CSS310 Final
What file type is least likely to be impacted by a file infector virus? .dll .docx .com .exe
.docx
Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit. 120 30 50 60
50
Which Institute of Electrical and Electronics Engineers (IEEE) standard covers wireless LANs? 802.16 802.18 802.11 802.3
802.11
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? Full interruption test Checklist test Simulation test Parallel test
Parallel test
Which one of the following is an example of a logical access control? Password Access card Key for a lock Fence
Password
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act? Government agencies Non-profit organizations Publicly traded companies Privately held companies
Publicly traded companies
What is NOT a service commonly offered by unified threat management (UTM) devices? Content inspection Wireless network access URL filtering Malware inspection
Wireless network access
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X? Customer Business associate Consumer Covered entity
Consumer
Which type of cipher works by rearranging the characters in a message? Asymmetric Substitution Transposition Steganographic
Transposition
What is NOT an effective key distribution method for plaintext encryption keys? Unencrypted email Smart card CD Paper
Unencrypted email
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered? Risk Impact Vulnerability Threat
Vulnerability
What type of malware does NOT have an anti-malware solution and should be covered in security awareness training? Ransomware Worm Zero-day Virus
Zero-day
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable? SQL injection Cross-site scripting Cross-site request forgery Zero-day attack
Zero-day attack
Security training programs typically differ from security education programs in their focus on ______________. theoretical models hands-on skills academic courses security topics
hands-on skills
What is NOT one of the four main purposes of an attack? Data modification Data import Denial of availability Launch point
Data import
Which one of the following is an example of a direct cost that might result from a business disruption? Lost customers Damaged reputation Facility repair Lost market share
Facility repair
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature? Elliptic curve Hash Encryption Decryption
Hash
Which one of the following governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals? Health Insurance Portability and Accountability Act (HIPAA) Federal Information Security Management Act (FISMA) Payment Card Industry Data Security Standard (PCI DSS) Federal Financial Institutions Examination Council (FFIEC)
Health Insurance Portability and Accountability Act (HIPAA)
Which unit of measure represents frequency and is expressed as the number of cycles per second? Gauss Weber Joule Hertz
Hertz
Which of the following would NOT be considered in the scope of organizational compliance efforts? Internal audit Company policy Laws Corporate culture
Laws
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need? Video surveillance Motion detectors Biometrics Mantraps
Mantraps
Helen is an experienced information security professional who earned a four-year degree while a full-time student. She would like to continue her studies on a part-time basis. What is the next logical degree for Helen to earn? Doctoral degree Master's degree Bachelor's degree Associate's degree
Master's degree
Which one of the following is an example of a reactive disaster recovery control? Antivirus software Surge suppression Disk mirroring Moving to a warm site
Moving to a warm site
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose? Nmap Remote Access Tool (RAT) Ping Simple Network Management Protocol (SNMP) agent
Nmap
What level of technology infrastructure should you expect to find in a cold site alternative data center facility? Basic computer hardware No technology infrastructure Hardware that mirrors the primary site, but no data Hardware and data that mirror the primary site
No technology infrastructure
Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process? Standard (STD) Best Current Practice (BCP) Proposed Standard (PS) Draft Standard (DS)
Proposed Standard (PS)
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis? Objective Quantitative Financial Qualitative
Qualitative
What type of publication is the primary working product of the Internet Engineering Task Force (IETF)? Special Publication (SP) ISO standard Request for comment (RFC) Public service announcement (PSA)
Request for comment (RFC)
Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)? Right to delete unwanted information from records Right to consent to data release Right to request correction of errors Right to inspect student records
Right to delete unwanted information from records
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016? Senior System Managers System Administrators Risk Analysts Information Assurance Officers
Risk Analysts
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Risk Management Guide for Information Technology Systems (NIST SP800-30) CCTA Risk Analysis and Management Method (CRAMM) ISO/IEC 27005, "Information Security Risk Management"
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Which of the following study options provides little to no opportunity for feedback? Self-study programs Certificate programs Graduate programs Undergraduate programs
Self-study programs
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012? System Administrator Information Assurance Officer Senior System Manager Risk Analyst
Senior System Manager
Which intrusion detection system strategy relies upon pattern matching? Signature detection Behavior detection Statistical detection Traffic-based detection
Signature detection
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place? Spim Phishing Spam Social engineering
Spim
Which one of the following principles is NOT a component of the Biba integrity model? Subjects cannot read objects that have a lower level of integrity than the subject. A subject may not ask for service from subjects that have a higher integrity level. Subjects cannot change objects that have a lower integrity level. Subjects at a given integrity level can call up only subjects at the same integrity level or lower.
Subjects cannot change objects that have a lower integrity level.
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? Embedded Mobile Mainframe Supervisory Control and Data Acquisition (SCADA)
Supervisory Control and Data Acquisition (SCADA)
Which type of virus targets computer hardware and software startup functions? System infector Data infector Hardware infector File infector
System infector
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees? Semi-annually Biannually Monthly Annually
Annually
Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with? Session and Transport Network and Session Application and Session Application and Transport
Application and Session
What level of academic degree requires the shortest period of time to earn and does NOT require any other postsecondary degree as a prerequisite? Doctoral degree Master's degree Associate's degree Bachelor's degree
Associate's degree
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? Authorize the IT system for processing. Assess security controls for effectiveness. Implement security controls in IT systems. Continuously monitor security controls.
Authorize the IT system for processing.
__________ is a continuous process designed to keep all personnel vigilant.
Awareness
Which password attack is typically used specifically against password files that contain cryptographic hashes? Birthday attacks Dictionary attacks Social engineering attacks Brute-force attacks
Birthday attacks
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? White-box test Black-box test Blue-box test Grey-box test
Black-box test
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message? Bob's private key Alice's public key Alice's private key Bob's public key
Bob's public key
Jim is an experienced security professional who recently accepted a position in an organization that uses Check Point firewalls. What certification can Jim earn to demonstrate his ability to administer these devices? Security+ CCIE CCSA CISSP
CCSA
Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs? CISSP-ISSMP CISSP-ISSEP CISSP-ISASP CISSP-ISSAP
CISSP-ISSAP
Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications? Security+ Certified Information Systems Security Professional (CISSP) Certified Information Security Manager (CISM) GIAC Certified Firewall Analyst (GCFW)
Certified Information Security Manager (CISM)
What certification focuses on information systems audit, control, and security professionals? Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Certified in the Governance of Enterprise IT (CGEIT) Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Auditor (CISA)
Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals? Systems Security Certified Practitioner (SSCP) Certified Information Systems Security Professional (CISSP) Certified Cloud Security Professional (CCSP) Certified Authorization Professional (CAP)
Certified Information Systems Security Professional (CISSP)
Which of the following circumstances would NOT trigger mandatory security training for a federal agency under Office of Personnel Management (OPM) guidelines? Change in security environment Change in employee responsibilities Change of senior leadership Change in security procedures
Change of senior leadership
Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors? Children's Internet Protection Act (CIPA) Family Educational Rights and Privacy Act (FERPA) Children's Online Privacy Protection Act (COPPA) Sarbanes-Oxley Act (SOX)
Children's Internet Protection Act (CIPA)
Which of the following Cisco certifications demonstrates the most advanced level of security knowledge? Cisco Certified Technician (CCT) Security Cisco Certified Network Professional (CCNP) Security Cisco Certified Internetwork Expert (CCIE) Security Cisco Certified Network Associate (CCNA) Security
Cisco Certified Internetwork Expert (CCIE) Security
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking? Accounting Availability Confidentiality Integrity
Confidentiality
Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect? Health records Trade secrets Credit card information Educational records
Credit card information
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? False rejection rate (FRR) False acceptance rate (FAR) Reaction time Crossover error rate (CER)
Crossover error rate (CER)
What program, released in 2013, is an example of ransomware? FileVault CryptoVault Crypt0L0cker BitLocker
Crypt0L0cker
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key? Rivest, Shamir, Adleman (RSA) Blowfish Diffie-Hellman Message digest algorithm (MD5)
Diffie-Hellman
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? 3 4 2 1
2
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections? 23 22 80 20
22
What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities? 800 600 700 900
800
What protocol is responsible for assigning IP addresses to hosts on most networks? Dynamic Host Configuration Protocol (DHCP) Transport Layer Security (TLS) Virtual LAN (VLAN) Simple Mail Transfer Protocol (SMTP)
Dynamic Host Configuration Protocol (DHCP)
What type of security communication effort focuses on a common body of knowledge? Acceptable use policy (AUP) Education Emails Professional development
Education
Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect? Encryption Signaling Routing User interface
Encryption
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)? Encryption Semiconductors Solar energy Consumer appliances
Encryption
Which organization creates information security standards that specifically apply within the European Union? Institute of Electrical and Electronics Engineers (IEEE) American National Standards Institute (ANSI) International Telecommunication Union (ITU) European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place? Evil twin Replay attack Wardriving Bluesnarfing
Evil twin
What mathematical problem forms the basis of most modern cryptographic algorithms? Traveling salesman problem Quantum mechanics Factoring large primes Birthday problem
Factoring large primes
Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? Remote administration error False positive error False negative error Clipping error
False positive error
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)? Federal Communications Commission (FCC) Department of Defense (DOD) Federal Trade Commission (FTC) Family Policy Compliance Office (FPCO)
Family Policy Compliance Office (FPCO)
What is NOT a common motivation for attackers? Fear Fame Money Revenge
Fear
Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used? Stateful inspection Network address translation Application proxying Packet filtering
Application proxying
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor? Qualified security assessor (QSA) Self-assessment vendor (SAV) Approved scanning vendor (ASV) Independent Scanning Assessor (ISA)
Approved scanning vendor (ASV)
Which of the following is NOT an advantage to undertaking self-study of information security topics? Fixed pace Self-motivation Low cost Flexible materials
Fixed pace
What type of firewall security feature limits the volume of traffic from individual hosts? Network separation Loop protection Stateful inspection Flood guard
Flood guard
How many years of post-secondary education are typically required to earn a bachelor's degree in a non-accelerated program? Six Two Three Four
Four
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? Sarbanes-Oxley (SOX) Act Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network? Care of address (COA) Foreign agent (FA) Correspondent node (CN) Home agent (HA)
Home agent (HA)
What type of system is intentionally exposed to attackers in an attempt to lure them out? Honeypot Database server Web server Bastion host
Honeypot
Which recovery site option provides readiness in minutes to hours? Warm site Cold site Multiple sites Hot site
Hot site
What organization offers a variety of security certifications that are focused on the requirements of auditors? CompTIA International Information Systems Security Certification Consortium, Inc. (ISC)2 ISACA Global Information Assurance Certification (GIAC)
ISACA
Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management? ISO 27002 ISO 17799 ISO 9000 ISO 14001
ISO 27002
What is a set of concepts and policies for managing IT infrastructure, development, and operations? IT Infrastructure Library (ITIL) ISO 27002 NIST Cybersecurity Framework (CSF) Control Objectives for Information and related Technology (COBIT)
IT Infrastructure Library (ITIL)
Which one of the following is NOT a good technique for performing authentication of an end user? Password Identification number Token Biometric scan
Identification number
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? Incursion Outage Incident Event
Incident
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve? Integrity Availability Confidentiality Accountability
Integrity
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact? International Council of E-Commerce Consultants (EC-Council) Software Engineering Institute - Carnegie Mellon University High Tech Crime Network The International Society of Forensic Computer Examiners
International Council of E-Commerce Consultants (EC-Council)
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working? Application Presentation Session Data Link
Presentation
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)? Security risks will be eliminated. Security risks will decrease. Security risks will stay the same. Security risks will increase.
Security risks will increase.
Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs? Certified Secure Software Lifecycle Professional (CSSLP) Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP) Certified Cloud Security Professional (CCSP)
Systems Security Certified Practitioner (SSCP)
What type of malicious software masquerades as legitimate software to entice the user to run it? Rootkit Trojan horse Worm Virus
Trojan horse
Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security? MS MBA MScIT MSc
MBA
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program? Central Intelligence Agency (CIA) National Institute of Standards and Technology (NIST) National Security Agency (NSA) Federal Bureau of Investigation (FBI)
National Security Agency (NSA)
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve? Integrity Nonrepudiation Confidentiality Authentication
Nonrepudiation
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time? International Data Encryption Algorithm (IDEA) Online Certificate Status Protocol (OCSP) Certificate revocation list (CRL) Transport Layer Security (TLS)
Online Certificate Status Protocol (OCSP)
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales? Manpower cost Opportunity cost Replacement cost Cost of goods sold
Opportunity cost
Which regulatory standard would NOT require audits of companies in the United States? Personal Information Protection and Electronic Documents Act (PIPEDA) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley Act (SOX) Payment Card Industry Data Security Standard (PCI DSS)
Personal Information Protection and Electronic Documents Act (PIPEDA)
What is NOT a goal of information security awareness programs? Teach users about security objectives Punish users who violate policy Inform users about trends and threats in security Motivate users to comply with security policy
Punish users who violate policy
Which approach to cryptography provides the strongest theoretical protection? Quantum cryptography Elliptic curve cryptography Asymmetric cryptography Classic cryptography
Quantum cryptography
Which data source comes first in the order of volatility when conducting a forensic investigation? Swap and paging files Logs RAM Data files on disk
RAM
Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? DIAMETER Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control System Plus (TACACS+) Redundant Array of Independent Disks (RAID)
Redundant Array of Independent Disks (RAID)
What type of malicious software allows an attacker to remotely control a compromised computer? Armored virus Polymorphic virus Remote Access Tool (RAT) Worm
Remote Access Tool (RAT)
What is the correct order of steps in the change control process? Request, impact assessment, approval, build/test, monitor, implement Request, approval, impact assessment, build/test, implement, monitor Request, approval, impact assessment, build/test, monitor, implement Request, impact assessment, approval, build/test, implement, monitor
Request, impact assessment, approval, build/test, implement, monitor
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? Addressable Standard Required Security
Required
What term describes the risk that exists after an organization has performed all planned countermeasures and controls? Transparent risk Business risk Total risk Residual risk
Residual risk
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? Mitigation steps Risk survey results Description of the risk Expected impact
Risk survey results
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use? SAQ D SAQ A SAQ C SAQ B
SAQ C
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database? XML injection SQL injection LDAP injection Cross-site scripting (XSS)
SQL injection
In what type of attack does the attacker send unauthorized commands directly to a database? Cross-site scripting Database dumping Cross-site request forgery SQL injection
SQL injection
Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her? Security+ CompTIA Advanced Security Practitioner (CASP) GIAC Security Expert (GSE) Certified Information Systems Security Professional (CISSP)
Security+
Which scenario presents a unique challenge for developers of mobile applications? Obtaining Internet Protocol (IP) addresses Using checkboxes Applying encryption to network communications Selecting multiple items from a list
Selecting multiple items from a list
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged into Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place? XML injection Cross-site scripting SQL injection Session hijacking
Session hijacking
Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place? Land Teardrop Smurf Cross-site scripting (XSS)
Smurf
What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)? Architecture for Internet protocols and procedures Editorial and publication procedures for requests for comments (RFCs) Subject matter expertise on routing and switching Confirmation of IETF chairs
Subject matter expertise on routing and switching
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? Data loss prevention CCTV Network IDS System integrity monitoring
System integrity monitoring
Which classification level is the highest level used by the U.S. federal government? Secret Private Confidential Top Secret
Top Secret
Which of the following items would generally NOT be considered personally identifiable information (PII)? Trade secret Driver's license number Name Social Security number
Trade secret
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? Worm Logic bomb Trojan horse Virus
Trojan horse
Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall? 80 53 22 25
25
What ISO security standard can help guide the creation of an organization's security policy? 42053 17259 27002 12333
27002
How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam? 7 8 9 10
8
What DoD directive requires that information security professionals in the government earn professional certifications? 8540 8140 8088 8270
8140
How many years of specialized experience are required to earn one of the Certified Information Systems Security Professional (CISSP) concentrations? Three Five Two Four
Two
Which one of the following is NOT a commonly accepted best practice for password security? Include a special character in passwords. Use at least six alphanumeric characters. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords. Do not include usernames in passwords.
Use at least six alphanumeric characters.
Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use? Virtual private network (VPN) Firewall Virtual LAN (VLAN) Transport Layer Security (TLS)
Virtual LAN (VLAN)
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime? Load balancing Redundant Array of Inexpensive Disks (RAID) Clustering Warm site
Warm site
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? Warm site Cold site Hot site Primary site
Warm site
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating? Blacklisting Whitelisting Packet filtering Context-based screening
Whitelisting
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? Domain Name System (DNS) Ping Whois Simple Network Management Protocol (SNMP)
Whois
Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity? 3G Digital subscriber line (DSL) 4G Wi-Fi
Wi-Fi
What type of network connects systems over the largest geographic area? Storage area network (SAN) Metropolitan area network (MAN) Local area network (LAN) Wide area network (WAN)
Wide area network (WAN)
Forensics and incident response are examples of __________ controls. deterrent detective corrective preventive
corrective
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime. incident disaster emergency event
disaster
Purchasing an insurance policy is an example of the ____________ risk management strategy. reduce avoid transfer accept
transfer
________ refers to a program of study approved by the State Department of Education in the state that a school operates. Continuing professional education (CPE) Accredited Certificate of completion Continuing education
Accredited
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature? Alice's private key Bob's private key Alice's public key Bob's public key
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature? Alice's private key Bob's public key Bob's private key Alice's public key
Alice's public key
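The two signature questions above hinge on which key does what: the signer's private key creates the signature, the signer's public key checks it. The following is an added example, not code from the original page, that walks through that with a textbook RSA signature. The primes and message are constructed for illustration; the key is far too small to be secure and there is no padding scheme, so this shows the key roles only. Real code should use a vetted library with large keys and RSA-PSS or an elliptic-curve signature.

```python
# Added example (not from the original page): textbook RSA signing to show
# which key signs and which key verifies. Primes below are tiny and the
# construction has no padding; it is NOT safe for real use.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Derive a toy RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Alice signs with HER PRIVATE key: sig = H(m)^d mod n."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Bob verifies with ALICE'S PUBLIC key: sig^e mod n must equal H(m)."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def demo():
    """Alice signs, Bob verifies, then a tampered message is checked.
    Returns (original_verifies, tampered_verifies). Message is constructed."""
    alice_public, alice_private = make_keypair(1000003, 1000033)
    message = b"Transfer 100 to Bob"
    signature = sign(message, alice_private)
    return (verify(message, signature, alice_public),
            verify(b"Transfer 1000 to Bob", signature, alice_public))
```

Anyone holding Alice's public key can run `verify`, which is why a signature gives non-repudiation as well as integrity: only the holder of the private key could have produced a value that checks out under the public exponent.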
Which organization created a standard version of the widely used C programming language in 1989? International Organization for Standardization (ISO) Institute of Electrical and Electronics Engineers (IEEE) European Telecommunications Standards Institute (ETSI) American National Standards Institute (ANSI)
American National Standards Institute (ANSI)
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? $2,000 $20,000 $2,000,000 $200,000
$20,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor? 1 percent 10 percent 50 percent 20 percent
20 percent
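The two Kim questions above are the standard quantitative risk formulas: EF = loss per event / asset value, SLE = AV x EF, ALE = SLE x ARO. The added example below (not from the original page) carries the arithmetic through in code and goes one step further than the questions by comparing the ALE before and after a control against the control's annual cost, which is the cost-benefit test a risk manager actually needs. The post-control damage figure and the $8,000 annual cost of the suppression system are assumed for illustration.

```python
# Added example (not from the original page): SLE/EF/ALE arithmetic plus the
# safeguard cost-benefit test. Control costs below are assumed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: what the facility is worth
    loss_per_event: float   # expected damage from one occurrence
    annual_rate: float      # ARO: occurrences per year (0.01 = once a century)

    @property
    def exposure_factor(self) -> float:
        """EF = fraction of the asset lost in one event."""
        return self.loss_per_event / self.asset_value

    @property
    def sle(self) -> float:
        """SLE = AV * EF (equals loss_per_event by construction)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """ALE = SLE * ARO."""
        return self.sle * self.annual_rate


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus its annual cost.
    Positive means the control pays for itself; negative means you would be
    spending more to protect the asset than the risk is worth."""
    return before.ale - after.ale - annual_cost


def demo():
    """Kim's fire scenario from the questions, plus an assumed suppression system."""
    fire = Risk(asset_value=10_000_000, loss_per_event=2_000_000, annual_rate=0.01)
    # Assumed: with suppression a fire does $200k damage (EF 2%); the system
    # costs $8,000 per year amortised. Both figures are constructed.
    with_suppression = Risk(asset_value=10_000_000, loss_per_event=200_000,
                            annual_rate=0.01)
    return {
        "EF": fire.exposure_factor,   # 0.2 -> 20 percent
        "SLE": fire.sle,              # 2,000,000
        "ALE": fire.ale,              # 20,000
        "net_value_of_control": safeguard_value(fire, with_suppression, 8_000),
    }
```

With the assumed numbers the control cuts ALE from $20,000 to $2,000 for $8,000 a year, a net gain of $10,000, so it is worth buying; had it cost $25,000 a year it would fail the test even though it clearly reduces risk.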
What is the maximum value for any octet in an IPv4 IP address? 129 513 65 255
255
Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow? 3389 989 143 443
3389
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication? 3389 443 143 80
443
What is NOT a valid encryption key length for use with the Blowfish algorithm? 64 bits 512 bits 256 bits 32 bits
512 bits
Jane is a manager at a federal government agency and recently hired a new employee, Mark, who will work with sensitive information. How much time does Jane have from Mark's hire date to get him security training? 60 days 30 days 10 days 15 days
60 days
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? An organization should properly destroy its information when it is no longer needed. An organization should keep its information up to date. An organization should share its information. An organization should collect only what it needs.
An organization should share its information.
Which of the following is NOT a role described in DoD Directive 8140, which covers cyber security training? Protect and defend Operate and maintain Investigate Attack
Attack
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? Covered entity as a healthcare clearinghouse Business associate of a covered entity Covered entity as a health plan Covered entity as a provider
Business associate of a covered entity
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy? Captive portal Remote Authentication Dial-In User Service (RADIUS) Lightweight Extensible Authentication Protocol (LEAP) Protected Extensible Authentication Protocol (PEAP)
Captive portal
Richard would like to earn a certification that demonstrates his ability to manage the information security function. What certification would be most appropriate for Richard? Certified Information Systems Auditor (CISA) Certified in Risk and Information Systems Control (CRISC) Certified Information Security Manager (CISM) Certified in the Governance of Enterprise IT (CGEIT)
Certified Information Security Manager (CISM)
Colin is a software developer. He would like to earn a credential that demonstrates to employers that he is well educated on software security issues. What certification would be most suitable for this purpose? Certified Cyber Forensics Professional (CCFP) Certified Secure Software Lifecycle Professional (CSSLP) HealthCare Certified Information Security Privacy Practitioner (HCISPP) Certified Information Systems Security Professional (CISSP)
Certified Secure Software Lifecycle Professional (CSSLP)
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works? Ciphertext only Known plaintext Chosen ciphertext Chosen plaintext
Chosen plaintext
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking? Integrity Confidentiality Accounting Availability
Confidentiality
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered? XML injection Cross-site scripting (XSS) Command injection SQL injection
Cross-site scripting (XSS)
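Larry's case is stored cross-site scripting: a seller put script into a listing field, the site echoed it into the page unencoded, and the browser ran it. The added example below (not code from the original page; the listing template and the attacker's description are constructed) shows the vulnerable rendering beside the fix, which is output encoding for the HTML context the data lands in.

```python
# Added example (not from the original page): a stored XSS payload in an
# auction listing, rendered unsafely and then safely. Inputs are constructed.
import html

# Constructed attacker input: a listing description carrying a script that
# mimics the password prompt Larry saw.
MALICIOUS_DESCRIPTION = (
    'Vintage watch <script>'
    'prompt("Session expired. Please re-enter your password:")'
    '</script>'
)


def render_listing_vulnerable(title: str, description: str) -> str:
    """Interpolates untrusted data straight into HTML, so the browser parses
    and executes any <script> the seller included."""
    return f"<h1>{title}</h1><p>{description}</p>"


def render_listing_safe(title: str, description: str) -> str:
    """Output-encodes untrusted data for an HTML text context: < > & " ' become
    entities, so the payload is displayed as text rather than parsed as markup."""
    return (f"<h1>{html.escape(title, quote=True)}</h1>"
            f"<p>{html.escape(description, quote=True)}</p>")


def contains_live_script(rendered_html: str) -> bool:
    """Crude check used only to show the difference: does a raw <script>
    tag survive into the rendered page?"""
    return "<script" in rendered_html.lower()


def demo():
    """Returns (vulnerable_page_has_script, safe_page_has_script)."""
    vulnerable = render_listing_vulnerable("Watch", MALICIOUS_DESCRIPTION)
    safe = render_listing_safe("Watch", MALICIOUS_DESCRIPTION)
    return contains_live_script(vulnerable), contains_live_script(safe)
```

Encoding is context-specific: `html.escape` is right for element text and quoted attribute values, but data placed inside a script block, a URL, or a CSS value needs the encoding for that context, and a Content Security Policy is a worthwhile second layer because it limits what an injected script can do if one slips through.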
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y? Business associate Covered entity Customer Consumer
Customer
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message? Hashing Validation Encryption Decryption
Decryption
Which risk is most effectively mitigated by an upstream Internet service provider (ISP)? Firewall configuration error Lost productivity Distributed denial of service (DDoS) Unauthorized remote access
Distributed denial of service (DDoS)
What is the highest level of academic degree that may be earned in the field of information security? Master of business administration (MBA) Bachelor of science (BS) Master of science (MS) Doctor of philosophy (PhD)
Doctor of philosophy (PhD)
What is a key principle of risk management programs? Apply controls in ascending order of risk. Security controls should be protected through the obscurity of their mechanisms. Don't spend more to protect an asset than it is worth. Risk avoidance is superior to risk mitigation.
Don't spend more to protect an asset than it is worth.
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? Compromising the privacy of users Enforcing the integrity of computer-based information Seeking to gain unauthorized access to resources Disrupting intended use of the Internet
Enforcing the integrity of computer-based information
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process? Federal Deposit Insurance Corporation (FDIC) Federal Communications Commission (FCC) Federal Trade Commission (FTC) Securities and Exchange Commission (SEC)
Federal Communications Commission (FCC)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? Federal Information Security Management Act (FISMA) Family Educational Rights and Privacy Act (FERPA) Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley (SOX) Act
Federal Information Security Management Act (FISMA)
David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use? Secure Shell (SSH) Internet Small Computer System Interface (iSCSI) Fibre Channel over Ethernet (FCoE) Fibre Channel (FC)
Fibre Channel over Ethernet (FCoE)
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities? GIAC Certified Penetration Tester (GPEN) GIAC Certified Firewall Analyst (GCFW) GIAC Systems and Network Auditor (GSNA) GIAC Certified Forensic Examiner (GCFE)
GIAC Certified Forensic Examiner (GCFE)
Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out? IEEE 802.3 ANSI x.1199 NIST 800-53 ISO 17799
IEEE 802.3
What certification organization began as an offshoot of the SANS Institute training programs? CompTIA International Information Systems Security Certification Consortium, Inc. (ISC)2 Certified Internet Webmaster (CIW) Global Information Assurance Certification (GIAC)
Global Information Assurance Certification (GIAC)
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues? Hub Switch Firewall Router
Hub
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve? Nonrepudiation Integrity Authentication Confidentiality
Integrity
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI? International Organization for Standardization (ISO) Ocean Surveillance Information System (OSIS) Information Systems Audit and Control Association (ISACA) National Institute of Standards and Technology (NIST)
International Organization for Standardization (ISO)
Which organization promotes technology issues as an agency of the United Nations? Internet Assigned Numbers Authority (IANA) International Telecommunication Union (ITU) Institute of Electrical and Electronics Engineers (IEEE) American National Standards Institute (ANSI)
International Telecommunication Union (ITU)
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block? Internet Control Message Protocol (ICMP) Hypertext Transfer Protocol (HTTP) User Datagram Protocol (UDP) Transmission Control Protocol (TCP)
Internet Control Message Protocol (ICMP)
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? Hashing Truncation Encryption Masking
Masking
What term describes the longest period of time that a business can survive without a particular critical system? Recovery time objective (RTO) Emergency operations center (EOC) Recovery point objective (RPO) Maximum tolerable downtime (MTD)
Maximum tolerable downtime (MTD)
Which agreement type is typically less formal than other agreements and expresses areas of common interest? Service level agreement (SLA) Memorandum of understanding (MOU) Interconnection security agreement (ISA) Blanket purchase agreement (BPA)
Memorandum of understanding (MOU)
What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?" National Aeronautics and Space Administration (NASA) National Institute of Standards and Technology (NIST) Federal Trade Commission (FTC) Federal Communications Commission (FCC)
National Institute of Standards and Technology (NIST)
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? Federal Communications Commission (FCC) National Institute of Standards and Technology (NIST) Department of Defense (DoD) National Security Agency (NSA)
National Institute of Standards and Technology (NIST)
Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model? Network Application Physical Session
Network
Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included? Patient safety Medical records formats Prescribing procedures Password management
Password management
Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? Communications Assistance for Law Enforcement Act (CALEA) Payment Card Industry Data Security Standard (PCI DSS) Health Insurance Portability and Accountability Act (HIPAA) Family Educational Rights and Privacy Act (FERPA)
Payment Card Industry Data Security Standard (PCI DSS)
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? Cross-platform virus Stealth virus Polymorphic virus Multipartite virus
Polymorphic virus
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed? Detective Deterrent Corrective Preventive
Preventive
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing? Policy Procedure Standard Guideline
Procedure
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis? Certificate of completion Bachelor's degree Professional certification Doctoral degree
Professional certification
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take? Reduce Avoid Transfer Accept
Reduce
What is NOT a symmetric encryption algorithm? Data Encryption Standard (DES) International Data Encryption Algorithm (IDEA) Carlisle Adams Stafford Tavares (CAST) Rivest-Shamir-Adleman (RSA)
Rivest-Shamir-Adleman (RSA)
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? SOC 1 SOC 2 SOC 3 SOC 4
SOC 3
What firewall approach is shown in the figure? Bastion host Screened subnet Border firewall Multilayered firewall
Screened subnet
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? Dynamic Host Configuration Protocol (DHCP) Transmission Control Protocol/Internet Protocol (TCP/IP) Secure Sockets Layer (SSL) Domain Name System (DNS)
Secure Sockets Layer (SSL)
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? Adware Pharming Command injection Spear phishing
Spear phishing
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows? Switch Hub Router Access point
Switch
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
What is NOT generally a section in an audit report? Timeline for Implementation System configurations Findings Recommendations
System configurations
Which term describes an action that can damage or compromise an asset? Risk Vulnerability Countermeasure Threat
Threat
Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place? Tier C Tier B Tier D Tier A
Tier A
What is NOT a typical sign of virus activity on a system? Unexpected error messages Unexplained decrease in available disk space Sudden sluggishness of applications Unexpected power failures
Unexpected power failures
Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use? Unified threat management (UTM) Router VPN concentrator Firewall
VPN concentrator
What is the only unbreakable cipher when it is used properly? Blowfish Vernam Rivest-Shamir-Adleman (RSA) Elliptic Curve Diffie-Hellman in Ephemeral mode (ECDHE)
Vernam
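"Used properly" is doing a lot of work in that answer: the Vernam cipher (one-time pad) is only unbreakable if the key is truly random, at least as long as the message, and never reused. The added example below (not code from the original page; the messages are constructed) implements the cipher and then shows what the reuse failure costs. XORing two ciphertexts made with the same pad cancels the key, and a guessed fragment of one message reads the other directly.

```python
# Added example (not from the original page): Vernam/one-time pad encryption
# and the two-time-pad break that follows from reusing the pad.
import secrets


def vernam(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The pad must cover the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: no longer a one-time pad")
    return bytes(d ^ k for d, k in zip(data, pad))


def new_pad(length: int) -> bytes:
    """Pad bytes must come from a CSPRNG; a seeded PRNG makes the 'pad' a
    stream cipher key and the unbreakability argument no longer applies."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad, c1 XOR c2 == p1 XOR p2: the key cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(xored_plaintexts: bytes, crib: bytes, offset: int) -> bytes:
    """Recover the other message at 'offset' by XORing a known or guessed
    fragment (a crib) of one message into p1 XOR p2."""
    segment = xored_plaintexts[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


def demo():
    """Correct use round-trips; reuse leaks plaintext. Messages are constructed."""
    p1 = b"ATTACK AT DAWN"
    p2 = b"RETREAT NOW!!!"
    pad = new_pad(len(p1))
    c1 = vernam(p1, pad)
    c2 = vernam(p2, pad)          # MISUSE: same pad used for a second message
    leak = two_time_pad_leak(c1, c2)
    # An eavesdropper who guesses that p1 begins "ATTACK" reads p2 there.
    recovered = crib_drag(leak, b"ATTACK", 0)
    return {
        "roundtrip_ok": vernam(c1, pad) == p1,
        "key_cancels": leak == bytes(a ^ b for a, b in zip(p1, p2)),
        "recovered_from_p2": recovered,   # b"RETREA"
    }
```

The practical lesson is that the unbreakability of the one-time pad is a statement about key management, not about XOR: key distribution (see the plaintext-key question earlier in this list) and single use are the whole security argument.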
What standard is NOT secure and should never be used on modern wireless networks? 802.11ac Wi-Fi Protected Access version 2 (WPA2) Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy (WEP)
What wireless security technology contains significant flaws and should never be used? Remote Authentication Dial-In User Service (RADIUS) WPA2 Wi-Fi Protected Access (WPA) Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP)
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information? Internet Engineering Task Force (IETF) International Electrotechnical Commission (IEC) National Institute of Standards and Technology (NIST) World Wide Web Consortium (W3C)
World Wide Web Consortium (W3C)