INFOSEC FINAL EXAM QUESTIONS
AND ANSWERS 100% PASS
The idea behind _____________ in ______________ is to manage risk with diverse defensive
strategies, so that if one layer of defense turns out to be inadequate, another layer of defense
will hopefully prevent a full breach. - ANS defense , depth
A security mechanism is a method, tool, or procedure for enforcing a security policy. -
ANS True
The role of trust is not crucial to understanding the nature of computer security. - ANS False
A security policy is a statement of what is, and what is not, allowed. - ANS True
Analysis of a policy model usually discusses particular policies. - ANS False
Match the following terms to their definitions:
- Principle of Least Privilege / Principle of Least Authority
- Principle of Separation of Privilege
- Principle of Fail-Safe Defaults
- Principle of Least Common Mechanism
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,- Principle of Least Astonishment - ANS Principle of Least Privilege / Principle of Least
Authority - a subject should be given only those privileges that it needs in order to complete its
task
Principle of Separation of Privilege - a system should not grant permission based on a single
condition
Principle of Fail-Safe Defaults - unless a subject is given explicit access to an object, it should be
denied access to that object
Principle of Least Common Mechanism - mechanisms used to access resources should not be
shared
Principle of Least Astonishment - security mechanisms should be designed to that users
understand the reason that the mechanisms work the way it does and that using the
mechanism is simple
Security mechanisms must be technical in nature. - ANS False
In theory, formal verification can prove the absence of vulnerabilities. - ANS True
Penetration testing is a testing technique, not a proof technique. - ANS True
The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of
engagement, organizes teams, makes plans and monitors progress. - ANS True
Black-box testing - ANS uses test methods that aren't based directly on knowledge of a
program's architecture or design
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, White-box testing - ANS Based on knowledge of the application's design and source code.
Gray Box Testing - ANS Uses limited knowledge of the program's internals. This might mean
the tester knows about some parts of the source code and not others
Unlike other testing and verification technologies, a penetration test examines procedural and
operational controls as well as technological controls. - ANS True
The primary goal of a Purple Team is to maximize the results of Red Team engagements and
improve Blue Team capability. - ANS True
Select the correct Audit Data Collection Methods - ANS Checklists
Reviewing Polcy
Questionnaires
The goal of a penetration study/test is to violate the site security policy. - ANS True
The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of
engagement, organizes teams, makes plans and monitors progress. - ANS True
Cryptography is a fundamental tool in security because encryption can guarantee: - ANS 1.
Data Confidentiality/Privacy
2. Data integrity
3. Protection from replay attacks
4. Message Authenticity
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
AND ANSWERS 100% PASS
The idea behind _____________ in ______________ is to manage risk with diverse defensive
strategies, so that if one layer of defense turns out to be inadequate, another layer of defense
will hopefully prevent a full breach. - ANS defense , depth
A security mechanism is a method, tool, or procedure for enforcing a security policy. -
ANS True
The role of trust is not crucial to understanding the nature of computer security. - ANS False
A security policy is a statement of what is, and what is not, allowed. - ANS True
Analysis of a policy model usually discusses particular policies. - ANS False
Match the following terms to their definitions:
- Principle of Least Privilege / Principle of Least Authority
- Principle of Separation of Privilege
- Principle of Fail-Safe Defaults
- Principle of Least Common Mechanism
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,- Principle of Least Astonishment - ANS Principle of Least Privilege / Principle of Least
Authority - a subject should be given only those privileges that it needs in order to complete its
task
Principle of Separation of Privilege - a system should not grant permission based on a single
condition
Principle of Fail-Safe Defaults - unless a subject is given explicit access to an object, it should be
denied access to that object
Principle of Least Common Mechanism - mechanisms used to access resources should not be
shared
Principle of Least Astonishment - security mechanisms should be designed to that users
understand the reason that the mechanisms work the way it does and that using the
mechanism is simple
Security mechanisms must be technical in nature. - ANS False
In theory, formal verification can prove the absence of vulnerabilities. - ANS True
Penetration testing is a testing technique, not a proof technique. - ANS True
The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of
engagement, organizes teams, makes plans and monitors progress. - ANS True
Black-box testing - ANS uses test methods that aren't based directly on knowledge of a
program's architecture or design
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, White-box testing - ANS Based on knowledge of the application's design and source code.
Gray Box Testing - ANS Uses limited knowledge of the program's internals. This might mean
the tester knows about some parts of the source code and not others
Unlike other testing and verification technologies, a penetration test examines procedural and
operational controls as well as technological controls. - ANS True
The primary goal of a Purple Team is to maximize the results of Red Team engagements and
improve Blue Team capability. - ANS True
Select the correct Audit Data Collection Methods - ANS Checklists
Reviewing Polcy
Questionnaires
The goal of a penetration study/test is to violate the site security policy. - ANS True
The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of
engagement, organizes teams, makes plans and monitors progress. - ANS True
Cryptography is a fundamental tool in security because encryption can guarantee: - ANS 1.
Data Confidentiality/Privacy
2. Data integrity
3. Protection from replay attacks
4. Message Authenticity
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
