Which of the following is BEST defined as a physical control?
Correct Answer: B
Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. The following answers are incorrect answers: Monitoring of system activity is considered to be administrative control. Identification and authentication methods are considered to be a technical control. Logical access control mechanisms is also considered to be a technical control. Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 1280-1282). McGraw-Hill. Kindle Edition.
Question 32
Which of the following is the FIRST step in protecting data's confidentiality?
Correct Answer: C
Explanation/Reference: In order to protect the confidentiality of the data. The following answers are incorrect because : Install a firewall is incorrect as this would come after the information has been identified for sensitivity levels. Implement encryption is also incorrect as this is one of the mechanisms to protect the data once it has been identified. Review all user access rights is also incorrect as this is also a protection mechanism for the identified information. Reference : Shon Harris AIO v3 , Chapter-4 : Access Control , Page : 126
Question 33
Which of the following would constitute the best example of a password to use for access to a system by a network administrator?
Correct Answer: D
Explanation/Reference: GyN19Za! would be the the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character making it less vulnerable to password attacks. All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The addition of a number to the end of a common word only marginally strengthens it because a common password attack would also check combinations of words: Christmas23 Christmas123 etc...
Question 34
Which one of the following is NOT one of the outcomes of a vulnerability assessment?
Correct Answer: C
Section: Risk, Response and Recovery Explanation/Reference: When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vulnerability assessments concentrate on technical vulnerabilities in systems or applications, but the assessment process is equally as effective when examining physical or administrative business processes. The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that i t is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan. A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both quantitatively and qualitatively. Quantitative loss criteria may be defined as follows: Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution The additional operational expenses incurred due to the disruptive event Incurring financial loss from resolution of violation of contract agreements Incurring financial loss from resolution of violation of regulatory or compliance requirements Qualitative loss criteria may consist of the following: The loss of competitive advantage or market share The loss of public confidence or credibility, or incurring public mbarrassment During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment. Critical support areas could include the following: Telecommunications, data communications, or information technology areas Physical infrastructure or plant facilities, transportation services Accounting, payroll, transaction processing, customer service, purchasing The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition. KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 277.
Question 35
Which OSI/ISO layer does a SOCKS server operate at?
Correct Answer: A
Section: Network and Telecommunications Explanation/Reference: A SOCKS based server operates at the Session layer of the OSI model. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for "SOCKetS". As of Version 5 of SOCK, both UDP and TCP is supported. One of the best known circuit-level proxies is SOCKS proxy server. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS Server, without requiring direct "IP-reachability" The protocol was originally developed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year's Usenix Security Symposium and SOCKS became publicly available. The protocol was extended to version 4 by Ying-Da Lee of NEC. SOCKS includes two components, the SOCKS server and the SOCKS client. The SOCKS protocol performs four functions: Making connection requests Setting up proxy circuits Relaying application data Performing user authentication (optional) Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 96). and http://en.wikipedia.org/wiki/SOCKS and http://www.faqs.org/rfcs/rfc1928.html and The ISC2 OIG on page 619
