QUESTION 349
166
ISC CISSP Exam
Which of the following media is MOST resistant to tapping?
A. Microwave
B. Twisted pair
C. Coaxial cable
D. Fiber optic
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Fiber optic cable carries light inside a glass core and gives off no electromagnetic emanations, so there is nothing to pick up inductively as there is with twisted pair and coaxial cable, and a microwave link can be intercepted by anyone in the beam path. Tapping fiber requires physical access to the strand and bending or splicing it, which introduces a measurable drop in signal level.
QUESTION 350
What type of wiretapping involves injecting something into the communications?
A. Aggressive
B. Captive
C. Passive
D. Active
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Most communications are vulnerable to some type of wiretapping or eavesdropping. It can usually
be done undetected and is referred to as a passive attack, versus an active attack. – Shon Harris All-in-one
CISSP Certification Guide pg 649
The RFC 2828 Internet Security Glossary (reproduced at http://www.linuxsecurity.com/dictionary/dict-455.html)
defines wiretapping as: “(I) An attack that intercepts and accesses data and other information contained in a
flow in a communication system. (C) Although the term originally referred to making a mechanical connection to
an electrical conductor that links two nodes, it is now used to refer to reading information from any sort of
medium used for a link or even directly from a node, such as a gateway or subnetwork switch. (C) ‘Active
wiretapping’ attempts to alter the data or otherwise affect the flow; ‘passive wiretapping’ only attempts to
observe the flow and gain knowledge of information it contains. (See: active attack, end-to-end encryption,
passive attack.)”
Injecting something into the communication alters the flow, so it is active wiretapping.
QUESTION 351
Why would an Ethernet LAN in a bus topology have a greater risk of unauthorized disclosure than switched
Ethernet in a hub-and-spoke or star topology?
A. IEEE 802.5 protocol for Ethernet cannot support encryption.
B. Ethernet is a broadcast technology.
C. Hub and spoke connections are highly multiplexed.
D. TCP/IP is an insecure protocol.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Ethernet is a broadcast technology. On a bus (or a hub) every frame is placed on the shared
medium and reaches every station, so any NIC in promiscuous mode can read traffic addressed to someone else. A
switch learns which MAC address sits on which port and forwards a unicast frame only to that port, so a station
on another port never sees it. Broadcast and flooded frames still reach every port in the VLAN; a VLAN bounds
the broadcast domain, and only a layer 3 device (a router) carries traffic between broadcast domains. Option A
is a distractor: IEEE 802.5 is Token Ring, Ethernet is IEEE 802.3.
QUESTION 352
What type of attacks occurs when a smartcard is operating under normal physical conditions, but sensitive
information is gained by examining the bytes going to and from the smartcard?
A. Physical attacks.
B. Logical attacks.
C. Trojan Horse attacks.
D. Social Engineering attacks.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Logical attacks occur when a smartcard is operating under normal physical conditions, but sensitive information
is gained by examining the bytes going to and from the smartcard. One example is the so-called “timing attack”
described by Paul Kocher. In this attack, various byte patterns are sent to the card to be signed by the private
key. Information such as the time required to perform the operation and the number of zeroes and ones in the
input bytes are used to eventually obtain the private key. There are logical countermeasures to this attack but
not all smartcard manufacturers have implemented them. This attack does require that the PIN to the card be
known, so that many private key operations can be performed on chosen input bytes.
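The logical attack described above, as an added example that is not part of the original exam material: a simulated smart card whose PIN check exits at the first wrong digit, an attacker that recovers the PIN purely from the response time of the bytes going to and from the card, and the constant-time comparison that defeats it. The card, the secret PIN and the tick-count model of elapsed time are all constructed for this example; it is a simplified timing side channel on PIN verification, not the Kocher RSA timing attack the explanation cites.

```python
"""Timing side channel on a card's PIN check (added example, simulated card).

The attacker never opens the card or disturbs it physically: it sends PIN bytes, reads the
accept/reject answer and observes how long the answer took. Time is modelled as the count
of digit comparisons the card performed, which keeps the attack deterministic; on real
hardware it would be measured with a timer or a scope and averaged over repeated queries.
"""
import hmac

PIN_LEN = 4
SECRET_PIN = b"4721"  # constructed secret, known only to the simulated card


class LeakyCard:
    """Early-exit comparison: the card stops at the first wrong digit, so a longer correct
    prefix takes measurably longer to reject."""

    def __init__(self, pin):
        self._pin = pin

    def verify(self, guess):
        """Return (accepted, ticks); ticks is the number of digit comparisons performed."""
        ticks = 0
        for expected, got in zip(self._pin, guess):
            ticks += 1
            if expected != got:
                return False, ticks
        return len(guess) == len(self._pin), ticks


class ConstantTimeCard(LeakyCard):
    """Countermeasure: hmac.compare_digest examines every byte regardless of where the
    first mismatch is, so every answer costs the same."""

    def verify(self, guess):
        return hmac.compare_digest(self._pin, guess), len(self._pin)


def recover_pin(card, digits=b"0123456789", length=PIN_LEN):
    """Recover the PIN one position at a time from the card's response time.

    For each position, try every digit with the already-known prefix in front and zero
    padding behind; the digit whose rejection took the most ticks extends the prefix.
    Returns (pin, queries) on success or (None, queries) if timing gave nothing away.
    """
    known, queries = b"", 0
    for pos in range(length):
        best_digit, best_ticks = None, -1
        for digit in digits:
            guess = known + bytes([digit]) + b"0" * (length - pos - 1)
            accepted, ticks = card.verify(guess)
            queries += 1
            if accepted:
                return guess, queries
            if ticks > best_ticks:
                best_digit, best_ticks = digit, ticks
        known += bytes([best_digit])
    return None, queries


if __name__ == "__main__":
    print("leaky card:        ", recover_pin(LeakyCard(SECRET_PIN)))
    print("constant-time card:", recover_pin(ConstantTimeCard(SECRET_PIN)))
```

On the leaky card the PIN falls in at most 40 queries (ten per position) instead of up to 10,000; on the constant-time card every response costs the same and the attacker is left with a blind search. A PIN retry counter, which real cards enforce, caps either attack at a handful of tries, which is why the Kocher-style attack in the explanation needs the PIN already known so that many private-key operations can be requested.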
QUESTION 353
What is an effective countermeasure against Trojan horse attack that targets smart cards?
A. Single-access device driver architecture.
B. Handprint driver architecture.
C. Fingerprint driver architecture.
D. All of the choices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The countermeasure to prevent this attack is to use “single-access device driver” architecture. With this type of
architecture, the operating system enforces that only one application can have access to the serial device (and
thus the smartcard) at any given time. This prevents the attack but also lessens the convenience of the
smartcard because multiple applications cannot use the services of the card at the same time. Another way to
prevent the attack is by using a smartcard that enforces a “one private key usage per PIN entry” policy model.
In this model, the user must enter their PIN every single time the private key is to be used and therefore the
Trojan horse would not have access to the key.
QUESTION 354
Which of the following could illegally capture network user passwords?
A. Data diddling
B. Sniffing
C. Spoofing
D. Smurfing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Sniffing captures packets in transit, so any password that crosses the segment in clear text is exposed to it.
Data diddling alters data before or during input, spoofing forges a source identity, and smurfing is an ICMP
amplification denial of service; none of them capture passwords.
QUESTION 355
Which of the following statements is incorrect?
A. Since the early days of mankind, humans have struggled with the problem of protecting assets
B. The addition of a PIN keypad to the card reader was a solution to the problem of lost or unreported cards
C. There has never been a problem of lost keys
D. A human guard is an inefficient and sometimes ineffective method of protecting resources
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 356
A system uses a numeric password with 1-4 digits. How many passwords need to be tried before it is cracked?
A. 1024
B. 10000
C. 100000
D. 1000000
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The answer key treats the password as a 4-digit field: 0000 through 9999 gives 10,000 possible
values. Strictly, a password of 1 to 4 digits has a keyspace of 10 + 100 + 1,000 + 10,000 = 11,110, which is
not among the choices; 10,000 is the expected answer.
QUESTION 357
Which of the following can be used to protect your system against brute force password attack?
A. Decrease the value of password history.
B. Employees must send in a signed email before obtaining a password.
C. After three unsuccessful attempts to enter a password, the account will be locked.
D. Increase the value of password age.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
After a set number of unsuccessful attempts (three here) the account is locked and only an administrator or the
help desk can reactivate the involved user ID, which stops online guessing after a handful of tries. Two
caveats: an attacker can use lockout to deny service by deliberately locking accounts, and lockout does nothing
against an attacker who has obtained the password hashes and guesses offline. Requiring employees to show up
in person and present proper identification before obtaining a new or changed password (depending on your
policy) addresses social engineering of the help desk, not brute force.
QUESTION 358
Which of the following is an effective measure against a certain type of brute force password attack?
A. Password used must not be a word found in a dictionary.
B. Password history is used.
C. Password reuse is not allowed.
D. None of the choices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A dictionary attack tries words from a word list (and common variations of them) rather than every possible
string, so choosing passwords that are not words found in a dictionary is the countermeasure against that
particular type of brute force attack. All computer system users must choose passwords that cannot be easily
guessed. Password history and the rule that password reuse is not allowed (rotating passwords) prevent users
from reusing passwords; on all systems with such a facility the last 12 passwords used will be kept in the
history. Those controls limit the lifetime of a compromised password but do not make a password harder to
guess.
QUESTION 359
Which type of attack will most likely provide an attacker with multiple passwords to authenticate to a system?
A. Password sniffing
B. Dictionary attack
C. Dumpster diving
D. Social engineering
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A sniffer on a shared segment captures every credential sent in clear text across it, so a single capture
typically yields passwords for many users. A dictionary attack, dumpster diving or social engineering usually
targets one account or one person at a time.
QUESTION 360
Which of the following are measures against password sniffing?
A. Passwords must not be sent through email in plain text.
B. Passwords must not be stored in plain text on any electronic media.
C. You may store passwords electronically if it is encrypted.
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Passwords must not be sent through email in plain text. Passwords must not be stored in plain text on any
electronic media. It is acceptable to store passwords in a file if it is encrypted with PGP or equivalent strong
encryption (once again depending on your organization policy). All vendor supplied default passwords must be
changed.
QUESTION 361
Which one of the following conditions is NOT necessary for a long dictionary attack to succeed?
A. The attacker must have access to the target system.
B. The attacker must have read access to the password file.
C. The attacker must have write access to the password file.
D. The attacker must know the password encryption mechanism and key variable.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The program encrypts (in practice, hashes) each combination of characters and compares the result to the
encrypted entries in the password file. If a match is found, the program has uncovered a password. – Shon Harris
All-in-one CISSP Certification Guide pg 199
The attack only reads and compares, so write access to the password file (C) is not needed. Access to the
system, read access to the file, and knowledge of the hashing mechanism and any salt or key variable are.
QUESTION 362
What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain
access to a target computer system?
A. Keyspace for the password.
B. Expertise of the person performing the attack.
C. Processing speed of the system executing the attack.
D. Encryption algorithm used for password transfer.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
I am not sure of the answer on this question. B seems good but the reference below states that Keyspace (or
length of password) is the main deterrent. I did not come across something that directly relates in my readings.
“If an attacker mounts a trial-and-error attack against your password, a longer password gives the attacker a
larger number of alternatives to try. If each character in the password may take on 96 different values (typical of
printable ASCII characters) then each additional character presents the attacker with 96 times as many
passwords to try. If the number of alternatives is large enough, the trial-and-error attack might discourage the
attacker, or lead to the attacker’s detection.” http://www.smat.us/sanity/riskyrules.html
QUESTION 363
Which one of the following BEST describes a password cracker?
A. A program that can locate and read a password file.
B. A program that provides software registration passwords or keys.
C. A program that performs comparative analysis.
D. A program that obtains privileged access to the system.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
In a dictionary crack, L0phtCrack encrypts (i.e., hashes) all the passwords in a dictionary file you specify and
compares every result with the password hash. If L0phtCrack finds any matches, it knows the password is the
dictionary word. L0phtCrack comes with a default dictionary file, words-english. You can download additional
files from the Internet or create a custom file. In the Tools Options dialog box, you can choose to run the
dictionary attack against the LANMAN password hash, the NT LAN Manager (NTLM) password hash, or both
(which is the default). In a hybrid crack, L0phtCrack extends the dictionary crack by appending numbers or
symbols to each word in the dictionary file. For example, in addition to trying “Galileo,” L0phtCrack also tries
“Galileo24,” “13Galileo,” “?Galileo,” “Galileo!,” and so on. The default number of characters L0phtCrack tries is
two, and you can change this number in the Tools Options dialog box. In a brute-force crack, L0phtCrack tries
every possible combination of characters in a character set. L0phtCrack offers four character sets, ranging
from alpha only to all alphanumeric plus all symbol characters. You can choose a character set from the
Character Set drop-down box in the Tools Options dialog box or type a custom character set in the Character
Set drop-down box. L0phtCrack saves custom sets in files with an .lc extension. You can also specify a
character set in the password file, as the example in Figure 2 shows.
Not B: A key generator is what is being described by the registration password or key answer.
QUESTION 364
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token
performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Brute force attacks are performed with tools that cycle through many possible character, number,
and symbol combinations to guess a password. Pg 134 Shon Harris CISSP All-In-One Certification Exam
Guide. Because the token checks the PIN offline, nothing enforces a retry limit or lockout, so an attacker who
obtains the token can keep trying PINs until one of the 10,000 possible 4-digit values is accepted.
QUESTION 365
Which of the following actions can increase the cost of an exhaustive attack?
A. Increase the age of a password.
B. Increase the length of a password.
C. None of the choices.
D. Increase the history of a password.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Defenses against exhaustive attacks involve increasing the cost of the attack by increasing the number of
possibilities to be exhausted. For example, increasing the length of a password will increase the cost of an
exhaustive attack. Increasing the effective length of a cryptographic key variable will make it more resistant to
an exhaustive attack.
QUESTION 366
Which of the following attacks focus on cracking passwords?
A. SMURF
B. Spamming
C. Teardrop
D. Dictionary
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves
trying a list of hundreds or thousands of words that are frequently chosen as passwords against several
systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a
particular dictionary attack.
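The password-cracking mechanics behind QUESTIONS 356 through 366 (the keyspace of a 1-4 digit PIN, lockout against online guessing, dictionary words and their hybrid variants, the conditions an offline dictionary attack needs, a cracker as comparative analysis, an offline-checked PIN, and the cost of an exhaustive attack), as one added example in Python that is not part of the original exam material and is not L0phtCrack's code. The hash scheme, the salts, the users, their passwords and the word list are all constructed for this example.

```python
"""Offline cracking of a stolen hash file versus online guessing into a lockout (added example).

Everything is constructed: the hash scheme, the salts, the users and the word list. The offline
path needs exactly what Q361 lists, read access to the password file plus the hashing mechanism
and its key variable (the per-user salt), and never writes anything back.
"""
import hashlib
import itertools
import string

# Tiny stand-in for a words-english file; order matters for the online-guessing demo.
WORDLIST = ["password", "letmein", "welcome", "galileo"]

def hash_password(salt, password):
    """Constructed scheme: SHA-256(salt || password). Real systems should use a slow KDF."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed 'user:salt:hash' file. One victim falls to each mode; the passphrase resists all three.
PASSWORD_FILE = "\n".join(
    f"{u}:{u}-salt:{hash_password((u + '-salt').encode(), p)}"
    for u, p in {"alice": "galileo", "bob": "Galileo24", "carol": "7319",
                 "dave": "correct horse battery"}.items())

def parse_password_file(text):
    entries = {}
    for line in text.splitlines():
        user, salt, digest = line.split(":")
        entries[user] = (salt.encode(), digest)
    return entries

def hybrid_candidates(words, extras=string.digits + "!?#", max_extra=2):
    """Each word, as-is and capitalised, with 1..max_extra digits/symbols appended or prepended."""
    for word in words:
        for base in (word, word.capitalize()):
            for n in range(1, max_extra + 1):
                for combo in itertools.product(extras, repeat=n):
                    tail = "".join(combo)
                    yield base + tail
                    yield tail + base

def brute_force_candidates(charset, max_len):
    """Every string over charset of length 1..max_len (keyspace() counts how many that is)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def keyspace(charset_size, min_len, max_len):
    """Candidates an exhaustive attack must cover for lengths min_len..max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def crack(entries, candidates):
    """Offline comparative analysis: hash every candidate under each uncracked user's salt."""
    found, attempts = {}, 0
    for cand in candidates:
        for user, (salt, digest) in entries.items():
            if user in found:
                continue
            attempts += 1
            if hash_password(salt, cand) == digest:
                found[user] = cand
    return found, attempts

def crack_all(text=PASSWORD_FILE):
    """Dictionary, then hybrid, then 1-4 digit brute force, each against still-uncracked users."""
    entries, results = parse_password_file(text), {}
    for candidates in (iter(WORDLIST), hybrid_candidates(WORDLIST),
                       brute_force_candidates(string.digits, 4)):
        remaining = {u: v for u, v in entries.items() if u not in results}
        found, _ = crack(remaining, candidates)
        results.update(found)
    return results

class LockoutAccount:
    """Online target (Q357): locks after max_failures bad passwords until an administrator resets it."""

    def __init__(self, salt, digest, max_failures=3):
        self.salt, self.digest, self.max_failures = salt, digest, max_failures
        self.failures, self.locked = 0, False

    def login(self, password):
        if self.locked:
            return False
        if hash_password(self.salt, password) == self.digest:
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False

    def admin_unlock(self):
        self.failures, self.locked = 0, False

def online_guess(account, candidates):
    """Guess through the login interface; returns (password or None, attempts made before lockout)."""
    attempts = 0
    for cand in candidates:
        if account.locked:
            break
        attempts += 1
        if account.login(cand):
            return cand, attempts
    return None, attempts
```

Run crack_all() and the three weak passwords fall in turn (dictionary word, word plus two characters, four digits), while the long passphrase survives every mode; keyspace(10, 4, 4) is the 10,000 of Q356 and Q364, keyspace(10, 1, 4) the 11,110 a true 1-4 digit field allows, and each extra character over a 96-symbol alphabet multiplies keyspace() by 96, which is Q365's point. The same word list run through online_guess() against a LockoutAccount stops after three attempts, which is all Q357's control buys you; it buys nothing once the hash file has been read.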
QUESTION 367
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector?
A. Using TACACS+ server
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the
firewall.
C. Setting modem ring count to at least 5
D. Only attaching modems to non-networked hosts.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 368
What is known as decoy system designed to lure a potential attacker away from critical systems?
A. Honey Pots
B. Vulnerability Analysis Systems
C. File Integrity Checker
D. Padded Cells
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey
pots are designed to:
Divert an attacker from accessing critical systems,
Collect information about the attacker’s activity, and
Encourage the attacker to stay on the system long enough for administrators to respond.
QUESTION 369
Which of the following will you consider as a program that monitors data traveling over a network?
A. Smurfer
B. Sniffer
C. Fragmenter
D. Spoofer
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A sniffer is a program and/or device that monitors data traveling over a network. Sniffers can be used both for
legitimate network management functions and for stealing information off a network. Unauthorized sniffers are
dangerous to a network’s security because a purely passive sniffer transmits nothing and so is virtually
impossible to detect from the wire; detection relies on host-side checks, such as finding an interface that has
been placed in promiscuous mode.
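What a sniffer sees on a bus versus a switched segment (QUESTIONS 351, 354, 359 and 369), as an added example that is not from the original exam material: constructed Ethernet/IPv4/TCP frames carrying an FTP login are delivered through a simulated hub and a simulated learning switch, and a promiscuous-mode listener on an uninvolved port tries to extract the credentials. The MAC and IP addresses, ports, credentials and the hub/switch models are all assumptions made for this example.

```python
"""Passive sniffing on a shared bus vs. a switched segment (added example, constructed frames).

Builds Ethernet II / IPv4 / TCP frames carrying an FTP login, pushes them through a hub (every
port hears everything) and through a learning switch, and reports what a promiscuous-mode
sniffer on an uninvolved port can extract. Checksums are left at zero and are not validated;
addresses, ports and credentials are all made up for the example.
"""
import socket
import struct

FTP_CONTROL_PORT = 21


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + 20-byte IPv4 header + 20-byte TCP header (no options) + payload."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4 over TCP."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, payload


def extract_ftp_logins(frames):
    """Pull USER/PASS lines from client->server FTP control traffic, keyed by client IP."""
    logins = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[3] != FTP_CONTROL_PORT:
            continue
        client_ip, payload = parsed[0], parsed[4]
        for line in payload.split(b"\r\n"):
            if line.startswith(b"USER "):
                logins.setdefault(client_ip, {})["user"] = line[5:].decode("ascii", "replace")
            elif line.startswith(b"PASS "):
                logins.setdefault(client_ip, {})["password"] = line[5:].decode("ascii", "replace")
    return logins


class Hub:
    """Shared medium: a frame entering one port is repeated out of every other port."""

    def __init__(self, ports):
        self.ports = ports  # port number -> list that collects delivered frames

    def transmit(self, ingress, frame):
        for port, inbox in self.ports.items():
            if port != ingress:
                inbox.append(frame)


class Switch(Hub):
    """Learning switch: a known destination MAC goes out one port; unknown ones are flooded."""

    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}

    def transmit(self, ingress, frame):
        dst_mac, src_mac = frame[0:6], frame[6:12]
        self.mac_table[src_mac] = ingress
        if dst_mac in self.mac_table:
            self.ports[self.mac_table[dst_mac]].append(frame)
        else:
            super().transmit(ingress, frame)


def sniff_ftp_login(device_cls):
    """Client on port 1 logs in to the FTP server on port 2; the sniffer listens on port 3."""
    inboxes = {1: [], 2: [], 3: []}
    device = device_cls(inboxes)
    client, server = "02:00:00:00:00:01", "02:00:00:00:00:02"
    # The server's banner goes first, so the switch knows the server's port before the login.
    device.transmit(2, build_tcp_frame(server, client, "10.0.0.2", "10.0.0.1", 21, 40001, b"220 ready\r\n"))
    device.transmit(1, build_tcp_frame(client, server, "10.0.0.1", "10.0.0.2", 40001, 21, b"USER alice\r\n"))
    device.transmit(1, build_tcp_frame(client, server, "10.0.0.1", "10.0.0.2", 40001, 21, b"PASS hunter2\r\n"))
    return extract_ftp_logins(inboxes[3])
```

On the hub the listener on port 3 receives the USER and PASS lines; on the switch it receives only the flooded banner, because the unicast login frames go straight to the port where the server's MAC was learned. That is a reduction in exposure, not an elimination: MAC-table flooding, ARP spoofing or a mirror port put a switched segment back within a sniffer's reach, which is why Q360's rule that passwords never cross the network in clear text still applies.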
QUESTION 370
Which of the following is NOT a system-sensing wireless proximity card?
A. magnetically striped card
B. passive device
C. field-powered device
D. transponder
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A magnetically striped card has to be swiped through a reader and has no radio element. Passive, field-powered
and transponder cards are all wireless proximity cards that the reader senses at a distance through its field.
QUESTION 371
Attacks on smartcards generally fall into what categories?
A. Physical attacks.
B. Trojan Horse attacks.
C. Logical attacks.
D. All of the choices, plus Social Engineering attacks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Attacks on smartcards generally fall into four categories: Logical attacks, Physical attacks, Trojan Horse attacks
and Social Engineering attacks.
QUESTION 372
Which of the following attacks could be the most successful when the security technology is properly
implemented and configured?
A. Logical attacks
B. Physical attacks
C. Social Engineering attacks
D. Trojan Horse attacks
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Social Engineering attacks – In computer security systems, this type of attack is usually the most successful,
especially when the security technology is properly implemented and configured. Usually, these attacks rely on
the faults in human beings. An example of a social engineering attack is a hacker impersonating a network
service technician. The serviceman approaches a low-level employee and requests their password for network
servicing purposes. With smartcards, this type of attack is a bit more difficult. Most people would not trust an
impersonator wishing to have their smartcard and PIN for service purposes.
QUESTION 373
What type of attacks occurs when normal physical conditions are altered in order to gain access to sensitive
information on the smartcard?
A. Physical attacks
B. Logical attacks
C. Trojan Horse attacks
D. Social Engineering attacks
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Physical attacks occur when normal physical conditions, such as temperature, clock frequency, voltage, etc,
are altered in order to gain access to sensitive information on the smartcard. Most smartcard operating systems
write sensitive data to the EEPROM area in a proprietary, encrypted manner so that it is difficult to obtain clear
text keys by directly hacking into the EEPROM. Other physical attacks that have proven to be successful
involve an intense physical fluctuation at the precise time and location where the PIN verification takes place.
Thus, sensitive card functions can be performed even though the PIN is unknown. This type of attack can be
combined with the logical attack mentioned above in order to gain knowledge of the private key. Most physical
attacks require special equipment.
QUESTION 374
Which one of the following is an example of electronic piggybacking?
A. Attaching to a communications line and substituting data.
B. Abruptly terminating a dial-up or direct-connect session.
C. Following an authorized user into the computer room.
D. Recording and playing back computer transactions.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: OK, this is a weird little question. The term “electronic” is kind of throwing me a bit. A lot of
times piggybacking can be used in terms of following someone into a building. Piggyback – Gaining unauthorized
access to a system via another user’s legitimate connection. (see between-the-lines entry)
Between-the-lines entry – Unauthorized access obtained by tapping the temporarily inactive terminal of a
legitimate user. – Ronald Krutz, The CISSP PREP Guide (gold edition) pg 914, 885
QUESTION 375
A system using Discretionary Access Control (DAC) is vulnerable to which one of the following attacks?
A. Trojan horse
B. Phreaking
C. Spoofing
D. SYN flood
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: An attempt to gain access to a system by posing as an authorized user. Synonymous with
impersonating, masquerading, or mimicking. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 921
“Spoofing – The act of replacing the valid source and/or destination IP address and node numbers with false
ones.
Spoofing attack – any attack that involves spoofed or modified packets.” – Ed Tittel, CISSP Study Guide (Sybex)
QUESTION 376
Which of the following is an example of an active attack? Select one.
A. Traffic analysis
B. Masquerading
C. Eavesdropping
D. Shoulder surfing
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Shoulder surfing, eavesdropping and traffic analysis are passive: the attacker only observes and changes
nothing. Masquerading is active, because the attacker injects traffic or actions while claiming someone else’s
identity.
QUESTION 377
What attack involves actions to mimic one’s identity?
A. Brute force
B. Exhaustive
C. Social engineering
D. Spoofing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Spoofing is an attack in which one person or process pretends to be a person or process that has more
privileges. For example, user A can mimic behavior to make process B believe user A is user C. In the absence
of any other controls, B may be duped into giving to user A the data and privileges that were intended for user
C.
QUESTION 378
Which access control model enables the owner of the resource to specify what subjects can access specific
resources?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Under discretionary access control the owner of a resource decides, typically through an access control list,
which subjects may access it and how. Under mandatory access control that decision is made by policy from
labels, and under role-based access control from the subject’s role; “Sensitive Access Control” is not a model.
QUESTION 379
The type of discretionary access control that is based on an individual’s identity is called:
A. Identity-based access control
B. Rule-based access control
C. Non-Discretionary access control
D. Lattice-based access control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Identity-based access control grants or denies access according to the individual subject’s identity and is a
form of DAC. Rule-based and lattice-based access control derive decisions from rules or labels rather than from
the owner’s choice and are non-discretionary.
QUESTION 380
Which of the following access control types gives “UPDATE” privileges on Structured Query Language (SQL)
database objects to specific users or groups?
A. Supplemental
B. Discretionary
C. Mandatory
D. System
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Supplemental and System are not access control types, so the choice is between mandatory and
discretionary; the answer key selects Mandatory. Note that SQL’s GRANT/REVOKE model, in which the object owner
decides which users or roles receive UPDATE, is the textbook example of discretionary access control, so treat
this key with caution. The descriptions below are typical of how a SQL accounting database controls access.
“In a mandatory access control (MAC) model, users and data owners do not have as much freedom to
determine who can access their files. Data owners can allow others to have access to their files, but it is the
operating system that will make the final decision and can override the data owner’s wishes.” Pg. 154 Shon
Harris CISSP All-In-One Certification Exam Guide
“Rule-based access controls are a variation of mandatory access controls. A rule-based system uses a set of
rules, restrictions or filters to determine what can and cannot occur on the system, such as granting subject
access, performing an action on an object, or accessing a resource.” Pg 16 Tittel: CISSP Study Guide.
QUESTION 381
With Discretionary access controls, who determines who has access and what privilege they have?
A. End users.
B. None of the choices.
C. Resource owners.
D. Only the administrators.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which
objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during
which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to
ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use
of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence.
When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
Under this type of control, the owner determines who has access and what privilege they have.
QUESTION 382
What defines an imposed access control level?
A. MAC
B. DAC
C. SAC
D. CAC
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only
administrators and not owners of resources may make decisions that bear on or derive from policy. Only an
administrator may change the category of a resource, and no one may grant a right of access that is explicitly
forbidden in the access control policy.
QUESTION 383
Under MAC, who can change the category of a resource?
A. All users.
B. Administrators only.
C. All managers.
D. None of the choices.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only
administrators and not owners of resources may make decisions that bear on or derive from policy. Only an
administrator may change the category of a resource, and no one may grant a right of access that is explicitly
forbidden in the access control policy.
QUESTION 384
Under MAC, who may grant a right of access that is explicitly forbidden in the access control policy?
A. None of the choices.
B. All users.
C. Administrators only.
D. All managers.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only
administrators and not owners of resources may make decisions that bear on or derive from policy. Only an
administrator may change the category of a resource, and no one may grant a right of access that is explicitly
forbidden in the access control policy.
QUESTION 385
You may describe MAC as:
A. Opportunistic
B. Prohibitive
C. None of the choices.
D. Permissive
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 386
Under MAC, which of the following is true?
A. All that is expressly permitted is forbidden.
B. All that is not expressly permitted is forbidden.
C. All that is not expressly permitted is not forbidden.
D. None of the choices.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 387
Under MAC, a clearance is a:
A. Sensitivity
B. Subject
C. Privilege
D. Object
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 388
Under MAC, a file is a(n):
A. Privilege
B. Subject
C. Sensitivity
D. Object
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 389
Under MAC, classification reflects:
A. Sensitivity
B. Subject
C. Privilege
D. Object
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 390
MAC is used for:
A. Defining imposed access control level.
B. Defining user preferences.
C. None of the choices.
D. Defining discretionary access control level.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined
as follows in the Handbook of Information Security Management:
With mandatory controls, only administrators and not owners of resources may make decisions that bear on or
derive from policy. Only an administrator may change the category of a resource, and no one may grant a right
of access that is explicitly forbidden in the access control policy.
QUESTION 391
With MAC, who may make decisions that bear on policy?
A. None of the choices.
B. All users.
C. Only the administrator.
D. All users except guests.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined
as follows in the Handbook of Information Security Management:
With mandatory controls, only administrators and not owners of resources may make decisions that bear on or
derive from policy. Only an administrator may change the category of a resource, and no one may grant a right
of access that is explicitly forbidden in the access control policy.
QUESTION 392
With MAC, who may NOT make decisions that derive from policy?
A. All users except the administrator.
B. The administrator.
C. The power users.
D. The guests.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined
as follows in the Handbook of Information Security Management:
With mandatory controls, only administrators and not owners of resources may make decisions that bear on or
derive from policy. Only an administrator may change the category of a resource, and no one may grant a right
of access that is explicitly forbidden in the access control policy.
QUESTION 393
Under the MAC control system, what is required?
A. Performance monitoring
B. Labeling
C. Sensing
D. None of the choices
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is
forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more
access with the same exclusionary principle. In this type of control system decisions are based on privilege
(clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
QUESTION 394
Access controls that are not based on the policy are characterized as:
A. Secret controls
B. Mandatory controls
C. Discretionary controls
D. Corrective controls
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Access controls that are not based on the policy are characterized as discretionary controls by the US
government and as need-to-know controls by other organizations. The latter term connotes least privilege –
those who may read an item of data are precisely those whose tasks entail the need.
QUESTION 395
DAC are characterized by many organizations as:
A. Need-to-know controls
B. Preventive controls
C. Mandatory adjustable controls
D. None of the choices
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Access controls that are not based on the policy are characterized as discretionary controls by the US
government and as need-to-know controls by other organizations. The latter term connotes least privilege –
those who may read an item of data are precisely those whose tasks entail the need.
QUESTION 396
Which of the following correctly describes DAC?
A. It is the most secure method.
B. It is of the B2 class.
C. It can extend beyond limiting which subjects can gain what type of access to which objects.
D. It is of the B1 class.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With DAC, administrators can limit access to certain times of day or days of the week. Typically, the period
during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is
designed to ensure that access takes place only when supervisory personnel are present, to discourage
unauthorized use of data. Further, subjects’ rights to access might be suspended when they are on vacation or
leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than
merely suspended.
QUESTION 397
Under DAC, a subject's rights must be ________ when it leaves an organization altogether.
A. recycled
B. terminated
C. suspended
D. resumed
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which
objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during
which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to
ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use
of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence.
When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
QUESTION 398
In a discretionary mode, which of the following entities is authorized to grant information access to other
people?
A. manager
B. group leader
C. security manager
D. user
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 399
With RBAC, each user can be assigned:
A. One or more roles.
B. Only one role.
C. A token role.
D. A security token.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is
assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that
role. Roles can be hierarchical.
QUESTION 400
With RBAC, roles are:
A. Based on labels.
B. All equal
C. Hierarchical
D. Based on flows.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is
assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that
role. Roles can be hierarchical.
QUESTION 401
With __________, access decisions are based on the roles that individual users have as part of an
organization.
A. Server based access control.
B. Rule based access control.
C. Role based access control.
D. Token based access control.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With role-based access control, access decisions are based on the roles that individual users have as part of
an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining
roles should be based on a thorough analysis of how an organization operates and should include input from a
wide spectrum of users in an organization.
QUESTION 402
Under Role based access control, access rights are grouped by:
A. Policy name
B. Rules
C. Role name
D. Sensitivity label
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With role-based access control, access rights are grouped by role name, and the use of resources is restricted
to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor
can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of
researcher can be limited to gathering anonymous clinical information for studies.
QUESTION 403
Which of the following would you consider a “role” under a role-based access control system?
A. Bank rules
B. Bank computer
C. Bank teller
D. Bank network
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With role-based access control, access rights are grouped by role name, and the use of resources is restricted
to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor
can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of
researcher can be limited to gathering anonymous clinical information for studies.
QUESTION 404
Role based access control is attracting increasing attention particularly for what applications?
A. Scientific
B. Commercial
C. Security
D. Technical
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for
commercial applications, because of its potential for reducing the complexity and cost of security administration
in large networked applications.
QUESTION 405
What is one advantage of deploying Role based access control in large networked applications?
A. Higher security
B. Higher bandwidth
C. User friendliness
D. Lower cost
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access
control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce
enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally,
managing security has required mapping an organization’s security policy to a relatively low-level set of
controls, typically access control lists.
QUESTION 406
DAC and MAC policies can be effectively replaced by:
A. Rule based access control.
B. Role based access control.
C. Server based access control.
D. Token based access control
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access
control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce
enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally,
managing security has required mapping an organization’s security policy to a relatively low-level set of
controls, typically access control lists.
QUESTION 407
Which of the following correctly describes Role based access control?
A. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your user
profile groups.
B. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your
organization's structure.
C. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ticketing
system.
D. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ACL.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access
control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce
enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally,
managing security has required mapping an organization’s security policy to a relatively low-level set of
controls, typically access control lists.
QUESTION 408
Which of the following RFCs talks about Rule Based Security Policy?
A. 1316
B. 1989
C. 2717
D. 2828
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The RFC 2828 – Internet Security Glossary talks about Rule Based Security Policy: A security policy based on
global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource
being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on
behalf of users.
QUESTION 409
With Rule Based Security Policy, a security policy is based on:
A. Global rules imposed for all users.
B. Local rules imposed for some users.
C. Global rules imposed for nobody.
D. Global rules imposed for only the local users.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The RFC 2828 – Internet Security Glossary talks about Rule Based Security Policy: A security policy based on
global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource
being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on
behalf of users.
QUESTION 410
With Rule Based Security Policy, global rules usually rely on comparison of the _______ of the resource being
accessed.
A. A group of users.
B. Users
C. Sensitivity
D. Entities
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The RFC 2828 – Internet Security Glossary talks about Rule Based Security Policy: A security policy based on
global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource
being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on
behalf of users.
Topic 4, Application Development Security
QUESTION 411
Which of the following is a facial feature identification product that can employ artificial intelligence and can
require the system to learn from experience?
A. All of the choices.
B. Digital nervous system.
C. Neural networking
D. DSV
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
There are facial feature identification products that are on the market that use other technologies or methods to
capture one’s face. One type of method used is neural networking technology. This type of technology can
employ artificial intelligence that requires the system to “learn” from experience. This “learning” experience
helps the system to close in on an identification of an individual. Most facial feature identification systems today
only allow for two-dimensional frontal images of one’s face.
Not DSV:
Signature biometrics are often referred to as dynamic signature verification (DSV) and look at the way we sign
our names. [15] The dynamic nature differentiates it from the study of static signatures on paper. Within DSV a
number of characteristics can be extracted from the physical signing process. Examples of these behavioral
characteristics are the angle at which the pen is held, the time taken to sign, the velocity and acceleration of the
tip of the pen, and the number of times the pen is lifted from the paper. Despite the fact that the way we sign is
mostly learnt over the years, it is very hard to forge and replicate.
QUESTION 412
Which option is NOT a benefit derived from the use of neural networks?
A. Linearity
B. Input-Output Mapping
C. Adaptivity
D. Fault Tolerance
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Linearity: “If the sum of the weighted inputs then exceeds the threshold, the neuron will “fire” and
there will be an output from that neuron. An alternative approach would be to have the output of the neuron be
a linear function of the sum of the artificial neuron inputs.”
Input-Output Mapping: “For example, if a specific output vector was required for a specific input where the
relationship between input and output was non-linear, the neural network would be trained by applying a set of
input vector.”
Adaptivity: “The neural network would then be said to have learned to provide the correct response for each
input vector.”
Pg. 261 Krutz: The CISSP Prep Guide
QUESTION 413
Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems
B. DSS emphasizes flexibility in the decision making approach of users
C. DSS supports only structured decision-making tasks
D. DSS combines the use of models with non-traditional data access and retrieval functions
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 414
Which of the following is a communication mechanism that enables direct conversation between two
applications?
A. DDE
B. OLE
C. ODBC
D. DCOM
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Dynamic Data Exchange (DDE) enables applications to share data by providing IPC. It is based
on the client/server model and enables two programs to send commands to each other directly. DDE is a
communication mechanism that enables direct conversation between two applications. The source of the data
is called the server, and the receiver of the data is the client.” Pg. 718 Shon Harris: All-In-One CISSP
Certification Exam Guide
QUESTION 415
Which expert system operating mode allows determining if a given hypothesis is valid?
A. Vertical chaining
B. Lateral chaining
C. Forward chaining
D. Backward chaining
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “The expert system operates in either a forward-chaining or backward-chaining mode. In a
forward-chaining mode, the expert system acquires information and comes to a conclusion based on that
information. Forward-chaining is the reasoning approach that can be used when there is a small number of
solutions relative to the number of inputs. In a backward-chaining mode, the expert system backtracks to
determine if a given hypothesis is valid. Backward-chaining is generally used when there are a large number of
possible solutions relative to the number of inputs. Another type of expert system is the blackboard. A
blackboard is an expert system-reasoning methodology in which a solution is generated by the use of a virtual
“blackboard,” wherein information or potential solutions are placed on the blackboard by the plurality of
individuals or expert knowledge sources. As more information is placed on the blackboard in an iterative
process, a solution is generated.” Pg 354 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 416
Which one of the following is a security issue related to aggregation in a database?
A. Polyinstantiation
B. Inference
C. Partitioning
D. Data swapping
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Inference is the ability of users to infer or deduce information about data at sensitivity levels for
which they do not have access privileges. Ronald Krutz The CISSP PREP Guide (gold edition) pg 358
The other security issue is inference, which is very similar to aggregation. Shon Harris All-in-one CISSP
Certification Guide pg 727
Partitioning a database involves dividing the database into different parts, which makes it much harder for an
unauthorized individual to find connecting pieces of data that can be brought together and other information
that can be deduced or uncovered. Shon Harris All-in-one CISSP Certification Guide pg 726
Polyinstantiation: This enables a relation to contain multiple tuples with the same primary keys with each
instance distinguished by a security level. Shon Harris All-in-one CISSP Certification Guide pg 727
QUESTION 417
How is polyinstantiation used to secure a multilevel database?
A. It prevents low-level database users from inferring the existence of higher level data.
B. It confirms that all constrained data items within the system conform to integrity specifications.
C. It ensures that all mechanisms in a system are responsible for enforcing the database security policy.
D. Two operations at the same layer will conflict if they operate on the same data item and at least one of them
is an update.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Polyinstantiation is the development of a detailed version of an object from another object using
different values in the new object. In the database information security, this term is concerned with the same
primary key for different relations at different classification levels being stored in the same database. For
example, in a relational database, the name of a military unit may be classified Secret in the database and may
have an identification number as the primary key. If another user at a lower classification level attempts to
create a confidential entry for another military unit using the same identification number as a primary key, a
rejection of this attempt would imply to the lower level user that the same identification number existed at a
higher level of classification. To avoid this inference channel of information, the lower level user would be
issued the same identification number for their unit and the database management system would manage this
situation where the same primary key was used for different units.” Pg 352-353 Krutz: The CISSP Prep Guide: Gold Edition.
“Polyinstantiation occurs when two or more rows in the same table appear to have identical primary key elements
but contain different data for use at differing classification levels. Polyinstantiation is often used as a defense
against some types of inference attacks.
For example, consider a database table containing the location of various naval ships on patrol.
Normally, this database contains the exact position of each ship stored at the level with secret classification.
However, one particular ship, the USS UpToNoGood, is on an undercover mission to a top-secret location.
Military commanders do not want anyone to know that the ship deviated from its normal patrol. If the database
administrators simply change the classification of the UpToNoGood’s location to top secret, a user with secret
clearance would know that something unusual was going on when they couldn’t query the location of the ship.
However, if polyinstantiation is used, two records could be inserted into the table. The first one, classified at the
top secret level, would reflect the true location of the ship and be available only to users with the appropriate top
secret security clearance. The second record, classified at the secret level, would indicate that the ship was on
routine patrol and would be returned to users with a secret clearance.”
Pg. 191 Tittel: CISSP Study Guide Second Edition
QUESTION 418
Which of the following defines the software that maintains and provides access to the database?
A. database management system (DBMS)
B. relational database management systems (RDBMS)
C. database identification system (DBIS)
D. Interface Definition Language system (IDLS)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 419
Which of the following is not a responsibility of a database administrator?
A. Maintaining databases
B. Implementing access rules to databases
C. Reorganizing databases
D. Providing access authorization to databases
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 420
SQL commands do not include which of the following?
A. Select, Update
B. Grant, Revoke
C. Delete, Insert
D. Add, Replace
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “SQL commands include Select, Update, Delete, Insert, Grant, and Revoke.” Pg 62 Krutz: CISSP
Prep Guide: Gold Edition
QUESTION 421
A persistent collection of interrelated data items can be defined as which of the following?
A. database
B. database management system
C. database security
D. database shadowing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 422
Which one of the following is commonly used for retrofitting multilevel security to a Database Management
System?
A. Trusted kernel
B. Kernel controller
C. Front end controller
D. Trusted front-end
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 423
Which of the following is the marriage of object-oriented and relational technologies combining the attributes of
both?
A. object-relational database
B. object-oriented database
C. object-linking database
D. object-management database
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 424
A department manager has read access to the salaries of the employees in his/her department but not to the
salaries of employees in other departments. A database security mechanism that enforces this policy would
typically be said to provide which of the following?
A. content-dependent access control
B. context-dependent access control
C. least privileges access control
D. ownership-based access control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Database security takes a different approach than operating system security. In an operating
system, the identity and authentication of the subject controls access. This is done through access control lists
(ACLs), capability tables, roles, and security labels. The operating system only makes decisions about where a
subject can access a file; it does not make this decision based on the contents of the file itself. If Mitch can
access file A, it does not matter if that file contains information about a cookie recipe or secret information from
the Cold War. On the other hand, database security does look at the contents of a file when it makes an access
control decision, which is referred to as content-dependent access control. This type of access control
increases processing overhead, but it provides higher granular control.” Pg. 677 Shon Harris:
CISSP Certification All-in-One Exam Guide
QUESTION 425
Which of the following is an important part of database design that ensures that attributes in a table depend
only on the primary key?
A. Normalization
B. Assimilation
C. Reduction
D. Compaction
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 426
Which of the following does not address Database Management Systems (DBMS) Security?
A. Perturbation
B. Cell suppression
C. Padded Cells
D. Partitioning
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 427
Which of the following is commonly used for retrofitting multilevel security to a database management system?
A. trusted front-end
B. trusted back-end
C. controller
D. kernel
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 428
Normalizing data within a database includes all of the following except which?
A. Eliminating repeating groups by putting them into separate tables
B. Eliminating redundant data
C. Eliminating attributes in a table that are not dependent on the primary key of that table
D. Eliminating duplicate key fields by putting them into separate tables
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Data Normalization
Normalization is an important part of database design that ensures that attributes in a table depend only on the
primary key. This process makes it easier to maintain data and have consistent reports.
Normalizing data in the database consists of three steps:
1.) Eliminating any repeating groups by putting them into separate tables
2.) Eliminating redundant data (occurring in more than one table)
3.) Eliminating attributes in a table that are not dependent on the primary key of that table”
Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 429
SQL commands do not include which of the following?
A. Select, Update
B. Grant, Revoke
C. Delete, Insert
D. Add, Replace
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “SQL commands include Select, Update, Delete, Grant, and Revoke.” Pg. 62 Krutz: The CISSP Prep Guide: Gold Edition
“Developed by IBM, SQL is a standard data manipulation and relational database definition language. The SQL
Data Definition Language creates and deletes views and relations (tables). SQL commands include Select,
Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control to grant and
revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT privileges to an
object to another subject. If the owner intentionally does not transfer the GRANT privileges, however, which are
relative to an object to the individual A, A cannot pass on the GRANT privileges to another subject. In some
instances, however, this security control can be circumvented. For example, if A copies the object, A essentially
becomes the owner of that object and thus can transfer the GRANT privileges to another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute
the same query.”
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition.
QUESTION 430
SQL security issues include which of the following?
A. The granularity of authorizations
B. The size of databases
C. The complexity of key structures
D. The number of candidate key elements
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Developed by IBM, SQL is a standard data manipulation and relational database definition
language. The SQL Data Definition Language creates and deletes views and relations (tables). SQL commands
include Select, Update, Delete, Insert, Grant, and Revoke. The latter two commands are used in access control
to grant and revoke privileges to resources. Usually, the owner of an object can withhold or transfer GRANT
privileges to an object to another subject. If the owner intentionally does not transfer the GRANT privileges,
however, which are relative to an object to the individual A, A cannot pass on the GRANT privileges to another
subject. In some instances, however, this security control can be circumvented. For example, if A copies the
object, A essentially becomes the owner of that object and thus can transfer the GRANT privileges to
another user, such as user B.
SQL security issues include the granularity of authorization and the number of different ways you can execute
the same query.
Pg. 63 Krutz: The CISSP Prep Guide: Gold Edition.
QUESTION 431
Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being
sent to the database on a server?
A. Bind variables
B. Assimilation variables
C. Reduction variables
D. Resolution variables
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 432
What ensures that attributes in a table depend only on the primary key?
A. Referential integrity
B. The d