Advanced CISSP Prep Guide: Exam Q&A
Used alone or as an in-depth supplement to the bestselling The CISSP Prep Guide, this book provides you with an even more intensive preparation for the CISSP exam. With the help of more than 300 advanced questions and detailed answers, you'll gain a better understanding of the key concepts associated with the ten domains of the common body of knowledge (CBK). Each question is designed to test you on the information you'll need to know in order to pass the exam. Along with explanations of the answers to these advanced questions, you'll find discussions on some common incorrect responses as well. In addition to serving as an excellent tutorial, this book presents you with the latest developments in information security. It includes new information on:
- Carnivore, Echelon, and the U.S. Patriot Act
- The Digital Millennium Copyright Act (DMCA) and recent rulings
- The European Union Electronic Signature Directive
- The Advanced Encryption Standard, biometrics, and the Software Capability Maturity Model
- Genetic algorithms and wireless security models
- New threats and countermeasures
The CD-ROM includes all the questions and answers from the book with the Boson-powered test engine.
About the Authors.
Chapter 1. Security Management.
Chapter 2. Access Control.
Chapter 3. Telecommunications and Network Security.
Chapter 4. Cryptography.
Chapter 5. Security Architecture and Models.
Chapter 6. Operations Security.
Chapter 7. Applications and Systems Development.
Chapter 8. Business Continuity Planning--Disaster Recovery Planning.
Chapter 9. Law, Investigation and Ethics.
Chapter 10. Physical Security.
Appendix A. Answers to Sample Questions.
Appendix B. What's on the CD-ROM.
RUSSELL DEAN VINES, CISSP, CCNA, MCSE, MCNE, is President and founder of the RDV Group Inc., a New York City-based security consulting services firm. His company is active in detecting, preventing, and solving security vulnerabilities for clients in government, finance, and new media organizations. He directed the Security Consulting Services Group for Realtech Systems Corporation, and managed international information networks for CBS/Fox Video, Inc. Vines is the author of Wireless Security Essentials and coauthor of The CISSP Prep Guide (both from Wiley).
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
CD ID#1 (CD Question ID#1)
Question: Which choice below most accurately reflects the goals of risk mitigation?
- Answer 1: Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level
- Answer 2: Analyzing and removing all vulnerabilities and threats to security within the organization
- Answer 3: Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party, such as an insurance carrier
- Answer 4: Analyzing the effects of a business disruption and preparing the company's response
Explanation: Chapter 1-Security Management Practices. The correct answer is a. The goal of risk mitigation is to reduce risk to a level acceptable to the organization. Therefore risk needs to be defined for the organization through risk analysis, business impact assessment, and/or vulnerability assessment. Answer b is not possible. Answer c is called risk transference. Answer d is a distracter.
Errata: We have received reports from readers that the answers may not display on some PCs.
CD ID#21 (CD Question ID#21)
Question: Which choice below is NOT an accurate statement about an organization's incident-handling capability?
- Answer 1: The organization's incident-handling capability should be used to detect and punish senior-level executive wrong-doing.
- Answer 2: It should be used to prevent future damage from incidents.
- Answer 3: It should be used to provide the ability to respond quickly and effectively to an incident.
- Answer 4: The organization's incident-handling capability should be used to contain and repair damage done from incidents.
Explanation: Chapter 1-Security Management Practices. An organization should address computer security incidents by developing an incident-handling capability. The incident-handling capability should be used to:
- Provide the ability to respond quickly and effectively.
- Contain and repair the damage from incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident.
- Prevent future damage. An incident-handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities.
Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
Errata: The correct answers are B, C, and D. The test engine was not set up to handle multiple correct answers, so it gives choice A as being correct.
CD ID#27 (CD Question ID#27)
Question: Which question below is NOT accurate regarding the process of risk assessment?
- Answer 1: The likelihood of a threat must be determined as an element of the risk assessment.
- Answer 2: The level of impact of a threat must be determined as an element of the risk assessment.
- Answer 3: Risk assessment is the first process in the risk management methodology.
- Answer 4: Risk assessment is the final result of the risk management methodology.
Explanation: Chapter 1-Security Management Practices. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat's exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected.
Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
Errata: The correct answer is C. The test says it is D, which is incorrect.
CD ID#36 (CD Question ID#36)
Question: A type of preventive/physical access control is:
- Answer 1: Biometrics for authentication
- Answer 2: Motion detectors
- Answer 3: Biometrics for identification
- Answer 4: An intrusion detection system
Explanation: Chapter 2-Access Control Systems and Methodology. Biometrics applied to identification of an individual is a "one-to-many" search where an individual's physiological or behavioral characteristics are compared to a database of stored information. An example would be trying to match a person's fingerprints to a set in a national database of fingerprints. This search differs from the biometrics search for authentication in answer a. That search would be a "one-to-one" comparison of a person's physiological or behavioral characteristics with their corresponding entry in an authentication database. Answer b, motion detectors, is a type of detective physical control and answer d is a detective/technical control.
Errata: The question/answer is incorrect as written. Biometrics is preventive/technical and is used for authentication.
CD ID#67 (CD Question ID#67)
Question: Which choice below is NOT one of the legal IP address ranges specified by RFC1976 and reserved by the Internet Assigned Numbers Authority (IANA) for non-routable private addresses?
- Answer 1: 10.0.0.0 - 10.255.255.255
- Answer 2: 127.0.0.0 - 127.0.255.255
- Answer 3: 172.16.0.0 - 172.31.255.255
- Answer 4: 192.168.0.0 - 192.168.255.255
Explanation: Chapter 3-Telecommunications and Network Security. The other three address ranges can be used for Network Address Translation (NAT). While NAT is, in itself, not a very effective security measure, a large network can benefit from using NAT with Dynamic Host Configuration Protocol (DHCP) to help prevent certain internal routing information from being exposed. The address 127.0.0.1 is called the "loopback" address.
Source: Designing Network Security by Merike Kaeo (Cisco Press, 1999).
Errata: RFC1976 is actually 'PPP for Data Compression in Data Circuit-Terminating Equipment (DCE)'. The correct RFC reference for this question should have been 1918, 'Address Allocation for Private Networks'. Please refer to http://www.faqs.org/rfcs/rfc1976.html for more information on RFC1976.
CD ID#84 (CD Question ID#84)
Question: The IP address, 184.108.40.206, is considered to be in which class of address?
- Answer 1: Class A
- Answer 2: Class B
- Answer 3: Class C
- Answer 4: Class D
Explanation: Chapter 3-Telecommunications and Network Security. The class A address range is 220.127.116.11 to 18.104.22.168. The class B address range is 22.214.171.124 to 126.96.36.199. The class C address range is from 192.0.0.0 to 188.8.131.52. The class D address range is 244.0.0.0 to 184.108.40.206, and is used for multicast packets.
Sources: Designing Network Security by Merike Kaeo (Cisco Press, 1999) and CCNA Study Guide by Todd Lammle, Donald Porter, and James Chellis (Sybex, 1999).
Errata: There is a typographical error in the answer for the class D address range. It should be 220.127.116.11 to 18.104.22.168.
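The two network questions above (RFC 1918 private space versus the 127.0.0.0/8 loopback block, and classful address ranges) can be checked mechanically. The following is an added example, not code from the book or its CD; it assumes the standard leading-bit definition of address classes (0xxx = A, 10xx = B, 110x = C, 1110 = D, 1111 = E) and the three RFC 1918 blocks listed in question 67.

```python
import ipaddress

# The three RFC 1918 private blocks from CD question 67.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Loopback is reserved separately; it is NOT part of RFC 1918.
LOOPBACK_NETWORK = ipaddress.ip_network("127.0.0.0/8")


def ipv4_class(addr: str) -> str:
    """Classful class from the leading bits of the first octet.
    Note 0/8 and 127/8 fall in the class A bit pattern but are reserved,
    which is why the usable class A range is usually quoted as 1-126."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:      # 0xxxxxxx
        return "A"
    if first_octet < 192:      # 10xxxxxx
        return "B"
    if first_octet < 224:      # 110xxxxx
        return "C"
    if first_octet < 240:      # 1110xxxx, multicast
        return "D"
    return "E"                 # 1111xxxx, reserved


def classify(addr: str) -> dict:
    """Return the class plus whether the address is RFC 1918 private or loopback.
    Useful when deciding whether a source address in a log is internal."""
    ip = ipaddress.IPv4Address(addr)
    return {
        "class": ipv4_class(addr),
        "rfc1918": any(ip in net for net in RFC1918_NETWORKS),
        "loopback": ip in LOOPBACK_NETWORK,
    }


if __name__ == "__main__":
    # Constructed sample addresses (203.0.113.0/24 is documentation space).
    for sample in ("10.1.2.3", "127.0.0.1", "172.20.1.5", "203.0.113.7", "224.0.0.1"):
        print(sample, classify(sample))
```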
CD ID#109 (CD Question #109)
Question: The graph in Figure A.7, which depicts the equation y² = x³ + ax + b, denotes the:
- Answer 1: Elliptic curve and the elliptic curve discrete logarithm problem
- Answer 2: RSA Factoring problem
- Answer 3: ElGamal discrete logarithm problem
- Answer 4: Knapsack problem
Explanation: Chapter 4-Cryptography. Figure A.7: Graph of the function y² = x³ + ax + b. The elliptic curve is defined over a finite field comprised of real, complex or rational numbers. The points on an elliptic curve form a group under addition as shown in Figure A.7. Multiplication (or multiple additions) in an elliptic curve system is equivalent to modular exponentiation; thus, defining a discrete logarithm problem.
Errata: The graph in Figure A.7 does not show up on certain systems. Here's the graph:
CD ID#122 (CD Question ID#122)
Question: The Advanced Encryption Standard (Rijndael) block cipher requirements regarding keys and block sizes have now evolved to which configuration?
- Answer 1: Both the key and block sizes can be 128, 192 and 256 bits each.
- Answer 2: The key size is 128 bits and the block size can be 128, 192 or 256 bits.
- Answer 3: The block size is 128 bits and the key can be 128, 192 or 256 bits.
- Answer 4: The block size is 128 bits and the key size is 128 bits.
Explanation: Chapter 4-Cryptography. AES is comprised of the three key sizes, 128, 192 and 256 bits, with a fixed block size of 128 bits, so answer C is correct. The Advanced Encryption Standard (AES) was announced on November 26, 2001, as Federal Information Processing Standard Publication (FIPS PUB 197). FIPS PUB 197 states that "This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P.L. 100-235) requires cryptographic protection. Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard." Depending upon which of the three keys is used, the standard may be referred to as "AES-128," "AES-192" or "AES-256." The number of rounds used in the Rijndael cipher is a function of the key size as follows:
- 256-bit key -> 14 rounds
- 192-bit key -> 12 rounds
- 128-bit key -> 10 rounds
Rijndael has a symmetric and parallel structure that provides for flexibility of implementation and resistance to cryptanalytic attacks. Attacks on Rijndael would involve the use of differential and linear cryptanalysis.
Errata: This question may be confusing to some because AES has a fixed block size, but the Rijndael block cipher has a variable block size. The question is referring to AES developed by Rijndael.
CD ID#134 (CD Question ID#134)
Question: Using a modulo 26 substitution cipher where the letters A to Z of the alphabet are given a value of 0 to 25, respectively, encrypt the message "OVERLORD BEGINS." Use the key K = NEW and D = 3 where D is the number of repeating letters representing the key. The encrypted message is:
- Answer 1: BFAEQKEH XRKFAW
- Answer 2: BFAEPKEH XRKFAW
- Answer 3: BFAEPKEH XRKEAW
- Answer 4: BFAERKEH XRKEAW
Explanation: Chapter 4-Cryptography. The solution is as follows:
- OVERLORD becomes 14 21 4 17 11 14 17 3
- BEGINS becomes 1 4 6 8 13 18
- The key NEW becomes 13 4 22
Adding the key repetitively to OVERLORD BEGINS modulo 26 yields 1 5 0 4 15 10 4 7 23 17 10 4 0 22, which translates to BFAEPKEH XRKEAW.
Errata: The correct answer is not given as a choice. The correct ciphertext should be BZAEPKEH XRKEAW.
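The arithmetic in this question is easy to get wrong by hand (the second letter, V + E = 21 + 4 = 25 = Z, is where the printed explanation slipped). The following added example, not from the book, implements the mod-26 additive cipher exactly as the question defines it: A..Z map to 0..25, the key repeats with period D = len(key), and the key position keeps advancing across the space rather than resetting at the second word.

```python
def letters_to_values(text):
    """Map A..Z to 0..25, ignoring anything that is not a letter."""
    return [ord(c) - ord("A") for c in text.upper() if c.isalpha()]


def values_to_letters(values):
    return "".join(chr(v % 26 + ord("A")) for v in values)


def shift_cipher(text, key, decrypt=False):
    """Encrypt (or decrypt) by adding the repeating key mod 26.

    Only letters consume a key position; spaces and punctuation are copied
    through unchanged so 'OVERLORD BEGINS' keeps its word break."""
    key_vals = letters_to_values(key)
    if not key_vals:
        raise ValueError("key must contain at least one letter")
    out, pos = [], 0
    for c in text.upper():
        if not c.isalpha():
            out.append(c)
            continue
        shift = key_vals[pos % len(key_vals)]      # period D = len(key)
        if decrypt:
            shift = -shift
        out.append(values_to_letters([ord(c) - ord("A") + shift]))
        pos += 1
    return "".join(out)


def encryption_values(text, key):
    """The intermediate numeric row the book's explanation shows."""
    return letters_to_values(shift_cipher(text, key))


if __name__ == "__main__":
    msg = "OVERLORD BEGINS"        # plaintext from the question
    print(letters_to_values(msg))  # plaintext values
    print(encryption_values(msg, "NEW"))
    print(shift_cipher(msg, "NEW"))
```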