You are on page 1 of 12

10. Which one of the following statements about the information security architecture is least likely to be correct?
A. It provides a framework for producing high level policy statements and strategies, detailed specifications, guidelines, standards and job descriptions.
B. It describes the form, appearance, function and location of information security processes.
C. It provides a common basis for the design, development, implementation and management of the information security process.
D. It provides the basis on which the enterprise's technology architecture will be selected and implemented.
Answer: D

11. The security administration effort will be greatly reduced through the deployment of which one of the following techniques?
A. Role-based access control.
B. Access control lists.
C. Discretionary access control.
D. Mandatory access control.
Answer: A
Role-based access control is correct because it separates individuals from roles and ties access to specific roles. This reduces the security administration effort when individuals change positions within the enterprise. The other answers are normally associated with the identity of individuals, creating a much more challenging administration environment.

12. At what stage during the system development life cycle would the verification of controls take place?
A. Solution definition.
B. Construction.
C. Implementation.
D. Post-implementation.

Answer: B
During the Construction phase testing takes place. This is when controls would be verified. The other phases are inappropriate times for verification.

13. When is the prototyping approach to system development most appropriate?
A. When the solution is obtained from a reputable vendor.
B. When the solution is technically complex.
C. When the solution is developed by inexperienced staff.
D. When the solution's functional specification is not clear.
Answer: D
"When the solution is obtained from a reputable vendor" is incorrect since the functionality is already fixed. "When the solution is technically complex" is incorrect as prototyping would be an inefficient way to solve technically complex issues. "When the solution is developed by inexperienced staff" is inappropriate as inexperienced staff will battle with the loose development style associated with prototyping. "When the solution's functional specification is not clear" is correct because prototyping specifically addresses a step by step development process, checking the user requirement all the way.

14. In planning for physical security, a series of barriers at different points may be considered. Each level of physical protection should have:
A. A defined security perimeter with consistent protection.
B. A published statement of activity within each perimeter.
C. Colour coded documentation for each protection level.
D. Different points of entry to distribute the risk of penetration.
Answer: A
"A defined security perimeter with consistent protection": security is as good as the weakest link. The other answers all have the opposite condition as being true.

15. Which one of the following items would be a key deliverable from the project planning phase of the security implementation plan?
A. Detailed description of business processes and data model.
B. Initial security rating for availability, confidentiality and integrity requirements.
C. Description of the system-specific controls to be developed.
D. Definition of tests to be carried out on all controls.
Answer: B
During the project planning phase it is most likely that only provisional information is available, like initial security ratings. During later phases business process modeling, identification of system-specific controls and testing would be performed.

16. What would be the main objective of enforcing a clear desk policy?
A. Reduced risk of being a fire hazard.
B. Avoiding unauthorized access.
C. Proper documentation control.
D. Security workflow procedure.

Answer: B
"Reduced risk of being a fire hazard" is partly true, but not the main objective. "Avoiding unauthorized access" is correct as it reduces the risk of unauthorized access to information. The others are inappropriate answers.

17. Baseline security controls can be used best for which one of the following activities?
A. Securing unstable environments.
B. Detailing security implementation tasks.
C. Strengthening security standards.
D. Establishing a corporate security policy.
Answer: C
"Strengthening security standards" is correct as the baseline sets the common level of standards that is typically attained. It is a way to quickly get going with security implementation. Unstable environments would need careful assessment and specific controls identified. Detailing security implementation tasks or first defining policy are more thorough, but time consuming, approaches.

18. The best justification for the implementation of baseline security controls is which one of the following?
A. Supplied by vendors.
B. Designed by experts.
C. Successful practice.
D. Comprehensive nature.
Answer: C
"Successful practice" is correct as baseline controls are based on good practice. They are not sourced from vendors or experts. Baseline controls are not intended to be comprehensive.

19. Reports received from vulnerability scans often serve as a wakeup call for management. Network vulnerability scanners are useful for all except one of the following; which one is the exception?
A. Operating system vulnerabilities have been detected.
B. A host is free of any introduced back doors.
C. Recommended OS patches have been applied.
D. Bugs that may be exploited have been identified.
Answer: B
"Operating system vulnerabilities have been detected": vulnerability scanners do this. "A host is free of any introduced back doors": scanners provide no assurance whatsoever that a host is free of introduced back doors. A methodical examination of the hosts for evidence of hostile activity and trojanised system executables is required. "Recommended OS patches have been applied": vulnerability scanners detect missing patches. "Bugs that may be exploited have been identified": vulnerability scanners detect instances where known bugs have not been repaired.

20. Which one of the following actions tends to have the highest payoff during the detection stage of dealing with a security incident?

A. Taking time to analyze anomalies.
B. Focusing only on the material items.
C. Reviewing vulnerabilities of any previous risk assessments.
D. Making use of penetration tests.
Answer: A
Sometimes very small symptoms indicate that an incident is in progress. An attack on US computers was discovered because of a 75c anomaly in computer usage charges.

21. Once the incident response team has been selected and trained, the first point of the incident response process to test would be which one of the following?
A. Team members' knowledge of what to do.
B. The review of system logs.
C. The qualifications of the team members.
D. Users' knowledge of who to call.
Answer: D
A key and often overlooked step in incident response is knowing who to call. Thereafter the other activity would follow.

22. Which one of the following would you perform first to ensure the execution of response and recovery plans will be as required?
A. Review of archived logs.
B. Penetration tests.
C. Vulnerability tests.
D. Calculate annual loss expectancy.
Answer: C
Response and recovery should be planned around a vulnerability assessment. The others are incorrect. Logs simply provide a historical view, penetration tests highlight specific weaknesses, and the annual loss expectancy, if used for anything, provides a feel for what is a reasonable cost to incur.

23. Which one of the following actions tends to have the highest payoff during the detection stage of dealing with a security incident?
A. Immediately deleting all sensitive data.
B. Promptly taking a full backup of the system under attack.
C. Removing potentially dangerous user privileges.
D. Using anti-virus software.
Answer: B
An attacker will try to erase or corrupt evidence of an attack. Taking a backup may result in evidence being retained for analysis and legal purposes.

24. The development of a computer emergency response team is favoured because of which one of the following reasons?
A. It lowers the budget.
B. Enables better coordination.
C. Frees up users from this responsibility.

D. Solves staffing issues.
Answer: B
Typically, it requires a good/big budget. It does result in better coordination as dedicated persons can build relationships as appropriate. It does not free up users from their responsibilities, rather it helps users. Staffing issues can only be solved if the correct staff can be employed. This is often not the case.

25. A reciprocal agreement as a business continuity plan would be MOST appropriate in which one of the following scenarios?
A. Two companies in the same neighborhood.
B. Two similar branches of the same company.
C. Two companies with the same IT vendor.
D. Two companies already networked together.
Answer: B
Two similar branches will have many things in common. This makes a reciprocal agreement a suitable option. This is not the case in the other instances as the computing requirements are likely to be very different.

26. When deploying a honeypot to monitor hacker activity, where should the honeypot be located?
A. Inside the corporate firewall.
B. On a separate network segment.
C. On the same network segment.
D. Between the Internet and the DMZ.
Answer: C
Honeypots must look as realistic targets as possible. Therefore they should be where the hacker expects to find them. Anywhere else could look suspicious.

27. Which one of the following types of backups is going to be of most use for forensic purposes?
A. Tape archive of files.
B. Dump of file system.
C. Device to device copy.
D. Dump of memory store.
Answer: C
Device to device copy reads data block-by-block, thereby also copying deleted files. This is the most effective approach for forensic purposes.

28. What is an advantage of anti-virus software schemes based on change detection?
A. It has a good chance of detecting current and future viral strains.
B. It has the highest probability of avoiding false alarms.
C. It has good protection against software infections.
D. It has to be updated less frequently than activity monitors.
Answer: A

29. When selecting antiviral software one of the most important features to consider is which of the following?
A. The quality of the antiviral software's GUI.
B. The number of actual viruses the software can detect.
C. The inclusion of dis-infection features in the software.
D. The environment in which the antiviral software will run.
Answer: D
The actual environment is most important in choosing an anti-virus strategy. "The quality of the antiviral software's GUI": false, GUIs are not very important. "The number of actual viruses the software can detect": false, this can be a misleading statistic. "The inclusion of dis-infection features in the software": false, the detection ability is more important.

30. A proactive and practical technique for protection against malicious code is which one of the following?
A. Prohibit the downloading of program code.
B. Filter downloaded program code for key words.
C. First execute downloaded programs in a "sandbox".
D. Permit code to be downloaded only from trusted sources.
Answer: C
This is the only practical solution.

31. Which of the following is a typical target in a denial of service attack?
A. Programming flaws in a network stack.
B. Programming flaws in an application system.
C. Programming flaws in a call centre.
D. Programming flaws in a browser.
Answer: A
"Programming flaws in a network stack" is the only correct answer, as denial of service is a network based attack.

32. Which of the following is the BEST countermeasure to denial of service attacks?
A. Firewall
B. Content filter
C. Smart router
D. Modem
Answer: C
Identifying and controlling the source of traffic severely restricts denial of service attacks. More so than simply strengthening the door!

33. Which one of the following is most likely to have contributed to the success of many denial of service attacks?
A. Poor system administrator knowledge.
B. Poor design of firewall technology.
C. Poor quality control in system design.

D. Poor audit testing and review techniques.
Answer: A
Poorly trained staff, leading to poor configuration and administration, is the most frequent problem. The other options are less likely to be problematic.

34. There are many forms of denial of service attacks but the objective is the same: make sites unavailable through heavy congestion or consumption of the victim's processing resources. Which one of the following countermeasures is the most difficult to implement?
A. Block the attack at the source.
B. Harden network security.
C. Impose state limits on servers.
D. Spread a site across multiple ISPs.
Answer: A
Identifying and preventing an attack is the most difficult change. Techniques used to attack specifically mislead one about the source. Each of the other steps is much more tangible to perform.

35. Which one of the following individuals should be the leader of the Emergency Response Team?
A. An executive manager.
B. The IS manager.
C. The business manager most affected.
D. A specifically trained manager.
Answer: A
Business continuity planning includes, amongst other activities, two important components: decision making and handling a crisis. Most decisions should be thought out in advance. Hence a person specifically trained to manage a crisis, with the right information, would be the best leader.

36. Why should the environmental control devices, alarms and control procedures be evaluated as part of the business continuity planning exercise?
A. To determine what environmental controls are required at the fallback site.
B. To determine if they adequately address all of the potential threats to the environment.
C. To develop a business continuity plan for these support services.
D. To check that they are in good working order.
Answer: B
An important part of business continuity planning is taking preventative steps. Environmental control devices would be a preventative step.

37. A petroleum company whose greatest assets are its data regarding where crude oil deposits are located has its data stored on databases on its subnets located around the world. Assume countermeasures to the known vulnerabilities are in place, except that in reality patching systems is a slow and disjointed process and several vulnerabilities are being exploited. Which one of the following is likely to be the first incident response step?
A. Perform penetration tests and determine the steps necessary to penetrate these systems.
B. Review the latest risk assessment and establish whether current countermeasures are adequate.
C. Understand as much as possible about the systems in use, including how they could be compromised.
D. Perform a vulnerability assessment for the assets in question.
Answer: C
Common practice is to start with gaining a proper understanding of the systems and then determining how incidents that could occur can be dealt with. Irrespective of the extent of any vulnerability, a determined hacker will breach the security. Risk assessments date quickly and therefore countermeasures can quickly become obsolete and consequently breached. Penetration tests provide evidence of the weaknesses that exist and are most useful to prove the vulnerability that has been identified. Both of these highlight the existence of weaknesses and are therefore useful, but not the first step.

38. Using a methodology to respond to security incidents is generally considered by experienced professionals to be which one of the following?
A. Too slow for situations that are dynamic in nature.
B. Imposes structure and organization to the situation.
C. Inhibiting to experienced security professionals.
D. Unnecessarily expensive for the majority of incidents.
Answer: B
Pandemonium can and does often occur very quickly when security-related incidents happen. Simultaneous incidents are more often the case. Therefore a methodology helps prevent the situation getting out of control, even for seasoned professionals. A methodology often includes the use of proven tools that result in greater efficiency and ultimately a lower cost.

39. Using a methodology to respond to a security related incident is almost an absolute requirement for legal considerations. The most obvious being which one of the following?
A. Adherence to statutory audit requirements.
B. Demonstrating due care.
C. Data protection law.
D. Working with law enforcement agencies.
Answer: B
Adopting a reasonable and responsible set of measures to guard against harm will constitute due care and avoid a possible lawsuit for incompetence in dealing with an incident.

40. The most obvious and greatest benefit to incident response efforts comes from which one of the following?
A. Annual loss expectancy total.
B. Qualitative analysis of threats.
C. Vulnerability assessment.
D. Penetration testing.
Answer: B
The ALE total is the total cost associated with each source of risk and its probability of occurrence. This total may be of interest when preparing the budget, but cannot be directly linked to incident response efforts. The qualitative analysis of threats is an intuitive view of the outcome of various sources of threat. Knowing the kinds of incidents that will be of greatest consequence will be of benefit to incident response efforts. A vulnerability analysis is used to determine how easily security can be breached. This provides data about risk. Penetration testing is used to provide tangible evidence of vulnerabilities and the degree of difficulty in exploiting these.

41. Which one of the following is a frequent reason given for the failure of Incident Response initiatives?
A. Funding.
B. Knowledge.
C. Personnel.
D. Time.
Answer: A
Responding to security incidents is not cheap and underfunding is cited to be a common problem. Knowledge is generally available from various sources including the Internet. With knowledge personnel can be trained. Time is a function of availability of knowledgeable people.

42. With which one of the following organizational units is an Incident Response function most likely to clash?
A. Internal Audit.
B. Operations.
C. Information Security.
D. Systems Programming.
Answer: B
Operations are most likely to be negatively affected by an Incident Response team. The impact on the others will be far less.

43. Advance planning and preparation for incident response can be enhanced by which one of the following activities?
A. Historical records of loss.
B. Penetration testing.
C. Risk analysis.
D. Archived system logs.
Answer: C
Historical records and archives only tell one about the past. Penetration testing will highlight specific weaknesses. But risk analysis will create a perspective of the threats and the vulnerability of the enterprise to these threats.

44. A reasonable security strategy to deal with hackers has in current times evolved to focus and rely more on which one of the following activities?
A. Risk analysis.
B. Control implementation.
C. Vulnerability tests.
D. Intrusion detection.
Answer: C

A determined hacker will breach security, even if the perceived risk is low. Intrusion detection will enable immediate response to a breach that otherwise may have been overlooked.

45. Security incidents are complex and time consuming to address. Which one of the following is considered the most efficient approach?
A. Prepare an incident response methodology.
B. Prepare responses before an incident actually occurs.
C. Only respond after an incident actually occurs.
D. Prepare the response only after the incident occurs.
Answer: B
Security incidents are complex and time consuming to address. Preparing before an incident occurs is considered the most efficient approach.

46. When conducting forensic examinations, which one of the following would be best?
A. Working with the actual data files as stored on the hard disk.
B. Working with a copy on the actual computer's hard disk.
C. Creating a test bed of data on the actual computer's hard disk.
D. Creating a copy of the actual data files on a test computer's hard disk.
Answer: D
Working with the actual data files will destroy the evidence. Working with the actual hard disk will also destroy evidence. Therefore D is the solution as it requires a copy to be taken and used for the investigation. The investigation should never use the actual media, which should be kept securely as evidence.

47. An investigator must have the necessary authority to conduct a forensic investigation. What would be the normal basis of the authority derived to carry out these investigations?
A. Acceptable use policy.
B. Data protection standards.
C. Information security directive.
D. Employee permission.
Answer: A
By setting policy on what is acceptable and what is inappropriate, the employer has the right to track down inappropriate use. The other options are inappropriate for a smoothly run forensic capability.

48. When gathering computer evidence which one of the following is good advice to the person conducting the forensic review?
A. Make printouts of all data files.
B. Document everything you do.
C. Focus on the big files first.
D. Printout the computer's table of contents.
Answer: D

49. When a person wishes to transmit an encrypted message, whose key is used?
A. The sender's public key is used to encrypt the message.
B. The recipient's public key is used to encrypt the message.
C. The sender's private key is used to encrypt the message.
D. The recipient's private key is used to encrypt the message.
Answer: B
No one other than the owner ever has access to the private key. For encryption the recipient's public key is used so that only that person can decrypt the message.

50. What is the benefit of penetration tests?
A. Determine the risks the enterprise is currently facing.
B. Provide evidence of the vulnerability that has been identified.
C. Establish the skills necessary to penetrate the security mechanism in place.
D. Understand the suitability of countermeasures implemented.
Answer: B
Penetration testing is designed to test known weaknesses in computer systems. It is less effective for unknown threats. Therefore it is best used to gather evidence about known vulnerabilities.
