auditing capabilities ensure that users are accountable for their actions, verify that the security 
policies are enforced, work as a deterrent to improper actions, and are used as investigation 
tools. - Shon Harris All-in-one CISSP Certification Guide pg 182 
QUESTION 573: 
According to the Minimum Security Requirements (MSR) for Multi-User Operating 
Systems (NISTIR 5153) document, which of the following statements pertaining to audit 
data recording is incorrect? 
A. The system shall provide end-to-end user accountability for all security-relevant events 
B. The system shall protect the security audit trail from unauthorized access 
C. For maintenance purposes, it shall be possible to disable the recording of activities that 
require privileges. 
D. The system should support an option to maintain the security audit trail data in encrypted 
format 
Answer: C 
QUESTION 574: 
Which of the following questions is less likely to help in assessing controls over audit trails? 
A. Does the audit trail provide a trace of user actions? 
B. Are incidents monitored and tracked until resolved? 
C. Is access to online logs strictly controlled? 
D. Is there separation of duties between security personnel who administer the access control 
function and those who administer the audit trail? 
Answer: B 
QUESTION 575: 
You should keep audit trail on which of the following items? 
A. Password usage. 
B. All unsuccessful logon. 
C. All of the choices. 
D. All successful logon. 
Answer: C 
Explanation: 
Keep an audit trail of password usage; log all successful logons and unsuccessful logons with 
date, time, ID and login name. Control the maximum logon attempt rate where possible. Where 
possible, users must be automatically logged off after 30 minutes of inactivity. 
QUESTION 576: 
In addition to providing an audit trail required by auditors, logging can be used to 
A. provide backout and recovery information 
B. prevent security violations 
C. provide system performance statistics 
D. identify fields changed on master files. 
Answer: B 
Auditing tools are technical controls that track activity within a network on a network device or 
on a specific computer. Even though auditing is not an activity that will deny an entity access to 
a network or computer, it will track activities so a network administrator can understand the 
types of access that took place, identify a security breach, or warn the administrator of suspicious 
activity. This can be used to point out weakness of their technical controls and help 
administrators understand where changes need to be made to preserve the necessary security 
level within the environment. - Shon Harris All-in-one CISSP Certification Guide pg 179-180 
QUESTION 577: 
Which of the following should NOT be logged for performance problems? 
A. CPU load. 
B. Percentage of use. 
C. Percentage of idle time. 
D. None of the choices. 
Answer: D 
Explanation: 
The level of logging will be according to your company requirements. Below is a list of 
items that could be logged, please note that some of the items may not be applicable to 
all operating systems. What is being logged depends on whether you are looking for 
performance problems or security problems. However you have to be careful about 
performance problems that could affect your security. 
QUESTION 578: 
Which of the following should be logged for security problems? 
A. Use of mount command. 
B. Percentage of idle time. 
C. Percentage of use. 
D. None of the choices. 
Answer: A 
Explanation: 
The level of logging will be according to your company requirements. Below is a list of 
items that could be logged; please note that some of the items may not be applicable to 
all operating systems. What is being logged depends on whether you are looking for 
performance problems or security problems. However, you have to be careful about 
performance problems that could affect your security. 
QUESTION 579: 
Which of the following services should be logged for security purpose? 
A. bootp 
B. All of the choices. 
C. sunrpc 
D. tftp 
Answer: B 
Explanation: 
Requests for the following services should be logged: systat, bootp, tftp, sunrpc, snmp, 
snmp-trap, nfs. 
QUESTION 580: 
The auditing method that assesses the extent of the system testing, and identifies specific program logic that has 
not been tested, is called 
A. Decision process analysis 
B. Mapping 
C. Parallel simulation 
D. Test data method 
Answer: D 
Explanation: 
"Testing of software modules or unit testing should be addressed when the modules are being designed. 
Personnel separate from the programmers should conduct this testing. The test data is part of the specifications. 
Testing should not only check the modules using normal and valid input data, but it should also check for incorrect 
types, out-of-range values, and other bounds and/or conditions. Live or actual field data is not recommended for use 
in the testing procedures because both data types might not cover out-of-range situations and the correct outputs of 
the test are unknown. Special test suites of data that exercise all paths of the software to the fullest extent possible 
and whose corrected resulting outputs are known beforehand should be used." Pg. 345 Krutz: The CISSP Prep 
Guide: Gold Edition. 
QUESTION 581: 
Who should NOT have access to the log files? 
A. Security staff. 
B. Internal audit staff. 
C. System administration staff. 
D. Manager's secretary. 
Answer: D 
Explanation: 
Logs must be secured to prevent modification, deletion, and destruction. Only 
authorized persons should have access or permission to read logs. A person is 
authorized if he or she is a member of the internal audit staff, security staff, system 
administration staff, or he or she has a need for such access to perform regular 
duties. 
QUESTION 582: 
Which of the following correctly describe the use of the collected logs? 
A. They are used in the passive monitoring process only. 
B. They are used in the active monitoring process only. 
C. They are used in the active and passive monitoring process. 
D. They are used in the archiving process only. 
Answer: C 
Explanation: 
All logs collected are used in the active and passive monitoring process. All logs are 
kept on archive for a period of time. This period of time will be determined by your 
company policies. This allows the use of logs for regular and annual audits if 
retention is longer than a year. Logs must be secured to prevent modification, 
deletion, and destruction. 
QUESTION 583: 
All logs are kept on archive for a period of time. What determines this period of time? 
A. Administrator preferences. 
B. MTTR 
C. Retention polices 
D. MTTF 
Answer: C 
Explanation: 
All logs collected are used in the active and passive monitoring process. All logs are 
kept on archive for a period of time. This period of time will be determined by your 
company policies. This allows the use of logs for regular and annual audits if 
retention is longer than a year. Logs must be secured to prevent modification, 
deletion, and destruction. 
QUESTION 584: 
Logs must be secured to prevent: 
A. Creation, modification, and destruction. 
B. Modification, deletion, and initialization. 
C. Modification, deletion, and destruction. 
D. Modification, deletion, and inspection. 
Answer: C 
Explanation: 
All logs collected are used in the active and passive monitoring process. All logs are 
kept on archive for a period of time. This period of time will be determined by your 
company policies. This allows the use of logs for regular and annual audits if 
retention is longer than a year. Logs must be secured to prevent modification, 
deletion, and destruction. 
QUESTION 585: 
To ensure dependable and secure logging, all computers must have their clock synchronized to: 
A. A central timeserver. 
B. The log time stamp. 
C. The respective local times. 
D. None of the choices. 
Answer: A 
Explanation: 
The following prerequisites must be met to ensure dependable and secure logging: 
All computers must have their clock synchronized to a central timeserver to ensure 
accurate time on events being logged. 
If possible all logs should be centralized for easy analysis and also to help detect 
patterns of abuse across servers. 
Logging information traveling on the network must be encrypted if possible. 
Log files are stored and protected on a machine that has a hardened shell. 
Log files must not be modifiable without a trace or record of such modification. 
QUESTION 586: 
To ensure dependable and secure logging, logging information traveling on the network should 
be: 
A. Stored 
B. Encrypted 
C. Isolated 
D. Monitored 
Answer: B 
Explanation: 
The following prerequisites must be met to ensure dependable and secure logging: 
All computers must have their clock synchronized to a central timeserver to ensure 
accurate time on events being logged. 
If possible all logs should be centralized for easy analysis and also to help detect 
patterns of abuse across servers. 
Logging information traveling on the network must be encrypted if possible. 
Log files are stored and protected on a machine that has a hardened shell. 
Log files must not be modifiable without a trace or record of such modification. 
QUESTION 587: 
The activity that consists of collecting information that will be used for monitoring is called: 
A. Logging 
B. Troubleshooting 
C. Auditing 
D. Inspecting 
Answer: A 
Explanation: 
Logging is the activity that consists of collecting information that will be used for 
monitoring and auditing. Detailed logs combined with active monitoring allow detection 
of security issues before they negatively affect your systems. 
QUESTION 588: 
How often should logging be run? 
A. Once every week. 
B. Always 
C. Once a day. 
D. During maintenance. 
Answer: B 
Explanation: 
Usually logging is done 24 hours per day, 7 days per week, on all available systems and 
services except during the maintenance window where some of the systems and services 
may not be available while maintenance is being performed. 
QUESTION 589: 
Which of the following are security events on Unix that should be logged? 
A. All of the choices. 
B. Use of Setgid. 
C. Change of permissions on system files. 
D. Use of Setuid. 
Answer: A 
Explanation: 
The following file changes, conditions, and events are logged: 
.rhosts. 
UNIX Kernel. 
/etc/passwd. 
rc directory structure. 
bin files. 
lib files. 
Use of Setuid. 
Use of Setgid. 
Change of permission on system or critical files. 
QUESTION 590: 
Which of the following are potential firewall problems that should be logged? 
A. Reboot 
B. All of the choices. 
C. Proxies restarted. 
D. Changes to configuration file. 
Answer: B 
Explanation: 
The following firewall configuration problems are logged: 
Reboot of the firewall. 
Proxies that cannot start (e.g., within TIS firewall). 
Proxies or other important services that have died or restarted. 
Changes to firewall configuration file. 
A configuration or system error while firewall is running. 
QUESTION 591: 
Which of the following is required in order to provide accountability? 
A. Authentication 
B. Integrity 
C. Confidentiality 
D. Audit trails 
Answer: A 
Reference: pg 5 Tittel: CISSP Study Guide 
QUESTION 592: 
The principle of accountability is a principle by which specific action can be traced back 
to: 
A. A policy 
B. An individual 
C. A group 
D. A manager 
Answer: B 
Explanation: 
The principle of accountability has been described in many references; it is a 
principle by which specific action can be traced back to an individual. As mentioned by 
Idrach, any significant action should be traceable to a specific user. The definition 
of "significant" is entirely dependent on your business circumstances and risk 
management model. It was also mentioned by Rino that tracing the actions of a specific 
user is fine but we must also be able to ascertain that this specific user was 
responsible for the uninitiated action. 
QUESTION 593: 
The principle of _________ is a principle by which specific action can be traced back to 
anyone of your users. 
A. Security 
B. Integrity 
C. Accountability 
D. Policy 
Answer: C 
Explanation: 
The principle of accountability has been described in many references; it is a 
principle by which specific action can be traced back to an individual. As mentioned by 
Idrach, any significant action should be traceable to a specific user. The definition 
of "significant" is entirely dependent on your business circumstances and risk 
management model. It was also mentioned by Rino that tracing the actions of a specific 
user is fine but we must also be able to ascertain that this specific user was 
responsible for the uninitiated action. 
QUESTION 594: 
According to the principle of accountability, what action should be traceable to a specific 
user? 
A. Material 
B. Intangible 
C. Tangible 
D. Significant 
Answer: D 
Explanation: 
The principle of accountability has been described in many references; it is a 
principle by which specific action can be traced back to an individual. As mentioned by 
Idrach, any significant action should be traceable to a specific user. The definition 
of "significant" is entirely dependent on your business circumstances and risk 
management model. It was also mentioned by Rino that tracing the actions of a specific 
user is fine but we must also be able to ascertain that this specific user was 
responsible for the uninitiated action. 
QUESTION 595: 
Which of the following best ensures accountability of users for actions taken within a 
system or domain? 
A. Identification 
B. Authentication 
C. Authorization 
D. Credentials 
Answer: A 
Explanation: 
"Identification is the process by which a subject professes an identity and accountability is 
initiated." Pg 149 Tittel: CISSP Study Guide 
"Identification and authentication are the keystones of most access control systems. 
Identification is the act of a user professing an identity to a system, usually in the form of a 
log-on ID to the system. Identification establishes user accountability for the actions on the 
system. Authentication is verification that the user's claimed identity is valid and is usually 
implemented through a user password at log-on time." Pg 36 Krutz: The CISSP Prep Guide 
QUESTION 596: 
Individual accountability does not include which of the following? 
A. unique identifiers 
B. policies & procedures 
C. access rules 
D. audit trails 
Answer: B 
QUESTION 597: 
Controls provide accountability for individuals who are accessing sensitive information. 
This accountability is accomplished: 
A. through access control mechanisms that require identification and authentication and through 
the audit function. 
B. through logical or technical controls involving the restriction of access to systems and the 
protection of information 
C. through logical or technical controls but not involving the restriction of access to systems 
and the protection of information. 
D. through access control mechanisms that do not require identification and authentication and 
do not operate through the audit function. 
Answer: A 
QUESTION 598: 
What types of computer attacks are most commonly reported by IDSs? 
A. System penetration 
B. Denial of service 
C. System scanning 
D. All of the choices 
Answer: D 
Explanation: 
Three types of computer attacks are most commonly reported by IDSs: system scanning, 
denial of service (DoS), and system penetration. These attacks can be launched locally, 
on the attacked machine, or remotely, using a network to access the target. An IDS 
operator must understand the differences between these types of attacks, as each 
requires a different set of responses. 
QUESTION 599: 
Operations security requires the implementation of physical security to control which of the 
following? 
A. unauthorized personnel access 
B. incoming hardware 
C. contingency conditions 
D. evacuation procedures 
Answer: A 
QUESTION 600: 
Configuration Management is a requirement for the following level(s)? 
A. B3 and A1 
B. B1, B2 and B3 
C. A1 
D. B2, B3, and A1 
Answer: D 
Reference: pg 306 Krutz: CISSP Study Guide: Gold Edition