Appendix A: Self Test Questions, Answers, and Explanations

Overview

This appendix provides complete Self Test Questions, Answers, and Explanations for each chapter.

Chapter 2: Access Control

  1. You are working on a presentation for upper management on how a new access control system will work. What three steps do you show are necessary for access to be granted to an access control object?

    A. Authentication, repudiation, and identification

    B. Authentication, identification, and authorization

    C. Identification, repudiation, and availability

    D. Identification, authorization, and assurance

    ✓ Answer B is correct. These are the three steps required in any access control system in order to grant access to objects.

    ✗ Answer A is incorrect because repudiation refers to the ability to prove that a specific entity performed an action; it is not a step in obtaining access to objects. Answer C is incorrect because repudiation is not a step in obtaining access to objects, and neither is availability, which refers to the ability to use the access control system itself. Answer D is incorrect because assurance is the part of access control that includes confidentiality, integrity, availability, and accountability. As such, assurance is not a specific step in gaining access to an object.

  2. What advantage does a centralized access control methodology offer to security administrators?

    A. It provides a method to ensure that the authentication responsibility is broken up across multiple systems.

    B. It allows users to use a single ID and password to access all resources on the network.

    C. It provides a method to ensure that all authentication responsibility is controlled by a single system or group of systems.

    D. It allows users to use X.509 certificates to access secure Web sites via HTTP with SSL (S-HTTP).

    ✓ Answer C is correct. A centralized access control methodology ensures that all authentication responsibility is controlled in a central location.

    ✗ Answer A is incorrect because ensuring that the authentication responsibility is broken up is the behavior of a decentralized access control methodology, not centralized. Answer B is incorrect because using a single ID and password to access all resources on the network is done using SSO technology, not a centralized access control methodology. Answer D is incorrect because using X.509 certificates is not a part of the centralized access control methodology.

  3. The "Orange" book and "Red" book are used to rate access control systems. How does the "Red" book differ from the "Orange" book in the guidelines that it provides?

    A. The Red book provides guidelines on how to rate access control systems within operating systems.

    B. The Red book provides guidelines on how to create access control systems that work with the guidelines in the Orange book.

    C. The Red book provides guidelines on how the concepts and guidelines from the Orange book can be applied to enterprise environments.

    D. The Red book provides guidelines on how the concepts and guidelines from the Orange book can be applied to network environments.

    ✓ Answer D is correct. The Red book provides guidelines on how to apply the information in the Orange book to network environments.

    ✗ Answer A is incorrect because the Orange book provides guidelines on how to rate access control systems within operating systems, not the Red book. Answer B is incorrect because the Red book does not provide guidelines on how to create access control systems. Answer C is incorrect because the Red book does not specifically provide guidelines for enterprise environments; it provides guidelines for network environments.

  4. When using DAC systems with ACLs, what permission or privilege gives users the ability to read and write to an access control object?

    A. Write

    B. Create

    C. Execute

    D. Modify

    ✓ Answer D is correct. The "modify" permission allows users to both read and write to an access control object.

    ✗ Answer A is incorrect because the ability to write to an object does not imply the ability to read from the object. Answer B is incorrect because the ability to create new objects does not imply the ability to read or write to the new objects. Answer C is incorrect because the ability to execute an object does not imply the ability to read or write to the object.

  5. When using MAC, how is permission to access control objects controlled after a user has been authenticated?

    A. By ACLs

    B. By sensitivity levels

    C. By identification

    D. By user role

    ✓ Answer B is correct. Sensitivity levels such as "secret" or "top-secret" are used to control access to objects.

    ✗ Answer A is incorrect because ACLs are used by DAC, not MAC. Answer C is incorrect because identification is a part of the authentication process and does not control access to objects. Answer D is incorrect because user roles are used in RBAC, not MAC.

  6. How does RBAC differ from DAC?

    A. RBAC requires that permissions be configured on every object and DAC does not.

    B. RBAC uses the ID of the user to help determine permissions to objects and DAC does not.

    C. RBAC uses the position of the user in the organization structure to determine permissions for objects and DAC does not.

    D. RBAC requires that every object have a sensitivity label and DAC requires that every object have an ACL.

    ✓ Answer C is correct. RBAC uses the position of the user in the organization structure, or their role, to determine the user's permissions.

    ✗ Answer A is incorrect because both RBAC and DAC require that every object have permissions defined. Answer B is incorrect because DAC does use the ID of the user to determine their permissions. Answer D is not correct because RBAC does not use sensitivity labels.

  7. The Bell-LaPadula formal model for access control is most similar to which access control model?

    A. DAC

    B. MAC

    C. RBAC

    D. Clark-Wilson access control

    ✓ Answer B is correct. The Bell-LaPadula access control model specifies the use of sensitivity labels on every access control subject and object. MAC uses sensitivity labels in the same way.

    ✗ Answer A is incorrect because DAC does not use sensitivity labels as outlined in the Bell-LaPadula formal access control model. Answer C is incorrect as RBAC uses roles or positions for access control rather than sensitivity labels. Answer D is incorrect because Clark-Wilson is another formal access control model, but it is a guideline for access control relating to integrity.

  8. What are the three main parts of account administration within an access control system?

    A. Creation, maintenance, and destruction

    B. Creation, maintenance, and deletion

    C. Creation, policies, and destruction

    D. Creation, policies, and deletion

    ✓ Answer A is correct. The processes of creation, maintenance, and destruction are the three main parts of account administration.

    ✗ Answer B is incorrect because deletion is not necessarily a function of account administration. This is due to the fact that some access control systems do not allow for account deletion, just deactivation. Answer C is incorrect because policies are a part of access control administration, not necessarily account administration. Answer D is incorrect because policies are a part of access control administration and deletion is not necessarily a function of account administration.

  9. The Clark-Wilson formal access control model specifies a very important guideline related to account administration. What is this guideline and what does it mean?

    A. Principle of Least Privilege - Grant all the rights and permissions necessary to an account, but no more than what is needed.

    B. Account Administration - Work hand-in-hand with the human resources or personnel office of the company to ensure that accounts can be authorized and created when employees are hired and immediately destroyed when they are dismissed.

    C. Segregation of Duties - No single person should perform a task from beginning to end, but the task should be divided among two or more people to prevent fraud by one person acting alone.

    D. Access Control - Provide access control subjects the ability to work with access control objects in a controlled manner.

    ✓ Answer C is correct. The Clark-Wilson formal model provides guidelines related to segregation or separation of duties.

    ✗ Answer A is incorrect because the principle of least privilege is not part of the Clark-Wilson formal model. Answer B is incorrect because this definition is only part of the definition for account administration. Answer D is incorrect because the Clark-Wilson formal model does not define access control itself, just manners in which access controls can be employed.

  10. A MITM attack is used to hijack an existing connection. What is the principal technology behind the MITM attack that allows this to happen?

    A. Cracking

    B. Spoofing

    C. Sniffing

    D. Spamming

    ✓ Answer B is correct. Spoofing is used to emulate the system that either side of the connection was expecting to communicate with while actually feeding the connection through a third system.

    ✗ Answer A is incorrect because while cracking may be used to access routers and so forth during a MITM attack, it is not the principal technology used to perform the attack. Answer C is incorrect because sniffing is not the principal technology used to perform the attack, although it may be used as part of the attack. Answer D is incorrect because spamming has nothing to do with MITM attacks.

  11. Some attackers will attempt to do a spamming attack while making it look like another system is performing the attack. This is done using open relays. What protocol is used with open relays to accomplish this attack?

    A. NNTP

    B. TCP/IP

    C. SMTP

    D. SNMP

    ✓ Answer C is correct. SMTP can be used over an open relay to forward spam.

    ✗ Answer A is incorrect because NNTP does not use relays, although it can be used to spam a Usenet newsgroup. Answer B is incorrect because TCP/IP by itself is not able to accomplish this attack. Answer D is incorrect because SNMP is used to manage networks, not transfer mail.

  12. In a good access control system, how are audit trails and violation reports used after it has been determined that an actual attack has occurred?

    A. Audit trails and violation reports are used to determine whether or not an attack has occurred.

    B. Audit trails and violation reports are used to track the activities that occurred during the attack.

    C. Audit trails and violation reports are used to monitor the access control system.

    D. Audit trails and violation reports are used to determine the effectiveness of penetration testing.

    ✓ Answer B is correct. After an attack has occurred, audit trails and violation reports can provide critical information about the nature of the attack and what was done during the attack. This is why most well-planned attacks include the removal of any known log entries that might show what happened during the attack.

    ✗ Answer A is incorrect because while audit trails and violation reports are used to determine whether or not an attack occurred, this is done prior to the actual determination, not after. Answer C is incorrect because audit trails and violation reports are used to monitor the access control system, but that too is done before it has been determined that an attack has occurred. Answer D is incorrect because penetration testing is a planned attack and should not be labeled as an "actual attack."

  13. What is the most important thing that you should do prior to beginning a penetration test?

    A. Plan what type of attack you are going to perform.

    B. Enable all necessary logging to track your test.

    C. Obtain permission to perform the test.

    D. Research the techniques that you plan to use during your test.

    ✓ Answer C is correct. The most important thing to do prior to penetration testing is to obtain permission to perform the testing. Failure to do this can result in employee termination or even incarceration.

    ✗ Answer A is incorrect because planning is not the most important thing that needs to be done prior to beginning the test. Answer B is incorrect because enabling logging is also not the most important thing to be done prior to testing. Answer D is not correct, as researching the techniques that you plan to use is not the most important thing to do prior to performing penetration testing.

  14. You have been contracted to design and implement a new access control system. At what point during the process should you perform penetration testing against the system?

    A. During the access control system design.

    B. Before the access control system implementation.

    C. After the access control system implementation.

    D. During the entire design and implementation process.

    ✓ Answer D is correct. Penetration testing should be done during the design, implementation, and post-implementation phases of your project.

    ✗ Answer A is incorrect because during the design is not the only time that penetration testing should be done. Answer B is incorrect because prior to implementation is not the only time that penetration testing should be done. Answer C is incorrect because post-implementation is certainly not the best time to start performing penetration testing.

  15. While performing penetration testing against your access control system, you are successful in uncovering a vulnerability in the system. After doing some follow-up research, you determine that this vulnerability has been addressed in a security patch for the software. What should you do?

    A. Implement the patch for the software immediately to plug the hole.

    B. Test the patch for the software and then implement it as soon as possible.

    C. Wait until the next version of the software comes out which includes the security patch.

    D. Do nothing and ensure that your IDS is scanning the system with the hole.

    ✓ Answer B is correct. The patch should be implemented as soon as possible, but it is very important to perform testing first.

    ✗ Answer A is incorrect because any changes to your software should be tested prior to implementation. Answer C is incorrect because waiting for the next version of the software could take some time, during which you are vulnerable to attack. Answer D is incorrect because ignoring the hole leaves you vulnerable to attack even though your IDS may be scanning the system. It is always best to patch known security holes as soon as possible after appropriate testing of the patch.

Chapter 3: Administration

  1. A potential customer has called you into their office to discuss some access control issues they are having. They tell you that their developers have traditionally had access to administrator accounts on operational systems and that some other users with no system administrator responsibilities also have administrator access. The customer would like to limit the access each employee has to the system to only the access needed to accomplish the employee's job function. Your customer has just described what security concept?

    A. Least privilege

    B. Authentication

    C. Auditing

    D. Integrity

    ✓ Answer A is correct. Least privilege is the concept of only giving an individual the amount of access required for them to meet their job responsibilities. No excess access is permitted simply because it is not required.

    ✗ Answer B is incorrect because authentication is a method for verifying an individual's identity through the use of several different mechanisms, including passwords, biometrics, and tokens. Answer C is incorrect because auditing is the process of tracking actions on a system, including logins, logouts, commands executed, and transition to administrative level system accounts. Answer D is incorrect because integrity deals specifically with maintaining the validity of information in a system.

  2. Your company is having problems with users taking sensitive information home on disposable media such as floppy disks or CD-ROMs. Your boss tells you he is concerned about the possibility of sensitive corporate information falling into the wrong hands. From your security experience, you realize that your company has issues with which one of the following security fundamentals?

    A. Integrity

    B. Availability

    C. Non-repudiation

    D. Confidentiality

    ✓ Answer D is correct. Confidentiality is the security principle that deals specifically with keeping sensitive information private and away from the hands of unauthorized individuals.

    ✗ Answer A is incorrect because integrity deals specifically with maintaining the validity of information in a system. Answer B is incorrect because availability is the concept of keeping information and data available for use when it is needed to perform mission functions. Answer C is incorrect because non-repudiation means that actions taken on the system can be proven, beyond doubt, to have been performed by a specific person.

  3. You have been contracted by a large e-commerce company to help mitigate issues they are having with DDoS attacks. They tell you that at least once a week they get hit by DDoS attacks that take down their Web site, which is the primary point of origin for customer orders. Your customer has just described a problem with which concept?

    A. Confidentiality

    B. Accountability

    C. Availability

    D. Integrity

    ✓ Answer C is correct. Availability is having information available for use when it is needed in order to accomplish the organization's mission. Since the company Web site is the primary point of customer orders, any downtime of the Web resources means lost revenue for the customer.

    ✗ Answer A is incorrect because confidentiality is the security principle that deals specifically with keeping sensitive information private and away from the hands of unauthorized individuals. Answer B is incorrect because accountability is the concept of ensuring users of an IT system are held responsible for their actions on the system. Answer D is incorrect because integrity deals specifically with maintaining the validity of information in a system.

  4. Cheryl tells you that she has created the database file you will need for your new customer. She explains that you should be able to log in to the server and download the file from her home directory because she has changed the permissions on the file. You log in and download the file exactly as you expected. Cheryl has just demonstrated what method of access control?

    A. MAC

    B. DAC

    C. RBAC

    D. None of the above

    ✓ Answer B is correct. DAC allows users of an IT system to set specific permissions for each file or object they own or have control over. Cheryl changed the permissions for the database file she created to allow you to download the file.

    ✗ Answer A is incorrect because MAC is hard-coded into the operating system and cannot be altered. Answer C is incorrect because RBAC governs access permissions given to individuals based on their role in the system or the role of the group that individual belongs to.

  5. You have just been hired as the new security manager at Corporation X. The company hired some contractors last year to help improve the company's security posture. They are now the proud new owners of a firewall. Your new manager seems concerned that the firewall might not actually fix all the security problems within the organization. You tell him that security is not a one-step fix but instead is:

    A. A process based on the life cycle of information security that is composed of analysis, improvement, and feedback that is constantly improving the security of the organization.

    B. A two-step process where you install not only a firewall, but also implement a good security policy.

    C. A step-by-step process outlined by the firewall vendor that includes firewall updates and the validity checking of firewall rules.

    D. Possible only through the use of a comprehensive security policy and enforced by a sizeable legal team.

    ✓ Answer A is correct. Improvement in security posture is seen through the use of a life cycle model where improvements are made for observed weaknesses and feedback is given for each solution.

    ✗ Answer B is only partially correct, since the implementation of a good firewall and a security policy will help an organization's security posture but does not lend itself to consistent improvement. Answer C is incorrect because a single product (such as a firewall) cannot solve all the security issues at any organization. Answer D is incorrect because legal means are only sought after a security incident has occurred.

  6. Company Z uses an iterative process for implementing information security. An analysis of the current system is conducted to determine the current security needs of the system. A security plan is drawn up that defines the implementation of new solutions to address the needs. The plan is then implemented and the implementation is tested to ensure that it performs as expected. A feedback process then takes place to provide input on the process and solutions implemented. At this point, the process begins again. What process is Company Z using for security?

    A. The life cycle of information security

    B. Risk assessment process

    C. Change management process

    D. Quality assurance

    ✓ Answer A is correct. The life cycle of information security is an ongoing, iterative process that strives to improve security at the organization over a stretch of time.

    ✗ Answer B is incorrect because the risk assessment process is the evaluation of a system to determine need. Although it addresses one step in the life cycle process, it fails to address the remaining steps. Answer C is incorrect because the change management process is concerned with ensuring that operational systems are not impacted by changes to the system. It is not directly relevant to the life cycle process. Answer D is incorrect because quality assurance ensures that all organizational obligations are met when performing duties or services.

  7. You work for a large product development company that is currently engineering a product for a government agency. As part of this process, your manager has asked you to do an in-depth evaluation of the product to ensure it meets all functional and security requirements. This process is known as what?

    A. Accreditation

    B. Assurance

    C. Certification

    D. Acceptance

    ✓ Answer C is correct. Certification is the process of evaluating a system to ensure it meets all security and functional requirements.

    ✗ Answer A is incorrect because accreditation is the designation of a system as "safe to use" based on a set of security guidelines that have been met. Answer B is incorrect because assurance is a term used to define the level of confidence in a system. System controls, security characteristics, and the actual architecture and design of the system are all pieces of assurance. Answer D is incorrect because acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly.

  8. Your friend works on a government project where she has been developing a mission-specific security tool. She tells you about the system and how it was designed to promote trust in the system through the use of system controls, security characteristics, and secure architecture. Your friend has just described which security term?

    A. Assurance

    B. Accreditation

    C. Certification

    D. Acceptance

    ✓ Answer A is correct. Assurance defines the levels of trust or confidence a system has by its users based on the implementation of security components, system controls, and secure architectural design.

    ✗ Answer B is incorrect because accreditation is the designation of a system as "safe to use" based on a set of security guidelines that have been met. Answer C is incorrect because certification is the result of a process of in-depth evaluation (technical and non-technical) to determine if a system meets all required security guidelines. Answer D is incorrect because acceptance designates that a system has met all security and performance requirements that were set for the project. Performance standards have been met and technical guidelines were followed correctly.

  9. Your manager has decided that it makes sense to have security and quality assurance involved in the development process from the very beginning. The developers, however, are hesitant to relent because they say it will dramatically slow down the development process. Which of the following statements are justification for security involvement in the development process?

    A. It ensures that all policies, laws, and contractual obligations are met by the product.

    B. Security requirements can be defined at the beginning of the development process and tracked through to completion.

    C. Security and quality assurance practices help test and ensure processing integrity with the product. This helps avoid unintentional functionality that could sacrifice security.

    D. All of the above.

    ✓ Answer D is correct. The involvement of security and quality assurance helps ensure that obligations, such as legal and contractual ones, are met in the final product. Security requirements can be defined along with all the other functional requirements to ensure that all the pieces work well together. Processing integrity can also be better performed with the involvement of the security team to look for unexpected functionality or unseen security issues.

    ✗ Each of answers A, B, and C is correct on its own, but all of them are reasonable justification for the involvement of security and quality assurance in the development process, so answer D is the best choice.

  10. Your customer is beginning a quality assurance component within their organization. Their goal is to create a system that will ensure that all obligations are met in the course of normal operations. They ask you to define areas that need to be considered during the quality assurance process. Which of the following most fits their goals for the quality assurance process?

    A. Contractual obligations, organizational policies, and employee availability

    B. Regulations and laws, organizational policies, and contractual obligations

    C. Employee availability, regulations and laws, and contractual obligations

    D. Contractual obligations, organizational policies, and digital signatures

    ✓ Answer B is correct. The quality assurance process ensures that all regulations and laws are respected and adhered to, organizational policies are followed, and all contractual obligations, such as SLAs or QoS agreements, are met.

    ✗ Answers A, C, and D are incorrect because each is missing one important piece of the quality assurance puzzle: employee availability does not make a difference to the quality assurance process, nor does the use of digital signatures.

  11. You work on the internal security team for a company that has been trying to improve their security posture. Over the last year you have had the opportunity to recommend solutions to security issues and implement fixes for the issues. Your manager now tells you it is time to test the security posture of the organization. Who is the appropriate entity for performing this testing?

    A. You should perform the security testing because your team has the most intimate knowledge of the system and the security solutions you have implemented.

    B. Any third-party entity with the appropriate security experience and background to perform security assessments. This provides an objective third-party opinion on the security within the organization that is not hampered by tunnel vision.

    C. Whatever vendor supplied the firewall or intrusion detection solutions for the company should also provide this assessment activity.

    D. No real assessment is necessary at this point because the security concerns have been resolved through the implementation of various security solutions. What is really needed is a review of where the process is at in the information security life cycle.

    ✓ Answer B is correct. An objective third party with no connections to the organization could potentially provide better insight into solutions and problems within the organization.

    ✗ Answer A is incorrect because there is often a conflict of interest when the internal security team provides testing of their own security solutions. Answer C is incorrect because many vendors who sell and implement security devices may or may not have the adequate experience to perform the necessary testing. Answer D is incorrect because the security testing must occur, even though reviews of the information security life cycle may also occur simultaneously.

  12. Company X is considering having a risk assessment performed against their organization. You have been called in as a potential contractor to perform the work. Upper management has a vague understanding of what a risk assessment consists of, but asks you to tell them more about the first general step in your risk assessment process. Which of the following procedures will you begin describing to them?

    A. Recommend solutions to mitigate assessment findings and improve the organization's security posture.

    B. Identify risks to the critical systems based on your prior security experience.

    C. Identify the critical information types within the organization and the critical systems that store, process, and transmit that information.

    D. Identify the costs associated with possible solutions to security problems within the organization.

    ✓ Answer C is correct. Each risk assessment begins with an understanding of those information resources that are critical for an organization to complete its mission.

    ✗ Answers A, B, and D are incorrect because even though they are all parts of the risk assessment process, they are not the first step. Each one depends on an understanding of how the organization completes its mission and what information types are critical to that process. Once you understand these critical information types and the systems associated with them, you can better identify risks to that information and make reasonable recommendations for mitigation of those risks.

  13. Company X decided to let you perform the risk assessment and now you have arrived at the point in the process where you must recommend suitable solutions. The customer seems intent on spending large sums of money to prevent any loss in the system. In some cases, they are willing to spend more than the asset may be worth to the organization. What concept do you discuss with the customer?

    1. The customer needs to understand that there is an acceptable level of loss for each information asset within the organization. The level of acceptable loss needs to be determined by the customer. Beyond that, the organization should not spend more to protect an asset than the asset is actually worth.

    2. The pick and spend concept should be explained so that the customer understands that the more money and resources expended in the protection of an asset, the more secure that asset will remain.

    3. Information resources can never be fully protected so the customer does not need to spend much money in order to give the maximum amount of protection. Consider the least expensive product line to save budget dollars and still get the job done.

    4. You should only give input to the customer when requested by the customer. The customer knows their system better than you and can better come up with quality security solutions.

    þ Answer A is correct. The acceptable level of loss sets customer expectations about how much damage to the system is acceptable before a mitigating solution should kick in. This also helps determine the amount of financial resources that must be spent to protect each asset. No asset should have protective measures in place that cost more than the asset is worth to the organization.

    ý Answer B is incorrect because spending more does not by itself buy more security; there is no "ultimate" solution to be purchased. Answer C is only partially correct: there is indeed no such thing as 100 percent security, but settling on the least expensive solution does not mean the customer will be protected at all. Answer D is incorrect because it suggests deferring all decisions to the customer on the grounds that it is their information system and they know it better than you. Although they may understand the system better, they will not normally have your level of security expertise. They hired you for your knowledge, and you should provide the information that enables them to make wise security decisions.

  14. The concept of secure architecture is intended to protect processes and data within a system from other processes and data in the system. One of the primary components is an abstract machine within the system that mediates every access to every object in the system. This ensures that system objects, processes, files, memory segments, and peripherals are protected. What is the name of this component?

    1. Reference monitor

    2. Hardware segmentation

    3. High security mode

    4. Data hiding

    þ Answer A is correct. The reference monitor is the abstract machine that mediates every access to every object on the system, every time access is requested; the security kernel is the hardware, firmware, and software that implements it. It allows access only if it determines that the subject (an individual, a process, and so on) requesting the object is authorized. To be trusted, the reference monitor must always be invoked (no access path bypasses it), be tamperproof, and be small enough to be verified.

    ý Answer B is incorrect because, although hardware segmentation is also a component of secure architecture, it deals with isolating memory segments from one another so that one process cannot read or alter another's memory. Answer C is incorrect because high security mode is also a component of a secure architecture, but it ensures that processes at different levels of sensitivity or classification do not interact with or contaminate each other. Answer D is incorrect because data hiding keeps sensitive data used by system processes away from processes run by less privileged users of the system.

  15. A colleague from another branch in the same company calls you up and starts explaining how his department is implementing certain access security into their system. The idea is to limit the amount of information each individual is responsible for or is allowed to have access to within the processing cycle. He believes this will help secure the organization because no single person will know everything about the processes in the system and hence, cannot reveal that information. Your colleague has just explained what security concept?

    1. Separation of duties

    2. Least privilege

    3. Change control

    4. Account tracking

    þ Answer A is correct. Separation of duties deals specifically with limiting the amount of information about an entire process chain that any individual knows or has access to. This prevents the unauthorized disclosure of information about the entire processing chain or the data contained within.

    ý Answer B is incorrect because least privilege states that each individual should only have as much system access as they require to perform their job duties. Answer C is incorrect because change control helps ensure that system changes do not impact operational systems or other components. Answer D is incorrect because account tracking is used to ensure that all accounts issued on the system are correct and that they are removed once the employee leaves the organization.

Chapter 4: Audit & Monitoring

  1. You are a senior security administrator in a national organization, and have been instructed by management to provide an audit report with sufficient evidence that the organization's security meets the international security standard ISO 17799. Your first step in this process will be:

    1. Review ISO 17799 to see what it involves.

    2. Purchase or program a CAAT to facilitate the gathering of data.

    3. Call the internal audit company that you use and tell them you need an audit based on ISO 17799.

    4. Call the external audit company that you use and tell them you need an audit based on ISO 17799.

    þ Answer A is correct. Before committing to any actions, you must know as much as possible about the audit that will need to be performed. ISO standards can be very long and complex, and without a good understanding of what needs to be done, you will probably waste a lot of time.

    ý Answer B is incorrect. Purchasing or programming a CAAT (computer-assisted audit technique) is a valid activity if the audit is to be performed by the IS/IT group, or if the internal audit department requests it of IS/IT, but before purchasing or creating a CAAT you must know what the audit is going to involve. Answer C is incorrect. It is a possible activity, but only once you are aware of what is involved in the audit. You were given responsibility for the security audit because you are the senior security administrator. Remember that internal auditors will not often (if ever) be security experts, and you will have to be involved with and direct many of their activities to ensure that they have interpreted the standard correctly and gathered the right information for each type of information system. Answer D is incorrect. This would only come into play if you were specifically directed to use an external auditor, if the internal audit department is not capable of performing the audit, or if policy mandates that this type of security audit be performed by a neutral third party.

  2. Which of the following is an advantage of a continuous auditing approach?

    1. It tests cumulative effects over the course of the time period where the audit is active.

    2. Findings are more relevant and significant.

    3. Audit results are used in decision making.

    4. It allows for better integration with IS/IT personnel.

    þ Answer A is correct. A continuous audit tests cumulative effects over the course of the time period where the audit is active.

    ý Answer B is incorrect. A continuous audit will not produce more significant or relevant findings, as the audit criteria are the same as for a single audit. Analysis of the results of a continuous audit can be placed in a potentially more relevant context, but that is beyond the scope of the question. Answer C is incorrect. While a correct statement in principle, it is not an advantage specific to a continuous audit. Answer D is incorrect. A continuous audit has nothing specific to do with IS/IT personnel.

  3. You are asked to perform an audit of several site locations within an organization of several hundred employees. While conducting the audit, you have determined that there are many potential sources for security issues. Which of the following is not a source for potential problems?

    1. Unauthorized hardware/software purchases are evident

    2. High staff turnover is evident

    3. End-user work requests are significantly backlogged

    4. Employees have cluttered their desks with personal effects

    þ Answer D is correct. Personal effects cluttering desks is not a security risk to company information. It is, however, a risk to productivity as personnel could be easily distracted.

    ý Answer A is incorrect. Unauthorized purchases can lead to personnel appropriating company resources and to a loss of visibility into where money is spent. Answer B is incorrect. High staff turnover causes problems in two areas. First, many people departing at once can make it difficult to cover some job functions. Second, money is lost because constantly training new personnel takes additional resources. Answer C is incorrect. Backlogged user requests (typically in the support departments) are definitely an issue that needs to be resolved.

  4. You work for a large company and are asked to audit the Electronic Data Interchange (EDI) infrastructure. Which of the following is not a recommended audit criterion for this audit?

    1. Verify that only authorized users can access their respective database records.

    2. Verify that only authorized trading partners can access their respective database records.

    3. Verify that operations personnel and programmers can authorize individual transactions.

    4. Verify that EDI transactions comply with organizational policy, are authorized, and are validated.

    þ Answer C is correct. Separation of duties requires that the person who originates a transaction cannot also authorize it. Therefore, to reduce the possibility of collusion or fraud, operations personnel and programmers who have access to data must not have authorization responsibilities as well.

    ý Answer A is incorrect. Unauthorized users should not be able to access files for which permission was not granted. Answer B is incorrect. Trading partners should not have access to each other's data. Answer D is incorrect. EDI transactions should comply with organizational policy and testing should be done to ensure that authorized parties can process transactions.

  5. You are asked to perform an audit of an organization's UNIX environment, and discover that the remote access policies have no specifications for security. After consulting with the IS/IT departments, you learn that the system administrators only need shell access. Choose the best answer for your recommendations:

    1. Telnet offers good authentication for secure remote shell.

    2. SSH offers good encryption for secure remote shell.

    3. A VPN offers good encryption for secure remote shell.

    4. SSH and Telnet through a VPN are both good options for secure remote shell, but Telnet alone should not be permitted.

    þ Answer D is correct. SSH has built-in security for both authentication and encryption. A VPN encrypts all traffic passing through it, including an otherwise insecure Telnet session. Telnet alone has no security features and should not be permitted.

    ý Answer A is incorrect. Telnet has no authentication or encryption features of its own; it merely carries the remote system's login prompt, and the credentials typed into it cross the network in the clear. Answer B is incorrect. SSH is a good option, and this answer does make sense, but the question asks for the best answer. Answer C is incorrect. Telnet through a VPN is also a workable option, and VPNs can offer stronger authentication options than a plain SSH setup, but the Telnet session itself is still unencrypted: once the traffic leaves the VPN endpoint on the server side, anyone on that network segment could sniff it. Like the previous option, this is not the best answer.

  6. Enabling the logging features of an information system and sending them to a central server for analysis is one method of establishing an audit trail. In the event of an incident, these logs would be used to reconstruct a sequence of activities that could help determine exactly how the attacker progresses through systems and services to accomplish their goals. Sometimes, active analyses will be performed on these logs by software that monitors system activities. What type of control is activated by enabling logging features and utilizing monitoring software?

    1. Detective

    2. Corrective

    3. Defective

    4. Selective

    þ Answer A is correct. Logging to a central location and utilizing a monitoring software package (such as an IDS) is a detective control.

    ý Answer B is incorrect. A corrective control would remedy a situation. Logging and monitoring do not remedy anything, although they could be part of the follow-up to an incident, in order to detect whether it recurs. Answer C is incorrect. A defective control is simply a control that is not working properly. Answer D is incorrect. A "selective control" is not a recognized type of control.

  7. The main difference between compliance testing and substantive testing is:

    1. Compliance testing is gathering evidence to test against organizational control procedures, whereas substantive testing is evidence gathering to evaluate the integrity of data and transactions.

    2. Compliance testing is meant to test organizational compliance with federal statutes, and substantive testing is to substantiate a claim.

    3. Substantive testing affirms organizational control procedures, and compliance testing evaluates the integrity of transactions and data.

    4. Compliance testing is subjective and substantive test is objective.

    þ Answer A is the correct answer.

    ý Answers B, C, and D are incorrect. None of them differentiates gathering evidence to test against organizational control procedures (compliance testing) from gathering evidence to evaluate the integrity of data and transactions (substantive testing).

  8. Which one of the following is not associated with the concept of separation of duties?

    1. No access to sensitive combinations of capabilities

    2. No nepotism allowed per organization polices

    3. Prohibit conversion and concealment

    4. Same person cannot originate and approve transaction

    þ Answer B is correct. While it is possible that hiring a relative into an organization or showing a relative preferential treatment is not prudent, it is not related to separation of duties per se.

    ý Answer A is incorrect. No access to sensitive combinations of capabilities is required to prevent one person from having excessive rights. Answer C is incorrect. Prohibition of conversion and concealment is part of separation of duties. Answer D is incorrect. This is an integral component of the separation of duties principle.

  9. Which of the following is the most significant feature of a security audit log?

    1. Verification of successful operation procedures such as data restore

    2. Verification of security policy compliance

    3. Accountability for actions

    4. Archival information

    þ Answer C is correct. The audit log provides accountability for actions, which is why audit logs must be protected from accidental or malicious modification.

    ý Answers A, B, and D are incorrect. Audit logs can provide important operational information, such as whether a data restore succeeded or failed, but tying an action to a specific terminal, user ID, or individual is more significant from a security perspective.

  10. You are asked to perform an audit of an organization and discover that network administrators are connected remotely using a Telnet session. What would you recommend?

    1. Telnet is sufficient for remote administration

    2. SSH should be used for remote administration

    3. Telnet is fine as long as you run it through a VPN tunnel

    4. B and C are both correct

    þ Answer D is correct. SSH is the preferred recommendation, and Telnet inside a VPN tunnel is an acceptable alternative where SSH cannot be used, so both B and C are recommendations you could make.

    ý Answer A is incorrect. Telnet is inherently insecure because it passes credentials in the clear over the connection, where they are susceptible to interception. Answer C on its own is the weaker of the two remaining options: although the VPN tunnel encrypts the session, it does not do so end to end. The encryption terminates at the VPN tunnel endpoints, and the Telnet traffic between the endpoint and the administered host is still susceptible to local interception. This is a possible option but not as effective as Answer B, which is why neither B nor C alone is the best answer.
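    As an added illustration for questions 5 and 10 (not part of the original text), the check below is what an auditor could run against a host's listening sockets and its sshd_config: it flags cleartext remote-shell services (Telnet and the r-commands) and sshd settings that undo SSH's advantage over Telnet. The listener output and configuration file are constructed samples; the listener layout assumes the column order of `ss -tln`, and the fallback values used for absent sshd keywords are assumed OpenSSH defaults.

```python
"""Audit check for remote shell access (added example, not from the appendix).

Flags cleartext remote-shell listeners and weak sshd_config settings.
Inputs are constructed samples: the listener text assumes the column
layout of `ss -tln` (State, Recv-Q, Send-Q, Local Address:Port, Peer).
"""

# Constructed sample of `ss -tln` output.
LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:513            [::]:*
"""

# Constructed sample sshd_config with several weak settings.
SSHD_CONFIG = """\
# sample sshd_config
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
"""

# Services that carry credentials and session data in the clear.
CLEARTEXT_PORTS = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Hardened values an auditor should expect. SSH protocol 1 has known
# weaknesses, and root/password logins widen the attack surface of the one
# remote-shell service that should remain reachable.
REQUIRED = {
    "protocol": ("2",),
    "permitrootlogin": ("no", "prohibit-password", "without-password"),
    "passwordauthentication": ("no",),
    "permitemptypasswords": ("no",),
}

# Values sshd uses when a keyword is absent (assumed OpenSSH defaults).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}


def find_cleartext_listeners(ss_output):
    """Return (port, service) for each LISTEN socket on a cleartext shell port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        if port in CLEARTEXT_PORTS:
            findings.append((port, CLEARTEXT_PORTS[port]))
    return findings


def check_sshd_config(text):
    """Return (keyword, found, expected) for each setting outside REQUIRED.

    Keywords are case-insensitive in sshd_config; only the 'Keyword value'
    form is handled here, not 'Keyword=value' or Match blocks.
    """
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        found[key.lower()] = value.strip().lower()
    problems = []
    for key, ok_values in REQUIRED.items():
        value = found.get(key, DEFAULTS[key])
        if value not in ok_values:
            problems.append((key, value, ok_values[0]))
    return problems


if __name__ == "__main__":
    for port, name in find_cleartext_listeners(LISTENERS):
        print(f"FAIL: {name} listening on port {port}; replace with SSH")
    for key, value, expected in check_sshd_config(SSHD_CONFIG):
        print(f"FAIL: sshd {key} is '{value}', expected '{expected}'")
```

    Run against the constructed samples, the script reports Telnet on port 23 and rlogin on port 513, plus three sshd settings (protocol, root login, password authentication) that an auditor would want changed before accepting "SSH is in use" as a finding closure.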

  11. When preparing an audit trail, which of the following is not recommended as the key query criteria for the resulting report?

    1. By a particular User ID

    2. By a particular server name

    3. By a particular Internet Protocol (IP) address

    4. By a particular exploit

    þ Answer D is correct. Because you cannot accurately predict or anticipate every exploit in advance, an exploit is difficult to use as a query key.

    ý Answers A, B, and C are incorrect. All are examples of concrete criteria that can be distinctly identified and therefore reviewed easily in an audit trail. They are recommended for use as key query criteria.
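    Questions 6 and 11 together describe the detective control in practice: central log collection, parsing, automated detection, and reconstruction of an attacker's path by querying the audit trail on concrete keys. The script below is an added example written for this appendix, not code from the original text or from any product; the syslog-style lines are constructed, the year is assumed (syslog timestamps carry none), and the three-failures-in-five-minutes threshold is an arbitrary tuning value.

```python
"""Central audit trail: parse, detect, and query (added example, not from the appendix).

The log lines below are constructed syslog-style records from two hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # syslog timestamps carry no year

LOG = """\
Mar 12 09:14:55 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 40211 ssh2
Mar 12 09:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 09:15:03 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 12 09:15:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 12 09:15:08 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51125 ssh2
Mar 12 09:16:40 web01 sudo: root : TTY=pts/0 ; PWD=/root ; COMMAND=/usr/bin/tar cf /tmp/x.tar /etc
Mar 12 09:20:12 db01 sshd[910]: Failed password for bob from 10.0.0.9 port 40500 ssh2
Mar 12 09:20:30 db01 sshd[911]: Accepted password for bob from 10.0.0.9 port 40501 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_log(text):
    """Turn raw lines into event dicts keyed on concrete fields (user, host, ip)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # in production, unparsed lines are counted and reported
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev.update(result=None, user=None, ip=None)
        auth = SSH_AUTH.match(ev["msg"])
        if auth:
            ev.update(auth.groupdict())
        elif ev["prog"] == "sudo":
            ev["user"] = ev["msg"].split(" : ", 1)[0]
        events.append(ev)
    return events


def query(events, **criteria):
    """Filter the trail by concrete keys such as user, host, or ip.

    An 'exploit' is not a field in the record, which is why it cannot serve
    as a query key (question 11).
    """
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def detect_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside `window`, and note
    whether a success from the same IP followed: that is the alert to chase first."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"]:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            run = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(run) < threshold:
                continue
            success = next((e for e in evs if e["result"] == "Accepted"
                            and e["ts"] >= run[-1]["ts"]), None)
            alerts.append({"ip": ip, "host": first["host"], "failures": len(run),
                           "first": first["ts"],
                           "then_accepted_as": success["user"] if success else None})
            break
    return alerts


if __name__ == "__main__":
    events = parse_log(LOG)
    for a in detect_brute_force(events):
        print(f"ALERT {a['ip']} -> {a['host']}: {a['failures']} failures, "
              f"then accepted as {a['then_accepted_as']}")
        if a["then_accepted_as"]:
            # Reconstruct what that account did afterwards, across every host.
            for e in query(events, user=a["then_accepted_as"]):
                print(f"  {e['ts']:%H:%M:%S} {e['host']} {e['prog']}: {e['msg']}")
```

    The detection rule is the "active analysis" question 6 refers to; the `query` call is the audit-trail report keyed on a user ID. Because every host ships to the same collector, the sudo entry that follows the successful root login is visible in the same query as the failed attempts that preceded it.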

  12. You are auditing a real estate office and are asked to perform a substantive test. Which of the following is the best example of a substantive test for auditing purposes?

    1. Creation of baseline testing criteria to reduce the likelihood of false positives.

    2. Preventative controls such as a firewall to provide network segmentation.

    3. Interviews with former employees to discover previously known security exploits.

    4. By rerunning financial calculations. For example, choose a sample of accounts and house sales closing costs to see if the formulas work as expected and resulting data matches.

    þ Answer D is correct. Substantive tests may include a test of transactions or analytical procedures.

    ý Answer A is incorrect. This describes an aspect of IDS tuning, not a substantive test. Answer B is incorrect. A firewall is a preventative control, not a test; substantive testing evaluates the integrity of data and transactions. Answer C is incorrect. Interviews are considered data gathering, not testing procedures.

  13. You are asked to perform an audit of several site locations within an organization of several hundred employees. Which of the following are considered flags for potential problems during an audit? (Choose all that apply.)

    1. Unauthorized hardware/software purchases are evident

    2. High staff turnover is evident

    3. End user work requests are significantly backlogged

    4. Employees have cluttered their desks with personal effects

    þ Answers A, B, and C are correct. Many indicators point to an ineffective organization and invite circumvention of security policy. Unauthorized hardware/software purchases introduce significant liability and financial penalties for an organization if licensing agreements are violated. High staff turnover is often an indicator of low morale and may lead to a pervasive "lack of ownership" attitude in which employees do not feel personally responsible for achieving organizational security goals. A backlog of work requests may indicate that the current operations workflow is not efficient. If the quality and effectiveness of operational procedures are in disarray, there is a good possibility that security practices will be negatively affected as well.

    ý Answer D is incorrect. Personal effects cluttering employees' desks are not an audit flag per se unless the clutter includes user ID and password "cheat sheets" or other security violations. Also, if family or pets' names are visible and strong passwords are not in use, the employee could become subject to password guessing based on the personal items on the desk combined with a weak password.

  14. You are asked to audit a relatively small organization with an IS staff of fewer than five people. If complete separation of duties is not feasible in this organization, which two of the following at a minimum should not be combined?

    1. Transaction correction

    2. Transaction authorization

    3. Transaction origination

    4. Transaction recording

    þ Answer B is correct. Unauthorized use and allocation of records is made possible when separation of duties is not in place. Authorization is the key recordkeeping function that must be separated from the other three.

    ý Answers A, C, and D are incorrect. Transaction correction, origination, and recording are standard recordkeeping procedures that must not be combined with authorization. Combining authorization with any one of these three increases the possibility of fraud.
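    Questions 4, 8 and 14 all reduce to checks an auditor can automate over a transaction log and a list of role assignments: the same identity must never both authorize a transaction and originate, record or correct it, and no one should hold a sensitive combination of capabilities such as programmer plus approver. The script below is an added example written for this appendix, not from the original text; the transactions, user names and role names are constructed, and the "warning" tier for a small shop that cannot separate every function (question 14) is the editor's own ranking.

```python
"""Separation-of-duties checks over a transaction log (added example, not from the appendix)."""

# Constructed transaction records: who performed each recordkeeping function.
TRANSACTIONS = [
    {"id": "T-1001", "originator": "carol", "authorizer": "dave", "recorder": "erin", "corrector": None},
    {"id": "T-1002", "originator": "dave", "authorizer": "dave", "recorder": "erin", "corrector": None},
    {"id": "T-1003", "originator": "carol", "authorizer": "frank", "recorder": "erin", "corrector": "frank"},
    {"id": "T-1004", "originator": "carol", "authorizer": "dave", "recorder": "dave", "corrector": None},
    {"id": "T-1005", "originator": "erin", "authorizer": "dave", "recorder": "erin", "corrector": None},
]

# Constructed role assignments and the combinations question 4 rules out.
USER_ROLES = {
    "dave": {"approver", "operations"},
    "frank": {"approver"},
    "gina": {"programmer", "approver"},
    "erin": {"clerk"},
}
SENSITIVE_COMBINATIONS = [
    frozenset({"programmer", "approver"}),
    frozenset({"operations", "approver"}),
]

OTHER_FUNCTIONS = ("originator", "recorder", "corrector")


def sod_violations(transactions):
    """Return one finding per transaction that breaks separation of duties.

    'critical': authorization combined with origination, recording or correction,
                the minimum separation question 14 asks for.
    'warning':  one person performs two of the other three functions, acceptable
                in a small shop only with compensating review.
    """
    findings = []
    for tx in transactions:
        auth = tx["authorizer"]
        clash = [f for f in OTHER_FUNCTIONS if tx[f] and tx[f] == auth]
        if clash:
            findings.append({"id": tx["id"], "severity": "critical",
                             "detail": f"{auth} authorized and acted as {', '.join(clash)}"})
            continue
        people = [tx[f] for f in OTHER_FUNCTIONS if tx[f]]
        if len(people) != len(set(people)):
            findings.append({"id": tx["id"], "severity": "warning",
                             "detail": "one person performed two recordkeeping functions"})
    return findings


def toxic_combinations(user_roles, combinations=SENSITIVE_COMBINATIONS):
    """Return (user, 'roleA+roleB') for every user holding a sensitive role pair."""
    hits = []
    for user, roles in user_roles.items():
        for combo in combinations:
            if combo <= roles:
                hits.append((user, "+".join(sorted(combo))))
    return hits


if __name__ == "__main__":
    for f in sod_violations(TRANSACTIONS):
        print(f"{f['severity'].upper():8} {f['id']}: {f['detail']}")
    for user, combo in toxic_combinations(USER_ROLES):
        print(f"CRITICAL role assignment: {user} holds {combo}")
```

    The transaction check catches fraud after the fact (a detective control); the role check catches the condition that makes it possible before any transaction is entered, which is the preventative side of the same principle.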

  15. A relatively small organization of less than 50 employees is considering outsourcing data processing and Web services. You are asked to review the Service Level Agreements of the HSP for this organization. Which of the following should you consider first from an information security audit perspective?

    1. That the legal agreement includes a "Right to Audit" clause

    2. That specific security controls are outlined in the services agreement

    3. That cost of services aligns with industry standards

    4. That the services being offered align with business needs

    þ Answer D is correct. The auditor needs to ensure that the personnel responsible for determining business needs and required services are properly engaged and aligned. If business needs and the services being purchased are not matched, the service provider may charge for services that are excessive and not required.

    ý Answer A is incorrect. A "Right to Audit" clause is an important aspect of service level agreements, but it is not the first thing to consider. To prevent misdirected allocation of resources and funds, the appropriate business personnel need to provide the business requirements first. "Right to Audit" is significant but is considered a detective control. Answer B is incorrect. Identification of security objectives is important to establish which assets are to be protected and to what degree. The mechanisms used to protect those assets change with technology, but the end result, the guaranteed level of protection, is what matters. Answer C is incorrect. The cost of services matters when comparing several vendors, but it comes after verifying that the services offered align with business needs and that the proper decision-making business personnel are engaged.

Chapter 5: Risk, Response, and Recovery

  1. You are performing risk management on a new project being developed by your company. At this point in the risk management cycle, you have recognized certain risks as being potentially harmful. Which phase of the risk management cycle have you just completed?

    1. Identification

    2. Assessment

    3. Monitoring

    4. Control

    þ Answer A is correct. Identification is where each risk is recognized as being potentially harmful. This is the first phase of the risk management cycle, where risks are identified.

    ý Answer B is incorrect, because assessment is where the consequences of a potential threat are determined and the likelihood and frequency of a risk occurring are analyzed. Answer C is incorrect, because monitoring is where risks are tracked and strategies are evaluated. Answer D is incorrect, because control is where steps are taken to correct plans that are not working, and improvements are made to the management of a risk.

  2. As part of your risk management planning, you want the appropriate parties to understand various risks that are facing the organization. To accommodate this decision, you want to develop education for these people that will best suit their needs for dealing with risks. Which of the following members of your organization will you create education plans for?

    1. Senior management

    2. IT staff

    3. Users

    4. All of the above

    þ Answer D is correct. By giving management the ability to understand the risks, they will be able to make well-informed decisions. By training decision makers on potential threats, they will be able to make informed decisions on the budgeting needed to manage risks, and to justify expenditures made by IT staff. IT staff should also be the focus of an education program, so that they can deal effectively with risks if they become actual problems. Finally, users should be aware of potential threats, so they can identify problems as they occur and report them to the necessary persons.

    ý Answers A, B, and C are incorrect, because all of them should be included in an educational program on risks.

  3. You are developing a training plan, to inform certain people in your organization on various risks associated with projects and the company as a whole. You want the people involved to know how they are to deal with hacking attempts, viruses, and other incidents, and which servers in the organization may be involved. As part of an education plan, you are determining what may be used to inform users about how to deal with these risks when they become actual problems. Which of the following will you not include in your education plan?

    1. Policies and procedures

    2. Knowledge bases

    3. Procedures used by other companies

    4. Handouts specifically created for the training session

    þ Answer C is correct. Because the procedures used by other companies would address other servers and systems, they may be different from your own. In addition, these other companies may have policies and procedures that violate those of your own company.

    ý Answer A is incorrect because policies, procedures, and other documentation should be available through the network, as it will provide an easy, accessible, and controllable method of disseminating information. Answer B is incorrect because knowledge bases are databases of information providing information on the features of various systems and solutions to problems that others have reported. Many software and hardware manufacturers provide support sites and knowledge bases that contain such valuable information. Answer D is incorrect because in classroom or one-on-one training sessions, training handouts are often given to detail how certain actions are performed, and the procedures that should be followed. These handouts can be referred to when needed, but may prove disastrous if this material falls into the wrong hands.

  4. A risk has been identified where employees have been entering inaccurate data into a financial application that is used to track payroll deductions. Which of the following measures should be taken to determine where this inaccurate data has been entered, so the problem can be fixed?

    1. ARO

    2. Planning

    3. Validation

    4. Identification

    þ Answer C is correct. Validation methods may be used to ensure that data has been entered correctly into systems. This should be done by performing both internal audits of processes, and by using third-party validation.

    ý Answer A is incorrect because the ARO (annualized rate of occurrence) is the expected number of times a risk occurs within a year. Answer B is incorrect because planning involves generating strategies to deal with specific risks. Answer D is incorrect because identification is where a risk is recognized as being potentially harmful. In this case, the risk has already been identified, and measures need to be taken to deal with it.

  5. A company has opened a branch office in an area where monsoons have struck twice over the last three years. While there is a distinct possibility that the storms may cause damage to the building, the company has decided to do nothing other than purchase insurance to cover the costs of repairing any damage that occurs. Which of the following risk mitigation options have been chosen?

    1. Assumption

    2. Avoidance

    3. Planning

    4. Transference

    þ Answer D is correct. With transference, the risk is transferred to another source so that any loss can be compensated or the problem becomes that of another party. Since insurance was purchased, the loss has indeed been transferred to the insurer.

    ý Answer A is incorrect because with assumption the risk is accepted and a decision is made to continue operating, or to lower the likelihood and consequences of the risk by implementing controls. Answer B is incorrect because with avoidance the risk is avoided by removing its cause or consequences. Answer C is incorrect because planning requires that a plan be developed to prioritize, implement, and maintain safeguards.

  6. A colleague is assisting in a risk management project, and is responsible for identifying assets and determining their value. This co-worker is unsure how to proceed in determining the value of some assets. Which of the following factors will you inform the colleague not to use in asset valuation?

    1. The market value of the asset

    2. The cost to support the asset

    3. The ALE associated with the asset

    4. The importance of the asset to the organization

    þ Answer C is correct. The ALE (annualized loss expectancy) is not used to determine the value of an asset; rather, asset valuation is one of the inputs needed to calculate the ALE.

    ý Answers A, B, and D are incorrect because the market value of the asset, the importance of an asset to the organization, and the cost of supporting an asset are all factors that are used in asset valuation.

  7. As part of the risk management process, you create scenarios that examine various situations, and then rank threats and risks associated with them. In doing so, you are attempting to project what could occur from particular events and the damage that could be caused. What type of analysis are you performing?

    1. Qualitative analysis

    2. Quantitative analysis

    3. Both of the above

    4. None of the above

    þ Answer A is correct. The primary component of qualitative analysis is the creation of scenarios, which are outlines or models built from anticipated or hypothetical events. The scenario begins with a focal point, such as a particular decision, and then tries to predict what could occur from that point. In doing so, different risks are identified and ranked.

    ý Answer B is incorrect, because quantitative analysis uses values and equations to analyze risks and their impact on the company. Answers C and D are incorrect, because qualitative analysis is the correct answer.

  8. A company is planning to install new payroll software that is to be used by the Finance department. The vendor claims that other companies have had no problems with the software, except when the server on which it is installed fails to function. After discussing this with the IT staff, you find that there is a 10 percent chance of this occurring annually, as the current server is old and due to be replaced at some point. When the server fails, they can get it back online within an hour, on average. If the Finance department is unable to perform their work, it can result in a $5,000 per hour loss. Based on this information, what is the total cost of the risk?

    1. $5,000

    2. $500

    3. 10 percent

    4. 1 percent

    þ Answer A is correct. The SLE (single loss expectancy) is the total cost of a single occurrence of the risk: one hour of downtime at $5,000 per hour, or $5,000.

    ý Answer B is incorrect, because this is the ALE. Answer C is incorrect, because this is the ARO. Answer D is incorrect, because this figure has no relevance in the scenario.

  9. A company is planning to implement a new Web server, which is estimated as being available and running properly 98 percent of the time every year. When it fails, the IT staff feel they can bring it back online within an average of two hours. Because the Web server hosts the company's e-commerce site, the cost of the server failing can result in losses of $10,000 per hour. Based on this information, what is the ALE?

    1. 2 percent

    2. $20,000

    3. $4,000

    4. $8,000

    þ Answer C is correct. The ALE is calculated by multiplying the ARO by the SLE: ARO × SLE = ALE. Here the SLE is two hours × $10,000 per hour = $20,000, and the answer key takes the 2 percent downtime figure as the ARO, giving 0.2 × $20,000 = $4,000. Note that the key's arithmetic uses 0.2 rather than 0.02 (2 percent written as a fraction), which would give $400; strictly speaking an availability percentage is not an event count, and a true ARO would be derived from the expected number of two-hour outages per year. For the exam, apply the formula with the figures the question supplies.

    ý Answer A is incorrect, because this is the ARO. Answer B is incorrect, because this is the SLE. Answer D is incorrect, because this figure has no relevance in the scenario.
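    Questions 6, 8 and 9 rest on the SLE, ARO and ALE relationships, and question 13 in chapter 3 adds the spending rule that follows from them. The functions below are an added example, not from the original text: they carry the formulas through for both scenarios, show how an availability percentage would have to be converted into an event count before it can serve as an ARO (question 9's key uses the percentage directly), and apply the cost-benefit test a practitioner runs before recommending a safeguard. The safeguard cost and residual-loss figures in the usage section are constructed.

```python
"""Quantitative risk arithmetic: SLE, ARO, ALE and safeguard cost-benefit
(added example, not from the appendix)."""

HOURS_PER_YEAR = 24 * 365


def single_loss_expectancy(loss_per_hour, hours_down):
    """SLE: cost of one occurrence, here downtime hours times hourly loss."""
    return round(loss_per_hour * hours_down, 2)


def annualized_loss_expectancy(aro, sle):
    """ALE = ARO x SLE. ARO is expected occurrences per year (0.10 = once a decade)."""
    return round(aro * sle, 2)


def outages_per_year(availability, mean_outage_hours):
    """Convert an availability figure (0.98 = 98 percent) into an ARO.

    Annual downtime is (1 - availability) x hours in a year; dividing by the
    mean outage length gives the expected number of outages, which is what
    ARO x SLE assumes. Question 9's answer key instead uses the percentage
    itself as the ARO, which gives a far smaller ALE.
    """
    return (1 - availability) * HOURS_PER_YEAR / mean_outage_hours


def safeguard_value(ale_before, ale_after, annual_cost):
    """Annual value of a safeguard: loss avoided minus what the safeguard costs."""
    return round((ale_before - ale_after) - annual_cost, 2)


def worth_buying(ale_before, ale_after, annual_cost, asset_value=None):
    """The rule behind chapter 3, question 13: never spend more than the loss
    avoided, and never more per year than the asset is worth."""
    if asset_value is not None and annual_cost > asset_value:
        return False
    return safeguard_value(ale_before, ale_after, annual_cost) > 0


if __name__ == "__main__":
    # Question 8: 10 percent chance per year, one hour down, $5,000 per hour.
    sle8 = single_loss_expectancy(5_000, 1)               # 5000
    ale8 = annualized_loss_expectancy(0.10, sle8)          # 500
    # Question 9: two-hour outages at $10,000 per hour; the key treats 2 percent as ARO 0.2.
    sle9 = single_loss_expectancy(10_000, 2)              # 20000
    ale9_key = annualized_loss_expectancy(0.2, sle9)       # 4000, the answer key's figure
    ale9_count = annualized_loss_expectancy(outages_per_year(0.98, 2), sle9)  # 1752000
    print(f"Q8 SLE={sle8} ALE={ale8}; Q9 SLE={sle9} ALE(key)={ale9_key} ALE(outage count)={ale9_count}")
    # Constructed safeguard: a $2,000/year replacement server cuts Q9's key ALE to $400.
    print("buy server:", worth_buying(ale9_key, 400, 2_000))    # True
    # Constructed counterexample: an $800/year control to remove Q8's $500/year risk.
    print("buy control for Q8:", worth_buying(ale8, 0, 800))    # False
```

    The gap between the two question 9 figures is the point of the `outages_per_year` helper: an ALE is only as good as the ARO it is multiplied by, so the first thing to check in any quantitative assessment is whether the ARO is really a count of events per year.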

  10. You are the administrator of a network that is spread across a main building and a remote site several miles away. You make regular backups of the data on servers, which are centrally located in the main building. Where should you store the backup tapes so they are available when needed in the case of a disaster? (Choose all that apply.)

    1. Keep the backup tapes in the server room within the main building, so they are readily at hand. If a disaster occurs, you will be able to obtain these tapes quickly, and restore the data to servers.

    2. Keep the backup tapes in another section of the main building, so they are readily at hand.

    3. Keep the backup tapes in the remote site.

    4. Keep the backup tapes with a firm that provides offsite storage facilities.

    þ Answers C and D are correct. Keep the backup tapes in the remote site, or with a firm that provides offsite storage facilities. Since the company has a remote location that is miles from the main building, the tapes can be kept there for safekeeping. A firm can also be hired to keep the tapes in a storage facility. When a disaster occurs, you can then retrieve these tapes and restore the data.

    ý Answers A and B are both incorrect, because a disaster that affects the server room or main building could also destroy the backup tapes if they were stored in these locations.

  11. An employee has been sending e-mails to a coworker, flirting and asking her to go on a date. Some of the language in the e-mails has been explicit as to the employee's intentions, and the coworker has asked this person not to send any further e-mails of this type. The coworker has now complained about this activity and would like the company to do something about it. Which of the following types of policy could be invoked to discipline the employee sending these unwanted e-mails?

    1. Acceptable use policy

    2. Disaster recovery plan

    3. Incident response plan

    4. Business continuity plan

    þ Answer A is correct. This type of policy establishes guidelines on the appropriate use of technology. It is used to outline what types of activities are permissible when using a computer or network, and what an organization considers proper behavior. Being in breach of this policy could result in severe disciplinary actions, such as being terminated from the company's employ.

    ý Answer B is incorrect, because a disaster recovery plan provides procedures for recovering from a disaster after it occurs, and addresses how to return normal IT functions to the business. Answer C is incorrect, because an incident response plan addresses the various incidents that could occur, and relates the procedures that should be followed if such events happen. Answer D is incorrect, because a business continuity plan identifies the key functions of an organization and the threats most likely to endanger them, and creates processes and procedures that ensure these functions will not be interrupted (at least for long) in the event of an incident.

  12. You believe that someone has hacked into a Windows 2000 server on your network, and want to view a list of the IP addresses for machines currently connected to the server. Which tool will you use?

    1. PING

    2. NETSTAT

    3. NSLOOKUP

    4. ROUTE

    þ Answer B is correct. NETSTAT lists the active TCP/IP connections on a machine, including the foreign (remote) address and state of each, so it can show whether an intruder is still connected to a particular computer. Run it as netstat -an so that addresses are shown numerically; this is faster and avoids the reverse DNS lookups that name resolution would trigger.

    ý Answer A is incorrect, because PING only tests whether another IP address is reachable (and how long the round trip takes); it does not list connections. Answer C is incorrect, because NSLOOKUP is used to query name resolution. It lets you look up the IP address for a hostname and the hostname for an IP address. Answer D is incorrect, because ROUTE is used to view and modify the routing table, which determines how packets are sent from the computer to other networks.
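As an added example (not from the book), the following Python parses netstat -an output and pulls out the remote addresses of established connections, which is the question the investigator actually wants answered. The sample output is constructed to resemble a Windows 2000 host and is not a real capture; the trusted address prefixes are an assumption for the demonstration.

```python
import re

# Constructed sample of "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.22:1044      ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.77:51532     ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.77:51540     ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.22:1051      TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

# One connection line: protocol, local address, foreign address, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

def split_addr(addr):
    """'203.0.113.77:51532' -> ('203.0.113.77', 51532); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn raw netstat output into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_addr(m.group("local"))
        rhost, rport = split_addr(m.group("remote"))
        rows.append({"proto": m.group("proto"), "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport, "state": m.group("state")})
    return rows

def connected_peers(text, state="ESTABLISHED"):
    """Map each remote IP with a live connection to the local ports it is attached to."""
    peers = {}
    for r in parse_netstat(text):
        if r["state"] == state:
            peers.setdefault(r["remote_host"], []).append(r["local_port"])
    return peers

def peers_outside(text, trusted_prefixes=("192.168.", "10.")):
    """Remote addresses of established connections that fall outside trusted ranges
    (the prefixes are an assumption for this demonstration)."""
    return sorted(ip for ip in connected_peers(text) if not ip.startswith(trusted_prefixes))
```

On a live host you would feed it the output of subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout instead of the constructed sample. Remember that a rootkit on the compromised host can hide connections from netstat, so cross-check against a capture taken from outside the host.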

  13. As part of the incident investigation process, you create contact information showing who will need to be contacted during an incident, and give this information to department managers. Since you are concerned that some members of the incident response team may not remember every password, or know all of them, you also write down system passwords, seal them in an envelope, and put them in a safe. In which phase of the incident investigation process are you currently performing tasks?

    1. Preparation

    2. Detection

    3. Containment

    4. Eradication

    þ Answer A is correct. During the preparation phase of the incident investigation process, tasks are performed to prepare for when (or if) an incident occurs. This could include making a contact list of people and documenting passwords that may be required during an investigation.

    ý Answer B is incorrect, because detection involves determining if an incident has actually occurred. Answer C is incorrect, because containment prevents an incident from spreading further. Answer D is incorrect, because eradication involves removing the source of an incident.

  14. When performing a forensic investigation, you are prepared to document certain facts dealing with the incident. This will provide information that may be used in court, and will refresh your memory when the time comes that you have to testify. Which of the following pieces of information are the most important to include in your documentation?

    1. Tasks that were performed to obtain evidence, and the date and time of every activity that was documented.

    2. The tasks performed as part of your job throughout the day.

    3. Information on your skills, training, and experience to validate your ability to perform the examination.

    4. The beginning and ending times of your work shift.

    þ Answer A is correct. Information that is documented in the course of an investigation should include the date, time, conversations pertinent to the investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else that was relevant to the forensic procedures that took place.

    ý Answer B is incorrect, because a list of every task performed as part of your job throughout the day will generally not be pertinent to an investigation. Answer C is incorrect, because a résumé of your abilities is not generally relevant to document during the investigation. A copy of this information can be added to the documentation later if it is being submitted for the purpose of criminal or civil litigation; however, documentation created during the investigation should deal strictly with the case. Answer D is incorrect, because the times you started and ended your shift are generally not pertinent to the investigation.

  15. You have created an image of the contents of a hard disk to be used in a forensic investigation. You want to ensure that this data will be accepted in court as evidence. Which of the following tasks must be performed before it is submitted to the investigator and prosecutor?

    1. Copies of data should be made on media that is forensically sterile.

    2. Copies of data should be copied to media containing documentation on findings relating to the evidence.

    3. Copies of data should be stored with evidence from other cases, so long as the media is read-only.

    4. Delete any previous data from media before copying over data from this case.

    þ Answer A is correct. Copies of data should be made on media that is forensically sterile. This means that the disk has no other data on it, and has no viruses or defects. This will prevent mistakes involving data from one case mixing with other data, as can happen with cross-linked files or when copies of files are mixed with others on a disk. When providing copies of data to investigators, defense lawyers, or the prosecution, the media used to distribute copies of evidence should also be forensically sterile.

    ý Answer B is incorrect because the copied data would then reside alongside other documentation, so the media is no longer forensically sterile. Answer C is incorrect because it would mix the data with data from other cases, which could make the evidence inadmissible in court. Answer D is incorrect because deleting files only removes their entries from the file system's directory and allocation structures (for example the FAT, or the NTFS master file table); the contents remain on the media until they are overwritten. Deleted data therefore still resides on the media, meaning that it is not forensically sterile. Sterile media is produced by overwriting every sector (for example with zeros) and verifying the result, not by deleting files or quick-formatting.
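As an added example (not from the book), this Python shows the two checks a practitioner performs around copying evidence: verifying that the destination media is forensically sterile (every byte reads as zero) before writing to it, and verifying by hash that the copy matches the source afterwards. The files are constructed in a temporary directory to stand in for an acquired image and for two target media; on real hardware the same functions would be pointed at device nodes.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never have to fit in memory

def sha256_file(path):
    """SHA-256 of a file or device, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def is_forensically_sterile(path):
    """True only if every byte on the target is zero, i.e. it has been wiped and verified."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True

def copy_and_verify(src, dst):
    """Refuse to write onto non-sterile media; otherwise copy and return
    (source_hash, destination_hash, hashes_match)."""
    if not is_forensically_sterile(dst):
        raise ValueError("destination media is not forensically sterile; wipe and verify it first")
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    src_hash, dst_hash = sha256_file(src), sha256_file(dst)
    return src_hash, dst_hash, src_hash == dst_hash

def demo():
    """Constructed demonstration: a fake image, a zero-filled target and a target with
    leftover data from a previous case (the 'deleted but still present' situation)."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "evidence.dd")
    wiped = os.path.join(d, "wiped_target.dd")
    dirty = os.path.join(d, "dirty_target.dd")
    with open(image, "wb") as f:
        f.write(os.urandom(4096))                                   # stand-in for an acquired disk image
    with open(wiped, "wb") as f:
        f.write(b"\x00" * 8192)                                     # zero-filled: sterile
    with open(dirty, "wb") as f:
        f.write(b"\x00" * 4000 + b"old case data" + b"\x00" * 4000)  # remnants survive deletion
    results = {
        "wiped_sterile": is_forensically_sterile(wiped),
        "dirty_sterile": is_forensically_sterile(dirty),
        "copy_verified": copy_and_verify(image, wiped)[2],
    }
    try:
        copy_and_verify(image, dirty)
        results["dirty_rejected"] = False
    except ValueError:
        results["dirty_rejected"] = True
    return results
```

Record both hashes in the chain-of-custody log at the time of the copy; the hash of the working copy is what lets you show in court that it is identical to the original.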

Chapter 6: Cryptography

  1. Encryption involves taking ordinary data and manipulating it so that it is not readable except by the desired party. The resulting secret message created in an encryption process is called?

    1. The one-time pad

    2. Ciphertext

    3. Message digest

    4. Digital signature

    þ Answer B is correct. The resulting encrypted data is called the ciphertext.

    ý Answer A is incorrect because a one-time pad is a key (a random keystream as long as the message, used once), not the output of encryption. Answers C and D are incorrect because message digests and digital signatures do not contain the data that is encrypted; they are values computed from that data.

  2. Which of the following is not a symmetric algorithm?

    1. RSA

    2. IDEA

    3. DES

    4. AES

    þ Answer A is correct. RSA is a public key system, not a symmetric algorithm.

    ý Answers B, C, and D are incorrect because all are symmetric, or private key algorithms.

  3. You are designing a high-speed encryption system for data communications. You believe that the best performance will be achieved through the use of a stream cipher. Which of the following do you select for your application?

    1. MAC

    2. MD5

    3. RC4

    4. RSA

    þ Answer C is correct. RC4 is a stream cipher: it expands the key into a keystream that is XORed with the data one byte at a time, which is why it is fast. Note that RC4 is now considered broken because of biases in its keystream, and RFC 7465 prohibits its use in TLS; a new design should not select it.

    ý Answer A is incorrect because a MAC is a message authentication code, an integrity check rather than a cipher. Answer B is incorrect because MD5 stands for Message Digest 5; message digests are not stream ciphers. Answer D is incorrect because RSA stands for Rivest, Shamir, and Adleman, the names of its creators; it is a public key algorithm used for encryption, key transport, and digital signatures, and it is far too slow for bulk data.

  4. Your boss would like to evaluate a VPN solution from a new vendor and asks for your opinion regarding the strength of the system. You reply that the strength of an encryption process should rely on:

    1. The strength of the encryption algorithm used

    2. The secrecy of the algorithm used

    3. The speed of the encryption process

    4. The use of ASICs for hardware encryption

    þ Answer A is correct. The use or choice of strong keys of sufficient length is also important, as are other issues such as the secrecy of those keys, passphrase(s), and other factors.

    ý Answer B is incorrect because a strong encryption process should not depend on the algorithm remaining secret; this is Kerckhoffs's principle, and published, publicly analyzed algorithms are preferred precisely because their strength has been tested. Answer C is incorrect because the speed of an encryption implementation may be important, but is unrelated to its inherent strength. Answer D is incorrect because the choice of hardware such as ASICs is independent of the strength of the encryption process. Encryption strength should be equal regardless of whether it is implemented in hardware or software.

  5. Digital signatures are created by?

    1. Block ciphers

    2. MACs

    3. Hashing functions

    4. Cryptanalysis

    þ Answer C is correct. Digital signatures are created through the use of hashing functions: the message is first hashed, and the fixed-size digest is then signed with the signer's private key. The recipient recomputes the hash and checks it against the signature using the signer's public key.

    ý Answer A is incorrect because block ciphers are not involved in creating digital signatures. Answer B is incorrect because a MAC (Message Authentication Code) is computed with a shared secret key, so it cannot prove which of the two parties produced it. Answer D is incorrect because cryptanalysis is the attempt to recover plaintext from ciphertext.

  6. In a PKI system certificates are issued by:

    1. The client

    2. The government

    3. The CA

    4. The ORA

    þ Answer C is correct. Certificate Authorities issue and revoke certificates in PKI systems.

    ý Answer A is incorrect because clients may possess certificates, but do not issue them. Answer B is incorrect because the government is a non sequitur in this question. Answer D is incorrect because an ORA verifies certificate holders, their identities, and public keys in a PKI system.

  7. Your manager asks you how she knows if her digitally signed messages have been altered. You reply that if a single bit changes in a message with a digital signature then:

    1. The signature will match with the addition of a single bit

    2. The signature will not match and will not validate the message

    3. The message will be unreadable

    4. The sender will be unknown

    þ Answer B is correct. Even a single bit changed will result in the digital signature not matching. This will alert the recipient to the change.

    ý Answer A is incorrect because bits cannot be added to a signature; a signature is a fixed size. Answer C is incorrect because the message itself will still be readable; only the verification fails. Answer D is incorrect because the signature does not affect knowledge of the sender.
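As an added example covering questions 5 and 7 (not code from the book), this Python shows hash-then-sign and why a single changed bit breaks verification while leaving the message perfectly readable. It uses textbook RSA with a fixed pair of small Mersenne primes and no padding, which is insecure and chosen only so the example runs without a library; real signatures use random primes of 1024 bits or more each and a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Fixed, deliberately small key for illustration only (Mersenne primes 2^127-1 and 2^107-1).
# Never do this for real: use random primes of proper size and a padding scheme.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)

def digest_int(message):
    """Hash first: the signature is computed over a fixed-size digest, not the message.
    SHA-224 keeps the digest (224 bits) below the toy modulus (about 234 bits)."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")

def sign(message, d=D, n=N):
    """Signer: hash the message, then apply the private key to the digest."""
    return pow(digest_int(message), d, n)

def verify(message, signature, e=E, n=N):
    """Verifier: apply the public key to the signature and compare with a fresh hash."""
    return pow(signature, e, n) == digest_int(message)

def flip_bit(data, bit_index):
    """Flip one bit of the message to show that any change invalidates the signature."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)
```

Because the signature is over the digest, its size depends on the key, not the message, which is why answer A in question 7 (bits "added" to the signature) is impossible; and because the message travels in the clear, a tampered copy is still readable, which is why answer C is wrong.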

  8. Key escrow involves which of the following options?

    1. Key storage on read-only media

    2. The placement of a private key with a trusted third party

    3. Destruction of keys after use

    4. Sharing of keys between trusted users

    þ Answer B is correct. Key escrow places a copy of a private (or secret) key with a trusted third party so that the key can be recovered, for example if the owner loses it or under a lawful order. It deliberately creates a recovery path that bypasses the key owner, which is why escrow arrangements must be tightly controlled and audited.

    ý Answer A is incorrect because storing keys on read-only media is a storage choice, not escrow. Answer C is incorrect because destroying keys after use is the opposite of keeping them recoverable. Answer D is incorrect because sharing keys between users is key distribution, not escrow.

  9. Your manager has heard much regarding a vendor's use of Kerberos authentication in their product, and she wants to know what Kerberos is. You reply that it is:

    1. A public key authentication protocol

    2. An encryption algorithm for authentication protocols

    3. A vendor-specific authentication system

    4. A secret key authentication protocol

    þ Answer D is correct. Kerberos is a secret key authentication protocol.

    ý Answer A is incorrect because Kerberos is based on shared secret keys and tickets issued by a key distribution center (KDC), not on public key cryptography. Answer B is incorrect because Kerberos is a protocol, not an encryption algorithm. Answer C is incorrect because Kerberos is an open standard and not vendor specific.

  10. Your database administrator would like his project's data encrypted and it includes an entire hard disk partition. What is the best choice for bulk data encryption?

    1. A one-time pad

    2. A private key system

    3. An asymmetric encryption system

    4. A hashing algorithm

    þ Answer B is correct. A private key system will provide the performance needed to encrypt large amounts of data.

    ý Answer A is incorrect because a one-time pad would require a key the size of the data set, thereby doubling the entire storage requirement, and is impractical. Answer C is incorrect because asymmetric systems are considered too slow for large encryption tasks. Answer D is incorrect because hashing would be a non-productive method of encrypting data for storage.

  11. Security for public key exchanges can be provided by:

    1. Courier

    2. Known plaintext

    3. Known ciphertext

    4. Digital certificates

    þ Answer D is correct. A digital certificate binds a public key to the identity of its owner and is signed by a certificate authority, so the recipient of a public key can verify whose key it is before trusting it. In a PKI system, the CA provides this assurance.

    ý Answer A is incorrect because, while a courier might carry a key, this answer bears little relation to modern data cryptography. Also, couriers may not be trustworthy. Answer B and Answer C are incorrect because they are types of cryptographic attacks.

  12. What is the definition of steganography?

    1. The hiding of ciphertext within plaintext

    2. The conversion of plaintext to ciphertext

    3. Hiding text data within images or other data types

    4. A cryptanalysis procedure

    þ Answer C is correct. Steganography involves hiding messages in images or other non-text data.

    ý Answer A is incorrect because hiding ciphertext within plaintext does not accurately describe the process. Answer B is incorrect because the conversion of plaintext to ciphertext is simply described as encryption. Answer D is incorrect because steganography is not a cryptanalysis procedure.

  13. For a recipient to decrypt a message you sent to them via a PKI system, you must do which of the following?

    1. Nothing

    2. Share your secret key

    3. Manually send your public key

    4. Manually create a session key

    þ Answer A is correct. The recipient decrypts the message with their own private key, and the PKI (together with the mail or messaging application) handles obtaining and validating the certificates involved, so the sender has nothing extra to do.

    ý Answer B is incorrect because you never share your secret (private) key. Answer C is incorrect because your public key is already published in the certificate the CA issued to you; in any case the recipient needs it only to verify your signature, not to decrypt. Answer D is incorrect because if the communication requires a session key, the application generates and exchanges it automatically.

  14. What is a cryptovariable?

    1. The time delay in sending encrypted data

    2. The variation in the stream of ciphertext

    3. The variation in the key size used

    4. The secret key

    þ Answer D is correct. A cryptovariable is the secret key used to encrypt data.

    ý Answers A and B are incorrect because cryptovariables are not related to time delays, or variations in the ciphertext. Answer C is incorrect because variations in the key size used changes the key space.

Chapter 7: Data Communications

  1. You are auditing the security of the Web development department of your company. The Web development group recently deployed an online application that allows customers to purchase items over the Internet. The portions of the site that transmit confidential customer information employ SSL. The Web server that contains the online application sits inside a DMZ. Which port will all SSL traffic pass through?

    1. 25

    2. 80

    3. 443

    4. 21

    þ Answer C is correct. SSL functions on port 443. To allow customers to reach the portions of the site that employ SSL, you should make sure that traffic is allowed on port 443.

    ý Answer A is incorrect. Port 25 is associated with SMTP. If the server were a mail server instead of a Web server, this port would need to be opened. Answer B is incorrect. Port 80 is associated with HTTP. This port will be used alongside port 443 on the Web server, because HTTP is the standard protocol used to view unencrypted Web pages; customers will use this protocol and port when accessing the standard portions of the Web site. Answer D is incorrect. FTP is associated with port 21. It is not used by the Web application, and therefore traffic should not be allowed to pass on port 21.

  2. You are the security administrator for a local bank. Mark, the network administrator, is creating a small LAN in a public branch of your bank. Mark is consulting with you and would like to know what the most failure-prone piece of the network architecture will be. Your answer is that it is (a):

    1. Hub

    2. Switch

    3. Server

    4. Cables

    þ Answer D is correct. Cables frequently fail and are a common point of failure in most networks. This should be a primary concern when designing a new network. You should take in consideration the amount of uptime that is expected and create the network topology accordingly. For example, if some downtime is tolerable, the star topology would be a good choice because of minimal cabling requirements and simplicity. If uptime for all nodes on the network is a primary concern, you should consider a more complex topology such as the mesh topology, which would allow for cable failures while keeping all nodes on the network connected throughout the failure.

    ý Answer A is incorrect. A hub is a primary part of many present-day networks. While a hub failure would most likely create a significant network outage for at least a short period of time, hubs typically do not fail as often as network cabling. Answer B is incorrect. A switch is likewise a primary part of most present-day networks. While a switch failure would most likely create a significant network outage for at least a short period of time, switches typically do not fail as often as network cabling. Answer C is incorrect. A server can represent a number of things with variable importance on a network (for example, an authentication server, a file server, a mail server, or a Web server). Depending on the organization's needs, any one of these servers failing could cause network disruptions. Servers, however, do not fail as often as network cabling.

  3. James, the network administrator, would like to provide Internet access to the LAN he is responsible for. He has purchased a T1 line from the local communication provider, which has assigned him one IP address. He would like to purchase a firewall to protect the internal network and also allow them to access the Internet using the single IP address that is provided. Which function should James make sure that the firewall can support to accomplish his current goals?

    1. DMZ

    2. NAT

    3. PPP

    4. IPSec

    þ Answer B is correct. NAT allows private IP addresses to make requests to the Internet through one publicly available IP address. If James purchases a firewall that can employ NAT, he will be able to allow all internal hosts to access the Internet using the one public IP address that he has been assigned.

    ý Answer A is incorrect. A DMZ is a network segment between the firewall and the Internet (or between two firewalls) that usually hosts servers such as publicly available Web servers. The firewall that James purchases does not have to support a DMZ to accomplish his goals. Answer C is incorrect. PPP is commonly used for dial-up connections. Since James has purchased a T1 to provide Internet access, he will not be using PPP to allow internal hosts to access the Internet. Answer D is incorrect. IPSec is a protocol used to build VPN connections. James does not need to deploy a VPN to provide Internet access to the LAN, so the firewall does not need to support IPSec.

  4. You are purchasing a new firewall for the network you maintain security for. What are some of the options that you should look at before purchasing a firewall? (Choose all that apply.)

    1. Packet filtering

    2. Stateful inspection

    3. SSL

    4. NAT

    þ Answers A, B, and D are correct. A packet-filtering firewall can allow or deny specific types of packets from entering or leaving the internal network, based on header fields such as source and destination address, protocol, and port. Any standard firewall can perform packet filtering to some degree; make sure that the firewall you want to purchase supports the degree of packet filtering you need. Stateful inspection is a technology used by some firewalls that tracks every connection and attempted connection in a state table, so that an inbound packet is accepted only if it belongs to a connection that was legitimately established. This matters because it lets the firewall drop and log certain stealth port scans (for example ACK, FIN, or NULL scans) that never complete a full connection and would slip past a purely stateless filter. Such scans are commonly used as a first step by an attacker to find open ports without being noticed. NAT allows internal hosts to be hidden behind one public IP address. This helps hide the internal network from potential attackers. You should try to purchase a firewall that supports NAT because it adds an additional layer of protection as well as lowering the number of IP addresses you must purchase from your ISP.

    ý Answer C is incorrect. SSL is a protocol used to encrypt Web pages for secure Web transactions. Although you may need to open port 443 to allow SSL traffic, this function will be taken care of if the firewall supports packet filtering.
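As an added example (not from the book), this Python models the difference between a stateless packet filter and stateful inspection on the same traffic. The internal prefix, the open services, and the packets are constructed for the demonstration; real firewalls track far more state (sequence numbers, timeouts, UDP pseudo-connections) and of course operate on real frames.

```python
from dataclasses import dataclass

INTERNAL = "192.168.1."            # assumed internal network prefix (constructed)
OPEN_SERVICES = {80, 443}          # inbound services permitted on the DMZ web server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset               # subset of {"SYN", "ACK", "FIN", "RST"}; empty = NULL scan

def is_internal(ip):
    return ip.startswith(INTERNAL)

def stateless_filter(pkt):
    """Plain packet filter: decides on header fields alone, one packet at a time.
    It cannot tell a scan probe to port 443 from a packet of a real HTTPS session."""
    if is_internal(pkt.src):
        return "allow"                                   # anything outbound
    return "allow" if pkt.dport in OPEN_SERVICES else "deny"

class StatefulFilter:
    """Keeps a connection table. A packet is allowed only if it properly opens a
    permitted connection (a bare SYN) or belongs to a connection already in the table."""
    def __init__(self):
        self.table = set()         # (client_ip, client_port, server_ip, server_port)
        self.suspicious = []       # inbound packets matching no connection: scan candidates

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        k, rk = self._key(pkt), self._reverse_key(pkt)
        if k in self.table or rk in self.table:          # part of a tracked connection
            if "FIN" in pkt.flags or "RST" in pkt.flags: # connection is closing
                self.table.discard(k)
                self.table.discard(rk)
            return "allow"
        opens_connection = pkt.flags == frozenset({"SYN"})
        if opens_connection and (is_internal(pkt.src) or pkt.dport in OPEN_SERVICES):
            self.table.add(k)
            return "allow"
        if not is_internal(pkt.src):
            self.suspicious.append(pkt)                  # ACK/FIN/NULL probes land here
        return "deny"

def demo():
    """Constructed traffic: a legitimate HTTPS handshake, then three stealth-scan probes."""
    fw = StatefulFilter()
    client, server = "203.0.113.5", "192.168.1.80"
    session = [
        Packet(client, 40001, server, 443, frozenset({"SYN"})),
        Packet(server, 443, client, 40001, frozenset({"SYN", "ACK"})),
        Packet(client, 40001, server, 443, frozenset({"ACK"})),
    ]
    probes = [
        Packet("198.51.100.9", 55555, server, 443, frozenset({"ACK"})),   # ACK scan
        Packet("198.51.100.9", 55556, server, 443, frozenset({"FIN"})),   # FIN scan
        Packet("198.51.100.9", 55557, server, 80, frozenset()),           # NULL scan
    ]
    return {
        "session_stateful": [fw.process(p) for p in session],
        "probes_stateful": [fw.process(p) for p in probes],
        "probes_stateless": [stateless_filter(p) for p in probes],
        "suspicious_sources": sorted({p.src for p in fw.suspicious}),
    }
```

The stateless filter passes all three probes because their destination ports are open; the stateful filter denies them because none belongs to an established connection, and it records the source so the scan can be reported.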

  5. You have several network devices that require a central authentication server. Which of the following authentication servers are possible choices? (Choose all that apply.)

    1. RADIUS

    2. TACACS

    3. TACACS+

    4. RADIUS+

    þ Answers A, B, and C are correct. RADIUS is the oldest and perhaps the most widely supported authentication server available. It supports PPP, PAP, and CHAP. It can be used for a central authentication server that other network devices can reference. TACACS provides remote authentication and event logging. TACACS uses UDP as its primary network protocol. TACACS+ provides enhancements to the standard version of TACACS. It provides such enhancements as the ability for users to change passwords and allows dynamic password tokens that provide resynchronization.

    ý Answer D is incorrect. RADIUS+ is not a possible choice because it does not exist.

  6. A manager in your company recently returned from a conference where he learned about how other companies were using VPNs. He has broadband access to his house and would like you to install a VPN so that he can work from home. You have decided to use IPSec in tunneling mode. Which of the following is a benefit of using IPSec in tunneling mode?

    1. It is faster

    2. It encrypts the entire packet

    3. It only encrypts the payload

    4. Better authentication

    þ Answer B is correct. The main benefit of IPSec in tunnel mode is that the entire original packet, header and payload, is encrypted and then wrapped in a new outer IP header, so the real source and destination addresses are hidden from anyone observing the tunnel. Transport mode only encrypts the payload, which still leaves the original header exposed.

    ý Answer A is incorrect. Tunnel mode encrypts both the payload (data) and the header of packets over a VPN and adds a new outer header, so it carries more overhead than transport mode and is not faster. Answer C is incorrect. Encrypting only the payload describes transport mode, not tunnel mode. Answer D is incorrect. IPSec does provide authentication, of the peers through IKE and of each packet through AH or the ESP integrity check, but it does so equally in both modes; tunnel mode does not authenticate better than transport mode.

  7. What OSI layer is TCP located on?

    1. Physical

    2. Transport

    3. Application

    4. Session

    þ Answer B is correct. TCP is located at the transport layer, which also contains UDP. (IPSec, by contrast, operates at the network layer alongside IP.)

    ý Answer A is incorrect. TCP is not located on the physical layer of the OSI model. Cabling and devices such as hubs are located at this layer. Answer C is incorrect. The application layer contains protocols such as FTP, Telnet, HTTP, and SMTP. TCP is not located at this layer. Answer D is incorrect. The session layer contains protocols such as NFS, X11, and RPC. TCP is not located at this layer of the OSI model.

  8. Owen is responsible for safeguarding his company's network against possible attacks that involve network monitoring. He must suggest what types of cabling will protect the network from sniffing attacks. Which of the following is the most secure against sniffing attacks?

    1. Wireless Ethernet

    2. 802.11

    3. Fiber-optic cable

    4. Coax cable

    þ Answer C is correct. Fiber-optic cable provides the best protection against sniffing attacks. Tapping it requires physical access and specialized equipment, and a tap is likely to cause a detectable change in the signal, so it is very hard to sniff data passing over it unnoticed.

    ý Answer A is incorrect. Wireless Ethernet is prone to sniffing attacks because the transmissions can be captured by anyone in radio range, without physical access to a network device. Answer B is incorrect. 802.11 is the IEEE standard for wireless LANs, so this choice describes the same radio-based networking as answer A and is equally exposed to sniffing. Answer D is incorrect. Coax cable is very easy to tap and could provide an attacker with an easy point of penetration to conduct a sniffing attack.

  9. John is the security administrator for his company. He is trying to identify which of the following facilitates the most security vulnerabilities to his network?

    1. HTTP

    2. A Web browser

    3. SSL

    4. SMTP

    þ Answer B is correct. A Web browser is used to interpret HTTP and display Web content. A browser is a common point for security vulnerabilities. An obvious example of this can be seen in the number of security patches that are released for the most popular Web browser, Internet Explorer.

    ý Answer A is incorrect. HTTP is the protocol used to view Web pages. The protocol itself is not where the vulnerabilities lie, although because it is cleartext, confidential data should be carried over SSL instead. Answer C is incorrect. SSL is a protocol that provides encrypted transmission to and from a Web application. SSL itself does not present a security vulnerability in the sense the question intends. Answer D is incorrect. SMTP is used to send e-mail messages. While e-mail is a common method used to transport viruses, worms, and Trojan horses, this is not due to the SMTP protocol itself.

  10. You have recently installed SSH to replace Telnet on an IDS located on your company's DMZ. You need to allow SSH traffic into the DMZ. What port does SSH use?

    1. 80

    2. 110

    3. 22

    4. 23

    þ Answer C is correct. SSH functions over port 22. You should open port 22 to allow an SSH session to be established to the IDS on the DMZ, and restrict that rule to the management hosts that need it.

    ý Answer A is incorrect. Port 80 is associated with HTTP. You do not need to allow this traffic into the DMZ unless a Web server is in the DMZ. Regardless of this, port 80 is not responsible for SSH to function correctly. Answer B is incorrect. Port 110 is associated with POP3, which is used for e-mail retrieval. It is not required for SSH. Answer D is incorrect. Port 23 is associated with Telnet. Since you recently replaced Telnet with SSH due to its security vulnerabilities such as passwords being transmitted in cleartext, you should be sure to close port 23 as well as disable Telnet on the IDS.

  11. Heather is researching solutions to provide an extra layer of security to her network. She has become interested in IDSs. An IDS does all of the following except:

    1. Monitor

    2. Detect

    3. Notify

    4. Filter

    þ Answer D is correct. An IDS does not filter data on the network; it only observes. Filtering is the job of firewalls (a device that both detects and blocks is an intrusion prevention system rather than an IDS).

    ý Answer A is incorrect. An IDS provides monitoring capabilities. Answer B is incorrect. An IDS is used to detect potential attacks occurring on the network. Answer C is incorrect. After an IDS detects an attack, it is capable of notifying the administrator of the problem.

  12. Jill administers her company's Web server. It has been reported to her that the Web server is unavailable to users. She has verified that the server has lost basic connectivity. What protocol will she need to troubleshoot on the Web server?

    1. OSI model

    2. PAP

    3. TCP/IP

    4. SMTP

    þ Answer C is correct. TCP/IP is the suite of protocols used for data transmission on the Internet and on most networks, named for its two core members. Jill should first check the TCP/IP configuration on the server (address, subnet mask, default gateway, DNS) to verify that the correct information is entered.

    ý Answer A is incorrect. The OSI model is a reference model that describes the layers at which protocols operate. While the protocol Jill needs to troubleshoot can be placed in the OSI model, she will not be troubleshooting the model itself. Answer B is incorrect. PAP is a protocol used to authenticate a user over a network. Since connectivity and not authentication is Jill's problem, she will not need to troubleshoot PAP. Answer D is incorrect. SMTP is a protocol used to send mail across the Internet. She will not need to troubleshoot this protocol at this time.

  13. You are investigating a large number of attacks that are coming from one specific address. You have contacted the administrator of the host with that IP address, who has investigated and discovered that the machine has not been compromised and that no attacks are originating from it. Which of the following is falsely inserted to spoof an IP address?

    1. Protocol ID

    2. Header checksum

    3. Source IP address

    4. Destination IP address

    þ Answer C is correct. The source IP address is set by the attacker to make the packet appear to come from another host, either a trusted one or simply a decoy that draws the blame, as in this scenario. Because the attacker builds the whole packet, the header checksum is simply recomputed for the forged address. The practical defense is ingress and egress filtering at network borders (BCP 38), which drops packets whose source address could not legitimately arrive on that interface.

    ý Answer A is incorrect. The Protocol ID field indicates what protocol the packet is using. Answer B is incorrect. The header checksum is used for error detection to determine if bits are missing from the IP packet. Answer D is incorrect. The destination IP address is the target address of the packet.
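As an added example (not from the book), this Python builds a minimal IPv4 header, computes the RFC 791 header checksum, and shows what happens when the source address is overwritten with and without recomputing the checksum. The addresses are constructed and nothing is sent on the wire; the point is that the checksum catches accidental corruption, not deliberate forgery.

```python
import socket
import struct

def ipv4_checksum(data):
    """RFC 791 checksum: ones' complement of the ones' complement sum of 16-bit words.
    Over a header whose checksum field is zero it yields the value to insert; over a
    complete, valid header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def with_checksum(hdr):
    """Return the 20-byte header with its checksum field recomputed."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:20]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def build_ipv4_header(src, dst, protocol=6, payload_len=0, ttl=64, ident=0x1234):
    """Minimal IPv4 header (no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0,
                      ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)

def parse_ipv4_header(hdr):
    """Decode the fields a filter looks at, and whether the checksum verifies."""
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"protocol": f[6], "checksum": f[7],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "checksum_ok": ipv4_checksum(hdr[:20]) == 0}

def spoof_source(hdr, fake_src, fix_checksum=True):
    """What a spoofer does: overwrite the source address. Without recomputing the
    checksum, the first router that validates it discards the packet; with it, the
    packet is indistinguishable from one the victim host really sent."""
    spoofed = hdr[:12] + socket.inet_aton(fake_src) + hdr[16:]
    return with_checksum(spoofed) if fix_checksum else spoofed
```

Because the fix is one line, the checksum (answer B) offers no protection against spoofing; only source-address filtering at the network edge does.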

  14. What standard defines Ethernet?

    1. 802.11

    2. 802.3

    3. X.25

    4. T1

    þ Answer B is correct. IEEE developed the 802.3 Ethernet standard that is now widely deployed in networks.

    ý Answer A is incorrect. 802.11 defines the newer wireless Ethernet standard that uses microwave frequencies to transmit data packets through the air. Answer C is incorrect. X.25 is a packet-switching technology that can send data packets over different lines and then have them reformed at the destination. It is not typically used in North America anymore. Answer D is incorrect. A T1 supports 24 individual channels, which each support 64 Kbps for a total data transmission rate of 1.544 Mbps.

  15. Authentication protocols are an important part of any network's basic security. You would like to choose a protocol for your network that will reauthenticate users. Which of the following protocols allows for re-authentication?

    1. PAP

    2. CHAP

    3. IPSec

    4. PPTP

    þ Answer B is correct. CHAP supports reauthentication. The authenticating machine will periodically challenge the authenticated machine. The authenticated machine will then respond back with a one-way hash function. The authenticating machine will then check the hash against the expected value to reauthenticate the user.

    ý Answer A is incorrect. PAP is a basic authentication protocol that transmits the username and password in cleartext across the network. PAP does not support reauthentication. Answer C is incorrect. IPSec is used to encrypt data over a VPN. IPSec can be implemented in either tunneling mode or transport mode. Answer D is incorrect. PPTP is a tunneling protocol commonly used when implementing a VPN.
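The challenge/response cycle described in the answer above, worked through in code. This is an added example and not code from the study guide; it follows the shape RFC 1994 gives for the response, MD5(identifier || secret || challenge), and the peer name "peer1" and the shared secrets are constructed for the demo.

```python
"""CHAP-style challenge/response with periodic reauthentication.

Added example, not code from the study guide. The response is formed as
MD5(identifier || secret || challenge), the shape RFC 1994 describes; the peer
name "peer1" and the shared secrets are constructed for the demo.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way hash the peer sends back; the secret itself never crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Holds the shared secrets and verifies every authentication round."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding: dict[str, tuple[int, bytes]] = {}

    def challenge(self, peer: str) -> tuple[int, bytes]:
        # A fresh random challenge and a new identifier each round are what make
        # a captured response useless against a later challenge.
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[peer] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        expected_id, chal = self.outstanding.pop(peer, (None, None))
        if chal is None or identifier != expected_id or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The authenticated machine; it only ever reveals hashes over its secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_session(rounds: int, peer_secret: bytes, auth_secret: bytes) -> list[bool]:
    """Initial authentication followed by rounds-1 periodic reauthentications."""
    auth = Authenticator({"peer1": auth_secret})
    peer = Peer(peer_secret)
    results = []
    for _ in range(rounds):
        ident, chal = auth.challenge("peer1")
        results.append(auth.verify("peer1", ident, peer.answer(ident, chal)))
    return results


def replay_is_rejected(secret: bytes) -> bool:
    """A response captured in one round fails the next round's challenge."""
    auth = Authenticator({"peer1": secret})
    peer = Peer(secret)
    ident1, chal1 = auth.challenge("peer1")
    captured = peer.answer(ident1, chal1)
    first_ok = auth.verify("peer1", ident1, captured)
    ident2, _ = auth.challenge("peer1")
    return first_ok and not auth.verify("peer1", ident2, captured)


if __name__ == "__main__":
    print("reauthentication rounds:", run_session(3, b"s3cret", b"s3cret"))
    print("wrong secret:", run_session(2, b"guess", b"s3cret"))
    print("replayed response rejected:", replay_is_rejected(b"s3cret"))
```

The contrast with PAP is the point: nothing the peer transmits here is the password, and because every round carries a new challenge, a response recorded from one round does not satisfy the next, which is what makes periodic reauthentication meaningful.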

Chapter 8: Malicious Code and Malware

  1. Systems are having problems where unexplainable events are happening. A system has been reported to have mysterious problems, and worse yet, there are more instances of this throughout the organization. You are concerned because you sense that these are symptoms of an infected system. From the answers below, which three answers resemble symptoms of an infected system?

    1. System will not boot any longer to a prompt

    2. There is an entry in the audit log of the system about a driver problem

    3. System boots up, but is non-responsive and/or will not load any applications

    4. Windows icons change color and position after you open an e-mail

    þ Answers A, C, and D are correct. All are examples of an obviously infected system. Although they could also be legitimate problems, these are commonly seen as symptoms of an infected system.

    ý Answer B is incorrect. An entry in an audit log is not necessarily a symptom of some form of malware.

  2. What kind of program is usually installed without the user's awareness and performs undesired actions that are often harmful, although sometimes merely annoying?

    1. Viruses

    2. Firmware

    3. Software

    4. Drivers

    þ Answer A is correct. Viruses are programs that are usually installed without the user's awareness and perform undesired actions that are often harmful.

    ý Answer B is incorrect. Firmware usually refers to BIOS software or chip-based software on most hardware. Answer C is incorrect. Although viruses are technically software, this does not match the exact definition of a virus. Answer D is incorrect. A driver, although it is software, is not technically the term used for a virus.

  3. What kind of virus will infect executable files or programs in the computer, typically leaving the contents of the host file unchanged but appending itself to the host in such a way that the virus code is executed first?

    1. Parasitic viruses

    2. Bootstrap sector viruses

    3. Multi-partite viruses

    4. Companion viruses

    þ Answer A is correct. Parasitic viruses infect executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged but appends to the host in such a way that the virus code is executed first.

    ý Answer B is incorrect. Bootstrap sector viruses live on the first portion of the hard disk, known as the boot sector (this also includes the floppy disk). This virus replaces either the programs that store information about the disk's contents or the programs that start the computer. This type of virus is most commonly spread via the physical exchange of floppy disks. Answer C is incorrect. Multi-partite viruses combine the functionality of the parasitic virus and the bootstrap sector virus by infecting either files or boot sectors. Answer D is incorrect. Companion viruses create new programs with the same name as already existing legitimate programs. They then trick the OS into running the companion program instead of modifying an existing program.

  4. When dealing with protocols, you know that most of the protocols in the TCP/IP protocol stack are flawed with many problems, such as the sending of credentials in cleartext. From the list below, which protocol allows this exploit only with the community strings being sent in cleartext?

    1. SNMP

    2. RIP

    3. OSPF

    4. ICMP

    þ Answer A is correct. SNMP is used to monitor network devices and manage networks. It is a set of protocols that uses messages called PDUs over the network to various machines or devices that have SNMP agent software installed. These agents maintain MIBs that contain information about the device. When agents receive the PDUs, they respond with information from the MIB. It is sent over the network in cleartext, open to exploitation.

    ý Answer B is incorrect. RIP is a distance vector-based routing protocol used by devices like servers and routers to dynamically build routing tables so they know where to forward packets on the network. Answer C is incorrect. OSPF is also a routing protocol but is more advanced and is link state-based, which allows it to make better routing decisions; it is also much less bandwidth intensive because it does not have to send out as many updates to keep its tables current. Answer D is incorrect. ICMP is an error-reporting protocol used to find problems or paths on a network. Ping and Traceroute are two utilities that use ICMP.

  5. If a cache has been changed in any way to reflect the wrong addressing, you have an example of what kind of attack?

    1. ARP spoofing

    2. UDP bomb

    3. Rootkits

    4. Virus

    þ Answer A is correct. The ARP maintains the ARP cache. This is a table that maps IP addresses to MAC (physical) addresses of computers on the network.

    ý Answer B is incorrect. A UDP bomb is used by sending a UDP packet constructed with illegal values in certain fields; by doing this, an attacker can crash a system. Answer C is incorrect. Rootkits contain a variety of malicious utilities that allow an attacker to create Trojan horse programs that hide themselves from the legitimate user. They also include the functionality to remotely apply patches to existing programs, allowing the attacker to hide processes on the system. Answer D is incorrect. A virus is a program that causes malicious issues once executed. DoS attacks, if performed correctly, are able to completely disable hosts and systems.
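The symptom the question describes, a cache that no longer maps IP addresses to the right MAC addresses, can be checked for by comparing cache snapshots. The following is an added example and not code from the study guide; both snapshots are constructed lines in the style of `arp -a` output, and every address and MAC in them is made up for the demo.

```python
"""Compare two ARP cache snapshots and flag the symptoms of ARP spoofing.

Added example, not from the study guide. Both snapshots are constructed lines in
the style of `arp -a` output; the addresses and MACs are made up for the demo.
"""
import re

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed baseline taken while the network was known to be healthy.
BASELINE_SNAPSHOT = """\
Interface: 10.0.0.20 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-01     dynamic
  10.0.0.7              00-11-22-33-44-07     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed later snapshot: the gateway entry now carries 10.0.0.7's MAC.
CURRENT_SNAPSHOT = """\
Interface: 10.0.0.20 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-07     dynamic
  10.0.0.7              00-11-22-33-44-07     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""


def parse_arp_table(text: str) -> dict[str, str]:
    """IP -> normalised MAC; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def arp_anomalies(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Two signs of a poisoned cache: a known IP whose MAC changed, and one MAC
    answering for several IPs (one card posing as the gateway as well as itself)."""
    findings = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(f"{ip} changed MAC {old} -> {mac}")
    by_mac: dict[str, list[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if mac != BROADCAST and len(ips) > 1:
            findings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


def check_snapshots() -> list[str]:
    """Run the comparison over the two constructed snapshots."""
    return arp_anomalies(parse_arp_table(BASELINE_SNAPSHOT),
                         parse_arp_table(CURRENT_SNAPSHOT))


if __name__ == "__main__":
    for finding in check_snapshots():
        print(finding)
```

A changed gateway MAC is the single most useful signal here: a legitimate NIC replacement is rare and planned, whereas the gateway suddenly sharing a MAC with another host on the segment is the classic footprint of a poisoned cache.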

  6. Wardialing is an attack that will allow you to exploit systems by using the PSTN. Wardialing requires which of the following?

    1. An active TCP connection

    2. A modem and a phone line

    3. A connection to the Internet

    4. Knowledge of UNIX systems

    þ Answer B is correct. Wardialing uses a modem and phone line to dial banks of phone numbers to look for modems that are available for connections.

    ý Answers A and C are incorrect. Wardialing is just the act of dialing thousands of phone numbers, so neither a TCP connection nor an Internet connection is required. Answer D is also incorrect. There are many wardialing programs that will run on almost any platform, so specific knowledge of UNIX is not necessary.

  7. Man-in-the-Middle (MITM) attacks are commonly performed when an attacker wants to establish a way to eavesdrop on communications. Which of the following is most likely to make systems vulnerable to MITM attacks?

    1. Weak passwords

    2. Weak TCP sequence number generation

    3. Authentication misconfiguration on routers

    4. Use of the wrong OSs

    þ Answer B is correct. TCP sequence number prediction is the basis for many TCP/IP-based attacks, including MITM attacks.

    ý Answer A is incorrect. While weak passwords increase vulnerability to many types of attacks, the MITM attack specifically exploits the TCP sequence numbers. Answer C is incorrect. Misconfiguration of authentication on routers will open up the network to a variety of attacks, but is not directly connected to MITM attacks. Answer D is incorrect. MITM attacks can be launched regardless of the OS if the TCP/IP protocol stack is used; it is a protocol vulnerability rather than an OS vulnerability.

  8. The SYN flood attack sends TCP connection requests faster than a machine can process them. Which of the following attacks involves a SYN flood?

    1. DoS

    2. TCP hijacking

    3. Replay

    4. MITM

    þ Answer A is correct. Creating a SYN flood will be seen as a DoS attack. A SYN flood sends thousands of SYN packets to a victim computer, which then sends the SYN/ACK back, and patiently waits for a response that never comes. While the server waits on thousands of replies, the resources are consumed in such a way as to render the machine useless.

    ý Answer B is incorrect. TCP hijacking deals with stealing a user's session rather than flooding the target. Answer C is incorrect. Replay attacks do just what the name implies: they replay already-used data in an attempt to trick the victim into accepting it. Answer D is incorrect. MITM attacks are listening/sniffing-based and do not involve flooding a machine with packets.

  9. When working as a security analyst, you need to be aware of the fact that many times you may find yourself in a position where you have programmers to work with as well as the network. Programmers without proper skill, resources, or QA (or maliciously) could do what to cause an exploit?

    1. Write a driver

    2. Write a virus

    3. Write poor code

    4. Write a worm

    þ Answer C is correct. Poor coding is easily explained. Code is the shortened nickname for programming language code. Poor coding is just that: the poor or lacking creation of production code that does not work as advertised, or worse yet, opens a hole in your systems that can be exploited.

    ý Answers A, B, and D are incorrect. A driver is nothing to worry about, and none of these answers faces up to the fact that it is poorly written code that created the possibility of an exploit. Writing poor code or unchecked code (meaning it failed the QA process) is the number one reason why so many bugs exist in software today. The other answers are simply the process the programmers were going through anyway to create a program, whether or not it is intended to be malicious. Writing poor code is common, be it from a lack of skill or a lack of a QA process.

  10. Back doors are commonly found in software packages, applications, and OSs. Which of the following is the most common reason that an attacker would place a back door in a system?

    1. To spread viruses

    2. To provide an interactive login without authentication or logging

    3. To remove critical system files

    4. To run a peer-to-peer file-sharing server

    þ Answer B is correct. Although there are many purposes a back door may serve, providing an interactive login to the system without authentication is one of the most common.

    ý Answer A is incorrect. Viruses are not directly spread through back doors, although an attacker could gain access to a system through the back door and then upload viruses. Answer C is incorrect. Back doors do not remove files from systems by themselves, although an attacker could remove files after gaining access. Answer D is incorrect. File sharing is not typically done through a back door, and it is certainly not a way to run a peer-to-peer file-sharing server.

  11. Buffer overflow attacks are very common and highly malicious. Buffer overflows can allow attackers to do which of the following?

    1. Speak with employees to get sensitive information

    2. Run code on a remote host as a privileged user

    3. Write viruses that cause damage to systems

    4. Crash a hard disk

    þ Answer B is correct. Buffer overflows are a type of software exploit often used by attackers to run code on victim machines. Examples would be xterms or root shells.

    ý Answer A is incorrect. It refers to a social engineering situation. Answer C is incorrect. Buffer overflows are simply a conduit for an attacker to insert an attack, and have nothing to do with the actual writing of a virus. Answer D is incorrect. While it could be a result of an attack by a buffer overflow, it is not a direct result of the overflow itself.

  12. Which two protocols use port numbers to provide separate methods to identify what service or application incoming information is destined for, or from which outgoing information it originates?

    1. UDP

    2. IP

    3. ARP

    4. TCP

    þ Answers A and D are correct. A port is, in its simplest meaning, a point where information enters or leaves a computer. The TCP and UDP protocols use port numbers to provide separate methods to identify what service or application incoming information is destined for, or from which outgoing information originates. The term port scanner, in the context of network security, refers to a software program that hackers use to remotely determine what TCP/UDP ports are open on a given system and thus vulnerable to attack. Administrators also use scanners to detect vulnerabilities in their own systems, in order to correct them before an intruder finds them. Network diagnostic tools such as the famous Security Administrator's Tool for Analyzing Networks (SATAN), a UNIX utility, include sophisticated port-scanning capabilities.

    ý Answer B is incorrect. IP is a connectionless protocol that functions on Layer 3 (the Network layer) of the OSI model. IP is responsible for logical addressing and fragmentation. Answer C is incorrect. ARP is a protocol that functions on Layer 2 (the Data Link layer) of the OSI model. ARP is responsible for resolving MAC addressing into IP addressing.

  13. While working with a newly implemented router, you are asked by senior management to implement security by disabling the HTTP service on the router as well as not letting it through the router with an Access Control List (ACL). From the list below, which port correctly maps to HTTP?

    1. TCP/UDP port 80

    2. TCP/UDP port 88

    3. TCP/UDP port 110

    4. TCP/UDP port 119

    þ Answer A is correct. HTTP is a very common protocol. The correct port number is 80.

    ý Answer B is incorrect. Port 88 is used for Kerberos. Answer C is incorrect. Port 110 is used for the Post Office Protocol version 3 (POP3). Answer D is incorrect. Port 119 is used for the Network News Transfer Protocol.

  14. While configuring a new Web server, you are asked to set up a network news feed. You know that you have to open a port on the firewall to allow the NNTP protocol to pass through in order for the service to work. From the list below, which port will you have to open up on the firewall to allow NNTP to work?

    1. TCP/UDP port 119

    2. TCP/UDP port 138

    3. TCP/UDP port 220

    4. TCP/UDP port 389

    þ Answer A is correct. NNTP is a very common protocol. The correct port number is Port 119.

    ý Answer B is incorrect. Port 138 is used for the NetBIOS datagram service. Answer C is incorrect. Port 220 is used for the Internet Message Access Protocol version 3 (IMAPv3). Answer D is incorrect. Port 389 is used for the Lightweight Directory Access Protocol (LDAP).

  15. Sending multiple packets with which of the following TCP flags set can launch a common DoS attack?

    1. ACK

    2. URG

    3. PSH

    4. SYN

    þ Answer D is correct. SYN flags are set on synchronization packets that are sent in overwhelming numbers to a server, to consume its resources and render it useless to legitimate clients that attempt to connect to it. This type of attack is known as a SYN flood.

    ý Answers A, B, and C are incorrect because these flags do not cause the victim to wait for a reply. They are control bits in the TCP header. The most common ones and what they signal are: U (URG), urgent pointer field significant; A (ACK), acknowledgment field significant; P (PSH), push function; R (RST), reset the connection; S (SYN), synchronize sequence numbers; and F (FIN), no more data from sender.
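The control bits listed above and the half-open connections described under question 8 can be worked through together: decode the flags field of each packet, replay the three-way handshakes, and count the connections that never reach the client's final ACK. The following is an added example and not code from the study guide; it serves both question 8 and question 15, and the packet records are constructed for the demo as (time, source, destination, control bits). Nothing is sent on the wire; this is the detection side only.

```python
"""Decode TCP control bits and count half-open connections per server.

Added example, not from the study guide; it serves both the SYN flood question
(question 8) and question 15. The packet records are constructed for the demo
as (time, source, destination, control bits); no traffic is sent.
"""
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(control_bits: int) -> list[str]:
    """Names of the control bits set in the TCP header's flags field."""
    return [name for name, bit in FLAG_BITS.items() if control_bits & bit]


def half_open_report(packets, threshold: int) -> dict[str, int]:
    """Replay the handshakes: a client SYN opens a pending entry; the client's
    ACK (step three) or a server RST closes it. Whatever is still pending at the
    end is half-open, and servers at or above the threshold are reported."""
    pending = {}
    for ts, src, dst, bits in packets:
        flags = set(decode_flags(bits))
        if flags == {"SYN"}:
            pending[(src, dst)] = ts
        elif "ACK" in flags and "SYN" not in flags and (src, dst) in pending:
            del pending[(src, dst)]
        elif "RST" in flags and (dst, src) in pending:
            del pending[(dst, src)]
    per_server: dict[str, int] = {}
    for _client, server in pending:
        per_server[server] = per_server.get(server, 0) + 1
    return {s: n for s, n in per_server.items() if n >= threshold}


def demo_capture() -> list:
    """Constructed capture: one completed handshake, one refused connection,
    then 50 SYNs toward one server that are answered but never followed by an ACK."""
    SYN, SYNACK, ACK, RSTACK = 0x02, 0x12, 0x10, 0x14
    pkts = [
        (0.10, "192.0.2.10:40001", "10.0.0.5:80", SYN),
        (0.11, "10.0.0.5:80", "192.0.2.10:40001", SYNACK),
        (0.12, "192.0.2.10:40001", "10.0.0.5:80", ACK),
        (0.50, "192.0.2.11:40002", "10.0.0.6:25", SYN),
        (0.51, "10.0.0.6:25", "192.0.2.11:40002", RSTACK),
    ]
    for i in range(50):
        client = f"203.0.113.{i % 250 + 1}:{50000 + i}"
        pkts.append((1.0 + i * 0.001, client, "10.0.0.5:80", SYN))
        pkts.append((1.0 + i * 0.001 + 0.0005, "10.0.0.5:80", client, SYNACK))
    return pkts


if __name__ == "__main__":
    print(decode_flags(0x12))                       # the SYN/ACK reply
    print(half_open_report(demo_capture(), threshold=20))
```

The report only counts what the explanation above calls waiting: a SYN that the server answered and then heard nothing more about. Completed handshakes and connections the server refused with RST drop out, so the count reflects resources the server is actually holding.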



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
