Published by kyeung, 2018-11-13 16:09:33

(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

10. C. The TCP SYN scan (also called a half-open scan) sends a SYN
packet and receives a SYN ACK packet in response, but it does not
send the final ACK required to complete the three-way handshake.

11. D. SQL injection attacks are web vulnerabilities, and Matthew
would be best served by a web vulnerability scanner. A network
vulnerability scanner might also pick up this vulnerability, but the
web vulnerability scanner is specifically designed for the task and
more likely to be successful.

12. C. PCI DSS requires that Badin rescan the application at least
annually and after any change in the application.


13. B. Metasploit is an automated exploit tool that allows attackers to
easily execute common attack techniques.

14. C. Mutation fuzzing uses bit flipping and other techniques to
slightly modify previous inputs to a program in an attempt to
detect software flaws.
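
A minimal mutation fuzzer, added here as an illustration and not code from the study guide: it flips random bits in a seed input, feeds each mutant to a target function, and records every input that raises an exception. The target parser and the seed record are constructed for the example; the flaw it finds is a length field the parser trusts.

```python
"""Mutation fuzzer: flips bits in a seed input and feeds the results to a
target function, recording any input that makes it raise.

Added example; the target parser and the seed input are constructed for the
demonstration and are not from the study guide.
"""
import random


def parse_record(data: bytes) -> dict:
    """Constructed, deliberately fragile parser of a 'len:payload' record.

    It trusts the length field, so a mutated length can exceed the payload
    or fail to convert, which is the kind of flaw fuzzing should find.
    """
    header, _, payload = data.partition(b":")
    length = int(header)                     # non-digit header -> ValueError
    if length > len(payload):
        raise IndexError("length field exceeds payload")   # the bug we hunt
    return {"length": length, "payload": payload[:length]}


def flip_bits(seed: bytes, flips: int, rng: random.Random) -> bytes:
    """Return a copy of seed with `flips` randomly chosen bits inverted."""
    buf = bytearray(seed)
    for _ in range(flips):
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Run target on mutated inputs; return (input, exception) pairs for crashes."""
    rng = random.Random(rng_seed)           # fixed seed keeps the run reproducible
    crashes = []
    for _ in range(iterations):
        mutated = flip_bits(seed, rng.randint(1, 3), rng)
        try:
            target(mutated)
        except Exception as exc:             # any uncaught exception counts as a crash
            crashes.append((mutated, exc))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, b"5:hello", 500)
    print(f"{len(found)} crashing inputs out of 500")
    for data, exc in found[:5]:
        print(repr(data), "->", type(exc).__name__, exc)
```

Mutating the payload bytes never crashes this parser; mutating the header or the separator does, which is why a real fuzzer also tracks which mutants reach new code rather than flipping bits blindly.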

15. A. Misuse case testing identifies known ways that an attacker might
exploit a system and tests explicitly to see if those attacks are
possible in the proposed code.

16. B. User interface testing includes assessments of both graphical
user interfaces (GUIs) and command-line interfaces (CLIs) for a
software program.

17. B. During a white box penetration test, the testers have access to
detailed configuration information about the system being tested.

18. B. Unencrypted HTTP communications take place over TCP port
80 by default.


19. C. The Fagan inspection process concludes with the follow-up
phase.

20. B. The backup verification process ensures that backups are
running properly and thus meeting the organization’s data
protection objectives.

Chapter 16: Managing Security Operations

1. C. Need to know is the requirement to have access to, knowledge
about, or possession of data to perform specific work tasks, but no
more. The principle of least privilege includes both rights and
permissions, but the term principle of least permission is not valid
within IT security. Separation of duties ensures that a single person
doesn’t control all the elements of a process. Role Based Access
Control (RBAC) grants access to resources based on a role.

2. D. The default level of access should be no access. The principle of
least privilege dictates that users should only be granted the level
of access they need for their job, and the question doesn’t indicate
that new users need any access to the database. Read access,
modify access, and full access grants users some level of access,
which violates the principle of least privilege.

3. C. A separation of duties policy prevents a single person from
controlling all elements of a process, and when applied to security
settings, it can prevent a person from making major security
changes without assistance. Job rotation helps ensure that multiple
people can do the same job and can help prevent the organization
from losing information when a single person leaves. Having
employees concentrate their talents is unrelated to separation of
duties.

4. B. Job rotation and separation of duties policies help prevent
fraud. Collusion is an agreement among multiple persons to
perform some unauthorized or illegal actions, and implementing
these policies doesn’t prevent collusion, nor does it encourage
employees to collude against an organization. They help deter and
prevent incidents, but they do not correct them.

5. A. A job rotation policy has employees rotate jobs or job
responsibilities and can help detect incidences of collusion and
fraud. A separation of duties policy ensures that a single person
doesn’t control all elements of a specific function. Mandatory
vacation policies ensure that employees take an extended time
away from their job, requiring someone else to perform their job
responsibilities, which increases the likelihood of discovering
fraud. Least privilege ensures that users have only the permissions
they need to perform their job and no more.

6. B. Mandatory vacation policies help detect fraud. They require
employees to take an extended time away from their job, requiring
someone else to perform their job responsibilities, and this
increases the likelihood of discovering fraud. It does not rotate job
responsibilities. While mandatory vacations might help employees
reduce their overall stress levels, and in turn increase productivity,
these are not the primary reasons for mandatory vacation policies.

7. A, B, C. Job rotation, separation of duties, and mandatory vacation
policies will all help reduce fraud. Baselining is used for
configuration management and would not help reduce collusion or
fraud.

8. B. Special privileges should not be granted equally to
administrators and operators. Instead, personnel should be
granted only the privileges they need to perform their job. Special
privileges are activities that require special access or elevated rights
and permissions to perform administrative and sensitive job tasks.
Assignment and usage of these privileges should be monitored, and
access should be granted only to trusted employees.

9. A. A service-level agreement identifies responsibilities of a third
party such as a vendor and can include monetary penalties if the
vendor doesn’t meet the stated responsibilities. A MOU is an
informal agreement and does not include monetary penalties. An
ISA defines requirements for establishing, maintaining, and
disconnecting a connection. SaaS is one of the cloud-based service
models and does not specify vendor responsibilities.

10. C. Systems should be sanitized when they reach the end of their
lifecycle to ensure that they do not include any sensitive data.
Removing CDs and DVDs is part of the sanitation process, but
other elements of the system, such as disk drives, should also be
checked to ensure that they don’t include sensitive information.
Removing software licenses or installing the original software is
not necessarily required unless the organization’s sanitization
process requires it.

11. A. Valuable assets require multiple layers of physical security, and
placing a datacenter in the center of the building helps provide
these additional layers. Placing valuable assets next to an outside
wall (including at the back of the building) eliminates some layers
of security.

12. D. VMs need to be updated individually just as they would be if
they were running on a physical server. Updates to the physical
server do not update hosted VMs. Similarly, updating one VM
doesn’t update all VMs.

13. A. Organizations have the most responsibility for maintenance and
security when leasing infrastructure as a service (IaaS) cloud
resources. The cloud service provider takes more responsibility
with the platform as a service (PaaS) model and the most
responsibility with the software as a service (SaaS) model. Hybrid
refers to a cloud deployment model (not a service model) and
indicates that two or more deployment models are used (such as
private, public, and/or community).

14. C. A community cloud deployment model provides cloud-based
assets to two or more organizations. A public cloud model includes
assets available for any consumers to rent or lease. A private cloud
deployment model includes cloud-based assets that are exclusive to
a single organization. A hybrid model includes a combination of
two or more deployment models. It doesn’t matter if it is a software
as a service (SaaS) model or any other service model.

15. B. The tapes should be purged, ensuring that data cannot be
recovered using any known means. Even though tapes may be at
the end of their lifecycle, they can still hold data and should be
purged before throwing them away. Erasing doesn’t remove all
usable data from media, but purging does. There is no need to store
the tapes if they are at the end of their lifecycle.

16. B. Images can be an effective configuration management method
using a baseline. Imaging ensures that systems are deployed with
the same, known configuration. Change management processes
help prevent outages from unauthorized changes. Vulnerability
management processes help to identify vulnerabilities, and patch
management processes help to ensure that systems are kept up-to-
date.

17. A. Change management processes may need to be temporarily
bypassed to respond to an emergency, but they should not be
bypassed simply because someone thinks it can improve
performance. Even when a change is implemented in response to
an emergency, it should still be documented and reviewed after the
incident. Requesting changes, creating rollback plans, and
documenting changes are all valid steps within a change
management process.

18. D. Change management processes would ensure that changes are
evaluated before being implemented to prevent unintended
outages or needlessly weakening security. Patch management
ensures that systems are up-to-date, vulnerability management
checks systems for known vulnerabilities, and configuration
management ensures that systems are deployed similarly, but
these other processes wouldn’t prevent problems caused by an
unauthorized change.


19. C. Only required patches should be deployed, so an organization
will not deploy all patches. Instead, an organization evaluates the
patches to determine which patches are needed, tests them to
ensure that they don’t cause unintended problems, deploys the
approved and tested patches, and audits systems to ensure that
patches have been applied.

20. B. Vulnerability scanners are used to check systems for known
issues and are part of an overall vulnerability management
program. Versioning is used to track software versions and is
unrelated to detecting vulnerabilities. Security audits and reviews
help ensure that an organization is following its policies but
wouldn’t directly check systems for vulnerabilities.

Chapter 17: Preventing and Responding to Incidents

1. A. Containment is the first step after detecting and verifying an
incident. This limits the effect or scope of an incident.
Organizations report the incident based on policies and governing
laws, but this is not the first step. Remediation attempts to identify
the cause of the incident and steps that can be taken to prevent a
reoccurrence, but this is not the first step. It is important to protect
evidence while trying to contain an incident, but gathering the
evidence will occur after containment.

2. D. Security personnel perform a root cause analysis during the
remediation stage. A root cause analysis attempts to discover the
source of the problem. After discovering the cause, the review will
often identify a solution to help prevent a similar occurrence in the
future. Containing the incident and collecting evidence is done
early in the incident response process. Rebuilding a system may be
needed during the recovery stage.

3. A, B, C. Teardrop, smurf, and ping of death are all types of denial-
of-service (DoS) attacks. Attackers use spoofing to hide their
identity in a variety of attacks, but spoofing is not an attack by
itself. Note that this question is an example that can easily be
changed to a negative type of question such as “Which of the
following is not a DoS attack?”

4. C. A SYN flood attack disrupts the TCP three-way handshake
process by never sending the third packet. It is not unique to any
specific operating system such as Windows. Smurf attacks use
amplification networks to flood a victim with packets. A ping-of-
death attack uses oversized ping packets.

5. B. A zero-day exploit takes advantage of a previously unknown
vulnerability. A botnet is a group of computers controlled by a bot
herder that can launch attacks, but they can exploit both known
vulnerabilities and previously unknown vulnerabilities. Similarly,
denial-of-service (DoS) and distributed DoS (DDoS) attacks could
use zero-day exploits or use known methods.

6. A. Of the choices offered, drive-by downloads are the most
common distribution method for malware. USB flash drives can be
used to distribute malware, but this method isn’t as common as
drive-by downloads. Ransomware is a type of malware infection,
not a method of distributing malware. If users can install
unapproved software, they may inadvertently install malware, but
all unapproved software isn’t malware.

7. A. An IDS automates the inspection of audit logs and real-time
system events to detect abnormal activity indicating unauthorized
system access. Although IDSs can detect system failures and
monitor system performance, they don’t include the ability to
diagnose system failures or rate system performance. Vulnerability
scanners are used to test systems for vulnerabilities.

8. B. An HIDS monitors a single system looking for abnormal activity.
A network-based IDS (NIDS) watches for abnormal activity on a
network. An HIDS is normally visible as a running process on a
system and provides alerts to authorized users. An HIDS can detect
malicious code similar to how anti-malware software can detect
malicious code.

9. B. Honeypots are individual computers, and honeynets are entire
networks created to serve as a trap for intruders. They look like
legitimate networks and tempt intruders with unpatched and
unprotected security vulnerabilities as well as attractive and
tantalizing but false data. An intrusion detection system (IDS) will
detect attacks. In some cases, an IDS can divert an attacker to a
padded cell, which is a simulated environment with fake data
intended to keep the attacker’s interest. A pseudo flaw (used by
many honeypots and honeynets) is a false vulnerability
intentionally implanted in a system to tempt attackers.

10. C. A multipronged approach provides the best solution. This
involves having anti-malware software at several locations, such as
at the boundary between the internet and the internal network, at
email servers, and on each system. More than one anti-malware
application on a single system isn’t recommended. A single
solution for the whole organization is often ineffective because
malware can get into the network in more than one way. Content
filtering at border gateways (boundary between the internet and
the internal network) is a good partial solution, but it won’t catch
malware brought in through other methods.

11. B. Penetration testing should be performed only with the
knowledge and consent of the management staff. Unapproved
security testing could result in productivity loss, trigger emergency
response teams, and result in legal action against the tester
including loss of employment. A penetration test can mimic
previous attacks and use both manual and automated attack
methods. After a penetration test, a system may be reconfigured to
resolve discovered vulnerabilities.


12. B. Accountability is maintained by monitoring the activities of
subjects and objects as well as monitoring core system functions
that maintain the operating environment and the security
mechanisms. Authentication is required for effective monitoring,
but it doesn’t provide accountability by itself. Account lockout
prevents login to an account if the wrong password is entered too
many times. User entitlement reviews can identify excessive
privileges.

13. B. Audit trails are a passive form of detective security control.
Administrative controls are management practices. Corrective
controls can correct problems related to an incident, and physical
controls are controls that you can physically touch.

14. B. Auditing is a methodical examination or review of an
environment to ensure compliance with regulations and to detect
abnormalities, unauthorized occurrences, or outright crimes.
Penetration testing attempts to exploit vulnerabilities. Risk
analysis attempts to analyze risks based on identified threats and
vulnerabilities. Entrapment is tricking someone into performing an
illegal or unauthorized action.

15. A. Clipping is a form of nonstatistical sampling that reduces the
amount of logged data based on a clipping-level threshold.
Sampling is a statistical method that extracts meaningful data from
audit logs. Log analysis reviews log information looking for trends,
patterns, and abnormal or unauthorized events. An alarm trigger is
a notification sent to administrators when specific events or
thresholds occur.
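
A clipping level in practice, as an added example that is not part of the study guide: the code below parses constructed sshd-style failed-login lines and raises an alert only when one account reaches the clipping level within a sliding window, so failures below the threshold are never surfaced. The log format, the threshold and the window length are assumptions made for the illustration.

```python
"""Clipping-level alerting over constructed failed-login log lines.

Added example, not from the study guide. The log lines are constructed in an
sshd-like format; the clipping level (failures per account within a window)
is a tunable the caller supplies.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample: bob fails four times in two minutes (and once much
# later), alice once; the 'Accepted' line is noise the parser must skip.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[411]: Failed password for bob from 203.0.113.7
2024-05-01T10:00:09 sshd[411]: Failed password for bob from 203.0.113.7
2024-05-01T10:00:30 sshd[412]: Accepted password for alice from 198.51.100.2
2024-05-01T10:01:02 sshd[413]: Failed password for invalid user bob from 203.0.113.7
2024-05-01T10:01:40 sshd[414]: Failed password for alice from 198.51.100.2
2024-05-01T10:01:55 sshd[415]: Failed password for bob from 203.0.113.7
2024-05-01T11:30:00 sshd[416]: Failed password for bob from 203.0.113.7
"""


def parse_failures(text: str):
    """Yield (timestamp, user, source) for each failed-login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def clipping_alerts(text: str, threshold: int, window_seconds: int) -> list:
    """Return (user, count, first_failure_iso) once per burst in which an
    account reaches `threshold` failures inside `window_seconds`.

    Failures below the clipping level are never surfaced, which is the
    volume reduction a clipping level is meant to provide.
    """
    recent = defaultdict(list)
    alerts = []
    for ts, user, _src in parse_failures(text):
        # keep only this account's failures still inside the sliding window
        bucket = [t for t in recent[user]
                  if (ts - t).total_seconds() <= window_seconds]
        bucket.append(ts)
        recent[user] = bucket
        if len(bucket) == threshold:          # crossing the clipping level
            alerts.append((user, len(bucket), bucket[0].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in clipping_alerts(SAMPLE_LOG, threshold=3, window_seconds=300):
        print("ALERT: account %s reached %d failures starting %s" % alert)
```

The alert fires on the crossing only, so a continuing burst produces one alert rather than one per additional failure; bob's failure at 11:30 is outside the window and starts a fresh count.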

16. B. Traffic analysis focuses more on the patterns and trends of data
rather than the actual content. Keystroke monitoring records
specific keystrokes to capture data. Event logging logs specific
events to record data. Security auditing records security events
and/or reviews logs to detect security incidents.

17. B. A user entitlement audit can detect when users have more
privileges than necessary. Account management practices attempt
to ensure that privileges are assigned correctly. The audit detects
whether the management practices are followed. Logging records
activity, but the logs need to be reviewed to determine if practices
are followed. Reporting is the result of an audit.

18. D. Security personnel should have gathered evidence for possible
prosecution of the attacker. However, the incident response plan
wasn’t published, so the server administrator was unaware of the
requirement. The first response after detecting and verifying an
incident is to contain the incident, but it could have been contained
without rebooting the server. The lessons learned stage includes
review, and it is the last stage. Remediation includes a root cause
analysis to determine what allowed the incident, but this is done
late in the process. In this scenario, rebooting the server performed
the recovery.

19. C. Attacking the IP address was the most serious mistake because it
is illegal in most locations. Additionally, because attackers often
use spoofing techniques, it probably isn’t the actual IP address of
the attacker. Rebooting the server without gathering evidence and
not reporting the incident were mistakes but won’t have a potential
lasting negative effect on the organization. Resetting the
connection to isolate the incident would have been a good step if it
was done without rebooting the server.

20. A. The administrator did not report the incident so there was no
opportunity to perform a lessons learned step. It could be the
incident occurred because of a vulnerability on the server, but
without an examination, the exact cause won’t be known unless the
attack is repeated. The administrator detected the event and
responded (though inappropriately). Rebooting the server is a
recovery step. It’s worth mentioning that the incident response
plan was kept secret and the server administrator didn’t have
access to it and so likely does not know what the proper response
should be.

Chapter 18: Disaster Recovery Planning

1. C. Once a disaster interrupts the business operations, the goal of
DRP is to restore regular business activity as quickly as possible.
Thus, disaster recovery planning picks up where business
continuity planning leaves off.

2. C. A power outage is an example of a man-made disaster. The other
events listed—tsunamis, earthquakes, and lightning strikes—are all
naturally occurring events.

3. D. Forty-one of the 50 U.S. states are considered to have a
moderate, high, or very high risk of seismic activity. This rounds to
80 percent to provide the value given in option D.

4. B. Most general business insurance and homeowner’s insurance
policies do not provide any protection against the risk of flooding
or flash floods. If floods pose a risk to your organization, you
should consider purchasing supplemental flood insurance under
FEMA’s National Flood Insurance Program.

5. B. Redundant arrays of inexpensive disks (RAID) are fault
tolerance controls that allow an organization’s storage service to
withstand the loss of one or more individual disks. Load balancing,
clustering, and HA pairs are all fault tolerance services designed
for servers, not storage.

6. C. Cloud computing services provide an excellent location for
backup storage because they are accessible from any location.

7. B. The term 100-year flood plain is used to describe an area where
flooding is expected once every 100 years. It is, however, more
mathematically correct to say that this label indicates a 1 percent
probability of flooding in any given year.

8. D. When you use remote mirroring, an exact copy of the database
is maintained at an alternative location. You keep the remote copy
up-to-date by executing all transactions on both the primary and
remote site at the same time.

9. C. Redundant systems/components provide protection against the
failure of one particular piece of hardware.


10. B. During the business impact assessment phase, you must identify
the business priorities of your organization to assist with the
allocation of BCP resources. You can use this same information to
drive the DRP business unit prioritization.

11. C. The cold site contains none of the equipment necessary to
restore operations. All of the equipment must be brought in and
configured and data must be restored to it before operations can
commence. This often takes weeks.

12. C. Warm sites typically take about 12 hours to activate from the
time a disaster is declared. This is compared to the relatively
instantaneous activation of a hot site and the lengthy time (at least
a week) required to bring a cold site to operational status.

13. D. Warm sites and hot sites both contain workstations, servers, and
the communications circuits necessary to achieve operational
status. The main difference between the two alternatives is the fact
that hot sites contain near-real-time copies of the operational data
and warm sites require the restoration of data from backup.

14. D. Remote mirroring is the only backup option in which a live
backup server at a remote site maintains a bit-for-bit copy of the
contents of the primary server, synchronized as closely as the
latency in the link between primary and remote systems will allow.


15. A. The executive summary provides a high-level view of the entire
organization’s disaster recovery efforts. This document is useful for
the managers and leaders of the firm as well as public relations
personnel who need a nontechnical perspective on this complex
effort.

16. D. Software escrow agreements place the application source code
in the hands of an independent third party, thus providing firms
with a “safety net” in the event a developer goes out of business or
fails to honor the terms of a service agreement.

17. A. Differential backups involve always storing copies of all files
modified since the most recent full backup regardless of any
incremental or differential backups created during the intervening
time period.

18. C. Any backup strategy must include full backups at some point in
the process. Incremental backups are created faster than
differential backups because each incremental copies only the files
changed since the previous backup of any kind, whereas each
differential copies everything changed since the last full backup.

19. A. Any backup strategy must include full backups at some point in
the process. If a combination of full and differential backups is
used, a maximum of two backups must be restored. If a
combination of full and incremental backups is chosen, the number
of required restorations may be unlimited.
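
Questions 17 through 19 describe the tradeoff between the two strategies; the following added example (not from the study guide) simulates it on a constructed week of file changes: what each daily backup copies under each strategy, how many file copies are written in total, and which backup sets a restore of a given day must apply.

```python
"""Restore chains for full+differential versus full+incremental backups.

Added example, not from the study guide. The week of file changes is
constructed; day 0 is the weekly full backup.
"""

# Constructed change history: which files were modified on each day.
CHANGES = {
    0: {"a", "b", "c", "d"},   # all files exist at the full backup
    1: {"a"},
    2: {"b"},
    3: {"a", "c"},
    4: {"d"},
    5: {"b"},
    6: {"a"},
}


def backup_sets(changes: dict, strategy: str) -> dict:
    """Map day -> files that day's backup copies.

    differential: everything changed since the last full backup (day 0),
                  so the set only grows through the week.
    incremental : only what changed since the previous backup of any kind.
    """
    if strategy not in ("differential", "incremental"):
        raise ValueError(strategy)
    sets = {0: set(changes[0])}
    since_full = set()
    for day in sorted(d for d in changes if d > 0):
        since_full |= changes[day]
        sets[day] = set(since_full) if strategy == "differential" else set(changes[day])
    return sets


def restore_chain(sets: dict, strategy: str, day: int) -> list:
    """Backups that must be restored, in order, to recover the state of `day`."""
    if day == 0:
        return [0]
    if strategy == "differential":
        return [0, day]                                       # full, then one differential
    return [0] + [d for d in range(1, day + 1) if sets[d]]    # full, then every incremental


def copies_written(sets: dict) -> int:
    """Total file copies written over the week (a proxy for backup time)."""
    return sum(len(files) for files in sets.values())


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = backup_sets(CHANGES, strategy)
        print(strategy, "copies written:", copies_written(sets),
              "restore of day 6 needs:", restore_chain(sets, strategy, 6))
```

On this history the differential scheme writes twice as many file copies but restores any day from two sets, while the incremental scheme writes the least and needs every set back to the full; a lost or corrupted incremental in the middle of the chain breaks every later restore.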

20. B. Parallel tests involve moving personnel to the recovery site and
gearing up operations, but responsibility for conducting day-to-day
operations of the business remains at the primary operations
center.

Chapter 19: Investigations and Ethics

1. C. A crime is any violation of a law or regulation. The violation
stipulation defines the action as a crime. It is a computer crime if
the violation involves a computer either as the target or as a tool.

2. B. A military and intelligence attack is targeted at the classified
data that resides on the system. To the attacker, the value of the
information justifies the risk associated with such an attack. The
information extracted from this type of attack is often used to plan
subsequent attacks.

3. A. Confidential information that is not related to the military or
intelligence agencies is the target of business attacks. The ultimate
goal could be destruction, alteration, or disclosure of confidential
information.

4. B. A financial attack focuses primarily on obtaining services and
funds illegally.

5. B. A terrorist attack is launched to interfere with a way of life by
creating an atmosphere of fear. A computer terrorist attack can
reach this goal by reducing the ability to respond to a simultaneous
physical attack.

6. D. Any action that can harm a person or organization, either
directly or through embarrassment, would be a valid goal of a
grudge attack. The purpose of such an attack is to “get back” at
someone.

7. A, C. Thrill attacks have no reward other than providing a boost to
pride and ego. The thrill of launching the attack comes from the act
of participating in the attack (and not getting caught).

8. C. Although the other options have some merit in individual cases,
the most important rule is to never modify, or taint, evidence. If
you modify evidence, it becomes inadmissible in court.

9. D. The most compelling reason for not removing power from a
machine is that you will lose the contents of memory. Carefully
consider the pros and cons of removing power. After all is
considered, it may be the best choice.

10. B, D. Hacktivists (the word is a combination of hacker and activist)
often combine political motivations with the thrill of hacking. They
organize themselves loosely into groups with names like
Anonymous and LulzSec and use tools like the Low Orbit Ion
Cannon to create large-scale denial-of-service attacks with little
knowledge required.

11. C. Criminal investigations may result in the imprisonment of
individuals and, therefore, have the highest standard of evidence to
protect the rights of the accused.

12. B. Root-cause analysis seeks to identify the reason that an
operational issue occurred. The root-cause analysis often highlights
issues that require remediation to prevent similar incidents in the
future.


13. A. Preservation ensures that potentially discoverable information is
protected against alteration or deletion.

14. B. Server logs are an example of documentary evidence. Gary may
ask that they be introduced in court and will then be asked to offer
testimonial evidence about how he collected and preserved the
evidence. This testimonial evidence authenticates the documentary
evidence.

15. B. In this case, you need a search warrant to confiscate equipment
without giving the suspect time to destroy evidence. If the suspect
worked for your organization and you had all employees sign
consent agreements, you could simply confiscate the equipment.

16. A. Log files contain a large volume of generally useless information.
However, when you are trying to track down a problem or an
incident, they can be invaluable. Even if an incident is discovered
as it is happening, it may have been preceded by other incidents.
Log files provide valuable clues and should be protected and
archived.

17. D. Review examines the information resulting from the processing
phase to determine what information is responsive to the request
and remove any information protected by attorney-client privilege.

18. D. Ethics are simply rules of personal behavior. Many professional
organizations establish formal codes of ethics to govern their
members, but ethics are personal rules individuals use to guide
their lives.

19. B. The second canon of the (ISC)² Code of Ethics states how a
CISSP should act, which is honorably, honestly, justly, responsibly,
and legally.

20. B. RFC 1087 does not specifically address the statements in A, C, or
D. Although each type of activity listed is unacceptable, only
“actions that compromise the privacy of users” are explicitly
identified in RFC 1087.

Chapter 20: Software Development Security


1. A. The three elements of the DevOps model are software
development, quality assurance, and IT operations.


2. B. Input validation ensures that the input provided by users
matches the design parameters.

3. C. The request control provides users with a framework to request
changes and developers with the opportunity to prioritize those
requests.

4. C. In a fail-secure state, the system remains in a high level of
security until an administrator intervenes.

5. B. The waterfall model uses a seven-stage approach to software
development and includes a feedback loop that allows development
to return to the previous phase to correct defects discovered during
the subsequent phase.

6. A. Content-dependent access control is focused on the internal
data of each field.

7. C. Foreign keys are used to enforce referential integrity constraints
between tables that participate in a relationship.

8. D. In this case, the process the database user is taking advantage of
is aggregation. Aggregation attacks involve the use of specialized
database functions to combine information from a large number of
database records to reveal information that may be more sensitive
than the information in individual records would reveal.

9. C. Polyinstantiation allows the insertion of multiple records that
appear to have the same primary key values into a database at
different classification levels.

10. D. In Agile, the highest priority is to satisfy the customer through
early and continuous delivery of valuable software.

11. C. Expert systems use a knowledge base consisting of a series of
“if/then” statements to form decisions based on the previous
experience of human experts.

12. D. In the Managed phase, level 4 of the SW-CMM, the organization
uses quantitative measures to gain a detailed understanding of the
development process.

13. B. ODBC acts as a proxy between applications and the backend
DBMS.

14. A. In order to conduct a static test, the tester must have access to
the underlying source code.

15. A. A Gantt chart is a type of bar chart that shows the
interrelationships over time between projects and schedules. It
provides a graphical illustration of a schedule that helps to plan,
coordinate, and track specific tasks in a project.

16. C. Contamination is the mixing of data from a higher classification
level and/or need-to-know requirement with data from a lower
classification level and/or need-to-know requirement.

17. A. Database developers use polyinstantiation, the creation of
multiple records that seem to have the same primary key, to
protect against inference attacks.

18. C. Configuration audit is part of the configuration management
process rather than the change control process.

19. C. The isolation principle states that two transactions operating on
the same data must be temporarily separated from each other such
that one does not interfere with the other.

20. B. The cardinality of a table refers to the number of rows in the
table while the degree of a table is the number of columns.

Chapter 21: Malicious Code and Application Attacks

1. A. Signature detection mechanisms use known descriptions of
viruses to identify malicious code resident on a system.


2. B. The DMZ (demilitarized zone) is designed to house systems like
web servers that must be accessible from both the internal and
external networks.

3. B. The time of check to time of use (TOCTOU) attack relies on the
timing of the execution of two events.

4. A. While an advanced persistent threat (APT) may leverage any of
these attacks, they are most closely associated with zero-day
attacks.


5. A. In an attempt to avoid detection by signature-based antivirus
software packages, polymorphic viruses modify their own code
each time they infect a system.

6. A. LastPass is a tool that allows users to create unique, strong
passwords for each service they use without the burden of
memorizing them all.

7. D. Buffer overflow attacks allow an attacker to modify the contents of a system’s memory by writing beyond the space allocated for a variable.

8. D. Except option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backward, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.

9. B. Salting passwords adds a random value to the password prior to hashing, making it impractical to construct a rainbow table of all possible values.

10. D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

11. B. Developers of web applications should leverage database stored
procedures to limit the application’s ability to execute arbitrary
code. With stored procedures, the SQL statement resides on the
database server and may only be modified by database
administrators.


12. B. Port scans reveal the ports associated with services running on a
machine and available to the public.

13. A. Cross-site scripting attacks are successful only against web
applications that include reflected input.

14. D. Multipartite viruses use two or more propagation techniques
(for example, file infection and boot sector infection) to maximize
their reach.

15. B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <SCRIPT> tag in the input.

16. A. Stuxnet was a highly sophisticated worm designed to destroy
nuclear enrichment centrifuges attached to Siemens controllers.

17. B. Back doors are undocumented command sequences that allow
individuals with knowledge of the back door to bypass normal
access restrictions.


18. D. The Java sandbox isolates applets and allows them to run within
a protected environment, limiting the effect they may have on the
rest of the system.

19. D. The <SCRIPT> tag is used to indicate the beginning of an
executable client-side script and is used in reflected input to create
a cross-site scripting attack.

20. A. Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.

Appendix B

Answers to Written Labs

Chapter 1: Security Governance Through Principles and Policies

1. The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution.

2. The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.

3. The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.

4. (1) Identify the custodian, and define their responsibilities. (2) Specify the evaluation criteria of how the information will be classified and labeled. (3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it. (4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. (5) Select the security controls that will be applied to each classification level to provide the necessary level of protection. (6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. (7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.


5. The six security roles are senior management, IT/security staff, owner, custodian, operator/user, and auditor.

6. The four components of a security policy are policies, standards, guidelines, and procedures. Policies are broad security statements. Standards are definitions of hardware and software security compliance. Guidelines are used when there is not an appropriate procedure. Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.

Chapter 2: Personnel Security and Risk Management Concepts

1. Possible answers include job descriptions, principle of least privilege, separation of duties, job responsibilities, job rotation/cross-training, performance reviews, background checks, job action warnings, awareness training, job training, exit interviews/terminations, nondisclosure agreements, noncompete agreements, employment agreements, privacy declaration, and acceptable use policies.

2. The formulas are as follows:

SLE = AV * EF

ARO = # / yr

ALE = SLE * ARO

Cost/benefit = (ALE1 – ALE2) – ACS

3. The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.

4. Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. A purely quantitative analysis is not possible; not all elements and aspects of the analysis can be quantified because some are qualitative, some are subjective, and some are intangible. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.

Chapter 3: Business Continuity Planning

1. Many federal, state, and local laws or regulations require businesses to implement BCP provisions. Including legal representation on your BCP team helps ensure that you remain compliant with laws, regulations, and contractual obligations.

2. The “seat-of-the-pants” approach is an excuse used by individuals
who do not want to invest time and money in the proper creation of
a BCP. This can lead to catastrophe when a firmly laid plan isn’t in
place to guide the response during a stressful emergency situation.

3. Quantitative risk assessment involves using numbers and formulas to make a decision. Qualitative risk assessment includes expertise instead of numeric measures, such as emotions, investor/consumer confidence, and workforce stability.

4. The BCP training plan should include a plan overview briefing for
all employees and specific training for individuals with direct or
indirect involvement. In addition, backup personnel should be
trained for each key BCP role.


5. The four steps of the BCP process are project scope and planning,
business impact assessment, continuity planning, and
approval/implementation.

Chapter 4: Laws, Regulations, and Compliance

1. The key provisions of the Privacy Shield Framework agreement between the United States and the European Union are as follows:

Inform individuals about data processing

Provide free and accessible dispute resolution

Cooperate with the Department of Commerce

Maintain data integrity and purpose limitation

Ensure accountability for data transferred to third parties

Maintain transparency related to enforcement actions

Ensure commitments are kept as long as data is held

2. Some common questions that organizations may ask about outsourced service providers are as follows:

What types of sensitive information are stored, processed, or transmitted by the vendor?

What controls are in place to protect the organization’s information?

How is our organization’s information segregated from that of other clients?

If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled?

What types of security audits does the vendor perform, and what access does the client have to those audits?

Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties?

Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have?

What is the vendor’s incident response process and when will clients be notified of a potential security breach?

What provisions are in place to ensure the ongoing integrity and availability of client data?

3. Some common steps that employers take to notify employees of monitoring include clauses in employment contracts that state that the employee should have no expectation of privacy while using corporate equipment, similar written statements in corporate acceptable use and privacy policies, logon banners warning that all communications are subject to monitoring, and labels on computers and telephones warning of monitoring.

Chapter 5: Protecting Security of Assets

1. Personally identifiable information (PII) is any information that can identify an individual. It includes information that can be used to distinguish or trace an individual’s identity, such as name, social security number or national ID number, date and place of birth, mother’s maiden name, and biometric records. Protected health information (PHI) is any health-related information that can be related to a specific person. PHI doesn’t apply only to healthcare providers. Any employer that provides, or supplements, healthcare policies collects and handles PHI.


2. Solid state drives (SSDs) should be destroyed (such as with a
disintegrator) to sanitize them. Traditional methods used for hard
drives are not reliable. While it doesn’t sanitize the drives,
encrypting all data stored on the drive does provide an extra layer
of protection.

3. Pseudonymization is the process of replacing data with pseudonyms. In this context, pseudonyms are artificial identifiers, which the General Data Protection Regulation (GDPR) refers to as pseudonyms. The GDPR recommends the use of pseudonyms to reduce the possibility of data identifying an individual.

4. Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. Tailoring refers to modifying the list of selected baseline controls for some systems that have different requirements.

Chapter 6: Cryptography and Symmetric Key Algorithms

1. The major obstacle to the widespread adoption of onetime pad cryptosystems is the difficulty in creating and distributing the very lengthy keys on which the algorithm depends.

2. The first step in encrypting this message requires the assignment of
numeric column values to the letters of the secret keyword:


S E C U R E
5 2 1 6 4 3

Next, the letters of the message are written in order underneath the
letters of the keyword:


S E C U R E
5 2 1 6 4 3
I W I L L P
A S S T H E
C I S S P E
X A M A N D
B E C O M E
C E R T I F
I E D N E X
T M O N T H


Finally, the sender enciphers the message by reading down each
column; the order in which the columns are read corresponds to
the numbers assigned in the first step. This produces the following
ciphertext:


I S S M C R D O W S I A E E E M P E E D E F X H L H P N M I E
T I A C X B C I T L T S A O T N N


3. This message is decrypted by using the following function:

P = (C - 3) mod 26
C: F R Q J U D W X O D W L R Q V B R X J R W L W
P: C O N G R A T U L A T I O N S Y O U G O T I T

The hidden message is “Congratulations You Got It.”
Congratulations, you got it!
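The keyword columnar transposition of lab 2 and the shift cipher of lab 3, carried through in code so the column-ordering rule and the read-out can be checked against the tables above. This is an added example, not the book's code; the function names are mine, and the tie-break for the repeated E in SECURE (the left-hand E ranks first) is taken from the worked table.

```python
"""Lab 2 (keyword columnar transposition) and lab 3 (shift cipher) in code.
Added example, not the book's code; function names are mine."""
from string import ascii_uppercase


def column_order(keyword: str) -> list:
    """Column indices in read-out order.

    Columns are ranked alphabetically by keyword letter; a repeated letter is
    ranked left to right, so S E C U R E gets 5 2 1 6 4 3 and the columns are
    read C, E (2nd letter), E (6th letter), R, S, U.
    """
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(plaintext: str, keyword: str) -> str:
    """Write the letters row by row under the keyword, read out column by column."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    width = len(keyword)
    if len(letters) % width:
        raise ValueError("message must fill the rectangle exactly; pad it first")
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in column_order(keyword) for row in rows)


def columnar_decrypt(ciphertext: str, keyword: str) -> str:
    """Refill the columns in the same order, then read the rows back."""
    width = len(keyword)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length is not a multiple of the keyword length")
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for col in column_order(keyword):
        for row in range(height):
            grid[row][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def shift(text: str, k: int) -> str:
    """Apply (letter + k) mod 26 to each letter; k = -3 is P = (C - 3) mod 26 from lab 3."""
    out = []
    for c in text.upper():
        if c in ascii_uppercase:
            out.append(ascii_uppercase[(ascii_uppercase.index(c) + k) % 26])
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    KEY = "SECURE"
    MSG = "I WILL PASS THE CISSP EXAM AND BECOME CERTIFIED NEXT MONTH"
    ct = columnar_encrypt(MSG, KEY)
    print(" ".join(ct))                               # the lab 2 ciphertext
    print(columnar_decrypt(ct, KEY))                  # IWILLPASSTHECISSP...
    print(shift("FRQJUDWXODWLRQVBRXJRWLW", -3))       # CONGRATULATIONSYOUGOTIT
```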

Chapter 7: PKI and Cryptographic Applications

1. Bob should encrypt the message using Alice’s public key and then
transmit the encrypted message to Alice.

2. Alice should decrypt the message using her private key.


3. Bob should generate a message digest from the plaintext message
using a hash function. He should then encrypt the message digest
using his own private key to create the digital signature. Finally, he
should append the digital signature to the message and transmit it
to Alice.

4. Alice should decrypt the digital signature in Bob’s message using Bob’s public key. She should then create a message digest from the plaintext message using the same hashing algorithm Bob used to create the digital signature. Finally, she should compare the two message digests. If they are identical, the signature is authentic.
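The four lab steps above as one Bob-to-Alice exchange in code: encrypt with Alice's public key, decrypt with her private key, sign by hashing and "encrypting" the digest with Bob's private key, verify with Bob's public key. This is an added teaching example, not the book's or any library's code; it uses textbook RSA with no padding and fixed Mersenne primes (trivially factorable, chosen only so the block runs offline), so the key material and the helper names are assumptions for the demo only.

```python
"""Bob sends Alice a confidential, signed message (labs 1 to 4 above).
Added teaching example, not the book's or any library's code: textbook RSA
with no OAEP/PSS padding, built on fixed Mersenne primes so it runs offline.
The construction is for illustration only, never for real keys."""
import hashlib

E = 65537
# Constructed key material: Mersenne primes, chosen only because they are
# known primes large enough that n exceeds a 256-bit SHA-256 digest.
ALICE_PRIMES = ((1 << 521) - 1, (1 << 127) - 1)
BOB_PRIMES = ((1 << 607) - 1, (1 << 89) - 1)


def make_keypair(p: int, q: int):
    """Return (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # pow(x, -1, m) is the inverse, Python 3.8+


def encrypt(message: bytes, public_key) -> int:
    """Lab 1: Bob encrypts with Alice's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message too long for this toy key; real systems use hybrid encryption")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Lab 2: Alice decrypts with her private key."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Lab 3: hash the plaintext, then 'encrypt' the digest with Bob's private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Lab 4: recover the digest with Bob's public key, recompute it, compare."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def exchange(message: bytes):
    """Run the whole flow; returns (recovered plaintext, signature valid, tampered copy valid)."""
    alice_pub, alice_priv = make_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    # Bob: sign the plaintext, encrypt it for Alice, send both.
    signature = sign(message, bob_priv)
    ciphertext = encrypt(message, alice_pub)
    # Alice: decrypt with her private key, then check Bob's signature.
    recovered = decrypt(ciphertext, alice_priv)
    genuine = verify(recovered, signature, bob_pub)
    tampered = verify(recovered + b"!", signature, bob_pub)   # one extra byte breaks it
    return recovered, genuine, tampered


if __name__ == "__main__":
    print(exchange(b"Meet at noon"))   # (b'Meet at noon', True, False)
```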

Chapter 8: Principles of Security Models, Design, and Capabilities

1. Security models include state machine, information flow, noninterference, Take-Grant, access control matrix, Bell-LaPadula, Biba, Clark-Wilson, Brewer and Nash (aka Chinese Wall), Goguen-Meseguer, Sutherland, and Graham-Denning.

2. The primary components of the trusted computing base (TCB) are the hardware and software elements used to enforce the security policy (these elements are called the TCB), the security perimeter distinguishing and separating TCB components from non-TCB components, and the reference monitor that serves as an access control device across the security perimeter.

3. The two primary rules of Bell-LaPadula are the simple rule of no
read-up and the star rule of no write-down. The two rules of Biba
are the simple rule of no read-down and the star rule of no write-
up.

4. An open system is one with published APIs that allow third parties to develop products to interact with it. A closed system is one that is proprietary with no third-party product support. Open source is a coding stance that allows others to view the source code of a program. Closed source is an opposing coding stance that keeps source code confidential.

Chapter 9: Security Vulnerabilities, Threats, and Countermeasures

1. The three standard cloud-based X-as-a-service options are platform as a service (PaaS), software as a service (SaaS), and infrastructure as a service (IaaS). PaaS is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally. SaaS is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription, a pay-as-you-go service, or a free service. IaaS takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.

2. The four security modes are dedicated, system high,
compartmented, and multilevel.

3. The three pairs of aspects or features used to describe storage are
primary vs. secondary, volatile vs. nonvolatile, and random vs.
sequential.

4. Some vulnerabilities found in distributed architecture include sensitive data found on desktops/terminals/notebooks, lack of security understanding among users, greater risk of physical component theft, compromise of a client leading to the compromise of the whole network, greater risk from malware because of user-installed software and removable media, and data on clients less likely to be included in backups.

Chapter 10: Physical Security Requirements

1. A fence is an excellent perimeter safeguard that can help to deter casual trespassing. Moderately secure installations work when the fence is 6 to 8 feet tall and will typically be cyclone (also known as chain link) fencing with the upper surface twisted or barbed to deter casual climbers. More secure installations usually opt for fence heights over 8 feet and often include multiple strands of barbed or razor wire strung above the chain link fabric to further deter climbers.


2. Halon degrades into toxic gases at 900 degrees Fahrenheit. Also, it
is not environmentally friendly (it is an ozone-depleting
substance). Recycled halon is available, but production of halon
ceased in developed countries in 2003. Halon is often replaced by a
more ecologically friendly and less toxic medium.

3. Anytime water is used to respond to fire, flame, or smoke, water damage becomes a serious concern, particularly when water is released in areas where electrical equipment is in use. Not only can computers and other electrical gear be damaged or destroyed by water, but also many forms of storage media can become damaged or unusable. Also, when seeking hot spots to put out, firefighters often use axes to break down doors or cut through walls to reach them as quickly as possible. This, too, poses the potential for physical damage to or destruction of devices and/or wiring that may also be in the vicinity.

Chapter 11: Secure Network Architecture and Securing Network Components

1. Application (7), Presentation (6), Session (5), Transport (4),
Network (3), Data Link (2), and Physical (1).


2. Problems with cabling and their countermeasures include attenuation (use repeaters or don’t violate distance recommendations), using the wrong CAT cable (check the cable specifications against throughput requirements, and err on the side of caution), crosstalk (use shielded cables, place cables in separate conduits, or use cables of different twists per inch), cable breaks (avoid running cables in locations where movement occurs), interference (use cable shielding, use cables with higher twists per inch, or switch to fiber-optic cables), and eavesdropping (maintain physical security over all cable runs or switch to fiber-optic cables).

3. Some of the frequency spectrum-use technologies are spread
spectrum, Frequency Hopping Spread Spectrum (FHSS), Direct
Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-
Division Multiplexing (OFDM).


4. Methods to secure 802.11 wireless networking include disabling the SSID broadcast; changing the SSID to something unique; enabling MAC filtering; considering the use of static IPs or using DHCP with reservations; turning on the highest form of encryption offered (such as WEP, WPA, or WPA2/802.11i); treating wireless as remote access and employing 802.1X, RADIUS, or TACACS; separating wireless access points from the LAN with firewalls; monitoring all wireless client activity with an IDS; and considering requiring wireless clients to connect with a VPN to gain LAN access.

5. The LAN shared media access technologies are CSMA, CSMA/CA (used by 802.11 and AppleTalk), CSMA/CD (used by Ethernet), token passing (used by Token Ring and FDDI/CDDI), and polling (used by SDLC, HDLC, and some mainframe systems).

Chapter 12: Secure Communications and Network Attacks

1. IPsec’s transport mode is used for host-to-host links and encrypts only the payload, not the header. IPsec’s tunnel mode is used for host-to-LAN and LAN-to-LAN links and encrypts the entire original payload and header and then adds a link header.

2. Network Address Translation (NAT) allows for the identity of internal systems to be hidden from external entities. Often NAT is used to translate between RFC 1918 private IP addresses and leased public addresses. NAT serves as a one-way firewall because it allows only inbound traffic that is a response to a previous internal query. NAT also allows a few leased public addresses to be used to grant internet connectivity to a larger number of internal systems.

3. Circuit switching is usually associated with physical connections. The link itself is physically established and then dismantled for the communication. Circuit switching offers known fixed delays, supports constant traffic, is connection oriented, is sensitive only to the loss of the connection rather than the communication, and was most often used for voice transmissions. Packet switching is usually associated with logical connections because the link is just a logically defined path among possible paths. Within a packet-switching system, each system or link can be employed simultaneously by other circuits. Packet switching divides the communication into segments, and each segment traverses the circuit to the destination. Packet switching has variable delays because each segment could take a unique path, is usually employed for bursty traffic, is not physically connection oriented but often uses virtual circuits, is sensitive to the loss of data, and is used for any form of communication.


4. Email is inherently insecure because it is primarily a plaintext communication medium and employs non-encrypted transmission protocols. This allows for email to be easily spoofed, spammed, flooded, eavesdropped on, interfered with, and hijacked. Defenses against these issues primarily include having stronger authentication requirements and using encryption to protect the content while in transit.

Chapter 13: Managing Identity and Authentication

1. Access control types include preventive, detective, corrective, deterrent, recovery, directive, and compensating access controls. They are implemented as administrative controls, logical/technical controls, and/or physical controls.

2. Identification occurs when a subject claims an identity, such as with a username. Authentication occurs when the subject provides information to verify the claimed identity is the subject’s identity. For example, a user can provide the correct password matched to the user’s name. Authorization is the process of granting the subject rights and permissions based on the subject’s proven identity. Accountability is accomplished by logging actions of subjects and is reliable only if the identification and authentication processes are strong and secure.

3. A Type 1 authentication factor is something you know. A Type 2
authentication factor is something you have. A Type 3
authentication factor is something you are.


4. Federated identity management systems allow single sign-on
(SSO) to be extended beyond a single organization. SSO allows
users to authenticate once and access multiple resources without
authenticating again. SAML is a common language used to
exchange federated identity information between organizations.

5. The identity and access provisioning lifecycle includes provisioning accounts, periodically reviewing and managing accounts, and disabling or deleting accounts when they are no longer being used.

Chapter 14: Controlling and Monitoring Access

1. A discretionary access control (DAC) model allows the owner, creator, or data custodian of an object to control and define access. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment.

2. Assets, threats, and vulnerabilities should be identified through
asset valuation, threat modeling, and vulnerability analysis.

3. Brute-force attacks, dictionary attacks, sniffer attacks, rainbow
table attacks, and social-engineering attacks are all known methods
used to discover passwords.

4. A salt is different for every password in a database. A pepper is the same for every password in a database. Salts for passwords are stored in the same database as the hashed passwords. A pepper is stored somewhere external to the database such as in application code or as a configuration setting for a server.
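A concrete layout of the arrangement in answer 4 above: each record carries its own salt next to the hash, while the single pepper lives in application configuration and is mixed in through an HMAC. This is an added example, not the book's code; the dict standing in for the user table, the config dict and the pepper value are constructed for the demo.

```python
"""Salt beside each hash in the user table; pepper only in application config.
Added example, not the book's code; the dict 'database', the config and the
pepper value are constructed for the demo."""
import hashlib
import hmac
import os

ITERATIONS = 100_000
# Constructed: in a real deployment the pepper comes from a secrets store or a
# server config file, never from the database that holds the password hashes.
APP_CONFIG = {"pepper": b"constructed-demo-pepper"}


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over an HMAC(pepper, password) pre-hash.

    The per-user salt makes a precomputed rainbow table useless; the pepper
    means a dump of the table alone is not enough to confirm a password guess.
    """
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def create_user(db: dict, username: str, password: str, pepper: bytes) -> None:
    salt = os.urandom(16)          # fresh random salt for every password
    db[username] = {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify_password(db: dict, username: str, password: str, pepper: bytes) -> bool:
    record = db.get(username)
    if record is None:
        hash_password(password, bytes(16), pepper)   # same cost for unknown users
        return False
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    """Returns (same hash for same password?, login ok?, wrong password ok?, no pepper ok?)."""
    db = {}
    pepper = APP_CONFIG["pepper"]
    create_user(db, "alice", "correct horse", pepper)
    create_user(db, "bob", "correct horse", pepper)
    collide = db["alice"]["hash"] == db["bob"]["hash"]            # False: salts differ
    ok = verify_password(db, "alice", "correct horse", pepper)     # True
    bad_pw = verify_password(db, "alice", "wrong", pepper)         # False
    # Holding only the table (salt + hash) without the pepper, even the
    # correct password cannot be confirmed:
    no_pepper = verify_password(db, "alice", "correct horse", b"guess")   # False
    return collide, ok, bad_pw, no_pepper


if __name__ == "__main__":
    print(demo())   # (False, True, False, False)
```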

Chapter 15: Security Assessment and Testing

1. TCP SYN scanning sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning. TCP connect scanning opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.

2. The three possible port status values returned by nmap are as
follows:

Open—The port is open on the remote system and there is an
application that is actively accepting connections on that port.

Closed—The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.

Filtered—Nmap is unable to determine whether a port is open
or closed because a firewall is interfering with the connection
attempt.

3. Static software testing techniques, such as code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application. Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.

4. Mutation (dumb) fuzzing takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Chapter 16: Managing Security Operations

1. Need to know focuses on permissions and the ability to access information, whereas the principle of least privilege focuses on privileges. Privileges include both rights and permissions. Both limit the access of users and subjects to only what they need. Following these principles prevents and limits the scope of security incidents.

2. Managing sensitive information includes properly marking,
handling, storing, and destroying it based on its classification.

3. Monitoring the assignment of special privileges detects when individuals are granted higher privileges such as when they are added to an administrator account. It can detect when unauthorized entities are granted higher privileges. Monitoring the usage of special privileges detects when entities are using higher privileges, such as creating unauthorized accounts, accessing or deleting logs, and creating automated tasks. This monitoring can detect potential malicious insiders and remote attackers.

4. The three models are software as a service (SaaS), platform as a
service (PaaS), and infrastructure as a service (IaaS). The cloud
service provider (CSP) provides the most maintenance and security
services with SaaS, less with PaaS, and the least with IaaS. While
NIST SP 800-144 provides these definitions, CSPs sometimes use
their own terms and definitions in marketing materials.

5. Change management processes help prevent outages by ensuring that proposed changes are reviewed and tested before being deployed. They also ensure that changes are documented.

Chapter 17: Preventing and Responding to Incidents

1. Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

2. Intrusion detection systems can be described as host based or
network based, based on their detection methods (knowledge
based or behavior based), and based on their responses (passive or
active).

Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation.

A knowledge-based IDS uses a database of known attacks to detect
intrusions. A behavior-based IDS starts with a baseline of normal
activity and measures network activity against the baseline to
identify abnormal activity.

A passive response will log the activity and often provide a notification. An active response directly responds to the intrusion to stop or block the attack.

3. Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.

4. Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can be performed manually or using automation techniques available in some identity and access management (IAM) systems.

Chapter 18: Disaster Recovery Planning

1. Businesses have three main concerns when considering adopting a mutual assistance agreement. First, the nature of an MAA often necessitates that the businesses be located in close geographical proximity. However, this requirement also increases the risk that the two businesses will fall victim to the same threat. Second, MAAs are difficult to enforce in the middle of a crisis. If one of the organizations is affected by a disaster and the other isn’t, the organization not affected could back out at the last minute, leaving the other organization out of luck. Finally, confidentiality concerns (both legal and business related) often prevent businesses from trusting others with their sensitive operational data.

2. There are five main types of disaster recovery tests:

Read-through tests involve the distribution of recovery
checklists to disaster recovery personnel for review.

Structured walk-throughs are “tabletop” exercises that involve assembling the disaster recovery team to discuss a disaster scenario.

Simulation tests are more comprehensive and may impact one
or more noncritical business units of the organization.

Parallel tests involve relocating personnel to the alternate site
and commencing operations there.

Full-interruption tests involve relocating personnel to the
alternate site and shutting down operations at the primary site.


3. Full backups create a copy of all data stored on a server.
Incremental backups create copies of all files modified since the
last full or incremental backup. Differential backups create copies
of all files modified since the last full backup without regard to any
previous differential or incremental backups that may have taken
place.

Chapter 19: Investigations and Ethics

1. The major categories of computer crime are military/intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, and thrill attacks.

2. Thrill attacks are motivated by individuals seeking to achieve the
“high” associated with successfully breaking into a computer
system.

3. Interviews are conducted with the intention of gathering information from individuals to assist with your investigation. Interrogations are conducted with the intent of gathering evidence from suspects to be used in a criminal prosecution.

4. To be admissible, evidence must be reliable, competent, and
material to the case.

