CPCU 500 Exam & Practice Exam Questions and Answers Practice Questions with Solutions Newest | Already Graded A+
1. Which software development vulnerability arises when multiple processes control or share
access to a resource, and the correct handling of that resource depends on the proper ordering or
timing of transactions?
A. Deadlocks
B. Buffer overflows
C. SQL injection
D. Race conditions
Answer: D
Rationale: Race conditions occur when the behavior of software depends on the timing or sequence of
uncontrollable events, such as thread scheduling. The correct answer is 'Race conditions' because they
specifically involve multiple processes competing for shared resources, leading to unpredictable
outcomes if not properly synchronized.
2. Which type of tool is specifically designed to identify vulnerabilities in source code that arise
from improper handling of user input?
A. Static analysis tool
B. Code linter
C. Fuzzer
D. Debugger
Answer: C
Rationale: A fuzzer is a testing tool that injects malformed or unexpected input into a program to detect
vulnerabilities such as buffer overflows or injection flaws, which often result from improper input
handling. Unlike static analysis tools, debuggers, or linters, fuzzers actively test runtime behavior with
varied inputs to uncover these specific issues.
3. A petroleum company uses a group of computers to monitor material flow in its refining process.
These computers are never connected to the internet or any other corporate network, and they host
proprietary monitoring software that the company has registered as a trade secret. Which type of
security is most effective in protecting this software from theft?
A. Endpoint
B. Physical
C. Network
D. Application
Answer: B
Rationale: Physical security is the correct answer because the computers are isolated from networks, so the primary threat
is unauthorized physical access. Network, application, and endpoint security are irrelevant or insufficient when the system is
air-gapped and the software is a trade secret.
4. Which of the following steps in the access control process involves tracking and logging user
actions to ensure responsibility for actions taken?
A. Authentication
B. Identification
C. Authorization
D. Accountability
Answer: D
Rationale: The sequence 1-Identification, 2-Authentication, 3-Authorization, 4-Access corresponds to the
IAAA model, where Accountability is the fourth step after Access, not part of the sequence. However,
among the options, Accountability is the closest match to the given list, as it is often associated with
access control.
5. Confidential Services Inc. is a military-support organization with 1,400 internet-connected
computers and 250 servers. All employees must hold security clearances. Which access control
model is most appropriate for this environment?
A. Mandatory access control
B. Role-based access control
C. Discretionary access control
D. Rule-based access control
Answer: C
Rationale: Discretionary access control (DAC) allows data owners to set permissions, which is suitable
here because employees with clearances can be trusted to manage access to sensitive information.
Mandatory access control would be too rigid for a military-support branch, while role-based and
rule-based models are less flexible for this context.
6. What term describes the proper attribution to the owner or creator of data?
A. Integrity
B. Availability
C. Confidentiality
D. Authenticity
Answer: D
Rationale: Attribution refers to giving proper credit to the owner or creator of data, which is a key
principle in data ethics and copyright. The other options do not directly relate to ownership or credit.
7. A security awareness training module depicts an employee using a hardware token for
two-factor authentication. Which specific security weakness is this module designed to address?
A. Weak passwords
B. Malware infections
C. Insider threats
D. Phishing attacks
Answer: A
Rationale: Two-factor authentication adds an extra layer of security beyond just a password, directly
mitigating the risk of weak or compromised passwords. Phishing, insider threats, and malware are not
directly addressed by the use of a hardware token.
8. What is the definition of competitive intelligence?
A. The use of intuition and experience to predict market trends
B. The process of gathering and analyzing information to support business decisions
C. The practice of spying on competitors to obtain trade secrets
D. The collection of historical financial data for annual reports
Answer: B
Rationale: Competitive intelligence specifically focuses on gathering and analyzing information about
competitors and the market to gain a strategic advantage. Option C accurately defines this, while option
A is too broad and could apply to general business intelligence.
9. Which organization audits other companies for licensing requirements?
A. BSA
B. SEC
C. ISO
D. FTC
Answer: A
Rationale: The BSA (Business Software Alliance) is known for conducting audits to ensure software
licensing compliance. ISO sets standards but does not audit for licensing, the FTC enforces consumer
protection laws, and the SEC regulates securities markets.
10. Which authentication factor can prevent a man-in-the-middle attack?
A. Something you know
B. Somewhere you are
C. Something you have
D. Something you are
Answer: A
Rationale: A man-in-the-middle attack intercepts communication between two parties. 'Something you
know' (e.g., a password) is vulnerable to interception, but when combined with other factors in
multi-factor authentication, it helps prevent such attacks. However, the question asks which factor can
prevent it, and 'something you know' alone is the correct answer because it is the only factor listed that
is directly involved in authentication protocols that can resist MITM when used properly.
11. Which term describes the existence of evidence that prevents an individual from denying that
they made a statement or took an action?
A. Confidentiality
B. Authentication
C. Nonrepudiation
D. Integrity
Answer: C
Rationale: Nonrepudiation ensures that an individual cannot deny having made a statement or taken an
action, often through digital signatures or logs. The other options relate to verifying identity,
permissions, and data accuracy, but not to denying actions.
12. What is the definition of information security?
A. Guaranteeing the confidentiality, integrity, and availability of data at all times.
B. Preventing all forms of cyber attacks on network infrastructure.
C. Protecting information and information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction.
D. Ensuring that only authorized users can access physical documents.
Answer: C
Rationale: The correct answer encompasses the full scope of information security, including protection
against various threats like unauthorized access, use, disclosure, disruption, modification, or
destruction. The distractors are incomplete or overly specific; for example, the third distractor mentions
the CIA triad but omits the broader range of protective measures.
13. Which of the following options includes all three types of physical security controls: deterrent,
detective, and preventive?
A. Fence with barbed wire
B. Motion-activated light
C. Security camera
D. Guard dog
Answer: D
Rationale: A guard dog serves as a deterrent (its presence discourages intruders), a detective control (it
barks to alert of an intrusion), and a preventive control (it can physically stop an intruder). Security
cameras are primarily detective, fences are preventive, and motion-activated lights are deterrent and
detective but not preventive.
14. Something that has the potential to cause harm to our assets is known as a(n):
A. Risk
B. Impact
C. Hazard
D. Peril
Answer: B
Rationale: In risk management, 'impact' refers to the potential harm or loss that could affect assets. A
hazard is a condition that increases the likelihood of a loss, a peril is the direct cause of a loss, and risk
is the uncertainty about a loss. Thus, impact is the correct term for potential harm.