CSIT 161
You can help ensure confidentiality by implementing __________.
A virtual private network for remote access
Which one of the following is the best example of an authorization control?
Access control lists
What is needed if you are sending confidential information within an email message through the public Internet?
Encrypting email communications
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?
Formatting
Why do e-commerce systems need the utmost in security controls?
It is a PCI DSS standard; private customer data is entered into websites; credit card data is entered into websites; customer retention requires confidence in secure online purchases.
RSA Netwitness Investigator
Provides a high-level overview of all the traffic in a packet capture file.
Which is a security challenge that IoT deployments must overcome?
Secure communication with other IoT devices
What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?
Security Assertion Markup Language (SAML)
What floods a target with invalid or half-open TCP connection requests?
A SYN flood attack
Zenmap
GUI that enables you to enter Nmap commands and then provides some handy analysis tools.
Which one of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries?
E-commerce
Which of the following are impacts of the IoT on our business lives?
E-commerce; integrated supply chain with front-end sales order entry; companies now offering delivery services for products and services with real-time updates; customer reviews providing consumers with product and service reviews online and with more information about customer satisfaction.
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
What is a Wireshark?
Protocol analyzer, packet sniffer, packet analyzer.
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?
Acceptability
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address Resolution Protocol (ARP) poisoning
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free
Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
Authorization
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing Official (AO)
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Which security model does NOT protect the integrity of information?
Bell-LaPadula
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday attacks
Organizations that require customer service representatives to access private customer data can best protect customer privacy and make it easy to access other customer data by using which of the following security controls?
Blocking out customer private data details and allowing access only to the last four digits of Social Security numbers or account numbers
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business continuity plan (BCP)
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
The change management process includes ________ control and ________ control.
Configuration, change
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
Correspondent node (CN)
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Which type of malware involves extorting the user or organization into paying money to release a decryption key?
Cryptolocker Malware
Which type of attacks result in legitimate users not having access to a system resource?
DDoS
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Typically, data must be _____________ to be shared or used for research purposes.
De-identified
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
Deidentification
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
Which of the following security controls can help mitigate malicious email attachments?
Email filtering and quarantining; email attachment antivirus scanning; verifying with users that the email source is reputable; holding all inbound emails with unknown attachments.
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
Which one of the following is an example of a disclosure threat?
Espionage
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?
Evil Twin
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
Federal Information Security Management Act (FISMA)
Which control is not designed to combat malware?
Firewalls
Which software testing method provides random input to see how software handles unexpected data?
Fuzzing
Which one of the following is NOT a market driver for the Internet of Things (IoT)?
Global adoption of non-IP networking
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
When developing software, you should ensure the application does which of the following?
Has edit checks, range checks, validity checks, and other similar controls; checks user authorization; checks user authentication to the application; has procedures for recovering database integrity in the event of system failure.
Which one of the following governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals?
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health Monitoring
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
What are the four access control methods?
Identification - credentials confirming the person asking for access; Authentication - verifying the identity of the person by evaluating the credentials; Authorization - the process of deciding what the person can access; Accountability - defining roles and responsibilities.
Which of the following is an example of social engineering?
Impersonation
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Define access control
Limiting access to system resources only to authorized entities.
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic attack
When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access by the system. This is an example of __________.
Logical access controls
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
Which of the following is an example of a hardware security control?
MAC filtering
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
What is NOT a commonly used endpoint security technique?
Network firewall
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
Opportunity Cost
Which type of authentication includes smart cards?
Ownership
Which of the following is not a U.S. compliance law or act?
PCI DSS
A(n) _____ is a software tool that is used to capture packets from a network.
Packet Sniffer
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel test
Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing?
Passive wiretap
What is an example of a logical access control?
Password
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
Payment Card Industry Data Security Standard (PCI DSS)
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?
Payment Card Industry Data Security Standard (PCI DSS)
A successful change control program should include the following elements to ensure the quality of the change control process:
Peer review, documentation, and back-out plans.
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change.
________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties.
Principle of least privilege
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________.
RFC 1087
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?
Redundant Array of Independent Disks (RAID)
Which type of attack involves capturing data packets from a network and transmitting them later to produce an unauthorized effect?
Replay
Which formula is typically used to describe the components of information security risks?
Risk = Threat x Vulnerability
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
What is NOT one of the three tenets of information security?
Safety
A person with very little hacking skills
Script Kiddie
Which of the following are challenges that IoT industry must overcome?
Security and privacy; interoperability and standards; legal and regulatory compliance; e-commerce and economic development.
The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
Security kernel
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase.
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service Level Agreement (SLA)
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
What is an example of two-factor authentication?
Smart card and personal identification number (PIN)
Which phenomenon helped drive near real-time, high-speed broadband connectivity to the endpoint device?
Social media sharing
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
________ involve the standardization of the hardware and software solutions used to address a security risk throughout the organization.
Standards
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
More and more organizations use the term ________ to describe the entire change and maintenance process for applications.
System development life cycle (SDLC)
Which of the following is an example of a formal model of access control?
The Clark and Wilson integrity model
Maximizing availability primarily involves minimizing __________.
The amount of downtime recovering from a disaster; the mean time to repair a system or application; downtime, by implementing a business continuity plan; the recovery time objective.
Which of the following best describes intellectual property?
The items a business has copyrighted; all patents owned by a business; the unique knowledge a business possesses; customer lists.
The security program requires documentation of:
The security process; the policies, procedures, and guidelines adopted by the organization; the authority of the persons responsible for security.
What is true of procedures?
They provide for places within the process to conduct assurance checks.
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?
Threat
Which term describes an action that can damage or compromise an asset?
Threat
The objectives of classifying information include which of the following?
To identify data value in accordance with organization policy; to identify information protection requirements; to standardize classification labeling throughout the organization; to comply with privacy law, regulations, and so on.
What is the main goal of a hacker?
To steal or compromise IT assets and potentially steal data.
Which of the following requires an IoT-connected automobile?
Traffic monitoring sensors that provide real-time updates for traffic conditions
Information security is specific to securing information, whereas information systems security is focused on the security of the systems that house the information.
True
Which one of the following is NOT a commonly accepted best practice for password security?
Use at least six alphanumeric characters.
What helps organizations decrease risks and threats?
Using security policies, standards, procedures, and guidelines
Unified messaging provides what functionality for users on the go?
Voice messages that are converted to audio files and emailed to the user's mailbox for playback while on the road
A(n) _____ is any weakness that makes it possible for a threat to cause harm to a computer or network.
Vulnerability
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-Hat Hacker
Which type of malware is a self-contained program that replicates and sends copies of itself to other computers, generally across a network?
Worm
If you are a publicly traded company or U.S. federal government agency, what should you do?
You must go public and announce that you have had a data breach and must inform the impacted individuals of that data breach.
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack
Internet IP packets are to cleartext what encrypted IP packets are to __________.
Ciphertext
Software manufacturers limit their liability when selling software using which of the following?
End-User License Agreement (EULA)
What is the correct order of steps in the change control process?
Request, impact assessment, approval, build/test, implement, monitor
A data classification standard is usually part of which policy definition?
Asset protection policy
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information.
Which of the following security countermeasures is best for end-point protection against malware?
Antivirus/anti-malware protection; data leakage prevention; standardized workstation and laptop images; security awareness training.
During which phase of the access control process does the system answer the question, "What can the requestor access?"
Authorization
The __________ tenet of information systems security is concerned with the recovery time objective.
Availability
Which activity manages the baseline settings for a system or device?
Configuration control
What is the first step in a disaster recovery effort?
Ensure that everyone is safe.
What is war driving?
Involves looking for open or public wireless networks.
What is NOT an example of store-and-forward messaging?
Telephone Call
A(n) _____ is any action that could damage an asset.
Threat
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
A data breach is typically performed after which of the following?
Unauthorized access to systems and applications is obtained
An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?
Urgency
The __________ is the weakest link in an IT infrastructure.
User Domain
The process of identifying, quantifying, and prioritizing the vulnerabilities in a system is known as a __________.
Vulnerability assessment
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?
Warm site
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?
Waterfall