CS 450 - Final Exam
T/F A control classified as preventative has to be known by a person in order to be effective.
False
T/F All data is equally important, and thus equally damaging in the event of loss.
False
T/F Always analyze a seized system directly on the device.
False
T/F Changing a file's extension will alter the contents of a file.
False
T/F Clouds can be created by many entities, but must be internal to an organization.
False
T/F Detecting that a security event is occurring or has occurred is an easy matter.
False
T/F From a forensics perspective, Linux systems have the same artifacts as Windows systems.
False
T/F If you test something and it comes back negative, but it was in fact positive, then the result is a false positive.
False
T/F Large organizations typically have the resources to protect everything against all threats.
False
________ refers to the analysis of a specific system, including the analysis of file systems and artifacts of the operating system.
Host forensics
Which action is an example of transferring risk?
Management purchases insurance for the occurrence of an attack.
Who operates the Common Criteria Evaluation and Validation Scheme in the U.S.?
NIST and the NSA
What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?
NetFlow
The ________ is a set of tools that can be used to target attacks at the people using systems; it has applets that can be used to create phishing e-mails, Java attack code, and other social engineering-type attacks.
Social-Engineering Toolkit
________ is the chance of loss that is predictable under relatively stable circumstances.
Systemic risk
________ is an iterative process of proactively searching out threats inside the network.
Threat hunting
T/F A common technical mistake during the initial response to an incident is "killing" rogue processes.
True
T/F A physical hard disk drive will persist data longer than a solid state drive.
True
T/F A qualitative risk assessment relies on judgment and experience.
True
T/F Blocking lateral movement can defeat APT-style attacks from spreading through a network and can limit their stealth.
True
A(n) ________ is any characteristic of an asset that can be exploited by a threat to cause harm.
Vulnerability
A(n) ________ is an attack that always maintains a primary focus on remaining in the network, operating undetected, and having multiple ways in and out.
advanced persistent threat
What is the first step in the general risk management model?
asset identification
Using the ________ analysis information, penetration testers can emulate adversaries and attempt a wide range of known attack vectors in order to verify that the known methods of attack are all mitigated.
attack surface
In which of the following processes does TC hardware check that valid software has been brought in by verifying a digital signature associated with the software?
authenticated boot service
The ________ command is the Linux command used to change access permissions of a file.
chmod
Which term is used for an integrated suite of tools or services offered as Security as a Service, or a third-party managed security service provider (MSSP), focused on cloud security?
cloud access security brokers (CASB)
Which cloud system is defined as one where several organizations with a common interest share a cloud environment for the specific purposes of the shared endeavor?
community
Which term refers to the process of controlling changes to items that have been baselined?
configuration control
What are the two components comprising information criticality?
data classification and quantity of data involved
What risk mitigation step can be taken to prevent data theft?
data minimization
Developing and maintaining a series of ________ and prohibiting their use in new code, while removing them from old code when possible, is a proven path toward more secure code.
deprecated functions
Which capability must be enabled on firewalls, secure web gateways, and cloud access security brokers to determine if the next system in a communication chain is legitimate or not?
instance awareness
Which command in Linux is used to show and manipulate routing, devices, policy routing, and tunnels?
ip
Which command is used to monitor network connections to and from a system?
netstat
The ________ command provides a list of the hosts, switches, and routers in the order in which a packet passes through them, providing a trace of the network route from source to target.
tracert
The ________ network in a cloud environment can be used and manipulated by users, whereas the actual network underneath cannot.
virtual
Which term describes the hosting of a desktop environment on a central server?
virtual desktop infrastructure
The rule that a subject can only write into an object of greater or equal security level is known as
"No Write Down"
Which of the following was created by the DoD in the 1970s and prevents the leaking/transfer of classified info to less secure clearance levels?
Bell-LaPadula Model
A Reference Monitor enforces which of the following security design principles?
Complete mediation
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable Expression (CybOX)
A(n) ________ is a measure of the magnitude of loss of an asset.
Exposure Factor
What is a key guideline to follow when designing incident response procedures?
Include appropriate business personnel.
________ is a cryptographically secured means of communicating to and managing a network over an unsecured connection.
SSH
________ is a term for the execution of computer code in an environment designed to isolate the code from direct contact with the target system.
Sandboxing
Which computing service model is used for the outsourcing of security functions to a vendor that has advantages in scale, costs, or speed?
Security as a Service
T/F Nearly half of all exploits of computer programs stem historically from some form of buffer overflow.
True
T/F One of the characteristics of cloud computing is transparency to the end user.
True
T/F Recovery is the returning of the asset into the business function.
True
T/F Testing for security requires a much broader series of tests than functional testing does.
True
T/F There is no recovery from data that has been changed.
True
T/F Usually risk management includes both qualitative and quantitative elements.
True
Which of the following is provided by a Trusted Platform Module?
authenticated boot, certification, and encryption
A virtual private cloud ________ allows connections to and from a virtual private cloud instance.
endpoint
Which term refers to a measure of the magnitude of loss of an asset?
exposure factor (EF)
The term ________ relates to the application of scientific knowledge to legal problems.
forensics
Which technique uses random inputs to check for exploitable buffer overflows?
fuzz testing
Which term describes a circumstance that increases the likelihood or probable severity of a loss?
hazard
A(n) ________ is a low-level program that allows multiple operating systems to run concurrently on a single host computer.
hypervisor
What command is used to discover what systems are on a network and the open ports and services on those systems?
nmap
To examine a DNS query for a specific address, you can use the ________ command.
nslookup
Physical memory storage devices can be divided into a series of containers; each of these containers is called a(n) ________.
partition
Final code can be subjected to ________ tests, designed specifically to test configuration, security controls, and common defenses such as input and output validation and error handling.
penetration
The ________ command sends echo requests to a designated machine to determine if communication is possible.
ping
The term "________ cloud" refers to a cloud service rendered over a system that is open for public use.
public
After a penetration test is planned, ________ is the first step in performing that test; the objective is to obtain an understanding of the system and its components that someone wants to attack.
reconnaissance
Which term refers to the possibility of suffering harm or loss?
risk
The Python-based program designed to assist penetration testers in the gathering of information during the reconnaissance portion of a penetration test is called ________.
theHarvester
How is quarantine accomplished?
through the erection of firewalls that restrict communication between machines
The technology used to enable a computer to have more than one OS present and, in many cases, operating at the same time is ________.
virtualization
Which infection method involves planting malware on a website that the victim employees will likely visit?
watering hole attack
When analyzing computer storage components, a system specially designed for forensic examination, known as a forensic ________, can be used.
workstation
Which term is used to define vulnerabilities that are newly discovered and not yet addressed by a patch?
zero day
Which security model is designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest (CoI) categories?
Chinese Wall Model
Which of the following is provided by the Common Criteria for Information Technology Security Evaluation?
sets of IT requirements of known validity that can be used to establish the security requirements of prospective products and systems, details how a specific product can be evaluated against known requirements, and details a process for responding to changes, and possibly reevaluating the product
The most common cause of digital evidence from an investigation being excluded from court proceedings is ________, the unauthorized alteration of that evidence.
spoliation
Evidence that is convincing or measures up without question is known as ________.
sufficient evidence
Which of the following security models is focused primarily on data integrity in commercial applications?
Clark-Wilson Integrity Model
________ are a form of operating system virtualization; they are a packaged-up combination of code and dependencies that help applications run quickly in different computing environments.
Containers
________ is a combination of development and operations—in other words, a blending of tasks performed by a company's application development and systems operations teams.
DevOps
________ consists of the documents, verbal statements, and material objects that are admissible in a court of law.
Evidence
Which of the following runs program code to execute the TPM commands received from the I/O port?
Execution engine
T/F Least privilege refers to removing all controls from a system.
False
T/F Secure coding refers to adding security functionality into a piece of software.
False
T/F The generation of a real random number is a trivial task.
False
T/F The spiral model is an iterative model designed to enable the construction of increasingly complex versions of a project.
False
T/F When the nmap tool is used, the sending of packets cannot be detected.
False
Which marketing term is used to describe the offering of a computing platform combining multiple sets of software in the cloud?
Platform as a Service (PaaS)
Which type of attack can be used to execute arbitrary commands in a database?
SQL injection
Which statistical term is a representation of the frequency of the event, measured in a standard year?
annualized rate of occurrence (ARO)
A(n) ________ is any resource or information an organization needs to conduct its business.
asset
This type of analysis attempts to identify any potential means for bypassing security policy and ways to reduce or eliminate such possibilities.
covert channel analysis
Oral testimony that proves a specific fact with no inferences or presumptions is which type of evidence?
direct evidence
Business records, printouts, and manuals are which type of evidence?
documentary evidence
Which type of computing brings processing closer to the edge of the network, which optimizes web applications and IoT devices?
edge
In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan?
enumeration
The movement to an account that enables root or higher-level privilege is known as ________.
escalation of privilege
Which type of testing involves running the system under a controlled speed environment?
load testing
Tangible objects that prove or disprove facts are what type of evidence?
real evidence
