CIS 560 Final Exam
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$2,000,000
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall?
25
What ISO security standard can help guide the creation of an organization's security policy?
27002
How many years of post-secondary education are typically required to earn a bachelor's degree in a non-accelerated program?
4
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
443 HTTP over SSL
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
What DoD directive requires that information security professionals in the government earn professional certifications?
8140
Which of the following is NOT a benefit of cloud computing to organizations?
?
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Which one of the following is the best example of an authorization control?
Access control lists
Mark is considering outsourcing security functions to a third-party provider. What benefit is he most likely to achieve?
Access to high level of expertise
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees?
Annually
Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?
Application proxying
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
Applying strong encryption
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
During what phase of a remote access connection does the end user prove his or her claim of identity?
Authentication
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Black-box test
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?
Bob's public key
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Business associate of a covered entity
Jim is an experienced security professional who recently accepted a position in an organization that uses Check Point firewalls. What certification can Jim earn to demonstrate his ability to administer these devices?
CCSA
Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs?
CISSP-ISSAP
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?
Captive portal
What certification focuses on information systems audit, control, and security professionals?
Certified Information Systems Auditor (CISA)
Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals?
Certified Information Systems Security Professional (CISSP)
Which of the following circumstances would NOT trigger mandatory security training for a federal agency under Office of Personnel Management (OPM) guidelines?
Change of senior leadership
Which of the following Cisco certifications demonstrates the most advanced level of security knowledge?
Cisco Certified Internetwork Expert (CCIE) Security
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
Confidentiality
Gary is sending a message to Patricia. He wants to ensure that nobody views the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Confidentiality
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?
Content Filter
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
Correspondent node (CN)
What program, released in 2013, is an example of ransomware?
Crypt0L0cker
Which element is NOT a core component of the ISO 27002 standard?
Cryptography
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y?
Customer
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?
Customer?
What is NOT one of the four main purposes of an attack?
Data import
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
What information should an auditor share with the client during an exit interview?
Details on major issues
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Diffie-Hellman
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
Which one of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries?
E-commerce
Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect?
Encryption
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)?
Encryption
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
What is the first step in a disaster recovery effort?
Ensure that everyone is safe
Which organization creates information security standards that specifically apply within the European Union?
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil twin
What entity is responsible for overseeing compliance with the Family Educational Rights and Privacy Act (FERPA)?
FPCO
What mathematical problem forms the basis of most modern cryptographic algorithms?
Factoring large primes
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?
False positive error
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
What is NOT a common motivation for attackers?
Fear
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?
Federal Communications Commission (FCC)
Which control is not designed to combat malware?
Firewall
What type of firewall security feature limits the volume of traffic from individual hosts?
Flood guard
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities?
GIAC Certified Forensic Examiner (GCFE)
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records?
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
Which unit of measure represents frequency and is expressed as the number of cycles per second?
Hertz
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Honeypot
Which recovery site option provides readiness in minutes to hours?
Hot site
Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management?
ISO 27002
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Integrity
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact?
International Council of E-Commerce Consultants (EC-Council)
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?
International Organization for Standardization (ISO)
Which organization promotes technology issues as an agency of the United Nations?
International Telecommunication Union (ITU)
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion Prevention System (IPS)
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security?
MBA
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?
National Security Agency (NSA)
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
Nmap
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity cost
Which type of authentication includes smart cards?
Ownership
Which one of the following is an example of a logical access control?
Password
Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of the Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included?
Password Management
Which regulatory standard would NOT require audits of companies in the United States?
Personal Information Protection and Electronic Documents Act
A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment?
Personally owned devices
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
Polymorphic virus
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?
Presentation
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis?
Professional certification
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project Initiation and planning
Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process?
Proposed Standard (PS)
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
What type of publication is the primary working product of the Internet Engineering Task Force (IETF)?
Request for comment (RFC)
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances?
Required
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)?
Right to delete unwanted information from records
Which formula is typically used to describe the components of information security risks?
Risk = Threat X Vulnerability
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?
SAQ C
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL Injection
Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation?
Secure
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Secure Sockets Layer (SSL)
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her?
Security+
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Which intrusion detection system strategy relies upon pattern matching?
Signature detection
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?
Switch
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
Which type of virus targets computer hardware and software startup functions?
System Infectors
What is NOT generally a section in an audit report?
System configurations
Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries?
Technical and Industry development
Which one of the following is NOT an example of store-and-forward messaging?
Telephone call
Which term describes something that can damage or compromise an asset?
Threat
How many years of specialized experience are required to earn one of the Certified Information Systems Security Professional (CISSP) concentrations?
Two
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
What is NOT an effective key distribution method for plaintext encryption keys?
Unencrypted email
Which one of the following is typically used during the identification phase of a remote access connection?
Username
What is the only unbreakable cipher when it is used properly?
Vernam
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating?
Whitelisting
Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest-speed wireless connectivity?
Wi-Fi
What type of network connects systems over the largest geographic area?
Wide area network (WAN)
What standard is NOT secure and should never be used on modern wireless networks?
Wired Equivalent Privacy (WEP)
What is NOT a service commonly offered by unified threat management (UTM) devices?
Wireless network access
What type of malware does NOT have an anti-malware solution and should be covered in security awareness training?
Zero-day exploits
Which one of the following is an example of a disclosure threat?
espionage
Security training programs typically differ from security education programs in their focus on _________.
hands on skills
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
passive wiretap
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer
What type of malicious software masquerades as legitimate software to entice the user to run it?
trojan horse
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
white-hat hacker