Practice Exam Questions | Practice Exam 2

1:	What type of access control is typically used by organizations such as the DoD, the NSA, and the FBI? A. Restricted access control B. Discretionary access control C. Mandatory access control D. Role-based access control
2:	Which of the following is not a form of single sign-on (SSO)? A. NetSP B. SESAME C. Kerberos D. RADIUS
3:	What form of biometric system analyzes the features that exist in the colored tissue surrounding the pupil to validate access? A. Retina B. Cornea C. Iris D. Optic nerve
4:	What is the most important item to consider when examining biometric systems? A. The crossover acceptance ratethe lower the number, the better the biometric system B. The crossover error ratethe higher the number, the better the biometric system C. The crossover acceptance ratethe lower the number, the better the biometric system D. The crossover error ratethe lower the number, the better the biometric system
5:	What type of biometric error occurs when an unauthorized individual is granted access? A. Type I B. Type II C. Type III D. Type IV
6:	What height of fence will deter only casual trespassers? A. 23 feet B. 34 feet C. 45 feet D. 57 feet
7:	When discussing policies and procedures, who is strictly responsible for the protection of the company's assets and data? A. User B. Data owner C. Data custodian D. Security auditor
8:	Which of the following is considered a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage? A. Risk B. Vulnerability C. Exposure D. Threat
9:	Which of the following are the correct steps involved in determining the single loss expectancy? A. Single loss expectancy = Asset value · Exposure factor B. Single loss expectancy = Asset value x Exposure factor C. Single loss expectancy = Risk · Exposure factor D. Single loss expectancy = Vulnerability x Exposure factor
10:	Estimating potential loss is an important task of CISSP-certified professionals. In order, which of the following are the steps used to perform a quantitative assessment? A. Estimate potential losses, perform a vulnerability assessment, and determine annual loss expectancy B. Estimate potential losses, conduct a threat analysis, and rank losses as high, medium, or low C. Assemble a team, prepare a matrix of critical systems and services, and rank losses as high, medium, or low D. Estimate potential losses, conduct a threat analysis, and determine annual loss expectancy
11:	What is the Delphi Technique an example of? A. A BCP analysis technique B. A quantitative-assessment technique C. A DRP analysis technique D. A qualitative-assessment technique
12:	What is the formula for total risk? A. (Threat - Countermeasure) / Asset value = Total risk B. (Threat - Countermeasure) x Asset value = Total risk C. Threat x Vulnerability x Asset value = Total risk D. Threat x Vulnerability / Asset value = Total risk
13:	What method of dealing with risk occurs when individuals accept the potential cost and loss? A. Risk reduction B. Risk rejection C. Risk transference D. Risk acceptance
14:	The security kernel is found at what protection ring level? A. Ring 0 B. Ring 1 C. Ring 2 D. Ring 4
15:	At what protection ring are applications found? A. Ring 1 B. Ring 2 C. Ring 3 D. Ring 4
16:	Which of the following are considered temporary storage units within the CPU? A. I/O buffer B. Registers C. Control circuit D. ALU
17:	Confidentiality and integrity are important concepts when discussing security models. Which of the following was the first model developed to address the concerns of both confidentiality and integrity? A. Biba B. Clark-Wilson C. Brewer and Nash D. Clark-Phillips
18:	Which of the following is considered the first security model to be based on confidentiality? A. Biba B. Bell-LaPadula C. Graham-Denning D. Clark-Wilson
19:	What piece of documentation was developed to evaluate integrity and is also know as TNI? A. The Orange Book B. The Red Book C. Common Criteria D. CTCPEC
20:	Which level of Orange Book protection is considered discretionary protection? A. D B. C C. B D. A
21:	What is considered the smallest set of code that can be scheduled for processing? A. Subroutine B. Line C. Process D. Thread
22:	Which of the following frequencies do cordless phones not use? A. 850MHz B. 900MHz C. 2.4GHz D. 5.8GHz
23:	Which of the following wireless standards used frequency-hopping spread spectrum (FHSS) by default? A. Bluetooth B. 802.11a C. 802.11b D. 802.11g
24:	Which of the following is the original technique used to digitize voice with 8 bits of sampling 8,000 times per second, which yields 64Kbps for one voice channel? A. DAT B. CDMA C. PCM D. GMS
25:	How many DS0 channels are bundled to make a T1? A. 18 B. 21 C. 24 D. 32
26:	Which of the following protocols was developed in the mid-1970s for use in Systems Network Architecture (SNA) environments? A. SDLC B. ISDN C. LAP-B D. X.25
27:	Which of the following best defines transaction persistence? A. Database transactions should be all or nothing to protect the integrity of the database. B. The database should be in a consistent state, and there should not be a risk of integrity problems. C. The database should be the same before and after a transaction has occurred. D. Databases should be available to multiple users at the same time without endangering the integrity of the data.
28:	What is the capability to combine data from separate sources to gain information? A. Metadata B. Inference C. Aggregation D. Deadlocking
29:	Joey considers himself a skillful hacker. He has devised a way to replace the existing autoexec.bat file between the time that the system boots and checks to see if there is an autoexec file yet before the system actually executes the autoexec.bat file. He believes that if he can perfect his attack, he can gain control of the system. What type of attack is described here? A. Synchronous attack B. TOC/TOU attack C. DCOM attack D. Smurf attack
30:	Which of the following is evidence that is not based on personal knowledge but that was told to the witness? A. Best evidence B. Secondary evidence C. Conclusive evidence D. Hearsay evidence
31:	Which of the following is considered the fastest mode of DES? A. ECB B. CBC C. CFB D. OFB
32:	What mode of Triple DES uses three keys? A. DES E3 B. DES-EEE3 C. 3DES D. DES EDE2
33:	Which asymmetric cryptosystem is used for digital signatures? A. DES B. SHA1 C. Diffie-Hellman D. ECC
34:	When developing the organization's contingency plan, which of the following should not be included in the process? A. Damage-assessment team B. Legal counsel C. Salvage team D. Tiger team
35:	Which of the following is a valid form of attack against ARP? A. Flooding B. Corruption of the tree C. Name server poisoning D. Reverse lookups
36:	Which of the following is considered the weakest form of authentication? A. CHAP B. EAP C. MS-CHAP D. PAP
37:	Which of the following address ranges is not listed in RFC 1918? A. 10.0.0.0 to 10.255.255.255 B. 172.16.0.0 to 172.31.255.255 C. 172.16.0.0 to 172.63.255.255 D. 192.168.0.0 to 192.168.255.255
38:	Which of the following is not a reason why email should be encrypted? A. Encryption is a time-consuming process. B. Faking email is easy. C. Sniffing email is easy. D. Stealing email is not difficult.
39:	Which of the following statements about instant messaging is incorrect? A. No capability for scripting B. Can bypass corporate firewalls C. Lack of encryption D. Insecure password management
40:	ActiveX is used by which of the following technologies? A. Java B. CORBA C. EJB D. DCOM
41:	Which of the following protocols is said to use "a web of trust"? A. PKI B. IGMP C. PGP D. PEM
42:	Which of the following is considered the act of inducing a person to commit a crime in order to bring criminal charges against him? A. Inducement B. Entrapment C. Honeypotting D. Enticement
43:	Which of the following terms describes the U.S. law enforcement agreements that are carried out with law enforcement agents in other nations to fight computer crime and terrorism? A. G8 B. MLAT C. SWAT D. UN Resolution 1154
44:	Which of the following is not one of the main BCP testing strategies? A. Partial interruption B. Structured walk-through C. Parallel D. Full interruption
45:	When discussing the BCP, critical resources are usually divided into five primary categories. The categories are which of the following groups? A. Business, administrative, user, technical, and data B. Administrative, policy, user, technical, and data C. Business, facility and supply, user, technical, and nontechnical D. Business, facility and supply, user, technical, and data
46:	Which of the following is not one of the three layers used by the Java interpreter? A. Java language B. Java script C. Java libraries D. Java interpreter
47:	Which of the following protocols is used for router multicasting? A. ICMP B. RIP C. 224.0.0.1 D. IGMP
48:	VoIP uses which of the following because network congestion can be such a critical problem? A. Time-division multiplexing B. TCP protocol C. VLANs technology D. Isochronous design
49:	Which of the following is considered a network technology based on transferring data in cells or packets of a fixed size? A. ATM B. ISDN C. SMDS D. Frame Relay
50:	WEP has been publicized as having vulnerabilities. Which of the following is not a reason why it is vulnerable? A. Shared WEP keys among all clients B. An RC4 engine not properly initialized C. 20-bit initialization vector D. 400-bit WEP keys
51:	You are an advisory board member for a local nonprofit charity. The charity has been given a new server, and members plan to use it to connect their 24 client computers to the Internet for email access. Currently, none of these computers has antivirus software installed. Your research indicates that there is a 95% chance these systems will become infected after email is in use. A local vendor has offered to sell 25 copies of antivirus software to the nonprofit organization for $400. Even though the nonprofit's 10 paid employees make only about $9 an hour, there's a good chance that a virus could bring down the network for an entire day. They would like you to tell them what the ALE for this proposed change would be. How will you answer them? A. $423 B. $950 C. $720 D. $684
52:	A Common Criteria rating of structurally tested means the design meets what level of verification? A. EAL 1 B. EAL 2 C. EAL 4 D. EAL 5
53:	Which of the following is not a valid Red Book rating? A. A1 B. B2 C. C1 D. C2
54:	What Bell-LaPadula model rule states that someone at one security level cannot write information to a lower security level? A. Star * property B. Simple security rule C. Simple integrity property D. Strong star rule
55:	You are an advisory board member for a nonprofit organization that has decided to go forward with a proposed Internet and email connectivity project. The CEO would like to know how much money, if any, will be saved through the purchase of antivirus software. Here are the projected details: 24 computers connected to the Internet 95% probability of virus infection 10 paid employees who make $9 an hour A successful virus outage could bring down the network for an entire day 25 copies of antivirus software will cost the nonprofit $399 A. $218 B. $285 C. $380 D. $490
56:	Which of the following is considered the first line of defense against human behavior? A. Cryptography B. Physical security C. Business continuity planning D. Policies
57:	HVAC should provide which of the following? A. HVAC should be a closed-loop system with negative pressurization. B. HVAC should be an open-loop system with positive pressurization. C. HVAC should be an open-loop system with negative pressurization. D. HVAC should be a closed-loop system with positive pressurization.
58:	Which of the following types of fire detectors uses rate-of-rise sensors? A. Flame activated B. Heat activated C. Smoke activated D. Ion activated
59:	A fire caused by electrical equipment is considered which class of fire? A. D B. C C. B D. A
60:	Which of the following types of water sprinkler systems is known as a closed-head system? A. Deluge B. Dry pipe C. Preaction D. Wet pipe