CISSP Study Quiz 2

By Skofft2134 (Community Contributor)
  • 1. 

    Organizations should consider which of the following first before allowing external access to their LANs via the Internet?

    • Plan for implementing workstation locking mechanisms

    • Plan for protecting the modem pool

    • Plan for providing the user with his account usage information

    • Plan for considering proper authentication options
About This Quiz

CISSP Study Quiz 2 assesses knowledge on key cybersecurity concepts including biometric systems, access control models, and authentication mechanisms. It prepares learners for CISSP certification, focusing on practical security solutions and attack prevention.

Quiz Preview

  • 2. 

    Who developed one of the first mathematical models of a multilevel-security computer system?

    • Diffie and Hellman

    • Clark and Wilson

    • Bell and LaPadula

    • Gasser and Lipner

    Correct Answer
    A. Bell and LaPadula
    Explanation
    The Bell-LaPadula model was the first mathematical model of a multilevel security policy; it defined the concept of a secure state machine and modes of access, and outlined rules of access.

  • 3. 

    A company outsources payroll services to a third-party company. Which of the following roles most likely applies to the third-party payroll company?

    • Data controller

    • Data handler

    • Data owner

    • Data processor

    Correct Answer
    A. Data processor
    Explanation
    The third-party payroll company most likely applies to the role of a data processor. As a data processor, they handle and process the payroll data on behalf of the company outsourcing the services. They are responsible for ensuring the accuracy and security of the data while performing the necessary payroll calculations and generating payslips for the employees. However, they do not have ownership or control over the data, and their actions are governed by a data processing agreement with the company.

  • 4. 

    What method destroys the integrity of magnetic media, such as tapes or disk drives, and the data they contain by exposing them to a strong magnetic field?

    • Bit-level overwrite

    • Degaussing

    • Destruction

    • Shredding

    Correct Answer
    A. Degaussing
    Explanation
    Degaussing is the method that destroys the integrity of magnetic media by exposing them to a strong magnetic field. This process effectively erases the data stored on the tapes or disk drives by neutralizing the magnetic particles. It is commonly used to ensure that sensitive information cannot be recovered from the media. Degaussing is a reliable and secure method for data destruction on magnetic media.

  • 5. 

    What access control method weighs additional factors, such as time of attempted access, before granting access?

    • Content-dependent access control

    • Context-dependent access control

    • Role-based access control

    • Task-based access control

    Correct Answer
    A. Context-dependent access control
    Explanation
    Context-dependent access control is an access control method that takes into consideration additional factors, such as the time of attempted access, before granting access. This means that access is granted based on the specific context or situation in which the access request is made. This method allows for more granular control over access permissions, as it considers various contextual factors to determine whether access should be granted or denied.

  • 6. 

    What protocol is a common open protocol for interfacing with and querying directory service information provided by network operating systems, using port 389 via TCP or UDP?

    • CHAP

    • LDAP

    • PAP

    • RADIUS

    Correct Answer
    A. LDAP
    Explanation
    LDAP = Lightweight Directory Access Protocol, an open protocol for interfacing with and querying directory service information from network operating systems, using port 389 over TCP or UDP.

    CHAP, PAP, & RADIUS are authentication protocols:

    CHAP = Challenge-Handshake Authentication Protocol
    PAP = Password Authentication Protocol
    RADIUS = Remote Authentication Dial-In User Service

  • 7. 

    What can be done to ensure that software meets the customer's requirements?

    • Integration testing

    • Installation testing

    • Acceptance testing

    • Unit testing

    Correct Answer
    A. Acceptance testing
    Explanation
    Acceptance testing is designed to ensure the software meets the customer's operational requirements.

    Integration testing examines multiple software components as they are combined into a working system.
    Installation testing examines software as it is installed and first operated.
    Unit testing is a low-level test of software components, such as functions, procedures, or objects.

  • 8. 

    What type of testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective?

    • Acceptance testing

    • Integration testing

    • Regression testing

    • Unit testing

    Correct Answer
    A. Acceptance testing
    Explanation
    Acceptance testing determines whether software meets various end-state requirements from a user or customer, contract, or compliance perspective.

    Integration testing tests multiple software components as they are combined into a working system.
    Regression testing tests software after updates, modifications, or patches.
    Unit testing consists of low-level tests of software components, such as functions, procedures, or objects.

  • 9. 

    Which of the following is the FIRST step in protecting data's confidentiality?

    • Install a firewall

    • Implement encryption

    • Identify which information is sensitive

    • Review all user access rights

    Correct Answer
    A. Identify which information is sensitive
    Explanation
    It is important to identify the data that must be classified prior to implementing security mechanisms to avoid implementing the same level of security for both critical and normal data.

  • 10. 

    Which of the following is the WEAKEST authentication mechanism?

    • Passphrases

    • Passwords

    • One-time passwords

    • Token devices

    Correct Answer
    A. Passwords
    Explanation
    Passwords are considered one of the weakest security mechanisms available, because users generally select passwords that are easy to guess.

  • 11. 

    This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario?

    • Excessive Rights

    • Excessive Access

    • Excessive Permissions

    • Excessive Privileges

    Correct Answer
    A. Excessive Privileges
    Explanation
    Privilege is a term used to describe what a user can do on a computer or system. It covers rights, access and permissions. A user who has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill is said to have ‘excessive privileges’.

  • 12. 

    Ensuring least privilege does not require:

    • Identifying what the user's job is.

    • Ensuring that the user alone does not have sufficient rights to subvert an important process.

    • Determining the minimum set of privileges required for a user to perform their duties.

    • Restricting the user to required privileges and nothing more.

    Correct Answer
    A. Ensuring that the user alone does not have sufficient rights to subvert an important process.
    Explanation
    Ensuring that the user alone does not have sufficient rights to subvert an important process is not a requirement for least privilege. This is an example of separation of duties where it would take collusion between two or more people to subvert the process.

  • 13. 

    How would nonrepudiation best be classified?

    • A preventive control

    • A logical control

    • A corrective control

    • A compensating control

    Correct Answer
    A. A preventive control
    Explanation
    Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

    For example, if a user sends a message and then later claims he did not send it, this is an act of repudiation. When a cryptography mechanism provides nonrepudiation, the sender cannot later deny he sent the message (well, he can try to deny it, but the cryptosystem proves otherwise). It’s a way of keeping the sender honest.

    Nonrepudiation is a preventive control: it prevents someone from having the ability to deny something.

  • 14. 

    Tim's day-to-day responsibilities include monitoring the health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the following protocols would be BEST to use if the requirements include preventing easy disclosure of the SNMP community strings and authenticating the source of the packets?

    • UDP

    • SNMP V1

    • SNMP V3

    • SNMP V2

    Correct Answer
    A. SNMP V3
    Explanation
    SNMP versions 1 and 2 send their community string values in cleartext. SNMP version 3 adds cryptographic functionality that provides encryption, message integrity, and authentication, so a sniffer installed on the network cannot read the SNMP traffic.

  • 15. 

    When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used. What is the proper term for a single unit of TCP data at the transport layer?

    • TCP segment

    • TCP datagram

    • TCP frame

    • TCP packet

    Correct Answer
    A. TCP segment
    Explanation
    In the OSI model, layer 4 is the transport layer. In the TCP/IP model, application layer data is encapsulated in a layer 4 TCP segment, and that TCP segment is encapsulated in a layer 3 IP packet. Data, segments, and packets are all examples of Protocol Data Units (PDUs).

  • 16. 

    Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?

    • 192.168.42.5

    • 192.166.42.5

    • 192.175.42.5

    • 192.1.42.5

    Correct Answer
    A. 192.168.42.5
    Explanation
    The IP address 192.168.42.5 is in the private Class C IP address range.

    The private IP address ranges are:

    * 10.0.0.0–10.255.255.255 (Class A network)
    * 172.16.0.0–172.31.255.255 (Class B networks)
    * 192.168.0.0–192.168.255.255 (Class C networks)

  • 17. 

    What layer of the OSI/ISO model does Point-to-point tunneling protocol (PPTP) work at?

    • Data link layer

    • Transport layer

    • Session layer

    • Network layer

    Correct Answer
    A. Data link layer
    Explanation
    PPTP works at the data link layer.

  • 18. 

    Which of the following protocols does not operate at the data link layer (layer 2)?

    • PPP

    • RARP

    • L2F

    • ICMP

    Correct Answer
    A. ICMP
    Explanation
    ICMP works at the network layer of the OSI model.

  • 19. 

    Behavioral-based systems are also known as?

    • Profile-based systems

    • Pattern matching systems

    • Misuse detective systems

    • Rule-based IDS

    Correct Answer
    A. Profile-based systems
    Explanation
    Behavioral-based systems are also known as Profile-based systems because they rely on creating profiles or baselines of normal behavior for users, systems, or networks. These systems analyze and compare current behavior against these profiles to detect any anomalies or deviations that may indicate potential threats or attacks. By understanding the typical behavior of users or systems, profile-based systems can effectively identify abnormal activities and trigger alerts or preventive actions to mitigate risks.

  • 20. 

    Which of the following groups represents the leading source of computer crime losses?

    • Hackers

    • Industrial saboteurs

    • Foreign intelligence officers

    • Employees

    Correct Answer
    A. Employees
    Explanation
    Employees represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands.

  • 21. 

    According to private sector data classification levels, how would salary levels and medical information be classified?

    • Public

    • Internal Use Only

    • Restricted

    • Confidential

    Correct Answer
    A. Confidential
    Explanation
    Data such as salary levels and medical information would be classified as confidential according to private sector data classification levels.

    The following shows the common levels of sensitivity, from highest to lowest, for commercial businesses (private sector):

    Confidential
    Private
    Sensitive
    Public

  • 22. 

    Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of ______________, ____________, __________ for Evaluated Assurance Levels (EALs) to certify a product or system.

    • EAL, Security Target, Target of Evaluation

    • SFR, Protection Profile, Security Target

    • Protection Profile, Target of Evaluation, Security Target

    • SFR, Security Target, Target of Evaluation

    Correct Answer
    A. Protection Profile, Target of Evaluation, Security Target
    Explanation
    Under the Common Criteria model, an evaluation is carried out on a product and it is assigned an Evaluation Assurance Level (EAL). The testing becomes more thorough, stringent, and detailed as the assurance level increases. The Common Criteria has seven assurance levels, ranging from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is formally verified.

    The Common Criteria process is based on two key elements: protection profiles and security targets. Protection profiles (PPs) specify, for a product that is to be evaluated (the target of evaluation, or TOE), the security requirements and protections; these are considered the security desires or the "I want" from a customer. Security targets (STs) specify the claims of security from the vendor that are built into a TOE; STs are considered the implemented security measures or the "I will provide" from the vendor. In addition to offering security targets, vendors may offer packages of additional security features. A package is an intermediate grouping of security requirement components that can be added to or removed from a TOE (like the option packages when purchasing a new vehicle).

  • 23. 

    What is the number of columns in a table called?

    • Schema

    • Relation

    • Degree

    • Cardinality

    Correct Answer
    A. Degree
    Explanation
    The number of columns in a database table (relation) is referred to as the degree.

  • 24. 

    What is the main problem of the renewal of a root CA certificate?

    • It requires key recovery of all end user keys

    • It requires the authentic distribution of the new root CA certificate to all PKI participants

    • It requires the collection of the old root CA certificates from all the users

    • It requires issuance of the new root CA certificate

    Correct Answer
    A. It requires the authentic distribution of the new root CA certificate to all PKI participants
    Explanation
    Every entity (user, computer, application, network device) that has a certificate from a PKI trusts other entities with certificates issued by the same PKI because they all trust the root Certificate Authority (CA). This trust is ensured because every entity has a copy of the root CA's public certificate.

    If you want to change or renew the root CA certificate, to maintain the trust, the new certificate must be distributed to every entity that has a certificate from the PKI.

  • 25. 

    What service is known as cloud identity, which allows organizations to leverage cloud service for identity management?

    • IaaS

    • IDaaS

    • PaaS

    • SaaS

    Correct Answer
    A. IDaaS
    Explanation
    IDaaS = Identity as a Service

    IaaS = Infrastructure as a Service
    PaaS = Platform as a Service
    SaaS = Software as a Service

  • 26. 

    Which of the following is NOT an asymmetric key algorithm?

    • RSA

    • ECC

    • El Gamal

    • DES

    Correct Answer
    A. DES
    Explanation
    Data Encryption Standard (DES) is not an asymmetric key algorithm; it’s a symmetric key algorithm.

    DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity. When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are put through 16 rounds of transposition and substitution functions. The order and type of transposition and substitution functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext.

  • 27. 

    What is an XML-based framework for exchanging security information, including authentication data?

    • Kerberos

    • OpenID

    • SAML

    • SESAME

    Correct Answer
    A. SAML
    Explanation
    SAML is an XML-based framework for exchanging security information, including authentication data.

    Kerberos is a third-party authentication service that may be used to support single sign-on.
    OpenID is a framework for exchanging authentication data, but it is not XML-based.
    SESAME = Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environments.

  • 28. 

    Which approach to a security program ensures people responsible for protecting the company's assets are DRIVING the program?

    • The Delphi approach

    • The top-down approach

    • The bottom-up approach

    • The technology approach

    Correct Answer
    A. The top-down approach
    Explanation
    A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management, work their way through middle management, and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies.

  • 29. 

    What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?

    • Running key cipher

    • One-time pad

    • Steganography

    • Cipher block chaining

    Correct Answer
    A. One-time pad
    Explanation
    In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used.

  • 30. 

    A criminal deduces that an organization is holding an offsite meeting and there are few people in the building, based on the low traffic volume to and from the parking lot.  The criminal uses the opportunity to break into the building to steal laptops.  What type of attack has been launched?

    • Aggregation

    • Emanations

    • Inference

    • Maintenance Hook

    Correct Answer
    A. Inference
    Explanation
    Inference requires an attacker to “fill in the blanks” and deduce sensitive information from public information.

  • 31. 

    You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible.

    Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.

    The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.

    During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?

    • Attempt to contain and eradicate the malicious activity

    • Continue the test

    • Quietly end the test, immediately call the operational IT contact, and escalate the issue

    • Shut the server down

    Correct Answer
    A. Quietly end the test, immediately call the operational IT contact, and escalate the issue
    Explanation
    Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. The client must be notified immediately, as incident handling is not the penetration tester's responsibility.

  • 32. 

    Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?

    • Committee of Sponsoring Organizations of the Treadway Commission (COSO)

    • BIBA

    • National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)

    • CCTA Risk Analysis and Management Method (CRAMM)

    Correct Answer
    A. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    Explanation
    COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO also deals with non-IT items, such as company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

    There have been laws in place since the 1970s that basically state that it is illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes-Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting findings to the Securities and Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

  • 33. 

    With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance?

    • Object-Oriented Databases (OODB)

    • Object-Relational Databases (ORDB)

    • Relational Databases

    • Database management systems (DBMS)

    Correct Answer
    A. Object-Oriented Databases (OODB)
    Explanation
    An object-oriented database (OODB) is more dynamic than a relational database as it stores data as objects. It allows object-oriented programming (OOP) code, including classes, to manipulate the objects. This also makes the reusing of code possible.

  • 34. 

    Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. What is the ARO?

    • $20,000

    • 40%

    • 7

    • $10,000

    Correct Answer
    A. 7
    Explanation
    ARO = Annual Rate of Occurrence; number of losses suffered per year

  • 35. 

    Which level of RAID does NOT provide additional reliability?

    • RAID 1

    • RAID 5

    • RAID 0

    • RAID 3

    Correct Answer
    A. RAID 0
    Explanation
    RAID 0 provides only striping and is used simply for performance purposes. It offers no additional data redundancy or resiliency.

    RAID 1: Mirrored Set
    RAID 3: Striped set w/ parity (allows for failure of 1 drive)
    RAID 5: Striped set w/ distributed parity (allows for failure of 1 drive)

  • 36. 

    What describes a more agile development and support model, where developers directly support operations?

    • DevOps

    • Sashimi

    • Spiral

    • Waterfall

    Correct Answer
    A. DevOps
    Explanation
    DevOps is a more agile development and support model, where developers directly support operations.

    Sashimi, spiral, and waterfall are software development methodologies that do not describe a model for developers directly supporting operations.

  • 37. 

    Which of the following characteristics pertaining to databases is not true?

    • A data model should exist and all entities should have a significant name.

    • Justifications must exist for normalized data.

    • No NULLs should be allowed for primary keys.

    • All relations must have a specific cardinality.

    Correct Answer
    A. Justifications must exist for normalized data.
    Explanation
    Data normalization is the process of reducing data to its canonical form. Database normalization is the process of organizing the fields and tables of a relational database to minimize redundancy and dependency. Justification is not a term that is used for normalized data.

  • 38. 

    Maximum Tolerable Downtime (MTD) is comprised of which two metrics?

    • Recovery Point Objective (RPO) and Work Recovery Time (WRT)

    • Recovery Point Objective (RPO) and Mean Time to Repair (MTTR)

    • Recovery Time Objective (RTO) and Work Recovery Time (WRT)

    • Recovery Time Objective (RTO) and Mean Time to Repair (MTTR)

    Correct Answer
    A. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
    Explanation
    The Recovery Time Objective (RTO, the time it takes to bring a failed system back online) and the Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime: RTO + WRT = MTD.

    Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.

  • 39. 

    Early in the development of biometric identification systems, it became apparent that truly positive identification could only be based on the physical attributes of a person. This raised the necessity of answering two questions:

    • What was the sex of a person and his age

    • What part of body to be used and how to accomplish identification that is viable

    • What was the age of a person and his income level

    • What was the tone of the voice of a person and his habits

    Correct Answer
    A. What part of body to be used and how to accomplish identification that is viable
    Explanation
    The correct answer is "What part of body to be used and how to accomplish identification that is viable". This answer accurately reflects the two questions that were raised in the context of biometric identification systems. It acknowledges the need to determine which part of the body should be utilized for identification purposes and how to effectively achieve a viable identification process. The other options mentioned in the question, such as determining a person's age and income level or tone of voice and habits, do not directly address the main concerns of biometric identification systems.

  • 40. 

    In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?

    • Peer-to-peer authentication

    • Only server authentication (optional)

    • Server authentication (mandatory) and client authentication (optional)

    • Role based authentication scheme

    Correct Answer
    A. Server authentication (mandatory) and client authentication (optional)
    Explanation
    SSL and TLS both support server authentication (mandatory) and client authentication (optional).

  • 41. 

    Which of these terms is MOST closely related to confidentiality?

    • Reliability

    • Need-to-know

    • Auditability

    • Trustworthiness

    Correct Answer
    A. Need-to-know
    Explanation
    Confidentiality refers to the protection of sensitive information from unauthorized access. The term "need-to-know" is closely related to confidentiality as it emphasizes that only individuals with a legitimate need should have access to confidential information. This principle ensures that information is disclosed on a strictly need-to-know basis, reducing the risk of unauthorized disclosure and maintaining confidentiality.

  • 42. 

    In discretionary access environments, which of the following entities is authorized to grant information access to other people?

    • System Administrator

    • Data Custodian

    • Security Manager

    • Data Owner

    Correct Answer
    A. Data Owner
    Explanation
    The data owner is authorized to grant information access to other people in discretionary access environments. As the owner of the data, they have the authority to determine who can access the information and to what extent. They are responsible for ensuring that access is granted based on the appropriate permissions and security requirements. The system administrator, data custodian, and security manager may have roles in managing and securing the data, but it is ultimately the data owner who has the authority to grant access.

  • 43. 

    Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks. Is the DoS mitigation service a good investment?

    • Yes, it will pay for itself

    • Yes, $10,000 is less than the $56,000 ALE

    • No, the annual TCO is higher than the ALE

    • No, the annual TCO is lower than the ALE

    Correct Answer
    A. No, the annual TCO is higher than the ALE
    Explanation
    TCO = Total Cost of Ownership: $10,000 per month, or $120,000 per year.
    ALE = Annualized Loss Expectancy: Single Loss Expectancy (SLE, 40% of $20,000 = $8,000) × Annualized Rate of Occurrence (ARO, 7 times per year) = $56,000.
    The TCO ($120,000) is greater than the ALE ($56,000), so this would be a bad investment.

  • 44. 

    You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible.

    Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.

    The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.

    You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?

    • Secure compiler warnings

    • Fuzzing

    • Static testing

    • White-box testing

    Correct Answer
    A. Fuzzing
    Explanation
    Fuzzing is a black-box testing method that does not require access to source code.

  • 45. 

    What is the access protection system that limits connections by calling back the number of a previously authorized location called?

    • Sendback systems

    • Callback forward systems

    • Callback systems

    • Sendback forward systems

    Correct Answer
    A. Callback systems
    Explanation
    Callback is when the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection.

  • 46. 

    RADIUS incorporates which of the following services?

    • Authentication server and PIN codes.

    • Authentication of clients and static passwords generation.

    • Authentication of clients and dynamic passwords generation.

    • Authentication server as well as support for Static and Dynamic passwords.

    Correct Answer
    A. Authentication server as well as support for Static and Dynamic passwords.
    Explanation
    A central authentication service for dial-up users is the standard Remote Authentication Dial-In User Service (RADIUS). RADIUS incorporates an authentication server and dynamic passwords. The RADIUS protocol is an open, lightweight, UDP-based protocol that can be modified to work with a variety of security systems. It provides authentication, authorization and accounting services to routers, modem servers, and wireless applications. RADIUS is described in RFC 2865.

  • 47. 

    When considering all the reasons that buffer overflow vulnerabilities exist, what is the real reason?

    • Human error

    • The Windows Operating system

    • Insecure programming languages

    • Insecure Transport Protocols

    Correct Answer
    A. Human error
    Explanation
    The human error in this answer is poor programming by the software developer.

    A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed.

    When a programmer writes a piece of software that will accept data, this data and its associated instructions will be stored in the buffers that make up a stack. The buffers need to be the right size to accept the inputted data. So if the input is supposed to be one character, the buffer should be one byte in size. If a programmer does not ensure that only one byte of data is being inserted into the software, then someone can input several characters at once and thus overflow that specific buffer.

  • 48. 

    Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

    • Data Link

    • Transport

    • Presentation

    • Application

    Correct Answer
    A. Data Link
    Explanation
    PPP (Point-to-Point Protocol) is a data link protocol used to establish a direct connection between two nodes. PPP has replaced the older SLIP and CSLIP protocols.

  • 49. 

    With SQL relational databases, where is the actual data stored?

    • Views

    • Tables

    • Schemas and sub-schemas

    • Index-sequential tables

    Correct Answer
    A. Tables
    Explanation
    In a relational database the actual data is stored in tables that consist of tuples (rows) and attributes (columns).

Quiz Review Timeline (Updated): Mar 21, 2023 +


  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 03, 2017
    Quiz Created by
    Skofft2134