
CISSP Questions, Answers & Explanations (PrepLogic's classic practice question set).pdf

Uploader: a****2   Document ID: 3332291   Uploaded: 2024-03-02   Format: PDF   Pages: 589   Size: 2.93 MB
Resource description

Table of Contents

Chapter 1   Access Control ............................................ p. 2   (Answer Key p. 263, Explanations p. 300)
Chapter 2   Application Security ..................................... p. 24  (Answer Key p. 266, Explanations p. 325)
Chapter 3   Business Continuity and Disaster Recovery Planning ....... p. 51  (Answer Key p. 270, Explanations p. 353)
Chapter 4   Cryptography ............................................. p. 79  (Answer Key p. 274, Explanations p. 384)
Chapter 5   Information Security and Risk Management ................. p. 103 (Answer Key p. 277, Explanations p. 410)
Chapter 6   Legal, Regulations, Compliance and Investigations ........ p. 135 (Answer Key p. 281, Explanations p. 447)
Chapter 7   Operations Security ...................................... p. 161 (Answer Key p. 284, Explanations p. 474)
Chapter 8   Physical (Environmental) Security ........................ p. 182 (Answer Key p. 287, Explanations p. 498)
Chapter 9   Security Architecture and Design ......................... p. 208 (Answer Key p. 291, Explanations p. 528)
Chapter 10  Telecommunications and Network Security .................. p. 236 (Answer Key p. 295, Explanations p. 559)

CISSP Printables
Copyright 2009 by PrepLogic, LLC.
Product ID: 4293
Production Date: May 22, 2009
Total Questions: 750

All rights reserved. No part of this document shall be stored in a retrieval system or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein.

Warning and Disclaimer
Every effort has been made to make this document as complete and as accurate as possible, but no warranty or fitness is implied. The publisher and authors assume no responsibility for errors or omissions. The information provided is on an as-is basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this document.

Volume, Corporate, and Educational Sales
PrepLogic offers favorable discounts on all products when ordered in quantity. For more information, please contact PrepLogic directly: 1-800-418-

Chapter 1: Access Control

1. ___ is what allows you to perform requested actions or denies such actions based on access criteria. Select the best answer.
A. Authorization
B. Identification
C. Authentication
D. Auditing
Find the Answer p. 263

2. What type of access control is based on job description? Select the best answer.
A. Group-based
B. Role-based
C. Transaction-based
D. Discretionary
Find the Answer p. 263

3. Which of the following is a security disadvantage of single sign-on? Select the best answer.
A. Simplified password management and administration
B. Less time required overall to perform logon and authentication
C. Stronger passwords are often used
D. Users can roam the network without restrictions
Find the Answer p. 263

4. Which of the following is NOT an example of a single sign-on technology? Select the best answer.
A. TACACS
B. Kerberos
C. SESAME
D. KryptoKnight
Find the Answer p. 263

5. Role based access control can be labeled as what form of access control? Select the best answer.
A. Discretionary
B. Mandatory
C. Nondiscretionary
D. Recursive
Find the Answer p. 263

6. ACLs on objects are the most common implementation of what form of access control? Select the best answer.
A. Role based
B. Mandatory
C. Nondiscretionary
D. Discretionary
Find the Answer p. 263

7. What form of access control is NOT centrally managed? Select the best answer.
A. Discretionary
B. Mandatory
C. Nondiscretionary
D. Role-based
Find the Answer p. 263

8. What is the most efficient form of access control for environments with a high rate of personnel turnover? Select the best answer.
A. Interpretive
B. Role based
C. Mandatory
D. Discretionary
Find the Answer p. 263

9. Which of the following is the least appropriate technique for controlling access? Select the best answer.
A. Encryption
B. Rule-based access
C. Restricted interface
D. Capability table
Find the Answer p. 263

10. Which of the following is NOT a form of access control administration? Select the best answer.
A. Centralized
B. Delegated
C. Decentralized
D. Hybrid
Find the Answer p. 263

11. Which of the following is NOT a form of a centralized access control mechanism? Select the best answer.
A. RADIUS (Remote Authentication Dial-in User Service)
B. TACACS+ (Terminal Access Controller Access Control System Plus)
C. Security domains
D. 802.1x
Find the Answer p. 263

12. Which form of TACACS (Terminal Access Controller Access Control System) can use tokens for two-factor authentication and supports dynamic password authentication? Select the best answer.
A. TACACS (Terminal Access Controller Access Control System)
B. Dual-TACACS (Dual Terminal Access Controller Access Control System)
C. XTACACS (Extended Terminal Access Controller Access Control System)
D. TACACS+ (Terminal Access Controller Access Control System Plus)
Find the Answer p. 263

13. Which of the following is NOT an administrative access control method? Select the best answer.
A. Work area separation
B. Policies and procedures
C. Personnel controls
D. Supervisory structure
Find the Answer p. 263

14. Which of the following is an administrative access control method? Select the best answer.
A. Data backups
B. Security awareness training
C. Network architecture
D. Auditing
Find the Answer p. 263

15. Which of the following is NOT a physical access control method? Select the best answer.
A. Network segregation
B. Perimeter security
C. Testing
D. Cabling
Find the Answer p. 263

16. Which of the following is a physical access control method? Select the best answer.
A. Restricting computer system and network access
B. Encryption
C. Security awareness training
D. Computer media inventory
Find the Answer p. 263

17. Which of the following is NOT a technical/logical access control method? Select the best answer.
A. Security awareness training
B. Network architecture
C. Encryption
D. Control zones
Find the Answer p. 263

18. Which of the following is a technical/logical access control method? Select the best answer.
A. Work area separation
B. Auditing
C. Data backups
D. Policies and procedures
Find the Answer p. 263

19. What type of security control reduces the likelihood of security violations? Select the best answer.
A. Detective
B. Corrective
C. Preventative
D. Recovery
Find the Answer p. 263

20. Which of the following is the odd element in this set of items? Select the best answer.
A. Need to know
B. Access based on work tasks
C. Data classification
D. Least privilege
Find the Answer p. 263

21. Which of the following is the most secure form of password? Select the best answer.
A. Static password
B. Dynamic password
C. One time password
D. Cognitive password
Find the Answer p. 263

22. What does the False Acceptance Rate (Type II) error of a biometric device indicate? Select the best answer.
A. The rate at which authorized users are not granted access
B. The rate at which authorized users are granted access
C. The rate at which unauthorized users are not granted access
D. The rate at which unauthorized users are granted access
Find the Answer p. 263

23. What will a fail-secure access control mechanism default to? Select the best answer.
A. No access
B. Minimal access
C. Least privilege
D. Need to know access
Find the Answer p. 263

24. What is the primary disadvantage of single sign-on? Select the best answer.
A. Password management and account administration
B. Users can roam the network without restrictions
C. User work task prohibitive
D. Length of time required to perform logon
Find the Answer p. 264

25. Which of the following is usually NOT labeled as an entity that serves as either a subject or an object? Select the best answer.
A. File
B. Database
C. Program
D. Computers
Find the Answer p. 264

26. Which of the following is the act of providing the "who" of a subject, and is the first step in establishing accountability? Select the best answer.
A. Authorization
B. Identification
C. Auditing
D. Non-repudiation
Find the Answer p. 264

27. Which of the following represents the activity of verifying the claimed identity of a subject? Select the best answer.
A. Authorization
B. Accountability
C. Authentication
D. Availability
Find the Answer p. 264

28. Which of the following is NOT an example of an authorization method? Select the best answer.
A. Need to know
B. Access control matrix
C. Security label
D. Password
Find the Answer p. 264

29. Which of the following is NOT an example of a logical access control? Select the best answer.
A. Perimeter padlocked gates
B. Restricted database interfaces
C. Required authentication before access
D. Centralized remote access authentication services
Find the Answer p. 264

30. Which of the following is NOT typically considered to be used as an identification factor? Select the best answer.
A. Smart Card
B. Password
C. Biometric feature
D. Employee identification
Find the Answer p. 264

31. Which form of password may require different interactions or responses from the subject each time they attempt to logon? Select the best answer.
A. Static password
B. Dynamic password
C. Cognitive password
D. Passphrase
Find the Answer p. 264

32. Which of the following is also a dynamic password? Select the best answer.
A. Passphrase
B. PIN
C. Smart card
D. One time password
Find the Answer p. 264

33. A password is an example of what type of authentication factor? Select the best answer.
A. Type 1
B. Type 2
C. Type 3
D. Type 4
Find the Answer p. 264

34. What is a Type 3 authentication factor? Select the best answer.
A. Something you have
B. Something you are
C. Something you know
D. Something you do
Find the Answer p. 264

35. What is an example of a Type 3 authentication factor? Select the best answer.
A. Password
B. Signing your name
C. Fingerprint
D. Smart card
Find the Answer p. 264

36. Which of the following provides the greatest level of authentication security? Select the best answer.
A. Biometric
B. Type 2
C. Something you do
D. Two-factor
Find the Answer p. 264

37. Which of the following is converted to a hash value (a.k.a. a virtual password) before being sent to the authentication server for processing? Select the best answer.
A. Passphrase
B. Smart card swipe
C. Fingerprint scan
D. MAC filtering check
Find the Answer p. 264

38. What type of authentication token requires the subject to authenticate themselves to the token, and then the token authenticates to the system? Select the best answer.
A. Synchronous dynamic password token
B. Static password token
C. Asynchronous dynamic password token
D. Challenge-response token
Find the Answer p. 264

39. Biometrics can be used directly for all but which of the following purposes? Select the best answer.
A. Identification
B. Physical access control
C. Accountability
D. Authentication
Find the Answer p. 264

40. When used as an ___ method, biometrics function as a one-to-one function. Select the best answer.
A. Identification
B. Authorization
C. Impersonation
D. Authentication
Find the Answer p. 264

41. What is the primary use of the crossover error rate? Select the best answer.
A. Sensitivity adjustment
B. Comparison of similar biometric devices
C. Configuration control
D. Reducing enrollment time
Find the Answer p. 264

42. What is the threshold rate of subject processing per minute at which a biometric device is considered to be acceptable or unacceptable? Select the best answer.
A. 50 subjects per minute
B. 2 subjects per minute
C. 5 subjects per minute
D. 10 subjects per minute
Find the Answer p. 264

43. What does a Type I biometric error indicate? Select the best answer.
A. The rate at which authorized users are not granted access
B. The rate at which authorized users are granted access
C. The rate at which unauthorized users are not granted access
D. The rate at which unauthorized users are granted access
Find the Answer p. 264

44. What is the threshold point of enrollment time required at which a biometric device is generally considered unacceptable to most users? Select the best answer.
A. 30 seconds
B. 1 minute
C. 2 minutes
D. 10 minutes
Find the Answer p. 264

45. A biometric scanner for facility access is considered all but which of the following types of access control? Select the best answer.
A. Preventative
B. Detective
C. Corrective
D. Recovery
Find the Answer p. 264

46. Which of the following is not considered a detective security control? Select the best answer.
A. Monitoring
B. Separation of duties
C. Job rotation
D. Intrusion detection
Find the Answer p. 264

47. Which of the following is an example of a recovery security control? Select the best answer.
A. Intrusion detection
B. Encryption
C. Anti-virus software
D. Smart cards
Find the Answer p. 264

48. Which of the following is NOT an example of a preventative administrative access control? Select the best answer.
A. Background checks
B. Controlled termination process
C. Data classification
D. Alarms
Find the Answer p. 264

49. Which of the following is NOT an example of a preventative technical/logical access control? Select the best answer.
A. Passwords
B. Motion detectors
C. Constrained user interfaces
D. Firewalls
Find the Answer p. 265

50. Which of the following is NOT a preventative physical access control? Select the best answer.
A. Biometrics
B. Fences
C. Call back systems
D. CCTV (Closed-Circuit TV)
Find the Answer p. 265

51. Which of the following is used to ensure that users are held responsible for their actions? Select the best answer.
A. Auditing
B. Authentication
C. Identification
D. Accountability
Find the Answer p. 265

52. Auditing allows for all but which of the following? Select the best answer.
A. Controlling data classifications
B. Reconstruction of events
C. Evidence for legal action
D. Producing problem reports
Find the Answer p. 265

53. Which of the following is NOT considered an audit analysis tool? Select the best answer.
A. Malicious code scanning tool
B. Data reduction tool
C. Variance detection tool
D. Attack signature detection tool
Find the Answer p. 265

54. Which of the following is a method by which accountability can be enforced? Select the best answer.
A. Data backups
B. Keystroke logging
C. Bandwidth throttling
D. Trusted recovery
Find the Answer p. 265

55. What is the act of a hacker cleaning out all traces of their activities from audit logs known as? Select the best answer.
A. Spoofing
B. Masquerading
C. Scrubbing
D. Data diddling
Find the Answer p. 265

56. Audit logs can be used for all but which of the following? Select the best answer.
A. Legal evidence
B. Predicting the source of the next intrusion attempt
C. Demonstrate the means by which an attack was waged
D. Corroborate and verify the story of a suspect
Find the Answer p. 265

57. Which of the following is a means by which data is disclosed intentionally? Select the best answer.
A. Social engineering
B. Malicious code
C. Espionage
D. Object/media reuse
Find the Answer p. 265

58. What is TEMPEST? Select the best answer.
A. A centralized remote access authentication service
B. A security domain authorization system
C. A vulnerability scanner
D. The study and control of stray electrical signals
Find the Answer p. 265

59. Which of the following is NOT a valid countermeasure against the interception of radio frequency and other electromagnetic radiation signals by unauthorized individuals? Select the best answer.
A. Sound dampening insulation
B. TEMPEST equipment
C. White noise generation
D. Control zones
Find the Answer p. 265

60. Without ___ there is no security. Select the best answer.
A. Removable media usage controls
B. Physical access controls
C. Access control lists
D. Firewalls
Find the Answer p. 265

61. Which of the following is NOT considered a monitoring or reconnaissance technique? Select the best answer.
A. Intrusion Detection
B. Probing
C. Proximity detectors
D. Dump
