CISSP - Mock Questions with all domains

After our latest implementation of IPv6 128-bit addresses, our MAC addresses have also changed. Which format are they in now?

Options are :

  • EUI/MAC-64 (Correct)
  • EUI/MAC-48
  • EUI/MAC-128
  • EUI/MAC-256

Answer : EUI/MAC-64

Explanation IPv6 uses EUI/MAC-64 addresses. If the card has an EUI/MAC-48 address, fffe is inserted to pad it to a 64-bit address.

Which of these remote access protocols has the option to send our data encrypted?

Options are :

  • Telnet.
  • Secure Shell. (Correct)
  • Command prompt.
  • PowerShell.

Answer : Secure Shell.

Explanation SSH (Secure Shell) is used for remote access over a network. Data is encrypted, but some recent leaks have shown the CIA may have tools that can break SSH.

An attacker has gained access to our hashed passwords. We haven't started using salting or nonces yet. Why is that a problem?

Options are :

  • The attacker can circumvent clipping levels. (Correct)
  • It isn't a problem, hashes are one-way functions and can't be reversed.
  • Because the attacker now knows our encryption keys.
  • The attacker can now reverse the hash to the real password by hashing the hash he stole.

Answer : The attacker can circumvent clipping levels.

Explanation If an attacker can get access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. This circumvents the clipping levels (the limit on wrong login attempts).

When we are storing our passwords, which of these would be the MOST secure way to do so?

Options are :

  • Plain text.
  • Encrypted asymmetric.
  • Hashed with salt. (Correct)
  • Encrypted symmetric.

Answer : Hashed with salt.

Explanation Hashing with salting is the best way to store passwords: confirmation can be near instant, and the password can't be reverse engineered.

Which of these, if used right, is the MOST secure form of "something you have" authentication?

Options are :

  • Smart card.
  • Passport.
  • Magnetic card.
  • Single-use password. (Correct)

Answer : Single-use password.

Explanation Single-use passwords: Having passwords which are only valid once makes many potential attacks ineffective, just like one-time pads. While they are passwords, they are something you have in your possession, not something you know.

When we talk about the different types of hackers, which of them would be skilled and malicious?

Options are :

  • Black hat. (Correct)
  • Gray hat.
  • White hat.
  • Script kiddie.

Answer : Black hat.

Explanation Black Hat hackers: Malicious hackers, trying to find flaws to exploit them (Crackers - they crack the code).

Why would we use a Requirements Traceability Matrix (RTM) in software testing?

Options are :

  • To ensure we are secure.
  • To test for malformed input.
  • To map requirements to the testing plan. (Correct)
  • To test the code while executing it.

Answer : To map requirements to the testing plan.

Explanation TM/RTM (Requirements Traceability Matrix): Normally a table, used to map customer requirements to the testing plan using a many-to-many relationship comparison. A requirements traceability matrix may be used to check whether the current project requirements are being met, and to help in the creation of a request for proposal, a software requirements specification, various deliverable documents, and project plan tasks.

Which low tech or no tech attack can often be just as successful as very technical attacks?

Options are :

  • DDOS.
  • Social engineering. (Correct)
  • Trojans.
  • Worms.

Answer : Social engineering.

Explanation Social engineering can often be just as successful as more technical attacks, because people want to be helpful.

We are at our annual corporate IT security training event and we are talking about social engineering. Which of these are types of social engineering? (Select all that apply).

Options are :

  • Consensus. (Correct)
  • Urgency. (Correct)
  • War dialing.
  • Whale phishing. (Correct)
  • Vishing. (Correct)
  • Phreaking.

Answer : Consensus. Urgency. Whale phishing. Vishing.

Explanation Social engineering uses people skills to bypass security controls. Attacks are often more successful if they use one or more of these approaches:

  • Authority (someone you trust or are afraid of) - Look and sound like an authority figure, be in charge; this can be in a uniform or a suit. Most effective with impersonation, whaling, and vishing attacks.
  • Intimidation (if you don't, something bad happens) - A virus on the network, a compromised credit card, a lawsuit against your company. Intimidation is most effective with impersonation and vishing attacks.
  • Consensus (following the crowd, everyone else was doing it) - Fake reviews on a website. Using consensus/social proof is most effective with Trojans and hoaxes.
  • Scarcity (if you don't act now, it is too late) - New iPhone out, only 200 available. Often effective with phishing and Trojan attacks.
  • Urgency (it has to happen now or else) - The company will be sued for $1,000,000 if these papers are not filled out before Friday. Often used with phishing.
  • Familiarity (have a common ground, or build it) - Knowing something about the victim ahead of time and then referencing it can raise the chances of a successful attack drastically. People want to be helpful, and if they feel like they know you they want to even more. Often successful with vishing and in-person social engineering.

An attacker has discovered one of the SSIDs in our organization. They plan to use the information in their initial attack, what have they discovered?

Options are :

  • Our switches.
  • Our servers.
  • Our wireless. (Correct)
  • Our firewall.

Answer : Our wireless.

Explanation SSIDs are the names of our wireless access points; if an attacker has one, it is likely that our wireless is the next target. SSIDs are easy to discover.

We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase, what are they doing?

Options are :

  • Reconnaissance.
  • Scanning. (Correct)
  • Vulnerability assessment.
  • Exploitation.

Answer : Scanning.

Explanation Pen testing normally has these phases; enumeration is the same as scanning. Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting.

What would be the PRIMARY reason we use a specific server for storing our centralized logs, and only giving our administrators limited access?

Options are :

  • To have logs available for analysis.
  • To ensure the logs' integrity. (Correct)
  • For the SIEM to be able to access them.
  • For redundancy.

Answer : To ensure the logs' integrity.

Explanation We want to ensure our central log repository is not tampered with by staff or attackers. While it can also provide redundancy, that is not the main reason. The SIEM can access logs wherever they may be.

There are many pitfalls when we work with the audit record management in our organization. Which of these is NOT one of those common problems?

Options are :

  • Logs are not reviewed on a regular and timely basis.
  • Logs are stored on a central secure server. (Correct)
  • Audit logs and audit trails are not stored for a long enough time period.
  • Logs are not standardized or viewable by a SIEM.

Answer : Logs are stored on a central secure server.

Explanation Centralized storage is not a problem, that is good. Security Audit Logs (Audit trail): Audit record management typically faces five distinct problems:

  • Logs are not reviewed on a regular and timely basis.
  • Audit logs and audit trails are not stored for a long enough time period.
  • Logs are not standardized or viewable by correlation toolsets - they are only viewable from the system being audited.
  • Log entries and alerts are not prioritized.
  • Audit records are only reviewed for the bad stuff.

As part of her regular duties, Jane is reviewing our logs. When she does that, it is which type of a control?

Options are :

  • Detective. (Correct)
  • Preventative.
  • Deterrent.
  • Administrative.

Answer : Detective.

Explanation Security Audit Logs: Reviewing security audit logs in an IT system is one of the easiest ways to verify that access control mechanisms are working as intended. Reviewing audit logs is primarily a detective control. Centralized Logging: Should be automated and secure, and even administrators should have limited access. Often a central repository is hashed and never touched, and a secondary copy is analyzed, to ensure integrity. Logs should have a retention policy to ensure we are compliant and keep the logs as long as we need them.

A team of penetration testers, with full physical access to our facility, have found PHI hard copies lying around. Which of our policies are our employees NOT following?

Options are :

  • Clean desk policy. (Correct)
  • Least privilege.
  • Wireless policy.
  • Shred policy.

Answer : Clean desk policy.

Explanation A clean desk policy requires employees to not have sensitive (or any) paperwork on their desks unless they are at the desk. If they are done with the paperwork they should dispose of it; if not, they should lock it away.

The team of pen testers we have hired is trying to gain access to our facility by trying to find an open door or window. What type of access control are they testing?

Options are :

  • Administrative.
  • Preventative.
  • Physical. (Correct)
  • Detective.

Answer : Physical.

Explanation Physical Controls: Locks, fences, guards, dogs, gates, bollards, doors, windows, etc.

In our software testing we are using fuzz testing. Which type of testing is that?

Options are :

  • Black box. (Correct)
  • White box.
  • Gray box.
  • Penetration testing.

Answer : Black box.

Explanation Fuzzing (Fuzz Testing): A black box testing technique that submits random, malformed data as inputs into software programs to determine if they will crash.

Before we engage the penetration testers we want to hire, we need to build a statement of work (SOW). Who needs to be involved in building it?

Options are :

  • Senior management.
  • Our legal department.
  • IT security
  • All of these. (Correct)

Answer : All of these.

Explanation To have a proper, clear SOW, we need senior management's approval and outline, legal approval and IT security's input.

Penetration testers have been looking for vulnerabilities for some weeks. What would be the FINAL stage of a penetration test?

Options are :

  • Auditing.
  • Reporting. (Correct)
  • Exploration.
  • Deleting log files.

Answer : Reporting.

Explanation Penetration Testing normally has 6 phases: Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting. In a real attack, the 6th phase would instead be deleting logs/evidence and installing backdoors.

As part of our staff training to raise the staff awareness, we are doing drills. What is the MAIN purpose of those?

Options are :

  • See if the plan is accurate, complete and effective.
  • See how staff reacts and to train them. (Correct)
  • Ensure the plan is being followed and understood.
  • Ensure compliance with regulations.

Answer : See how staff reacts and to train them.

Explanation Drills (exercises): Walkthroughs of the plan; main focus is to train staff, and improve employee response (think fire drills).

As part of our annual Disaster Recovery Plan (DRP) update, we are looking at different types of disaster scenarios. We rank the disasters depending on how likely they are for our location and how often they have happened in the past. In which category would we rate a fire?

Options are :

  • Environmental.
  • Human.
  • Natural.
  • All of these. (Correct)

Answer : All of these.

Explanation Fires can be caused by nature, our environment, and people.

Before we upgrade a system or apply a patch we want to get a backup of the system. We need the backup we take to not interfere with the current backup cycle, and we need it to allow us to do a full restore with a single tape. Which backup type should we choose?

Options are :

  • Full backup.
  • Incremental backup.
  • Differential backup.
  • Copy backup. (Correct)

Answer : Copy backup.

Explanation Copy backup: Backs up all selected data, so a full restore can be done from a single tape, but does not reset the archive bit, so it does not interfere with the regular full/incremental/differential backup cycle.

As part of our layered defense approach we have deployed Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Which type of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can possibly help us mitigate 0-day attacks?

Options are :

  • Heuristic based. (Correct)
  • Preference matching.
  • Signature based.
  • Network based.

Answer : Heuristic based.

Explanation Heuristic (Behavioral) based: Looks for abnormal behavior and can produce a lot of false positives. We build a baseline of what normal network traffic looks like, and all traffic is matched against that baseline. They can at times mitigate 0-day attacks and can detect 'out of the ordinary' activity, not just attacks. Takes much more work and skill.

Part of Bob's job is to monitor our environments. Just after coming in on Monday morning, he gets an alert. What just happened?

Options are :

  • Something changed, neither negative nor positive.
  • A triggered warning when something predefined happens (i.e. disk usage over 85%). (Correct)
  • A system has crashed.
  • We are being hacked.

Answer : A triggered warning when something predefined happens (i.e. disk usage over 85%).

Explanation Alert: Triggers warnings if a certain event happens. This can be traffic utilization above 75%, or memory usage at 90% or more for more than 2 minutes.

In building our comprehensive Business Continuity Plan (BCP), we would probably build all these plans, EXCEPT which?

Options are :

  • COOP.
  • MTBF. (Correct)
  • OEP.
  • BRP.

Answer : MTBF.

Explanation BCPs often contain DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan), Occupant Emergency Plan.

We are, as part of our testing of our Disaster Recovery Plan (DRP), doing a simulation test. What would we look at in the simulation test?

Options are :

  • We go through the plan on our own, making sure each step for our team is accurate.
  • Team members review the plan quickly looking for glaring omissions, gaps, or missing sections.
  • The team pretends to have a disaster and responds to the plan with their team's input. (Correct)
  • We bring critical components up at our secondary site and fail the traffic over to that site.

Answer : The team pretends to have a disaster and responds to the plan with their team's input.

Explanation Simulation Test (Walkthrough Drill): Similar to the walkthrough (but different; do not confuse them). The team simulates a disaster and the teams respond with their pieces from the DRP.

We have recently updated our Disaster Recovery Plan (DRP). We are at the "testing" phase of the update. Why do we do that?

Options are :

  • See if the plan is accurate, complete and effective. (Correct)
  • See how staff reacts and to train them.
  • Ensure the plan is being followed and understood.
  • Ensure compliance with regulations.

Answer : See if the plan is accurate, complete and effective.

Explanation Testing: To ensure the plan is accurate, complete and effective; this happens before we implement the plan.

We should update our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) every year at least. Outside of the annual review and update cycle, when would we also update them?

Options are :

  • We acquire another company and they are integrated into ours.
  • A significant part of senior leadership has changed.
  • We have updated a major component of our systems.
  • All of these. (Correct)

Answer : All of these.

Explanation If our organization has had a major change, we update our plans. This could be: we acquired another company or we split off into several companies; we changed major components of our systems (new backup solution, new IP scheme, …); we had a disaster and found a lot of gaps in our plans; a significant part of senior leadership has changed. When we update the plans, older copies are retrieved and destroyed, and current versions are distributed.

We have had a breach and an attacker gained access to some of our servers and workstations. We are planning to use the digital forensics from the time of the attack in a court of law. What should the evidence NOT be?

Options are :

  • Accurate.
  • Authentic.
  • Admissible.
  • Altered. (Correct)

Answer : Altered.

Explanation The evidence we collect must be accurate, complete, authentic, convincing and admissible.

Which of these is NOT protected by the 4th amendment in the US?

Options are :

  • Anything search warranted. (Correct)
  • Your emails.
  • Your internet history.
  • Anything done online.

Answer : Anything search warranted.

Explanation We ensure our evidence is acquired in a legal manner; remember the US Constitution's 4th amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. Anything subpoenaed, search warranted, turned over voluntarily, or in exigent circumstances (immediate danger of being destroyed) can allow law enforcement to bypass the 4th amendment.

Jane is doing network forensics on an attack. Which of these is a COMMON form used?

Options are :

  • Catch-as-you-can. (Correct)
  • Catch-and-release.
  • Stop, act and prevent.
  • Stop and release.

Answer : Catch-as-you-can.

Explanation Network forensics: Systems used to collect network data for forensics use usually come in two forms:

  • Catch-it-as-you-can: All packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.
  • Stop, look and listen: Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

Bob is working on categorizing incidents for our incident management plan. Which category should he choose for fires?

Options are :

  • Natural.
  • Environmental.
  • Human.
  • All of these. (Correct)

Answer : All of these.

Explanation Fires can be natural, caused by our equipment or set by people.

We are working on our incident management plans. In which phase would we write our procedures?

Options are :

  • Preparation. (Correct)
  • Detection.
  • Response.
  • Recovery.

Answer : Preparation.

Explanation Preparation: These are all the steps we take to prepare for incidents. We write the policies and procedures, we train our staff, we procure the detection software/hardware, and we give our incident response team the tools they need to respond to an incident. The more we train our team, the better they will handle the response, the faster we recover, the better we preserve the crime scene (if there is one), and the less impactful an incident will be.

Jane is explaining our logical intrusion system to senior management. Help her answer this question from the CFO: "Which type of intrusion system would ALWAYS block malicious traffic if it recognizes it as malicious?"

Options are :

  • IPS. (Correct)
  • IDS.
  • Heuristic.
  • Pattern.

Answer : IPS.

Explanation IPS (Intrusion Prevention System): Similar to an IDS, but it also takes action on malicious traffic; what it does with the traffic is determined by configuration. Events trigger an action (drop/redirect traffic), often combined with triggering monitoring/administrator warnings, emails or text messages.

During a Distributed Denial of Service (DDoS) attack, we log into a system where we see the notifications. The system does not act on the notification other than sending us an alert. Which system are we logged in to?

Options are :

  • HIDS.
  • NIPS.
  • NIDS. (Correct)
  • HIPS.

Answer : NIDS.

Explanation The system only alerts (intrusion detection), and a DDoS would be seen on the network, so it is a NIDS.

When an attacker is using fragmentation attacks to avoid our Intrusion Prevention Systems (IPS), what is the attacker doing?

Options are :

  • Breaking the data into segments. (Correct)
  • Sending traffic on a well-known TCP port, where we would not expect the malicious traffic.
  • Having many different agents use different IPs and ports.
  • Changing the attack signature.

Answer : Breaking the data into segments.

Explanation Fragmentation: By sending fragmented packets, the attacker can evade the detection system's ability to match the attack signature.

When our Intrusion Prevention System (IPS) allows permitted traffic to pass, that is an example of what?

Options are :

  • True positive.
  • True negative. (Correct)
  • False positive.
  • False negative.

Answer : True negative.

Explanation True Negative: Normal traffic on the network; the system detects it and does nothing.

To help with managing the applications we allow on our servers and workstations, we are creating an application whitelist. What are we doing?

Options are :

  • Make a list of allowed applications. (Correct)
  • Making a list of prohibited applications.
  • Making a list of all applications.
  • Making a list of all of our own developed applications.

Answer : Make a list of allowed applications.

Explanation Application whitelisting: We can whitelist the applications we want to allow to run in our environments, but it can also be compromised. We would whitelist against a trusted digital certificate, a known hash, or a path and name; the latter is the least secure, since an attacker can replace the file at the path with a malicious copy.

Which of these would NOT be part of the server hardening process we do before we promote a new server into our production environment?

Options are :

  • Apply all patches.
  • Disable unused ports.
  • Disable non-required services.
  • Leave the default ports open. (Correct)

Answer : Leave the default ports open.

Explanation Leaving ports open is the opposite of server hardening. When we receive or build new systems they are often completely open; before we introduce them to our environment we harden them. We develop a long list of ports to close, services to disable, accounts to delete, missing patches to apply and many other things.

When we look at software development, security should ALWAYS be what?

Options are :

  • Added on later.
  • Added when we are compromised.
  • Designed into the software. (Correct)
  • Added only in important areas.

Answer : Designed into the software.

Explanation Security should be designed into the software and be part of the initial requirements, just as functionality is. The more breaches and compromises there are, the more we see the move towards security being part of the scope of the software design project. We use software at our jobs, in our personal lives, our homes, cars, power, water, etc. It is everywhere, and it has been and still is common to write functional code where security is an afterthought or not considered at all.

Which programming language often saves data as an executable file? The file is saved once and executed many times.

Options are :

  • Source code.
  • Assembled language.
  • Interpreted languages.
  • Compiled languages. (Correct)

Answer : Compiled languages.

Explanation Compiled Languages: Translate the higher level language into machine code and save it, often as executables. Compiled once and run multiple times.

As programming has progressed we get newer generations of programming languages. Which of these sets are all 4th generation programming languages?

Options are :

  • Cobol, SQL, Perl, C++.
  • C++, Java, Cobol, C#.
  • ColdFusion, SQL, Perl, PHP. (Correct)
  • ColdFusion, SQL, C++, Perl.

Answer : ColdFusion, SQL, Perl, PHP.

Explanation 4th Generation languages (4GL) include ColdFusion, Progress 4GL, SQL, PHP and Perl. Fourth-generation languages are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of software development. They increase efficiency by automating the creation of machine code. They often use a GUI with drag and drop, and then generate the code. Often used for websites, databases, and reports.

Computer-aided software engineering (CASE) is classified into 3 categories. Which of these have the correct 3?

Options are :

  • Tools, workbenches and environments. (Correct)
  • Tools, environments and scenarios.
  • Workbenches, environments and scenarios.
  • Workbenches, use cases and tools.

Answer : Tools, workbenches and environments.

Explanation CASE (Computer-Aided Software Engineering) software is classified into 3 categories: Tools support specific tasks in the software life-cycle. Workbenches combine two or more tools focused on a specific part of the software life-cycle. Environments combine two or more tools or workbenches and support the complete software life-cycle. CASE is used for developing high-quality, defect-free, and maintainable software, and is often associated with methods for the development of information systems together with automated tools that can be used in the software development process.

When we release our software as open source, we do what?

Options are :

  • Release the software, but not the code.
  • Release the code and the software. (Correct)
  • Release neither the software nor the code.
  • Release the code, but not the software.

Answer : Release the code and the software.

Explanation Open source: We release the code publicly, where it can be tested, improved and corrected, but this also allows attackers to find the flaws in the code.

What do we release when we want users to test our software, but we are disabling key features of the software?

Options are :

  • Cripple ware. (Correct)
  • Shareware.
  • Freeware.
  • Bloatware.

Answer : Cripple ware.

Explanation Cripple ware: Partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality.

We are looking at SDLC project management software development methodologies. Which of these is NOT one of them?

Options are :

  • Waterfall.
  • Agile.
  • Sashimi.
  • Bottom-up. (Correct)

Answer : Bottom-up.

Explanation Waterfall, Agile and Sashimi are all SDLC methods; bottom-up is not.

Which Agile software development methodology makes use of a master?

Options are :

  • XP.
  • Scrum. (Correct)
  • Spiral.
  • Sashimi.

Answer : Scrum.

Explanation Scrum master: Facilitates and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables. Not a traditional team lead or project manager, but acts as a buffer between the team and any distracting influences. The scrum master ensures that the Scrum framework is followed.

At a meeting with project stakeholders and sponsors, Bob gets asked how a relational database is structured. From these choices, what should Bob answer?

Options are :

  • A hierarchy model.
  • An object model.
  • Star schema model.
  • Tables with rows and columns. (Correct)

Answer : Tables with rows and columns.

Explanation Relational model: Organizes data into one or more tables (or relations) of columns and rows, with a unique key identifying each row. Rows are also called records or tuples. Generally, each table/relation represents one entity type. The rows represent instances of that type of entity and the columns represent values attributed to that instance.

Each row in a relational database is called a/an:

Options are :

  • Tuple. (Correct)
  • Attribute.
  • Relation.
  • Schema.

Answer : Tuple.

Explanation Relational model: Rows are also called records or tuples. Generally, each table/relation represents one entity type. The rows represent instances of that type of entity and the columns represent values attributed to that instance.

When we check our databases for integrity, we notice a value that is not consistent with the attribute data type. Which type of integrity failure is this?

Options are :

  • Referential integrity.
  • Semantic integrity. (Correct)
  • Entity integrity.
  • Formatted integrity.

Answer : Semantic integrity.

Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

An artificial neural network (ANN) tries to emulate a brain. Which of these is NOT TRUE about ANNs?

Options are :

  • They can analyze images they know a fact about, e.g. "gecko" or "no gecko"; the more images they process, the better they become at recognizing the fact.
  • They are mostly used in areas that are difficult to express in a traditional computer algorithm using rule based programming.
  • They are organized in layers, different layers perform different transformations on their input.
  • They use rule based programming and a lot of IF/THEN statements. (Correct)

Answer : They use rule based programming and a lot of IF/THEN statements.

Explanation ANNs do not use IF/THEN statements.

We use the DNS protocol every day, but what does it do?

Options are :

  • Assign IP addresses to our hosts.
  • Translates server names into IP addresses. (Correct)
  • Prevents ARP poisoning.
  • Allows users to securely browse the internet.

Answer : Translates server names into IP addresses.

Explanation DNS (Domain Name System): Translates server names into IP addresses; uses TCP and UDP port 53. A server name can get translated into an IPv4 address or an IPv6 address such as 2607:f8b0:4007:80b::200e, depending on the requester's IP.

Jane has been tasked with implementing multifactor authentication for our organization. The request from senior management is to make it secure, but also to protect employees' privacy and not inadvertently record something that could reveal private employee health information. What would be some good reasons to NOT use biometric authentication in Jane's implementation?

Options are :

  • It can reveal private employee information. (Correct)
  • It is wrong more often than not.
  • Biometrics often change.
  • Biometrics are easily copied.

Answer : It can reveal private employee information.

Explanation Something you are - Type 3 Authentication (Biometrics): Can inadvertently breach our employees' privacy. Some fingerprint patterns are related to chromosomal diseases. Iris patterns could reveal genetic sex; retina scans can show if a person is pregnant or diabetic. Hand vein patterns could reveal vascular diseases. Most behavioral biometrics could reveal neurological diseases, etc.

We are thinking about implementing biometrics throughout our organization. Which of these are reasons we should consider for NOT implementing biometrics? (Select all that apply).

Options are :

  • We can't reissue new biometric credentials if we are compromised. (Correct)
  • Biometrics can reveal personal health information. (Correct)
  • It is very expensive compared to other authentication methods. (Correct)
  • Biometrics are easy to replicate for an attacker.
  • It is a very new field and the technology is not very good.

Answer : We can't reissue new biometric credentials if we are compromised. Biometrics can reveal personal health information. It is very expensive compared to other authentication methods.

Explanation Biometrics can be very effective if implemented right, but it does have some risks we need to be aware of. We can't reissue new biometrics; it is possible to learn about genetic diseases, pregnancy and other personal information from some biometrics; and it is more expensive to implement than type 1 and type 2 authentication.

What is Mandatory Access Control (MAC) based on?

Options are :

  • Labels and clearance. (Correct)
  • The discretion of the object owner.
  • The job role of the user.
  • IF/THEN statements.

Answer : Labels and clearance.

Explanation MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

Jane is implementing Active Directory throughout our organization. She wants all the domains to trust each other; which type of domain trust should she implement?

Options are :

  • Two-way trust.
  • Intransitive trust.
  • Transitive trust. (Correct)
  • One-way trust.

Answer : Transitive trust.

Explanation Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.

We are implementing new access control in our organization. If we look at the IAAA model, what could we use for authentication?

Options are :

  • Their username.
  • A password. (Correct)
  • Role based access control.
  • Non-repudiation.

Answer : A password.

Explanation Authentication: Something you know - Type 1 Authentication (passwords, pass phrases, PINs etc.). Something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on PC etc.). Something you are - Type 3 Authentication (Biometrics) (fingerprint, iris scan, facial geometry etc.).

A disgruntled former employee of our organization is trying to break the password of one of our administrator accounts. He is using a keylogger; how does he do that?

Options are :

  • He uses the entire key space.
  • He uses full words often with numbers at the end.
  • He uses precompiled hashes to compare the password hash to.
  • He has software installed on a computer that records all keystrokes. (Correct)

Answer : He has software installed on a computer that records all keystrokes.

Explanation Keylogging (Keystroke logging): A keylogger is added to the user's computer and records every keystroke the user enters. Software: a program installed on the computer. The computer is often compromised by a Trojan, where the payload is the keylogger or a backdoor. The keylogger calls home or uploads the keystrokes to a server at regular intervals. Hardware: attached to the USB port where the keyboard is plugged in. It can either call home or needs to be removed to retrieve the information.
