The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization?
Correct Answer: D
Explanation/Reference: The other answers are not correct because you are always looking for the "best" answer. While each of the answers listed here could be considered correct, in that each of them requires input from the security staff, the best answer is for that input to happen at all phases of the project. Reference: Official ISC2 Guide, page 556; All in One, Third Edition, pages 832-833.
Question 627
Which auditing practice relates to the controlling of hardware, software, firmware, and documentation to ensure it has not been improperly modified?
Correct Answer: B
Question 628
Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in a system?
Correct Answer: C
Section: Security Operation Administration

Explanation/Reference: NOTE: This question refers to a system that is Logical/Technical, so you must choose the right answer in the context of a system. It is very important to read the question carefully and to identify whether the context is the Physical world or the Technical/Logical world.

RFC 2828 (Internet Security Glossary) defines fail safe as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system. In the Logical/Technical world, a secure state means that no access would be granted and no packets would be allowed to flow through the system inspecting them (a firewall, for example).

If the question had referred to a building or something else specific to the Physical world, the answer would have been different: in the Physical world everything becomes open and full access is granted. See the valid choices below for the Physical context.

Fail-safe in the physical security world is when doors are unlocked automatically in case of emergency. It is used in environments where humans work, because human safety is the prime concern during a fire or other hazard.

The following were all wrong choices:

Fail-secure in the physical security world is when doors are locked automatically in case of emergency. It can be used in an area like a cash locker room, provided there is an alternative manually operated exit door in case of emergency.

Fail soft is the selective termination of affected non-essential system functions and processes when a failure occurs or is detected in the system.

Fail Over is a redundancy mechanism and does not apply to this question.

There is a great post within the CCCure Forums on this specific question: saintrockz, a long-term contributor to the forums, did outstanding research, and the results are reproduced below.
The CCCure forum is a gold mine where thousands of questions related to the CBK have been discussed.

According to the Official ISC2 Study Guide (OIG): Fault Tolerance is defined as the built-in capability of a system to provide continued correct execution in the presence of a limited number of hardware or software faults. It means a system can operate in the presence of hardware component failures. A single component failure in a fault-tolerant system will not cause a system interruption, because the alternate component will take over the task transparently. As the cost of components continues to drop and the demand for system availability increases, many non-fault-tolerant systems have redundancy built in at the subsystem level. As a result, many non-fault-tolerant systems can tolerate hardware faults; consequently, the line between a fault-tolerant system and a non-fault-tolerant system becomes increasingly blurred.

According to Common Criteria:
Fail Secure - Failure with preservation of secure state, which requires that the TSF (TOE security functions) preserve a secure state in the face of the identified failures.

According to The CISSP Prep Guide, Gold Edition:
Fail over - When one system/application fails, operations will automatically switch to the backup system.
Fail safe - Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system.
Fail secure - The system preserves a secure state during and after identified failures occur.
Fail soft - Pertaining to the selective termination of affected non-essential processing when a hardware or software failure is detected in a system.

According to CISSP for Dummies:
Fail closed - A control failure that results in all accesses being blocked.
Fail open - A control failure that results in all accesses being permitted.
Failover - A failure mode where, if a hardware or software failure is detected, the system automatically transfers processing to a hot backup component, such as a clustered server.
Fail-safe - A failure mode where, if a hardware or software failure is detected, program execution is terminated and the system is protected from compromise.
Fail-soft (or resilient) - A failure mode where, if a hardware or software failure is detected, certain noncritical processing is terminated and the computer or network continues to function in a degraded mode.
Fault-tolerant - A system that continues to operate following failure of a computer or network component.

It is also useful to differentiate this concept in Physical Security:
Fail-safe - The door defaults to being unlocked; dictated by fire codes.
Fail-secure - The door defaults to being locked.

Reference(s) used for this question: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.
Question 629
When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first?
Correct Answer: C
Explanation/Reference: Once an intrusion into your organization's information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and only then taking action. This is the good old saying: "Do not cry wolf until you know there is a wolf for sure." Sometimes it smells like a wolf and it looks like a wolf, but it may not be a wolf. Technical problems or bad hardware might cause symptoms that look like an intrusion even though they are not. You must make sure that a crime has in fact been committed before implementing your reaction plan. Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures. This first analysis will provide information such as what attacks were used, what systems and data were accessed by the intruder, what the intruder did after obtaining access, and what the intruder is currently doing (if the intrusion has not been contained). The next step is to communicate with the relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities. Step three is concerned with collecting and protecting all information about the compromised systems and the causes of the intrusion; it must be carefully collected, labelled, catalogued, and securely stored. Containing the intrusion, where tactical actions are performed to stop the intruder's access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next. Since it is more of a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process. Reference used for this question: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).
Question 630
What size is an MD5 message digest (hash)?
Correct Answer: A
Explanation/Reference: MD5 is a one-way hash function producing a 128-bit message digest from the input message, through 4 rounds of transformation. MD5 is specified as an Internet Standard (RFC1312). Reference(s) used for this question: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.