Information Security Ch. 1-6, 9

¡Supera tus tareas y exámenes ahora con Quizwiz!

Denial of service (DoS) attacks are larger in scope than distributed denial of service (DDoS) attacks.

False

Passphrases are less secure than passwords.

False

Which element of the security policy framework offers suggestions rather than mandatory actions?

Guideline

Which one of the following is NOT a good technique for performing authentication of an end user?

Identification Number

What is the correct order of steps in the change control process?

Request, impact assessment, approval, build/test, implement, monitor

Authentication controls include passwords and personal identification numbers (PINs)

True

Rootkits are malicious software programs designed to be hidden from normal methods of detection.

True

Which one of the following is the best example of an authorization control?

Access Control Lists

Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?

Applying security updates promptly

Which type of attack involves the creation of some deception in order to trick unsuspecting users?

Fabrication

Which one of the following is an example of a direct cost that might result from a business disruption?

Facility Repair

Which of the following is an example of a hardware security control?

MAC filtering

What is NOT a commonly used endpoint security technique?

Network Firewall

Which one of the following is an example of a logical access control?

Password

Which approach to cryptography provides the strongest theoretical protection?

Quantum cryptography

Which of the following is NOT one of the four fundamental principles outlined by the Internet Society that will drive the success of Internet of Things (IoT) innovation?

Secure

Bring Your Own Device (BYOD) opens the door to considerable security issues.

True

Cars that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer.

True

The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.

True

The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?

13

Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?

22

Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?

96.67%

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?

Acceptability

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?

Alice's private key

During which phase of the access control process does the system answer the question, "What can the requestor access?"

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Authorization

Which password attack is typically used specifically against password files that contain cryptographic hashes?

Birthday Attacks

Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?

Bring Your Own Device (BYOD)

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

Business continuity plan (BCP)

Which information security objective allows trusted entities to endorse information?

Certification

Which activity manages the baseline settings for a system or device?

Configuration control

What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?

Content Filter

In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?

Correspondent node (CN)

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?

Crossover error rate (CER)

Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?

Data ownership

Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?

Deidentification

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Discretionary access control (DAC)

Which risk is most effectively mitigated by an upstream Internet service provider (ISP)?

Distributed denial of service (DDoS)

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

Enforcing the integrity of computer-based information

What is the first step in a disaster recovery effort?

Ensure that everyone is safe.

Which one of the following is an example of a disclosure threat?

Espionage

Barry discovers that an attacker is running an access point in a building adjacent to his company. The access point is broadcasting the security set identifier (SSID) of an open network owned by the coffee shop in his lobby. Which type of attack is likely taking place?

Evil Twin

A VPN router is a security appliance that is used to filter IP packets.

False

A dictionary password attack is a type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource.

False

A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.

False

A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer.

False

A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.

False

Authorization controls include biometric devices.

False

Bricks-and-mortar stores are completely obsolete now.

False

Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.

False

Configuration changes can be made at any time during a system life cycle and no process is required.

False

Connectivity is one of the five critical challenges that the Internet of Things (IoT) has to overcome.

False

Cryptographic key distribution is typically done by phone.

False

Cryptography is the process of transforming data from cleartext into ciphertext.

False

Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers and secure web pages.

False

In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data, and has no choice as to what that data might be.

False

In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

Regarding the Internet of Things (IoT), a business involved in utilities, critical infrastructure, or environmental services can benefit from traffic-monitoring applications.

False

Service-level agreements (SLAs) are optical backbone trunks for private optical backbone networks.

False

Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files.

False

The Sarbanes-Oxley (SOX) Act requires all types of financial institutions to protect customers' private financial information.

False

The main difference between a virus and a worm is that a virus does not need a host program to infect.

False

The number of failed logon attempts that trigger an account action is called an audit logon event.

False

The term "data owner" refers to the person or group that manages an IT infrastructure.

False

Vishing is a type of wireless network attack.

False

Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software.

False

Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).

False

What compliance regulation applies specifically to the educational records maintained by schools about students?

Family Education Rights and Privacy Act (FERPA)

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Formatting

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?

HIPPA

Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?

Health Monitoring

Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?

Internet Engineering Task Force

Which network device is capable of blocking network connections that are identified as potentially malicious?

Intrusion prevention system (IPS)

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?

Kerberos

Which of the following is NOT a benefit of cloud computing to organizations?

Lower dependence on outside vendors

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

What level of technology infrastructure should you expect to find in a cold site alternative data center facility?

No technology infrastructure

Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?

OC-12

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?

Online Certificate Status Protocol (OCSP)

Which type of authentication includes smart cards?

Ownership

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?

Parallel Test

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Phising

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change

Which element of the security policy framework requires approval from upper management and applies to the entire organization?

Policy

Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?

Project initiation and planning

Which group is the most likely target of a social engineering attack?

Receptionists and administrative assistants

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?

Recovery time objective (RTO)

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?

Redundant Array of Independent Disks (RAID)

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?

Risk Management Guide for Information Technology Systems (NIST SP800-30)

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?

Risk survey results

Which scenario presents a unique challenge for developers of mobile applications?

Selecting multiple items from a list

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Separation of duties

In which type of attack does the attacker attempt to take over an existing connection between two systems?

Session Hikacking

Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?

Software as a Service (SaaS)

Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?

Spim

Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries?

Technical and industry development

Which one of the following is NOT an example of store-and-forward messaging?

Telephone call

Which term describes an action that can damage or compromise an asset?

Threat

What type of malicious software masquerades as legitimate software to entice the user to run it?

Trojan Horse

A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.

True

A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.

True

A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.

True

A man-in-the-middle attack takes advantage of the multihop process used by many types of networks.

True

A person demonstrates anonymity when posting information to a web discussion site without authorities knowing who he or she is.

True

A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.

True

A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader.

True

A successful change control program should include the following elements to ensure the quality of the change control process: peer review, documentation, and back-out plans.

True

A trusted operating systems (TOS) provides features that satisfy specific government requirements for security.

True

Common methods used to identify a user to a system include username, smart card, and biometrics.

True

Company-related classifications are not standard, therefore, there may be some differences between the terms "private" and "confidential" in different companies.

True

Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.

True

Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones.

True

E-commerce systems and applications demand strict confidentiality, integrity, and availability (CIA) security controls.

True

Fingerprints, palm prints, and retina scans are types of biometrics.

True

For businesses and organizations under recent compliance laws, data classification standards typically include private, confidential, internal use only, and public domain categories.

True

In e-business, secure web applications are one of the critical security controls that each organization must implement to reduce risk.

True

IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations.

True

Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used.

True

Networks, routers, and equipment require continuous monitoring and management to keep wide area network (WAN) service available.

True

One advantage of using a security management firm for security monitoring and is that it has a high level of expertise.

True

Organizations should start defining their IT security policy framework by defining an asset classification policy

True

Policies that cover data management should cover transitions throughout the data life cycle.

True

Screen locks are a form of endpoint device security control.

True

Social engineering is deceiving or using people to get around security controls.

True

Some vending machines are equipped with a cellular phone network antenna for secure credit card transaction processing.

True

The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).

True

The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.

True

The System/Application Domain holds all the mission-critical systems, applications, and data.

True

The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.

True

The director of IT security is generally in charge of ensuring that the Workstation Domain conforms to policy.

True

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.

True

The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services.

True

The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.

True

The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.

True

Using Mobile IP, users can move between segments on a local area network (LAN) and stay connected without interruption.

True

When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks.

True

With proactive change management, management initiates the change to achieve a desired goal.

True

What is NOT an effective key distribution method for plaintext encryption keys?

Unencrypted email

An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?

Urgency

Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?

White-hat hacker

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

security kernel

Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?

typosquatting


Conjuntos de estudio relacionados

Chemistry Periodic Trends Retake Test Info (not done yet)

View Set

Marketing Management test 3 study

View Set

Second Language Acquisition Theories

View Set