CISSP官方習題集(中英對照)選擇題

CISSP英文真題2016中英對照版（僅選擇題）.WhichofthefollowingmethodsprotectsPersonallyIdentifiableInformation(PH)byuseofafullreplacementofthedataelement?以下哪一種方法通過全面替換數(shù)據元素來保護個人可識別信息(Pll,PersonalIdentifiableInformation)?A.TransparentDatabaseEncryption(TDE)透明數(shù)據庫加密(TDE,TransparentDataEncryption)B.Columnleveldatabaseencryption列級數(shù)據庫加密(Columnleveldatabaseencryption)C.Volumeencryption卷力口密(Volumesencryption)D.Datatokenization數(shù)據令牌化(Datatokenization)Answer:D.WhichofthefollowingelementsMUSTacompliantEU-USSafeHarborPrivacyPolicycontain?合規(guī)的歐盟和美國安全港(eu-usSafeharbor)隱私政策必須包含以下哪個要素？Anexplanatoryofhowlongthedatasubject'scollectedinformatonwillberetainedforandhowitwillbeeventuallydisposed.闡明所收集的數(shù)據主體其信息將保留多久以及最終將如何處置Anexplanatonofwhocanbecontactedattheorganizatoncollectngtheinformatonifcorrectonsarerequiredbythedatasubject.闡述如果數(shù)據主體要求更正信息時可與收集信息的機構中哪個人聯(lián)系Anexplanatonoftheregulatoryframeworksandcompliancestandardstheinformatoncollectngorganizatonadheresto.闡述收集信息的機構所遵循的監(jiān)管框架和合規(guī)性標準Anexplanatonofallthetechnologiesemployedbythecollectngorganizatoningatheringinformatononthedatasubject.闡述收集信息的機構在收集數(shù)據主體的信息時所采用的所有技術Answer:BWhatistheMOSTefectvecountermeasuretoamaliciouscodeatackagainstamobilesystem?以下哪一項是針對移動系統(tǒng)惡意代碼攻擊最有效的反制措施？A.Sandbox沙箱Changecontrol變更控制Memorymanagement內存管理Public-KeyInfrastructure(PKI)公鑰基礎架構(PKI)Answer:AWhichofthefollowingistheBESTmitigationfromphishingattacks?以下哪一項能最有效地減少釣魚攻擊？Networkactivitymonitoring網絡活動監(jiān)控Securityawarenesstraining安全意識培訓Corporatepolicyandprocedures企業(yè)政策和步驟Strongfileanddirectorypermissions對文件和目錄的強力權限Answer:BWhichofthefollowingisaphysicalsecuritycontrolthatprotectsAutomatedTellerMachines(ATM)fromskimming?以下哪一項是保護自動提款機(ATMautomatedtellermachines)免遭盜用(skimming)的物理安全控制？Anti-tampering防篡改(原文如此，正確翻譯應為“防改裝”)Securecardreader安全的讀卡器RadioFrequency(RF)scanner射頻(RFFrequency)掃描儀IntrusionPreventionSystem(IPS)入侵防御系統(tǒng)(IPS)Answer:A.Whichofthefollowingisanessentialelementofaprivilegedidentitylifecyclemanagement?以下哪項是特權身份生命周期管理的基本要素？Regularlyperformaccountre-validationandapproval定期執(zhí)行帳戶重新驗證和批準Accountprovisioningbasedonmulti-factorauthentication基于多因素認證的賬戶配置Frequentlyreviewperformedactivitiesandrequestjustification經常審查執(zhí)行的活動并要求理由Accountinformationtobeprovidedbysupervisororlinemanager由主管或業(yè)務經理提供的帳戶信息Answer:A.Whichofthefollowingisensuredwhenhashingfilesduringchainofcustodyhandling?在處理保管鏈過程中對文件進行散列可確保以下哪一項？Availability可用性Accountability問責性Integrity完整性Non-repudiation不可抵賴性Answer:C8.WhichHyperTextMarkupLanguage5(HTML5)optionpresentsasecuritychallengefornetworkdataleakagepreventionand/ormonitoring?超文本標記語言5(hypertextmarkuplanguage5)的哪個選項是對預防和/或監(jiān)控網絡數(shù)據泄露的安全挑戰(zhàn)？CrossOriginResourceSharing(CORS)跨資源共享(CORS)WebSocketsDocumentObjectModel(DOM)trees文檔對象模型(DOM)樹WebInterfaceDefinitionLanguage(IDL)Web界面定義語言Answer:BWhichofthefollowingstatementsisTRUEofblackboxtesting?以下哪個關于黑盒測試的陳述是對的？Onlythefunctionalspecificationsareknowntothetestplanner.測試規(guī)劃者只知道功能規(guī)格。Onlythesourcecodeandthedesigndocumentsareknowntothetestplanner.測試規(guī)劃者只知道源代碼和設計文件。Onlythesourcecodeandfunctionalspecificationsareknowntothetestplanner.測試規(guī)劃者只知道源代碼和功能規(guī)范。Onlythedesigndocumentsandthefunctionalspecificationsareknowntothetestplanner.測試規(guī)劃者只知道設計文件和功能規(guī)格。Answer:AAsoftwarescanneridentifiesaregionwithinabinaryimagehavinghighentropy.WhatdoesthisMOSTlikelyindicate?掃描軟件在二進制圖像內識別出一個有高埔的區(qū)域。這很有可能表示以下哪一項？Encryptionroutines機密例程Randomnumbergenerator隨機數(shù)生成器Obfuscatedcode混交代碼Botnetcommandandcontrol僵尸網絡指揮和控制Answer:CWhichofthefollowingisalimitationoftheCommonVulnerabilityScoringSystem(CVSS)asitrelatestoconductingcodereview?以下哪一項是與代碼審查相關的通用漏洞評分系統(tǒng)(CVSS)的局限？Ithasnormalizedseverityratings,它具有歸一化的嚴重性等級Ithasmanyworksheetsandpracticestoimplement,它有許多工作表和實踐來實現(xiàn)Itaimstocalculatetheriskofpublishedvulnerabilities.它旨在計算已發(fā)布漏洞的風險Itrequiresarobustriskmanagementframeworktobeputinplace.需要建立健全的風險管理框架Answer:CWhichofthefollowingistheMOSTimportantconsiderationwhenstoringandprocessingPersonallyIdentifiableInformation(PH)?以下哪一項實在存儲和處理個人可識別信息(PH,PersonallyIdentifiableInformation)時最重要的關注事項？EncryptandhashallPHtoavoiddisclosureandtampering.加密和散列所有Pll以避免泄漏和篡改StorePllfornomorethanoneyear.存儲PH不超過一年以上AvoidstoringPllinaCloudServiceProvider.避免在云服務供應商處存儲PllAdherencetocollectionlimitationlawsandregulations.遵守收集限制方面的法律和法規(guī)Answer:DWhichofthefollowingassessmentmetricsisBESTusedtounderstandasystem'svulnerabilitytopotentialexploits?以下哪一項評估測量標準最有助于了解系統(tǒng)有可能被利用的漏洞？Determiningtheprobabilitythatthesystemfunctionssafelyduringanytimeperiod確定系統(tǒng)在任何時間段內安全運轉的可能性Quantifyingthesystem'savailableservices量化系統(tǒng)的可用服務Identifyingthenumberofsecurityflawswithinthesystem確定系統(tǒng)內安全缺陷的數(shù)量Measuringthesystem'sintegrityinthepresenceoffailure測量系統(tǒng)在出現(xiàn)故障時的完整性Answer:CWhichofthefollowingisaneffectivemethodforavoidingmagneticmediadataremanence?以下哪一項是避免磁介質數(shù)據殘留的有效方法？Degaussing消磁Encryption加密DataLossPrevention(DLP)數(shù)據丟失預防(DLP)D.Authentication身份驗證Answer:AWhichofthefollowingMUSTbepartofacontracttosupportelectronicdiscoveryofdatastoredinacloudenvironment?合同中必須包括以下哪一項以支持電子搜尋存儲在云環(huán)境中的數(shù)據？Integrationwithorganizationaldirectoryservicesforauthentication與機構的身份驗證目錄服務整合Tokenizationofdata數(shù)據令牌化Accommodationofhybriddeploymentmodels安排混合部署模型Identificationofdatalocation識別數(shù)據位置Answer:DWhentransmittinginformationoverpublicnetworks,thedecisiontoencryptitshouldbebasedon在公共網絡上傳輸信息時，加密信息與否的決定應根據theestimatedmonetaryvalueoftheinformation.信息的估測貨幣價值whethertherearetransientnodesrelayingthetransmission.中繼傳輸時是否有瞬態(tài)節(jié)點thelevelofconfidentialityoftheinformation.信息的機密性等級thevolumeoftheinformation.信息量Answer:CLogicalaccesscontrolprogramsareMOSTeffectivewhentheyare邏輯訪問控制程序在什么時候最有效approvedbyexternalauditors.已得到外部審計員的批準combinedwithsecuritytokentechnology.與安全令牌技術結合使用maintainedbycomputersecurityofficers.由計算機安全官員進行維護madepartoftheoperatingsystem.已成為操作系統(tǒng)之一部分Answer:DWhichoneofthefollowingconsiderationshastheLEASTimpactwhenconsideringtransmissionsecurity?考慮傳輸安全時，下列哪一項因素影響最??？Networkavailability網絡可用性Dataintegrity數(shù)據完整性Networkbandwidth網絡帶寬Nodelocations節(jié)點的位置Answer:CWhatprinciplerequiresthatchangestotheplaintextaffectmanypartsoftheciphertext?什么原則要求對明文（輸入）的改變會影響很多部分的密文（輸出）？Diffusion擴散Encapsulation封裝Obfuscation混淆Permutation置換Answer:AWhichoneoftheseriskfactorswouldbetheLEASTimportantconsiderationinchoosingabuildingsiteforanewcomputerfacility?以下哪一個風險因素在為新的計算機設施進行考量選擇建筑場地時其重要性最低？Vulnerabilitytocrime易受犯罪活動攻擊Adjacentbuildingsandbusinesses相鄰的建筑與企業(yè)Proximitytoanairlineflightpath鄰近航空公司的飛行路徑Vulnerabilitytonaturaldisasters易受自然災難的損害Answer:CWhichoneofthefollowingtransmissionmediaisMOSTeffectiveinpreventingdatainterception?以下哪一種傳播介質在防止截獲數(shù)據方面最有效A.Microwave微波Twisted-pair雙絞線Fiberoptic光纖Coaxialcable同軸電纜Answer:CWhichsecurityactionshouldbetakenFIRSTwhencomputerpersonnelareterminatedfromtheirjobs?當計算機用戶被解除職務時，應該首先采取什么安全措施？Removetheircomputeraccess刪除他們的電腦訪問權Requirethemtoturnintheirbadge要求他們歸還員工工牌Conductanexitinterview進行離職面談Reducetheirphysicalaccessleveltothefacility降低他們對設備的物理訪問級別Answer:AApracticethatpermitstheownerofadataobjecttograntotherusersaccesstothatobjectwouldusuallyprovide允許某一數(shù)據對象的所有者授予其他用戶對該對象訪問權的做法通常提供MandatoryAccessControl(MAC).強制訪問控制owner-administeredcontrol.由所有者管理的控制owner-dependentaccesscontrol.依賴于所有者的訪問控制DiscretionaryAccessControl(DAC).自主訪問控制Answer:DThetypeofauthorizedinteractionsasubjectcanhavewithanobjectis主體對客體可以擁有的授權交互的類型就是control.控制permission,許可procedure.程序protocol.協(xié)議Answer:BWhyMUSTaKerberosserverbewellprotectedfromunauthorizedaccess?為什么必須對Kerberos服務器嚴加保護以防未授權的訪問？Itcontainsthekeysofallclients.它包含所有客戶的密鑰Italwaysoperatesatrootprivilege.它總是以根權限運作Itcontainsalltheticketsforservices.它包含服務的所有票證(Tickets)ItcontainstheInternetProtocol(IP)addressofallnetworkentities.它包含所有網絡實體的互聯(lián)網協(xié)議(IP,InternetProtocol)地址Answer:AWhichoneofthefollowingeffectivelyobscuresnetworkaddressesfromexternalexposurewhenimplementedonafirewallorrouter?在防火墻或路由器上實現(xiàn)時，以下哪一項有效地隱藏網絡地址避免暴露在外？NetworkAddressTranslation(NAT)網絡地址轉換(NAT)ApplicationProxy應用代理RoutingInformationProtocol(RIP)Version2路由信息協(xié)議(RIP)版本2AddressMasking地址掩碼Answer:AWhileimpersonatinganInformationSecurityOfficer(ISO),anattackerobtainsinformationfromcompanyemployeesabouttheirUserIDsandpasswords.Whichmethodofinformationgatheringhastheattackerused?當攻擊者冒充信息安全官(ISO,informationsecurityofficer),從公司員工那里獲得了他們的用戶ID和密碼，攻擊者使用了以下哪一種收集信息方法？Trustedpath可信路徑Maliciouslogic惡意邏輯Socialengineering社會工程Passivemisuse被動誤用Answer:CWhymustallusersbepositivelyidentifiedpriortousingmulti-usercomputers?在使用多用戶計算機之前，為什么必須要明確地標識所有用戶？Toprovideaccesstosystemprivileges提供對系統(tǒng)權限的訪問Toprovideaccesstotheoperatingsystem提供對操作系統(tǒng)的訪問Toensurethatunauthorizedpersonscannotaccessthecomputers確保未經授權的人員無法訪問計算機Toensurethatmanagementknowswhatusersarecurrentlyloggedon確保管理層知道用戶當前登錄的內容Answer:CThebirthdayattackisMOSTeffectiveagainstwhichoneofthefollowingciphertechnologies?生日攻擊(birthdayattack)對以下哪一種加密技術的破壞力最大？Chainingblockencryption鏈塊加密Asymmetriccryptography非對稱密碼Cryptographichash密碼散列Streamingcryptography串流密碼Answer:CAnadvantageoflinkencryptioninacommunicationsnetworkisthatit通信網絡中鏈路加密的一個優(yōu)點是makeskeymanagementanddistributioneasier.使密鑰管理和分發(fā)更容易protectsdatafromstarttofinishthroughtheentirenetwork.在整個網絡中從始至終保護數(shù)據improvestheefficiencyofthetransmission.提高傳輸效率encryptsallinformation,includingheadersandroutinginformation.對所有信息進行加密,包括包頭和路由信息Answer:DWhichoneofthefollowingistheMOSTimportantindesigningabiometricaccesssystemifitisessentialthatnooneotherthanauthorizedindividualsareadmitted?在設計生物特征識別訪問系統(tǒng)時，如果非授權人員不得訪問的原則是必不可少的，則以下哪一項最重要？FalseAcceptanceRate(FAR)錯誤接受率FalseRejectionRate(FRR)錯誤拒絕率CrossoverErrorRate(CER)交叉錯誤率RejectionErrorRate拒絕錯誤率Answer:AWhatisthetermcommonlyusedtorefertoatechniqueofauthenticatingonemachinetoanotherbyforgingpacketsfromatrustedsource?以下哪一個術語常用于指一臺機器對另一臺機器通過偽造來自可信源的數(shù)據包進行驗證的技術？Man-in-the-Middle(MITM)attack中間人攻擊Smurfing藍精靈(Smurfing)攻擊Sessionredirect會話重定向Spoofing哄騙Answer:DThePRIMARYpurposeofasecurityawarenessprogramisto安全意識程序的主要目的是ensurethateveryoneunderstandstheorganization/spoliciesandprocedures.確保每個人都了解組織的政策和程序communicatethataccesstoinformationwillbegrantedonaneed-to-knowbasis.通知，將根據需要知道獲取信息warnallusersthataccesstoallsystemswillbemonitoredonadailybasis.警告所有用戶，對所有系統(tǒng)的訪問每天都會被監(jiān)測complywithregulationsrelatedtodataandinformationprotection.遵守有關數(shù)據和信息保護的規(guī)定Answer:AAsonecomponentofaphysicalsecuritysystem,anElectronicAccessControl(EAC)tokenisBESTknownforitsabilityto作為物理安全系統(tǒng)的一個組成部分，電子訪問控制(EAC,ElectronicAccessControl)令牌其最廣為人知的能力是overcometheproblemsofkeyassignments.克服鑰匙分配帶來的問題monitortheopeningofwindowsanddoors.檢測門窗是否打開triggeralarmswhenintrudersaredetected.在檢測到入侵者時觸發(fā)警報lockdownafacilityduringanemergency.在發(fā)生緊急事件時鎖定設施Answer:AWhichoneofthefollowingisafundamentalobjectiveinhandlinganincident?下列哪一項是事件處理的根本目標？Torestorecontroloftheaffectedsystems恢復對受影響系統(tǒng)的控制Toconfiscatethesuspect'scomputers沒收嫌疑人的電腦Toprosecutetheattacker起訴攻擊者Toperformfullbackupsofthesystem執(zhí)行系統(tǒng)的完整備份Answer:AIntheareaofdisasterplanningandrecovery,whatstrategyentailsthepresentationofinformationabouttheplan?在災難計劃和恢復方面，以下哪一項策略牽涉到展示有關計劃的信息？Communication溝通Planning規(guī)劃Recovery恢復Escalation上報Answer:ATheprocessofmutualauthenticationinvolvesacomputersystemauthenticatingauserandauthenticatingthe相互驗證過程涉及到計算機系統(tǒng)驗證用戶，并且usertotheauditprocess.以審計過程驗證用戶computersystemtotheuser.以用戶驗證計算機系統(tǒng)user'saccesstoallauthorizedobjects.以所有授權的客體驗證用戶的訪問權computersystemtotheauditprocess.以審計過程驗證計算機系統(tǒng)Answer:BWhatmaintenanceactivityisresponsiblefordefining,implementing,andtestingupdatestoapplicationsystems?什么維護活動負責定義、實施和測試應用系統(tǒng)的更新？Programchangecontrol程序變更控制Regressiontesting回歸測試Exportexceptioncontrol導出異?？刂芔seracceptancetesting用戶驗收測試Answer:AWhichoneofthefollowingdescribesgranularity?以下哪一項是對粒度(granularity)的描述？MaximumnumberofentriesavailableinanAccessControlList(ACL)訪問控制列表(aclaccesscontrollist)中可用條目的最大數(shù)量Finenesstowhichatrustedsystemcanauthenticateusers可信系統(tǒng)驗證用戶的適應度Numberofviolationsdividedbythenumberoftotalaccesses違規(guī)數(shù)量除以訪問總量Finenesstowhichanaccesscontrolsystemcanbeadjusted訪問控制系統(tǒng)可調整的適應度Answer:DInabasicSYNfloodattack,whatistheattackerattemptingtoachieve?在基本的SYN泛濫攻擊中，攻擊者嘗試實現(xiàn)以下哪一項？Exceedthethresholdlimitoftheconnectionqueueforagivenservice超出給定服務的鏈接隊列閥值限制Setthethresholdtozeroforagivenservice將給定服務的閥值設為零Causethebuffertooverflow,allowingrootaccess導致緩沖區(qū)溢出，以取得根訪問權限Flushtheregisterstack,allowinghijackingoftherootaccount刷新寄存器堆棧，以便可以劫持根賬戶Answer:ATheFIRSTstepinbuildingafirewallisto建立防火墻的第一步是assigntherolesandresponsibilitiesofthefirewalladministrators.分配防火墻管理員的角色和職責definetheintendedaudiencewhowillreadthefirewallpolicy.定義需要讀取防火墻策略的目標讀者identifymechanismstoencouragecompliancewiththepolicy.確定鼓勵遵守政策的機制performariskanalysistoidentifyissuestobeaddressed.進行風險分析以確定要解決的問題Answer:DAsystemhasbeenscannedforvulnerabilitiesandhasbeenfoundtocontainanumberofcommunicationportsthathavebeenopenedwithoutauthority.Towhichofthefollowingmightthissystemhavebeensubjected?一個系統(tǒng)經過漏洞掃描發(fā)現(xiàn)，系統(tǒng)的一些通信端口是未經授權而被打開的。該系統(tǒng)可能遭受以下哪種情況？Trojanhorse特洛伊木馬DenialofService(DoS)拒絕服務Spoofing欺騙Man-in-the-Middle(MITM)中間人Answer:AWhichtypeofcontrolrecognizesthatatransactionamountisexcessiveinaccordancewithcorporatepolicy?依據公司政策認定交易金額是否過度(或可譯為“超限”)屬于哪一類控制措施？Detection檢測Prevention預防Investigation調查Correction校正Answer:AWhichofthefollowingdefinesthekeyexchangeforInternetProtocolSecurity(IPSec)?以下哪一項定義了互聯(lián)網協(xié)議安全(IPSec)的密鑰交換？SecureSocketsLayer(SSL)keyexchange安全套接層(SSL)密鑰交換InternetKeyExchange(IKE)互聯(lián)網密鑰交換(IKE)SecurityKeyExchange(SKE)安全密鑰交換(SKE)InternetControlMessageProtocol(ICMP)互聯(lián)網控制消息協(xié)議(ICMP)Answer:BTheoverallgoalofapenetrationtestistodetermineasystem's滲透測試的總體目標是確定一個系統(tǒng)的abilitytowithstandanattack.抵御攻擊的能力capacitymanagement.能力(性能)管理errorrecoverycapabilities.錯誤恢復功能reliabilityunderstress.壓力下的可靠性Answer:AWhenconstructinganInformationProtectionPolicy(IPP),itisimportantthatthestatedrulesarenecessary,adequate,and在構建信息保護政策(IPP，InformationProtectionPolicy)時，很重要的一點是，所述規(guī)則是必要的、足夠的、而且是flexible.靈活的confidential.保密的focused.有重點的achievable.可實現(xiàn)的Answer:DWhichoneofthefollowingaffectstheclassificationofdata?Passageoftime時間的推移Assignedsecuritylabel分配的安全標簽MultilevelSecurity(MLS)architecture多級安全(MLS,MultilevelSecurity)架構Minimumquerysize最小查詢量Answer:AWhichofthefollowingisasecuritylimitationofFileTransferProtocol(FTP)?以下哪一項是文件傳輸協(xié)議(FTP,FileTransferProtocol)在安全性方面的局限？PassiveFTPisnotcompatiblewithwebbrowsers.被動FTP與網絡瀏覽器不兼容Anonymousaccessisallowed.允許匿名訪問FTPusesTransmissionControlProtocol(TCP)ports20and21.FTP使用傳輸控制協(xié)議(TCP)端口20和21Authenticationisnotencrypted.身份驗證不加密Answer:DInBusinessContinuityPlanning(BCP),whatistheimportanceofdocumentingbusinessprocesses?在業(yè)務連續(xù)性計劃(BCP,BusinessContinuityPlanning)中，業(yè)務流程文檔化有何重要性？Providesseniormanagementwithdecision-makingtools向高級管理層提供決策工具Establishesandadoptsongoingtestingandmaintenancestrategies建立并采納進行中的測試和維護策略Defineswhowillperformwhichfunctionsduringadisasteroremergency定義在發(fā)生災難或緊急事件時由誰來行使那些職責Providesanunderstandingoftheorganization'sinterdependencies提供對組織機構的相互依賴關系的理解Answer:DTheStructuredQueryLanguage(SQL)implementsDiscretionaryAccessControls(DAC)using結構化查詢語言(SQL)使用來實現(xiàn)自由訪問控制(DAC)INSERTandDELETE.插入和刪除GRANTandREVOKE,授予和撤銷PUBLICandPRIVATE.公共和私人ROLLBACKandTERMINATE.回滾和終止Answer:BWhichlayeroftheOpenSystemsInterconnections(OSI)modelimplementationaddsinformationconcerningthelogicalconnectionbetweenthesenderandreceiver?開放系統(tǒng)互連(OSI,OpenSystemInterconnections)的模型實施以下哪一層添加了有關發(fā)送者和接受者之間邏輯連接的信息？Physical物理Session會話Transport傳輸Data-Link數(shù)據鏈接Answer:CWhichofthefollowingisanetworkintrusiondetectiontechnique?以下哪一種是網絡入侵檢測技術？Statisticalanomaly統(tǒng)計異常Perimeterintrusion邊界侵入Portscanning端口掃描Networkspoofing網絡欺騙Answer:AInternetProtocol(IP)sourceaddressspoofingisusedtodefeat互聯(lián)網協(xié)議(IP)源地址欺騙被用來挫敗address*basedauthentication.基于地址的認證AddressResolutionProtocol(ARP).地址解析協(xié)議(ARP)ReverseAddressResolutionProtocol(RARP).反向地址解析協(xié)議(RARP)TransmissionControlProtocol(TCP)hijacking.傳輸控制協(xié)議(TCP)劫持Answer:AWhichofthefollowingisanauthenticationprotocolinwhichanewrandomnumberisgenerateduniquelyforeachloginsession?在以下哪一種驗證協(xié)議中，每次新的登錄會話均會生成一個獨一的隨機碼？ChallengeHandshakeAuthenticationProtocol(CHAP)質詢握手驗證協(xié)議Point-to-PointProtocol(PPP)點對點協(xié)議ExtensibleAuthenticationProtocol(EAP)可擴展驗證協(xié)議PasswordAuthenticationProtocol(PAP)密碼驗證協(xié)議Answer:AWhatsecuritymanagementcontrolisMOSToftenbrokenbycollusion?什么安全管理控制措施最經常被串通所破壞？Jobrotation崗位輪換Separationofduties職責分離Leastprivilegemodel最低特權模式Increasedmonitoring增強監(jiān)測Answer:BAnIntrusionDetectionSystem(IDS)isgeneratingalarmsthatauseraccounthasover100failedloginattemptsperminute.Asnifferisplacedonthenetwork,andavarietyofpasswordsforthatuserarenoted.WhichofthefollowingisMOSTlikelyoccurring?入侵檢測系統(tǒng)(IDS,IntrusionDetectionSystem)警告某個用戶賬戶已有100次以上失敗的登陸嘗試。網絡上放置了嗅探器后發(fā)現(xiàn)該用戶使用了各種各樣的密碼。以下哪一項是最有可能發(fā)生的情況？Adictionaryattack字典式攻擊ADenialofService(DoS)attack拒絕服務(DOS,DenialofService)攻擊Aspoofingattack哄騙攻擊Abackdoorinstallation后門安裝Answer:AAnengineerinasoftwarecompanyhascreatedaviruscreationtool.Thetoolcangeneratethousandsofpolymorphicviruses.Theengineerisplanningtousethetoolinacontrolledenvironmenttotestthecompany'snextgenerationvirusscanningsoftware.WhichwouldBESTdescribethebehavioroftheengineerandwhy?某軟件公司的工程師創(chuàng)建了一個病毒制造工具，可生成成千上萬的多臺病毒。工程師計劃在受控制的環(huán)境中使用該工具以測試公司新一代病毒掃描軟件，以下哪一項是對該工程師其行為的最恰當描述，為什么？Thebehaviorisethicalbecausethetoolwillbeusedtocreateabettervirusscanner.其行為合乎職業(yè)道德，因為工具是用于創(chuàng)造更有效的病毒掃描程序Thebehaviorisethicalbecauseanyexperiencedprogrammercouldcreatesuchatool.其行為合乎職業(yè)道德，因為任何有經驗的程序員都可以創(chuàng)建此類工具Thebehaviorisnotethicalbecausecreatinganykindofvirusisbad.其行為不合乎職業(yè)道德，因為制造任何病毒都是壞行為ThebehaviorisnotethicalbecausesuchatoolcouldbeleakedontheInternet.其行為不合乎職業(yè)道德，因為此類工具可能會泄露到互聯(lián)網上Answer:AWhichofthefollowingDisasterRecovery(DR)sitesistheMOSTdifficulttotest?下列哪一種災難恢復(DR)站點最難測試？Hotsite熱站Coldsite冷站Warmsite溫站Mobilesite移動站Answer:BWhichofthefollowingstatementsisTRUEforpoint-to-pointmicrowavetransmissions?對于點對點微波傳輸，下列哪一個描述是對的？Theyarenotsubjecttointerceptionduetoencryption.由于加密，它們不會被攔截Interceptiononlydependsonsignalstrength.攔截只取決于信號強度Theyaretoohighlymultiplexedformeaningfulinterception.它們對于有意義的攔截來說太復雜了Theyaresubjecttointerceptionbyanantennawithinproximity.它們被接近的天線攔截Answer:DThekeybenefitsofasignedandencryptede-mailinclude簽名并加密的電子郵件其關鍵優(yōu)點包括confidentiality,authentication,andauthorization.保密性，身份驗證和授權confidentiality,non-repudiation,andauthentication.保密性，不可抵賴和身份驗證non-repudiation,authorization,andauthentication.不可抵賴性，授權和身份驗證non-repudiation,confidentiality,andauthorization.不可抵賴性,保密性和授權Answer:BCopyrightprovidesprotectionforwhichofthefollowing?版權對以下哪一項提供保護？Ideasexpressedinliteraryworks文學作品表達的構思Aparticularexpressionofanidea構思的特定表達Newandnon-obviousinventions新穎的、非顯而易見的發(fā)明Discoveriesofnaturalphenomena對自然現(xiàn)象的發(fā)現(xiàn)Answer:BWhichofthefollowingisTRUEaboutDisasterRecoveryPlan(DRP)testing?以下哪一項是關于災難恢復計劃(DRP)測試的準確陳述？Operationalnetworksareusuallyshutdownduringtesting.測試期間通常關閉運營中網絡Testingshouldcontinueevenifcomponentsofthetestfail.即使測試的某部分失敗,測試仍應繼續(xù)Thecompanyisfullypreparedforadisasterifalltestspass.如果所有測試都合格，公司對某災難有充分的準備Testingshouldnotbedoneuntiltheentiredisasterplancanbetested.只有在整個災難計劃能夠測試時才能進行測試Answer:BWhichofthefollowingistheFIRSTstepofapenetrationtestplan?以下哪一項是滲透測試計劃的第一步驟？Analyzinganetworkdiagramofthetargetnetwork分析目標網絡的網絡圖Notifyingthecompany'scustomers通知公司的客戶Obtainingtheapprovalofthecompany'smanagement得到公司管理層的批準Schedulingthepenetrationtestduringaperiodofleastimpact安排在影響最小的時間按段進行滲透測試Answer:CWhichofthefollowingactionsshouldbeperformedwhenimplementingachangetoadatabaseschemainaproductionsystem?在對生產系統(tǒng)數(shù)據庫骨架(schema)實施變更時，應執(zhí)行以下哪些操作？Testindevelopment,determinedates,notifyusers,andimplementinproduction在開發(fā)中進行測試，確定日期，通知用戶，并在生產中實施Applychangetoproduction,runinparallel,finalizechangeinproduction,anddevelopabackoutstrategy將變更應用于生產，并行運行，敲定生產的變更，并指定回退策略Performuseracceptancetestinginproduction,haveuserssignoff,andfinalizechange在生產中進行用戶接受性測試，讓用戶簽定，并敲定變更Changeindevelopment,performuseracceptancetesting,developaback-outstrategy,andimplementchange在開發(fā)中進行變更，執(zhí)行用戶接受性測試，制定回退策略，并實施變更Answer:DWhichofthefollowingisamethodusedtopreventStructuredQueryLanguage(SQL)injectionattacks?以下哪一項用于防止結構化查詢語言(SQL,structured,query,language)注入攻擊？Datacompression數(shù)據壓縮Dataclassification數(shù)據分類Datawarehousing數(shù)據倉貯Datavalidation數(shù)據驗證Answer:DTheBESTmethodofdemonstratingacompany/ssecurityleveltopotentialcustomersis向潛在客戶展示公司安全級別的最佳方法是areportfromanexternalauditor.外部審計師報告respondingtoacustomer^securityquestionnaire.對客戶安全調查問卷的回應aformalreportfromaninternalauditor.內部審計師的正式報告asitevisitbyacustomer^securityteam.客戶安全團隊的現(xiàn)場參觀Answer:AWhichofthefollowingdoesTemporalKeyIntegrityProtocol(TKIP)support?臨時密鑰完整性協(xié)議(TKIP)支持以下哪一項？Multicastandbroadcastmessages組播和廣播消息CoordinationofIEEE802.11protocols與IEEE802.11協(xié)議相協(xié)調WiredEquivalentPrivacy(WEP)systems有線等效保密(WEP)系統(tǒng)Synchronizationofmultipledevices多個設備的同步Answer:CThestringencyofanInformationTechnology(IT)securityassessmentwillbedeterminedbythe信息技術(IT)安全性評估的嚴格性由以下哪一項決定？system'spastsecurityrecord.過去的系統(tǒng)安全記錄sizeofthesystem'sdatabase.系統(tǒng)數(shù)據庫的大小sensitivityofthesystem'sdata.系統(tǒng)數(shù)據的敏感性ageofthesystem.系統(tǒng)的年齡Answer:CWhatshouldbetheINITIALresponsetoIntrusionDetectionSystem/lntrusionPreventionSystem(IDS/IPS)alerts?對IDS/IPS報警的初始響應應該是什么？EnsurethattheIncidentResponsePlanisavailableandcurrent.確保事件響應計劃可用且有效Determinethetraffic'sinitialsourceandblocktheappropriateport.確定流量的初始源，并阻斷正確的端口Disableordisconnectsuspectedtargetandsourcesystems.禁用或斷開可疑目標或源系統(tǒng)Verifythethreatanddeterminethescopeoftheattack.驗證威脅并確定攻擊源Answer:DAtaMINIMUM,aformalreviewofanyDisasterRecoveryPlan(DRP)shouldbeconducted最低限度上，應該多久對某個災難恢復計劃(DRPdisasterrecoveryplan)進行一次正式審核？A.monthly.每個月quarterly.每季度annually.每年bi-annually.每半年Answer:CCheckingroutinginformationone-mailtodetermineitisinavalidformatandcontainsvalidinformationisanexampleofwhichofthefollowinganti-spamapproaches?檢查電子郵件中的路由信息，以確定它是否是有效的格式并且包含有效信息，是以下哪種反垃圾郵件方法的例子？SimpleMailTransferProtocol(SMTP)blacklist簡單郵件傳輸協(xié)議(SMTP)黑名單ReverseDomainNameSystem(DNS)lookup反向域名系統(tǒng)(DNS)查找Hashingalgorithm散列算法Headeranalysis頭分析Answer:DDuringanauditofsystemmanagement,auditorsfindthatthesystemadministratorhasnotbeentrained.Whatactionsneedtobetakenatoncetoensuretheintegrityofsystems?在系統(tǒng)管理審計中，審計師發(fā)現(xiàn)系統(tǒng)管理員尚未經過培訓。需要立即采取哪些行動來確保系統(tǒng)的完整性？Areviewofhiringpoliciesandmethodsofverificationofnewemployees審查招聘政策以及對新員工的檢驗方法Areviewofalldepartmentalprocedures審查所有部門程序Areviewofalltrainingprocedurestobeundertaken審查所有應采取的培訓程序Areviewofallsystemsbyanexperiencedadministrator由經驗豐富的管理員審查所有系統(tǒng)Answer:DAninternalServiceLevelAgreement(SLA)coveringsecurityissignedbyseniormanagersandisinplace.WhenshouldcompliancetotheSLAbereviewedtoensurethatagoodsecuritypostureisbeingdelivered?涵蓋安全方面的內部服務等級協(xié)議(SLA,ServiceLevelAgreement)經高級經理簽署并落實到位。應該在什么時候對SLA合規(guī)性進行審查以確保達到良好的安全姿態(tài)？AspartoftheSLArenewalprocess作為SLA更新過程的一部分Priortoaplannedsecurityaudit在計劃進行的安全性審計以前Immediatelyafterasecuritybreach緊接在出現(xiàn)安全漏洞之后Atregularlyscheduledmeetings在定期舉行的會議上Answer:DWhendesigningavulnerabilitytest,whichoneofthefollowingislikelytogivetheBESTindicationofwhatcomponentscurrentlyoperateonthenetwork?在設計漏洞測試時，以下哪一項可能最好地標示出什么組件當前運行在網絡上？Topologydiagrams拓撲(Topology)示意圖Mappingtools映射工具Assetregister資產注冊表PingtestingPing測試Answer:BWhichofthefollowingisthebestpracticefortestingaBusinessContinuityPlan(BCP)?以下哪一項是測試業(yè)務連續(xù)性計劃(BCP)的最佳實踐？TestbeforetheITAudit在IT審計以前測試Testwhenenvironmentchanges當環(huán)境發(fā)生變化時測試Testafterinstallationofsecuritypatches在安裝了安全修補程序以后測試Testafterimplementationofsystempatches在實施了系統(tǒng)修補程序以后測試Answer:BWhichofthefollowingMUSTbedonewhenpromotingasecurityawarenessprogramtoseniormanagement?在向高級管理層推廣安全意識計劃時，必須進行以下哪項工作？Showtheneedforsecurity;identifythemessageandtheaudience顯示安全的需要；識別消息和受眾Ensurethatthesecuritypresentationisdesignedtobeall-inclusive確保安全演示文稿設計為全面的Notifythemthattheircomplianceismandatory通知他們他們的遵守是強制性的Explainhowhackershaveenhancedinformationsecurity解釋黑客如何增強信息安全Answer:AWhichofthefollowingisasecurityfeatureofGlobalSystemsforMobileCommunications(GSM)?以下哪一項是全球移動通信系統(tǒng)(GSM)的安全功能？ItusesaSubscriberIdentityModule(SIM)forauthentication.它使用用戶身份模塊(SIM)進行身份驗證Itusesencryptingtechniquesforallcommunications.它使用加密技術進行所有通信Theradiospectrumisdividedwithmultiplefrequencycarriers.無線電頻譜由多個頻率載波分開Thesignalisdifficulttoreadasitprovidesend-to-endencryption.信號難以讀取,因為它提供端對端加密Answer:AInadataclassificationscheme,thedataisownedbythe數(shù)據分類方案中，數(shù)據由誰擁有？InformationTechnology（IT）managers.信息技術經理businessmanagers.業(yè)務經理endusers.最終用戶systemsecuritymanagers.系統(tǒng)安全經理Answer:BAdisadvantageofanapplicationfilteringfirewallisthatitcanleadto應用過濾防火墻的一個缺點是它可以導致acrashofthenetworkasaresultofuseractivities.用戶活動導致網絡崩潰performancedegradationduetotherulesapplied.應用規(guī)則導致性能下降lossofpacketsonthenetworkduetoinsufficientbandwidth.由于帶寬不足導致網絡上的數(shù)據包丟失InternetProtocol（IP）spoofingbyhackers.黑客的互聯(lián)網協(xié)議（IP）欺騙Answer:BWhatistheMOSTimportantpurposeoftestingtheDisasterRecoveryPlan（DRP）?測試災難恢復計劃（DRP）最重要的目標是？Evaluatingtheefficiencyoftheplan評價計劃的有效性Identifyingthebenchmarkrequiredforrestoration識別恢復需求的標準V