Single-choice questions
1. Which of the following is a means of restricting access to objects based on the identity of the subject to
which they belong?
A. Mandatory access control
B. Group access control
C. Discretionary access control
D. User access control
2. What is the purpose of certification path validation?
A. Checks the legitimacy of the certificates in the certification path.
B. Checks that all certificates in the certification path refer to same certification practice statement.
C. Checks that no revoked certificates exist outside the certification path.
D. Checks that the names in the certification path are the same.
3. Which one of the following instigates a SYN flood attack?
A. Generating excessive broadcast packets.
B. Creating a high number of half-open connections.
C. Inserting repetitive Internet Relay Chat (IRC) messages.
D. A large number of Internet Control Message Protocol (ICMP) traces.
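Added example for question 3 (not part of the original exam): a SYN flood works by leaving a server with a large number of half-open TCP connections, i.e. connections where the server has answered SYN with SYN-ACK and is still holding backlog state waiting for the client's final ACK. The script below counts that half-open state (`SYN_RECV`) per listener over a constructed connection-table snapshot; the threshold values are assumptions for the example, not values from the exam.

```python
# Added example (not from the original exam): detect a SYN flood from a
# connection-table snapshot by counting half-open (SYN_RECV) connections.
from collections import defaultdict

# Constructed sample records in the shape (src_ip, dst_ip, dst_port, state),
# as `ss -tan`, `netstat -tan` or a firewall connection table would report.
# SYN_RECV is the half-open state: the server sent SYN-ACK and is still
# holding backlog state while it waits for the client's final ACK.
SAMPLE_CONNECTIONS = (
    [(f"10.0.0.{i}", "192.0.2.10", 443, "ESTABLISHED") for i in range(1, 9)]
    + [(f"203.0.113.{i}", "192.0.2.10", 443, "SYN_RECV") for i in range(1, 151)]
    + [("10.0.0.7", "192.0.2.11", 22, "ESTABLISHED")]
    + [("10.0.0.8", "192.0.2.11", 22, "SYN_RECV")]  # one ordinary handshake in flight
)


def half_open_stats(records):
    """Per (dst_ip, dst_port): (half_open_count, total_count)."""
    stats = defaultdict(lambda: [0, 0])
    for _src, dst_ip, dst_port, state in records:
        key = (dst_ip, dst_port)
        stats[key][1] += 1
        if state == "SYN_RECV":
            stats[key][0] += 1
    return {k: tuple(v) for k, v in stats.items()}


def detect_syn_flood(records, min_half_open=100, min_ratio=0.8):
    """Return listeners whose half-open connections exceed both an absolute
    count and a share of all connections. The thresholds are assumptions
    for this example; tune them to the service's normal SYN_RECV backlog."""
    flagged = []
    for (dst_ip, dst_port), (half_open, total) in half_open_stats(records).items():
        if half_open >= min_half_open and half_open / total >= min_ratio:
            flagged.append((dst_ip, dst_port, half_open))
    return sorted(flagged)


if __name__ == "__main__":
    for dst_ip, dst_port, count in detect_syn_flood(SAMPLE_CONNECTIONS):
        print(f"possible SYN flood against {dst_ip}:{dst_port}: {count} half-open")
```

Note that the source addresses in a real flood are usually spoofed, so rate-limiting per source does little; the usual mitigation is SYN cookies or a larger backlog with a shorter SYN_RECV timeout, so that the half-open state is no longer the scarce resource.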
4. To mitigate the impact of a software vendor going out of business, a company that uses vendor
software should require which one of the following?
A. Detailed credit investigation prior to acquisition.
B. Source code held in escrow.
C. Standby contracts with other vendors.
D. Substantial penalties for breach of contract.
5. Which security problem exists if a user accessing low-level data is able to draw conclusions about ___
A. Interference
B. Inference
C. Polyinstantiation
D. Under-classification
6. Security measures that protect message traffic independently on each communication path are called __
A. Link oriented
B. Procedure oriented
C. Pass-through oriented
D. End-to-end oriented
7. Which one of the following conditions is NOT necessary for a long dictionary attack to succeed?
A. The attacker must have access to the target system.
B. The attacker must have read access to the password file.
C. The attacker must have write access to the password file.
D. The attacker must know the password encryption mechanism and key variable.
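Added example for question 7 (not part of the original exam): an offline dictionary attack against a salted-hash password file. It shows what the attacker actually needs: a readable copy of the file and knowledge of the hashing scheme (here SHA-256 over salt || password, an assumption made for the example; real systems should use a slow KDF such as bcrypt, scrypt or Argon2). The file is only ever read, never written. The password file and wordlist below are constructed inline.

```python
# Added example (not from the original exam): offline dictionary attack
# against a constructed password file of the form user:salt_hex:sha256_hex.
import hashlib
import hmac


def hash_password(salt: bytes, password: str) -> str:
    """Assumed hashing scheme for the example: SHA-256(salt || password).
    A fast hash is used only so the example runs instantly; production
    systems should use a slow, memory-hard KDF."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_password_file(entries) -> str:
    """Build the file contents from (user, salt_hex, plaintext) tuples."""
    lines = []
    for user, salt_hex, password in entries:
        digest = hash_password(bytes.fromhex(salt_hex), password)
        lines.append(f"{user}:{salt_hex}:{digest}")
    return "\n".join(lines)


# Constructed sample data. The attacker is assumed to have read this file
# (e.g. from a backup or a world-readable copy) and to know the scheme above.
PASSWORD_FILE = make_password_file([
    ("alice", "0a1b2c3d", "winter2024"),
    ("bob", "deadbeef", "Tr0ub4dor&3"),
    ("carol", "00ff00ff", "password"),
])

DICTIONARY = ["123456", "password", "letmein", "winter2024", "qwerty"]


def dictionary_attack(password_file: str, wordlist) -> dict:
    """Return {user: recovered_password} for every entry whose password is in
    the wordlist. Each guess is hashed with the entry's own salt, so the salt
    defeats precomputed tables but not a per-user dictionary run."""
    recovered = {}
    for line in password_file.splitlines():
        user, salt_hex, digest = line.split(":")
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            if hmac.compare_digest(hash_password(salt, guess), digest):
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    for user, password in dictionary_attack(PASSWORD_FILE, DICTIONARY).items():
        print(f"{user}: {password}")
```

bob's password is not in the wordlist and survives; alice and carol fall. Nothing in the attack modifies the file, which is why write access is not among the preconditions, while read access and knowledge of the hashing mechanism are.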
8. In a Secure Electronic Transaction (SET), how many certificates are required for a payment gateway
to support multiple acquirers?
A. Two certificates for the gateway only.
B. Two certificates for the gateway and two for the acquirers.
C. Two certificates for each acquirer.
D. Two certificates for the gateway and two for each acquirer.
9. Which one of the following is a KEY responsibility for the "Custodian of Data"?
A. Data content and backup
B. Integrity and security of data
C. Authentication of user access
D. Classification of data elements
10. When conducting a risk assessment, which one of the following is NOT an acceptable social
engineering practice?
A. Shoulder surfing
B. Misrepresentation
C. Subversion
D. Dumpster diving
11. Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP)
addresses/names with the intent of diverting traffic?
A. Network aliasing
B. Domain Name System (DNS) poisoning
C. Reverse Address Resolution Protocol (ARP)
D. Port scanning
12. Which one of the following is an example of electronic piggybacking?
A. Attaching to a communications line and substituting data.
B. Abruptly terminating a dial-up or direct-connect session.
C. Following an authorized user into the computer room.
D. Recording and playing back computer transactions.
13. Which one of the following operations of a secure communication session cannot be protected?
A. Session initialization
B. Session support
C. Session termination
D. Session control
14. What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Authentication
Dial-In User Service, Terminal Access Controller Access Control System) to authenticate dial-in users?
A. Single user logons are easier to manage and audit.
B. Each session has a unique (one-time) password assigned to it.
C. Audit and access information are not kept on the access server.
D. Call-back is very difficult to defeat.
15. In which way does a Secure Socket Layer (SSL) server prevent a "man-in-the-middle" attack?
A. It uses signed certificates to authenticate the server's public key.
B. A 128 bit value is used during the handshake protocol that is unique to the connection.
C. It uses only 40 bits of secret key within a 128 bit key length.
D. Every message sent by the SSL includes a sequence number within the message contents.
16. The intent of least privilege is to enforce the most restrictive user rights required __
A. To execute system processes.
B. By their job description.
C. To execute authorized tasks.
D. By their security role.
17. Which one of the following is a characteristic of a penetration testing project?
A. The project is open-ended until all known vulnerabilities are identified.
B. The project schedule is plotted to produce a critical path.
C. The project tasks are to break into a targeted system.
D. The project plan is reviewed with the target audience.
18. The MAIN reason for deploying closed-circuit television (CCTV) as part of your physical security
program is to ____
A. Provide hard evidence for criminal prosecution.
B. Apprehend criminals.
C. Deter criminal activity.
D. Increase guard visibility.
19. Which one of the following tests determines whether the content of data within an application
program falls within predetermined limits?
A. Parity check
B. Reasonableness check
C. Mathematical accuracy check
D. Check digit verification
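Added example for question 19 (not part of the original exam): the four application data checks named in the options, implemented side by side and run over a constructed input record so the difference between them is visible. A reasonableness check tests that content falls within predetermined limits; parity detects bit corruption; a mathematical accuracy check recomputes a total; a check digit (Luhn here, as on payment card numbers) validates an identifier's own structure. The record values and the 80-hour limit are assumptions for the example.

```python
# Added example (not from the original exam): the four application-level
# data checks from question 19, applied to a constructed input record.


def parity_check(value: int, parity_bit: int) -> bool:
    """Even-parity check: data bits plus the stored parity bit must contain
    an even number of 1s. Detects any single-bit corruption, nothing about
    whether the value makes sense."""
    ones = bin(value).count("1") + parity_bit
    return ones % 2 == 0


def reasonableness_check(value, low, high) -> bool:
    """Content must fall within predetermined limits (e.g. hours per week)."""
    return low <= value <= high


def mathematical_accuracy_check(line_items, reported_total) -> bool:
    """The total recomputed from the line items must equal the reported total."""
    return sum(line_items) == reported_total


def luhn_check_digit(number: str) -> bool:
    """Check-digit verification using the Luhn algorithm."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed sample record; money is in cents to avoid float rounding.
SAMPLE_RECORD = {
    "hours_worked": 400,                  # impossible for one week
    "line_items_cents": [1050, 2025, 500],
    "reported_total_cents": 3575,
    "card_number": "4111111111111111",    # well-known test number, valid Luhn
    "status_byte": 0b1011,
    "status_parity": 1,                   # three 1 bits + parity 1 = even
}


def validate_record(record, max_hours=80) -> list:
    """Run every check and return the names of those that failed."""
    failures = []
    if not parity_check(record["status_byte"], record["status_parity"]):
        failures.append("parity")
    if not reasonableness_check(record["hours_worked"], 0, max_hours):
        failures.append("reasonableness")
    if not mathematical_accuracy_check(record["line_items_cents"],
                                       record["reported_total_cents"]):
        failures.append("mathematical_accuracy")
    if not luhn_check_digit(record["card_number"]):
        failures.append("check_digit")
    return failures


if __name__ == "__main__":
    print("failed checks:", validate_record(SAMPLE_RECORD))
```

Only the reasonableness check fails on the sample record: the parity, total and card number are all internally consistent, which is exactly why none of the other three checks can catch a value that is well-formed but implausible.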
20. In addition to providing an audit trail required by auditors, logging can be used to __
A. provide backout and recovery information
B. prevent security violations
C. provide system performance statistics
D. identify fields changed on master files.
21. In which one of the following documents is the assignment of individual roles and responsibilities
MOST appropriately defined?
A. Security policy
B. Enforcement guidelines
C. Acceptable use policy
D. Program manual
22. What is the basis for the Rivest-Shamir-Adleman (RSA) algorithm scheme?
A. Permutations
B. Work factor
C. Factorability
D. Reversibility
23. Who is the individual permitted to add users or install trusted programs?
A. Database Administrator
B. Computer Manager
C. Security Administrator
D. Operations Manager
24. Which of the following are objectives of an information systems security program?
A. Threats, vulnerabilities, and risks
B. Security, information value, and threats
C. Integrity, confidentiality, and availability.
D. Authenticity, vulnerabilities, and costs.
25. After law enforcement is informed of a computer crime, the organization's investigators' constraints
are ____
A. removed.
B. reduced.
C. increased.
D. unchanged.