WGU CISSP
Signature Detection Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What is the most commonly used technique to protect against virus attacks? A Signature detection B Automated reconstruction C Data integrity assurance D Heuristic detection
Backdoor Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Application Attacks
Ben's system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in? A Escalation of privilege B Back door C Rootkit D Buffer overflow
Buffer Overflow Buffer overflow attacks allow an attacker to modify the contents of a system's memory by writing beyond the space allocated for a variable. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Application Attacks
What type of application vulnerability most directly allows an attacker to modify the contents of a system's memory? A TOC/TOU B Back door C Rootkit D Buffer overflow
Reflected Input The answer key treats reflected input (user-supplied data echoed back into the page) as the condition a cross-site scripting attack requires. Practitioners should note that stored and DOM-based XSS do not depend on reflection; what every XSS variant needs is untrusted data reaching the rendered page without proper encoding. Domain 8: Software Development Security 8.5 Define and apply secure coding guidelines and standards Web App Security
What condition is necessary on a web page for it to be used in a cross-site scripting attack? A .NET technology B Database-driven content C Reflected input D CGI scripts
Stuxnet Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What worm was the first to cause major physical damage to a facility? A Melissa B RTM C Stuxnet D Code Red
DMZ (demilitarized zone) The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Web App Security
You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use? A Intranet B Sandbox C Internet D DMZ
fsas3alG Except option C, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backward, and dayorange combines two dictionary words. Crack and other utilities can easily see through these "sneaky" techniques. Option C is simply a random string of characters that a dictionary attack would not uncover. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Password Attacks
Which one of the following passwords is least likely to be compromised during a dictionary attack? A elppa B dayorange C fsas3alG D mike
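The "sneaky" techniques the explanation mentions (reversing a word, joining two words) are exactly the mangling rules a cracker applies to its wordlist. The Python below is an added example, not code from the original page or from Crack: it hashes the four answer options with SHA-256 and runs a dictionary attack with those two rules over a constructed six-word list. Only the random string survives.

```python
import hashlib

# Constructed wordlist standing in for a real dictionary file (assumption).
WORDLIST = ["apple", "orange", "day", "mike", "password", "secret"]


def mangle(words):
    """Yield candidates the way a cracker such as Crack does:
    each word as-is, each word reversed, then every pair of words joined."""
    for w in words:
        yield w
        yield w[::-1]
    for a in words:
        for b in words:
            yield a + b


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def dictionary_attack(target_hash: str, words=WORDLIST):
    """Return the recovered plaintext, or None if no candidate matched."""
    for cand in mangle(words):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


def crack_all(passwords):
    """Map each password to the value the attack recovers (None = survived)."""
    return {p: dictionary_attack(sha256_hex(p)) for p in passwords}


if __name__ == "__main__":
    for pw, found in crack_all(["elppa", "dayorange", "fsas3alG", "mike"]).items():
        print(f"{pw:10s} -> {found}")
```

With a real wordlist and rule set the search space is far larger, but the lesson is the same: transformations of dictionary words are still dictionary words to the attacker.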
Salting Salting passwords adds a random value to the password prior to hashing, making it impractical to construct a rainbow table of all possible values. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Password Attacks
What technique may be used to limit the effectiveness of rainbow table attacks? A Salting B Hashing C Transport encryption D Digital signatures
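To make the rainbow-table point concrete, the following added Python example (not from the original page) builds a tiny precomputed hash-to-plaintext table over a constructed candidate list, shows that it immediately reverses an unsalted SHA-256 hash, and then shows that the same password stored with a per-user random salt through PBKDF2-HMAC-SHA256 cannot be looked up and hashes differently for every user. The candidate list, iteration count and 16-byte salt length are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the attacker's precomputation (assumption).
CANDIDATES = ["password", "letmein", "apple", "dayorange", "fsas3alG"]


def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def build_rainbow_table(candidates=CANDIDATES) -> dict:
    """Precompute hash -> plaintext once; reusable against every unsalted hash."""
    return {unsalted_hash(c): c for c in candidates}


def lookup(table: dict, hash_hex: str):
    """Reverse a hash with the table, or None if it was never precomputed."""
    return table.get(hash_hex)


def salted_hash(pw: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation, the work factor slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def store_password(pw: str) -> tuple:
    """Return (salt, hash) as it would be stored in the credential database."""
    salt = os.urandom(16)
    return salt, salted_hash(pw, salt)


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(salted_hash(pw, salt), stored)


if __name__ == "__main__":
    table = build_rainbow_table()
    print("unsalted apple ->", lookup(table, unsalted_hash("apple")))
    salt, stored = store_password("apple")
    print("salted apple   ->", lookup(table, stored.hex()))
    print("verify         ->", verify_password("apple", salt, stored))
```

Salting does not stop an attacker from guessing one user's password online or offline; it removes the ability to reuse one precomputed table against every account, and the slow key derivation raises the cost of each guess.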
Port Scan Port scans reveal the ports associated with services running on a machine and available to the public. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Reconnaissance Attacks
What type of reconnaissance attack provides attackers with useful information about the services running on a system? A Dumpster diving B Port scan C Session hijacking D IP sweep
LastPass LastPass is a password manager that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Password Attacks
Which one of the following tools provides a solution to the problem of users forgetting complex passwords? A Tripwire B Shadow password files C Crack D LastPass
Zero-Day Exploit While an advanced persistent threat (APT) may leverage any of these attacks, APTs are most closely associated with zero-day exploits. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
Which one of the following techniques is most closely associated with APT (Advanced Persistent Threat) attacks? A Social engineering B Zero-day exploit C SQL injection D Trojan horse
SCRIPT The <script> tag marks the beginning of executable client-side script; when an attacker can get it into reflected input, the browser runs the attacker's code, which is the basis of a cross-site scripting attack. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What HTML tag is often used as part of a cross-site scripting (XSS) attack? A H1 B SCRIPT C XSS D HEAD
The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Web App Security
What character should always be treated carefully when encountered as user input on a web form? A ' B ! C & D *
Polymorphism In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What advanced virus technique modifies the malicious code of a virus on each system it infects? A Encryption B Stealth C Polymorphism D Multipartitism
TOCTOU The time-of-check to time-of-use (TOCTOU) attack relies on the timing of two events: the attacker changes the state of a resource between the moment the system checks it and the moment the system uses it. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Application Attacks
Which one of the following types of attacks relies on the difference between the timing of two events? A Land B Fraggle C Smurf D TOCTOU
Multipartite Virus Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems? A Multipartite virus B Stealth virus C Companion virus D Polymorphic virus
Stored Procedures Developers of web applications should leverage database stored procedures to limit the application's ability to execute arbitrary SQL. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators. The protection comes from passing user input as parameters rather than as SQL text: a stored procedure that builds dynamic SQL by concatenating its parameters is still injectable. Domain 8: Software Development Security 8.5 Define and apply secure coding guidelines and standards Web App Security
What database technology, if implemented for web forms, can limit the potential for SQL injection attacks? A Triggers B Concurrency control C Column encryption D Stored procedures
Sandbox The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system. Domain 3: Security Architecture and Engineering 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements Malicious Code
What technology does the Java language use to minimize the threat posed by applets? A Confidentiality B Sandbox C Stealth D Encryption
Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed. Domain 3: Security Architecture and Engineering 3.6 Assess and mitigate vulnerabilities in web-based systems Masquerading Attacks
When designing firewall rules to prevent IP spoofing, which of the following principles should you follow? A Packets with external source IP addresses don't enter the network from the outside. B Packets with public IP addresses don't pass through the router in either direction. C Packets with internal source IP addresses don't exit the network from the inside. D Packets with internal source IP addresses don't enter the network from the outside.
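The rule in answer D is the ingress half of anti-spoofing filtering; its egress counterpart (drop outbound packets whose source is not one of your own addresses) keeps your network from being used to spoof others. The Python below is an added example, not from the original page, that encodes both rules as a border filter decision over a constructed internal address space (10.0.0.0/8 and 192.168.0.0/16 are assumptions for the example).

```python
import ipaddress

# Constructed internal address space for the example (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction: str, src: str, dst: str) -> str:
    """Return 'drop' or 'accept' for a packet crossing the border firewall.

    direction: 'inbound' = arriving on the external interface,
               'outbound' = leaving toward the Internet.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    if direction == "inbound" and is_internal(src):
        # Answer D: an internal source address cannot legitimately arrive
        # from outside, so the packet is spoofed.
        return "drop"
    if direction == "outbound" and not is_internal(src):
        # Egress filtering: our hosts have no business sending packets
        # that claim someone else's address.
        return "drop"
    return "accept"


if __name__ == "__main__":
    for pkt in [("inbound", "10.1.2.3", "203.0.113.5"),
                ("inbound", "198.51.100.7", "10.1.2.3"),
                ("outbound", "10.1.2.3", "198.51.100.7"),
                ("outbound", "198.51.100.7", "203.0.113.5")]:
        print(pkt, "->", filter_packet(*pkt))
```

Note that the check is on the source address only; the destination of an inbound packet will often be internal, which is normal. Private ranges and loopback arriving from outside should be dropped for the same reason.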
Input Validation Input validation prevents cross-site scripting attacks by limiting user input to a predefined range, which keeps an attacker from including the HTML <script> tag in the input. Encoding untrusted data when it is written into the page is the complementary control for input that must be accepted as free text. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Web App Security
What is the most effective defense against cross-site scripting attacks? A User authentication B Input validation C Limiting account privileges D Encryption
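The reflected-input, SCRIPT-tag and input-validation cards describe one attack and its defenses. The Python example below is added here and is not part of the original page: it reflects a username into a greeting page in two ways, shows that an allowlist validator rejects a `<script>` payload outright, and shows that HTML-encoding the value at output time neutralizes the same payload even when the field has to accept free text. The username pattern is an assumption for the example.

```python
import html
import re

# Allowlist for a username field: letters, digits, underscore, 3-20 chars (assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value: str) -> bool:
    """Input validation: accept only values matching the allowlist."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_unsafe(name: str) -> str:
    """Reflects the input verbatim into the page: a reflected XSS sink."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the
    browser renders the payload as text instead of executing it."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show whether a live <script> tag made it into the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("validator accepts payload:", validate_username(payload))
    print("unsafe page:", render_greeting_unsafe(payload))
    print("safe page  :", render_greeting_safe(payload))
```

Validation and encoding answer different questions: validation decides whether the value is acceptable at all, encoding makes an accepted value safe for the context it is written into. A deny-list that only strips the literal string "script" is not a substitute for either.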
Polyinstantiation Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Database and Data Warehousing
What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them? A Manipulation B Inference C Aggregation D Polyinstantiation
ODBC acts as a proxy between applications and the backend DBMS. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Database and Data Warehousing
Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers? A ODBC B DSS C Abstraction D SDLC
Isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Database and Data Warehousing
What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data? A Isolation B Durability C Atomicity D Consistency
Configuration Audit is part of the configuration management process rather than the change control process. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
Which one of the following is not part of the change management process? A Change control B Configuration audit C Release control D Request control
Aggregation In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Database and Data Warehousing
Richard believes that a database user is misusing his privileges to gain information about the company's overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of? A Aggregation B Polyinstantiation C Contamination D Inference
Gantt A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks? A PERT B Gantt C Venn D Bar
Static Testing In order to conduct a static test, the tester must have access to the underlying source code. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
In what type of software testing does the tester have access to the underlying source code? A Black-box testing B Cross-site scripting testing C Dynamic testing D Static testing
Prioritize Security over other requirements In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
Which one of the following is not a principle of Agile development? A Pay continuous attention to technical excellence. B Business people and developers work together. C Satisfy the customer through early and continuous delivery. D Prioritize security over other requirements.
Three The cardinality of a table refers to the number of rows in the table while the degree of a table is the number of columns. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Databases and Data Warehousing
Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table? A Thirty B Undefined C Two D Three
Content-dependent access control is focused on the internal data of each field. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Databases and Data Warehousing
What form of access control is concerned primarily with the data stored by a field? A Perturbation B Content-dependent C Context-dependent D Semantic integrity mechanisms
Waterfall The waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct defects discovered during the subsequent phase. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward? A Boyce-Codd B Waterfall C Spiral D Agile
Fail-Secure In a fail-secure state, the system remains at a high level of security until an administrator intervenes. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
What approach to failure management places the system in a high level of security? A Fail clear B Fail-secure C Fail mitigation D Fail-open
Input Validation Input validation ensures that the input provided by users matches the design parameters. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
Bob is developing a software application and has a field where users may enter a date. He wants to ensure that the values provided by the users are accurate dates to prevent security issues. What technique should Bob use? A Screening B Polyinstantiation C Input validation D Contamination
A series of "if/then" rules codified in a knowledge base Expert systems use a knowledge base consisting of a series of "if/then" statements to form decisions based on the previous experience of human experts. Domain 8: Software Development Security 8.4 Assess security impact of acquired software Understanding Knowledge-Based Systems
What type of information is used to form the basis of an expert system's decision-making process? A A series of weighted layered computations B Combined input from a number of human experts, weighted according to past performance C A series of "if/then" rules codified in a knowledge base D A biological decision-making process that simulates the reasoning process used by the human mind
Polyinstantiation Database developers use polyinstantiation, the creation of multiple records that seem to have the same primary key, to protect against inference attacks. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Databases and Data Warehousing
What database security technology involves creating two or more rows with seemingly identical primary keys that contain different data for users with different security clearances? A Polyinstantiation B Views C Aggregation D Cell suppression
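The two polyinstantiation cards (inference by absence, and rows with seemingly identical keys) can be seen together in a small multilevel table. The Python example below is added here and is not part of the original page; it uses an in-memory SQLite table whose constructed rows are a cargo manifest classified per row (an assumption for the example), with the logical key "ship" duplicated across levels and the real key being (ship, level). A user reads the highest-classified instance at or below their clearance, and a low-clearance user can insert a cover row for a ship that exists only at SECRET, which is exactly the insert that would fail, and thereby leak the key's existence, in a table without polyinstantiation.

```python
import sqlite3

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def setup_db() -> sqlite3.Connection:
    """Constructed polyinstantiated manifest (assumption). The real primary
    key is (ship, level); 'ship' alone is the key users believe they see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE manifest (
        ship TEXT, level INTEGER, cargo TEXT, PRIMARY KEY (ship, level))""")
    conn.executemany("INSERT INTO manifest VALUES (?, ?, ?)", [
        ("Adventure", 0, "grain"),         # cover story visible to everyone
        ("Adventure", 2, "missiles"),      # real cargo, SECRET
        ("Discovery", 2, "nuclear fuel"),  # SECRET only: no cover row yet
    ])
    return conn


def read_manifest(conn, clearance: str) -> dict:
    """ship -> cargo as seen at the given clearance: for each ship, the
    instance with the highest level not above the clearance."""
    rows = conn.execute("""
        SELECT m.ship, m.cargo FROM manifest m
        WHERE m.level = (SELECT MAX(level) FROM manifest
                         WHERE ship = m.ship AND level <= ?)""",
        (LEVELS[clearance],))
    return dict(rows.fetchall())


def insert_as(conn, clearance: str, ship: str, cargo: str) -> bool:
    """Insert a row at the user's own level. Returns False on a key clash.
    With polyinstantiation a low user inserting 'Discovery' succeeds even
    though a SECRET 'Discovery' row exists, so the clash cannot reveal it."""
    try:
        conn.execute("INSERT INTO manifest VALUES (?, ?, ?)",
                     (ship, LEVELS[clearance], cargo))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    conn = setup_db()
    print("UNCLASSIFIED sees:", read_manifest(conn, "UNCLASSIFIED"))
    print("SECRET sees      :", read_manifest(conn, "SECRET"))
    print("low insert ok    :", insert_as(conn, "UNCLASSIFIED", "Discovery", "ore"))
    print("UNCLASSIFIED sees:", read_manifest(conn, "UNCLASSIFIED"))
```

The price of polyinstantiation is that the database now holds deliberately inconsistent data about the same entity, which is why it is paired with mandatory access control rather than used as a general integrity technique.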
Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Databases and Data Warehousing
Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level? A Contamination B Polyinstantiation C Aggregation D Inference
Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship. Domain 8: Software Development Security 8.2 Identify and apply security controls in development environments Establishing Databases and Data Warehousing
Which one of the following key types is used to enforce referential integrity between database tables? A Primary key B Candidate key C Super key D Foreign key
In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process? (SW-CMM = Capability Maturity Model for Software) A Defined B Managed C Initial D Repeatable
Information Security The three elements of the DevOps model are software development, quality assurance, and IT operations. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
Which one of the following is not a component of the DevOps model? A IT operations B Information security C Software development D Quality assurance
Request Control The request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests. Domain 8: Software Development Security 8.1 Understand and integrate security in the Software Development Life Cycle (SDLC) Introducing Systems Development Controls
What portion of the change management process allows developers to prioritize tasks? A Release control B Change audit C Request control D Configuration control
B is the false statement: violations of confidentiality are not limited to direct intentional attacks. Unencrypted transmissions, management oversight, and human error all cause them. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Which of the following is not true? A Violations of confidentiality can occur when a transmission is not properly encrypted. B Violations of confidentiality are limited to direct intentional attacks. C Violations of confidentiality include management oversight. D Violations of confidentiality include human error.
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
What ensures that the subject of an activity or event cannot deny that the event occurred? A Hash totals B Nonrepudiation C Abstraction D CIA Triad
B Users should be aware that email messages are retained and phone conversations are recorded, but the backup mechanism used to perform these operations does not need to be disclosed to them. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
All but which of the following items requires awareness for all individuals affected? A Gathering information about surfing habits B The backup mechanism used to retain email messages C Restricting personal email D Recording phone conversations
Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Which of the following is not considered a violation of confidentiality? A Hardware destruction B Social engineering C Stealing passwords D Eavesdropping
SECRET Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
Which of the following is the lowest military data classification for classified data? A Private B Sensitive C Secret D Proprietary
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
_______________ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. A Seclusion B Concealment C Privacy D Criticality
Military (or government) and private sector (or commercial business) are the two common data classification schemes. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
What are the two common data classification schemes? A Personal and government B Military and private sector C Classified and unclassified D Private sector and unrestricted sector
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
What is the primary objective of data classification schemes? A To establish a transaction trail for auditing accountability B To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity C To control access to objects for authorized subjects D To manipulate access controls to provide for the most efficient means to grant or restrict functionality
The prevention of security compromises is the primary goal of change management. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
What is the primary goal of change management? A Preventing security compromises B Allowing rollback of failed changes C Keeping users informed of changes D Maintaining documentation
Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
Which of the following is typically not a characteristic considered when classifying data? A Value B Size of object C Useful lifetime D National security implications
Access Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _____________________ the data, objects, and resources. A Control B Audit C Access D Repudiate
Availability means that authorized subjects are granted timely and uninterrupted access to objects. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects? A Availability B Encryption C Layering D Identification
The commercial business/private sector data classification of private is used to protect information about individuals. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
Which commercial business/private sector data classification is used to control information about individuals within an organization? A Confidential B Private C Sensitive D Proprietary
Taking Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented. Domain 1: Security and Risk Management 1.2 Evaluate and apply security governance principles Evaluate and Apply Security Governance Principles
What element of data categorization management can override all other forms of access control? A Taking ownership B Custodian responsibilities C Physical access D Classification
Layering is a core aspect of security mechanisms, but it is not a focus of data classifications. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Data classifications are used to focus security controls over all but which of the following? A Processing B Layering C Transfer D Storage
Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Vulnerabilities and risks are evaluated based on their threats against which of the following? A Extent of liability B Due care C Data usefulness D One or more of the CIA Triad principles
Series Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Which of the following is the most important and distinctive concept in relation to layered security? A Filter B Parallel C Series D Multiple
Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Domain 1: Security and Risk Management 1.10 Understand and apply threat modeling concepts and methodologies Understand and Apply Threat Modeling Concepts and Methodologies
STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE? A Spoofing B Disclosure C Repudiation D Elevation of privilege
Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Understand and Apply Concepts of Confidentiality, Integrity, and Availability
Which of the following is not considered an example of data hiding? A Preventing an application from accessing hardware directly B Preventing an authorized reader of an object from deleting that object C Keeping a database from being accessed by unauthorized visitors D Restricting a subject at a lower classification level from accessing data at a higher classification level
The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad. Domain 1: Security and Risk Management 1.1 Understand and apply concepts of confidentiality, integrity and availability Security Governance Through Principles and Policies
Which of the following contains the primary goals and objectives of security? A A stand-alone system B The internet C A network's border perimeter D The CIA Triad
Preventive There is no such thing as a preventive alarm. Alarms are always triggered in response to a detected intrusion or attack. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
Which of the following is not a typical type of alarm that can be triggered for physical security? A Preventive B Notification C Repellant D Deterrent
Lighting Lighting is the most common form of perimeter security device or mechanism. Your entire site should be clearly lit. This provides for easy identification of personnel and makes it easier to notice intrusions. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
What is the most common form of perimeter security devices or mechanisms? A Security guards B Lighting C CCTV D Fences
Espionage No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following? A Abuse B Piggybacking C Espionage D Masquerading
A computer room does not need to be human compatible to be efficient and secure. Having a human-incompatible server room provides a greater level of protection against attacks. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
Which of the following does not need to be true in order to maintain the most efficient and secure server room? A It must include the use of nonwater fire suppressants. B It must be human compatible. C The temperature must be kept between 60 and 75 degrees Fahrenheit. D The humidity must be kept between 40 and 60 percent.
1,500 volts Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
At what voltage level can static electricity cause destruction of data stored on hard drives? A 1,500 B 4,000 C 17,000 D 40
40-60 Percent The humidity in a computer room should ideally be from 40 to 60 percent. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
What is the ideal humidity range for a computer room? A 20-40 percent B 40-60 percent C 60-75 percent D 80-95 percent
Physical Security Physical security is the most important aspect of overall security. Without physical security, none of the other aspects of security are sufficient. Domain 3: Security Architecture and Engineering 3.10 Apply security principles to site and facility design Apply Security Principles to Site and Facility Design
Which of the following is the most important aspect of security? A Awareness training B Physical security C Intrusion detection D Logical security
Capacitance A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object? A Wave B Capacitance C Heat D Photoelectric
Preaction System A preaction system is the best type of water-based fire suppression system for a computer facility. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
What is the best type of water-based fire suppression system for a computer facility? A Wet pipe system B Dry pipe system C Preaction system D Deluge system
Light Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression? A Suppression medium B Heat C Light D Smoke
Equal access to all locations within a facility Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it. Domain 3: Security Architecture and Engineering 3.10 Apply security principles to site and facility design Apply Security Principles to Site and Facility Design
Which of the following is not a security-focused design element of a facility or site? A Restricted access to areas with higher value or importance B Confidential assets located in the heart or center of a facility C Equal access to all locations within a facility D Separation of work and visitor areas
A mantrap is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication are verified. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication are verified? A Mantrap B Turnstile C Gate D Proximity detector
Key locks are the most common and inexpensive form of physical access control device. Lighting, security guards, and fences are all much more costly. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
What is the most common and inexpensive form of physical access control device? A Key locks B Security guard C Lighting D Fences
Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, while data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media? A Using sanitization tools on returned media B Employing a librarian or custodian C Using a check-in/check-out process D Hashing
People The most common cause of failure for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, the system will not protect you against the next fire. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
What is the most common cause of failure for a water-based fire suppression system? A Placement of detectors in drop ceilings B Ionization detectors C People D Water shortage
Water is never the suppression medium in Type B fire extinguishers because they are used on liquid fires. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
A Type B fire extinguisher may use all except which of the following suppression mediums? A CO2 B Water C Soda acid D Halon or an acceptable halon substitute
Critical path analysis can be used to map out the needs of an organization for a new facility. A critical path analysis is the process of identifying relationships between mission-critical applications, processes, and operations and all of the supporting elements. Domain 3: Security Architecture and Engineering 3.10 Apply security principles to site and facility design Apply Security Principles to Site and Facility Design
What method can be used to map out the needs of an organization for a new facility? A Risk analysis B Inventory C Log file audit D Critical path analysis
Human safety is the most important goal of all security solutions. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
What is the most important goal of all security solutions? A Prevention of disclosure B Maintaining integrity C Human safety D Sustaining availability
A wiring closet is the infrastructure component often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together. Domain 3: Security Architecture and Engineering 3.11 Implement site and facility security controls Implement Site and Facility Security Controls
What infrastructure component is often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together? A Datacenter B Media cabinets C Server room D Wiring closet
Security guards are usually unaware of the scope of the operations within a facility, which supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information. Domain 7: Security Operations 7.15 Implement and manage physical security Implement and Manage Physical Security
Which of the following is not a disadvantage of using security guards? A Prescreening, bonding, and training do not guarantee effective and reliable security guards. B Security guards are usually unaware of the scope of the operations within a facility. C Not all environments and facilities support security guards. D Not all security guards are themselves reliable.