NDE - Exam Practice - Final


Given below are the steps involved in the access control mechanism. 1. Once the identification is successful, the system provides the user access to use the system 2. A user provides their credentials while logging into the system 3. The system then allows the user to perform only those operations for which the user has been authorized 4. The system validates the user with the database on the basis of the provided credentials

2 -> 4 -> 1 -> 3

TACACS+ authentication involves the following steps: 1. The router and the user exchange authentication parameters 2. The server responds with the REPLY message based on the provided information 3. A user initiates the connection for authentication 4. The router sends the parameters to the server for authentication

3 -> 1 -> 4 -> 2

Identify the component of access management that involves tracking the actions performed by a user on a network and keeps track of who, when, and how the users access the network.

Accounting
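The four steps on the first card (identification, authentication, authorization, accounting) are easier to see as code than as a reordering exercise. The following is an added example, not code from the original page: a minimal access-control pipeline in which the username identifies the subject, a salted PBKDF2 hash validates the credential, an ACL decides the permitted operations, and every attempt is written to an accounting log that records who, when and how, which is the "Accounting" component asked about directly above. The user names, passwords, resource name, ACL and source address are constructed sample data.

```python
# Added example (not from the original page): the four-step access control
# mechanism, identification -> authentication -> authorization -> accounting,
# with an accounting log of who, when and how. Users, passwords, the resource,
# the ACL and the source address are constructed sample data.
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000
USERS = {}           # username -> (salt, pbkdf2 digest); never the plaintext
ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}
ACCOUNTING_LOG = []  # one record per attempt, successful or not
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def authenticate(username, password):
    """Steps 2 and 4: validate the supplied credentials against the database.
    An unknown user is hashed against a dummy record so the response time does
    not reveal which usernames exist."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    candidate = _hash(password, salt)
    return hmac.compare_digest(candidate, stored) and record is not None


def authorize(username, resource, action):
    """Step 3: only the operations the user has been granted on that resource."""
    return action in ACL.get(resource, {}).get(username, set())


def account(username, resource, action, outcome, source):
    """Accounting: record who did what, when, from where, and the outcome."""
    ACCOUNTING_LOG.append({
        "who": username,
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "how": f"{action} {resource} from {source}",
        "outcome": outcome,
    })


def access(username, password, resource, action, source="10.0.0.5"):
    """Step 1 is the username itself (identification); then 2/4, then 3.
    Failures are logged too: an accounting trail that only records successes
    hides brute-force attempts and privilege probing."""
    if not authenticate(username, password):
        account(username, resource, action, "auth_failed", source)
        return False
    if not authorize(username, resource, action):
        account(username, resource, action, "denied", source)
        return False
    account(username, resource, action, "allowed", source)
    return True


# Constructed sample accounts.
register("alice", "correct horse battery staple")
register("bob", "hunter2")

if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll.xlsx", "write")
    access("bob", "hunter2", "payroll.xlsx", "write")
    access("bob", "wrong", "payroll.xlsx", "read")
    for entry in ACCOUNTING_LOG:
        print(entry)
```

Note that the order matters: authorization is only consulted after authentication succeeds, and the accounting record is written on every path, so a later "who accessed payroll.xlsx and when" query answers itself from the log.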

Which of the following components of technical network security controls examines the network devices and identifies weaknesses in the network?

Auditing

James, a network specialist, joined an organization. He was provided with administrator privileges, through which he can access the files and servers and perform administrative activities. Which of the following information assurance principles authorizes James to access the server or system files?

Authentication

Which of the following practices is to be considered by a user while creating or updating their password?

Avoid using personal information

Jack, a security specialist, was appointed by an organization to implement a highly secure authentication method at the entrance of their science and research center. To accomplish this, Jack created an authentication method that identifies a person based on facial features from an image or a video source. Which of the following authentication methods has Jack implemented in the above scenario?

Biometric authentication

Ronnie, a security professional, received many tickets stating that miscreants have been accessing files with employees' credentials and creating havoc in the organization. To prevent such incidents, Ronnie implemented an authentication mechanism that identifies human characteristics to authenticate people. Which of the following types of authentication did Ronnie implement in the above scenario?

Biometric authentication

Identify the physical barrier that may be defined as a short vertical post which controls and restricts motor vehicles to parking areas, offices, etc., and is mainly used in building entrances, pedestrian areas, and areas that require safety and security.

Bollards

Teena, a security administrator, plans to tighten the physical security of the organization to protect against malicious intruders. She deployed video surveillance cameras that consist of detachable lenses, provide surveillance for more than 40 ft, and use different lenses according to the distance to be covered. Which of the following types of video surveillance camera is mentioned in the above scenario?

C-Mount CCTV Camera: It consists of detachable lenses, which provide surveillance for more than 40 ft. Other CCTV camera lenses provide only 35-40 ft of coverage. C-Mount allows different lenses to be used according to the distance to be covered.

In an organization, CyberSol.org, the administrator implemented an authorization method that uses a single database. Using this method, the administrator can grant or deny employees access to applications and resources based on policies. Identify the authorization technique implemented by the administrator in the above scenario.

Centralized authorization

Which of the following types of physical security controls are known as alternative controls that are used when the intended controls fail or cannot be used?

Compensating controls

Bob, a member of the policy management team, decided to modify and add new designs to protect the original design under the Vessel Hull Design Protection Act (VHDPA). Bob was granted the right to design hulls (including decks) of vessels up to 200 feet in length based on a duplicate of the original design. Which of the following acts is demonstrated in the above scenario?

DMCA

Which of the following acts is the American copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO), namely the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty?

DMCA

Which of the following acts allows a provision for the regulation of the processing of information relating to individuals and to make provision in connection with the Information Commissioner's functions under certain regulations relating to information?

DPA

Harvey, a system administrator, is assigned a task to create access permissions for users as well as verify the access permissions created for each employee in his organization. For this purpose, he used a type of authorization that maintains a separate database for each resource. Further, for better flexibility, it also enables the employees to provide access to other employees. Which of the following types of authorization was employed by Harvey in the above scenario?

Decentralized authorization

Identify the type of authorization that maintains a separate database for each resource and the database contains the details of all users who are permitted to access a particular resource.

Decentralized authorization

Jack, a security inspector, was assigned to install a physical security control on the company premises to defend against intrusion attempts. He implemented a security control that consists of motion sensors connected to video surveillance to monitor and identify illegitimate intrusion attempts. Which of the following types of physical security control has Jack implemented in the above scenario?

Detective Controls: These controls detect security violations and record any intrusion attempts. These controls act when preventive controls fail. Examples include motion detector, alarm systems and sensors, video surveillance, etc.

Richard, a security professional, implements physical security controls according to the needs of the organization. As part of this, he implemented controls that do not prevent access directly but can discourage the attackers by sending warning messages about an intrusion attempt. Which of the following types of physical security controls was implemented by Richard in the above scenario?

Deterrent controls

Which of the following types of physical security controls is used to discourage attackers and send warning messages to them to discourage against intrusion attempts?

Deterrent controls

Steve, a professional in an organization, targeted his colleague James to access his mobile device and steal all the data stored on it. When James left the mobile on his desk, Steve tried to access it but failed to do so because the device asked for either a fingerprint or a valid PIN to authenticate. Which of the following types of physical lock system has James implemented on his device?

Digital lock

Bob has recently joined an organization. He was provided with an access card to access only the third and ground floors of the organization's building. When Bob tried to access the second floor by swiping his access card against the reader near the entrance, he was unable to open the door. Which of the following high-level security requirements has the organization employed in the above scenario?

Discipline Security Requirements: Actions to be taken for various components that need to be secured such as computer security, operations security, network security, personnel security, and physical security

Which of the following access control models can be termed a need-to-know access model, in which the owner decides whether to grant or deny access to a specific user or group of users?

Discretionary access control

Which of the following sections of typical policy document content ensures that policies are conveyed correctly throughout?

Distribution: It ensures that policies are conveyed correctly throughout.

Stella, a security team member, was instructed to train new employees on securing the organization from unwanted issues. As a primary part of the training, she instructed employees not to throw sensitive documents in the trash, and also trained them on how to shred documents and erase magnetic data before disposing of them. Which of the following attacks was mitigated by training employees on the above techniques?

Dumpster diving

In which of the following locking systems is locking and unlocking achieved by supplying and eliminating power and the locking system mainly uses motors to activate or deactivate the locks?

Electromagnetic locks

Which of the following components of technical security controls protects the information passing through the network and preserves the privacy and reliability of the data?

Encryption and protocols

Which of the following points should be considered while designing the infrastructure and architecture for an organization or industry?

Establish procedures explaining how they should be protected

Which of the following acts provides the public with the right to request access to records from any federal agency and is often described as the law that keeps citizens informed about their government?

FOIA

Sam, an employee at an organization, works in a file storage facility that manages the company's documents and files. Due to a short circuit in the storage facility, a small fire broke out in the corner of the room. As Sam was already on site, he used a manual fire-suppression system that discharges an agent from a cylindrical vessel to stop the initial fire from spreading to other rooms. Identify the type of fire-suppression system Sam used in the above scenario.

Fire Extinguisher: Fire extinguishers are used to put out fires at the initial stage. They are not suitable for a fire covering a large area. A fire extinguisher normally consists of an extinguishing agent stored in, and discharged from, a cylindrical vessel.

Identify the act that is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.

GLBA

Which of the following sections of the typical policy document lists the different terms and abbreviations used in the policy?

Glossary/Acronyms: List the different terms and abbreviations used in the policy.

Which of the following acts contains the administrative simplification standard known as the National Provider Identifier (NPI), a unique identification number assigned to each covered health care provider?

HIPAA

Which of the following points an organization should NOT consider while designing their infrastructure and architecture?

Have a single location for the server and storage rooms

Which of the following points needs to be considered by the organization while designing the infrastructure and architecture?

Have emergency exits

Which of the following types of fire detection system is used to detect and respond to the thermal energy generated due to fire incidents?

Heat Detectors: Heat detectors are used to detect and respond to thermal energy generated due to fire incidents.

Which of the following ISO/IEC standards provides ISMS implementation guide for the telecom industry that was developed jointly by ITU Telecommunication Standardization Sector (ITU-T) and ISO/IEC JTC1/SC 27?

ISO/IEC 27011

Williams, a network administrator, was assigned the duty of configuring network security devices such as an intrusion detection system (IDS) and an intrusion prevention system (IPS) to protect the organization's network from intrusion and block hackers' traffic from entering the network. Which of the following ISO/IEC standards must Williams follow while configuring or modifying these security devices?

ISO/IEC 27039

Which of the following information assurance principles ensures that the information is not modified or tampered by any unauthorized parties?

Integrity

James, a software engineer, is working from a remote location and connects his laptop to the company's server through a VPN. The company has implemented a security protocol that provides authentication as well as encryption of the data passing through the VPN tunnels. Identify the network security protocol implemented by the company for secure communication.

Internet Protocol Security (IPsec)

Identify the type of security policy that directs the audience on the usage of technology-based systems with the help of guidelines and also defines remote access and wireless policies, incident response plan, password policies, and policies for personal devices.

Issue-specific security policy (ISSP)

Sally, a security professional, implemented a protocol for authenticating requests in computer networks. The protocol implemented by Sally is based on the client-server model, and uses encryption technology and a "ticket" mechanism to prove the identity of a user on a non-secure network. Identify the protocol implemented by Sally in the above scenario.

Kerberos

James, a network administrator, was assigned the task of creating a standard access control model for the organization's confidential data. He implemented an access control model in which the system determines the usage and access policies for the users. After its implementation, only users with the appropriate access rights can access the resource. Which of the following access control models has James implemented in the above scenario?

Mandatory access control (MAC)

Bob has recently purchased a new laptop and enabled all the required security controls. The next day while verifying whether all the security mechanisms were enabled on his system or not, he found that the "firewall" was disabled. He immediately enabled the firewall option on his laptop. Identify the component of technical security controls that Bob enabled to protect his laptop from network-related threats.

Network security devices

James, a certified hacker, was appointed by an agency to perform a cyberattack against the rival company's servers with the intention of making the services unavailable to their customers. James performed a DoS attack on the servers but he could not make the services unavailable. Which of the following components of technical security controls protected the servers from the DoS attack?

Network security devices

Which of the following information assurance principles ensures that a party in a communication cannot deny sending the message?

Nonrepudiation

Identify the access control terminology that is referred to as an explicit resource on which an access restriction is imposed.

Object

Which of the following is a proprietary information security standard for organizations that handle cardholder information for major debit, credit, prepaid, e-purse, ATM, and POS cards?

PCI-DSS

Which of the following PCI-DSS requirements does not allow unauthorized outbound traffic from the cardholder data environment to the Internet?

PCI-DSS Requirement No 1.3.5

ApTech Sol Inc., a multinational company, follows a regulatory requirement stating that every system, particularly personal computers and servers, should have antivirus software that is actively running and cannot be disabled or altered by users unless specifically authorized by management. Which of the following PCI-DSS requirements state the above regulatory requirement?

PCI-DSS requirement no 5.1 and no 5.3

David has recently joined an organization and was assigned a company's laptop. One day, David tried to access his social media account from the organization's laptop but was not able to access it as the company had blocked access to all social media sites. Which of the following types of Internet access policy was implemented by the organization in the above scenario?

Paranoid Policy: A paranoid policy forbids everything. There is a strict restriction on all company computers, whether it is system or network usage. There is either no Internet connection or severely limited Internet usage.

Don, a professional hacker, targeted Bob's email account to access his emails. He launched brute-force and dictionary attacks from two different systems, expecting that one of the two methods would compromise Bob's email account in the shortest possible time. Which of the following types of authentication method has Don been trying to bypass in the above scenario?

Password authentication

Which of the following types of Internet policy accepts a majority of Internet traffic and only blocks known dangerous services/attacks?

Permissive Policy: This policy is wide open, and only known dangerous services/attacks or behaviors are blocked. For example, in a permissive Internet policy, the majority of Internet traffic is accepted, except for several well-known and dangerous services/attacks.

Manuel, a security trainer, was hired by an organization to provide social engineering awareness training to their employees. Manuel began the training by explaining various defensive measures against fake emails and malicious attachments. He gave instructions on how to differentiate a legitimate email from a targeted fake email. Which of the following attacks was mitigated by training employees on the above techniques?

Phishing

Which of the following layers in the OSI model includes all cabling and network systems, power support for cables and systems, and environment supporting the systems?

Physical layer

Which of the following protocols is an application layer protocol that provides cryptographic privacy and authentication for network communication and enhances the security of emails?

Pretty Good Privacy (PGP) protocol

John, an employee at an organization, was provided with an access ID card to access only specific portions of the organization's building. He can enter specific areas by swiping his ID card against the card reader at the entrance. One day, John wanted to meet his friend Bob who works on the second floor of the same building where he has no access to enter. John swiped his ID card against the access reader on the second floor but the door remained closed. Which of the following types of physical security controls prevented John from entering the second floor?

Preventive controls

Which of the following goals provided by security policies forms the foundation of a security infrastructure?

Protect confidential and proprietary information from theft or modification

Peter, a network administrator, restricts the actions and Internet usage of certain employees based on their job roles and responsibilities. He implements a policy that provides maximum security and logs all activity such as system and network activities and all the nonessential services/procedures that cannot be made safe are not allowed. Which of the following types of Internet access policy was employed by Peter in the above scenario?

Prudent Policy: A prudent policy starts with all services blocked. The Network defender enables safe and necessary services individually. This provides maximum security and logs all activity such as system and network activities. According to this policy, nonessential services/procedures that cannot be made safe are not allowed.

Which of the following Internet access policy starts with all services blocked and enables safe and necessary services individually?

Prudent Policy: A prudent policy starts with all services blocked. The Network defender enables safe and necessary services individually. This provides maximum security and logs all activity such as system and network activities. According to this policy, nonessential services/procedures that cannot be made safe are not allowed.

Which of the following protocols provides centralized authentication, authorization, and accounting (AAA) for remote access servers to communicate with a central server?

RADIUS

Clark, a network security specialist, was assigned to secure an organization's network. Clark implemented a network defense approach that can tackle network attacks such as DoS and DDoS and includes security monitoring methods such as IDS, SIMS, TRS, and IPS. Which of the following network defense approaches did Clark implement in the above scenario?

Reactive approach

Which of the following network defense techniques examines the causes for attacks in networks by using fault-finding mechanisms, security forensics techniques, and post-mortem analysis?

Reactive approach

Which of the following security labels is given to a data or object that is only accessible by few people in the organization because of its technical, business, and personal issues?

Restricted: Only a few people can access the data or object. Sensitive data may be restricted for use in an organization because of its technical, business, and personal issues.

Danny, a security professional, wants to safeguard his organization's network from hacking attempts and virus attacks. For this reason, he follows a network defense approach that examines the causes for attacks in the network and includes fault finding, security forensics, and post-mortem analysis techniques. Which of the following network defense approaches was followed by Danny in the above scenario?

Retrospective approach

Identify the access control model in which the access permissions are beyond the user control, which implies that users cannot amend the access policies created by the system.

Role Based Access Controls
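The three models asked about on the cards above (DAC on the "need-to-know" card, MAC on James's card, RBAC on this one) differ in who is allowed to change the policy, which is what the exam questions turn on. The following is an added example, not code from the original page, that evaluates the same request ("can this subject perform this action on this object?") under all three. The DAC object lets its owner delegate; the MAC check uses system-assigned labels that the subject cannot alter, with the Bell-LaPadula no-read-up / no-write-down rules assumed as the mandatory policy (the page itself does not name a specific MAC policy); the RBAC check consults only role membership. Users, roles, labels and resource names are constructed sample data.

```python
# Added example (not from the original page): one access request answered
# under DAC, MAC and RBAC. Bell-LaPadula is assumed as the MAC policy; users,
# roles, labels and resources are constructed sample data.

LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2, "secret": 3}


class DacObject:
    """Discretionary: the owner holds the ACL and may delegate access
    (need-to-know decided by the owner, not by the system)."""

    def __init__(self, name, owner):
        self.name = name
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, grantee, actions):
        # Only a subject holding "grant" may extend the ACL; a mere reader cannot.
        if "grant" not in self.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} may not grant on {self.name}")
        self.acl.setdefault(grantee, set()).update(actions)

    def check(self, subject, action):
        return action in self.acl.get(subject, set())


def mac_check(clearance, label, action):
    """Mandatory: labels are fixed by the system, not the subject.
    read  -> clearance must dominate the label (no read up)
    write -> clearance must not exceed the label (no write down)"""
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


ROLE_PERMISSIONS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("audit-log", "read")},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"clerk"}, "carol": {"auditor"}}


def rbac_check(user, resource, action):
    """Role-based: the user never edits policy; only role membership matters.
    Changing what bob may do means changing his roles, not an ACL entry."""
    return any((resource, action) in ROLE_PERMISSIONS[role]
               for role in USER_ROLES.get(user, set()))


def evaluate(subject, action, dac_obj, clearance, label, resource):
    """Same request through all three models, for side-by-side comparison."""
    return {
        "DAC": dac_obj.check(subject, action),
        "MAC": mac_check(clearance, label, action),
        "RBAC": rbac_check(subject, resource, action),
    }


if __name__ == "__main__":
    ledger = DacObject("ledger", "alice")
    ledger.grant("alice", "bob", {"read"})  # owner extends need-to-know
    for action in ("read", "write"):
        print(action, evaluate("bob", action, ledger, "confidential", "restricted", "ledger"))
```

The MAC write rule surprises people: a "confidential" subject may write to a "secret" object but not to a "restricted" one, because the *-property exists to stop high-clearance subjects leaking data downward, not to stop low-clearance subjects appending upward.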

Benson, a security professional, plans to implement more stringent security practices in his organization. For this reason, he uses a protocol that provides cryptographic security by encrypting email messages and digitally signing them to ensure the confidentiality, integrity, and nonrepudiation of messages. Which of the following protocols was employed by Benson in the above scenario?

S/MIME

Which of the following protocols is an application layer protocol used for sending digitally signed and encrypted email messages?

S/MIME

Which of the following acts contains Title IV as a key requirement for financial disclosures to describe enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and the stock transactions of corporate officers?

SOX

James, a security professional, was instructed to protect the organization network from evolving cyber threats. He implemented high-level security requirements for the organization that included protective measures for access control, malware protection, audit, availability, confidentiality, integrity, cryptography, identification, and authentication. Identify the security policy requirement implemented by James in the above scenario.

Safeguard Security Requirements: Protective measures required, such as protective measures for access control, malware protection, audit, availability, confidentiality, integrity, cryptography, identification, and authentication

Which of the following HIPAA rules requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI)?

Security Rule

John purchased a new Apple phone and added his Apple ID and password to access the device. John can now access multiple Apple application services such as Apple Books, Apple Fitness+, and Siri on his Apple device using that ID. John can access all these application services without providing individual credentials for each application. Which of the following types of authentication method was demonstrated in the above scenario?

Single sign-on authentication

Williams, a programmer, has developed an authentication mechanism for his eCommerce application using Google services. This allows the application's users to access the website through their Google account. Which of the following authentication methods has Williams implemented in the above scenario?

Single sign-on authentication

Benila, a security professional, implemented cryptography-based authentication to ensure strong authentication in her organization. She employed an authentication mechanism that needs a device embedded with a small computer chip that stores personal information of the employee for identification. Identify the type of authentication employed by Benila in the above scenario.

Smart card authentication

In an organization, employees' incoming and outgoing status is tracked and monitored via a small computer chip embedded in their ID card, which stores their personal information for identification. Which of the following authentication methods has the organization implemented in the above scenario?

Smart card authentication

John, an employee at an organization, was provided with a physical badge that grants access only to the second of the five floors in the organization's building. The badge also tracks John's working hours and break times on the floor based on a record of the swipes he makes. Which of the following types of authentication method allowed the organization to record John's total working hours on the floor in the above scenario?

Smart card authentication

Identify the type of employee awareness and training that includes training employees to differentiate between a legitimate email and a targeted phishing email, not to download malicious attachments, and to shred documents before putting them in the trash.

Social engineering

Smith, a professional hacker, decided to attack the target organization's employees. He tricked the employees into clicking specific links, which redirected the victims to a malicious page. The victims were lured into entering their personal information on the malicious page; this information was then retrieved by Smith. Identify the type of attack performed by Smith in the above scenario.

Social engineering

Identify the fire-fighting system that provides a pre-piped water system for organizations and provides water supply to hose lines in certain locations.

Sprinkler system

Lauriel, a system administrator, wants to implement a policy that can direct the employees to configure and maintain a system and to increase overall security in an organization. He implements a policy that also focuses on DMZ policy, encryption policy, acceptable use policy, policies for secure cloud computing, policies for intrusion detection and prevention, and access control policy. Identify the type of security policy implemented by Lauriel in the above scenario.

System-specific security policy

Sam, a system administrator, was assigned to configure an information security policy that focuses on the overall security of a particular system in an organization. Sam selected a security policy that includes a DMZ policy, an encryption policy, policies for IDS/IPS implementation, and an acceptable use policy. Which of the following security policies has Sam implemented in the above scenario?

System-specific security policy (SSSP)

Margaret, a system administrator, regularly administers the devices connected to the organizational network. She found that certain devices are vulnerable to sniffing attacks. To protect the devices from such attacks, Margaret employed a protocol that encrypts the entire body of the communication between the client and the server, including the user's password, which protects it from sniffing attacks. Identify the protocol employed by Margaret in the above scenario.

TACACS+
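The TACACS+ exchange on the earlier card (user initiates, router and user exchange parameters, router forwards them to the server, server REPLYs) and Margaret's card above both hinge on what a sniffer between the router and the server actually sees. The following is an added example, not code from the original page: it builds the first message of that exchange, an Authentication START packet as laid out in RFC 8907, and applies the MD5-based body obfuscation the protocol uses, so the username and password are not on the wire in clear while the 12-byte header (version, type, sequence number, flags, session ID, length) always is. The shared key, session ID, username, password, port and remote address are constructed sample values.

```python
# Added example (not from the original page): a TACACS+ Authentication START
# packet (RFC 8907 sections 4 and 5.1) with the protocol's MD5 pseudo-pad body
# obfuscation (RFC 8907 section 4.5). Key, session ID, user, password, port and
# remote address are constructed sample values.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in clear
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02     # password carried in the data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated
    and truncated to the body length. Header fields are in network order."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, port="tty0", rem_addr="10.0.0.5", priv_lvl=1):
    """Authentication START for PAP: fixed 8-byte prefix, then the variable
    fields user, port, rem_addr and data (the password)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    prefix = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                         TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                         len(u), len(p), len(r), len(d))
    return prefix + u + p + r + d


def build_packet(body, key, session_id, seq_no=1, minor_version=1):
    """Client -> server packet. An empty key means the body goes in clear and
    the UNENCRYPTED flag is set, which is what a misconfigured router does."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version   # 0xC1 for PAP/CHAP
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(packet, key):
    """Server side: the header is readable by anyone; the body only with the key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    body = authen_start_body("james", "Winter2024!")
    wire = build_packet(body, key, session_id=0x1234ABCD)
    print("on the wire:", wire.hex())
    print("server sees:", parse_packet(wire, key)["body"])
```

Two caveats a practitioner would want alongside the flashcard wording. RFC 8907 calls this mechanism "obfuscation", not encryption: it is a keyed MD5 stream with no integrity check, so the protection rests entirely on the secrecy of the shared key and on keeping the router-to-server path off hostile networks. And the flag byte in the header is what decides whether the body is protected at all, so a packet capture showing `flags = 0x01` means credentials are passing in clear, as the `build_packet(body, b"", ...)` case demonstrates.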

Which of the following environmental threats affects electrical and electronic appliances, can lead to issues such as corrosion and short-circuits, and damages magnetic tapes and optical storage media?

Temperature and humidity

Which of the following types of physical threat involves activities such as planting a vehicle bomb, human bomb, or a postal bomb in and around the organization's premises that impacts the physical security of the organization?

Terrorism

Bob, an employee at an organization, was assigned the responsibilities of training and monitoring guards, assisting guards during crisis situations, handling crowds, and maintaining facilities such as keys and locks. Identify the position held by Bob in the above scenario.

The plant's security officer

Which of the following titles of the Sarbanes Oxley Act consists of nine sections and establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms that provide audit services?

Title I

Smith, a security specialist, was appointed by an organization to set a physical security barrier at the organization entrance. He installed a physical security control that allows only one employee at a time via the insertion of a coin, ticket, or a pass provided to them. Identify the type of physical security control implemented by Smith in the above scenario.

Turnstiles: This type of physical barrier allows entry to only one person at a time. Entry may be achieved only by the insertion of a coin, ticket, or a pass.

Alice, an avid online shopper, logged into an ecommerce app and added some favorite items to her cart. Before placing the order, she entered her shipping address and debit card details, including the CVV number, in the app. After adding her card details, Alice clicked the proceed option to pay the bill. During payment, Alice received an OTP on her mobile phone. Upon entering the valid OTP on the payment gateway, Alice's order was accepted. Which of the following types of authentication method was demonstrated in the above scenario?

Two-factor authentication

Rachel, a security professional, plans to implement an added layer of defense to protect critical assets from sophisticated cyberattacks. She implemented an authentication technique that uses a physical entity such as a security token as one of the credentials, while the other credential can be a security code. Identify the type of authentication implemented by Rachel in the above scenario.

Two-factor authentication

Smith, a developer at a software company, has designed a banking application. For security reasons, he created an authentication mechanism that requires logging in with user credentials as well as an OTP sent to the user's mobile number. Which of the following authentication methods has Smith implemented in the above scenario?

Two-factor authentication
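The three two-factor cards above all describe a password (something you know) followed by a one-time code (something you have). The following is an added example, not code from the original page, showing how that second factor is generated and checked: an RFC 4226 HOTP, the RFC 6238 TOTP built on it, a verifier that tolerates one 30-second step of clock drift, and a login that checks the password first, compares codes in constant time, and refuses a code that has already been accepted (the replay case the card scenarios do not mention). The account record is constructed; its shared secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
# Added example (not from the original page): two-factor login with an
# RFC 4226 HOTP / RFC 6238 TOTP second factor, drift window and replay
# rejection. The account is constructed; the TOTP secret is the RFC 6238
# test key "12345678901234567890" so the codes match the RFC vectors.
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack("!Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, digits=6, algo="sha1", step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, submitted, now, window=1, step=STEP):
    """Return the time-step counter the submitted code matches, or None.
    window=1 accepts the previous and next step as well, for clock drift.
    compare_digest keeps the check constant-time per candidate."""
    base = int(now) // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account: password hash, TOTP secret and the last counter that was
# accepted, which is what lets the server refuse a replayed OTP.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "alice": {
        "pw_hash": _pw_hash("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,
    }
}


def login(user, password, otp, now):
    """Factor 1 (password) must pass before factor 2 (OTP) is even examined,
    so an attacker who only has the OTP learns nothing about the password."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(_pw_hash(password, _SALT), acct["pw_hash"]):
        return "bad_password"
    counter = verify_totp(acct["totp_secret"], otp, now)
    if counter is None:
        return "bad_otp"
    if counter <= acct["last_counter"]:
        return "otp_reused"       # same code presented twice: replay
    acct["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    now = 1111111109  # an RFC 6238 vector time; 8-digit code is 07081804
    print(totp(b"12345678901234567890", now, digits=8))
    print(login("alice", "correct horse battery staple", "081804", now))
    print(login("alice", "correct horse battery staple", "081804", now))
```

The drift window is the usual trade-off: each extra step accepted makes a phished code usable for 30 seconds longer, which is why the accepted counter is remembered and never allowed to move backwards.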

Which of the following security labels requires no access permissions to access the documents, which means that any person at any level can access these documents?

Unclassified

Which of the following countries enacted the "Online Copyright Infringement Liability Limitation Act"?

United States

Which of the following features of a good security policy describes that the policies must be written and designed appropriately, so they can be accessed easily across various sections of an organization?

Usable: Policies must be written and designed, so they may be used easily across various sections of an organization. Well-written policies are easy to manage and implement.

Identify the type of man-made threat that includes former employees who try to compromise the system by willingly harming the system components.

Vandalism

Thomas, a security professional, implements security policies to thwart cyberattacks and keep malicious users away from the organization. As part of this, he implements an aspect of security policy that focuses on mission, communications, encryption, user and maintenance rules, idle time management, privately owned versus public domain and shareware software rules, and virus protection policy. Which of the following aspects of security policy was implemented by Thomas in the above scenario?

Security concept of operation

Which of the following physical security barriers can affect the fast evacuation of occupants in case of a fire emergency as it allows entry of only one person at a time?

Turnstiles

