
Lesson/Domain 10: Operations security

Quiz questions
1. Which of the following controls might force a person in operations into collusion
with personnel assigned organizationally within a different function for the sole
purpose of gaining access to data he is not authorized to access?
a. Limiting the local access of operations personnel
b. Enforcing auditing
c. Enforcing separation of duties
d. Limiting control of management personnel

2. Which of the following is not an attack that the operations department usually
has to be concerned with?
a. Brute force
b. Denial of service
c. Buffer overflow
d. Known plaintext attack

3. There are several ways of truly erasing data from different types of media.
Which is not a method of secure media sanitization?
a. Deleting a file from a hard drive
b. Degaussing
c. Overwriting
d. Physical destruction

4. Which of the following security practices is often compared to the prudent
person concept?
a. Least privilege
b. Man-in-the-middle
c. Due care
d. Proximate causation

5. Which is not true regarding authorization creep?
a. Typically occurs when employees transfer to new departments or change
positions
b. Is a violation of least privilege
c. Enforces the need-to-know concept
d. Is the tendency of users to request additional privileges but seldom ask for
them to be taken away

6. A senior member of the IT programming staff, who has been loyal and is
extremely valuable, is suspected of fraud by a vice president. But the executive
has no proof and does not want to make unfounded allegations. What operations
control would be best to identify whether the programmer is committing fraud?
a. Separation of duties
b. Mandatory vacation
c. Least privilege
d. Need-to-know

7. Reviewing audit logs is an example of what type of security control?
a. Deterrent
b. Detective Physical
c. Detective Technical
d. Preventive Technical

8. Which of the following controls are used to amend a situation after an attack has
occurred or vulnerability has been identified?
a. Deterrent
b. Corrective
c. Preventive
d. Recovery

9. A reservationist at a travel agency is allowed to commit two mistakes per month
without consequence. An automated system tracks these errors and alerts
appropriate personnel when this limit is exceeded. What is the limit referred to as?
a. Clipping level
b. Maximum tolerable downtime
c. Proximate causation
d. Due care

10. Operations departments should back up data in all of the following situations
except which?
a. Once per year
b. Immediately following a reorganization
c. After a system upgrade
d. For authorized on-demand requests

11. An operations control that identifies potential fraudulent activity by requiring
different personnel to switch job functions on a regular basis is called
_______________.
a. Mandatory vacation
b. Need-to-know
c. Separation of duties
d. Job rotation

12. Generating magnetic fields to erase the content on a type of media is called what?
a. Sniffing
b. Degaussing
c. Wiretapping
d. Magnetizing

13. If a company has been contacted because its mail server has been used to spread
spam, what is most likely the problem?
a. The internal mail server has been compromised by an internal hacker.
b. The mail server in the DMZ has private and public resource records.
c. The mail server has e-mail relaying enabled.
d. The mail server has SMTP enabled.

14. Giving Tier I network technicians read-only access to border routers is an
example of ____________.
a. Biba model concept
b. Separation of duties
c. Least privilege
d. Due care

15. A tool used to detect penetration of a computer system and to identify misuse is
called ____________.
a. Audit trail
b. Documentation
c. Security policy
d. Security model

Answers
1. A
If operations personnel are limited in what they can access, they would need to
collude with someone who actually has access to the resource in order to reach data
they are not authorized to see. This is a very painful question in the way that it is
written, but very close to the way many CISSP exam questions are formatted.

2. D

The first three are attacks that can directly affect security operations, but known plaintext
attack is an attack against cryptography used in the environment, not a direct attack on
operations.

3. A
Permanently erasing the contents of a medium is called sanitization. Just
deleting a file does not mean that the data is actually erased. Deletion only
removes the file's directory entry and marks its blocks as free; the data stays
on the medium until the operating system happens to reuse those blocks. There
are several ways to accomplish sanitization:
Degaussing: Erasing data magnetically. This only works on magnetic media; it
has no effect on flash-based storage such as SSDs and USB drives.
Overwriting: Replacing old content with new content. This is also called
zeroization when the new contents contain null values. Note that on SSDs and
copy-on-write file systems an in-place overwrite of a file may never reach the
physical blocks that held the original data, so a firmware-level secure erase or
physical destruction is preferred there.
Physical destruction: If the medium cannot be properly sanitized, it must
be destroyed.

4. C
A prudent person is responsible, careful, cautious and practical. This is a legal
concept used to determine if individuals or companies are liable for specific
types of activities. Companies are required to execute due care in order to
protect the security of the business and the employees.

5. C
Authorization creep is the process of an individual continually gaining
privileges or rights that are not necessary to perform his job function. This is
commonly caused by employees moving from one role to another role within
an organization and continually obtaining more rights. This results in
employees having too many rights, which is a risk to a company.
Authorization creep violates both the least privilege and need-to-know
concepts.

6. B
Enforcing the mandatory vacation control is the best option for the vice
president. This will allow another person to perform the job function and
identify potential fraud while the original programmer is on vacation. The
good thing about mandatory vacations is that executives can spin it in a
positive light: telling an employee to take a vacation can usually be
interpreted in a positive way. Instituting a job rotation, on the other hand, may
alert the programmer to the executive's suspicion.

7. C
Detective controls help to identify breakdowns in access controls. Reviewing
audit logs is one example of a type of technical detective control. For
example, a security professional who reviews a long distance telephone billing
sheet in an operations center can uncover potential fraud by operations
employees.

8. B
Corrective controls are used to fix a problem. For example, when it is
determined that an unauthorized user gained access to a network segment, a
corrective control would address the access control vulnerability that allowed
the user access.

9. A
Clipping levels are thresholds that indicate the number of acceptable user
errors or anomalies. The reason a clipping level is set is to notify security or
management when innocent mistakes become routine enough to suspect
fraudulent behavior.

10. A
Backing up data is critical within operations organizations. The most
important step to take is to create a backup plan. This will detail when and
what to back up, as well as where to store the files. Even though each entity
will require a different backup schedule, it is not realistic to provide proper
data security when only backing up data once per year.

11. D
Job rotation is the correct answer. It moves personnel through different job
functions on a schedule, which means more than one person is trained for each
job and whoever takes over a role has the opportunity to notice fraud that the
previous holder was concealing. Separation of duties, by contrast, ensures that
one person is not solely responsible for a critical task.

12. B
Degaussing erases magnetic media by exposing them to a strong, varying
magnetic field that scrambles the magnetic domains holding the recorded data.
It applies only to magnetic media such as tapes, floppies and hard disk
platters; it does nothing to flash-based storage. On modern hard disks it also
wipes the factory servo tracks, so a degaussed drive is generally not reusable.

13. C
Spammers scan the Internet for mail servers that have relaying enabled and are
wide open (open relays), meaning the server will forward any e-mail message it
receives regardless of sender or recipient. These servers are shared among many
different spammers to hide the true origin of the spam and end up on blacklists,
which then blocks the legitimate mail of the organization that owns them. The
fix is to relay only for authenticated clients or trusted internal networks and
to accept unauthenticated mail only for the server's own domains.
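The open-relay misconfiguration from question 13 beside its restricted form, as an added example that is not part of the original quiz. The relay decision is modelled as a Python function; the local domain, trusted network and the sample client addresses are constructed for illustration. The comment in the restricted policy names the equivalent Postfix setting.

```python
import ipaddress

# Added example, not from the quiz. Minimal SMTP relay policy decision.
# All domains, networks and client addresses below are constructed.

LOCAL_DOMAINS = {"example.com"}                      # domains this server accepts mail for
MY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # trusted internal client networks


def relay_open(client_ip, authenticated, rcpt):
    """The misconfiguration in question 13: forward anything for anyone."""
    return True


def relay_restricted(client_ip, authenticated, rcpt):
    """Accept inbound mail for our own domains from any client, but relay to
    other domains only for trusted networks or SMTP AUTH clients.
    Postfix equivalent: smtpd_relay_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_destination"""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True                                   # inbound delivery, not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return True                                   # internal host sending outbound
    return bool(authenticated)                        # roaming user with credentials


# Constructed sample sessions: (client_ip, authenticated, recipient)
SAMPLES = [
    ("203.0.113.7", False, "victim@other.net"),      # external spammer relaying outbound
    ("203.0.113.7", False, "alice@example.com"),     # external sender delivering to us
    ("10.1.2.3", False, "partner@other.net"),        # internal host sending outbound
    ("198.51.100.9", True, "partner@other.net"),     # remote employee using SMTP AUTH
]


def evaluate(policy):
    """Run every sample session through `policy`; return the accept/reject list."""
    return [policy(ip, auth, rcpt) for ip, auth, rcpt in SAMPLES]


if __name__ == "__main__":
    for name, policy in (("open", relay_open), ("restricted", relay_restricted)):
        print(name, evaluate(policy))
```

Only the first sample changes between the two policies: the spammer's outbound relay is refused, while inbound mail, internal senders and authenticated remote users are unaffected.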

14. C
Least privilege ensures that individuals have permissions to only what is
required to do their job and no more. In this question, Tier I technicians would
only need read access to network devices. Having the ability to make changes
to a border router would violate the least privilege policy.

15. A
Audit trails are effective tools and are considered detective-technical controls.
They can be used to display commands that have been entered into a system,
authentication attempts into a network, or systems and files that have been
accessed or modified.
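Audit-log review (questions 7 and 15) combined with a clipping level (question 9), as an added example that is not part of the original quiz: the script parses a constructed audit trail, counts erroneous or failed actions per user per calendar month, and reports every user-month that exceeds the tolerated number of mistakes. The log format, user names and actions are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Added example, not from the quiz. Clipping-level detection over an audit
# trail. The log lines below are constructed; "result=OK" entries are the
# normal activity the audit trail also records but the clipping level ignores.

CLIPPING_LEVEL = 2  # mistakes tolerated per user per month, as in question 9

AUDIT_LOG = """\
2023-03-02T09:14:05 user=bob action=booking.modify result=ERROR
2023-03-03T10:02:11 user=bob action=booking.cancel result=OK
2023-03-09T16:40:59 user=bob action=booking.refund result=ERROR
2023-03-21T11:05:30 user=bob action=booking.refund result=ERROR
2023-03-22T08:00:01 user=alice action=login result=FAIL
2023-03-22T08:00:09 user=alice action=login result=FAIL
2023-03-22T08:00:15 user=alice action=login result=OK
2023-04-01T12:00:00 user=bob action=booking.modify result=ERROR
"""


def parse(line):
    """Turn '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def error_counts(log_text):
    """Count ERROR/FAIL results per (user, 'YYYY-MM')."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec.get("result") in ("ERROR", "FAIL"):
            counts[(rec["user"], rec["ts"].strftime("%Y-%m"))] += 1
    return dict(counts)


def exceeded_clipping_levels(log_text, level=CLIPPING_LEVEL):
    """Return {(user, month): count} for every user-month above the level.
    Counts at or below the level are treated as innocent mistakes."""
    return {k: v for k, v in error_counts(log_text).items() if v > level}


def alerts(log_text, level=CLIPPING_LEVEL):
    """Human-readable alert lines for the personnel named in question 9."""
    return [f"ALERT user={u} month={m} errors={n} clipping_level={level}"
            for (u, m), n in sorted(exceeded_clipping_levels(log_text, level).items())]


if __name__ == "__main__":
    for a in alerts(AUDIT_LOG):
        print(a)
```

On the constructed log, bob exceeds the level in March (three errors) but not in April (one), and alice's two failed logins stay within it; the alert therefore names only bob for 2023-03.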
Return to SearchSecurity.com's Security School for CISSP training:

CISSP Essentials library:
http://www.searchsecurity.com/CISSPessentials

Class 10 briefing:
http://www.searchsecurity.com/Class10spotlight
