1. Which International Organization for Standardization standard is commonly referred to as the 'Common Criteria'?
- 15408
- 27001
- 14000
- 22002

2. The Reference Validation Mechanism that ensures the authorized access relationships between subjects and objects is implementing which of the following concepts?
- The reference monitor
- Discretionary Access Control
- The Security Kernel
- Mandatory Access Control

3. What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects?
- Unauthorized obtaining of a privileged execution state
- Disclosure of residual data
- Denial of service through a deadly embrace
- Data leakage through covert channels

4. What is a trusted shell?
- It means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it".
- It means that it is a communications channel between the user, or program, and the kernel.
- It means that someone working in that shell can communicate with someone else in another trusted shell.
- It means that it won't let processes overwrite other processes' data.

5. Pervasive computing and mobile computing devices have to sacrifice certain functions. Which statement concerning those devices is false?
- In many cases, security services have been enhanced due to the lack of services available.
- These devices share common security concerns with other resource-constrained devices.
- In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited.
- Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control.

6. Which of the following categories of access means that users are restricted based on the type of information that an object holds?
- Just-in-time access
- Role-based access
- Context-dependent access
- Content-dependent access

7. Which of the following is a security-focused language that uses three components, including the principal, the identity provider, and the service provider?
- OpenID Connect
- Kerberos
- OAuth
- Security Assertion Markup Language

8. Which of the following is a threat modeling methodology that offers a public knowledge database of threat tactics and techniques?
- Trike
- Cyber Kill Chain
- MITRE ATT&CK Framework
- STRIDE

9. Which of the following tests of the disaster recovery plan involves practicing specific activities, particularly technical ones, but does not involve actual systems and data used for primary business operations?
- Tabletop exercise
- Simulation
- Walk-through
- Parallel test

10. Which of the following is not one of the four primary areas addressed by Crime Prevention Through Environmental Design (CPTED)?
- Natural access control
- Sensitive processing area placement and design
- Territorial reinforcement
- Natural surveillance

11. Which of the following terms describes the process of tunneling network traffic into other protocols?
- Virtual local area network
- Encapsulation
- Virtual eXtensible Local Area Network
- Virtual private networking

12. Your company needs additional identification and authentication services for certain cloud-based applications. You have enabled single sign-on technologies in your on-premise identity solution, so that the same credentials can be used through a cloud access security broker (CASB) for your Software as a Service subscription. Which of the following types of identity management (IdM) solutions have you implemented?
- Hybrid IdM
- On-premise IdM
- Third-party IdM
- Cloud-based IdM

13. Which of the following legacy voice and data services has a Basic Rate Interface consisting of two B channels at 64 Kbps and one D channel at 16 Kbps?
- Dial-up
- Digital subscriber line
- Integrated Services Digital Network (ISDN)
- Cable modem

14. Which type of assets cannot be easily interacted with or valued in terms of cost, revenue, or other monetary measurement?
- Critical assets
- Intangible assets
- Sensitive assets
- Tangible assets

15. Which of the following is not considered a characteristic of strong key generation?
- Using multiple keys that generate the same ciphertext from the same plaintext
- Using keys that are more random and not based on common terms, such as dictionary words
- Changing keys frequently
- Using longer key lengths

16. Which of the following is NOT an example of a vulnerability in source code?
- Time-of-check to time-of-use (TOC/TOU) attacks
- Improper input validation
- Cross-site request forgery (CSRF)
- Cross-site scripting

17. Which of the following network hardware devices can connect two or more networks together and break up collision domains?
- Proxy
- Hub
- Switch
- Router

18. Your company has hired a new junior security administrator. You want them to be able to perform only limited specific tasks while they are in training. You do not want to grant them the full abilities of an administrator. Which of the following security principles describes this approach?
- Separation of duties
- Authentication
- Nonrepudiation
- Principle of least privilege

19. Which of the following technologies allows virtual LAN management traffic to be sent across physical subnets to geographically separated locations by encapsulating layer 2 VLAN frames into UDP?
- VLAN
- SDN
- VxLAN
- SDWAN

20. Which of the following terms describes the role of the person who is the focus of data?
- Data subject
- Data user
- Data custodian
- Data controller

21. Which of the following are gathered during the requirements gathering phase of the software development life cycle (SDLC)?
- Architecture requirements
- Design specifications
- Functional and performance requirements
- Test results

22. Your organization is disposing of several computers that run an older version of the Windows Server operating system. Because Microsoft no longer provides patches for it and the systems are not capable of running several new line-of-business applications required in the company, which of the following is correct regarding the status of these machines?
- They have only reached the end-of-support stage of the asset life cycle, since they can still fulfill their required function.
- They have reached neither the end-of-support stage nor the end-of-life stage of the asset life cycle, since they can still get updates from the vendor and can still fulfill their required function.
- They have reached both the end-of-support and end-of-life stages of the asset life cycle, since they no longer get updates from the vendor and no longer can fulfill their required function.
- They have only reached the end-of-life stage of the asset life cycle, since they can still get updates from the vendor.

23. Which of the following is used in Windows systems to accomplish just-in-time authorization and temporary escalation of privileges?
- Changing privileged groups or roles
- Logging in as an administrative user
- runas command
- sudo command

24. Which of the following tenets of security is very closely related to accountability?
- Nonrepudiation
- Identification
- Authentication
- Authorization

25. Which of the following access control models allows anyone who created or owns a resource to grant permissions to others for that resource?
- Discretionary access control model
- Mandatory access control model
- Role-based access control model
- Rule-based access control model

26. Which of the following is one of the four canons of the (ISC)2 Code of Ethics?
- Thou shalt not use a computer to steal.
- Avoid real or perceived conflicts of interest.
- You should only charge the competitive industry rate for work performed for a customer.
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.

27. Which of the following is not a characteristic of the original Wi-Fi Protected Access (WPA) standard?
- Interim protocol used before the adoption of the official IEEE 802.11i standard
- Uses the Simultaneous Authentication of Equals exchange
- Larger key sizes than WEP
- Uses the Temporal Key Integrity Protocol

28. Which of the following describes the two primary ways that assets are classified?
- Criticality and sensitivity
- Cost and sensitivity
- Criticality and recoverability
- Cost and criticality

29. Which of the following statements specifically characterizes a stateful inspection firewall?
- Filters traffic based on end-to-end communication sessions rather than traffic content
- Filters traffic based on very basic traffic characteristics, such as IP address, port, or protocol
- Filters traffic based on characteristics of applications
- Filters traffic based on the connection state of inbound and outbound network traffic

30. Which of the following terms best describes a negative event that has the potential to exploit a weakness in an asset or the organization?
- Threat actor
- Threat
- Risk
- Vulnerability