Prepare for Exam1 Security

¡Supera tus tareas y exámenes ahora con Quizwiz!

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege

True

The primary task of an organization's ___________ team is to control access to systems or resources. a. Management b. Security administration c. Compliance liaison d. Software development

b. Security administration

System life cycle (SLC)

A method used in systems engineering to describe the phases of a system's existence, including design, development, deployment, operation, and disposal

Compliance liaison

A person whose responsibility it is to ensure that employees are aware of and comply with an organization's security policies.

Business Continuity Plan

A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________.

Disaster Recovery Plan

A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________.

Clean desk/clear screen policy

A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation.

Vulnerability testing

A process of finding the weaknesses in a system and determining which places may be attack points.

Operating system fingerprinting

A reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer

False

A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system

Waterfall model

A software development model that defines how development activities progress from one distinct phase to the next.

True

An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.

Procedures do NOT reduce mistakes in a crisis

False

Regarding log monitoring, false negatives are alerts that seem malicious but are not real security events.

False

Regarding security controls, the four most common permission levels are poor, permissive, prudent, and paranoid.

False

Risk refers to the amount of harm a threat exploiting a vulnerability can cause.

False

Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files.

False

Charles has obtained a user/password database and will attempt to crack the passwords. The passwords are hashed (encrypted). Charles has a huge list of precomputed hashes to compare to the encrypted passwords to see if he gets any matches. This password cracking technique utilizes:

Rainbow Tables

Which of the following does NOT offer authentication, authorization, and accounting (AAA) services?

Redundant Array of Independent Disks (RAID)

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Separation of duties

True

The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. t/f

Configuration control

The process of controlling changes to items that have been baselined.

Change control

The process of managing changes to computer/device configuration or application software.

Wardialers are becoming more frequently used given the rise of Voice over IP (VoIP).

False

system configurations

What is NOT generally a section in an audit report?

SSL

Which VPN technology allows users to initiate connections over the Web?

Report writing

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?

report writing

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?

Configuration Control

Which activity manages the baseline settings for a system or device?

Memorandum of Understanding (MOU)

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Fuzzing

Which software testing method provides random input to see how software handles unexpected data?

Committee of Sponsoring Organizations (COSO) is a set of best practices for IT management.

False

Configuration changes can be made at any time during a system life cycle and no process is required.

False

The recovery point objective (RPO) can come from the business impact analysis or sometimes from a government mandate, such as banking laws.

True

Which security model does NOT protect the integrity of information?

Bell-LaPadula

Alice's private key

Alice would like to send a message to Bob using a digital signature. What cryptographic key does Alice use to create the digital signature?

Black-box test

Fran is conducting a security test of a new application. She does not have any access to the source code or other details of the application she is testing. What type of test is Fran conducting?

Today, people working in cyberspace must deal with new and constantly evolving ________.

Threats

A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.

True

Bob's public key

Alice would like to send a message to Bob securely and wishes to encrypt the contents of the message. What key does she use to encrypt this message?

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value?

Brute-force attack

Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.

False

Passphrases are less secure than passwords.

False

WPA

What technology is the most secure way to encrypt wireless communications?

A ___________ gives priorities to the functions an organization needs to keep going.

business continuity plan (BCP)

Which of the following is likely to be a consequence of cloud computing in the future? A) Organizations will prefer to setup their own computing infrastructure. B) The cost of obtaining elastic resources will decrease. C) Jobs related to server operations at small organizations will increase. D) The number of technology-based startups will stagnate.

the cost of obtaining elastic resources will decrease

Agile development

A method of developing software that is based on small project iterations, or sprints, instead of long project schedules.

Black-box testing

A method of security testing that isn't based directly on knowledge of a program's architecture.

Fuzzing

A software testing method that consists of providing random input to software to see how it handles unexpected data.

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to archive?

Access to a high level of expertise

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

Accountability

Service level agreement (SLA)

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

A __________ tries to break IT security and gain access to systems with no authorization, in order to prove technical prowess.

Black-hat hacker

False

The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis. t/f

A personnel safety plan should include an escape plan.

True

In an incremental backup, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes.

True

In security testing, reconnaissance involves reviewing a system to learn as much as possible about the organization, its systems, and its networks.

True

The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.

True

IT Infrastructure Library

What is a set of concepts and policies for managing IT infrastructure, development, and operations?

IT Infrastructure Library (ITIL)

What is a set of concepts and policies for managing IT infrastructure, development, and operations?

Assume that information should be free

What is NOT a good practice for developing strong professional ethics?

An organization should share its information

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should share its information.

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

System configurations

What is NOT generally a section in an audit report?

Request, impact assessment, approval, build/test, implement, monitor

What is the correct order of steps in the change control process?

Presentation

What layer of the OSI Reference Model is most commonly responsible for encryption?

Managers should include their responses to the draft report for the final audit report

When should an organization's managers have an opportunity to respond to the findings in an audit?

Checklist

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?

chosen plaintext

Which cryptographic attack offers cryptanalysts the most information about how an encryption algorithm works?

Personal Information Protection and Electronic Documents Act

Which regulatory standard would NOT require audits of companies in the United States?

Network Mapping

Which security testing activity uses tools that scan for services running on systems?

Network mapping

Which security testing activity uses tools that scan for services running on systems?

switch

Which simple network device helps to increase network performance by using the MAC address to send network traffic only to its intended destination?

Gary is configuring a Smartphone and is selecting a wireless connectivity method. Which approach will provide him with the highest speed wireless connectivity?

Wi-Fi

What type of network connects systems over the largest geographic area?

Wide area network (WAN)

Baseline

a benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products

Functional policy

a statement of an organization's management direction for security in such specific functional areas as email, remote access, and internet surfing.

Job rotation

a strategy to minimize risk by rotating employees between various systems or duties

A small company is likely to choose IaaS as it does not require much technical expertise to load operating systems on a server.

false

Security Information and Event Management system (SIEM)

software and devices that assist in collecting, storing, and analyzing the contents of log files

A vendor providing SaaS usually makes the software available as a thin-client

true

Which organization created a standard version of the widely used C programming language in 1989?

ANSI

Symmetric

An encryption cipher that uses the same key to encrypt and decrypt is called a(n) __________ key.

Anomaly-based IDS

An intrusion detection system that compares current activity with stored profiles of normal (expected) activity.

Alice and Bob would like to communicate with each other using a session key but they do not already have a shared secret key. Which algorithm can they use to exchange a secret key?

Asymmetric encryption algorithm

Ron is the IT director at a medium-sized company and is constantly bombarded by requests from users who want to select customized mobile devices. He decides to allow users to purchase their own devices. Which type of policy should Ron implement to include the requirements and security controls for this arrangement?

BYOD

With adequate security controls and defenses, an organization can often reduce its risk to zero.

False

An organization's internal IS that does not provide elasticity is still considered a cloud-based technology.

false

As standard practice, customers are regularly updated by cloud vendors about the location and number of copies made of their data.

false

Request, approval, impact assessment, build/test, monitor, implement

What is the correct order of steps in the change control process?

Signature detection

Which intrusion detection system strategy relies upon pattern matching?

Resumes of system administrators

Which item is an auditor least likely to review during a system controls audit?

Allie is working on the development of a web browser and wants to make sure that the browser correctly implements the Hypertext Markup Language (HTML) standard. What organization's documentation should she turn to for the authoritative source of information?

World Wide Web Consortium (W3C)

Standards

________ involve the standardization of the hard- ware and software solutions used to address a security risk throughout the organization.

Principles of least privilege

________ is the concept that users should be granted only the levels of permissions they need in order to perform their duties.

Standard

a mandated requirement for a hardware or software solution that is used to deal with security risk throughout the organization

Privacy policy

a policy that specifies how your organization collects, uses, and disposes of information about individuals

Guideline

a recommendation for how to use or how to purchase a product or system.

Event logs

a software or application-generated record that some action has occured.

Among common recovery location options, this is one that can take over operation quickly. It has all the equipment and data already staged at the location, though you may need to refresh or update the data. a. Hot site b. Alternate processing center c. Warm site d. Cold site

a. Hot site

Biometrics is another ________ method for identifying subjects.

access control

Because personnel are so important to solid security, one of the best security controls you can develop is a strong security _____________ and awareness program. a. Guidelines b. Training c. Environment d. Documentation

b. Training

______________ is an authorization method in which access to resources is decided by the user's formal status. a. Knowledge b. Decentralized access control c. Authority-level policy d. Physically constrained user interface

c. Authority-level policy

A routing server determines which CDN server should respond to a request in real-time.

true

Firewall

The basic job of a __________ is to enforce an access control policy at the border of a network.

nonrepudiation

__________ corroborates the identity of an entity, whether the sender, the sender's computer, some device, or some information.

Benchmark

the standard by which your computer or device is compared to determine if it's securely configured

Certification

the technical evaluation of a system to provide assurance that you have implemented it correctly.

Purchasing an insurance policy is an example of the ____________ risk management strategy.

transfer

If an organization opts for software as a service (SaaS), it will have to ________. A) install an operating system on the server B) purchase licenses for software replication C) transfer data and develop procedures D) install a DBMS

transfer data and develop procedures

A VPC allows organizations to gain the advantages of cloud storage for the portion of data that need not be physically controlled.

true

A content delivery network (CDN) provides a specialized type of PaaS.

true

A private internet uses cloud standards.

true

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?

$2,000,000

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the exposure factor?

20 percent

Authorizing official (AO)

A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation

SQL injection

A form of web application attack in which a hacker submits SQL (structured query language) expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell.

Emergency operations group

A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies.

Change control committee

A group that oversees all proposed changes to systems and networks.

True

A secure virtual private network (VPN) creates an authenticated and encrypted channel across some form of public network. t/f

Brian notices an attack taking place on his network. When he digs deeper, he realizes that the attacker has a physical presence on the local network and is forging Media Access Control (MAC) addresses. Which type of attack is most likely taking place?

Address Resolution Protocol (ARP) poisoning

Threat

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Covert act

An act carried out in secrecy.

Memorandum of understanding (MOU)

An agreement between two or more parties that expresses areas of common interests that result in shared actions

Blanket purchase agreement (BPA)

An agreement that defines a streamlined method of purchasing supplies or services

Cipher

An algorithm used for cryptographic purposes is known as a __________.

Real-time monitoring

Analysis of activity as it is happening.

Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?

Approved scanning vendor (ASV)

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

Audit

Which information security objective allows trusted entities to endorse information?

Certification

False

Certification is the formal agreement by an authorizing official to accept the risk of implementing a system.

Which activity manages the baseline settings for a system or device?

Configuration Control

True

Configuration management is the management of modifications made to the hardware, software, firmware, documentation, test plans, and test documentation of an automated system through- out the system life cycle. t/f

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Decryption

________ is the basis for unified communications and is the protocol used by real-time applications such as IM chat, conferencing, and collaboration.

Dense wavelength division multiplexing (DWDM)

What information should an auditor share with the client during an exit interview?

Details on major issues

SOC 3

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request?

A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations.

False

A hardware configuration chart should NOT include copies of software configurations.

False

A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.

False

IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge.

False

Jake has been asked to help test the business continuity plan at an offsite location while the system at the main location is shut down. He is participating in a parallel test.

False

The four central components of access control are users, resources, actions, and features.

False

The four main types of logs that you need to keep to support security auditing include event, access, user, and security.

False

True or False: Voice mail and e-mail are examples of real-time communications.

False

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Formatting

In popular usage and in the media, the term ________ often describes someone who breaks into a computer system without authorization.

Hacker

With the use of Mobile IP, which device is responsible for keeping track of mobile nodes (MNs) and forwarding packets to the MN's current network?

Home agent (HA)

DMZ

Host isolation is the isolation of internal net- works and the establishment of a(n) __________.

Which recovery site option provides readiness in minutes to hours?

Hot site

False

IP addresses are assigned to computers by the manufacturer. t/f

SQL injection

In what type of attack does the attacker send unauthorized commands directly to a database?

Adam's company recently suffered an attack where hackers exploited an SQL injection issue on their web server and stole sensitive information from a database. What term describes this activity?

Incident

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

Is the security control likely to become obsolete in the near future?

Security Information and Event Management (SIEM)

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?

System development lifecycle

More and more organizations use the term ________ to describe the entire change and maintenance process for applications.

Which type of authentication includes smart cards?

Ownership

________ is an authentication credential that is generally longer and more complex than a password.

Passphrase

Hilda is troubleshooting a problem with the encryption of data. At which layer of the OSI Reference Model is she working?

Presentation

Which approach to cryptography provides the strongest theoretical protection?

Quantum cryptography

Which data source comes first in the order of volatility when conducting a forensic investigation?

RAM

Which group is the most likely target of a social engineering attack?

Receptionists and administrative assistants

Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?

Report writing

In a ________, the attacker sends a large number of packets requesting connections to the victim computer.

SYNflood

The world needs people who understand computer-systems ________ and who can protect computers and networksfrom criminals and terrorists.

Security

What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications?

Security Assertion Markup Language (SAML)

What type of network device normally connects directly to endpoints and uses MAC-based filtering to limit traffic flows?

Switch

What is NOT generally a section in an audit report?

System configurations

True

The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.

Which of the following is an accurate description of cloud computing?

The practice of using computing services that are delivered over a network.

A successful business impact analysis (BIA) maps the context, the critical business functions, and the processes on which they rely.

True

Administrative controls develop and ensure compliance with policy and procedures.

True

An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured.

True

Fencing and mantraps are examples of physical controls.

True

Fingerprints, palm prints, and retina scans are types of biometrics.

True

Implementing and monitoring risk responses are part of the risk management process.

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than justin individual packets.

True

While running business operations at an alternate site, you must continue to make backups of data and systems.

True

An attacker attempting to break into a facility pulls the fire alarm to distract the security guard manning an entry point. Which type of social engineering attack is the attacker using?

Urgency

Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?

Vulnerability

Which control is NOT an example of a fault tolerance technique designed to avoid interruptions that would cause downtime?

Warm site

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Waterfall

screened subnet

What firewall topology supports the implementa- tion of a DMZ?

Details on major issues

What information should an auditor share with the client during an exit interview?

hash

What type of function generates the unique value that corresponds to the contents of a message and is used to create a digital signature?

System integrity monitoring

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

system integrity monitoring

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

nonrepudiation

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?

Managers should include their responses to the draft audit report in the final audit report.

When should an organization's managers have an opportunity to respond to the findings in an audit?

They provide for places within the process to conduct assurance checks.

Which of the following is true of procedures?

Laws

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Enforcing the integrity of computer-based information

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

transposition

Which type of cipher works by rearranging the characters in a message?

TCP/IP

__________ is a suite of protocols that was devel- oped by the Department of Defense to provide a highly reliable and fault-tolerant network infrastructure.

Maximum Tolerable Downtime (MTD)

__________ is the limit of time that a business can survive without a particular critical system.

nonReal-time monitoring

__________ is used when it's not as critical to detect and respond to incidents immediately.

Cryptography

__________ offers a mechanism to accomplish four security goals: confidentiality, integrity, authenti- cation, and nonrepudiation.

Overt act

an act that is open to view

To use cloud-based hosting, an organization will have to construct its own data center.

false

Which of the following statements is true about cloud services? A) Cloud service vendors tend to avoid virtualization. B) In-house hosting is generally preferable to cloud hosting. C) Cloud services always allow customers to maintain physical control over its data. D) Financial institutions are not likely to hire cloud services from a vendor.

financial institutions are not likely to hire cloud services from a vendor

Which of the following is not a type of authentication?

identification

The cloud-based service that provides the hardware and allows customers to load an operating system of their choice is known as ________. A) application virtualization B) platform as a service (PaaS) C) infrastructure as a service (IaaS) D) network functions virtualization (NFV)

infrastructure as a service (IaaS)

Remediation

the act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure

If software licensed from others is to be installed on the cloud, licenses for replication of software must be purchased.

true

Organizations that are required by law to have physical control over their data can also benefit from cloud computing.

true

Service oriented architecture (SOA) is a way of designing computer programs so that they can be combined flexibly.

true

Nancy performs a full backup of her server every Sunday at 1 A.M. and differential backups on Mondays through Fridays at 1 A.M. Her server fails at 9 A.M. Wednesday. How many backups does Nancy need to restore?

2

False

A hardened configuration is a system that has had unnecessary services enabled. t/f

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering?

Acceptability

Which one of the following is the best example of an authorization control?

Access control lists

Monitoring activity in the workplace includes which of the following?

All of these could be monitored.

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should share its information. (An organization should collect only what it needs, keep its information up to date, and properly destroy its information when its no longer needed)

Baseline

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Mitigation activities

Any activities designed to reduce the severity of a vulnerability or remove it altogether.

Decryption

Betty receives a cipher text message from her colleague Tim. What type of function does Betty need to use to read the plaintext message?

Forensics and incident response are examples of __________ controls.

Corrective

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types?

Crossover error rate (CER)

Does the firewall properly blick unsolicited network connection attempts?

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Discretionary access control (DAC)

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?

Does the firewall properly block unsolicited network connection attempts?

Reactive change management

Enacting changes in response to reported problems.

_______ is the proportion of value of a particular asset likely to be destroyed by a given risk,expressed as a percentage.

Exposure factor (EF)

A report indicating that a system's disk is 80 percent full is a good indication that something is wrong with that system.

False

A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure.

False

A time-based synchronization system is a mechanism that limits access to computer systems and network resources. True or False?

False

An SOC 1 report primarily focuses on security.

False

The anti-malware utility is one of the most popular backdoor tools in use today.

False

The auto industry has not yet implemented the Internet of Things (IoT).

False

The first step in the risk management process is to monitor and control deployed countermeasures.

False

The term need-to-know refers to a device used as a logon authenticator for remote users of a network. True or False?

False

True or False: The Delphi method is the estimated loss due to a specific realized threat. The formula to calculate this loss is =SLE × ARO.

False

Vishing is a type of wireless network attack.

False

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?

False positive error

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?

Family Policy Compliance Office (FPCO)

Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?

Federal Communications Commission (FCC)

David would like to connect a fibre channel storage device to systems over a standard data network. What protocol can he use?

Fibre Channel over Ethernet (FCoE)

Integrity

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?

Audit

Gilfoyle is reviewing security logs to independently assess security controls. Which security review process is Gilfoyle engaging in?

Secure Sockets Layer (SSL)

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?

HIPAA

True

In security testing data collection, observation is the input used to differentiate between paper procedures and the way the job is really done.

Waterfall

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

waterfall

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Is the security control likely to become obsolete in the near future

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

Brian needs to design a control that prevents piggybacking, only allowing one person to enter a facility at a time. What type of control would best meet this need?

Mantraps

Project Initiation and planning

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?

Masking

Sprint

One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other ways of developing software.

Which one of the following is an example of a logical (as opposed to physical) access control?

Password

Offboarding

Process of managing the way employees leave the organization.

Which tool can capture the packets transmitted between systems over a network?

Protocol analyzer

What term describes the risk that exists after an organization has performed all planned countermeasures and controls?

Residual Risk

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

Security Kernel

True

Security administration is the group of individu- als responsible for the planning, design, imple- mentation, and monitoring of an organization's security plan. t/f

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?

Security information and event management (SIEM)

White-box testing

Security testing that is based on knowledge of the application's design and source code.

Gray-box testing

Security testing that is based on limited knowledge of an application's design.

Which intrusion detection system strategy relies upon pattern matching?

Signature detection

Which one of the following is an example of two-factor authentication?

Smart card and personal identification number (PIN)

True

Some of the tools and techniques used in security monitoring include baselines, alarms, closed- circuit TV, and honeypots. t/f

Encryption

The act of scrambling plaintext into ciphertext is known as __________.

Reconnaissance

The review of the system to learn as much as possible about the organization, its systems, and networks is known as __________.

Purchasing an insurance policy is an example of the ____________ risk management strategy.

Transfer

A control limits or constrains behavior.

True

An auditing benchmark is the standard by which a system is compared to determine whether it is securely configured. True or False?

True

Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF).

True

Application service providers (ASPs) are software companies that build applications hosted in the cloud and on the Internet.

True

Authentication controls include passwords and personal identification numbers (PINs).

True

Company-related classifications are not standard, therefore there may be some differences between the terms "private" and "confidential" in different companies

True

Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it.

True

Data loss prevention (DLP) uses business rules to classify sensitive information to prevent unauthorized end users from sharing it.

True

During an audit, an auditor compares the current setting of a computer or device with a benchmark to help identify differences.

True

Examples of major disruptions include extreme weather, application failure, and criminal activity.

True

In remote journaling, a system writes a log of online transactions to an offsite location.

True

Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.

True

Many jurisdictions require audits by law.

True

Most often passphrases are used for public and private key authentication. True or False?

True

One advantage of using a security management firm for security monitoring is that it has a high level of expertise.

True

Organizations should seek a balance between the utility and cost of various risk management options.

True

Performing security testing includes vulnerability testing and penetration testing.

True

Screen locks are a form of endpoint device security control.

True

Unified messaging allows you to download both voice and email messages to a smartphone or tablet.

True

Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?

Typosquatting

Which one of the following is NOT a commonly accepted best practice for password security?

Use at least six alphanumeric characters.

True

When you use a control that costs more than the risk involved, you're making a poor management decision. t/f

Procedure

a set of step-by-step instructions

____________ is the process of managing changes to computer/device configuration or application software. a. Sprint b. Change control c. Proactive change management d. Procedure control

b. Change control

The requirement to keep information private or secret is the definition of __________.

confidentiality

A _________ has a hostile intent, possesses sophisticated skills, and may be interested in financial gain. They represent the greatest threat to networks and information resources.

cracker

Cloud-based hosting is preferred by organizations that are required by law to have physical control over their data.

false

Content delivery networks (CDNs) increase Web sites' load time.

false

DBMS products are generally included in IaaS services

false

Large Web farms are likely to replace in-house servers used by small companies due to the benefits of cloud computing.

false

Remote action systems increase time and travel expenses.

false

Which of the following is a characteristic of a private cloud? A) Organizations define their own set of standards for interactions between programs. B) Idle servers on a private cloud can be allocated to other organizations. C) A private cloud is most likely to be built by a small organization. D) Most organizations avoid having multiple database servers in a private cloud

most organizations avoid having multiple database servers in a private cloud

Which of the following is an example of a hardware security control?

password*** security policy***

Which of the following services provides hardware, an operating system, and a database management system (DBMS) on a cloud-based offering? A) network as a service (NaaS) B) infrastructure as a service (IaaS) C) software as a service (SaaS) D) platform as a service (PaaS)

platform as a service (PaaS)

Audits also often look at the current configuration of a system as a snapshot in time to verify that it complies with ________.

standards

Proactive change management

the act of initiating changes to avoid expected problems

An elastic load balancer is a feature available in a private cloud that is not available in a private internet

true

Before the creation of personal computers, time-sharing vendors provided slices of computer time on a use-fee basis.

true

Cloud computing is likely to enable organizations to obtain elastic resources at very low costs.

true

router

A __________ is a device that interconnects two or more networks and selectively interchanges packets of data between them.

Benchmark

A __________ is a standard used to measure how effective your system is as it relates to industry expectations.

checksum

A __________ is used to detect forgeries.

Digital

A __________ signature is a representation of a physical signature stored in a digital format.

Security information and event management

A common platform for capturing and analyzing log entries is __________.

What is meant by standard?

A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization.

True

A strong hash function is designed so that a forged message cannot result in the same hash as a legitimate message. t/f

Internet Architecture Board (IAB)

A subcommittee of the IETF composed of independent researchers and professionals who have a technical interest the overall well-being of the Internet

Stateful matching

A technique of matching network traffic with rules or signatures based on the appearance of the traffic and its relationship to other packets.

Penetration testing

A testing method that tries to exploit a weakness in the system to prove that an attacker could successfully penetrate it.

Zone transfer

A unique query of a DNS server that asks it for the contents of its zone.

Service Level Agreement

A(n) ________ is a formal contract between your organization and an outside firm that details the specific services the firm will provide

Wide area network

A(n) __________ is a critical element in every corpo- rate network today, allowing access to an organi- zation's resources from almost anywhere in the world.

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Access to a high level of expertise

Detective Control

An IDS is what type of control?

false

An organization does not have to comply with both regulatory standards and organizational standards. T/F

False positive error

Anthony is responsible for tuning his organization's intrusion detection system. He notices that the system reports an intrusion alert each time that an administrator connects to a server using Secure Shell (SSH). What type of error is occurring?

Incident

Any event that either violates or threatens to violate your security policy is known as a(n) __________.

During which phase of the access control process does the system answer the question,"What can the requestor access?"

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Authorization

Threat

Ayo is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these type of classification decisions?

Does the firewall properly block unsolicited network connection attempts?

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?

___________ is the duty of every government that wants to ensure its national security.

Cybersecurity

Symmetric algorithms

DES, IDEA, RC4, and WEP are examples of __________.

False

DHCP provides systems with their MAC addresses. t/f

True

Data classification is the responsibility of the per- son who owns the data. t/f

What is a key principle of risk management programs?

Don't spend more to protect an asset than it is worth.

True

Encryption ciphers fall into two general catego- ries: symmetric (private) key and asymmetric (public) key. t/f

Which practice is NOT considered unethical under RFC-1087 issued by the Internet Architecture Board (IAB)?

Enforcing the integrity of computer-based information (Seeking to gain unauthorized access to resources,Disrupting intended use of the Internet, Compromising the privacy of users)

Formatting

Erik is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Access to a high level of expertise

Everett is considering outsourcing security functions to a third-party service provider (which is a kind of risky for a CIA agent :). What benefit is he most likely to achieve?

An attacker uses exploit software when wardialing.

False

Which one of the following is an example of a business-to-consumer (B2C) application of the Internet of Things (IoT)?

Health Monitoring

What organization offers a variety of security certifications that are focused on the requirements of auditors?

ISACA

Security information and event management

Isaac is responsible for performing log reviews for his organization in an attempt to identify security issues. He has a massive amount of data to review. What type of tool would best assist him with this work?

Is the security control likely to become obsolete in the near future?

Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?

Kerberos

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws (Company policy, Internal audit, Corporate culture)

What term describes the longest period of time that a business can survive without a particular critical system?

Maximum Tolerable Downtime

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Memorandum of understanding (MOU)

Which one of the following is an example of a reactive disaster recovery control?

Moving to a warm site

Service Level Agreement (SLA)

Nakia is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?

National Institute of Standards and Technology (NIST)

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Phishing

Which one of the following is NOT an advantage of biometric systems?

Physical characteristics may change.

True

Policy sets the tone and culture of the organization. t/f

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?

Prudent

What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?

Publicly traded companies

Beth is conducting a risk assessment. She is trying to determine the impact a security incident will have on the reputation of her company. What type of risk assessment is best suited to this type of analysis?

Qualitative

Alan is the security manager for a mid-sized business. The company has suffered several serious data losses when mobile devices were stolen. Alan decides to implement full disk encryption on all mobile devices. What risk response did Alan take?

Reduce

True

Regarding an intrusion detection system (IDS), stateful matching looks for specific sequences appearing across several packets in a traffic stream rather than justin individual packets. True/False?

What term describes the risk that exists after an organization has performed all planned countermeasures and controls?

Residual risk

Authorization

Richard is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Audit

Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?

Risk Management Guide for Information Technology Systems (NIST SP800-30)

Residual

Risk that remains even after risk mitigation efforts have been implemented is known as __________ risk.

Phishing

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Role-based access control (RBAC)**** Rule-based access control****

Jennifer is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS)self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?

SAQ C

What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)?

Secure European System for Applications in a Multi-Vendor Environment (SESAME)****

Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following?

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for a timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Which one of the following principles is NOT a component of the Biba integrity model?

Subjects cannot change objects that have a lower integrity level.

Joe is responsible for the security of the industrial control systems for a power plant. What type of environment does Joe administer?

Supervisory Control and Data Acquisition (SCADA)

What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?

System integrity monitoring

Which one of the following is NOT an example of store-and-forward messaging?

Telephone call

Onboarding

The process that a company uses to integrate new employees into an organization.

The security process The policies, procedures, and guidelines adopted by the organization The authority of the persons responsible for security

The security program requires documentation of:

Hardened configuration

The state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running.

True

The three basic types of firewalls are packet filter- ing, application proxy, and stateful inspection. t/f

True

The two basic types of ciphers are transposition and substitution t/f

Waterfall

There are several types of software development methods, but most traditional methods are based on the ________ model.

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?

Threat (Value, sensitivity, criticality are)

Which type of cipher works by rearranging the characters in a message?

Transposition

Residual risk is the risk that remains after you have installed countermeasures and controls. True or False?

True

SOC 2 reports are created for internal and other authorized stakeholders and are commonly implemented for service providers, hosted data centers, and managed cloud computing providers.

True

Social engineering is deceiving or using people to get around security controls.

True

Standards are used when an organization has selected a solution to fulfill a policy goal.

True

The Government Information Security Reform Act (Security Reform Act) of 2000 focuses on management and evaluation of the security of unclassified and national security systems.

True

Which one of the following is NOT a commonly accepted best practice for password security?

Use no more than eight characters.

Network mapping

Using tools to determine the layout and services running on an organization's systems and networks.

Val would like to isolate several systems belonging to the product development group from other systems on the network, without adding new hardware. What technology can she use?

Virtual LAN (VLAN)

Black-hat hackers generally poke holes in systems, but do not attempt to disclose __________ they find to the administrators of those systems.

Vulnerabilities

Punish users who violate policy

What is NOT a goal of information security awareness programs?

NAT

What technology allows you to hide the private IPv4 address of a system from the Internet?

The ____________ team's responsibilities include handling events that affect your computers and networks and ultimately can respond rapidly and effectively to any event. a. Management b. Compliance liaison c. IT Group d. Security administration

d. Security administration

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems. a. Physical access control b. authentication c. Event-based synchronous system d. Security kernel

d. Security kernel

A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.

disaster

A content delivery network (CDN) services a user's request using the geographically closest server.

false

Cloud vendors do not benefit from economies of scale.

false

An online service allows users to integrate their phonebook with their social media profiles and stores it on the cloud. The phonebook is updated with pictures of contacts when they are uploaded on social media sites. Which of the following cloud-based offerings is being provided to the users? A) network as a service (NaaS) B) platform as a service (PaaS) C) infrastructure as a service (IaaS) D) software as a service (SaaS)

software as a service (SaaS)

Phobas Inc. offers an online service which stores notes made by customers on the cloud. When a customer enters notes on one device, it gets updated in all the devices he/she owns. Which of the following cloud-based offerings is being provided to the customers? A) virtual private cloud B) platform as a service (PaaS) C) software as a service (SaaS) D) infrastructure as a service (IaaS)

software as a service (SaaS)

What term is used to describe communication that doesn't happen in real time but rather consists of messages (voice or e-mail) that are stored on a server and downloaded to endpoint devices?

store-and-forward communications

A security awareness program includes ________.

teaching employees about security objectives, motivatingusers to comply with security policies, informing users about trends and threats in society

A system uses cameras and motion-sensing equipment to issue tickets for traffic violations. This system is an example of ________. A) videotelephony B) telesurgery C) telelaw enforcement D) GPS augmentation

telelaw enforcement

standard

A -----------is a generally agreed-upon technology, method or format for a given application such as TCP/IP protocol

Connecting your computers or devices to the ________ immediately exposes them to attack.

Internet

Continuing professional education (CPE) credits typically represent ________ minutes of classroom time per CPE unit.

50

Which of the following is an example of a hardware security control?

MAC filtering

RSA

What is NOT a symmetric encryption algorithm?

Which of the following is an advantage of using a private cloud over a virtual private cloud (VPC)? A) Unlike a VPC, the infrastructure required for a private cloud can be built and operated easily. B) A VPC gains significantly by using an elastic load balancer, whereas a private cloud does not use an elastic load balancer. C) A VPC cannot be accessed from outside the organization, but a private cloud can be accessed from outside the organization. D) Unlike a VPC, a private cloud does not require permission from regulating bodies to host sensitive data.

unlike a VPC, a private cloud does not require permission from regulating bodies to host sensitive data

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?

$2,000,000

Addressing their purpose

An audit examines whether security controls are appropriate, installed correctly, and __________.

RFC 1087

In 1989, the IAB issued a statement of policy about Internet ethics. This document is known as ________.

Signature based

In __________ methods, the IDS compares current traffic with activity patterns consistent with those of a known network intrusion via pattern match- ing and stateful matching.

False negative

Incorrectly identifying abnormal activity as normal.

False positive

Incorrectly identifying normal activity as abnormal.

Gary is sending a message to Patricia. He wants to ensure that nobody tampers with the message while it is in transit. What goal of cryptography is Gary attempting to achieve?

Integrity

Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?

Integrity

When should an organization's managers have an opportunity to respond to the findings in an audit?

Managers should include their responses to the draft audit report in the final audit report.

What government agency sponsors the National Centers of Academic Excellence (CAE) for the Cyber Operations Program?

National Security Agency (NSA)

Which regulatory standard would NOT require audits of companies in the United States?

Personal Information Protection and Electronic Documents Act (PIPEDA)

Violet deploys an intrusion prevention system (IPS) on her network as a security control. What type of control has Violet deployed?

Preventative

Separation of Duties

Ramonda is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Project initiation and planning

Shuri is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

What is meant by annual rate of occurrence (ARO)?

The annual probability that a stated threat will be realized.

Accreditation

the formal acceptance by the authorization offical of the risk of implementing the system

Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the annualized loss expectancy (ALE)?

20, 000

Deterrent controls identify that a threat has landed in your system.

False

During the secure phase of a security review, you review and measure all controls to capture actions and changes on the system.

False

Mandatory vacations minimize risk by rotating employees among various systems or duties.

False

Most enterprises are well prepared for a disaster should one occur.

False

Terry is troubleshooting a network that is experiencing high traffic congestion issues. Which device, if present on the network, should be replaced to alleviate these issues?

Hub

Which organization pursues standards for Internet of Things (IoT) devices and is widely recognized as the authority for creating standards on the Internet?

Internet Engineering Task Force

Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions?

Payment Card Industry Data Security Standard (PCI DSS)

Gina is preparing to monitor network activity using packet sniffing. Which technology is most likely to interfere with this effort if used on the network?

Secure Sockets Layer (SSL)

Which of the following statements is true of content delivery networks (CDNs)? A) They reduce users' access costs by delivering data faster. B) They distribute data on different servers without any data replication. C) Users receive content from the CDN server that is geographically closest. D) A routing server decides which server should deliver content on an hourly basis.

they reduce users' access costs by delivering data faster

What is NOT a good practice for developing strong professional ethics?

Assume that information should be free (Set the example by demonstrating ethics in daily activities, Encourage adopting ethical guidelines and standards, Inform users through security awareness training)

Alice's public key

Bob received a message from Alice that contains a digital signature. What cryptographic key does Bob use to verify the digital signature?

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

Business continuity plan (BCP)

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?

Checklist

Prudent

Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?

True

Classification scope determines what data you should classify; classification process determines how you handle classified data. True/False?

Phishing

T'Challa's organization received a mass email message that attempted to trick vibranium engineers into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Open Systems Interconnection (OSI) Refer- ence Model

The basic model for how you can build and use a network and its resources is known as the __________.

Configuration, change

The change management process includes ________ control and ________ control.

Which of the following is the definition of access control?

The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.

A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match.

True

A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing

True

A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.

True

Telediagnosis uses telecommunications to link surgeons to robotic equipment at distant

false

Clipping level

A value used in security monitoring that tells the security operations personnel to ignore activity that falls below a stated value

True

A vulnerability is any exposure that could allow a threat to be realized. t/f

When Patricia receives a message from Gary, she wants to be able to demonstrate to Sue that the message actually came from Gary. What goal of cryptography is Patricia attempting to achieve?

Nonrepudiation

Sireus Corp. is availing a cloud-based service. It plans to install a software package that will offer cloud services to its users. If it would like to avoid installing an operating system on the server, which of the following services should it choose? A) network as a service (NaaS) B) infrastructure as a service (IaaS) C) platform as a service (PaaS) D) software as a service (SaaS)

PLATFORM AS A SERVICE (PaaS)

Which one of the following is an example of a logical access control?

Password

Which of the following statements is true of a virtual private cloud (VPC)? A) A VPC does not make use of a VPN (virtual private network). B) An organization generally stores its most sensitive data on a VPC. C) A VPC can be accessed only from within an organization. D) A VPC can be built on public cloud infrastructure.

a VPC can be built on public cloud infrastructure

Which of the following is a difference between a virtual private network (VPN) and a virtual private cloud (VPC)? A) Unlike a VPN, a VPC uses encrypted connections between the users and the server. B) A VPN can be accessed over the Internet, but a VPC cannot be accessed over the Internet. C) Unlike a VPC, a VPN connects users to an organization's internal IS. D) A VPC provides the advantages of cloud storage, but a VPN by itself cannot provide these

a VPC provides the advantages of cloud storage, but a VPN by itself cannot provide these advantages

Which of the following is true of a VPN (virtual private network)? A) A VPN communication is secure even though it is transmitted over the public Internet. B) One disadvantage of a VPN is that it does not encrypt messages. C) Remote access is difficult in case of a VPN. D) It is a physical, private pathway over a public or shared network from the client to the server.

a VPN communication is secure even though it is transmitted over the public internet

Service-level agreement

a contractual commitment by a service provider or support organization to its customers or users

Notification, response, recovery and follow-up, and documentation are all components of what process? a. Incident handling b. Corrective control c. Business impact analysis (BIA) d. Countermeasure

a. Incident handling

Using https instead of http ________. A) shows the other users on that network who are accessing the same site B) allows a packet sniffer to see only the site visited and nothing further C) connects a user to the version of the site hosted on a private cloud D) detects the presence of packet sniffers in the vicinity

allows a packet sniffer to see only the site visited and nothing further

Interconnection security agreement (ISA)

an interoperability agreement, often an extension of MOU, that documents technical requirements of interconnected assets

Pattern-or signature-based IDS

an intrusion detection system that uses pattern matching and stateful matching to compare current traffic with activity patterns (signatures) of known network intruders

Two-factor __________ should be the minimum requirement for valuable resources asit provides a higher level of security than using only one.

authentication

____________ is used to describe a property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification. a. Smart card b. Relationships c. Need-to-know d. Multi-tenancy

c. Need-to-know

an organization that hires cloud services _______ a. can accommodate increase in traffic from only one city b. is continually provided with the maximum possible bandwidth c. can limit the response time of its web pages d. hires a fixed number of servers

can limit the response time of its web pages

Which of the following statements is true of cloud-based and in-house hosting? A) In-house hosting makes scaling up to meet the demands of increased traffic easier. B) Cloud-based hosting involves the risk of investing in technology that may soon become obsolete. C) In-house hosting leads to loss of physical control of data. D) Cloud-based hosting reduces the visibility of the security being used to protect data.

cloud-based hosting reduces the visibility of the security being used to protect data

which of the following is a reason for the term elastic being used to define the cloud a. computing resources can be increased or decreased dynamically in cloud-based hosting b. operations staff manually allots fresh resources when the traffic increases c. customers are provided a consistent bandwidth on the cloud d. resources available for cloud-hosting are shared among customers

computing resources can be increased or decreased dynamically in cloud-based hosting

A ________ is a system of hardware and software that stores user data in many different geographical locations and makes that data available on demand. A) virtual private network B) content delivery network C) mobile virtual network D) local area network

content delivery network

A security awareness program includes _____________. a. Motivating users to comply with security policies b. Informing users about trends and threats in society c. Teaching employees about security objectives d. All of the above

d. All of the above

A(n) __________ is a measurable occurrence that has an impact on the business. a. Critical business function b. Corrective control c. Cost d. Event

d. Event

What is meant by certification? a. A strategy to minimize risk by rotating employees between various systems or duties b. The formal acceptance by the authorizing official of the risk of implementing the system c. A group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies d. The technical evaluation of a system to provide assurance that you have implemented the system correctly

d. The technical evaluation of a system to provide assurance that you have implemented the system correctly

Teleaction increases the value of routine face-to-face services

false

Which of the following statements is true of private clouds? A) Private clouds are easy to build and operate. B) Several organizations pool their resources to form a private cloud. C) Private clouds provide access from outside an organization without connecting to a VPN (virtual private network). D) Idle servers in a private cloud cannot re-allocated to other organizations.

idle servers in a private cloud cannot re-allocate to other organizations

An internal information system built using Web services ________. A) is called a virtual private network B) is a cloud-based technology if it offers elasticity C) is a subset of a virtual private cloud D) is an example of platform as a service (PaaS)

is a cloud-based technology if it offers elasticity

Which of the following is a disadvantage of a content delivery network? A) It increases the load time of web pages for users. B) Its vulnerability to denial-of-service (DOS) attacks is high. C) Its reliability is decreased as data is stored on many servers. D) It is better suited to store and deliver content that seldom changes.

it is better suited to store and deliver content that seldom changes

Which of the following is a characteristic of a virtual private network (VPN)? A) It establishes a physical connection between the client and the server, called tunnel. B) It sends encrypted messages over the public Internet. C) A VPN can be accessed from only one geographical location. D) VPNs cannot be accessed over the Internet.

it sends encrypted messages over thepublic internet

What is a VPN (virtual private network)? A) It is a markup language that fixes several HTML deficiencies and is commonly used for program-to-program interaction over the Web. B) It is an add-on to browsers that was developed by Adobe and is useful for providing animation, movies, and other advanced graphics inside a browser. C) It is the most common language for defining the structure and layout of web pages. D) It uses the Internet to create secure point-to-point connections.

it uses the internet to create secure point-to-point connections

What term is used to describe a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective?

procedure

Any organization that is serious about security will view ___________ as anongoing process.

risk management

The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control.

security kernel

Cross-Site request forgery (XSRF)

similar to the XSS attack, an attacker provides script code that causes a trusted user who views the input script to send malicious commands to a webs server. Exploits the trust a server has in a user

Which of the following statements is true about cloud computing a. the elastic leasing of pooled computer resources over the internet is called the cloud b. a cloud is a peer-to-peer network used to share data between users c. cloud-based hosting does not operate over the internet d. any network of servers hosted in-house by an organization for its own requirements is regarded as a cloud

the elastic leasing of pooled computer resources over the internet is called the cloud

Security administration

the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan

Certifier

the individual or team responsible for performing the security test and evaluation.

Which of the following is a reason why an internal information system (private internet) that uses Web services is not considered a cloud? A) The number of servers is fixed in a private internet and is not made elastic. B) Idle servers in a private internet are dynamically re-allocated. C) It is generally not accessible outside the organization. D) An organization maintains a private internet using its own resources.

the number of servers is fixed in a private internet and is not made elastic

System owner

the personal responsible for the daily operation of system and for ensuring that the system continues to operate in compliance with conditions set out by the authorizing official

Reconnaissance

the process of gathering information

which of the following is true of web services a. they are SOA-designed programs that comply with web service standards b. they are programs that comply with IEEE 802.3 protocol standard and cannot be used for cloud processing c. they are programs that comply with web service standards and can only run as an independent program d. they can be used only with other programs from the same vendor

they are SOA-designed programs that comply with web service standards

A tunnel is a virtual, private pathway over a public or shared network from the VPN (virtual private network) client to the VPN server.

true

A user may receive various pieces of a web page from different servers on a content delivery network (CDN).

true

Cloud computing is likely to lead to an increase in the number of technology-based startups

true

Cloud resources are pooled because many different organizations use the same physical hardware.

true

Content delivery networks (CDNs) are used to store and deliver content that rarely changes

true

The connection between a VPN client and a VPN server is called a tunnel.

true

To use software as a service (SaaS), the user has to just sign up for the service.

true

Which of the following statements is true about the increase in popularity of cloud hosting? A) Data communication is more expensive now than earlier. B) Virtualization allows instantaneous creation of new virtual machines. C) Internet-based standards have led to loss of flexibility in processing capabilities. D) The technology prevalent in the 1960s was more favorable for the construction of enormous

virtualization allows instantaneous creation of new virtual machines


Conjuntos de estudio relacionados

APES Modules 17, 18, 19 Questions

View Set

Chapter 3 Electrical Quantities and Ohm's Law/Blue book

View Set

Economics Final Review - Chapter 16

View Set

Denmark Vesey/Start and Causes of the Civil War

View Set

Chapter 7: Legal Dimensions of Nursing Practice Fundamentals of Nursing

View Set