Info Security Final Exam Review

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

Is the security control likely to become obsolete in the near future?

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?

Masking

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?

Prudent

What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?

Publicly traded companies

In a ________, the attacker sends a large number of packets requesting connections to the victim computer.

SYNflood

The world needs people who understand computer-systems ________ and who can protect computers and networksfrom criminals and terrorists.

Security

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Decryption

________ is the basis for unified communications and is the protocol used by real-time applications such as IM chat, conferencing, and collaboration.

Dense wavelength division multiplexing (DWDM)

What is a key principle of risk management programs?

Don't spend more to protect an asset than it is worth.

Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?

Virtual LAN (VLAN)

Black-hat hackers generally poke holes in systems, but do not attempt to disclose __________ they find to the administrators of those systems.

Vulnerabilities

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?

Vulnerability

Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?

Hub

Which of the following is not a type of authentication?

identification

What term is used to describe a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective?

procedure

Any organization that is serious about security will view ___________ as anongoing process.

risk management

Which organization created a standard version of the widely used C programming language in 1989?

ANSI

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a high level of expertise

Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?

Approved scanning vendor (ASV)

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Authorization

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?

Nonrepudiation

________ is an authentication credential that is generally longer and more complex than a password.

Passphrase

In popular usage and in the media, the term ________ often describes someone who breaks into a computer system without authorization.

Hacker

What organization offers a variety of security certifications that are focused on the requirements of auditors?

ISACA

Connecting your computers or devices to the ________ immediately exposes them to attack.

Internet

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?

Qualitative

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

What type of network connects systems over the largest geographic area?

Wide area network (WAN)

Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?

World Wide Web Consortium (W3C)

Biometrics is another ________ method for identifying subjects.

access control

Two-factor __________ should be the minimum requirement for valuable resources asit provides a higher level of security than using only one.

authentication

___________ is the duty of every government that wants to ensure its national security.

Cybersecurity

Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?

Federal Communications Commission (FCC)

David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use?

Fibre Channel over Ethernet (FCoE)

Which approach to cryptography provides the strongest theoretical protection?

Quantum cryptography

Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?

Asymmetric encryption algorithm

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

Audit

What is meant by standard?

A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.

Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.

50

A __________ tries to break IT security and gain access to systems with no authorization, in order to prove technical prowess.

Black-hat hacker

_______ is the proportion of value of a particular asset likely to be destroyed by a given risk,expressed as a percentage.

Exposure factor (EF)

Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.

False

True or False: The Delphi method is the estimated loss due to a specific realized threat. The formula to calculate this loss is =SLE × ARO.

False

True or False: Voice mail and e-mail are examples of real-time communications.

False

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?

Family Policy Compliance Office (FPCO)

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?

Incident

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?

Integrity

Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?

Integrity

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?

National Institute of Standards and Technology (NIST)

What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?

National Security Agency (NSA)

Jennifer is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS)self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?

SAQ C

What is meant by annual rate of occurrence (ARO)?

The annual probability that a stated threat will be realized.

Which of the following is an accurate description of cloud computing?

The practice of using computing services that are delivered over a network.

Which of the following is the definition of access control?

The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.

Today, people working in cyberspace must deal with new and constantly evolving ________.

Threats

Which type of cipher works by rearranging the characters in a message?

Transposition

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?

20 percent

Which information security objective allows trusted entities to endorse information?

Certification

Which regulatory standard would NOT require audits of companies in the United States?

Personal Information Protection and Electronic Documents Act (PIPEDA)

Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?

Presentation

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?

Supervisory Control and Data Acquisition (SCADA)

What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?

Switch

Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.

True

Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?

Wi-Fi

A ___________ gives priorities to the functions an organization needs to keep going.

business continuity plan (BCP)

The requirement to keep information private or secret is the definition of __________.

confidentiality

A _________ has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. They represent the greatest threat to networks and information resources.

cracker

Audits also often look at the current configuration of a system as a snapshot in time to verify that it complies with ________.

standards

What term is used to describe communication that doesn't happen in real time but rather consists of messages (voice or e-mail) that are stored on a server and downloaded to endpoint devices?

store-and-forward communications

A security awareness program includes ________.

teaching employees about security objectives, motivatingusers to comply with security policies, informing users about trends and threats in society