CSS310 Final

What file type is least likely to be impacted by a file infector virus? .dll .docx .com .exe

.docx

Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit. 120 30 50 60

50

Which Institute of Electrical and Electronics Engineers (IEEE) standard covers wireless LANs? 802.16 802.18 802.11 802.3

802.11

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? Full interruption test Checklist test Simulation test Parallel test

Parallel test

Which one of the following is an example of a logical access control? Password Access card Key for a lock Fence

Password

What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act? Government agencies Non-profit organizations Publicly traded companies Privately held companies

Publicly traded companies

What is NOT a service commonly offered by unified threat management (UTM) devices? Content inspection Wireless network access URL filtering Malware inspection

Wireless network access

Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X? Customer Business associate Consumer Covered entity

Consumer

Which type of cipher works by rearranging the characters in a message? Asymmetric Substitution Transposition Steganographic

Transposition

What is NOT an effective key distribution method for plaintext encryption keys? Unencrypted email Smart card CD Paper

Unencrypted email

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered? Risk Impact Vulnerability Threat

Vulnerability

What type of malware does NOT have an anti-malware solution and should be covered in security awareness training? Ransomware Worm Zero-day Virus

Zero-day

Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? SQL injection Cross-site scripting Cross-site request forgery Zero-day attack

Zero-day attack

Security training programs typically differ from security education programs in their focus on ______________. theoretical models hands-on skills academic courses security topics

hands-on skills

What is NOT one of the four main purposes of an attack? Data modification Data import Denial of availability Launch point

Data import

Which one of the following is an example of a direct cost that might result from a business disruption? Lost customers Damaged reputation Facility repair Lost market share

Facility repair

What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature? Elliptic curve Hash Encryption Decryption

Hash

Which one of the following governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals? Health Insurance Portability and Accountability Act (HIPAA) Federal Information Security Management Act (FISMA) Payment Card Industry Data Security Standard (PCI DSS) Federal Financial Institutions Examination Council (FFIEC)

Health Insurance Portability and Accountability Act (HIPAA)

Which unit of measure represents frequency and is expressed as the number of cycles per second? Gauss Weber Joule Hertz

Hertz

Which of the following would NOT be considered in the scope of organizational compliance efforts? Internal audit Company policy Laws Corporate culture

Laws

Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need? Video surveillance Motion detectors Biometrics Mantraps

Mantraps

Helen is an experienced information security professional who earned a four-year degree while a full-time student. She would like to continue her studies on a part-time basis. What is the next logical degree for Helen to earn? Doctoral degree Master's degree Bachelor's degree Associate's degree

Master's degree

Which one of the following is an example of a reactive disaster recovery control? Antivirus software Surge suppression Disk mirroring Moving to a warm site

Moving to a warm site

Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose? Nmap Remote Access Tool (RAT) Ping Simple Network Management Protocol (SNMP) agent

Nmap

What level of technology infrastructure should you expect to find in a cold site alternative data center facility? Basic computer hardware No technology infrastructure Hardware that mirrors the primary site, but no data Hardware and data that mirror the primary site

No technology infrastructure

Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process? Standard (STD) Best Current Practice (BCP) Proposed Standard (PS) Draft Standard (DS)

Proposed Standard (PS)

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis? Objective Quantitative Financial Qualitative

Qualitative

What type of publication is the primary working product of the Internet Engineering Task Force (IETF)? Special Publication (SP) ISO standard Request for comment (RFC) Public service announcement (PSA)

Request for comment (RFC)

Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)? Right to delete unwanted information from records Right to consent to data release Right to request correction of errors Right to inspect student records

Right to delete unwanted information from records

What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016? Senior System Managers System Administrators Risk Analysts Information Assurance Officers

Risk Analysts

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Risk Management Guide for Information Technology Systems (NIST SP800-30) CCTA Risk Analysis and Management Method (CRAMM) ISO/IEC 27005, "Information Security Risk Management"

Risk Management Guide for Information Technology Systems (NIST SP800-30)

Which of the following study options provides little to no opportunity for feedback? Self-study programs Certificate programs Graduate programs Undergraduate programs

Self-study programs

What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012? System Administrator Information Assurance Officer Senior System Manager Risk Analyst

Senior System Manager

Which intrusion detection system strategy relies upon pattern matching? Signature detection Behavior detection Statistical detection Traffic-based detection

Signature detection

Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place? Spim Phishing Spam Social engineering

Spim

Which one of the following principles is NOT a component of the Biba integrity model? Subjects cannot read objects that have a lower level of integrity than the subject. A subject may not ask for service from subjects that have a higher integrity level. Subjects cannot change objects that have a lower integrity level. Subjects at a given integrity level can call up only subjects at the same integritylevel or lower.

Subjects cannot change objects that have a lower integrity level.

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? Embedded Mobile Mainframe Supervisory Control and Data Acquisition (SCADA)

Supervisory Control and Data Acquisition (SCADA)

Which type of virus targets computer hardware and software startup functions? System infector Data infector Hardware infector File infector

System infector

Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees? Semi-annually Biannually Monthly Annually

Annually

Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with? Session and Transport Network and Session Application and Session Application and Transport

Application and Session

What level of academic degree requires the shortest period of time to earn and does NOT require any other postsecondary degree as a prerequisite? Doctoral degree Master's degree Associate's degree Bachelor's degree

Associate's degree

Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? Authorize the IT system for processing. Assess security controls for effectiveness. Implement security controls in IT systems. Continuously monitor security controls.

Authorize the IT system for processing.

__________ is a continuous process designed to keep all personnel vigilant.

Awareness

Which password attack is typically used specifically against password files that contain cryptographic hashes? Birthday attacks Dictionary attacks Social engineering attacks Brute-force attacks

Birthday attacks

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? White-box test Black-box test Blue-box test Grey-box test

Black-box test

Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message? Bob's private key Alice's public key Alice's private key Bob's public key

Bob's public key

Jim is an experienced security professional who recently accepted a position in an organization that uses Check Point firewalls. What certification can Jim earn to demonstrate his ability to administer these devices? Security+ CCIE CCSA CISSP

CCSA

Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs? CISSP-ISSMP CISSP-ISSEP CISSP-ISASP CISSP-ISSAP

CISSP-ISSAP

Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications? Security+ Certified Information Systems Security Professional (CISSP) Certified Information Security Manager (CISM) GIAC Certified Firewall Analyst (GCFW)

Certified Information Security Manager (CISM)

What certification focuses on information systems audit, control, and security professionals? Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Certified in the Governance of Enterprise IT (CGEIT) Certified in Risk and Information Systems Control (CRISC)

Certified Information Systems Auditor (CISA)

Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals? Systems Security Certified Practitioner (SSCP) Certified Information Systems Security Professional (CISSP) Certified Cloud Security Professional (CCSP) Certified Authorization Professional (CAP)

Certified Information Systems Security Professional (CISSP)

Which of the following circumstances would NOT trigger mandatory security training for a federal agency under Office of Personnel Management (OPM) guidelines? Change in security environment Change in employee responsibilities Change of senior leadership Change in security procedures

Change of senior leadership

Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors? Children's Internet Protection Act (CIPA) Family Educational Rights and Privacy Act (FERPA) Children's Online Privacy Protection Act (COPPA) Sarbanes-Oxley Act (SOX)

Children's Internet Protection Act (CIPA)

Which of the following Cisco certifications demonstrates the most advanced level of security knowledge? Cisco Certified Technician (CCT) Security Cisco Certified Network Professional (CCNP) Security Cisco Certified Internetwork Expert (CCIE) Security Cisco Certified Network Associate (CCNA) Security

Cisco Certified Internetwork Expert (CCIE) Security

Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking? Accounting Availability Confidentiality Integrity

Confidentiality

Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect? Health records Trade secrets Credit card information Educational records

Credit card information

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? False rejection rate (FRR) False acceptance rate (FAR) Reaction time Crossover error rate (CER)

Crossover error rate (CER)

What program, released in 2013, is an example of ransomware? FileVault CryptoVault Crypt0L0cker BitLocker

Crypt0L0cker

Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key? Rivest, Shamir, Adelman (RSA) Blowfish Diffie-Hellman Message digest algorithm (MD5)

Diffie-Hellman

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? 3 4 2 1

2

Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections? 23 22 80 20

22

What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities? 800 600 700 900

800

What protocol is responsible for assigning IP addresses to hosts on most networks? Dynamic Host Configuration Protocol (DHCP) Transport Layer Security (TLS) Virtual LAN (VLAN) Simple Mail Transfer Protocol (SMTP)

Dynamic Host Configuration Protocol (DHCP)

What type of security communication effort focuses on a common body of knowledge? Acceptable use policy (AUP) Education Emails Professional development

Education

Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect? Encryption Signaling Routing User interface

Encryption

Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)? Encryption Semiconductors Solar energy Consumer appliances

Encryption

Which organization creates information security standards that specifically apply within the European Union? Institute of Electrical and Electronics Engineers (IEEE) American National Standards Institute (ANSI) International Telecommunication Union (ITU) European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)

European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? Evil twin Replay attack Wardriving Bluesnarfing

Evil twin

What mathematical problem forms the basis of most modern cryptographic algorithms? Traveling salesman problem Quantum mechanics Factoring large primes Birthday problem

Factoring large primes

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? Remote administration error False positive error False negative error Clipping error

False positive error

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)? Federal Communications Commission (FCC) Department of Defense (DOD) Federal Trade Commission (FTC) Family Policy Compliance Office (FPCO)

Family Policy Compliance Office (FPCO)

What is NOT a common motivation for attackers? Fear Fame Money Revenge

Fear

Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used? Stateful inspection Network address translation Application proxying Packet filtering

Application proxying

Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor? Qualified security assessor (QSA) Self-assessment vendor (SAV) Approved scanning vendor (ASV) Independent Scanning Assessor (ISA)

Approved scanning vendor (ASV)

Which of the following is NOT an advantage to undertaking self-study of information security topics? Fixed pace Self-motivation Low cost Flexible materials

Fixed pace

What type of firewall security feature limits the volume of traffic from individual hosts? Network separation Loop protection Stateful inspection Flood guard

Flood guard

How many years of post-secondary education are typically required to earn a bachelor's degree in a non-accelerated program? Six Two Three Four

Four

Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? Sarbanes-Oxley (SOX) Act Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS)

Health Insurance Portability and Accountability Act (HIPAA)

With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? Care of address (COA) Foreign agent (FA) Correspondent node (CN) Home agent (HA)

Home agent (HA)

What type of system is intentionally exposed to attackers in an attempt to lure them out? Honeypot Database server Web server Bastion host

Honeypot

Which recovery site option provides readiness in minutes to hours? Warm site Cold site Multiple sites Hot site

Hot site

What organization offers a variety of security certifications that are focused on the requirements of auditors? CompTIA International Information Systems Security Certification Consortium, Inc. (ISC)2 ISACA Global Information Assurance Certification (GIAC)

ISACA

Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management? ISO 27002 ISO 17799 ISO 9000 ISO 14001

ISO 27002

What is a set of concepts and policies for managing IT infrastructure, development, and operations? IT Infrastructure Library (ITIL) ISO 27002 NIST Cybersecurity Framework (CSF) Control Objectives for Information and related Technology (COBIT)

IT Infrastructure Library (ITIL)

Which one of the following is NOT a good technique for performing authentication of an end user? Password Identification number Token Biometric scan

Identification number

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? Incursion Outage Incident Event

Incident

Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve? Integrity Availability Confidentiality Accountability

Integrity

Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact? International Council of E-Commerce Consultants (EC-Council) Software Engineering Institute - Carnegie Mellon University High Tech Crime Network The International Society of Forensic Computer Examiners

International Council of E-Commerce Consultants (EC-Council)

Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working? Application Presentation Session Data Link

Presentation

From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? Security risks will be eliminated. Security risks will decrease. Security risks will stay the same. Security risks will increase.

Security risks will increase.

Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs? Certified Secure Software Lifecycle Professional (CSSLP) Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP) Certified Cloud Security Professional (CCSP)

Systems Security Certified Practitioner (SSCP)

What type of malicious software masquerades as legitimate software to entice the user to run it? Rootkit Trojan horse Worm Virus

Trojan horse

Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security? MS MBA MScIT MSc

MBA

What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program? Central Intelligence Agency (CIA) National Institute of Standards and Technology (NIST) National Security Agency (NSA) Federal Bureau of Investigation (FBI)

National Security Agency (NSA)

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve? Integrity Nonrepudiation Confidentiality Authentication

Nonrepudiation

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time? International Data Encryption Algorithm (IDEA) Online Certificate Status Protocol (OCSP) Certificate revocation list (CRL) Transport Layer Security (TLS)

Online Certificate Status Protocol (OCSP)

Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales? Manpower cost Opportunity cost Replacement cost Cost of good sold

Opportunity cost

Which regulatory standard would NOT require audits of companies in the United States? Personal Information Protection and Electronic Documents Act (PIPEDA) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley Act (SOX) Payment Card Industry Data Security Standard (PCI DSS)

Personal Information Protection and Electronic Documents Act (PIPEDA)

What is NOT a goal of information security awareness programs? Teach users about security objectives Punish users who violate policy Inform users about trends and threats in security Motivate users to comply with security policy

Punish users who violate policy

Which approach to cryptography provides the strongest theoretical protection? Quantum cryptography Elliptic curve cryptography Asymmetric cryptography Classic cryptography

Quantum cryptography

Which data source comes first in the order of volatility when conducting a forensic investigation? Swap and paging files Logs RAM Data files on disk

RAM

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? DIAMETER Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control System Plus (TACACS+) Redundant Array of Independent Disks (RAID)

Redundant Array of Independent Disks (RAID)

What type of malicious software allows an attacker to remotely control a compromised computer? Armored virus Polymorphic virus Remote Access Tool (RAT) Worm

Remote Access Tool (RAT)

What is the correct order of steps in the change control process? Request, impact assessment, approval, build/test, monitor, implement Request, approval, impact assessment, build/test, implement, monitor Request, approval, impact assessment, build/test, monitor, implement Request, impact assessment, approval, build/test, implement, monitor

Request, impact assessment, approval, build/test, implement, monitor

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? Addressable Standard Required Security

Required

What term describes the risk that exists after an organization has performed all planned countermeasures and controls? Transparent risk Business risk Total risk Residual risk

Residual risk

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? Mitigation steps Risk survey results Description of the risk Expected impact

Risk survey results

Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS)self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use? SAQ D SAQ A SAQ C SAQ B

SAQ C

Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database? XML injection SQL injection LDAP injection Cross-site scripting (XSS)

SQL injection

In what type of attack does the attacker send unauthorized commands directly to a database? Cross-site scripting Database dumping Cross-site request forgery SQL injection

SQL injection

Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her? Security+ CompTIA Advanced Security Practitioner (CASP) GIAC Security Expert (GSE) Certified Information Systems Security Professional (CISSP)

Security+

Which scenario presents a unique challenge for developers of mobile applications? Obtaining Internet Protocol (IP) addresses Using checkboxes Applying encryption to network communications Selecting multiple items from a list

Selecting multiple items from a list

Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged into Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place? XML injection Cross-site scripting SQL injection Session hijacking

Session hijacking

Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place? Land Teardrop Smurf Cross-site scripting (XSS)

Smurf

What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)? Architecture for Internet protocols and procedures Editorial and publication procedures for requests for comments (RFCs) Subject matter expertise on routing and switching Confirmation of IETF chairs

Subject matter expertise on routing and switching

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? Data loss prevention CCTV Network IDS System integrity monitoring

System integrity monitoring

Which classification level is the highest level used by the U.S. federal government? Secret Private Confidential Top Secret

Top Secret

Which of the following items would generally NOT be considered personally identifiable information (PII)? Trade secret Driver's license number Name Social Security number

Trade secret

Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? Worm Logic bomb Trojan horse Virus

Trojan horse

Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall? 80 53 22 25

25

What ISO security standard can help guide the creation of an organization's security policy? 42053 17259 27002 12333

27002

How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam? 7 8 9 10

8

What DoD directive requires that information security professionals in the government earn professional certifications? 8540 8140 8088 8270

8140

How many years of specialized experience are required to earn one of the Certified Information Systems Security Professional (CISSP) concentrations? Three Five Two Four

Two

Which one of the following is NOT a commonly accepted best practice for password security? Include a special character in passwords. Use at least six alphanumeric characters. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords. Do not include usernames in passwords.

Use at least six alphanumeric characters.

Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use? Virtual private network (VPN) Firewall Virtual LAN (VLAN) Transport Layer Security (TLS)

Virtual LAN (VLAN)

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime? Load balancing Redundant Array of inexpensive Disks (RAID) Clustering Warm site

Warm Site

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? Warm site Cold site Hot site Primary site

Warm site

Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating? Blacklisting Whitelisting Packet filtering Context-based screening

Whitelisting

What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? Domain Name System (DNS) Ping Whois Simple Network Management Protocol (SNMP)

Whois

Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity? 3G Digital subscriber line (DSL) 4G Wi-Fi

Wi-Fi

What type of network connects systems over the largest geographic area? Storage area network (SAN) Metropolitan area network (MAN) Local area network (LAN) Wide area network (WAN)

Wide area network (WAN)

Forensics and incident response are examples of __________ controls. deterrent detective corrective preventive

corrective

A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime. incident disaster emergency event

disaster

Purchasing an insurance policy is an example of the ____________ risk management strategy. reduce avoid transfer accept

transfer

________ refers to a program of study approved by the State Department of Education in the state that a school operates. Continuing professional education (CPE) Accredited Certificate of completion Continuing education

Accredited

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature? Alice's private key Bob's private key Alice's public key Bob's public key

Alice's private key

Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature? Alice's private key Bob's public key Bob's private key Alice's public key

Alice's public key

Which organization created a standard version of the widely used C programming language in 1989? International Organization for Standardization (ISO) Institute of Electrical and Electronics Engineers (IEEE) European Telecommunications Standards Institute (ETSI) American National Standards Institute (ANSI)

American National Standards Institute (ANSI)

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? $2,000 $20,000 $2,000,000 $200,000

$20,000

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor? 1 percent 10 percent 50 percent 20 percent

20 percent

What is the maximum value for any octet in an IPv4 IP address? 129 513 65 255

255

Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow? 3389 989 143 443

3389

Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication? 3389 443 143 80

443

What is NOT a valid encryption key length for use with the Blowfish algorithm? 64 bits 512 bits 256 bits 32 bits

512 bits

Jane is a manager at a federal government agency and recently hired a new employee, Mark, who will work with sensitive information. How much time does Jane have from Mark's hire date to get him security training? 60 days 30 days 10 days 15 days

60 days

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? An organization should properly destroy its information when it is no longer needed. An organization should keep its information up to date. An organization should share its information. An organization should collect only what it needs.

An organization should share its information.

Which of the following is NOT a role described in DoD Directive 8140, which covers cyber security training? Protect and defend Operate and maintain Investigate Attack

Attack

Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? Covered entity as a healthcare clearinghouse Business associate of a covered entity Covered entity as a health plan Covered entity as a provider

Business associate of a covered entity

Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy? Captive portal Remote Authentication Dial-In User Service (RADIUS) Lightweight Extensible Authentication Protocol (LEAP) Protected Extensible Authentication Protocol (PEAP)

Captive portal

Richard would like to earn a certification that demonstrates his ability to manage the information security function. What certification would be most appropriate for Richard? Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Control (CRISC) Certified Information Security Manager (CISM) Certified in the Governance of Enterprise IT (CGEIT)

Certified Information Security Manager (CISM)

Colin is a software developer. He would like to earn a credential that demonstrates to employers that he is well educated on software security issues. What certification would be most suitable for this purpose? Certified Cyber Forensics Professional (CCFP) Certified Secure Software Lifecycle Professional (CSSLP) HealthCare Certified Information Security Privacy Practitioner (HCISPP) Certified Information Systems Security Professional (CISSP)

Certified Secure Software Lifecycle Professional (CSSLP)

Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works? Ciphertext only Known plaintext Chosen ciphertext Chosen plaintext

Chosen plaintext

Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking? Integrity Confidentiality Accounting Availability

Confidentiality

Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered? XML injection Cross-site scripting (XSS) Command injection SQL injection

Cross-site scripting (XSS)

Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y? Business associate Covered entity Customer Consumer

Customer

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message? Hashing Validation Encryption Decryption

Decryption

Which risk is most effectively mitigated by an upstream Internet service provider (ISP)? Firewall configuration error Lost productivity Distributed denial of service (DDoS) Unauthorized remote access

Distributed denial of service (DDoS)

What is the highest level of academic degree that may be earned in the field of information security? Master of business administration (MBA) Bachelor of science (BS) Master of science (MS) Doctor of philosophy (PhD)

Doctor of philosophy (PhD)

What is a key principle of risk management programs? Apply controls in ascending order of risk. Security controls should be protected through the obscurity of their mechanisms. Don't spend more to protect an asset than it is worth. Risk avoidance is superior to risk mitigation.

Don't spend more to protect an asset than it is worth.

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? Compromising the privacy of users Enforcing the integrity of computer-based information Seeking to gain unauthorized access to resources Disrupting intended use of the Internet

Enforcing the integrity of computer-based information

Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process? Federal Deposit Insurance Corporation (FDIC) Federal Communications Commission (FCC) Federal Trade Commission (FTC) Securities and Exchange Commission (SEC)

Federal Communications Commission (FCC)

Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? Federal Information Security Management Act (FISMA) Family Educational Rights and Privacy Act (FERPA) Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley (SOX) Act

Federal Information Security Management Act (FISMA)

David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use? Secure Shell (SSH) Internet Small Computer System Interface (iSCSI) Fibre Channel over Ethernet (FCoE) Fibre Channel (FC)

Fibre Channel over Ethernet (FCoE)

Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities? GIAC Certified Penetration Tester (GPEN) GIAC Certified Firewall Analyst (GCFW) GIAC Systems and Network Auditor (GSNA) GIAC Certified Forensic Examiner (GCFE)

GIAC Certified Forensic Examiner (GCFE)

Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out? IEEE 802.3 ANSI x.1199 NIST 800-53 ISO 17799

IEEE 802.3

What certification organization began as an offshoot of the SANS Institute training programs? CompTIA International Information Systems Security Certification Consortium, Inc. (ISC)2 Certified Internet Webmaster (CIW) Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues? Hub Switch Firewall Router

Hub

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve? Nonrepudiation Integrity Authentication Confidentiality

Integrity

Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI? International Organization for Standardization (ISO) Ocean Surveillance Information System (OSIS) Information Systems Audit and Control Association (ISACA) National Institute of Standards and Technology (NIST)

International Organization for Standardization (ISO)

Which organization promotes technology issues as an agency of the United Nations? Internet Assigned Numbers Authority (IANA) International Telecommunication Union (ITU) Institute of Electrical and Electronics Engineers (IEEE) American National Standards Institute (ANSI)

International Telecommunication Union (ITU)

Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block? Internet Control Message Protocol (ICMP) Hypertext Transfer Protocol (HTTP) User Datagram Protocol (UDP) Transmission Control Protocol (TCP)

Internet Control Message Protocol (ICMP)

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? Hashing Truncation Encryption Masking

Masking

What term describes the longest period of time that a business can survive without a particular critical system? Recovery time objective (RTO) Emergency operations center (EOC) Recovery point objective (RPO) Maximum tolerable downtime (MTD)

Maximum tolerable downtime (MTD)

Which agreement type is typically less formal than other agreements and expresses areas of common interest? Service level agreement (SLA) Memorandum of understanding (MOU) Interconnection security agreement (ISA) Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?" National Aeronautics and Space Administration (NASA) National Institute of Standards and Technology (NIST) Federal Trade Commission (FTC) Federal Communications Commission (FCC)

National Institute of Standards and Technology (NIST)

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? Federal Communications Commission (FCC) National Institute of Standards and Technology (NIST) Department of Defense (DoD) National Security Administration (NSA)

National Institute of Standards and Technology (NIST)

Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model? Network Application Physical Session

Network

Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included? Patient safety Medical records formats Prescribing procedures Password management

Password management

Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? Communications Assistance for Law Enforcement Act (CALEA) Payment Card Industry Data Security Standard (PCI DSS) Health Insurance Portability and Accountability Act (HIPAA) Family Educational Rights and Privacy Act (FERPA)

Payment Card Industry Data Security Standard (PCI DSS)

Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? Cross-platform virus Stealth virus Polymorphic virus Multipartite virus

Polymorphic virus

Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed? Detective Deterrent Corrective Preventive

Preventive

Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing? Policy Procedure Standard Guideline

Procedure

Which of the following programs requires passing a standardized examination that is based upon a job-task analysis? Certificate of completion Bachelor's degree Professional certification Doctoral degree

Professional certification

Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take? Reduce Avoid Transfer Accept

Reduce

What is NOT a symmetric encryption algorithm? Data Encryption Standard (DES) International Data Encryption Algorithm (IDEA) Carlisle Adams Stafford Tavares (CAST) Rivest-Shamir-Adelman (RSA)

Rivest-Shamir-Adelman (RSA)

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? SOC 1 SOC 2 SOC 3 SOC 4

SOC 3

What firewall approach is shown in the figure? Bastion host Screened subnet Border firewall Multilayered firewall

Screened subnet

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? Dynamic Host Configuration Protocol (DHCP) Transmission Control Protocol/Internet Protocol (TCP/IP) Secure Sockets Layer (SSL) Domain Name System (DNS)

Secure Sockets Layer (SSL)

The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? Adware Pharming Command injection Spear phishing

Spear phishing

What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows? Switch Hub Router Access point

Switch

Which set of characteristics describes the Caesar cipher accurately?

Symmetric, stream, substitution

What is NOT generally a section in an audit report? Timeline for Implementation System configurations Findings Recommendations

System configurations

Which term describes an action that can damage or compromise an asset? Risk Vulnerability Countermeasure Threat

Threat

Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place? Tier C Tier B Tier D Tier A

Tier A

What is NOT a typical sign of virus activity on a system? Unexpected error messages Unexplained decrease in available disk space Sudden sluggishness of applications Unexpected power failures

Unexpected power failures

Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use? Unified threat management (UTM) Router VPN concentrator Firewall

VPN concentrator

What is the only unbreakable cipher when it is used properly? Blowfish Vernam Rivest-Shamir-Adelman (RSA) Elliptic Curve Diffie-Hellman in Ephemeral mode (ECDHE)

Vernam

What standard is NOT secure and should never be used on modern wireless networks? 802.11ac Wi-Fi Protected Access version 2 (WPA2) Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy (WEP)

What wireless security technology contains significant flaws and should never be used? Remote Authentication Dial-In User Service (RADIUS) WPA2 Wi-Fi Protected Access (WPA) Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)

Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information? Internet Engineering Task Force (IETF) International Electrotechnical Commission (IEC) National Institute of Standards and Technology (NIST) World Wide Web Consortium (W3C)

World Wide Web Consortium (W3C)