ITC 560 Final
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?
National Institute of Standards and Technology (NIST)
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
Confidentiality
Which activity manages the baseline settings for a system or device?
Configuration control
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?
Consumer
What is NOT a common endpoint for a virtual private network (VPN) connection used for remote network access?
Content filter
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
Correspondent node (CN)
Maya is creating a computing infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS). What type of information is she most likely trying to protect?
Credit card information
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Cross-site scripting (XSS)
Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
Which characteristics of a biometric system measures the system's accuracy using a balance of different error types?
Crossover error rate (CER)
What program, released in 2013, is an example of ransomware?
Crypt0L0cker
Which element is NOT a core component of the ISO 27002 standard?
Cryptography
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y?
Customer
Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information
Which one of the following is an example of a disclosure threat?
Espionage
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Which one of the following is an example of a direct cost that might result from a business disruption?
Facility repair
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Education Rights and Privacy Act (FERPA)
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?
Family Policy Compliance Office (FPCO)
What is NOT a common motivation for attackers?
Fear
Which of the following agencies is NOT involved in the Gramm-Leach Bliley Act (GLBA) oversight process?
Federal Communications Commission (FCC)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system?
Federal Information Security Management Act (FISMA)
Which compliance obligation includes security requirements that apply specifically to federal government agencies in the United States?
Federal Information Security Management Act (FISMA)
David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use?
Fibre Channel over Ethernet (FCoE)
What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?
National Security Agency (NSA)
Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model?
Network
What is NOT a commonly used endpoint security technique?
Network firewall
Which security testing activity uses tools that scan for services running on systems?
Network mapping
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
Nmap
When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?
Non Repudiation
Beth must purchase firewalls for several network circuits used by her organization. Which one circuit will have the highest possible network throughput?
OC-12
Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Online Certificate Status Protocol (OCSP)
Which type of authentication includes smart cards?
Ownership
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Parallel test
Which one of the following is an example of a logical access control?
Password
Brian is the information security training officer for a health care provider. He wants to develop a training program that complies with the provisions of Health Insurance Portability and Accountability Act (HIPAA). Which of the following topics must be included?
Password management
Which control is not designed to combat malware?
Firewall
Which of the following is NOT an advantage to undertaking self-study of information security topics?
Fixed pace
What type of firewall security feature limits the volume of traffic from individual hosts?
Flood guard
Jonas is an experienced information security professional with a specialized focus on evaluating computers for evidence of criminal or malicious activity and recovering data. Which GIAC certification would be most appropriate for Jonas to demonstrate his abilities?
GIAC Certified Forensic Examiner (GCFE)
What certification organization began as an offshoot of the SANS Institute training programs?
Global Information Assurance Certification (GIAC)
Which one of the following is NOT a market driver for the Internet of Things (IoT)?
Global adoption of non-IP networking
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to healthcare providers?
HIPAA
What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?
Hash
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
Health Insurance Portability and Accountability Act (HIPAA)
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records?
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following governs the use Internet of Things (IoT) by health care providers, such as physicians and hospitals?
Health Insurance Portability and Accountability Act (HIPAA)
Which one of the following governs the use of Internet of Things (IoT) by health care providers, such as physicians and hospitals?
Health Insurance Portability and Accountability Act (HIPAA)
Which of the following is an example of business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?
Health monitoring
Which unit of measure represents frequency and is expressed as the number of cycles per second?
Hertz
With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?
Home agent (HA)
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Honeypot
Which recovery site option provides readiness in minutes to hours?
Hot site
Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?
Hub
Gary is troubleshooting a security issue on an Ethernet network and would like to look at the Ethernet standard. What publication should he seek out?
IEEE 802.3
Juan comes across documentation from his organization related to several information security initiatives using different standards as their reference. Which International Organization for Standardization (ISO) standard provides current guidance on information security management?
ISO 27002
What is a set of concepts and policies for managing IT infrastructure, development, and operations?
IT Infrastructure Library (ITIL)
Which one of the following is NOT a good technique for performing authentication of an end user?
Identification number
Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?
Incident
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Integrity
Fran is interested in learning more about the popular Certified Ethical Hacker (CEH) credential. What organization should she contact?
International Council of E-Commerce Consultants (EC-Council)
Bill is conducting an analysis of a new IT service. He would like to assess it using the Open Systems Interconnection (OSI) model and would like to learn more about this framework. What organization should he turn to for the official definition of OSI?
International Organization for Standardization (ISO)
Which organization promotes technology issues as an agency of the United Nations?
International Telecommunication Union (ITE)
Yolonda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block?
Internet Control Message Protocol (ICMP)
Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?
Internet Engineering Task Force
Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices t communicate in a standard fashion?
Interoperability
Which network device is capable of blocking network connections that are identified as potentially malicious?
Intrusion prevention system (IPS)
What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?
Kerberos
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logical attack
Which of the following is NOT a benefit of cloud computing to organizations?
Lower dependence on outside vendors
Which of the following is an example of a hardware security control?
MAC filtering
Which of the following graduate degree programs focuses on managing the process of securing information systems, rather than the technical aspects of information security?
MBA
Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?
Mantraps
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?
Masking
Helen is an experienced information security professional who earned a four-year degree while a full-time student. She would like to continue her studies on a part-time basis. What is the next logical degree for Helen to earn?
Master's degree
What term describes the longest period of time that a business can survive without a particular critical system?
Maximum tolerable downtime (MTD)
Which one of the following measures the average amount of time that it takes to repair a system, application, or component?
Mean time to repair (MTTR)
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Which one of the following is an example of a reactive disaster recovery control?
Moving to a warm site
What federal agency is charged with the mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life?"
National Institute of Standards and Technology (NIST)
Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?
Qualitative
Which data source comes first in the order of volatility when conducting a forensic investigation?
RAM
Which group is the most likely target of a social engineering attack?
Receptionists and administrative assistants
Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?
Recovery time objective (RTO)
Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?
Reduce
What type of malicious software allows an attacker to remotely control a compromised computer?
Remote Access Tool (RAT)
Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
Report Writing
What type of publication is the primary working product of the Internet Engineering Task Force (IETF)?
Request for comment (RFC)
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances?
Required
What term describes the risk that exists after an organization has performed all planned countermeasures and controls?
Residual risk
Which item is an auditor least likely to review during a system controls audit?
Resumes of system administrators
Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)?
Right to delete unwanted information from records
Which formula is typically used to describe the components of information security risks?
Risk = Threat X Vulnerability
What type of security tole is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016?
Risk Analyst
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4016?
Risk Analysts
George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?
Risk survey results
What is NOT a symmetric encryption algorithm?
Rivest-Shamir-Adelman (RSA)
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?
SAQ C
Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?
SOC 3
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?
SQL Injection
In what type of attack does the attacker send unauthorized commands directly to a database?
SQL injection
Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?
Secure Sockets Layer (SSL)
Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?
Security information and event management (SIEM)
From a security perspective, what should organizations expect will occur as they become more dependent upon the Internet of Things (IoT)?
Security risks will increase
Helen has no experience in security. She would like to earn a certification that demonstrates that she has the basic knowledge necessary to work in the information security field. What certification would be an appropriate first step for her?
Security+
Which scenario presents a unique challenge for developers of mobile applications?
Selecting multiple items from a list
Which of the following study options provides little to no opportunity for feedback?
Self-study programs
What type of security role is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?
Senior System Manager
What type of security tole is covered by the Committee on National Security Systems (CNSS) Training Standard CNSS-4012?
Senior System Manager
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreements (SLA)
In which type of attack does the attacker attempt to take over an existing connection between two systems?
Session hijacking
Which intrusion detection system strategy relies upon pattern matching?
Signature Detection
As a follow-up to her annual testing, Holly would like to conduct quarterly disaster recovery tests that introduce as much realism as possible but do not require the use of technology resources. What type of test should Holly conduct?
Simulation test
Which one of the following is an example of two-factor authentication?
Smart card and personal identification number (PIN)
What is NOT a service commonly offered by unified threat management (UTM) devices?
Wireless network access
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
$2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annual loss expectancy (ALE)?
$20,000
What file type is least likely to be impacted by a file infector virus?
.docx
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?
20 percent
Which security control is most helpful in protecting against eavesdropping on wireless LAN (WLAN) data transmissions that would jeopardize confidentiality?
Applying strong encryption
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?
Approved scanning vendor (ASV)
What level of academic degree requires the shortest period of time to earn and does NOT require any other postsecondary degree as a prerequisite?
Associate's degree
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free
Which of the following is NOT a role described in DoD Directive 8140, which covers cybersecurity training?
Attack
Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
Audit
During what phase of a remote access connection does the end user prove his or her claim of identity?
Authentication
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?
Authorize the IT system for processing
In an accreditation process, who has the authority to approve a system for implementation?
Authorizing official (AO)
__________ is a continuous process designed to keep all personnel vigilant.
Awareness
Matthew captures traffic on his network and notices connections using ports 20, 22, 23, and 80. Which port normally hosts a protocol that uses secure, encrypted connections?
22
Henry is creating a firewall rule that will allow inbound mail to the organization. What TCP port must he allow through the firewall?
25
What is the maximum value for any octet in an IPv4 IP address?
255
Henry's last firewall rule must allow inbound access to a Windows Terminal Server. What port must he allow?
3389
How many years of post-secondary education are typically required to earn a bachelor's degree in a non-accelerated program?
4
Henry would like to create a different firewall rule that allows encrypted web traffic to reach a web server. What port is used for that communication?
443
Continuing professional education (CPE) credits typically represent _________ minutes of classroom time per CPE unit.
50
What is NOT a valid encryption key length for use with the Blowfish algorithm?
512 bits
Jane is a manager at a federal government agency and recently hired a new employee, Mark, who will work with sensitive information. How much time does Jane have from Mark's hire date to get him security training?
60 days
How many domains of knowledge are covered by the Certified Information Systems Security Professional (CISSP) exam?
8
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
80
What series of Special Publications does the National Institute of Standards and Technology (NIST) produce that covers information systems security activities?
800
Which Institute of Electrical Electronics Engineers (IEEE) standard covers wireless LANs?
802.11
What DoD directive requires that information security professionals in the government earn professional certifications?
8140
Juan's web server was down for an entire day last September. It experienced no other downtime during that month. Which one of the following represents the web server uptime for that month?
96.67%
Which action is the best step to protect Internet of Things (IoT) devices from becoming the entry point for security vulnerabilities into a network while still meeting business requirements?
Applying security updates promptly
Which one of the following is the best example of an authentication control?
Access control lists
Which one of the following is the best example of an authorization control?
Access control lists
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?
Accountability
__________ refers to a program of study approved by the State Department of Education in the state that a school operates.
Accredited
Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?
Address Resolution Protocol (ARP) poisoning
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Alice's private key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Alice's public key
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OCED)?
An organization should share its information
Donna is building a security awareness program designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS) 3.2. How often must she conduct training for all current employees?
Annually
Mary is designing a software component that will function at the Presentation Layer of the Open Systems Interconnection (OSI) model. What other two layers of the model will her component need to interact with?
Application and Session
Norm recently joined a new organization. He noticed that the firewall technology used by his new firm opens separate connections between the devices on both sides of the firewall. What type of technology is being used?
Application proxying
Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
Baseline
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday attacks
Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?
Black-box test
Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?
Bring Your Own Device (BYOD)
Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?
Brute-force attack
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business Continuity Plan (BCP)
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Business associate of a covered entity
Which of the following Cisco certifications demonstrates the most advanced level of security knowledge?
Cisco Certified Internetwork Expert (CCIE)
Rod has been a Certified Information Systems Security Professional (CISSP) for 10 years. He would like to earn an advanced certification that demonstrates his ability in information security architecture. Which of the following CISSP concentrations would meet Rod's needs?
CISSP-ISSAP
Karen would like to use a wireless authentication technology similar to that found in hotels where users are redirected to a webpage when they connect to the network. What technology should she deploy?
Captive portal
Which information security objective allows trusted entities to endorse information?
Certification
Which of the following certifications cannot be used to satisfy the security credential requirements for the advanced Certified Internet Webmaster (CIW) certifications?
Certified Information Security Manager (CISM)
What certification focuses on information systems audit, control, and security professionals?
Certified Information Systems Auditor (CISA)
Which of the following certifications is considered the flagship Information Systems Security Certification Consortium, Inc. (ISC)2 certification and the gold standard for information security professionals?
Certified Information Systems Security Professional (CISSP)
Colin is a software developer. He would like to earn a credential that demonstrates to employers that he is well educated on software security issues. What certification would be most suitable for this purpose?
Certified Secure Software Lifecycle Professional (CSSLP)
Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
Checklist
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?
Chief Information Security Officer (CISO)
Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?
Chosen plaintext
What is NOT one of the four main purposes of an attack?
Data import
Which item in a Bring Your Own Device (BYOD) policy helps resolve intellectual property issues that may arise as the result of business use of personal devices?
Data ownership
Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?
Decryption
Which technology can be used to protect the privacy rights of individuals and simultaneously allow organizations to analyze data in aggregate?
Deidentification
What information should an auditor share with the client during an exit interview?
Details of major issues
Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Diffie-Hellman
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Discretionary access control (DAC)
What is the highest level of academic degree that may be earned in the field of information security?
Doctor of philosophy (PhD)
Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
Does the firewall properly block unsolicited network connection attempts?
What protocol is responsible for assigning IP addresses to hosts on most networks?
Dynamic Host Configuration Protocol (DHCP)
Which one of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries?
E-commerce
What type of security communication effort focuses on a common body of knowledge?
Education
Which technology category would NOT likely be the subject of a standard published by the International Electrotechnical Commission (IEC)?
Encryption
Which mitigation plan is most appropriate to limit the risk of unauthorized access to workstations?
Password protection
A security awareness program that focuses on an organization's Bring Your Own Device (BYOD) policy is designed to cover the use of what type of equipment?
Personally owned devices
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Which one of the following is NOT an advantage of biometric systems?
Physical characteristics may change
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
Polymorphic virus
Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?
Presentation
Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?
Preventive
Chris is writing a document that provides step-by-step instructions for end users seeking to update the security software on their computers. Performing these updates is mandatory. Which type of document is Chris writing?
Procedure
Which of the following programs requires passing a standardized examination that is based upon a job-task analysis?
Professional certification
Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?
Project initiation and planning
Which document is the initial stage of a standard under the Internet Engineering Task Force (IETF) process?
Proposed Standard (PS)
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
Prudent
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?
Publicly traded
What is NOT a goal of information security awareness programs?
Punish users who violate policy
Barbara is investigating an attack against her network. She notices that the Internet Control Message Protocol (ICMP) echo replies coming into her network far exceed the ICMP echo requests leaving her network. What type of attack is likely taking place?
Smurf
Kaira's company recently switched to a new calendaring system provided by a vendor. Kaira and other users connect to the system, hosted at the vendor's site, using a web browser. Which service delivery model is Kaira's company using?
Software as a Service (SaaS)
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?
Spear phishing
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
What is NOT an area where the Internet Architecture Board (IAB) provides oversight on behalf of the Internet Engineering Task Force (IETF)?
Subject matter expertise on routing and switching
Which one of the following principles is NOT a component of the Biba integrity model?
Subjects cannot change objects that have a lower integrity level.
What is NOT a typical sign of virus activity on a system?
Sudden sluggishness of applications
Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?
Supervisory Control and Data Acquisition
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flow?
Switch
What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?
Switch
Which set of characteristics describes the Caesar cipher accurately?
Symmetric, stream, substitution
Which type of virus targets computer hardware and software startup functions?
System Infector
What is NOT generally a section in an audit report?
System configurations
What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
System integrity monitoring
Ben is working toward a position as a senior security administrator and would like to earn his first International Information Systems Security Certification Consortium, Inc. (ISC)2 certification. Which certification is most appropriate for his needs?
Systems Security Certified Practitioner (SSCP)
Which one of the following is an advantage that the Internet of Things (IoT) brings to economic development for countries?
Technical and Industry development
Which one of the following is NOT an example of store-and-forward messaging?
Telephone call
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?
Threat
Which term describes an action that can damage or compromise an asset?
Threat
Which term describes any action that could damage an asset?
Threat
Which one of the following is typically used during the identification phase of a remote access connection?
Username
Bobbi recently discovered that an email program used within her health care practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?
Tier A
Which classification level is the highest level used by the U.S. federal government?.
Top Secret
Which of the following items would generally NOT be considered personally identifiable information (PII)?
Trade secret
Which type of cipher works by rearranging the characters in a message?
Transposition
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Trojan horse
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan horse
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
What is NOT an effective key distribution method for plaintext encryption keys?
Unencrypted email
Which one of the following is NOT a commonly accepted best practice for password security?
Use no more that eight characters
What is the only unbreakable cipher when it is used properly?
Vernam
Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?
Virtual LAN (VLAN)
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
Vulnerability
Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?
Warm site
In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase in complete?
Waterfall
Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri?
White-hat hacker
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating?
Whitelisting
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?
Whois
Gary is configuring a smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?
Wi-Fi
What standard is NOT secure and should never be used on modern wireless networks?
Wired Equivalent Privacy (WEP)
Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?
World Wide Web Consortium (W3C)
What type of malware does NOT have an anti-malware solution and should be covered in security awareness training?
Zero-day
Which type of attack against a web application uses a newly discovered vulnerability that is not patchable?
Zero-day attack
Forensics and incident response are examples of __________ controls.
corrective
A(n) __________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
disaster
Security training programs typically differ from security education programs in their focus on ______________.
hands-on skills
The __________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.
security kernel
Purchasing an insurance policy is an example of the ____________ risk management strategy.
transfer