
cissp - certified information systems security professional study guide, 4th ed.


DOCUMENT INFORMATION

Basic information

Title: CISSP - Certified Information Systems Security Professional Study Guide, 4th Edition
Authors: James Michael Stewart, Ed Tittel, Mike Chapple
Institution: Wiley Publishing, Inc.
Field: Information Security
Type: Study Guide
Year published: 2008
Format:
Pages: 894
Size: 12.34 MB


Content


Wiley Publishing, Inc.

76884ffirs.fm Page ii Wednesday, May 21, 2008 10:51 PM


Acquisitions Editor: Jeff Kellum

Development Editor: Allegro Editorial Services

Technical Editor: Michael Gregg

Production Editor: Rachel McConlogue

Copy Editor: Kim Wimpsett

Production Manager: Tim Tate

Vice President and Executive Group Publisher: Richard Swadley

Vice President and Executive Publisher: Joseph B Wikert

Vice President and Publisher: Neil Edde

Media Associate Project Manager: Laura Moss-Hollister

Media Assistant Producer: Kit Malone

Media Quality Assurance: Josh Frank

Book Designers: Judy Fung and Bill Gibson

Compositor: Craig J Woods, Happenstance Type-O-Rama

Proofreaders: Sondra Schneider and Nancy Bell

Indexer: Jack Lewis

Cover Designer: Ryan Sneed

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data is available from the publisher.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISSP is a registered trademark of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


Dear Reader,

Thank you for choosing CISSP: Certified Information Systems Security Professional Study Guide. This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com, or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President & Publisher
Sybex, an imprint of Wiley


To Cathy, whenever there is trouble, just remember “Some beach, somewhere….”

—James Michael Stewart

To my family: Renee, Richard, Matthew, and Christopher, who lovingly put up with me during the hours I spent buried in my laptop writing this book.

—Mike Chapple


I hope our efforts to improve this study guide will lend themselves handily to your understanding and comprehension of the wide berth of CISSP concepts. I’d like to express my thanks to Sybex for continuing to support this project. Thanks to Ed Tittel and Mike Chapple for continuing to contribute to this project. Also thanks to all my CISSP course students who have provided their insight and input to improve my training courseware and ultimately this tome.

To my wonderful wife, Cathy, our life together is just getting started. To my son, Xzavier Slayde, may you grow to be more than we could imagine. To my parents, Dave and Sue, thanks for your love and consistent support. To Mark, as best friends go, it could’ve been worse. And finally, as always, to Elvis—all hail the King!

—James Michael Stewart

Thanks to both Michael Stewart and Mike Chapple for keeping me involved in this interesting project. I’m glad Michael has had the opportunity to keep teaching CISSP courses and provide us all with a lifeline to the hard-working professionals in the trenches for whom this credential can mean so much. Congrats also to Michael on the latest addition to his family; my son, Gregory, just turned four and it seems like only last month we brought him home from the hospital. May the months and years slip by as pleasantly and painlessly for you as they have for us. Next, thanks to the folks at Sybex, especially Jeff Kellum for rounding us all up and keeping us headed in the same direction and for his excellent view of where we need to take this book. Finally, I’d like to thank my loving and lovely wife, Dina, for putting up with me and for making our lives together both comfortable and interesting.

—Ed Tittel

Special thanks go to the information security team at the University of Notre Dame. Gary Dobbins, Bob Winding, David Seidl, and Robert Riley provided hours of interesting conversation and debate on security issues that inspired and informed much of the material in this book.

I would like to thank Jeff Kellum, our editor at Wiley, and the people at Allegro Editorial Services, who provided invaluable assistance throughout the book development process. I also owe a debt of gratitude to my literary agent, Carole Jelen of Waterside Productions. My coauthors, Ed Tittel and James Michael Stewart, have worked with me ever since we published the first edition of this book together five years ago. I’d also like to thank the many people who participated in the production of this book but whom I never had the chance to meet: the graphics team, the production staff, and all of those involved in bringing this book to press.

—Mike Chapple


About the Authors

a current focus on security. He has taught dozens of CISSP training courses, not to mention numerous sessions on Windows security and the Certified Ethical Hacker certification. He is the author of several books and courseware sets on security certification, Microsoft topics, and network administration. More information about Michael can be found at his website: www.impactonline.com.

information security, markup languages, and networking technologies. He is a regular contributor to numerous TechTarget websites; teaches online security and technology courses for companies including HP, Sony, and Motorola; and writes regularly for Tom’s Hardware. Ed’s professional bio and other information are available at www.edtittel.com.

In the past, he was chief information officer of Brand Institute and an information security researcher with the National Security Agency and the U.S. Air Force. His primary areas of expertise include network intrusion detection and access controls. Mike is a frequent contributor to TechTarget’s SearchSecurity site, a technical editor for Information Security magazine, and the author of several information security titles including The GSEC Prep Guide from Wiley and Information Security Illuminated from Jones and Bartlett Publishers.


Contents at a Glance

Passwords 10
Biometrics 13
Tokens 18
Tickets 20
Monitoring 46

76884.book Page xi Tuesday, May 20, 2008 10:47 AM

Network and Protocol
Transparency 154
Confidentiality 180
Integrity 181
Availability 183
Layering 187
Abstraction 188
Policies, Standards, Baselines, Guidelines, and Procedures 214
ODBC 257
Aggregation 257
Sources 294
Viruses 295
SHA 381
MD2 382
MD4 382
MD5 383
HMAC 385
Techniques for Ensuring Confidentiality,
Controls 464
ITSEC Classes and Required Assurance and Functionality 471
Attacks Based on Design or Coding Flaws and
Programming 482
Timing, State Changes, and Communication Disconnects 482
Need to Know and the Principle of Least Privilege 500
Collusion 546
Sabotage 547
Espionage 548
Maintenance 581
Testing 581
Summary 582
Utilities 616
Visibility 695
Accessibility 695
Lighting 698

76884flast.fm Page xxvi Thursday, May 22, 2008 10:26 AM


Introduction

The CISSP: Certified Information Systems Security Professional Study Guide, 4th Edition, offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. By purchasing this book, you’ve shown a willingness to learn and a desire to develop the skills you need to achieve this certification. This introduction provides you with a basic overview of this book and the CISSP exam.

This book is designed for readers and students who want to study for the CISSP certification exam. If your goal is to become a certified security professional, then the CISSP certification and this study guide are for you. The purpose of this book is to adequately prepare you to take the CISSP exam.

Before you dive into this book, you need to have accomplished a few tasks on your own. You need to have a general understanding of IT and of security. You should have the necessary five years of experience (or four years if you have a college degree) in one of the 10 domains covered by the CISSP exam. If you are qualified to take the CISSP exam according to (ISC)2, then you are sufficiently prepared to use this book to study for the CISSP exam. For more information on (ISC)2, see the next section.

(ISC)2

The CISSP exam is governed by the International Information Systems Security Certification Consortium (ISC)2 organization. (ISC)2 is a global not-for-profit organization. It has four primary mission goals:

- Maintain the Common Body of Knowledge (CBK) for the field of information systems security

- Provide certification for information systems security professionals and practitioners

- Conduct certification training and administer the certification exams

- Oversee the ongoing accreditation of qualified certification candidates through continued education

The (ISC)2 is operated by a board of directors elected from the ranks of its certified practitioners. You can obtain more information about (ISC)2 from its website at www.isc2.org.

CISSP and SSCP

(ISC)2 supports and provides two primary certifications: CISSP and SSCP. These certifications are designed to verify the knowledge and skills of IT security professionals across all industries. The Certified Information Systems Security Professional credential is for security professionals responsible for designing and maintaining security infrastructure within an organization. The System Security Certified Practitioner (SSCP) is a credential for security professionals responsible for implementing or operating a security infrastructure in an organization.


The CISSP certification covers material from the 10 CBK domains:

- Access Control

- Telecommunications and Network Security

- Information Security and Risk Management

- Application Security

- Security Architecture and Design

- Operations Security

- Business Continuity and Disaster Recovery Planning

- Legal, Regulations, Compliance, and Investigations

- Physical (Environmental) Security

The SSCP certification covers material from seven CBK domains:

- Risk, Response, and Recovery

The content for the CISSP and SSCP domains overlap significantly, but the focus is different for each set of domains. The CISSP focuses on theory and design, whereas the SSCP focuses more on implementation and best practices. This book focuses only on the domains for the CISSP exam.

Prequalifications

(ISC)2 has defined several qualification requirements you must meet to become a CISSP. First, you must be a practicing security professional with at least five years’ experience or with four years’ experience and a recent IT or IS degree. Professional experience is defined as security work performed for salary or commission within one or more of the 10 CBK domains.

Second, you must agree to adhere to a formal code of ethics. The CISSP Code of Ethics is a set of guidelines the (ISC)2 wants all CISSP candidates to follow to maintain professionalism in the field of information systems security. You can find it in the Information section on the (ISC)2 website at www.isc2.org.

(ISC)2 also offers an entry program known as an Associate of (ISC)2. This program allows someone without any or enough experience to qualify as a CISSP to take the CISSP exam anyway and then obtain experience afterward. Associates are granted six years to obtain five years of security experience. Only after providing proof of such experience, usually by means of endorsement and a résumé, does (ISC)2 award the individual the CISSP certification.


To sign up for the CISSP exam, visit the (ISC)2 website, and follow the instructions listed there for registering to take the CISSP exam (the link reads “Register Now for CISSP Certification Exams”). You’ll provide your contact information, payment details, and security-related professional experience. You’ll also select one of the available time and location settings for the exam. Once (ISC)2 approves your application to take the exam, you’ll receive a confirmation email with all the details you’ll need to find the testing center and take the exam.

Overview of the CISSP Exam

The CISSP exam consists of 250 questions, and you have 6 hours to complete it. The exam is still administered using a paper booklet and answer sheet. This means you’ll be using a pencil to fill in answer bubbles.

The CISSP exam focuses on security from a 30,000-foot view; it deals more with theory and concept than implementation and procedure. It is very broad but not very deep. To successfully complete this exam, you’ll need to be familiar with every domain in the CBK but not necessarily be a master of each domain.

You’ll need to register for the exam through the (ISC)2 website at www.isc2.org. (ISC)2 administers the exam itself. In most cases, the exams are held in large conference rooms at hotels. Existing CISSP holders are recruited to serve as proctors or administrators for these exams. Be sure to arrive at the testing center around 8 a.m., and keep in mind that absolutely no one will be admitted into the exam after 8:30 a.m. Once all test takers are signed in and seated, the exam proctors will pass out the testing materials and read a few pages of instructions. This may take 30 minutes or more. Once that process is finished, the 6-hour window for taking the test will begin.

CISSP Exam Question Types

Every question on the CISSP exam is a four-option, multiple-choice question with a single correct answer. Some are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some questions present you with a scenario or situation and ask you to select the best response. Here’s an example:

1. What is the most important goal and top priority of a security solution?

By the way, the correct answer for this question is C. Protecting human safety is always your first priority.

Advice on Taking the Exam

The CISSP exam consists of two key elements. First, you need to know the material from the 10 CBK domains. Second, you must have good test-taking skills. With 6 hours to complete a 250-question exam, you have just less than 90 seconds for each question. Thus, it is important to work quickly, without rushing but also without wasting time.

One key factor to remember is that guessing is better than not answering a question. If you don’t answer a question, you will not get any credit. But if you guess, you have at least a 25 percent chance of improving your score. Wrong answers are not counted against you. So, near the end of the sixth hour, be sure an answer is selected for every line on the answer sheet. You can write on the test booklet, but nothing written on it will count for or against your score. Use the booklet to make notes and keep track of your progress. We recommend circling each answer you select before you mark it on your answer sheet.

To maximize your test-taking activities, here are some general guidelines:

- Answer easy questions first.

- Skip harder questions, and return to them later. Consider creating a column on the front cover of your testing booklet to keep track of skipped questions.

- Eliminate wrong answers before selecting the correct one.

- Watch for double negatives.

- Be sure you understand what the question is asking.

Manage your time. You should try to complete about 50 questions per hour. This will leave you with about an hour to focus on skipped questions and double-check your work.

Be very careful to mark your answers on the correct question number on the answer sheet. The most common cause of failure is making a transference mistake from the test booklet to the answer sheet.

Be sure to bring food and drink to the test site. You will not be allowed to leave to obtain sustenance. Your food and drink will be stored against one wall of the testing room. You can eat and drink at any time, but only against that wall. Be sure to bring any medications or other essential items, but leave all things electronic at home or in your car. Wear a watch, but make sure it is not a programmable one. Bring pencils, a manual sharpener, and an eraser.

If English is not your first language, you can register for one of several other language versions of the exam. Or, if you choose to use the English version of the exam, a translation dictionary is allowed. You must be able to prove that you need such a dictionary; this is usually accomplished with your birth certificate or your passport.


Study and Exam Preparation Tips

We recommend planning for a month or so of nightly intensive study for the CISSP exam. Here are some suggestions to maximize your learning time; you can modify them as necessary based on your own learning habits:

- Take one or two evenings to read each chapter in this book and work through its review material.

- Take all the practice exams provided in the book and on the CD. Complete the written labs from each chapter, and use its self-assessment questions to help guide you to topics where more study or time spent working through key concepts and strategies might be beneficial.

- Review the (ISC)2’s study guide from www.isc2.org.

- Use the flashcards found on the CD to reinforce your understanding of concepts.

We recommend spending about half of your study time reading and reviewing concepts and the other half taking practice exams Students have reported that the more time they spent taking practice exams, the better they retained test topics.

You might also consider visiting resources such as www.cccure.org, www.cissp.com, and other CISSP-focused websites.

Completing the Certification Process

Once you have been informed that you successfully passed the CISSP certification, there is one final step before you are actually awarded the CISSP certification. That final step is known as endorsement. Basically, this involves getting someone familiar with your work history to sign and submit an endorsement form on your behalf. The endorsement form is sent to you as an attachment to the email notifying you of your achievement in passing the exam. Simply send the form to a CISSP in good standing along with your résumé. The endorser must review your résumé, ensure that you have sufficient experience in the 10 CISSP domains, and then submit the signed form to (ISC)2 via fax or post mail. You must have submitted the endorsement files to (ISC)2 within 90 days after receiving the confirmation of passing email. Once (ISC)2 receives your endorsement form, the certification process will be completed and you will be sent a welcome packet via post mail.

If you happen to fail the exam, you may take the exam a second time as soon as you can find another open slot in a testing location. However, you will need to pay full price for your second attempt. In the unlikely case you need to test a third time, (ISC)2 requires that you wait 6 months before testing the third time.


Post-CISSP Concentrations

(ISC)2 has added three concentrations to its certification lineup. These concentrations are offered only to CISSP certificate holders. The (ISC)2 has taken the concepts introduced on the CISSP exam and focused on specific areas, namely, architecture, management, and engineering. These three concentrations are as follows:

- Information Systems Security Architecture Professional (ISSAP): Aimed at those who specialize in information security architecture. Key domains covered here include access control systems and methodology; cryptography; physical security integration; requirements analysis and security standards, guidelines, and criteria; technology-related aspects of business continuity planning and disaster recovery planning; and telecommunications and network security. This is a credential for those who design security systems or infrastructure or for those who audit and analyze such structures.

- Information Systems Security Management Professional (ISSMP): Aimed at those who focus on management of information security policies, practices, principles, and procedures. Key domains covered here include enterprise security management practices; enterprise-wide system development security; law, investigations, forensics, and ethics; oversight for operations security compliance; and understanding business continuity planning, disaster recovery planning, and continuity of operations planning. This is a credential for those professionals who are responsible for security infrastructures, particularly where mandated compliance comes into the picture.

- Information Systems Security Engineering Professional (ISSEP): Aimed at those who focus on the design and engineering of secure hardware and software information systems, components, or applications. Key domains covered include certification and accreditation, systems security engineering, technical management, and U.S. government information assurance rules and regulations. Most ISSEPs work for the U.S. government or for a government contractor that manages government security clearances.

For more details about these concentration exams and certifications, please see the (ISC)2 website at www.isc2.org.

Notes on This Book’s Organization

This book is designed to cover each of the 10 CISSP Common Body of Knowledge domains in sufficient depth to provide you with a clear understanding of the material. The main body of this book comprises 19 chapters. The first nine domains are each covered by two chapters, and the final domain (Physical Security) is covered in Chapter 19. The domain/chapter breakdown is as follows:


Chapter 19 Physical (Environmental) Security

Each chapter includes elements to help you focus your studies and test your knowledge, detailed in the following sections.

The Elements of This Study Guide

You’ll see many recurring elements as you read through this study guide. Here’s a description of some of those elements:

Key Terms and Glossary: In every chapter, we’ve identified key terms, which are important for you to know. You’ll also find these key terms and their definitions in the glossary.

Summaries: The summary is a brief review of the chapter to sum up what was covered.

Exam Essentials: The Exam Essentials highlight topics that could appear on one or both of the exams in some form. While we obviously do not know exactly what will be included in a particular exam, this section reinforces significant concepts that are key to understanding the body of knowledge area and the test specs for the CISSP exam.

Chapter Review Questions: Each chapter includes practice questions that have been designed to measure your knowledge of key ideas that were discussed in the chapter. After you finish each chapter, answer the questions; if some of your answers are incorrect, it’s an indication that you need to spend some more time studying that topic. The answers to the practice questions can be found at the end of the chapter.

Written Labs: Each chapter includes written labs that synthesize various concepts and topics that appear in the chapter. These raise questions that are designed to help you put together various pieces you’ve encountered individually in the chapter and assemble them to propose or describe potential security strategies or solutions.

Real World Scenarios: As you work through each chapter, you’ll find at least two descriptions of typical and plausible workplace situations where an understanding of the security strategies and approaches relevant to the chapter content could play a role in fixing problems or in fending off potential difficulties. This gives readers a chance to see how specific security policies, guidelines, or practices should or may be applied to the workplace.

What’s on the CD?

We worked really hard to provide some essential tools to help you with your certification process. All of the following gear should be loaded on your workstation when studying for the test.

The Sybex Test Preparation Software

The test preparation software, made by experts at Sybex, prepares you for the CISSP exam. In this test engine, you will find all the review and assessment questions from the book, plus five additional bonus exams that appear exclusively on the CD. You can take the assessment test, test yourself by chapter, take the practice exams, or take a randomly generated exam comprising all the questions.

Electronic Flashcards for PCs and Palm Devices

Sybex’s electronic flashcards include hundreds of questions designed to challenge you further for the CISSP exam. Between the review questions, practice exams, and flashcards, you’ll have more than enough practice for the exam!

CISSP Study Guide in PDF

Sybex offers the CISSP Study Guide in PDF format on the CD so you can read the book on your PC or laptop. So if you travel and don’t want to carry a book, or if you just like to read from the computer screen, Adobe Acrobat is also included on the CD.

Bonus Exams

Sybex includes bonus exams on the CD, each comprised of questions meant to survey your understanding of key elements in the CISSP CBK.

How to Use This Book and CD

This book has a number of features designed to guide your study efforts for the CISSP certification exam. It assists you by listing the CISSP body of knowledge at the beginning of each chapter and by ensuring that each topic is fully discussed within the chapter. The practice questions at the end of each chapter and the practice exams on the CD are designed to test your retention of the material you’ve read to make sure you are aware of areas in which you should spend additional study time. Here are some suggestions for using this book and CD:

- Take the assessment test before you start reading the material. This will give you an idea of the areas in which you need to spend additional study time, as well as those areas in which you may just need a brief refresher.

- Answer the review questions after you’ve read each chapter; if you answer any incorrectly, go back to the chapter and review the topic, or utilize one of the additional resources if you need more information.

- Download the flashcards to your handheld device, and review them when you have a few minutes during the day.

- Take every opportunity to test yourself. In addition to the assessment test and review questions, there are bonus exams on the CD. Take these exams without referring to the chapters and see how well you’ve done—go back and review any topics you’ve missed until you fully understand and can apply the concepts.

Finally, find a study partner if possible. Studying for, and taking, the exam with someone else will make the process more enjoyable, and you’ll have someone to help you understand topics that are difficult for you. You’ll also be able to reinforce your own knowledge by helping your study partner in areas where they are weak.


A. Difficult to guess or unpredictable

B. Meet minimum length requirements

C. Meet specific complexity requirements

D. All of the above

3. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS

B. Network-based IDS

C. Vulnerability scanner

D. Penetration testing

4. Which of the following is considered a denial-of-service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password

B. While surfing the Web, sending to a web server a malformed URL that causes the system to use 100 percent of the CPU to process an endless loop

C. Intercepting network traffic by copying the packets as they pass through a specific subnet

D. Sending message packets to a recipient who did not request them simply to be annoying

5. At which layer of the OSI model does a router operate?


7. A VPN can be established over which of the following?

A. Wireless LAN connection

B. Remote access dial-up connection

C. WAN link

D. All of the above

8. Email is the most common delivery vehicle for which of the following?

A. Viruses

B. Worms

C. Malicious code

D. All of the above

9. The CIA Triad is comprised of what elements?

A. Contiguousness, interoperable, arranged

B. Authentication, authorization, accountability

C. Capable, available, integral

D. Availability, confidentiality, integrity

10. Which of the following is not a required component in the support of accountability?

B. Restricted job responsibilities

C. Group user accounts


13. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process?

D. Distributed denial of service

17. What is the value of the logical operation shown here?

X: 0 1 1 0 1 0
Y: 0 0 1 1 0 1

Posted: 25/03/2014, 11:10
