INSY 4312 Exam 2 Review
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?
$20,000
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
*Alice's public key* Alice's private key Bob's public key Bob's private key
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?
*Chosen plaintext* Ciphertext only Known plaintext Chosen ciphertext
What is NOT a symmetric encryption algorithm?
*Rivest-Shamir-Adelman (RSA)* Data Encryption Standard (DES) International Data Encryption Algorithm (IDEA) Carlisle Adams Stafford Tavares (CAST
A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
*True* False
A salt value is a set of random characters you can combine with an actual input key to create the encryption key.
*True* False
A substitution cipher replaces bits, characters, or blocks of information with other bits, characters, or blocks.
*True* False
Digital signatures require asymmetric key cryptography.
*True* False
In a chosen-ciphertext attack, cryptanalysts submit data coded with the same cipher and key they are trying to break to the decryption device to see either the plaintext output or the effect the decrypted message has on some system.
*True* False
Integrity-checking tools use cryptographic methods to make sure nothing and no one has modified the software.
*True* False
The Diffie-Hellman (DHE) algorithm is the basis for several common key exchange protocols, including Diffie-Hellman in Ephemeral mode (DHE) and Elliptic Curve DHE (ECDHE).
*True* False
The financial industry created the ANSI X9.17 standard to define key management procedures.
*True* False
What standard is NOT secure and should never be used on modern wireless networks?
*Wired Equivalent Privacy (WEP)* Wi-Fi Protected Access (WPA) Wi-Fi Protected Access version 2 (WPA2) 802.11ac
What file type is least likely to be impacted by a file infector virus?
.docx
Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?
2
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall?
25
What is the maximum value for any octet in an IPv4 IP address?
255
What ISO security standard can help guide the creation of an organization's security policy?
27002
What is NOT a valid encryption key length for use with the Blowfish algorithm?
32 bits 64 bits 256 bits *512 bits*
Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?
3389
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
443
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
443 HTTP over SSL
Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.
50
What is NOT a valid encryption key length for use with the Blowfish algorithm?
512 bits
Jane is a manager at a federal government agency and recently hired a new employee, Mark, who will work with sensitive information. How much time does Jane have from Mark's hire date to get him security training?
60 days
How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam?
8
What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities?
800
Which Institute of Electrical and Electronics Engineers (IEEE) standard covers wireless LANs?
802.11
What DoD directive requires that information security professionals in the government earn professional certifications?
8140
True
A SYN flood attack floods a target with invalid or half-open TCP connection requests. True or False?
Script kiddie
A person with a very little hacking skills?
OCTAVE
A risk management approach that requires a distributed approach with business units working with the IT organization.
Replay
A type of attack involves capturing data packets from a network and transmitting them later to produce unauthorized effect?
DDoS
A type of attacks result in legitimate users not having access to a system resource?
Cryptolocker malware
A type of malware that involves extorting the user or organization into paying money to release a decryption key.
Worm
A type of malware that is a self-contained program that replicates and sends copies of itself to other computers, generally across a network.
Business Continuity plan
A written plan for a structured response to any events that result in an interruption to critical business activities or functions. A BIA defines the resources
Packet sniffer
A(n) _____ is a software tool that is used to capture packets from a network.
Threat
A(n) _____ is any action that could damage an asset.
Vulnerability
A(n) _____ is any weakness that makes it possible for a threat to cause harm to a computer or network.
11. Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create? A. Baseline B. Policy C. Guideline D. Procedure
A. Baseline
16. Which security model does NOT protect the integrity of information? A. Bell-LaPadula B. Clark-Wilson C. Biba D. Brewer and Nash
A. Bell-LaPadula
18. Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting? A. Black-box test B. White-box test C. Grey-box test D. Blue-box test
A. Black-box test
8. Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? A. Checklist B. Interviews C. Questionnaires D. Observation
A. Checklist
14. Which activity manages the baseline settings for a system or device? A. Configuration control B. Reactive change management C. Proactive change management D. Change control
A. Configuration control
What compliance regulation applies specifically to the educational records maintained by schools about students? A. Family Education Rights and Privacy Act (FERPA) B. Health Insurance Portability and Accountability Act (HIPAA) C. Federal Information Security Management Act (FISMA) D. Gramm-Leach-Bliley Act (GLBA)
A. Family Education Rights and Privacy Act (FERPA)
17. Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data? A. Formatting B. Degaussing C. Physical destruction D. Overwriting
A. Formatting
2. Which of the following would NOT be considered in the scope of organizational compliance efforts? A. Laws B. Company policy C. Internal audit D. Corporate culture
A. Laws
14. What term describes the longest period of time that a business can survive without a particular critical system? A. Maximum tolerable downtime (MTD) B. Recovery time objective (RTO) C. Recovery point objective (RPO) D. Emergency operations center (EOC)
A. Maximum tolerable downtime (MTD)
Which one of the following is an example of a reactive disaster recovery control? A. Moving to a warm site B. Disk mirroring C. Surge suppression D. Antivirus software
A. Moving to a warm site The use of alternate processing facilities, such as warm sites, is a reactive control. Some parts of a disaster recovery plan (DRP) are preventive and intended to avoid the negative effects of a disaster in the first place. Preventive components of a DRP may include disk mirroring, surge suppression, and antivirus software.
16. Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking? A. Project initiation and planning B. Functional requirements and definition C. System design specification D. Operations and maintenance
A. Project initiation and planning
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining? A. Recovery time objective (RTO) B. Recovery point objective (RPO) C. Business recovery requirements D. Technical recovery requirements
A. Recovery time objective (RTO) The RTO expresses the maximum allowable time to recover a function. Time may be a critical factor and specifying the requirements for recovery time helps determine the best recovery options.
10. Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take? A. Reduce B. Transfer C. Accept D. Avoid
A. Reduce
6. Which item is an auditor least likely to review during a system controls audit? A. Resumes of system administrators B. Incident records C. Application logs D. Penetration test results
A. Resumes of system administrators
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use? A. Risk Management Guide for Information Technology Systems (NIST SP800-30) B. CCTA Risk Analysis and Management Method (CRAMM) C. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) D. ISO/IEC 27005, "Information Security Risk Management"
A. Risk Management Guide for Information Technology Systems (NIST SP800-30) NIST SP800-30, "Risk Management Guide for Information Technology Systems," is a widely used guide for IT security assessments. It contains specific guidance for U.S. government agencies and would be the most appropriate methodology for use in a federal government setting
12. What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? A. Secure European System for Applications in a Multi-Vendor Environment (SESAME) B. Lightweight Directory Access Protocol (LDAP) C. Security Assertion Markup Language (SAML) D. Kerberos
A. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
19. What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? A. Security Assertion Markup Language (SAML) B. Secure European System for Applications in a Multi-Vendor Environment (SESAME) C. User Datagram Protocol (UDP) D. Password Authentication Protocol (PAP)
A. Security Assertion Markup Language (SAML)
15. Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work? A. Security information and event management (SIEM) B. Intrusion prevention system (IPS) C. Data loss prevention (DLP) D. Virtual private network (VPN)
A. Security information and event management (SIEM)
4. Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
A. Service level agreement (SLA)
6. Which one of the following is an example of two-factor authentication? A. Smart card and personal identification number (PIN) B. Personal identification number (PIN) and password C. Password and security questions D. Token and smart card
A. Smart card and personal identification number (PIN)
4. Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer? A. Supervisory Control and Data Acquisition (SCADA) B. Embedded C. Mobile D. Mainframe
A. Supervisory Control and Data Acquisition (SCADA)
A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster. A. True B. False
A. True
A surge protector is an example of a preventative component of a disaster recovery plan (DRP). A. True B. False
A. True
Authentication controls include passwords and personal identification numbers (PINs). A. True B. False
A. True
In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data. A. True B. False
A. True
Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device. A. True B. False
A. True
Screen locks are a form of endpoint device security control. A. True B. False
A. True
The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems. A. True B. False
A. True
The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry. A. True B. False
A. True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary. A. True B. False
A. True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable. A. True B. False
A. True
The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks. A. True B. False
A. True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks. A. True B. False
A. True
8. Which one of the following is NOT a commonly accepted best practice for password security? A. Use at least six alphanumeric characters. B. Do not include usernames in passwords. C. Include a special character in passwords. D. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.
A. Use at least six alphanumeric characters.
4. The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. A. security kernel B. CPU C. memory D. co-processor
A. security kernel
Risk register
According to PMI, which term best describes the list of identified risks?
________ refers to a program of study approved by the State Department of Education in the state that a school operates.
Accredited
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's public key *Alice's private key* Bob's public key Bob's private key
Which organization created a standard version of the widely used C programming language in 1989?
American National Standards Institute (ANSI)
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees?
Annually
Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with?
Application and Session
Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?
Application proxying
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?
Approved scanning vendor (ASV)
What level of academic degree requires the shortest period of time to earn and does NOT require any other postsecondary degree as a prerequisite?
Associate's degree
Which set of characteristics describes the Caesar cipher accurately?
Asymmetric, block, substitution < wrong Asymmetric, stream, transposition Symmetric, stream, substitution Symmetric, block, transposition
Which of the following is NOT a role described in DoD Directive 8140, which covers cybersecurity training?
Attack
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?
Authorize the IT system for processing
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?
Authorize the IT system for processing.
__________ is a continuous process designed to keep all personnel vigilant.
Awareness
8. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)? A. $2,000 B. $20,000 C. $200,000 D. $2,000,000
B. $20,000
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation? A. 11 B. 13 C. 15 D. 18
B. 13
16. Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore? A. 1 B. 2 C. 3 D. 4
B. 2
3. Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? A. Reduced operating costs B. Access to a high level of expertise C. Developing in-house talent D. Building internal knowledge
B. Access to a high level of expertise
8. What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? A. An organization should collect only what it needs. B. An organization should share its information. C. An organization should keep its information up to date. D. An organization should properly destroy its information when it is no longer needed.
B. An organization should share its information.
1. Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in? A. Monitor B. Audit C. Improve D. Secure
B. Audit
18. In an accreditation process, who has the authority to approve a system for implementation? A. Certifier B. Authorizing official (AO) C. System owner D. System administrator
B. Authorizing official (AO)
9. Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? A. Does the organization have an effective password policy? B. Does the firewall properly block unsolicited network connection attempts? C. Who grants approval for access requests? D. Is the password policy uniformly enforced?
B. Does the firewall properly block unsolicited network connection attempts?
1. What a key principle of risk management programs? A. Security controls should be protected through the obscurity of their mechanisms. B. Don't spend more to protect an asset than it is worth. C. Apply controls in ascending order of risk. D. Risk avoidance is superior to risk mitigation.
B. Don't spend more to protect an asset than it is worth.
Most enterprises are well prepared for a disaster should one occur. A. True B. False
B. False : Most enterprises remain unprepared or underprepared for disaster. Despite recurrent reminders, many companies do not have a disaster recovery plan (DRP) at all.
A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats. A. True B. False
B. False A gap analysis is a comparison of the security controls you have in place and the controls you need in order to address all identified threats. A security policy defines a risk-mitigating definition or solution for your organization
Authorization controls include biometric devices. A. True B. False
B. False Authorization controls include access control lists, physical access control, and network traffic filters. A biometric device is an authentication control.
Removable storage is a software application that allows an organization to monitor and control business data on a personally owned device. A. True B. False
B. False Mobile device management (MDM) includes a software application that allows organizations to monitor, control, data wipe, or data delete business data from a personally owned device.
Continuity of critical business functions and operations is the first priority in a well-balanced business continuity plan (BCP). A. True B. False
B. False Safety and well-being of people is the first priority in a well-balanced BCP.
The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios. A. True B. False
B. False The steps involved in creating a comprehensive DRP should be completed in this order: define potential threats, document likely impact scenarios, and document the business and technical requirements to initiate the implementation phase.
Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time. A. True B. False
B. False A mobile site is very flexible, has a fairly short switchover time, and has widely varying costs based on size and capacity. A cold site is the least expensive option but at the cost of the longest switchover time, since all hardware, software, and data must be loaded at the new site.
The term risk methodology refers to a list of identified risks that results from the risk-identification process. A. True B. False
B. False Risk methodology is a description of how you will manage risk. The risk register is a list of identified risks that results from the risk-identification process.
14. Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring? A. Remote administration error B. False positive error C. Clipping error D. False negative error
B. False positive error
19. When should an organization's managers have an opportunity to respond to the findings in an audit? A. Managers should write a report after receiving the final audit report. B. Managers should include their responses to the draft audit report in the final audit report. C. Managers should not have an opportunity to respond to audit findings. D. Managers should write a letter to the Board following receipt of the audit report.
B. Managers should include their responses to the draft audit report in the final audit report.
What is NOT a commonly used endpoint security technique? A. Full device encryption B. Network firewall C. Remote wiping D. Application control
B. Network firewall A network firewall is not an endpoint control because it is deployed on a network connection. Full device encryption, remote wiping, and application control are all examples of endpoint device security controls.
5. Which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action
B. Ownership
1. Which one of the following is an example of a logical access control? A. Key for a lock B. Password C. Access card D. Fence
B. Password
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals? A. Health Insurance Portability and Accountability Act (HIPAA) B. Payment Card Industry Data Security Standard (PCI DSS) C. Federal Information Security Management Act (FISMA) D. Federal Financial Institutions Examination Council (FFIEC)
B. Payment Card Industry Data Security Standard (PCI DSS) PCI DSS applies to all merchants and service providers who handle credit card information.
4. Which regulatory standard would NOT require audits of companies in the United States? A. Sarbanes-Oxley Act (SOX) B. Personal Information Protection and Electronic Documents Act (PIPEDA) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standard (PCI DSS)
B. Personal Information Protection and Electronic Documents Act (PIPEDA)
12. Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed? A. Detective B. Preventive C. Corrective D. Deterrent
B. Preventive
20. Which activity is an auditor least likely to conduct during the information-gathering phase of an audit? A. Vulnerability testing B. Report writing C. Penetration testing D. Configuration review
B. Report writing
15. What is the correct order of steps in the change control process? A. Request, approval, impact assessment, build/test, monitor, implement B. Request, impact assessment, approval, build/test, implement, monitor C. Request, approval, impact assessment, build/test, implement, monitor D. Request, impact assessment, approval, build/test, monitor, implement
B. Request, impact assessment, approval, build/test, implement, monitor
Which formula is typically used to describe the components of information security risks? A. Risk = Likelihood X Vulnerability B. Risk = Threat X Vulnerability C. Risk = Threat X Likelihood D. Risk = Vulnerability X Cost
B. Risk = Threat X Vulnerability The risk equation is Risk = Threat X Vulnerability. A threat is the frequency of any event. In most cases, the events in the threat equation are negative or adverse events. Vulnerability is the likelihood that a specific threat will successfully be carried out. Multiplying the probability of a threat and the likelihood of a vulnerability yields the risk of that particular event
19. In what type of attack does the attacker send unauthorized commands directly to a database? A. Cross-site scripting B. SQL injection C. Cross-site request forgery D. Database dumping
B. SQL injection
13. Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network? A. Transmission Control Protocol/Internet Protocol (TCP/IP) B. Secure Sockets Layer (SSL) C. Domain Name System (DNS) D. Dynamic Host Configuration Protocol (DHCP)
B. Secure Sockets Layer (SSL)
17. Which one of the following principles is NOT a component of the Biba integrity model? A. Subjects cannot read objects that have a lower level of integrity than the subject. B. Subjects cannot change objects that have a lower integrity level. C. Subjects at a given integrity level can call up only subjects at the same integrity level or lower. D. A subject may not ask for service from subjects that have a higher integrity level.
B. Subjects cannot change objects that have a lower integrity level.
11. What is NOT generally a section in an audit report? A. Findings B. System configurations C. Recommendations D. Timeline for Implementation
B. System configurations
12. What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system? A. Network IDS B. System integrity monitoring C. CCTV D. Data loss prevention
B. System integrity monitoring
2. Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered? A. Threat B. Vulnerability C. Risk D. Impact
B. Vulnerability
15. Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime? A. Clustering B. Warm site C. Load balancing D. Redundant Array of inexpensive Disks (RAID)
B. Warm site
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? A. Hot site B. Warm site C. Cold site D. Primary site
B. Warm site A warm site balances cost and switchover time. It is less expensive than a hot site but can activate more quickly than a cold site.
9. Purchasing an insurance policy is an example of the ____________ risk management strategy. A. reduce B. transfer C. accept D. avoid
B. transfer
What program, released in 2013, is an example of ransomware?
BitLocker
Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?
Bob's public key
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business Continuity Plan (BCP)
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Business associate of a covered entity
6. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor? A. 1 percent B. 10 percent C. 20 percent D. 50 percent
C. 20 percent
Which one of the following is the best example of an authorization control? A. Biometric device B. Digital certificate C. Access control lists D. One-time password
C. Access control lists Once you have authenticated a user, access controls help ensure that only authorized users can access the protected resources. Authorization controls include access control lists, intrusion prevention systems, and network traffic filters.
6. What is NOT a good practice for developing strong professional ethics? A. Set the example by demonstrating ethics in daily activities B. Encourage adopting ethical guidelines and standards C. Assume that information should be free D. Inform users through security awareness training
C. Assume that information should be free
2. During which phase of the access control process does the system answer the question, "What can the requestor access?" A. Identification B. Authentication C. Authorization D. Accountability
C. Authorization
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. Service level agreement (SLA)
C. Business continuity plan (BCP) BCPs specify how an organization can recover from an interruption, as opposed to a disaster that would be covered by the DRP. In general, an interruption is a minor event that may disrupt one or more business processes for a short period. In contrast, a disaster is an event that affects multiple business processes for an extended period. Disasters often also cause substantial resource damage that you must address before you can resolve the business process interruption.
9. Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? A. False acceptance rate (FAR) B. False rejection rate (FRR) C. Crossover error rate (CER) D. Reaction time
C. Crossover error rate (CER)
10. What information should an auditor share with the client during an exit interview? A. Draft copy of the audit report B. Final copy of the audit report C. Details on major issues D. The auditor should not share any information with the client at this phase
C. Details on major issues
7. Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? A. Seeking to gain unauthorized access to resources B. Disrupting intended use of the Internet C. Enforcing the integrity of computer-based information D. Compromising the privacy of users
C. Enforcing the integrity of computer-based information
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers? A. FFIEC B. FISMA C. HIPAA D. PCI DSS
C. HIPAA Health Insurance Portability and Accountability Act (HIPAA) governs the way doctors, hospitals, and other health care providers handle personal medical information. HIPAA requires that all medical records, billing, and patient information be handled in ways that maintain the patient's privacy.
7. What is a set of concepts and policies for managing IT infrastructure, development, and operations? A. ISO 27002 B. Control Objectives for Information and related Technology (COBIT) C. IT Infrastructure Library (ITIL) D. NIST Cybersecurity Framework (CSF)
C. IT Infrastructure Library (ITIL)
13. Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need? A. Video surveillance B. Motion detectors C. Mantraps D. Biometrics
C. Mantraps
5. Which agreement type is typically less formal than other agreements and expresses areas of common interest? A. Service level agreement (SLA) B. Blanket purchase agreement (BPA) C. Memorandum of understanding (MOU) D. Interconnection security agreement (ISA)
C. Memorandum of understanding (MOU)
17. Which security testing activity uses tools that scan for services running on systems? A. Reconnaissance B. Penetration testing C. Network mapping D. Vulnerability testing
C. Network mapping
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario? A. Checklist test B. Full interruption test C. Parallel test D. Simulation test
C. Parallel test The parallel test evaluates the effectiveness of the disaster recovery plan (DRP) by enabling full processing capability at an alternate data center without interrupting activity at the primary data center.
2. Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use? A. Promiscuous B. Permissive C. Prudent D. Paranoid
C. Prudent
5. Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis? A. Quantitative B. Financial C. Qualitative D. Objective
C. Qualitative
18. Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? A. Remote Authentication Dial-In User Service (RADIUS) B. Terminal Access Controller Access Control System Plus (TACACS+) C. Redundant Array of Independent Disks (RAID) D. DIAMETER
C. Redundant Array of Independent Disks (RAID)
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? A. Description of the risk B. Expected impact C. Risk survey results D. Mitigation steps
C. Risk survey results The risk register can contain many different types of information but should contain at a minimum: a description of the risk, the expected impact if the associated event occurs, the probability of the event occurring, steps to mitigate the risk, steps to take should the event occur, and the rank of the risk. Risk survey results are not typically included in a risk register.
5. Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C. SOC 3
What is NOT one of the three tenets of information security? A. Confidentiality B. Integrity C. Safety D. Availability
C. Safety
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct? A. Checklist test B. Parallel test C. Simulation test D. Structured walk-through
C. Simulation test A simulation test is more realistic than a structured walk-through. In a simulation test, the DRP team uses role playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations.
20. Forensics and incident response are examples of __________ controls. A. detective B. preventive C. corrective D. deterrent
C. corrective
19. A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime. A. incident B. event C. disaster D. emergency
C. disaster
Jim is an experienced security professional who recently accepted a position in an organization that uses Check Point firewalls. What certification can Jim earn to demonstrate his ability to administer these devices?
CCSA
What is NOT an effective key distribution method for plaintext encryption keys?
CD
Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs?
CISSP-ISSAP
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?
Captive portal
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Certificate revocation list (CRL) < wrong International Data Encryption Algorithm (IDEA) < wrong Transport Layer Security (TLS) Online Certificate Status Protocol (OCSP)
Which information security objective allows trusted entities to endorse information?
Certification
Richard would like to earn a certification that demonstrates his ability to manage the information security function. What certification would be most appropriate for Richard?
Certified Information Security Manager (CISM)
Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications?
Certified Information Security Manager (CISM)
What certification focuses on information systems audit, control, and security professionals?
Certified Information Systems Auditor (CISA)
Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals?
Certified Information Systems Security Professional (CISSP)
Colin is a software developer. He would like to earn a credential that demonstrates to employers that he is well educated on software security issues. What certification would be most suitable for this purpose?
Certified Secure Software Lifecycle Professional (CSSLP)
Which of the following circumstances would NOT trigger mandatory security training for a federal agency under Office of Personnel Management (OPM) guidelines?
Change of senior leadership
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?
Chief information security officer (CISO)
Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors?
Children's Internet Protection Act (CIPA)
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?
Chosen plaintext
Which of the following Cisco certifications demonstrates the most advanced level of security knowledge?
Cisco Certified Internetwork Expert (CCIE) Security
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
Confidentiality
Alison discovers that a system under her control has been infected with malware, which is using a keylogger to report user keystrokes to a third party. What information security property is this malware attacking?
Confidentiality
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Confidentiality *Integrity* Authentication Nonrepudiation
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
Confidentiality Integrity Authentication < wrong Nonrepudiation
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?
Consumer
Forensics and incident response are examples of __________ controls.
Corrective
Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect?
Credit card information
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Cross-site scripting (XSS)
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Cross-site scripting (XSS)
What program, released in 2013, is an example of ransomware?
Crypt0L0cker
Which element is NOT a core component of the ISO 27002 standard?
Cryptography
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y?
Customer
7. Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)? A. $2,000 B. $20,000 C. $200,000 D. $2,000,000
D. $2,000,000
10. Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? A. Accuracy B. Reaction time C. Dynamism D. Acceptability
D. Acceptability
3. Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? A. Identification B. Authentication C. Authorization D. Accountability
D. Accountability
1. Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? A. Identification B. Authentication C. Accountability D. Authorization
D. Authorization
7. Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? A. Dictionary attack B. Rainbow table attack C. Social engineering attack D. Brute-force attack
D. Brute-force attack
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices? A. Support ownership B. Onboarding/offboarding C. Forensics D. Data ownership
D. Data ownership
What is the first step in a disaster recovery effort? A. Respond to the disaster. B. Follow the disaster recovery plan (DRP). C. Communicate with all affected parties. D. Ensure that everyone is safe.
D. Ensure that everyone is safe. The first critical step in a disaster recovery plan is to ensure that everyone is safe. The second step is responding to the disaster before pursuing recovery, and the final step is following the DRP, which includes communicating with all affected parties.
Which one of the following is an example of a direct cost that might result from a business disruption? A. Damaged reputation B. Lost market share C. Lost customers D. Facility repair
D. Facility repair Direct costs are immediate expenditures that reduce profit, such as the cost to repair a facility. Indirect costs, such as damaged reputation, lost market share, and lost customers, affect revenue but are harder to calculate because there is no record of an expenditure.
18. Which recovery site option provides readiness in minutes to hours? A. Warm site B. Cold site C. Multiple sites D. Hot site
D. Hot site
3. Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity? A. Event B. Outage C. Incursion D. Incident
D. Incident
3. Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit? A. Is the level of security control suitable for the risk it addresses? B. Is the security control in the right place and working well? C. Is the security control effective in addressing the risk it was designed to address? D. Is the security control likely to become obsolete in the near future?
D. Is the security control likely to become obsolete in the near future?
20. Which of the following is NOT a benefit of cloud computing to organizations? A. On-demand provisioning B. Improved disaster recovery C. No need to maintain a data center D. Lower dependence on outside vendors
D. Lower dependence on outside vendors
What level of technology infrastructure should you expect to find in a cold site alternative data center facility? A. Hardware and data that mirror the primary site B. Hardware that mirrors the primary site, but no data C. Basic computer hardware D. No technology infrastructure
D. No technology infrastructure
12. Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of? A. Intimidation B. Name dropping C. Appeal for help D. Phishing
D. Phishing
11. Which one of the following is NOT an advantage of biometric systems? A. Biometrics require physical presence. B. Biometrics are hard to fake. C. Users do not need to remember anything. D. Physical characteristics may change.
D. Physical characteristics may change.
10. What is NOT a goal of information security awareness programs? A. Teach users about security objectives B. Inform users about trends and threats in security C. Motivate users to comply with security policy D. Punish users who violate policy
D. Punish users who violate policy
17. Which data source comes first in the order of volatility when conducting a forensic investigation? A. Logs B. Data files on disk C. Swap and paging files D. RAM
D. RAM
11. What term describes the risk that exists after an organization has performed all planned countermeasures and controls? A. Total risk B. Business risk C. Transparent risk D. Residual risk
D. Residual risk
14. Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control (RBAC)
D. Role-based access control (RBAC)
13. Which of the following is an example of a hardware security control? A. NTFS permission B. MAC filtering C. ID badge D. Security policy
D. Security policy
15. Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? A. Least privilege B. Security through obscurity C. Need to know D. Separation of duties
D. Separation of duties
9. Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? A. Job rotation B. Least privilege C. Need-to-know D. Separation of duties
D. Separation of duties
16. Which intrusion detection system strategy relies upon pattern matching? A. Behavior detection B. Traffic-based detection C. Statistical detection D. Signature detection
D. Signature detection
13. Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions? A. Value B. Sensitivity C. Criticality D. Threat
D. Threat
20. In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete? A. Spiral B. Agile C. Lean D. Waterfall
D. Waterfall
What is NOT one of the four main purposes of an attack?
Data import
Betty receives a ciphertext message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Diffie-Hellman
What is the highest level of academic degree that may be earned in the field of information security?
Doctor of philosophy (PhD)
What a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
What is a key principle of risk management programs?
Don't spend more to protect an asset than it is worth.
What protocol is responsible for assigning IP addresses to hosts on most networks?
Dynamic Host Configuration Protocol (DHCP)
What type of security communication effort focuses on a common body of knowledge?
Education
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
Elliptic curve Decryption Encryption *Hash*
Tonya is working with a team of subject matter experts to diagnose a problem with her system. The experts determine that the problem likely resides at the Presentation Layer of the Open Systems Interconnection (OSI) model. Which technology is the most likely suspect?
Encryption
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)?
Encryption
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Encryption Hashing *Decryption* Validation
What is the first step in a disaster recovery effort?
Ensure that everyone is safe
Which organization creates information security standards that specifically apply within the European Union?
European Telecommunications Standards Institute (ETSI) Cyber Security Technical Committee (TC CYBER)
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
What mathematical problem forms the basis of most modern cryptographic algorithms?
Factoring large primes
What mathematical problem forms the basis of most modern cryptographic algorithms?
Factoring large primes Traveling salesman problem Quantum mechanics < wrong Birthday problem
A border router can provide enhanced features to internal networks and help keep subnet traffic separate.
False
A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.
False
A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.
False
A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.
False
A subnet mask is a partition of a network based on IP addresses.
False
A worm is a self-contained program that has to trick users into running it.
False
Another name for a border firewall is a DMZ firewall.
False
Continuity of critical business functions and operations is the priority in a well-balanced business continuity plan (BCP)
False
Deterrent controls identify that a threat has landed in your system.
False
IP addresses are eight-byte addresses that uniquely identify every device on the network.
False
Implicit deny is when firewalls look at message addresses to determine whether a message is being sent around an unending loop.
False
Internet Control Message Protocol (ICMP) is a method of IP address assignment that uses an alternate, public IP address to hide a system's real IP address.
False
Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.
False
Most enterprises are well prepared for a disaster should one occur
False
Regarding data center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switch-over time
False
Retro viruses counter the ability of antivirus programs to detect changes in infected files.
False
Risk refers to the amount of harm a threat exploiting a vulnerability can cause.
False
Spyware does NOT use cookies.
False
System infectors are viruses that attack document files containing embedded macro programming capabilities.
False
The Transport Layer of the OSI Reference Model creates, maintains, and disconnects communications that take place between processes over the network.
False
The first step in the risk management process is to monitor and control deployed countermeasures.
False
The four primary types of malicious code attacks are unplanned attacks, planned attacks, direct attacks, and indirect attacks.
False
Trojans are self-contained programs designed to propagate from one host machine to another using the host's own network communications protocols.
False
With adequate security controls and defenses, an organization can often reduce its risk to zero.
False
The term risk methodology refers to a list of identified risks that results from the risk-identification process.
False (A description of how you will manage risk)
A packet-filtering firewall remembers information about the status of a network communication.
Falsle
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?
Family Policy Compliance Office (FPCO)
What is NOT a common motivation for attackers?
Fear
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?
Federal Communications Commission (FCC)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system?
Federal Information Security Management Act (FISMA)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? Federal Information Security Management Act
Federal Information Security Management Act (FISMA)
David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use?
Fibre Channel over Ethernet (FCoE)
Which of the following is NOT an advantage to undertaking self-study of information security topics?
Fixed pace
What type of firewall security feature limits the volume of traffic from individual hosts?
Flood guard
How many years of post-secondary education are typically required to earn a bachelor's degree in a non-accelerated program?
Four
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities?
GIAC Certified Forensic Examiner (GCFE)
What certification organization began as an offshoot of the SANS Institute training programs?
Global Information Assurance Certification (GIAC)
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
Hash
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records?
Health Insurance Portability and Accountability Act (HIPAA)
Which unit of measure represents frequency and is expressed as the number of cycles per second?
Hertz
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Honeypot
Which recovery site option provides readiness in minutes to hours?
Hot site
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?
Hub
Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out?
IEEE 802.3
What organization offers a variety of security certifications that are focused on the requirements of auditors?
ISACA
Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management?
ISO 27002
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?
Integrity
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Integrity
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact?
International Council of E-Commerce Consultants (EC-Council)
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?
International Organization for Standardization (ISO)
Which organization promotes technology issues as an agency of the United Nations?
International Telecommunication Union (ITU)
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block?
Internet Control Message Protocol (ICMP)
Recovery time objective
It defines the amount of time it takes to recover a production IT system, application, and access to data.
Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security?
MBA
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?
Masking
Helen is an experienced information security professional who earned a four-year degree while a full-time student. She would like to continue her studies on a part-time basis. What is the next logical degree for Helen to earn?
Master's degree
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum Tolerable Downtime
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum tolerable downtime (MTD)
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?"
National Institute of Standards and Technology (NIST)
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?
National Institute of Standards and Technology (NIST)
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?
National Security Agency (NSA)
Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model?
Network
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
Nmap
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
Nonrepudiation
Which one of the following statements best describe traditional economics theories?
Not all of the above
Which type of decision making is usually more likely to be controlled by the brain region neocortex, instead of amygdala?
Not instinctive
When you are designing some small, non-intrusive features in the environment that would still attract people's attention and in doing so impact their behavior, you are creating _______
Nudget
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Online Certificate Status Protocol (OCSP)
BYOD
Organizations that permit their employees to use their own laptops or smartphone devices and connect to the IT infrastructure describe a policy referred to as:
What is NOT an effective key distribution method for plaintext encryption keys?
Paper *Unencrypted email* CD Smart card
Holly would like to run an annual major disaster recovery test that is a thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is the best in this scenario?
Parallel test
Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included?
Password management
A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment?
Personally owned devices
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
Polymorphic virus
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?
Presentation
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventative
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventive
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis?
Professional certification
Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process?
Proposed Standard (PS)
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?
Publicly traded companies
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
Which approach to cryptography provides the strongest theoretical protection?
Quantum cryptography
Which approach to cryptography provides the strongest theoretical protection?
Quantum cryptography Asymmetric cryptography < wrong Elliptic curve cryptography Classic cryptography
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
What type of malicious software allows an attacker to remotely control a compromised computer?
Remote Access Tool (RAT)
What type of publication is the primary working product of the Internet Engineering Task Force (IETF)?
Request for comment (RFC)
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances?
Required
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? Required
Required
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)?
Right to delete unwanted information from records
Which formula is typically used to describe the components of information security risks?
Risk = Threat X Vulnerability
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016?
Risk Analysts
True
Risk Management is responding to a negative event when it occurs. True or False?
Earl is preparing a risk register for his organization's management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Rivest, Shamir, Adelman (RSA) Message digest algorithm (MD5) Blowfish *Diffie-Hellman*
What is NOT a symmetric encryption algorithm?
Rivest-Shamir-Adelman (RSA)
What is the only unbreakable cipher when it is used properly?
Rivest-Shamir-Adelman (RSA) *Vernam* Elliptic Curve Diffie-Hellman in Ephemeral mode (ECDHE) Blowfish
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?
SAQ C
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?
SQL Injection
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?
SQL injection
What firewall approach is shown in the figure?
Screened subnet
Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her?
Security+
Which of the following study options provides little to no opportunity for feedback?
Self-study programs
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?
Senior System Manager
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged in to Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?
Session hijacking
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged into Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?
Session hijacking
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test ( Checklist test- Simplest Structured walk-through- Checklist with role playing Parallel test- Alternate data center without interrupting the primary. Full-interruption test)
Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?
Smurf
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?
Spear phishing
What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)?
Subject matter expertise on routing and switching
What is NOT a typical sign of virus activity on a system?
Sudden sluggishness of applications
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition (SCADA)
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?
Switch
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
Which type of virus targets computer hardware and software startup functions?
System Infectors
Which type of virus targets computer hardware and software startup functions?
System infector
Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs?
Systems Security Certified Practitioner (SSCP)
Risk
The NIST SP800-30 standard is a _______________ management framework standard for performing risk management.
True
The main goal of a hacker is to steal or compromise IT assets and potentially steal data. True or False?
Data
The recovery point objective (RPO) defines the last point in time for _______ recovery that can be enabled back into production.
Bobbi recently discovered that an email program used within her health care practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?
Tier A
Which of the following items would generally NOT be considered personally identifiable information (PII)?
Trade secret
Which type of cipher works by rearranging the characters in a message?
Transposition
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Trojan Horse
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Trojan horse
A computer virus is an executable program that attaches to, or infects, other executable programs.
True
A control limits or constrains behavior.
True
A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster.
True
A firewall is a basic network security defense tool.
True
A network protocol governs how networking equipment interacts to deliver data across the network.
True
A personnel safety plan should include an escape plan.
True
A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.
True
A successful denial of service (DoS) attack may create so much network congestion that authorized users cannot access network resources.
True
A wireless access point (WAP) is the connection between a wired and wireless network.
True
ActiveX is used by developers to create active content
True
Administrative controls develop and ensure compliance with policy and procedures.
True
An electronic mail bomb is a form of malicious macro attack that typically involves an email attachment that contains macros designed to inflict maximum damage.
True
Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).
True
Attacks against confidentiality and privacy, data integrity, and availability of services are all ways malicious code can threaten businesses.
True
Backdoor programs are typically more dangerous than computer viruses.
True
Because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders do, they can place logic bombs more easily.
True
Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.
True
Examples of major disruptions include extreme weather, application failure, and criminal activity.
True
Fencing and mantraps are examples of physical controls.
True
Implementing and monitoring risk responses are part of the risk management process.
True
In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.
True
In remote journaling, a system writes a log of online transactions to an offsite location.
True
Internet Small Computer System Interface (iSCSI) is a storage networking standard used to link data storage devices to networks using IP for its transport layer.
True
It is common for rootkits to modify parts of the operating system to conceal traces of their presence.
True
Network access control (NAC) works on wired and wireless networks.
True
Organizations should seek a balance between the utility and cost of various risk management options.
True
TCP/IP is a suite of protocols that operates at both the Network and Transport layers of the OSI Reference Model.
True
The Data Link Layer of the OSI Reference Model is responsible for transmitting information on computers connected to the same local area network (LAN).
True
The OSI Reference Model is a theoretical model of networking with interchangeable layers.
True
The Physical Layer of the OSI Reference Model must translate the binary ones and zeros of computer language into the language of the transport medium.
True
The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.
True
The function of homepage hijacking is to change a browser's homepage to point to the attacker's site.
True
The goal of a command injection is to execute commands on a host operating system.
True
The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.
True
The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
True
The term "router" describes a device that connects two or more networks and selectively interchanges packets of data between them.
True
The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.
True
The term risk management describers the process of identifying, assessing, prioritizing, and addressing risks.
True
The three main categories of network security risk are reconnaissance, eavesdropping, and denial of service.
True
The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
Unlike viruses, worms do NOT require a host program in order to survive and replicate.
True
While running business operations at an alternate site, you must continue to make backups of data and systems.
True
A private key cipher is also called an asymmetric key cipher.
True *False*
Cryptographic key distribution is typically done by phone.
True *False*
The term certificate authority (CA) refers to a trusted repository of all public keys.
True *False*
You must always use the same algorithm to encrypt information and decrypt the same information.
True *False*
In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data, and has no choice as to what that data might be.
True *False* it's *Ciphertext-only attack (COA)*
Product cipher is an encryption algorithm that has no corresponding decryption algorithm.
True *False* it's *One-way algorithm*
How many years of specialized experience are required to earn one of the Certified Information Systems Security Professional (CISSP) concentrations?
Two
What is NOT a typical sign of virus activity on a system?
Unexpected power failures
Bob has a high-volume virtual private network (VPN). He would like to use a device that would best handle the required processing power. What type of device should he use?
VPN concentrator
Which information security objective allows trusted entities to endorse information?
Validation <wrong Authorization Certification Witnessing
What is the only unbreakable cipher when it is used properly?
Vernam
Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?
Virtual LAN (VLAN)
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
True
War driving involves looking for open or public wireless networks. True or False?
Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances costs and switch-over time. What would be the best option in this situation?
Warm site
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
All of the above
What is the primary purpose of a business impact analysis(BIA)? ~To identify, categorize, and prioritize mission critical business functions ~To provide a road map for business continuity and disaster recovery planning ~To assist organizations with risk management ~To assist organizations with incident response planning ~All of the above
GLBA
Which U.S. security-related act governs the security of data specifically for the financial industry?
All of the above
Which of the following are organizational concerns for BYOD and mobility? ~Data ownership ~Privacy ~Lost or stolen device ~Data wiping ~All of the above
All of the above
Which of the following best describes intellectual property? ~The items a business has copyrighted ~All patents owned by a business ~The unique knowledge a business possesses ~Customer lists ~All of the above
All of the above
Which of the following business drivers are impacting businesses' and organizations' security requirements and implementations? ~Mobility ~Regulatory compliance ~Productivity enhancements ~Always-on connectivity ~All of the above
DDoS
Which of the following impacts availability? ~Cross-site scripting ~SQL injection ~DDoS ~Packet sniffing ~None of the above
Impersonation
Which of the following is an example of social engineering? ~SQL injection ~XML injection ~Security design ~Impersonation ~All of the above
All of the above
Which of the following security countermeasures is best for end-point protection against malware? ~Antivirus/anti-malware protection ~Data leakage prevention ~Standardized workstation and laptop images ~Security awareness training ~All of the above
All of the above
Which of the following solutions are used for authenticating a user to gain access to systems, applications, and data? ~Passwords and PINs ~Smart cards and tokens ~Biometric devices ~Digital certificates ~All of the above
RPO
Which term indicates the maximum amount of data loss over a time period?
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating?
Whitelisting
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?
Whois
Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
Wi-Fi
Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
Wi-Fi
What type of network connects systems over the largest geographic area?
Wide area network (WAN)
What standard is NOT secure and should never be used on modern wireless networks?
Wired Equivalent Privacy (WEP)
What wireless security technology contains significant flaws and should never be used?
Wired Equivalent Privacy (WEP)
What is NOT a service commonly offered by unified threat management (UTM) devices?
Wireless network access
True
With respect to IT security, a risk can result in either a positive or negative effect. True or False?
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?
World Wide Web Consortium (W3C)
What type of malware does NOT have an anti-malware solution and should be covered in security awareness training?
Zero-day
HIPAA
____ is the U.S. security-related act that governs regulated health care information.
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?
a) Senior System Manager
Forensics and incident response are examples of __________ controls.
corrective
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
Security training programs typically differ from security education programs in their focus on ______________.
hands-on skills
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer