The DES algorithm is an example of what type of cryptography?
Correct Answer: A
Section: Cryptography Explanation/Reference: DES is also known as a Symmetric Key or Secret Key algorithm. DES is a Symmetric Key algorithm, meaning the same key is used for encryption and decryption. For the exam remember that: DES key Sequence is 8 Bytes or 64 bits (8 x 8 = 64 bits) DES has an Effective key length of only 56 Bits. 8 of the Bits are used for parity purpose only. DES has a total key length of 64 Bits. The following answers are incorrect: Two-key This is incorrect because DES uses the same key for encryption and decryption. Asymmetric Key This is incorrect because DES is a Symmetric Key algorithm using the same key for encryption and decryption and an Asymmetric Key algorithm uses both a Public Key and a Private Key. Public Key. This is incorrect because Public Key or algorithm Asymmetric Key does not use the same key is used for encryption and decryption. References used for this question: http://en.wikipedia.org/wiki/Data_Encryption_Standard
Question 72
Which of the following is NOT a technique used to perform a penetration test?
Correct Answer: A
Section: Access Control Explanation Explanation/Reference: Traffic padding is a countermeasure to traffic analysis. Even if perfect cryptographic routines are used, the attacker can gain knowledge of the amount of traffic that was generated. The attacker might not know what Alice and Bob were talking about, but can know that they were talking and how much they talked. In certain circumstances this can be very bad. Consider for example when a military is organising a secret attack against another nation: it may suffice to alert the other nation for them to know merely that there is a lot of secret activity going on. As another example, when encrypting Voice Over IP streams that use variable bit rate encoding, the number of bits per unit of time is not obscured, and this can be exploited to guess spoken phrases. Padding messages is a way to make it harder to do traffic analysis. Normally, a number of random bits are appended to the end of the message with an indication at the end how much this random data is. The randomness should have a minimum value of 0, a maximum number of N and an even distribution between the two extremes. Note, that increasing 0 does not help, only increasing N helps, though that also means that a lower percentage of the channel will be used to transmit real data. Also note, that since the cryptographic routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a sporadic manner. The other answers are all techniques used to do Penetration Testing. References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 233, 238. and https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis
Question 73
Which of the following is not a form of passive attack?
Correct Answer: B
Explanation/Reference: Data diddling involves alteration of existing data and is extremely common. It is one of the easiest types of crimes to prevent by using access and accounting controls, supervision, auditing, separation of duties, and authorization limits. It is a form of active attack. All other choices are examples of passive attacks, only affecting confidentiality. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 10: Law, Investigation, and Ethics (page 645).
Question 74
What can be defined as an event that could cause harm to the information systems?
Correct Answer: B
Explanation/Reference: A threat is an event or activity that has the potential to cause harm to the information systems. A risk is the probability that a threat will materialize. A vulnerability, or weakness, is a lack of a safeguard, which may be exploited by a threat, causing harm to the information systems. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 1: Access Control Systems (page 32).
Question 75
Which communication method is characterized by very high speed transmission rates that are governed by electronic clock timing signals?
Correct Answer: B
Section: Network and Telecommunications Explanation/Reference: Synchronous Communication is characterized by very high speed transmission rates that are governed by electronic clock timing signals. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100