CISSP Questions – Volume 05 – 801-1000 Questions

QUESTION 801: 
The "revocation request grace period" is defined as: 
A. The period within which the user must make a revocation request after a revocation reason arises 
B. Minimum response time for performing a revocation by the CA 
C. Maximum response time for performing a revocation by the CA 
D. Time period between the arrival of a revocation reason and the publication of the revocation 
information 
Answer: A 
RFC 3647 (the Certificate Policy and Certification Practice Statement framework) defines the revocation request grace period (section 4.9.4) as the period within which the subscriber must make a revocation request once a revocation reason arises. The time within which the CA must process the request (section 4.9.5) is a separate item, so C describes the CA's processing time rather than the grace period. 
QUESTION 802: 
What enables users to validate each other's certificate when they are certified under 
different certification hierarchies? 
A. Cross-certification 
B. Multiple certificates 
C. Redundant certificate authorities 
D. Root certification authorities 
Answer: A 
QUESTION 803: 
Digital signature users register their public keys with a certification authority, which 
distributes a certificate containing the user's public key and digital signature of the 
certification authority. In creating the certificate, the user's public key and the validity 
period are combined with what other information before computing the digital signature? 
A. Certificate issuer and the Digital Signature Algorithm identifier 
B. User's private key and the identifier of the master key code 
C. Name of secure channel and the identifier of the protocol type 
D. Key authorization and identifier of key distribution center 
Answer: A 
The key phrase is "in creating the certificate". Certificates that conform to X.509 contain the 
following data: the version of X.509 to which the certificate conforms; the serial number (assigned 
by the certificate creator); the signature algorithm identifier (specifies the technique used by the 
certification authority to digitally sign the contents of the certificate); the issuer name 
(identification of the certificate authority that issued the certificate); the validity period (a 
starting date and time and an ending date and time during which the certificate is valid); the 
subject's name (the distinguished name, or DN, of the entity that owns the public key contained in 
the certificate); and the subject's public key (the meat of the certificate: the actual public key of 
the certificate owner, used to set up secure communications). pg 343-344 CISSP Study Guide by 
Tittel 
QUESTION 804: 
What level of assurance for digital certificate verifies a user's name, address, social security 
number, and other information against a credit bureau database? 
A. Level 1 
B. Level 2 
C. Level 3 
D. Level 4 
Answer: B 
QUESTION 805: 
Which one of the following security technologies provides safeguards for authentication 
before securely sending information to a web server? 
A. Secure/Multipurpose Internet Mail Extension (S/MIME) 
B. Common Gateway Interface (CGI) scripts 
C. Applets 
D. Certificates 
Answer: D 
"Digital certificates provide communicating parties with the assurance that they are 
communicating with people who truly are who they claim to be." Tittel: CISSP Study Guide. pg 
343. In this case, if the web server belongs to a bank, you want a certificate confirming that 
it really is the bank before you authenticate with your username and password. 
QUESTION 806: 
The primary role of cross certification is: 
A. Creating trust between different PKIs 
B. Build an overall PKI hierarchy 
C. set up direct trust to a second root CA 
D. Prevent the nullification of user certifications by CA certificate revocation 
Answer: A 
QUESTION 807: 
Windows 98 includes the ability to check the digitally signed hardware drivers. Which of 
the following are true? 
A. Drivers are the only files supplied with W98 that can be checked for digital signatures, and all 
drivers included with W98 have been digitally signed 
B. If a file on a windows W98 has been digitally signed it means that the file has passed quality 
testing by Microsoft. 
C. The level to which signature checking is implemented could only be changed by editing the 
registry 
D. All of the statements are true 
Answer: B 
Windows device drivers and operating system files have been digitally signed by Microsoft to 
ensure their quality. A Microsoft digital signature is your assurance that a particular file has met 
a certain level of testing, and that the file has not been altered or overwritten by another 
program's installation process. 
Depending on how your administrator has configured your computer, Windows either ignores 
device drivers that are not digitally signed, displays a warning when it detects device drivers that 
are not digitally signed (the default behavior), or prevents you from installing device drivers 
without digital signatures. 
Windows includes the following features to ensure that your device drivers and system files 
remain in their original, digitally-signed state: 
Windows File Protection 
System File Checker 
File Signature Verification 
Windows XP help. 
Not A: operating system files are included. 
Not C: the setting can be changed in the GUI. 
QUESTION 808: 
What is the purpose of certification path validation? 
A. Checks the legitimacy of the certificates in the certification path. 
B. Checks that all certificates in the certification path refer to same certification practice statement. 
C. Checks that no revoked certificates exist outside the certification path. 
D. Checks that the names in the certification path are the same. 
Answer: A 
Not C. Revoked certificates are not checked outside the certification path. 
"A Transaction with Digital Certificates 
1.) Subscribing entity sends Digital Certificate Application to Certificate Authority. 
2.) Certificate Authority issues Signed Digital Certificate to Subscribing Entity. 
3.) Certificate Authority sends Certificate Transaction to Repository. 
4.) Subscribing Entity Signs and sends to Party Transacting with Subscriber. 
5.) Party Transacting with Subscriber queries Repository to verify Subscribers Public Key. 
6.) Repository responds to Party Transacting with Subscriber the verification request." 
Pg. 214 Krutz: The CISSP Prep Guide: Gold Edition. 
"John needs to obtain a digital certificate for himself so that he can participate in a PKI, so he 
makes a request to the RA. The RA requests certain identification from John, like a copy of his 
driver's license, his phone number, address, and other identification information. Once the RA 
receives the required information from John and verifies it, the RA sends his certificate request 
to the CA. The CA creates a certificate with John's public key and identity information 
embedded. (The private/public key pair is either generated by the CA or on John's machine, 
which depends on the systems' configurations. If it is created at the CA, his private key needs to 
be sent to him by secure means. In most cases the user generates this pair and sends in his public 
key during the registration process.) Now John is registered and can participate in PKI. John 
decides he wants to communicate with Diane, so he requests Diane's public key from a public 
directory. The directory, sometimes called a repository, sends Diane's public key, and John uses 
this to encrypt a session key that will be used to encrypt their messages. John sends the 
encrypted session key to Diane. John then sends his certificate, containing his public key, to 
Diane. When Diane receives John's certificate, her browser looks to see if it trusts the CA that 
digitally signed this certificate. Diane's browser trusts this CA, and she makes a request to the CA 
to see if this certificate is still valid. The CA responds that the certificate is valid, so Diane 
decrypts the session key with her private key. Now they can both communicate using 
encryption." Pg 499 Shon Harris: All-In-One CISSP Certification Guide. 
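As an added example (not from this question bank or the guides it quotes), the following Python script shows what "checking the legitimacy of the certificates in the certification path" involves. The "certificates" are dictionaries carrying the X.509 fields listed under question 803, signed with a deliberately tiny textbook RSA whose keys are derived from fixed seeds so the run is repeatable (the digest is reduced modulo n, which a real implementation must never do); it demonstrates the validation checks, not the cryptography. For every certificate from the end entity up it checks the validity period, issuer-name chaining, the issuer's signature over the to-be-signed fields and the issuer's CRL, and it requires the chain to end at a configured trust anchor. All names, serial numbers, dates and CRL contents are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# ---- toy RSA: tiny modulus, digest reduced mod n; for illustration only ----
def next_prime(n):
    def is_prime(k):
        if k < 2:
            return False
        i = 2
        while i * i <= k:
            if k % i == 0:
                return False
            i += 1
        return True
    while not is_prime(n):
        n += 1
    return n

def keygen(seed):
    # Deterministic toy key pair (two ~20-bit primes chosen from the seed).
    p = next_prime(1_000_000 + 1000 * seed)
    q = next_prime(1_100_000 + 1000 * seed)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key

def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)

# ---- toy certificates carrying the X.509 fields listed under question 803 ----
TBS_FIELDS = ("serial", "sig_alg", "issuer", "not_before", "not_after", "subject", "public_key")

def tbs_bytes(cert):
    # The to-be-signed part: every field except the signature, in a canonical encoding.
    return json.dumps({k: cert[k] for k in TBS_FIELDS}, sort_keys=True).encode()

def issue(issuer_priv, issuer_name, subject, subject_pub, serial, days, now):
    cert = {"serial": serial, "sig_alg": "toyRSA-with-SHA256", "issuer": issuer_name,
            "not_before": now.isoformat(), "not_after": (now + timedelta(days=days)).isoformat(),
            "subject": subject, "public_key": list(subject_pub)}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def validate_path(path, trust_anchors, crls, now):
    """path = [end-entity, ..., root]; trust_anchors = {name: cert}; crls = {issuer: {serials}}."""
    now_s = now.isoformat()
    for i, cert in enumerate(path):
        who = cert["subject"]
        if not (cert["not_before"] <= now_s <= cert["not_after"]):
            return False, f"{who}: outside validity period"
        issuer = path[i + 1] if i + 1 < len(path) else trust_anchors.get(cert["issuer"])
        if issuer is None:
            return False, f"{who}: chain does not end at a trust anchor"
        if issuer["subject"] != cert["issuer"]:
            return False, f"{who}: issuer name does not match next certificate"
        if not verify(tuple(issuer["public_key"]), tbs_bytes(cert), cert["signature"]):
            return False, f"{who}: signature invalid"
        if cert["serial"] in crls.get(cert["issuer"], set()):
            return False, f"{who}: revoked by {cert['issuer']}"
    return True, "path valid"

def demo():
    # Constructed PKI: Root CA -> Issuing CA -> end entity, plus a rogue CA nobody trusts.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    root_pub, root_priv = keygen(1)
    ca_pub, ca_priv = keygen(2)
    john_pub, _ = keygen(3)
    root = issue(root_priv, "Root CA", "Root CA", root_pub, 1, 3650, now)   # self-signed
    ca = issue(root_priv, "Root CA", "Issuing CA", ca_pub, 2, 1825, now)
    john = issue(ca_priv, "Issuing CA", "john@example.com", john_pub, 3, 365, now)
    anchors = {"Root CA": root}
    results = {"good": validate_path([john, ca, root], anchors, {}, now)}
    results["revoked"] = validate_path([john, ca, root], anchors, {"Issuing CA": {3}}, now)
    results["expired"] = validate_path([john, ca, root], anchors, {}, now + timedelta(days=400))
    results["tampered"] = validate_path([dict(john, subject="mallory@example.com"), ca, root],
                                        anchors, {}, now)
    rogue_pub, rogue_priv = keygen(4)
    rogue = issue(rogue_priv, "Rogue CA", "Rogue CA", rogue_pub, 9, 3650, now)
    forged = issue(rogue_priv, "Rogue CA", "john@example.com", john_pub, 10, 365, now)
    results["untrusted"] = validate_path([forged, rogue], anchors, {}, now)
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The "untrusted" case is the one the question is really about: every signature in the rogue chain verifies, but the chain never reaches a configured trust anchor, so the path is rejected. Note also that only the revocation status of certificates that are in the path is consulted, which is why option C is wrong.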
QUESTION 809: 
In what type of attack does an attacker try, from several encrypted messages, to figure out 
the key using the encryption process? 
A. Known-plaintext attack 
B. Ciphertext-only attack 
C. Chosen-Ciphertext attack 
D. Known Ciphertext attack 
Answer: B 
"Ciphertext-Only Attack 
In this type of attack, the attacker has the ciphertext of several messages. Each of the messages 
has been encrypted using the same encryption algorithm. The attacker's goal is to discover the 
key that was used in the encryption process. Once the attacker figures out the key, she can 
decrypt all other messages encrypted with the same key. 
A ciphertext-only attack is the most common because it is very easy to get ciphertext by sniffing 
someone's traffic, but it is the hardest attack to actually be successful at because the attacker has 
so little information about the encryption process." Pg 531 Shon Harris CISSP All-In-One Exam 
Guide 
QUESTION 810: 
When combined with unique session values, message authentication can protect against which of the 
following? 
A. Reverse engineering, frequency analysis, factoring attacks, and ciphertext-only attack. 
B. Masquerading, frequency analysis, sequence manipulation, and ciphertext-only attack. 
C. Reverse engineering, content modification, factoring attacks, and submission notification. 
D. Masquerading, content modification, sequence manipulation, and submission notification. 
Answer: D 
A message authentication code lets the receiver detect content modification and masquerading: 
without the shared key an attacker can neither alter a message nor forge one in the sender's name 
and still produce a valid MAC. When the MAC also covers a unique session value (a session 
identifier plus a sequence number, as IPSec does with its security association and anti-replay 
sequence number), the receiver can additionally detect sequence manipulation (replayed, reordered 
or deleted messages), and an authenticated acknowledgement gives the sender a trustworthy 
submission notification. Message authentication does nothing against frequency analysis, 
ciphertext-only attacks or factoring, which are attacks on the encryption rather than on the 
integrity of the message, and it does not prevent reverse engineering; A, B and C each list at 
least one of those and are therefore eliminated. 
Unique session values: "IPSec: ....Each device will have one security association (SA) for each 
session that it uses. The SA is critical to the IPSec architecture and is a record of the 
configuration the device needs to support an IPSec connection." Pg 575 Shon Harris All-In-One 
CISSP Certification Exam Guide. 
Message authentication and content modification: "Hashed Message Authentication Code 
(HMAC): An HMAC is a hashing algorithm that uses a key to generate a Message 
Authentication Code (MAC). A MAC is a type of checksum that is a function of the information 
in the message. The MAC is generated before the message is sent, appended to the message, and 
then both are transmitted. At the receiving end, a MAC is generated from the message alone 
using the same algorithm as used by the sender and this MAC is compared to the MAC sent with 
the message. If they are not identical, the message was modified en route. Hashing algorithms 
can be used to generate the MAC and hash algorithms using keys provide stronger protection 
than ordinary MAC generation." 
Masquerading: "Masquerading Attacks: ....we'll look at two common masquerading attacks - IP 
spoofing and session hijacking." Pg 275 Tittel: CISSP Study Guide. "If session hijacking is a 
concern on a network, the administrator can implement a protocol that requires mutual 
authentication between users like IPSec. Because the attacker will not have the necessary 
credentials to authenticate to a user, she cannot act as an imposter and hijack sessions." Pg 834 
Shon Harris All-In-One CISSP Certification Exam Guide 
Frequency analysis (not addressed by message authentication): "Simple substitution and 
transposition ciphers are vulnerable to attacks that perform frequency analysis. In every 
language, there are words and patterns that are used more often than others. For instance, in the 
English language, the words "the," "and," "that," and "is" are very frequent patterns of letters 
used in messages and conversation. The beginning of messages usually starts "Hello" or "Dear" 
and ends with "Sincerely" or "Goodbye." These patterns help attackers figure out the 
transformation between plaintext to ciphertext, which enables them to figure out the key that was 
used to perform the transformation. It is important for cryptosystems to not reveal these patterns." 
Pg. 507 Shon Harris All-In-One CISSP Certification Exam Guide 
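As an added example (not from this question bank or the guides it quotes), the Python below shows message authentication combined with a unique session value. The HMAC covers a session identifier and a sequence number together with the payload, so the receiver can distinguish the four cases in option D: a forged message (masquerade), an altered one (content modification), a replayed or reordered one (sequence manipulation), and the plain accept that serves as submission notification. The key, session identifier and messages are constructed for the demo; a real system would agree a random session identifier at setup.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"shared-secret-for-this-demo"   # constructed; real systems derive it per session

def compute_tag(key, session_id, seq, payload):
    # The MAC covers the session id and sequence number as well as the payload,
    # so a valid tag is bound to one position in one session.
    return hmac.new(key, session_id + struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

class Sender:
    def __init__(self, key, session_id):
        self.key, self.session_id, self.seq = key, session_id, 0

    def send(self, payload):
        msg = (self.session_id, self.seq, payload,
               compute_tag(self.key, self.session_id, self.seq, payload))
        self.seq += 1
        return msg

class Receiver:
    def __init__(self, key, session_id):
        self.key, self.session_id, self.expected_seq = key, session_id, 0

    def receive(self, msg):
        session_id, seq, payload, tag = msg
        if session_id != self.session_id:
            return "reject: wrong session"
        if seq != self.expected_seq:
            return "reject: sequence manipulation"      # replay, reorder or gap
        expected = compute_tag(self.key, session_id, seq, payload)
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return "reject: bad MAC"                    # masquerade or content modification
        self.expected_seq += 1
        return "accept"                                 # this is the submission notification

def demo():
    session_id = bytes(range(16))   # constructed; real code: os.urandom(16) agreed at setup
    alice, bank = Sender(SHARED_KEY, session_id), Receiver(SHARED_KEY, session_id)
    m1 = alice.send(b"transfer 100 to bob")
    m2 = alice.send(b"transfer 5 to carol")
    m3 = alice.send(b"logout")
    results = {"normal": bank.receive(m1)}
    results["replay"] = bank.receive(m1)                            # m1 delivered again
    sid, seq, _, tag = m2
    results["modified"] = bank.receive((sid, seq, b"transfer 500 to carol", tag))
    forged_payload = b"transfer 999 to mallory"
    results["masquerade"] = bank.receive(
        (sid, seq, forged_payload, compute_tag(b"attacker-guess", sid, seq, forged_payload)))
    results["reordered"] = bank.receive(m3)                         # m3 arrives before m2
    results["in_order"] = bank.receive(m2)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

Note what the MAC does not do: the payloads travel in the clear, so an eavesdropper can still read them and run frequency or ciphertext-only analysis on any encryption layered underneath; integrity and confidentiality are separate services.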
QUESTION 811: 
The relative security of a commercial cryptographic system can be measured by the? 
A. Rating value assigned by the government agencies that use the system. 
B. Minimum number of cryptographic iterations required by the system. 
C. Size of the key space and the available computational power. 
D. Key change methodology used by the cryptographic system. 
Answer: C 
The strength of the encryption method comes from the algorithm, secrecy of the key, length of 
the key, initialization vectors, and how they all work together. - Shon Harris All-in-one CISSP 
Certification Guide pg 504 
QUESTION 812: 
Which one of the following describes Kerckhoffs's assumption for cryptanalytic attack? 
A. Key is secret; algorithm is Known 
B. Key is known; algorithm is Known 
C. Key is secret; algorithm is secret 
D. Key is known; algorithm is secret 
Answer: A 
Kerckhoffs's principle was intended to formalize the real situation of ciphers in the field. Basically, 
the more we use any particular cipher system, the more likely it is that it will "escape" into 
enemy hands. So we start out assuming that our opponents know "all the details" of the cipher 
system, except the key. http://www.ciphersbyritter.com/NEWS4/LIMCRYPT.HTM 
QUESTION 813: 
Which of the following actions can make a cryptographic key more resistant to an 
exhaustive attack? 
A. None of the choices. 
B. Increase the length of a key. 
C. Increase the age of a key. 
D. Increase the history of a key. 
Answer: B 
Explanation: 
Defenses against exhaustive attacks involve increasing the cost of the attack by 
increasing the number of possibilities to be exhausted. For example, increasing the 
length of a password will increase the cost of an exhaustive attack. Increasing the 
effective length of a cryptographic key variable will make it more resistant to an 
exhaustive attack. 
QUESTION 814: 
Which type of attack is based on the probability of two different messages using the same 
hash function producing a common message digest? 
A. Differential cryptanalysis 
B. Differential linear cryptanalysis 
C. Birthday attack 
D. Statistical attack 
Answer: C 
Attacks Against One-Way Hash Functions: A good hashing algorithm should not produce the 
same hash value for two different messages. If the algorithm does produce the same value for 
two distinctly different messages, this is referred to as a collision. If an attacker finds an instance 
of a collision, he has more information to use when trying to break the cryptographic methods 
used. A complex way of attacking a one-way hash function is called the birthday attack. Now 
hold on to your hat while we go through this -- it is a bit tricky. In standard statistics, a birthday 
paradox exists. It goes something like this: 
How many people must be in the same room for the chance to be greater than even that another 
person has the same birthday as you? 
Answer: 253 
How many people must be in the same room for the chance to be greater than even that at least 
two people share the same birthday? 
Answer: 23 
This seems a bit backwards, but the difference is that in the first instance, you are looking for 
someone with a specific birthday date, which matches yours. In the second instance, you are 
looking for any two people who share the same birthday. There is a higher probability of finding 
two people who share a birthday than you finding another person sharing your birthday -- thus, 
the birthday paradox. 
....This means that if an attacker has one hash value and wants to find a message that hashes to 
the same hash value, this process could take him years. However, if he just wants to find any two 
messages with the same hashing value, it could take him only a couple hours. .....The main point 
of this paradox and this section is to show how important longer hashing values truly are. A 
hashing algorithm that has a larger bit output is stronger and less vulnerable to brute force 
attacks like a birthday attack. 
Pg 554-555 Shon Harris: All-In-One Certification Exam Guide 
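As an added example (not from this question bank or the guides it quotes), the Python below works the two birthday questions numerically and then runs a birthday search against a deliberately shortened hash (the top bits of SHA-256, a stand-in for a hash with a short output). The collision search remembers every digest it has seen and stops at the first repeat, which takes on the order of 2^(bits/2) trials; the second-preimage search has to hit one fixed digest and takes on the order of 2^bits. The inputs are constructed counter strings.

```python
import hashlib

def prob_any_shared_birthday(n, days=365):
    # P(at least two of n people share a birthday) = 1 - P(all n birthdays distinct).
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct

def prob_match_specific_birthday(n, days=365):
    # P(at least one of n other people shares one given birthday).
    return 1.0 - ((days - 1) / days) ** n

def short_digest(data, bits):
    # Model a hash with a short output by keeping only the top `bits` bits of SHA-256.
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - bits)

def birthday_collision(bits):
    # Find ANY two messages with the same short digest; roughly 2**(bits/2) trials.
    seen = {}
    i = 0
    while True:
        msg = b"message-%d" % i
        d = short_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1     # (first message, second message, trials)
        seen[d] = msg
        i += 1

def second_preimage(target_msg, bits, max_trials):
    # Find a message matching ONE fixed digest; roughly 2**bits trials, so we cap the search.
    target = short_digest(target_msg, bits)
    for i in range(max_trials):
        msg = b"candidate-%d" % i
        if msg != target_msg and short_digest(msg, bits) == target:
            return msg, i + 1
    return None

if __name__ == "__main__":
    print("P(any pair among 23 share a birthday):", round(prob_any_shared_birthday(23), 4))
    print("P(one of 253 others matches yours):   ", round(prob_match_specific_birthday(253), 4))
    m1, m2, trials = birthday_collision(24)
    print(f"24-bit collision {m1!r} / {m2!r} after {trials} trials (2**12 = 4096 is the scale)")
    print("20-bit second preimage within 2**14 trials:", second_preimage(b"message-0", 20, 2 ** 14))
```

Doubling the digest length squares the work of the birthday search (2^(bits/2) grows by a factor of 2^(bits/2)), which is the reason the quote gives for preferring hash functions with longer outputs.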
QUESTION 815: 
Frame-relay uses a public switched network to provide: 
A. Local Area Network (LAN) connectivity 
B. Metropolitan Area Network (MAN) connectivity 
C. Wide Area Network (WAN) connectivity 
D. World Area Network (WAN) connectivity 
Answer: C 
QUESTION 816: 
Which of the following technologies has been developed to support TCP/IP networking 
over low-speed serial interfaces? 
A. ISDN 
B. SLIP 
C. xDSL 
D. T1 
Answer: B 
QUESTION 817: 
Which of the following provide network redundancy in a local network environment? 
A. Mirroring 
B. Shadowing 
C. Dual backbones 
D. Duplexing 
Answer: C 
QUESTION 818: 
Which of the following is a Wide Area Network that was originally funded by the 
Department of Defense, which uses TCP/IP for data interchange? 
A. the Internet 
B. the Intranet 
C. the Extranet 
D. The Ethernet 
Answer: A 
QUESTION 819: 
Internet specifically refers to the global network of: 
A. public networks and Internet Service Providers (ISPs) throughout the world 
B. private networks and Internet Services Providers (ISPs) through the world 
C. limited networks and Internet Service Providers (ISPs) throughout the world 
D. point networks and Internet Service Providers (ISPs) throughout the world 
Answer: A 
QUESTION 820: 
To improve the integrity of asynchronous communications in the realm of personal computers, 
the Microcom Networking Protocol (MNP) uses a highly effective communications error-control 
technique known as 
A. Cyclic redundancy check. 
B. Vertical redundancy check. 
C. Checksum. 
D. Echoplex. 
Answer: D 
QUESTION 821: 
Organizations should consider which of the following first before connecting their LANs to 
the Internet? 
A. plan for implementing W/S locking mechanisms 
B. plan for protecting the modem pool 
C. plan for providing the user with his account usage information 
D. plan for considering all authentication options 
Answer: D 
QUESTION 822: 
Which xDSL flavour delivers both downstream and upstream speeds of 1.544 Mbps over 
two copper twisted pairs? 
A. HDSL 
B. SDSL 
C. ADSL 
D. VDSL 
Answer: A 
QUESTION 823: 
Which of the following statements pertaining to Asynchronous Transfer Mode (ATM) is 
false? 
A. It can be used for voice 
B. It can be used for data 
C. It carries various sizes of packets 
D. It can be used for video 
Answer: C 
"Asynchronous transfer mode (ATM) is a cell-switching technology, as opposed to a 
packet-switching technology like Frame Relay. ATM uses virtual circuits much like Frame 
Relay, but because it uses fixed-size frames or cells, it can guarantee throughput. This makes 
ATM an excellent WAN technology for voice and video conferencing." Pg 87 Tittel: CISSP 
Study Guide 
QUESTION 824: 
Satellite communications are easily intercepted because__ 
A. transmissions are continuous 24 hours per day. 
B. a satellite footprint is narrowly focused. 
C. a satellite footprint is very large. 
D. a satellite footprint does not change. 
Answer: C 
I think it may have to do with the footprint of the satellite. 
Footprint - The area of Earth with sufficient antenna gain to receive a signal from a satellite. - 
http://www.aero.org/publications/crosslink/winter2002/backpage.html 
Not A: satellites transmit, but not necessarily 24 hours a day; they may transmit only when traffic is 
sent. 
QUESTION 825: 
Which one of the following protocols CANNOT be used for full duplex Wide Area Network (WAN) 
communications? 
A. Synchronous Data Link Control (SDLC) 
B. Serial Line Internet Protocol (SLIP) 
C. Point-to-Point Protocol (PPP) 
D. High-Level Data Link Control (HDLC) 
Answer: A 
"SDLC was developed to enable mainframes to communicate with remote locations." Pg 456 
Shon Harris CISSP Certification Exam Guide. This is a WAN protocol. 
Not B 
"Serial Line Internet Protocol (SLIP) is an older technology developed to support TCP/IP 
communications over asynchronous serial connections, such as serial cables or modem dial-up." 
Pg 96. Tittel: CISSP Study Guide. SLIP is a serial-line protocol rather than a WAN protocol. It could 
be the correct answer, but SDLC is the better match. 
Not C. 
"PPP is a full-duplex protocol that provides bi-directional links over synchronous, asynchronous, 
ISDN, frame relay and SONET connections." Pg. 472 Shon Harris CISSP All-In-One 
Certification Exam Guide. PPP is full-duplex. 
Not D. 
"HDLC is an extension of SDLC, which is mainly used in SNA environments. HDLC provides 
high throughput because it supports full-duplex transmissions and is used in point-to-point and 
multipoint connections." Pg 456 Shon Harris CISSP All-In-One Certification Exam Guide. HDLC 
is full-duplex. 
QUESTION 826: 
Fast ethernet operates at which of the following? 
A. 10 Mbps 
B. 100 Mbps 
C. 1000 Mbps 
D. All of the above 
Answer: B 
"Fast Ethernet 100 Mbps - IEEE 802.3u" pg 810 Shon Harris CISSP All-In-One Exam Guide 
QUESTION 827: 
Which of the following statements about the "Intranet" is NOT true? 
A. It is an add-on to a local area network. 
B. It is unrestricted and publicly available. 
C. It is usually restricted to a community of users 
D. It can work with MANs or WANs 
Answer: B 
Explanation: 
"An intranet is a 'private' network that uses Internet technologies, such as TCP/IP. The company 
has Web servers and client machines using Web browsers, and it uses the TCP/IP protocol suite. 
The Web pages are written in Hypertext Markup Language (HTML) or Extensible Markup 
Language (XML) and are accessed via HTTP." Pg 395 Shon Harris: All-In-One CISSP 
Certification Guide. 
QUESTION 828: 
Frame relay and X.25 networks are part of which of the following? 
A. Circuit-switched services 
B. Cell-switched services 
C. Packet-switched services 
D. Dedicated digital services 
Answer: C 
Packet-Switched Technologies: 
X.25 
Link Access Procedure-Balanced (LAPB) 
Frame Relay 
Switched Multimegabit Data Service (SMDS) 
Asynchronous Transfer Mode (ATM) 
Voice over IP (VoIP) 
QUESTION 829: 
A Wide Area Network (WAN) may be privately operated for a specific user community, 
may support multiple communication protocols, or may provide network connectivity and 
services via: 
A. interconnected network segments (extranets, intranets, and Virtual Private Networks) 
B. interconnected network segments (extranets, internets, and Virtual Private Networks) 
C. interconnected netBIOS segments (extranets, intranets, and Virtual Private Networks) 
D. interconnected NetBIOS segments (extranets, interest, and Virtual Private Networks) 
Answer: A 
QUESTION 830: 
What is the proper term to refer to a single unit of Ethernet data? 
A. Ethernet segment 
B. Ethernet datagram 
C. Ethernet frame 
D. Ethernet packet 
Answer: C 
When the Ethernet software receives a datagram from the Internet layer, it performs the 
following steps: 1.) Breaks IP layer data into smaller chunks if necessary which will be in the 
data field of ethernet frames. Pg. 40 Sams Teach Yourself TCP/IP in 24 hrs. 
QUESTION 831: 
Which of the following is a LAN transmission protocol? 
A. Ethernet 
B. Ring Topology 
C. Unicast 
D. Polling 
Answer: C 
Reference: "LAN Transmission Methods. LAN data is transmitted from the sender to one or 
more receiving stations using either a unicast, multicast, or broadcast transmission." pg 528 
Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 832: 
Which of the following access methods is used by Ethernet? 
A. CSMA/CD 
B. CSU/DSU 
C. TCP/IP 
D. FIFO 
Answer: A 
"Under the Ethernet CSMA/CD media-access process, any computer on a CSMA/CD LAN can 
access the network at any time." Pg. 103 Krutz: The CISSP Prep Guide. 
QUESTION 833: 
Which one of the following data transmission technologies is NOT packet-switch based? 
A. X.25 
B. ATM (Asynchronous Transfer Mode) 
C. CSMA/CD (Carrier Sense Multiple Access/Collision Detection) 
D. Frame Relay 
Answer: C 
"Examples of packet-switching networks are X.25, Link Access Procedure-Balanced (LAPB), 
Frame Relay, Switched Multimegabit Data Systems (SMDS), Asynchronous Transfer Mode 
(ATM), and Voice over IP (VoIP)." Pg 146 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 834: 
Unshielded (UTP) does not require the fixed spacing between connections that is: 
A. necessary with telephone-type connections 
B. necessary with coaxial-type connections 
C. necessary with twisted pair-type connections 
D. necessary with fiber optic-type connections 
Answer: B 
QUESTION 835: 
What type of cable is used with 100Base-TX Fast Ethernet? 
A. Fiber-optic cable 
B. Four pairs of Category 3, 4, or 5 unshielded twisted-pair (UTP) wires. 
C. Two pairs of Category 5 unshielded twisted-pair (UTP) or Category 1 shielded twisted-pair 
(STP) wires 
D. RG-58 Cable 
Answer: C 
QUESTION 836: 
Which cable technology refers to the CAT 3 and Cat5 Categories? 
A. Coaxial cables 
B. Fiber Optic cables 
C. Axial cables 
D. Twisted Pair cables 
Answer: D 
QUESTION 837: 
On which Open System Interconnection (OSI) Reference Model layer are repeaters used as communications 
transfer devices? 
A. Data-link 
B. Physical 
C. Network 
D. Transport 
Answer: B 
The original answer (Network) is wrong; a repeater is a Physical layer device that simply 
regenerates the signal. 
"Hubs are multi port repeaters, and as such they obey the same rules as repeaters (See previous 
section OSI Operating Layer). They operate at the OSI Model Physical Layer." 
http://www.thelinuxreview.com/howto/intro_to_networking/c5434.htm 
QUESTION 838: 
In the OSI/ISO model, at what layer are some of the SLIP, CSLIP and PPP control functions 
provided? 
A. Link 
B. Transport 
C. Presentation 
D. Application 
Answer: A 
QUESTION 839: 
In the OSI/ISO model, at what level are TCP and UDP provided? 
A. Transport 
B. Network 
C. Presentation 
D. Application 
Answer: A 
Transport Layer. .... TCP and UDP operate on this layer.' Pg 82. Krutz: The CISSP Prep Guide. 
QUESTION 840: 
DNS, FTP, TFTP, SNMP are provided at what level of the OSI/ISO model? 
A. Application 
B. Network 
C. Presentation 
D. Transport 
Answer: A 
QUESTION 841: 
Which of the following OSI layers does not provide confidentiality? 
A. Presentation 
B. Network 
C. Transport 
D. Session 
Answer: C 
Reference: "[Network Layer] The routing protocols are located at this layer and include the 
following: .....Internet Protocol Security (IPSec)". "The following protocols operate within the 
Session layer: Secure Sockets Layer (SSL)". "The Presentation layer is also responsible for 
encryption and compression." Pg 61-62 Tittel: CISSP Study Guide 
QUESTION 842: 
Which of the following OSI layers provides routing and related services? 
A. Network 
B. Presentation 
C. Session 
D. Physical 
Answer: A 
QUESTION 843: 
The International Standards Organization/Open Systems Interconnection (ISO/OSI) 
Layers does NOT have which of the following characteristics? 
A. Standard model for network communications 
B. Used to gain information from network devices such as count of packets received and routing 
tables 
C. Allows dissimilar networks to communicate 
D. Defines 7 protocol layers (a.k.a. protocol stacks) 
Answer: B 
Not A. 
"The International Organization for Standardization (ISO) is a worldwide federation that works to 
provide international standards." 
Not C. 
"A protocol is a standard set of rules that determine how systems will communicate across 
networks. Two different systems can communicate and understand each other because they use 
the same protocols in spite of their differences." 
Pg. 343-344 Shon Harris: CISSP All-In-One Certification Exam Guide 
QUESTION 844: 
Which of the following layers supervises the control rate of packet transfers in an Open Systems 
Interconnections (OSI) implementation? 
A. Physical 
B. Session 
C. Transport 
D. Network 
Answer: C 
"The transport layer defines how to address the physical locations and/or devices on the network, 
how to make connections between nodes, and how to handle the networking of messages. It is 
responsible for maintaining the end-to-end integrity and control of the session. Services located in 
the transport layer both segment and reassemble the data from upper-layer applications and unite it 
onto the same data stream, which provides end-to-end data transport services and establishes a 
logical connection between the sending host and destination host on a network. The transport layer 
is also responsible for providing mechanisms for multiplexing upper-layer applications, session 
establishment, and the teardown of virtual circuits." Ronald Krutz The CISSP Prep Guide (gold 
edition) pg 275-276 
"Transport Layer The agreement on these issues before transferring data helps provide more 
reliable data transfer, error detection and correction, and flow control and it optimizes network 
services needed to perform these tasks." Pg. 318 - 319 Shon Harris: All-In-One CISSP 
Certification Guide. 
QUESTION 845: 
Which Open Systems Interconnect (OSI) layers provide Transport Control Protocol/Internet Protocol (TCP/IP) 
end-to-end security? 
A. Application and presentation 
B. Presentation and session 
C. Network and application 
D. Application and transport 
Answer: B 
"The Session layer (layer 5) is responsible for establishing, maintaining, and terminating 
communication sessions between two computers. The primary technology within layer 5 is a 
gateway. The following protocols operate within the Session layer: 
Secure Sockets Layer (SSL) 
Network File System (NFS) 
Structured Query Language (SQL) 
Remote Procedure Call (RPC) 
The presentation layer (layer 6) is responsible for transforming data received from the 
application layer into a format that any system following the OSI model can understand. It 
imposes common or standardized structure and formatting rules onto the data. The Presentation 
layer is also responsible for encryption and compression." Pg. 79-80 Tittel: CISSP Study Guide. 
QUESTION 846: 
Which one of the following is a TRUE statement about the bottom three layers of the Open 
Systems Interconnection (OSI) Reference Model? 
A. They generally pertain to the characteristics of the communicating end systems. 
B. They cover synchronization and error control of network data transmissions. 
C. They support and manage file transfer and distribute process resources. 
D. They support components necessary to transmit network messages. 
Answer: D 
By exclusion: 
Not A. 
"The Session layer (layer 5) is responsible for establishing, maintaining, and terminating 
communication sessions between two computers." Pg 79 Tittel: CISSP Study Guide. 
Not B. 
"The Transport layer (layer 4) ....This layer includes mechanisms for segmentation, sequencing, 
error checking, controlling the flow of data, error correction and network service optimization." 
Pg 79 Tittel: CISSP Study Guide. 
Not C. 
"The application itself is not located within this layer [Application]; rather the protocols and 
services required to transmit files, exchange messages, connect to remote terminals, and so on 
are here." Pg. 80 Tittel: CISSP Study Guide. 
QUESTION 847: 
ICMP and IGMP belong to which layer of the OSI model? 
A. Datagram 
B. Network 
C. Transport 
D. Link 
Answer: B 
The Network layer (layer 3) is responsible for adding routing information to the data. The 
Network layer accepts the segment from the Transport layer and adds information to it to create 
a packet. The packet includes the source and destination IP addresses. 
The routing protocols are located at this layer and include the following: 
Internet Control Message Protocol (ICMP) 
Routing Information Protocol (RIP) 
Open Shortest Path First (OSPF) 
Border Gateway Protocol (BGP) 
Internet Group Management Protocol (IGMP) 
Internet Protocol (IP) 
Internet Packet Exchange (IPX) 
Pg. 78 Tittel: CISSP Study Guide 
QUESTION 848: 
The International Standards Organization / Open Systems Interconnection (ISO/OSI) 
Layer 6 is which of the following? 
A. Application Layer 
B. Presentation Layer 
C. Data Link Layer 
D. Network Layer 
Answer: B 
"Presentation Layer (Layer 6)." Pg 81 Krutz The CISSP Prep Guide. 
QUESTION 849: 
Which OSI/ISO layer is IP implemented at? 
A. Session layer 
B. Transport layer 
C. Network layer 
D. Data link layer 
Answer: C 
QUESTION 850: 
Which of the following security-focused protocols operates at a layer different from the 
others? 
A. Secure HTTP 
B. Secure shell (SSH-2) 
C. Secure socket layer (SSL) 
D. Simple Key Management for Internet Protocols (SKIP) 
Answer: A 
QUESTION 851: 
In the OSI/ISO model, at what layer are some of the SLIP, CSLIP and PPP control functions 
provided? 
A. Link 
B. Transport 
C. Presentation 
D. Application 
Answer: A 
QUESTION 852: 
ICMP and IGMP belong to which layer of the OSI Model? (Fill in the blank) 
Answer: Network 
QUESTION 853: 
The International Standards Organization / Open Systems Interconnection (ISO/OSI) 
Layer 6 is which of the following? (Fill in the blank) 
Answer: Presentation 
QUESTION 854: 
The International Standards Organization / Open Systems Interconnection (ISO/OSI) 
Layers are in which of the following order (1 to 7). (Fill in the blank) 
Answer: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, 
Presentation Layer, Application Layer 
QUESTION 855: 
Which of the following OSI layers provides non-repudiation services? (Fill in the blank) 
Answer: Application 
QUESTION 856: 
The OSI model contains seven layers. TCP/IP is generally accepted as having how many 
layers? 
A. four 
B. five 
C. six 
D. eight 
Answer: A 
The TCP/IP Protocol Model is similar to the OSI model, but it defines only the following four 
layers instead of seven: Application Layer, Host-to-Host Transport Layer, Internet Layer, 
Network Access or Link Layer. 
Pg. 84 Krutz: The CISSP Prep Guide. 
QUESTION 857: 
Which of the following layers provides end-to-end service? 
A. Network Layer 
B. Link Layer 
C. Transport Layer 
D. Presentation Layer 
Answer: C 
Session services located in the Transport Layer both segment and reassemble the data from 
upper-layer applications and unite it onto the same data stream, which provides end-to-end data 
transport services and establishes a logical connection between the sending host and destination 
host on a network. 
Pg. 82 Krutz: The CISSP Prep Guide. 
QUESTION 858: 
Both TCP and UDP use port numbers of what length? 
A. 32 bits 
B. 16 bits 
C. 8 bits 
D. 4 bits 
Answer: B 
QUESTION 859: 
Which one of the following is an effective communications error-control technique usually implemented in 
software? 
A. Redundancy check 
B. Packet filtering 
C. Packet checksum 
D. Bit stuffing 
Answer: C 
QUESTION 860: 
What is the proper term to refer to a single unit of IP data? (Fill in the blank) 
Answer: Datagram 
"When the Ethernet software receives a datagram from the Internet layer, it performs the 
following steps: 1.) Breaks IP layer data into smaller chunks if necessary which will be in the 
data field of ethernet frames." Pg. 40 Sams Teach Yourself TCP/IP in 24 hrs. 
QUESTION 861: 
What is the proper term to refer to a single unit of TCP data at the transport layer? 
A. TCP segment 
B. TCP datagram 
C. TCP frame 
D. TCP packet 
Answer: A 
"The data package created at the transport layer, which encapsulates the Application layer 
message, is called a segment if it comes from TCP." Pg. 27, 55 Casad: Sams Teach 
Yourself TCP/IP in 24 hrs. 
QUESTION 862: 
Each data packet is assigned the IP address of the sender and the IP address of the: 
A. recipient 
B. host 
C. node 
D. network 
Answer: A 
QUESTION 863: 
Both TCP and UDP use port numbers of what length? 
A. 32 bits 
B. 16 bits 
C. 8 bits 
D. 4 bits 
Answer: B 
2^16 = 65,536 
"TCP and UDP each have 65,536 ports". Pg 75 Tittel: CISSP Study Guide 
QUESTION 864: 
Which of the following type of packets can *easily* be denied with a stateful packet filter? 
A. ICMP 
B. TCP 
C. UDP 
D. IP 
Answer: B 
QUESTION 865: 
Which ports are the "Register ports", registered by the IANA? 
A. Ports 128 to 255 
B. Ports 1024 to 49151 
C. Ports 1023 to 65535 
D. Ports 1024 to 32767 
Answer: B 
"The User (Registered) Ports are those from 1024 through 49151." 
http://www.iana.org/numbers.htm#P 
QUESTION 866: 
What protocol was UDP based and mainly intended to provide validation of dial up user login 
passwords? 
A. PPTP 
B. L2TP 
C. IPSec 
D. TACACS 
Answer: D 
Explanation: 
The original TACACS protocol was developed by BBN for MILNET. It was UDP based and 
mainly intended to provide validation of dial up user login passwords. The TACACS 
protocol was formally specified, but the spec is not generally available. 
QUESTION 867: 
On which port is POP3 usually run? 
A. 110 
B. 109 
C. 139 
D. 119 
Answer: A 
QUESTION 868: 
The primary function of this protocol is to send messages between network devices 
regarding the health of the network: 
A. Internet Control Message Protocol (ICMP) 
B. Reverse Address Resolution Protocol (RARP) 
C. Address Resolution Protocol (AR) 
D. Internet Protocol (IP) 
Answer: A 
QUESTION 869: 
Telnet and rlogin use which protocol? 
A. UDP 
B. SNMP 
C. TCP 
D. IGP 
Answer: C 
QUESTION 870: 
The IP header contains a protocol field. If this field contains the value of 2, what type of data 
is contained within the IP datagram? 
A. TCP 
B. ICMP 
C. UDP 
D. IGMP 
Answer: D 
IGMP = 2 (ICMP = 1, TCP = 6, UDP = 17) 
QUESTION 871: 
The IP header contains a protocol field. If this field contains the value of 17, what type of 
data is contained within the ip datagram? 
A. TCP 
B. ICMP 
C. UDP 
D. IGMP 
Answer: C 
ICMP = 1 
TCP = 6 
UDP = 17 
Pg. 55 Casad: Sams Teach Yourself TCP/IP in 24 hrs. 
QUESTION 872: 
Why do some sites choose not to implement Trivial File Transfer Protocol (TFTP)? 
A. list restrictions 
B. inherent security risks 
C. user authentication requirement 
D. directory restriction 
Answer: B 
QUESTION 873: 
The IP header contains a protocol field. If this field contains the value of 6, what type of 
data is contained within the ip datagram? 
A. TCP 
B. ICMP 
C. UDP 
D. IGMP 
Answer: A 
ICMP = 1 
TCP = 6 
UDP = 17 
Pg. 55 Casad: Sams Teach Yourself TCP/IP in 24 hrs. 
QUESTION 874: 
Which of the following is not a basic security service defined by the OSI? 
A. Routing control 
B. Authentication 
C. Data Confidentiality 
D. Logging and monitoring 
Answer: A 
QUESTION 875: 
Which of the following is not an OSI architecture-defined broad category of security 
standards? 
A. Security techniques standards 
B. Layer security protocol standards 
C. Application-specific security 
D. Firewall security standards 
Answer: D 
QUESTION 876: 
Which one of the following is the Open Systems Interconnection (OSI) protocol for 
message handling? 
A. X.25 
B. X.400 
C. X.500 
D. X.509 
Answer: B 
An ISO and ITU standard for addressing and transporting e-mail messages. It conforms to layer 
7 of the OSI model and supports several types of transport mechanisms, including Ethernet, 
X.25, TCP/IP, and dial-up lines. - http://www.webopedia.com/TERM/X/X_400.html 
QUESTION 877: 
The IP header contains a protocol field. If this field contains the value of 1, what type of 
data is contained within the IP datagram? 
A. TCP 
B. ICMP 
C. UDP 
D. IGMP 
Answer: B 
ICMP = 1 
TCP = 6 
UDP = 17 
Pg. 55 Casad: Sams Teach Yourself TCP/IP in 24 hrs. 
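The protocol-field questions (870, 871, 873, 877) and the checksum question (859) both come down to reading the IPv4 header, so here is one worked example that covers both. It is an added illustration, not text or code from Casad or any other source quoted above. It builds a 20-byte IPv4 header for constructed documentation-range addresses (192.0.2.x, 198.51.100.x), computes the RFC 1071 one's-complement checksum that the header carries, parses the header back, rejects it if the checksum no longer verifies, and names the payload protocol from the Protocol field using the IANA numbers 1, 2, 6 and 17.

```python
"""Build, checksum and parse an IPv4 header (RFC 791, RFC 1071).
Constructed example; the addresses are documentation ranges, not real hosts."""
import struct

# IANA protocol numbers referenced in the questions above
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag,
                             # TTL, protocol, checksum, src, dst = 20 bytes


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, folded to 16 bits,
    then complemented. Over a header whose checksum field is filled in,
    the result is 0 if the header is intact."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64) -> bytes:
    """20-byte header without options, checksum computed over the header
    with the checksum field set to zero, as the sender does."""
    version_ihl = (4 << 4) | 5               # IPv4, 5 x 32-bit words
    hdr = struct.pack(IPV4_FMT, version_ihl, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Return the fields a filter cares about; raise on a bad checksum."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl or internet_checksum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    (version_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    return {
        "version": version_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "unknown(%d)" % proto),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


if __name__ == "__main__":
    for proto in (1, 2, 6, 17):
        hdr = build_ipv4_header("192.0.2.1", "198.51.100.7", proto, 8)
        print(parse_ipv4_header(hdr))
```

The checksum only catches accidental corruption in transit; anyone who can rewrite a header can recompute it, which is why question 859 calls it an error-control technique rather than a security service.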
QUESTION 878: 
Which of the following is true? 
A. TCP is connection-oriented. UDP is not 
B. UDP provides for Error Correction. TCP does not. 
C. UDP is useful for longer messages 
D. UDP guarantees delivery of data. TCP does not guarantee delivery of data. 
Answer: A 
QUESTION 879: 
What works as an E-mail message transfer agent? 
A. SMTP 
B. SNMP 
C. S-RPC 
D. S/MIME 
Answer: A 
QUESTION 880: 
A common way to create fault tolerance with leased lines is to group several T-1's together 
with an inverse multiplexer placed: 
A. at one end of the connection 
B. at both ends of the connection 
C. somewhere between both end points 
D. in the middle of the connection 
Answer: B 
QUESTION 881: 
Several methods provide telecommunications continuity, which of the following is a method 
of routing traffic through split cable or duplicate cable facilities? 
A. diverse routing 
B. alternative routing 
C. last mile circuit protection 
D. long haul network diversity 
Answer: A 
QUESTION 882: 
Which of the following is the primary security feature of a proxy server? 
A. Client hiding 
B. URL blocking 
C. Route blocking 
D. Content filtering 
Answer: A 
QUESTION 883: 
Which of the following Common Data Network Services is used to send and receive email 
internally or externally through an email gateway device? 
A. File services 
B. Mail services 
C. Print Services 
D. Client/Server services 
Answer: B 
QUESTION 884: 
Which one of the following is a technical solution for the quality of service, speed, and security problems 
facing the Internet? 
A. Random Early Detection (RED) queuing 
B. Multi-protocol label-switching (MPLS) 
C. Public Key Cryptography Standard (PKCS) 
D. Resource Reservation Protocol (RSVP) 
Answer: B 
The original answer to this question was RED; however, I think this is incorrect for this reason. Both RED 
and MPLS deal with QoS/CoS issues, thereby increasing speed, MPLS more so than RED. However, I have not 
been able to find any documents that state RED is a security implementation, while MPLS is heavily used in 
the ISP VPN market. 
See this link for MPLS security http://www.nwfusion.com/research/2001/0521feat2.html 
Below are the links that form the rationale for this answer of B (MPLS). 
Congestion avoidance algorithm in which a small percentage of packets are dropped when 
congestion is detected and before the queue in question overflows completely 
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/r12.htm 
Multiprotocol Label Switching. Switching method that forwards IP traffic using a label. This 
label instructs the routers and the switches in the network where to forward the packets based on 
preestablished IP routing information 
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/m12.htm 
Resource Reservation Protocol. Protocol that supports the reservation of resources across an IP 
network. Applications running on IP end systems can use RSVP to indicate to other nodes the 
nature (bandwidth, jitter, maximum burst, and so on) of the packet streams they want to receive. 
RSVP depends on IPv6. Also known as Resource Reservation Setup Protocol. 
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/r12.htm 
Random Early Detection (RED) is the recommended approach for queue congestion 
management in routers (Braden et al., 1998). Although in its basic form RED can be 
implemented in a relatively short C program, as the speed of ports and the number of queues per 
port increase, the implementation moves more and more into hardware. Different vendors choose 
different ways to implement and support RED in their silicon implementations. The degree of 
programmability, the number of queues, the granularity among queues, and the calculation 
methods of the RED parameters all vary from implementation to implementation. Some of these 
differences are irrelevant to the behavior of the algorithm-and hence to the resulting network 
behavior. Some of the differences, however, may result in a very different behavior of the RED 
algorithm-and hence of the network efficiency. 
http://www.cisco.com/en/US/products/hw/routers/ps167/products_white_paper09186a0080091fe4.shtml 
Based on label swapping, a single forwarding mechanism provides opportunities for new control 
paradigms and applications. MPLS Label Forwarding is performed with a label lookup for an 
incoming label, which is then swapped with the outgoing label and finally sent to the next hop. 
Labels are imposed on the packets only once at the edge of the MPLS network and removed at 
the other end. These labels are assigned to packets based on groupings or forwarding 
equivalence classes (FECs). Packets belonging to the same FEC get similar treatment. The label 
is added between the Layer 2 and the Layer 3 header (in a packet environment) or in the virtual 
path identifier/virtual channel identifier (VPI/VCI) field (in ATM networks). The core network 
merely reads labels, applies appropriate services, and forwards packets based on the labels. This 
MPLS lookup and forwarding scheme offers the ability to explicitly control routing based on 
destination and source addresses, allowing easier introduction of new IP services. 
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/xlsw_ds.htm 
QUESTION 885: 
How do you distinguish between a bridge and a router?
A. The router connects two networks at the data-link layer, while bridge connects two networks 
at the network layer 
B. The bridge connects two networks at the data-link layer, while router connects two networks 
at the network layer 
C. It is not possible to distinguish them. They have the same functionality. 
Answer: B 
QUESTION 886: 
Why should you avoid having two routers connect your trusted internal LAN to your 
demilitarized zone? 
A. Network congestion might cause the routers to pass data from your private network through 
the demilitarized zone 
B. This provides attackers with multiple paths to access your trusted network 
C. There is a substantial increase in cost with only a nominal increase in security 
D. You may overlook an attack on one of your routers because your data still reaches the 
outside world from your other router 
Answer: C 
QUESTION 887: 
In the days before CIDR (Classless Inter-Domain Routing), networks were commonly 
organized by classes. Which of the following would have been true of a Class B network? 
A. The first bit of the ip address would be set to zero 
B. The first bit of the ip address would be set to one and the second bit set to zero 
C. The first two bits of an ip address would be set to one, and the third bit set to zero 
D. The first three bits of the ip address would be set to one 
Answer: B 
QUESTION 888: 
Which of the following is an ip address that is private (i.e. reserved for internal networks, 
and not a valid address to use on the internet)? 
A. 172.5.42.5 
B. 172.76.42.5 
C. 172.90.42.5 
D. 172.16.42.5 
Answer: D 
"The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the 
IP address space for private Internets - 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 
and 192.168.0.0 to 192.168.255.255 - that are known as 'global non-routable addresses.'" Pg. 94 
Krutz: The CISSP Prep Guide. 
QUESTION 889: 
Which of the following is an ip address that is private (i.e. reserved for internal networks, 
and not a valid address to use on the internet)? 
A. 10.0.42.5 
B. 11.0.42.5 
C. 12.0.42.5 
D. 13.0.42.5 
Answer: A 
"The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the 
IP address space for private Internets - 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 
and 192.168.0.0 to 192.168.255.255 - that are known as 'global non-routable addresses.'" Pg. 94 
Krutz: The CISSP Prep Guide. 
QUESTION 890: 
Which of the following is an ip address that is private (i.e. reserved for internal networks, 
and not a valid address to use on the internet)? 
A. 172.12.42.5 
B. 172.140.42.5 
C. 172.31.42.5 
D. 172.15.45.5 
Answer: C 
"The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the 
IP address space for private Internets - 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 
and 192.168.0.0 to 192.168.255.255 - that are known as 'global non-routable addresses.'" Pg. 94 
Krutz: The CISSP Prep Guide. 
QUESTION 891: 
In the days before CIDR (Classless Inter-Domain Routing), networks were commonly 
organized by classes. Which of the following would have been true of a Class C network? 
A. The first bit of the ip address would be set to zero 
B. The first bit of the ip address would be set to one and the second bit set to zero 
C. The first two bits of the ip address would be set to one, and the third bit set to zero 
D. The first three bits of the ip address would be set to one 
Answer: C 
Pg. 80 Sams Teach Yourself TCP/IP in 24 hrs. 
QUESTION 892: 
Which of the following is an ip address that is private (i.e. reserved for internal networks, 
and not a valid address to use on the Internet)? 
A. 192.168.42.5 
B. 192.166.42.5 
C. 192.175.42.5 
D. 172.1.42.5 
Answer: A 
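The class questions (887, 891) and the private-address questions (888, 889, 890, 892) reduce to two tests on the address bits, shown here as one added example that is not taken from Krutz, Casad or any other source quoted above. The class comes from the leading bits of the first octet (0 = A, 10 = B, 110 = C, 1110 = D, 1111 = E); RFC 1918 membership comes from the three reserved blocks quoted above. The sample addresses are the ones from the questions.

```python
"""Classify IPv4 addresses: classful class from the leading bits (pre-CIDR)
and RFC 1918 private membership. Added example, Python standard library only."""
import ipaddress

# The three blocks IANA reserved for private internets (RFC 1918)
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful addressing: (leading-bit pattern, class, default prefix length)
CLASSES = [("0", "A", 8), ("10", "B", 16), ("110", "C", 24),
           ("1110", "D", None), ("1111", "E", None)]


def first_octet_bits(ip: str) -> str:
    """First octet as an 8-bit string, e.g. 172 -> '10101100'."""
    return format(int(ipaddress.IPv4Address(ip)) >> 24, "08b")


def address_class(ip: str) -> str:
    """Class letter determined purely by the high-order bits."""
    bits = first_octet_bits(ip)
    for pattern, cls, _prefix in CLASSES:
        if bits.startswith(pattern):
            return cls
    raise AssertionError("unreachable: every bit pattern matches a class")


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in one of the private blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def describe(ip: str) -> dict:
    """Everything the questions above ask about a single address."""
    cls = address_class(ip)
    prefix = next(p for _, c, p in CLASSES if c == cls)
    default_net = None
    if prefix is not None:
        default_net = str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))
    return {
        "address": ip,
        "leading_bits": first_octet_bits(ip)[:4],
        "class": cls,
        "classful_network": default_net,
        "rfc1918_private": is_rfc1918(ip),
    }


def private_ones(candidates) -> list:
    """Answer a 'which of these is private?' question for a list of addresses."""
    return [ip for ip in candidates if is_rfc1918(ip)]


if __name__ == "__main__":
    for ip in ("172.16.42.5", "172.12.42.5", "10.0.42.5", "11.0.42.5",
               "192.168.42.5", "192.166.42.5", "224.0.0.1"):
        print(describe(ip))
```

Note that 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255, so 172.12.x.x, 172.15.x.x and 172.32.x.x are public even though they sit next to the private block; the /12 check catches that where an "starts with 172" test would not.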
QUESTION 893: 
How long are IPv4 addresses: 
A. 32 bits long 
B. 64 bits long 
C. 128 bits long 
D. 16 bits long 
Answer: A 
"IPv4 uses 32 bits for addresses, and IPv6 uses 128 bits; thus v6 provides more possible 
addresses to work with." Pg 331 Shon Harris: All-in-One CISSP Certification 
QUESTION 894: 
ARP and RARP map between which of the following? 
A. DNS addresses and IP addresses 
B. 32-bit hardware addresses and 48-bit IPv6 addresses 
C. 32-bit hardware addresses and 48-bit IPv4 addresses 
D. 32-bit addresses in IPv4 and 48-bit hardware addresses 
Answer: D 
An Ethernet address is a 48-bit address that is hard-wired into the NIC of the network node. ARP 
matches up the 32-bit IP address with this hardware address, which is technically referred to as 
the Media Access Control (MAC) address or the physical address. Pg. 87 Krutz: The CISSP Prep 
Guide. 
QUESTION 895: 
Which protocol matches an Ethernet address to an Internet Protocol (IP) address? 
A. Address Resolution Protocol (ARP) 
B. Reverse Address Resolution Protocol (RARP) 
C. Internet Control Message Protocol (ICMP) 
D. User Datagram Protocol (UDP) 
Answer: B 
"As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the 
subnet, but only the RARP server responds. Once the RARP server receives this request, it looks 
in its table to see which IP address matches the broadcast hardware address. The server then 
sends a message back to the requesting computer that contains its IP address. The system now 
has an IP address and can function on the network." Pg 357 Shon Harris: All-in-One CISSP 
Certification 
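Questions 894 and 895 turn on the direction of the mapping: ARP starts from a 32-bit IP address and learns the 48-bit hardware address, RARP starts from the hardware address and learns the IP address. The following added example (not code from Krutz, Harris or any source quoted above) builds and parses the 28-byte Ethernet/IPv4 ARP body from RFC 826, using the RFC 903 opcodes 3 and 4 for RARP, and answers a request the way a host or RARP server would. It goes one step beyond the questions with a cache update that accepts a reply only for an address that was actually asked about, since accepting unsolicited replies is what ARP cache poisoning exploits. All MAC and IP values are constructed.

```python
"""ARP and RARP packets (RFC 826, RFC 903): build, parse, respond, learn.
Constructed frames only; nothing is sent on a network."""
import struct

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(raw: bytes) -> dict:
    if len(raw) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "op_name": OPCODES.get(op, "unknown"),
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def arp_request(my_mac: str, my_ip: str, wanted_ip: str) -> bytes:
    """IP -> MAC: 'who has wanted_ip?' The target MAC is unknown, so zero."""
    return build_arp(1, my_mac, my_ip, ZERO_MAC, wanted_ip)


def rarp_request(my_mac: str) -> bytes:
    """MAC -> IP: a host that knows only its hardware address asks for its IP."""
    return build_arp(3, my_mac, "0.0.0.0", my_mac, "0.0.0.0")


def respond(raw: bytes, my_mac: str, my_ip: str, rarp_table=None):
    """What a host (or, with rarp_table, a RARP server) answers; None if the
    request is not for us. The reply swaps sender and target."""
    p = parse_arp(raw)
    if p["op"] == 1 and p["target_ip"] == my_ip:
        return build_arp(2, my_mac, my_ip, p["sender_mac"], p["sender_ip"])
    if p["op"] == 3 and rarp_table and p["target_mac"] in rarp_table:
        return build_arp(4, my_mac, my_ip, p["target_mac"], rarp_table[p["target_mac"]])
    return None


def learn(cache: dict, raw: bytes, pending: set) -> bool:
    """Update the ARP cache from a reply, but only for an IP we asked about.
    Unsolicited replies are ignored: accepting them is how cache poisoning works."""
    p = parse_arp(raw)
    if p["op"] == 2 and p["sender_ip"] in pending:
        cache[p["sender_ip"]] = p["sender_mac"]
        pending.discard(p["sender_ip"])
        return True
    return False


if __name__ == "__main__":
    req = arp_request("02:00:00:00:00:01", "192.0.2.1", "192.0.2.2")
    rep = respond(req, "02:00:00:00:00:02", "192.0.2.2")
    print(parse_arp(req))
    print(parse_arp(rep))
```

The same 28-byte layout serves both protocols; only the opcode and which fields are filled in differ, which is why the books treat ARP and RARP as a pair.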
QUESTION 896: 
In a typical firewall configuration, what is the central host in organization's network 
security? 
A. Stateful 
B. Screen 
C. Gateway 
D. Bastion 
Answer: D 
Bastion Host: A system that has been hardened to resist attack at some critical point of entry, and 
which is installed on a network in such a way that it is expected to come under attack. Bastion 
hosts are often components of firewalls, or may be 'outside" Web servers or public access 
systems. Generally, a bastion host is running some form of general purpose operating system 
(e.g., UNIX, VMS, WNT, etc.) rather than a ROM-based or firmware operating system. 
http://www.securesynergy.com/library/articles/it_glossary/glossary_b.php 
QUESTION 897: 
Which one of the following describes a bastion host? 
A. A physically shielded computer located in a data center or vault. 
B. A computer which maintains important data about the network. 
C. A computer which plays a critical role in a firewall configuration. 
D. A computer used to monitor the vulnerability of a network. 
Answer: C 
A bastion host or screened host is just a firewall system logically positioned between a private 
network and an untrusted network. - Ed Tittel CISSP Study Guide (Sybex) pg 93 
QUESTION 898: 
Which of the following statements pertaining to firewalls is incorrect? 
A. Firewalls should not run NIS (Network Information Systems) 
B. Firewalls should mount files systems via NFS 
C. All system logs on the firewall should log to a separate host 
D. Compilers should be deleted from the firewall 
Answer: B 
QUESTION 899: 
Which is the MAIN advantage of having an application gateway? 
A. To perform change control procedures for applications. 
B. To provide a means for applications to move into production. 
C. To log and control incoming and outgoing traffic. 
D. To audit and approve changes to applications. 
Answer: C 
"An application-level gateway firewall is also called a proxy firewall. A proxy is a mechanism 
that copies packets from one network into another; the copy process also changes the sources and 
destination address to protect the identity of the internal or private network. An application-level 
gateway firewall filters traffic based on the Internet service (i.e., application) used to transmit or 
receive the data." - Shon Harris All-in-one CISSP Certification Guide pg 92 
QUESTION 900: 
Which process on a firewall makes permit/deny forwarding decisions based solely on 
address and service port information? 
A. Circuit Proxy 
B. Stateful Packet Inspection Proxy 
C. Application Proxy 
D. Transparency Proxy 
Answer: A 
Circuit-level proxy creates a circuit between the client computer and the server. It does not 
understand or care about the higher-level issues that an application-level proxy deals with. It 
knows the source and destinations addresses and makes access decisions based on this 
information...It looks at the data within the packet header versus the data within the payload of 
the packet. It does not know if the contents within the packet are actually safe or not. - Shon 
Harris All-in-one CISSP Certification Guide pg 419-420 
QUESTION 901: 
A proxy based firewall has which one of the following advantages over a firewall employing 
stateful packet inspection? 
A. It has a greater throughput. 
B. It detects intrusion faster. 
C. It has greater network isolation. 
D. It automatically configures the rule set. 
Answer: C 
QUESTION 902: 
Firewalls filter incoming traffic according to 
A. The packet composition. 
B. A security policy. 
C. Stateful packet rules. 
D. A security process. 
Answer: B 
QUESTION 903: 
Application Level Firewalls create: 
A. a real circuit between the workstation client and the server 
B. a virtual circuit between the workstation client and the server 
C. a imaginary circuit between the workstation guest and the server 
D. a temporary circuit between the workstation host and the server 
Answer: B 
QUESTION 904:
Which of the following is the biggest concern with firewall security? 
A. Internal hackers 
B. Complex configuration rules leading to misconfiguration 
C. Buffer overflows 
D. Distributed denial of service (DDOS) attacks 
Answer: B 
QUESTION 905: 
Which of the following is true of network security? 
A. A firewall is not a necessity in today's connected world 
B. A firewall is a necessity in today's connected world 
C. A whitewall is a necessity in today's connected world 
D. A black firewall is a necessity in today's connected world 
Answer: B 
QUESTION 906: 
Which of the following statements pertaining to firewalls is incorrect? 
A. Firewalls create bottlenecks between the internal and external network 
B. Firewalls allow for centralization of security services in machines optimized and dedicated to 
the task 
C. Strong firewalls can protect a network at all layers of the OSI models 
D. Firewalls are used to create security checkpoints at the boundaries of private networks 
Answer: C 
QUESTION 907: 
Which of the following is the least important security service provided by a firewall? 
A. Packet filtering 
B. Encrypted tunnels 
C. Network Address Translation 
D. Proxy services 
Answer: B 
QUESTION 908: 
Which of the following firewall rules is less likely to be found on a firewall installed 
between an organization's internal network and the Internet? 
A. Permit all traffic to and from local host 
B. Permit all inbound ssh traffic 
C. Permit all inbound tcp connections 
D. Permit all syslog traffic to log-server.abc.org 
Answer: C 
QUESTION 909: 
Which of the following packets should NOT be dropped at a firewall protecting an 
organization's internal network? 
A. Inbound packets with Source Routing option set 
B. Router information exchange protocols 
C. Inbound packets with an internal source IP address 
D. Outbound packets with an external destination IP address 
Answer: D 
QUESTION 910: 
By examining the "state" and "context" of the incoming data packets, it helps to track the 
protocols that are considered "connectionless", such as UDP-based applications and 
Remote Procedure Calls (RPC). This type of firewall system is used in: 
A. first generation firewall systems 
B. second generation firewall systems 
C. third generation firewall systems 
D. fourth generation firewall systems 
Answer: C 
"Stateful Inspection Characteristics 
The firewall maintains a state table that tracks each and every communication channel. 
Frames are analyzed at all communication layers. 
It provides a high degree of security and does not introduce the performance hit that proxy 
firewalls introduce. 
It is scaleable and transparent to users 
It provides data tracking for tracking connectionless protocols such as UDP and ICMP 
The state and context of the data within the packets are stored and updated continuously. 
It is considered a third-generation firewall." Pg. 375 Shon Harris: All-in-One CISSP 
Certification 
Not A: 
"Packet filtering is the first generation firewall - that is, it was the first type that was created and 
used, and other types developed later fall into different generations." Pg 373 Shon Harris: 
All-in-One CISSP Certification 
QUESTION 911: 
Which of the following statements pertaining to packet filtering is incorrect? 
A. It is based on ACLs 
B. It is not application dependant 
C. It operates at the network layer 
D. It keeps track of the state of a connection 
Answer: D 
QUESTION 912: 
A screening router can perform packet filtering based upon what data? 
A. Translated source destination addresses. 
B. Inverse address resolution. 
C. Source and destination port number. 
D. Source and destination addresses and application data. 
Answer: C 
The original answer was A (translated source destination address). I did not come across this term in my 
reading. 
Screening router 
A screening router is one of the simplest firewall strategies to implement. This is a popular 
design because most companies already have the hardware in place to implement it. A screening 
router is an excellent first line of defense in the creation of your firewall strategy. It's just a 
router that has filters associated with it to screen outbound and inbound traffic based on IP 
address and UDP and TCP ports. 
http://www.zdnet.co.uk/news/specials/2000/10/enterprise/techrepublic/2002/10/article002c.html 
QUESTION 913: 
Why are hardware security features preferred over software security features? 
A. They lock in a particular implementation. 
B. They have a lower meantime to failure. 
C. Firmware has fewer software bugs. 
D. They permit higher performance. 
Answer: D 
This is a sort of iffy question. Hardware allows faster performance than software and does not 
need to utilize an underlying OS to make the security software operate (an example is PIX 
firewall vs. Checkpoint). The mean time to failure answer to me is OK, but the hardware that the 
security software runs on also has an MTTF. A few people looked over this question and had no problem 
with the answer of B (mean time to failure), but as I looked into it I have picked D. 
MTTF is typically the time to failure. "MTTF is the expected typical functional lifetime of the 
device given a specific operating environment" (Ed Tittel CISSP Study Guide (Sybex) pg 657). This 
leads me to think that this question says hardware has a SHORTER lifespan than software. Thus I am going 
to have to go with D (higher performance). This can be because of ASICs. As always, use your best 
judgment, knowledge and experience on this question. Below are some points of view. 
A few things to consider when deploying a software-based firewall: 
Patching the OS or firewall software could bring down the firewall or open additional holes. 
OS expertise vs. firewall expertise (you may need two administrators). 
Support contract (one for hardware, one for OS, one for firewall): who do you call? 
Administration (one for OS and one for firewall). If you're not an expert in both then forget it. 
High-availability (stateful failover) usually requires additional software and costs a lot of 
money. As a result it adds to support costs. 
Are software firewalls a bad idea? It depends. Every situation is different. -Bob 
http://www.securityfocus.com/archive/105/322401/2003-05-22/2003-05-28/2 
A software firewall application is designed to be installed onto an existing operating system 
running on generic server or desktop hardware. The application may or may not 'harden' the 
underlying operating system by replacing core components. Typical host operating systems 
include Windows NT, 2000 server or Solaris. 
Software firewall applications all suffer from the following key disadvantages: 
They run on a generic operating system that may or may not be hardened by the Firewall 
installation itself. 
A generic operating system is non-specialized and more complex than is necessary to operate the 
firewall. This leads to reliability problems and hacking opportunities where 
peripheral/unnecessary services are kept running. 
Generic operating systems have their own CPU and memory overheads making software based 
firewalls slower than their dedicated hardware counterparts. 
If the software firewall uses PC hardware as the host platform, then there may be additional 
reliability problems with the hardware itself. Sub-optimal performance of generic hardware also 
affects software applications bundled with their own operating systems. 
There is no physical or topological separation of the firewalling activity. 
A dedicated hardware firewall is a software firewall application and operating system running on 
dedicated hardware. This means the hardware used is optimized for the task, perhaps including 
digital signal processors (DSPs) and several network interfaces. There may also be special 
hardware used to accelerate the encryption/decryption of VPN data. It may be rack mounted for 
easy installation into a comms' cabinet. 
We recommend dedicated hardware firewalls as they offer several key advantages over software 
applications: 
Dedicated hardware is typically more reliable. 
Hardware firewalls are simpler, hence more secure. 
Hardware firewalls are more efficient and offer superior performance, especially in support of 
VPNs. 
The firewalling activity is physically and topologically distinct. 
http://www.zensecurity.co.uk/default.asp?URL=hardware%20software%20firewall 
QUESTION 914: 
Firewalls can be used to 
A. Enforce security policy. 
B. Protect data confidentiality. 
C. Protect against protocol redirects. 
D. Enforce Secure Network Interface addressing. 
Answer: A 
A firewall is a device that supports and enforces the company's network security policy. - Shon 
Harris All-in-one CISSP Certification Guide pg 412 
QUESTION 915: 
Which one of the following operations of a secure communication session cannot be protected? 
A. Session initialization 
B. Session support 
C. Session termination 
D. Session control 
Answer: C 
I did not find the answer to this question in any of the text sources I read for the CISSP. However, 
Network Intrusion Detection (3rd edition) gives some hints. I am basing this off of the 3-way handshake 
and looking for the termination of the session and who does it. Was it a RESET or FIN in the packet? 
So based off this concept I am concluding that Session Termination is really not controllable. Use your 
best judgment on this question based off of experience and knowledge. 
QUESTION 916: 
The general philosophy for DMZs is that: 
A. any system on the DMZ can be compromised because it's accessible from the Internet 
B. any system on the DMZ cannot be compromised because it's not accessible from the Internet 
C. some systems on the DMZ can be compromised because they are accessible from the Internet 
D. any system on the DMZ cannot be compromised because it's by definition 100% safe and not 
accessible from the Internet 
Answer: A 
QUESTION 917: 
Which of the following is NOT an authentication method within IKE and IPsec? 
A. CHAP 
B. Pre-shared Key 
C. certificate based authentication 
D. Public Key authentication 
Answer: A 
QUESTION 918: 
In IPSec, if the communication mode is gateway-gateway or host-gateway: 
A. Only tunnel mode can be used 
B. Only transport mode can be used 
C. Encapsulating Security Payload (ESP) authentication must be used 
D. Both tunnel and transport mode can be used 
Answer: D 
"IPSec can work in one of two modes: transport mode, where the payload of the message is 
protected, and tunnel mode, where the payload and the routing and header information is 
protected." Pg 527 Shon Harris: All-in-One CISSP Certification 
Not: C 
"IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method 
to be used, but it is an open, modular framework that provides a lot of flexibility for companies 
when they choose to use this type of technology. IPSec uses two basic security protocols: 
Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is the 
authenticating protocol, and ESP is an authenticating and encrypting protocol that uses 
cryptographic mechanisms to provide source authentication, confidentiality, and message 
integrity." Pg 527 Shon Harris: All-in-One CISSP Certification 
QUESTION 919: 
Internet Protocol Security (IPSec) provides security service within the Internet Protocol (IP) by doing all of 
the following EXCEPT 
A. Enabling a system to select required security protocols. 
B. Providing traffic analysis protection. 
C. Determining the algorithm(s) to use for the IPsec services. 
D. Putting in place any cryptographic keys required to provide the requested services. 
Answer: A 
Pg 527 Shon Harris CISSP All-In-One Certification Exam Guide 
QUESTION 920: 
Which of the following Internet Protocol (IP) security headers are defined by the Security 
Architecture for IP (IPSEC)? 
A. The IPv4 and IPv5 Authentication Headers 
B. The Authentication Header Encapsulating Security Payload 
C. The Authentication Header and Digital Signature Tag 
D. The Authentication Header and Message Authentication Code 
Answer: B 
"IPSec uses two basic security protocols: Authentication Header (AH) and the Encapsulating 
Security Payload (ESP)." pg 575 Shon Harris CISSP All-In-One Certification Exam Guide 
QUESTION 921: 
Which of the following statements is not true of IPSec Transport mode? 
A. It is required for gateways providing access to internal systems 
B. Set-up when end-point is host or communications terminates at end-points 
C. If used in gateway-to-host communication, gateway must act as host 
D. Detective/Administrative Pairing 
Answer: A 
QUESTION 922: 
What is the name of the standard format that was established to set up and manage Security 
Associations (SA) on the Internet in IPSec? 
A. Internet Key Exchange 
B. Secure Key Exchange Mechanism 
C. Oakley 
D. Internet Security Association and Key Management Protocol 
Answer: D 
Reference: pg 221 Krutz 
QUESTION 923: 
What is the purpose of the Encapsulating Security Payload (ESP) in the Internet Protocol 
(IP) Security Architecture for Internet Protocol Security? 
A. To provide non-repudiation and confidentiality for IP transmission. 
B. To provide integrity and confidentiality for IP transmissions. 
C. To provide integrity and authentication for IP transmissions. 
D. To provide key management and key distribution for IP transmissions. 
Answer: B 
"Encapsulating Security Payload (ESP). AH is the authenticating protocol and ESP is an 
authenticating and encrypting protocol that uses cryptographic mechanisms to provide source 
authentication, confidentiality, and message integrity." Pg 575 Shon Harris CISSP All-In-One 
Certification Exam Guide 
QUESTION 924: 
Which one of the following is a circuit level application gateway and works independent of any supported 
TCP/IP application protocol? 
A. SOCK-et-S (SOCKS) 
B. Common Information Model (CIM) 
C. Secure Multipurpose Internet Mail Extension (S/MIME) 
D. Generic Security Service Application Programming Interface (GSS-API) 
Answer: A 
"Socks Proxy Server Characteristics 
Circuit-level proxy server 
Requires clients to be SOCKS-fied with SOCKS client software 
Mainly used for outbound Internet access and virtual private network (VPN) functionality 
Can be resource-intensive 
Provides authentication and encryption features to other VPN protocols, but not considered a 
traditional VPN protocol" 
Pg. 422 Shon Harris CISSP All-In-One Certification Exam Guide 
Reference: 
The SOCKS is an example of a circuit-level proxy gateway that provides a secure channel 
between two computers. pg. 379 Shon Harris CISSP 
QUESTION 925: 
How does the SOCKS protocol secure Internet Protocol (IP) connections? 
A. By negotiating encryption keys during the connection setup. 
B. By attaching Authentication Headers (AH) to each packet. 
C. By distributing encryption keys to SOCKS enabled applications. 
D. By acting as a connection proxy. 
Answer: D 
"SOCKS is an example of a circuit-level proxy gateway that provides a secure channel between 
two computers. When a SOCKS-enabled client sends a request to a computer on the Internet, this 
request actually goes to the network's SOCKS proxy server..." pg 379 Shon Harris: All-in-One 
CISSP Certification 
QUESTION 926: 
In the TCP/IP protocol stack, at what level is the SSL (Secure Sockets Layer) protocol 
provided? 
A. Application 
B. Network 
C. Presentation 
D. Session 
Answer: B 
QUESTION 927: 
SSL (Secure Sockets Layer) has two possible 'session key' lengths, what are they? 
A. 40 bit & 54 bit 
B. 40 bit & 128 bit 
C. 64 bit & 128 bit 
D. 128 bit & 256 bit 
Answer: B 
QUESTION 928: 
Which of the following is NOT true of SSL? 
A. By convention it uses 's-http://' instead of 'http://'. 
B. It stands for Secure Sockets Layer 
C. It was developed by Netscape 
D. It is used for transmitting private documents over the Internet 
Answer: A 
QUESTION 929: 
Which SSL version offers client-side authentication? 
A. SSL v1 
B. SSL v2 
C. SSL v3 
D. SSL v4 
Answer: B 
"Client Authentication using Digital IDs 
Enable access by certificates 
1. Choose Encryption|Security Preferences in the Server Manager. 
2. Specify which versions of SSL your server can communicate with. The latest and most 
secure version is SSL version 3, but many older clients use only SSL version 2. You will 
probably want to enable your server to use both versions. 
3. Refuse access to any client that does not have a client certificate from a trusted CA by 
choosing the Yes box under Require client certificates (regardless of access control): 
4. Click the OK button and confirm your changes." 
http://www.verisign.com/repository/clientauth/ent_ig.htm#clientauth 
QUESTION 930: 
In which way does a Secure Socket Layer (SSL) server prevent a "man-in-the-middle" attack? 
A. It uses signed certificates to authenticate the server's public key. 
B. A 128 bit value is used during the handshake protocol that is unique to the connection. 
C. It uses only 40 bits of secret key within a 128 bit key length. 
D. Every message sent by the SSL includes a sequence number within the message contents. 
Answer: A 
Secure Sockets Layer (SSL). An encryption technology that is used to provide secure 
transactions such as the exchange of credit card numbers. SSL is a socket layer security protocol 
and is a two-layered protocol that contains the SSL Record Protocol and the SSL Handshake 
Protocol. Similar to SSH, SSL uses symmetric encryption for private connections and 
asymmetric or public key cryptography (certificates) for peer authentication. It also uses a 
Message Authentication Code for message integrity checking. 
Krutz: The CISSP Prep Guide pg. 89. It prevents a man-in-the-middle attack by confirming that 
you are authenticating with the desired server prior to entering your user name and password. If the 
server was not authenticated, a man-in-the-middle could retrieve the username and password 
and then use it to log in. 
The SSL protocol has been known to be vulnerable to some man-in-the-middle attacks. The 
attacker injects herself right at the beginning of the authentication phase so that she obtains both 
parties' keys. This enables her to decrypt and view messages that were not intended for her. 
Using digital signatures during the session-key exchange can circumvent the man-in-the-middle 
attack. If using Kerberos, when Lance and Tanya obtain each other's public keys from the KDC, 
the public keys are signed by the KDC. Because Tanya and Lance have the public key of the 
KDC, they both can decrypt and verify the signature on each other's public key and be sure that 
it came from the KDC itself. Because David does not have the private key of the KDC, he cannot 
substitute his public key during this type of transmission. Shon Harris All-In-One CISSP 
Certification pg. 579. 
One of the most important pieces of a PKI is its public key certificate. A certificate is the 
mechanism used to associate a public key with a collection of components sufficient to uniquely 
authenticate the claimed owner. Shon Harris All-In-One CISSP Certification pg. 540. 
QUESTION 931: 
Secure Shell (SSH) and Secure Sockets Layer (SSL) are very heavily used for protecting 
A. Internet transactions 
B. Ethernet transactions 
C. Telnet transactions 
D. Electronic Payment transactions 
Answer: A 
QUESTION 932: 
Which one of the following CANNOT be prevented by the Secure Shell (SSH) program? 
A. Internet Protocol (IP) spoofing. 
B. Data manipulation during transmissions. 
C. Network based birthday attack. 
D. Compromise of the source/destination host. 
Answer: D 
This is a question that I disagreed with. The premise that SSH does use RSA and 3DES, and is thus 
susceptible to cryptographic attack (namely a birthday attack), has merit, but I think the answer is 
more simple, in that SSH can't protect against a compromised source/destination. You can 
safely rule out spoofing and manipulation (that is the job of SSH, to protect the transmission). 
Original answer was C birthday attack. Use your best judgment based on knowledge and 
experience. 
The use of ssh helps to correct these vulnerabilities. Specifically, ssh protects against these 
attacks: IP spoofing (where the spoofer is on either a remote or local host), IP source routing, 
DNS spoofing, interception of cleartext passwords/data and attacks based on listening to X 
authentication data and spoofed connections to an X11 server. 
http://www-arc.com/sara/cve/SSH_vulnerabilities.html 
Birthday attack - Usually applied to the probability of two different messages using the same 
hash function producing a common message digest; or, given a message and its 
corresponding message digest, finding another message that when passed through the same hash function 
generates the same specific message digest. The term "birthday" comes from the fact that in a 
room with 23 people, the probability of two people having the same birthday is greater than 50 
percent. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 212 
QUESTION 933: 
Another name for a VPN is a: 
A. tunnel 
B. one-time password 
C. pipeline 
D. bypass 
Answer: A 
QUESTION 934: 
Which one of the following attacks is MOST effective against an Internet Protocol Security 
(IPSEC) based virtual private network (VPN)? 
A. Brute force 
B. Man-in-the-middle 
C. Traffic analysis 
D. Replay 
Answer: B 
Active attacks find identities by being a man-in-the-middle or by replacing the responder in the 
negotiation. The attacker proceeds through the key negotiation with the attackee until the 
attackee has revealed its identity. In a well-designed system, the negotiation will fail after the 
attackee has revealed its identity because the attacker cannot spoof the identity of the 
originally-intended system. 
The attackee might then suspect that there was an attack because the other side failed before it 
gave its identity. Therefore, an active attack cannot be persistent because it would prevent all 
legitimate access to the desired IPsec system. 
http://msgs.securepoint.com/cgi-bin/get/ipsec-0201/18.html 
Not C: Traffic analysis is a good attack but not the most effective as it is passive in nature, while 
Man in the middle is active. 
QUESTION 935: 
Which of the following is NOT an essential component of a VPN? 
A. VPN Server 
B. NAT Server 
C. authentication 
D. encryption 
Answer: B 
QUESTION 936: 
Virtual Private Network software typically encrypts all of the following EXCEPT 
A. File transfer protocol 
B. Data link messaging 
C. HTTP protocol 
D. Session information 
Answer: B 
QUESTION 937: 
Which of the following is less likely to be used in creating a Virtual Private Network? 
A. L2TP 
B. PPTP 
C. IPSec 
D. L2F 
Answer: D 
"The following are the three most common VPN communications protocol standards: 
Point-to-Point Tunneling Protocol(PPTP). PPTP works at the Data Link Layer of the OSI model. 
Designed for individual client to server connections, it enables only a single point-to-point 
connection per session. This standard is very common with asynchronous connections that use 
Win9x or NT clients. PPTP uses native Point-to-Point Protocol (PPP) authentication and 
encryption services. 
Layer 2 Tunneling Protocol (L2TP). L2TP is a combination of PPTP and the earlier Layer 2 
Forwarding (L2F) Protocol that works at the Data Link Layer like PPTP. It has become an 
accepted tunneling standard for VPNs. In fact, dial-up VPNs use this standard quite frequently. 
Like PPTP, this standard was designed for single point-to-point client to server connections. Note 
that multiple protocols can be encapsulated within the L2TP tunnel, but it does not use encryption 
like PPTP. Also, L2TP supports TACACS+ and RADIUS, but PPTP does not. 
IPSEC. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels, 
unlike the single connection of the previous standards. IPSec has the functionality to encrypt and 
authenticate IP data. It is built into the new IPv6 standard, and is used as an add-on to the current 
IPv4. While PPTP and L2TP are aimed more at dial-up VPNs, IPSec focuses more on 
network-to-network connectivity." Pg. 123-125 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 938: 
Which one of the following instigates a SYN flood attack? 
A. Generating excessive broadcast packets. 
B. Creating a high number of half-open connections. 
C. Inserting repetitive Internet Relay Chat (IRC) messages. 
D. A large number of Internet Control Message Protocol (ICMP) traces. 
Answer: B 
A SYN attack occurs when an attacker exploits the use of the buffer space during a Transmission Control 
Protocol (TCP) session initialization handshake. The attacker floods the target system's small "in-process" 
queue with connection requests, but it does not respond when a target system replies to those requests. This 
causes the target system to time out while waiting for the proper response, which makes the system crash or 
become unusable. - Ronald Krutz The CISSP PREP Guide (gold edition) pg 103 
"In a SYN flood attack, hackers use special software that sends a large number of fake packets 
with the SYN flag set to the targeted system. The victim then reserves space in memory for the 
connection and attempts to send the standard SYN/ACK reply but never hears back from the 
originator. This process repeats hundreds or even thousands of times, and the targeted computer 
eventually becomes overwhelmed and runs out of available resources for the half-opened 
connections. At that time, it either crashes or simply ignores all inbound connection requests 
because it can't possibly handle any more half-open connections." Pg 266 Tittel: CISSP Study 
Guide. 
QUESTION 939: 
Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP) 
addresses/names with the intent of diverting traffic? 
A. Network aliasing 
B. Domain Name Server (DNS) poisoning 
C. Reverse Address Resolution Protocol (ARP) 
D. Port scanning 
Answer: B 
This reference is close to the one listed. DNS poisoning is the correct answer; however, Harris does not say 
the name when describing the attack, but later on the page she states the following. 
This is how a DNS DoS attack can occur. If the actual DNS records are unattainable to the attacker for him 
to alter in this fashion, which they should be, the attacker can insert this data into the cache of their server 
instead of replacing the actual records, which is referred to as cache poisoning. - Shon Harris All-in-one 
CISSP Certification Guide pg 795 
QUESTION 940: 
A Packet containing a long string of NOP's followed by a command is usually indicative of 
what? 
A. A syn scan 
B. A half-port scan 
C. A buffer overflow 
D. A packet destined for the network's broadcast address 
Answer: C 
Reference "This paper is for those who want a practical approach to writing buffer overflow 
exploits. As the title says, this text will teach you how to write these exploits 
in Perl. 
..... 
There are reasons why we construct the buffer this way. First we have a lot of 
NOPs, then the shellcode (which in this example will execute /bin/sh), and at last 
the ESP + offset values." http://hackersplayground.org/papers/perl-buffer.txt 
QUESTION 941: 
You are running a packet sniffer on a network and see a packet with a long string of 
"90 90 90 90...." in the middle of it traveling to an x86-based machine. This could 
be indicative of what? 
A. Over-subscription of the traffic on a backbone 
B. A source quench packet 
C. a FIN scan 
D. A buffer overflow 
Answer: D 
Reference: "TCP Port 5000 Buffer Overflow Attack 
The attack on Port 5000 was part of this scan pattern 
The attack appears to be a buffer overflow attack on the Plug and Play service on TCP Port 5000, which 
likely contains instructions to download and execute the rest of the worm. 
" http://www.linklogger.com/TCP5000_Overflow.htm 
QUESTION 942: 
Which of the following is true related to network sniffing? 
A. Sniffers allow an attacker to monitor data passing across a network. 
B. Sniffers alter the source address of a computer to disguise and exploit weak authentication 
methods. 
C. Sniffers take over network connections 
D. Sniffers send IP fragments to a system that overlap with each other. 
Answer: A 
Explanation: Sniffing is the action of capturing or monitoring the traffic going over the network. 
Because, in a normal networking environment, account and password information is passed 
along Ethernet in clear text, it is not hard for an intruder to put a machine into promiscuous 
mode and, by sniffing, compromise all the machines on the net by capturing passwords in an 
illegal fashion. 
QUESTION 943: 
Which one of the following threats does NOT rely on packet size or large volumes of data? 
A. SYN flood 
B. Spam 
C. Ping of death 
D. Macro virus 
Answer: D 
SPAM - The term describing unwanted email, newsgroup, or discussion forum messages. Spam 
can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of 
unrequested messages with viruses or Trojan horses attached. 
SYN Flood Attack - A type of DoS. A SYN flood attack is waged by not sending the final ACK 
packet, which breaks the standard three-way handshake used by TCP/IP to initiate 
communication sessions. 
Ping of death attack - A type of DoS. A ping of death attack employs an oversized ping packet. 
Using special tools, an attacker can send numerous oversized ping packets to a victim. In many 
cases, when the victimized system attempts to process the packets, an error occurs causing the 
system to freeze, crash, or reboot. 
Macro Viruses - A virus that utilizes crude technologies to infect documents created in the 
Microsoft Word environment. 
- Ed Tittel CISSP Study Guide (sybex) pg 550, 740, 743, 723, 713 
QUESTION 944: 
A TCP SYN Attack: 
A. requires a synchronized effort by multiple attackers 
B. takes advantage of the way a TCP session is established 
C. may result in elevation of privileges. 
D. is not something system users would notice 
Answer: B 
"[SYN Flood] Attackers can take advantage of this design flaw by continually sending the victim 
SYN messages with spoofed packets. The victim will commit the necessary resources to set up 
this communication socket, and it will send its SYN/ACK message waiting for the ACK message 
in return. However, the victim will never receive the ACK message, because the packet is 
spoofed, and the victim system sent the SYN/ACK message to a computer that does not exist. So the 
victim system receives a SYN message, and it dutifully commits the necessary resources to set up 
a connection with another computer. This connection is queued waiting for the ACK message, 
and the attacker sends another SYN message. The victim system does what it is supposed to and 
commits more resources, sends the SYN/ACK message, and queues this connection. This may 
only need to happen a dozen times before the victim system no longer has the necessary 
resources to open up another connection. This makes the victim computer unreachable from 
legitimate computers, denying other systems service from the victim computer." Pg. 735 Shon 
Harris CISSP All-In-One Exam Guide 
QUESTION 945: 
What attack is typically used for identifying the topology of the target network? 
A. Spoofing 
B. Brute force 
C. Teardrop 
D. Scanning 
Answer: D 
Explanation: 
Flaw exploitation attacks exploit a flaw in the target system's software in order to 
cause a processing failure or to cause it to exhaust system resources. An example of 
such a processing failure is the 'ping of death' attack. This attack involved sending 
an unexpectedly large ping packet to certain Windows systems. The target system could 
not handle this abnormal packet, and a system crash resulted. With respect to resource 
exhaustion attacks, the resources targeted include CPU time, memory, disk space, space 
in a special buffer, or network bandwidth. In many cases, simply patching the software 
can circumvent this type of DOS attack. 
QUESTION 946: 
Which one of the following is the reason for why hyperlink spoofing attacks are usually 
successful? 
A. Most users requesting DNS name service do not follow hyperlinks. 
B. The attack performs user authentication with audit logs. 
C. The attack relies on modifications to server software. 
D. Most users do not make a request to connect to DNS names; they follow hyperlinks. 
Answer: D 
Explanation: 
The problem is that most users do not request to connect to DNS names or even URLs, they 
follow hyperlinks... But, whereas DNS names are subject to "DNS spoofing" (whereby a DNS 
server lies about the internet address of a server) so too are URLs subject to what I call 
"hyperlink spoofing" or "Trojan HTML", whereby a page lies about an URLs DNS name. Both 
forms of spoofing have the same effect of steering you to the wrong internet site, however 
hyperlink spoofing is technically much easier than DNS spoofing. 
http://www.brd.ie/papers/sslpaper/sslpaper.html 
QUESTION 947: 
Which of the following identifies the first phase of a Distributed Denial of Service attack? 
A. Establishing communications between the handler and agent. 
B. Disrupting the normal traffic to the host. 
C. Disabling the router so it cannot filter traffic. 
D. Compromising as many machines as possible. 
Answer: D 
Another form of attack is called the distributed denial of service (DDOS). A distributed denial of 
service occurs when the attacker compromises several systems and uses them as launching 
platforms against one or more victims. - Ed Tittel CISSP Study Guide (sybex) pg 51 
QUESTION 948: 
This type of vulnerability enables the intruder to re-route data traffic from a network 
device to a personal machine. This diversion enables the intruder to capture data traffic to 
and from the devices for analysis or modification, or to steal the password file from the 
server and gain access to user accounts. 
A. Network Address Translation 
B. Network Address Hijacking 
C. Network Address Supernetting 
D. Network Address Sniffing 
Answer: B 
"Network Address Hijacking. It might be possible for an intruder to reroute data traffic from a 
server or network device to a personal machine, either by device address modification or 
network address "hijacking." This diversion enables the intruder to capture traffic to and from 
the devices for data analysis or modification or to steal the password file from the server and 
gain access to user accounts. By rerouting the data output, the intruder can obtain supervisory 
terminal functions and bypass the system logs." 
Pg. 324 Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 949: 
Which one of the following is an example of hyperlink spoofing? 
A. Compromising a web server Domain Name Service reference. 
B. Connecting the user to a different web server. 
C. Executing Hypertext Transport Protocol Secure GET commands. 
D. Starting the user's browser on a secured page. 
Answer: B 
The problem is that most users do not request to connect to DNS names or even URLs, they 
follow hyperlinks... But, whereas DNS names are subject to "DNS spoofing" (whereby a DNS 
server lies about the internet address of a server) so too are URLs subject to what I call 
"hyperlink spoofing" or "Trojan HTML", whereby a page lies about an URLs DNS name. Both 
forms of spoofing have the same effect of steering you to the wrong internet site, however 
hyperlink spoofing is technically much easier than DNS spoofing. 
http://www.brd.ie/papers/sslpaper/sslpaper.html 
QUESTION 950: 
Why are packet filtering routers NOT effective against mail bomb attacks? 
A. The bomb code is obscured by the message encoding algorithm. 
B. Mail bombs are polymorphic and present no consistent signature to filter on. 
C. Filters do not examine the data portion of a packet. 
D. The bomb code is hidden in the header and appears as a normal routing information. 
Answer: C 
QUESTION 951: 
Which one of the following correctly identifies the components of a Distributed Denial of Service Attack? 
A. Node, server, hacker, destination 
B. Client, handler, agent, target 
C. Source, destination, client, server 
D. Attacker, proxy, handler, agent 
Answer: B 
Another form of DoS. A distributed denial of service occurs when the attacker compromises 
several systems to be used as launching platforms against one or more victims. The 
compromised systems used in the attacks are often called slaves or zombies. A DDoS attack 
results in the victims being flooded with data from numerous sources. - Ed Tittel CISSP Study 
Guide (sybex) pg 693 
QUESTION 952: 
Which one of the following attacks will pass through a network layer intrusion detection system undetected? 
A. A teardrop attack 
B. A SYN flood attack 
C. A DNS spoofing attack 
D. A test.cgi attack 
Answer: D 
Explanation: 
"Because a network-based IDS reviews packets and headers, it can also detect denial of service 
(DoS) attacks." Pg. 64 Krutz: The CISSP Prep Guide 
Not A or B: 
"The following sections discuss some of the possible DoS attacks available. 
Smurf 
Fraggle 
SYN Flood 
Teardrop 
DNS DoS Attacks" 
Pg. 732-737 Shon Harris: All-In-One CISSP Certification Exam Guide 
QUESTION 953: 
Which one of the following is a passive network attack? 
A. Spoofing 
B. Traffic Analysis 
C. Playback 
D. Masquerading 
Answer: B 
Explanation: 
"Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets 
rather than the actual content of packets. Traffic and trend analysis can be used to infer a large 
amount of information, such as primary communication routes, sources of encrypted traffic, 
location of primary servers, primary and backup communication pathways, amount of traffic 
supported by the network, typical direction of traffic flow, frequency of communications, and 
much more." Pg 429 Tittel: CISSP Study Guide 
QUESTION 954: 
Which one of the following can NOT typically be accomplished using a Man-in-the-middle 
attack? 
A. DNS spoofing 
B. Session hijacking 
C. Denial of service flooding 
D. Digital signature spoofing 
Answer: D 
QUESTION 955: 
What is called an attack where the attacker spoofs the source IP address in an ICMP 
ECHO broadcast packet so it seems to have originated at the victim's system, in order to 
flood it with REPLY packets? 
A. SYN flood attack 
B. Smurf attack 
C. Ping of Death Attack 
D. Denial of Service (DOS) Attack 
Answer: B 
Reference: pg 158 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 956: 
Which type of attack involves the alteration of a packet at the IP level to convince a system 
that it is communicating with a known entity in order to gain access to a system? 
A. TCP sequence number attack 
B. IP spoofing attack 
C. Piggybacking attack 
D. Teardrop attack 
Answer: B 
QUESTION 957: 
How does a teardrop attack work? 
Answer: 
Reference: Another attack that relies on poor TCP/IP implementation is Teardrop < 
http://www.rage.mircx.com/knowledge/tcpip-teardrop.htm> , which exploits defects in the way 
systems reassemble IP packet fragments. On their way from hither to yon on the Internet, an IP 
packet may be broken up into smaller pieces. Each of these still has the original IP packet's 
header, as well as an offset field that identifies which bytes of the original packet it contains. 
With this information, an ordinary broken packet is reassembled at its destination and network 
continues uninterrupted. When a Teardrop attack hits, your server is bombarded with IP 
fragments that have overlapping offset fields. If your server or router can't disregard these 
fragments and attempts to reassemble them, your box will go castors up quickly. If your systems 
are up-to-date, or if you have a firewall that blocks Teardrop packets, you shouldn't have any 
trouble. 
QUESTION 958: 
What attack takes advantage of operating system buffer overflows? 
A. Spoofing 
B. Brute force 
C. DoS 
D. Exhaustive 
Answer: C 
Explanation: 
Denial of Service is an attack on the operating system or software using buffer 
overflows. The result is that the target is unable to reply to service requests. This 
is too large an area of information to try to cover here, so I will limit my 
discussion to the types of denial of service (DoS) attacks: 
QUESTION 959: 
What attack is primarily based on the fragmentation implementation of IP and large 
ICMP packet size? 
A. Exhaustive 
B. Brute force 
C. Ping of Death 
D. Spoofing 
Answer: C 
Explanation: 
Ping of Death -- This exploit is based on the fragmentation implementation of IP 
whereby large packets are reassembled and can cause machines to crash. 'Ping of Death 
takes advantage of the fact that it is possible to send an illegal ICMP Echo packet 
with more than the allowable 65,507 octets of data because of the way fragmentation is 
performed. A temporary fix is to block ping packets. Ideally, an engineer should secure 
TCP/IP from overflow when reconstructing IP fragments. 
QUESTION 960: 
Land attack attacks a target by: 
A. Producing large volume of ICMP echos. 
B. Producing fragmented IP packets. 
C. Attacking an established TCP connection. 
D. None of the choices. 
Answer: C 
Explanation: 
Land.c attack -- Attacks an established TCP connection. A program sends a TCP SYN 
packet giving the target host address as both the sender and destination using the same 
port causing the OS to hang. 
QUESTION 961: 
What attack is primarily based on the fragmentation implementation of IP? 
A. Teardrop 
B. Exhaustive 
C. Spoofing 
D. Brute force 
Answer: A 
Explanation: 
Teardrop attack - This is based on the fragmentation implementation of IP whereby 
reassembly problems can cause machines to crash. The attack uses a reassembly bug with 
overlapping fragments and causes systems to hang or crash. It works for any Internet 
Protocol type because it hits the IP layer itself. Engineers should turn off directed 
broadcast capability. 
QUESTION 962: 
What attack floods networks with broadcast traffic so that the network is congested? 
A. Spoofing 
B. Teardrop 
C. Brute force 
D. SMURF 
Answer: D 
Explanation: 
SMURF attack -- This attack floods networks with broadcast traffic so that the network 
is congested. The perpetrator sends a large number of spoofed ICMP (Internet Control 
Message Protocol) echo requests to broadcast addresses hoping packets will be sent to 
the spoofed addresses. You need to understand the OSI model and how protocols are 
transferred between layer 3 and layer 2 to understand this attack. The layer 2 will 
respond to the ICMP echo request with an ICMP echo reply each time, multiplying the 
traffic by the number of hosts involved. Engineers should turn off broadcast capability 
(if possible in your environment) to deter this kind of attack. 
QUESTION 963: 
What attack involves repeatedly sending an identical e-mail message to a particular address? 
A. SMURF 
B. Brute force 
C. Teardrop 
D. Spamming 
Answer: D 
Explanation: 
Spamming -- Involves repeatedly sending an identical e-mail message to a particular address. It 
is a variant of bombing, and is made worse when the recipient replies -- i.e. recent 
cases where viruses or worms were attached to the e-mail message and ran a program that 
forwarded the message from the reader to anyone on the user's distribution lists. This 
attack cannot be prevented, but you should ensure that entrance and exit of such mail 
is only through central mail hubs. 
QUESTION 964: 
A stack overflow attack that "crashes" a Transmission Control Protocol/Internet Protocol (TCP/IP) service 
daemon can result in a serious security breach because the 
A. Process does not implement proper object reuse. 
B. Process is executed by a privileged entity. 
C. Network interface becomes promiscuous. 
D. Daemon can be replaced by a trojan horse. 
Answer: B 
QUESTION 965: 
The intrusion detection system at your site has detected Internet Protocol (IP) packets where the IP source 
address is the same as the destination address. This situation indicates 
A. Misdirected traffic jammed to the internal network. 
B. A denial of service attack. 
C. An error in the internal address matrix. 
D. A hyper overflow in the IP stack. 
Answer: B 
"The Land denial of service attack causes many older operating systems (such as Windows NT 
4, Windows 95, and SunOS 4.1.4) to freeze and behave in an unpredictable manner. It works by 
creating an artificial TCP packet that has the SYN flag set. The attacker sets the destination IP 
address to the address of the victim machine and the destination port to an open port on that 
machine. Next, the attacker sets the source IP address and source port to the same values as the 
destination IP address and port. When the targeted host receives this unusual packet, the 
operating system doesn't know how to process it and freezes, crashes, or behaves in an unusual 
manner as a result." Pg 237 Tittel: CISSP Study Guide 
QUESTION 966: 
What type of attacks occurs when a rogue application has been planted on an unsuspecting 
user's workstation? 
A. Physical attacks 
B. Logical attacks 
C. Trojan Horse attacks 
D. Social Engineering attacks 
Answer: C 
Explanation: 
Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has 
been planted on an unsuspecting user's workstation. The Trojan horse waits until the 
user submits a valid PIN from a trusted application, thus enabling usage of the private 
key, and then asks the smartcard to digitally sign some rogue data. The operation 
completes but the user never knows that their private key was just used against their 
will. 
QUESTION 967: 
Man-in-the-middle attacks are a real threat to what type of communication? 
A. Communication based on random challenge. 
B. Communication based on face to face contact. 
C. Communication based on token. 
D. Communication based on asymmetric encryption. 
Answer: D 
Explanation: 
The weakest point in communication based on asymmetric encryption is the knowledge 
about the real owners of keys. Somebody evil could generate a key pair, give the public 
key away and tell everybody that it belongs to somebody else. Now, everyone believing 
it will use this key for encryption, resulting in the evil man being able to read the 
messages. If he encrypts the messages again with the public key of the real recipient, 
he will not be easily recognized. This sort of attack is called a "man-in-the-middle" 
attack and can only be prevented by making sure public keys really belong to the one 
being designated as owner. 
QUESTION 968: 
Which of the following threats is not addressed by digital signature and token 
technologies? 
A. Spoofing 
B. replay attacks 
C. password compromise 
D. denial-of-service 
Answer: D 
QUESTION 969: 
Which one of the following is concerned with masking the frequency, length, and 
origin-destination patterns of the communications between protocol entities? 
A. Masking analysis 
B. Protocol analysis 
C. Traffic analysis 
D. Pattern analysis 
Answer: C 
Traffic analysis, which is sometimes called trend analysis, is a technique employed by an 
intruder that involves analyzing data characteristics (message length, message frequency, and so 
forth) and the patterns of transmissions (rather than any knowledge of the actual information 
transmitted) to infer information that is useful to an intruder. -Ronald Krutz The CISSP PREP 
Guide (gold edition) pg 323 
QUESTION 970: 
Which of the following would NOT be considered a Denial of Service Attack? 
A. Zone Transfer 
B. Smurf 
C. Syn Flood 
D. TearDrop 
Answer: A 
Zone transfer is a method that DNS uses to transfer zone information between servers. In some 
insecure DNS installations, zone transfers are allowed to untrusted DNS servers. This allows 
the hacker to determine internal host names and IP addresses to provide additional information 
for an attack. 
QUESTION 971: 
The connection using fiber optics from a phone company's branch office to local customers 
is which of the following? 
A. new loop 
B. local loop 
C. loopback 
D. indigenous loop 
Answer: B 
In telecommunications, the local loop is the wiring between the central office 
and the customer's premises demarcation point. The telephony local loop connection is typically 
a copper twisted pair carrying current from the central office to the customer premises and back 
again. Individual local loop telephone lines are connected to the local central office or to a 
remote concentrator. 
Local loop connections can be used to carry a range of technologies, including: 
Analog Voice 
ISDN 
DSL 
QUESTION 972: 
Which step ensures the confidentiality of a facsimile transmission? 
A. Pre-schedule the transmission of the information. 
B. Locate the facsimile equipment in a private area. 
C. Encrypt the transmission. 
D. Phone ahead to the intended recipient. 
Answer: C 
QUESTION 973: 
Which one of the following could a company implement to help reduce PBX fraud? 
A. Call vectoring 
B. Direct Inward System Access (DISA) 
C. Teleconferencing bridges 
D. Remote maintenance ports 
Answer: B 
The potential for fraud to occur in voice telecommunications equipment is a serious threat. PBX's (Private 
Branch Exchange) are telephone switches used within state agencies to allow employees to make out-going and receive 
incoming phone calls. These PBX's can also provide connections for communications between personal computers 
and local and wide area networks. Security measures must be taken to avoid the possibility of theft of either 
phone service or information through the telephone systems. 
Direct Inward System Access (DISA) is the ability to call into a PBX, either on an 800 number or a local dialin, 
and by using an authorization code, gain access to the long distance lines and place long distance calls through 
the PBX 
http://www.all.net/books/Texas/chap10.html 
QUESTION 974: 
Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud 
manipulates the line voltage to receive a toll-free call? 
A. Red boxes 
B. Blue boxes 
C. White boxes 
D. Black boxes 
Answer: D 
QUESTION 975: 
Which one of the following devices might be used to commit telecommunications fraud 
using the "shoulder surfing" technique? 
A. Magnetic stripe copier 
B. Tone generator 
C. Tone recorder 
D. Video recorder 
Answer: C 
QUESTION 976: 
What technique is used to prevent eavesdropping of digital cellular telephone 
conversations? 
A. Encryption 
B. Authentication 
C. Call detail suppression 
D. Time-division multiplexing 
Answer: D 
The name "TDMA" is also used to refer to a specific second generation mobile phone standard - 
more properly referred to as IS-136, which uses the TDMA technique to timeshare the 
bandwidth of the carrier wave. It provides 3 to 6 times the capacity of its predecessor 
AMPS, and also improved security and privacy. In the United States, for example, AT&T 
Wireless uses the IS-136 TDMA standard. Prior to the introduction of IS-136, there was another 
TDMA North American digital cellular standard called IS-54 (which was also referred to just as 
"TDMA"). 
QUESTION 977: 
Which of the following is a telecommunication device that translates data from digital to 
analog form and back to digital? 
A. Multiplexer 
B. Modem 
C. Protocol converter 
D. Concentrator 
Answer: B 
QUESTION 978: 
Which of the following could lead to the conclusion that a disaster recovery plan may not 
be operational within the timeframe the business needs to recover? 
A. The alternate site is a warm site 
B. Critical recovery priority levels are not defined 
C. Offsite backups are located away from the alternate site 
D. The alternate site is located 70 miles away from the primary site 
Answer: B 
QUESTION 979: 
What are the four domains of communication in the disaster planning and recovery 
process? 
A. Plan manual, plan communication, primer for survival, warning and alarms 
B. Plan communication, primer for survival, escalation, declaration 
C. Plan manual, warning and alarm, declaration, primer for survival 
D. Primer for survival, escalation, plan communication, warning and alarm 
Answer: C 
QUESTION 980: 
The underlying reason for creating a disaster planning and recover strategy is to 
A. Mitigate risks associated with disaster. 
B. Enable a business to continue functioning without impact. 
C. Protect the organization's people, place and processes. 
D. Minimize financial profile. 
Answer: A 
"Disaster recovery has the goal of minimizing the effects of a disaster and taking the necessary 
steps to ensure that the resources, personnel, and business processes are able to resume operation 
in a timely manner." Pg 550 Shon Harris: All-in-One CISSP Certification 
QUESTION 981: 
Which of the following is not a direct benefit of successful Disaster Recovery Planning? 
A. Maintenance of Business Continuity 
B. Protection of Critical Data 
C. Increase in IS performance 
D. Minimized Impact of a disaster 
Answer: C 
QUESTION 982: 
Organizations should not view disaster recovery as which of the following? 
A. committed expense 
B. discretionary expense 
C. enforcement of legal statutes 
D. compliance with regulations 
Answer: B 
QUESTION 983: 
Which of the following statements pertaining to disaster recovery is incorrect? 
A. A recovery team's primary task is to get the pre-defined critical business functions at the 
alternate backup processing site. 
B. A salvage team's task is to ensure that the primary site returns to normal processing 
conditions 
C. The disaster recovery plan should include how the company will return from the alternate 
site to the primary site 
D. When returning to the primary site, the most critical applications should be brought back first 
Answer: D 
QUESTION 984: 
Which of the following statements pertaining to dealing with the media after a disaster 
occurred and disturbed the organization's activities is incorrect? 
A. The CEO should always be the spokesperson for the company during a disaster 
B. The disaster recovery plan must include how the media is to be handled during the disaster 
C. The organization's spokesperson should report bad news before the press gets ahold of it 
through another channel 
D. An emergency press conference site should be planned ahead 
Answer: A 
QUESTION 985: 
What is a disaster recovery plan for a company's computer system usually focused on? 
A. Alternative procedures to process transactions 
B. The probability that a disaster will occur 
C. Strategic long-range planning 
D. Availability of compatible equipment at a hot site 
Answer: A 
QUESTION 986: 
What is the most critical piece to disaster recovery and continuity planning? 
A. Security Policy 
B. Management Support 
C. Availability of backup information processing facilities 
D. Staff training 
Answer: B 
QUESTION 987: 
Which of the following is the most important consideration in locating an alternate 
computing facility during the development of a disaster recovery plan? 
A. it is unlikely to be affected by the same contingency 
B. it is close enough to become operational quickly 
C. it is close enough to serve its users 
D. it is convenient to airports and hotels 
Answer: A 
QUESTION 988: 
Which of the following are PRIMARY elements that are required when designing a Disaster Recovery Plan 
(DRP)? 
A. Back-up procedures, off-site storage, and data recovery. 
B. Steering committee, emergency response team, and reconstruction team. 
C. Impact assessment, recovery strategy, and testing. 
D. Insurance coverage, alternate site, and manual procedures. 
Answer: C 
The most critical piece to disaster recovery and continuity planning is management support. 
They must be convinced of its necessity. Therefore, a business case must be made to obtain this 
support. The business case can include current vulnerabilities, regulatory and legal obligations, 
current status of recovery plans, and recommendations. Management will mostly be concerned with 
cost/benefit issues, so several preliminary numbers will need to be gathered and potential losses 
estimated. - Shon Harris All-in-one CISSP Certification Guide pg 595 
There are four major elements of the BCP process: 
Scope and Plan Initiation - this phase marks the beginning of the BCP process. It entails 
creating the scope and other elements needed to define the parameters of the plan. 
Business Impact Assessment - A BIA is a process used to help business units understand the 
impact of a disruptive event. This phase includes the execution of a vulnerability assessment. 
Business Continuity Plan Development - This term refers to using the information collected in 
the BIA to develop the actual business continuity plan. This process includes the areas of plan 
implementation, plan testing, and ongoing plan maintenance. 
Plan Approval and Implementation - This process involves getting the final senior management 
signoff, creating enterprise-wide awareness of the plan, and implementing a maintenance 
procedure for updating the plan as needed. -Ronald Krutz The CISSP PREP Guide (gold edition) 
pg 380-381 
QUESTION 989: 
Emergency actions are taken at the incipient stage of a disaster with the objectives of 
preventing injuries or loss of life and of: 
A. determining the extent of property damage 
B. protecting evidence 
C. preventing looting and further damage 
D. mitigating the damage to avoid the need for recovery 
Answer: D 
QUESTION 990: 
Who should direct short-term recovery actions immediately following a disaster? 
A. Chief Information Officer 
B. Chief Operating Officer 
C. Disaster Recovery Manager 
D. Chief Executive Officer 
Answer: C 
QUESTION 991: 
The environment that must be protected includes all personnel, equipment, data, 
communication devices, power supply and wiring. The necessary level of protection 
depends on the value of data, the computer systems, and the company assets within the 
facility. The value of these items can be determined by what type of analysis? 
A. Critical-channel analysis 
B. Critical-route analysis 
C. Critical-path analysis 
D. Critical-conduit analysis 
Answer: C 
"The environment that must be protected through physical security controls includes all 
personnel, equipment, data, communication devices, power supplies, and wiring. The necessary 
level of protection depends on the value of the data, the computer systems, and the company 
assets within the facility. The value of these items can be determined by a critical-path analysis, 
which lists each piece of the infrastructure and what is necessary to keep those pieces healthy 
and operational." Pg 255 Shon Harris: All-in-One CISSP Certification 
QUESTION 992: 
Which of the following steps should be performed first in a business impact analysis (BIA)? 
A. Identify all business units within the organization 
B. Evaluate the impact of the disruptive events 
C. Estimate the Recovery Time Objectives (RTO) 
D. Evaluate the criticality of business functions 
Answer: A 
QUESTION 993: 
Which of the following steps is NOT one of the four steps of a Business Impact Analysis 
(BIA)? 
A. Notifying senior management 
B. Gathering the needed assessment materials 
C. Performing the vulnerability assessment 
D. Analyzing the information compiled 
Answer: A 
"A BIA generally takes the form of these four steps: 
1.) Gathering the needed assessment materials 
2.) Performing the vulnerability assessment 
3.) Analyzing the information compiled 
4.) Documenting the results and presenting recommendations" 
Pg. 383 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 994: 
What methodology is commonly used in a Business Continuity Program? 
A. Work Group Recovery 
B. Business Impact Analysis 
C. Qualitative Risk Analysis 
D. Quantitative Risk Analysis 
Answer: B 
A BIA is performed at the beginning of disaster recovery and continuity planning to 
identify the areas that would suffer the greatest financial or operational loss in the event 
of a disaster or disruption. It identifies the company's critical systems needed for survival 
and estimates the outage time that can be tolerated by the company as a result of disaster 
or disruption. - Shon Harris All-in-one CISSP Certification Guide pg 597 
QUESTION 995: 
Which of the following steps should be performed first in a business impact analysis (BIA)? 
A. Identify all business units within an organization 
B. Evaluate the impact of disruptive events 
C. Estimate the Recovery Time Objectives (RTO) 
D. Evaluate the criticality of business functions 
Answer: A 
"The initial step of the BIA is identifying which business units are critical to continuing an 
acceptable level of operations." Pg 383 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 996: 
Which is not one of the primary goals of BIA? 
A. Criticality Prioritization 
B. Down time estimation 
C. Determining requirements for critical business functions 
D. Deciding on various tests to be performed to validate the Business Continuity Plan 
Answer: D 
QUESTION 997: 
Which of the following is used to help business units understand the impact of a disruptive 
event? 
A. A risk analysis 
B. A Business Impact assessment 
C. A Vulnerability assessment 
D. A disaster recovery plan 
Answer: B 
Reference: "The purpose of a BIA is to create a document to be used to help understand what 
impact a disruptive event would have on the business." Pg 383 Krutz : CISSP Prep Guide: Gold 
Edition 
QUESTION 998: 
A Business Impact Analysis (BIA) does not: 
A. Recommend the appropriate recovery solution 
B. Determine critical and necessary business functions and their resource dependencies 
C. Identify critical computer applications and the associated outage tolerance 
D. Estimate the financial and operation impact of a disruption 
Answer: A 
QUESTION 999: 
What assesses potential loss that could be caused by a disaster? 
A. The Business Assessment (BA) 
B. The Business Impact Analysis (BIA) 
C. The Risk Assessment (RA) 
D. The Business Continuity Plan (BCP) 
Answer: B 
QUESTION 1000: 
During the course of a Business Impact Analysis (BIA) you will less likely: 
A. Estimate the financial and operational impact of a disruption 
B. Identify regulatory exposure 
C. Determine if functions Recovery Time Objective (RTO) 
D. Determine the impact upon the organization's market share and corporate image 
Answer: C