ITM 350 Final
Threat
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is not normally used to make these types of classification decisions?
Diffie-Hellman
Alice and Bob would like to communicate with each other using a session key, but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?
Bob's public key
Alice would like to send a message to Bob securely and wishes to use asymmetric encryption to encrypt the contents of the message. What key does she use to encrypt this message?
Alice's private key
Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?
Functional policies in support of organization policy
Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?
Slow virus
Arturo discovers a virus on his system that resides only in the computer's memory and not in a file. What type of virus has he discovered?
Event logs
Biyu is a network administrator. She is developing the compliance aspect of her company's security policy. Currently, she is focused on the records of actions that the organization's operating system or application software creates. What aspect of compliance is Biyu focusing on?
Structured Query Language (SQL) injection
Bob is developing a web application that depends on a backend database. What type of attack could a malicious individual use to send commands through his web application to the database?
Formatting
Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is not a good approach for destroying data?
Session Hijacking
Devaki is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged in to Devaki's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?
Copies of all software configurations for routers and switches
Donnelly is an IT specialist. He is in charge of the server and network appliances inventory. The infrastructure roadmap calls for a network systems reconfiguration in the next six months. Adina, the security expert, asks Donnelly to prepare a standardized list of all current and proposed equipment and then to present it to her in a hardware configuration chart. What does Adina tell Donnelly that the chart should include?
botnets
Hacking groups create _______ to launch attacks whereby they infect vulnerable machines with agents that perform various functions at the command of the controller.
Need to know
Hajar is a network engineer. She is creating a system of access involving clearance and classification based on users and the objects they need in a secure network. She is restricting access to secure objects by users based on least privilege and which of the following?
Ownership
Janette is the director of her company's network infrastructure group. She is explaining to the business owners the advantages and disadvantages of outsourcing network security. One consideration she presents is the question of who would be responsible for the data, media, and infrastructure. What consideration is she describing?
Wi-Fi Protected Access version 3 (WPA3)
Juan is a wireless security professional. He is selecting a standard for wireless encryption protocols for access points and devices for his agency. For the highest security, which protocol should Juan choose?
Remote Access Tool (RAT)
Karen is a hacker. She wants to access a server and control it remotely. The tool she plans to use is a type of Trojan. What tool will Karen use for this purpose?
Cross-site scripting (XSS)
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Trojan horse
Lin installed a time-management utility that she downloaded from the Internet. Now several applications are not responding to normal commands. What type of malware did she likely encounter?
Project initiation and planning
Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
Decryption
Maria receives a ciphertext message from her colleague Wen. What type of function does Maria need to use to read the plaintext message?
Access to a higher level of expertise
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Separation of duties
Mia is her company's network security professional. She is developing access policies based on personnel security principles. As part of this effort, she is devising a method of taking high-security tasks and splitting them among several different employees so that no one person is responsible for knowing and performing the entire task. What practice is she developing?
Intimidation
Rodrigo has just received an email at work from an unknown person. The sender claims to have incriminating evidence against Rodrigo and threatens to release it to his employer and his family unless he discloses certain confidential information about his employer's company. Rodrigo does not know that several other people in the organization received the same email. What form of social engineering has occurred?
Blacklisting
Tonya would like to protect her users and the network when users browse to known dangerous sites. She plans to maintain a list of those sites and drop messages from those websites. What type of approach is Tonya advocating?
False
True or False? Mandatory vacations minimize risk by rotating employees among various systems or duties.
True
True or False? Revocation is a security measure that stops authorization for access to data.
True
True or False? Symmetric key ciphers require that both parties first exchange keys to be able to securely communicate.
False
True or False? The U.S. government currently has no standard for creating cryptographic keys for classified applications.
False
True or False? The term certificate authority (CA) refers to a trusted repository of all public keys.
Field theory
Some ciphers, regardless of type, rely on the difficulty of solving certain mathematical problems, which is the basis for asymmetric key cryptography. Which of the following is a branch of mathematics that involves multiplicative inverses that these ciphers use?
False
True or False? In a known-plaintext attack (KPA), the cryptanalyst has access only to a segment of encrypted data and has no choice as to what that data might be.
Macro virus
Alison is a security professional. A user reports that, after opening an email attachment, every document he saves is in a template format and other Microsoft Word documents will not open. After investigating the issue, Alison determines that the user's Microsoft Office normal.dot template has been damaged, as well as many Word files. What type of virus is the most likely cause?
Cross-site request forgery (XSRF)
Applications represent the most common avenue for users, customers, and attackers to access data, which means you must build the software to enforce the security policy and to ensure compliance with regulations, including the privacy and integrity of both data and system processes. Regardless of the development model, the application must validate all input. Certain attacks can take advantage of weak validation. One such attack provides script code that causes a trusted user who views the input script to send malicious commands to a web server. What is this called?
Confidentiality
Bob is sending a message to Alice. He wants to ensure that nobody can read the content of the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Integrity
Bob is sending a message to Alice. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Bob attempting to achieve?
Alice's public key
Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?
Authorizing official (AO)
In an accreditation process, who has the authority to approve a system for implementation?
Baseline
Lin is creating a template for the configuration of Windows servers in her organization. The configuration includes the basic security settings that should apply to all systems. What type of document should she create?
Encouraging the adoption of ethical guidelines and standards
Omar is an infrastructure security professional. After reviewing a set of professional ethics issued by his company, he is learning and adopting ethical boundaries in an attempt to demonstrate them to others. What is this called?
Compartmentalized
Rylie is a newly hired cybersecurity expert for a government agency. Rylie used to work in the private sector. She has discovered that, whereas private sector companies often had confusing hierarchies for data classification, the government's classifications are well known and standardized. As part of her training, she is researching data that requires special authorization beyond normal classification. What is this type of data called?
Digital signature
Security objectives add value to relationships between businesses or between businesses and their customers. Which objective binds a message or data to a specific entity?
This scenario is a classic example of a spear phishing attack, highly targeted at an individual and including information about the company.
The chief executive officer (CEO) of a company recently fell victim to an attack. The attackers sent the CEO an email that appeared to come from the company's attorney. The email informed the CEO that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?
True
True or False? A blanket purchase agreement (BPA) creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
False
True or False? A block cipher encrypts one byte (or bit) at a time, whereas a stream cipher encrypts an entire block of data at a time.
False
True or False? A digitized signature is a combination of a strong hash of a message and a secret key.
True
True or False? A functional policy declares an organization's management direction for security in such specific functional areas as email use, remote access, and Internet interaction (including social media).
True
True or False? A keyword mixed alphabet cipher uses a cipher alphabet that consists of a keyword, minus duplicates, followed by the remaining letters of the alphabet.
False
True or False? A private key cipher is also called an asymmetric key cipher.
False
True or False? A product cipher is an encryption algorithm that has no corresponding decryption algorithm.
True
True or False? A salt value is a set of random characters you can combine with an input key to create an encryption key.
True
True or False? A security awareness program should address the requirements and expectations of an organization's security policy.
True
True or False? An algorithm is a repeatable process that produces the same result when it receives the same input.
True
True or False? Change control is the management of changes to the configuration of a system.
False
True or False? Change does not create risk for a business.
True
True or False? Classification scope determines what data to classify; classification process determines how to handle classified data.
True
True or False? Company-related classifications are not standard; therefore, there may be some differences of meaning between the terms "private" and "confidential" in different companies.
False
True or False? Configuration changes can be made at any time during a system life cycle, and no process is required.
True
True or False? Digital signatures require asymmetric key cryptography.
True
True or False? Elliptic curve cryptography (ECC) relies on algebraic structures of elliptic curves over finite fields.
True
True or False? In cryptography, a keyspace is the number of possible keys to a cipher.