CISSP Exam Prep Questions, Answers & Explanations


If you are looking to complete your CISSP certification training and pass with flying colors, the following exam questions will help you prepare in the best possible way:

Question 1. In discretionary access environments, which of the following entities is authorized to grant information access to other people? He has total control over the file, including the ability to set permissions for that file.

Question 2. Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control? MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.

The other answers may seem relevant to some test takers and may confuse them. Below is the explanation for the incorrect answers: this access control can be applied using rules, ACLs, capability tables, etc. In fact, using descriptive names such as your company name would make you a more likely target in some cases. The SSID is sent in clear text within the packets. It is not in any way, shape or form a security mechanism. Fiber optic is immune to the effects of electromagnetic interference.

It is very hard to tap into and has a much longer effective usable length than any other cable type. The primary drawbacks of this cable type are its cost of installation and the high level of expertise needed to have it properly terminated. Question 5.


The data link layer (layer 2) is the second layer of the seven-layer OSI model of computer networking. You need to prepare yourself by studying hard and seeking the right guidance. QuickStart, with its nearly three decades of experience in the field of IT and technical training, can provide you the right guidance and offer you the perfect platform to launch your career. Dennis is a passionate individual with eight years of experience in the industry. He loves working with organizations large and small, helping them train their technology teams.

He specializes in DevOps training and has helped a number of organizations turn their IT teams into game-changers.


The best preparation guides and study books: here are some of the top study and preparation guides. Miller and Peter H.

CISSP Community on Reddit: Reddit is a social media site where members can submit content, participate in discussion boards, rank content and more.

A - A hash value that was encrypted with a sender's private key is called a digital signature.

Since Ray has encrypted the hash value with his private key, Ron will have to decrypt the message with Ray's public key and compare it to the hash value that he got when he performed the hashing function on the message. A - A honeypot is a system that attempts to lure attackers away from real information and data assets.

Multiple honeypots can act together, and this is called a honeynet. D - An unlocked electric panel can easily be misused by disgruntled employees. D - The salvage team is responsible for starting work on the recovery of the original site. This team, like a restoration team, needs to know how to do many tasks such as installing operating systems, handling wiring requirements, setting up workstations, servers, etc.

C - A mandatory vacation is a policy that requires employees to take a full week, or even two full weeks, of vacation at a time each year. The theory is that any fraudulent behavior will be caught by others during that time. Criminal background checks only give a historical perspective. Sniffers and cameras are usually not sufficient to catch fraud.

C - A multipartite virus first finds its way into system memory, and then infects the boot sector of the hard drive. It then infects the entire system. B - A proactive technique that can detect malware is called heuristic detection. This is in contrast to signature-based detection (fingerprint detection), which cannot do this. A - Mature procedures or processes are usually well-documented.

D - A race condition is a situation where two or more processes use a shared resource and perform their operations in an incorrect order due to non-availability of the resource. If authentication and authorization are split into separate functions, there is a possibility that an attacker uses a race condition to have the authorization step completed before authentication. This would allow access into the system.

B - A replay attack involves an attacker grabbing traffic from a valid, legitimate session, and then 'replaying' it, giving the impression that it is valid traffic, and authenticating his session. A - A router is used when there is requirement to split up a network into collision domains and broadcast domains.

A bridge can do simple filtering to separate collision domains but not broadcast domains. A repeater can do neither. A hub is a multi-port repeater. D - Signatures are sequences of code extracted from malware by antivirus vendors. The anti-virus software has an engine that uses these signatures to identify malware. Heuristics attempt to catch unexpected behavior that is malicious even for unknown viruses and zero-day attacks. D - A signature-based intrusion detection system uses accumulated knowledge to determine if an attack is being made.

Models of known attacks are developed and these are called signatures. When an attack matches the information within a signature, the intrusion detection system takes the required action to protect the network or system. D - A simple padlock is preventative - although it may not necessarily be very effective by itself. The other choices are all detective. C - A Software Escrow is a third party who is entrusted with the final source code as a protection to both the development entity and the purchasing entity.


No other choice offers a complete solution. SANs provide the necessary redundancy and fault tolerance, apart from being extremely reliable. D - A survey of various types of data leaks has revealed that mobile devices head the list, followed by the Internet, as the single largest causes. C - A system that offers the best functionality and ease of use is one that usually has little security in place.

In contrast, a completely secure system is one that almost no one can use. In practice, a trade-off is achieved between the two extremes, based on what is acceptable. A - Three-factor authentication combines something you know (a PIN), something you have (a smartcard), and something you are (your fingerprint). This provides strong authentication. B - A trademark can be a combination of a word, name, shape, color, sound or symbol.

These can be registered to ensure that they are unique. An attacker eavesdrops on the traffic and then predicts the correct sequence numbers. He then introduces fake data packets with the correct sequence numbers. This then allows the attacker to hijack the session. D - A Type I error occurs when authorized users are rejected by the biometric system whereas Type II errors occur when unauthorized users are accepted by the system. In an ideal scenario, both types of errors should tend to zero. This practice test specifically targets your knowledge of the Security and Risk Management domain area.

One of the primary steps in a quantitative risk analysis is to determine the annualized loss expectancy (ALE). How is the ALE calculated? What is this an example of? Which of the following terms refers to a security hole that could result in an attack on a system? Before Joan can begin work at her new job, she must undergo a Criminal Background Check and participate in Security Awareness Training. What type of control are these preventative measures? Which of the following has the highest potential to be a security hazard to a company that has well-defined security procedures?

An employee who performs critical duties is fired. The Information Security Officer falls ill. Senior management plans to implement a security policy that outlines what can and cannot be done with employees' e-mail for monitoring purposes and to address privacy issues. What would such a security policy be called? Which of the following denotes the magnitude of potential losses due to a threat? Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances?

Non-enforced password management on servers and workstations would be defined as a: Information such as data that is critical to a company needs to be properly identified and classified. In general, what are the guidelines to classify data? Classify all data irrespective of format (digital, audio, video), excluding paper. Classify all data irrespective of the format it exists in (paper, digital, audio, video). Classify only data that is digital in nature and exists on the company servers, desktops and all computers in the company.

In a secure network, personnel play a key role in the maintenance and promotion of security procedures. Which of the following roles is responsible for ensuring that the company complies with software license agreements? Which of the following is not one of the ways in which risk is handled? Risk Inference. Steve is doing risk analysis as part of his company's Information Risk Management.

What can you say about the annualized rate of occurrence (ARO)? Which of the following statements is not true with respect to the relationships between threat, vulnerability, exposure, countermeasure and risk? C - A quantitative risk analysis calculates the ALE, which is the annual loss of an asset if expected threats are realized.

This value allows the company to evaluate the financial implications of potential threats. A - A Standard is non-negotiable. It must be followed to the fullest extent. A Baseline is a minimum configuration that is required across all of an organization's technology. D - A 'vulnerability' refers to a security hole that can potentially be tapped, resulting in an attack.


It is not that an attack has been made, just that the possibility exists. B - Administrative controls are preventative in nature and include background checks, drug testing, security training on the Human Resources side, and also include policies, procedures, and data classification. C - After a Risk Analysis is performed, controls may be implemented. The risk that remains and is not mitigated by the controls is called Residual Risk. A - Among these choices, the greatest risk is from an employee performing critical duties being fired.

He may be in a position to compromise security if he is disgruntled and wants to 'get back'. The other situations will be handled well since the company has well-defined security procedures in place. B - Issue-specific policies are also called functional implementing policies. They address specific issues that management feels need more explanation and attention. B - Exposure is the magnitude of losses a potential vulnerability may cost an entity, if exploited by a threat agent.

D - Guidelines are general approaches and provide the necessary flexibility to handle emergencies. Non-enforced password management on servers and workstations is a vulnerability. However, all data needs to be classified, irrespective of the format in which it exists. A - Product-line managers are responsible for ensuring that license agreements are complied with.

They are also responsible for translating business objectives and specifications for the developer of a product or solution. A - Risk Inference is not a valid way to handle Risk. Risks are usually dealt with in four ways - risk mitigation, risk avoidance, risk transference and risk acceptance. D - The annualized loss expectancy is obtained by the product of the single loss expectancy and the annualized rate of occurrence. C - A countermeasure usually mitigates a risk and not a vulnerability.

A vulnerability is just the potential possibility that a risk may occur. Which of the following choices is an easy and less expensive way to improve physical security? Security policies can be categorized as regulatory, advisory or informative. What is true of an advisory policy? An advisory policy may not describe how confidential information will be processed. An advisory policy may describe the consequences of not abiding by the rules and procedures. A Microsoft Exchange email server uses the X. What standard protocol does it use to send mail to other servers on the Internet?

Kerberos is a very effective authentication mechanism.


One of its weaknesses is that: Denial-of-service attacks can easily be launched and these severely compromise the Kerberos server. The encryption processes are based on passwords and traditional password-cracking attacks can compromise the system. The ticket-granting ticket granted by the Ticket Granting Server to a requesting resource is susceptible to interception.

Which of the following locations would be the least useful in keeping a copy of a business continuity and disaster recovery plan? Data on a server has been compromised due to a hack into the system. A forensic investigator needs to copy the data on a hard disk on the server. Which of these will be the first step to be performed as part of the process? Use a file copy method to make sure that all files including hidden and system files are copied. Ensure that a bit-level copy is performed sector by sector, using a specialized tool. Intrusion Detection Systems require human intervention to respond to alarms.

Administrators place the proxy server so that it physically resides on the local area network. When an attacker is considering attacking a networked target, what is the first thing he or she does? What is a method by which a malicious user can use a weakness in an application, operating system, protocol, or network stack called? Samantha works for an accounting firm with the responsibility of traveling to client sites to assist in SOX compliance checking.

Which of the following accurately describes this work? Jeremy is hired by a publicly traded company to perform SOX compliance checking. You are called in to advise the hospital during the planning phase. Which type of cabling would you advise the hospital to use for this center, given that cost is not a major concern? Concurrency issues within a database due to improper table locking can cause tables to be over-written with stale information.

What sort of an issue is this? Which of the following mechanisms ensures the integrity of data held within a database? What kind of a policy would a large organization typically enforce during a day period prior to New Year's day? Apply a restriction on emails and ensure that no executable file attachments are allowed entry or exit the company.

Apply a minimal restriction on emails and ensure that no image attachments (e.g. jpg, gif files) are allowed in email. Regulate all email traffic and apply a restriction on the kinds of attachments that can be allowed via email. A formally verified system design would be classified as: The process by which the credentials of one entity are established to another utilizing credentials such as passwords, one-time tokens, or PINs is known as: A key logger and remote admin tool was used to harvest passwords and the digital signature of a senior officer of a brokerage firm.

Several orders to sell were then issued without approval, all signed by the firm's digital signature. What basic goal of cryptosystems has been compromised? The process of granting privileges to an entity based upon the time of day, group membership, network address, or verification of its credentials is known as:. An important tool used in risk management is risk analysis. Which statement about risk analysis is not true? The Herzberg principle applies to qualitative risk analysis.


Which of the following access controls is based on the sensitivity of the data? This early security model was constructed mainly for the purpose of preserving the confidentiality of data. Which of the following security models does this most likely refer to? Biometric devices are among the most accurate and secure methods of authentication available. However, some users find them obtrusive and are therefore reluctant to use them.

What biometric recognition system is the most widely accepted and implemented? This security model was developed to prevent potential conflicts of interest. It employs dynamic access controls that change depending on a subject's access history. Which of the following security models does this describe? When a graph of the error rate in a biometric system is plotted against its sensitivity, the point where the false accept rate curve intersects the false reject rate curve is known as: You are currently doing a comprehensive technical evaluation of the security components within your organization.

What does this refer to? An employee of a company attempted to steal a CD disk containing confidential information. He was caught in the act by a security guard.


Which of these types of evidence would be the strongest in a legal prosecution against the employee? Corroborative evidence of the employee's action. A company encrypts a file with AES encryption. It is sent to the intended recipient via email with the password in the body of the message. If the email is intercepted, which basic goal of a cryptosystem has been compromised?

A purchasing agent is placing an order using a credit card account. The account number is on the order form. Which of the following ways would be the least secure method to complete this transaction? A security professional has been invited to be on the panel during the planning phase of constructing and setting up a data center.

Which of these would be a good suggestion from her? Construct the data center as a single room at ground level. Construct the data center as a single room in the basement. Construct the data center as a single room on the highest floor of the building to avoid break-ins. Which of the following threats can compromise data integrity? D - Adding lights is a simple and cost-effective way to prevent physical security breaches.

Bright lights generally deter intruders. Mantraps, camera systems, and bunkers are comparatively expensive solutions and require much more administrative effort. B - Advisory policies explain to employees the actions and conduct that should and should not take place within the company. These policies also describe the consequences of failing to follow the organization's rules and procedures.

A client may read mail received through one of the other protocols. However, this question revolves around how one mail server can send messages to another mail server. B - Although Kerberos is by itself a very robust authentication mechanism, its weak link lies in the fact that it uses passwords for encryption and these can be subject to traditional attacks. D - Among the choices listed, the primary facility is the least effective for storage of the business continuity and disaster recovery plans.

This is because in case of a disaster striking the facility, it may not be possible to retrieve the plans. The other choices, including keeping a copy of the plan in the BCP coordinator's home will serve the purpose. There have been instances where the media has contained prior information and was considered inadmissible in courts. B - Intrusion Detection Systems are quite expensive. The other choices listed are valid characteristics of IDSs.

C - An Access Control List (ACL) is a filter that can be configured, in this case, to drop packets that do not come from a particular source. D - An attacker will first need to know what ports are open on a system so that the attack strategy can be built from that knowledge. An attacker can also run exploitation scripts, but they will take much longer and may be of no use if a web server is not running on the target machine.

C - An exploit is a way by which a system can be altered or used without authorization for purposes other than those of the owner. A vulnerability is the possibility that exploitation might take place. A bug is a flaw in software that might cause a vulnerability to exist.

A - An external auditor is hired to assist an organization. This can take the form of an on-going contractor engagement, or a brief spot-check. C - An internal auditor works for the organization. While some auditors can also perform penetration testing, it is usually not their main job function. B - An MRI center will likely be subject to high electromagnetic emission.

Hence, only fiber-optic cabling and STP are options that can be used here among the choices given. Since cost is not a consideration, fiber-optic cabling is the preferred solution. Neither availability nor confidentiality is an issue here. D - A two-phase commit mechanism is a control used in databases that ensures the integrity of the data held within the database. The other choices are not valid. C - As a trend, it has been found that a number of new viruses are released during the holiday season prior to New Year. The vulnerability that is exploited is that many emails with attachments (not only executables) that are carriers of viruses get exchanged during the holiday season.

Having a restrictive email attachment policy helps control this to some extent. B - As the assurance levels increase, the thoroughness and testing performed increases. Thus the package where system design is verified and tested is the highest level EAL7 [Security Engineering]. D - UTP cables are not necessarily safe. It is possible to tap into the middle of UTP cables and use sniffers to capture network traffic.

A - Authentication verifies that the credentials submitted by an entity match its stored information. Often, multifactor authentication is used for better authentication. D - Authenticity means that the sender is validated and identified.


In this case, the messages were all properly sent and executed using the firm's digital signature but they were not authentic. A - Authorization allows users access to resources. It ensures that an entity has been given the necessary rights and privileges to perform requested actions. D - The Herzberg principle is not related to risk analysis. The other three are valid statements. B - Content-dependent access control is based on the sensitivity of the data. The more sensitive the data, the lesser the number of individuals who will have access to it.

A - Bell-LaPadula was created for the U.S. Military in the 1970s to protect secret information from leaking on multi-user and time-share mainframes. D - Biometrics is the science of measuring and statistically analyzing human biological characteristics. Biometric devices use a unique, measurable feature of an individual to authenticate their identity. Fingerprint scanning is widely accepted as a reliable means of human recognition and authentication, and is considered less obtrusive than other systems. B - Blowfish is considered almost unbreakable by today's computing standards.

The other algorithms were considered unbreakable when they first came up. However, increase in computing power has now rendered them breakable. B - Brewer and Nash was created to prevent conflicts of interest. For instance, an accounting firm has financial data from two companies that compete. An accountant who accesses the records of one is automatically locked away from accessing the records of the other. This method is significantly different from Bell-LaPadula, Biba, and Clark-Wilson in that the privileges dynamically adjust based upon activity.

A DMZ is a demilitarized zone and is a networking concept. D - Certification is a process that involves a comprehensive technical evaluation on the components within your organization. The overall evaluations would involve risk analysis, safeguards, verification, auditing, and other tests that are able to assess the components in question. The end goal of the certification process should be to ensure that the products, systems, or components meet the overall security requirements of the organization.

B - Certification is the process by which security components are evaluated technically for compliance with an applicable standard or policy. Accreditation is the formal acceptance by management that the system's security and functionality are adequate. The other three activities listed are done during the current state assessment phase. A - Closed-circuit TV (CCTV) systems have many components, which include cameras, transmitters, receivers, recording systems, and monitors. The camera used in a CCTV system has many characteristics that need to be taken into account.

One of these characteristics is the lens. There are two kinds of irises used in camera lenses in CCTV systems: automatic and manual. Manual lenses would be used in areas with fixed lighting, and automatic lenses are used in areas where the light changes from time to time. C - Conclusive evidence would be the strongest and would not require any corroboration. C - Confidentiality means that unauthorized users cannot access the protected information. This is not a breach in authenticity because the source was never in question. C - Courier services can be bonded. There are many laws that make tampering with U.S. Mail a federal offense.

HTTPS is a relatively secure, asymmetrically encrypted transmission. However, there is no guarantee that a fax will be picked up from the machine by the intended recipient. B - Data centers should typically be at ground level so that they can be easily accessed by emergency crews. They should also be constructed as a single room, which makes them easier to secure. The other options listed are not preferred ones. A - Data integrity is compromised when data is modified by an unauthorized person or program and its accuracy is no longer certain.

Since a virus is able to alter system files and data, it can compromise data integrity.

This practice test specifically targets your knowledge of the Identity and Access Management domain area.

A program that uses a pre-defined list of values and compares it to captured values.

A program that uses every possible input combination to try to determine a password.

You use an access card to access specific rooms within a building. In the context of three-factor authentication, which of the following does the access card represent?

Something you have.

Randy has worked in an organization for fifteen years. He has been granted access to various systems and it has never been revoked. If the company has to be compliant with Sarbanes-Oxley (SOX) regulations, at a minimum, how often does Randy's manager need to review his access permissions?

Greg is a security professional and wants to ensure that users do not access the company's HR database between 10 PM and 5 AM.

Which of the following access control mechanisms might he employ?

Alison is responsible for the security of a group of infrastructure devices. She discovers that an external attacker is using an automated password search program to try to break into the company systems. What is a simple yet effective strategy that is used to mitigate this type of attack?

Which of these access control models is most likely to be used by the United States military?

In which of the following access control models does the owner of a file have the maximum flexibility to grant another user access to a file?

When a biometric system incorrectly accepts an impostor who should not actually be granted access, what type of error is it called?

Such information would normally be classified as:

In a system governed by a multi-level security policy, a subject can access an object only when:

The security level of the subject is equal to or greater than that of the object's classification.

The security level of the subject is less than that of the object's classification.

A network administrator in a company finds that employees in the company clog the network by exchanging music and movie files. Employee A shares his directory and enables Employee B to copy the files across the network, thus using up valuable bandwidth. What kind of access control permits this to happen?

A security professional is evaluating biometric solutions for access control to a critical facility.

The junior manager of a finance department was granted access privileges to all files on the company server, including employee performance details, employee payroll details, and client feedback reports. This is a situation that should best be avoided and is termed:

You are trying to book a holiday package through a website on the internet. You log in to the holiday resort's website and are automatically able to make your airline and car rental reservations on different websites without needing to sign in again. This would be possible through:

C - A brute force attack is designed to use every possible combination when determining the correct value.

The attack keeps occurring until a combination is found. For example, if the beginning of the password is known, such as 'pass' for 'password', then the attacker will try every other possible value for the remaining characters that are missing. This could include: pass1, pass2, passaa, passAA, etc.

C - A stateful firewall uses context-dependent access control. Context-dependent access control involves using a collection of information for making access decisions.

Instead of allowing access based on the sensitivity of the data, as with content-dependent access control, a stateful firewall using context-dependent access control will review a TCP connection and ensure that all of the correct steps are followed before allowing any packets to be transmitted through the firewall.

A - Access cards, keys, swipe cards, and badges are all examples of something you have. They are physical devices that you carry on your person so that you can be authenticated when you wish to access something.

A - As per Sarbanes-Oxley regulations, managers need to review their employees' access permissions at least once a year.

C - Greg could use time-of-day access control. Off-hours and trust-based access control do not exist. Smart cards will not serve the purpose here.

C - Limiting logon attempts provides protection against dictionary and exhaustive attacks.

A threshold is set to allow only a limited number of logon attempts. Once this is exceeded, the user's account will be locked out. Password aging is meant to keep passwords fresh; it will not help against such attacks. Password checkers are used to test the strength of users' passwords, so they will not help prevent attacks. A one-time password does not serve the purpose here.

The operating system makes the final decision about fulfilling a user request to access data.

The MAC model is specifically used in the military, where confidentiality and classification of information are very important.

D - In the discretionary access control model, a user is the owner of a file if he creates it. Such a system will allow the owner to specify which other users can access the file. In other access control methods, the owner of a file does not have as much flexibility to specify who can access the file.

A Type I error occurs when a biometric system rejects an authorized individual; this is called a false rejection.

D - Financial information is usually classified as sensitive. This type of information requires special precautions to ensure the confidentiality and integrity of the data.

B - Multilevel security policies prevent information flow from a higher to a lower security level. Hence these policies permit a subject to access an object only if its security level classification is equal to or greater than that of the object.

C - Such a situation can arise in a discretionary model. Employee A will have the necessary permissions to share a directory or file with Employee B. Employee B then accesses and copies the file(s) over the network, resulting in excess traffic. In the other access control models, users do not have as much freedom to permit other users to access their files.

B - The biometric system with a crossover error rate (CER) of 3 is the most accurate system. The CER represents the point at which the false rejection rate (authorized individuals are rejected) equals the false acceptance rate (unauthorized individuals are accepted).

A lower value indicates a more accurate system. CERs of 90 and 97 will not occur in practice.

C - This is a situation called excessive privileges and is quite hard to control in larger organizations.

D - This is possible through federation, which allows a federated identity to be portable across businesses and allows the user to be authenticated across different systems and businesses.
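As an added example (not part of the original prep material), here is how a CER is derived from measured false acceptance and false rejection rates and then used to rank candidate systems; the thresholds and rates below are constructed for illustration and the system names are placeholders.

```python
"""Crossover error rate (CER) from measured FAR/FRR curves.

Each biometric system was measured at several decision thresholds; at each
threshold we recorded the false acceptance rate (FAR, impostors accepted) and
the false rejection rate (FRR, authorized users rejected), both in percent.
Raising the threshold lowers FAR and raises FRR, so the curves cross once.
"""
from typing import Dict, List, Tuple

# (threshold, FAR %, FRR %) triples, constructed for illustration only.
SAMPLE_SYSTEMS: Dict[str, List[Tuple[float, float, float]]] = {
    "system_a": [(0.1, 20.0, 1.0), (0.3, 10.0, 2.0), (0.5, 5.0, 4.0), (0.7, 2.0, 8.0)],
    "system_b": [(0.1, 15.0, 0.5), (0.3, 6.0, 1.5), (0.5, 3.0, 3.0), (0.7, 1.0, 7.0)],
    "system_c": [(0.1, 30.0, 2.0), (0.3, 18.0, 5.0), (0.5, 9.0, 9.0), (0.7, 4.0, 15.0)],
}


def crossover_error_rate(points: List[Tuple[float, float, float]]) -> Tuple[float, float]:
    """Return (threshold, CER) where FAR == FRR.

    The crossover is located between the two measured thresholds that bracket
    it and linearly interpolated; an exact measured crossover is returned as-is.
    """
    pts = sorted(points)
    for (t0, far0, frr0), (t1, far1, frr1) in zip(pts, pts[1:]):
        d0 = far0 - frr0  # positive while FAR is still above FRR
        d1 = far1 - frr1
        if d0 == 0:
            return t0, far0
        if d0 > 0 >= d1:  # the sign change brackets the crossover
            frac = d0 / (d0 - d1)
            threshold = t0 + frac * (t1 - t0)
            cer = far0 + frac * (far1 - far0)  # equals interpolated FRR here
            return threshold, cer
    raise ValueError("FAR and FRR curves do not cross within the measured thresholds")


def rank_by_cer(systems: Dict[str, List[Tuple[float, float, float]]]) -> List[Tuple[str, float]]:
    """Return (name, CER) pairs sorted ascending; the lowest CER is most accurate."""
    ranked = [(name, crossover_error_rate(pts)[1]) for name, pts in systems.items()]
    return sorted(ranked, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, cer in rank_by_cer(SAMPLE_SYSTEMS):
        print(f"{name}: CER = {cer:.2f}%")
```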

In running a backup on a system, what should the first step be?

Run a differential backup.

The company's database server contains multiple tables with customer orders. If a disaster results in the server going offline, the company would start to lose significant amounts of money after about 24 hours. What category of maximum tolerable downtime (MTD) should the server be placed in?

An information systems security professional enforces separation of duties with the intention of reducing fraud and errors.

However, this results in inflexible operations. What could the professional do to ease things?