CISSP Questions – Volume 06 – 1201-1400 Questions

QUESTION 1201: 
Which of the following is used in database information security to hide information? 
A. Inheritance 
B. Polyinstantiation 
C. Polymorphism 
D. Delegation 
Answer: B
Explanation: Polyinstantiation represents an environment characterized by information 
stored in more than one location in the database. This permits a security model with 
multiple levels-of-view and authorization. The current problem with polyinstantiation is 
ensuring the integrity of the information in the database. Without an effective method for 
the simultaneous updating of all occurrences of the same data element - integrity cannot be 
guaranteed. 
QUESTION 1202: 
Which of the following evaluates the product against the specification? 
A. Verification 
B. Validation 
C. Concurrence 
D. Accuracy 
Answer: A 
Explanation: "Verification" is the proper term; it is used when a product is compared against a 
specification. For example, if a product is built on open standards, you can prove that by 
"verifying" it against the standards or specifications it claims to follow. 
QUESTION 1203: 
Application Level Firewalls are commonly a host computer running proxy server software, 
which makes a? 
A. Proxy Client 
B. Proxy Session 
C. Proxy System 
D. Proxy Server 
Answer: D 
Explanation: A proxy server is a server that sits between a client and a server application, 
such as a Web browser and a source web server. It intercepts all requests to the real server 
to see if it can fulfill the requests itself. If not, it forwards the request to the original source 
web server. Firewalls usually provide this kind of service to have more control over user 
requests and to allow or deny that traffic through the gateway. At this time the most 
common proxy server is for the HTTP protocol, but proxies also exist for SMTP and FTP. 
QUESTION 1204: 
What attack involves the perpetrator sending spoofed packet(s) with the SYN flag set to the 
victim's machine on any open port that is listening? 
A. Bonk attack 
B. Land attack 
C. Teardrop attack 
D. Smurf attack 
Answer: B 
Explanation: The Land attack involves the perpetrator sending spoofed packet(s) with the 
SYN flag set to the victim's machine on any open port that is listening. If the packet(s) 
contain the same destination and source IP address as the host, the victim's machine could 
hang or reboot. 
In addition, most systems experience a total freeze-up, where CTRL-ALT-DELETE fails to 
work, the mouse and keyboard become non-operational, and the only method of correction is to 
reboot via a reset button on the system or by turning the machine off. 
Vulnerable Systems: 
This will affect almost all Windows 95, Windows NT and Windows for Workgroups systems that 
are not properly patched and allow NetBIOS over TCP/IP. 
In addition, machines running services such as HTTP, FTP, Identd, etc. that do not filter 
packets containing the same source and destination IP address can still be vulnerable to attack 
through those ports. 
Prevention: 
This attack can be prevented for open / listening ports by filtering inbound packets containing 
the same source / destination IP address at the router or firewall level. 
For most home users not running a lot of services, and for those who use IRC, disabling the 
Identd server within their client will stop most attacks since the identd service (113) is becoming 
the most attacked service/port. 
QUESTION 1205: 
The beginning and the end of each transfer during asynchronous communication data transfer are 
marked by? 
A. Start and Stop bits. 
B. Start and End bits. 
C. Begin and Stop bits. 
D. Start and Finish bits. 
Answer: A 
Explanation: The ASYNCHRONOUS (ASYNC) format for data transmission is a 
procedure or protocol in which each information CHARACTER or BYTE is individually 
synchronized or FRAMED by the use of Start and Stop Elements, also referred to as 
START BITS and STOP BITS. The Asynchronous Transmission Format is also known as 
START-STOP mode or CHARACTER mode. Each character or byte is framed as a 
separate and independent unit of DATA that may be transmitted and received at irregular 
and independent time intervals. The characters or bytes may also be transmitted as a 
contiguous stream or series of characters. 
QUESTION 1206: 
Most of unplanned downtime of information systems is attributed to which of the 
following? 
A. Hardware failure 
B. Natural disaster 
C. Human error 
D. Software failure 
Answer: A 
Explanation: 
This is what the statistics say. Most downtime is caused by unexpected hardware 
failure. Commonly you just replace the FRU (field replaceable unit) when it fails. Well-written 
software usually does not fail if the hardware is running correctly. Human 
errors are controllable and natural disasters are infrequent. Hardware failure is very 
common, so it is good practice to keep spare disks, NICs and other hardware FRUs in 
your company to minimize downtime with quick replacements. 
QUESTION 1207: 
Raid that functions as part of the operating system on the file server 
A. Software implementation 
B. Hardware implementation 
C. Network implementation 
D. Netware implementation 
Answer: A 
Explanation: This kind of RAID is totally dependent on the operating system, because 
the server does not have any special hardware (a RAID controller) on the board. This 
kind of RAID implementation usually degrades performance because it takes many CPU 
cycles. A very common example of software RAID is the support for it in Windows 2000 
Server, where you can create RAID 0, 1 and 5 across heterogeneous disks; you can even 
make a RAID between one SCSI and one EIDE disk. The software implementation is 
hardware independent as long as the disks are recognized by the operating system. 
QUESTION 1208: 
During which phase of an IT system life cycle are security requirements developed? 
A. Operation 
B. Initiation 
C. Development 
D. Implementation 
Answer: C 
Explanation: 
The System Development Life Cycle is the process of developing information systems 
through investigation, analysis, design, implementation, and maintenance. The System 
Development Life Cycle (SDLC) is also known as Information Systems Development or 
Application Development. If you take a look at the standard IT system life cycle chart, you 
will see that everything that deals with security requirements is done at the "development" 
stage. In this stage you can create the access controls, the form of authentication to use and 
all the other security requirements. 
QUESTION 1209: 
Ensuring that printed reports reach proper users and that receipts are signed before releasing 
sensitive documents are examples of? 
A. Deterrent controls 
B. Output controls 
C. Information flow controls 
D. Asset controls 
Answer: B 
Explanation: Since we are dealing with printed reports, we are talking about output 
controls: printers produce output, and we can control it. As a best practice 
you can have people in the company dedicated to receiving the different print jobs in the 
printing center, and people who take care of the confidential information, requiring a 
signature from the sender stating that the document was delivered to the owner in a timely 
and secure fashion. 
QUESTION 1210: 
Non-Discretionary Access Control. A central authority determines what subjects can have access 
to certain objects based on the organizational security policy. The access controls may be based 
on? 
A. The societies role in the organization. 
B. The individual's role in the organization. 
C. The group-dynamics as they relate to the individual's role in the organization. 
D. The group-dynamics as they relate to the master-slave role in the organization. 
Answer: B 
Explanation: An access control model defines a computer and/or network system's rules 
for user access to information resources. Access control models provide confidentiality, 
integrity and also provide accountability through audit trails. An audit trail documents the 
access of an object by a subject with a record of what operations were performed. 
Operations include: read, write, execute and own. 
Non-Discretionary Access Control is usually role-based, centrally administered with 
authorization decisions based on the roles individuals have within an organization (e.g. bank 
teller, loan officer, etc. in a banking model). A system's security administrator grants and/or 
revokes system privileges based on a user's role. This model works well for corporations with a 
large turnover of personnel. 
QUESTION 1211: 
An effective information security policy should not have which of the following characteristics? 
A. Include separation of duties. 
B. Be designed with a short-to mid-term focus. 
C. Be understandable and supported by all stakeholders. 
D. Specify areas of responsibility and authority. 
Answer: B 
Explanation: This is not a very good practice, especially for the CISSP examination. When 
you plan and develop the security policy for your enterprise you should always plan it with 
a long-term focus. The policy should be created to last a long time, and you should 
only revise it periodically to reflect things that have changed. 
In a security policy the duties should be well specified, be understandable by the people involved 
in it, and specify areas of responsibility. 
QUESTION 1212: 
Which of the following statements pertaining to secure information processing facilities is 
incorrect? 
A. Walls should have an acceptable fire rating. 
B. Windows should be protected by bars. 
C. Doors must resist forcible entry. 
D. Location and type of fire suppression systems should be known. 
Answer: B 
Explanation: The correct answer can be determined through elimination. We need to have 
an acceptable fire rating for the walls; this is well known to any CISSP aspirant, because 
we need to contain a fire as much as we can. We also need resistant doors so that 
unauthorized people cannot enter easily by force. People also need to know 
about the fire suppression systems to be able to deal with a fire inside the facilities. As 
you can see, we should not protect windows with bars; this is a bad practice because, in the 
case of a fire, people cannot get out of the building through the windows. 
QUESTION 1213: 
Making sure that the data is accessible when and where it is needed is which of the following? 
A. Confidentiality 
B. Integrity 
C. Acceptability 
D. Availability 
Answer: D 
Explanation: This is one of the pillars of network security. We can say that data is 
available if we can access it when we need it. This is what the question refers to: 
availability means getting access to data when and where you need it. Confidentiality deals 
with encryption and data protection against third-party interception. Integrity deals with 
digital signatures and assures that the data has not changed. Acceptability is not a related 
term. 
QUESTION 1214: 
Business continuity plan development depends most on? 
A. Directives of Senior Management 
B. Business Impact Analysis (BIA) 
C. Scope and Plan Initiation 
D. Skills of BCP committee 
Answer: B 
Explanation: Business continuity is of course a vital activity. However, prior to the creation 
of a business continuity plan, it is essential to consider the potential impacts of disaster and 
to understand the underlying risks. It is now widely accepted that both business impact 
analysis and risk analysis are vital components of the business continuity process. 
However, many organizations are unsure of how to approach these important disciplines. 
BIA is important because it provides management level analysis by which an organization 
assesses the quantitative (financial) and qualitative (non-financial) impacts, effects and loss that 
might result if the organization were to suffer a Business Continuity E/I/C. The findings from a 
BIA are used to make decisions concerning Business Continuity Management strategy and 
solutions. 
QUESTION 1215: 
Which layer defines the X.25, V.35, X,21 and HSSI standard interfaces? 
A. Transport layer 
B. Network layer 
C. Data link layer 
D. Physical layer 
Answer: D 
Explanation: The Physical Layer is the layer that is concerned with the signaling of the 
message and the interface between the sender or receiver and the medium. The physical 
layer is generally defined by one of the standards bodies and carries a designation that 
indicates the characteristics of the connection. Among frequently used physical layers 
standards are EIA-232-D, ITU V.35, and some of the X series (X.21/X.21bis, for example). 
QUESTION 1216: 
Related to information security, availability is the opposite of which of the following? 
A. Delegation 
B. Distribution 
C. Documentation 
D. Destruction 
Answer: D 
Explanation: This is the correct term. Remember that availability refers to getting access to 
data when and where you need it. When we talk about destruction, we are saying the 
opposite: if your information is destroyed, you cannot access it when or where you 
want it. Delegation deals with permissions, distribution deals with deployment and 
documentation deals with information and how-tos. The term we are looking for here is 
definitely "destruction". 
QUESTION 1217: 
Which of the following is a disadvantage of a behavior-based ID system? 
A. The activity and behavior of the users while in the networked system may not be static 
enough to effectively implement a behavior-based ID system. 
B. The activity and behavior of the users while in the networked system may be dynamic enough 
to effectively implement a behavior-based ID system. 
C. The activity and behavior of the users while in the networked system may not be dynamic 
enough to effectively implement a behavior-based ID system. 
D. The system is characterized by high false negative rates where intrusions are missed. 
Answer: A 
Explanation: Behavior-based intrusion detection techniques assume that an intrusion can 
be detected by observing a deviation from normal or expected behavior of the system or 
the users. The model of normal or valid behavior is extracted from reference information 
collected by various means. The intrusion detection system later compares this model with 
the current activity. When a deviation is observed, an alarm is generated. In other words, 
anything that does not correspond to a previously learned behavior is considered intrusive. 
The high false alarm rate is generally cited as the main drawback of behavior-based 
techniques because the entire scope of the behavior of an information system may not be 
covered during the learning phase. Also, behavior can change over time, introducing the 
need for periodic online retraining of the behavior profile, resulting either in unavailability 
of the intrusion detection system or in additional false alarms. To get the most out of this 
kind of IDS you need very static behavior on your network and in user actions, 
because anything new is considered dangerous, producing many false positives but 
increased security. If you are in a very "dynamic" environment, this kind of IDS is 
not recommended. 
QUESTION 1218: 
Which of the following statements pertaining to VPN protocol standards is false? 
A. L2TP is a combination of PPTP and L2F. 
B. L2TP and PPTP were designed for single point-to-point client to server communication. 
C. L2TP operates at the network layer. 
D. PPTP uses native PPP authentication and encryption services. 
Answer: C 
Explanation: The Layer 2 Tunnel Protocol (L2TP) is an emerging Internet Engineering 
Task Force (IETF) standard that combines the best features of two existing tunneling 
protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling 
Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an 
important component for VPNs. VPNs allow users and telecommuters to connect to their 
corporate intranets or extranets. VPNs are cost-effective because users can connect to the 
Internet locally and tunnel back to connect to corporate resources. This not only reduces 
overhead costs associated with traditional remote access methods, but also improves 
flexibility and scalability. 
PPTP and L2TP are Layer 2 tunneling protocols; both encapsulate the payload in a 
Point-to-Point Protocol (PPP) frame to be sent across an intermediate network. 
QUESTION 1219: 
What is the most critical characteristic of a biometric identifying system? 
A. Perceived intrusiveness 
B. Storage requirements 
C. Accuracy 
D. Reliability 
Answer: C 
Explanation: The principle of biometrics is to use some unique characteristic to identify 
whether the person is who they say they are. Biometrics works by matching or verifying a 
person's unique traits with stored data in two categories: physiological characteristics and 
those that are behavioral. Physical indicators include iris, fingerprint, facial, or hand 
geometry. Behavior types are usually voiceprints, keystroke dynamics and handwritten 
signatures. Most biometric technologies require special hardware to convert analog 
measurements of signatures, voices, or patterns of fingerprints and palm prints, to digital 
measurement, which computers can read. 
The biggest characteristic and problem of biometric implementations today is accuracy. We 
must check the level of accuracy before buying a solution, because the technology is not perfect at 
this time and it can sometimes be erroneous. 
QUESTION 1220: 
RAID Software can run faster in the operating system because neither use the hardware-level 
parity drives by? 
A. Simple striping or mirroring. 
B. Hard striping or mirroring. 
C. Simple hamming code parity or mirroring. 
D. Simple striping or hamming code parity. 
Answer: A 
Explanation: 
This is true: if we do not use parity in our RAID implementation, as in RAID 1 (mirroring) 
or RAID 0 (striping), we can improve performance because the CPU does not need to waste 
cycles on parity calculations. For example, this can be achieved in Windows 2000 
Server through the use of RAID 0 (no fault tolerance, just striping in 64 KB chunks) or 
RAID 1 (mirroring through a file system driver). This is not the case for RAID 5, which 
actually uses parity to provide fault tolerance. 
QUESTION 1221: 
The guarantee that the message sent is the message received, and that the message was not 
intentionally or unintentionally altered is? 
A. Integrity 
B. Confidentiality 
C. Availability 
D. Identity 
Answer: A 
Explanation: Here are 2 definitions for Data Integrity: 
1. The condition existing when data is unchanged from its source and has not been accidentally 
or maliciously modified, altered, or destroyed. 
2. The condition in which data are identically maintained during any operation, such as transfer, 
storage, and retrieval. 
Availability refers to getting access to data when and where you need it. Confidentiality deals with 
encryption and data protection against third-party interception. Identity deals with authentication. 
QUESTION 1222: 
Which of the following is a preventive control? 
A. Motion detectors 
B. Guard dogs 
C. Audit logs 
D. Intrusion detection systems 
Answer: B 
Explanation: This is very obvious. Since we want to prevent something from happening, we 
can go out and buy some guard dogs to do the job. You are buying them because you 
want to prevent something from happening. The intruder will see the dogs and may turn 
back; this prevents an attack, so the dogs are a form of preventive control. Motion 
detectors and IDS are real-time (detective) controls, and audit logs are passive. 
QUESTION 1223: 
What uses a key of the same length as the message? 
A. Running key cipher 
B. One-time pad 
C. Steganography 
D. Cipher block chaining 
Answer: B 
Explanation: The one time pad is the most secure, and one of the simplest of all 
cryptographic methods. It was invented and patented just after World War I by Gilbert 
Vernam (of AT&T) and Joseph Mauborgne (USA, later chief of the Signal Corps). The 
fundamental features are that the sender and receiver each have a copy of an encryption 
key, which is as long as the message to be encrypted, and each key is used for only one 
message and then discarded. That key must be random, that is without pattern, and must 
remain unknown to any attacker. In addition, the key must never be reused, otherwise the 
cipher becomes trivially breakable. One of its defining features is the key length, which is the 
same as the length of the message. 
QUESTION 1224: 
Which of the following protocols operates at the session layer (layer 5)? 
A. RPC 
B. IGMP 
C. LDP 
D. SPX 
Answer: A 
Explanation: The socket method of network use is a message-based system, in which one 
process writes a message to another. This is a long way from the procedural model. 
The remote procedure call is intended to act like a procedure call, but to act across the network 
transparently. The process makes a remote procedure call by pushing its parameters and a return 
address onto the stack, and jumping to the start of the procedure. The procedure itself is 
responsible for accessing and using the network. After the remote execution is over, the 
procedure jumps back to the return address. The calling process then continues. RPC works at 
the Session layer of the OSI model. 
QUESTION 1225: 
Which of the following are NOT a countermeasure to traffic analysis? 
A. Padding messages 
B. Eavesdropping 
C. Sending noise 
D. Covert channel analysis 
Answer: B 
Explanation: Let's do this by elimination. With message padding you can 
counter traffic analysis because you add garbage information to the message so that it 
ends up at a fixed length, which can confuse the analyzer. Sending noise on the communication 
line can also counter analysis because the analyzer does not know how to 
differentiate between real information and noise. Covert channel analysis is also a 
countermeasure. Eavesdropping does not apply in this situation; it is not considered a 
countermeasure to traffic analysis. 
QUESTION 1226: 
Which of the following layers of the ISO/OSI model do packet filtering firewalls operate 
at? 
A. Application layer 
B. Session layer 
C. Network layer 
D. Presentation layer 
Answer: C 
Explanation: Packet filtering firewalls work at the network level of the OSI model, or the 
IP layer of TCP/IP. These firewalls are normally part of a router, which is a device that 
receives and forwards packets to networks. "In a packet filtering firewall each packet is 
compared to a set of criteria before it is forwarded. Depending on the packet and the 
criteria, the firewall can drop the packet, forward it, or send a message to the originator." 
The criteria used to evaluate a packet include source, destination IP address, destination 
port, and protocol used. These types of firewalls are low in cost and don't have much of an 
impact on the network's performance. 
QUESTION 1227: 
A prolonged high voltage is? 
A. Spike 
B. Blackout 
C. Surge 
D. Fault 
Answer: C 
Explanation: A surge is a prolonged spike; it occurs when the power level rises above 
normal levels and then drops back to normal in less than one second. A spike occurs when 
the power level rises above normal levels and stays there for more than 1 or 2 seconds. A 
blackout is the total loss of power, and a fault is the opposite of a spike: it is a lowering in 
the voltage, usually lasting around one second. The surge is the most dangerous of those listed 
above. 
QUESTION 1228: 
How do the Information Labels of Compartmented Mode Workstation differ from the Sensitivity 
Levels of B3 evaluated systems? 
A. Information Labels in CMW are homologous to Sensitivity Labels, but a different term was 
chosen to emphasize that CMW's are not described in the Orange Book. 
B. Information Labels contain more information than Sensitivity Labels, thus allowing more 
granular access decisions to be made. 
C. Sensitivity Labels contain more information than Information Labels because B3+ systems 
should store more sensitive data than workstations. 
D. Information Labels contain more information than Sensitivity Labels, but are not used by the 
Reference Monitor to determine access permissions. 
Answer: D 
Explanation: The primary goal of the compartmented mode workstation (CMW) project 
was to articulate the security requirements that workstations must meet to process highly 
classified intelligence data. As a basis for the validity of the requirements developed, a 
prototype was implemented which demonstrated that workstations could meet the 
requirements in an operationally useful manner while still remaining binary compatible 
with off-the-shelf software. The security requirements not only addressed traditional 
security concerns but also introduced concepts in areas such as labeling and the use of a 
trusted window management system. The CMW labeling paradigm is based on associating 
two types of security labels with objects: sensitivity levels and information labels. 
Sensitivity levels describe the levels at which objects must be protected. Information labels 
are used to prevent data over classification and also provide a mechanism for associating 
with data those markings that are required for accurate data labeling, but which play no 
role in access control decisions. The use of a trusted window manager allows users to easily 
operate at multiple sensitivity levels and provides a convenient mechanism for 
communicating security information to users in a relatively unobtrusive manner. 
Information labels are not used by the reference monitor; permissions are determined from the 
sensitivity labels. 
QUESTION 1229: 
In what security mode can a system be operating if all users have the clearance or authorization 
and need-to-know to all data processed within the system? 
A. Dedicated security mode. 
B. System-high security mode. 
C. Compartmented security mode. 
D. Multilevel security mode. 
Answer: A 
Explanation: An information-system (IS) security mode of operation wherein each user 
with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts 
has all of the following: (a) a valid security clearance for all information within the system; 
(b) formal access approval and signed nondisclosure agreements for all the information stored 
and/or processed (including all compartments, sub-compartments, and/or special access 
programs); and (c) a valid need-to-know for all information contained within the IS. When 
in the dedicated security mode, a system is specifically and exclusively dedicated to and 
controlled for the processing of one particular type or classification of information, either 
for full-time operation or for a specified period of time. 
QUESTION 1230: 
What are the three conditions that must be met by the reference monitor? 
A. Confidentiality, availability and integrity. 
B. Policy, mechanism and assurance. 
C. Isolation, layering and abstraction. 
D. Isolation, completeness and verifiability. 
Answer: D 
Explanation: These are the three main characteristics of a reference monitor. You need 
isolation, because it cannot be publicly accessible; the less access the better. It must be 
complete, mediating every access in the whole information and process cycle. It must be 
verifiable, to provide security, audit and accounting functions. 
QUESTION 1231: 
While referring to Physical Security, what does Positive pressurization mean? 
A. The pressure inside your sprinkler system is greater than zero. 
B. The air goes out of a room when a door is opened and outside air does not go into the room. 
C. Causes the sprinkler system to go off. 
D. A series of measures that increase pressure on employees in order to make them more 
productive. 
Answer: B 
Explanation: 
Positive pressurization is a condition that exists when more air is supplied to a space than 
is exhausted, so the air pressure within that space is greater than that in surrounding 
areas. This condition causes the situation described in answer B: air goes out of a room 
when a door is opened, but outside air does not come in. 
QUESTION 1232: 
The baseline sets certain thresholds for specific errors or mistakes allowed and the amount of 
these occurrences that can take place before it is considered suspicious? 
A. Checkpoint level 
B. Ceiling level 
C. Clipping level 
D. Threshold level 
Answer: C 
Explanation: According to the CISSP documentation, this is the proper term. The clipping 
level is used to determine how many occurrences of errors or mistakes are allowed before 
they are considered suspicious. Checkpoint level is not a related term. Ceiling level is not 
related to baselines. Threshold level is attractive, but is not the correct term. Take a look at 
your CISSP documentation. 
QUESTION 1233: 
The most prevalent cause of computer center fires is which of the following? 
A. AC equipment 
B. Electrical distribution systems. 
C. Heating systems 
D. Natural causes 
Answer: B 
Explanation: According to the statistics, this is the greatest cause. Electrical distribution 
systems, especially those not installed according to standards, are very prone to fail and start 
fires. AC equipment is not very prone to starting fires. Natural causes are a 
possibility but are definitely not the most prevalent cause. Heating systems are a very rare 
cause of fires. 
QUESTION 1234: 
An offsite backup facility intended to operate an information processing facility, having no 
computer or communications equipment, but having flooring, electrical wiring, air conditioning, 
etc., is better known as a? 
A. Hot site 
B. Duplicate processing facility 
C. Cold site 
D. Warm site 
Answer: C 
Explanation: A cold site has all the appropriate power requirements and floor space to 
install the hardware and to enable you to recreate your computer environment, but does 
not provide the actual equipment. Many of the companies that provide hot sites also 
provide cold sites. It may be reasonable for your company to consider creating its own cold 
site if your company has floor space available in a location other than the home site. Cold sites 
require much more downtime than hot sites before operations can be restored. 
QUESTION 1235: 
Which of the following are necessary components of a Multi-Level Security Policy? 
A. Sensitivity Labels and a "system high" evaluation. 
B. Sensitivity Labels and Discretionary Access Control. 
C. Sensitivity Labels and Mandatory Access Control. 
D. Object Labels and a "system high" evaluation. 
Answer: C 
Explanation: First implemented in military organizations (and I think even today it is 
implemented there only), this model was a significant improvement in terms of security 
policy implementation. This model made implementation of complex security policies very 
simple. Its specifications are present in the DoD Orange Book. In this model, every 
object is assigned a sensitivity label. Also, every user is assigned a sensitivity label. If a 
user's sensitivity label is greater than or equal to the object's sensitivity label, the user is allowed 
access to the object; otherwise, access is denied. This methodology is used for creating a 
hierarchy of access. We can say that this method is used for partitioning the organization 
hierarchy horizontally. 
Multi-Level Security is considered a Mandatory Access Control method. 
QUESTION 1236: 
Which of the following, used to extend a network, has a storage capacity to store frames 
and act as a store-and-forward device? 
A. Bridge 
B. Router 
C. Repeater 
D. Gateway 
Answer: A 
Explanation: A bridge is a network device that connects two similar network segments 
together. The primary function of a bridge is to keep traffic separated on both sides of the 
bridge. Traffic is allowed to pass through the bridge only if the transmission is intended for 
a station on the opposite side. Bridges operate at the data link layer of the OSI model and 
provide two different collision domains in Ethernet, but they only provide one broadcast 
domain for layer 3 and up of the OSI model. The bridge can store frames and forward them 
in several modes, such as cut-through and store-and-forward. 
QUESTION 1237: 
Which of the following is addressed by Kerberos? 
A. Authorization and authentication. 
B. Validation and integrity. 
C. Confidentiality and integrity. 
Answer: C 
Explanation: Kerberos is a network authentication protocol. It is designed to provide 
strong authentication for client/server applications by using secret-key cryptography. A 
free implementation of this protocol is available from the Massachusetts Institute of 
Technology. Kerberos is available in many commercial products as well. Kerberos was 
created by MIT as a solution to these network security problems. The Kerberos protocol 
uses strong cryptography so that a client can prove its identity to a server (and vice versa) 
across an insecure network connection. After a client and server have used Kerberos to 
prove their identity, they can also encrypt (confidentiality) all of their communications to 
assure privacy and data integrity as they go about their business. 
QUESTION 1238: 
Access Control techniques do not include which of the following choices? 
A. Relevant Access Controls 
B. Discretionary Access Control 
C. Mandatory Access Control 
D. Lattice Based Access Control 
Answer: A 
Explanation: Relevant Access Controls are not included as an Access Control Technique. 
Lattice-based access control models were developed in the early 1970s to deal with the 
confidentiality of military information. In the late 1970s and early 1980s, researchers applied 
these models to certain integrity concerns. Later, application of the models to the Chinese Wall 
policy, a confidentiality policy unique to the commercial sector, was demonstrated. 
Discretionary control is the most common type of access control mechanism implemented in 
computer systems today. The basis of this kind of security is that an individual user, or program 
operating on the user's behalf, is allowed to specify explicitly the types of access other users (or 
programs executing on their behalf) may have to information under the user's control. 
Discretionary Access control security differs from mandatory access control security in that it 
implements the access control decisions of the user. Mandatory controls are driven by the results 
of a comparison between the user's trust level or clearance and the sensitivity designation of the 
information. 
QUESTION 1239: 
Why is public key cryptography recommended for use in the process of securing facsimiles 
during transmission? 
A. Keys are never transmitted over the network. 
B. Data compression decreases key change frequency. 
C. Key data is not recognizable from facsimile data. 
D. The key is securely passed to the receiving machine. 
Answer: D 
Explanation: In this method of cryptography we use two keys, one to encrypt the data and 
another to decrypt it. In Public Key Cryptography, the users have a public and a private 
key; the public key is freely distributed and is usually published in a directory, while the 
private key must be kept secure. This allows the keys to pass in a secure fashion to the 
receiving machine, because the public key is not confidential and can be sent through a 
secure channel. You need to use a certification authority to make this kind of cryptography 
work. 
QUESTION 1240: 
Database views are not used to: 
A. Implement referential integrity. 
B. Implement least privilege. 
C. To implement content-dependent access restrictions. 
D. Implement need-to-know. 
Answer: A 
Explanation: A view is a display of one or more tables that shows the table data. You 
can even retrieve part of the table and display it to the user. Before a user is able to 
use a view, they must have permission on both the view and all dependent objects. Views 
can also be used to implement security; for example, you can create a view that only shows 3 
of the 5 columns contained in a table. Views are not used to provide integrity; for that you 
can use constraints, rules or other components of the database system. 
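The two points of the explanation side by side, as an added example that is not part of the question bank: a view that exposes only 3 of a table's 5 columns (least privilege / need-to-know), and a FOREIGN KEY constraint, not the view, being what enforces referential integrity. The schema, table names and rows are constructed for this example, and SQLite's in-memory database is assumed so it runs offline.

```python
"""Database views for need-to-know vs. constraints for integrity (added example).
Schema and data are constructed; uses the sqlite3 module from the standard library."""
import sqlite3

SCHEMA = """
CREATE TABLE departments (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE employees (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES departments(dept_id),  -- integrity lives here
    salary  INTEGER NOT NULL,
    ssn     TEXT NOT NULL
);
-- The view exposes 3 of the 5 employee columns; salary and ssn stay hidden.
CREATE VIEW employee_directory AS
    SELECT emp_id, name, dept_id FROM employees;
"""


def build_db() -> sqlite3.Connection:
    """Create the constructed schema and sample rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO departments VALUES (?, ?)",
                     [(1, "Finance"), (2, "IT")])
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)",
                     [(100, "Ada", 1, 90000, "000-00-0001"),
                      (101, "Linus", 2, 85000, "000-00-0002")])
    return conn


def view_columns(conn: sqlite3.Connection) -> list:
    """Column names a user querying only the view can see."""
    cur = conn.execute("SELECT * FROM employee_directory")
    return [col[0] for col in cur.description]


def directory_rows(conn: sqlite3.Connection) -> list:
    """Rows as seen through the view (no salary, no ssn)."""
    return conn.execute("SELECT * FROM employee_directory ORDER BY emp_id").fetchall()


def insert_orphan_employee(conn: sqlite3.Connection) -> bool:
    """Attempt to reference a department that does not exist. Returns True when the
    database refused the row: the FOREIGN KEY, not any view, provides this integrity."""
    try:
        conn.execute("INSERT INTO employees VALUES (?, ?, ?, ?, ?)",
                     (102, "Eve", 9, 1, "000-00-0003"))
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("view columns:", view_columns(db))
    print("directory:", directory_rows(db))
    print("orphan row rejected by FK constraint:", insert_orphan_employee(db))
```

In a server database the final step would be to grant users SELECT on the view only and nothing on the base table, which is what turns the column restriction into an enforced access control; SQLite has no GRANT, so the example stops at the view itself.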
QUESTION 1241: 
Which of the following is most concerned with personnel security? 
A. Management controls 
B. Operational controls 
C. Technical controls 
D. Human resources controls. 
Answer: B 
Explanation: Personnel security always has more to do with Operational controls; 
Operational controls provide the guidelines and the correct procedures to implement the 
different operations. Management controls are usually used only by managers. Human 
resources and Technical Controls are not related to personnel security as the question states. 
See the different control definitions in your CISSP documentation. 
QUESTION 1242: 
Which of the following statements pertaining to the Trusted Computer System Evaluation 
Criteria (TCSEC) is incorrect? 
A. With TCSEC, functionality and assurance are evaluated separately. 
B. TCSEC provides a means to evaluate the trustworthiness of an information system. 
C. The Orange book does not cover networks and communications. 
D. Data base management systems are not covered by the TCSEC. 
Answer: A 
Explanation: TCSEC does not separate functionality and assurance from evaluation. It 
makes them a combined criteria. Just to remember, The Trusted Computer System 
Evaluation Criteria (TCSEC) is a collection of criteria used to grade or rate the security 
offered by a computer system product. The TCSEC is sometimes referred to as "the 
Orange Book" because of its orange cover (Orange Book deals with networks and 
communications). The current version is dated 1985 (DOD 5200.28-STD, Library 
No. S225,711). The TCSEC, its interpretations and guidelines all have different color covers, 
and are sometimes known as the "Rainbow Series". Database management is also covered 
in TCSEC. 
The Orange Book is used to evaluate whether a product contains the security properties 
the vendor claims it does and whether the product is appropriate for a specific application 
or function. The Orange Book is used to review the functionality, effectiveness, and 
assurance of a product during its evaluation, and it uses classes that were devised to 
address typical patterns of security requirements. 
- Shon Harris, "CISSP All-in-One Exam Guide", 3rd Ed, p 302. 
QUESTION 1243: 
Which of the following could illegally capture network user passwords? 
A. Data diddling 
B. Sniffing 
C. Spoofing 
D. Smurfing 
Answer: B 
Explanation: Sniffing is the action of capturing the information going over the network. 
The most popular way of connecting computers is through Ethernet. The Ethernet protocol works 
by sending packet information to all the hosts on the same circuit. The packet header contains 
the proper address of the destination machine. Only the machine with the matching address is 
supposed to accept the packet. A machine that is accepting all packets, no matter what the packet 
header says, is said to be in promiscuous mode. Because, in a normal networking environment, 
account and password information is passed along Ethernet in clear-text, it is not hard for an 
intruder to put a machine into promiscuous mode and, by sniffing, compromise all the machines 
on the net by capturing passwords in an illegal fashion. 
QUESTION 1244: 
Which trusted facility management concept implies that two operators must review and approve 
the work of each other? 
A. Two-man control 
B. Dual control 
C. Double control 
D. Segregation control 
Answer: A 
Explanation: The proper term for this trusted facility management concept is "Two-man 
Control"; it means that two people must work and approve each other's work to provide 
increased security and eliminate the possibility that one of them alone could hurt the company. 
For example, they can only make changes to the system if both of them authenticate with their 
retina at the same time at the data center and enter their secret password. This kind of 
working arrangement is only used in highly secure environments; it is not very common. 
QUESTION 1245: 
There are more than 20 books in the Rainbow Series. Which of the following covers password 
management guidelines? 
A. Orange Book 
B. Green Book 
C. Red Book 
D. Lavender Book 
Answer: B 
Explanation: The DoD Password Management Guideline was published on 12 April 1985; it 
is also called the "Green Book" because of the color of its cover. Here is the password 
definition according to it: "A character string used to authenticate an identity. Knowledge 
of the password that is associated with a user ID is considered proof of authorization to use 
the capabilities associated with that user ID." 
QUESTION 1246: 
Which of the following is an IP address that is private (i.e. reserved for internal networks, and 
not a valid address to use on the Internet)? 
A. 172.5.42.5 
B. 172.76.42.5 
C. 172.90.42.5 
D. 172.16.42.5 
Answer: D 
Explanation: The IP address 172.16.42.5 is contained in a class B reserved network. IANA 
reserved the 172.16.0.0 through 172.31.255.255 networks for internal use; this range is 
not routable on the Internet and is commonly used in intranets. Class B networks are used in 
medium-sized networks. In class B networks, the two high order bits are always 10, and 
the remaining bits are used to define 16,384 networks, each with as many as 65,534 hosts 
attached. Examples of valid Class B networks include Microsoft and Exxon. 
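The range check from the explanation, as an added example that is not part of the question bank: it tests each answer option against the three RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which generalizes beyond the single 172.16/12 range the question is about) and also derives the legacy address class from the high-order bits, so the "two high order bits are 10" statement can be checked directly. Only the standard library `ipaddress` module is used.

```python
"""RFC 1918 private-range check and legacy class derivation (added example).
The address list below is constructed from the question's answer options."""
import ipaddress

# The three RFC 1918 private ranges; 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside any of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def legacy_class(addr: str) -> str:
    """Classful network class from the leading bits of the first octet:
    0 -> A, 10 -> B, 110 -> C, 1110 -> D (multicast), 1111 -> E (reserved)."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def classify(addrs) -> dict:
    """Map each address to (is_private, legacy_class)."""
    return {a: (is_rfc1918(a), legacy_class(a)) for a in addrs}


if __name__ == "__main__":
    # Constructed sample: the four answer options plus two boundary addresses.
    for addr, (private, cls) in classify(
            ["172.5.42.5", "172.76.42.5", "172.90.42.5", "172.16.42.5",
             "172.31.255.255", "172.32.0.1"]).items():
        print(f"{addr:16} class {cls}  {'private' if private else 'public'}")
```

The two boundary addresses show where the /12 ends: 172.31.255.255 is the last private address and 172.32.0.1, one step past it, is publicly routable even though it is still "172.x" and still class B.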
QUESTION 1247: 
How fast is private key cryptography compared to public key cryptography? 
A. 10 to 100 times faster. 
B. 100 to 1000 times faster. 
C. 1000 to 10000 times faster. 
D. 10000 to 20000 times faster. 
Answer: C 
Explanation: Since Private Key encryption (Symmetric) only has one key for 
encryption and decryption, you need to use an alternative way to pass the shared secret in a 
secure manner; nowadays this is usually done by telephone or some other secure method that 
does not involve the channel you are trying to secure. Also, since you need a different key to 
encrypt and decrypt every connection, the number of keys gets huge in a short time; for 
example, if we have 10 users trying to communicate between themselves, we have 100 
different encryption keys to manage. Private key encryption does have one advantage: the 
encryption is very fast, about 1000 to 10000 times faster than asymmetric encryption. 
QUESTION 1248: 
The continual effort of making sure that the correct policies, procedures and standards are in 
place and being followed is described as what? 
A. Due care 
B. Due concern 
C. Due diligence 
D. Due practice 
Answer: A 
Explanation: "Due care means that a company did all that it could have reasonably done to 
try and prevent security breaches, and also took the necessary steps to ensure that if a 
security breach did take place, the damages were reduced because of the controls or 
countermeasures that existed. Due care means that a company practiced common sense 
and prudent management practices with responsible actions. Due diligence means that the 
company properly investigated all of their possible weaknesses and vulnerabilities before 
carrying out any due care practices. 
The following list describes some of the actions required to show that due care is being properly 
practiced in a corporation: 
Adequate physical and logical access controls 
Adequate telecommunication security, which could require encryption 
Proper information, application, and hardware backups 
Disaster recovery and business continuity plans 
Periodic review, drills, tests, and improvement in disaster recovery and business continuity plans 
Properly informing employees of expected behavior and ramifications of not following these 
expectations 
Developing a security policy, standards, procedures, and guidelines 
Performing security awareness training 
Running updated antivirus software 
Periodically performing penetration test from outside and inside the network 
Implementing dial-back or preset dialing features on remote access applications 
Abiding by and updating external service level agreements (SLAs) 
Ensuring that downstream security responsibilities are being met 
Implementing measures that ensure software piracy is not taking place 
Ensuring that proper auditing and reviewing of those audit logs are taking place 
Conducting background checks on potential employees" 
Pg. 616 Shon Harris: CISSP Certification All-in-One Exam Guide 
QUESTION 1249: 
Which tape format type is mostly used for home/small office backups? 
A. Quarter Inch Cartridge drives (QIC) 
B. Digital Linear Tapes (DLT) 
C. 8mm tape 
D. Digital Audio Tape (DAT) 
Answer: A 
Explanation: QIC technology utilizes belt-driven dual-hub cartridges containing integral 
tape motion and guidance mechanisms, providing a rich spectrum of compatible solutions 
across a wide range of PC system platforms. QIC reliability is unsurpassed by any other 
removable storage technology. Reliability can be measured both in mean-time-between 
failure (MTBF) and, more practically, as a function of drive duty cycles. QIC has a 
worldwide installed base in excess of 15 million drives -- more than twice that of any 
alternate removable storage technology -- a level of acceptance that would have been 
unachievable without rock-solid reliability. QIC is the most common tape solution for 
SOHO. 
QUESTION 1250: 
In an organization, an Information Technology security function should: 
A. Be a function within the information systems function of an organization. 
B. Report directly to a specialized business unit such as legal, corporate security or insurance. 
C. Be lead by a Chief Security Officer and report directly to the CEO. 
D. Be independent but report to the Information Systems function. 
Answer: C 
Explanation: This is one of the best practices, because it is not good to be led by and report to 
the same person; in that case, that person could take possession of everything that is 
happening and hurt the enterprise, and we can't let that happen with security concerns. The 
best practice is to always be led by a different person than the one you report to; this can 
be checked in real life. As advice, always try to report to the highest person you can inside 
the company. 
QUESTION 1251: 
Who of the following is responsible for ensuring that proper controls are in place to address 
integrity, confidentiality, and availability of IT systems and data? 
A. Business and functional managers. 
B. IT Security practitioners. 
C. System and information owners. 
D. Chief information officer. 
Answer: C 
Explanation: This is true; the people who own the information and the equipment are the 
ones who need to ensure they are doing everything necessary to achieve integrity, confidentiality 
and availability. The security professionals can develop policies and show how to keep the 
environment secure, but it depends on the owners of the actual data to achieve the security. 
QUESTION 1252: 
The act of requiring two of the three factors to be used in the authentication process refers to? 
A. Two-Factor Authentication 
B. One-Factor Authentication 
C. Bi-Factor Authentication 
D. Double Authentication 
Answer: A 
Explanation: Two-Factor Authentication is a security process that confirms user identities 
using two distinctive factors-something you know, such as a Personal Identification 
Number (PIN), and something you have, such as a smart card or token. 
The overall strength of Two-Factor Authentication lies in the combination of both factors, 
something you know and something you have. 
QUESTION 1253: 
This type of backup management provides a continuous on-line backup by using optical or tape 
"jukeboxes", similar to WORMs, (Write Once, Read Many) 
A. Hierarchical Storage Management (HSM). 
B. Hierarchical Resource Management (HRM). 
C. Hierarchical Access Management (HAM). 
D. Hierarchical Instance Management (HIM). 
Answer: A 
Explanation: Hierarchical Storage Management originated in the mainframe world where 
it was used to minimize storage costs. The HSM name signifies that the software has the 
intelligence to move files along a hierarchy of storage devices that are ranked in terms of 
cost per megabyte of storage, speed of storage and retrieval, and overall capacity limits. 
Files are migrated along the hierarchy to less expensive forms of storage based on rules 
tied to the frequency of data access. File migration and retrieval is transparent to users. 
Two major factors, data access response time and storage costs, determine the appropriate 
combination of storage devices used in HSM. A typical three tier strategy may be 
composed of hard drives as primary storage on the file servers, rewritable optical as the 
secondary storage type, and tape as the final tertiary storage location. If faster access is 
required, a hard drive can be considered as an alternative to optical for secondary storage, 
and WORM (Write Once, Read Many) optical can also be implemented, in place of tape, as 
the final storage destination. 
QUESTION 1254: 
Which of the following elements is not included in a Public Key Infrastructure (PKI)? 
A. Timestamping 
B. Lightweight Directory Access Protocol (LDAP) 
C. Certificate revocation 
D. Internet Key Exchange (IKE) 
Answer: D 
Explanation: Public key cryptography is one mechanism that is often used to fulfill the 
security requirements necessary to conduct electronic transactions over public networks. 
PKI (public key infrastructure) and cryptography based solutions are taking the lead in secure 
e-commerce. PKI addresses nonrepudiation of identity using a dual-key encryption system that 
allows users to uniquely sign documents with a digital signature. Public key cryptography uses 
pairs of keys, each pair consisting of one public key and one private key. Information encrypted 
with one key in the pair can only be decrypted with the other key. LDAP is used to retrieve user 
information and timestamping to track changes over time. PKI also relies on certificates and 
CRLs (Certificate Revocation Lists) to discard compromised or expired digital certificates. 
QUESTION 1255: 
Which of the following best corresponds to the type of memory addressing where the address 
location that is specified in the program instruction contains the address of the final desired 
location? 
A. Direct addressing 
B. Indirect addressing 
C. Indexed addressing 
D. Program addressing 
Answer: B 
Explanation: Indirect addressing is an addressing mode found in many processors' instruction 
sets where the instruction contains the address of a memory location which contains the address 
of the operand (the "effective address"), or specifies a register which contains the effective 
address. Indirect addressing is often combined with pre- or post-increment or decrement 
addressing, allowing the address of the operand to be increased or decreased by one (or 
some specified number) either before or after using it. 
QUESTION 1256: 
Creation and maintenance of intrusion detection systems and processes is required for one of 
the following; identify it: 
A. Event nonrepudiation 
B. Event notification 
C. Netware monitoring 
D. Guest access 
Answer: B 
Explanation: There is not much to explain or comment on here; when you administer an 
IDS system you have to deal with the maintenance and creation of event notification 
processes, and these have to be reviewed periodically. This is a well known topic for any 
Intrusion detection system administrator. These notifications will save your life when your 
network is being attacked and you get real time notifications that will allow you to shut 
down your external interface before the attacker gets what he was looking for. 
QUESTION 1257: 
Which of the following is true related to network sniffing? 
A. Sniffers allow an attacker to monitor data passing across a network. 
B. Sniffers alter the source address of a computer to disguise and exploit weak authentication 
methods, 
C. Sniffers take over network connections. 
D. Sniffers send IP fragments to a system that overlap with each other. 
Answer: A 
Explanation: Sniffing is the action of capturing / monitoring the traffic going over the network. 
Because, in a normal networking environment, account and password information is passed 
along Ethernet in clear-text, it is not hard for an intruder to put a machine into promiscuous 
mode and, by sniffing, compromise all the machines on the net by capturing passwords in an 
illegal fashion. 
QUESTION 1258: 
Which of the following protocols is not implemented at the Internet layer of the TCP/IP protocol 
model? 
A. User datagram protocol (UDP) 
B. Internet protocol (IP) 
C. Address resolution protocol (ARP) 
D. Internet control message protocol (ICMP) 
Answer: A 
Explanation: UDP (User Datagram Protocol) is a communications method (protocol) that 
offers a limited amount of service when messages are exchanged between computers in a 
network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission 
Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the 
Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit 
(called a datagram) from one computer to another. Unlike TCP, however, UDP does not 
provide the service of dividing a message into packets (datagrams) and reassembling it at 
the other end. Specifically, UDP doesn't provide sequencing of the packets that the data 
arrives in. UDP is implemented at the Transport layer of the TCP/IP protocol model. 
QUESTION 1259: 
Which of the following is used to help business units understand the impact of a disruptive 
event? 
A. A risk analysis. 
B. A business impact assessment. 
C. A vulnerability assessment. 
D. A disaster recovery plan. 
Answer: B 
Explanation: A Business impact assessment can provide information, in combination with 
the BIA, to the different business units about how an attack can impact or disrupt the 
business. Every disaster recovery plan should include a study containing a BIA and a 
Business impact assessment to better understand what is going to happen in the case that a 
business continuity disruptive event takes place. 
QUESTION 1260: 
A contingency plan should address? 
A. Potential risks 
B. Residual risks 
C. Identified risks 
D. All of the above 
Answer: B 
Explanation: This is true; as stated in CISSP documentation, you should address any 
possible "Residual Risk" in your contingency plan to minimize business impact when you 
are in a downtime situation. The identified Risks and the Potential Risks are not identified 
there; they are identified earlier. 
QUESTION 1261: 
In the OSI/ISO model, at what level is SET (SECURE ELECTRONIC TRANSACTION 
PROTOCOL) provided? 
A. Application 
B. Network 
C. Presentation 
D. Session 
Answer: A 
Explanation: This protocol was created by VISA and MasterCard as a common effort to 
make the buying process over the Internet secure through the distribution line of those 
companies. It is located in layer 7 of the OSI model, the application layer. SET uses a 
system of locks and keys along with certified account IDs for both consumers and 
merchants. Then, through a unique process of "encrypting" or scrambling the information 
exchanged between the shopper and the online store, SET ensures a payment process that 
is convenient, private and most of all secure. 
QUESTION 1262: 
A packet filtering firewall looks at the data packet to get information about the source and 
destination addresses of an incoming packet, the session's communications protocol (TCP, UDP 
or ICMP), and the source destination application port for the? 
A. Desired service 
B. Dedicated service 
C. Delayed service 
D. Distributed service. 
Answer: A 
Explanation: This is true; packet filters look at the desired service port (remember that 
they are layer 3 devices). This is because you can have many different port 
numbers referenced in the destination port field of the different packets. You have to look for 
the well-known port numbers of the service desired; for example, look for port 80 for HTTP 
and port 21 for FTP. This is the correct terminology; see the features of Packet Filters in 
your CISSP documentation. 
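The header fields the explanation lists, turned into a small first-match packet filter as an added example (not code from the question bank or any firewall product). Rules match on source and destination address, the protocol (TCP, UDP or ICMP) and the destination port, with the well-known ports 80 (HTTP) and 21 (FTP) from the text; the addresses, ruleset and packets are constructed for this example. Because the filter sees only these layer 3/4 fields, a packet to port 80 is "HTTP" as far as it is concerned, whatever the payload actually carries.

```python
"""Packet-filter rule matching on addresses, protocol and destination port (added example).
Ruleset and sample packets are constructed; only the stdlib ipaddress module is used."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports an administrator writes rules for (constructed subset).
WELL_KNOWN = {"ftp": 21, "smtp": 25, "dns": 53, "http": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # ICMP carries no port number


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"         # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """All four header criteria must match for the rule to apply."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed ruleset: a web server and an FTP server reachable from anywhere,
# DNS allowed only from the internal subnet to one resolver, everything else denied.
RULES = [
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=WELL_KNOWN["http"]),
    Rule("allow", "tcp", dst="192.0.2.11/32", dport=WELL_KNOWN["ftp"]),
    Rule("allow", "udp", src="192.0.2.0/24", dst="198.51.100.53/32", dport=WELL_KNOWN["dns"]),
    Rule("deny"),                  # explicit catch-all, same effect as the implicit default
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 80),    # HTTP to the web server
        Packet("203.0.113.7", "192.0.2.10", "tcp", 23),    # telnet to the web server
        Packet("203.0.113.7", "192.0.2.11", "tcp", 21),    # FTP control channel
        Packet("192.0.2.10", "198.51.100.53", "udp", 53),  # internal host doing DNS
        Packet("203.0.113.7", "192.0.2.10", "icmp"),       # ping, no port
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src:>12} -> {p.dst:<14} port {p.dport}: {filter_packet(RULES, p)}")
```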
QUESTION 1263: 
Packet Filtering Firewalls system is considered a? 
A. First generation firewall. 
B. Second generation firewall. 
C. Third generation firewall. 
D. Fourth generation firewall. 
Answer: A 
Explanation: Firewall technology is a young but quickly maturing industry. The first 
generation of firewall architectures has been around almost as long as routers, first 
appearing around 1985 and coming out of Cisco's IOS software division. These firewalls are 
called packet filter firewalls. However, the first paper describing the screening process 
used by packet filter firewalls did not appear until 1988, when Jeff Mogul from Digital 
Equipment Corporation published his studies. At this time we are in the Fourth generation 
of firewall devices and software. 
QUESTION 1264: 
When should a post-mortem review meeting be held after an intrusion has been properly taken 
care of? 
A. Within the first three months after the investigation of the intrusion is completed. 
B. Within the first week after prosecution of intruders have taken place, whether successful or 
not. 
C. Within the first month after the investigation of the intrusion is completed. 
D. Within the first week of completing the investigation of the intrusion. 
Answer: D 
Explanation: As stated in CISSP documentation, you should hold post mortem review 
meetings after taking care of the intrusion, and no more than one week after the facts. It is 
not a good practice to wait longer than this; it is a matter of common sense too, as three 
months, one month or two weeks is too much time. 
QUESTION 1265: 
Which of the following can be used as a covert channel? 
A. Storage and timing. 
B. Storage and low bits. 
C. Storage and permissions. 
D. Storage and classification. 
Answer: A 
Explanation: Those are the proper elements; you can use these two to achieve a covert 
channel. Low bits is not a term related to covert channels. Permissions are related to 
authentication; they do not achieve what the question wants. Also, classification could not be 
selected as a correct choice. 
Check your official CISSP documentation to see what can be used as a covert channel. 
"An active variation on eavesdropping is called Covert Channel eavesdropping, which consists 
of using a hidden unauthorized network connection to communicate unauthorized information. A 
Covert Storage Channel operates by writing information to storage by one process and then 
reading by using another process from a different security level. A Covert Timing Channel 
signals information to another process by modulating its own resource use to affect the response 
time of another." Pg. 101 Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 1266: 
Which software development model is actually a meta-model that incorporates a number of the 
software development models? 
A. The Waterfall model. 
B. The modified Waterfall model. 
C. The Spiral model. 
D. The Critical Patch Model (CPM). 
Answer: C 
Explanation: 
The spiral model for software engineering has evolved to encompass the best features of 
the classic waterfall model, while at the same time adding an element known as risk 
analysis. The spiral model is more appropriate for large, industrial software projects and 
has four main blocks/quadrants. Each release or version of the software requires going 
through new planning, risk analysis, engineering and customer evaluation phases and this 
is illustrated in the model by the spiral evolution outwards from the center. For each new 
release of a software product, a risk analysis audit should be performed to decide whether 
the new objectives can be completed within budget (time and costs), and decisions have to 
be made about whether to proceed. The level of planning and customer evaluation is 
missing from the waterfall model which is mainly concerned with small software programs. 
The spiral model also illustrated the evolutionary development of software where a solution 
may be initially proposed which is very basic (first time round the loop) and then later 
releases add new features and possibly a more elaborate GUI. 
QUESTION 1267: 
What is not true with pre-shared key authentication within IKE / IPsec protocol: 
A. Pre-shared key authentication is normally based on simple passwords. 
B. Needs a PKI to work. 
C. Only one preshared key for all VPN connections is needed. 
D. Costly key management on large user groups. 
Answer: B 
Explanation: Pre-Shared Secret is usually used when both ends of the VPN lack access to 
a compatible certificate server. Once you have defined all the endpoints in your VPN, you 
can establish a password that is used to authenticate the other end of the connection, this is 
the Pre-Shared secret. Since you are using Pre-Shared key because you don't have an 
available / compatible certificate server, IPSEC and IKE do not need to use PKI in this 
case (that actually provides the certificate server infrastructure). 
QUESTION 1268: 
Which statement is NOT true concerning Application Control? 
A. It limits end users of applications in such a way that only particular screens are visible. 
B. Only specific records can be requested choice. 
C. Particular uses of the application can be recorded for audit purposes. 
D. Is non-transparent to the endpoint applications so changes are needed to the applications 
involved. 
Answer: D 
Explanation: Application control is transparent to endpoint applications 
when changes are needed; this is one of its features. With application control you can 
audit certain uses of the applications involved and request only specific records of your choice. 
There is also the possibility to limit the end users' applications so that only certain 
screens are visible. Check your CISSP documentation about Application Control. 
QUESTION 1269: 
In order to ensure the privacy and integrity of the data, connections between firewalls over 
public networks should use? 
A. Screened subnets 
B. Digital certificates 
C. Encrypted Virtual Private Networks 
D. Encryption 
Answer: C 
Explanation: This is the correct answer; since firewall does not mean "VPN", we have to 
select "Encrypted Virtual Private Networks". With a VPN and encryption we can provide 
secure communication between the endpoints in a way that is transparent to the users, achieving 
"Confidentiality". This confidentiality is achieved through encryption, and this encryption 
relies on encryption algorithms like AES, DES, CAST and others. Screened subnets are not 
related to securing data over public networks; a screened subnet is a place to put our network 
services accessible from the outside. Digital certificates do not provide confidentiality; they only 
provide integrity. 
QUESTION 1270: 
What is necessary for a subject to have write access to an object in a Multi-Level Security 
Policy? 
A. The subject's sensitivity label must dominate the object's sensitivity label. 
B. The subject's sensitivity label subordinates the object's sensitivity label. 
C. The subject's sensitivity label is subordinated by the object's sensitivity label. 
D. The subject's sensitivity label is dominated by the object's sensitivity label. 
Answer: A 
QUESTION 1271: 
What best describes a scenario when an employee has been shaving off pennies from multiple 
accounts and depositing the funds into his own bank account? 
A. Data fiddling 
B. Data diddling 
C. Data hiding 
D. Data masking 
Answer: B 
Explanation: This kind of attack involves altering the raw data just before it is 
processed by a computer and then changing it back after the processing is completed. This 
kind of attack was used in the past to do what is stated in the question: steal small 
quantities of money and transfer them to the attacker's account. See "Data diddling 
crimes" on the Web. 
The most correct answer is 'Salami', but since that is not an option the most correct answer is 
data diddling. 
"A salami attack is committing several small crimes with the hope that the overall larger crime 
will go unnoticed. ....An example would be if an employee altered a banking software program 
to subtract 5 cents from each of the bank's customers' accounts once a month and moved this 
amount to the employee's bank account. If this happened to all of the bank's 50,000 customer 
accounts, the intruder could make up to $ 30,000 a year. 
Data diddling refers to the alteration of existing data. Many times this modification happens 
before it is entered into an application or as soon as it completes processing and is outputted 
from an application. 
There was an incident in 1997, in Maryland, where a Taco Bell employee was sentenced to ten 
years in jail because he reprogrammed the drive-up window cash register to ring up ever 42.99 
order as one penny. He collected the full amount from the customer, put the penny in the till, and 
pocketed the other $2.98. He made $3600 before his arrest." 
Pg. 602-603 Shon Harris: All-In-One CISSP Certification Exam Guide 
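Added example (not from the original question bank or the quoted book): detection logic for the salami pattern described above, run over a constructed ledger. The account numbers, amounts and thresholds are made up for the example; the point is that no single transfer looks suspicious and the signal is the fan-in of tiny amounts from many unrelated source accounts into one beneficiary.

```python
from collections import defaultdict

# Constructed ledger: (source_account, beneficiary_account, amount_cents).
# All account numbers and amounts are invented for this example.
TRANSACTIONS = [
    # ordinary activity: normal-sized payments and one small one-off payment
    ("ACC-1001", "ACC-2001", 12_500),
    ("ACC-1002", "ACC-2001", 4_999),
    ("ACC-1009", "ACC-3003", 7),
    # salami pattern: a few cents shaved from many accounts into one beneficiary
    ("ACC-1001", "ACC-7777", 5),
    ("ACC-1002", "ACC-7777", 5),
    ("ACC-1004", "ACC-7777", 4),
    ("ACC-1005", "ACC-7777", 5),
    ("ACC-1006", "ACC-7777", 6),
]


def find_salami_beneficiaries(transactions, max_cents=10, min_sources=3):
    """Return beneficiaries that collect sub-threshold amounts from many distinct sources.

    Each transfer on its own is below any reasonable alerting threshold; the
    indicator is the number of unrelated accounts feeding a single destination.
    """
    sources = defaultdict(set)   # beneficiary -> set of source accounts
    totals = defaultdict(int)    # beneficiary -> cents collected
    for src, dst, cents in transactions:
        if src == dst or cents > max_cents:
            continue             # not a micro-transfer to a third party
        sources[dst].add(src)
        totals[dst] += cents
    return {
        dst: {"distinct_sources": len(srcs), "total_cents": totals[dst]}
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


def projected_annual_take(report, periods_per_year=12):
    """Scale one period's take to a year, as in the 5 cents x 50,000 accounts x 12 months figure."""
    return {dst: r["total_cents"] * periods_per_year for dst, r in report.items()}


if __name__ == "__main__":
    flagged = find_salami_beneficiaries(TRANSACTIONS)
    for dst, info in flagged.items():
        print(f"{dst}: {info['distinct_sources']} sources, {info['total_cents']} cents this period")
    print("projected per year (cents):", projected_annual_take(flagged))
```

The single 7-cent payment from ACC-1009 is not flagged: one source account is not a pattern. Thresholds like `max_cents` and `min_sources` would be tuned against the institution's real transaction mix.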
QUESTION 1272: 
Which of the following is unlike the other three? 
A. El Gamal 
B. Teardrop 
C. Buffer Overflow 
D. Smurf 
Answer: A 
Explanation: Options B, C and D are attacks; ElGamal is a public-key cryptosystem (encryption 
and digital signatures) whose security rests on the discrete logarithm problem, the same problem 
that underlies Diffie-Hellman key exchange. Teardrop sends overlapping or malformed IP 
fragments that crash vulnerable reassembly code; Smurf sends ICMP echo requests with a 
spoofed source address to broadcast addresses so that the amplified replies flood the victim; 
both are denial-of-service attacks. A buffer overflow writes past the end of a fixed-size buffer 
and corrupts adjacent memory; depending on the target this crashes the process (denial of 
service) or lets the attacker hijack execution. 
QUESTION 1273: 
Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud 
manipulates the line voltage to receive a toll-free call? 
A. Red Boxes 
B. Blue Boxes 
C. White Boxes 
D. Black Boxes 
Answer: D 
Explanation: A black box is a device attached to the called party's line that manipulates the line 
voltage so that the exchange never registers the call as answered, and the caller is therefore not 
billed. It was usable only for short calls; a connection left unbilled for around half an hour drew 
the phone company's attention. 
The red box simulates the tones generated when coins are dropped into a payphone, so the 
switch believes payment was made; the traditional design used a pair of Wien-bridge oscillators 
timed by 555 timer chips. The blue box, the box that started the phreaking scene and is 
associated with John Draper (aka "Captain Crunch"), generates the 2600 Hz supervisory tone 
and the in-band signalling tones used on AT&T's long-distance trunks, letting the user seize a 
trunk and place free calls. The white box is simply a portable touch-tone (DTMF) keypad, and is 
commonly sold in phone shops. 
QUESTION 1274: 
Which of the following groups represents the leading source of computer crime losses? 
A. Hackers 
B. Industrial saboteurs 
C. Foreign intelligence officers 
D. Employees 
Answer: D 
Explanation: Computer crime surveys have historically attributed the largest share of losses to 
insiders: employees already hold authorized access, know where the valuable data is, and are 
trusted. When protecting an infrastructure, give internal security (least privilege, separation of 
duties, monitoring of privileged activity) the same weight as the perimeter defenses aimed at 
outside hackers. 
QUESTION 1275: 
Which of the following steps should be performed first in a business impact analysis (BIA)? 
A. Identify all business units within the organization. 
B. Evaluate the impact of disruptive events. 
C. Estimate the Recovery Time Objectives (RTO). 
D. Evaluate the criticality of business functions. 
Answer: A 
Explanation: A business impact analysis identifies the business functions, the processes and 
systems they rely on, and the impact (including the financial loss) of those systems being 
unavailable. The first step is to identify the business units of the organization, because the 
critical functions, their dependencies and the tolerable downtime can only be assessed once it is 
known which units exist and what they do. Evaluating criticality, estimating losses and 
downtime costs, and setting recovery time objectives follow from that inventory. 
QUESTION 1276: 
Which of the following embodies all the detailed actions that personnel are required to follow? 
A. Standards 
B. Guidelines 
C. Procedures 
D. Baselines 
Answer: C 
Explanation: Dictionary definitions of procedure: 
1. A manner of proceeding; a way of performing or effecting something: standard procedure. 
2. A series of steps taken to accomplish an end: a medical procedure; evacuation procedures. 
3. A set of established forms or methods for conducting the affairs of an organized body such as 
a business, club, or government. 
Procedures are the detailed, step-by-step actions personnel must follow. Standards specify 
mandatory technologies or settings, baselines define a minimum level of security, and guidelines 
are recommendations rather than requirements. 
QUESTION 1277: 
Immune to the effects of electromagnetic interference (EMI) and therefore has a much longer 
effective usable length (up to two kilometers in some cases) is? 
A. Coaxial cable 
B. Twisted Pair cable 
C. Axial cable 
D. Fiber Optic cable 
Answer: D 
Explanation: Fiber optic cable carries information as pulses of light confined to a glass core by 
total internal reflection, not as electrical signals, so it is not affected by EMI (electromagnetic 
interference) the way copper media such as 10Base5 and 10Base2 coaxial or twisted pair are, 
and EMI does not limit its transmission distance. Fiber supports much greater distances between 
endpoints than any copper transmission method. Examples of fiber standards are 100Base-FX 
and 1000Base-SX/LX. 
QUESTION 1278: 
Which of the following is the most reliable, secure means of removing data from magnetic 
storage media such as a magnetic tape, or cassette? 
A. Degaussing 
B. Parity Bit Manipulation 
C. Certification 
D. Buffer overflow 
Answer: A 
Explanation: An alternating current (AC) bulk eraser (degausser) is used for complete erasure of 
data and other signals on magnetic media. Degaussing exposes the media to a powerful 
alternating magnetic field strong enough to saturate it; the field is then slowly withdrawn or 
reduced, leaving the media in a magnetically randomized (blank) state with no trace of the 
previously written data. Degaussing a modern hard disk also destroys its servo tracks, so the 
drive is unusable afterwards; tapes and cassettes can generally be reused. 
QUESTION 1279: 
Which of the following is an advantage of prototyping? 
A. Prototype systems can provide significant time and cost savings. 
B. Change control is often less complicated with prototype systems. 
C. It ensures that functions or extras are not added to the intended system. 
D. Strong internal controls are easier to implement. 
Answer: A 
Explanation: The Prototype Phase is also called the "Proof of Concept" Phase. Whether 
it's called one or the other depends on what the creator is trying to "prove." If the main 
deliverable of the Phase includes a working version of the product's technical features, it's 
a "prototype." If the main deliverable just looks like it has the product's technical features, 
then it's a "proof of concept." 
Prototypes can save time and money because you can test some functionality earlier in the 
process. You don't have to make the whole final product to begin testing it. 
QUESTION 1280: 
The IS security analyst's participation in which of the following system development life cycle 
phases provides maximum benefit to the organization? 
A. System requirements definition. 
B. System design. 
C. Program development. 
D. Program testing. 
Answer: A 
Explanation: Security involvement delivers the most value in the requirements definition phase, 
where security requirements can be stated before any design or code exists. Requirements 
missed at this point have to be retrofitted into the design and the code later, which is far more 
expensive (compare Question 1289: a system designed for security from the outset is the most 
effective and economical). 
QUESTION 1281: 
Controls are implemented to? 
A. Eliminate risk and reduce the potential for loss. 
B. Mitigate risk and eliminate the potential for loss. 
C. Mitigate risk and reduce the potential for loss. 
D. Eliminate risk and eliminate the potential for loss. 
Answer: C 
Explanation: Controls cannot eliminate risk; some residual risk always remains. Their purpose is 
to mitigate risk (reduce the likelihood that a threat exploits a vulnerability) and to reduce the 
potential for loss (limit the impact when an event does occur). Any security professional, CISSP 
or not, should reduce risk as far as is cost-effective and then accept and document what remains. 
QUESTION 1282: 
A circuit level gateway is ________ when compared to an application level firewall. 
A. Easier to maintain. 
B. More difficult to maintain. 
C. More secure. 
D. Slower 
Answer: A 
Explanation: A circuit level gateway validates connections at the session layer (TCP handshake, 
ports, session state) without inspecting application content, so it is simpler to configure and 
maintain. An application level firewall inspects traffic up to layer 7 of the OSI model and needs a 
proxy and a configuration for each protocol it handles; it is therefore more complex to maintain, 
slower, and more secure than a circuit level gateway. 
QUESTION 1283: 
In IPSec, if the communication mode is gateway-gateway or host-gateway: 
A. Only tunnel mode can be used. 
B. Only transport mode can be used. 
C. Encapsulating Security Payload (ESP) authentication must be used. 
D. Both tunnel and transport mode can be used. 
Answer: A 
Explanation: IPsec transport mode protects only the payload of the original IP packet and leaves 
the original header in place, so it is only appropriate between the two end hosts that both 
understand IPsec. When either end of the security association is a security gateway 
(gateway-to-gateway or host-to-gateway), the whole original packet must be encapsulated in a 
new IP packet addressed to the gateway, which is tunnel mode; RFC 2401 makes tunnel mode 
mandatory in that case. ESP (Encapsulating Security Payload) provides confidentiality and, 
optionally, integrity and authentication, while AH provides integrity and authentication; either 
can be used in transport or tunnel mode, separately or together, so option C is not a requirement. 
QUESTION 1284: 
Which integrity model defines a constrained data item, an integrity verification procedure and a 
transformation procedure? 
A. The Take-Grant model 
B. The Biba integrity model 
C. The Clark Wilson integrity model 
D. The Bell-LaPadula integrity model 
Answer: C 
Explanation: The Clark-Wilson model was developed to address integrity in commercial 
environments. It uses two categories of mechanism: well-formed transactions and separation of 
duty. Data whose integrity must be preserved are constrained data items (CDIs); an integrity 
verification procedure (IVP) checks that all CDIs are in a valid state, and a transformation 
procedure (TP) is the only means by which a CDI may be changed, taking the system from one 
valid state to another. Access is expressed as triples of user, TP and CDI, so a user can change a 
CDI only through a TP he or she is authorized to run on it. One way to enforce that only trusted 
programs modify objects is an application:checksum condition, where the checksum ensures the 
authenticity of the application; another is an application:endorser condition, requiring a valid 
certificate stating that the application has been endorsed by the named endorser. Static 
separation of duty is enforced by the security administrator when assigning group membership; 
dynamic separation of duty controls how permissions are used at access time. 
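Added example, not part of the original question bank: a toy Clark-Wilson enforcement layer. The CDIs are account balances, the IVP checks that the books balance, a transfer is the well-formed TP, and a table of access triples decides which user may run which TP on which CDIs. The user, account and TP names are assumptions made for the illustration.

```python
class IntegrityError(Exception):
    """Raised when an enforcement rule or the IVP fails."""


class Ledger:
    """Constrained data items (CDIs): balances whose sum must never change."""

    def __init__(self, balances: dict):
        self._cdi = dict(balances)
        self._expected_total = sum(balances.values())

    def ivp(self) -> bool:
        # Integrity verification procedure: the CDIs are valid when the books balance.
        return sum(self._cdi.values()) == self._expected_total

    def balance(self, acct: str) -> int:
        return self._cdi[acct]


# Transformation procedures (TPs): the only code allowed to touch CDIs.
def tp_transfer(ledger: Ledger, src: str, dst: str, cents: int) -> None:
    if cents <= 0 or ledger._cdi[src] < cents:
        raise IntegrityError("invalid transfer")
    ledger._cdi[src] -= cents
    ledger._cdi[dst] += cents          # well-formed: the total is unchanged


def tp_bad_credit(ledger: Ledger, acct: str, cents: int) -> None:
    ledger._cdi[acct] += cents         # creates money from nothing: not well-formed


# Access triples (user, TP, CDIs the TP may touch); assumed for the example.
TRIPLES = {
    ("teller", "transfer", frozenset({"acct_a", "acct_b"})),
    ("teller", "bad_credit", frozenset({"acct_a"})),
}
TPS = {"transfer": tp_transfer, "bad_credit": tp_bad_credit}


def run_tp(user: str, tp_name: str, ledger: Ledger, *accounts: str, cents: int) -> bool:
    """Check the access triple, run the TP, then run the IVP; roll back on any failure."""
    authorized = any(u == user and t == tp_name and set(accounts) <= cdis
                     for u, t, cdis in TRIPLES)
    if not authorized:
        raise IntegrityError(f"{user} may not run {tp_name} on {accounts}")
    snapshot = dict(ledger._cdi)          # last known valid state
    try:
        TPS[tp_name](ledger, *accounts, cents)
        if not ledger.ivp():
            raise IntegrityError(f"{tp_name} left the CDIs in an invalid state")
        return True
    except IntegrityError:
        ledger._cdi = snapshot            # restore the valid state before re-raising
        raise


if __name__ == "__main__":
    books = Ledger({"acct_a": 1000, "acct_b": 500})
    run_tp("teller", "transfer", books, "acct_a", "acct_b", cents=200)
    print("after transfer:", books.balance("acct_a"), books.balance("acct_b"), books.ivp())
    for user, tp, accts in [("teller", "bad_credit", ("acct_a",)),
                            ("auditor", "transfer", ("acct_a", "acct_b"))]:
        try:
            run_tp(user, tp, books, *accts, cents=50)
        except IntegrityError as e:
            print("rejected:", e)
```

The IVP is what catches `tp_bad_credit`: the TP is authorized for the teller, but it is not well-formed, so the state it produces fails verification and is rolled back. A real system would also certify each TP before deployment rather than relying on the run-time IVP alone.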
QUESTION 1285: 
Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is 
incorrect? 
A. In order to facilitate recovery, a single plan should cover all locations. 
B. There should be requirements to form a committee to decide a course of action. 
These decisions should be made ahead of time and incorporated into the plan. 
C. In its procedures and tasks, the plan should refer to functions, not specific individuals. 
D. Critical vendors should be contacted ahead of time to validate equipment can be obtained in a 
timely manner. 
Answer: A 
Explanation: A single plan covering all locations is not the recommended practice. A disaster 
usually affects one site, so each location should have its own plan: when a site is hit, its staff 
follow the plan for that site without wading through procedures for facilities that are unaffected. 
The other statements reflect accepted BCP/DRP practice: decisions are made in advance rather 
than by a committee during the crisis, the plan names roles rather than individuals, and critical 
vendors are engaged ahead of time. 
QUESTION 1286: 
What are suitable protocols for securing VPN connections? 
A. S/MIME and SSH 
B. TLS and SSL 
C. IPsec and L2TP 
D. PKCS# and X.509 
Answer: C 
Explanation: Both can be used to build VPNs, and they are commonly combined. The Layer 2 
Tunneling Protocol (L2TP), standardized by the IETF in RFC 2661, merges the best features of 
Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP); it 
extends the Point-to-Point Protocol (PPP) to tunnel layer 2 frames over an IP network so that 
remote users and telecommuters can reach the corporate intranet or extranet. L2TP itself 
provides no encryption, which is why it is normally run over IPsec (L2TP/IPsec). IPsec is a suite 
of IETF standards for protecting IP communications over public networks; its services are 
confidentiality (encryption), authenticity (proof of sender), integrity (detection of tampering) 
and replay protection (defense against unauthorized re-sending of data). It operates at layer 3 of 
the OSI model and is the most widely used protocol for VPNs. Of the other options, TLS/SSL are 
session-layer protocols (the basis of SSL VPN products, but not the pair the question expects), 
S/MIME secures e-mail, SSH secures terminal sessions, and PKCS and X.509 are certificate and 
cryptographic message standards rather than tunneling protocols. 
QUESTION 1287: 
Which of the following questions is less likely to help in assessing identification and 
authentication controls? 
A. Is a current list maintained and approved of authorized users and their access? 
B. Are passwords changed at least every ninety days or earlier if needed? 
C. Are inactive user identifications disabled after a specified period of time? 
D. Is there a process for reporting incidents? 
Answer: D 
Explanation: Identification and authentication controls concern who the users are and how they 
prove it. Maintaining an approved list of authorized users and their access, enforcing password 
change intervals, and disabling inactive user IDs all bear directly on that; the list of authorized 
users in particular is what lets you spot unauthorized accounts and activity. A process for 
reporting incidents belongs to incident response and says nothing about how users are identified 
or authenticated, so it is the question least likely to help. 
QUESTION 1288: 
The primary purpose for using one-way encryption of user passwords within a system is which 
of the following? 
A. It prevents an unauthorized person from trying multiple passwords in one logon attempt. 
B. It prevents an unauthorized person from reading or modifying the password list. 
C. It minimizes the amount of storage required for user passwords. 
D. It minimizes the amount of processing time used for encrypting passwords. 
Answer: B 
Explanation: A one-way function (a cryptographic hash) cannot be reversed: from the stored 
hash there is no key or algorithm that recovers the original password. Someone who obtains the 
password file therefore sees only hash values and learns no passwords, and with a per-user salt 
and a slow, iterated hash (PBKDF2, bcrypt, scrypt) offline guessing becomes expensive as well. 
The exam answer groups reading and modifying together; in practice the hash protects against 
reading, while file permissions and integrity monitoring protect the list against modification. 
Hashing does not limit the number of login attempts (A), and although a fixed-length hash may 
be compact (C) and quick to compute (D), those are side effects rather than the purpose. 
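Added example, not from the original question bank: salted, iterated one-way hashing of passwords with PBKDF2 from Python's standard library, with constant-time verification and a check for records hashed under an older, weaker setting. The record format, the iteration count and the sample passwords are choices made for this example.

```python
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 100_000   # raise over time as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algo = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True if the record was produced with weaker parameters than the current policy."""
    scheme, iterations, _, _ = record.split("$")
    return scheme != f"pbkdf2_{ALGORITHM}" or int(iterations) < ITERATIONS


if __name__ == "__main__":
    # Constructed sample store; there is no way back from these records to the passwords.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),   # same password, different salt
    }
    for user, record in store.items():
        print(user, record[:60] + "...")
    print("alice login ok:", verify_password("correct horse battery staple", store["alice"]))
    print("bob wrong pw:  ", verify_password("Tr0ub4dor&3", store["bob"]))
    print("alice == bob:  ", store["alice"] == store["bob"])
```

On a successful login, a record for which `needs_rehash` returns true is the moment to recompute it with the current parameters, since that is the only time the plaintext is available.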
QUESTION 1289: 
The security of a computer application is most effective and economical in which of the 
following cases? 
A. The system is optimized prior to the addition of security. 
B. The system is procured off-the-shelf. 
C. The system is customized to meet the specific security threat. 
D. The system is designed originally to provide the necessary security. 
Answer: D 
Explanation: If security is designed in from the start, it is cheaper and more effective in the end: 
there is no need to re-analyze, re-code and restructure the application to fit security in later. 
Retrofitting security means spending time and money reviewing existing code to find somewhere 
to attach controls, and the result is rarely as coherent as a design that had security as a 
requirement from the beginning. 
QUESTION 1290: 
In the following choices there is one that is a typical biometric characteristics that is not used to 
uniquely authenticate an individual's identity? 
A. Retina scans 
B. Iris scans 
C. Palm scans 
D. Skin scans 
Answer: D 
Explanation: Retina, iris and palm scans each measure features that differ between individuals: 
the retinal blood-vessel pattern and the iris texture are unique to the person (and differ even 
between a person's two eyes), and palm scans use the pattern of creases, ridges and veins of the 
hand. "Skin scan" is not a biometric: skin has no measurable characteristic that distinguishes two 
individuals with acceptable accuracy. 
QUESTION 1291: 
Which of the following proves or disproves a specific act though oral testimony based on 
information gathered through the witness's five senses? 
A. Direct evidence 
B. Circumstantial evidence 
C. Conclusive evidence 
D. Corroborative evidence 
Answer: A 
Explanation: Direct evidence proves or disproves a specific fact by itself, without inference: an 
oral testimony of what the witness personally saw, heard or otherwise perceived through the five 
senses. Circumstantial evidence establishes a fact only by inference from other facts; 
corroborative evidence supplements other evidence rather than standing on its own; conclusive 
evidence is irrefutable and needs no other support. 
QUESTION 1292: 
Which of the following would be defined as an absence of safeguard that could be exploited? 
A. A threat 
B. A vulnerability 
C. A risk 
D. An exposure 
Answer: B 
Explanation: A vulnerability is the absence or weakness of a safeguard that could be exploited. 
A threat is a potential event or actor that could exploit it, risk is the likelihood that a threat 
exploits a vulnerability combined with the resulting impact, and an exposure is an instance of 
being subject to loss because of a vulnerability. No system is free of vulnerabilities and risk 
cannot be reduced to zero, but patching and hardening reduce the chance that a threat turns into 
a successful attack through one of them. 
QUESTION 1293: 
Which of the following is a LAN transmission protocol? 
A. Ethernet 
B. Ring topology 
C. Unicast 
D. Polling 
Answer: C 
Reference: "LAN Transmission Methods. LAN data is transmitted from the sender to one or 
more receiving stations using either a unicast, multicast, or broadcast transmission." pg 528 
Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 1294: 
Why would a database be denormalized? 
A. To ensure data integrity. 
B. To increase processing efficiency. 
C. To prevent duplication of data. 
D. To save storage space. 
Answer: B 
Explanation: Denormalization is the process of attempting to optimize the performance of 
data storage by adding redundant data. It is necessary because current DBMSs are not 
fully relational. A fully relational DBMS would be able to preserve full normalization at 
the logical level, while allowing it to be mapped to performance-tuned physical level. 
Database designers often justify denormalization on performance issues, but they should 
note that logical denormalization can easily break the consistency of the database, one of 
the all-important ACID properties. However, a designer can achieve the performance benefits 
while retaining consistency by performing denormalization at the physical level; such 
denormalization is often called caching. 
QUESTION 1295: 
Under "Named Perils" form of Property insurance 
A. Burden of proof that particular loss is covered is on Insurer. 
B. Burden of proof that particular loss is not covered is on Insurer. 
C. Burden of proof that particular loss is covered is on Insured. 
D. Burden of proof that particular loss is not covered is on Insured. 
Answer: C 
Explanation: 
Here is something on "Named Perils" for your understanding: "Named Perils is a formal 
and specific listing of perils covered in a policy providing property insurance. A policy 
covering for damage by fire is said to cover for "the named peril" of fire". As you can see, 
Answer C is correct. 
QUESTION 1296: 
The following is not true: 
A. Since the early days of mankind humans have struggled with the problems of protecting 
assets. 
B. The addition of a PIN keypad to the card reader was a solution to unreported card or lost card 
problem. 
C. There has never been of problem of lost keys. 
D. Human guard is an inefficient and sometimes ineffective method of protecting resources. 
Answer: C 
Explanation: Statement C is plainly false: lost keys have always been a problem, anywhere 
physical keys are used. Some losses matter more than others; losing the key to the company safe 
is not the same as losing the key to the locker that holds your shoes. The other three statements 
are true, including the one about guards: 
"Unfortunately, using security guards is not a perfect solution. There are numerous 
disadvantages to deploying, maintaining, and relying upon security guards. Not all environments 
and facilities support security guards. This may be due to actual human incompatibility with the 
layout, design, location, and construction of the facility. Not all security guards are themselves 
reliable. Prescreening, bonding, and training does not guarantee that you won't end up with an 
ineffective and unreliable security guard." Pg 646 Tittel: CISSP Guide. 
QUESTION 1297: 
Which of the following statements pertaining to software testing approaches is correct? 
A. A bottom-up approach allows interface errors to be detected earlier. 
B. A top-down approach allows errors in critical modules to be detected earlier. 
C. The test plan and results should be retained as part of the system's permanent documentation. 
D. Black box testing is predicated on a close examination of procedural detail. 
Answer: C 
Explanation: Retaining the test plan and its results as part of the system's permanent 
documentation is a recognized best practice: when a component misbehaves later, the retained 
results show how it behaved when it was accepted and what has changed since. The other 
statements are reversed: a bottom-up approach finds errors in low-level, critical modules early 
but defers interface errors, a top-down approach finds interface errors early, and it is white box 
testing, not black box testing, that examines procedural detail. 
QUESTION 1298: 
Which Orange Book evaluation level is described as "Structured Protection"? 
A. A1 
B. B3 
C. B2 
D. B1 
Answer: C 
Explanation: Class B2 corresponds to Structured Protection. 
Division B - Mandatory Protection 
Mandatory access is enforced by the use of security labels. The architecture is based on the 
Bell-LaPadula security model and evidence of the reference monitor enforcement must be 
available. 
B1: Labeled Security Each data object must contain a classification label and each subject must 
have a clearance label. When a subject attempts to access an object, the system must compare the 
subject and the object's security labels to ensure the requested actions are acceptable. Data 
leaving the system must also contain an accurate security label. The security policy is based on 
an informal statement and the design specifications are reviewed and verified. It is intended for 
environments that handle classified data. 
B2: Structured Protection The security policy is clearly defined and documented and the system 
design and implementation is subjected to more thorough review and testing procedures. This 
class requires more stringent authentication mechanisms and well-defined interfaces between 
layers. Subject and devices require labels, and the system must not allow covert channels. A 
trusted path for logon and authentication processes must be in place, which means there are no 
trapdoors. There is a separation of operator and administration functions within the system to 
provide more trusted and protected operational functionality. Distinct address spaces must be 
provided to isolated processes, and a covert channel analysis is conducted. This class adds 
assurance by adding requirements to the design of the system. The environment that would 
require B2 systems could process sensitive data that requires a higher degree of security. This 
environment would require systems that are relatively resistant to penetration and compromise. 
B3 Security Domains In this class, more granularity is provided in each protection mechanism and 
the programming code that is not necessary to support the security is excluded. The design and 
implementation should not provide too much complexity because as the complexity of a system 
increases, the ability of the individuals who need to test, maintain, and configure it reduces; thus, 
the overall security can be threatened. The reference monitor components must be small enough 
to test properly and be tamperproof. The security administrator role is clearly defined and the 
system must be able to recover from failures without its security level being compromised. When 
the system starts up and loads its operating system and components, it must be done in an initial 
secure state to ensure any weakness of the system cannot be taken advantage of in this slice of 
time. An environment that requires B3 systems is a highly secured environment that processes 
very sensitive information. It requires systems that are highly resistant to penetration. 
Note: In class (B2) systems, the TCB is based on a clearly defined and documented formal 
security policy model that requires the discretionary and mandatory access control enforcement 
found in class (B1) systems be extended to all subjects and objects in the ADP system. In 
addition, covert channels are addressed. The TCB must be carefully structured into 
protection-critical and non-protection-critical elements. Class B2 corresponds to "Structured 
Protection" inside the Orange Book. 
QUESTION 1299: 
Which of the following questions should any user not be able to answer regarding their 
organization information security policy? 
A. Who is involved in establishing the security policy? 
B. Where is the organization security policy defined? 
C. What are the actions that need to be performed in case of a disaster? 
D. Who is responsible for monitoring compliance to the organization security policy? 
Answer: C 
Explanation: Every user should be able to say where the security policy is published, who 
established it and who monitors compliance with it, because the policy applies to them and they 
need to know where to turn with questions. The detailed actions to take in a disaster are part of 
the disaster recovery plan, which is restricted to the people with a role in executing it; it is not 
material that every user needs, and recovery procedures should not be circulated to people who 
have no role in them. Some outsiders, such as a vendor supplying replacement equipment, do 
need to know who is involved and who is responsible, but not the procedures themselves. 
QUESTION 1300: 
RAID Level 1 mirrors the data from one disk to set of disks using which of the following 
techniques? 
A. Copying the data onto another disk or set of disks. 
B. Moving the data onto another disk or set of disks. 
C. Establishing dual connectivity to another disk or set of disks. 
D. Establishing dual addressing to another disk or set of disks. 
Answer: A 
Explanation: RAID 1 or Mirroring is a technique in which data is written to two duplicate 
disks simultaneously through a copy process. This way if one of the disk drives fails, the 
system can instantly switch to the other disk without any loss of data or service. Disk 
mirroring is used commonly in on-line database systems where it's critical that the data be 
accessible at all times. RAID means "Redundant Array of Inexpensive Disks". 
QUESTION 1301: 
Which type of firewall can be used to track connectionless protocols such as UDP and RPC? 
A. Stateful inspection firewalls 
B. Packet filtering firewalls 
C. Application level firewalls 
D. Circuit level firewalls 
Answer: A 
Explanation: Characteristics of stateful inspection firewalls: 
1. They inspect information from all layers of the packet. 
2. They save state derived from previous communications, such as the outgoing PORT command 
of an FTP session, so that the incoming data connection can be verified against it. 
3. They track connectionless protocols such as UDP and RPC by recording each outbound request 
in a session state table and admitting only the matching replies until an idle timeout expires. 
4. They allow state information derived from other applications to pass through the firewall for 
authorized services only, for example for previously authenticated users. 
5. They evaluate and act on flexible expressions based on communication and application-derived 
state. 
A packet filter has no memory of earlier packets and so cannot tell an unsolicited UDP datagram 
from a legitimate reply. 
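Added example, not part of the original question bank: a minimal session-state table for UDP next to a stateless port filter, showing why only the former can tell a solicited DNS reply from a spoofed one. The internal address prefix, the 30-second idle timeout and the sample packets are assumptions made for the illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # addresses of the protected network (assumed)
UDP_IDLE_TIMEOUT = 30.0     # seconds a UDP "session" survives without traffic (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessPortFilter:
    """Packet filter with no memory: to let DNS answers in at all, it must
    permanently allow anything from source port 53 to a high port."""

    def handle(self, pkt: Packet, now: float) -> str:
        if pkt.src_ip.startswith(INSIDE_PREFIX):
            return "ALLOW"
        return "ALLOW" if pkt.src_port == 53 and pkt.dst_port > 1023 else "DROP"


class StatefulUdpFilter:
    """Admits an inbound UDP datagram only if it answers a recent outbound one."""

    def __init__(self, timeout: float = UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        self.table = {}   # (src_ip, src_port, dst_ip, dst_port) -> expiry timestamp

    def _expire(self, now: float) -> None:
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def handle(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.src_ip.startswith(INSIDE_PREFIX):
            self.table[key] = now + self.timeout   # outbound: open a pseudo-session
            return "ALLOW"
        if reverse in self.table:
            self.table[reverse] = now + self.timeout   # matching reply: refresh and allow
            return "ALLOW"
        return "DROP"   # unsolicited inbound datagram


if __name__ == "__main__":
    query = Packet("10.0.0.5", 51000, "8.8.8.8", 53)       # constructed DNS query
    reply = Packet("8.8.8.8", 53, "10.0.0.5", 51000)       # its legitimate answer
    spoof = Packet("203.0.113.9", 53, "10.0.0.5", 52000)   # unsolicited "answer"
    for name, fw in (("stateless", StatelessPortFilter()), ("stateful", StatefulUdpFilter())):
        results = [fw.handle(spoof, 0.0), fw.handle(query, 1.0),
                   fw.handle(reply, 2.0), fw.handle(reply, 40.0)]
        print(f"{name:9s} spoof/query/reply/late-reply -> {results}")
```

The stateless filter must leave source port 53 open toward every high port, so the spoofed datagram passes; the stateful filter passes the reply only while the matching outbound entry exists and drops it again once the entry has aged out.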
QUESTION 1302: 
Which of the following items should not be retained in an E-mail directory? 
A. Drafts of documents. 
B. Copies of documents. 
C. Permanent records. 
D. Temporary documents. 
Answer: C 
Explanation: Permanent records should not live in an e-mail directory. A mailbox is not a records 
repository: it may not be backed up or retained according to the organization's records policy, it 
is tied to one user, and the document usually needs to be in a corporate repository where it is 
indexed, access-controlled and kept for the required period. Drafts, copies and temporary 
documents can remain in e-mail without harm. 
QUESTION 1303: 
Which of the following department managers would be best suited to oversee the development of 
an information security policy? 
A. Information systems 
B. Human resources 
C. Business operations 
D. Security administration 
Answer: C 
Explanation: The business operations manager knows the ins and outs of the business processes 
that keep the company running and generate its revenue: who needs access to what, and when. 
Security administration develops the policy with input from people like the business operations 
manager; the information systems manager knows the technology but not the business needs, 
and human resources is not the appropriate owner of an information security policy. 
QUESTION 1304: 
Which of the following countermeasures is not appropriate for war dialing attacks? 
A. Monitoring and auditing for such activity. 
B. Disabling call forwarding. 
C. Making sure only necessary phone numbers are made public. 
D. Using completely different numbers for voice and data accesses. 
Answer: B 
Explanation: War dialing, or scanning, has been a common activity in the computer underground 
and the security industry for decades; Hollywood made it popular with the 1983 movie 
WarGames, in which a teenager searching for a video-game company uncovers a government 
nuclear warning system. The technique is simple: a computer dials a range of telephone numbers 
with a modem, and every number that answers with a modem and completes a connection is 
logged. Disabling call forwarding does nothing against this, because the attacker's machine 
connects directly to the target modem and forwarding plays no part in the attack. Monitoring 
and auditing for such activity, limiting the phone numbers made public, and keeping voice and 
data numbers in different ranges (A, C and D) all make a war dialer's job harder. 
QUESTION 1305: 
Which of the following tools is less likely to be used by a hacker? 
A. L0phtCrack 
B. Tripwire 
C. Crack 
D. John the Ripper 
Answer: B 
Explanation: Tripwire is a file integrity checker: it records a baseline of key attributes of files 
that should not change (cryptographic signature, size, permissions, ownership, timestamps) and 
later reports any deviation from that baseline. The hard part is using it well, balancing security, 
maintenance effort and functionality. It is a defensive tool rather than an attack tool. 
L0phtCrack, Crack and John the Ripper are password crackers, tools a hacker uses to recover 
passwords from captured hashes. 
QUESTION 1306: 
Which of the following logical access exposures involves changing data before, or as it is 
entered into the computer? 
A. Data diddling 
B. Salami techniques 
C. Trojan horses 
D. Viruses 
Answer: A 
Explanation: Data diddling alters the raw data before or while it is entered, so the 
computer processes falsified input; the classic case is a clerk who changes an amount or 
an account number on the input form or at the keyboard. Salami techniques instead skim 
small amounts (for example rounding remainders) from many transactions into the 
attacker's account. A Trojan horse is a program that appears legitimate but carries a 
hidden malicious function, and a virus is malicious code that copies itself into other 
programs when they are executed; neither describes altering data at the point of input. 
QUESTION 1307: 
Which of the following computer aided software engineering (CASE) products is used for 
developing detailed designs, such as screen and report layouts? 
A. Lower CASE 
B. Middle CASE 
C. Upper CASE 
D. I-CASE 
Answer: B 
Explanation: CASE tools are usually grouped by the phase of the life cycle they support. 
Upper CASE tools cover planning, requirements and high-level analysis; Middle CASE tools 
cover detailed design, including screen and report layouts and the data and process models 
behind them; Lower CASE tools cover code generation, testing and maintenance. I-CASE 
(integrated CASE) products combine all of these in one environment, so the specific answer 
for "detailed designs such as screen and report layouts" is Middle CASE. 
QUESTION 1308: 
What is called the number of columns in a table? 
A. Schema 
B. Relation 
C. Degree 
D. Cardinality 
Answer: C 
Explanation: In relational database terminology the degree of a relation (table) is its 
number of columns (attributes), and the cardinality is its number of rows (tuples). The 
question simply tests this vocabulary. The schema is the structure of the whole database, 
and a relation is the table itself, so neither names a count of columns. 
QUESTION 1309: 
Which of the following is the most reliable authentication device? 
A. Variable callback system 
B. Smart Card system 
C. Fixed callback system 
D. Combination of variable and fixed callback system. 
Answer: B 
Explanation: The smart card, an intelligent token, is a credit card sized plastic card 
embedded with an integrated circuit chip. It provides not only memory capacity, but 
computational capability as well. The self-containment of smart card makes it resistant to 
attack as it does not need to depend upon potentially vulnerable external resources. 
Because of this characteristic, smart cards are often used in different applications which 
require strong security protection and authentication. Option B is the most correct option 
because callback systems are not considered very reliable in the CISSP examination, while 
smart cards can also provide two-factor authentication (the card plus a PIN). 
"Caller ID and callback options are great, but they are usually not practical because they require 
users to call in from a static phone number each time they access the network. Most users are 
accessing the network remotely because they are on the road and moving from place to place." 
Pg. 428 Shon Harris: All-In-One CISSP Certification Guide. 
QUESTION 1310: 
Which of the following firewall rules is less likely to be found on a firewall installed between 
an organization's internal network and the Internet? 
A. Permit all traffic to and from local host. 
B. Permit all inbound ssh traffic 
C. Permit all inbound tcp connections. 
D. Permit all syslog traffic to log-server.abc.org. 
Answer: C 
Explanation: Option C is very bad practice on a firewall with an interface on a public 
network such as the Internet. Allowing all inbound TCP exposes every TCP port on the 
private network, so attackers can port scan, SYN flood and attack any listening service 
directly. Permitting traffic to and from the local host is normal, since the firewall itself 
is the local host, and permitting syslog to the organization's log server is a common rule. 
Permitting SSH is more defensible because the protocol is encrypted and authenticated, 
although in practice inbound SSH should still be restricted to specific source hosts rather 
than opened to the whole Internet. 
QUESTION 1311: 
The Internet can be utilized by either? 
A. Public or private networks (with a Virtual Private Networks). 
B. Private or public networks (with a Virtual Private Networks). 
C. Home or private networks (with a Virtual Private Networks). 
D. Public or home networks (with a Virtual Private Networks). 
Answer: B 
Explanation: Both are possible. A private network (RFC 1918 addressing) reaches the 
Internet through Network Address Translation, which gives each request a valid public 
address, while a public network connects directly with routable public addresses. To add 
security, a VPN can carry traffic between two endpoints across the Internet with 
confidentiality and integrity. 
QUESTION 1312: 
This backup method must be made regardless of whether Differential or Incremental methods are 
used. 
A. Full Backup Method 
B. Incremental backup method 
C. Differential backup method 
D. Tape backup method 
Answer: A 
Explanation: The full backup is the baseline for any restore, so it must be taken at least 
once whatever scheme is used afterwards. It is very common to combine full backups with 
incremental or differential ones to shorten backup time (at the cost of a longer restore), 
but a system cannot be maintained with incremental or differential backups alone: every 
restore begins from the most recent full backup. 
QUESTION 1313: 
Why do buffer overflows happen? 
A. Because buffers can only hold so much data. 
B. Because input data is not checked for appropriate length at time of input. 
C. Because they are an easy weakness to exploit. 
D. Because of insufficient system memory. 
Answer: B 
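Answer B names the root cause: the length of the incoming data is never compared with the size of the buffer that receives it, so the excess bytes overwrite whatever follows the buffer in memory. The following is an added example, not code from the original study guide, showing a stack buffer filled without a length check beside a version that checks the length at the point of input and rejects oversize data. The function names and the 16-byte limit are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size for the illustration */

/* VULNERABLE (kept deliberately so): the input length is never compared
 * with the buffer size. Any input of NAME_MAX bytes or more runs past
 * `name` and overwrites whatever the compiler placed after it on the
 * stack, which is how an attacker reaches the saved return address.
 * Only call it with short input. */
int greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);                    /* no length check at time of input */
    return (int)strlen(name);
}

/* HARDENED: the length is checked at the moment the data enters the
 * buffer. Oversize input is rejected (return -1) rather than silently
 * truncated, so the caller can log and refuse the request. */
int greet_checked(const char *input, char *out, size_t out_size)
{
    size_t len = strlen(input);
    if (out_size == 0 || len >= out_size)   /* must leave room for the NUL */
        return -1;
    memcpy(out, input, len + 1);            /* bounded copy, NUL included */
    return (int)len;
}

/* Convenience wrapper: copy into a NAME_MAX buffer and report the result. */
int checked_len(const char *input)
{
    char name[NAME_MAX];
    return greet_checked(input, name, sizeof name);
}

int main(void)
{
    const char *ok  = "alice";
    const char *bad = "0123456789abcdef";   /* 16 bytes: no room for the NUL */

    printf("checked(\"%s\")   -> %d\n", ok, checked_len(ok));
    printf("checked(\"%s\") -> %d (rejected)\n", bad, checked_len(bad));
    /* greet_unchecked(bad) would overflow `name`; it is shown only with safe input. */
    printf("unchecked(\"%s\") -> %d\n", ok, greet_unchecked(ok));
    return 0;
}
```

The hardened version returns an error rather than truncating because a silently truncated field (a path, a username, a command) is itself a common source of logic bugs; the caller should treat oversize input as an anomaly worth logging.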
QUESTION 1314: 
Which of the following should not be performed by an operator? 
A. Mounting disk or tape 
B. Backup and recovery 
C. Data entry 
D. Handling hardware 
Answer: C 
Explanation: Operators perform the operational tasks around the hardware and software: 
they handle the hardware and prepare it for the users, run the backup and recovery 
procedures and mount the disks or tapes those procedures need. Data entry belongs to the 
users. Under separation of duties an operator should not also enter the data, because one 
person would then control both the input and the processing environment, with nobody 
left to check the other. 
QUESTION 1315: 
What security model is dependent on security labels? 
A. Discretionary access control 
B. Label-based access control 
C. Mandatory access control 
D. Non-discretionary access control 
Answer: C 
Explanation: 
With mandatory controls, only administrators and not owners of resources may make 
decisions that bear on or derive from policy. Only an administrator may change the 
category of a resource, and no one may grant a right of access that is explicitly forbidden in 
the access control policy. This kind of access control method is based on Security labels. It 
is important to note that mandatory controls are prohibitive (i.e., all that is not expressly 
permitted is forbidden). 
QUESTION 1316: 
Detection capabilities of Host-based ID systems are limited by the incompleteness of which of 
the following? 
A. Audit log capabilities 
B. Event capture capabilities 
C. Event triage capabilities 
D. Audit notification capabilities 
Answer: A 
Explanation: A host-based IDS works from the audit records the host itself produces, so it 
can only detect what those records capture. If the operating system or application logs 
are incomplete, events that were never logged cannot be detected, and much of the 
malicious activity crossing the network never appears in a single host's logs at all. 
Attacks can therefore go unnoticed, and intrusions cannot be traced as deeply as with a 
centralized, network-wide IDS deployment. 
QUESTION 1317: 
Computer crime is generally made possible by which of the following? 
A. The perpetrator obtaining training & special knowledge. 
B. Victim carelessness. 
C. Collusion with others in information processing 
D. System design flaws. 
Answer: B 
Explanation: 
This is a real problem: nobody believes they can be the victim of a computer crime until 
they are, and this carelessness leaves the easy opportunities that most computer crime 
exploits. Such crimes can cause great damage to enterprises. Computer crime will decrease 
only when people start thinking about the risks and protecting their systems against the 
most common attacks. 
QUESTION 1318: 
The structures, transmission methods, transport formats, and security measures that are used to 
provide integrity, availability, authentication, and confidentiality for transmissions over private 
and public communications networks and media includes? 
A. The Telecommunications and Network Security domain. 
B. The Telecommunications and Netware Security domain. 
C. The Technical communications and Network Security domain. 
D. The Telnet and Network Security domain. 
Answer: A 
Explanation: This is straightforward. The four principles named, integrity, 
authentication, confidentiality and availability, are all addressed within the 
Telecommunications and Network Security domain, because that domain covers how data is 
protected in transit: integrity through message digests and digital signatures, 
authentication of endpoints through passwords and credentials, confidentiality through 
encryption, and availability through fault tolerance and disaster recovery of the network. 
QUESTION 1319: 
Which of the following is the lowest TCSEC class in which the system must be protected against 
covert storage channels (but not necessarily covert timing channels)? 
A. B2 
B. B1 
C. B3 
D. A1 
Answer: A 
Explanation: B2 (Structured Protection) is the first Orange Book class that requires a 
formal security policy model, extends labels to all subjects and objects including devices, 
and requires the system to be analysed for covert storage channels. B1 requires labels and 
mandatory access control but no covert channel analysis, while B3 and A1 additionally 
require protection against covert timing channels, so B2 is the lowest class that meets 
the question. Discretionary and mandatory access controls are both enforced from B1 
upwards. See the B2 section of the Orange Book. 
QUESTION 1320: 
Which type of control is concerned with avoiding occurrences of risks? 
A. Deterrent controls 
B. Detective controls 
C. Preventive controls 
D. Compensating controls 
Answer: C 
Explanation: Preventive controls avoid risk by reducing the probability that an incident 
occurs at all. Recall the guard dog example: you buy guard dogs because you want to stop 
something from happening; the intruder sees the dogs and turns back, and the attack never 
takes place. The dogs are a preventive control. Deterrent controls discourage an attacker, 
detective controls discover an incident once it is under way, and compensating controls 
substitute for a primary control that cannot be applied. 
QUESTION 1321: 
The basic function of an FRDS is to? 
A. Protect file servers from data loss and a loss of availability due to disk failure. 
B. Persistent file servers from data gain and a gain of availability due to disk failure. 
C. Prudent file servers from data loss and a loss of acceptability due to disk failure. 
D. Packet file servers from data loss and a loss of accountability due to disk failure. 
Answer: A 
Explanation: 
FRDS (Fault Resilient Disk System) protects file servers from disk failure and keeps file 
services highly available on production servers. If one disk fails, the remaining disks 
continue to serve the data without downtime, typically through mirroring or parity as in 
RAID. FRDS is the preferred way to protect file servers against data loss and the loss of 
availability caused by disk failure. 
QUESTION 1322: 
Which of the following protocols does not operate at the data link layer (layer 2)? 
A. PPP 
B. RARP 
C. L2F 
D. ICMP 
Answer: D 
Explanation: ICMP, the Internet Control Message Protocol, is used for network diagnostics 
and error reporting. The ping program uses ICMP echo messages to check whether other hosts 
are reachable. ICMP messages are either queries (as with ping) or error reports, such as 
"network unreachable". It is carried inside IP and belongs to layer 3 (Network) of the OSI 
model, whereas PPP, RARP and L2F operate at the data link layer. 
QUESTION 1323: 
This tape format can be used to back up data systems in addition to its originally intended audio 
use: 
A. Digital Audio tape (DAT) 
B. Digital video tape (DVT) 
C. Digital Casio Tape (DCT) 
D. Digital Voice Tape (DVT) 
Answer: A 
Explanation: Digital Audio Tape (DAT or R-DAT) is a signal recording and playback 
medium introduced by Sony in 1987. In appearance it is similar to a 
compact audio cassette, using 1/8" magnetic tape enclosed in a protective shell, but is 
roughly half the size at 73 mm x 54 mm x 10.5 mm. As the name suggests the recording is 
digital rather than analog, DAT converting and recording at the same rate as a CD (44.1 
kHz sampling rate and 16 bits quantization) without data compression. This means that the 
entire input signal is retained. If a digital source is copied then the DAT will produce an 
exact clone. 
The format was designed for audio use, but through an ISO standard it has been adopted for 
general data storage, storing from 4 to 40 GB on a 120 meter tape depending on the standard and 
compression (DDS-1 to DDS-4). It is, naturally, sequential-access media and is commonly used 
for backups. Due to the higher requirements for integrity in data backups a computer-grade DAT 
was introduced. 
QUESTION 1324: 
By examining the "state" and "context" of the incoming data packets, it helps to track the 
protocols that are considered "connectionless", such as UDP-based applications and Remote 
Procedure Calls (RPC). This type of firewall system is used in? 
A. First generation firewall systems. 
B. Second generation firewall systems. 
C. Third generation firewall systems. 
D. Fourth generation firewall systems. 
Answer: C 
Explanation: Stateful inspection is a third generation firewall technology designed to be 
aware of, and inspect, not only the packet being received but the connection and 
transmission state it belongs to. Control decisions are made from communication 
information, communication-derived state, application-derived state and information 
manipulation. Characteristics of stateful inspection firewalls: 
1. Inspect information from all layers of the packet. 
2. Save state derived from previous communications, such as the outgoing PORT command 
of an FTP session, so that the incoming data connection can be verified against it. 
3. Track connectionless protocols such as UDP and RPC by recording each outbound 
request in a session state table and accepting only the matching reply within a timeout. 
4. Allow state derived from other applications through the firewall for authorized 
services only, such as previously authenticated users. 
5. Evaluate and manipulate flexible expressions based on communication and 
application-derived state. 
First generation (packet filter) firewalls examine each packet in isolation, and second 
generation (application proxy) firewalls terminate the connection at the gateway. 
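Item 3 is what separates stateful inspection from a packet filter for UDP, which has no SYN/ACK handshake to observe. The following added example, which is not code from the original guide or from any firewall product, keeps a small session table: an outbound datagram from the inside creates an entry, and an inbound datagram is accepted only if it is the exact reverse of a live entry within a timeout. The table size, the 30-second idle timeout and the addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 64      /* assumed table size */
#define UDP_TIMEOUT  30      /* assumed idle timeout in seconds */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

struct session {
    uint32_t in_ip, out_ip;      /* inside host, outside host */
    uint16_t in_port, out_port;
    long     expires;            /* last second at which the entry is valid */
    bool     used;
};

static struct session table[MAX_SESSIONS];

/* Look up the entry for an inside/outside pair, expiring stale entries as we go. */
static struct session *find(uint32_t in_ip, uint16_t in_port,
                            uint32_t out_ip, uint16_t out_port, long now)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (s->used && s->expires < now)
            s->used = false;                      /* lazy expiry */
        if (s->used && s->in_ip == in_ip && s->in_port == in_port &&
            s->out_ip == out_ip && s->out_port == out_port)
            return s;
    }
    return NULL;
}

/* Outbound UDP from the inside: allowed by policy, and it creates or
 * refreshes the state entry that the reply will be matched against. */
bool fw_outbound_udp(uint32_t src_ip, uint16_t src_port,
                     uint32_t dst_ip, uint16_t dst_port, long now)
{
    struct session *s = find(src_ip, src_port, dst_ip, dst_port, now);
    if (s == NULL) {
        for (int i = 0; i < MAX_SESSIONS && s == NULL; i++)
            if (!table[i].used)
                s = &table[i];
        if (s == NULL)
            return false;                         /* table full: fail closed */
        *s = (struct session){ .in_ip = src_ip, .out_ip = dst_ip,
                               .in_port = src_port, .out_port = dst_port,
                               .used = true };
    }
    s->expires = now + UDP_TIMEOUT;
    return true;
}

/* Inbound UDP from the Internet: permitted only as the mirror image of a
 * live outbound flow. There is no static "permit inbound udp" rule. */
bool fw_inbound_udp(uint32_t src_ip, uint16_t src_port,
                    uint32_t dst_ip, uint16_t dst_port, long now)
{
    struct session *s = find(dst_ip, dst_port, src_ip, src_port, now);
    if (s == NULL)
        return false;
    s->expires = now + UDP_TIMEOUT;               /* a reply keeps the session alive */
    return true;
}

int main(void)
{
    uint32_t host = IP(10, 0, 0, 5), dns = IP(192, 0, 2, 53);   /* constructed addresses */
    printf("DNS query out   -> %s\n", fw_outbound_udp(host, 40000, dns, 53, 100) ? "pass" : "drop");
    printf("DNS reply in    -> %s\n", fw_inbound_udp(dns, 53, host, 40000, 101) ? "pass" : "drop");
    printf("stray datagram  -> %s\n", fw_inbound_udp(dns, 53, host, 40001, 101) ? "pass" : "drop");
    printf("reply after 30s -> %s\n", fw_inbound_udp(dns, 53, host, 40000, 200) ? "pass" : "drop");
    return 0;
}
```

The "fail closed when the table is full" choice matters: an attacker who can exhaust the state table should lose the ability to open new flows, not gain a bypass.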
QUESTION 1325: 
Guards are appropriate whenever the function required by the security program involves which 
of the following? 
A. The use of discriminating judgment. 
B. The use of physical force. 
C. The operation of access control devices. 
D. The need to detect unauthorized access. 
Answer: A 
Explanation: Guards are the one physical control that can exercise discriminating 
judgment: deciding whether an unusual situation is a threat, how to respond and when to 
escalate. Physical force, operating access control devices and detecting unauthorized 
access are all things a guard may do, but each can also be provided by other means 
(barriers, card readers, sensors); as stated in the CISSP material, the appropriate 
function of a guard inside a security program is the use of discriminating judgment. 
QUESTION 1326: 
A server cluster looks like a? 
A. Single server from the user's point of view. 
B. Dual server from the user's point of view. 
C. Triple server from the user's point of view. 
D. Quadruple server from the user's point of view. 
Answer: A 
Explanation: A cluster is a group of machines running the same services to provide high 
availability and fault tolerance; in other words, they are grouped together for failover. 
To the user a cluster is a single logical server: an array of four servers can share one 
virtual IP address and host name, and when one node fails another takes over that 
address, so the client sees no difference. 
QUESTION 1327: 
Which of the following are functions that are compatible in a properly segregated environment? 
A. Application programming and computer operation. 
B. System programming and job control analysis. 
C. Access authorization and database administration. 
D. System development and systems maintenance. 
Answer: D 
Explanation: Separation of duties keeps apart the functions that together would let one 
person introduce and conceal an unauthorized change. Application programming combined 
with computer operation would let a programmer run unreviewed code in production; system 
programming combined with job control analysis would let one person alter both the system 
and the jobs that run on it; and whoever grants access authorization should not also be 
the database administrator who holds the data. System development and systems 
maintenance, by contrast, are both development-side tasks that control neither production 
nor access, so they are compatible. 
QUESTION 1328: 
Encryption is applicable to all of the following OSI/ISO layers except: 
A. Network layer 
B. Physical layer 
C. Session layer 
D. Data link layer 
Answer: B 
Explanation: The Physical Layer describes the physical properties of the communications 
media and the electrical properties and interpretation of the signals exchanged. For 
example, it defines the size of Ethernet coaxial cable, the type of BNC connector and the 
termination method. Nothing can be encrypted at this layer because there is no data unit 
to transform, only signals; it is not protocol or software based. The data link, network, 
transport, session, presentation and application layers all carry data that can be 
encrypted (link encryptors, IPSec and TLS are examples at the lower of those layers). 
QUESTION 1329: 
The Computer Security Policy Model the Orange 
Book is based on is which of the following? 
A. Bell-LaPadula 
B. Data Encryption Standard 
C. Kerberos 
D. Tempest 
Answer: A 
Explanation: Following the publication of the Anderson report, considerable research was 
initiated into formal models of security policy requirements and of the mechanisms that 
would implement and enforce those policy models as a security kernel. Prominent among 
these efforts was the ESD-sponsored development of the Bell and LaPadula model, an 
abstract formal treatment of DoD security policy. Using mathematics and set theory, the 
model precisely defines the notion of secure state, fundamental modes of access, and the 
rules for granting subjects specific modes of access to objects. Finally, a theorem is proven 
to demonstrate that the rules are security-preserving operations, so that the application of 
any sequence of the rules to a system that is in a secure state will result in the system 
entering a new state that is also secure. This theorem is known as the Basic Security 
Theorem. 
QUESTION 1330: 
Which type of attack would a competitive intelligence attack best classify as? 
A. Business attack 
B. Intelligence attack 
C. Financial attack 
D. Grudge attack 
Answer: A 
Explanation: Competitive intelligence is the gathering of a rival's confidential 
information, so it is classified as a business attack: the target is the company's 
information rather than money or a government secret. Such attacks hurt a company where 
it hurts most, in its plans and intellectual property. The CISSP study guides define the 
categories as follows: 
"Military and intelligence attacks are launched primarily to obtain secret and restricted 
information from law enforcement or military and technological research sources. 
Business attacks focus on illegally obtaining an organization's confidential information. 
Financial attacks are carried out to unlawfully obtain money or services. 
Grudge attacks are attacks that are carried out to damage an organization or a person." 
Pg. 616 Tittel: CISSP Study Guide 
QUESTION 1331: 
Which of the following is responsible for the most security issues? 
A. Outside espionage 
B. Hackers 
C. Personnel 
D. Equipment failure 
Answer: C 
Explanation: As stated earlier, the greater part of security incidents affecting companies 
originates with their own personnel. External hackers do attack, but the worst enemy can 
be inside the company, which is why organizations deploy intrusion detection and defense 
in depth. Installing host-based IDS is good practice because it limits what internal 
attackers can do on individual machines. 
Another problem with personnel is ignorance: at times they simply do not know what they are 
doing and violate the security policy without meaning to. 
QUESTION 1332: 
Which of the following goals is NOT a goal of Problem Management? 
A. To eliminate all problems. 
B. To reduce failures to a manageable level. 
C. To prevent the occurrence or re-occurrence of a problem. 
D. To mitigate the negative impact of problems on computing services and resources. 
Answer: A 
Explanation: Eliminating all problems is not possible, and problem management does not 
claim to. Its goals are to reduce failures to a manageable level, to prevent the occurrence 
or recurrence of a problem and to mitigate the negative impact of problems on computing 
services and resources. Problems will still occur; the discipline is about handling them well. 
QUESTION 1333: 
Examples of types of physical access controls include all except which of the following? 
A. badges 
B. locks 
C. guards 
D. passwords 
Answer: D 
Explanation: A password is a logical control, not a physical one. Physical access is 
controlled with guards, locked doors and badges that open them; a password cannot be tied 
to the physical environment. Passwords verify that the user of an ID is its owner, and the 
unique ID-password combination makes users accountable for their activity on the system. 
They belong to software, not to hardware. 
QUESTION 1334: 
Which of the following statements pertaining to the (ISC)2 Code of Ethics is incorrect? 
A. All information systems security professionals who are certified by (ISC)2 recognize that 
such a certification is a privilege that must be both earned and maintained. 
B. All information systems security professionals who are certified by (ISC)2 shall provide 
diligent and competent service to principals. 
C. All information systems security professionals who are certified by (ISC)2 shall discourage 
such behavior as associating or preparing to associate with criminals or criminal behavior. 
D. All information systems security professionals who are certified by (ISC)2 shall promote the 
understanding and acceptance of prudent information security measures. 
Answer: C 
Explanation: Statement C is the one that does not hold. Discouraging association with 
criminals or criminal behavior appears only among the committee's objectives for guidance, 
which the Code itself says are provided for information only and which the professional 
is not required to agree with; it is not something every CISSP "shall" do. By contrast, 
statement A comes from the Code's introduction, statement B is the third canon and 
statement D is the guidance given under the first canon. The mandatory parts of the Code 
are the preamble and the four canons: protect society, the commonwealth and the 
infrastructure; act honorably, honestly, justly, responsibly and legally; provide diligent 
and competent service to principals; and advance and protect the profession. 
The Code, from the (ISC)2 web site: 
"All information systems security professionals who are certified by (ISC)2 recognize that such 
certification is a privilege that must be both earned and maintained. In support of this principle, 
all Certified Information Systems Security Professionals (CISSPs) commit to fully support this 
Code of Ethics. CISSPs who intentionally or knowingly violate any provision of the Code will 
be subject to action by a peer review panel, which may result in the revocation of certification. 
There are only four mandatory canons in the code. By necessity such high-level guidance is not 
intended to substitute for the ethical judgment of the professional. 
Additional guidance is provided for each of the canons. While this guidance may be considered 
by the Board in judging behavior, it is advisory rather than mandatory. It is intended to help the 
professional in identifying and resolving the inevitable ethical dilemmas that will confront 
him/her. 
Code of Ethics Preamble: 
* Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, 
and be seen to adhere, to the highest ethical standards of behavior. 
* Therefore, strict adherence to this code is a condition of certification. 
Code of Ethics Canons: 
* Protect society, the commonwealth, and the infrastructure. 
* Act honorably, honestly, justly, responsibly, and legally. 
* Provide diligent and competent service to principals. 
* Advance and protect the profession. 
The following additional guidance is given in furtherance of these goals. 
Objectives for Guidance 
In arriving at the following guidance, the committee is mindful of its responsibility to: 
* Give guidance for resolving good v. good and bad v. bad dilemmas. 
* To encourage right behavior such as: 
* Research 
* Teaching 
* Identifying, mentoring, and sponsoring candidates for the profession 
* Valuing the certificate 
* To discourage such behavior as: 
* Raising unnecessary alarm, fear, uncertainty, or doubt 
* Giving unwarranted comfort or reassurance 
* Consenting to bad practice 
* Attaching weak systems to the public net 
* Professional association with non-professionals 
* Professional recognition of or association with amateurs 
* Associating or appearing to associate with criminals or criminal behavior 
However, these objectives are provided for information only; the professional is not required or 
expected to agree with them. 
In resolving the choices that confront him, the professional should keep in mind that the 
following guidance is advisory only. Compliance with the guidance is neither necessary nor 
sufficient for ethical conduct. 
Compliance with the preamble and canons is mandatory. Conflicts between the canons should be 
resolved in the order of the canons. The canons are not equal and conflicts between them are not 
intended to create ethical binds. 
Protect society, the commonwealth, and the infrastructure 
* Promote and preserve public trust and confidence in information and systems. 
* Promote the understanding and acceptance of prudent information security measures. 
* Preserve and strengthen the integrity of the public infrastructure. 
* Discourage unsafe practice. 
Act honorably, honestly, justly, responsibly, and legally 
* Tell the truth; make all stakeholders aware of your actions on a timely basis. 
* Observe all contracts and agreements, express or implied. 
* Treat all constituents fairly. In resolving conflicts, consider public safety and duties to 
principals, individuals, and the profession in that order. 
* Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take 
care to be truthful, objective, cautious, and within your competence. 
* When resolving differing laws in different jurisdictions, give preference to the laws of the 
jurisdiction in which you render your service. 
Provide diligent and competent service to principals 
* Preserve the value of their systems, applications, and information. 
* Respect their trust and the privileges that they grant you. 
* Avoid conflicts of interest or the appearance thereof. 
* Render only those services for which you are fully competent and qualified. 
Advance and protect the profession 
* Sponsor for professional advancement those best qualified. All other things equal, prefer those 
who are certified and who adhere to these canons. Avoid professional association with those 
whose practices or reputation might diminish the profession. 
* Take care not to injure the reputation of other professionals through malice or indifference. 
Maintain your competence; Keep your skills and Knowledge current. Give generously of your 
time and knowledge in training others. 
QUESTION 1335: 
Which DES modes can best be used for authentication? 
A. Cipher Block Chaining and Electronic Code Book. 
B. Cipher Block Chaining and Output Feedback. 
C. Cipher Block Chaining and Cipher Feedback. 
D. Output Feedback and Electronic Code Book. 
Answer: C 
Explanation: Cipher Block Chaining (CBC) feeds the result of each encryption back into the 
encryption of the next block: the plaintext block is XORed with the previous ciphertext 
block before it is encrypted, so every ciphertext block depends on all the blocks before 
it, and the receiver must process the blocks in order. The mode uses an initialization 
vector, XORed with the first block, which need not be secret but should be unpredictable 
(or at least unique per message) when CBC is used for encryption. In Cipher Feedback mode 
(CFB) data is encrypted in units smaller than the block size, for example single bits or 
single bytes, which suits character-at-a-time links; CFB also chains, because each unit is 
XORed with cipher output derived from the preceding ciphertext. 
Because both modes chain, the final ciphertext block is a function of the whole message 
and of the key, and can be sent along with the message as a message authentication code 
(CBC-MAC) to detect modification. ECB encrypts every block independently and OFB's 
keystream does not depend on the plaintext, so neither produces such a tag. 
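The authentication use described above is the CBC-MAC construction: run CBC with a fixed zero IV and keep only the last ciphertext block as the tag. The following added example, which is not from the original guide, implements it in C. DES is not available without a crypto library, so a small Feistel block cipher written for this example stands in for it; that cipher only illustrates the chaining and has no security claim, and the key value is an assumption. The message length is encrypted as the first block, the standard fix for the known weakness that plain CBC-MAC is secure only for messages of one fixed length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_KEY 0x0123456789abcdefULL   /* assumed demo key, never a real one */

/* Round function for the stand-in cipher: mix the half block with a round key. */
static uint32_t round_fn(uint32_t x, uint32_t rk)
{
    x ^= rk;
    x *= 0x9E3779B1u;
    return (x << 13) | (x >> 19);
}

/* Stand-in 64-bit block cipher: an 8-round Feistel network. A Feistel
 * network is a permutation for any round function, which is the only
 * property the CBC-MAC demonstration needs. It is NOT DES. */
uint64_t toy_encrypt(uint64_t key, uint64_t block)
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < 8; i++) {
        uint32_t rk = (uint32_t)(key >> (32 * (i & 1))) + (uint32_t)i * 0x27D4EB2Fu;
        uint32_t t = r;
        r = l ^ round_fn(r, rk);
        l = t;
    }
    return ((uint64_t)l << 32) | r;
}

/* Pack up to 8 bytes big-endian into a block, zero-padding the tail. */
static uint64_t load_block(const uint8_t *p, size_t n)
{
    uint64_t b = 0;
    for (size_t i = 0; i < n; i++)
        b |= (uint64_t)p[i] << (56 - 8 * i);
    return b;
}

/* CBC-MAC: C_0 = E(K, len), C_i = E(K, P_i XOR C_{i-1}); the tag is the last C_i.
 * The IV is fixed at zero because a MAC must be deterministic, and the length
 * goes first so "abc" and "abc\0" (identical after zero padding) get different tags. */
uint64_t cbc_mac(uint64_t key, const uint8_t *msg, size_t len)
{
    uint64_t chain = toy_encrypt(key, (uint64_t)len);
    for (size_t off = 0; off < len; off += 8) {
        size_t n = (len - off < 8) ? len - off : 8;
        chain = toy_encrypt(key, load_block(msg + off, n) ^ chain);
    }
    return chain;   /* intermediate C_i are discarded: only the last block is the tag */
}

/* Verify by recomputing. A production implementation compares in constant time. */
int cbc_mac_verify(uint64_t key, const uint8_t *msg, size_t len, uint64_t tag)
{
    return cbc_mac(key, msg, len) == tag;
}

int main(void)
{
    const uint8_t *m = (const uint8_t *)"transfer 100 to acct 42";   /* constructed message */
    const uint8_t *f = (const uint8_t *)"transfer 900 to acct 42";   /* one byte changed */
    uint64_t tag = cbc_mac(TOY_KEY, m, 23);
    printf("tag(genuine) = %016llx\n", (unsigned long long)tag);
    printf("tag(forged)  = %016llx\n", (unsigned long long)cbc_mac(TOY_KEY, f, 23));
    printf("forged verifies: %d\n", cbc_mac_verify(TOY_KEY, f, 23, tag));
    return 0;
}
```

Changing any byte of the message changes the input to some E() call and, since E is a permutation, every chained block after it, so the tag always changes; with a random IV instead of zero the verifier could not recompute the tag, which is why the encryption and MAC uses of CBC differ on that point.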
QUESTION 1336: 
In the OSI / ISO model, at what layer are some of the SLIP, CSLIP and PPP control functions 
provided? 
A. Link 
B. Transport 
C. Presentation 
D. Application 
Answer: A 
Explanation: The Data Link layer takes raw data from the physical layer and gives it 
logical structure. This logic includes information about where the data is meant to go, 
which computer sends the data, and the overall validity of the bytes sent. The Data Link 
layer also controls functions of logical network topologies and physical addressing as well 
as data transmission synchronization and corrections. SLIP, CSLIP and PPP provide 
control functions at the Data Link Layer (layer 2 of the OSI model). 
QUESTION 1337: 
Which of the following best describes the purpose of debugging programs? 
A. To generate random data that can be used to test programs before implementing them 
B. To ensure that program coding flaws are detected and corrected. 
C. To protect, during the programming phase, valid changes from being overwritten by other 
changes. 
D. To compare source code versions before transferring to the test environment. 
Answer: B 
Explanation: A bug is a coding error in a computer program, and finding bugs before the 
program reaches its users is called debugging. Debugging starts after the code is first 
written and continues in successive stages as code is combined with other units to form a 
software product, such as an operating system or application. Its purpose is to detect and 
correct errors in the program; generating test data, protecting changes from being 
overwritten and comparing source versions are functions of test tools and configuration 
management, not of debugging. 
QUESTION 1338: 
With RAID Level 5 the spare drives that replace the failed drives are usually hot swappable, 
meaning they can be replaced on the server while the? 
A. System is up and running. 
B. System is down and running. 
C. System is in-between and running. 
D. System is centre and running. 
Answer: A 
Explanation: RAID 5 spreads parity across the array, so any one disk can fail and the data 
it held can be recomputed from the others. With hot-swappable bays the failed disk is 
pulled and a spare inserted without powering the system down, and the array automatically 
rebuilds the contents of the new disk from the data and parity on the surviving disks. 
Hot-swap capability is standard in enterprise servers that require high availability. 
QUESTION 1339: 
What is the process that RAID Level 0 uses as it creates one large disk by using several 
disks? 
A. Striping 
B. Mirroring 
C. Integrating 
D. Clustering 
Answer: A 
Explanation: This is the correct term. With striping, RAID 0 can evenly distribute the 
information across the disks that form the array in a way that is transparent to the final user. 
With RAID 0 you can be writing to 12 disks simultaneously and still see them as only one 
large logical partition. This level of RAID does not provide fault tolerance but provides an 
increase in performance because you are writing to and reading from many disks and heads. 
An example of this striping is the software implementation that comes with Windows 2000, which 
supports up to 32 disks. 
QUESTION 1340: 
Which of the following is used to create and delete views and relations within tables? 
A. SQL Data Definition Language 
B. SQL Data Manipulation Language 
C. SQL Data Relational Language 
D. SQL Data Identification Language 
Answer: A 
Explanation: SQL supports the data definition language (DDL) for creating, altering, and 
deleting tables and indexes. SQL does not permit metadata object names to be represented 
by parameters in DDL statements. With this language you can create many of the objects 
used in SQL, this language is standard and is supported by most database vendors in its 
standard form. Many of them also extend its functionality for proprietary products. 
QUESTION 1341: 
Which division of the Orange Book deals with discretionary protection (need-to-know)? 
A. D 
B. C 
C. B 
D. A 
Answer: B 
Explanation: The C division of the Orange Book deals with discretionary (need-to-know) 
protection and, through the inclusion of audit capabilities, with accountability of subjects 
and the actions they initiate. 
This can be checked in the Orange Book itself: search its text for the words 
"discretionary protection". 
QUESTION 1342: 
The Diffie-Hellman algorithm is used for?
A. Encryption 
B. Digital signature 
C. Key exchange 
D. Non-repudiation 
Answer: C 
Explanation: Diffie-Hellman is a key exchange algorithm; its strength lies in the difficulty of computing 
discrete logarithms in a finite field generated by a large prime number. Although RSA 
and Diffie-Hellman are similar in mathematical theory, their implementation is somewhat 
different. This algorithm has been released to the public. It's the primary alternative to the 
RSA algorithm for key exchange. 
QUESTION 1343: 
Primarily run when time and tape space permit, and used for the system archive or baselined 
tape sets, is the? 
A. Full backup method. 
B. Incremental backup method. 
C. Differential backup method. 
D. Tape backup method. 
Answer: A 
Explanation: The "full" backup method provides a baseline for restoring our systems; a 
full backup must be done at least once regardless of the method you are using to make 
backups. It's very common to use full backups in combination with incremental or 
differential ones, because the full backup takes the longest to complete; this decreases the backup time 
(although you increase the restore time with incremental and differential backups). You always need 
to begin a system restoration from your baseline, and this baseline is the full backup. 
QUESTION 1344: 
Which of the following teams should not be included in an organization's contingency 
plan? 
A. Damage assessment team. 
B. Hardware salvage team. 
C. Tiger team. 
D. Legal affairs team. 
Answer: C 
Explanation: In the computer industry, a tiger team is a group of programmers or users 
who volunteer or are hired to expose errors or security holes in new software or to find out 
why a computer network's security is being broken. In hiring or recruiting volunteers for a 
tiger team, some software developers advise others to be sure that tiger team members 
don't include crackers, who might use their special knowledge of the software to disable or 
compromise it in the future. We don't need a tiger team inside our contingency plan; 
however, we do need someone to assess the damage, salvage the hardware and handle legal affairs. 
QUESTION 1345: 
When an organization takes reasonable measures to ensure that it has taken precautions to 
protect its network and resources, this is called: 
A. Reasonable Action 
B. Security Mandate 
C. Due Care 
D. Prudent Countermeasures 
Answer: C 
Explanation: Due care is the set of steps an organization takes to show it has taken responsibility for its actions. 
QUESTION 1346: 
What two things below are associated with security policy? (Choose two) 
A. Support of upper management 
B. Support of department managers 
C. Are tactical in nature 
D. Are strategic in nature 
E. Must be developed after procedures 
F. Must be developed after guidelines 
Answer: A,D 
Explanation: Policies are written as a broad overview and require the support of upper 
management. After the development and approval of policies, guidelines and procedures 
may be written. 
QUESTION 1347: 
Total risk is equal to: (Choose all that apply) 
A. Threat 
B. Vulnerability 
C. Frequency 
D. Asset value 
E. Asset loss 
Answer: A,B,D 
Explanation: Total risk = asset value * vulnerability * threats 
QUESTION 1348: 
Government data classifications include which of the following: (Choose three) 
A. Open 
B. Unclassified 
C. Confidential 
D. Private 
E. Secret 
F. Top Secret 
Answer: B,C,F 
Explanation: One of the most common systems used to classify information is the one 
developed within the US Department of Defense. These include: unclassified, sensitive, 
confidential, secret, and top secret. 
QUESTION 1349: 
Job rotation is important because: 
A. It ensures your employees are cross-trained. 
B. It increases job satisfaction. 
C. It reduces the opportunity for fraud 
Answer: C 
Explanation: Job rotation is tightly tied to the principle of least privilege. It is an effective 
security control. 
QUESTION 1350: 
Your co-worker is studying for the CISSP exam and has come to you with a question. What 
is ARP poisoning? 
A. Flooding of a switched network 
B. A denial of service that uses the DNS death ping 
C. Turning off IP to MAC resolution 
D. Inserting a bogus IP and MAC address in the ARP table 
E. Modifying a DNS record 
Answer: D 
Explanation: ARP poisoning is a masquerading attack where the attacker inserts a bogus 
IP and MAC address in a victim's ARP table or into the table of a switch. This has the effect 
of redirecting traffic to the attacker and not to the intended computer. 
QUESTION 1351: 
What is the best description for CHAP (Challenge Handshake Authentication Protocol)? 
A. Passwords are sent in clear text 
B. Passwords are not sent in clear text 
C. Passwords are not used, a digital signature is sent 
D. It is substandard to PAP 
E. It was used with PS2's and has been discontinued 
Answer: B 
Explanation: Passwords are not sent in clear text. The server performing the 
authentication sends a challenge value and the user types in the password. The password is 
used to encrypt the challenge value, which is then sent back to the authentication server. 
QUESTION 1352: 
CSMA/CD computers cannot communicate without a token. (True/False) 
A. True 
B. False 
Answer: B 
Explanation: CSMA/CD computers do not use a token. It is the media access method used 
in Ethernet. 
QUESTION 1353: 
__________ sends out a message to all other computers indicating it is going to send out 
data. 
A. CSMA/CD 
B. CSMA/CA 
C. CSMA/HB 
D. PPP 
E. SLIP 
Answer: B 
Explanation: CSMA/CA sends out a message to all other computers indicating it is going to 
send out data. CSMA/CA or token ring networking uses this approach to reduce the 
amount of data collisions. 
Note: When computers use the carrier sense multiple access with collision detection 
(CSMA/CD) protocols, they monitor the transmission activity, or carrier activity, on the wire so 
that they can determine when would be the best time to transmit data. 
Carrier sense multiple access with collision avoidance (CSMA/CA) is an access method where 
each computer signals its intent to transmit data before it actually does so. 
pg 390-391 Shon Harris All-In-One CISSP Certification 
QUESTION 1354: 
Which of the following best describes ISDN BRI? (Choose two) 
A. 2 B channels 
B. 4 B channels 
C. 23 B channels 
D. 1 D channel 
E. 2 D channels 
Answer: A,D 
Explanation: ISDN BRI has 2 B channels and 1 D channel. 
QUESTION 1355: 
The top speed of ISDN BRI is 256 KBS. (True/False) 
A. True 
B. False 
Answer: B 
Explanation: The top speed of ISDN BRI is 128 KBS. Its two primary channels are each 
capable of carrying 64 KBS so the combined top speed is 128 KBS. 
QUESTION 1356: 
Which of the following should NOT be implemented to protect PBXs? (Choose all that apply) 
A. Change default passwords and configurations 
B. Make sure that maintenance modems are on 24/7 
C. Review telephone bill regularly 
D. Block remote calling after business hours 
E. Post PBX configuration and specs on the company website 
Answer: B,E 
Explanation: Many PBX systems have maintenance modems that vendors can use to 
troubleshoot the system and provide updates. They should normally be turned off. Also, 
information about the system should not be posted on the website and should be closely 
guarded. 
QUESTION 1357: 
Which of the following best describes the difference between a circuit based and 
application based firewall? 
A. Application based is more flexible and handles more protocols 
B. Circuit based provides more security 
C. Application based builds a state table 
D. Circuit based looks at IP addresses and ports 
E. Circuit based firewalls are only found in Cisco routers 
Answer: D 
Explanation: Circuit-based firewalls look only at IP addresses and ports, whereas application-based 
firewalls dig much deeper into the packet, which makes them more secure. 
QUESTION 1358: 
_________ is the fraudulent use of telephone services. 
A. Rolling 
B. Warzing 
C. Wardriving 
D. Wardialing 
E. Phreaking 
Answer: E 
Explanation: Phreaking is the fraudulent use of telephone services. 
QUESTION 1359: 
What is another name for a VPN? 
A. Firewall 
B. Tunnel 
C. Packet switching 
D. Pipeline 
E. Circuit switching 
Answer: B 
Explanation: A VPN creates a secure tunnel through an insecure network. 
QUESTION 1360: 
Which of the following is a connection-orientated protocol? 
A. IP 
B. UDP 
C. TCP 
D. ICMP 
E. SNMP 
F. TFTP 
Answer: C 
Explanation: TCP is a connection-orientated protocol. 
QUESTION 1361: 
Which of the following is not considered firewall technology? 
A. Screened subnet 
B. Screened host 
C. Duel gateway host 
D. Dual homed host 
Answer: C 
Explanation: Duel gateway host is not considered firewall technology. 
QUESTION 1362: 
Which type of network topology passes all traffic through all active nodes? 
A. Broadband 
B. Star 
C. Baseband 
D. Token Ring 
Answer: D 
Token ring passes all traffic through nodes. 
QUESTION 1363: 
The act of validating a user with a unique and specific identifier is called what? 
A. Validation 
B. Registration 
C. Authentication 
D. Authorization 
E. Identification 
Answer: C 
Authentication is the act of validating a user with a unique and specific identifier. 
QUESTION 1364: 
Why is fiber the most secure means of transmission? 
A. High speed multiplexing 
B. Interception of traffic is more difficult because it is optically based 
C. Higher data rates make it more secure 
D. Multiplexing prevents traffic analysis 
E. Built-in fault tolerance 
Answer: B 
Fiber is more secure because it is hard to tap into and, unlike copper cabling, gives off no EMI. 
QUESTION 1365: 
The IAB defines which of the following as a violation of ethics? 
A. Performing a DoS 
B. Downloading an active control 
C. Performing a penetration test 
D. Creating a virus 
E. Disrupting Internet communications 
Answer: E 
The IAB considers the Internet a privilege, not a right, and as such considers it unethical to 
purposely disrupt communications. 
QUESTION 1366: 
A chain of custody shows who ______, _________ and _________. (Choose three) 
A. Who controlled the evidence 
B. Who transcribed the evidence 
C. Who validated the evidence 
D. Who presented the evidence 
E. Secured the evidence 
F. Obtained the evidence 
Answer: A,E,F 
The chain of custody shows who obtained the evidence, who secured the evidence, and who 
controlled the evidence. 
QUESTION 1367: 
Good forensics requires the use of a bit-level copy. (True/False) 
A. True 
B. False 
Answer: A 
Good forensics requires the use of a bit level copy. A bit level copy duplicates all information on 
the suspect's disk. This includes slack space and free space. 
QUESTION 1368: 
Which agency shares the task of investigating computer crime along with the FBI? 
A. Secret Service 
B. CIA 
C. Department of Justice 
D. Police force 
E. NSA 
Answer: A 
Along with the FBI, the Secret Service has been given the authority to investigate computer 
crime. 
QUESTION 1369: 
This type of password recovery is considered more difficult and must work through all 
possible combinations of numbers and characters. 
A. Passive 
B. Active 
C. Dictionary 
D. Brute force 
E. Hybrid 
Answer: D 
Brute force cracking is considered more difficult and must work through all possible 
combinations of numbers and characters. 
QUESTION 1370: 
_______ are added to Linux passwords to increase their randomness. 
A. Salts 
B. Pepper 
C. Grains 
D. MD5 hashes 
E. Asymmetric algorithms 
Answer: A 
Salts are added to Linux passwords to increase their randomness. They are used to help ensure 
that no two users have the same hashed password. 
QUESTION 1371: 
The Linux root user password is typically kept where? (Choose two) 
A. etc/shadow 
B. cmd/passwd 
C. etc/passwd 
D. windows/system32 
E. var/sys 
F. var/password 
Answer: A,C 
The Linux root user password is typically kept in /etc/passwd or /etc/shadow. 
QUESTION 1372: 
The goal of cryptanalysis is to ____________. 
A. Determine the number of encryption permutations required 
B. Reduce the system overhead for a crypto-system 
C. Choose the correct algorithm for a specified purpose 
D. Forge coded signals that will be accepted as authentic 
E. Develop secure crypto-systems 
Answer: D 
The goal of cryptanalysis is to forge coded signals that will be accepted as authentic. 
QUESTION 1373: 
If an employee is suspected of computer crime and evidence needs to be collected, which of 
the following departments must be involved with the procedure? 
A. Public relations 
B. Law enforcement 
C. Computer security 
D. Auditing 
E. HR 
Answer: E 
Human Resources always needs to be involved if an employee is suspected of wrongdoing. They 
know what rules apply to protect and prosecute employees. 
QUESTION 1374: 
What is it called when a system has apparent flaws that were deliberately left available for 
penetration and exploitation? 
A. A jail 
B. Investigation 
C. Enticement 
D. Data manipulation 
E. Trapping 
Answer: C 
Administrators that leave systems with apparent flaws are performing an act of enticement. This 
is sometimes called a honeypot. 
QUESTION 1375: 
Why are computer generated documents not considered reliable? 
A. Difficult to detect electronic tampering 
B. Stored in volatile media 
C. Unable to capture and reproduce 
D. Too delicate 
E. Because of US law, Section 7 paragraph 154 
Answer: A 
Because it is difficult to detect electronic tampering, and such documents can be easily modified. 
QUESTION 1376: 
What is the name of the software that prevents users from seeing all items or directories on 
a computer and is most commonly found in the UNIX/Linux environment? 
A. Shell Kits 
B. Root Kits 
C. Ethereal 
D. Shadow data 
E. Netbus 
Answer: D 
Shadowing, used for Unix password files, hides the password hash. 
If shadowing is active, the /etc/passwd file would look like this: 
    root:x:0:1:0000:/: 
    sysadm:x:0:0:administration:/usr/admin:/bin/rsh 
The password field is substituted by "x". 
The /etc/shadow file, readable only by root, will look similar to this: 
    root:D943/sys34:5288::            (super user accounts) 
    Cathy:masai1:5055:7:120           (all other users) 
The first field contains the user id; the second contains the password (it will be NONE if 
logging in remotely is deactivated); the third contains a code for when the password was last 
changed; the fourth and the fifth contain the minimum and the maximum numbers of days 
between password changes (it is rare to find these set for the super user logins, because 
their passwords are hard to guess). 
QUESTION 1377: 
What is a commercial application of steganography that is used to identify pictures or 
verify their authenticity? 
A. A MAC 
B. A digital checksum 
C. A MD5 hash 
D. A digital signature 
E. A watermark 
Answer: E 
A watermark is a commercial application of steganography that is used to identify pictures or 
verify their authenticity. 
QUESTION 1378: 
What are the basic questions that must be asked at the beginning of any 
investigation? (Choose all that apply) 
A. Who 
B. Cost 
C. What 
D. When 
E. Where 
F. How 
G. Time frame 
H. Budget 
Answer: A,C,D,E,F 
At the beginning of any investigation, an investigator must ask who, what, when, where, and 
how. Answering the questions will lead to the successful conclusion of the case. 
QUESTION 1379: 
Risk can be eliminated. (True/False) 
A. True 
B. False 
Answer: B 
Risk can never be eliminated. It may be reduced or transferred to a third party through insurance, 
but will always remain in some form. 
QUESTION 1380: 
Employees are a greater risk to employers than outsiders. (True/False) 
A. True 
B. False 
Answer: A 
Employees are a greater risk to employers than outsiders, because they possess two of the three 
items required to commit a crime: means and opportunity. 
QUESTION 1381: 
When an organization takes reasonable measures to ensure that it has taken precautions to 
protect its network and resources, this is called: 
A. Reasonable Action 
B. Security Mandate 
C. Due Care 
D. Prudent Countermeasures 
Answer: C 
Due care is the set of steps an organization takes to show it has taken responsibility for its actions. 
QUESTION 1382: 
What two things below are associated with security policy? (Choose two) 
A. Support of upper management 
B. Support of department managers 
C. Are tactical in nature 
D. Are strategic in nature 
E. Must be developed after procedures 
F. Must be developed after guidelines 
Answer: A,D 
Policies are written as a broad overview and require the support of upper management. After the 
development and approval of policies, guidelines and procedures may be written. 
QUESTION 1383: 
Total risk is equal to: (Choose all that apply) 
A. Threat 
B. Vulnerability 
C. Frequency 
D. Asset value 
E. Asset loss 
Answer: A,B,D 
Total risk = asset value * vulnerability * threats 
QUESTION 1384: 
Government data classifications include which of the following: (Choose three) 
A. Open 
B. Unclassified 
C. Confidential 
D. Private 
E. Secret 
F. Top Secret 
Answer: B,C,F 
One of the most common systems used to classify information is the one developed within the 
US Department of Defense. These include: unclassified, sensitive, confidential, secret, and top 
secret. 
QUESTION 1385: 
Job rotation is important because: 
A. It ensures your employees are cross-trained. 
B. It increases job satisfaction. 
C. It reduces the opportunity for fraud 
Answer: C 
Job rotation is tightly tied to the principle of least privilege. It is an effective security control. 
QUESTION 1386: 
Your co-worker is studying for the CISSP exam and has come to you with a question. What 
is ARP poisoning? 
A. Flooding of a switched network 
B. A denial of service that uses the DNS death ping 
C. Turning off IP to MAC resolution 
D. Inserting a bogus IP and MAC address in the ARP table 
E. Modifying a DNS record 
Answer: D 
ARP poisoning is a masquerading attack where the attacker inserts a bogus IP and MAC address 
in a victim's ARP table or into the table of a switch. This has the effect of redirecting traffic to 
the attacker and not to the intended computer. 
QUESTION 1387: 
What is the best description for CHAP (Challenge Handshake Authentication Protocol)? 
A. Passwords are sent in clear text 
B. Passwords are not sent in clear text 
C. Passwords are not used, a digital signature is sent 
D. It is substandard to PAP 
E. It was used with PS2's and has been discontinued 
Answer: B 
Passwords are not sent in clear text. The server performing the authentication sends a challenge 
value and the user types in the password. The password is used to encrypt the challenge value, 
which is then sent back to the authentication server. 
QUESTION 1388: 
CSMA/CD computers cannot communicate without a token. (True/False) 
A. True 
B. False 
Answer: B 
CSMA/CD computers do not use a token. It is the media access method used in Ethernet. 
QUESTION 1389: 
__________ sends out a message to all other computers indicating it is going to send out 
data. 
A. CSMA/CD 
B. CSMA/CA 
C. CSMA/HB 
D. PPP 
E. SLIP 
Answer: B 
CSMA/CA sends out a message to all other computers indicating it is going to send out data. 
CSMA/CA or token ring networking uses this approach to reduce the amount of data collisions. 
QUESTION 1390: 
Which of the following best describes ISDN BRI? (Choose two) 
A. 2 B channels 
B. 4 B channels 
C. 23 B channels 
D. 1 D channel 
E. 2 D channels 
Answer: A,D 
ISDN BRI has 2 B channels and 1 D channel. 
QUESTION 1391: 
The top speed of ISDN BRI is 256 KBS. (True/False) 
A. True 
B. False 
Answer: B 
The top speed of ISDN BRI is 128 KBS. Its two primary channels are each capable of carrying 
64 KBS so the combined top speed is 128 KBS. 
QUESTION 1392: 
Which of the following should NOT be implemented to protect PBXs? (Choose all that apply) 
A. Change default passwords and configurations 
B. Make sure that maintenance modems are on 24/7 
C. Review telephone bill regularly 
D. Block remote calling after business hours 
E. Post PBX configuration and specs on the company website 
Answer: B,E 
Many PBX systems have maintenance modems that vendors can use to troubleshoot the system and 
provide updates. They should normally be turned off. Also, information about the system should 
not be posted on the website and should be closely guarded. 
QUESTION 1393: 
Which of the following best describes the difference between a circuit based and 
application based firewall? 
A. Application based is more flexible and handles more protocols 
B. Circuit based provides more security 
C. Application based builds a state table 
D. Circuit based looks at IP addresses and ports 
E. Circuit based firewalls are only found in Cisco routers 
Answer: D 
Circuit-based firewalls look only at IP addresses and ports, whereas application-based firewalls dig 
much deeper into the packet, which makes them more secure. 
QUESTION 1394: 
_________ is the fraudulent use of telephone services. 
A. Rolling 
B. Warzing 
C. Wardriving 
D. Wardialing 
E. Phreaking 
Answer: E 
Phreaking is the fraudulent use of telephone services. 
QUESTION 1395: 
What is another name for a VPN? 
A. Firewall 
B. Tunnel 
C. Packet switching 
D. Pipeline 
E. Circuit switching 
Answer: B 
A VPN creates a secure tunnel through an insecure network. 
QUESTION 1396: 
Which of the following is a connection-orientated protocol? 
A. IP 
B. UDP 
C. TCP 
D. ICMP 
E. SNMP 
F. TFTP 
Answer: C 
TCP is a connection-orientated protocol. 
QUESTION 1397: 
Which of the following is not considered firewall technology? 
A. Screened subnet 
B. Screened host 
C. Duel gateway host 
D. Dual homed host 
Answer: C 
Duel gateway host is not considered firewall technology. 
QUESTION 1398: 
Which of the following can be used to defeat a call-back security system? 
A. Call waiting 
B. Passive wiretapping 
C. Active wiretapping 
D. Brute force password attacks 
E. Call forwarding 
Answer: E 
Call forwarding can be used to bypass the call back feature and is considered a security risk. 
QUESTION 1399: 
Which type of network topology passes all traffic through all active nodes? 
A. Broadband 
B. Star 
C. Baseband 
D. Token Ring 
Answer: D 
Token ring passes all traffic through nodes. 
QUESTION 1400: 
The act of validating a user with a unique and specific identifier is called what? 
A. Validation 
B. Registration 
C. Authentication 
D. Authorization 
E. Identification 
Answer: C 
Authentication is the act of validating a user with a unique and specific identifier.
