Hlg Ckf Test

Date post: 04-Jun-2018
Upload: jegreen3
  • 8/13/2019 Hlg Ckf Test

    1/44

    Access Control

    Question 1
    Bob enrolls with a fingerprint reader and is able to authenticate for a number of weeks using the system. One day, Bob cuts his finger and finds he can no longer authenticate and receives a Type 1 error. What is most likely the problem?

    a) The system does not examine enough information to assess that it is Bob
    b) Fingerprint readers are not very good at handling type 1 errors by nature since these are very dynamic metrics
    c) Fingerprint readers are not very good at handling type 1 errors by nature since they have high cross-over error rates
    d) The system examines too much information and needs to be configured to be less sensitive

    Question 2
    If a complex password, stored in a system that uses the full entropy of the Extended ASCII key set (8 bits per character), can be cracked in one week, what is the maximum time it would take to crack it if one more character is added?

    a) 256 weeks
    b) 2 weeks
    c) 1 week and 1 day
    d) 10.5 days

    Question 3
    A small number of sales people share an office with marketing. Rather than purchase a separate printer, management has requested that the sales people use the marketing printer. Which of the following is the most appropriate way to grant authorization for these users?


    Question 2
    Which statement is true?

    a) In a relational database parents can have only one child
    b) In a relational database a child can have only one parent
    c) In a hierarchical database a parent can have only one child
    d) In a hierarchical database a child can have only one parent

    Question 3
    A change is planned to an application to address a specific problem. After the change, however, other modules that should not have been affected appear to be broken. What is the likely cause?

    a) The changed module had low cohesion
    b) The changed module had high cohesion
    c) The changed module was tightly coupled
    d) The changed module was loosely coupled

    Question 4
    A user complains that his phone number in the employee database is not accurate. Each time the user makes a change to the number it seems to take but then reverts back to the old number by the end of the day. Which of the following is the most likely cause?

    a) The user does not have modification rights
    b) The schema does not allow changes from the user's machine
    c) Someone in personnel has put a lock on the cell
    d) Replication integrity is inaccurate due to mismatched times

    Question 5
    A person in Applications Development writes a new module for a production customer tracking system. This module may increase productivity significantly for the organization, leading to substantial savings over time. Another person in Development has tested the module and has found no problem with the code. Which of the following is NOT recommended?

    a) The new code should be implemented as soon as Quality Assurance personnel certify the module
    b) The module should go to operations for implementation
    c) An accrediting official should wait for the results of certification
    d) All changes must be logged in the change management database (CMDB)

    Business Continuity and Disaster Recovery Planning

    Question 1
    Bob is charged with creating disaster recovery plans for his group. He is very concerned that paper-based tests are not realistic enough but is also very concerned about risking downtime of production systems. What test type is most appropriate in this situation?

    a) Structured walkthrough
    b) Warm
    c) Simulation
    d) Parallel

    Question 2
    A company provides outsourced help desk service to a number of clients worldwide. Currently they are equipped to handle over a thousand calls a day, with an average call length of 10 minutes. If they need to move to an alternate facility in the event of some disaster or disruption, management wants to be able to provide at least 80 percent of the current capacity. What metric would need to be determined in the Business Impact Analysis (BIA)?

    a) Recovery time objectives
    b) Service level objectives
    c) Maximum tolerable downtime
    d) Recovery point objectives


    used for the restore and confirms it was indeed the most recent backup and that the tape was created only the night before. What is the most likely cause of the problem?

    a) The user is looking at a cached copy
    b) The data was restored to the wrong directory
    c) There is a network latency issue
    d) Recovery point objectives are very short

    Cryptography

    Question 1
    Which of the following statements is incorrect?

    a) To ensure the integrity of data, create a message digest
    b) To ensure privacy, encrypt the data with a symmetric key and the symmetric key with the receiver's private key
    c) To validate the sender, encrypt the message digest with the sender's private key
    d) To obtain the fastest method to encrypt data, use a symmetric, shared secret key

    Question 2
    What is the most trusted way to ensure only the intended recipient obtains the key in a purely symmetric system?

    a) Manager hand-delivers the key
    b) Encrypt the key with the receiver's public key
    c) Encrypt the key with a passphrase
    d) Encrypt the key with the sender's private key

    Question 3
    Alice gives a copy of her private key to the crypto admin, Bob, for backup. Which problem below would most likely affect the accountability of the system?


    a) Bob could sign documents as Alice
    b) Bob could read documents destined for Alice
    c) Bob could leave the company and her backup could be unavailable
    d) Bob could update the CRL claiming Alice's key was lost

    Question 4
    Alice works in customer service for a large manufacturing corporation and is responsible for working with customers' time-sensitive orders. One of her customers, Bob, sends her a signed and encrypted email and requests a signed receipt. Bob receives a receipt from Alice and becomes concerned when she does not follow through with his order and calls her on the phone a few days later. Alice claims she did not receive the email. Which of the following could explain the situation?

    a) The email is stuck in her server's inbound queue
    b) Bob's private key has been compromised
    c) The CA has issued a duplicate certificate
    d) Alice's private key has been compromised

    Question 5
    Bob connects to an SSL server daily to check his email over an encrypted channel. His company-issued laptop is upgraded to meet new client standards. He receives an error message stating that he is about to download a certificate that has not been signed by a trusted 3rd party. What is the most likely cause?

    a) The admin forgot to copy his private key to the new system
    b) The new laptop has the wrong network address
    c) The public key of the CA is not on his machine
    d) His session key needs to be recreated

    Information Security and Risk Management

    Question 1
    To address a contract agreement with a new client, management is required to select stronger encryption algorithms. What document needs to be modified to define the specifications for these new algorithms?

    a) Policies
    b) Standards
    c) Procedures
    d) Baselines

    Question 2
    Which of the following is out of place?

    a) High, medium, low rankings
    b) Subjective intuition
    c) Objective opinions
    d) Value

    Question 3
    Management requires that all employees with a company laptop keep their virus signatures up to date and run a full system scan at least weekly. It is suggested, however, that they update signatures every night if possible. In what document type would such suggestions likely be made?

    a) Policies
    b) Procedures
    c) Guidelines
    d) Standards

    Question 4
    Which of the following is the most logical order for risk management?


    d) Where compliance is paramount, service personnel require appropriate certification

    Question 3
    Alice is aggressively trying to increase personnel to meet market demands and tries to recruit Bob, a colleague, by offering 5% ownership of the entire enterprise and agreeing to put this in writing soon. For expedience, they agree on a start date before the lawyers approve the contract regarding the 5% ownership. Nine months pass and Alice fails to provide the agreement in writing and changes her mind. According to the ISC2 Code of Ethics, what can be said of the situation?

    a) Alice is at fault for Conflict of Interest
    b) Bob is at fault for failing to ensure proper documentation
    c) Alice is at fault for failure to Observe all contracts and agreements, express or implied
    d) There is no violation of the ISC2 Code of Ethics

    Question 4
    Due to new laws governing the actions taken by companies when customer-identifiable information is collected, a senior manager directs internal auditors to analyze the company's exposure to the new regulations. The results of the audit identify a number of potential violations. What is the most appropriate action to take?

    a) Consult outside advice to ensure that the audit is accurate
    b) Conduct a gap analysis to prioritize ways to close the gaps
    c) Review the company's privacy policy and determine the necessary changes
    d) Take steps to encrypt the sensitive data to protect the information

    Question 5
    Which of the following is not an example of civil law?


    a) Contract
    b) Property
    c) Tort
    d) Regulatory

    Operations Security

    Question 1
    What RAID level is primarily associated with fastest writes but not necessarily reads?

    a) 0
    b) 1
    c) 3
    d) 5

    Question 2
    Which of the following controls is more likely to provide confidentiality protection?

    a) Rotation of Duties
    b) Segregation of Duties
    c) Dual Control
    d) Quality assurance

    Question 3
    Bob is hired to perform a penetration test for Griffin Space Tech, a leading space exploration company. Alice is nearly killed when her navigation system is interrupted by what turned out to be a test on a system that was not supposed to be part of the test. What document, if defined and understood, would most likely have prevented such a problem?

    a) Rules of engagement
    b) Concept of operations
    c) Statement of work
    d) Exception reports

    Question 4
    A critical server is scheduled to have a service pack installed. Departmental management requests that the change be tested on a spare server first before being applied to the production server. To ensure that the spare server is configured exactly as the production server, operations plans to make an unscheduled backup of the production server. Which backup method is most appropriate?

    a) Full
    b) Incremental
    c) Differential
    d) Copy

    Question 5
    A user in your organization habitually surfs inappropriate websites. You are responsible for desktop support and notice these sites in the history log. What is the best way to ensure the company is not held accountable by other users' complaints about this user?

    a) Block access to these sites with an approved filter
    b) Nothing, as you are not in security
    c) Inform law enforcement
    d) Report your findings to management

    Physical (Environmental) Security

    Question 1
    What is the purpose of a strike plate?

    a) To prevent damage to a door in a loading dock
    b) It is part of a locking mechanism
    c) To allow egress traffic in the event of an emergency evacuation


    a) To allow rescue teams to search for distressed personnel after a power failure
    b) Illumination of evacuation routes
    c) To assist in CCTV controls during a threatening situation
    d) They act as a deterrent as criminals fear detection

    Security Architecture and Design

    Question 1
    A system engineer would like to design a backup system that allows an operator to perform backups on all system data without giving the operator file system rights. What should the engineer consider?

    a) The Clark Wilson model
    b) A SANS device
    c) RBAC
    d) Least privilege and need to know. In this case the operator by nature must have read access only.

    Question 2
    What is the purpose of the *-property in the Bell-LaPadula model?

    a) To prevent an unauthenticated user from leaking secrets
    b) To prevent an unauthenticated user from accessing sensitive data
    c) To prevent an authenticated user from leaking secrets
    d) To prevent an authenticated user from accessing sensitive data

    Question 3
    A remote database user maliciously enters a command in a user input dialog box and manages to execute a command to upgrade his rights in the system. Which recommended remediation method is least likely to mitigate this risk?


    a) The system should check for input length
    b) The system should check for input type
    c) The system should block data control language from remote locations
    d) The system should implement a mandatory access control

    Question 4
    When determining whether to use a product in your environment you are asked to consult the product for certification per the Common Criteria. The category for this product does not contain a protection profile (PP). Which of the following is true?

    a) An exception report may be created to allow this product, provided local testing can certify a build of the system.
    b) The system may grandfather an existing rating from the TCSEC
    c) The product can still be rated against the security target (ST)
    d) Review other products to see if there is a viable alternative

    Question 5
    Which of the following is an example of the reference monitor?

    a) Requiring users to provide proof of identification
    b) Account lockouts
    c) Log files
    d) Directory attributes

    Telecommunications and Network Security

    Question 1
    Why is it advisable to prevent packets from leaving your network where the source address is not from your network or a private (RFC 1918) address?

    a) To prevent your perimeter or edge devices from being attacked with a denial of service attack.
    b) To prevent your internal devices from being attacked with a denial of service attack.
    c) To prevent your systems from being used to attack others
    d) To prevent your systems from a reconnaissance attack.

    Question 2
    Bob is attempting to use the hotel wireless network to connect to his company's email server. He is told by the hotel staff that the SSID is HOTELX (where X equals his floor number). After gaining connection it is discovered that his email has been posted to some hacker website. Which of the following would have most likely prevented this problem?

    a) RADIUS
    b) Mutual authentication
    c) Two factor authentication
    d) Extensible Authentication Protocol

    Question 2

    In what layer of the OSI model are electrical signals turned into binary addressing information?

    a) Host to host
    b) Biba
    c) Datalink
    d) Physical

    Question 3
    The firewall administrator notices that an IP address on the inside is attempting to open ports to an unknown host in a foreign country. What is the most appropriate action to take?

    a) Block the port until the host can be authenticated
    b) Perform a violation analysis
    c) Run a virus scan on the machine that is attempting the connection as it may be infected
    d) Interview the user of the machine to determine his intention.

    Question 4
    Which VPN method is less likely to work through NAT?

    a) IPSec transport mode
    b) IPSec tunnel with AH
    c) IPSec tunnel with ESP
    d) PPTP

    Question 5
    With regards to an intrusion detection system, what is meant by an insertion attack?

    a) Enabling attackers to insert themselves into a system without detection
    b) Injecting false data to mislead an IDS
    c) Adding additional rules to misclassify an attack
    d) Code injection attacks

    Question 6
    Which of the following attacks does not take advantage of systems that do not check for unsolicited replies?

    a) ARP poisoning
    b) DNS cache poisoning
    c) OS Fingerprinting
    d) Fragmenting

    Questions & Answers

    Access Control


    Question 1
    Bob enrolls with a fingerprint reader and is able to authenticate for a number of weeks using the system. One day, Bob cuts his finger and finds he can no longer authenticate and receives a Type 1 error. What is most likely the problem?

    a) The system does not examine enough information to assess that it is Bob
    b) Fingerprint readers are not very good at handling type 1 errors by nature since these are very dynamic metrics
    c) Fingerprint readers are not very good at handling type 1 errors by nature since they have high cross-over error rates
    d) The system examines too much information and needs to be configured to be less sensitive

    Answer: d

    Explanation: A biometric system cannot examine all the detail in an object, or it is prone to false rejects (Type 1 errors). If it does not examine enough information about an object, however, it is prone to false accepts (Type 2 errors). Fingerprints are fairly static metrics and some systems are very accurate.

    Question 2
    If a complex password, stored in a system that uses the full entropy of the Extended ASCII key set (8 bits per character), can be cracked in one week, what is the maximum time it would take to crack it if one more character is added?

    a) 256 weeks
    b) 2 weeks
    c) 1 week and 1 day
    d) 10.5 days


    Answer: a

    Explanation: By adding one character, or 8 bits, the strength is raised by a factor of 2^8 (256).

    Question 3
    A small number of sales people share an office with marketing. Rather than purchase a separate printer, management has requested that the sales people use the marketing printer. Which of the following is the most appropriate way to grant authorization for these users?

    a) Add the sales people's names to the printer ACL
    b) Add the sales people's names to the marketing group
    c) Create a new group for these users and add the group to the printer's ACL
    d) Advise against it as it is a possible conflict of interest

    Answer: c

    Explanation: Adding each user to the group makes explicit access control difficult to manage. Adding the sales people's names to the marketing group may grant more privileges to some resources. Marketing and sales typically are not mutually exclusive groups.

    Question 4
    To validate a claimed identity, which of the following best describes authentication tokens?

    a) Time-based access control
    b) Sensitivity labels
    c) Access control lists
    d) Credentials

    Answer: d

    Explanation: Tokens are typically something a user has. Credentials give credit to a claim. The other answers are methods.


    Question 5
    An Intrusion Detection System (IDS) has detected an ACK storm. What does this mean?

    a) An intruder is sending unsolicited acknowledgements to scan the network
    b) An intruder is sending unsolicited acknowledgements to perform a denial of service
    c) An intruder is attempting to spoof the host to hijack a session
    d) There is a bridging loop

    Answer: c

    Explanation: If someone spoofs an IP address (source) and sends a TCP SYN to a server (in an attempt to hijack a session), the server will reply with a SYN/ACK to the spoofed host. The spoofed host will reply with an ACK/RST to the server since the spoofed host is not really listening for the SYN/ACK. The server will assume there was a communication problem and retry. This results in what is known as an ACK storm.

    Application Security

    Question 1
    At what phase of the system development life cycle are the customer-specific requirements determined?

    a) Functional design
    b) System design
    c) Validations
    d) Project initiation

    Answer: a

    Explanation: Functional design is where the customer-specific requirements are determined, a very detailed "what" the system must do. System design is more associated with how the specifications are determined; project initiation is not very detailed; and Validations is a distracter.

    Question 2
    Which statement is true?

    a) In a relational database parents can have only one child
    b) In a relational database a child can have only one parent
    c) In a hierarchical database a parent can have only one child
    d) In a hierarchical database a child can have only one parent

    Answer: d

    Explanation: One of the benefits of the relational database over the hierarchical database is that a number of different relations can be defined, including overcoming the limitation of hierarchical databases that allow a child to have only one parent.

    Question 3
    A change is planned to an application to address a specific problem. After the change, however, other modules that should not have been affected appear to be broken. What is the likely cause?

    a) The changed module had low cohesion
    b) The changed module had high cohesion
    c) The changed module was tightly coupled
    d) The changed module was loosely coupled

    Answer: a

    Explanation: A module is cohesive when it performs only a single precise task. Coupling refers to the measure of interaction. Both can have a significant effect on change management. It is usually desirable to have high cohesion and loose coupling.

    Question 4
    A user complains that his phone number in the employee database is not accurate. Each time the user makes a change to the number it seems to take but then reverts back to the old number by the end of the day. Which of the following is the most likely cause?

    a) The user does not have modification rights
    b) The schema does not allow changes from the user's machine
    c) Someone in personnel has put a lock on the cell
    d) Replication integrity is inaccurate due to mismatched times

    Answer: d

    Explanation: In a distributed environment, invalid time synchronization can cause a server to overwrite newer data. If the change took hold for a while, it is unlikely to be a rights issue, and c is not likely.

    Question 5
    A person in Applications Development writes a new module for a production customer tracking system. This module may increase productivity significantly for the organization, leading to substantial savings over time. Another person in Development has tested the module and has found no problem with the code. Which of the following is NOT recommended?

    a) The new code should be implemented as soon as Quality Assurance personnel certify the module
    b) The module should go to operations for implementation
    c) An accrediting official should wait for the results of certification
    d) All changes must be logged in the change management database (CMDB)


    Answer: a

    Explanation: Before making this significant change, the module should be technically tested (certification) and administratively approved (accreditation).

    Note: This question generated a bit of discussion. To further clarify my answer I posted the following comments in http://groups.yahoo.com/group/cyberkungfu/message/898

    In this question I am trying to lead you to B but here is why I believe A is the "more correct" answer. Providing separation of duties to ensure trusted change management, it is recommended that developers cannot approve code or interface with production software; changes to applications should:

    1) Be tested by a test group QA/QC
    2) Be accredited by management
    3) Go to operations for implementation
    4) Logged in a CMDB

    While B may look like I am bypassing 1 & 2, if you read carefully I only say "The module should go to operations for implementation." I did not say anything about ignoring the other phases.

    A says "The new code should be implemented as soon as Quality Assurance personnel certify the module." This wording does indeed suggest that accreditation is ignored.

    This is the type of question that messes me up in tests because I start to add in my head words I think the author meant to say, and then wonder if the author omitted the words on purpose as I did in this question.

    Business Continuity and Disaster Recovery Planning

    Question 1
    Bob is charged with creating disaster recovery plans for his group. He is very concerned that paper-based tests are not realistic enough but is also very concerned about risking downtime of production systems. What test type is most appropriate in this situation?

    a) Structured walkthrough
    b) Warm
    c) Simulation
    d) Parallel

    Answer: c

    Explanation: In a simulation test, the system may be tested on test hardware and software. This is likely to be more accurate than either the checklist or structured walkthrough, which are paper-based only. In the parallel test some subset of production systems are indeed involved and run at the alternate site. Warm test is a distracter.

    Question 2
    A company provides outsourced help desk service to a number of clients worldwide. Currently they are equipped to handle over a thousand calls a day, with an average call length of 10 minutes. If they need to move to an alternate facility in the event of some disaster or disruption, management wants to be able to provide at least 80 percent of the current capacity. What metric would need to be determined in the Business Impact Analysis (BIA)?

    a) Recovery time objectives
    b) Service level objectives
    c) Maximum tolerable downtime
    d) Recovery point objectives

    Answer: b

    Explanation: In a disaster it may be cost prohibitive to attempt recovery to full capacity, so service level objectives are set to determine the required service levels to protect the business. Answers a and c are the same thing and refer to the time needed to bring a service or department up and running. Answer d refers to the data point required to recover and is mostly associated with data backup schedules and methods.

    Question 3
    Griffin Space Tech, a space development company, experiences a fire requiring relocation to an off-site location. An operator, a key person on the recovery team, fails to show up at the site. When contacted, the operator claims he was not clear on his role and did not realize he was named in the plan. Which document type would explain the specific names of the teams involved?

    a) Reconstitution plans
    b) Recovery procedures
    c) Service level agreement
    d) Memorandum of understanding (MOA)

    Answer: d

    Explanation: MOAs are documents maintained to identify the people and their roles in a business continuity plan. These are critical to keep current and must be tied to HR to ensure that the people named are still operating in the planned capacity.

    Question 4
    The senior network administrator responsible for managing perimeter security devices is named in the disaster recovery plan as the primary person to perform recovery of the firewall at an alternate site in an event requiring relocation. However, this administrator may move to another department and may no longer be available for this role. What plan should be used to prepare for such situations?

    a) Business impact analysis
    b) Succession
    c) Personnel migration
    d) Restructuring

    Answer: b

    Explanation: Succession plans are maintained to prepare for changes in personnel.

    Question 5
    Critical systems are migrated to a hot site after a disaster. The backup operator from the recovery team receives a call from a user complaining that the data that have been restored for their system are too old to be of any use. The operator checks the tape that was used for the restore and confirms it was indeed the most recent backup and that the tape was created only the night before. What is the most likely cause of the problem?

    a) The user is looking at a cached copy
    b) The data was restored to the wrong directory
    c) There is a network latency issue
    d) Recovery point objectives are very short

    Answer: d

    Explanation: Recovery Point Objectives (RPOs) relate to the data that must be recovered and the desired age of the data. If the RPO is less than 24 hours, the nightly backups are not frequent enough and perhaps remote journaling, electronic vaulting or restoring from a shadow file should be considered.

    Cryptography

    Question 1
    Which of the following statements is incorrect?

    a) To ensure the integrity of data, create a message digest
    b) To ensure privacy, encrypt the data with a symmetric key and the symmetric key with the receiver's private key
    c) To validate the sender, encrypt the message digest with the sender's private key
    d) To obtain the fastest method to encrypt data, use a symmetric, shared secret key

    Answer: b

    Explanation: The second part of the sentence should have read "with the receiver's public key".

    Question 2
    What is the most trusted way to ensure only the intended recipient obtains the key in a purely symmetric system?

    a) Manager hand-delivers the key
    b) Encrypt the key with the receiver's public key
    c) Encrypt the key with a passphrase
    d) Encrypt the key with the sender's private key

    Answer: a

    Explanation: One major challenge in a purely symmetric system is how to share the secret key. Encrypting the key with a passphrase is out of place here, since we still have the fundamental problem of sharing the passphrase. Answers b and d refer to asymmetric cryptography.

    Question 3
    Alice gives a copy of her private key to the crypto admin, Bob, for backup. Which problem below would most likely affect the accountability of the system?

    a) Bob could sign documents as Alice
    b) Bob could read documents destined for Alice
    c) Bob could leave the company and her backup could be unavailable
    d) Bob could update the CRL claiming Alice's key was lost

    Answer: a

    Explanation: While answers a, b & c could be problems, answer a is mostly associated with accountability.

    Question 4
    Alice works in customer service for a large manufacturing corporation and is responsible for working with customers' time-sensitive orders. One of her customers, Bob, sends her a signed and encrypted email and requests a signed receipt. Bob receives a receipt from Alice and becomes concerned when she does not follow through with his order and calls her on the phone a few days later. Alice claims she did not receive the email. Which of the following could explain the situation?

    a) The email is stuck in her server's inbound queue
    b) Bob's private key has been compromised
    c) The CA has issued a duplicate certificate
    d) Alice's private key has been compromised

    Answer: d

    Explanation: Alice's private key would have been used to create the signature on the receipt that Bob received. If Alice did not send the receipt, then her private key must have been compromised.

    Question 5
    Bob connects to an SSL server daily to check his email over an encrypted channel. His company-issued laptop is upgraded to meet new client standards. He receives an error message stating that he is about to download a certificate that has not been signed by a trusted 3rd party. What is the most likely cause?


    a) The admin forgot to copy his private key to the new system
    b) The new laptop has the wrong network address
    c) The public key of the CA is not on his machine
    d) His session key needs to be recreated

    Answer: c

    Explanation: To validate the server certificate, the issuing CA (the certificate authority) must be trusted by the client. This is a common problem for companies that use private certificate authorities.

    Information Security and Risk Management

    Question 1
    To address a contract agreement with a new client, management is required to select stronger encryption algorithms. What document needs to be modified to define the specifications for these new algorithms?

    a) Policies
    b) Standards
    c) Procedures
    d) Baselines

    Answer: b

    Explanation: While it is possible that all of these documents would have to be modified, specifications such as approved algorithms and key lengths are defined in standards. Policies state the high-level requirement (for example, that data in transit must be encrypted), procedures are step-by-step instructions, and baselines define the minimum security configuration a system must meet.

    Question 2
    Which of the following is out of place?

    a) High, medium, low rankings
    b) Subjective intuition
    c) Objective opinions
    d) Value

    Answer: c

    Explanation: Opinions are by nature subjective, so "objective opinions" is a contradiction. Answers a, b and d are all features of qualitative risk analysis, which ranks risk by judgement rather than by calculated figures.

    Question 3
    Management requires that all employees with a company laptop keep their virus signatures up to date and run a full system scan at least weekly. It is suggested, however, that they update signatures every night if possible. In what document type would such suggestions likely be made?

    a) Policies
    b) Procedures
    c) Guidelines
    d) Standards

    Answer: c

    Explanation: Guidelines are non-binding recommendations. The mandatory part of the requirement (signatures current, weekly scan) belongs in a policy or standard; the "if possible" nightly update is advice, which is what a guideline carries.

    Question 4
    Which of the following is the most logical order for risk management?

    a) Asset valuation, threat analysis, control analysis, mitigation, policy creation, awareness
    b) Threat analysis, control recommendation, asset valuation, mitigation
    c) Policy creation, risk mitigation, control evaluation, training
    d) Test, recommend, acquire/create, control, valuation

    Answer: a

    Explanation: Of the answers, only a contains no out-of-order step: you cannot weigh a threat or choose a control until you know what the asset is worth. Answer b recommends controls before the asset has been valued, c mitigates before the controls have been evaluated, and d is just a distracter.

    Legal, Regulations, Compliance and Investigations

    Question 1
    You are working in Philadelphia using a VPN to connect to a network in Singapore for a China-based company. Some of the laws differ across these jurisdictions. According to the ISC2 Code of Ethics, what is the proper action to take?

    a) Avoid conflicts of interest
    b) Follow the most restrictive laws
    c) Chinese law takes precedence since this is where corporate headquarters is located
    d) Philadelphia law takes precedence since this is where you are rendering service

    Answer: d

    Explanation: The ISC2 Code of Ethics guidance states: "When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service." This is still a difficult question, as the Code also says "Avoid conflicts of interest or the appearance thereof", but d is the more direct match to the situation. Answer b is sensible advice, but it is not what the Code of Ethics says.

    Question 2
    Alice is asked by a potential customer if she can provide a service for an intrusion detection system (IDS): to assess the rule-set currently configured on the system and make recommendations for improvement, in order to comply with a new regulation pertaining to the customer's line of business. Though Alice has an interest in working with intrusion detection systems, she has no hands-on experience. What ISC2 Code of Ethics requirement may force Alice to decline the primary role for such an assignment?

    a) Render only those services for which you are fully competent and qualified
    b) Thou shalt not make false claims
    c) Provide only services in your area of expertise
    d) Where compliance is paramount, service personnel require appropriate certification

    Answer: a

    Explanation: Only a is wording taken from the ISC2 Code of Ethics; b, c and d are paraphrases or inventions that do not appear in it.

    Question 3
    Alice is aggressively trying to increase personnel to meet market demand and tries to recruit Bob, a colleague, by offering him 5% ownership of the entire enterprise and agreeing to put this in writing soon. For expedience, they agree on a start date before the lawyers approve the contract regarding the 5% ownership. Nine months pass, Alice fails to provide the agreement in writing, and she changes her mind. According to the ISC2 Code of Ethics, what can be said of the situation?

    a) Alice is at fault for a conflict of interest
    b) Bob is at fault for failing to ensure proper documentation
    c) Alice is at fault for failure to "observe all contracts and agreements, express or implied"
    d) There is no violation of the ISC2 Code of Ethics

    Answer: c

    Explanation: Answer a does not apply here and b is a distracter. Answer c quotes the Code directly: the verbal offer was an implied agreement, and honoring such agreements is a requirement of a CISSP.

    Question 4
    Due to new laws governing the actions taken by companies when customer-identifiable information is collected, a senior manager directs internal auditors to analyze the company's exposure to the new regulations. The results of the audit identify a number of potential violations. What is the most appropriate action to take?

    a) Consult outside advice to ensure that the audit is accurate
    b) Conduct a gap analysis to prioritize ways to close the gaps
    c) Review the company's privacy policy and determine the necessary changes
    d) Take steps to encrypt the sensitive data to protect the information

    Answer: b

    Explanation: After an audit reports differences between the current position and the desired position, a gap analysis is performed to determine and prioritize the best ways to reconcile the differences. Answers c and d may well be among the resulting actions, but choosing either before the gaps have been ranked risks spending effort on the wrong one.

    Question 5
    Which of the following is not an example of civil law?

    a) Contract
    b) Property
    c) Tort
    d) Regulatory

    Answer: d

    Explanation: Regulatory law, also known as administrative law, is a separate branch of law governing how organizations and agencies must conduct their business, and violations can entail jail time. Contract, property and tort law are types of civil law, where the remedy is normally financial compensation rather than imprisonment.

    Operations Security

    Question 1


    Question 3
    Bob is hired to perform a penetration test for Griffin Space Tech, a leading space exploration company. Alice is nearly killed when her navigation system is interrupted by what turned out to be a test on a system that was not supposed to be part of the test. What document, if defined and understood, would most likely have prevented such a problem?

    a) Rules of engagement
    b) Concept of operations
    c) Statement of work
    d) Exception reports

    Answer: a

    Explanation: One very important administrative control when planning a penetration test is the creation of a rules of engagement document, which states which systems are in scope (and which are explicitly excluded), the accepted testing techniques, the testing windows, and whom to contact if something goes wrong. Performing a test entails risk, and care must be taken to ensure the least amount of disruption; systems whose failure can endanger life should be excluded, or tested only in an isolated environment.

    Question 4
    A critical server is scheduled to have a service pack installed. Departmental management requests that the change is tested on a spare server first, before being applied to the production server. To ensure that the spare server is configured exactly as the production server, operations plan to make an unscheduled backup of the production server. Which backup method is most appropriate?

    a) Full
    b) Incremental
    c) Differential
    d) Copy

    Answer: d

    Explanation: Only the full and the copy backups capture all the data on the server; incremental and differential backups take only the files changed since a previous backup, so neither would give a complete image for the spare. Since a full backup resets the archive bit on every file, it is not appropriate in this situation: the next scheduled incremental or differential would see nothing to back up, and the changes made since the last scheduled full would exist only on the unscheduled media. A copy backup takes everything but leaves the archive bits untouched, so the normal backup schedule is unaffected.
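    The archive-bit behavior behind this answer, as an added example that is not part of the original test: a small Python simulation of the four backup types over constructed file names, run through a week in which an unscheduled backup is inserted between scheduled incrementals. The file names, the schedule and the backup functions are all assumptions made for the illustration.

```python
# Each file maps to its archive bit: True means "changed since the file was last backed up".


def full_backup(files):
    """Back up everything and clear every archive bit."""
    taken = sorted(files)
    for name in files:
        files[name] = False
    return taken


def incremental_backup(files):
    """Back up only files with the bit set, and clear those bits."""
    taken = sorted(name for name, bit in files.items() if bit)
    for name in taken:
        files[name] = False
    return taken


def differential_backup(files):
    """Back up files with the bit set, but leave the bits alone."""
    return sorted(name for name, bit in files.items() if bit)


def copy_backup(files):
    """Back up everything and leave the bits alone: invisible to the normal schedule."""
    return sorted(files)


BACKUPS = {"full": full_backup, "incremental": incremental_backup,
           "differential": differential_backup, "copy": copy_backup}


def modify(files, *names):
    for name in names:
        files[name] = True


def run_week(unscheduled):
    """Scheduled Monday full and nightly incrementals, with one unscheduled backup on Wednesday.

    Returns what the unscheduled backup captured ("image"), what each scheduled
    incremental captured, and whether the scheduled chain still holds every change.
    """
    files = {"app.cfg": True, "orders.db": True, "report.txt": True}   # constructed sample files
    full_backup(files)                       # Monday: scheduled full
    modify(files, "app.cfg", "orders.db")    # Tuesday's changes
    tue = incremental_backup(files)          # Tuesday night: scheduled incremental
    modify(files, "report.txt")              # Wednesday's change
    image = BACKUPS[unscheduled](files)      # Wednesday: unscheduled backup for the spare server
    wed = incremental_backup(files)          # Wednesday night: scheduled incremental
    return {"tuesday": tue, "image": image, "wednesday": wed,
            "chain_intact": set(tue) | set(wed) == set(files)}


if __name__ == "__main__":
    for method in BACKUPS:
        print(f"{method:12} {run_week(method)}")
```

    Only "copy" gives a complete image and leaves the Wednesday night incremental with report.txt to pick up; "full" also gives a complete image but empties that incremental, so report.txt is missing from the scheduled chain.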

    Question 5
    A user in your organization habitually surfs inappropriate websites. You are responsible for desktop support and notice these sites in the history log. What is the best way to ensure the company is not held accountable by other users' complaints about this user?

    a) Block access to these sites with an approved filter
    b) Nothing, as you are not in security
    c) Inform law enforcement
    d) Report your findings to management

    Answer: d

    Explanation: The decision to take disciplinary action, and whether to involve law enforcement, is a management responsibility. Blocking the sites on your own authority (a) treats the symptom without a record that the matter was handled, and doing nothing (b) leaves the company exposed.

    Physical (Environmental) Security

    Question 1
    What is the purpose of a strike plate?

    a) To prevent damage to a door in a loading dock
    b) It is part of a locking mechanism
    c) To allow egress traffic in the event of an emergency evacuation
    d) To prevent damage to a door from moving equipment

    Answer: b

    Explanation: The strike plate, or door catch, is the metal plate on the door frame that the latch or bolt engages; it is part of the locking system. It is a common weakness in physical security: no matter how strong the lock is, if the strike plate is thin or fixed with short screws, the door can be forced.


    c) To allow police to monitor sensitive areas
    d) To allow management to monitor employee behavior

    Answer: a

    Explanation: While CCTV can be used to catch events in real time, that is not its usual use, since it requires someone watching the monitors continuously. CCTV controls include cameras, monitors, lights, recording devices and trained guards. After a crime is committed, authorities can use the recordings to gather evidence. All the other answers are applications, but a is the common use.

    Question 5
    What is the purpose of emergency lighting?

    a) To allow rescue teams to search for distressed personnel after a power failure
    b) Illumination of evacuation routes
    c) To assist CCTV controls during a threatening situation
    d) They act as a deterrent, as criminals fear detection

    Answer: b

    Explanation: To prevent loss of life in an emergency, including a power failure, personnel may need to evacuate the premises. Emergency lights, on an independent power source, must be available to help people find their way out of the building.

    Security Architecture and Design

    Question 1
    A system engineer would like to design a backup system that allows an operator to perform backups on all system data without giving the operator file system rights. What should the engineer consider?

    a) The Clark-Wilson model
    b) A SAN device
    c) RBAC
    d) Least privilege and need to know; in this case the operator by nature must have read access only

    Answer: a

    Explanation: In the Clark-Wilson model, subjects do not access objects directly; every access goes through a certified transformation procedure. Here the engineer would give the file system privileges to the backup program and give the operator the right to run the backup program. Outside of the backup program the operator would have no rights to the file system at all, which is what the question asks for; answer d still grants the operator read access to the files themselves.
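    Added illustration, not from the original test: a toy Clark-Wilson enforcement kernel in Python. The operator holds an access triple for the backup transformation procedure only, the TP is the only code that touches the constrained data items, and an integrity verification procedure checks the CDIs against the manifest the backup produced. The class, the TP names, the file contents and the operator/sysadmin subjects are all constructed for the example.

```python
import hashlib


class IntegrityKernel:
    """Toy Clark-Wilson enforcement (constructed for this example).

    Subjects never touch constrained data items (CDIs) directly: every access goes
    through a certified transformation procedure (TP), and a subject may run a TP
    only if an access triple (subject, TP) authorises it.
    """

    def __init__(self, cdis):
        self._cdis = dict(cdis)   # CDI name -> content, standing in for the protected file system
        self._tps = {}            # TP name -> callable that receives the CDI store
        self._triples = set()     # (subject, tp) pairs that have been authorised

    def certify_tp(self, name, func):
        self._tps[name] = func

    def grant(self, subject, tp):
        self._triples.add((subject, tp))

    def invoke(self, subject, tp, *args):
        # Enforcement: the only path to a CDI is a TP the subject has been granted.
        if (subject, tp) not in self._triples:
            raise PermissionError(f"{subject} is not authorised to run {tp}")
        return self._tps[tp](self._cdis, *args)

    def ivp_check(self, manifest):
        """Integrity verification procedure: does each CDI still match the recorded hash?"""
        result = {}
        for name, digest in manifest.items():
            data = self._cdis.get(name)
            result[name] = data is not None and hashlib.sha256(data).hexdigest() == digest
        return result


# TPs: these hold the file-system access; the operator only ever holds the right to call one.
def backup_all(cdis):
    archive = dict(cdis)
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in cdis.items()}
    return archive, manifest


def restore_all(cdis, archive):
    cdis.clear()
    cdis.update(archive)
    return sorted(cdis)


def build_kernel():
    # Constructed sample CDIs and subjects; not from the original page.
    kernel = IntegrityKernel({"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                              "/srv/orders.db": b"order-data"})
    kernel.certify_tp("backup", backup_all)
    kernel.certify_tp("restore", restore_all)
    kernel.grant("operator", "backup")    # the operator may take backups...
    kernel.grant("sysadmin", "restore")   # ...but only the sysadmin may restore
    return kernel


if __name__ == "__main__":
    k = build_kernel()
    archive, manifest = k.invoke("operator", "backup")
    print("operator backed up:", sorted(archive))
    try:
        k.invoke("operator", "restore", archive)
    except PermissionError as exc:
        print("denied:", exc)
```

    The operator's only capability is `invoke("operator", "backup")`; there is no call that hands a subject a CDI, and a TP the operator has not been granted (restore) is refused before it runs.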

    Question 2
    What is the purpose of the *-property in the Bell-LaPadula model?

    a) To prevent an unauthenticated user from leaking secrets
    b) To prevent an unauthenticated user from accessing sensitive data
    c) To prevent an authenticated user from leaking secrets
    d) To prevent an authenticated user from accessing sensitive data

    Answer: c

    Explanation: The *-property ("star property"), no write down, is used to prevent spillage of information: a subject with a high clearance may not write data to an object of a lower classification. The companion rule, the simple security property (no read up), is what prevents access to data above the subject's clearance (answer d). Both rules apply to subjects that have already been authenticated and assigned a clearance.
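    The two Bell-LaPadula rules as an access-decision function, added here as an example and not part of the original test. The level ordering and compartment names are assumptions; the code also carries the compartment (need-to-know) part of label dominance, which the question does not mention, so that "higher" is decided the way a real lattice decides it.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (constructed for the example); a later entry dominates an earlier one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus a set of compartments (need-to-know categories)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # L1 dominates L2 when its level is at least as high AND its compartments are a superset.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    # Simple security property ("no read up"): the subject's clearance must dominate the object's label.
    return subject.dominates(obj)


def can_write(subject, obj):
    # *-property ("no write down"): the object's label must dominate the subject's clearance,
    # so a highly cleared subject cannot spill data into a lower-classified object.
    return obj.dominates(subject)


def decide(subject, obj, action):
    """Return True if the request is permitted under Bell-LaPadula."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    report = Label("CONFIDENTIAL")
    vault = Label("TOP_SECRET", frozenset({"CRYPTO"}))
    for obj_name, obj in [("report", report), ("vault", vault)]:
        for action in ("read", "write"):
            verdict = "permit" if decide(analyst, obj, action) else "deny"
            print(f"analyst {action:5} {obj_name}: {verdict}")
```

    Note that strict Bell-LaPadula permits the SECRET analyst to write into the TOP_SECRET vault (write up), because that cannot leak anything; it is the write into the CONFIDENTIAL report that the *-property refuses.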

    Question 3
    A remote database user maliciously enters a command in a user input dialog box and manages to execute a command to upgrade his rights in the system. Which recommended remediation method is least likely to mitigate this risk?

    a) The system should check for input length
    b) The system should check for input type
    c) The system should block data control language from remote locations
    d) The system should implement mandatory access control

    Answer: d

    Explanation: This is an injection attack: user input is interpreted as a command. Answers a, b and c all act on the injection itself, by validating what is accepted and by refusing the GRANT/REVOKE statements (data control language) that would change privileges. Mandatory access control (MAC) is a policy model that governs which subjects may access which objects; it says nothing about whether the application passes user input to the command interpreter, and the injected command runs with whatever rights the application's database account already has. Under any access control model, discretionary or mandatory, a user should not be able to raise his own privileges, so the choice of model is not the remediation.
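    Added example, not part of the original test: the injection the question describes, shown in Python against an in-memory SQLite table, beside the hardened lookup. The vulnerable function builds its query by string formatting, so a UNION placed in the username returns an attacker-chosen role; the fixed version applies the type and length checks named in answers a and b and then a bound parameter, and a middle version shows that the bound parameter alone already defeats the payload. The table, the user names and the payload are constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample data (not from the original page).
_USERS = [("alice", "user"), ("bob", "user"), ("root", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def role_vulnerable(conn, username):
    # The input is pasted into the SQL text, so SQL syntax inside it is executed as SQL.
    sql = "SELECT role FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def role_parameterised(conn, username):
    # Bound parameter: the value travels separately from the statement and can never become syntax.
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")   # allowed characters and maximum length


def role_hardened(conn, username):
    # Defence in depth: type check, then format/length check, then the parameterised query.
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has invalid characters or length")
    return role_parameterised(conn, username)


# A username nobody holds, followed by a UNION that appends an attacker-chosen row (constructed payload).
PAYLOAD = "nobody' UNION SELECT 'admin' -- "


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", role_vulnerable(conn, "bob"))
    print("vulnerable, payload      :", role_vulnerable(conn, PAYLOAD))
    print("parameterised, payload   :", role_parameterised(conn, PAYLOAD))
    try:
        role_hardened(conn, PAYLOAD)
    except ValueError as exc:
        print("hardened, payload        : rejected,", exc)
```

    The vulnerable query becomes `SELECT role FROM users WHERE username = 'nobody' UNION SELECT 'admin' -- '`: the first SELECT matches nothing, the UNION supplies the row, and the application believes the caller is an admin. The same technique lifts rights in any application that trusts the role it reads back from a query it let the user shape.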

    Question 4
    When determining whether to use a product in your environment, you are asked to consult the product's certification per the Common Criteria. The category for this product does not contain a protection profile (PP). Which of the following is true?

    a) An exception report may be created to allow this product, provided local testing can certify a build of the system
    b) The system may grandfather an existing rating from the TCSEC
    c) The product can still be rated against the security target (ST)
    d) Review other products to see if there is a viable alternative

    Answer: c

    Explanation: All Common Criteria evaluations require a vendor-provided security target, which describes the product (the target of evaluation), the threats it addresses and the security functions it claims; the evaluation tests the product against that ST. A protection profile is an implementation-independent set of requirements for a whole product category; while it is desirable to also claim conformance to a PP, it is not required.

    Question 5
    Which of the following is an example of the reference monitor?

    a) Requiring users to provide proof of identification
    b) Account lockouts
    c) Log files
    d) Directory attributes

    Answer: a

    Explanation: The reference monitor is the abstract concept of mediating every access by a subject to an object according to the system's security policy; the security kernel is the part of the operating system that implements it. Requiring a subject to prove who it is before any access decision can be made is part of that mediation. Answers b, c and d are technologies used to enforce or record policy, not the mediation concept itself.

    Telecommunications and Network Security

    Question 1
    Why is it advisable to prevent packets from leaving your network where the source address is not from your network, or is a private (RFC 1918) address?

    a) To prevent your perimeter or edge devices from being attacked with a denial of service attack
    b) To prevent your internal devices from being attacked with a denial of service attack
    c) To prevent your systems from being used to attack others
    d) To prevent your systems from a reconnaissance attack

    Answer: c

    Explanation: The most likely answer is to prevent your systems from being used to attack others in a distributed denial of service (DDoS) attack. Many so-called zombies send packets with spoofed source addresses, as in Smurf and Fraggle, where the source is forged to be the victim so that the replies flood the victim. Egress filtering (BCP 38) drops such packets at your edge because the forged source is not an address you own; a packet with an RFC 1918 source is dropped for the same reason, since no reply to it could ever be routed back.
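    An egress filter implementing the rule in the question, added as an example that is not from the original test. The organization's prefix, the sample packets and their addresses are assumptions, drawn from the documentation ranges reserved for examples; the filter drops private sources and sources outside the owned prefix separately so the two cases can be counted apart.

```python
import ipaddress

# Address space the organisation actually owns; a documentation prefix stands in for it (assumption).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private space: never a valid source on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_verdict(src):
    """Classify an outbound packet by source address: 'allow', 'drop-private' or 'drop-spoofed'."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RFC1918):
        return "drop-private"      # leaked internal address; no reply could ever return
    if not any(ip in net for net in ORG_PREFIXES):
        return "drop-spoofed"      # not ours: forged source, typically a DDoS victim's address
    return "allow"


def apply_egress_filter(packets):
    """packets: iterable of (src, dst); returns the packets grouped by verdict, order preserved."""
    result = {"allow": [], "drop-private": [], "drop-spoofed": []}
    for src, dst in packets:
        result[egress_verdict(src)].append((src, dst))
    return result


# Constructed traffic leaving the edge router (not from the original page).
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.5"),    # legitimate: from our own prefix
    ("10.0.0.5", "198.51.100.5"),        # private source leaked past a missing NAT rule
    ("192.0.2.77", "198.51.100.255"),    # forged victim address sent to a broadcast address (Smurf-style)
    ("203.0.113.254", "198.51.100.5"),   # legitimate
]


if __name__ == "__main__":
    for verdict, pkts in apply_egress_filter(SAMPLE_PACKETS).items():
        for src, dst in pkts:
            print(f"{verdict:13} {src} -> {dst}")
```

    The RFC 1918 list is written out explicitly rather than using the `is_private` attribute of the `ipaddress` module, because that attribute also covers the documentation prefixes used here and other special-use space, which is not what the question is about.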

    Question 2
    Bob is attempting to use the hotel wireless network to connect to his company's email server. He is told by the hotel staff that the SSID is HOTELX (where X equals his floor number). After gaining a connection, it is discovered that his email has been posted to a hacker website. Which of the following would most likely have prevented this problem?

    a) RADIUS
    b) Mutual authentication
    c) Two-factor authentication
    d) Extensible Authentication Protocol

    Answer: b

    Explanation: It is likely that Bob connected to a rogue access point advertising the expected SSID, which captured his traffic. Mutual authentication means that each end of a connection authenticates the other: Bob's client would verify the network (or the mail server) before sending anything, rather than only proving itself to whatever it happened to connect to. Answers c and d strengthen or carry the client's own authentication, which a rogue network is happy to accept.

    Question 2
    In what layer of the OSI model are electrical signals turned into binary addressing information?

    a) Host to host
    b) Biba
    c) Data link
    d) Physical

    Answer: c

    Explanation: The physical layer turns electrical (or optical or radio) signals into raw bits; the data link layer receives those bits and frames them, and it is here that addressing first appears. A major component of the data link layer is the MAC sub-layer, responsible for media access, including the source and destination MAC addresses in each frame. Host to host is a layer of the DoD (TCP/IP) model, and Biba is a distracter.

    Question 3
    The firewall administrator notices that an IP address on the inside is attempting to open ports to an unknown host in a foreign country. What is the most appropriate action to take?

    a) Block the port until the host can be authenticated
    b) Perform a violation analysis
    c) Run a virus scan on the machine that is attempting the connection, as it may be infected
    d) Interview the user of the machine to determine his intention

    Answer: b

    Explanation: When there is a deviation from what has been deemed normal, a violation analysis is conducted to determine the cause. While this may be the result of an attack, it may be just a new service, or perhaps something else. The analysis may include running a virus scan and interviewing users; the point is that those are steps within the analysis, not the first action taken on their own.
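    Added example, not part of the original test: violation analysis as detection logic in Python. A baseline of (destination, port) pairs is learned from a day of logs deemed normal; today's log is then compared against it, and an inside host reaching new ports on an unknown host is reported together with whether the pattern looks like a port sweep of that host. The log format and every line in it are constructed for the illustration.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed firewall log lines (not from the original page); addresses are documentation ranges.
BASELINE_LOG = """\
2019-08-12T09:00:01 ALLOW TCP 10.1.1.25:50001 -> 198.51.100.10:443
2019-08-12T09:00:05 ALLOW TCP 10.1.1.25:50002 -> 198.51.100.10:443
2019-08-12T09:01:00 ALLOW TCP 10.1.1.30:50003 -> 198.51.100.25:25
"""

TODAY_LOG = """\
2019-08-13T09:00:01 ALLOW TCP 10.1.1.25:50101 -> 198.51.100.10:443
2019-08-13T09:02:10 ALLOW TCP 10.1.1.25:50102 -> 203.0.113.77:6667
2019-08-13T09:02:11 ALLOW TCP 10.1.1.25:50103 -> 203.0.113.77:6668
2019-08-13T09:02:12 DENY TCP 10.1.1.25:50104 -> 203.0.113.77:6669
2019-08-13T09:05:00 ALLOW TCP 10.1.1.30:50105 -> 198.51.100.25:25
"""


def parse(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def learn_baseline(text):
    """The set of (destination, port) pairs seen during a period deemed normal."""
    return {(e["dst"], int(e["dport"])) for e in parse(text)}


def violation_analysis(text, baseline, sweep_threshold=3):
    """Report each (inside host, destination) pair that fell outside the baseline.

    Denied attempts count too: the question is what the host tried, not what got through.
    """
    new_ports = defaultdict(set)   # (src, dst) -> ports not in the baseline
    for e in parse(text):
        if (e["dst"], int(e["dport"])) not in baseline:
            new_ports[(e["src"], e["dst"])].add(int(e["dport"]))
    return {
        pair: {"ports": sorted(ports), "port_sweep": len(ports) >= sweep_threshold}
        for pair, ports in new_ports.items()
    }


if __name__ == "__main__":
    findings = violation_analysis(TODAY_LOG, learn_baseline(BASELINE_LOG))
    for (src, dst), info in findings.items():
        print(f"{src} -> {dst}: new ports {info['ports']}, sweep={info['port_sweep']}")
```

    The output is the starting point for the analysis, not its conclusion: a host walking consecutive ports on one unknown address is a candidate for the virus scan and the user interview in answers c and d, whereas a single new port on a known partner is more likely a new service.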

    Question 4
    Which VPN method is least likely to work through NAT?

    a) IPSec transport mode
    b) IPSec tunnel with AH
    c) IPSec tunnel with ESP
    d) PPTP

    Answer: b

    Explanation: The Authentication Header (AH) computes its integrity check value over the immutable fields of the IP header, including the source and destination addresses. NAT rewrites those addresses, so the check fails at the receiver and the packet is discarded: AH is intrinsically incompatible with Network Address Translation. ESP covers only the ESP header and the payload, not the outer IP header, so tunnel-mode ESP survives address rewriting (in practice with NAT traversal, which wraps ESP in UDP).
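    The reason AH breaks and ESP survives, as an added example that is not from the original test: a Python model in which AH's integrity check value covers the addresses and ESP's does not, each run once with a NAT rewriting the source address between sender and receiver. The key, the field layout and the addresses are simplified assumptions; real AH also skips mutable header fields such as TTL and checksum, and real ESP authenticates ciphertext rather than the plaintext payload used here.

```python
import hashlib
import hmac

KEY = b"constructed-sa-integrity-key"   # integrity key of the security association (assumption)


def ah_icv(pkt):
    # AH authenticates the immutable fields of the IP header, which include both addresses,
    # plus the AH header and the payload.  (Mutable fields such as TTL are excluded.)
    covered = (f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['spi']}|{pkt['seq']}|".encode()
               + pkt["payload"])
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt):
    # ESP authenticates only the ESP header (SPI, sequence number) and the payload; the outer
    # IP header carrying the addresses is not covered.
    covered = f"{pkt['spi']}|{pkt['seq']}|".encode() + pkt["payload"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def nat(pkt, public_ip):
    # A source NAT rewrites the source address as the packet leaves the private network.
    return dict(pkt, src=public_ip)


def verify(pkt, icv, icv_fn):
    return hmac.compare_digest(icv_fn(pkt), icv)


def through_nat(icv_fn):
    """True if a packet protected by icv_fn still verifies after a NAT rewrote its source."""
    pkt = {"src": "192.168.1.10", "dst": "203.0.113.5",
           "proto": 51 if icv_fn is ah_icv else 50,   # IP protocol numbers: 51 = AH, 50 = ESP
           "spi": 0x1001, "seq": 1, "payload": b"constructed tunnel payload"}
    icv = icv_fn(pkt)                       # computed by the sender on the original packet
    translated = nat(pkt, "198.51.100.1")   # what the receiver actually gets
    return verify(translated, icv, icv_fn)


if __name__ == "__main__":
    print("AH through NAT :", "verifies" if through_nat(ah_icv) else "fails")
    print("ESP through NAT:", "verifies" if through_nat(esp_icv) else "fails")
```

    Transport-mode ESP (answer a) is a weaker version of the same problem: the addresses are not authenticated, but the TCP checksum inside the encrypted payload still covers the original addresses and the NAT cannot fix it, which is why the question ranks it as less likely to work than tunnel-mode ESP but not as hopeless as AH.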

    Question 5
    With regard to an intrusion detection system, what is meant by an insertion attack?

    a) Enabling attackers to insert themselves into a system without detection
    b) Injecting false data to mislead an IDS
    c) Adding additional rules to misclassify an attack
    d) Code injection attacks

    Answer: b

    Explanation: If an attacker knows the rules of an IDS, they may be able to mislead the IDS by injecting false data: the IDS accepts packets that the target host will reject, so the stream the IDS examines differs from what the host receives, and the attack no longer exactly matches the rule written for it. Similar to this is sending in an attack that contains
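    The insertion technique, as an added example that is not part of the original test: a Python stream reassembler used both as the IDS one hop from the attacker and as the target host four hops away. The attacker sends a bogus byte with a TTL that expires before it reaches the host, then resends the real bytes for the same position; an IDS that keeps the first data it saw for a position misses the signature, while the host, which never saw the bogus byte, receives the attack intact. Hop counts, the signature and the packets are constructed for the illustration.

```python
# Constructed topology: the IDS sits one hop from the attacker, the target four hops away.
IDS_HOPS = 1
TARGET_HOPS = 4
SIGNATURE = b"/cgi-bin/phf"   # the pattern the IDS rule looks for (constructed)

# Each packet is (stream offset, data, TTL), listed in arrival order.  The "X" has a TTL that
# expires before it reaches the target; the real "hf" is then sent for the same offset.
ATTACK = [
    (0, b"GET /cgi-bin/p", 64),
    (14, b"X", 2),
    (14, b"hf", 64),
]


def reassemble(packets, hops_away):
    """Rebuild the stream as seen by a node hops_away from the sender.

    A packet reaches the node only if its TTL is at least that many hops.  Where two
    packets claim the same offset, the first data seen wins, which is how a naive
    reassembler behaves and what the insertion relies on.
    """
    bytes_at = {}
    for offset, data, ttl in packets:
        if ttl < hops_away:
            continue   # TTL expired before reaching this node
        for i, b in enumerate(data):
            bytes_at.setdefault(offset + i, b)
    return bytes(bytes_at[i] for i in sorted(bytes_at))


def detects(packets, hops_away):
    """Does a signature match fire on the stream as seen at hops_away?"""
    return SIGNATURE in reassemble(packets, hops_away)


if __name__ == "__main__":
    print("IDS sees   :", reassemble(ATTACK, IDS_HOPS), "alert:", detects(ATTACK, IDS_HOPS))
    print("target sees:", reassemble(ATTACK, TARGET_HOPS), "alert:", detects(ATTACK, TARGET_HOPS))
```

    The countermeasure is for the IDS to model the host it protects rather than accept everything it sees: an IDS that knows the target is four hops away discards the same packet the host will discard, which is what `reassemble(ATTACK, TARGET_HOPS)` computes, and the signature then matches.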
