BCIS 4740
Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the single loss expectancy (SLE)?
$500,000
Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the annualized rate of occurrence (ARO)?
0.05
What is the output value of the mathematical function 16 mod 3?
1
Acme Widgets has 10 employees and they all need the ability to communicate with one another using a symmetric encryption system. The system should allow any two employees to securely communicate without other employees eavesdropping. If an 11th employee is added to the organization, how many new keys must be added to the system?
10
Please refer to the following scenario:• Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.• Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.What is the exposure factor (EF)?
100%
How many possible keys exist in a 4-bit key space?
16
What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?
56 bits
Which one of the following is not a possible key length for the Advanced Encryption Standard Rijndael cipher?
56 bits
What block size is used by the 3DES encryption algorithm?
64 bits
What type of malware connects to a command-and-control system, allowing attackers to manage, control, and update it remotely?
A bot
The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have?
A race condition
Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used?
A watering hole attack
Vince is choosing a symmetric encryption algorithm for use in his organization. He would like to choose the strongest algorithm from the choices below. What algorithm should he choose?
AES
Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most, if discovered in a public repository?
API keys
Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?
AUP
Which one of the following software development models focuses on the early and continuous delivery of software?
Agile
Which one of the following statements about cryptographic keys is incorrect?
All cryptographic keys should be kept secret.
Which one of the following is the best example of a hacktivist group?
Anonymous
A person's name, age, location, or job title are all examples of what?
Attributes
What is the primary purpose of Kerberos?
Authentication
When a caller was recently directed to Amanda, who is a junior IT employee at her company, the caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization's firewall due to an ongoing issue with their e-commerce website. After Amanda made the change, she discovered that the caller was not the head of IT, and that it was actually a penetration tester hired by her company. Which social engineering principle best matches this type of attack?
Authority
Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?
Block cipher
Frank is investigating a security incident where the attacker entered a very long string into an input field, which was followed by a system command. What type of attack likely took place?
Buffer overflow
Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?
Bug bounty
Which element of the SCAP framework can be used to consistently describe vulnerabilities?
CVE
What is the function of the network access server within a RADIUS architecture?
Client
What type of security policy often serves as a backstop for issues not addressed in other policies?
Code of conduct
Norm is using full-disk encryption technology to protect the contents of laptops against theft. What goal of cryptography is he attempting to achieve?
Confidentiality
Which one of the following statements is not true about compensating controls under PCI DSS?
Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
What type of cross-site scripting attack would not be visible to a security professional inspecting the HTML source code in a browser?
DOM-based XSS
Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization?
Data processor
Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts?
Data protection officer
If David wishes to digitally sign the message that he is sending Mike, what key would he use to create the digital signature?
David's private key
When Mike receives the digitally signed message from David, what key should he use to verify the digital signature?
David's public key
Tim is working on a change to a web application used by his organization to fix a known bug. What environment should he be working in?
Development
What type of cryptographic attack attempts to force a user to reduce the level of encryption that they use to communicate with a remote server?
Downgrade
Ben searches through an organization's trash looking for sensitive documents, internal notes, and other useful information. What term describes this type of activity?
Dumpster diving
What type of digital certificate provides the greatest level of assurance that the certificate owner is who they claim to be?
EV
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?
False positive
Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users?
Fingerprint scanner
Which of the following is the best description of tailgating?
Following someone through a door they just unlocked
Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information?
Footprinting
What kind of attack makes the Caesar cipher virtually unusable?
Frequency analysis attack
What law creates privacy obligations for those who handle the personal information of European Union residents?
GDPR
Samantha wants to set an account policy that ensures that devices can be used only while the user is in the organization's main facility. What type of account policy should she set?
Geofencing
Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?
Guideline
What type of security solution provides a hardware platform for the storage and management of encryption keys?
HSM
Alan's team needs to perform computations on sensitive personal information but does not need access to the underlying data. What technology can the team use to perform these calculations without accessing the data?
Homomorphic encryption
Upon further inspection, Joe finds a series of thousands of requests to the same URL coming from a single IP address. Here are a few examples:http://www.mycompany.com/servicestatus.php?serviceID=1http://www.mycompany.com/servicestatus.php?serviceID=2http://www.mycompany.com/servicestatus.php?serviceID=3http://www.mycompany.com/servicestatus.php?serviceID=4http://www.mycompany.com/servicestatus.php?serviceID=5http://www.mycompany.com/servicestatus.php?serviceID=6What type of vulnerability was the attacker likely trying to exploit?
Insecure direct object reference
Edward Snowden was a government contractor who disclosed sensitive government documents to journalists to uncover what he believed were unethical activities. Which two of the following terms best describe Snowden's activities? (Choose two.)
Insider hacktivist
Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
IoC
What does the CER for a biometric device indicate?
It indicates the point where the false rejection rate equals the false acceptance rate.
Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on?
It is a one-way function.
Which of the following best identifies the benefit of a passphrase?
It is easy to remember.
During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?
Lateral movement
Refer the following scenario when answering questions.An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month.The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. Which of the following basic principles was violated during the administrator's employment?
Least privilege
Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
Low
Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using?
M of N Control
What type of attack places an attacker in the position to eavesdrop on communications between a user and a web server?
Man-in-the-middle
Matt is updating the organization's threat assessment process. What category of control is Matt implementing?
Managerial
Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?
Mandatory vacations
Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test?
Metasploit
David would like to send Mike a message using an asymmetric encryption algorithm. What key should he use to encrypt the message?
Mike's public key
Which one of the following attackers is most likely to be associated with an APT?
Nation-state actor
Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?
Network-based
John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message?
Nonrepudiation
What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?
One
When correctly implemented, what is the only cryptosystem known to be unbreakable?
One-time pad
Which one of the following certificate formats is closely associated with Windows binary certificate files?
PFX
Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records?
PHI
Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
PR
Joe checks his web server logs and sees that someone sent the following query string to an application running on the server:http://www.mycompany.com/servicestatus.php?serviceID=892&serviceID=892' ;DROP TABLE Services;--What type of attack was most likely attempted?
Parameter pollution
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
Parameterized queries
Which of the following technologies is the least effective means of preventing shared accounts?
Password complexity requirements
During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability: Threat-Impact-Solution.jpg What security control, if deployed, would likely have addressed this issue?
Patch management
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
Performing user input validation
Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?
Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.•Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks.In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is being used in this situation?
Which of the following best expresses the primary goal when controlling access to assets?
Preserve confidentiality, integrity, and availability of systems and data.
Which one of the following is not an advantage of database normalization?
Preventing injection attacks
Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
Preventive
Which one of the following items is not normally included in a request for an exception to security policy?
Proposed revision to the security policy
Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?
Purpose limitation
Elaine wants to implement an AAA system. Which of the following is an AAA system she could implement?
RADIUS
Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation?
RBAC
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
Read-only
Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise?
Red team
Please refer to the following scenario:• Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?
Risk avoidance
Which one of the following servers is almost always an offline CA in a large PKI deployment?
Root CA
Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?
Rules of engagement
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?
Run the scan in a test environment.
What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key?
Running key cipher
Which type of multifactor authentication is considered the least secure?
SMS
Wendy is a penetration tester who wishes to engage in a session hijacking attack. What information is crucial for Wendy to obtain if her attack will be successful?
Session cookie
Mike is sending David an encrypted message using a symmetric encryption algorithm. What key should he use to encrypt the message?
Shared secret key
Tracy is concerned about attacks against the machine learning algorithm that her organization is using to assess their network. What step should she take to ensure that her baseline data is not tainted?
She should run the ML algorithm on the network only if she believes it is secure.
Alan reads Susan's password from across the room as she logs in. What type of technique has he used?
Shoulder surfing
Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide?
Something you can do
A PIN is an example of what type of factor?
Something you know
What type of phishing targets specific groups of employees, such as all managers in the financial department of a company?
Spear phishing
Brian discovers that a user suspected of stealing sensitive information is posting many image files to a message board. What technique might the individual be using to hide sensitive information in those images?
Steganography
What type of cipher operates on one character of text at a time?
Stream cipher
Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
Synchronous token
Tina is tuning her organization's intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?
Technical control
Which of the following is true related to a subject?
The subject is always the entity that receives information about or data from an object.
Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise?
Threat hunting
Trevor is deploying the Google Authenticator mobile application for use in his organization. What type of one-time password system does Google Authenticator use in its default mode?
Time-based one-time passwords
Joe is examining the logs for his web server and discovers that a user sent input to a web application that contained the string WAITFOR. What type of attack was the user likely attempting?
Timing-based SQL injection
What is a HSM used for?
To generate, manage, and securely store cryptographic keys
Which one of the following data protection techniques is reversible when conducted properly?
Tokenization
What type of cipher relies on changing the location of characters within a message to achieve confidentiality?
Transposition cipher
Which AES finalist makes use of prewhitening and postwhitening techniques?
Twofish
Nicole accidentally types www.smazon.com into her browser and discovers that she is directed to a different site loaded with ads and pop-ups. Which of the following is the most accurate description of the attack she has experienced?
Typo squatting
When you combine phishing with Voice over IP, it is known as:
Vishing
Which one of the following tools is most likely to detect an XSS vulnerability?
Web application vulnerability scanner
Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting?
White-box test
What language is STIX based on?
XML